首页 发现 帮助
登录
chiappa
/
irdb
镜像自地址 https://git.snix.ch/chiappa/irdb.git
1
0
派生 0
文件 工单管理 0
目录树: 2cc1924a4e
分支列表 标签列表
irdb
/
api
/
src
/
Application
/
Admin
/
IpsController.php

IpsController.php 11 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Application\Admin;
    6. 

  6. 

  7. use App\Domain\Category\Category;
    8. 

  8. use App\Domain\Ip\InvalidIpException;
    9. 

  9. use App\Domain\Ip\IpAddress;
    10. 

  10. use App\Domain\Reputation\EffectiveStatus;
    11. 

  11. use App\Domain\Reputation\EffectiveStatusService;
    12. 

  12. use App\Infrastructure\Allowlist\AllowlistRepository;
    13. 

  13. use App\Infrastructure\Category\CategoryRepository;
    14. 

  14. use App\Infrastructure\ManualBlock\ManualBlockRepository;
    15. 

  15. use App\Infrastructure\Reputation\CidrEvaluatorFactory;
    16. 

  16. use App\Infrastructure\Reputation\IpEnrichmentRepository;
    17. 

  17. use App\Infrastructure\Reputation\IpHistoryRepository;
    18. 

  18. use App\Infrastructure\Reputation\IpScoreRepository;
    19. 

  19. use Psr\Http\Message\ResponseInterface;
    20. 

  20. use Psr\Http\Message\ServerRequestInterface;
    21. 

  21. 

  22. /**
    23. 

  23.  * Admin IP browser — search + detail.
    24. 

  24.  *
    25. 

  25.  * The search composes filters against `ip_scores` (joined with
    26. 

  26.  * `ip_enrichment` when country/asn is set), with the manual-block /
    27. 

  27.  * allowlist single-IP universes pre-resolved from `CidrEvaluatorFactory`
    28. 

  28.  * so the SQL stays a single query. Subnet membership is NOT expanded
    29. 

  29.  * here — IPs that are only "covered by" a manual /24 don't appear in
    30. 

  30.  * the search unless they also have a row in `ip_scores`. The IP-detail
    31. 

  31.  * page shows the precise effective status.
    32. 

  32.  *
    33. 

  33.  * Pagination: `page` (1-indexed) + `page_size` (default 25, max 200).
    34. 

  34.  *
    35. 

  35.  * RBAC: Viewer.
    36. 

  36.  */
    37. 

  37. final class IpsController
    38. 

  38. {
    39. 

  39.     use AdminControllerSupport;
    40. 

  40. 

  41.     public function __construct(
    42. 

  42.         private readonly IpScoreRepository $ipScores,
    43. 

  43.         private readonly CategoryRepository $categories,
    44. 

  44.         private readonly ManualBlockRepository $manualBlocks,
    45. 

  45.         private readonly AllowlistRepository $allowlist,
    46. 

  46.         private readonly IpEnrichmentRepository $enrichment,
    47. 

  47.         private readonly IpHistoryRepository $history,
    48. 

  48.         private readonly CidrEvaluatorFactory $cidrEvaluatorFactory,
    49. 

  49.         private readonly EffectiveStatusService $effectiveStatus,
    50. 

  50.     ) {
    51. 

  51.     }
    52. 

  52. 

  53.     public function list(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
    54. 

  54.     {
    55. 

  55.         $query = $request->getQueryParams();
    56. 

  56.         $filters = $this->parseSearchFilters($query);
    57. 

  57.         $errors = $filters['errors'];
    58. 

  58.         if ($errors !== []) {
    59. 

  59.             return self::validationFailed($response, $errors);
    60. 

  60.         }
    61. 

  61. 

  62.         $page = $filters['page'];
    63. 

  63.         $pageSize = $filters['page_size'];
    64. 

  64. 

  65.         $evaluator = $this->cidrEvaluatorFactory->get();
    66. 

  66.         $repoFilters = [
    67. 

  67.             'q' => $filters['q'],
    68. 

  68.             'category_id' => $filters['category_id'],
    69. 

  69.             'min_score' => $filters['min_score'],
    70. 

  70.             'max_score' => $filters['max_score'],
    71. 

  71.             'country' => $filters['country'],
    72. 

  72.             'asn' => $filters['asn'],
    73. 

  73.             'status' => $filters['status'],
    74. 

  74.             'manual_bins' => $evaluator->manualBlockedIpBins(),
    75. 

  75.             'allow_bins' => $evaluator->allowlistedIpBins(),
    76. 

  76.         ];
    77. 

  77. 

  78.         $result = $this->ipScores->searchIps($repoFilters, $pageSize, ($page - 1) * $pageSize);
    79. 

  79.         $slugByCategoryId = $this->slugByCategoryId();
    80. 

  80. 

  81.         // Per-row: top category slug + raw enrichment (country flag rendering happens in the UI).
    82. 

  82.         $items = [];
    83. 

  83.         foreach ($result['items'] as $row) {
    84. 

  84.             $top = $this->topCategoryFor($row['ip_bin']);
    85. 

  85.             $enrichmentRow = $this->enrichment->findByIpBin($row['ip_bin']);
    86. 

  86.             $effective = $this->effectiveStatusFor($row['ip_bin']);
    87. 

  87.             $items[] = [
    88. 

  88.                 'ip' => $row['ip_text'],
    89. 

  89.                 'is_ipv4' => str_contains($row['ip_text'], '.') && !str_contains($row['ip_text'], ':'),
    90. 

  90.                 'max_score' => round($row['max_score'], 4),
    91. 

  91.                 'top_category' => $top !== null ? ($slugByCategoryId[$top] ?? null) : null,
    92. 

  92.                 'pair_count' => $row['pair_count'],
    93. 

  93.                 'last_report_at' => $this->formatTimestamp($row['last_report_at']),
    94. 

  94.                 'status' => $effective->value,
    95. 

  95.                 'enrichment' => $enrichmentRow,
    96. 

  96.             ];
    97. 

  97.         }
    98. 

  98. 

  99.         return self::json($response, 200, [
    100. 

  100.             'items' => $items,
    101. 

  101.             'page' => $page,
    102. 

  102.             'page_size' => $pageSize,
    103. 

  103.             'total' => $result['total'],
    104. 

  104.         ]);
    105. 

  105.     }
    106. 

  106. 

  107.     /**
    108. 

  108.      * Country dropdown source for the IPs list page. Returns every
    109. 

  109.      * country code seen so far in `ip_enrichment` with its population.
    110. 

  110.      */
    111. 

  111.     public function countries(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
    112. 

  112.     {
    113. 

  113.         return self::json($response, 200, [
    114. 

  114.             'items' => $this->enrichment->countryCounts(),
    115. 

  115.         ]);
    116. 

  116.     }
    117. 

  117. 

  118.     /**
    119. 

  119.      * @param array{ip: string} $args
    120. 

  120.      */
    121. 

  121.     public function show(ServerRequestInterface $request, ResponseInterface $response, array $args): ResponseInterface
    122. 

  122.     {
    123. 

  123.         try {
    124. 

  124.             $ip = IpAddress::fromString(rawurldecode($args['ip']));
    125. 

  125.         } catch (InvalidIpException) {
    126. 

  126.             return self::error($response, 404, 'not_found');
    127. 

  127.         }
    128. 

  128. 

  129.         $bin = $ip->binary();
    130. 

  130.         $scoreRows = $this->ipScores->scoresForIp($bin);
    131. 

  131.         $slugById = $this->slugByCategoryId();
    132. 

  132. 

  133.         $scores = [];
    134. 

  134.         foreach ($scoreRows as $row) {
    135. 

  135.             $scores[] = [
    136. 

  136.                 'category' => $slugById[$row['category_id']] ?? null,
    137. 

  137.                 'category_id' => $row['category_id'],
    138. 

  138.                 'score' => round($row['score'], 4),
    139. 

  139.                 'last_report_at' => $this->formatTimestamp($row['last_report_at']),
    140. 

  140.                 'report_count_30d' => $row['report_count_30d'],
    141. 

  141.             ];
    142. 

  142.         }
    143. 

  143. 

  144.         $manual = $this->manualBlocks->findByIpBin($bin);
    145. 

  145.         $allow = $this->allowlist->findByIpBin($bin);
    146. 

  146.         $enrichment = $this->enrichment->findByIpBin($bin) ?? [
    147. 

  147.             'country_code' => null,
    148. 

  148.             'asn' => null,
    149. 

  149.             'as_org' => null,
    150. 

  150.             'enriched_at' => null,
    151. 

  151.         ];
    152. 

  152.         $status = $this->effectiveStatus->forIp($ip);
    153. 

  153.         $history = $this->history->forIp($bin);
    154. 

  154. 

  155.         return self::json($response, 200, [
    156. 

  156.             'ip' => $ip->text(),
    157. 

  157.             'is_ipv4' => $ip->isIpv4(),
    158. 

  158.             'scores' => $scores,
    159. 

  159.             'enrichment' => $enrichment,
    160. 

  160.             'status' => $status->value,
    161. 

  161.             'manual_block' => $manual?->toArray(),
    162. 

  162.             'allowlist' => $allow?->toArray(),
    163. 

  163.             'history' => $history['items'],
    164. 

  164.             'has_more' => $history['has_more'],
    165. 

  165.         ]);
    166. 

  166.     }
    167. 

  167. 

  168.     /**
    169. 

  169.      * @param array<string, mixed> $query
    170. 

  170.      * @return array{
    171. 

  171.      *     errors: array<string, string>,
    172. 

  172.      *     page: int,
    173. 

  173.      *     page_size: int,
    174. 

  174.      *     q: ?string,
    175. 

  175.      *     category_id: ?int,
    176. 

  176.      *     min_score: ?float,
    177. 

  177.      *     max_score: ?float,
    178. 

  178.      *     country: ?string,
    179. 

  179.      *     asn: ?int,
    180. 

  180.      *     status: ?string,
    181. 

  181.      * }
    182. 

  182.      */
    183. 

  183.     private function parseSearchFilters(array $query): array
    184. 

  184.     {
    185. 

  185.         $errors = [];
    186. 

  186.         $page = isset($query['page']) && ctype_digit((string) $query['page']) ? max(1, (int) $query['page']) : 1;
    187. 

  187.         $pageSize = isset($query['page_size']) && ctype_digit((string) $query['page_size'])
    188. 

  188.             ? (int) $query['page_size']
    189. 

  189.             : 25;
    190. 

  190.         $pageSize = max(1, min(200, $pageSize));
    191. 

  191. 

  192.         $q = isset($query['q']) && is_string($query['q']) && trim($query['q']) !== '' ? trim((string) $query['q']) : null;
    193. 

  193.         if ($q !== null) {
    194. 

  194.             // SEC_REVIEW F30 / F46: bound `q` to characters that can appear in
    195. 

  195.             // a literal IP (digits, hex, `:`, `.`) and cap its length. The
    196. 

  196.             // repository uses `q` as an anchored LIKE prefix; rejecting other
    197. 

  197.             // shapes here forecloses non-anchored full-table scans and the
    198. 

  198.             // `%`/`_` wildcard-injection vector in one go. 64 is well above
    199. 

  199.             // the 39-char IPv6 maximum.
    200. 

  200.             if (strlen($q) > 64 || preg_match('/^[0-9a-fA-F:.]+$/', $q) !== 1) {
    201. 

  201.                 $errors['q'] = 'must be an IP or IP prefix (digits, hex, `:`, `.`; max 64 chars)';
    202. 

  202.                 $q = null;
    203. 

  203.             }
    204. 

  204.         }
    205. 

  205. 

  206.         $categoryId = null;
    207. 

  207.         if (isset($query['category']) && is_string($query['category']) && $query['category'] !== '') {
    208. 

  208.             $cat = $this->categories->findActiveBySlug($query['category']);
    209. 

  209.             if ($cat === null) {
    210. 

  210.                 $errors['category'] = 'unknown category slug';
    211. 

  211.             } else {
    212. 

  212.                 $categoryId = $cat->id;
    213. 

  213.             }
    214. 

  214.         }
    215. 

  215. 

  216.         $minScore = $this->parseFloat($query['min_score'] ?? null);
    217. 

  217.         $maxScore = $this->parseFloat($query['max_score'] ?? null);
    218. 

  218. 

  219.         $country = null;
    220. 

  220.         if (isset($query['country']) && is_string($query['country']) && $query['country'] !== '') {
    221. 

  221.             if (preg_match('/^[A-Za-z]{2}$/', $query['country']) !== 1) {
    222. 

  222.                 $errors['country'] = 'must be a 2-letter ISO code';
    223. 

  223.             } else {
    224. 

  224.                 $country = strtoupper($query['country']);
    225. 

  225.             }
    226. 

  226.         }
    227. 

  227. 

  228.         $asn = null;
    229. 

  229.         if (isset($query['asn']) && (string) $query['asn'] !== '') {
    230. 

  230.             if (!ctype_digit((string) $query['asn'])) {
    231. 

  231.                 $errors['asn'] = 'must be a positive integer';
    232. 

  232.             } else {
    233. 

  233.                 $asn = (int) $query['asn'];
    234. 

  234.             }
    235. 

  235.         }
    236. 

  236. 

  237.         $status = null;
    238. 

  238.         if (isset($query['status']) && is_string($query['status']) && $query['status'] !== '') {
    239. 

  239.             if (!in_array($query['status'], ['scored', 'manual', 'allowlisted', 'clean'], true)) {
    240. 

  240.                 $errors['status'] = 'must be scored | manual | allowlisted | clean';
    241. 

  241.             } else {
    242. 

  242.                 $status = $query['status'];
    243. 

  243.             }
    244. 

  244.         }
    245. 

  245. 

  246.         return [
    247. 

  247.             'errors' => $errors,
    248. 

  248.             'page' => $page,
    249. 

  249.             'page_size' => $pageSize,
    250. 

  250.             'q' => $q,
    251. 

  251.             'category_id' => $categoryId,
    252. 

  252.             'min_score' => $minScore,
    253. 

  253.             'max_score' => $maxScore,
    254. 

  254.             'country' => $country,
    255. 

  255.             'asn' => $asn,
    256. 

  256.             'status' => $status,
    257. 

  257.         ];
    258. 

  258.     }
    259. 

  259. 

  260.     private function parseFloat(mixed $value): ?float
    261. 

  261.     {
    262. 

  262.         if ($value === null || $value === '') {
    263. 

  263.             return null;
    264. 

  264.         }
    265. 

  265.         if (is_numeric($value)) {
    266. 

  266.             return (float) $value;
    267. 

  267.         }
    268. 

  268. 

  269.         return null;
    270. 

  270.     }
    271. 

  271. 

  272.     private function topCategoryFor(string $ipBin): ?int
    273. 

  273.     {
    274. 

  274.         $rows = $this->ipScores->scoresForIp($ipBin);
    275. 

  275.         foreach ($rows as $row) {
    276. 

  276.             if ($row['score'] > 0) {
    277. 

  277.                 return $row['category_id'];
    278. 

  278.             }
    279. 

  279.         }
    280. 

  280. 

  281.         return null;
    282. 

  282.     }
    283. 

  283. 

  284.     private function effectiveStatusFor(string $ipBin): EffectiveStatus
    285. 

  285.     {
    286. 

  286.         return $this->effectiveStatus->forIp(IpAddress::fromBinary($ipBin));
    287. 

  287.     }
    288. 

  288. 

  289.     /**
    290. 

  290.      * @return array<int, string>
    291. 

  291.      */
    292. 

  292.     private function slugByCategoryId(): array
    293. 

  293.     {
    294. 

  294.         $out = [];
    295. 

  295.         foreach ($this->categories->listAll() as $cat) {
    296. 

  296.             /** @var Category $cat */
    297. 

  297.             $out[$cat->id] = $cat->slug;
    298. 

  298.         }
    299. 

  299. 

  300.         return $out;
    301. 

  301.     }
    302. 

  302. 

  303.     private function formatTimestamp(?string $value): ?string
    304. 

  304.     {
    305. 

  305.         if ($value === null) {
    306. 

  306.             return null;
    307. 

  307.         }
    308. 

  308.         // Convert "YYYY-MM-DD HH:MM:SS" → ISO 8601 "YYYY-MM-DDTHH:MM:SSZ".
    309. 

  309.         $s = trim($value);
    310. 

  310.         if (str_contains($s, 'T')) {
    311. 

  311.             return $s;
    312. 

  312.         }
    313. 

  313. 

  314.         return str_replace(' ', 'T', $s) . 'Z';
    315. 

  315.     }
    316. 

  316. }
    317.