1
0
Fork 0

Fix whitelist and XFF.

This commit is contained in:
Ludovic Fernandez 2018-04-23 16:20:05 +02:00 committed by Traefiker Bot
parent 667a0c41ed
commit edb5b3d711
8 changed files with 187 additions and 65 deletions

View file

@ -1,11 +1,11 @@
package whitelist
import (
"errors"
"fmt"
"net"
"net/http"
"github.com/pkg/errors"
"strings"
)
const (
@ -50,64 +50,78 @@ func NewIP(whiteList []string, insecure bool, useXForwardedFor bool) (*IP, error
}
// IsAuthorized checks if provided request is authorized by the white list
func (ip *IP) IsAuthorized(req *http.Request) (bool, net.IP, error) {
func (ip *IP) IsAuthorized(req *http.Request) error {
if ip.insecure {
return true, nil, nil
return nil
}
var invalidMatches []string
if ip.useXForwardedFor {
xFFs := req.Header[XForwardedFor]
if len(xFFs) > 1 {
if len(xFFs) > 0 {
for _, xFF := range xFFs {
ok, i, err := ip.contains(parseHost(xFF))
ok, err := ip.contains(parseHost(xFF))
if err != nil {
return false, nil, err
return err
}
if ok {
return ok, i, nil
return nil
}
invalidMatches = append(invalidMatches, xFF)
}
}
}
host, _, err := net.SplitHostPort(req.RemoteAddr)
if err != nil {
return false, nil, err
return err
}
return ip.contains(host)
ok, err := ip.contains(host)
if err != nil {
return err
}
if !ok {
invalidMatches = append(invalidMatches, req.RemoteAddr)
return fmt.Errorf("%q matched none of the white list", strings.Join(invalidMatches, ", "))
}
return nil
}
// contains checks if provided address is in the white list
func (ip *IP) contains(addr string) (bool, net.IP, error) {
func (ip *IP) contains(addr string) (bool, error) {
ipAddr, err := parseIP(addr)
if err != nil {
return false, nil, fmt.Errorf("unable to parse address: %s: %s", addr, err)
return false, fmt.Errorf("unable to parse address: %s: %s", addr, err)
}
contains, err := ip.ContainsIP(ipAddr)
return contains, ipAddr, err
return ip.ContainsIP(ipAddr), nil
}
// ContainsIP checks if provided address is in the white list
func (ip *IP) ContainsIP(addr net.IP) (bool, error) {
func (ip *IP) ContainsIP(addr net.IP) bool {
if ip.insecure {
return true, nil
return true
}
for _, whiteListIP := range ip.whiteListsIPs {
if whiteListIP.Equal(addr) {
return true, nil
return true
}
}
for _, whiteListNet := range ip.whiteListsNet {
if whiteListNet.Contains(addr) {
return true, nil
return true
}
}
return false, nil
return false
}
func parseIP(addr string) (net.IP, error) {

View file

@ -17,7 +17,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor bool
remoteAddr string
xForwardedForValues []string
expected bool
authorized bool
}{
{
desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range",
@ -25,7 +25,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: true,
remoteAddr: "10.2.3.1:123",
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
expected: true,
authorized: true,
},
{
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
@ -33,7 +33,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: true,
remoteAddr: "1.2.3.1:123",
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
expected: true,
authorized: true,
},
{
desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor not in range",
@ -41,7 +41,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: true,
remoteAddr: "1.2.3.1:123",
xForwardedForValues: []string{"10.2.3.1", "10.2.3.1"},
expected: true,
authorized: true,
},
{
desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor not in range",
@ -49,7 +49,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: true,
remoteAddr: "10.2.3.1:123",
xForwardedForValues: []string{"10.2.3.1", "10.2.3.1"},
expected: false,
authorized: false,
},
{
desc: "don't allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range",
@ -57,7 +57,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: false,
remoteAddr: "10.2.3.1:123",
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
expected: false,
authorized: false,
},
{
desc: "don't allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
@ -65,7 +65,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: false,
remoteAddr: "1.2.3.1:123",
xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
expected: true,
authorized: true,
},
{
desc: "don't allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor not in range",
@ -73,7 +73,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: false,
remoteAddr: "1.2.3.1:123",
xForwardedForValues: []string{"10.2.3.1", "10.2.3.1"},
expected: true,
authorized: true,
},
{
desc: "don't allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor not in range",
@ -81,7 +81,7 @@ func TestIsAuthorized(t *testing.T) {
allowXForwardedFor: false,
remoteAddr: "10.2.3.1:123",
xForwardedForValues: []string{"10.2.3.1", "10.2.3.1"},
expected: false,
authorized: false,
},
}
@ -95,11 +95,12 @@ func TestIsAuthorized(t *testing.T) {
whiteLister, err := NewIP(test.whiteList, false, test.allowXForwardedFor)
require.NoError(t, err)
authorized, ips, err := whiteLister.IsAuthorized(req)
require.NoError(t, err)
assert.NotNil(t, ips)
assert.Equal(t, test.expected, authorized)
err = whiteLister.IsAuthorized(req)
if test.authorized {
require.NoError(t, err)
} else {
require.Error(t, err)
}
})
}
}
@ -349,16 +350,14 @@ func TestContainsIsAllowed(t *testing.T) {
require.NotNil(t, whiteLister)
for _, testIP := range test.passIPs {
allowed, ip, err := whiteLister.contains(testIP)
allowed, err := whiteLister.contains(testIP)
require.NoError(t, err)
require.NotNil(t, ip, err)
assert.Truef(t, allowed, "%s should have passed.", testIP)
}
for _, testIP := range test.rejectIPs {
allowed, ip, err := whiteLister.contains(testIP)
allowed, err := whiteLister.contains(testIP)
require.NoError(t, err)
require.NotNil(t, ip, err)
assert.Falsef(t, allowed, "%s should not have passed.", testIP)
}
})
@ -405,7 +404,7 @@ func TestContainsInsecure(t *testing.T) {
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
ok, _, err := test.whiteLister.contains(test.ip)
ok, err := test.whiteLister.contains(test.ip)
require.NoError(t, err)
assert.Equal(t, test.expected, ok)
@ -426,9 +425,8 @@ func TestContainsBrokenIPs(t *testing.T) {
require.NoError(t, err)
for _, testIP := range brokenIPs {
_, ip, err := whiteLister.contains(testIP)
_, err := whiteLister.contains(testIP)
assert.Error(t, err)
require.Nil(t, ip, err)
}
}