From 761ac2c650679f484121a4f6272fb75b9134b074 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Piotr=20J=C3=B3=C5=BAwiak?= Date: Wed, 21 Feb 2018 15:13:54 +0100 Subject: [PATCH] Extended Tpay server checking Added option to check IP forwarded by proxy Added option to enable/disable IP checking --- Api/TpayInterface.php | 15 ++++++++ Controller/tpay/Notification.php | 12 ++++++- Model/Tpay.php | 16 +++++++-- composer.json | 2 +- etc/adminhtml/system.xml | 20 +++++++---- etc/config.xml | 2 ++ etc/module.xml | 2 +- i18n/pl_PL.csv | 2 ++ lib/PaymentBasic.php | 62 +++++++++++++++++++++++++++----- 9 files changed, 114 insertions(+), 19 deletions(-) diff --git a/Api/TpayInterface.php b/Api/TpayInterface.php index d9d5a07..eb5a2db 100644 --- a/Api/TpayInterface.php +++ b/Api/TpayInterface.php @@ -115,4 +115,19 @@ public function getTermsURL(); * @return string */ public function getInvoiceSendMail(); + + /** + * Check if Tpay notification server IP is forwarded by proxy + * + * @return bool + */ + public function getCheckProxy(); + + /** + * Check Tpay notification server IP + * + * @return bool + */ + public function getCheckTpayIP(); + } diff --git a/Controller/tpay/Notification.php b/Controller/tpay/Notification.php index e163b8b..879e921 100644 --- a/Controller/tpay/Notification.php +++ b/Controller/tpay/Notification.php 
@@ -81,9 +81,19 @@ public function execute()
 try {
 $id = $this->tpay->getMerchantId();
 $code = $this->tpay->getSecurityCode();
+ $checkServer = $this->tpay->getCheckTpayIP();
+ $checkProxy = $this->tpay->getCheckProxy();
+ $forwardedIP = null;
 $paymentBasic = $this->paymentBasicFactory->create(['merchantId' => $id, 'merchantSecret' => $code]);
 $params = $this->getRequest()->getParams();
- $validParams = $paymentBasic->checkPayment($this->remoteAddress->getRemoteAddress(), $params);
+ if ($checkServer === false) {
+ $paymentBasic->disableServerValidation();
+ }
+ if ($checkProxy === true) {
+ $paymentBasic->enableProxyValidation();
+ $forwardedIP = $this->getRequest()->getServer('HTTP_X_FORWARDED_FOR');
+ }
+ $validParams = $paymentBasic->checkPayment($this->remoteAddress->getRemoteAddress(), $forwardedIP, $params);
 $orderId = base64_decode($validParams[ResponseFields::TR_CRC]);
 $this->tpayService->SetOrderStatus($orderId, $validParams, $this->tpay);
diff --git a/Model/Tpay.php b/Model/Tpay.php
index 0c2000c..be67e81 100644
--- a/Model/Tpay.php
+++ b/Model/Tpay.php
@@ -22,7 +22,6 @@
 use Magento\Payment\Helper\Data;
 use Magento\Payment\Model\InfoInterface;
 use Magento\Payment\Model\Method\AbstractMethod;
-use Magento\Payment\Model\Method\Adapter;
 use Magento\Payment\Model\Method\Logger;
 use Magento\Quote\Api\Data\CartInterface;
 use tpaycom\magento2basic\Api\Sales\OrderRepositoryInterface;
@@ -303,7 +302,20 @@ public function redirectToChannel()
 {
 return (bool)$this->getConfigData('redirect_directly_to_channel');
 }
-
+ /**
+ * {@inheritdoc}
+ */
+ public function getCheckProxy()
+ {
+ return (bool)$this->getConfigData('check_proxy');
+ }
+ /**
+ * {@inheritdoc}
+ */
+ public function getCheckTpayIP()
+ {
+ return (bool)$this->getConfigData('check_server');
+ }
 /**
 * {@inheritdoc}
 */
diff --git a/composer.json b/composer.json
index 88cbb4d..5caa9da 100644
--- a/composer.json
+++ b/composer.json
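Review bot: In Controller/tpay/Notification.php, `getServer('HTTP_X_FORWARDED_FOR')` is handed to `checkPayment()` as though it were a verified address, but that header is whatever the sender put in the request unless the site's own proxy overwrites it. With `check_proxy` on, `PaymentBasic::checkServer()` (last hunk of this patch) returns true as soon as the value matches the allow-list, regardless of the direct peer, so as far as the patch shows only the md5sum comparison still authenticates the notification. The header can also carry a comma-separated chain, which the exact-match `in_array()` in `checkIP()` never matches. Use only the entry appended by the trusted proxy, e.g. `$hops = array_map('trim', explode(',', (string)$forwardedIP)); $forwardedIP = end($hops);`, and honour it only when the peer address is that proxy. execute() begins and ends outside the hunk.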
@@ -2,7 +2,7 @@ "name": "tpaycom/magento2basic", "description": "tpay.com payments module", "type": "magento2-module", - "version": "1.3.6", + "version": "1.3.7", "license": [ "OSL-3.0" ], diff --git a/etc/adminhtml/system.xml b/etc/adminhtml/system.xml index 7ebbceb..4c58000 100644 --- a/etc/adminhtml/system.xml +++ b/etc/adminhtml/system.xml @@ -53,25 +53,33 @@ Magento\Config\Model\Config\Source\Yesno - + Magento\Config\Model\Config\Source\Yesno - + + + Magento\Config\Model\Config\Source\Yesno + + + + Magento\Config\Model\Config\Source\Yesno + + - + Magento\Payment\Model\Config\Source\Allspecificcountries - + Magento\Directory\Model\Config\Source\Country - + - + Leave empty for no limit diff --git a/etc/config.xml b/etc/config.xml index dc43192..5bfe7eb 100644 --- a/etc/config.xml +++ b/etc/config.xml @@ -28,6 +28,8 @@ 0 1 PLN + 1 + 0 diff --git a/etc/module.xml b/etc/module.xml index c27bd25..2e5f172 100644 --- a/etc/module.xml +++ b/etc/module.xml @@ -9,7 +9,7 @@ */ --> - + diff --git a/i18n/pl_PL.csv b/i18n/pl_PL.csv index 0c2d2f7..f741add 100644 --- a/i18n/pl_PL.csv +++ b/i18n/pl_PL.csv @@ -22,3 +22,5 @@ "There was an error during your payment.","Wystąpił błąd podczas Twojej płatności." "Thank you for your payment!","Dziękujemy za dokonanie płatności!" "I do accept tpay.com service regulations","Akceptuję regulamin tpay.com" +"My server use proxy","Mój serwer korzysta z proxy" +"Validate Tpay notifications server IP (recommended)","Sprawdzaj adres IP serwera powiadomień (zalecane)" diff --git a/lib/PaymentBasic.php b/lib/PaymentBasic.php index b65997c..d3b23ed 100644 --- a/lib/PaymentBasic.php +++ b/lib/PaymentBasic.php 
@@ -43,8 +43,23 @@ class PaymentBasic
 '178.32.201.77',
 '46.248.167.59',
 '46.29.19.106',
+ '176.119.38.175',
 ];
+ /**
+ * Check Tpay server IP
+ *
+ * @var bool
+ */
+ private $validateServerIP = true;
+
+ /**
+ * Check Tpay server IP from proxy
+ *
+ * @var bool
+ */
+ private $validateForwardedIP = false;
+
 /**
 * PaymentBasic class constructor for payment:
 * - basic from tpay.com panel
@@ -74,14 +89,14 @@ public function __construct($merchantId = false, $merchantSecret = false)
 * Display information to prevent sending repeated notifications.
 *
 * @param string $remoteAddress remote address
+ * @param string $forwardedAddress
 * @param null|array $params
 * @return array
 * @throws \Exception
 */
- public function checkPayment($remoteAddress, $params = null)
+ public function checkPayment($remoteAddress, $forwardedAddress, $params = null)
 {
-
 $res = Validate::getResponse($params);
 $checkMD5 = $this->checkMD5(
 $res['md5sum'],
@@ -90,7 +105,7 @@ public function checkPayment($remoteAddress, $params = null)
 $res['tr_crc']
 );
- if ($this->checkServer($remoteAddress) === false) {
+ if ($this->checkServer($remoteAddress, $forwardedAddress) === false) {
 throw new \Exception('Request is not from secure server');
 }
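Review bot: In lib/PaymentBasic.php, `checkPayment()` gains a required `$forwardedAddress` in the middle of its public signature, so an existing two-argument call `checkPayment($ip, $params)` would bind the params array to `$forwardedAddress` and run with `$params = null` instead of failing loudly. Appending it as an optional last parameter, `public function checkPayment($remoteAddress, $params = null, $forwardedAddress = null)`, keeps such callers working, with the call in Notification.php adjusted to match; whether other callers exist is not visible in this patch. The new docblock line should also say what the value is and that it may be null, e.g. `@param string|null $forwardedAddress X-Forwarded-For value, null when proxy checking is off`. The body of checkPayment() continues outside the hunk.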
@@ -119,20 +134,51 @@ public function validateSign($md5sum, $transactionId, $transactionAmount, $crc)
 }
 }
+ public function disableServerValidation()
+ {
+ $this->validateServerIP = false;
+ return $this;
+ }
+
+ public function enableProxyValidation()
+ {
+ $this->validateForwardedIP = true;
+ return $this;
+ }
+
 /**
 * Check if request is called from secure tpay.com server
 *
- * @param $remoteAddress
- *
+ * @param $remoteIP
+ * @param $forwarderIP
 * @return bool
 */
- private function checkServer($remoteAddress)
+ private function checkServer($remoteIP, $forwarderIP)
 {
- if (!isset($remoteAddress) || !in_array($remoteAddress, $this->secureIP)) {
+ if (!$this->validateServerIP) {
+ return true;
+ }
+ if (is_null($remoteIP) && is_null($forwarderIP)) {
 return false;
 }
+ if ($this->checkIP($remoteIP)) {
+ return true;
+ }
+ if ($this->validateForwardedIP && $this->checkIP($forwarderIP)) {
+ return true;
+ }
+ return false;
+ }
- return true;
+ /**
+ * Validate if $ip is secure
+ *
+ * @param $ip
+ * @return bool
+ */
+ private function checkIP($ip)
+ {
+ return in_array($ip, $this->secureIP, true);
 }
 /**
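Review bot: `disableServerValidation()` and `enableProxyValidation()` are added as public methods without docblocks, although each one loosens the source check that `checkServer()` performs. The docblock on the first should state that the allow-list comparison is skipped entirely afterwards, and on the second that the forwarded address (read from X-Forwarded-For in Notification.php) is then accepted as an alternative to the peer address; both should carry `@return $this`. The parameter is named `$forwarderIP` here and `$forwardedAddress` in `checkPayment()`, so one name should be used throughout. The `is_null()` guard is redundant, because `in_array(null, $this->secureIP, true)` is already false for a list of strings.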