firewall/Events.php at main · GreenMeteor/firewall · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
<?php

namespace humhub\modules\firewall;

use Yii;
use yii\base\Event;
use yii\helpers\Url;
use humhub\modules\ui\menu\MenuLink;
use humhub\modules\ui\icon\widgets\Icon;
use humhub\modules\admin\widgets\AdminMenu;
use humhub\modules\firewall\models\FirewallLog;
use humhub\modules\admin\permissions\ManageModules;

class Events
{
    /**
     * Handles the AdminMenu init event
     *
     * @param Event $event
     */
    public static function onAdminMenuInit($event)
    {
        if (!Yii::$app->user->can(ManageModules::class)) {
            return;
        }

        /** @var AdminMenu $menu */
        $menu = $event->sender;

        $menu->addEntry(new MenuLink([
            'label' => Yii::t('FirewallModule.base', 'Firewall'),
            'url' => Url::toRoute('/firewall/admin/index'),
            'icon' => Icon::get('shield'),
            'isActive' => Yii::$app->controller->module && Yii::$app->controller->module->id == 'firewall' && Yii::$app->controller->id == 'admin',
            'sortOrder' => 650,
            'isVisible' => true,
        ]));
    }

    /**
     * Handles the Application's beforeRequest event.
     * Performs firewall checks before serving the request
     *
     * @param Event $event
     */
    public static function onBeforeRequest($event)
    {
        /** @var \humhub\components\Application $app */
        $app = $event->sender;

        /** @var Module $module */
        $module = Yii::$app->getModule('firewall');

        if (!$module->enableFirewall) {
            return;
        }

        // Skip check on console requests
        if ($app instanceof \yii\console\Application) {
            return;
        }

        $isAllowed = $module->checkAccess();

        if (!$isAllowed) {
            // Log the blocked request
            $log = new FirewallLog();
            $log->ip = Yii::$app->request->userIP;
            $log->url = Yii::$app->request->url;
            $log->user_agent = Yii::$app->request->userAgent;
            $log->save();

            // Render access denied page
            echo Yii::$app->view->renderFile(
                $module->denyView . '.php',
                ['ip' => Yii::$app->request->userIP]
            );

            Yii::$app->end();
        }
    }

    /**
     * Handles hourly cron events
     * Used for cleaning up old log entries and other maintenance tasks
     *
     * @param Event $event
     */
    public static function onHourlyCron($event)
    {
        // Clean up old log entries (older than 30 days)
        FirewallLog::deleteAll(['<', 'created_at', new \yii\db\Expression('DATE_SUB(NOW(), INTERVAL 30 DAY)')]);
    }
}