devbennett7/goma-gateway
1
0
Fork 0
Code Pull Requests Activity

Merge pull request #153 from jkaninda/develop

Browse Source 
feat: add access policy middleware support cidr block
This commit is contained in:
Jonas Kaninda
2024-12-09 18:36:27 +01:00
committed by GitHub
parent 19942f6046 89a6f3fffd
commit 150ac20c23
10 changed files with 142 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -74,6 +74,9 @@ It's designed to be straightforward and efficient, offering a rich set of featur
- **Authentication Middleware** - **Authentication Middleware**
- Support for **JWT** with client authorization based on request results. - Support for **JWT** with client authorization based on request results.
- **Basic-Auth** and **OAuth** authentication mechanisms. - **Basic-Auth** and **OAuth** authentication mechanisms.
- **Access Policy Middleware**
The Access Policy middleware controls route access by either `allowing` or `denying` requests based on defined rules.
### Monitoring and Performance ### Monitoring and Performance
- **Logging** - **Logging**

3
docs/index.md
View File

@@ -48,6 +48,9 @@ It's designed to be straightforward and efficient, offering a rich set of featur
- **Authentication Middleware** - **Authentication Middleware**
- Support for **JWT** with client authorization based on request results. - Support for **JWT** with client authorization based on request results.
- **Basic-Auth** and **OAuth** authentication mechanisms. - **Basic-Auth** and **OAuth** authentication mechanisms.
- **Access Policy Middleware**
The Access Policy middleware controls route access by either `allowing` or `denying` requests based on defined rules.
### Monitoring and Performance ### Monitoring and Performance
- **Logging** - **Logging**

33
docs/middleware/access-policy.md Normal file
View File

@@ -0,0 +1,33 @@
---
title: Access Policy
layout: default
parent: Middleware
nav_order: 3
---
### Access Policy Middleware
The Access Policy middleware controls route access by either allowing or denying requests based on defined rules.
It supports two actions: `ALLOW` and `DENY`.
### How It Works
1. **Define an action:** Specify whether the middleware should `ALLOW` or `DENY` access.
2. **Set sourceRanges:** Provide a list of IP addresses, IP ranges or a CIDR block to which the policy applies.
Requests originating from these sources will be evaluated according to the specified action.
#### Example Configuration
Heres an example of an Access Policy middleware configuration in YAML:
```yaml
middlewares:
- name: access-policy
type: accessPolicy
rule:
action: DENY # Specify either DENY or ALLOW
sourceRanges:
- 192.168.1.1 # Single IP address
- 10.42.1.1-10.42.1.100 # IP range
- 10.42.1.1/16 # CIDR block
```

2
docs/middleware/basic.md
View File

@@ -2,7 +2,7 @@
title: Basic auth title: Basic auth
layout: default layout: default
parent: Middleware parent: Middleware
nav_order: 3 nav_order: 4
--- ---

2
docs/middleware/jwt.md
View File

@@ -2,7 +2,7 @@
title: JWT Middleware title: JWT Middleware
layout: default layout: default
parent: Middleware parent: Middleware
nav_order: 4 nav_order: 5
--- ---

2
docs/middleware/oauth.md
View File

@@ -2,7 +2,7 @@
title: OAuth auth title: OAuth auth
layout: default layout: default
parent: Middleware parent: Middleware
nav_order: 5 nav_order: 6
--- ---
# OAuth middleware # OAuth middleware

6
docs/middleware/rate-limit.md
View File

@@ -1,8 +1,8 @@
--- ---
title: Rate Limit title: Rate Limiting
layout: default layout: default
parent: Middleware parent: Middleware
nav_order: 6 nav_order: 7
--- ---
@@ -15,7 +15,7 @@ Example of rate limiting middleware
```yaml ```yaml
middlewares: middlewares:
- name: rate-limit - name: rate-limit
type: ratelimit #or rateLimit type: rateLimit #or ratelimit
paths: paths:
- /* - /*
rule: rule:

4
internal/config.go
View File

@@ -307,10 +307,6 @@ func getAccessPoliciesMiddleware(input interface{}) (AccessPolicyRuleMiddleware,
if !validateCIDR(ip) { if !validateCIDR(ip) {
return AccessPolicyRuleMiddleware{}, fmt.Errorf("invalid cidr address") return AccessPolicyRuleMiddleware{}, fmt.Errorf("invalid cidr address")
} }
if validateCIDR(ip) {
return AccessPolicyRuleMiddleware{}, fmt.Errorf("cidr is not yet supported")
}
} }
} }

109
internal/middlewares/access_policy_middleware.go
View File

@@ -21,6 +21,7 @@ import (
"github.com/jkaninda/goma-gateway/pkg/logger" "github.com/jkaninda/goma-gateway/pkg/logger"
"net" "net"
"net/http" "net/http"
"strings"
) )
type AccessPolicy struct { type AccessPolicy struct {
@@ -30,33 +31,103 @@ type AccessPolicy struct {
func (access AccessPolicy) AccessPolicyMiddleware(next http.Handler) http.Handler { func (access AccessPolicy) AccessPolicyMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
iPs := make(map[string]struct{})
for _, ip := range access.SourceRanges {
iPs[ip] = struct{}{}
}
// Get the client's IP address // Get the client's IP address
ip, _, err := net.SplitHostPort(getRealIP(r)) clientIP, _, err := net.SplitHostPort(getRealIP(r))
if err != nil { if err != nil {
logger.Error("Unable to parse IP address") logger.Error("Unable to parse IP address")
RespondWithError(w, http.StatusUnauthorized, "Unable to parse IP address") RespondWithError(w, http.StatusUnauthorized, "Unable to parse IP address")
return return
} }
// Check if the IP is in the blocklist
if access.Action == "DENY" { // Check IP against source ranges
if _, ok := iPs[ip]; ok { isAllowed := access.Action != "DENY"
logger.Error(" %s: IP address in the blocklist, access not allowed", getRealIP(r)) for _, entry := range access.SourceRanges {
RespondWithError(w, http.StatusForbidden, http.StatusText(http.StatusForbidden)) if isIPAllowed(clientIP, entry) {
if isAllowed {
next.ServeHTTP(w, r)
} else {
logger.Error("%s: IP address in the blocklist, access not allowed", clientIP)
RespondWithError(w, http.StatusForbidden, http.StatusText(http.StatusForbidden))
}
return return
} }
} }
// Check if the IP is in the allowlist
if _, ok := iPs[ip]; !ok {
logger.Error("%s: IP address not allowed ", getRealIP(r))
RespondWithError(w, http.StatusForbidden, http.StatusText(http.StatusForbidden))
return
}
// Continue to the next handler if the authentication is successful
next.ServeHTTP(w, r)
})
// Final response for disallowed IPs
if isAllowed {
logger.Error("%s: IP address not allowed", clientIP)
RespondWithError(w, http.StatusForbidden, http.StatusText(http.StatusForbidden))
} else {
next.ServeHTTP(w, r)
}
})
}
// isIPAllowed checks if a client IP matches an entry (range, single IP or CIDR block).
func isIPAllowed(clientIP, entry string) bool {
// Handle IP range
if strings.Contains(entry, "-") {
// Handle IP range
startIP, endIP, err := parseIPRange(entry)
return err == nil && ipInRange(clientIP, startIP, endIP)
}
// Handle CIDR
if strings.Contains(entry, "/") {
return ipInCIDR(clientIP, entry)
}
// Handle single IP
return clientIP == entry
}
// / Parse a range string into start and end IPs
func parseIPRange(rangeStr string) (string, string, error) {
parts := strings.Split(rangeStr, "-")
if len(parts) != 2 {
return "", "", http.ErrAbortHandler
}
startIP := strings.TrimSpace(parts[0])
endIP := strings.TrimSpace(parts[1])
if net.ParseIP(startIP) == nil || net.ParseIP(endIP) == nil {
return "", "", http.ErrAbortHandler
}
return startIP, endIP, nil
}
// Check if an IP is in range
func ipInRange(ipStr, startIP, endIP string) bool {
ip := net.ParseIP(ipStr)
start := net.ParseIP(startIP)
end := net.ParseIP(endIP)
if ip == nil || start == nil || end == nil {
return false
}
ipBytes := ip.To4()
startBytes := start.To4()
endBytes := end.To4()
if ipBytes == nil || startBytes == nil || endBytes == nil {
return false
}
for i := 0; i < 4; i++ {
if ipBytes[i] < startBytes[i] || ipBytes[i] > endBytes[i] {
return false
}
}
return true
}
// Check if an IP is within a CIDR block
func ipInCIDR(ipStr, cidr string) bool {
ip := net.ParseIP(ipStr)
_, ipNet, err := net.ParseCIDR(cidr)
if err != nil {
return false
}
return ipNet.Contains(ip)
} }

13
internal/routes.go
View File

@@ -83,11 +83,12 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
} }
// Routes health check // Routes health check
if !gateway.DisableHealthCheckStatus { if !gateway.DisableHealthCheckStatus {
r.HandleFunc("/health/routes", heath.HealthCheckHandler).Methods("GET") r.HandleFunc("/health/routes", heath.HealthCheckHandler).Methods("GET") // Deprecated
r.HandleFunc("/healthz/routes", heath.HealthCheckHandler).Methods("GET")
} }
// Health check // Health check
r.HandleFunc("/health/live", heath.HealthReadyHandler).Methods("GET") r.HandleFunc("/health/live", heath.HealthReadyHandler).Methods("GET") // Deprecated
r.HandleFunc("/readyz", heath.HealthReadyHandler).Methods("GET") r.HandleFunc("/readyz", heath.HealthReadyHandler).Methods("GET")
r.HandleFunc("/healthz", heath.HealthReadyHandler).Methods("GET") r.HandleFunc("/healthz", heath.HealthReadyHandler).Methods("GET")
// Enable common exploits // Enable common exploits
@@ -249,14 +250,14 @@ func attachMiddlewares(rIndex int, route Route, gateway Gateway, router *mux.Rou
} }
// AccessPolicy // AccessPolicy
if accessPolicy == mid.Type { if accessPolicy == mid.Type {
accessPolicy, err := getAccessPoliciesMiddleware(mid.Rule) a, err := getAccessPoliciesMiddleware(mid.Rule)
if err != nil { if err != nil {
logger.Error("Error: %v, middleware not applied", err.Error()) logger.Error("Error: %v, middleware not applied", err.Error())
} }
if len(accessPolicy.SourceRanges) != 0 { if len(a.SourceRanges) != 0 {
access := middlewares.AccessPolicy{ access := middlewares.AccessPolicy{
SourceRanges: accessPolicy.SourceRanges, SourceRanges: a.SourceRanges,
Action: accessPolicy.Action, Action: a.Action,
} }
router.Use(access.AccessPolicyMiddleware) router.Use(access.AccessPolicyMiddleware)
} }