feat(ip-restriction): Add TCP Support #10245

Merged
merged 55 commits into from
Jul 7, 2023
06ea6ac
feat(ip-restriction): Add TCP Support
scrudge Feb 6, 2023
06d3261
Merge branch 'Kong:master' into master
scrudge Feb 8, 2023
4d281a7
feat(ip-restriction): Localize json conversion and string formatting
scrudge Feb 8, 2023
0cf7888
Merge branch 'Kong:master' into master
scrudge Feb 11, 2023
929dbb0
Merge branch 'Kong:master' into master
scrudge Feb 15, 2023
6aa987e
Merge branch 'Kong:master' into master
scrudge Feb 19, 2023
fef1b7d
feat(ip-restriction): localize cjson and tcpsock
scrudge Feb 19, 2023
808353a
feat(ip-restriction): fix tests
scrudge Feb 19, 2023
73df543
feat(ip-restriction): Use string to report IP, localize exit and ret…
scrudge Feb 20, 2023
08fa05c
Merge branch 'Kong:master' into master
scrudge Feb 20, 2023
23b3cf6
feat(ip-restriction): Set exit code to status
scrudge Feb 22, 2023
a216f67
Merge branch 'Kong:master' into master
scrudge Feb 22, 2023
06bffe0
feat(ip-restriction): Remove status from TCP response
scrudge Feb 23, 2023
333fbfb
Merge branch 'Kong:master' into master
scrudge Feb 23, 2023
12c11da
Merge branch 'Kong:master' into master
scrudge Feb 23, 2023
d1c7501
Update kong/plugins/ip-restriction/handler.lua
scrudge Mar 8, 2023
8123cce
Update kong/plugins/ip-restriction/handler.lua
scrudge Mar 8, 2023
63f4f19
Merge branch 'Kong:master' into master
scrudge Mar 13, 2023
dc94b55
Merge branch 'Kong:master' into master
scrudge Apr 28, 2023
605fa76
wip: add tests for tcp ip restriction plugin
jjchambl Jun 13, 2023
e5635c4
Merge branch 'Kong:master' into master
scrudge Jun 13, 2023
becec8f
Merge branch 'Kong:master' into master
scrudge Jun 14, 2023
b097631
Merge branch 'Kong:master' into master
scrudge Jun 14, 2023
1591e5e
Merge pull request #1 from jjchambl/feat/tcp_ip_restriction
scrudge Jun 14, 2023
54df200
Merge branch 'master' into master
scrudge Jun 15, 2023
d1d5794
test(ip-restrictions): Correct CIDRs
scrudge Jun 15, 2023
cc56a33
test(ip-restriction): Fix CIDRs
scrudge Jun 15, 2023
75f7973
feat(ip-restrction): Remove uneeded variables
scrudge Jun 15, 2023
17bf82b
test(ip-restriction): Add IP to stream_listen
scrudge Jun 15, 2023
218f184
test(ip-restriction): Update syntax on stream_listen
scrudge Jun 15, 2023
6c3ee61
test(ip-restrictions): Add assert matches
scrudge Jun 15, 2023
f6a294a
test(ip-restriction): Update matches assert
scrudge Jun 15, 2023
0b71f20
test(ip-restriction): Check raw body for substring
scrudge Jun 16, 2023
42eb3eb
test(ip-restriction): Convert to assert matches
scrudge Jun 16, 2023
f438025
doh!
scrudge Jun 16, 2023
af55d98
test(ip-restriction): convert assert to matches
scrudge Jun 16, 2023
5546de8
test(ip-restriction): convert assert to matches
scrudge Jun 16, 2023
68178a5
Update kong/plugins/ip-restriction/handler.lua
scrudge Jun 16, 2023
26849d3
fix(ip-restriction): rolback suggested change
scrudge Jun 16, 2023
d454899
fix(ip-restriction): Syntax error
scrudge Jun 16, 2023
4f7a747
Merge branch 'master' into master
scrudge Jun 21, 2023
84d4771
feat(ip-restriction): Remove json response from tcp exit
scrudge Jun 21, 2023
94e82cf
Merge branch 'Kong:master' into master
scrudge Jun 21, 2023
428b153
Merge branch 'master' into master
scrudge Jun 22, 2023
5b1f9d8
Merge branch 'master' into master
scrudge Jun 22, 2023
de2ecf2
Merge branch 'Kong:master' into master
scrudge Jun 27, 2023
7a1897f
feat(ip-restriction): Use kong.response.error for TCP
scrudge Jun 27, 2023
2e8eadd
feat(ip-restriction): Cleanup unused variables
scrudge Jun 27, 2023
d767c11
feat(ip-restriction): Revert kong response change
scrudge Jun 27, 2023
292a134
Merge branch 'Kong:master' into master
scrudge Jun 30, 2023
94c5dc6
feat(ip-restriction): Remove message from TCP deny
scrudge Jun 30, 2023
fe14d09
feat(ip-restriction): Apply lint suggestion
scrudge Jun 30, 2023
d89d257
Merge branch 'Kong:master' into master
scrudge Jul 3, 2023
9d1bd70
Merge branch 'Kong:master' into master
scrudge Jul 4, 2023
7a6d439
Merge branch 'Kong:master' into master
scrudge Jul 7, 2023
48 changes: 41 additions & 7 deletions kong/plugins/ip-restriction/handler.lua
Expand Up @@ -3,9 +3,11 @@ local ipmatcher = require "resty.ipmatcher"
local kong_meta = require "kong.meta"


local ngx_var = ngx.var
local kong = kong
local error = error
local kong = kong
local ngx_exit = ngx.exit
local ngx_var = ngx.var
local ngx_req = ngx.req


local IPMATCHER_COUNT = 512
Expand All @@ -29,6 +31,28 @@ do
end


local is_http_subsystem = ngx.config.subsystem == "http"


local do_exit
if is_http_subsystem then
do_exit = function(status, message)
return kong.response.error(status, message)
end

else
do_exit = function(status, message)
local tcpsock, err = ngx_req.socket(true)
if err then
error(err)
end

tcpsock:send(message)

return ngx_exit(status)
end
end

local function match_bin(list, binary_remote_addr)
local matcher, err

Expand All @@ -52,31 +76,41 @@ local function match_bin(list, binary_remote_addr)
end


function IpRestrictionHandler:access(conf)
local function do_restrict(conf)
local binary_remote_addr = ngx_var.binary_remote_addr
if not binary_remote_addr then
return kong.response.error(403, "Cannot identify the client IP address, unix domain sockets are not supported.")
return do_exit(403, "Cannot identify the client IP address, unix domain sockets are not supported.")
end

local deny = conf.deny
local allow = conf.allow
local status = conf.status or 403
local message = conf.message or "Your IP address is not allowed"
local message = conf.message or string.format("IP address not allowed: %s", ngx_var.remote_addr)

if not isempty(deny) then
local blocked = match_bin(deny, binary_remote_addr)
if blocked then
return kong.response.error(status, message)
return do_exit(status, message)
end
end

if not isempty(allow) then
local allowed = match_bin(allow, binary_remote_addr)
if not allowed then
return kong.response.error(status, message)
return do_exit(status, message)
end
end
end


function IpRestrictionHandler:access(conf)
return do_restrict(conf)
end


function IpRestrictionHandler:preread(conf)
return do_restrict(conf)
end


return IpRestrictionHandler
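Review bot: The stream branch of `do_exit` discards the result of `tcpsock:send(message)`, so a failed or partial write of the deny message goes unnoticed, while the only handled error is the `error(err)` raised when the raw socket cannot be obtained, which turns a rejection into a plugin failure in preread. Check the send result and log it rather than dropping it, e.g. `local ok, send_err = tcpsock:send(message)` / `if not ok then kong.log.warn("ip-restriction: failed to send deny message: ", send_err) end`, and test `if not tcpsock then` instead of `if err then`, since the socket is the value the next line depends on. The stream path then ends with `ngx_exit(status)` where `status` is an HTTP-style code (default 403 set at the top of `do_restrict`); it is worth confirming against the stream-lua documentation that this terminates the downstream session, because a deny decision that leaves the connection open would fail open. A short comment above the `else` branch noting that `message` is written raw to the TCP client, including the new default that embeds `ngx_var.remote_addr`, would help operators who set `conf.message`.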
2 changes: 1 addition & 1 deletion kong/plugins/ip-restriction/schema.lua
Expand Up @@ -4,7 +4,7 @@ local typedefs = require "kong.db.schema.typedefs"
return {
name = "ip-restriction",
fields = {
{ protocols = typedefs.protocols_http },
{ protocols = typedefs.protocols { default = { "http", "https", "tcp", "tls", "grpc", "grpcs" } }, },
{ config = {
type = "record",
fields = {
14 changes: 7 additions & 7 deletions spec/03-plugins/17-ip-restriction/01-schema_spec.lua
Expand Up @@ -4,24 +4,24 @@ local v = require("spec.helpers").validate_plugin_config_schema

describe("Plugin: ip-restriction (schema)", function()
it("should accept a valid allow", function()
assert(v({ allow = { "127.0.0.1", "127.0.0.2" } }, schema_def))
assert(v({ allow = { "127.0.0.1/32", "127.0.0.2/32" } }, schema_def))
end)
it("should accept a valid allow and status/message", function()
assert(v({ allow = { "127.0.0.1", "127.0.0.2" }, status = 403, message = "Forbidden" }, schema_def))
assert(v({ allow = { "127.0.0.1/32", "127.0.0.2/32" }, status = 403, message = "Forbidden" }, schema_def))
end)
it("should accept a valid cidr range", function()
assert(v({ allow = { "127.0.0.1/8" } }, schema_def))
end)
it("should accept a valid deny", function()
assert(v({ deny = { "127.0.0.1", "127.0.0.2" } }, schema_def))
assert(v({ deny = { "127.0.0.1/32", "127.0.0.2/32" } }, schema_def))
end)
it("should accept both non-empty allow and deny", function()
local schema = {
deny = {
"127.0.0.2"
"127.0.0.2/32"
},
allow = {
"127.0.0.1"
"127.0.0.1/32"
},
}
assert(v(schema, schema_def))
Expand All @@ -40,7 +40,7 @@ describe("Plugin: ip-restriction (schema)", function()
allow = { "invalid ip or cidr range: 'hello'" }
}, err.config)

ok, err = v({ allow = { "127.0.0.1", "127.0.0.2", "hello" } }, schema_def)
ok, err = v({ allow = { "127.0.0.1/32", "127.0.0.2/32", "hello" } }, schema_def)
assert.falsy(ok)
assert.same({
allow = { [3] = "invalid ip or cidr range: 'hello'" }
Expand All @@ -58,7 +58,7 @@ describe("Plugin: ip-restriction (schema)", function()
deny = { "invalid ip or cidr range: 'hello'" }
}, err.config)

ok, err = v({ deny = { "127.0.0.1", "127.0.0.2", "hello" } }, schema_def)
ok, err = v({ deny = { "127.0.0.1/32", "127.0.0.2/32", "hello" } }, schema_def)
assert.falsy(ok)
assert.same({
deny = { [3] = "invalid ip or cidr range: 'hello'" }
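Review bot: Every bare-IP value in these schema tests has been rewritten as a /32 (the allow and deny cases in the first hunk and the invalid-entry cases in the later ones), so the suite no longer exercises a plain address without a prefix length. If the schema is still meant to accept both forms, as the unchanged error string `invalid ip or cidr range` suggests, keep one such case, e.g. `assert(v({ allow = { "127.0.0.1" } }, schema_def))`; if bare addresses are now rejected, a negative test should pin that instead so the behaviour change is visible.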