diff --git a/lib/WP_Auth0_Ip_Check.php b/lib/WP_Auth0_Ip_Check.php
index 85d9bb25..5e3f1a1b 100644
--- a/lib/WP_Auth0_Ip_Check.php
+++ b/lib/WP_Auth0_Ip_Check.php
@@ -27,10 +27,13 @@ class WP_Auth0_Ip_Check {
 */
 protected $valid_webtask_ips = array(
 'us' => array(
+ '3.211.189.167',
+ '18.233.90.226',
 '34.195.142.251',
 '35.160.3.103',
 '35.166.202.113',
 '35.167.74.121',
+ '35.171.156.124',
 '52.14.17.114',
 '52.14.38.78',
 '52.14.40.253',
@@ -57,10 +60,13 @@ class WP_Auth0_Ip_Check {
 '52.29.176.99',
 '52.50.106.250',
 '52.57.230.214',
+ '52.208.95.174',
+ '52.210.122.50',
 '52.211.56.181',
 '52.213.38.246',
 '52.213.74.69',
 '52.213.216.142',
+ '54.76.184.103',
 ),
 'au' => array(
 '13.54.254.182',
@@ -99,7 +105,7 @@ public function __construct( WP_Auth0_Options $a0_options = null ) {
 * @param string $domain - Tenant domain.
 * @param string $glue - String used to implode arrays.
 *
- * @return string
+ * @return string|array
 */
 public function get_ips_by_domain( $domain = null, $glue = self::IP_STRING_GLUE ) {
 if ( empty( $domain ) ) {
@@ -115,10 +121,11 @@ public function get_ips_by_domain( $domain = null, $glue = self::IP_STRING_GLUE
 * @param string $region - Tenant region.
 * @param string $glue - String used to implode arrays.
 *
- * @return string
+ * @return string|array
 */
 public function get_ip_by_region( $region, $glue = self::IP_STRING_GLUE ) {
- return implode( $glue, $this->valid_webtask_ips[ $region ] );
+ $ip_addresses = $this->valid_webtask_ips[ $region ];
+ return is_null( $glue ) ? $ip_addresses : implode( $glue, $ip_addresses );
 }
 /**
diff --git a/lib/admin/WP_Auth0_Admin_Advanced.php b/lib/admin/WP_Auth0_Admin_Advanced.php
index 0b1b2358..e80546c8 100644
--- a/lib/admin/WP_Auth0_Admin_Advanced.php
+++ b/lib/admin/WP_Auth0_Admin_Advanced.php
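Review bot: In `get_ip_by_region()` (lib/WP_Auth0_Ip_Check.php) the lookup `$this->valid_webtask_ips[ $region ]` is not guarded, so with the new `null`-glue path an unknown region returns `null` where callers now expect an array. The new caller in `migration_ips_validation()` hands that value directly to `array_diff()`, which raises a TypeError on PHP 8 (a warning and a null result on PHP 7); whether `get_ips_by_domain()` can produce such a region is not visible, since its body lies outside these hunks. A guard such as `$ip_addresses = isset( $this->valid_webtask_ips[ $region ] ) ? $this->valid_webtask_ips[ $region ] : array();` keeps both return shapes defined. The docblock should also state the sentinel, e.g. `@param string|null $glue - String used to implode arrays; null returns the array unjoined.`, in both `get_ips_by_domain()` and `get_ip_by_region()`.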
@@ -14,6 +14,7 @@ class WP_Auth0_Admin_Advanced extends WP_Auth0_Admin_Generic {
 protected $actions_middlewares = array(
 'basic_validation',
 'migration_ws_validation',
+ 'migration_ips_validation',
 'loginredirection_validation',
 );
@@ -590,9 +591,6 @@ public function basic_validation( $old_options, $input ) {
 $input['migration_ips_filter'] = ( ! empty( $input['migration_ips_filter'] ) ? 1 : 0 );
- $input['migration_ips'] = isset( $input['migration_ips'] ) ?
- sanitize_text_field( $input['migration_ips'] ) : '';
-
 $input['valid_proxy_ip'] = ( isset( $input['valid_proxy_ip'] ) ? $input['valid_proxy_ip'] : null );
 $input['lock_connections'] = isset( $input['lock_connections'] ) ?
@@ -656,6 +654,29 @@ public function migration_ws_validation( array $old_options, array $input ) {
 return $input;
 }
+ public function migration_ips_validation( array $old_options, array $input ) {
+
+ if ( empty( $input['migration_ips'] ) ) {
+ $input['migration_ips'] = '';
+ return $input;
+ }
+
+ $ip_addresses = explode( ',', $input['migration_ips'] );
+ $ip_addresses = array_map( 'trim', $ip_addresses );
+ $ip_addresses = array_map( 'sanitize_text_field', $ip_addresses );
+ $ip_addresses = array_filter( $ip_addresses );
+ $ip_addresses = array_unique( $ip_addresses );
+
+ if ( ! empty( $input['domain'] ) ) {
+ $ip_check = new WP_Auth0_Ip_Check();
+ $whitelist_ips = $ip_check->get_ips_by_domain( $input['domain'], null );
+ $ip_addresses = array_diff( $ip_addresses, $whitelist_ips );
+ }
+
+ $input['migration_ips'] = implode( ', ', $ip_addresses );
+ return $input;
+ }
+
 /**
 * @deprecated - 3.10.0, no longer used.
 *
diff --git a/tests/testIpCheck.php b/tests/testIpCheck.php
index 7d99aa2f..2777f579 100644
--- a/tests/testIpCheck.php
+++ b/tests/testIpCheck.php
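Review bot: `migration_ips_validation()` (lib/admin/WP_Auth0_Admin_Advanced.php) never checks that an entry is an IP address: `trim`, `sanitize_text_field` and `array_filter` only strip markup and empty strings, so any other text is stored in what appears to be the migration IP allowlist. If the option holds single addresses only, filter them with `array_filter( $ip_addresses, function ( $ip ) { return false !== filter_var( $ip, FILTER_VALIDATE_IP ); } )`; if the consumer also accepts ranges (not visible in this diff), validate each endpoint of the range instead. The method also passes `$input['migration_ips']` to `explode()` without an `is_string()` check, so an array-valued field, which the removed `sanitize_text_field()` call reduced to an empty string, now raises a TypeError on PHP 8; `if ( empty( $input['migration_ips'] ) || ! is_string( $input['migration_ips'] ) ) {` covers it. A docblock noting that the tenant region's own IPs are removed when `$input['domain']` is set would match the documented neighbouring methods.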
@@ -43,14 +43,14 @@ public function testThatIpCountDidNotChange() {
 $ip_check = new WP_Auth0_Ip_Check( self::$opts );
 $us_ips = explode( ',', $ip_check->get_ip_by_region( 'us' ) );
- $this->assertCount( 16, $us_ips );
+ $this->assertCount( 19, $us_ips );
 $us_ips = explode( ',', $ip_check->get_ips_by_domain( 'test.auth0.com' ) );
- $this->assertCount( 16, $us_ips );
+ $this->assertCount( 19, $us_ips );
 $eu_ips = explode( ',', $ip_check->get_ip_by_region( 'eu' ) );
- $this->assertCount( 16, $eu_ips );
+ $this->assertCount( 19, $eu_ips );
 $eu_ips = explode( ',', $ip_check->get_ips_by_domain( 'test.eu.auth0.com' ) );
- $this->assertCount( 16, $eu_ips );
+ $this->assertCount( 19, $eu_ips );
 $au_ips = explode( ',', $ip_check->get_ip_by_region( 'au' ) );
 $this->assertCount( 11, $au_ips );
diff --git a/tests/testOptionMigrationIps.php b/tests/testOptionMigrationIps.php
new file mode 100644
index 00000000..414e0301
--- /dev/null
+++ b/tests/testOptionMigrationIps.php
@@ -0,0 +1,121 @@ +set( 'domain', 'test.eu.auth0.com' ); + $field_args = [ + 'label_for' => 'wpa0_migration_ws_ips', + 'opt_name' => 'migration_ips', + ]; + + // Get the field HTML. + ob_start(); + self::$admin->render_migration_ws_ips( $field_args ); + $field_html = ob_get_clean(); + + $textarea = $this->getDomListFromTagName( $field_html, 'textarea' ); + $this->assertEquals( 1, $textarea->length ); + $this->assertEquals( $field_args['label_for'], $textarea->item( 0 )->getAttribute( 'id' ) ); + $this->assertEquals( + self::OPTIONS_NAME . '[' . $field_args['opt_name'] . ']', + $textarea->item( 0 )->getAttribute( 'name' ) + ); + + $whitelist_ips = self::$ip_check->get_ips_by_domain( 'test.eu.auth0.com', null ); + + $ips = $this->getDomListFromTagName( $field_html, 'code' ); + $this->assertEquals( count( $whitelist_ips ), $ips->length ); + for ( $item_index = 0; $item_index < $ips->length; $item_index++ ) { + $this->assertContains( $ips->item( $item_index )->nodeValue, $whitelist_ips ); + } + } + + public function testThatEmptyIpsAreValidatedToAnEmptyString() { + $input = [ 'migration_ips' => 0 ]; + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '', $validated['migration_ips'] ); + + $input = [ 'migration_ips' => false ]; + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '', $validated['migration_ips'] ); + + $input = [ 'migration_ips' => null ]; + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '', $validated['migration_ips'] ); + } + + public function testThatDuplicateIpsAreRemovedDuringValidation() { + $input = [ 'migration_ips' => '1.2.3.4, 2.3.4.5,1.2.3.4,3.4.5.6, 2.3.4.5' ]; + + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '1.2.3.4, 2.3.4.5, 3.4.5.6', $validated['migration_ips'] ); + } + + public function testThatExistingWhitelistIpsAreRemovedDuringValidation() { + $whitelist_ips = 
self::$ip_check->get_ip_by_region( 'eu', null ); + $random_whitelisted_ip = $whitelist_ips[ array_rand( $whitelist_ips ) ]; + $input = [ + 'migration_ips' => '4.5.6.7,' . $random_whitelisted_ip . ',5.6.7.8', + 'domain' => 'test.eu.auth0.com', + ]; + + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '4.5.6.7, 5.6.7.8', $validated['migration_ips'] ); + } + + public function testThatUnsafeValuesAreRemovedDuringValidation() { + $input = [ 'migration_ips' => '6.7.8.9,,7.8.9.10' ]; + + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '6.7.8.9, 7.8.9.10', $validated['migration_ips'] ); + } + + public function testThatEmptyValuesAreRemovedDuringValidation() { + $input = [ 'migration_ips' => '8.9.10.11, , 9.10.11.12, 0' ]; + + $validated = self::$admin->migration_ips_validation( [], $input ); + $this->assertEquals( '8.9.10.11, 9.10.11.12', $validated['migration_ips'] ); + } +}
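Review bot: `testThatUnsafeValuesAreRemovedDuringValidation` feeds only `'6.7.8.9,,7.8.9.10'`, which is the empty-element case that `testThatEmptyValuesAreRemovedDuringValidation` already covers; no test in the visible part of this file passes markup or a non-IP string through `migration_ips_validation()`. Add a case with a tagged or malformed entry (a constructed sample such as `'6.7.8.9,<b>x</b>,not-an-ip'`) and assert exactly what is stored, so the behaviour the test name promises is pinned. `testThatExistingWhitelistIpsAreRemovedDuringValidation` picks its address with `array_rand()`, which makes a failure hard to reproduce; a fixed entry such as `$whitelist_ips[0]` would do. The head of this new file appears to be missing from the page, so earlier tests could not be reviewed.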