Ability to use "X-Forwarded-For" as a source of IP for white list.

2018-03-23 17:40:04 +01:00 · 2018-03-23 17:40:04 +01:00 · d2766b1b4f
commit d2766b1b4f
parent 4802484729
50 changed files with 1496 additions and 599 deletions
--- a/provider/mesos/config.go
+++ b/provider/mesos/config.go
@ -41,18 +41,18 @@ func (p *Provider) buildConfiguration(tasks []state.Task) *types.Configuration {
 		"getPort": p.getPort,

 		// Frontend functions
-		"getFrontEndName":         getFrontendName,
-		"getEntryPoints":          getFuncSliceStringValue(label.TraefikFrontendEntryPoints),
-		"getBasicAuth":            getFuncSliceStringValue(label.TraefikFrontendAuthBasic),
-		"getWhitelistSourceRange": getFuncSliceStringValue(label.TraefikFrontendWhitelistSourceRange),
-		"getPriority":             getFuncStringValue(label.TraefikFrontendPriority, label.DefaultFrontendPriority),
-		"getPassHostHeader":       getFuncBoolValue(label.TraefikFrontendPassHostHeader, label.DefaultPassHostHeaderBool),
-		"getPassTLSCert":          getFuncBoolValue(label.TraefikFrontendPassTLSCert, label.DefaultPassTLSCert),
-		"getFrontendRule":         p.getFrontendRule,
-		"getRedirect":             getRedirect,
-		"getErrorPages":           getErrorPages,
-		"getRateLimit":            getRateLimit,
-		"getHeaders":              getHeaders,
+		"getFrontEndName":   getFrontendName,
+		"getEntryPoints":    getFuncSliceStringValue(label.TraefikFrontendEntryPoints),
+		"getBasicAuth":      getFuncSliceStringValue(label.TraefikFrontendAuthBasic),
+		"getPriority":       getFuncStringValue(label.TraefikFrontendPriority, label.DefaultFrontendPriority),
+		"getPassHostHeader": getFuncBoolValue(label.TraefikFrontendPassHostHeader, label.DefaultPassHostHeaderBool),
+		"getPassTLSCert":    getFuncBoolValue(label.TraefikFrontendPassTLSCert, label.DefaultPassTLSCert),
+		"getFrontendRule":   p.getFrontendRule,
+		"getRedirect":       getRedirect,
+		"getErrorPages":     getErrorPages,
+		"getRateLimit":      getRateLimit,
+		"getHeaders":        getHeaders,
+		"getWhiteList":      getWhiteList,

 		// TODO Deprecated [breaking]
 		"getFrontendBackend": getBackendName,
@ -337,6 +337,18 @@ func (p *Provider) getServers(tasks []state.Task) map[string]types.Server {
 	return servers
 }

+func getWhiteList(task state.Task) *types.WhiteList {
+	ranges := getSliceStringValue(task, label.TraefikFrontendWhiteListSourceRange)
+	if len(ranges) > 0 {
+		return &types.WhiteList{
+			SourceRange:      ranges,
+			UseXForwardedFor: getBoolValue(task, label.TraefikFrontendWhiteListUseXForwardedFor, false),
+		}
+	}
+
+	return nil
+}
+
 func getRedirect(task state.Task) *types.Redirect {
 	permanent := getBoolValue(task, label.TraefikFrontendRedirectPermanent, false)

--- a/provider/mesos/config_test.go
+++ b/provider/mesos/config_test.go
@ -148,7 +148,8 @@ func TestBuildConfiguration(t *testing.T) {
 					withLabel(label.TraefikFrontendRedirectReplacement, "nope"),
 					withLabel(label.TraefikFrontendRedirectPermanent, "true"),
 					withLabel(label.TraefikFrontendRule, "Host:traefik.io"),
-					withLabel(label.TraefikFrontendWhitelistSourceRange, "10.10.10.10"),
+					withLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10"),
+					withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true"),

 					withLabel(label.TraefikFrontendRequestHeaders, "Access-Control-Allow-Methods:POST,GET,OPTIONS || Content-type:application/json; charset=utf-8"),
 					withLabel(label.TraefikFrontendResponseHeaders, "Access-Control-Allow-Methods:POST,GET,OPTIONS || Content-type:application/json; charset=utf-8"),
@ -212,8 +213,9 @@ func TestBuildConfiguration(t *testing.T) {
 						"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
 						"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
 					},
-					WhitelistSourceRange: []string{
-						"10.10.10.10",
+					WhiteList: &types.WhiteList{
+						SourceRange:      []string{"10.10.10.10"},
+						UseXForwardedFor: true,
 					},
 					Headers: &types.Headers{
 						CustomRequestHeaders: map[string]string{
@ -953,6 +955,75 @@ func TestGetServers(t *testing.T) {
 	}
 }

+func TestWhiteList(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		task     state.Task
+		expected *types.WhiteList
+	}{
+		{
+			desc: "should return nil when no white list labels",
+			task: aTask("ID1",
+				withIP("10.10.10.10"),
+				withInfo("name1", withPorts(withPort("TCP", 80, "WEB"))),
+				withDefaultStatus(),
+			),
+			expected: nil,
+		},
+		{
+			desc: "should return a struct when only range",
+			task: aTask("ID1",
+				withLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10"),
+				withIP("10.10.10.10"),
+				withInfo("name1", withPorts(withPort("TCP", 80, "WEB"))),
+				withDefaultStatus(),
+			),
+			expected: &types.WhiteList{
+				SourceRange: []string{
+					"10.10.10.10",
+				},
+				UseXForwardedFor: false,
+			},
+		},
+		{
+			desc: "should return a struct when range and UseXForwardedFor",
+			task: aTask("ID1",
+				withLabel(label.TraefikFrontendWhiteListSourceRange, "10.10.10.10"),
+				withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true"),
+				withIP("10.10.10.10"),
+				withInfo("name1", withPorts(withPort("TCP", 80, "WEB"))),
+				withDefaultStatus(),
+			),
+			expected: &types.WhiteList{
+				SourceRange: []string{
+					"10.10.10.10",
+				},
+				UseXForwardedFor: true,
+			},
+		},
+		{
+			desc: "should return nil when only UseXForwardedFor",
+			task: aTask("ID1",
+				withLabel(label.TraefikFrontendWhiteListUseXForwardedFor, "true"),
+				withIP("10.10.10.10"),
+				withInfo("name1", withPorts(withPort("TCP", 80, "WEB"))),
+				withDefaultStatus(),
+			),
+			expected: nil,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := getWhiteList(test.task)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
 func TestGetRedirect(t *testing.T) {
 	testCases := []struct {
 		desc     string