traefik/whitelist/ip.go

package whitelist

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

const (
	// XForwardedFor Header name
	XForwardedFor = "X-Forwarded-For"
)

// IP allows to check that addresses are in a white list
type IP struct {
	whiteListsIPs    []*net.IP
	whiteListsNet    []*net.IPNet
	insecure         bool
	useXForwardedFor bool
}

// NewIP builds a new IP given a list of CIDR-Strings to white list
func NewIP(whiteList []string, insecure bool, useXForwardedFor bool) (*IP, error) {
	if len(whiteList) == 0 && !insecure {
		return nil, errors.New("no white list provided")
	}

	ip := IP{
		insecure:         insecure,
		useXForwardedFor: useXForwardedFor,
	}

	if !insecure {
		for _, ipMask := range whiteList {
			if ipAddr := net.ParseIP(ipMask); ipAddr != nil {
				ip.whiteListsIPs = append(ip.whiteListsIPs, &ipAddr)
			} else {
				_, ipAddr, err := net.ParseCIDR(ipMask)
				if err != nil {
					return nil, fmt.Errorf("parsing CIDR white list %s: %v", ipAddr, err)
				}
				ip.whiteListsNet = append(ip.whiteListsNet, ipAddr)
			}
		}
	}

	return &ip, nil
}

// IsAuthorized checks if provided request is authorized by the white list
func (ip *IP) IsAuthorized(req *http.Request) error {
	if ip.insecure {
		return nil
	}

	var invalidMatches []string

	if ip.useXForwardedFor {
		xFFs := req.Header[XForwardedFor]
		if len(xFFs) > 0 {
			for _, xFF := range xFFs {
				xffs := strings.Split(xFF, ",")
				for _, xff := range xffs {
					ok, err := ip.contains(parseHost(xff))
					if err != nil {
						return err
					}

					if ok {
						return nil
					}

					invalidMatches = append(invalidMatches, xff)
				}
			}
		}
	}

	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return err
	}

	ok, err := ip.contains(host)
	if err != nil {
		return err
	}

	if !ok {
		invalidMatches = append(invalidMatches, req.RemoteAddr)
		return fmt.Errorf("%q matched none of the white list", strings.Join(invalidMatches, ", "))
	}

	return nil
}

// contains checks if provided address is in the white list
func (ip *IP) contains(addr string) (bool, error) {
	ipAddr, err := parseIP(addr)
	if err != nil {
		return false, fmt.Errorf("unable to parse address: %s: %s", addr, err)
	}

	return ip.ContainsIP(ipAddr), nil
}

// ContainsIP checks if provided address is in the white list
func (ip *IP) ContainsIP(addr net.IP) bool {
	if ip.insecure {
		return true
	}

	for _, whiteListIP := range ip.whiteListsIPs {
		if whiteListIP.Equal(addr) {
			return true
		}
	}

	for _, whiteListNet := range ip.whiteListsNet {
		if whiteListNet.Contains(addr) {
			return true
		}
	}

	return false
}

func parseIP(addr string) (net.IP, error) {
	userIP := net.ParseIP(addr)
	if userIP == nil {
		return nil, fmt.Errorf("can't parse IP from address %s", addr)
	}

	return userIP, nil
}

func parseHost(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	return host
}
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`package whitelist`

			`import (`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`"errors"`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`"fmt"`
			`"net"`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`"net/http"`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`"strings"`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`)`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`const (`
			`// XForwardedFor Header name`
			`XForwardedFor = "X-Forwarded-For"`
			`)`

Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`// IP allows to check that addresses are in a white list`
			`type IP struct {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`whiteListsIPs []*net.IP`
			`whiteListsNet []*net.IPNet`
			`insecure bool`
			`useXForwardedFor bool`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`// NewIP builds a new IP given a list of CIDR-Strings to white list`
			`func NewIP(whiteList []string, insecure bool, useXForwardedFor bool) (*IP, error) {`
			`if len(whiteList) == 0 && !insecure {`
Propagate insecure in white list. 2018-03-08 17:08:03 +03:00			`return nil, errors.New("no white list provided")`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`ip := IP{`
			`insecure: insecure,`
			`useXForwardedFor: useXForwardedFor,`
			`}`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`if !insecure {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`for _, ipMask := range whiteList {`
			`if ipAddr := net.ParseIP(ipMask); ipAddr != nil {`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`ip.whiteListsIPs = append(ip.whiteListsIPs, &ipAddr)`
			`} else {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`_, ipAddr, err := net.ParseCIDR(ipMask)`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`if err != nil {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`return nil, fmt.Errorf("parsing CIDR white list %s: %v", ipAddr, err)`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`}`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`ip.whiteListsNet = append(ip.whiteListsNet, ipAddr)`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`
			`}`
			`}`

			`return &ip, nil`
			`}`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`// IsAuthorized checks if provided request is authorized by the white list`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`func (ip IP) IsAuthorized(req http.Request) error {`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`if ip.insecure {`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return nil`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`}`

Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`var invalidMatches []string`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`if ip.useXForwardedFor {`
			`xFFs := req.Header[XForwardedFor]`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`if len(xFFs) > 0 {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`for _, xFF := range xFFs {`
fix: whitelist and XFF. 2018-05-30 10:26:03 +03:00			`xffs := strings.Split(xFF, ",")`
			`for _, xff := range xffs {`
			`ok, err := ip.contains(parseHost(xff))`
			`if err != nil {`
			`return err`
			`}`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00
fix: whitelist and XFF. 2018-05-30 10:26:03 +03:00			`if ok {`
			`return nil`
			`}`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00
fix: whitelist and XFF. 2018-05-30 10:26:03 +03:00			`invalidMatches = append(invalidMatches, xff)`
			`}`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`}`
			`}`
			`}`

			`host, _, err := net.SplitHostPort(req.RemoteAddr)`
			`if err != nil {`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return err`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`}`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00
			`ok, err := ip.contains(host)`
			`if err != nil {`
			`return err`
			`}`

			`if !ok {`
			`invalidMatches = append(invalidMatches, req.RemoteAddr)`
			`return fmt.Errorf("%q matched none of the white list", strings.Join(invalidMatches, ", "))`
			`}`

			`return nil`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`}`

			`// contains checks if provided address is in the white list`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`func (ip *IP) contains(addr string) (bool, error) {`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`ipAddr, err := parseIP(addr)`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`if err != nil {`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return false, fmt.Errorf("unable to parse address: %s: %s", addr, err)`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`

Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return ip.ContainsIP(ipAddr), nil`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`

			`// ContainsIP checks if provided address is in the white list`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`func (ip *IP) ContainsIP(addr net.IP) bool {`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`if ip.insecure {`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return true`
Add TrustForwardHeader options. 2017-10-16 13:46:03 +03:00			`}`

Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`for _, whiteListIP := range ip.whiteListsIPs {`
			`if whiteListIP.Equal(addr) {`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return true`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`
			`}`

			`for _, whiteListNet := range ip.whiteListsNet {`
			`if whiteListNet.Contains(addr) {`
Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return true`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`
			`}`

Fix whitelist and XFF. 2018-04-23 17:20:05 +03:00			`return false`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`}`

Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00			`func parseIP(addr string) (net.IP, error) {`
Add trusted whitelist proxy protocol 2017-10-10 15:50:03 +03:00			`userIP := net.ParseIP(addr)`
			`if userIP == nil {`
			`return nil, fmt.Errorf("can't parse IP from address %s", addr)`
			`}`

			`return userIP, nil`
			`}`
Ability to use "X-Forwarded-For" as a source of IP for white list. 2018-03-23 19:40:04 +03:00
			`func parseHost(addr string) string {`
			`host, _, err := net.SplitHostPort(addr)`
			`if err != nil {`
			`return addr`
			`}`
			`return host`
			`}`