traefik/pkg/ip/checker.go

package ip

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Checker allows to check that addresses are in a trusted IPs.
type Checker struct {
	authorizedIPs    []*net.IP
	authorizedIPsNet []*net.IPNet
}

// NewChecker builds a new Checker given a list of CIDR-Strings to trusted IPs.
func NewChecker(trustedIPs []string) (*Checker, error) {
	if len(trustedIPs) == 0 {
		return nil, errors.New("no trusted IPs provided")
	}

	checker := &Checker{}

	for _, ipMask := range trustedIPs {
		if ipAddr := net.ParseIP(ipMask); ipAddr != nil {
			checker.authorizedIPs = append(checker.authorizedIPs, &ipAddr)
			continue
		}

		_, ipAddr, err := net.ParseCIDR(ipMask)
		if err != nil {
			return nil, fmt.Errorf("parsing CIDR trusted IPs %s: %w", ipAddr, err)
		}
		checker.authorizedIPsNet = append(checker.authorizedIPsNet, ipAddr)
	}

	return checker, nil
}

// IsAuthorized checks if provided request is authorized by the trusted IPs.
func (ip *Checker) IsAuthorized(addr string) error {
	var invalidMatches []string

	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr
	}

	ok, err := ip.Contains(host)
	if err != nil {
		return err
	}

	if !ok {
		invalidMatches = append(invalidMatches, addr)
		return fmt.Errorf("%q matched none of the trusted IPs", strings.Join(invalidMatches, ", "))
	}

	return nil
}

// Contains checks if provided address is in the trusted IPs.
func (ip *Checker) Contains(addr string) (bool, error) {
	if len(addr) == 0 {
		return false, errors.New("empty IP address")
	}

	ipAddr, err := parseIP(addr)
	if err != nil {
		return false, fmt.Errorf("unable to parse address: %s: %w", addr, err)
	}

	return ip.ContainsIP(ipAddr), nil
}

// ContainsIP checks if provided address is in the trusted IPs.
func (ip *Checker) ContainsIP(addr net.IP) bool {
	for _, authorizedIP := range ip.authorizedIPs {
		if authorizedIP.Equal(addr) {
			return true
		}
	}

	for _, authorizedNet := range ip.authorizedIPsNet {
		if authorizedNet.Contains(addr) {
			return true
		}
	}

	return false
}

func parseIP(addr string) (net.IP, error) {
	parsedAddr, err := netip.ParseAddr(addr)
	if err != nil {
		return nil, fmt.Errorf("can't parse IP from address %s", addr)
	}

	ip := parsedAddr.As16()
	return ip[:], nil
}
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`package ip`

			`import (`
			`"errors"`
			`"fmt"`
			`"net"`
Remove interface names from IPv6 2024-07-01 16:26:04 +02:00			`"net/netip"`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`"strings"`
			`)`

Update linter 2020-05-11 12:06:07 +02:00			`// Checker allows to check that addresses are in a trusted IPs.`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`type Checker struct {`
			`authorizedIPs []*net.IP`
			`authorizedIPsNet []*net.IPNet`
			`}`

Update linter 2020-05-11 12:06:07 +02:00			`// NewChecker builds a new Checker given a list of CIDR-Strings to trusted IPs.`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`func NewChecker(trustedIPs []string) (*Checker, error) {`
			`if len(trustedIPs) == 0 {`
			`return nil, errors.New("no trusted IPs provided")`
			`}`

			`checker := &Checker{}`

			`for _, ipMask := range trustedIPs {`
			`if ipAddr := net.ParseIP(ipMask); ipAddr != nil {`
			`checker.authorizedIPs = append(checker.authorizedIPs, &ipAddr)`
Add routing IP rule matcher Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2021-06-07 18:14:09 +02:00			`continue`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`}`
Add routing IP rule matcher Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2021-06-07 18:14:09 +02:00
			`_, ipAddr, err := net.ParseCIDR(ipMask)`
			`if err != nil {`
			`return nil, fmt.Errorf("parsing CIDR trusted IPs %s: %w", ipAddr, err)`
			`}`
			`checker.authorizedIPsNet = append(checker.authorizedIPsNet, ipAddr)`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`}`

			`return checker, nil`
			`}`

Update linter 2020-05-11 12:06:07 +02:00			`// IsAuthorized checks if provided request is authorized by the trusted IPs.`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`func (ip *Checker) IsAuthorized(addr string) error {`
			`var invalidMatches []string`

			`host, _, err := net.SplitHostPort(addr)`
			`if err != nil {`
			`host = addr`
			`}`

			`ok, err := ip.Contains(host)`
			`if err != nil {`
			`return err`
			`}`

			`if !ok {`
			`invalidMatches = append(invalidMatches, addr)`
			`return fmt.Errorf("%q matched none of the trusted IPs", strings.Join(invalidMatches, ", "))`
			`}`

			`return nil`
			`}`

Update linter 2020-05-11 12:06:07 +02:00			`// Contains checks if provided address is in the trusted IPs.`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`func (ip *Checker) Contains(addr string) (bool, error) {`
Remove old global config and use new static config 2018-11-27 17:42:04 +01:00			`if len(addr) == 0 {`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`return false, errors.New("empty IP address")`
			`}`

			`ipAddr, err := parseIP(addr)`
			`if err != nil {`
Update linter 2020-05-11 12:06:07 +02:00			`return false, fmt.Errorf("unable to parse address: %s: %w", addr, err)`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`}`

			`return ip.ContainsIP(ipAddr), nil`
			`}`

Update linter 2020-05-11 12:06:07 +02:00			`// ContainsIP checks if provided address is in the trusted IPs.`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`func (ip *Checker) ContainsIP(addr net.IP) bool {`
			`for _, authorizedIP := range ip.authorizedIPs {`
			`if authorizedIP.Equal(addr) {`
			`return true`
			`}`
			`}`

			`for _, authorizedNet := range ip.authorizedIPsNet {`
			`if authorizedNet.Contains(addr) {`
			`return true`
			`}`
			`}`

			`return false`
			`}`

			`func parseIP(addr string) (net.IP, error) {`
Remove interface names from IPv6 2024-07-01 16:26:04 +02:00			`parsedAddr, err := netip.ParseAddr(addr)`
			`if err != nil {`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`return nil, fmt.Errorf("can't parse IP from address %s", addr)`
			`}`

Remove interface names from IPv6 2024-07-01 16:26:04 +02:00			`ip := parsedAddr.As16()`
			`return ip[:], nil`
IPStrategy for selecting IP in whitelist 2018-08-24 16:20:03 +02:00			`}`