feat(security): Add public API to allow validating IP Ranges and chec…

…king for "in range"

Signed-off-by: Joas Schilling <coding@schilljs.com>

lib/composer/composer/autoload_classmap.php

@@ -641,6 +641,7 @@
     'OCP\\Security\\ICrypto' => $baseDir . '/lib/public/Security/ICrypto.php',
     'OCP\\Security\\IHasher' => $baseDir . '/lib/public/Security/IHasher.php',
     'OCP\\Security\\IRemoteHostValidator' => $baseDir . '/lib/public/Security/IRemoteHostValidator.php',
+    'OCP\\Security\\IRemoteIpAddress' => $baseDir . '/lib/public/Security/IRemoteIpAddress.php',
     'OCP\\Security\\ISecureRandom' => $baseDir . '/lib/public/Security/ISecureRandom.php',
     'OCP\\Security\\ITrustedDomainHelper' => $baseDir . '/lib/public/Security/ITrustedDomainHelper.php',
     'OCP\\Security\\RateLimiting\\ILimiter' => $baseDir . '/lib/public/Security/RateLimiting/ILimiter.php',

lib/composer/composer/autoload_static.php

@@ -674,6 +674,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\Security\\ICrypto' => __DIR__ . '/../../..' . '/lib/public/Security/ICrypto.php',
         'OCP\\Security\\IHasher' => __DIR__ . '/../../..' . '/lib/public/Security/IHasher.php',
         'OCP\\Security\\IRemoteHostValidator' => __DIR__ . '/../../..' . '/lib/public/Security/IRemoteHostValidator.php',
+        'OCP\\Security\\IRemoteIpAddress' => __DIR__ . '/../../..' . '/lib/public/Security/IRemoteIpAddress.php',
         'OCP\\Security\\ISecureRandom' => __DIR__ . '/../../..' . '/lib/public/Security/ISecureRandom.php',
         'OCP\\Security\\ITrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/public/Security/ITrustedDomainHelper.php',
         'OCP\\Security\\RateLimiting\\ILimiter' => __DIR__ . '/../../..' . '/lib/public/Security/RateLimiting/ILimiter.php',

lib/private/Security/RemoteIpAddress.php

@@ -12,9 +12,10 @@
 use IPLib\Factory;
 use OCP\IConfig;
 use OCP\IRequest;
+use OCP\Security\IRemoteIpAddress;
 use Psr\Log\LoggerInterface;
 
-class RemoteIpAddress {
+class RemoteIpAddress implements IRemoteIpAddress {
 	public const SETTING_NAME = 'allowed_admin_ranges';
 
 	public function __construct(
@@ -38,8 +39,15 @@ public function allowsAdminActions(): bool {
 		if (empty($allowedAdminRanges)) {
 			return true;
 		}
+		return $this->isRemoteAddressInAnyRange($this->request->getRemoteAddress(), $allowedAdminRanges);
+	}
+
+	public function isValidRangeString(string $rangeString): bool {
+		return Factory::parseRangeString($rangeString) !== null;
+	}
 
-		$ipAddress = Factory::parseAddressString($this->request->getRemoteAddress());
+	public function isRemoteAddressInAnyRange(string $remoteAddress, array $rangeStrings): bool {
+		$ipAddress = Factory::parseAddressString($remoteAddress);
 		if ($ipAddress === null) {
 			$this->logger->warning(
 				'Unable to parse remote IP "{ip}"',
@@ -49,11 +57,12 @@ public function allowsAdminActions(): bool {
 			return false;
 		}
 
-		foreach ($allowedAdminRanges as $rangeString) {
+		foreach ($rangeStrings as $rangeString) {
 			$range = Factory::parseRangeString($rangeString);
 			if ($range === null) {
 				continue;
 			}
+
 			if ($range->contains($ipAddress)) {
 				return true;
 			}

lib/public/Security/IRemoteIpAddress.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security;
+
+/**
+ * @since 30.0.0
+ */
+interface IRemoteIpAddress {
+
+	/**
+	 * Check if the current remote address is allowed to perform admin actions
+	 * @since 30.0.0
+	 */
+	public function allowsAdminActions(): bool;
+
+	/**
+	 * Check if a given range is valid
+	 * @since 30.0.0
+	 */
+	public function isValidRangeString(string $rangeString): bool;
+
+	/**
+	 * Check if a given remote address is in a list of ranges
+	 *
+	 * @param string[] $rangeStrings
+	 * @since 30.0.0
+	 */
+	public function isRemoteAddressInAnyRange(string $remoteAddress, array $rangeStrings): bool;
+}