From c0460ec1df3e6a4866baa65e5e97252fafc9a991 Mon Sep 17 00:00:00 2001 From: Sylvain Mauduit Date: Sat, 10 Aug 2013 19:29:57 +0200 Subject: [PATCH 1/2] Adds IPs authorization --- composer.json | 3 +- composer.lock | 76 ++++++++++++++++++++++++++++++++++++++++++------- config.yml.dist | 1 + webhook.php | 26 +++++++++++++++++ 4 files changed, 94 insertions(+), 12 deletions(-) diff --git a/composer.json b/composer.json index dc77882..74583de 100644 --- a/composer.json +++ b/composer.json @@ -1,6 +1,7 @@ { "require": { "symfony/process": "~2.2.0", - "symfony/yaml": "~2.2.0" + "symfony/yaml": "~2.2.0", + "symfony/http-foundation": "~2.2.0" } } diff --git a/composer.lock b/composer.lock index 808f8ea..8c9404a 100644 --- a/composer.lock +++ b/composer.lock 
@@ -1,19 +1,73 @@ { - "hash": "ee42fbb166b65897d0c7eb820d062397", + "_readme": [ + "This file locks the dependencies of your project to a known state", + "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file" + ], + "hash": "3626654274e70ae492694c9b5d18ee8f", "packages": [ + { + "name": "symfony/http-foundation", + "version": "v2.2.5", + "target-dir": "Symfony/Component/HttpFoundation", + "source": { + "type": "git", + "url": "https://github.com/symfony/HttpFoundation.git", + "reference": "v2.2.5" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/HttpFoundation/zipball/v2.2.5", + "reference": "v2.2.5", + "shasum": "" + }, + "require": { + "php": ">=5.3.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.2-dev" + } + }, + "autoload": { + "psr-0": { + "Symfony\\Component\\HttpFoundation\\": "" + }, + "classmap": [ + "Symfony/Component/HttpFoundation/Resources/stubs" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "http://symfony.com/contributors" + } + ], + "description": "Symfony HttpFoundation Component", + "homepage": "http://symfony.com", + "time": "2013-08-07 14:00:53" + }, { "name": "symfony/process", - "version": "v2.2.0", + "version": "v2.2.5", "target-dir": "Symfony/Component/Process", "source": { "type": "git", "url": "https://github.com/symfony/Process.git", - "reference": "v2.2.0-RC3" + "reference": "v2.2.5" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/Process/zipball/v2.2.0-RC3", - "reference": "v2.2.0-RC3", + "url": "https://api.github.com/repos/symfony/Process/zipball/v2.2.5", + "reference": "v2.2.5", "shasum": "" }, "require": { 
@@ -46,21 +100,21 @@ ], "description": "Symfony Process Component", "homepage": "http://symfony.com", - "time": "2013-02-18 21:28:10" + "time": "2013-07-21 12:15:26" }, { "name": "symfony/yaml", - "version": "v2.2.0", + "version": "v2.2.5", "target-dir": "Symfony/Component/Yaml", "source": { "type": "git", "url": "https://github.com/symfony/Yaml.git", - "reference": "v2.2.0-RC3" + "reference": "v2.2.5" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/Yaml/zipball/v2.2.0-RC3", - "reference": "v2.2.0-RC3", + "url": "https://api.github.com/repos/symfony/Yaml/zipball/v2.2.5", + "reference": "v2.2.5", "shasum": "" }, "require": { @@ -93,7 +147,7 @@ ], "description": "Symfony Yaml Component", "homepage": "http://symfony.com", - "time": "2013-01-27 16:49:19" + "time": "2013-07-11 09:28:01" } ], "packages-dev": [ diff --git a/config.yml.dist b/config.yml.dist index 421e710..e2bceb5 100644 --- a/config.yml.dist +++ b/config.yml.dist @@ -2,3 +2,4 @@ bin: bin/satis # Where your satis bin is located json: satis.json # Where your satis.json is located webroot: web # Where you want to dump index.html and packages.json user: ~ # Run script as another user (sudo -u user -i bin/satis build ...) +authorized_ips: [204.232.175.64/27, 192.30.252.0/22] # Authorized IP address (defaults are GitHub Hook servers). Use ~ if you want to allow all IPs diff --git a/webhook.php b/webhook.php index 927027b..7d40d84 100644 --- a/webhook.php +++ b/webhook.php 
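Review bot: The two CIDR ranges in the new `authorized_ips` default in config.yml.dist are a snapshot of GitHub's hook servers, and the comment does not tell an operator that these ranges change over time. A stale list either rejects legitimate hooks or keeps trusting addresses that no longer belong to GitHub, so the comment should say to re-check them, for example `# Authorized IPs/CIDRs (GitHub hook servers at time of writing; verify against the ranges GitHub currently publishes). Use ~ to allow all IPs`. As far as this patch shows, the IP check is the only access control on webhook.php, so the comment should also say that `~` leaves the endpoint open to any caller.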
@@ -3,21 +3,47 @@ use Symfony\Component\Process\Process; use Symfony\Component\Yaml\Yaml; +use Symfony\Component\HttpFoundation\IpUtils; +use \Symfony\Component\HttpFoundation\Request; if (!file_exists(__DIR__.'/config.yml')) { echo "Please, define your satis configuration in a config.yml file.\nYou can use the config.yml.dist as a template."; exit(-1); } +$request = Request::createFromGlobals(); + $defaults = array( 'bin' => 'bin/satis', 'json' => 'satis.json', 'webroot' => 'web/', 'user' => null, + 'authorized_ips' => null ); $config = Yaml::parse(__DIR__.'/config.yml'); $config = array_merge($defaults, $config); +if (null !== $config['authorized_ips']) { + $ip = $request->getClientIp(); + $authorized = false; + + if (is_array($config['authorized_ips'])) { + foreach ($config['authorized_ips'] as $authorizedIp) { + $authorized = IpUtils::checkIp($ip, $authorizedIp); + if ($authorized) { + break; + } + } + } else { + $authorized = IpUtils::checkIp($ip, $config['authorized_ips']); + } + + if (! $authorized) { + http_response_code(403); + exit(-1); + } +} + $errors = array(); if (!file_exists($config['bin'])) { $errors[] = 'The Satis bin could not be found.'; From 2a0e40ee31257fa32245addef4a901dcfd0cdd78 Mon Sep 17 00:00:00 2001 From: Sylvain Mauduit Date: Sat, 10 Aug 2013 19:43:25 +0200 Subject: [PATCH 2/2] Updates README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9879911..31e7f92 100644 --- a/README.md +++ b/README.md 
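Review bot: The `'authorized_ips' => null` entry added to `$defaults` makes the new check fail open: a deployment whose existing config.yml has no `authorized_ips` key skips the whole block and accepts every address, although the README change in this series says the default is the GitHub hook ranges. Putting the ranges in the defaults, `'authorized_ips' => array('204.232.175.64/27', '192.30.252.0/22'),`, would match the README and still keep `authorized_ips: ~` as the explicit opt-out, since `array_merge` lets the config value override. Separately, `$request->getClientIp()` is called with no trusted-proxy configuration, so behind a reverse proxy or load balancer it presumably sees the proxy's address rather than the sender's; a comment next to the call should say the script expects direct connections. `http_response_code()` requires PHP 5.4 while the locked packages only ask for `>=5.3.3`, so `header('HTTP/1.1 403 Forbidden');` would be the safer way to send the status if 5.3 is still supported. The script continues past the end of the hunk.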
@@ -14,9 +14,10 @@ cp config.yml.dist config.yml - **json**: The location of your *satis.json* file. Default: ```satis.json```. - **webroot**: The location of your satis webroot, where packages.json is going to be dumped. Default: ```web/```. - **user**: The location of your *bin/satis* file. This parameter is optional and default to ```null```. +- **authorized_ips**: The IP address list allowed to access the page. This parameter is optional and default to the current GitHub hook servers (```[204.232.175.64/27, 192.30.252.0/22]```). Make your ```webhook.php``` file accessible, for example: ``` http://satis.yourcompany.com/webhook.php -``` \ No newline at end of file +```