Option to limit access for remote-user to specified IP(s) / hostname(s) (#4881)

Author: Florian Schaal

install/sql/incremental/upd_dev_collection.sql

@@ -1 +1,3 @@
 ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
+ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
+ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;

install/sql/ispconfig3.sql

@@ -1246,6 +1246,8 @@ CREATE TABLE `remote_user` (
   `sys_perm_other` varchar(5) default NULL,
   `remote_username` varchar(64) NOT NULL DEFAULT '',
   `remote_password` varchar(64) NOT NULL DEFAULT '',
+  `remote_access` enum('y','n') NOT NULL DEFAULT 'y',
+  `remote_ips` TEXT,
   `remote_functions` text,
   PRIMARY KEY  (`remote_userid`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;

interface/lib/classes/remoting.inc.php

@@ -144,6 +144,41 @@ public function login($username, $password, $client_login = false)
 			$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
 			$remote_user = $app->db->queryOneRecord($sql, $username, $password);
 			if($remote_user['remote_userid'] > 0) {
+				$allowed_ips = explode(',',$remote_user['remote_ips']);
+				foreach($allowed_ips as $i => $allowed) { 
+					if(!filter_var($allowed, FILTER_VALIDATE_IP)) { 
+						// get the ip for a hostname
+						unset($allowed_ips[$i]);
+						$temp=dns_get_record($allowed, DNS_A+DNS_AAAA);
+						foreach($temp as $t) {
+							if(isset($t['ip'])) $allowed_ips[] = $t['ip'];
+							if(isset($t['ipv6'])) $allowed_ips[] = $t['ipv6'];
+						}
+						unset($temp);
+					}
+				}
+				$allowed_ips[] = '127.0.0.1';
+				$allowed_ips[] = '::1';
+				$allowed_ips=array_unique($allowed_ips);
+				$ip = $_SERVER['REMOTE_ADDR'];
+				$remote_allowed = @($ip == '::1' || $ip == '127.0.0.1')?true:false;
+				if(!$remote_allowed && $remote_user['remote_access'] == 'y') {
+					if(trim($remote_user['remote_ips']) == '') {
+						$remote_allowed=true;
+					} else {
+						$ip = inet_pton($_SERVER['REMOTE_ADDR']);
+						foreach($allowed_ips as $allowed) {
+							if($ip == inet_pton(trim($allowed))) {
+								$remote_allowed=true;
+								break;
+							}
+						}
+					}
+				}
+				if(!$remote_allowed) {
+					throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
+					return false;
+				}	
 				//* Create a remote user session
 				//srand ((double)microtime()*1000000);
 				$remote_session = md5(mt_rand().uniqid('ispco'));

interface/lib/classes/validate_remote_user.inc.php

@@ -0,0 +1,59 @@
+<?php
+
+/*
+Copyright (c) 2017, Florian Schaal , schaal @it UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class validate_remote_user {
+
+	function valid_remote_ip($field_name, $field_value, $validator) {
+		global $app;
+
+		$values = explode(',', $field_value);
+		$regex = '/^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/';
+		foreach($values as $cur_value) {
+			$cur_value = trim($cur_value);
+			$valid = true;
+			if(function_exists('filter_var')) {
+				if(!filter_var($cur_value, FILTER_VALIDATE_IP)) {
+					$valid = false;
+					if(preg_match($regex, $cur_value)) $valid = true;
+				}
+			} else return "function filter_var missing <br />\r\n";
+
+			if($valid == false) {
+				$errmsg = $validator['errmsg'];
+				if(isset($app->tform->wordbook[$errmsg])) {
+					return $app->tform->wordbook[$errmsg]."<br>\r\n";
+				} else {
+					return $errmsg."<br>\r\n";
+				}
+			}
+		}
+	}
+
+}

interface/web/admin/form/remote_user.tform.php

@@ -115,6 +115,27 @@
 			'width'  => '30',
 			'maxlength' => '255'
 		),
+		'remote_access' => array (
+ 			'datatype' => 'VARCHAR',
+			'formtype' => 'CHECKBOX',
+			'default' => 'n',
+			'value'  => array(0 => 'n', 1 => 'y')
+        ),
+		'remote_ips' => array (
+			'datatype'  => 'TEXT',
+			'formtype'  => 'TEXT',
+			'validators'  => array (  
+				0 => array (
+					'type' => 'CUSTOM', 
+					'class' => 'validate_remote_user', 
+					'function' => 'valid_remote_ip', 
+					'errmsg' => 'remote_user_error_ips'),
+			),
+			'default' => '',
+			'value'   => '',
+			'width'   => '60',
+			'searchable' => 2
+		),
 		'remote_functions' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'CHECKBOXARRAY',

interface/web/admin/lib/lang/de_remote_user.lng

@@ -44,4 +44,7 @@ $wb['generate_password_txt'] = 'Passwort erzeugen';
 $wb['repeat_password_txt'] = 'Passwort wiederholen';
 $wb['password_mismatch_txt'] = 'Die Passwörter stimmen nicht überein.';
 $wb['password_match_txt'] = 'Die Passwörter stimmen überein.';
+$wb['remote_user_error_ips'] = 'Mindestens eine eingegebene IP-Adresse oder ein Hostname ist ungueltig.';
+$wb['remote_access_txt'] = 'Entfernter Zugriff';
+$wb['remote_ips_txt'] = 'Entfernter Zugriff IP / Hostname (Mehrere mit Komma trennen, keine Angabe für <i>alle</i>)';
 ?>

interface/web/admin/lib/lang/en_remote_user.lng

@@ -44,4 +44,7 @@ $wb['generate_password_txt'] = 'Generate Password';
 $wb['repeat_password_txt'] = 'Repeat Password';
 $wb['password_mismatch_txt'] = 'The passwords do not match.';
 $wb['password_match_txt'] = 'The passwords do match.';
+$wb['remote_access_txt'] = 'Remote Access';
+$wb['remote_ips_txt'] = 'Remote Access IPs / Hostnames (separate by , and leave blank for <i>any</i>)';
+$wb['remote_user_error_ips'] = 'At least one of the entered ip addresses or hostnames is invalid.';
 ?>

interface/web/admin/templates/remote_user_edit.htm

@@ -36,6 +36,12 @@ <h1><tmpl_var name="list_head_txt"></h1>
 					<div id="confirmpasswordOK" style="display:none;" class="confirmpasswordok">{tmpl_var name='password_match_txt'}</div>
 				</div>
 			</div>
+            <div class="form-group">
+                <label class="col-sm-3 control-label">{tmpl_var name='remote_access_txt'}</label>
+                <div class="col-sm-9">{tmpl_var name='remote_access'}</div></div>
+            <div class="form-group">
+                <label for="remote_ips" class="col-sm-3 control-label">{tmpl_var name='remote_ips_txt'}</label>
+                <div class="col-sm-9"><input type="text" name="remote_ips" id="remote_ips" value="{tmpl_var name='remote_ips'}" class="form-control" /></div></div>
             <div class="form-group">
                 <label class="col-sm-3 control-label">{tmpl_var name='function_txt'}</label>
                 <div class="col-sm-9">