IPStrategy for selecting IP in whitelist

2018-08-24 16:20:03 +02:00 · 2018-08-24 16:20:03 +02:00 · 00728e711c
commit 00728e711c
parent 1ec4e03738
65 changed files with 2444 additions and 1837 deletions
--- a/integration/basic_test.go
+++ b/integration/basic_test.go
@ -3,6 +3,7 @@ package integration
 import (
 	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"os"
 	"strings"
 	"syscall"
@ -253,7 +254,6 @@ func (s *SimpleSuite) TestNoAuthOnPing(c *check.C) {
 }

 func (s *SimpleSuite) TestDefaultEntrypointHTTP(c *check.C) {
-
 	s.createComposeProject(c, "base")
 	s.composeProject.Start(c)

@ -272,7 +272,6 @@ func (s *SimpleSuite) TestDefaultEntrypointHTTP(c *check.C) {
 }

 func (s *SimpleSuite) TestWithUnexistingEntrypoint(c *check.C) {
-
 	s.createComposeProject(c, "base")
 	s.composeProject.Start(c)

@ -291,7 +290,6 @@ func (s *SimpleSuite) TestWithUnexistingEntrypoint(c *check.C) {
 }

 func (s *SimpleSuite) TestMetricsPrometheusDefaultEntrypoint(c *check.C) {
-
 	s.createComposeProject(c, "base")
 	s.composeProject.Start(c)

@ -313,15 +311,16 @@ func (s *SimpleSuite) TestMetricsPrometheusDefaultEntrypoint(c *check.C) {
 }

 func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
-
 	s.createComposeProject(c, "base")
 	s.composeProject.Start(c)
+
 	ipWhoami01 := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
 	ipWhoami02 := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
 	file := s.adaptFile(c, "fixtures/multiple_provider.toml", struct{ IP string }{
 		IP: ipWhoami02,
 	})
 	defer os.Remove(file)
+
 	cmd, output := s.traefikCmd(withConfigFile(file))
 	defer output(c)

@ -339,3 +338,80 @@ func (s *SimpleSuite) TestMultipleProviderSameBackendName(c *check.C) {
 	c.Assert(err, checker.IsNil)

 }
+
+func (s *SimpleSuite) TestIPStrategyWhitelist(c *check.C) {
+	s.createComposeProject(c, "whitelist")
+	s.composeProject.Start(c)
+
+	cmd, output := s.traefikCmd(withConfigFile("fixtures/simple_whitelist.toml"))
+	defer output(c)
+
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("override"))
+	c.Assert(err, checker.IsNil)
+
+	testCases := []struct {
+		desc               string
+		xForwardedFor      string
+		host               string
+		expectedStatusCode int
+	}{
+		{
+			desc:               "default client ip strategy accept",
+			xForwardedFor:      "8.8.8.8,127.0.0.1",
+			host:               "no.override.whitelist.docker.local",
+			expectedStatusCode: 200,
+		},
+		{
+			desc:               "default client ip strategy reject",
+			xForwardedFor:      "8.8.8.10,127.0.0.1",
+			host:               "no.override.whitelist.docker.local",
+			expectedStatusCode: 403,
+		},
+		{
+			desc:               "override remote addr reject",
+			xForwardedFor:      "8.8.8.8,8.8.8.8",
+			host:               "override.remoteaddr.whitelist.docker.local",
+			expectedStatusCode: 403,
+		},
+		{
+			desc:               "override depth accept",
+			xForwardedFor:      "8.8.8.8,10.0.0.1,127.0.0.1",
+			host:               "override.depth.whitelist.docker.local",
+			expectedStatusCode: 200,
+		},
+		{
+			desc:               "override depth reject",
+			xForwardedFor:      "10.0.0.1,8.8.8.8,127.0.0.1",
+			host:               "override.depth.whitelist.docker.local",
+			expectedStatusCode: 403,
+		},
+		{
+			desc:               "override excludedIPs reject",
+			xForwardedFor:      "10.0.0.3,10.0.0.1,10.0.0.2",
+			host:               "override.excludedips.whitelist.docker.local",
+			expectedStatusCode: 403,
+		},
+		{
+			desc:               "override excludedIPs accept",
+			xForwardedFor:      "8.8.8.8,10.0.0.1,10.0.0.2",
+			host:               "override.excludedips.whitelist.docker.local",
+			expectedStatusCode: 200,
+		},
+	}
+
+	for _, test := range testCases {
+		req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8000", nil)
+		req.Header.Set("X-Forwarded-For", test.xForwardedFor)
+		req.Host = test.host
+		req.RequestURI = ""
+
+		err = try.Request(req, 1*time.Second, try.StatusCodeIs(test.expectedStatusCode))
+		if err != nil {
+			c.Fatalf("Error while %s: %v", test.desc, err)
+		}
+	}
+}
--- a/integration/fixtures/access_log_config.toml
+++ b/integration/fixtures/access_log_config.toml
@ -17,7 +17,8 @@ checkNewVersion = false
      entryPoint = "http"
  [entryPoints.httpWhitelistReject]
    address = ":8002"
-    whiteListSourceRange = ["8.8.8.8/32"]
+  [entryPoints.httpWhitelistReject.whiteList]
+    sourceRange = ["8.8.8.8/32"]
  [entryPoints.httpAuth]
    address = ":8004"
    [entryPoints.httpAuth.auth.basic]
--- a/integration/fixtures/simple_whitelist.toml
+++ b/integration/fixtures/simple_whitelist.toml
@ -0,0 +1,13 @@
+logLevel = "DEBUG"
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":8000"
+  [entryPoints.http.ForwardedHeaders]
+    insecure=true
+  [entryPoints.http.ClientIPStrategy]
+    depth=2
+
+[api]
+[docker]
--- a/integration/resources/compose/access_log.yml
+++ b/integration/resources/compose/access_log.yml
@ -102,6 +102,6 @@ frontendWhitelist:
    - traefik.enable=true
    - traefik.port=80
    - traefik.backend=backend3
-    - traefik.frontend.whitelistSourceRange=8.8.8.8/32
+    - traefik.frontend.whiteList.sourceRange=8.8.8.8/32
    - traefik.frontend.entryPoints=http
    - traefik.frontend.rule=Host:frontend.whitelist.docker.local
--- a/integration/resources/compose/whitelist.yml
+++ b/integration/resources/compose/whitelist.yml
@ -0,0 +1,34 @@
+noOverrideWhitelist:
+  image: containous/whoami
+  labels:
+    - traefik.enable=true
+    - traefik.port=80
+    - traefik.frontend.rule=Host:no.override.whitelist.docker.local
+    - traefik.frontend.whiteList.sourceRange=8.8.8.8
+
+overrideIPStrategyRemoteAddrWhitelist:
+  image: containous/whoami
+  labels:
+    - traefik.enable=true
+    - traefik.port=80
+    - traefik.frontend.rule=Host:override.remoteaddr.whitelist.docker.local
+    - traefik.frontend.whiteList.sourceRange=8.8.8.8
+    - traefik.frontend.whiteList.ipStrategy=true
+
+overrideIPStrategyDepthWhitelist:
+  image: containous/whoami
+  labels:
+  - traefik.enable=true
+  - traefik.port=80
+  - traefik.frontend.rule=Host:override.depth.whitelist.docker.local
+  - traefik.frontend.whiteList.sourceRange=8.8.8.8
+  - traefik.frontend.whiteList.ipStrategy.depth=3
+
+overrideIPStrategyExcludedIPsWhitelist:
+  image: containous/whoami
+  labels:
+  - traefik.enable=true
+  - traefik.port=80
+  - traefik.frontend.rule=Host:override.excludedips.whitelist.docker.local
+  - traefik.frontend.whiteList.sourceRange=8.8.8.8
+  - traefik.frontend.whiteList.ipStrategy.excludedIPs=10.0.0.1,10.0.0.2