IP Whitelists for Frontend (with Docker- & Kubernetes-Provider Support)

2017-04-30 11:22:07 +02:00 · 2017-04-30 11:22:07 +02:00 · 5f0b215e90
commit 5f0b215e90
parent 55f610422a
16 changed files with 731 additions and 14 deletions
--- a/provider/docker/docker.go
+++ b/provider/docker/docker.go
@ -272,6 +272,7 @@ func (p *Provider) loadDockerConfig(containersInspected []dockerData) *types.Con
 		"getServicePassHostHeader":    p.getServicePassHostHeader,
 		"getServicePriority":          p.getServicePriority,
 		"getServiceBackend":           p.getServiceBackend,
+		"getWhitelistSourceRange":     p.getWhitelistSourceRange,
 	}
 	// filter containers
 	filteredContainers := fun.Filter(func(container dockerData) bool {
@ -663,6 +664,15 @@ func (p *Provider) getPassHostHeader(container dockerData) string {
 	return "true"
 }

+func (p *Provider) getWhitelistSourceRange(container dockerData) []string {
+	var whitelistSourceRange []string
+
+	if whitelistSourceRangeLabel, err := getLabel(container, "traefik.frontend.whitelistSourceRange"); err == nil {
+		whitelistSourceRange = provider.SplitAndTrimString(whitelistSourceRangeLabel)
+	}
+	return whitelistSourceRange
+}
+
 func (p *Provider) getPriority(container dockerData) string {
 	if priority, err := getLabel(container, "traefik.frontend.priority"); err == nil {
 		return priority
--- a/provider/docker/docker_test.go
+++ b/provider/docker/docker_test.go
@ -400,6 +400,68 @@ func TestDockerGetPassHostHeader(t *testing.T) {
 	}
 }

+func TestDockerGetWhitelistSourceRange(t *testing.T) {
+	containers := []struct {
+		desc      string
+		container docker.ContainerJSON
+		expected  []string
+	}{
+		{
+			desc:      "no whitelist-label",
+			container: containerJSON(),
+			expected:  nil,
+		},
+		{
+			desc: "whitelist-label with empty string",
+			container: containerJSON(labels(map[string]string{
+				"traefik.frontend.whitelistSourceRange": "",
+			})),
+			expected: nil,
+		},
+		{
+			desc: "whitelist-label with IPv4 mask",
+			container: containerJSON(labels(map[string]string{
+				"traefik.frontend.whitelistSourceRange": "1.2.3.4/16",
+			})),
+			expected: []string{
+				"1.2.3.4/16",
+			},
+		},
+		{
+			desc: "whitelist-label with IPv6 mask",
+			container: containerJSON(labels(map[string]string{
+				"traefik.frontend.whitelistSourceRange": "fe80::/16",
+			})),
+			expected: []string{
+				"fe80::/16",
+			},
+		},
+		{
+			desc: "whitelist-label with multiple masks",
+			container: containerJSON(labels(map[string]string{
+				"traefik.frontend.whitelistSourceRange": "1.1.1.1/24, 1234:abcd::42/32",
+			})),
+			expected: []string{
+				"1.1.1.1/24",
+				"1234:abcd::42/32",
+			},
+		},
+	}
+
+	for _, e := range containers {
+		e := e
+		t.Run(e.desc, func(t *testing.T) {
+			t.Parallel()
+			dockerData := parseContainer(e.container)
+			provider := &Provider{}
+			actual := provider.getWhitelistSourceRange(dockerData)
+			if !reflect.DeepEqual(actual, e.expected) {
+				t.Errorf("expected %q, got %q", e.expected, actual)
+			}
+		})
+	}
+}
+
 func TestDockerGetLabel(t *testing.T) {
 	containers := []struct {
 		container docker.ContainerJSON