Начало Каталог Помощ
Вход
cloudflare
/
cfssl
огледало от https://github.com/cloudflare/cfssl
Наблюдаван 1
Харесван 0
Разклонения 0
Файлове Задачи
ИН на ревизия: 3da27f45e5
Клонове Маркери
cfssl
/
whitelist
/
whitelist_net.go

whitelist_net.go 4.1 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171 
  1. package whitelist
    2. 

  2. 

  3. // This file contains a variant of the ACL that operates on
    4. 

  4. // netblocks. It will mimic as much of the code in whitelist.go
    5. 

  5. // that is needed to support network whitelists.
    6. 

  6. 

  7. import (
    8. 

  8. 	"errors"
    9. 

  9. 	"log"
    10. 

  10. 	"net"
    11. 

  11. 	"strings"
    12. 

  12. 	"sync"
    13. 

  13. )
    14. 

  14. 

  15. // A NetACL stores a list of permitted IP networks.
    16. 

  16. type NetACL interface {
    17. 

  17. 	ACL
    18. 

  18. 

  19. 	// Add takes an IP network and adds it to the whitelist so
    20. 

  20. 	// that it is now permitted.
    21. 

  21. 	Add(*net.IPNet)
    22. 

  22. 

  23. 	// Remove takes an IP network and drops it from the whitelist
    24. 

  24. 	// so that it is no longer permitted.
    25. 

  25. 	Remove(*net.IPNet)
    26. 

  26. }
    27. 

  27. 

  28. // BasicNet implements a basic map-backed network whitelist using
    29. 

  29. // locks for concurrency. It must be initialised with one of the
    30. 

  30. // constructor functions. This particular implementation is
    31. 

  31. // unoptimised and will not scale.
    32. 

  32. type BasicNet struct {
    33. 

  33. 	lock      *sync.Mutex
    34. 

  34. 	whitelist []*net.IPNet
    35. 

  35. }
    36. 

  36. 

  37. // Permitted returns true if the IP has been whitelisted.
    38. 

  38. func (wl *BasicNet) Permitted(ip net.IP) bool {
    39. 

  39. 	if !validIP(ip) { // see whitelist.go for this function
    40. 

  40. 		return false
    41. 

  41. 	}
    42. 

  42. 

  43. 	wl.lock.Lock()
    44. 

  44. 	defer wl.lock.Unlock()
    45. 

  45. 	for i := range wl.whitelist {
    46. 

  46. 		if wl.whitelist[i].Contains(ip) {
    47. 

  47. 			return true
    48. 

  48. 		}
    49. 

  49. 	}
    50. 

  50. 	return false
    51. 

  51. }
    52. 

  52. 

  53. // BUG(kyle): overlapping networks aren't detected.
    54. 

  54. 

  55. // Add adds a new network to the whitelist. Caveat: overlapping
    56. 

  56. // networks won't be detected.
    57. 

  57. func (wl *BasicNet) Add(n *net.IPNet) {
    58. 

  58. 	if n == nil {
    59. 

  59. 		return
    60. 

  60. 	}
    61. 

  61. 

  62. 	wl.lock.Lock()
    63. 

  63. 	defer wl.lock.Unlock()
    64. 

  64. 	wl.whitelist = append(wl.whitelist, n)
    65. 

  65. }
    66. 

  66. 

  67. // Remove removes a network from the whitelist.
    68. 

  68. func (wl *BasicNet) Remove(n *net.IPNet) {
    69. 

  69. 	if n == nil {
    70. 

  70. 		return
    71. 

  71. 	}
    72. 

  72. 

  73. 	index := -1
    74. 

  74. 	wl.lock.Lock()
    75. 

  75. 	defer wl.lock.Unlock()
    76. 

  76. 	for i := range wl.whitelist {
    77. 

  77. 		if wl.whitelist[i].String() == n.String() {
    78. 

  78. 			index = i
    79. 

  79. 			break
    80. 

  80. 		}
    81. 

  81. 	}
    82. 

  82. 

  83. 	if index == -1 {
    84. 

  84. 		return
    85. 

  85. 	}
    86. 

  86. 

  87. 	wl.whitelist = append(wl.whitelist[:index], wl.whitelist[index+1:]...)
    88. 

  88. }
    89. 

  89. 

  90. // NewBasicNet constructs a new basic network-based whitelist.
    91. 

  91. func NewBasicNet() *BasicNet {
    92. 

  92. 	return &BasicNet{
    93. 

  93. 		lock: new(sync.Mutex),
    94. 

  94. 	}
    95. 

  95. }
    96. 

  96. 

  97. // MarshalJSON serialises a network whitelist to a comma-separated
    98. 

  98. // list of networks.
    99. 

  99. func (wl *BasicNet) MarshalJSON() ([]byte, error) {
    100. 

  100. 	var ss = make([]string, 0, len(wl.whitelist))
    101. 

  101. 	for i := range wl.whitelist {
    102. 

  102. 		ss = append(ss, wl.whitelist[i].String())
    103. 

  103. 	}
    104. 

  104. 

  105. 	out := []byte(`"` + strings.Join(ss, ",") + `"`)
    106. 

  106. 	return out, nil
    107. 

  107. }
    108. 

  108. 

  109. // UnmarshalJSON implements the json.Unmarshaler interface for network
    110. 

  110. // whitelists, taking a comma-separated string of networks.
    111. 

  111. func (wl *BasicNet) UnmarshalJSON(in []byte) error {
    112. 

  112. 	if in[0] != '"' || in[len(in)-1] != '"' {
    113. 

  113. 		return errors.New("whitelist: invalid whitelist")
    114. 

  114. 	}
    115. 

  115. 

  116. 	if wl.lock == nil {
    117. 

  117. 		wl.lock = new(sync.Mutex)
    118. 

  118. 	}
    119. 

  119. 

  120. 	wl.lock.Lock()
    121. 

  121. 	defer wl.lock.Unlock()
    122. 

  122. 

  123. 	var err error
    124. 

  124. 	netString := strings.TrimSpace(string(in[1 : len(in)-1]))
    125. 

  125. 	nets := strings.Split(netString, ",")
    126. 

  126. 	wl.whitelist = make([]*net.IPNet, len(nets))
    127. 

  127. 	for i := range nets {
    128. 

  128. 		addr := strings.TrimSpace(nets[i])
    129. 

  129. 		if addr == "" {
    130. 

  130. 			continue
    131. 

  131. 		}
    132. 

  132. 		_, wl.whitelist[i], err = net.ParseCIDR(addr)
    133. 

  133. 		if err != nil {
    134. 

  134. 			wl.whitelist = nil
    135. 

  135. 			return err
    136. 

  136. 		}
    137. 

  137. 	}
    138. 

  138. 

  139. 	return nil
    140. 

  140. }
    141. 

  141. 

  142. // NetStub allows network whitelisting to be added into a system's
    143. 

  143. // flow without doing anything yet. All operations result in warning
    144. 

  144. // log messages being printed to stderr. There is no mechanism for
    145. 

  145. // squelching these messages short of modifying the log package's
    146. 

  146. // default logger.
    147. 

  147. type NetStub struct{}
    148. 

  148. 

  149. // Permitted always returns true, but prints a warning message alerting
    150. 

  150. // that whitelisting is stubbed.
    151. 

  151. func (wl NetStub) Permitted(ip net.IP) bool {
    152. 

  152. 	log.Printf("WARNING: whitelist check for %s but whitelisting is stubbed", ip)
    153. 

  153. 	return true
    154. 

  154. }
    155. 

  155. 

  156. // Add prints a warning message about whitelisting being stubbed.
    157. 

  157. func (wl NetStub) Add(ip *net.IPNet) {
    158. 

  158. 	log.Printf("WARNING: IP network %s added to whitelist but whitelisting is stubbed", ip)
    159. 

  159. }
    160. 

  160. 

  161. // Remove prints a warning message about whitelisting being stubbed.
    162. 

  162. func (wl NetStub) Remove(ip *net.IPNet) {
    163. 

  163. 	log.Printf("WARNING: IP network %s removed from whitelist but whitelisting is stubbed", ip)
    164. 

  164. }
    165. 

  165. 

  166. // NewNetStub returns a new stubbed network whitelister.
    167. 

  167. func NewNetStub() NetStub {
    168. 

  168. 	log.Println("WARNING: whitelisting is being stubbed")
    169. 

  169. 	return NetStub{}
    170. 

  170. }
    171. 

  171.