From 06ea6ac5c8e43273129f6444b2acc3b7ae720c29 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Mon, 6 Feb 2023 10:20:39 -0600 Subject: [PATCH 01/31] feat(ip-restriction): Add TCP Support --- kong/plugins/ip-restriction/handler.lua | 44 ++++++++++++++++++++++--- kong/plugins/ip-restriction/schema.lua | 2 +- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 3fa5596f4ff3..aa7b45c32de8 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -1,3 +1,4 @@ +local cjson = require "cjson" local lrucache = require "resty.lrucache" local ipmatcher = require "resty.ipmatcher" local kong_meta = require "kong.meta" 
@@ -52,31 +53,64 @@ local function match_bin(list, binary_remote_addr) end -function IpRestrictionHandler:access(conf) +local function do_exit(status, message, is_http) + if is_http then + return kong.response.error(status, message) + + else + local tcpsock, err = ngx.req.socket(true) + if err then + error(err) + end + + tcpsock:send(cjson.encode({ + status = status, + message = message + })) + + return ngx.exit() + end +end + + +local function handler(conf, is_http) local binary_remote_addr = ngx_var.binary_remote_addr if not binary_remote_addr then - return kong.response.error(403, "Cannot identify the client IP address, unix domain sockets are not supported.") + local status = 403 + local message = "Cannot identify the client IP address, unix domain sockets are not supported." + + do_exit(status, message, is_http) end local deny = conf.deny local allow = conf.allow local status = conf.status or 403 - local message = conf.message or "Your IP address is not allowed" + local message = conf.message or string.format("IP address not allowed: %s", binary_remote_addr) if not isempty(deny) then local blocked = match_bin(deny, binary_remote_addr) if blocked then - return kong.response.error(status, message) + do_exit(status, message, is_http) end end if not isempty(allow) then local allowed = match_bin(allow, binary_remote_addr) if not allowed then - return kong.response.error(status, message) + do_exit(status, message, is_http) end end end +function IpRestrictionHandler:access(conf) + return handler(conf, true) +end + + +function IpRestrictionHandler:preread(conf) + return handler(conf, false) +end + + return IpRestrictionHandler diff --git a/kong/plugins/ip-restriction/schema.lua b/kong/plugins/ip-restriction/schema.lua index 22e742657ea9..d5c47c33d47a 100644 --- a/kong/plugins/ip-restriction/schema.lua +++ b/kong/plugins/ip-restriction/schema.lua 
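Review bot: In the non-HTTP branch of `do_exit`, `tcpsock:send(...)` discards its `ok, err` result, so a failed write of the denial body leaves no trace in the logs even though the session is then torn down; a one-line check keeps the fail-closed behaviour while recording the failure: `local ok, send_err = tcpsock:send(cjson.encode({ status = status, message = message }))` followed by `if not ok then kong.log.warn("ip-restriction: failed to send denial to client: ", send_err) end`. The same unchecked send survives the rewrites of this function in [PATCH 04/31] and [PATCH 05/31]. The `error(err)` on a failed `ngx.req.socket(true)` aborts the session instead of letting the client through, which is the right direction for an access-control plugin but deserves a comment saying so (`-- fail closed: an unusable downstream socket must not let the session continue`).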
@@ -4,7 +4,7 @@ local typedefs = require "kong.db.schema.typedefs" return { name = "ip-restriction", fields = { - { protocols = typedefs.protocols_http }, + { protocols = typedefs.protocols { default = { "http", "https", "tcp", "tls", "grpc", "grpcs" } }, }, { config = { type = "record", fields = { From 4d281a79f6a5652b7d138a1e58dffa34f1f1aae2 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Wed, 8 Feb 2023 10:57:18 -0600 Subject: [PATCH 02/31] feat(ip-restriction): Localize json conversion and string formatting --- kong/plugins/ip-restriction/handler.lua | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index aa7b45c32de8..7d9f58a081ca 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -1,4 +1,4 @@ -local cjson = require "cjson" +local cjson = require "cjson.safe" local lrucache = require "resty.lrucache" local ipmatcher = require "resty.ipmatcher" local kong_meta = require "kong.meta" @@ -63,10 +63,12 @@ local function do_exit(status, message, is_http) error(err) end - tcpsock:send(cjson.encode({ + local response = cjson.encode({ status = status, message = message - })) + }) + + tcpsock:send(response) return ngx.exit() end @@ -85,7 +87,8 @@ local function handler(conf, is_http) local deny = conf.deny local allow = conf.allow local status = conf.status or 403 - local message = conf.message or string.format("IP address not allowed: %s", binary_remote_addr) + local default_message = string.format("IP address not allowed: %s", binary_remote_addr) + local message = conf.message or default_message if not isempty(deny) then local blocked = match_bin(deny, binary_remote_addr) From fef1b7d929c5798ed439b5e2f6364f69a2f6a4ab Mon Sep 17 00:00:00 2001 
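Review bot: The new `protocols` default lists `tcp` and `tls` but not `udp`, while `typedefs.protocols` with only a `default` will, as far as I can tell, still let an operator attach the plugin to a `udp` route, where the stream denial path in handler.lua calls `ngx_req.socket(true)`, the TCP downstream-socket API. If UDP is meant to be unsupported, restrict the field's elements rather than relying on the default, or at least record the intent (`-- udp deliberately omitted: the preread denial path writes a JSON body to a TCP socket`); if it is meant to work, it needs a test. I believe the default only applies to newly created plugin rows, so existing HTTP-only configurations keep their stored protocols, but that is worth stating in the changelog entry for this feature.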
From: Larry Owen Date: Sun, 19 Feb 2023 07:50:05 -0600 Subject: [PATCH 03/31] feat(ip-restriction): localize cjson and tcpsock --- kong/plugins/ip-restriction/handler.lua | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 7d9f58a081ca..c4a9b14d8efd 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -5,6 +5,7 @@ local kong_meta = require "kong.meta" local ngx_var = ngx.var +local ngx_req = ngx.req local kong = kong local error = error @@ -58,17 +59,16 @@ local function do_exit(status, message, is_http) return kong.response.error(status, message) else - local tcpsock, err = ngx.req.socket(true) + local cjson_encode = cjson.encode + local tcpsock, err = ngx_req.socket(true) if err then error(err) end - local response = cjson.encode({ + tcpsock:send(cjson_encode({ status = status, message = message - }) - - tcpsock:send(response) + })) return ngx.exit() end From 808353a2030b2224005bdd286455ec3ffbaee355 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Sun, 19 Feb 2023 08:19:53 -0600 Subject: [PATCH 04/31] feat(ip-restriction): fix tests --- kong/plugins/ip-restriction/handler.lua | 58 ++++++++++--------- .../17-ip-restriction/02-access_spec.lua | 42 +++++++------- 2 files changed, 52 insertions(+), 48 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index c4a9b14d8efd..e55133fbd014 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua 
@@ -31,6 +31,31 @@ do end +local is_http_subsystem = ngx.config.subsystem == "http" + + +local do_exit +if is_http_subsystem then + do_exit = function(status, message) + return kong.response.error(status, message) + end +else + do_exit = function(status, message) + local cjson_encode = cjson.encode + local tcpsock, err = ngx_req.socket(true) + if err then + error(err) + end + + tcpsock:send(cjson_encode({ + status = status, + message = message + })) + + return ngx.exit() + end +end + local function match_bin(list, binary_remote_addr) local matcher, err @@ -54,34 +79,13 @@ local function match_bin(list, binary_remote_addr) end -local function do_exit(status, message, is_http) - if is_http then - return kong.response.error(status, message) - - else - local cjson_encode = cjson.encode - local tcpsock, err = ngx_req.socket(true) - if err then - error(err) - end - - tcpsock:send(cjson_encode({ - status = status, - message = message - })) - - return ngx.exit() - end -end - - -local function handler(conf, is_http) +local function handler(conf) local binary_remote_addr = ngx_var.binary_remote_addr if not binary_remote_addr then local status = 403 local message = "Cannot identify the client IP address, unix domain sockets are not supported." - do_exit(status, message, is_http) + do_exit(status, message) end local deny = conf.deny @@ -93,26 +97,26 @@ local function handler(conf, is_http) if not isempty(deny) then local blocked = match_bin(deny, binary_remote_addr) if blocked then - do_exit(status, message, is_http) + do_exit(status, message) end end if not isempty(allow) then local allowed = match_bin(allow, binary_remote_addr) if not allowed then - do_exit(status, message, is_http) + do_exit(status, message) end end end function IpRestrictionHandler:access(conf) - return handler(conf, true) + return handler(conf) end function IpRestrictionHandler:preread(conf) - return handler(conf, false) + return handler(conf) end 
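Review bot: The stream branch of the load-time `do_exit` selector hand-rolls what, if I remember the PDK correctly, `kong.response.exit` already does in the stream subsystem (write the body to the downstream socket, then exit); if that holds, the branch collapses to `return kong.response.exit(status, { message = message })` and the `cjson`/socket handling can go. If the PDK path is deliberately avoided, the reason belongs in a comment above `local do_exit`, because the subsystem switch is otherwise unexplained to the next maintainer. Either way the `tcpsock:send` result is still unchecked here, as noted on the first version of this function in [PATCH 01/31].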
diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 8ed01faf5b86..74631f92fa11 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -248,7 +248,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("blocks a request when the IP is denied with status/message", function() @@ -310,7 +310,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("blocks an IP on a allowed CIDR range", function() local res = assert(proxy_client:send { @@ -322,7 +322,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("takes precedence over an allowed IP", function() local res = assert(proxy_client:send { @@ -334,7 +334,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("takes precedence over an allowed CIDR range", function() local res = assert(proxy_client:send { 
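Review bot: `assert.is_true(string.find(json, "IP address not allowed"))` cannot pass as written: `json` is the table returned by `cjson.decode(body)` on the line above, so `string.find` raises a bad-argument error, and even on a string `string.find` returns a start index rather than `true`. The replacement should assert on the decoded field, `assert.matches("IP address not allowed", json.message)`, or on the raw body as [PATCH 18/31] later does for one of these sites. The same assertion is repeated in every hunk of this file on L7–L10 and in the #tcp tests of [PATCH 10/31] on L15 (there `string.find(body, …)` has the right argument type but still returns a number). Because the message is now `IP address not allowed: <ip>`, anchoring the pattern (`"^IP address not allowed: "`) keeps the check nearly as strict as the old `assert.same`.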
@@ -346,7 +346,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) describe("X-Forwarded-For", function() @@ -386,7 +386,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) end) end) @@ -402,7 +402,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("allows a allowed IP", function() local res = assert(proxy_client:send { @@ -426,7 +426,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("block with not allowed X-Forwarded-For header", function() local res = assert(proxy_client:send { @@ -439,7 +439,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("block with not allowed X-Forwarded-For header #grpc", function() local ok, err = helpers.proxy_client_grpc(){ 
@@ -522,7 +522,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) res = assert(admin_client:send { method = "PATCH", @@ -722,7 +722,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("allows a request when the IPv6 is not denied", function() local res = assert(proxy_client:send { @@ -748,7 +748,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("blocks an IPv6 on a allowed IPv6 CIDR range", function() local res = assert(proxy_client:send { @@ -761,7 +761,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("takes precedence over an allowed IPv6", function() local res = assert(proxy_client:send { @@ -774,7 +774,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("takes precedence over an allowed IPv6 CIDR range", function() local res = assert(proxy_client:send { 
@@ -786,7 +786,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) end) @@ -802,7 +802,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("allows a allowed IPv6", function() local res = assert(proxy_client:send { @@ -865,7 +865,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) res = assert(admin_client:send { method = "PATCH", @@ -1002,7 +1002,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("blocks with blocked complex X-Forwarded-For header", function() local res = assert(proxy_client:send { @@ -1015,7 +1015,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("allows with allowed complex X-Forwarded-For header", function() local res = assert(proxy_client:send { 
@@ -1044,7 +1044,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) it("allows with allowed X-Forwarded-For header", function() local res = assert(proxy_client:send { @@ -1083,7 +1083,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.same({ message = "Your IP address is not allowed" }, json) + assert.is_true(string.find(json, "IP address not allowed")) end) end) end) From 73df5438f3b5260e22bde18bae17d32862e7c79e Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Mon, 20 Feb 2023 09:16:28 -0600 Subject: [PATCH 05/31] feat(ip-restriction): Use string to report IP, localize exit and return 1, Fix formatting --- kong/plugins/ip-restriction/handler.lua | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index e55133fbd014..8ec98e465e4c 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -4,10 +4,12 @@ local ipmatcher = require "resty.ipmatcher" local kong_meta = require "kong.meta" +local cjson_encode = cjson.encode +local error = error +local kong = kong +local ngx_exit = ngx.exit local ngx_var = ngx.var local ngx_req = ngx.req -local kong = kong -local error = error local IPMATCHER_COUNT = 512 @@ -39,9 +41,9 @@ if is_http_subsystem then do_exit = function(status, message) return kong.response.error(status, message) end + else do_exit = function(status, message) - local cjson_encode = cjson.encode local tcpsock, err = ngx_req.socket(true) if err then error(err) @@ -52,7 +54,7 @@ else message = message })) - return ngx.exit() + return ngx_exit(1) end end 
@@ -79,7 +81,7 @@ local function match_bin(list, binary_remote_addr) end -local function handler(conf) +local function do_restrict(conf) local binary_remote_addr = ngx_var.binary_remote_addr if not binary_remote_addr then local status = 403 @@ -91,7 +93,7 @@ local function handler(conf) local deny = conf.deny local allow = conf.allow local status = conf.status or 403 - local default_message = string.format("IP address not allowed: %s", binary_remote_addr) + local default_message = string.format("IP address not allowed: %s", ngx_var.remote_addr) local message = conf.message or default_message if not isempty(deny) then @@ -111,12 +113,12 @@ end function IpRestrictionHandler:access(conf) - return handler(conf) + return do_restrict(conf) end function IpRestrictionHandler:preread(conf) - return handler(conf) + return do_restrict(conf) end From 23b3cf6930315eb6e7206c4ca362c45a409dd4b1 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Tue, 21 Feb 2023 20:53:25 -0600 Subject: [PATCH 06/31] feat(ip-restriction): Set exit code to status --- kong/plugins/ip-restriction/handler.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 8ec98e465e4c..db7f99926c2b 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -54,7 +54,7 @@ else message = message })) - return ngx_exit(1) + return ngx_exit(status) end end From 06bffe0432988e562477b17adf1dd2c176174331 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Wed, 22 Feb 2023 21:07:26 -0600 Subject: [PATCH 07/31] feat(ip-restriction): Remove status from TCP response --- kong/plugins/ip-restriction/handler.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index db7f99926c2b..63a35fca3641 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua 
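Review bot: `return ngx_exit(status)` in the stream branch now hands the operator-configured `conf.status` to `ngx.exit` in the stream subsystem, where, if I read stream-lua's semantics correctly, any value >= 200 just aborts the session and is recorded in `$status`; the client never sees the number, only the JSON body followed by EOF. That is acceptable but should be stated at the call site (`-- stream: status only reaches the access log; the client sees the JSON body then a closed connection`) and in the plugin docs for `config.status`. More importantly, if the schema does not bound `config.status` (its validation is not in this series), a value of 0 would map to `ngx.OK` here and merely end the preread handler, letting a denied session continue — a fail-open; please confirm the range check or clamp the value before calling `ngx_exit`.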
@@ -50,7 +50,6 @@ else end tcpsock:send(cjson_encode({ - status = status, message = message })) From d1c750199d6c8b85b509b595f8dc1b537b5bd104 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Tue, 7 Mar 2023 22:23:33 -0600 Subject: [PATCH 08/31] Update kong/plugins/ip-restriction/handler.lua Co-authored-by: Aapo Talvensaari --- kong/plugins/ip-restriction/handler.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 63a35fca3641..57732c9b4e12 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -86,7 +86,7 @@ local function do_restrict(conf) local status = 403 local message = "Cannot identify the client IP address, unix domain sockets are not supported." - do_exit(status, message) + return do_exit(status, message) end local deny = conf.deny From 8123cce11d2c88f14bfd23c9cc20a8fc100f0713 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Tue, 7 Mar 2023 22:24:26 -0600 Subject: [PATCH 09/31] Update kong/plugins/ip-restriction/handler.lua Co-authored-by: Aapo Talvensaari --- kong/plugins/ip-restriction/handler.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 57732c9b4e12..10eaa2f7e6b3 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -98,7 +98,7 @@ local function do_restrict(conf) if not isempty(deny) then local blocked = match_bin(deny, binary_remote_addr) if blocked then - do_exit(status, message) + return do_exit(status, message) end end From 605fa760f26152ca58915dae6020ed9090b02eff Mon Sep 17 00:00:00 2001 
From: Jacob Chambliss Date: Mon, 12 Jun 2023 21:02:19 -0500 Subject: [PATCH 10/31] wip: add tests for tcp ip restriction plugin --- kong/plugins/ip-restriction/handler.lua | 2 +- .../17-ip-restriction/02-access_spec.lua | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+), 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 10eaa2f7e6b3..c5d0022091bb 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -105,7 +105,7 @@ local function do_restrict(conf) if not isempty(allow) then local allowed = match_bin(allow, binary_remote_addr) if not allowed then - do_exit(status, message) + return do_exit(status, message) end end end diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 74631f92fa11..b523d0566ec5 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -1,6 +1,7 @@ local helpers = require "spec.helpers" local cjson = require "cjson" +local MESSAGE = "echo, ping, pong. echo, ping, pong. echo, ping, pong.\n" for _, strategy in helpers.each_strategy() do describe("Plugin: ip-restriction (access) [#" .. strategy .. "]", function() 
@@ -91,6 +92,45 @@ for _, strategy in helpers.each_strategy() do service = grpc_service, }) + -- tcp services/routes + local tcp_srv = bp.services:insert({ + name = "tcp", + host = helpers.mock_upstream_host, + port = helpers.mock_upstream_stream_port, + protocol = "tcp" + }) + + local tls_srv = bp.services:insert({ + name = "tls", + host = helpers.mock_upstream_host, + port = helpers.mock_upstream_stream_ssl_port, + protocol = "tls" + }) + + local route_tcp_allow = bp.routes:insert { + destinations = { + { + port = 19000, + }, + }, + protocols = { + "tcp", + }, + service = tcp_srv, + } + + local route_tcp_deny = bp.routes:insert { + destinations = { + { + port = 19443, + }, + }, + protocols = { + "tls", + }, + service = tls_srv, + } + bp.plugins:insert { name = "ip-restriction", route = { id = route1.id }, @@ -192,6 +232,22 @@ for _, strategy in helpers.each_strategy() do }, } + assert(db.plugins:insert { + name = "ip-restriction", + route = { id = route_tcp_allow.id }, + config = { + allow = { "127.0.0.0/24" }, + }, + }) + + assert(db.plugins:insert { + name = "ip-restriction", + route = { id = route_tcp_deny.id }, + config = { + deny = { "127.0.0.1, 127.0.0.2" }, + }, + }) + assert(db.plugins:insert { name = "ip-restriction", route = { id = route_grpc_deny.id }, @@ -222,6 +278,8 @@ for _, strategy in helpers.each_strategy() do real_ip_recursive = "on", trusted_ips = "0.0.0.0/0, ::/0", nginx_conf = "spec/fixtures/custom_nginx.template", + stream_listen = helpers.get_proxy_ip(false) .. ":19000" .. + helpers.get_proxy_ip(false) .. ":19443 ssl" }) proxy_client = helpers.proxy_client() 
@@ -276,6 +334,16 @@ for _, strategy in helpers.each_strategy() do assert.matches("Code: PermissionDenied", err) end) + it("blocks a request when the IP is denied #tcp", function() + local tcp = ngx.socket.tcp() + assert(tcp:connect(helpers.get_proxy_ip(true), 19443)) + assert(tcp:sslhandshake(nil, nil, false)) + assert(tcp:send(MESSAGE)) + local body = assert(tcp:receive("*a")) + assert.is_true(string.find(body, "IP address not allowed")) + tcp:close() + end) + it("allows a request when the IP is not denied", function() local res = assert(proxy_client:send { method = "GET", @@ -300,6 +368,16 @@ for _, strategy in helpers.each_strategy() do assert.truthy(ok) end) + it("allows a request when the IP is not denied #tcp", function() + local tcp = ngx.socket.tcp() + local ip = helpers.get_proxy_ip(false) + assert(tcp:connect(ip, 19000)) + assert(tcp:send(MESSAGE)) + local body = assert(tcp:receive("*a")) + assert.equal(MESSAGE, body) + tcp:close() + end) + it("blocks IP with CIDR", function() local res = assert(proxy_client:send { method = "GET", From d1d579476f6e6ab83399bc515c2cfa31ef464667 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 10:26:29 -0500 Subject: [PATCH 11/31] test(ip-restrictions): Correct CIDRs --- .../17-ip-restriction/01-schema_spec.lua | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/01-schema_spec.lua b/spec/03-plugins/17-ip-restriction/01-schema_spec.lua index 265475de91b4..35856efe275e 100644 --- a/spec/03-plugins/17-ip-restriction/01-schema_spec.lua +++ b/spec/03-plugins/17-ip-restriction/01-schema_spec.lua 
@@ -4,24 +4,24 @@ local v = require("spec.helpers").validate_plugin_config_schema describe("Plugin: ip-restriction (schema)", function() it("should accept a valid allow", function() - assert(v({ allow = { "127.0.0.1", "127.0.0.2" } }, schema_def)) + assert(v({ allow = { "127.0.0.1/32", "127.0.0.2/32" } }, schema_def)) end) it("should accept a valid allow and status/message", function() - assert(v({ allow = { "127.0.0.1", "127.0.0.2" }, status = 403, message = "Forbidden" }, schema_def)) + assert(v({ allow = { "127.0.0.1/32", "127.0.0.2/32" }, status = 403, message = "Forbidden" }, schema_def)) end) it("should accept a valid cidr range", function() assert(v({ allow = { "127.0.0.1/8" } }, schema_def)) end) it("should accept a valid deny", function() - assert(v({ deny = { "127.0.0.1", "127.0.0.2" } }, schema_def)) + assert(v({ deny = { "127.0.0.1/32", "127.0.0.2/32" } }, schema_def)) end) it("should accept both non-empty allow and deny", function() local schema = { deny = { - "127.0.0.2" + "127.0.0.2/32" }, allow = { - "127.0.0.1" + "127.0.0.1/32" }, } assert(v(schema, schema_def)) @@ -40,7 +40,7 @@ describe("Plugin: ip-restriction (schema)", function() allow = { "invalid ip or cidr range: 'hello'" } }, err.config) - ok, err = v({ allow = { "127.0.0.1", "127.0.0.2", "hello" } }, schema_def) + ok, err = v({ allow = { "127.0.0.1/32", "127.0.0.2/32", "hello" } }, schema_def) assert.falsy(ok) assert.same({ allow = { [3] = "invalid ip or cidr range: 'hello'" } @@ -58,7 +58,7 @@ describe("Plugin: ip-restriction (schema)", function() deny = { "invalid ip or cidr range: 'hello'" } }, err.config) - ok, err = v({ deny = { "127.0.0.1", "127.0.0.2", "hello" } }, schema_def) + ok, err = v({ deny = { "127.0.0.1/32", "127.0.0.2/32", "hello" } }, schema_def) assert.falsy(ok) assert.same({ deny = { [3] = "invalid ip or cidr range: 'hello'" } From cc56a3382f5cf8b69146cb0e2d01b2ed4482c2fd Mon Sep 17 00:00:00 2001 
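Review bot: Rewriting every bare-address case to `/32` drops this spec's only coverage of the plain-IP form, even though the expected error string kept in the same hunk, `invalid ip or cidr range: 'hello'`, says both forms are valid input. If bare IPs are still accepted, keep at least one case such as `assert(v({ allow = { "127.0.0.1" } }, schema_def))` beside the CIDR ones; if they are no longer accepted, that is a compatibility change for existing configurations that this series neither shows nor documents. The commit message ("Correct CIDRs") does not say which of the two it is.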
From: Larry Owen Date: Thu, 15 Jun 2023 12:47:25 -0500 Subject: [PATCH 12/31] test(ip-restriction): Fix CIDRs --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index b523d0566ec5..0756f89b9f3c 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -244,7 +244,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route_tcp_deny.id }, config = { - deny = { "127.0.0.1, 127.0.0.2" }, + deny = { "127.0.0.1/32, 127.0.0.2/32" }, }, }) @@ -252,7 +252,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route_grpc_deny.id }, config = { - deny = { "127.0.0.1", "127.0.0.2" } + deny = { "127.0.0.1/32", "127.0.0.2/32" } }, }) @@ -260,7 +260,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route_grpc_allow.id }, config = { - deny = { "127.0.0.2" } + deny = { "127.0.0.2/32" } }, }) @@ -268,7 +268,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route_grpc_xforwarded_deny.id }, config = { - allow = { "127.0.0.4" }, + allow = { "127.0.0.4/32" }, }, }) From 75f7973049119a1b584b97e56235540cf319c7d0 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 13:32:12 -0500 Subject: [PATCH 13/31] feat(ip-restrction): Remove uneeded variables --- kong/plugins/ip-restriction/handler.lua | 8 ++------ spec/03-plugins/17-ip-restriction/02-access_spec.lua | 6 +++--- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index c5d0022091bb..83ab3afcafdd 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua 
@@ -83,17 +83,13 @@ end local function do_restrict(conf) local binary_remote_addr = ngx_var.binary_remote_addr if not binary_remote_addr then - local status = 403 - local message = "Cannot identify the client IP address, unix domain sockets are not supported." - - return do_exit(status, message) + return do_exit(403, "Cannot identify the client IP address, unix domain sockets are not supported.") end local deny = conf.deny local allow = conf.allow local status = conf.status or 403 - local default_message = string.format("IP address not allowed: %s", ngx_var.remote_addr) - local message = conf.message or default_message + local message = conf.message or string.format("IP address not allowed: %s", ngx_var.remote_addr) if not isempty(deny) then local blocked = match_bin(deny, binary_remote_addr) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 0756f89b9f3c..51dd709ff079 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -226,7 +226,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route12.id }, config = { - deny = { "127.0.0.1", "127.0.0.2" }, + deny = { "127.0.0.0/24" }, status = 401, message = "Forbidden" }, @@ -244,7 +244,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route_tcp_deny.id }, config = { - deny = { "127.0.0.1/32, 127.0.0.2/32" }, + deny = { "127.0.0.0/24" }, }, }) @@ -252,7 +252,7 @@ for _, strategy in helpers.each_strategy() do name = "ip-restriction", route = { id = route_grpc_deny.id }, config = { - deny = { "127.0.0.1/32", "127.0.0.2/32" } + deny = { "127.0.0.0/24" }, }, }) From 17bf82b95b7ce8eb196bfc26fa740b95a97d93d7 Mon Sep 17 00:00:00 2001 
From: Larry Owen Date: Thu, 15 Jun 2023 13:45:44 -0500 Subject: [PATCH 14/31] test(ip-restriction): Add IP to stream_listen --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 51dd709ff079..397e307bb308 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -278,8 +278,8 @@ for _, strategy in helpers.each_strategy() do real_ip_recursive = "on", trusted_ips = "0.0.0.0/0, ::/0", nginx_conf = "spec/fixtures/custom_nginx.template", - stream_listen = helpers.get_proxy_ip(false) .. ":19000" .. - helpers.get_proxy_ip(false) .. ":19443 ssl" + stream_listen = helpers.get_proxy_ip(false) .. "0.0.0.0/0:19000" .. + helpers.get_proxy_ip(false) .. "0.0.0.0/0:19443 ssl" }) proxy_client = helpers.proxy_client() From 218f1840e1051ff28bb84eb00e97f05da2943611 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 13:59:26 -0500 Subject: [PATCH 15/31] test(ip-restriction): Update syntax on stream_listen --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 397e307bb308..40a2a8f4dc6c 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua 
@@ -278,8 +278,8 @@ for _, strategy in helpers.each_strategy() do real_ip_recursive = "on", trusted_ips = "0.0.0.0/0, ::/0", nginx_conf = "spec/fixtures/custom_nginx.template", - stream_listen = helpers.get_proxy_ip(false) .. "0.0.0.0/0:19000" .. - helpers.get_proxy_ip(false) .. "0.0.0.0/0:19443 ssl" + stream_listen = helpers.get_proxy_ip(false) .. ":19000," .. + helpers.get_proxy_ip(false) .. ":19443 ssl" }) proxy_client = helpers.proxy_client() From 6c3ee6155d5011ab5def8ffff5bbf4d6ab2a574b Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 14:49:04 -0500 Subject: [PATCH 16/31] test(ip-restrictions): Add assert matches --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 40a2a8f4dc6c..97f21894d856 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -306,7 +306,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches(json, "IP address not allowed") end) it("blocks a request when the IP is denied with status/message", function() From f6a294a58a28d92d10a3b207cfc6337bfb8126a7 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 16:18:05 -0500 Subject: [PATCH 17/31] test(ip-restriction): Update matches assert --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 97f21894d856..937b1aa4a830 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua 
@@ -306,7 +306,7 @@ for _, strategy in helpers.each_strategy() do }) local body = assert.res_status(403, res) local json = cjson.decode(body) - assert.matches(json, "IP address not allowed") + assert.matches("IP address not allowed", json) end) it("blocks a request when the IP is denied with status/message", function() From 0b71f20427b29c6e3c80335f804d8b318b94e30e Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 20:41:17 -0500 Subject: [PATCH 18/31] test(ip-restriction): Check raw body for substring --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 937b1aa4a830..fc8fd9cc964f 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -305,8 +305,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.matches("IP address not allowed", json) + assert.matches("IP address not allowed", body) end) it("blocks a request when the IP is denied with status/message", function() From 42eb3eb950e4ec260f1f067bf3ce9dac4008e74d Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 20:58:02 -0500 Subject: [PATCH 19/31] test(ip-restriction): Convert to assert matches --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index fc8fd9cc964f..50d88ce1cba4 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua 
@@ -339,7 +339,7 @@ for _, strategy in helpers.each_strategy() do assert(tcp:sslhandshake(nil, nil, false)) assert(tcp:send(MESSAGE)) local body = assert(tcp:receive("*a")) - assert.is_true(string.find(body, "IP address not allowed")) + assert.matches("IP address not allowed", body)) tcp:close() end) From f4380256a6edb69d26bb08def40efe355ce7bd9a Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 21:05:36 -0500 Subject: [PATCH 20/31] doh! --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 50d88ce1cba4..3b8eb7fe1ae0 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -339,7 +339,7 @@ for _, strategy in helpers.each_strategy() do assert(tcp:sslhandshake(nil, nil, false)) assert(tcp:send(MESSAGE)) local body = assert(tcp:receive("*a")) - assert.matches("IP address not allowed", body)) + assert.matches("IP address not allowed", body) tcp:close() end) From af55d98934766dd14204c56b440d873266a664c1 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 21:25:08 -0500 Subject: [PATCH 21/31] test(ip-restriction): convert assert to matches --- .../17-ip-restriction/02-access_spec.lua | 24 +++++++------------ 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 3b8eb7fe1ae0..0887ca886357 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua 
@@ -386,8 +386,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("blocks an IP on a allowed CIDR range", function() local res = assert(proxy_client:send { @@ -398,8 +397,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("takes precedence over an allowed IP", function() local res = assert(proxy_client:send { @@ -410,8 +408,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("takes precedence over an allowed CIDR range", function() local res = assert(proxy_client:send { @@ -422,8 +419,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) describe("X-Forwarded-For", function() @@ -462,8 +458,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) end) end) 
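Review bot: Dropping `cjson.decode(body)` in favour of `assert.matches("IP address not allowed", body)` on the raw body removes the check that the 403 response is well-formed JSON carrying the text in its `message` field; a substring match also passes on an HTML error page or any other body that happens to contain the phrase. Keeping the decode and matching on the field, `local json = cjson.decode(body)` / `assert.matches("IP address not allowed", json.message)`, asserts both the shape and the content. The same replacement is made in every hunk of this patch and in the hunks of PATCH 22/31, so one decision covers all of them. With the decode calls gone the spec's `cjson` require may end up unused unless another test still needs it; a luacheck pass would tell.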
@@ -502,8 +497,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("block with not allowed X-Forwarded-For header", function() local res = assert(proxy_client:send { @@ -515,8 +509,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("block with not allowed X-Forwarded-For header #grpc", function() local ok, err = helpers.proxy_client_grpc(){ @@ -598,8 +591,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) res = assert(admin_client:send { method = "PATCH", From 5546de843243135960392d7f91ac9e7867653191 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Thu, 15 Jun 2023 21:43:58 -0500 Subject: [PATCH 22/31] test(ip-restriction): convert assert to matches --- .../17-ip-restriction/02-access_spec.lua | 36 +++++++------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 0887ca886357..61072f448177 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -473,8 +473,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("allows a allowed IP", function() local res = assert(proxy_client:send { 
@@ -790,8 +789,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("allows a request when the IPv6 is not denied", function() local res = assert(proxy_client:send { @@ -816,8 +814,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("blocks an IPv6 on a allowed IPv6 CIDR range", function() local res = assert(proxy_client:send { @@ -829,8 +826,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("takes precedence over an allowed IPv6", function() local res = assert(proxy_client:send { @@ -842,8 +838,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("takes precedence over an allowed IPv6 CIDR range", function() local res = assert(proxy_client:send { @@ -854,8 +849,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) end) 
@@ -870,8 +864,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("allows a allowed IPv6", function() local res = assert(proxy_client:send { @@ -933,8 +926,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) res = assert(admin_client:send { method = "PATCH", @@ -1070,8 +1062,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("blocks with blocked complex X-Forwarded-For header", function() local res = assert(proxy_client:send { @@ -1083,8 +1074,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("allows with allowed complex X-Forwarded-For header", function() local res = assert(proxy_client:send { @@ -1112,8 +1102,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) it("allows with allowed X-Forwarded-For header", function() local res = assert(proxy_client:send { 
@@ -1151,8 +1140,7 @@ for _, strategy in helpers.each_strategy() do } }) local body = assert.res_status(403, res) - local json = cjson.decode(body) - assert.is_true(string.find(json, "IP address not allowed")) + assert.matches("IP address not allowed", body) end) end) end) From 68178a5288c135f1c840a9e8e5342991f960d6dc Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Fri, 16 Jun 2023 07:40:02 -0500 Subject: [PATCH 23/31] Update kong/plugins/ip-restriction/handler.lua Co-authored-by: Aapo Talvensaari --- kong/plugins/ip-restriction/handler.lua | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 83ab3afcafdd..765295914864 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -44,16 +44,7 @@ if is_http_subsystem then else do_exit = function(status, message) - local tcpsock, err = ngx_req.socket(true) - if err then - error(err) - end - - tcpsock:send(cjson_encode({ - message = message - })) - - return ngx_exit(status) + return kong.response.exit(status, { message = message }) end end From 26849d351341ea3702dcc60c4acb419b9e3dac74 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Fri, 16 Jun 2023 08:04:43 -0500 Subject: [PATCH 24/31] fix(ip-restriction): rolback suggested change --- kong/plugins/ip-restriction/handler.lua | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 765295914864..8ed6f1df8b41 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua 
@@ -44,7 +44,16 @@ if is_http_subsystem then else do_exit = function(status, message) - return kong.response.exit(status, { message = message }) + local tcpsock, err = ngx_req.socket(true) + if err then + error(err) + end + + tcpsock:send(cjson_encode({ + message = message + }))z + + return ngx_exit(status) end end From d4548995799664cc0d5cd9453f3c6546d0e4018d Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Fri, 16 Jun 2023 08:11:42 -0500 Subject: [PATCH 25/31] fix(ip-restriction): Syntax error --- kong/plugins/ip-restriction/handler.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 8ed6f1df8b41..83ab3afcafdd 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -51,7 +51,7 @@ else tcpsock:send(cjson_encode({ message = message - }))z + })) return ngx_exit(status) end From 84d47717f06b62473414899e62da253c4218e3dc Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Wed, 21 Jun 2023 12:51:32 -0500 Subject: [PATCH 26/31] feat(ip-restriction): Remove json response from tcp exit --- kong/plugins/ip-restriction/handler.lua | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 83ab3afcafdd..4e256de19823 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -1,10 +1,8 @@ -local cjson = require "cjson.safe" local lrucache = require "resty.lrucache" local ipmatcher = require "resty.ipmatcher" local kong_meta = require "kong.meta" -local cjson_encode = cjson.encode local error = error local kong = kong local ngx_exit = ngx.exit @@ -49,9 +47,7 @@ else error(err) end - tcpsock:send(cjson_encode({ - message = message - })) + tcpsock:send(message) return ngx_exit(status) end From 7a1897fddd21e2017edd66a3257f0673142f6a63 Mon Sep 17 00:00:00 2001 
From: Larry Owen Date: Tue, 27 Jun 2023 09:39:41 -0500 Subject: [PATCH 27/31] feat(ip-restriction): Use kong.response.error for TCP --- kong/plugins/ip-restriction/handler.lua | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 4e256de19823..cd1ddebb59f0 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -34,25 +34,11 @@ end local is_http_subsystem = ngx.config.subsystem == "http" -local do_exit -if is_http_subsystem then - do_exit = function(status, message) - return kong.response.error(status, message) - end - -else - do_exit = function(status, message) - local tcpsock, err = ngx_req.socket(true) - if err then - error(err) - end - - tcpsock:send(message) - - return ngx_exit(status) - end +local do_exit = function(status, message) + return kong.response.error(status, message) end + local function match_bin(list, binary_remote_addr) local matcher, err From 2e8eadd5067c3b81413d99f27d8155d4981ab952 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Tue, 27 Jun 2023 09:51:37 -0500 Subject: [PATCH 28/31] feat(ip-restriction): Cleanup unused variables --- kong/plugins/ip-restriction/handler.lua | 5 ----- 1 file changed, 5 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index cd1ddebb59f0..da4ed035ec57 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -5,9 +5,7 @@ local kong_meta = require "kong.meta" local error = error local kong = kong -local ngx_exit = ngx.exit local ngx_var = ngx.var -local ngx_req = ngx.req local IPMATCHER_COUNT = 512 @@ -31,9 +29,6 @@ do end -local is_http_subsystem = ngx.config.subsystem == "http" - - local do_exit = function(status, message) return kong.response.error(status, message) end From d767c1129c4653913560f01a2679c226558fb179 Mon Sep 17 00:00:00 2001 
From: Larry Owen Date: Tue, 27 Jun 2023 10:11:46 -0500 Subject: [PATCH 29/31] feat(ip-restriction): Revert kong response change --- kong/plugins/ip-restriction/handler.lua | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index da4ed035ec57..4e256de19823 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua @@ -5,7 +5,9 @@ local kong_meta = require "kong.meta" local error = error local kong = kong +local ngx_exit = ngx.exit local ngx_var = ngx.var +local ngx_req = ngx.req local IPMATCHER_COUNT = 512 @@ -29,10 +31,27 @@ do end -local do_exit = function(status, message) - return kong.response.error(status, message) -end +local is_http_subsystem = ngx.config.subsystem == "http" + + +local do_exit +if is_http_subsystem then + do_exit = function(status, message) + return kong.response.error(status, message) + end + +else + do_exit = function(status, message) + local tcpsock, err = ngx_req.socket(true) + if err then + error(err) + end + + tcpsock:send(message) + return ngx_exit(status) + end +end local function match_bin(list, binary_remote_addr) local matcher, err From 94c5dc6e2ed164696bab246e5404008db4c0d9b1 Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Fri, 30 Jun 2023 15:05:14 -0500 Subject: [PATCH 30/31] feat(ip-restriction): Remove message from TCP deny --- kong/plugins/ip-restriction/handler.lua | 26 ++++--------------- .../17-ip-restriction/02-access_spec.lua | 3 ++- 2 files changed, 7 insertions(+), 22 deletions(-) diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua index 4e256de19823..2ba1f206d0ca 100644 --- a/kong/plugins/ip-restriction/handler.lua +++ b/kong/plugins/ip-restriction/handler.lua 
@@ -5,9 +5,8 @@ local kong_meta = require "kong.meta" local error = error local kong = kong -local ngx_exit = ngx.exit +local log = kong.log local ngx_var = ngx.var -local ngx_req = ngx.req local IPMATCHER_COUNT = 512 @@ -31,28 +30,13 @@ do end -local is_http_subsystem = ngx.config.subsystem == "http" - - -local do_exit -if is_http_subsystem then - do_exit = function(status, message) +local function do_exit(status, message) + log.warn(message) + return kong.response.error(status, message) - end - -else - do_exit = function(status, message) - local tcpsock, err = ngx_req.socket(true) - if err then - error(err) - end - - tcpsock:send(message) - - return ngx_exit(status) - end end + local function match_bin(list, binary_remote_addr) local matcher, err diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index 61072f448177..fcc894504ca8 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua @@ -339,8 +339,9 @@ for _, strategy in helpers.each_strategy() do assert(tcp:sslhandshake(nil, nil, false)) assert(tcp:send(MESSAGE)) local body = assert(tcp:receive("*a")) - assert.matches("IP address not allowed", body) tcp:close() + + assert.logfile().has.line("IP address not allowed", true) end) it("allows a request when the IP is not denied", function() From fe14d09efabd3386adfdfec8c3c6f1088cc7410f Mon Sep 17 00:00:00 2001 From: Larry Owen Date: Fri, 30 Jun 2023 15:31:15 -0500 Subject: [PATCH 31/31] feat(ip-restriction): Apply lint suggestion --- spec/03-plugins/17-ip-restriction/02-access_spec.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/03-plugins/17-ip-restriction/02-access_spec.lua b/spec/03-plugins/17-ip-restriction/02-access_spec.lua index fcc894504ca8..e1af8734813a 100644 --- a/spec/03-plugins/17-ip-restriction/02-access_spec.lua +++ b/spec/03-plugins/17-ip-restriction/02-access_spec.lua 
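Review bot: `do_exit` now emits `log.warn(message)` for every denied request before `kong.response.error(status, message)`, in both the http and the new stream path, so a burst of denied connections becomes one warn line per connection; that is a useful detection signal, but the level and volume should be a deliberate choice, and `log.notice` (or `log.info`) would keep the event without escalating routine policy hits to warnings. The context line `local error = error` at the top of the first hunk appears to have lost its only caller with the removed tcp branch; `ngx_exit` and `ngx_req` were cleaned up but this one was not, unless `match_bin` outside the hunk still uses it. In the spec hunk the body assertion was replaced by `assert.logfile().has.line("IP address not allowed", true)`, so nothing in the TCP test now asserts what the client receives on a denied connection.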
@@ -338,7 +338,7 @@ for _, strategy in helpers.each_strategy() do
 assert(tcp:connect(helpers.get_proxy_ip(true), 19443))
 assert(tcp:sslhandshake(nil, nil, false))
 assert(tcp:send(MESSAGE))
- local body = assert(tcp:receive("*a"))
+ assert(tcp:receive("*a"))
 tcp:close()
 
 assert.logfile().has.line("IP address not allowed", true)
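Review bot: `assert(tcp:receive("*a"))` only asserts that the read did not fail; assuming a cosocket-style `receive`, `*a` presumably returns whatever arrived before the peer closed, possibly an empty string, so the test passes whether the plugin terminated the connection or proxied it upstream, and the logfile line is the only evidence of a denial. If the fixture upstream echoes MESSAGE back, keep the result and assert on it, `local body = assert(tcp:receive("*a"))` / `assert.are_not.equal(MESSAGE, body)`, so a deny that logs but fails to close the stream is caught. The enclosing `it` block starts before the hunk.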