Ability to use "X-Forwarded-For" as a source of IP for white list.

2018-03-23 17:40:04 +01:00 · 2018-03-23 17:40:04 +01:00 · d2766b1b4f
commit d2766b1b4f
parent 4802484729
50 changed files with 1496 additions and 599 deletions
--- a/provider/kv/keynames.go
+++ b/provider/kv/keynames.go
@ -22,29 +22,30 @@ const (
 	pathBackendBufferingMemRequestBodyBytes     = pathBackendBuffering + "memrequestbodybytes"
 	pathBackendBufferingRetryExpression         = pathBackendBuffering + "retryexpression"

-	pathFrontends                        = "/frontends/"
-	pathFrontendBackend                  = "/backend"
-	pathFrontendPriority                 = "/priority"
-	pathFrontendPassHostHeaderDeprecated = "/passHostHeader" // Deprecated
-	pathFrontendPassHostHeader           = "/passhostheader"
-	pathFrontendPassTLSCert              = "/passtlscert"
-	pathFrontendWhiteListSourceRange     = "/whitelistsourcerange"
-	pathFrontendBasicAuth                = "/basicauth"
-	pathFrontendEntryPoints              = "/entrypoints"
-	pathFrontendRedirectEntryPoint       = "/redirect/entrypoint"
-	pathFrontendRedirectRegex            = "/redirect/regex"
-	pathFrontendRedirectReplacement      = "/redirect/replacement"
-	pathFrontendRedirectPermanent        = "/redirect/permanent"
-	pathFrontendErrorPages               = "/errors/"
-	pathFrontendErrorPagesBackend        = "/backend"
-	pathFrontendErrorPagesQuery          = "/query"
-	pathFrontendErrorPagesStatus         = "/status"
-	pathFrontendRateLimit                = "/ratelimit/"
-	pathFrontendRateLimitRateSet         = pathFrontendRateLimit + "rateset/"
-	pathFrontendRateLimitExtractorFunc   = pathFrontendRateLimit + "extractorfunc"
-	pathFrontendRateLimitPeriod          = "/period"
-	pathFrontendRateLimitAverage         = "/average"
-	pathFrontendRateLimitBurst           = "/burst"
+	pathFrontends                         = "/frontends/"
+	pathFrontendBackend                   = "/backend"
+	pathFrontendPriority                  = "/priority"
+	pathFrontendPassHostHeaderDeprecated  = "/passHostHeader" // Deprecated
+	pathFrontendPassHostHeader            = "/passhostheader"
+	pathFrontendPassTLSCert               = "/passtlscert"
+	pathFrontendWhiteListSourceRange      = "/whitelist/sourcerange"
+	pathFrontendWhiteListUseXForwardedFor = "/whitelist/usexforwardedfor"
+	pathFrontendBasicAuth                 = "/basicauth"
+	pathFrontendEntryPoints               = "/entrypoints"
+	pathFrontendRedirectEntryPoint        = "/redirect/entrypoint"
+	pathFrontendRedirectRegex             = "/redirect/regex"
+	pathFrontendRedirectReplacement       = "/redirect/replacement"
+	pathFrontendRedirectPermanent         = "/redirect/permanent"
+	pathFrontendErrorPages                = "/errors/"
+	pathFrontendErrorPagesBackend         = "/backend"
+	pathFrontendErrorPagesQuery           = "/query"
+	pathFrontendErrorPagesStatus          = "/status"
+	pathFrontendRateLimit                 = "/ratelimit/"
+	pathFrontendRateLimitRateSet          = pathFrontendRateLimit + "rateset/"
+	pathFrontendRateLimitExtractorFunc    = pathFrontendRateLimit + "extractorfunc"
+	pathFrontendRateLimitPeriod           = "/period"
+	pathFrontendRateLimitAverage          = "/average"
+	pathFrontendRateLimitBurst            = "/burst"

 	pathFrontendCustomRequestHeaders    = "/headers/customrequestheaders/"
 	pathFrontendCustomResponseHeaders   = "/headers/customresponseheaders/"
--- a/provider/kv/kv_config.go
+++ b/provider/kv/kv_config.go
@ -41,18 +41,18 @@ func (p *Provider) buildConfiguration() *types.Configuration {
 		"getTLSSection": p.getTLSSection,

 		// Frontend functions
-		"getBackendName":          p.getFuncString(pathFrontendBackend, ""),
-		"getPriority":             p.getFuncInt(pathFrontendPriority, label.DefaultFrontendPriorityInt),
-		"getPassHostHeader":       p.getPassHostHeader(),
-		"getPassTLSCert":          p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
-		"getEntryPoints":          p.getFuncList(pathFrontendEntryPoints),
-		"getWhitelistSourceRange": p.getFuncList(pathFrontendWhiteListSourceRange),
-		"getBasicAuth":            p.getFuncList(pathFrontendBasicAuth),
-		"getRoutes":               p.getRoutes,
-		"getRedirect":             p.getRedirect,
-		"getErrorPages":           p.getErrorPages,
-		"getRateLimit":            p.getRateLimit,
-		"getHeaders":              p.getHeaders,
+		"getBackendName":    p.getFuncString(pathFrontendBackend, ""),
+		"getPriority":       p.getFuncInt(pathFrontendPriority, label.DefaultFrontendPriorityInt),
+		"getPassHostHeader": p.getPassHostHeader(),
+		"getPassTLSCert":    p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
+		"getEntryPoints":    p.getFuncList(pathFrontendEntryPoints),
+		"getBasicAuth":      p.getFuncList(pathFrontendBasicAuth),
+		"getRoutes":         p.getRoutes,
+		"getRedirect":       p.getRedirect,
+		"getErrorPages":     p.getErrorPages,
+		"getRateLimit":      p.getRateLimit,
+		"getHeaders":        p.getHeaders,
+		"getWhiteList":      p.getWhiteList,

 		// Backend functions
 		"getServers":              p.getServers,
@ -125,6 +125,19 @@ func (p *Provider) getStickinessCookieName(rootPath string) string {
 	return p.get("", rootPath, pathBackendLoadBalancerStickinessCookieName)
 }

+func (p *Provider) getWhiteList(rootPath string) *types.WhiteList {
+	ranges := p.getList(rootPath, pathFrontendWhiteListSourceRange)
+
+	if len(ranges) > 0 {
+		return &types.WhiteList{
+			SourceRange:      ranges,
+			UseXForwardedFor: p.getBool(false, rootPath, pathFrontendWhiteListUseXForwardedFor),
+		}
+	}
+
+	return nil
+}
+
 func (p *Provider) getRedirect(rootPath string) *types.Redirect {
 	permanent := p.getBool(false, rootPath, pathFrontendRedirectPermanent)

--- a/provider/kv/kv_config_test.go
+++ b/provider/kv/kv_config_test.go
@ -91,6 +91,7 @@ func TestProviderBuildConfiguration(t *testing.T) {
 					withPair(pathFrontendPassTLSCert, "true"),
 					withPair(pathFrontendEntryPoints, "http,https"),
 					withPair(pathFrontendWhiteListSourceRange, "1.1.1.1/24, 1234:abcd::42/32"),
+					withPair(pathFrontendWhiteListUseXForwardedFor, "true"),
 					withPair(pathFrontendBasicAuth, "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/, test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"),
 					withPair(pathFrontendRedirectEntryPoint, "https"),
 					withPair(pathFrontendRedirectRegex, "nope"),
@ -180,12 +181,15 @@ func TestProviderBuildConfiguration(t *testing.T) {
 				},
 				Frontends: map[string]*types.Frontend{
 					"frontend1": {
-						Priority:             6,
-						EntryPoints:          []string{"http", "https"},
-						Backend:              "backend1",
-						PassTLSCert:          true,
-						WhitelistSourceRange: []string{"1.1.1.1/24", "1234:abcd::42/32"},
-						BasicAuth:            []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
+						Priority:    6,
+						EntryPoints: []string{"http", "https"},
+						Backend:     "backend1",
+						PassTLSCert: true,
+						WhiteList: &types.WhiteList{
+							SourceRange:      []string{"1.1.1.1/24", "1234:abcd::42/32"},
+							UseXForwardedFor: true,
+						},
+						BasicAuth: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
 						Redirect: &types.Redirect{
 							EntryPoint: "https",
 							Permanent:  true,
@ -1031,6 +1035,68 @@ func TestProviderHasStickinessLabel(t *testing.T) {
 	}
 }

+func TestWhiteList(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		rootPath string
+		kvPairs  []*store.KVPair
+		expected *types.WhiteList
+	}{
+		{
+			desc:     "should return nil when no white list labels",
+			rootPath: "traefik/frontends/foo",
+			expected: nil,
+		},
+		{
+			desc:     "should return a struct when only range",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withPair(pathFrontendWhiteListSourceRange, "10.10.10.10"))),
+			expected: &types.WhiteList{
+				SourceRange: []string{
+					"10.10.10.10",
+				},
+				UseXForwardedFor: false,
+			},
+		},
+		{
+			desc:     "should return a struct when range and UseXForwardedFor",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withPair(pathFrontendWhiteListSourceRange, "10.10.10.10"),
+					withPair(pathFrontendWhiteListUseXForwardedFor, "true"))),
+			expected: &types.WhiteList{
+				SourceRange: []string{
+					"10.10.10.10",
+				},
+				UseXForwardedFor: true,
+			},
+		},
+		{
+			desc:     "should return nil when only UseXForwardedFor",
+			rootPath: "traefik/frontends/foo",
+			kvPairs: filler("traefik",
+				frontend("foo",
+					withPair(pathFrontendWhiteListUseXForwardedFor, "true"))),
+			expected: nil,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			p := newProviderMock(test.kvPairs)
+
+			actual := p.getWhiteList(test.rootPath)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
 func TestProviderGetRedirect(t *testing.T) {
 	testCases := []struct {
 		desc     string