hostrestriction.php

<?php
namespace Bitrix\Security;
 
use Bitrix\Main\Config;
use Bitrix\Main\Context;
use Bitrix\Main\Data;
use Bitrix\Main\EventManager;
use Bitrix\Main\Loader;
use Bitrix\Main\ArgumentNullException;
use Bitrix\Main\ArgumentOutOfRangeException;
use Bitrix\Main\ArgumentTypeException;
 
class HostRestriction
{
    const ACTION_REDIRECT = 'redirect';
    const ACTION_STOP = 'stop';
 
    private $optionPrefix = 'restriction_hosts_';
    private $cacheInitPath = 'security';
    private $cacheId = 'restriction_hosts';
    private $cacheTtl = 31536000; //one year
    private $action = 'stop';
    private $actionOptions = array();
    private $isLogNeeded = true;
    private $hosts = null;
    private $validActions = array(
        self::ACTION_REDIRECT,
        self::ACTION_STOP
    );
    private $validationRegExp = null;
    private $isActive = null;
 
    public static function onPageStart()
    {
        if (\CSecuritySystemInformation::isCliMode())
            return;
 
        $instance = new static;
        $instance->process();
    }
 
    public function __construct()
    {
        $this->hosts = Config\Option::get('security', $this->optionPrefix.'hosts', '');
        $this->action = Config\Option::get('security', $this->optionPrefix.'action', '');
        $this->actionOptions = unserialize(Config\Option::get('security', $this->optionPrefix.'action_options', '{}'), ['allowed_classes' => false]);
        $this->isLogNeeded = Config\Option::get('security', $this->optionPrefix.'logging', false);
    }
 
    public function process($host = null)
    {
        if (is_null($host))
            $host = $this->getTargetHost();
 
        if ($this->isValidHost($host))
            return $this;
 
        if ($this->isLogNeeded)
            $this->log($host);
 
        $this->doActions();
 
        return $this;
    }
 
    public function isValidHost($host)
    {
        if (is_string($host) && $host !== '')
        {
            $count = 0;
            preg_replace($this->getValidationRegExp(), '', $host, 1, $count);
            //var_dump($count);
            if ($count)
            {
                return true;
            }
        }
        return false;
    }
 
    public function getProperties()
    {
        return array(
            'hosts' => $this->hosts,
            'current_host' => $this->getTargetHost(),
            'action' => $this->action,
            'action_options' => $this->actionOptions,
            'logging' => $this->isLogNeeded,
            'active' => is_null($this->isActive)? $this->getActive(): $this->isActive
        );
    }
 
    public function setProperties(array $properties)
    {
        if (isset($properties['hosts']))
        {
            $this->setHosts($properties['hosts']);
        }
 
        if (isset($properties['action']))
        {
            if (isset($properties['action_options']))
            {
                $this->setAction($properties['action'], $properties['action_options']);
            }
            else
            {
                $this->setAction($properties['action']);
            }
        }
 
        if (isset($properties['logging']))
        {
            $this->setLogging($properties['logging']);
        }
 
        if (isset($properties['active']))
        {
            $this->setActive($properties['active']);
        }
 
        return $this;
    }
 
    public function getAction()
    {
        return $this->action;
    }
 
    public function getActionOptions()
    {
        return $this->actionOptions;
    }
 
    public function setAction($action, array $options = array())
    {
        if (!$action)
            throw new ArgumentNullException('action');
 
        if (!is_string($action))
            throw new ArgumentTypeException('action', 'string');
 
        if (!in_array($action, $this->validActions))
            throw new ArgumentOutOfRangeException('action', $this->validActions);
 
        if ($action === self::ACTION_REDIRECT)
        {
            if (!isset($options['host']) || !$options['host'])
                throw new LogicException('options[host] not present', 'SECURITY_HOSTS_EMPTY_HOST_ACTION');
 
            if (!preg_match('#^https?://#', $options['host']))
                throw new LogicException('invalid redirecting host present in options[host]', 'SECURITY_HOSTS_INVALID_HOST_ACTION');
        }
 
 
        $this->action = $action;
        $this->actionOptions = $options;
 
        return $this;
    }
 
    public function getLogging()
    {
        return $this->isLogNeeded;
    }
 
    public function setLogging($isLogNeeded = true)
    {
        if (!is_bool($isLogNeeded))
            throw new ArgumentTypeException('isLogNeeded', 'bool');
 
        $this->isLogNeeded = $isLogNeeded;
 
        return $this;
    }
 
    public function getActive()
    {
        if (is_null($this->isActive))
            $this->isActive = $this->isBound();
 
        return $this->isActive;
    }
 
    public function setActive($isActive = false)
    {
        if (!is_bool($isActive))
            throw new ArgumentTypeException('isActive', 'bool');
 
        $this->isActive = $isActive;
 
        return $this;
    }
 
    public function getHosts()
    {
        return $this->hosts;
    }
 
    public function setHosts($hosts, $ignoreChecking = false)
    {
        if (!is_string($hosts))
            throw new ArgumentTypeException('host', 'string');
 
        if (!$ignoreChecking)
            $this->checkNewHosts($hosts);
 
        $this->hosts = $hosts;
 
        return $this;
    }
 
    public function getValidationRegExp()
    {
        if ($this->validationRegExp === null)
        {
            $cache = Data\Cache::createInstance();
            if($cache->initCache($this->cacheTtl, $this->cacheId, $this->cacheInitPath) )
            {
                $this->validationRegExp = $cache->getVars();
            }
            else
            {
                $this->validationRegExp = $this->genValidationRegExp($this->hosts);
                $cache->startDataCache();
                $cache->endDataCache($this->validationRegExp);
            }
        }
 
        return $this->validationRegExp;
    }
 
    public function save()
    {
        Config\Option::set('security', $this->optionPrefix.'hosts', $this->hosts, '');
        Config\Option::set('security', $this->optionPrefix.'action', $this->action, '');
        Config\Option::set('security', $this->optionPrefix.'action_options', serialize($this->actionOptions), '');
        Config\Option::set('security', $this->optionPrefix.'logging', $this->isLogNeeded, '');
        if (!is_null($this->isActive))
        {
 
            if ($this->isActive)
            {
                EventManager::getInstance()
                    ->registerEventHandler('main', 'OnPageStart', 'security', get_class($this), 'onPageStart');
            }
            else
            {
                EventManager::getInstance()
                    ->unRegisterEventHandler('main', 'OnPageStart', 'security', get_class($this), 'onPageStart');
            }
        }
        Data\Cache::createInstance()->clean($this->cacheId, $this->cacheInitPath);
 
        return $this;
    }
 
    protected function isBound()
    {
        $handlers = EventManager::getInstance()->findEventHandlers('main', 'OnPageStart', array('security'));
 
        foreach($handlers as $handler)
        {
            if ($handler['TO_CLASS'] === get_class($this))
                return true;
        }
 
        return false;
    }
 
    protected function getTargetHost()
    {
        static $host = null;
        if (is_null($host))
            $host = Context::getCurrent()->getServer()->getHttpHost();
 
        return $host;
    }
 
    protected function log($host)
    {
        return \CSecurityEvent::getInstance()->doLog('SECURITY', 'SECURITY_HOST_RESTRICTION', 'HTTP_HOST', $host);
    }
 
    protected function doActions()
    {
        switch($this->action)
        {
            case self::ACTION_STOP:
                include Loader::getLocal('/admin/security_403.php');
                die();
                break;
            case self::ACTION_REDIRECT:
                localRedirect($this->actionOptions['host'], true);
                break;
            default:
                trigger_error('Unknown action', E_USER_WARNING);
        }
 
        return $this;
    }
 
    protected function genValidationRegExp($hosts)
    {
        $hosts = preg_replace('/#.*/', '', $hosts);
        $hosts = trim($hosts, " \t\n\r");
        $hosts = preg_quote($hosts);
        $hosts = preg_replace('~\\\\\*~', '.*', $hosts);
        $hosts = preg_split('~\s+~s', $hosts);
 
        foreach ($hosts as $i => $host)
        {
            $hosts[$i] = "#^\s*($host)(:\d+)?\s*$#iD";
        }
        return $hosts;
    }
 
    protected function checkNewHosts($hosts)
    {
        $this->validationRegExp = $this->genValidationRegExp($hosts);
 
        $count = 0;
        preg_replace($this->validationRegExp, '', $this->getTargetHost(), 1, $count);
        if (!$count)
            throw new LogicException('Current host blocked', 'SECURITY_HOSTS_SELF_BLOCK');
 
        $count = 0;
        preg_replace($this->validationRegExp, '', 'some-invalid-host.com', 1, $count);
        if ($count)
            throw new LogicException('Any host passed restrictions', 'SECURITY_HOSTS_ANY_HOST');
 
        return $this;
    }
}