A simple example of controlling access to resources based on the origin IP address; this example checks that the request originates from a private IP range.
<?php
require_once 'Zend/Acl/Assert/Interface.php';
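/**
 * ACL assertion that passes only when the REMOTE_ADDR of the request lies in
 * one of the RFC 1918 private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12,
 * 192.168.0.0/16).
 *
 * Security notes for anyone relying on this as an access control:
 * - REMOTE_ADDR is the address of the directly connected peer. Behind a
 *   reverse proxy or load balancer that peer is the proxy itself, which
 *   usually sits on a private network, so every request would pass. In that
 *   deployment the client address must come from the proxy's forwarded
 *   header, and only after confirming the connection came from a trusted
 *   proxy; a client-supplied X-Forwarded-For value must never be trusted
 *   on its own.
 * - Only IPv4 is understood. IPv6 peers (including ::1) and any value that
 *   ip2long() cannot parse are denied (fail closed).
 * - Loopback (127.0.0.0/8) and link-local (169.254.0.0/16) are not in the
 *   allowed ranges and are therefore denied.
 *
 * @author zircote
 */
class PrivateIPAssertion implements Zend_Acl_Assert_Interface
{
    /**
     * Decide the ACL query from the peer address alone; the ACL, role,
     * resource and privilege arguments are not consulted.
     *
     * @param Zend_Acl                         $acl
     * @param Zend_Acl_Role_Interface|null     $role
     * @param Zend_Acl_Resource_Interface|null $resource
     * @param string|null                      $privilege
     * @return bool true when REMOTE_ADDR is a private IPv4 address
     */
    public function assert (
        Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
        Zend_Acl_Resource_Interface $resource = null, $privilege = null
    )
    {
        // REMOTE_ADDR is absent outside a web request (CLI, cron). Deny
        // rather than raise a notice and evaluate an undefined value.
        if (!isset($_SERVER['REMOTE_ADDR'])) {
            return false;
        }
        return $this->_isValidIP($_SERVER['REMOTE_ADDR']);
    }

    /**
     * Check whether a dotted-quad IPv4 address falls inside a private range.
     * Range bounds are inclusive (the Zend_Validate_Between default).
     *
     * @assert ('10.0.0.1') == true
     * @assert ('192.168.0.1') == true
     * @assert ('68.45.32.17') == false
     *
     * @param string $ip
     * @return bool
     */
    protected function _isValidIP ($ip)
    {
        // ip2long() returns false for anything that is not a well-formed
        // IPv4 address. Reject it explicitly instead of relying on the
        // resulting "0" happening to fall outside every range.
        if (!is_string($ip) || ip2long($ip) === false) {
            return false;
        }

        $ipLong = $this->_ip2Long($ip);
        $privateRanges = array(
            array('10.0.0.0', '10.255.255.255'),
            array('172.16.0.0', '172.31.255.255'),
            array('192.168.0.0', '192.168.255.255'),
        );

        foreach ($privateRanges as $range) {
            $between = new Zend_Validate_Between(
                array(
                    'min' => $this->_ip2Long($range[0]),
                    'max' => $this->_ip2Long($range[1])
                )
            );
            if ($between->isValid($ipLong)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Convert a dotted-quad IPv4 address to its unsigned decimal string.
     *
     * The %u format keeps addresses above 127.255.255.255 positive on
     * platforms where ip2long() yields a signed 32-bit integer.
     *
     * @param string $ip
     * @return string
     */
    protected function _ip2Long($ip)
    {
        return sprintf('%u',ip2long($ip));
    }
}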
I have also added the supporting unit test. Note that I am using reflection on the method in order to make it accessible for testing. It should also be noted that, in order to generate the tests, you must change the method from protected to public so that PHPUnit will recognize the annotated assertions and generate the desired tests.
<?php
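/**
 * Test class for PrivateIPAssertion.
 * Generated by PHPUnit on 2011-06-11 at 19:38:41.
 *
 * The first three tests were generated from the @assert annotations. The
 * remaining ones are hand-written: they cover the 172.16.0.0/12 range, the
 * inclusive edges of every range, and malformed or non-IPv4 input, which
 * are the places where an IP allow-list most easily goes wrong.
 */
class PrivateIPAssertionTest extends PHPUnit_Framework_TestCase
{
    /**
     * Instance under test.
     *
     * @var PrivateIPAssertion
     */
    protected $object;

    /**
     * Reflection handle on the protected _isValidIP method.
     *
     * @var ReflectionMethod
     */
    protected $method;

    /**
     * Creates the assertion object and makes its protected _isValidIP
     * method callable. This method is called before a test is executed.
     */
    protected function setUp()
    {
        /* set the protected method visible */
        $this->object = new PrivateIPAssertion();
        $this->method = new ReflectionMethod('PrivateIPAssertion', '_isValidIP');
        $this->method->setAccessible(true);
    }

    /**
     * Releases the fixture. This method is called after a test is executed.
     */
    protected function tearDown()
    {
        $this->object = null;
        $this->method = null;
    }

    /**
     * Generated from @assert ('10.0.0.1') == true.
     */
    public function test_isValidIP()
    {
        $this->assertTrue(
            $this->method->invoke($this->object,'10.0.0.1')
        );
    }

    /**
     * Generated from @assert ('192.168.0.1') == true.
     */
    public function test_isValidIP2()
    {
        $this->assertTrue(
            $this->method->invoke($this->object,'192.168.0.1')
        );
    }

    /**
     * Generated from @assert ('68.45.32.17') == false.
     */
    public function test_isValidIP3()
    {
        $this->assertFalse(
            $this->method->invoke($this->object,'68.45.32.17')
        );
    }

    /**
     * The first and last address of each private range must be accepted.
     */
    public function test_isValidIPAcceptsRangeEdges()
    {
        $inside = array(
            '10.0.0.0', '10.255.255.255',
            '172.16.0.0', '172.16.0.1', '172.31.255.255',
            '192.168.0.0', '192.168.255.255',
        );
        foreach ($inside as $ip) {
            $this->assertTrue(
                $this->method->invoke($this->object, $ip),
                $ip . ' should be treated as private'
            );
        }
    }

    /**
     * Addresses immediately outside each private range must be rejected.
     */
    public function test_isValidIPRejectsJustOutsideRanges()
    {
        $outside = array(
            '9.255.255.255', '11.0.0.0',
            '172.15.255.255', '172.32.0.0',
            '192.167.255.255', '192.169.0.0',
        );
        foreach ($outside as $ip) {
            $this->assertFalse(
                $this->method->invoke($this->object, $ip),
                $ip . ' should not be treated as private'
            );
        }
    }

    /**
     * Malformed or non-IPv4 input must be denied rather than matched.
     */
    public function test_isValidIPRejectsMalformedInput()
    {
        $malformed = array('', 'not-an-ip', '10.0.0.256', '::1');
        foreach ($malformed as $ip) {
            $this->assertFalse(
                $this->method->invoke($this->object, $ip),
                var_export($ip, true) . ' should be rejected'
            );
        }
    }
}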