Merge branch 'rrpadilla-master'

fideloper · fideloper · commit 9038b4b3d10c · 2019-01-09T19:11:11.000-06:00
diff --git a/config/trustedproxy.php b/config/trustedproxy.php
@@ -15,19 +15,20 @@
      * of your proxy (e.g. if using ELB or similar).
      *
      */
-    'proxies' => null, // [<ip addresses>,], '*'
+    'proxies' => null, // [<ip addresses>,], '*', '<ip addresses>,'
 
     /*
      * To trust one or more specific proxies that connect
-     * directly to your server, use an array of IP addresses:
+     * directly to your server, use an array or a string separated by comma of IP addresses:
      */
-     # 'proxies' => ['192.168.1.1'],
+    // 'proxies' => ['192.168.1.1'],
+    // 'proxies' => '192.168.1.1, 192.168.1.2',
 
     /*
      * Or, to trust all proxies that connect
      * directly to your server, use a "*"
      */
-     # 'proxies' => '*',
+    // 'proxies' => '*',
 
     /*
      * Which headers to use to detect proxy related data (For, Host, Proto, Port)
@@ -36,10 +37,14 @@
      * 
      * - Illuminate\Http\Request::HEADER_X_FORWARDED_ALL (use all x-forwarded-* headers to establish trust)
      * - Illuminate\Http\Request::HEADER_FORWARDED (use the FORWARDED header to establish trust)
+     * - Illuminate\Http\Request::HEADER_X_FORWARDED_AWS_ELB (If you are using AWS Elastic Load Balancer)
+     *
+     * - 'HEADER_X_FORWARDED_ALL' (use all x-forwarded-* headers to establish trust)
+     * - 'HEADER_FORWARDED' (use the FORWARDED header to establish trust)
+     * - 'HEADER_X_FORWARDED_AWS_ELB' (If you are using AWS Elastic Load Balancer)
      * 
      * @link https://symfony.com/doc/current/deployment/proxies.html
      */
     'headers' => Illuminate\Http\Request::HEADER_X_FORWARDED_ALL,
 
-    
 ];
diff --git a/src/TrustProxies.php b/src/TrustProxies.php
@@ -66,16 +66,19 @@ protected function setTrustedProxyIpAddresses(Request $request)
     {
         $trustedIps = $this->proxies ?: $this->config->get('trustedproxy.proxies');
 
-        // Only trust specific IP addresses
-        if (is_array($trustedIps)) {
-            return $this->setTrustedProxyIpAddressesToSpecificIps($request, $trustedIps);
-        }
-
         // Trust any IP address that calls us
-        // `**` for backwards compatibility, but is depreciated
+        // `**` for backwards compatibility, but is deprecated
         if ($trustedIps === '*' || $trustedIps === '**') {
             return $this->setTrustedProxyIpAddressesToTheCallingIp($request);
         }
+
+        // Support IPs addresses separated by comma
+        $trustedIps = is_string($trustedIps) ? array_map('trim', explode(',', $trustedIps)) : $trustedIps;
+
+        // Only trust specific IP addresses
+        if (is_array($trustedIps)) {
+            return $this->setTrustedProxyIpAddressesToSpecificIps($request, $trustedIps);
+        }
     }
 
     /**
@@ -102,10 +105,25 @@ private function setTrustedProxyIpAddressesToTheCallingIp(Request $request)
     /**
      * Retrieve trusted header name(s), falling back to defaults if config not set.
      *
-     * @return array
+     * @return int A bit field of Request::HEADER_*, to set which headers to trust from your proxies.
      */
     protected function getTrustedHeaderNames()
     {
-        return $this->headers ?: $this->config->get('trustedproxy.headers');
+        $headers = $this->headers ?: $this->config->get('trustedproxy.headers');
+        switch ($headers) {
+            case 'HEADER_X_FORWARDED_AWS_ELB':
+            case Request::HEADER_X_FORWARDED_AWS_ELB:
+                return Request::HEADER_X_FORWARDED_AWS_ELB;
+                break;
+            case 'HEADER_FORWARDED':
+            case Request::HEADER_FORWARDED:
+                return Request::HEADER_FORWARDED;
+                break;
+            default:
+                return Request::HEADER_X_FORWARDED_ALL;
+        }
+
+        // Should never reach this point
+        return $headers;
     }
 }
diff --git a/tests/TrustedProxyTest.php b/tests/TrustedProxyTest.php
@@ -70,8 +70,6 @@ public function test_trusted_proxy_sets_trusted_proxies_with_double_wildcard_for
         });
     }
 
-
-
     /**
      * Test the most typical usage of TrustProxies:
      * Trusted X-Forwarded-For header
@@ -182,6 +180,44 @@ public function test_can_distrust_headers()
         });
     }
 
+    /**
+     * Test to ensure it's reading text-based configurations and converting it correctly.
+     */
+    public function test_is_reading_text_based_configurations()
+    {
+        $request = $this->createProxiedRequest();
+
+        // trust *all* "X-Forwarded-*" headers
+        $trustedProxy = $this->createTrustedProxy('HEADER_X_FORWARDED_ALL', '192.168.1.1, 192.168.1.2');
+        $trustedProxy->handle($request, function (Request $request) {
+            $this->assertEquals($request->getTrustedHeaderSet(), Request::HEADER_X_FORWARDED_ALL,
+                'Assert trusted proxy used all "X-Forwarded-*" header');
+
+            $this->assertEquals($request->getTrustedProxies(), ['192.168.1.1', '192.168.1.2'],
+                'Assert trusted proxy using proxies as string separated by comma.');
+        });
+
+        // or, if your proxy instead uses the "Forwarded" header
+        $trustedProxy = $this->createTrustedProxy('HEADER_FORWARDED', '192.168.1.1, 192.168.1.2');
+        $trustedProxy->handle($request, function (Request $request) {
+            $this->assertEquals($request->getTrustedHeaderSet(), Request::HEADER_FORWARDED,
+                'Assert trusted proxy used forwarded header');
+
+            $this->assertEquals($request->getTrustedProxies(), ['192.168.1.1', '192.168.1.2'],
+                'Assert trusted proxy using proxies as string separated by comma.');
+        });
+
+        // or, if you're using AWS ELB
+        $trustedProxy = $this->createTrustedProxy('HEADER_X_FORWARDED_AWS_ELB', '192.168.1.1, 192.168.1.2');
+        $trustedProxy->handle($request, function (Request $request) {
+            $this->assertEquals($request->getTrustedHeaderSet(), Request::HEADER_X_FORWARDED_AWS_ELB,
+                'Assert trusted proxy used AWS ELB header');
+
+            $this->assertEquals($request->getTrustedProxies(), ['192.168.1.1', '192.168.1.2'],
+                'Assert trusted proxy using proxies as string separated by comma.');
+        });
+    }
+
     ################################################################
     # Utility Functions
     ################################################################
@@ -219,8 +255,8 @@ protected function createProxiedRequest($serverOverRides = [])
     /**
      * Retrieve a TrustProxies object, with dependencies mocked.
      *
-     * @param array $trustedHeaders
-     * @param array $trustedProxies
+     * @param null|string|int $trustedHeaders
+     * @param null|array|string $trustedProxies
      *
      * @return \Fideloper\Proxy\TrustProxies
      */
