feat(settings): Add settings to mock IPs and proxy behavior

Author: julienloizelet

.github/workflows/test-suite.yml

@@ -17,6 +17,11 @@ jobs:
     name: Test suite
     runs-on: ubuntu-latest
     if: ${{ !contains(github.event.head_commit.message, 'chore(') }}
+    env:
+      EXTENSION_PATH: "my-own-modules/crowdsec-php-lib"
+      JP_TEST_IP: "210.249.74.42"
+      IPV6_TEST_IP: "2001:0db8:0000:85a3:0000:0000:ac1f:8001"
+      IPV6_TEST_PROXY_IP: "2345:0425:2CA1:0000:0000:0567:5673:23b5"
 
     steps:
       - name: Clone DDEV files
@@ -70,18 +75,18 @@ jobs:
           path: my-own-modules/crowdsec-php-lib
 
       - name: Validate composer.json
-        run: ddev composer validate --strict --working-dir ./my-own-modules/crowdsec-php-lib
+        run: ddev composer validate --strict --working-dir ./${{env.EXTENSION_PATH}}
 
       - name: Install CrowdSec lib dependencies
         run: |
-          ddev composer update --working-dir ./my-own-modules/crowdsec-php-lib
+          ddev composer update --working-dir ./${{env.EXTENSION_PATH}}
 
       - name: Prepare PHP UNIT tests
         run: |
           ddev create-watcher PhpUnitTestMachine PhpUnitTestMachinePassword
-          ddev maxmind-download DEFAULT GeoLite2-City /var/www/html/my-own-modules/crowdsec-php-lib/tests
-          ddev maxmind-download DEFAULT GeoLite2-Country /var/www/html/my-own-modules/crowdsec-php-lib/tests
-          cd my-own-modules/crowdsec-php-lib/tests
+          ddev maxmind-download DEFAULT GeoLite2-City /var/www/html/${{env.EXTENSION_PATH}}/tests
+          ddev maxmind-download DEFAULT GeoLite2-Country /var/www/html/${{env.EXTENSION_PATH}}/tests
+          cd ${{env.EXTENSION_PATH}}/tests
           sha256sum -c GeoLite2-Country.tar.gz.sha256.txt
           sha256sum -c GeoLite2-City.tar.gz.sha256.txt
           tar -xf GeoLite2-Country.tar.gz
@@ -90,36 +95,38 @@ jobs:
 
       - name: Run PHP UNIT tests (IP verification)
         run: |
-          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} LAPI_URL=http://crowdsec:8080 MEMCACHED_DSN=memcached://memcached:11211 REDIS_DSN=redis://redis:6379 /usr/bin/php ./my-own-modules/crowdsec-php-lib/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./my-own-modules/crowdsec-php-lib/tests/Integration/IpVerificationTest.php
+          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} LAPI_URL=http://crowdsec:8080 MEMCACHED_DSN=memcached://memcached:11211 REDIS_DSN=redis://redis:6379 /usr/bin/php ./${{env.EXTENSION_PATH}}/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./${{env.EXTENSION_PATH}}/tests/Integration/IpVerificationTest.php
 
       - name: Run PHP UNIT tests (Geolocation)
         run: |
-          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} LAPI_URL=http://crowdsec:8080  /usr/bin/php ./my-own-modules/crowdsec-php-lib/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./my-own-modules/crowdsec-php-lib/tests/Integration/GeolocationTest.php
+          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} LAPI_URL=http://crowdsec:8080  /usr/bin/php ./${{env.EXTENSION_PATH}}/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./${{env.EXTENSION_PATH}}/tests/Integration/GeolocationTest.php
 
       - name: Prepare Standalone Bouncer end-to-end tests
         run: |
           ddev create-watcher
           cd ${{ github.workspace }}/.ddev
           ddev nginx-config custom_files/crowdsec-prepend-nginx-site.conf
           cd ${{ github.workspace }}
-          cp .ddev/custom_files/crowdsec/cache-actions.php my-own-modules/crowdsec-php-lib/scripts/public/cache-actions.php
-          cp .ddev/custom_files/crowdsec/geolocation-test.php my-own-modules/crowdsec-php-lib/scripts/public/geolocation-test.php
-          cp .ddev/custom_files/crowdsec-lib-settings.php crowdsec-lib-settings.php
+          cp ${{env.EXTENSION_PATH}}/tests/end-to-end/php-scripts/cache-actions.php.dist ${{env.EXTENSION_PATH}}/scripts/public/cache-actions.php
+          cp ${{env.EXTENSION_PATH}}/tests/end-to-end/php-scripts/geolocation-test.php.dist ${{env.EXTENSION_PATH}}/scripts/public/geolocation-test.php
+          cp ${{env.EXTENSION_PATH}}/tests/end-to-end/settings/base.php.dist crowdsec-lib-settings.php
           sed -i -e 's/REPLACE_API_KEY/${{ env.BOUNCER_KEY }}/g' crowdsec-lib-settings.php
           sed -i -e 's/REPLACE_PROXY_IP/${{ env.PROXY_IP }}/g' crowdsec-lib-settings.php
-          mv crowdsec-lib-settings.php my-own-modules/crowdsec-php-lib/scripts/auto-prepend/settings.php
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib/tests/end-to-end/__scripts__
+          sed -i -e 's/REPLACE_FORCED_IP//g' crowdsec-lib-settings.php
+          sed -i -e 's/REPLACE_FORCED_FORWARDED_IP//g' crowdsec-lib-settings.php
+          mv crowdsec-lib-settings.php ${{env.EXTENSION_PATH}}/scripts/auto-prepend/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/__scripts__
           chmod +x test-init.sh
           ./test-init.sh
           chmod +x run-tests.sh
 
       - name: Verify auto_prepend_file directive
         run: |
           cd ${{ github.workspace }}
-          cp .ddev/custom_files/phpinfo.php my-own-modules/crowdsec-php-lib/scripts/public/phpinfo.php
-          curl -v https://${{ env.PHP_VERSION_CODE }}.ddev.site/my-own-modules/crowdsec-php-lib/scripts/public/phpinfo.php
-          PREPENDVERIF=$(curl https://${{ env.PHP_VERSION_CODE }}.ddev.site/my-own-modules/crowdsec-php-lib/scripts/public/phpinfo.php | grep -o -E "auto_prepend_file=(.*)php(.*)" | sed 's/<\/tr>//g; s/<\/td>//g;' | tr '\n' '#')
-          if [[ $PREPENDVERIF == "auto_prepend_file=/var/www/html/my-own-modules/crowdsec-php-lib/scripts/auto-prepend/bounce.php#auto_prepend_file=/var/www/html/my-own-modules/crowdsec-php-lib/scripts/auto-prepend/bounce.php#" ]]
+          cp .ddev/custom_files/phpinfo.php ${{env.EXTENSION_PATH}}/scripts/public/phpinfo.php
+          curl -v https://${{ env.PHP_VERSION_CODE }}.ddev.site/${{env.EXTENSION_PATH}}/scripts/public/phpinfo.php
+          PREPENDVERIF=$(curl https://${{ env.PHP_VERSION_CODE }}.ddev.site/${{env.EXTENSION_PATH}}/scripts/public/phpinfo.php | grep -o -E "auto_prepend_file=(.*)php(.*)" | sed 's/<\/tr>//g; s/<\/td>//g;' | tr '\n' '#')
+          if [[ $PREPENDVERIF == "auto_prepend_file=/var/www/html/${{env.EXTENSION_PATH}}/scripts/auto-prepend/bounce.php#auto_prepend_file=/var/www/html/my-own-modules/crowdsec-php-lib/scripts/auto-prepend/bounce.php#" ]]
           then
               echo "AUTO PREPEND FILE OK"
           else
@@ -130,27 +137,42 @@ jobs:
             
       - name: Run Standalone Bouncer end-to-end test (live mode without geolocation)
         run: |
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib/tests/end-to-end/__scripts__
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}
+          cat scripts/auto-prepend/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/__scripts__
           ./run-tests.sh ci "./__tests__/1-live-mode.js"
 
       - name: Run Standalone Bouncer end-to-end test (live mode with geolocation)
         run: |
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}
           sed -i  's/\x27enabled\x27 => false/\x27enabled\x27 => true/g' scripts/auto-prepend/settings.php
-          sed -i  's/\x27forced_test_ip\x27 => \x27\x27/\x27forced_test_ip\x27 => \x27210.249.74.42\x27/g' scripts/auto-prepend/settings.php
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib/tests/end-to-end/__scripts__
+          sed -i  's/\x27forced_test_forwarded_ip\x27 => \x27\x27/\x27forced_test_forwarded_ip\x27 => \x27${{env.JP_TEST_IP}}\x27/g' scripts/auto-prepend/settings.php
+          cat scripts/auto-prepend/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/__scripts__
           ./run-tests.sh ci "./__tests__/2-live-mode-with-geolocation.js"
 
       - name: Run Standalone Bouncer end-to-end test (stream mode without geolocation)
         run: |
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}
           sed -i  's/\x27enabled\x27 => true/\x27enabled\x27 => false/g' scripts/auto-prepend/settings.php
-          sed -i  's/\x27forced_test_ip\x27 => \x27210.249.74.42\x27/\x27forced_test_ip\x27 => \x27\x27/g' scripts/auto-prepend/settings.php
+          sed -i  's/\x27forced_test_forwarded_ip\x27 => \x27${{env.JP_TEST_IP}}\x27/\x27forced_test_forwarded_ip\x27 => \x27\x27/g' scripts/auto-prepend/settings.php
           sed -i  's/\x27stream_mode\x27 => false/\x27stream_mode\x27 => true/g' scripts/auto-prepend/settings.php
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib/tests/end-to-end/__scripts__
+          cat scripts/auto-prepend/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/__scripts__
           ./run-tests.sh ci "./__tests__/3-stream-mode.js"
 
       - name: Run Standalone Bouncer end-to-end test (standalone geolocation)
         run: |
-          cd ${{ github.workspace }}/my-own-modules/crowdsec-php-lib/tests/end-to-end/__scripts__
-          ./run-tests.sh ci "./__tests__/4-geolocation.js"
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/__scripts__
+          ./run-tests.sh ci "./__tests__/4-geolocation.js"
+
+      - name: Run Standalone Bouncer end-to-end test (live mode with IPv6)
+        run: |
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}
+          sed -i  's/\x27forced_test_forwarded_ip\x27 => \x27\x27/\x27forced_test_forwarded_ip\x27 => \x27${{env.IPV6_TEST_IP}}\x27/g' scripts/auto-prepend/settings.php
+          sed -i  's/\x27forced_test_ip\x27 => \x27\x27/\x27forced_test_ip\x27 => \x27${{env.IPV6_TEST_PROXY_IP}}\x27/g' scripts/auto-prepend/settings.php
+          sed -i -e 's/${{ env.PROXY_IP }}/${{env.IPV6_TEST_PROXY_IP}}/g' scripts/auto-prepend/settings.php
+          sed -i  's/\x27stream_mode\x27 => true/\x27stream_mode\x27 => false/g' scripts/auto-prepend/settings.php
+          cat scripts/auto-prepend/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/__scripts__
+          ./run-tests.sh ci "./__tests__/1-live-mode.js"

docs/USER_GUIDE.md

@@ -134,7 +134,14 @@ Here is the list of available settings:
 
 - `display_errors`: true to stop the process and display errors on browser if any.
 
-- `forced_test_ip`: Only for test or debug purpose. Default to empty. If not empty, it will be used for all remediation and geolocation processes.
+- `forced_test_ip`: Only for test or debug purpose. Default to empty. If not empty, it will be used instead of the 
+  real remote ip.
+
+- `forced_test_forwarded_ip`: Only for test or debug purpose. Default to empty. If not empty, it will be used instead of the real forwarded ip.
+
+- `forced_test_never_use_forwarded`:  Only for test or debug purpose. Default to false. Set to true if you never 
+  want to use the x-forwarded-for mechanism.
+
 ##### Bouncer behavior
 
 - `bouncing_level`:  Select from `bouncing_disabled`, `normal_bouncing` or `flex_bouncing`. Choose if you want to apply CrowdSec directives (Normal bouncing) or be more permissive (Flex bouncing). With the `Flex mode`, it is impossible to accidentally block access to your site to people who don’t deserve it. This mode makes it possible to never ban an IP but only to offer a Captcha, in the worst-case scenario.

scripts/auto-prepend/settings.example.php

@@ -35,10 +35,22 @@
 
     /** Only for test or debug purpose. Default to empty.
      *
-     * If not empty, it will be used for all remediation and geolocation processes.
+     * If not empty, it will be used instead of the real remote ip.
      */
     'forced_test_ip' => '',
 
+    /** Only for test or debug purpose. Default to empty.
+     *
+     * If not empty, it will be used instead of the real forwarded ip.
+     */
+    'forced_test_forwarded_ip' => '',
+
+    /** Only for test or debug purpose. Default to false.
+     *
+     * Set to true if you never want to use the x-forwarded-for mechanism.
+     */
+    'forced_test_never_use_forwarded' => false,
+
     /** Select from 'bouncing_disabled', 'normal_bouncing' or 'flex_bouncing'.
      *
      * Choose if you want to apply CrowdSec directives (Normal bouncing) or be more permissive (Flex bouncing).

src/AbstractBounce.php

@@ -44,7 +44,7 @@ abstract class AbstractBounce implements IBounce
 
     protected function getIntegerSettings(string $name): int
     {
-        return !empty($this->settings[$name]) ? (int) $this->settings[$name] : 0;
+        return !empty($this->settings[$name]) ? (int)$this->settings[$name] : 0;
     }
 
     protected function getBoolSettings(string $name): bool
@@ -54,12 +54,12 @@ protected function getBoolSettings(string $name): bool
 
     protected function getStringSettings(string $name): string
     {
-        return !empty($this->settings[$name]) ? (string) $this->settings[$name] : '';
+        return !empty($this->settings[$name]) ? (string)$this->settings[$name] : '';
     }
 
     protected function getArraySettings(string $name): array
     {
-        return !empty($this->settings[$name]) ? (array) $this->settings[$name] : [];
+        return !empty($this->settings[$name]) ? (array)$this->settings[$name] : [];
     }
 
     /**
@@ -111,35 +111,56 @@ protected function initLoggerHelper(string $logDirectoryPath, string $loggerName
         }
     }
 
+    /**
+     * Decide if we use forward (default behavior) or if it depends on test settings
+     *
+     * @param $settings
+     * @return bool
+     */
+    protected function shouldUseForward($settings)
+    {
+        return empty($settings['forced_test_never_use_forwarded']);
+    }
+
     /**
      * @throws Exception|InvalidArgumentException
      */
     protected function bounceCurrentIp(): void
     {
-        $ip = $this->getRemoteIp();
-        // X-Forwarded-For override
-        $XForwardedForHeader = $this->getHttpRequestHeader('X-Forwarded-For');
-        if (null !== $XForwardedForHeader) {
-            $ipList = array_map('trim', array_values(array_filter(explode(',', $XForwardedForHeader))));
-            $forwardedIp = end($ipList);
-            if ($this->shouldTrustXforwardedFor($ip)) {
-                $ip = $forwardedIp;
-            } else {
-                $this->logger->warning('', [
-                'type' => 'NON_AUTHORIZED_X_FORWARDED_FOR_USAGE',
-                'original_ip' => $ip,
-                'x_forwarded_for_ip' => $forwardedIp,
-                ]);
-            }
-        }
-
         try {
             if (!$this->bouncer) {
                 throw new BouncerException('Bouncer must be instantiated to bounce an IP.');
             }
-            $ipToCheck = !empty($this->settings['forced_test_ip']) ? $this->settings['forced_test_ip'] : $ip;
-            $remediation = $this->bouncer->getRemediationForIp($ipToCheck);
-            $this->handleRemediation($remediation, $ipToCheck);
+            // Retrieve the current IP (even if it is a proxy IP) or a testing IP
+            $ip = !empty($this->settings['forced_test_ip']) ? $this->settings['forced_test_ip'] : $this->getRemoteIp();
+            if ($this->shouldUseForward($this->settings)) {
+                // Retrieve the forwarded IP (testing one or real)
+                if (!empty($this->settings['forced_test_forwarded_ip'])) {
+                    $forwardedIp = $this->settings['forced_test_forwarded_ip'];
+                } elseif ($XForwardedForHeader = $this->getHttpRequestHeader('X-Forwarded-For')) {
+                    $ipList = array_map('trim', array_values(array_filter(explode(',', $XForwardedForHeader))));
+                    $forwardedIp = end($ipList);
+                }
+                if (isset($forwardedIp)) {
+                    if ($this->shouldTrustXforwardedFor($ip)) {
+                        $this->logger->debug('', [
+                            'type' => 'AUTHORIZED_X_FORWARDED_FOR_USAGE',
+                            'original_ip' => $ip,
+                        ]);
+                        $ip = $forwardedIp;
+                    } else {
+                        $this->logger->warning('', [
+                            'type' => 'NON_AUTHORIZED_X_FORWARDED_FOR_USAGE',
+                            'original_ip' => $ip,
+                            'x_forwarded_for_ip' => $forwardedIp ?? 'undefined',
+                        ]);
+                    }
+                } else {
+                    $this->logger->debug('', ['type' => 'X_FORWARDED_FOR_NOT_FOUND']);
+                }
+            }
+            $remediation = $this->bouncer->getRemediationForIp($ip);
+            $this->handleRemediation($remediation, $ip);
         } catch (Exception $e) {
             $this->logger->warning('', [
                 'type' => 'UNKNOWN_EXCEPTION_WHILE_BOUNCING',
@@ -185,8 +206,8 @@ protected function displayCaptchaWall(string $ip): void
             $ip
         );
         $body = Bouncer::getCaptchaHtmlTemplate(
-            (bool) $captchaVariables['crowdsec_captcha_resolution_failed'],
-            (string) $captchaVariables['crowdsec_captcha_inline_image'],
+            (bool)$captchaVariables['crowdsec_captcha_resolution_failed'],
+            (string)$captchaVariables['crowdsec_captcha_inline_image'],
             '',
             $options
         );
@@ -225,7 +246,7 @@ protected function handleCaptchaResolutionForm(string $ip)
         }
 
         // Handle image refresh.
-        if (null !== $this->getPostedVariable('refresh') && (int) $this->getPostedVariable('refresh')) {
+        if (null !== $this->getPostedVariable('refresh') && (int)$this->getPostedVariable('refresh')) {
             // Generate new captcha image for the user
             $captchaCouple = Bouncer::buildCaptchaCouple();
             $captchaVariables = [
@@ -248,7 +269,7 @@ protected function handleCaptchaResolutionForm(string $ip)
             }
             if (
                 $this->bouncer->checkCaptcha(
-                    (string) $cachedCaptchaVariables['crowdsec_captcha_phrase_to_guess'],
+                    (string)$cachedCaptchaVariables['crowdsec_captcha_phrase_to_guess'],
                     $this->getPostedVariable('phrase'),
                     $ip
                 )
@@ -264,7 +285,7 @@ protected function handleCaptchaResolutionForm(string $ip)
                     'crowdsec_captcha_inline_image',
                     'crowdsec_captcha_resolution_failed',
                     'crowdsec_captcha_resolution_redirect',
-                    ];
+                ];
                 $this->unsetIpVariables(Constants::CACHE_TAG_CAPTCHA, $unsetVariables, $ip);
                 $redirect = $cachedCaptchaVariables['crowdsec_captcha_resolution_redirect'] ?? '/';
                 header("Location: $redirect");
@@ -306,7 +327,7 @@ protected function handleCaptchaRemediation(string $ip)
                 'crowdsec_captcha_resolution_failed' => false,
                 'crowdsec_captcha_resolution_redirect' => 'POST' === $this->getHttpMethod() &&
                                                           !empty($_SERVER['HTTP_REFERER'])
-                                                            ? $_SERVER['HTTP_REFERER'] : '/',
+                    ? $_SERVER['HTTP_REFERER'] : '/',
             ];
             $this->setIpVariables(Constants::CACHE_TAG_CAPTCHA, $captchaVariables, $ip);
         }

src/Configuration.php

@@ -35,6 +35,8 @@ public function getConfigTreeBuilder(): TreeBuilder
                 ->integerNode('api_timeout')->min(Constants::API_TIMEOUT)->defaultValue(Constants::API_TIMEOUT)->end()
                 // Debug
                 ->scalarNode('forced_test_ip')->defaultValue('')->end()
+                ->scalarNode('forced_test_forwarded_ip')->defaultValue('')->end()
+                ->booleanNode('forced_test_never_use_forwarded')->defaultValue(false)->end()
                 ->booleanNode('debug_mode')->defaultValue(false)->end()
                 ->scalarNode('log_directory_path')->end()
                 ->booleanNode('display_errors')->defaultValue(false)->end()