IPStrategy for selecting IP in whitelist

2018-08-24 16:20:03 +02:00 · 2018-08-24 16:20:03 +02:00 · 00728e711c
commit 00728e711c
parent 1ec4e03738
65 changed files with 2444 additions and 1837 deletions
--- a/middlewares/forwardedheaders/forwarded_header.go
+++ b/middlewares/forwardedheaders/forwarded_header.go
@ -0,0 +1,52 @@
+package forwardedheaders
+
+import (
+	"net/http"
+
+	"github.com/containous/traefik/ip"
+	"github.com/vulcand/oxy/forward"
+	"github.com/vulcand/oxy/utils"
+)
+
+// XForwarded filter for XForwarded headers
+type XForwarded struct {
+	insecure   bool
+	trustedIps []string
+	ipChecker  *ip.Checker
+}
+
+// NewXforwarded creates a new XForwarded
+func NewXforwarded(insecure bool, trustedIps []string) (*XForwarded, error) {
+	var ipChecker *ip.Checker
+	if len(trustedIps) > 0 {
+		var err error
+		ipChecker, err = ip.NewChecker(trustedIps)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &XForwarded{
+		insecure:   insecure,
+		trustedIps: trustedIps,
+		ipChecker:  ipChecker,
+	}, nil
+}
+
+func (x *XForwarded) isTrustedIP(ip string) bool {
+	if x.ipChecker == nil {
+		return false
+	}
+	return x.ipChecker.IsAuthorized(ip) == nil
+}
+
+func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	if !x.insecure && !x.isTrustedIP(r.RemoteAddr) {
+		utils.RemoveHeaders(r.Header, forward.XHeaders...)
+	}
+
+	// If there is a next, call it.
+	if next != nil {
+		next(w, r)
+	}
+}
--- a/middlewares/forwardedheaders/forwarded_header_test.go
+++ b/middlewares/forwardedheaders/forwarded_header_test.go
@ -0,0 +1,128 @@
+package forwardedheaders
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestServeHTTP(t *testing.T) {
+	testCases := []struct {
+		desc            string
+		insecure        bool
+		trustedIps      []string
+		incomingHeaders map[string]string
+		remoteAddr      string
+		expectedHeaders map[string]string
+	}{
+		{
+			desc:            "all Empty",
+			insecure:        true,
+			trustedIps:      nil,
+			remoteAddr:      "",
+			incomingHeaders: map[string]string{},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "",
+			},
+		},
+		{
+			desc:       "insecure true with incoming X-Forwarded-For",
+			insecure:   true,
+			trustedIps: nil,
+			remoteAddr: "",
+			incomingHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+		},
+		{
+			desc:       "insecure false with incoming X-Forwarded-For",
+			insecure:   false,
+			trustedIps: nil,
+			remoteAddr: "",
+			incomingHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "",
+			},
+		},
+		{
+			desc:       "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
+			insecure:   false,
+			trustedIps: []string{"10.0.1.100"},
+			remoteAddr: "10.0.1.100:80",
+			incomingHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+		},
+		{
+			desc:       "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
+			insecure:   false,
+			trustedIps: []string{"10.0.1.100"},
+			remoteAddr: "10.0.1.101:80",
+			incomingHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "",
+			},
+		},
+		{
+			desc:       "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
+			insecure:   false,
+			trustedIps: []string{"1.2.3.4/24"},
+			remoteAddr: "1.2.3.156:80",
+			incomingHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+		},
+		{
+			desc:       "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
+			insecure:   false,
+			trustedIps: []string{"1.2.3.4/24"},
+			remoteAddr: "10.0.1.101:80",
+			incomingHeaders: map[string]string{
+				"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
+			},
+			expectedHeaders: map[string]string{
+				"X-Forwarded-for": "",
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			req, err := http.NewRequest(http.MethodGet, "", nil)
+			require.NoError(t, err)
+
+			req.RemoteAddr = test.remoteAddr
+
+			for k, v := range test.incomingHeaders {
+				req.Header.Set(k, v)
+			}
+
+			m, err := NewXforwarded(test.insecure, test.trustedIps)
+			require.NoError(t, err)
+
+			m.ServeHTTP(nil, req, nil)
+
+			for k, v := range test.expectedHeaders {
+				assert.Equal(t, v, req.Header.Get(k))
+			}
+		})
+	}
+}
--- a/middlewares/ip_whitelister.go
+++ b/middlewares/ip_whitelister.go
@ -4,9 +4,9 @@ import (
 	"fmt"
 	"net/http"

+	"github.com/containous/traefik/ip"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/middlewares/tracing"
-	"github.com/containous/traefik/whitelist"
 	"github.com/pkg/errors"
 	"github.com/urfave/negroni"
 )
@ -14,22 +14,25 @@ import (
 // IPWhiteLister is a middleware that provides Checks of the Requesting IP against a set of Whitelists
 type IPWhiteLister struct {
 	handler     negroni.Handler
-	whiteLister *whitelist.IP
+	whiteLister *ip.Checker
+	strategy    ip.Strategy
 }

 // NewIPWhiteLister builds a new IPWhiteLister given a list of CIDR-Strings to whitelist
-func NewIPWhiteLister(whiteList []string, useXForwardedFor bool) (*IPWhiteLister, error) {
+func NewIPWhiteLister(whiteList []string, strategy ip.Strategy) (*IPWhiteLister, error) {
 	if len(whiteList) == 0 {
 		return nil, errors.New("no white list provided")
 	}

-	whiteLister := IPWhiteLister{}
-
-	ip, err := whitelist.NewIP(whiteList, false, useXForwardedFor)
+	checker, err := ip.NewChecker(whiteList)
 	if err != nil {
 		return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whiteList, err)
 	}
-	whiteLister.whiteLister = ip
+
+	whiteLister := IPWhiteLister{
+		strategy:    strategy,
+		whiteLister: checker,
+	}

 	whiteLister.handler = negroni.HandlerFunc(whiteLister.handle)
 	log.Debugf("configured IP white list: %s", whiteList)
@ -38,13 +41,13 @@ func NewIPWhiteLister(whiteList []string, useXForwardedFor bool) (*IPWhiteLister
 }

 func (wl *IPWhiteLister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	err := wl.whiteLister.IsAuthorized(r)
+	err := wl.whiteLister.IsAuthorized(wl.strategy.GetIP(r))
 	if err != nil {
 		tracing.SetErrorAndDebugLog(r, "request %+v - rejecting: %v", r, err)
 		reject(w)
 		return
 	}
-
+	log.Debugf("Accept %s: %+v", wl.strategy.GetIP(r), r)
 	tracing.SetErrorAndDebugLog(r, "request %+v matched white list %s - passing", r, wl.whiteLister)
 	next.ServeHTTP(w, r)
 }
--- a/middlewares/ip_whitelister_test.go
+++ b/middlewares/ip_whitelister_test.go
@ -5,29 +5,26 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/containous/traefik/whitelist"
+	"github.com/containous/traefik/ip"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 func TestNewIPWhiteLister(t *testing.T) {
 	testCases := []struct {
-		desc             string
-		whiteList        []string
-		useXForwardedFor bool
-		expectedError    string
+		desc          string
+		whiteList     []string
+		expectedError string
 	}{
 		{
-			desc:             "invalid IP",
-			whiteList:        []string{"foo"},
-			useXForwardedFor: false,
-			expectedError:    "parsing CIDR whitelist [foo]: parsing CIDR white list <nil>: invalid CIDR address: foo",
+			desc:          "invalid IP",
+			whiteList:     []string{"foo"},
+			expectedError: "parsing CIDR whitelist [foo]: parsing CIDR trusted IPs <nil>: invalid CIDR address: foo",
 		},
 		{
-			desc:             "valid IP",
-			whiteList:        []string{"10.10.10.10"},
-			useXForwardedFor: false,
-			expectedError:    "",
+			desc:          "valid IP",
+			whiteList:     []string{"10.10.10.10"},
+			expectedError: "",
 		},
 	}

@ -36,7 +33,7 @@ func TestNewIPWhiteLister(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			whiteLister, err := NewIPWhiteLister(test.whiteList, test.useXForwardedFor)
+			whiteLister, err := NewIPWhiteLister(test.whiteList, &ip.RemoteAddrStrategy{})

 			if len(test.expectedError) > 0 {
 				assert.EqualError(t, err, test.expectedError)
@ -50,57 +47,22 @@ func TestNewIPWhiteLister(t *testing.T) {

 func TestIPWhiteLister_ServeHTTP(t *testing.T) {
 	testCases := []struct {
-		desc             string
-		whiteList        []string
-		useXForwardedFor bool
-		remoteAddr       string
-		xForwardedFor    []string
-		expected         int
+		desc       string
+		whiteList  []string
+		remoteAddr string
+		expected   int
 	}{
 		{
-			desc:             "authorized with remote address",
-			whiteList:        []string{"20.20.20.20"},
-			useXForwardedFor: false,
-			remoteAddr:       "20.20.20.20:1234",
-			xForwardedFor:    nil,
-			expected:         200,
+			desc:       "authorized with remote address",
+			whiteList:  []string{"20.20.20.20"},
+			remoteAddr: "20.20.20.20:1234",
+			expected:   200,
 		},
 		{
-			desc:             "non authorized with remote address",
-			whiteList:        []string{"20.20.20.20"},
-			useXForwardedFor: false,
-			remoteAddr:       "20.20.20.21:1234",
-			xForwardedFor:    nil,
-			expected:         403,
-		},
-		{
-			desc:             "non authorized with remote address (X-Forwarded-For possible)",
-			whiteList:        []string{"20.20.20.20"},
-			useXForwardedFor: false,
-			remoteAddr:       "20.20.20.21:1234",
-			xForwardedFor:    []string{"20.20.20.20", "40.40.40.40"},
-			expected:         403,
-		},
-		{
-			desc:             "authorized with X-Forwarded-For",
-			whiteList:        []string{"30.30.30.30"},
-			useXForwardedFor: true,
-			xForwardedFor:    []string{"30.30.30.30", "40.40.40.40"},
-			expected:         200,
-		},
-		{
-			desc:             "authorized with only one X-Forwarded-For",
-			whiteList:        []string{"30.30.30.30"},
-			useXForwardedFor: true,
-			xForwardedFor:    []string{"30.30.30.30"},
-			expected:         200,
-		},
-		{
-			desc:             "non authorized with X-Forwarded-For",
-			whiteList:        []string{"30.30.30.30"},
-			useXForwardedFor: true,
-			xForwardedFor:    []string{"30.30.30.31", "40.40.40.40"},
-			expected:         403,
+			desc:       "non authorized with remote address",
+			whiteList:  []string{"20.20.20.20"},
+			remoteAddr: "20.20.20.21:1234",
+			expected:   403,
 		},
 	}

@ -109,7 +71,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			whiteLister, err := NewIPWhiteLister(test.whiteList, test.useXForwardedFor)
+			whiteLister, err := NewIPWhiteLister(test.whiteList, &ip.RemoteAddrStrategy{})
 			require.NoError(t, err)

 			recorder := httptest.NewRecorder()
@ -120,12 +82,6 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
 				req.RemoteAddr = test.remoteAddr
 			}

-			if len(test.xForwardedFor) > 0 {
-				for _, xff := range test.xForwardedFor {
-					req.Header.Add(whitelist.XForwardedFor, xff)
-				}
-			}
-
 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})

 			whiteLister.ServeHTTP(recorder, req, next)