package forwardproxy
import (
"errors"
"net"
"strings"
)
// ACLRule describes an ACL rule as it appears in configuration.
// Subjects is a list of rule subjects; see newACLRule for the subject
// forms this file can parse. Allow is the verdict a request gets when one
// of the subjects matches it.
type ACLRule struct {
	Subjects []string `json:"subjects,omitempty"`
	Allow    bool     `json:"allow,omitempty"`
}
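// aclDecision is the outcome of testing one ACL rule against a request.
type aclDecision uint8

// The constants are typed so they are aclDecision values rather than
// untyped integers; every tryMatch in this file returns one of them.
// aclDecisionNoMatch means the rule does not apply to the request —
// presumably the caller then moves on to the next rule (the evaluation
// loop is not in this file).
const (
	aclDecisionAllow aclDecision = iota
	aclDecisionDeny
	aclDecisionNoMatch
)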
// aclRule is one compiled ACL entry. tryMatch returns aclDecisionNoMatch
// when the rule does not apply to the given ip/domain pair, otherwise the
// rule's allow or deny verdict. Each implementation in this file consults
// at most one of the two arguments.
type aclRule interface {
	tryMatch(ip net.IP, domain string) aclDecision
}
// aclIPRule matches requests whose destination IP lies within net.
type aclIPRule struct {
	net   net.IPNet // network to test against; a bare IP subject is stored as a /32 or /128
	allow bool      // verdict returned on a match
}
// tryMatch reports the rule's verdict for ip: aclDecisionNoMatch when ip
// lies outside the rule's network (a nil ip never matches), otherwise the
// rule's allow or deny decision. The domain argument is ignored.
func (a *aclIPRule) tryMatch(ip net.IP, domain string) aclDecision {
	switch {
	case !a.net.Contains(ip):
		return aclDecisionNoMatch
	case a.allow:
		return aclDecisionAllow
	default:
		return aclDecisionDeny
	}
}
// aclDomainRule matches requests by destination host name.
type aclDomainRule struct {
	domain            string // the rule's domain, with any "*." prefix already stripped
	subdomainsAllowed bool   // set when the subject was written "*.domain"; subdomains then match too
	allow             bool   // verdict returned on a match
}
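// tryMatch reports whether domain matches the rule. Both sides are
// compared case-insensitively and with leading/trailing dots removed,
// because DNS names are case-insensitive and "example.com." names the
// same host as "example.com"; the previous exact string comparison would
// not have matched a differently-cased or dot-terminated host name against
// its rule, regardless of whether the caller normalizes the name. With
// subdomainsAllowed, "sub.<domain>" matches as well as "<domain>". The ip
// argument is ignored. Returns aclDecisionNoMatch when the name does not
// match, otherwise the rule's allow or deny verdict.
func (a *aclDomainRule) tryMatch(ip net.IP, domain string) aclDecision {
	host := strings.ToLower(strings.Trim(domain, "."))
	rule := strings.ToLower(a.domain)
	matched := host == rule || (a.subdomainsAllowed && strings.HasSuffix(host, "."+rule))
	if !matched {
		return aclDecisionNoMatch
	}
	if a.allow {
		return aclDecisionAllow
	}
	return aclDecisionDeny
}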
// aclAllRule matches every request; it is what the "all" subject compiles to.
type aclAllRule struct {
	allow bool // verdict returned for every request
}
// tryMatch always matches: it returns aclDecisionAllow when the rule
// allows and aclDecisionDeny otherwise. Both arguments are ignored.
func (a *aclAllRule) tryMatch(ip net.IP, domain string) aclDecision {
	var verdict aclDecision = aclDecisionDeny
	if a.allow {
		verdict = aclDecisionAllow
	}
	return verdict
}
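// newACLRule compiles one ACL subject into a rule. The subject is tried, in
// order, as the literal "all", a CIDR network, a bare IPv4/IPv6 address
// (treated as a single-host /32 or /128 network) and finally a domain name,
// where a leading "*." makes the rule cover subdomains as well. allow is
// the verdict the resulting rule returns on a match. Returns an error when
// the subject is none of these forms.
func newACLRule(ruleSubject string, allow bool) (aclRule, error) {
	if ruleSubject == "all" {
		return &aclAllRule{allow: allow}, nil
	}
	if _, ipNet, err := net.ParseCIDR(ruleSubject); err == nil {
		return &aclIPRule{net: *ipNet, allow: allow}, nil
	}
	// A bare address becomes a single-host network. The IPNet is built
	// directly instead of re-parsing subject+"/32" (or "/128") so the mask
	// length is tied to the address family actually stored: an IPv4-mapped
	// IPv6 literal such as "::ffff:a.b.c.d" is 4 bytes after To4() and gets
	// a 32-bit mask, whereas "::ffff:a.b.c.d/32" parses as a /32 of the
	// 128-bit form, i.e. a far larger network than the single host intended.
	if ip := net.ParseIP(ruleSubject); ip != nil {
		if ip4 := ip.To4(); ip4 != nil {
			return &aclIPRule{net: net.IPNet{IP: ip4, Mask: net.CIDRMask(32, 32)}, allow: allow}, nil
		}
		return &aclIPRule{net: net.IPNet{IP: ip, Mask: net.CIDRMask(128, 128)}, allow: allow}, nil
	}
	subdomainsAllowed := false
	if strings.HasPrefix(ruleSubject, `*.`) {
		subdomainsAllowed = true
		ruleSubject = ruleSubject[2:]
	}
	if err := isValidDomainLite(ruleSubject); err != nil {
		return nil, errors.New(ruleSubject + " could not be parsed as either IP, IP network, or domain: " + err.Error())
	}
	return &aclDomainRule{domain: ruleSubject, subdomainsAllowed: subdomainsAllowed, allow: allow}, nil
}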
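// isValidDomainLite is a deliberately loose syntax check for a domain name
// used as an ACL subject. It accepts only ASCII letters, digits, '-', '_'
// and '.', requires every dot-separated label to be 1..63 bytes (so empty
// labels, leading/trailing dots and "a..b" are rejected), and rejects names
// longer than 253 bytes, the maximum length of a textual DNS name. It does
// not enforce label-boundary rules such as a leading or trailing hyphen.
// Returns nil when the name looks valid, otherwise an error naming the
// first problem found.
func isValidDomainLite(domain string) error {
	// Walk runes rather than bytes so a rejected non-ASCII character is
	// reported as itself rather than as the Latin-1 reading of its first byte.
	for _, r := range domain {
		switch {
		case 'a' <= r && r <= 'z', 'A' <= r && r <= 'Z', '0' <= r && r <= '9':
		case r == '-', r == '_', r == '.':
		default:
			return errors.New("character " + string(r) + " is not allowed")
		}
	}
	if len(domain) > 253 {
		return errors.New("domain name is too long")
	}
	for _, label := range strings.Split(domain, ".") {
		if len(label) == 0 {
			return errors.New("empty section between dots in domain name or trailing dot")
		}
		if len(label) > 63 {
			return errors.New("domain name section is too long")
		}
	}
	return nil
}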