From 4e2b5e480b19b92bf1c8071a37c1a99c817a71ac Mon Sep 17 00:00:00 2001 From: Andy Janata Date: Thu, 22 Mar 2018 16:26:30 -0700 Subject: [PATCH] Move admin IP addresses to config file. --- WebContent/addcard.jsp | 16 ++++++++++++---- WebContent/admin.jsp | 12 ++++++------ WebContent/cardsets.jsp | 16 ++++++++++++---- build.properties.example | 2 ++ .../filtered-resources/WEB-INF/pyx.properties | 1 + src/main/java/net/socialgamer/cah/CahModule.java | 15 +++++++++++++++ src/main/java/net/socialgamer/cah/Constants.java | 12 ------------ .../cah/handlers/RegisterHandler.java | 9 ++++++--- 8 files changed, 54 insertions(+), 29 deletions(-) diff --git a/WebContent/addcard.jsp b/WebContent/addcard.jsp index 3ae2514..d71f117 100644 --- a/WebContent/addcard.jsp +++ b/WebContent/addcard.jsp @@ -1,6 +1,6 @@ <%-- -Copyright (c) 2012, Andy Janata +Copyright (c) 2012-2018, Andy Janata All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted 
@@ -27,16 +27,24 @@ Administration tools. @author Andy Janata (ajanata@socialgamer.net) --%> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> +<%@ page import="com.google.inject.Injector" %> +<%@ page import="com.google.inject.Key" %> +<%@ page import="com.google.inject.TypeLiteral" %> +<%@ page import="net.socialgamer.cah.CahModule.Admins" %> <%@ page import="net.socialgamer.cah.HibernateUtil" %> +<%@ page import="net.socialgamer.cah.StartupUtils" %> <%@ page import="net.socialgamer.cah.db.PyxBlackCard" %> <%@ page import="net.socialgamer.cah.db.PyxWhiteCard" %> -<%@ page import="net.socialgamer.cah.Constants" %> <%@ page import="net.socialgamer.cah.RequestWrapper" %> <%@ page import="org.hibernate.Session" %> <%@ page import="org.hibernate.Transaction" %> +<%@ page import="java.util.Set" %> <% - RequestWrapper wrapper = new RequestWrapper(request); -if (!Constants.ADMIN_IP_ADDRESSES.contains(wrapper.getRemoteAddr())) { +RequestWrapper wrapper = new RequestWrapper(request); +ServletContext servletContext = pageContext.getServletContext(); +Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR); +Set admins = injector.getInstance(Key.get(new TypeLiteral>(){}, Admins.class)); +if (!admins.contains(wrapper.getRemoteAddr())) { response.sendError(403, "Access is restricted to known hosts"); return; } diff --git a/WebContent/admin.jsp b/WebContent/admin.jsp index 06659dc..a07d34c 100644 --- a/WebContent/admin.jsp +++ b/WebContent/admin.jsp @@ -1,6 +1,6 @@ <%-- -Copyright (c) 2012-2017, Andy Janata +Copyright (c) 2012-2018, Andy Janata All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted 
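Review bot: The injector lookup and admin check added at the top of this scriptlet are copied verbatim into admin.jsp and cardsets.jsp in the same commit, so the access-control rule now lives in three JSPs plus RegisterHandler; a single helper such as `static boolean isAdmin(ServletContext ctx, String remoteAddr)` next to StartupUtils would keep the check, and any future change to it, in one place. As written, if the `StartupUtils.INJECTOR` attribute is not present (startup still running or failed) `injector.getInstance(...)` throws a NullPointerException and the page answers 500 instead of the intended 403; a null check that falls through to the existing `response.sendError(403, ...)` would fail closed. The type arguments of `Set` and `TypeLiteral` look stripped by the page rendering; I am assuming `Set<String>` and `TypeLiteral<Set<String>>` as in the existing BanList lookup in admin.jsp.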
@@ -32,8 +32,8 @@ Administration tools. <%@ page import="com.google.inject.TypeLiteral" %> <%@ page import="net.socialgamer.cah.RequestWrapper" %> <%@ page import="net.socialgamer.cah.StartupUtils" %> +<%@ page import="net.socialgamer.cah.CahModule.Admins" %> <%@ page import="net.socialgamer.cah.CahModule.BanList" %> -<%@ page import="net.socialgamer.cah.Constants" %> <%@ page import="net.socialgamer.cah.Constants.DisconnectReason" %> <%@ page import="net.socialgamer.cah.Constants.LongPollEvent" %> <%@ page import="net.socialgamer.cah.Constants.LongPollResponse" %> @@ -50,14 +50,14 @@ Administration tools. <% RequestWrapper wrapper = new RequestWrapper(request); -if (!Constants.ADMIN_IP_ADDRESSES.contains(wrapper.getRemoteAddr())) { +ServletContext servletContext = pageContext.getServletContext(); +Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR); +Set admins = injector.getInstance(Key.get(new TypeLiteral>(){}, Admins.class)); +if (!admins.contains(wrapper.getRemoteAddr())) { response.sendError(403, "Access is restricted to known hosts"); return; } -ServletContext servletContext = pageContext.getServletContext(); -Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR); - ConnectedUsers connectedUsers = injector.getInstance(ConnectedUsers.class); Set banList = injector.getInstance(Key.get(new TypeLiteral>(){}, BanList.class)); diff --git a/WebContent/cardsets.jsp b/WebContent/cardsets.jsp index 139491a..36cfbb2 100644 --- a/WebContent/cardsets.jsp +++ b/WebContent/cardsets.jsp @@ -1,6 +1,6 @@ <%-- -Copyright (c) 2012, Andy Janata +Copyright (c) 2012-2018, Andy Janata All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted 
@@ -27,20 +27,28 @@ Administration tools. @author Andy Janata (ajanata@socialgamer.net) --%> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> +<%@ page import="com.google.inject.Injector" %> +<%@ page import="com.google.inject.Key" %> +<%@ page import="com.google.inject.TypeLiteral" %> <%@ page import="java.util.ArrayList" %> <%@ page import="java.util.List" %> +<%@ page import="java.util.Set" %> +<%@ page import="net.socialgamer.cah.CahModule.Admins" %> <%@ page import="net.socialgamer.cah.HibernateUtil" %> +<%@ page import="net.socialgamer.cah.StartupUtils" %> <%@ page import="net.socialgamer.cah.db.PyxBlackCard" %> <%@ page import="net.socialgamer.cah.db.PyxCardSet" %> <%@ page import="net.socialgamer.cah.db.PyxWhiteCard" %> -<%@ page import="net.socialgamer.cah.Constants" %> <%@ page import="net.socialgamer.cah.RequestWrapper" %> <%@ page import="org.apache.commons.lang3.StringEscapeUtils" %> <%@ page import="org.hibernate.Session" %> <%@ page import="org.hibernate.Transaction" %> <% - RequestWrapper wrapper = new RequestWrapper(request); -if (!Constants.ADMIN_IP_ADDRESSES.contains(wrapper.getRemoteAddr())) { +RequestWrapper wrapper = new RequestWrapper(request); +ServletContext servletContext = pageContext.getServletContext(); +Injector injector = (Injector) servletContext.getAttribute(StartupUtils.INJECTOR); +Set admins = injector.getInstance(Key.get(new TypeLiteral>(){}, Admins.class)); +if (!admins.contains(wrapper.getRemoteAddr())) { response.sendError(403, "Access is restricted to known hosts"); return; } diff --git a/build.properties.example b/build.properties.example index 638afb3..342318b 100644 --- a/build.properties.example +++ b/build.properties.example 
@@ -8,6 +8,8 @@ pyx.global_chat_enabled=true pyx.insecure_id_allowed=true # set this to some secure random value, and never change it, unless you want to break all codes pyx.id_code_salt= +# comma-separated listed of IP addresses (v4 or v6) from which users are considered admins. +pyx.admin_addrs=127.0.0.1,::1 # for production use, use postgres #hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect diff --git a/src/main/filtered-resources/WEB-INF/pyx.properties b/src/main/filtered-resources/WEB-INF/pyx.properties index ef955cb..2ddf662 100644 --- a/src/main/filtered-resources/WEB-INF/pyx.properties +++ b/src/main/filtered-resources/WEB-INF/pyx.properties @@ -5,6 +5,7 @@ pyx.server.max_games=${pyx.max_games} pyx.server.broadcast_connects_and_disconnects=${pyx.broadcast_connects_and_disconnects} pyx.server.global_chat_enabled=${pyx.global_chat_enabled} pyx.server.id_code_salt=${pyx.id_code_salt} +pyx.server.admin_addrs=${pyx.admin_addrs} pyx.build=${buildNumber} # this is NOT allowed to be changed during a reload, as metrics depend on previous events diff --git a/src/main/java/net/socialgamer/cah/CahModule.java b/src/main/java/net/socialgamer/cah/CahModule.java index 20687e3..998d47a 100644 --- a/src/main/java/net/socialgamer/cah/CahModule.java +++ b/src/main/java/net/socialgamer/cah/CahModule.java @@ -40,6 +40,7 @@ import javax.servlet.ServletContext; import org.apache.log4j.Logger; import org.hibernate.Session; +import com.google.common.collect.ImmutableSet; import com.google.inject.AbstractModule; import com.google.inject.BindingAnnotation; import com.google.inject.Provides; @@ -215,6 +216,15 @@ public class CahModule extends AbstractModule { return session; } + @Provides + @Admins + Set provideAdmins() { + synchronized (properties) { + return ImmutableSet + .copyOf(properties.getProperty("pyx.server.admin_addrs", "127.0.0.1,::1").split(",")); + } + } + @BindingAnnotation @Retention(RetentionPolicy.RUNTIME) public @interface BanList { 
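Review bot: The new comment line has a typo, `listed` for `list`; it should read `# comma-separated list of IP addresses (v4 or v6) from which users are considered admins.`. It would also help operators to say here that entries are compared as plain strings against the address the servlet container reports for the request, since that decides whether a given spelling of an address (notably the IPv6 loopback) matches.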
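Review bot: `provideAdmins()` returns raw strings for exact comparison, and the new default `::1` is not equal to `0:0:0:0:0:0:0:1`, the spelling the removed `Constants.ADMIN_IP_ADDRESSES` used for the IPv6 loopback and the expanded form `Inet6Address.getHostAddress()` produces, which as far as I recall is what `getRemoteAddr()` returns under Tomcat, so a `::1` entry would likely never match. `split(",")` also keeps surrounding whitespace, so `127.0.0.1, ::1` yields the entry ` ::1`. Trimming each entry and canonicalizing it through Guava's `InetAddresses.forString(addr).getHostAddress()` (no DNS lookup; a non-literal entry throws IllegalArgumentException, so a typo fails at startup instead of silently granting nothing) addresses both; it needs `import com.google.common.net.InetAddresses;` next to the new ImmutableSet import. Reading the property inside the lock and parsing outside it also keeps the `synchronized (properties)` section minimal.
```java
@Provides
@Admins
Set<String> provideAdmins() {
  final String configured;
  synchronized (properties) {
    configured = properties.getProperty("pyx.server.admin_addrs", "127.0.0.1,::1");
  }
  final ImmutableSet.Builder<String> admins = ImmutableSet.builder();
  for (final String entry : configured.split(",")) {
    final String addr = entry.trim();
    if (addr.isEmpty()) {
      continue;
    }
    // Canonicalize so that "::1" in the config matches the "0:0:0:0:0:0:0:1" form that
    // getRemoteAddr() reports; forString() does no DNS lookup and rejects hostnames.
    admins.add(InetAddresses.forString(addr).getHostAddress());
  }
  return admins.build();
}
```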
@@ -269,4 +279,9 @@ public class CahModule extends AbstractModule { @Retention(RetentionPolicy.RUNTIME) public @interface UserPersistentId { } + + @BindingAnnotation + @Retention(RetentionPolicy.RUNTIME) + public @interface Admins { + } } diff --git a/src/main/java/net/socialgamer/cah/Constants.java b/src/main/java/net/socialgamer/cah/Constants.java index bb547e0..0e61cd3 100644 --- a/src/main/java/net/socialgamer/cah/Constants.java +++ b/src/main/java/net/socialgamer/cah/Constants.java @@ -25,8 +25,6 @@ package net.socialgamer.cah; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; -import java.util.HashSet; -import java.util.Set; import net.socialgamer.cah.data.Game; @@ -48,16 +46,6 @@ public class Constants { public static final int CHAT_FLOOD_TIME = 30 * 1000; public static final int CHAT_MAX_LENGTH = 200; - @SuppressWarnings("serial") - public static final Set ADMIN_IP_ADDRESSES = new HashSet() { - { - add("0:0:0:0:0:0:0:1"); - add("127.0.0.1"); - // ajanata - add("107.218.154.202"); - } - }; - /** * Enums that implement this interface are valid keys for data returned to clients. */ diff --git a/src/main/java/net/socialgamer/cah/handlers/RegisterHandler.java b/src/main/java/net/socialgamer/cah/handlers/RegisterHandler.java index 1632407..483f183 100644 --- a/src/main/java/net/socialgamer/cah/handlers/RegisterHandler.java +++ b/src/main/java/net/socialgamer/cah/handlers/RegisterHandler.java @@ -36,9 +36,9 @@ import org.apache.http.HttpHeaders; import com.google.inject.Inject; import com.google.inject.Provider; +import net.socialgamer.cah.CahModule.Admins; import net.socialgamer.cah.CahModule.BanList; import net.socialgamer.cah.CahModule.UserPersistentId; -import net.socialgamer.cah.Constants; import net.socialgamer.cah.Constants.AjaxOperation; import net.socialgamer.cah.Constants.AjaxRequest; import net.socialgamer.cah.Constants.AjaxResponse; 
@@ -65,6 +65,7 @@ public class RegisterHandler extends Handler { private static final int ID_CODE_MAX_LENGTH = 100; private final ConnectedUsers users; + private final Set adminList; private final Set banList; private final User.Factory userFactory; private final Provider persistentIdProvider; @@ -73,12 +74,14 @@ public class RegisterHandler extends Handler { @Inject public RegisterHandler(final ConnectedUsers users, @BanList final Set banList, final User.Factory userFactory, final IdCodeMangler idCodeMangler, - @UserPersistentId final Provider persistentIdProvider) { + @UserPersistentId final Provider persistentIdProvider, + @Admins final Set adminList) { this.users = users; this.banList = banList; this.userFactory = userFactory; this.persistentIdProvider = persistentIdProvider; this.idCodeManger = idCodeMangler; + this.adminList = adminList; } @Override @@ -112,7 +115,7 @@ public class RegisterHandler extends Handler { request.getParameter(AjaxRequest.ID_CODE)); final User user = userFactory.create(nick, mangledIdCode, request.getRemoteAddr(), - Constants.ADMIN_IP_ADDRESSES.contains(request.getRemoteAddr()), persistentId, + adminList.contains(request.getRemoteAddr()), persistentId, request.getHeader(HttpHeaders.ACCEPT_LANGUAGE), request.getHeader(HttpHeaders.USER_AGENT)); final ErrorCode errorCode = users.checkAndAdd(user);
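Review bot: `adminList` is captured once in the constructor, whereas the JSPs re-resolve the `@Admins` set from the injector on every request; if RegisterHandler is bound as a singleton (its scope is not visible here), a runtime reload of `pyx.server.admin_addrs` — which the `synchronized (properties)` in `provideAdmins()` suggests is possible — would never reach registration, and new users' admin flag would be decided by the stale set. Injecting `@Admins final Provider<Set<String>> adminProvider` and calling `adminProvider.get()` where the user is built, mirroring how `persistentIdProvider` is already handled, keeps both paths consistent. Minor: `request.getRemoteAddr()` is now evaluated twice in the `userFactory.create(...)` call; hoisting it into `final String remoteAddr = request.getRemoteAddr();` reads more clearly. The method containing the `userFactory.create` call starts and ends outside the hunk.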