refactor: remove source host allowlist from direct login

This commit is contained in:
Marek Miklewicz
2026-06-30 15:25:54 +02:00
parent b27c5c774a
commit c115b2861d
10 changed files with 11 additions and 83 deletions
-1
View File
@@ -19,7 +19,6 @@ foreach ([
'KeyName.php',
'RateLimiter.php',
'RemoteLoginUrlClient.php',
'SourceAuthorizer.php',
'UrlValidator.php',
] as $file) {
require_once PLUGIN_EXEC_DIR . '/lib/' . $file;
-1
View File
@@ -14,7 +14,6 @@ return static function (): void {
Http::errorPage('Metoda logowania nie jest obsługiwana.', 500);
}
$ctx = DirectAdminContext::fromServer($_SERVER, $settings);
SourceAuthorizer::assertAllowed($ctx->sourceHost(), $settings);
$auditBase = [
'request_id' => bin2hex(random_bytes(8)),
+2 -11
View File
@@ -20,7 +20,7 @@ final class DirectAdminContext
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$/', $username)) {
throw new InvalidArgumentException('Invalid DirectAdmin username');
}
$host = self::trustedSourceHost($server, $settings);
$host = self::trustedSourceHost($server);
if ($host === '') {
throw new InvalidArgumentException('Missing source host');
}
@@ -37,17 +37,8 @@ final class DirectAdminContext
/**
* @param array<string,mixed> $server
*/
private static function trustedSourceHost(array $server, Settings $settings): string
private static function trustedSourceHost(array $server): string
{
$configuredName = $settings->sourceServerName();
if ($configuredName !== '') {
foreach ($settings->allowedSourceHosts() as $allowedHost) {
$label = $settings->sanitizeServerName(explode('.', $allowedHost)[0] ?? '');
if ($label === $configuredName) {
return $allowedHost;
}
}
}
return Settings::normalizeHost((string)($server['SERVER_NAME'] ?? ''));
}
-28
View File
@@ -64,7 +64,6 @@ final class Settings
'MAIL_LOGIN_REDIRECT_URL' => '/',
'LOGIN_KEY_TTL' => '30',
'USER_IP_BOUND' => '1',
'MAIL_LOGIN_ALLOWED_SOURCE_HOSTS' => 's1.abc.pl,serwer.mojserwer.pl,serwer2.xxb.ovh',
'MAIL_LOGIN_SOURCE_SERVER_NAME' => '',
'MAIL_LOGIN_CLIENT_IP_MODE' => 'direct',
'MAIL_LOGIN_TRUSTED_PROXIES' => '',
@@ -136,14 +135,6 @@ final class Settings
return $this->getString('USER_IP_BOUND', '1') === '1';
}
/**
* @return list<string>
*/
public function allowedSourceHosts(): array
{
return $this->csvHosts('MAIL_LOGIN_ALLOWED_SOURCE_HOSTS');
}
public function sourceServerName(): string
{
return $this->sanitizeServerName($this->getString('MAIL_LOGIN_SOURCE_SERVER_NAME', ''));
@@ -213,25 +204,6 @@ final class Settings
return substr($name, 0, 32);
}
/**
* @return list<string>
*/
private function csvHosts(string $key): array
{
$raw = $this->getString($key, '');
if ($raw === '') {
return [];
}
$out = [];
foreach (explode(',', $raw) as $item) {
$host = self::normalizeHost($item);
if ($host !== '') {
$out[] = $host;
}
}
return array_values(array_unique($out));
}
/**
* @return list<string>
*/
-16
View File
@@ -1,16 +0,0 @@
<?php
declare(strict_types=1);
final class SourceAuthorizer
{
public static function assertAllowed(string $sourceHost, Settings $settings): void
{
$allowed = $settings->allowedSourceHosts();
if ($allowed === []) {
throw new RuntimeException('No source host allowlist configured');
}
if (!in_array(Settings::normalizeHost($sourceHost), $allowed, true)) {
throw new RuntimeException('Source host is not allowed');
}
}
}