burble.dn42/bird-lg-go
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

tweak to allow use of CIDR network masks for proxy
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone Build is failing
Details

Browse Source
This commit is contained in:
Simon Marsh 2023-10-04 14:40:03 +01:00
parent 5f9400b9d4
commit c4bd22a323
Signed by: burble
GPG Key ID: E9B4156C1659C079
5 changed files with 68 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.drone.yml
View File

@ -23,21 +23,14 @@ steps:
- go vet - go vet
- go build - go build
- name: stage
image: alpine
commands:
- mkdir artifacts
- mv frontend/frontend artifacts/
- mv proxy/proxy artifacts/
- tar -cvzf bird-lg-go.bdn42.tar.gz -C artifacts .
- name: upload artifacts - name: upload artifacts
image: git.burble.dn42/burble.dn42/drone-gitea-pkg-plugin:latest image: git.burble.dn42/burble.dn42/drone-gitea-pkg-plugin:latest
settings: settings:
token: token:
from_secret: TOKEN from_secret: TOKEN
version: RELEASE version: RELEASE
artifact: bird-lg-go.bdn42.tar.gz artifact: proxy
filename: proxy/proxy
package: bird-lg-go package: bird-lg-go
owner: burble.dn42 owner: burble.dn42

2
README.md
View File

@ -127,7 +127,7 @@ Configuration is handled by [viper](https://github.com/spf13/viper), any config
| Config Key | Parameter | Environment Variable | Description | | Config Key | Parameter | Environment Variable | Description |
| ---------- | --------- | -------------------- | ----------- | | ---------- | --------- | -------------------- | ----------- |
| allowed_ips | --allowed | ALLOWED_IPS | IPs allowed to access this proxy, separated by commas. Don't set to allow all IPs. (default "") | | allowed_ips | --allowed | ALLOWED_IPS | IPs or networks allowed to access this proxy, separated by commas. Don't set to allow all IPs. (default "") |
| bird_socket | --bird | BIRD_SOCKET | socket file for bird, set either in parameter or environment variable BIRD_SOCKET (default "/var/run/bird/bird.ctl") | | bird_socket | --bird | BIRD_SOCKET | socket file for bird, set either in parameter or environment variable BIRD_SOCKET (default "/var/run/bird/bird.ctl") |
| listen | --listen | BIRDLG_PROXY_PORT | listen address, set either in parameter or environment variable BIRDLG_PROXY_PORT(default "8000") | | listen | --listen | BIRDLG_PROXY_PORT | listen address, set either in parameter or environment variable BIRDLG_PROXY_PORT(default "8000") |
| traceroute_bin | --traceroute_bin | BIRDLG_TRACEROUTE_BIN | traceroute binary file, set either in parameter or environment variable BIRDLG_TRACEROUTE_BIN | | traceroute_bin | --traceroute_bin | BIRDLG_TRACEROUTE_BIN | traceroute binary file, set either in parameter or environment variable BIRDLG_TRACEROUTE_BIN |

22
proxy/main.go
View File

@ -22,8 +22,8 @@ func invalidHandler(httpW http.ResponseWriter, httpR *http.Request) {
} }
func hasAccess(remoteAddr string) bool { func hasAccess(remoteAddr string) bool {
// setting.allowedIPs will always have at least one element because of how it's defined // setting.allowedNets will always have at least one element because of how it's defined
if len(setting.allowedIPs) == 0 { if len(setting.allowedNets) == 0 {
return true return true
} }
@ -40,8 +40,8 @@ func hasAccess(remoteAddr string) bool {
return false return false
} }
for _, allowedIP := range setting.allowedIPs { for _, net := range setting.allowedNets {
if ipObject.Equal(allowedIP) { if net.Contains(ipObject) {
return true return true
} }
} }
@ -49,7 +49,7 @@ func hasAccess(remoteAddr string) bool {
return false return false
} }
// Access handler, check to see if client IP in allowed IPs, continue if it is, send to invalidHandler if not // Access handler, check to see if client IP in allowed nets, continue if it is, send to invalidHandler if not
func accessHandler(next http.Handler) http.Handler { func accessHandler(next http.Handler) http.Handler {
return http.HandlerFunc(func(httpW http.ResponseWriter, httpR *http.Request) { return http.HandlerFunc(func(httpW http.ResponseWriter, httpR *http.Request) {
if hasAccess(httpR.RemoteAddr) { if hasAccess(httpR.RemoteAddr) {
@ -61,12 +61,12 @@ func accessHandler(next http.Handler) http.Handler {
} }
type settingType struct { type settingType struct {
birdSocket string birdSocket string
listen string listen string
allowedIPs []net.IP allowedNets []*net.IPNet
tr_bin string tr_bin string
tr_flags []string tr_flags []string
tr_raw bool tr_raw bool
} }
var setting settingType var setting settingType

41
proxy/main_test.go
View File

@ -10,42 +10,61 @@ import (
) )
func TestHasAccessNotConfigured(t *testing.T) { func TestHasAccessNotConfigured(t *testing.T) {
setting.allowedIPs = []net.IP{} setting.allowedNets = []*net.IPNet{}
assert.Equal(t, hasAccess("whatever"), true) assert.Equal(t, hasAccess("whatever"), true)
} }
func TestHasAccessAllowIPv4(t *testing.T) { func TestHasAccessAllowIPv4(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")} _, netip, _ := net.ParseCIDR("1.2.3.4/32")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("1.2.3.4:4321"), true)
}
func TestHasAccessAllowIPv4Net(t *testing.T) {
_, netip, _ := net.ParseCIDR("1.2.3.0/24")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("1.2.3.4:4321"), true) assert.Equal(t, hasAccess("1.2.3.4:4321"), true)
} }
func TestHasAccessDenyIPv4(t *testing.T) { func TestHasAccessDenyIPv4(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("4.3.2.1")} _, netip, _ := net.ParseCIDR("4.3.2.1/32")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("1.2.3.4:4321"), false) assert.Equal(t, hasAccess("1.2.3.4:4321"), false)
} }
func TestHasAccessAllowIPv6(t *testing.T) { func TestHasAccessAllowIPv6(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("2001:db8::1")} _, netip, _ := net.ParseCIDR("2001:db8::1/128")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true)
}
func TestHasAccessAllowIPv6Net(t *testing.T) {
_, netip, _ := net.ParseCIDR("2001:db8::/64")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true) assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true)
} }
func TestHasAccessAllowIPv6DifferentForm(t *testing.T) { func TestHasAccessAllowIPv6DifferentForm(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("2001:0db8::1")} _, netip, _ := net.ParseCIDR("2001:db8::1/128")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true) assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true)
} }
func TestHasAccessDenyIPv6(t *testing.T) { func TestHasAccessDenyIPv6(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("2001:db8::2")} _, netip, _ := net.ParseCIDR("2001:db8::2/128")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("[2001:db8::1]:4321"), false) assert.Equal(t, hasAccess("[2001:db8::1]:4321"), false)
} }
func TestHasAccessBadClientIP(t *testing.T) { func TestHasAccessBadClientIP(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")} _, netip, _ := net.ParseCIDR("1.2.3.4/32")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("not an IP"), false) assert.Equal(t, hasAccess("not an IP"), false)
} }
func TestHasAccessBadClientIPPort(t *testing.T) { func TestHasAccessBadClientIPPort(t *testing.T) {
setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")} _, netip, _ := net.ParseCIDR("1.2.3.4/32")
setting.allowedNets = []*net.IPNet{netip}
assert.Equal(t, hasAccess("not an IP:not a port"), false) assert.Equal(t, hasAccess("not an IP:not a port"), false)
} }
@ -57,7 +76,8 @@ func TestAccessHandlerAllow(t *testing.T) {
r.RemoteAddr = "1.2.3.4:4321" r.RemoteAddr = "1.2.3.4:4321"
w := httptest.NewRecorder() w := httptest.NewRecorder()
setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")} _, netip, _ := net.ParseCIDR("1.2.3.4/32")
setting.allowedNets = []*net.IPNet{netip}
wrappedHandler.ServeHTTP(w, r) wrappedHandler.ServeHTTP(w, r)
assert.Equal(t, w.Code, http.StatusNotFound) assert.Equal(t, w.Code, http.StatusNotFound)
@ -71,7 +91,8 @@ func TestAccessHandlerDeny(t *testing.T) {
r.RemoteAddr = "1.2.3.4:4321" r.RemoteAddr = "1.2.3.4:4321"
w := httptest.NewRecorder() w := httptest.NewRecorder()
setting.allowedIPs = []net.IP{net.ParseIP("4.3.2.1")} _, netip, _ := net.ParseCIDR("4.3.2.1/32")
setting.allowedNets = []*net.IPNet{netip}
wrappedHandler.ServeHTTP(w, r) wrappedHandler.ServeHTTP(w, r)
assert.Equal(t, w.Code, http.StatusInternalServerError) assert.Equal(t, w.Code, http.StatusInternalServerError)

33
proxy/settings.go
View File

@ -13,7 +13,7 @@ import (
type viperSettingType struct { type viperSettingType struct {
BirdSocket string `mapstructure:"bird_socket"` BirdSocket string `mapstructure:"bird_socket"`
Listen string `mapstructure:"listen"` Listen string `mapstructure:"listen"`
AllowedIPs string `mapstructure:"allowed_ips"` AllowedNets string `mapstructure:"allowed_ips"`
TracerouteBin string `mapstructure:"traceroute_bin"` TracerouteBin string `mapstructure:"traceroute_bin"`
TracerouteFlags string `mapstructure:"traceroute_flags"` TracerouteFlags string `mapstructure:"traceroute_flags"`
TracerouteRaw bool `mapstructure:"traceroute_raw"` TracerouteRaw bool `mapstructure:"traceroute_raw"`
@ -40,7 +40,7 @@ func parseSettings() {
pflag.String("listen", "8000", "listen address, set either in parameter or environment variable BIRDLG_PROXY_PORT") pflag.String("listen", "8000", "listen address, set either in parameter or environment variable BIRDLG_PROXY_PORT")
viper.BindPFlag("listen", pflag.Lookup("listen")) viper.BindPFlag("listen", pflag.Lookup("listen"))
pflag.String("allowed", "", "IPs allowed to access this proxy, separated by commas. Don't set to allow all IPs.") pflag.String("allowed", "", "IPs or networks allowed to access this proxy, separated by commas. Don't set to allow all IPs.")
viper.BindPFlag("allowed_ips", pflag.Lookup("allowed")) viper.BindPFlag("allowed_ips", pflag.Lookup("allowed"))
pflag.String("traceroute_bin", "", "traceroute binary file, set either in parameter or environment variable BIRDLG_TRACEROUTE_BIN") pflag.String("traceroute_bin", "", "traceroute binary file, set either in parameter or environment variable BIRDLG_TRACEROUTE_BIN")
@ -66,18 +66,31 @@ func parseSettings() {
setting.birdSocket = viperSettings.BirdSocket setting.birdSocket = viperSettings.BirdSocket
setting.listen = viperSettings.Listen setting.listen = viperSettings.Listen
if viperSettings.AllowedIPs != "" { if viperSettings.AllowedNets != "" {
for _, ip := range strings.Split(viperSettings.AllowedIPs, ",") { for _, arg := range strings.Split(viperSettings.AllowedNets, ",") {
ipObject := net.ParseIP(ip)
if ipObject == nil { // if argument is an IP address, convert to CIDR by adding a suitable mask
fmt.Printf("Parse IP %s failed\n", ip) if !strings.Contains(arg, "/") {
continue if strings.Contains(arg, ":") {
// IPv6 address with /128 mask
arg += "/128"
} else {
// IPv4 address with /32 mask
arg += "/32"
}
} }
setting.allowedIPs = append(setting.allowedIPs, ipObject) // parse the network
_, netip, err := net.ParseCIDR(arg)
if err != nil {
fmt.Printf("Failed to parse CIDR %s: %s\n", arg, err.Error())
continue
}
setting.allowedNets = append(setting.allowedNets, netip)
} }
} else { } else {
setting.allowedIPs = []net.IP{} setting.allowedNets = []*net.IPNet{}
} }
var err error var err error