I have the following security configuration:
    security:
        # .....
        access_control:
            -
                path: ^/path/to/resource
                allow_if: "request.getClientIp() in %my.ips%"

    parameters:
        my.ips:
            - '129.0.0.1'
            - '55.12.99.100'
Basically I want to allow/deny based on a list of IPs.
This list of IPs keeps changing/growing/shrinking based on some business rules and based on the environment (test, dev, prod etc.), which is why I HAVE TO write it like that in the allow_if rule. I can't just do something like ip=X or ip=Y or ip=Z or...
Now, this doesn't work. I get an error like:
A string value must be composed of strings and/or numbers, but found parameter "my.ips" of type array inside string value.
I tried all sorts of combinations, e.g.:

    allow_if: "request.getClientIp() in '%my.ips%'"
    allow_if: "request.getClientIp() in ['%my.ips%']"
    ...

and I got the same error.
My suspicion is that this is parsed and interpreted using the Expression-Language component. Therefore, according to the syntax described here, I tried it like this as well:
    allow_if: "request.getClientIp() in parameter('my.ips')"
But it again failed with the error:
The function "parameter" does not exist around position 26.
And now I'm kind of stuck. Is there some way I can make this work?
OK, so I wasn't able to make the expression parse/accept regular parameters, but I was able to work around it.
Here's what I did:
    security:
        # .....
        access_control:
            -
                path: ^/path/to/resource
                ips: '%my.ips%'
                roles: ['ROLE_MY_ROLE']
            -
                path: ^/path/to/resource
                allow_if: 'false'

    parameters:
        my.ips:
            - '129.0.0.1'
            - '55.12.0.0/16'
So the way this works is like this: the allow_if is always false. So this way the user is obligated to access that route ONLY IF he is coming from a specific IP AND he has one of the allowed roles.
Something interesting that I discovered is that you can use subnets for the list of allowed IPs, which is really cool because it means you can add IP ranges in there as well. Maybe this should be added to the docs, since it's very useful (I'll make a PR on GitHub when I have time).
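As an added illustration (not code from the question, the answer, or Symfony itself), the following stand-alone PHP 8 script models how the two access_control rules in the answer are evaluated: the first rule that matches the request (by path and ips) wins, and its roles / allow_if requirements then decide the outcome. It includes a small IPv4 CIDR matcher so that the '55.12.0.0/16' entry covers 55.12.99.100, which is the subnet behaviour the answer describes. Symfony's real implementation lives in Symfony\Component\HttpFoundation\IpUtils and also handles IPv6; the matcher here is IPv4-only, and the sample requests and the 203.0.113.7 address are constructed for the demonstration.

```php
<?php
// Added example, not Symfony's own code. Models first-match-wins access_control
// evaluation for the two-rule configuration in the answer. IPv4 only.

/** True if $ip equals $pattern or falls inside the CIDR block $pattern (IPv4 only). */
function ipMatches(string $ip, string $pattern): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    if (!str_contains($pattern, '/')) {
        return $ipLong === ip2long($pattern);
    }
    [$net, $bits] = explode('/', $pattern, 2);
    $bits = (int) $bits;
    $netLong = ip2long($net);
    if ($netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Build a 32-bit netmask; /0 is handled explicitly to avoid a 32-bit shift.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Does the rule's request matcher (path regex, ips list) apply to this request? */
function ruleMatches(array $rule, string $path, string $clientIp): bool
{
    if (isset($rule['path']) && !preg_match('{' . $rule['path'] . '}', $path)) {
        return false;
    }
    if (isset($rule['ips'])) {
        foreach ((array) $rule['ips'] as $pattern) {
            if (ipMatches($clientIp, $pattern)) {
                return true;
            }
        }
        return false; // IP not in the list: this rule does not match at all
    }
    return true;
}

/**
 * First matching rule wins; its requirements then decide.
 * Returns 'ALLOW', 'DENY' or 'NO_RULE' (no access_control entry matched).
 */
function decide(array $rules, string $path, string $clientIp, array $userRoles): string
{
    foreach ($rules as $rule) {
        if (!ruleMatches($rule, $path, $clientIp)) {
            continue;
        }
        if (isset($rule['allow_if']) && $rule['allow_if'] === 'false') {
            return 'DENY'; // the catch-all second rule
        }
        if (isset($rule['roles']) && !array_intersect($rule['roles'], $userRoles)) {
            return 'DENY'; // IP matched, but the user lacks the required role
        }
        return 'ALLOW';
    }
    return 'NO_RULE';
}

// The parameter list from the answer, with %my.ips% already resolved.
$myIps = ['129.0.0.1', '55.12.0.0/16'];

$accessControl = [
    ['path' => '^/path/to/resource', 'ips' => $myIps, 'roles' => ['ROLE_MY_ROLE']],
    ['path' => '^/path/to/resource', 'allow_if' => 'false'],
];

// Constructed sample requests: [client IP, user roles, expected outcome].
$cases = [
    ['55.12.99.100', ['ROLE_MY_ROLE'], 'ALLOW'], // inside the /16 and has the role
    ['55.12.99.100', ['ROLE_USER'],    'DENY'],  // IP matches rule 1, role missing
    ['129.0.0.1',    ['ROLE_MY_ROLE'], 'ALLOW'], // exact IP match
    ['203.0.113.7',  ['ROLE_MY_ROLE'], 'DENY'],  // rule 1 skipped, rule 2 denies
];

foreach ($cases as [$ip, $roles, $expected]) {
    $got = decide($accessControl, '/path/to/resource', $ip, $roles);
    printf("%-14s %-14s => %-5s (expected %s)\n", $ip, implode(',', $roles), $got, $expected);
}
```

Two things worth keeping in mind when relying on this pattern: the ips matcher compares against the client IP Symfony derives from the request, so behind a load balancer or reverse proxy the framework's trusted_proxies setting has to be configured or every request will appear to come from the proxy's address; and because the first rule only matches when the IP is in the list, the unconditional allow_if: 'false' rule is what guarantees that nobody outside the list gets through, so it must stay directly after the IP-restricted rule for the same path.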