MDL-67861 libraries: Refactor is_ip_in_subnet_list in ip_utils
[moodle.git] / lib / classes / ip_utils.php
1<?php
2// This file is part of Moodle - http://moodle.org/
3//
4// Moodle is free software: you can redistribute it and/or modify
5// it under the terms of the GNU General Public License as published by
6// the Free Software Foundation, either version 3 of the License, or
7// (at your option) any later version.
8//
9// Moodle is distributed in the hope that it will be useful,
10// but WITHOUT ANY WARRANTY; without even the implied warranty of
11// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12// GNU General Public License for more details.
13//
14// You should have received a copy of the GNU General Public License
15// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
17/**
18 * Contains a simple class providing some useful internet protocol-related functions.
19 *
20 * @package core
21 * @copyright 2016 Jake Dallimore
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23 * @author Jake Dallimore <jrhdallimore@gmail.com>
24 */
25
26namespace core;
27
// Stop immediately unless the MOODLE_INTERNAL constant is defined, so that loading this file
// on its own does nothing. NOTE(review): presumably Moodle's bootstrap defines it - confirm.
if (!defined('MOODLE_INTERNAL')) {
    exit();
}
29
30/**
31 * Static helper class providing some useful internet-protocol-related functions.
32 *
33 * @package core
34 * @copyright 2016 Jake Dallimore
35 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
36 * @author Jake Dallimore <jrhdallimore@gmail.com>
37 */
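final class ip_utils {
    /**
     * Syntax checking for domain names, including fully qualified domain names.
     *
     * This function does not verify the existence of the domain name. It only verifies syntactic correctness, so a
     * passing value says nothing about what the name resolves to.
     * This is based on RFC1034/1035 and does not provide support for validation of internationalised domain names (IDNs).
     * All IDNs must be prior-converted to their ascii-compatible encoding before being passed to this function.
     *
     * @param string $domainname the input string to check.
     * @return bool true if the string has valid syntax, false otherwise.
     */
    public static function is_domain_name($domainname) {
        return self::has_domain_syntax($domainname, false);
    }

    /**
     * Checks whether the input string is a valid wildcard domain matching pattern.
     *
     * A domain matching pattern is essentially a domain name with a single, leading wildcard (*) label, and at least one other
     * label. The wildcard label is considered to match at least one label at or above (to the left of) its position in the string,
     * but will not match the trailing domain (everything to its right).
     *
     * The string must be dot-separated, and the whole pattern must follow the domain name syntax rules defined in RFC1034/1035.
     * Namely, the character type (ascii), total-length (253) and label-length (63) restrictions. This function only confirms
     * syntactic correctness. It does not check for the existence of the domain/subdomains.
     *
     * For example, the string '*.example.com' is a pattern deemed to match any direct subdomain of
     * example.com (such as test.example.com), any higher level subdomains (e.g. another.test.example.com) but will not match
     * the 'example.com' domain itself.
     *
     * @param string $pattern the string to check.
     * @return bool true if the input string is a valid domain wildcard matching pattern, false otherwise.
     */
    public static function is_domain_matching_pattern($pattern) {
        return self::has_domain_syntax($pattern, true);
    }

    /**
     * Shared syntax check behind is_domain_name() and is_domain_matching_pattern().
     *
     * @param mixed $value the input to check; anything that is not a string is rejected.
     * @param bool $leadingwildcard true to require a single leading '*.' label in front of the name.
     * @return bool true if the value has valid syntax, false otherwise.
     */
    private static function has_domain_syntax($value, $leadingwildcard) {
        if (!is_string($value)) {
            return false;
        }
        // Usually the trailing dot (null label) is omitted, but is valid if supplied. We'll just remove it and validate as normal.
        $value = rtrim($value, '.');

        // The entire name cannot exceed 253 ascii characters (255 octets, less the leading label-length byte and null label byte).
        if (strlen($value) > 253) {
            return false;
        }

        // Labels left of the TLD can have 63 octets max, and must not begin or end with a hyphen.
        // The TLD label cannot begin with a number, but otherwise, is only loosely restricted here (TLD list is not checked).
        $wildcard = $leadingwildcard ? '\*\.' : '';
        $label = '[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?';
        $toplevel = '[a-zA-Z](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?';

        // The D modifier makes '$' match only at the very end of the subject. Without it '$' also matches just before a
        // final newline, so "example.com\n" would be accepted as a valid name.
        $regexp = '#^' . $wildcard . '(?:' . $label . '\.)*' . $toplevel . '$#iD';

        // Returns false for a PCRE error and 0 for no match - both are treated as "not valid".
        return preg_match($regexp, $value) === 1;
    }

    /**
     * Syntax validation for IP addresses, supporting both IPv4 and IPv6 formats.
     *
     * @param string $address the address to check.
     * @return bool true if the address is a valid IPv4 or IPv6 address, false otherwise.
     */
    public static function is_ip_address($address) {
        return filter_var($address, FILTER_VALIDATE_IP) !== false;
    }

    /**
     * Syntax validation for IPv4 addresses.
     *
     * @param string $address the address to check.
     * @return bool true if the address is a valid IPv4 address, false otherwise.
     */
    public static function is_ipv4_address($address) {
        return filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    }

    /**
     * Syntax checking for IPv4 address ranges.
     * Supports CIDR notation and last-group ranges.
     * Eg. 127.0.0.0/24 or 127.0.0.80-255
     *
     * @param string $addressrange the address range to check.
     * @return bool true if the string is a valid range representation, false otherwise.
     */
    public static function is_ipv4_range($addressrange) {
        if (!is_string($addressrange)) {
            return false;
        }

        // Group 1 is the whole dotted quad, group 2 its last octet.
        $quad = '(\d{1,3}\.\d{1,3}\.\d{1,3}\.(\d{1,3}))';

        // Both patterns use the D modifier so that a value ending in a newline is not accepted.

        // Check CIDR notation.
        if (preg_match('#^' . $quad . '/(\d{1,2})$#D', $addressrange, $match)) {
            return self::is_ipv4_address($match[1]) && (int)$match[3] <= 32;
        }

        // Check last-group notation: the end of the range must be an octet no smaller than the start.
        if (preg_match('#^' . $quad . '-(\d{1,3})$#D', $addressrange, $match)) {
            $rangestart = (int)$match[2];
            $rangeend = (int)$match[3];
            return self::is_ipv4_address($match[1]) && $rangeend <= 255 && $rangeend >= $rangestart;
        }

        return false;
    }

    /**
     * Syntax validation for IPv6 addresses.
     * This function does not check whether the address is assigned, only its syntactical correctness.
     *
     * @param string $address the address to check.
     * @return bool true if the address is a valid IPv6 address, false otherwise.
     */
    public static function is_ipv6_address($address) {
        return filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
    }

    /**
     * Syntax validation for IPv6 address ranges.
     * Supports CIDR notation and last-group ranges.
     * Eg. fe80::d98c/64 or fe80::d98c-ffee
     *
     * @param string $addressrange the IPv6 address range to check.
     * @return bool true if the string is a valid range representation, false otherwise.
     */
    public static function is_ipv6_range($addressrange) {
        if (!is_string($addressrange)) {
            return false;
        }

        // Check CIDR notation.
        $ipv6parts = explode('/', $addressrange);
        if (count($ipv6parts) == 2) {
            $range = (int)$ipv6parts[1];
            // Comparing the integer back against the original text rejects anything that is not a plain decimal
            // number (empty string, sign, leading zero, trailing characters).
            return self::is_ipv6_address($ipv6parts[0]) && (string)$range === $ipv6parts[1] && $range >= 0 && $range <= 128;
        }

        // Check last-group notation.
        $ipv6parts = explode('-', $addressrange);
        if (count($ipv6parts) == 2) {
            $addressparts = explode(':', $ipv6parts[0]);
            $rangestart = $addressparts[count($addressparts) - 1];
            $rangeend = $ipv6parts[1];
            // Both ends must be hexadecimal groups of at most four digits, and the end must not precede the start.
            return self::is_ipv6_address($ipv6parts[0]) && ctype_xdigit($rangestart) && ctype_xdigit($rangeend)
                    && strlen($rangeend) <= 4 && strlen($rangestart) <= 4 && hexdec($rangeend) >= hexdec($rangestart);
        }

        return false;
    }

    /**
     * Checks the domain name against a list of allowed domains. The list of allowed domains may use
     * wildcards that match {@link is_domain_matching_pattern()}.
     *
     * Entries that are neither a valid domain name nor a valid wildcard pattern are skipped, so a malformed
     * entry never allows anything. Comparison is case-sensitive.
     *
     * @param string $domain Domain address
     * @param array $alloweddomains An array of allowed domains.
     * @return boolean True if the domain matches one of the entries in the allowed domains list.
     */
    public static function is_domain_in_allowed_list($domain, $alloweddomains) {

        if (!self::is_domain_name($domain)) {
            return false;
        }

        foreach ($alloweddomains as $alloweddomain) {
            if (!is_string($alloweddomain)) {
                continue;
            }

            if (strpos($alloweddomain, '*') !== false) {
                if (!self::is_domain_matching_pattern($alloweddomain)) {
                    continue;
                }
                // Use of wildcard for possible subdomains. A valid pattern always starts with '*.', so dropping the
                // asterisk leaves the '.example.com' suffix the domain has to end with. A plain string comparison
                // is used so that no regular expression is built from the list entry.
                $suffix = substr($alloweddomain, 1);
                if (strlen($domain) > strlen($suffix) && substr($domain, -strlen($suffix)) === $suffix) {
                    return true;
                }
            } else {
                if (!self::is_domain_name($alloweddomain)) {
                    continue;
                }
                // Strict domain setting.
                if ($domain === $alloweddomain) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Is an ip in a given list of subnets?
     *
     * Each list entry may carry a trailing comment: everything from the first '#' onwards is dropped and the
     * remainder is trimmed before it is handed to address_in_subnet(), which is defined outside this file.
     *
     * NOTE(review): the answer is only as trustworthy as $ip. Where the result gates access, callers should pass the
     * address Moodle resolved for the connection rather than a raw client-supplied header - confirm at call sites.
     *
     * @param string $ip - the IP to test against the list
     * @param string $list - the list of IP subnets
     * @param string $delim a delimiter of the list
     * @return bool
     */
    public static function is_ip_in_subnet_list($ip, $list, $delim = "\n") {
        $lines = explode($delim, $list);
        foreach ($lines as $line) {
            $tokens = explode('#', $line);
            $subnet = trim($tokens[0]);
            if (address_in_subnet($ip, $subnet)) {
                return true;
            }
        }
        return false;
    }

}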