From 1d52afb45a032c60e5ff933d17e33177a12bdeb0 Mon Sep 17 00:00:00 2001 From: Yuri Kuznetsov Date: Thu, 20 Apr 2023 16:42:26 +0300 Subject: [PATCH] ip address util --- application/Espo/Core/Api/Util.php | 31 +++---------- .../Core/Authentication/Authentication.php | 9 ++-- .../Hook/Hooks/FailedAttemptsLimit.php | 5 ++- .../Core/Authentication/Ldap/LdapLogin.php | 44 +++++-------------- .../Espo/Resources/defaults/systemConfig.php | 1 + 5 files changed, 26 insertions(+), 64 deletions(-) diff --git a/application/Espo/Core/Api/Util.php b/application/Espo/Core/Api/Util.php index 7a5e1bf870..6eef92cc0e 100644 --- a/application/Espo/Core/Api/Util.php +++ b/application/Espo/Core/Api/Util.php @@ -29,19 +29,12 @@ namespace Espo\Core\Api; +use Espo\Core\Utils\Config; use stdClass; class Util { - private const IP_PARAM_LIST = [ - 'HTTP_CLIENT_IP', - 'HTTP_X_FORWARDED_FOR', - 'HTTP_X_FORWARDED', - 'HTTP_X_CLUSTER_CLIENT_IP', - 'HTTP_FORWARDED_FOR', - 'HTTP_FORWARDED', - 'REMOTE_ADDR', - ]; + public function __construct(private Config $config) {} public static function cloneObject(stdClass $source): stdClass { @@ -81,24 +74,10 @@ class Util return $item; } - public static function obtainIpFromRequest(Request $request): ?string + public function obtainIpFromRequest(Request $request): ?string { - foreach (self::IP_PARAM_LIST as $var){ - $value = $request->getServerParam($var); + $param = $this->config->get('ipAddressServerParam') ?? 'REMOTE_ADDR'; - if (!is_string($value)) { - continue; - } - - foreach (explode(',', $value) as $item) { - $item = trim($item); - - if (filter_var($item, FILTER_VALIDATE_IP) !== false) { - return $item; - } - } - } - - return null; + return $request->getServerParam($param); } } diff --git a/application/Espo/Core/Authentication/Authentication.php b/application/Espo/Core/Authentication/Authentication.php index c7441922ba..b6d9dca216 100644 --- a/application/Espo/Core/Authentication/Authentication.php 
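Review bot: The rewritten `obtainIpFromRequest()` returns `$request->getServerParam($param)` as is, so the `is_string()` and `FILTER_VALIDATE_IP` checks that the removed loop applied are gone. Once `ipAddressServerParam` points at a forwarded-for style header, the value can be a comma-separated list or arbitrary text, and the later hunks pass it straight into `$user->set('ipAddress', ...)`, the auth token data, `setIpAddress()`, the failed-attempts lookup and the LdapLogin alert message. A non-string value would also conflict with the declared `?string` return type, assuming `getServerParam()` is not itself typed that way. I would keep the format check in the method, as sketched below; which entry of a list to trust depends on how the proxy writes the header, so the first-valid choice taken over from the removed code should be confirmed.

```php
public function obtainIpFromRequest(Request $request): ?string
{
    $param = $this->config->get('ipAddressServerParam') ?? 'REMOTE_ADDR';

    $value = $request->getServerParam($param);

    if (!is_string($value)) {
        return null;
    }

    // A forwarded-for style header may carry a list; which hop to trust depends on the proxy setup.
    foreach (explode(',', $value) as $item) {
        $item = trim($item);

        if (filter_var($item, FILTER_VALIDATE_IP) !== false) {
            return $item;
        }
    }

    return null;
}
```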
+++ b/application/Espo/Core/Authentication/Authentication.php @@ -86,7 +86,8 @@ class Authentication private HookManager $hookManager, private Log $log, private LogoutFactory $logoutFactory, - private MethodProvider $methodProvider + private MethodProvider $methodProvider, + private Util $util ) {} /** @@ -220,7 +221,7 @@ class Authentication $user->loadLinkMultipleField('teams'); } - $user->set('ipAddress', Util::obtainIpFromRequest($request)); + $user->set('ipAddress', $this->util->obtainIpFromRequest($request)); [$loggedUser, $anotherUserFailReason] = $this->getLoggedUser($request, $user); @@ -467,7 +468,7 @@ class Authentication /** @var ?string $password */ $password = $user->get('password'); - $ipAddress = Util::obtainIpFromRequest($request); + $ipAddress = $this->util->obtainIpFromRequest($request); $authTokenData = AuthTokenData::create([ 'hash' => $password, @@ -595,7 +596,7 @@ class Authentication $authLogRecord ->setUsername($username) - ->setIpAddress(Util::obtainIpFromRequest($request)) + ->setIpAddress($this->util->obtainIpFromRequest($request)) ->setRequestTime($request->getServerParam('REQUEST_TIME_FLOAT')) ->setRequestMethod($request->getMethod()) ->setRequestUrl($requestUrl) diff --git a/application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php b/application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php index 30550b9855..d108dffcb0 100644 --- a/application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php +++ b/application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php @@ -46,7 +46,8 @@ class FailedAttemptsLimit implements BeforeLogin public function __construct( private ConfigDataProvider $configDataProvider, private EntityManager $entityManager, - private Log $log + private Log $log, + private Util $util ) {} /** 
@@ -71,7 +72,7 @@ class FailedAttemptsLimit implements BeforeLogin $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod); - $ip = Util::obtainIpFromRequest($request); + $ip = $this->util->obtainIpFromRequest($request); $where = [ 'requestTime>' => $requestTimeFrom->format('U'), diff --git a/application/Espo/Core/Authentication/Ldap/LdapLogin.php b/application/Espo/Core/Authentication/Ldap/LdapLogin.php index 31feacd6b8..ebc92d17f9 100644 --- a/application/Espo/Core/Authentication/Ldap/LdapLogin.php +++ b/application/Espo/Core/Authentication/Ldap/LdapLogin.php 
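Review bot: `$ip` can be null here whenever the configured server parameter is absent from the request, for example after a typo in `ipAddressServerParam`, whereas the removed list ended with `REMOTE_ADDR` as a last resort. The `$where` array continues outside the hunk, so it is not visible how a null address is matched; if it ends up in an `ipAddress` condition, all such requests would presumably fall into one shared bucket or none. Making the case explicit right after the assignment, e.g. `if ($ip === null) { $this->log->warning('Client IP address could not be determined.'); }`, would at least make a misconfiguration visible in the log.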
@@ -57,44 +57,24 @@ class LdapLogin implements Login { private LDAPUtils $utils; private ?Client $client = null; - private bool $isPortal; - private Config $config; - private EntityManager $entityManager; - private PasswordHash $passwordHash; private Language $language; - private Log $log; - private Espo $baseLogin; - private ClientFactory $clientFactory; - private LinkMultipleSaver $linkMultipleSaver; - private EmailAddressSaver $emailAddressSaver; - private PhoneNumberSaver $phoneNumberSaver; public function __construct( - Config $config, - EntityManager $entityManager, - PasswordHash $passwordHash, + private Config $config, + private EntityManager $entityManager, + private PasswordHash $passwordHash, Language $defaultLanguage, - Log $log, - Espo $baseLogin, - ClientFactory $clientFactory, - LinkMultipleSaver $linkMultipleSaver, - EmailAddressSaver $emailAddressSaver, - PhoneNumberSaver $phoneNumberSaver, - bool $isPortal = false + private Log $log, + private Espo $baseLogin, + private ClientFactory $clientFactory, + private LinkMultipleSaver $linkMultipleSaver, + private EmailAddressSaver $emailAddressSaver, + private PhoneNumberSaver $phoneNumberSaver, + private Util $util, + private bool $isPortal = false ) { - $this->config = $config; - $this->entityManager = $entityManager; - $this->passwordHash = $passwordHash; $this->language = $defaultLanguage; - $this->log = $log; - $this->baseLogin = $baseLogin; - $this->clientFactory = $clientFactory; - $this->linkMultipleSaver = $linkMultipleSaver; - $this->emailAddressSaver = $emailAddressSaver; - $this->phoneNumberSaver = $phoneNumberSaver; - - $this->isPortal = $isPortal; $this->utils = new LDAPUtils($config); } 
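Review bot: After this change the class holds both `$this->utils` (the `LDAPUtils` instance assigned in the constructor body) and the new promoted `$this->util`, two properties one character apart with unrelated roles. A more distinct name for the new one, e.g. `private Util $apiUtil`, would read better; the call in the later hunk would then become `$this->apiUtil->obtainIpFromRequest($request)`. The new required parameter also sits before `$isPortal`, so any code outside this patch that constructs `LdapLogin` with positional arguments needs the same update.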
@@ -297,7 +277,7 @@ class LdapLogin implements Login $tokenUsername = $user->getUserName() ?? ''; if (strtolower($username) !== strtolower($tokenUsername)) { - $ip = Util::obtainIpFromRequest($request); + $ip = $this->util->obtainIpFromRequest($request); $this->log->alert('Unauthorized access attempt for user [' . $username . '] from IP [' . $ip . ']'); diff --git a/application/Espo/Resources/defaults/systemConfig.php b/application/Espo/Resources/defaults/systemConfig.php index 697941b5b5..fadc26b377 100644 --- a/application/Espo/Resources/defaults/systemConfig.php +++ b/application/Espo/Resources/defaults/systemConfig.php @@ -100,6 +100,7 @@ return [ 'authTokenSecretDisabled', 'authLogDisabled', 'authApiUserLogDisabled', + 'ipAddressServerParam', ], 'adminItems' => [ 'devMode',
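Review bot: `ipAddressServerParam` is added to a list whose key lies above the hunk, and the patch gives it neither a default value nor a description, so the only place its meaning is recorded is the `?? 'REMOTE_ADDR'` fallback in `Util`. Since the value decides which request field is stored as the client address for the auth log and the failed-attempts limit, a short comment next to the entry would help, e.g. `// $_SERVER key holding the client address; use a header only if the reverse proxy overwrites it`. Without that caveat, pointing the setting at a header the client can set makes the recorded address whatever the client sends.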