From 37e7a745bef24265d965ff978fdcdc3ae0e7d5dc Mon Sep 17 00:00:00 2001 From: FusionPBX Date: Wed, 20 May 2026 19:05:38 +0000 Subject: [PATCH] Update comments for event_guard_service --- .../resources/classes/event_guard_service.php | 132 +++++++++--------- 1 file changed, 67 insertions(+), 65 deletions(-) diff --git a/app/event_guard/resources/classes/event_guard_service.php b/app/event_guard/resources/classes/event_guard_service.php index 272251c8b..bd6dac8de 100644 --- a/app/event_guard/resources/classes/event_guard_service.php +++ b/app/event_guard/resources/classes/event_guard_service.php @@ -155,15 +155,19 @@ class event_guard_service extends service { // Registration failed - block IP address unless they are registered if (is_array($json_array) && $json_array['Event-Subclass'] == 'sofia::register_failure') { - //not registered so block the address - if (!$this->allow_access($json_array['network-ip'])) { + // Not registered so block the address + $is_valid_ip = filter_var($json_array['network-ip'], FILTER_VALIDATE_IP); + if ($is_valid_ip && !$this->allow_access($json_array['network-ip'])) { $this->block_add($json_array['network-ip'], 'sip-auth-fail', $json_array); } + + // Debug info + $this->debug("sofia::register_failure network-ip ".$json_array['network-ip'].", to-host ".$json_array['to-host']); } // Sendevent CUSTOM event_guard:unblock if (is_array($json_array) && $json_array['Event-Subclass'] == 'event_guard:unblock') { - //check the database for pending requests + // Check the database for pending requests $sql = "select event_guard_log_uuid, log_date, filter, ip_address, extension, user_agent "; $sql .= "from v_event_guard_logs "; $sql .= "where log_status = 'pending' "; @@ -174,13 +178,13 @@ class event_guard_service extends service { if (is_array($event_guard_logs)) { $x = 0; foreach($event_guard_logs as $row) { - //unblock the ip address + // Unblock the IP address $this->block_delete($row['ip_address'], 'all'); - //debug info + // Debug info $this->info("unblocked: [ip_address: ".$row['ip_address'].", filter: all, to-user: ".$row['extension'].", to-host: ".$row['hostname'].", line: ".__line__); - //log the blocked ip address to the database + // Log the blocked IP address to the database $array['event_guard_logs'][$x]['event_guard_log_uuid'] = $row['event_guard_log_uuid']; $array['event_guard_logs'][$x]['log_date'] = 'now()'; $array['event_guard_logs'][$x]['log_status'] = 'unblocked'; @@ -198,17 +202,17 @@ class event_guard_service extends service { // Registration to the IP address if (is_array($json_array) && $json_array['Event-Subclass'] == 'sofia::pre_register') { - if (isset($json_array['to-host'])) { - $is_valid_ip = filter_var($json_array['to-host'], FILTER_VALIDATE_IP); - if ($is_valid_ip) { - //if not registered block the address - if (!$this->allow_access($json_array['network-ip'])) { - $this->block_add($json_array['network-ip'], 'sip-auth-ip', $json_array); - } + if (isset($json_array['network-ip'])) { + // Validate the IP address + $is_valid_ip = filter_var($json_array['network-ip'], FILTER_VALIDATE_IP); - //debug info - $this->debug("network-ip ".$json_array['network-ip'].", to-host ".$json_array['to-host']); + // If not registered block the address + if ($is_valid_ip && !$this->allow_access($json_array['network-ip'])) { + $this->block_add($json_array['network-ip'], 'sip-auth-ip', $json_array); } + + // Debug info + $this->debug("sofia::pre_register network-ip ".$json_array['network-ip'].", to-host ".$json_array['to-host']); } } @@ -256,18 +260,18 @@ class event_guard_service extends service { * @return boolean True if the block command was executed successfully, false otherwise */ public function block_add(string $ip_address, string $filter, array $event) : bool { - //invalid ip address + // Invalid IP address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } - //block the IP address + // Block the IP address $result = $this->firewall->block_add($ip_address, $filter); if ($result) { - //log the blocked ip address to the log + // Log the blocked IP address to the log $this->warning("blocked: [ip_address: ".$ip_address.", filter: ".$filter.", to-user: ".$event['to-user'].", to-host: ".$event['to-host'].", line: ".__line__."]"); - //log the blocked ip address to the database + // Log the blocked IP address to the database $array = []; $array['event_guard_logs'][0]['event_guard_log_uuid'] = uuid(); $array['event_guard_logs'][0]['hostname'] = gethostname(); @@ -283,39 +287,39 @@ class event_guard_service extends service { $p->delete('event_guard_log_add', 'temp'); } - //return the result + // Return the result return $result; } public function block_delete(string $ip_address, string $filter) : bool { - //invalid ip address + // Invalid IP address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } - //unblock the IP address + // Unblock the IP address $result = $this->firewall->block_delete($ip_address, $filter); - //send debug information to the console + // Send debug information to the console $this->warning("unblocked: [ip_address: ".$ip_address.", filter: ".$filter.", line: ".__line__."]"); - //return the result + // Return the result return $result; } public function block_exists(string $ip_address, string $filter) : bool { - //invalid ip address + // Invalid IP address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } - //check if the address is blocked + // Check if the address is blocked $result = $this->firewall->block_exists($ip_address, $filter); - //send debug information to the console + // Send debug information to the console $this->debug("Address Exists " . $ip_address . ", line " . __line__); - //return the result + // Return the result return $result; } @@ -332,73 +336,72 @@ class event_guard_service extends service { * @return boolean True if access is allowed, false otherwise. */ private function allow_access($ip_address) { - - //invalid ip address + // Invalid IP address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } - //check the cache to see if the address is allowed + // Check the cache to see if the address is allowed $cache = new cache; if ($cache->get("switch:allowed:".$ip_address) === 'true') { - //debug info + // Debug info $this->debug("address: ".$ip_address." allowed by: cache"); - //return boolean true + // Return boolean true return true; } - //allow access for addresses with authentication status success + // Allow access for addresses with authentication status success if ($this->allow_user_log_success($ip_address)) { - //save address to the cache as allowed + // Save address to the cache as allowed $cache->set("switch:allowed:".$ip_address, 'true'); - //debug info + // Debug info $this->debug("address: ".$ip_address." allowed by: user logs"); - //return boolean true + // Return boolean true return true; } - //allow access for addresses that have been unblocked + // Allow access for addresses that have been unblocked /* if (event_guard_log_allowed($ip_address)) { - //save address to the cache as allowed + // Save address to the cache as allowed $cache->set("switch:allowed:".$ip_address, 'true'); - //debug info + // Debug info $this->debug("address: ".$ip_address." allowed by: unblocked"); - //return boolean true + // Return boolean true return true; } */ - //allow access if the cidr address is allowed + // Allow access if the cidr address is allowed if ($this->allow_access_control($ip_address)) { - //save address to the cache as allowed + // Save address to the cache as allowed $cache->set("switch:allowed:".$ip_address, 'true'); - //debug info + // Debug info $this->debug("address: ".$ip_address." allowed by: access controls"); - //return boolean true + // Return boolean true return true; } - //allow if there is a registration from the same IP address + // Allow if there is a registration from the same IP address if ($this->allow_registered($ip_address)) { - //save address to the cache as allowed + // Save address to the cache as allowed $cache->set("switch:allowed:".$ip_address, 'true'); - //debug info + // Debug info $this->debug("address: ".$ip_address." allowed by: registration"); - //return boolean true + // Return boolean true return true; } - //return + // Return return false; } @@ -410,13 +413,12 @@ class event_guard_service extends service { * @return bool True if the IP address is authorized, false otherwise. */ private function allow_access_control($ip_address) { - - //invalid ip address + // Invalid ip address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } - //get the access control allowed nodes + // Get the access control allowed nodes $sql = "select access_control_node_uuid, access_control_uuid, node_cidr, node_description "; $sql .= "from v_access_control_nodes "; $sql .= "where node_type = 'allow' "; @@ -424,10 +426,10 @@ class event_guard_service extends service { $parameters = null; $allowed_nodes = $this->database->select($sql, $parameters, 'all'); - //default authorized to false + // Default authorized to false $allowed = false; - //use the ip address to get the authorized nodes + // Use the ip address to get the authorized nodes if (is_array($allowed_nodes)) { foreach($allowed_nodes as $row) { if (check_cidr($row['node_cidr'], $ip_address)) { @@ -444,7 +446,7 @@ class event_guard_service extends service { } } - //return + // Return return $allowed; } @@ -456,13 +458,12 @@ class event_guard_service extends service { * @return bool True if the IP address is allowed, false otherwise. */ private function allow_user_log_success($ip_address) { - - //invalid ip address + // Invalid IP address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } - //check to see if the address was authenticated successfully + // Check to see if the address was authenticated successfully $sql = "select count(user_log_uuid) "; $sql .= "from v_user_logs "; $sql .= "where remote_address = :remote_address "; @@ -471,18 +472,18 @@ class event_guard_service extends service { $parameters['remote_address'] = $ip_address; $user_log_count = $this->database->select($sql, $parameters, 'column'); - //debug info + // Debug info $this->debug("address ".$ip_address." count ".$user_log_count); - //default authorized to false + // Default authorized to false $allowed = false; - //use the ip address to get the authorized nodes + // Use the IP address to get the authorized nodes if (!empty($user_log_count) && $user_log_count > 0) { $allowed = true; } - //return + // Return return $allowed; } @@ -494,11 +495,12 @@ class event_guard_service extends service { * @return bool True if the IP address is registered, false otherwise. */ private function allow_registered($ip_address) { - //invalid ip address + // Invalid IP address if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { return false; } + // Check if the IP address is registered $registered = false; $command = "fs_cli -x 'show registrations as json' "; $result = shell_exec($command); @@ -511,7 +513,7 @@ class event_guard_service extends service { } } - //return registered boolean + // Return registered boolean return $registered; } }