From bf2de7f6530f494811016684e6f08f7f52d4f4d5 Mon Sep 17 00:00:00 2001
From: Ralf Becker <RalfBecker@outdoor-training.de>
Date: Fri, 26 Apr 2019 17:11:54 +0200
Subject: [PATCH] * Admin: white-list IP addresses from blocking or set higher
 number of attempts

---
 admin/templates/default/config.xet |  5 +++++
 api/src/Session.php                | 20 ++++++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/admin/templates/default/config.xet b/admin/templates/default/config.xet
index 3cdde0e8e7..c1ee62494f 100644
--- a/admin/templates/default/config.xet
+++ b/admin/templates/default/config.xet
@@ -220,6 +220,11 @@
 					<description value="After how many unsuccessful attempts to login, an IP should be blocked (default 15) ?" label="%s:"/>
 					<textbox id="newsettings[num_unsuccessful_ip]" size="5"/>
 				</row>
+				<row>
+					<description value="Comma-separated IP addresses white-listed from above blocking (:optional number of attempts)"/>
+					<textbox id="newsettings[unsuccessful_ip_whitelist]" size="64" blur="X.X.X.X[:N], ..."
+						validator="/^(\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?,? *)*$/"/>
+				</row>
 				<row>
 					<description value="How many minutes should an account or IP be blocked (default 1) ?" label="%s:"/>
 					<textbox id="newsettings[block_time]" size="5"/>
diff --git a/api/src/Session.php b/api/src/Session.php
index 64d0384692..b2121d5df4 100644
--- a/api/src/Session.php
+++ b/api/src/Session.php
@@ -808,8 +808,24 @@ class Session
 		$false_ip += Cache::getInstance(__CLASS__, self::FALSE_IP_CACHE_PREFIX.$ip);
 		$false_id += Cache::getInstance(__CLASS__, self::FALSE_ID_CACHE_PREFIX.$login);
 
-		$blocked = $false_ip > $GLOBALS['egw_info']['server']['num_unsuccessful_ip'] ||
-			$false_id > $GLOBALS['egw_info']['server']['num_unsuccessful_id'];
+		// if IP matches one in the (comma-separated) whitelist
+		// --> check with whitelists optional number (none means never block)
+		$matches = null;
+		if (!empty($GLOBALS['egw_info']['server']['unsuccessful_ip_whitelist']) &&
+			preg_match_all('/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+)?/',
+				$GLOBALS['egw_info']['server']['unsuccessful_ip_whitelist'], $matches) &&
+			($key=array_search($ip, $matches[1])) !== false)
+		{
+			$blocked = !empty($matches[3][$key]) && $false_ip > $matches[3][$key];
+		}
+		else	// else check with general number
+		{
+			$blocked = $false_ip > $GLOBALS['egw_info']['server']['num_unsuccessful_ip'];
+		}
+		if (!$blocked)
+		{
+			$blocked = $false_id > $GLOBALS['egw_info']['server']['num_unsuccessful_id'];
+		}
 		//error_log(__METHOD__."('$login', '$ip') false_ip=$false_ip, false_id=$false_id --> blocked=".array2string($blocked));
 
 		if ($blocked && $GLOBALS['egw_info']['server']['admin_mails'] &&