From 2147d505c3745161904dcdbf864ab5c6547ad8fe Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 17 Aug 2019 21:44:37 +0200 Subject: [PATCH] NEW Can restrict API usage to some IP only --- htdocs/api/admin/index.php | 29 ++++++++++++++++++++++++----- htdocs/api/index.php | 15 +++++++++++++++ htdocs/langs/en_US/admin.lang | 1 + 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/htdocs/api/admin/index.php b/htdocs/api/admin/index.php index ed23151d99b..0ca6786b9b2 100644 --- a/htdocs/api/admin/index.php +++ b/htdocs/api/admin/index.php @@ -78,6 +78,12 @@ if ($action == 'setproductionmode') } } +if ($action == 'save') +{ + dolibarr_set_const($db, 'API_RESTICT_ON_IP', GETPOST('API_RESTICT_ON_IP', 'alpha')); +} + + dol_mkdir(DOL_DATA_ROOT.'/api/temp'); // May have been deleted by a purge @@ -93,37 +99,50 @@ print load_fiche_titre($langs->trans("ApiSetup"), $linkback, 'title_setup'); print $langs->trans("ApiDesc")."
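Review bot: The `save` branch stores `GETPOST('API_RESTICT_ON_IP', 'alpha')` without checking that each space-separated token is an IP address, so a typo (or a stray character the `alpha` filter lets through) is persisted and every API client is then rejected by the new check in htdocs/api/index.php, with no feedback on the admin page. Validating each token with `filter_var($ip, FILTER_VALIDATE_IP)` and refusing the save on the first bad one keeps a mistyped list from locking the API out; normalising repeated spaces at save time also prevents empty tokens from reaching the runtime check. If this instance is multi-entity, `dolibarr_set_const()` presumably defaults to entity 1 here, so passing `$conf->entity` as the admin pages usually do is worth confirming. The constant name `API_RESTICT_ON_IP` is misspelled but is used consistently in all three files, so renaming it is a separate change.
```php
if ($action == 'save')
{
    // Normalise the list and reject anything that is not a literal IP address
    $ips = array_values(array_filter(array_map('trim', explode(' ', GETPOST('API_RESTICT_ON_IP', 'alpha'))), 'strlen'));
    $bad = array_filter($ips, function ($ip) { return filter_var($ip, FILTER_VALIDATE_IP) === false; });
    if (empty($bad)) {
        dolibarr_set_const($db, 'API_RESTICT_ON_IP', implode(' ', $ips), 'chaine', 0, '', $conf->entity);
    } else {
        setEventMessages('Invalid IP address: '.implode(' ', $bad), null, 'errors');
    }
}
```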
\n"; print "
\n"; -//print '
'; +print ''; print ''; +print ''; + print ''; print ''; print ""; -print '"; +print '"; print ""; print ""; -print ''; +print ''; print ''; $production_mode=(empty($conf->global->API_PRODUCTION_MODE)?false:true); if ($production_mode) { - print ''; } else { - print ''; } print ''; print ''; +print ''; +print ''; +print ''; +print ''; +print ''; +print ''; + print '
".$langs->trans("Parameter")."'.$langs->trans("Value")."'.$langs->trans("Value")." 
'.$langs->trans("ApiProductionMode").''; + print ''; print img_picto($langs->trans("Activated"), 'switch_on'); print ''; + print ''; print img_picto($langs->trans("Disabled"), 'switch_off'); print ' 
'.$langs->trans("RestrictApiToIps").''; +print '
'; print '

'; +print '
'; + + // Define $urlwithroot $urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root)); $urlwithroot=$urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file diff --git a/htdocs/api/index.php b/htdocs/api/index.php index 9d42b9995f6..1f1235571cc 100644 --- a/htdocs/api/index.php +++ b/htdocs/api/index.php @@ -206,6 +206,21 @@ if (! empty($reg[1]) && $reg[1] == 'explorer' && ($reg[2] == '/swagger.json' || // Call one APIs or one definition of an API if (! empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' && $reg[2] != '/resources.json' && preg_match('/^\/(swagger|resources)\.json\/(.+)$/', $reg[2], $regbis) && $regbis[2] != 'root'))) { + // Restrict API to some IPs + if (! empty($conf->global->API_RESTICT_ON_IP)) + { + $allowedip=explode(' ', $conf->global->API_RESTICT_ON_IP); + $ipremote = getUserRemoteIP(); + if (! in_array($ipremote, $allowedip)) + { + dol_syslog('Remote ip is '.$ipremote.', not into list '.$conf->global->API_RESTICT_ON_IP); + print 'API not allowed from the IP '.$ipremote; + header('HTTP/1.1 503 API not allowed from your IP '.$ipremote); + //print $conf->global->API_RESTICT_ON_IP; + exit(0); + } + } + $module = $reg[1]; if ($module == 'explorer') // If we call page to explore details of a service { diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index d408cddc5c8..c95c9fe05cc 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang 
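Review bot: The new `RestrictApiToIps` row appears to echo the stored `API_RESTICT_ON_IP` value back into the text input, but the markup is not fully visible in this rendering, so confirm the value attribute is wrapped in `dol_escape_htmltag(...)` rather than concatenated raw; the admin-only `alpha` filter at save time is not a substitute for escaping at output. The rest of the hunk is presentation (table rows and the save button) and needs nothing else.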
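Review bot: In the rejection branch the body is printed before `header(...)` is called, so unless output buffering is on the status line is never sent and the client receives a 200 with an error text; the `header()` call must precede the `print`, and 403 is the appropriate status for a client blocked by policy, not 503 (which tells callers to retry). The list check is also looser than it should be: `explode(' ', ...)` yields empty strings for doubled spaces and `in_array()` is non-strict, so an empty token in the setting matches a request for which `getUserRemoteIP()` returns an empty string; filter empty tokens and pass `true` as the third argument. Note as well that if `getUserRemoteIP()` prefers forwarded headers over `REMOTE_ADDR`, as it appears to elsewhere in Dolibarr, this allowlist is only meaningful behind a proxy that overwrites those headers, which is worth stating in the `RestrictApiToIps` help text. The enclosing `if` block continues past the end of the hunk.
```php
    // Restrict API to some IPs
    if (! empty($conf->global->API_RESTICT_ON_IP))
    {
        // Drop empty tokens produced by repeated spaces so '' can never match
        $allowedip = array_values(array_filter(array_map('trim', explode(' ', $conf->global->API_RESTICT_ON_IP)), 'strlen'));
        $ipremote = getUserRemoteIP();
        if (! in_array($ipremote, $allowedip, true))
        {
            dol_syslog('Remote ip is '.$ipremote.', not into list '.$conf->global->API_RESTICT_ON_IP, LOG_WARNING);
            header('HTTP/1.1 403 Forbidden');
            print 'API not allowed from the IP '.$ipremote;
            exit(0);
        }
    }
    // … unchanged: $module = $reg[1]; and the explorer dispatch …
```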
@@ -1932,3 +1932,4 @@ DeleteEmailCollector=Delete email collector ConfirmDeleteEmailCollector=Are you sure you want to delete this email collector? RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined +RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs. \ No newline at end of file