Merge pull request #16 from noplanman/custom_ips

Custom valid IPs

Author: noplanman

CHANGELOG.md

@@ -2,6 +2,8 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
+### Added
+- Ability to define custom valid IPs to access webhook.
 
 ## [0.43.0] - 2017-04-17
 ### Added

README.md

@@ -157,6 +157,8 @@ Here is a list of available extra parameters:
 | ---------            | ----------- |
 | validate_request     | Only allow webhook access from valid Telegram API IPs. |
 | *bool*               | *default is `true`* |
+| valid_ips            | When using `validate_request`, also allow these IPs (single, CIDR, wildcard, range). |
+| *array*              | *e.g.* `['1.2.3.4', '192.168.1.0/24', '10/8', '5.6.*', '1.1.1.1-2.2.2.2']` |
 | webhook              | URL to the manager PHP file used for setting up the Webhook. |
 | *string*             | *e.g.* `'https://example.com/manager.php'` |
 | certificate          | Path to a self-signed certificate (if necessary). |

composer.json

@@ -17,9 +17,16 @@
             "role": "Developer"
         }
     ],
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/noplanman/Utils-IP-Tools"
+        }
+    ],
     "require": {
         "php": "^7.0",
-        "longman/telegram-bot": "^0.43"
+        "longman/telegram-bot": "^0.43",
+        "allty/utils-ip": "dev-master"
     },
     "require-dev": {
         "jakub-onderka/php-parallel-lint": "^0.9.2",

composer.lock

@@ -10,6 +10,7 @@
 
 namespace NPM\TelegramBotManager;
 
+use Allty\Utils\IpTools;
 use Longman\TelegramBot\Entities;
 use Longman\TelegramBot\Request;
 use Longman\TelegramBot\Telegram;
@@ -20,14 +21,9 @@
 class BotManager
 {
     /**
-     * @var string Telegram post servers lower IP limit
+     * @var string Telegram post servers IP range
      */
-    const TELEGRAM_IP_LOWER = '149.154.167.197';
-
-    /**
-     * @var string Telegram post servers upper IP limit
-     */
-    const TELEGRAM_IP_UPPER = '149.154.167.233';
+    const TELEGRAM_IP_RANGE = '149.154.167.197-149.154.167.233';
 
     /**
      * @var string The output for testing, instead of echoing
@@ -470,17 +466,22 @@ public function isValidRequest(): bool
 
         $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
         foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
-            $addr = $_SERVER[$key] ?? null;
-            if (filter_var($addr, FILTER_VALIDATE_IP)) {
-                $ip = $addr;
+            if (filter_var($_SERVER[$key] ?? null, FILTER_VALIDATE_IP)) {
+                $ip = $_SERVER[$key];
                 break;
             }
         }
 
-        $lower_dec = (float) sprintf('%u', ip2long(self::TELEGRAM_IP_LOWER));
-        $upper_dec = (float) sprintf('%u', ip2long(self::TELEGRAM_IP_UPPER));
-        $ip_dec    = (float) sprintf('%u', ip2long($ip));
+        $valid_ips = array_merge(
+            [self::TELEGRAM_IP_RANGE],
+            (array) $this->params->getBotParam('valid_ips', [])
+        );
+        foreach ($valid_ips as $valid_ip) {
+            if (IpTools::ipInRange($ip, $valid_ip)) {
+                return true;
+            }
+        }
 
-        return $ip_dec >= $lower_dec && $ip_dec <= $upper_dec;
+        return false;
     }
 }

src/BotManager.php

@@ -38,6 +38,7 @@ class Params
      */
     private static $valid_extra_bot_params = [
         'validate_request',
+        'valid_ips',
         'webhook',
         'certificate',
         'max_connections',
@@ -72,7 +73,8 @@ class Params
      * api_key (string) Telegram Bot API key
      * bot_username (string) Telegram Bot username
      * secret (string) Secret string to validate calls
-     * validate_request (bool) Only allow webhook access from valid Telegram API IPs
+     * validate_request (bool) Only allow webhook access from valid Telegram API IPs and defined valid_ips
+     * valid_ips (array) Any IPs, besides Telegram API IPs, that are allowed to access the webhook
      * webhook (string) URI of the webhook
      * certificate (string) Path to the self-signed certificate
      * max_connections (int) Maximum allowed simultaneous HTTPS connections to the webhook