Update comments for event_guard_service

FusionPBX
2026-05-20 19:05:38 +00:00
committed by GitHub
parent f5cbefe2ec
commit 37e7a745be
@@ -155,15 +155,19 @@ class event_guard_service extends service {
// Registration failed - block IP address unless they are registered // Registration failed - block IP address unless they are registered
if (is_array($json_array) && $json_array['Event-Subclass'] == 'sofia::register_failure') { if (is_array($json_array) && $json_array['Event-Subclass'] == 'sofia::register_failure') {
//not registered so block the address // Not registered so block the address
if (!$this->allow_access($json_array['network-ip'])) { $is_valid_ip = filter_var($json_array['network-ip'], FILTER_VALIDATE_IP);
if ($is_valid_ip && !$this->allow_access($json_array['network-ip'])) {
$this->block_add($json_array['network-ip'], 'sip-auth-fail', $json_array); $this->block_add($json_array['network-ip'], 'sip-auth-fail', $json_array);
} }
// Debug info
$this->debug("sofia::register_failure network-ip ".$json_array['network-ip'].", to-host ".$json_array['to-host']);
} }
// Sendevent CUSTOM event_guard:unblock // Sendevent CUSTOM event_guard:unblock
if (is_array($json_array) && $json_array['Event-Subclass'] == 'event_guard:unblock') { if (is_array($json_array) && $json_array['Event-Subclass'] == 'event_guard:unblock') {
//check the database for pending requests // Check the database for pending requests
$sql = "select event_guard_log_uuid, log_date, filter, ip_address, extension, user_agent "; $sql = "select event_guard_log_uuid, log_date, filter, ip_address, extension, user_agent ";
$sql .= "from v_event_guard_logs "; $sql .= "from v_event_guard_logs ";
$sql .= "where log_status = 'pending' "; $sql .= "where log_status = 'pending' ";
@@ -174,13 +178,13 @@ class event_guard_service extends service {
if (is_array($event_guard_logs)) { if (is_array($event_guard_logs)) {
$x = 0; $x = 0;
foreach($event_guard_logs as $row) { foreach($event_guard_logs as $row) {
//unblock the ip address // Unblock the IP address
$this->block_delete($row['ip_address'], 'all'); $this->block_delete($row['ip_address'], 'all');
//debug info // Debug info
$this->info("unblocked: [ip_address: ".$row['ip_address'].", filter: all, to-user: ".$row['extension'].", to-host: ".$row['hostname'].", line: ".__line__); $this->info("unblocked: [ip_address: ".$row['ip_address'].", filter: all, to-user: ".$row['extension'].", to-host: ".$row['hostname'].", line: ".__line__);
//log the blocked ip address to the database // Log the blocked IP address to the database
$array['event_guard_logs'][$x]['event_guard_log_uuid'] = $row['event_guard_log_uuid']; $array['event_guard_logs'][$x]['event_guard_log_uuid'] = $row['event_guard_log_uuid'];
$array['event_guard_logs'][$x]['log_date'] = 'now()'; $array['event_guard_logs'][$x]['log_date'] = 'now()';
$array['event_guard_logs'][$x]['log_status'] = 'unblocked'; $array['event_guard_logs'][$x]['log_status'] = 'unblocked';
@@ -198,17 +202,17 @@ class event_guard_service extends service {
// Registration to the IP address // Registration to the IP address
if (is_array($json_array) && $json_array['Event-Subclass'] == 'sofia::pre_register') { if (is_array($json_array) && $json_array['Event-Subclass'] == 'sofia::pre_register') {
if (isset($json_array['to-host'])) { if (isset($json_array['network-ip'])) {
$is_valid_ip = filter_var($json_array['to-host'], FILTER_VALIDATE_IP); // Validate the IP address
if ($is_valid_ip) { $is_valid_ip = filter_var($json_array['network-ip'], FILTER_VALIDATE_IP);
//if not registered block the address
if (!$this->allow_access($json_array['network-ip'])) {
$this->block_add($json_array['network-ip'], 'sip-auth-ip', $json_array);
}
//debug info // If not registered block the address
$this->debug("network-ip ".$json_array['network-ip'].", to-host ".$json_array['to-host']); if ($is_valid_ip && !$this->allow_access($json_array['network-ip'])) {
$this->block_add($json_array['network-ip'], 'sip-auth-ip', $json_array);
} }
// Debug info
$this->debug("sofia::pre_register network-ip ".$json_array['network-ip'].", to-host ".$json_array['to-host']);
} }
} }
@@ -256,18 +260,18 @@ class event_guard_service extends service {
* @return boolean True if the block command was executed successfully, false otherwise * @return boolean True if the block command was executed successfully, false otherwise
*/ */
public function block_add(string $ip_address, string $filter, array $event) : bool { public function block_add(string $ip_address, string $filter, array $event) : bool {
//invalid ip address // Invalid IP address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
//block the IP address // Block the IP address
$result = $this->firewall->block_add($ip_address, $filter); $result = $this->firewall->block_add($ip_address, $filter);
if ($result) { if ($result) {
//log the blocked ip address to the log // Log the blocked IP address to the log
$this->warning("blocked: [ip_address: ".$ip_address.", filter: ".$filter.", to-user: ".$event['to-user'].", to-host: ".$event['to-host'].", line: ".__line__."]"); $this->warning("blocked: [ip_address: ".$ip_address.", filter: ".$filter.", to-user: ".$event['to-user'].", to-host: ".$event['to-host'].", line: ".__line__."]");
//log the blocked ip address to the database // Log the blocked IP address to the database
$array = []; $array = [];
$array['event_guard_logs'][0]['event_guard_log_uuid'] = uuid(); $array['event_guard_logs'][0]['event_guard_log_uuid'] = uuid();
$array['event_guard_logs'][0]['hostname'] = gethostname(); $array['event_guard_logs'][0]['hostname'] = gethostname();
@@ -283,39 +287,39 @@ class event_guard_service extends service {
$p->delete('event_guard_log_add', 'temp'); $p->delete('event_guard_log_add', 'temp');
} }
//return the result // Return the result
return $result; return $result;
} }
public function block_delete(string $ip_address, string $filter) : bool { public function block_delete(string $ip_address, string $filter) : bool {
//invalid ip address // Invalid IP address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
//unblock the IP address // Unblock the IP address
$result = $this->firewall->block_delete($ip_address, $filter); $result = $this->firewall->block_delete($ip_address, $filter);
//send debug information to the console // Send debug information to the console
$this->warning("unblocked: [ip_address: ".$ip_address.", filter: ".$filter.", line: ".__line__."]"); $this->warning("unblocked: [ip_address: ".$ip_address.", filter: ".$filter.", line: ".__line__."]");
//return the result // Return the result
return $result; return $result;
} }
public function block_exists(string $ip_address, string $filter) : bool { public function block_exists(string $ip_address, string $filter) : bool {
//invalid ip address // Invalid IP address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
//check if the address is blocked // Check if the address is blocked
$result = $this->firewall->block_exists($ip_address, $filter); $result = $this->firewall->block_exists($ip_address, $filter);
//send debug information to the console // Send debug information to the console
$this->debug("Address Exists " . $ip_address . ", line " . __line__); $this->debug("Address Exists " . $ip_address . ", line " . __line__);
//return the result // Return the result
return $result; return $result;
} }
@@ -332,73 +336,72 @@ class event_guard_service extends service {
* @return boolean True if access is allowed, false otherwise. * @return boolean True if access is allowed, false otherwise.
*/ */
private function allow_access($ip_address) { private function allow_access($ip_address) {
// Invalid IP address
//invalid ip address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
//check the cache to see if the address is allowed // Check the cache to see if the address is allowed
$cache = new cache; $cache = new cache;
if ($cache->get("switch:allowed:".$ip_address) === 'true') { if ($cache->get("switch:allowed:".$ip_address) === 'true') {
//debug info // Debug info
$this->debug("address: ".$ip_address." allowed by: cache"); $this->debug("address: ".$ip_address." allowed by: cache");
//return boolean true // Return boolean true
return true; return true;
} }
//allow access for addresses with authentication status success // Allow access for addresses with authentication status success
if ($this->allow_user_log_success($ip_address)) { if ($this->allow_user_log_success($ip_address)) {
//save address to the cache as allowed // Save address to the cache as allowed
$cache->set("switch:allowed:".$ip_address, 'true'); $cache->set("switch:allowed:".$ip_address, 'true');
//debug info // Debug info
$this->debug("address: ".$ip_address." allowed by: user logs"); $this->debug("address: ".$ip_address." allowed by: user logs");
//return boolean true // Return boolean true
return true; return true;
} }
//allow access for addresses that have been unblocked // Allow access for addresses that have been unblocked
/* /*
if (event_guard_log_allowed($ip_address)) { if (event_guard_log_allowed($ip_address)) {
//save address to the cache as allowed // Save address to the cache as allowed
$cache->set("switch:allowed:".$ip_address, 'true'); $cache->set("switch:allowed:".$ip_address, 'true');
//debug info // Debug info
$this->debug("address: ".$ip_address." allowed by: unblocked"); $this->debug("address: ".$ip_address." allowed by: unblocked");
//return boolean true // Return boolean true
return true; return true;
} }
*/ */
//allow access if the cidr address is allowed // Allow access if the cidr address is allowed
if ($this->allow_access_control($ip_address)) { if ($this->allow_access_control($ip_address)) {
//save address to the cache as allowed // Save address to the cache as allowed
$cache->set("switch:allowed:".$ip_address, 'true'); $cache->set("switch:allowed:".$ip_address, 'true');
//debug info // Debug info
$this->debug("address: ".$ip_address." allowed by: access controls"); $this->debug("address: ".$ip_address." allowed by: access controls");
//return boolean true // Return boolean true
return true; return true;
} }
//allow if there is a registration from the same IP address // Allow if there is a registration from the same IP address
if ($this->allow_registered($ip_address)) { if ($this->allow_registered($ip_address)) {
//save address to the cache as allowed // Save address to the cache as allowed
$cache->set("switch:allowed:".$ip_address, 'true'); $cache->set("switch:allowed:".$ip_address, 'true');
//debug info // Debug info
$this->debug("address: ".$ip_address." allowed by: registration"); $this->debug("address: ".$ip_address." allowed by: registration");
//return boolean true // Return boolean true
return true; return true;
} }
//return // Return
return false; return false;
} }
@@ -410,13 +413,12 @@ class event_guard_service extends service {
* @return bool True if the IP address is authorized, false otherwise. * @return bool True if the IP address is authorized, false otherwise.
*/ */
private function allow_access_control($ip_address) { private function allow_access_control($ip_address) {
// Invalid ip address
//invalid ip address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
//get the access control allowed nodes // Get the access control allowed nodes
$sql = "select access_control_node_uuid, access_control_uuid, node_cidr, node_description "; $sql = "select access_control_node_uuid, access_control_uuid, node_cidr, node_description ";
$sql .= "from v_access_control_nodes "; $sql .= "from v_access_control_nodes ";
$sql .= "where node_type = 'allow' "; $sql .= "where node_type = 'allow' ";
@@ -424,10 +426,10 @@ class event_guard_service extends service {
$parameters = null; $parameters = null;
$allowed_nodes = $this->database->select($sql, $parameters, 'all'); $allowed_nodes = $this->database->select($sql, $parameters, 'all');
//default authorized to false // Default authorized to false
$allowed = false; $allowed = false;
//use the ip address to get the authorized nodes // Use the ip address to get the authorized nodes
if (is_array($allowed_nodes)) { if (is_array($allowed_nodes)) {
foreach($allowed_nodes as $row) { foreach($allowed_nodes as $row) {
if (check_cidr($row['node_cidr'], $ip_address)) { if (check_cidr($row['node_cidr'], $ip_address)) {
@@ -444,7 +446,7 @@ class event_guard_service extends service {
} }
} }
//return // Return
return $allowed; return $allowed;
} }
@@ -456,13 +458,12 @@ class event_guard_service extends service {
* @return bool True if the IP address is allowed, false otherwise. * @return bool True if the IP address is allowed, false otherwise.
*/ */
private function allow_user_log_success($ip_address) { private function allow_user_log_success($ip_address) {
// Invalid IP address
//invalid ip address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
//check to see if the address was authenticated successfully // Check to see if the address was authenticated successfully
$sql = "select count(user_log_uuid) "; $sql = "select count(user_log_uuid) ";
$sql .= "from v_user_logs "; $sql .= "from v_user_logs ";
$sql .= "where remote_address = :remote_address "; $sql .= "where remote_address = :remote_address ";
@@ -471,18 +472,18 @@ class event_guard_service extends service {
$parameters['remote_address'] = $ip_address; $parameters['remote_address'] = $ip_address;
$user_log_count = $this->database->select($sql, $parameters, 'column'); $user_log_count = $this->database->select($sql, $parameters, 'column');
//debug info // Debug info
$this->debug("address ".$ip_address." count ".$user_log_count); $this->debug("address ".$ip_address." count ".$user_log_count);
//default authorized to false // Default authorized to false
$allowed = false; $allowed = false;
//use the ip address to get the authorized nodes // Use the IP address to get the authorized nodes
if (!empty($user_log_count) && $user_log_count > 0) { if (!empty($user_log_count) && $user_log_count > 0) {
$allowed = true; $allowed = true;
} }
//return // Return
return $allowed; return $allowed;
} }
@@ -494,11 +495,12 @@ class event_guard_service extends service {
* @return bool True if the IP address is registered, false otherwise. * @return bool True if the IP address is registered, false otherwise.
*/ */
private function allow_registered($ip_address) { private function allow_registered($ip_address) {
//invalid ip address // Invalid IP address
if (!filter_var($ip_address, FILTER_VALIDATE_IP)) { if (!filter_var($ip_address, FILTER_VALIDATE_IP)) {
return false; return false;
} }
// Check if the IP address is registered
$registered = false; $registered = false;
$command = "fs_cli -x 'show registrations as json' "; $command = "fs_cli -x 'show registrations as json' ";
$result = shell_exec($command); $result = shell_exec($command);
@@ -511,7 +513,7 @@ class event_guard_service extends service {
} }
} }
//return registered boolean // Return registered boolean
return $registered; return $registered;
} }
} }
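Review bot: The new debug line at the end of the sofia::pre_register hunk still reads `$json_array['to-host']` although the guard was changed from `isset($json_array['to-host'])` to `isset($json_array['network-ip'])`, so an event without a To host now produces an undefined-key warning there; the new debug line in the sofia::register_failure hunk has the same issue, and that hunk also passes `$json_array['network-ip']` to filter_var and allow_access without any isset check. Reading these as `$json_array['to-host'] ?? ''` and `$json_array['network-ip'] ?? ''` (the latter before the new filter_var call in the register_failure hunk) keeps the validation and logging safe when a field is absent. Since both fields come from the remote SIP request, a short comment such as `// network-ip and to-host come from the remote SIP message; logged unsanitised` would tell the next maintainer why the isset and filter_var guards matter. Both enclosing methods begin outside the hunks.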