From 880d4bfe2a6d37dad8af75e1486f1e15c00b8bb1 Mon Sep 17 00:00:00 2001
From: prodiether
Date: Mon, 16 Sep 2024 11:18:43 +0000
Subject: [PATCH] chore: allow multiple allow subnets

---
 .traefik.yml |  4 ++--
 main.go      | 49 ++++++++++++++++++++++++++++++++++++-------------
 readme.md    |  5 +++--
 3 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/.traefik.yml b/.traefik.yml
index 412f4f6..15fe763 100644
--- a/.traefik.yml
+++ b/.traefik.yml
@@ -7,5 +7,5 @@ summary: '[Auth] Authorize though ical endpoint'
 testData:
   HeaderName: Authorization
-  AllowSubnet: "0.0.0.0/24"
-
+  AllowSubnet:
+    - "0.0.0.0/24"
diff --git a/main.go b/main.go
index 0aebead..af1d4ee 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,7 @@
 package icalmiddleware
 
 import (
+	"container/list"
 	"context"
 	"fmt"
 	"io"
@@ -12,10 +13,10 @@ import (
 )
 
 type Config struct {
-	ForwardToken bool   `json:"forwardToken,omitempty"`
-	Freshness    int64  `json:"freshness,omitempty"`
-	HeaderName   string `json:"headerName,omitempty"`
-	AllowSubnet  string `json:"allowSubnet,omitempty"`
+	ForwardToken bool     `json:"forwardToken,omitempty"`
+	Freshness    int64    `json:"freshness,omitempty"`
+	HeaderName   string   `json:"headerName,omitempty"`
+	AllowSubnet  []string `json:"allowSubnet,omitempty"`
 }
 
 func CreateConfig() *Config {
@@ -23,7 +24,7 @@ func CreateConfig() *Config {
 		HeaderName:   "Authorization",
 		ForwardToken: false,
 		Freshness:    3600,
-		AllowSubnet:  "0.0.0.0/24",
+		AllowSubnet:  []string{"0.0.0.0/24"},
 	}
 }
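Review bot: Changing `AllowSubnet` from `string` to `[]string` in the `Config` hunk is a breaking configuration change for existing deployments, which the commit message labels as a `chore`: a dynamic configuration that still sets `AllowSubnet: "10.0.0.0/8"` as a scalar will presumably fail to decode into a slice rather than fall back to the default, so the middleware will not load until the operator rewrites it. Please call the break out in the readme next to the version bump, or add a custom unmarshaller that accepts both the scalar and the list form. Since this field is the entire IP-based bypass of token validation, it also deserves a doc comment, e.g. `// AllowSubnet lists CIDR prefixes (e.g. "10.0.0.0/8") whose clients skip token validation entirely; keep it as narrow as possible.`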
@@ -33,14 +34,27 @@ type ICalMiddleware struct {
 	forwardToken bool
 	freshness    int64
 	cache        *Cache
-	allowSubnet  netip.Prefix
+	allowSubnet  []netip.Prefix
 	name         string
 }
 
 func New(_ context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
-	network, err := netip.ParsePrefix(config.AllowSubnet)
-	if err != nil {
-		return nil, fmt.Errorf("subnet parse error: %v", err)
+	cidrList := list.New()
+	for _, cidr := range config.AllowSubnet {
+		prefix, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			fmt.Printf("Subnet parse error %s: %v\n", cidr, err)
+		} else {
+			cidrList.PushBack(prefix)
+		}
+	}
+
+	cidrs := make([]netip.Prefix, cidrList.Len())
+
+	i := 0
+	for e := cidrList.Front(); e != nil; e = e.Next() {
+		cidrs[i] = e.Value.(netip.Prefix)
+		i++
 	}
 
 	cache := NewCache(time.Duration(config.Freshness)*time.Second, 8*time.Hour)
@@ -49,7 +63,7 @@ func New(_ context.Context, next http.Handler, config *Config, name string) (htt
 		headerName:   config.HeaderName,
 		forwardToken: config.ForwardToken,
 		freshness:    config.Freshness,
-		allowSubnet:  network,
+		allowSubnet:  cidrs,
 		next:         next,
 		cache:        cache,
 		name:         name,
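Review bot: The new loop in `New` downgrades a malformed CIDR from a startup error to a `fmt.Printf` and silently drops the entry, where the removed code returned `subnet parse error` and refused to start. A typo such as `"10.0.0.0/8 "` or `"10.0.0.0"` now leaves that network out of the allow list with nothing but a stdout line to show for it, which in an auth middleware means either an unexplained wave of 401s or, if the operator "fixes" it by widening another entry, a broader bypass than intended; configuration errors in an authorization component should fail closed at load time, as before. The `container/list` detour is also unnecessary, since `append` on a pre-sized slice does the same job without the type assertion, and the `"container/list"` import added in the first hunk can then go. The rest of `New` (the `NewCache` call and the struct literal) is unchanged and continues past this hunk.
```go
	cidrs := make([]netip.Prefix, 0, len(config.AllowSubnet))
	for _, cidr := range config.AllowSubnet {
		prefix, err := netip.ParsePrefix(cidr)
		if err != nil {
			// Refuse to start on a bad allow-list entry rather than silently narrowing it.
			return nil, fmt.Errorf("subnet parse error %q: %w", cidr, err)
		}
		cidrs = append(cidrs, prefix)
	}
	// … unchanged: cache := NewCache(...) and the ICalMiddleware literal …
```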
@@ -123,15 +137,24 @@ func (plugin *ICalMiddleware) containsSubnet(address string) bool {
 		fmt.Printf("Invalid addr: %v", err)
 		return false
 	}
-	fmt.Printf("%v contains %v %v\n", ip, plugin.allowSubnet, plugin.allowSubnet.Contains(ip))
-	return plugin.allowSubnet.Contains(ip)
+
+	var flag bool
+	for _, prefix := range plugin.allowSubnet {
+		flag = prefix.Contains(ip)
+		if flag {
+			fmt.Printf("%v contains %v\n", prefix, ip)
+			break
+		}
+	}
+
+	return flag
 }
 
 // validate validates the request and returns the HTTP status code or an error if the request is not valid. It also sets any headers that should be forwarded to the backend.
 func (plugin *ICalMiddleware) validate(request *http.Request) (int, error) {
 	if !plugin.containsSubnet(ReadUserIP(request)) {
 		token := plugin.extractTokenFromHeader(request)
-		if token == "" {
+		if len(token) != 16 {
 			// No token provided
 			fmt.Println("No token provided")
 			return http.StatusUnauthorized, fmt.Errorf("no token provided")
diff --git a/readme.md b/readme.md
index ea3afe3..63b690b 100644
--- a/readme.md
+++ b/readme.md
@@ -15,7 +15,7 @@ experimental:
   plugins:
     icalmiddleware:
       moduleName: github.com/psumaps/icalmiddleware
-      version: v0.0.1
+      version: v0.0.5
 ```
 
 Here is an example of a file provider dynamic configuration (given here in YAML), where the interesting part is the `http.middlewares` section:
@@ -44,7 +44,8 @@ http:
         plugin:
           icalmiddleware:
             HeaderName: "Authorization"
-            AllowSubnet: "0.0.0.0/24"
+            AllowSubnet:
+              - "0.0.0.0/24"
             Freshness: 3600
             ForwardToken: false
 ```
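Review bot: The `len(token) != 16` check in `validate` is an undocumented magic number that is not what the commit message describes, and it now rejects every present-but-wrong-length token with the comment, log line and error `no token provided`, which will mislead whoever debugs a client sending a 15- or 17-character value. Presumably 16 is the fixed length of an ical token (please confirm against the issuer; note `len` counts bytes, so a multibyte token would be rejected here too), in which case name it and keep the message honest, e.g. `if len(token) != tokenLength { // tokenLength = 16; reject early before any upstream lookup` followed by `fmt.Println("Missing or malformed token")` and `return http.StatusUnauthorized, fmt.Errorf("missing or malformed token")`. In `containsSubnet` the per-request `fmt.Printf("%v contains %v\n", prefix, ip)` now fires on every allow-listed request; consider dropping it or gating it behind a debug flag, since it prints client addresses to stdout on the hot path. `containsSubnet` starts before this hunk (the `netip.ParseAddr` call is outside it) and `validate` continues past it, so the token lookup that follows the length check is not visible here.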