Move admin IP addresses to config file.

WebContent/addcard.jsp

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <%--
-Copyright (c) 2012, Andy Janata
+Copyright (c) 2012-2018, Andy Janata
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification, are permitted
@@ -27,16 +27,24 @@ Administration tools.
 @author Andy Janata (ajanata@socialgamer.net)
 --%>
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
+<%@ page import="com.google.inject.Injector" %>
+<%@ page import="com.google.inject.Key" %>
+<%@ page import="com.google.inject.TypeLiteral" %>
+<%@ page import="net.socialgamer.cah.CahModule.Admins" %>
 <%@ page import="net.socialgamer.cah.HibernateUtil" %>
+<%@ page import="net.socialgamer.cah.StartupUtils" %>
 <%@ page import="net.socialgamer.cah.db.PyxBlackCard" %>
 <%@ page import="net.socialgamer.cah.db.PyxWhiteCard" %>
-<%@ page import="net.socialgamer.cah.Constants" %>
 <%@ page import="net.socialgamer.cah.RequestWrapper" %>
 <%@ page import="org.hibernate.Session" %>
 <%@ page import="org.hibernate.Transaction" %>
+<%@ page import="java.util.Set" %>
 <%
-  RequestWrapper wrapper = new RequestWrapper(request);
-if (!Constants.ADMIN_IP_ADDRESSES.contains(wrapper.getRemoteAddr())) {
+RequestWrapper wrapper = new RequestWrapper(request);
+ServletContext servletContext = pageContext.getServletContext();
+Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR);
+Set<String> admins = injector.getInstance(Key.get(new TypeLiteral<Set<String>>(){}, Admins.class));
+if (!admins.contains(wrapper.getRemoteAddr())) {
   response.sendError(403, "Access is restricted to known hosts");
   return;
 }

WebContent/admin.jsp

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <%--
-Copyright (c) 2012-2017, Andy Janata
+Copyright (c) 2012-2018, Andy Janata
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification, are permitted
@@ -32,8 +32,8 @@ Administration tools.
 <%@ page import="com.google.inject.TypeLiteral" %>
 <%@ page import="net.socialgamer.cah.RequestWrapper" %>
 <%@ page import="net.socialgamer.cah.StartupUtils" %>
+<%@ page import="net.socialgamer.cah.CahModule.Admins" %>
 <%@ page import="net.socialgamer.cah.CahModule.BanList" %>
-<%@ page import="net.socialgamer.cah.Constants" %>
 <%@ page import="net.socialgamer.cah.Constants.DisconnectReason" %>
 <%@ page import="net.socialgamer.cah.Constants.LongPollEvent" %>
 <%@ page import="net.socialgamer.cah.Constants.LongPollResponse" %>
@@ -50,14 +50,14 @@ Administration tools.
 
 <%
 RequestWrapper wrapper = new RequestWrapper(request);
-if (!Constants.ADMIN_IP_ADDRESSES.contains(wrapper.getRemoteAddr())) {
+ServletContext servletContext = pageContext.getServletContext();
+Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR);
+Set<String> admins = injector.getInstance(Key.get(new TypeLiteral<Set<String>>(){}, Admins.class));
+if (!admins.contains(wrapper.getRemoteAddr())) {
   response.sendError(403, "Access is restricted to known hosts");
   return;
 }
 
-ServletContext servletContext = pageContext.getServletContext();
-Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR);
-
 ConnectedUsers connectedUsers = injector.getInstance(ConnectedUsers.class);
 Set<String> banList = injector.getInstance(Key.get(new TypeLiteral<Set<String>>(){}, BanList.class));
 

WebContent/cardsets.jsp

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <%--
-Copyright (c) 2012, Andy Janata
+Copyright (c) 2012-2018, Andy Janata
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification, are permitted
@@ -27,20 +27,28 @@ Administration tools.
 @author Andy Janata (ajanata@socialgamer.net)
 --%>
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
+<%@ page import="com.google.inject.Injector" %>
+<%@ page import="com.google.inject.Key" %>
+<%@ page import="com.google.inject.TypeLiteral" %>
 <%@ page import="java.util.ArrayList" %>
 <%@ page import="java.util.List" %>
+<%@ page import="java.util.Set" %>
+<%@ page import="net.socialgamer.cah.CahModule.Admins" %>
 <%@ page import="net.socialgamer.cah.HibernateUtil" %>
+<%@ page import="net.socialgamer.cah.StartupUtils" %>
 <%@ page import="net.socialgamer.cah.db.PyxBlackCard" %>
 <%@ page import="net.socialgamer.cah.db.PyxCardSet" %>
 <%@ page import="net.socialgamer.cah.db.PyxWhiteCard" %>
-<%@ page import="net.socialgamer.cah.Constants" %>
 <%@ page import="net.socialgamer.cah.RequestWrapper" %>
 <%@ page import="org.apache.commons.lang3.StringEscapeUtils" %>
 <%@ page import="org.hibernate.Session" %>
 <%@ page import="org.hibernate.Transaction" %>
 <%
-  RequestWrapper wrapper = new RequestWrapper(request);
-if (!Constants.ADMIN_IP_ADDRESSES.contains(wrapper.getRemoteAddr())) {
+RequestWrapper wrapper = new RequestWrapper(request);
+ServletContext servletContext = pageContext.getServletContext();
+Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR);
+Set<String> admins = injector.getInstance(Key.get(new TypeLiteral<Set<String>>(){}, Admins.class));
+if (!admins.contains(wrapper.getRemoteAddr())) {
   response.sendError(403, "Access is restricted to known hosts");
   return;
 }

build.properties.example

@@ -8,6 +8,8 @@ pyx.global_chat_enabled=true
 pyx.insecure_id_allowed=true
 # set this to some secure random value, and never change it, unless you want to break all codes
 pyx.id_code_salt=
+# comma-separated listed of IP addresses (v4 or v6) from which users are considered admins.
+pyx.admin_addrs=127.0.0.1,::1
 
 # for production use, use postgres
 #hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect

src/main/filtered-resources/WEB-INF/pyx.properties

@@ -5,6 +5,7 @@ pyx.server.max_games=${pyx.max_games}
 pyx.server.broadcast_connects_and_disconnects=${pyx.broadcast_connects_and_disconnects}
 pyx.server.global_chat_enabled=${pyx.global_chat_enabled}
 pyx.server.id_code_salt=${pyx.id_code_salt}
+pyx.server.admin_addrs=${pyx.admin_addrs}
 pyx.build=${buildNumber}
 
 # this is NOT allowed to be changed during a reload, as metrics depend on previous events

src/main/java/net/socialgamer/cah/CahModule.java

@@ -40,6 +40,7 @@ import javax.servlet.ServletContext;
 import org.apache.log4j.Logger;
 import org.hibernate.Session;
 
+import com.google.common.collect.ImmutableSet;
 import com.google.inject.AbstractModule;
 import com.google.inject.BindingAnnotation;
 import com.google.inject.Provides;
@@ -215,6 +216,15 @@ public class CahModule extends AbstractModule {
     return session;
   }
 
+  @Provides
+  @Admins
+  Set<String> provideAdmins() {
+    synchronized (properties) {
+      return ImmutableSet
+          .copyOf(properties.getProperty("pyx.server.admin_addrs", "127.0.0.1,::1").split(","));
+    }
+  }
+
   @BindingAnnotation
   @Retention(RetentionPolicy.RUNTIME)
   public @interface BanList {
@@ -269,4 +279,9 @@ public class CahModule extends AbstractModule {
   @Retention(RetentionPolicy.RUNTIME)
   public @interface UserPersistentId {
   }
+
+  @BindingAnnotation
+  @Retention(RetentionPolicy.RUNTIME)
+  public @interface Admins {
+  }
 }

src/main/java/net/socialgamer/cah/Constants.java

@@ -25,8 +25,6 @@ package net.socialgamer.cah;
 
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
-import java.util.HashSet;
-import java.util.Set;
 
 import net.socialgamer.cah.data.Game;
 
@@ -48,16 +46,6 @@ public class Constants {
   public static final int CHAT_FLOOD_TIME = 30 * 1000;
   public static final int CHAT_MAX_LENGTH = 200;
 
-  @SuppressWarnings("serial")
-  public static final Set<String> ADMIN_IP_ADDRESSES = new HashSet<String>() {
-    {
-      add("0:0:0:0:0:0:0:1");
-      add("127.0.0.1");
-      // ajanata
-      add("107.218.154.202");
-    }
-  };
-
   /**
    * Enums that implement this interface are valid keys for data returned to clients.
    */

src/main/java/net/socialgamer/cah/handlers/RegisterHandler.java

@@ -36,9 +36,9 @@ import org.apache.http.HttpHeaders;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 
+import net.socialgamer.cah.CahModule.Admins;
 import net.socialgamer.cah.CahModule.BanList;
 import net.socialgamer.cah.CahModule.UserPersistentId;
-import net.socialgamer.cah.Constants;
 import net.socialgamer.cah.Constants.AjaxOperation;
 import net.socialgamer.cah.Constants.AjaxRequest;
 import net.socialgamer.cah.Constants.AjaxResponse;
@@ -65,6 +65,7 @@ public class RegisterHandler extends Handler {
   private static final int ID_CODE_MAX_LENGTH = 100;
 
   private final ConnectedUsers users;
+  private final Set<String> adminList;
   private final Set<String> banList;
   private final User.Factory userFactory;
   private final Provider<String> persistentIdProvider;
@@ -73,12 +74,14 @@ public class RegisterHandler extends Handler {
   @Inject
   public RegisterHandler(final ConnectedUsers users, @BanList final Set<String> banList,
       final User.Factory userFactory, final IdCodeMangler idCodeMangler,
-      @UserPersistentId final Provider<String> persistentIdProvider) {
+      @UserPersistentId final Provider<String> persistentIdProvider,
+      @Admins final Set<String> adminList) {
     this.users = users;
     this.banList = banList;
     this.userFactory = userFactory;
     this.persistentIdProvider = persistentIdProvider;
     this.idCodeManger = idCodeMangler;
+    this.adminList = adminList;
   }
 
   @Override
@@ -112,7 +115,7 @@ public class RegisterHandler extends Handler {
             request.getParameter(AjaxRequest.ID_CODE));
 
         final User user = userFactory.create(nick, mangledIdCode, request.getRemoteAddr(),
-            Constants.ADMIN_IP_ADDRESSES.contains(request.getRemoteAddr()), persistentId,
+            adminList.contains(request.getRemoteAddr()), persistentId,
             request.getHeader(HttpHeaders.ACCEPT_LANGUAGE),
             request.getHeader(HttpHeaders.USER_AGENT));
         final ErrorCode errorCode = users.checkAndAdd(user);