|
33 | 33 | * TODO: Check which branch was pushed to (currently it pulls no |
34 | 34 | * matter what branch was pushed to) |
35 | 35 | * |
36 | | - * Deployment script to be run from bitbucket. This script runs a shell |
37 | | - * script on the server to do deployment. It should also run from github |
38 | | - * with a change to the $_repositoryIp setting, and any other repository |
39 | | - * that can call a URL on commit. |
40 | | - * |
41 | 36 | * Based on deployment script by Iain Gray igray@itgassociates.com |
42 | 37 | * https://bitbucket.org/itjgray/bitbucket-php-deploy.git |
43 | 38 | * |
@@ -98,10 +93,11 @@ class Deployer |
98 | 93 | * |
99 | 94 | * @var array of IP addresses |
100 | 95 | */ |
101 | | - private $allowedIPs = array( |
102 | | - '131.103.20.165', //Bitbucket |
103 | | - '131.103.20.166', //Bitbucket |
104 | | - ); |
| 96 | + private $allowedIpRanges = array( |
| 97 | + '131.103.20.165/32', // Bitbucket |
| 98 | + '131.103.20.166/32', // Bitbucket |
| 99 | + '192.30.252.0/22', // Github |
| 100 | + ); |
105 | 101 |
|
106 | 102 | /** |
107 | 103 | * The timestamp format used for logging. |
@@ -278,7 +274,7 @@ public function deploy() |
278 | 274 | $this->logHeaders(); |
279 | 275 | $this->logPostedData(); |
280 | 276 |
|
281 | | - if (!in_array($ip, $this->allowedIPs)) { |
| 277 | + if (!$this->isIpPermitted($ip)) { |
282 | 278 | header('HTTP/1.1 403 Forbidden'); |
283 | 279 | throw new Exception($ip.' is not an authorised Remote IP Address'); |
284 | 280 | } |
@@ -337,4 +333,32 @@ private function sendEmails($subject) |
337 | 333 | mail($email, $subject, $message); |
338 | 334 | } |
339 | 335 | } |
| 336 | + |
| 337 | + /** |
| 338 | + * Source: https://gist.github.com/jonavon/2028872 |
| 339 | + * @param [string] $ip |
| 340 | + * @param [string] $range |
| 341 | + * @return boolean |
| 342 | + */ |
| 343 | + private function isIpInRange($ip, $range) { |
| 344 | + if (strpos( $range, '/' ) == false) { |
| 345 | + $range .= '/32'; |
| 346 | + } |
| 347 | + // $range is in IP/CIDR format eg 127.0.0.1/24 |
| 348 | + list( $range, $netmask ) = explode( '/', $range, 2 ); |
| 349 | + $range_decimal = ip2long( $range ); |
| 350 | + $ip_decimal = ip2long( $ip ); |
| 351 | + $wildcard_decimal = pow( 2, ( 32 - $netmask ) ) - 1; |
| 352 | + $netmask_decimal = ~ $wildcard_decimal; |
| 353 | + return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) ); |
| 354 | + } |
| 355 | + |
| 356 | + private function isIpPermitted($ip) { |
| 357 | + foreach ($yjis->allowedIpRanges as $range) { |
| 358 | + if ($this->isIpInRange($ip, $range)) { |
| 359 | + return true; |
| 360 | + } |
| 361 | + } |
| 362 | + return false; |
| 363 | + } |
340 | 364 | } |
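Review bot: `$yjis->allowedIpRanges` in isIpPermitted is a typo for `$this->allowedIpRanges`; as written the foreach iterates an undefined variable (null), so the method returns false for every caller and deploy() answers 403 even to the Bitbucket and GitHub ranges this commit adds. In isIpInRange, `strpos($range, '/') == false` is a loose comparison that also treats an offset of 0 as "not found"; it should read `if (strpos($range, '/') === false) {`. ip2long() returns false for an address it cannot parse, and `false & $netmask_decimal` then evaluates as 0.0.0.0 instead of failing, so the two lookups need a guard before the mask compare: `if ($ip_decimal === false || $range_decimal === false) { return false; }`. The PHPDoc types `[string]` are not valid PHPDoc; `@param string $ip` / `@param string $range` / `@return bool` would let static analysis check the callers.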