			
		
		
		
	* More secure external graph access
	  Add @signedGraphTag() and @signedGraphUrl() blade directives
	  Takes either an array of graph variables or a url to a graph
	  Uses a signed url that is accessible without user login, embeds signature in url to authenticate access
	  See Laravel Signed Url for more details.
	  Adds Laravel route to graphs (does not change links to use it yet)
	  @graphImage requires the other PR
	  Also APP_URL is required in .env
	* missing files from rebase
	* Fix url parsing with a get string
	* allow width and height to be omitted
	* Documentation
	* Add to, otherwise it will always be now
	* Doc note for to and from relative security
	* fix vars.inc.php (Laravel has a dummy url here)
		
			
				
	
	
		
		
	
	
	
	
	
| <?php
 | |
| /*
 | |
|  * AuthenticateGraph.php
 | |
|  *
 | |
|  * -Description-
 | |
|  *
 | |
|  * This program is free software: you can redistribute it and/or modify
 | |
|  * it under the terms of the GNU General Public License as published by
 | |
|  * the Free Software Foundation, either version 3 of the License, or
 | |
|  * (at your option) any later version.
 | |
|  *
 | |
|  * This program is distributed in the hope that it will be useful,
 | |
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  * GNU General Public License for more details.
 | |
|  *
 | |
|  * You should have received a copy of the GNU General Public License
 | |
|  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | |
|  *
 | |
|  * @package    LibreNMS
 | |
|  * @link       http://librenms.org
 | |
|  * @copyright  2022 Tony Murray
 | |
|  * @author     Tony Murray <murraytony@gmail.com>
 | |
|  */
 | |
| 
 | |
| namespace App\Http\Middleware;
 | |
| 
 | |
| use Closure;
 | |
| use Illuminate\Auth\AuthenticationException;
 | |
| use Illuminate\Http\Request;
 | |
| use LibreNMS\Config;
 | |
| use LibreNMS\Exceptions\InvalidIpException;
 | |
| use LibreNMS\Util\IP;
 | |
| 
 | |
/**
 * Access gate for graph requests.
 *
 * A request is passed on when any one of the following holds, checked in this
 * order: an authenticated session, a valid signed URL, or the
 * unauthenticated-graph settings (global switch or client IP range).
 * Otherwise an AuthenticationException is thrown.
 */
class AuthenticateGraph
{
    /**
     * Middleware class names; judging by the names, presumably the regular login stack.
     *
     * NOTE(review): no method in this class reads this list, so none of these
     * entries (VerifyTwoFactor included) runs as part of handle(). Confirm that
     * \Auth::check() on its own is an acceptable bar for accounts that have a
     * second factor configured.
     *
     * @var string[]
     */
    protected $auth = [
        \App\Http\Middleware\LegacyExternalAuth::class,
        \App\Http\Middleware\Authenticate::class,
        \App\Http\Middleware\VerifyTwoFactor::class,
        \App\Http\Middleware\LoadUserPreferences::class,
    ];

    /**
     * Decide whether a graph request may proceed without the normal login flow.
     *
     * Signature caveat: Laravel enforces an expiry only when the signed URL
     * carries an `expires` query parameter. NOTE(review): confirm that the code
     * issuing signed graph URLs sets one wherever long-lived links are not
     * intended, since an unexpiring link stays valid for as long as the signing
     * key is unchanged.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|null  $relative  pass the literal 'relative' to validate the signature against the relative URL
     * @return \Illuminate\Http\Response
     *
     * @throws \Illuminate\Auth\AuthenticationException when none of the three checks accepts the request
     */
    public function handle($request, Closure $next, $relative = null)
    {
        // Any value other than the literal 'relative' makes the signature check cover the absolute URL.
        $absolute = $relative !== 'relative';

        // Short-circuit order matters: existing session first, then the signed URL,
        // and only then the configuration-based bypass.
        $granted = \Auth::check()
            || $request->hasValidSignature($absolute)
            || $this->isAllowed($request);

        if (! $granted) {
            // Nothing vouched for this request; the exception handler decides what the client sees.
            throw new AuthenticationException('Unauthenticated.');
        }

        return $next($request);
    }

    /**
     * Check the configuration-based bypasses for unauthenticated graph access.
     *
     * `allow_unauth_graphs` is a global switch: when truthy, every request is
     * accepted here regardless of origin. Otherwise the client address is
     * matched against each entry of `allow_unauth_graphs_cidr`.
     *
     * NOTE(review): the address comes from Request::getClientIp(), whose value
     * depends on the trusted-proxy configuration. Confirm forwarded headers are
     * honoured only from trusted proxies; otherwise the allow-list would be
     * evaluated against a client-supplied value.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool true when the request may skip authentication
     */
    protected function isAllowed(Request $request): bool
    {
        if (Config::get('allow_unauth_graphs', false)) {
            d_echo("Unauthorized graphs allowed\n");

            return true;
        }

        $ip = $request->getClientIp();

        try {
            $clientAddress = IP::parse($ip);
            $ranges = Config::get('allow_unauth_graphs_cidr', []);

            foreach ($ranges as $range) {
                if (! $clientAddress->inNetwork($range)) {
                    continue;
                }

                d_echo("Unauthorized graphs allowed from $range\n");

                return true;
            }
        } catch (InvalidIpException $e) {
            // An InvalidIpException raised anywhere inside the try block ends the scan; the request is denied.
            d_echo("Client IP ($ip) is invalid.\n");
        }

        return false;
    }
}
 |