From 141e5da4b066e45de8991eadfb43410a25aa51cc Mon Sep 17 00:00:00 2001
From: SQAMPY <73666436+sqampy@users.noreply.github.com>
Date: Tue, 28 Nov 2023 11:56:09 +0100
Subject: [PATCH 1/3] Forward the source IP as value for "client" in sendRequest()
---
 src/PrivacyIDEA.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/PrivacyIDEA.php b/src/PrivacyIDEA.php
index bf929b0..d50eb90 100644
--- a/src/PrivacyIDEA.php
+++ b/src/PrivacyIDEA.php
@@ -422,6 +422,19 @@ public function sendRequest(array $params, array $headers, $httpMethod, $endpoin
 assert('string' === gettype($httpMethod));
 assert('string' === gettype($endpoint));
+ /**
+ * Sending the "client" field allows us to use the original IP address in policies in Privacyidea.
+ */
+ $serverHeaders = $_SERVER;
+ foreach(array("X-Forwarded-For", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR") as $clientkey) {
+ if (array_key_exists($clientkey, $serverHeaders)) {
+ $client_ip = $serverHeaders[$clientkey];
+ $this->debugLog("Forwarding Client IP: " . $clientkey . ": " . $client_ip);
+ $params['client'] = $client_ip;
+ break;
+ }
+ }
+ + $this->debugLog("Sending " . http_build_query($params, '', ', ') . " to " . $endpoint);
 $completeUrl = $this->serverURL . $endpoint;
From 446aff01934c1ba9582c8d73bbe30972e601b789 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Wed, 21 Feb 2024 14:32:22 +0100
Subject: [PATCH 2/3] Update PrivacyIDEA.php
---
 src/PrivacyIDEA.php | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/src/PrivacyIDEA.php b/src/PrivacyIDEA.php
index d50eb90..1ef7d2b 100644
--- a/src/PrivacyIDEA.php
+++ b/src/PrivacyIDEA.php
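Review bot: The first lookup key `"X-Forwarded-For"` in the new `foreach` can never match, because PHP exposes request headers in `$_SERVER` only as `HTTP_` plus the upper-cased, underscored name, so `HTTP_X_FORWARDED_FOR` is the only form that exists and the first entry is dead code. The matched value is also copied into `$params['client']` untouched, and X-Forwarded-For is commonly a comma-separated chain (`client, proxy1, proxy2`), so privacyIDEA may receive a string that is not a single IP address and its IP-based policies cannot match it. At minimum select one entry and validate it before use, e.g. `$client_ip = trim(explode(",", $client_ip)[0]);` followed by `if (filter_var($client_ip, FILTER_VALIDATE_IP) === false) { continue; }` so that an unusable header falls through to the next key. Note that ordering a request header ahead of `REMOTE_ADDR` means the value is chosen by the sender unless a reverse proxy overwrites it; the enclosing sendRequest() starts before and continues past this hunk.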
@@ -42,6 +42,9 @@ class PrivacyIDEA
 /* @var string Realm for a service account to the privacyIDEA server. This is required to use the /validate/triggerchallenge endpoint. This is optional. */
 public $serviceAccountRealm = "";
+ /* @var bool Send the "client" parameter to allow using the original IP address in the privacyIDEA policies. */
+ public $forwardClientIP = false;
+
 /* @var object Implementation of the PILog interface. */
 public $logger = null;
@@ -422,18 +425,21 @@ public function sendRequest(array $params, array $headers, $httpMethod, $endpoin
 assert('string' === gettype($httpMethod));
 assert('string' === gettype($endpoint));
- /**
- * Sending the "client" field allows us to use the original IP address in policies in Privacyidea.
- */
- $serverHeaders = $_SERVER;
- foreach(array("X-Forwarded-For", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR") as $clientkey) {
- if (array_key_exists($clientkey, $serverHeaders)) {
- $client_ip = $serverHeaders[$clientkey];
- $this->debugLog("Forwarding Client IP: " . $clientkey . ": " . $client_ip);
- $params['client'] = $client_ip;
- break;
- }
- }
+ // Add the client parameter if wished.
+ if ($this->forwardClientIP === true)
+ {
+ $serverHeaders = $_SERVER;
+ foreach (array("X-Forwarded-For", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR") as $clientKey)
+ {
+ if (array_key_exists($clientKey, $serverHeaders))
+ {
+ $clientIP = $serverHeaders[$clientKey];
+ $this->debugLog("Forwarding Client IP: " . $clientKey . ": " . $clientIP);
+ $params['client'] = $clientIP;
+ break;
+ }
+ }
+ }
 $this->debugLog("Sending " . http_build_query($params, '', ', ') . " to " . $endpoint);
From 56fb73e64c1da5f8f6c1c4896f87f4a899724a07 Mon Sep 17 00:00:00 2001
From: lukasmatusiewicz <77617779+lukasmatusiewicz@users.noreply.github.com>
Date: Wed, 21 Feb 2024 14:39:14 +0100
Subject: [PATCH 3/3] Update ValidateCheckTest.php
---
 test/ValidateCheckTest.php | 1 +
 1 file changed, 1 insertion(+)
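Review bot: The comment on the new `$forwardClientIP` property omits the caveat an operator needs before switching it on: the lookup it enables in sendRequest() consults the X-Forwarded-For request header before `REMOTE_ADDR`, and that header is supplied by whoever sends the HTTP request unless a reverse proxy in front of this application overwrites it. Enabling the flag on a server that is reached directly therefore lets a client choose the address that privacyIDEA's IP policies evaluate. I would extend the property comment to: `/* @var bool Send the "client" parameter so privacyIDEA policies can use the original IP address. Only enable behind a trusted reverse proxy that sets X-Forwarded-For; otherwise the forwarded address is attacker-controlled. */`. The class PrivacyIDEA begins before this hunk.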
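Review bot: The added block trusts `HTTP_X_FORWARDED_FOR` unconditionally and ahead of `REMOTE_ADDR`, so any client that sends an `X-Forwarded-For` header decides what ends up in `$params['client']`, and with it which IP-based privacyIDEA policy (for example one that relaxes MFA for an internal network) applies to the authentication. The header should only be honoured when the directly connected peer (`REMOTE_ADDR`) is a proxy the deployment has declared trusted, the chain should be reduced to a single address, and the result should be validated with `filter_var(..., FILTER_VALIDATE_IP)` before it is sent; the `"X-Forwarded-For"` key can be dropped since `$_SERVER` never contains headers under that spelling. The sketch below introduces a `$trustedProxies` array property alongside `$forwardClientIP` (empty by default, so X-Forwarded-For is ignored until configured) and takes the last chain entry, which is the address appended by the trusted proxy itself. sendRequest() starts before and continues past this hunk.
```php
// Add the client parameter if wished.
if ($this->forwardClientIP === true)
{
    // REMOTE_ADDR is filled in by the web server from the TCP peer and cannot be
    // chosen by the client; X-Forwarded-For is a plain request header and is only
    // meaningful when that peer is a reverse proxy this deployment trusts.
    $clientIP = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "";
    if ($clientIP !== "" && in_array($clientIP, $this->trustedProxies, true)
        && isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
    {
        // The header may be a comma-separated chain; the last entry is the one
        // our own trusted proxy appended, earlier entries are unverified.
        $forwarded = array_map('trim', explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]));
        $clientIP = end($forwarded);
    }
    if (filter_var($clientIP, FILTER_VALIDATE_IP) !== false)
    {
        $this->debugLog("Forwarding Client IP: " . $clientIP);
        $params['client'] = $clientIP;
    }
}
// … unchanged: "Sending ..." debug log and the rest of sendRequest() …
```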
diff --git a/test/ValidateCheckTest.php b/test/ValidateCheckTest.php
index 5a92b6e..ea00235 100644
--- a/test/ValidateCheckTest.php
+++ b/test/ValidateCheckTest.php
@@ -32,6 +32,7 @@ public function setUp(): void
 $this->pi->logger = $this;
 $this->pi->sslVerifyHost = false;
 $this->pi->sslVerifyPeer = false;
+ $this->pi->forwardClientIP = true;
 $this->pi->realm = "testRealm";
 }
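Review bot: Setting `$this->pi->forwardClientIP = true;` in setUp() most likely exercises only the flag check, because under the PHPUnit CLI `$_SERVER` normally carries neither `REMOTE_ADDR` nor `HTTP_X_FORWARDED_FOR`, so the lookup in sendRequest() finds nothing and no `client` parameter is ever sent — the new behaviour stays untested. I would seed the environment in setUp() with `$_SERVER['REMOTE_ADDR'] = '127.0.0.1';` and, in whichever test inspects the outgoing request, assert that the sent parameters include `client=127.0.0.1`; a second case that also sets `HTTP_X_FORWARDED_FOR` would pin which source wins. How requests are captured is outside this hunk, so the exact assertion depends on the existing mock; setUp() begins before the hunk.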