Commit 2f492488 authored by mattwire's avatar mattwire

Initial commit

parents
<?php
/**
* @package CRM
* @copyright CiviCRM LLC https://civicrm.org/licensing
*
* Generated from /home/matthew/buildkit/build/d7master/web/sites/default/files/civicrm/ext/firewall/xml/schema/CRM/Firewall/FirewallIpaddress.xml
* DO NOT EDIT. Generated by CRM_Core_CodeGen
* (GenCodeChecksum:fc7cd407630b3df83f5b3418b2cb5a9d)
*/
/**
* Database access object for the FirewallIpaddress entity.
*/
class CRM_Firewall_DAO_FirewallIpaddress extends CRM_Core_DAO {
/**
* Static instance to hold the table name.
*
* @var string
*/
public static $_tableName = 'civicrm_firewall_ipaddress';
/**
* Should CiviCRM log any modifications to this table in the civicrm_log table.
*
* @var bool
*/
public static $_log = TRUE;
/**
* Unique FirewallIpaddress ID
*
* @var int
*/
public $id;
/**
* IP address used
*
* @var string
*/
public $ip_address;
/**
* When the IP address accessed
*
* @var timestamp
*/
public $access_date;
/**
* The type of event that triggered this log
*
* @var string
*/
public $event_type;
/**
* Origin of this access request
*
* @var string
*/
public $source;
/**
* Class constructor.
*/
public function __construct() {
$this->__table = 'civicrm_firewall_ipaddress';
parent::__construct();
}
/**
* Returns all the column names of this table
*
* @return array
*/
public static function &fields() {
if (!isset(Civi::$statics[__CLASS__]['fields'])) {
Civi::$statics[__CLASS__]['fields'] = [
'id' => [
'name' => 'id',
'type' => CRM_Utils_Type::T_INT,
'description' => CRM_Firewall_ExtensionUtil::ts('Unique FirewallIpaddress ID'),
'required' => TRUE,
'where' => 'civicrm_firewall_ipaddress.id',
'table_name' => 'civicrm_firewall_ipaddress',
'entity' => 'FirewallIpaddress',
'bao' => 'CRM_Firewall_DAO_FirewallIpaddress',
'localizable' => 0,
],
'ip_address' => [
'name' => 'ip_address',
'type' => CRM_Utils_Type::T_STRING,
'title' => CRM_Firewall_ExtensionUtil::ts('IP Address'),
'description' => CRM_Firewall_ExtensionUtil::ts('IP address used'),
'maxlength' => 255,
'size' => CRM_Utils_Type::HUGE,
'where' => 'civicrm_firewall_ipaddress.ip_address',
'table_name' => 'civicrm_firewall_ipaddress',
'entity' => 'FirewallIpaddress',
'bao' => 'CRM_Firewall_DAO_FirewallIpaddress',
'localizable' => 0,
],
'access_date' => [
'name' => 'access_date',
'type' => CRM_Utils_Type::T_TIMESTAMP,
'title' => CRM_Firewall_ExtensionUtil::ts('Access Date'),
'description' => CRM_Firewall_ExtensionUtil::ts('When the IP address accessed'),
'required' => TRUE,
'where' => 'civicrm_firewall_ipaddress.access_date',
'default' => 'CURRENT_TIMESTAMP',
'table_name' => 'civicrm_firewall_ipaddress',
'entity' => 'FirewallIpaddress',
'bao' => 'CRM_Firewall_DAO_FirewallIpaddress',
'localizable' => 0,
],
'event_type' => [
'name' => 'event_type',
'type' => CRM_Utils_Type::T_STRING,
'title' => CRM_Firewall_ExtensionUtil::ts('Event Type'),
'description' => CRM_Firewall_ExtensionUtil::ts('The type of event that triggered this log'),
'maxlength' => 64,
'size' => CRM_Utils_Type::BIG,
'where' => 'civicrm_firewall_ipaddress.event_type',
'table_name' => 'civicrm_firewall_ipaddress',
'entity' => 'FirewallIpaddress',
'bao' => 'CRM_Firewall_DAO_FirewallIpaddress',
'localizable' => 0,
],
'source' => [
'name' => 'source',
'type' => CRM_Utils_Type::T_STRING,
'title' => CRM_Firewall_ExtensionUtil::ts('Source'),
'description' => CRM_Firewall_ExtensionUtil::ts('Origin of this access request'),
'maxlength' => 255,
'size' => CRM_Utils_Type::HUGE,
'where' => 'civicrm_firewall_ipaddress.source',
'table_name' => 'civicrm_firewall_ipaddress',
'entity' => 'FirewallIpaddress',
'bao' => 'CRM_Firewall_DAO_FirewallIpaddress',
'localizable' => 0,
],
];
CRM_Core_DAO_AllCoreTables::invoke(__CLASS__, 'fields_callback', Civi::$statics[__CLASS__]['fields']);
}
return Civi::$statics[__CLASS__]['fields'];
}
/**
* Return a mapping from field-name to the corresponding key (as used in fields()).
*
* @return array
* Array(string $name => string $uniqueName).
*/
public static function &fieldKeys() {
if (!isset(Civi::$statics[__CLASS__]['fieldKeys'])) {
Civi::$statics[__CLASS__]['fieldKeys'] = array_flip(CRM_Utils_Array::collect('name', self::fields()));
}
return Civi::$statics[__CLASS__]['fieldKeys'];
}
/**
* Returns the names of this table
*
* @return string
*/
public static function getTableName() {
return self::$_tableName;
}
/**
* Returns if this table needs to be logged
*
* @return bool
*/
public function getLog() {
return self::$_log;
}
/**
* Returns the list of fields that can be imported
*
* @param bool $prefix
*
* @return array
*/
public static function &import($prefix = FALSE) {
$r = CRM_Core_DAO_AllCoreTables::getImports(__CLASS__, 'firewall_ipaddress', $prefix, []);
return $r;
}
/**
* Returns the list of fields that can be exported
*
* @param bool $prefix
*
* @return array
*/
public static function &export($prefix = FALSE) {
$r = CRM_Core_DAO_AllCoreTables::getExports(__CLASS__, 'firewall_ipaddress', $prefix, []);
return $r;
}
/**
* Returns the list of indices
*
* @param bool $localize
*
* @return array
*/
public static function indices($localize = TRUE) {
$indices = [];
return ($localize && !empty($indices)) ? CRM_Core_DAO_AllCoreTables::multilingualize(__CLASS__, $indices) : $indices;
}
}
<?php
use CRM_Firewall_ExtensionUtil as E;
/**
* Collection of upgrade steps.
*/
class CRM_Firewall_Upgrader extends CRM_Firewall_Upgrader_Base {
// By convention, functions that look like "function upgrade_NNNN()" are
// upgrade tasks. They are executed in order (like Drupal's hook_update_N).
/**
* Example: Run an external SQL script when the module is installed.
*
public function install() {
$this->executeSqlFile('sql/myinstall.sql');
}
/**
* Example: Work with entities usually not available during the install step.
*
* This method can be used for any post-install tasks. For example, if a step
* of your installation depends on accessing an entity that is itself
* created during the installation (e.g., a setting or a managed entity), do
* so here to avoid order of operation problems.
*
public function postInstall() {
$customFieldId = civicrm_api3('CustomField', 'getvalue', array(
'return' => array("id"),
'name' => "customFieldCreatedViaManagedHook",
));
civicrm_api3('Setting', 'create', array(
'myWeirdFieldSetting' => array('id' => $customFieldId, 'weirdness' => 1),
));
}
/**
* Example: Run an external SQL script when the module is uninstalled.
*
public function uninstall() {
$this->executeSqlFile('sql/myuninstall.sql');
}
/**
* Example: Run a simple query when a module is enabled.
*
public function enable() {
CRM_Core_DAO::executeQuery('UPDATE foo SET is_active = 1 WHERE bar = "whiz"');
}
/**
* Example: Run a simple query when a module is disabled.
*
public function disable() {
CRM_Core_DAO::executeQuery('UPDATE foo SET is_active = 0 WHERE bar = "whiz"');
}
/**
* Example: Run a couple simple queries.
*
* @return TRUE on success
* @throws Exception
*
public function upgrade_4200() {
$this->ctx->log->info('Applying update 4200');
CRM_Core_DAO::executeQuery('UPDATE foo SET bar = "whiz"');
CRM_Core_DAO::executeQuery('DELETE FROM bang WHERE willy = wonka(2)');
return TRUE;
} // */
/**
* Example: Run an external SQL script.
*
* @return TRUE on success
* @throws Exception
public function upgrade_4201() {
$this->ctx->log->info('Applying update 4201');
// this path is relative to the extension base dir
$this->executeSqlFile('sql/upgrade_4201.sql');
return TRUE;
} // */
/**
* Example: Run a slow upgrade process by breaking it up into smaller chunk.
*
* @return TRUE on success
* @throws Exception
public function upgrade_4202() {
$this->ctx->log->info('Planning update 4202'); // PEAR Log interface
$this->addTask(E::ts('Process first step'), 'processPart1', $arg1, $arg2);
$this->addTask(E::ts('Process second step'), 'processPart2', $arg3, $arg4);
$this->addTask(E::ts('Process second step'), 'processPart3', $arg5);
return TRUE;
}
public function processPart1($arg1, $arg2) { sleep(10); return TRUE; }
public function processPart2($arg3, $arg4) { sleep(10); return TRUE; }
public function processPart3($arg5) { sleep(10); return TRUE; }
// */
/**
* Example: Run an upgrade with a query that touches many (potentially
* millions) of records by breaking it up into smaller chunks.
*
* @return TRUE on success
* @throws Exception
public function upgrade_4203() {
$this->ctx->log->info('Planning update 4203'); // PEAR Log interface
$minId = CRM_Core_DAO::singleValueQuery('SELECT coalesce(min(id),0) FROM civicrm_contribution');
$maxId = CRM_Core_DAO::singleValueQuery('SELECT coalesce(max(id),0) FROM civicrm_contribution');
for ($startId = $minId; $startId <= $maxId; $startId += self::BATCH_SIZE) {
$endId = $startId + self::BATCH_SIZE - 1;
$title = E::ts('Upgrade Batch (%1 => %2)', array(
1 => $startId,
2 => $endId,
));
$sql = '
UPDATE civicrm_contribution SET foobar = whiz(wonky()+wanker)
WHERE id BETWEEN %1 and %2
';
$params = array(
1 => array($startId, 'Integer'),
2 => array($endId, 'Integer'),
);
$this->addTask($title, 'executeSql', $sql, $params);
}
return TRUE;
} // */
}
This diff is collapsed.
<?php
namespace Civi\Api4;
/**
* FirewallIpaddress entity.
*
* Provided by the Firewall extension.
*
* @package Civi\Api4
*/
class FirewallIpaddress extends Generic\DAOEntity {
}
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
namespace Civi\Firewall\Event;
/**
* Class FraudEvent
*/
class FraudEvent extends \Symfony\Component\EventDispatcher\Event {
/**
* @var string
*/
public $ipAddress;
/**
* @var string
*/
public $source;
/**
* @var string
*/
public $eventType;
/**
* FraudEvent constructor.
*
* @param string $ipAddress
* @param string|NULL $source
*/
public function __construct(string $ipAddress, string $source = NULL) {
$this->ipAddress = $ipAddress;
$this->source = $source;
$this->eventType = 'FraudEvent';
}
/**
* Use this to trigger an event from your code with a single line
*
* @param string $ipAddress
* @param string|NULL $source
*/
public static function trigger(string $ipAddress, string $source = NULL) {
$event = new \Civi\Firewall\Event\FraudEvent($ipAddress, $source);
\Civi::dispatcher()->dispatch('civi.firewall.fraud', $event);
}
}
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
namespace Civi\Firewall\Event;
/**
* Class FraudEvent
*/
class InvalidCSRFEvent extends \Symfony\Component\EventDispatcher\Event {
/**
* @var string
*/
public $ipAddress;
/**
* @var string
*/
public $source;
/**
* @var string
*/
public $eventType;
/**
* FraudEvent constructor.
*
* @param string $ipAddress
* @param string|NULL $source
*/
public function __construct(string $ipAddress, string $source = NULL) {
$this->ipAddress = $ipAddress;
$this->source = $source;
$this->eventType = 'InvalidCSRFEvent';
}
/**
* Use this to trigger an event from your code with a single line
*
* @param string $ipAddress
* @param string|NULL $source
*/
public static function trigger(string $ipAddress, string $source = NULL) {
$event = new \Civi\Firewall\Event\InvalidCSRFEvent($ipAddress, $source);
\Civi::dispatcher()->dispatch('civi.firewall.invalidcsrf', $event);
}
}
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
namespace Civi\Firewall;
class Firewall {
public function run() {
// If there are more than COUNT triggers for this event within time interval then block
$interval = 'INTERVAL 2 HOUR';
$queryParams = [
// The client IP address
1 => [\CRM_Utils_System::ipAddress(), 'String'],
];
$blockFraudAfter = 5;
$blockInvalidCSRFAfter = 5;
$sql = "
SELECT COUNT(*) as eventCount,event_type FROM `civicrm_firewall_ipaddress`
WHERE access_date >= DATE_SUB(NOW(), {$interval})
AND ip_address = %1
GROUP BY ip_address,event_type
";
$block = FALSE;
$dao = \CRM_Core_DAO::executeQuery($sql, $queryParams);
while ($dao->fetch()) {
switch ($dao->event_type) {
case 'FraudEvent':
if ($dao->eventCount >= $blockFraudAfter) {
$block = TRUE;
break 2;
}
break;
case 'InvalidCSRFEvent':
if ($dao->eventCount >= $blockInvalidCSRFAfter) {
$block = TRUE;
break 2;
}
break;
}
}
if ($block) {
// Block them
http_response_code(403); // Forbidden
exit();
}
}
/**
* Generate and store a CSRF token. Clients will need to retreive and pass this into AJAX/API requests.
*
* @return string
*/
public static function getCSRFToken(): string {
$token = base64_encode(openssl_random_pseudo_bytes(32));
\CRM_Core_Session::singleton()->set('firewall_csrftoken', $token);
return $token;
}
/**
* Check if the passed in CSRF token is valid and trigger InvalidCSRFEvent if invalid.
*
* @param string $token
*
* @return bool
*/
public static function isCSRFTokenValid(string $token): bool {
if (!empty($token) && (\CRM_Core_Session::singleton()->get('firewall_csrftoken') === $token)) {
return TRUE;
}
\Civi\Firewall\Event\InvalidCSRFEvent::trigger(\CRM_Utils_System::ipAddress(), NULL);
return FALSE;
}
}
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
namespace Civi\Firewall\Listener;
class FraudulentRequest {
public function onTrigger(\Civi\Firewall\Event\FraudEvent $event) {
// Add to firewall ip address log table with timestamp + event type
\Civi\Api4\FirewallIpaddress::create()
->addValue('ip_address', $event->ipAddress)
->addValue('source', $event->source)
->addValue('event_type', $event->eventType)
->execute();
}
}
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
namespace Civi\Firewall\Listener;
class InvalidCSRFRequest {
public function onTrigger(\Civi\Firewall\Event\InvalidCSRFEvent $event) {
// Add to firewall ip address log table with timestamp + event type
\Civi\Api4\FirewallIpaddress::create()
->addValue('ip_address', $event->ipAddress)
->addValue('source', $event->source)
->addValue('event_type', $event->eventType)
->execute();
}
}
<?php
/*
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC. All rights reserved. |
| |
| This work is published under the GNU AGPLv3 license with some |
| permitted exceptions and without any warranty. For full license |
| and copyright information, see https://civicrm.org/licensing |
+--------------------------------------------------------------------+
*/
namespace Civi\Firewall;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Definition;
/**
* Services
*
* Define the services
*/
class Services {
public static function registerServices(ContainerBuilder $container) {
$container->addResource(new \Symfony\Component\Config\Resource\FileResource(__FILE__));
$container->setDefinition('firewall_fraudulent_request', new Definition('\Civi\Firewall\Listener\FraudulentRequest'));
$container->setDefinition('firewall_invalidcsrf_request', new Definition('\Civi\Firewall\Listener\InvalidCSRFRequest'));
foreach (self::getListenerSpecs() as $listenerSpec) {
$container->findDefinition('dispatcher')->addMethodCall('addListenerService', $listenerSpec);
}
}
protected static function getListenerSpecs() {
$listenerSpecs = [
['civi.firewall.fraud', ['firewall_fraudulent_request', 'onTrigger'], 2000],
['civi.firewall.invalidcsrf', ['firewall_invalidcsrf_request', 'onTrigger'], 2000],
];
return $listenerSpecs;
}
}
This diff is collapsed.
# firewall
This implements a simple firewall for CiviCRM that blocks by IP address in various scenarios.
The extension is licensed under [AGPL-3.0](LICENSE.txt).
### Scenarios
#### Fraud Events
You can trigger a Fraud Event by calling:
```php
\Civi\Firewall\Event\FraudEvent::trigger([ip address], "my helpful description");
```
If 5 or more fraud events from the same IP address are triggered within 2 hours the IP address will be blocked for 2 hours.
Once the number of fraud events in a 2 hour period drop below 5 the IP address will be automatically unblocked again.
#### Invalid CSRF Events
If you implement APIs or AJAX endpoints which require anonymous access (eg. a javascript based payment processor
such as [Stripe](https://lab.civicrm.org/extensions/stripe)) then you will probably need to protect them with a CSRF token.
First get a token and pass it to your form/endpoint:
```php
$myVars = [
'token' => class_exists('\Civi\Firewall\Firewall') ? \Civi\Firewall\Firewall::getCSRFToken() : NULL,
];