fix(authn-network): handles r.RemoteAddr without port

2024-05-22 15:13:39 +02:00 · 2024-05-22 15:13:39 +02:00 · 499bb3696d
parent 572093536a
commit 499bb3696d
2 changed files with 70 additions and 3 deletions
--- a/internal/proxy/director/layer/authn/network/authenticator.go
+++ b/internal/proxy/director/layer/authn/network/authenticator.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/http"
+	"strings"

 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -49,9 +50,15 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 }

 func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) {
-	remoteHost, _, err := net.SplitHostPort(remoteHostPort)
-	if err != nil {
-		return false, errors.WithStack(err)
+	var remoteHost string
+	if strings.Contains(remoteHostPort, ":") {
+		var err error
+		remoteHost, _, err = net.SplitHostPort(remoteHostPort)
+		if err != nil {
+			return false, errors.WithStack(err)
+		}
+	} else {
+		remoteHost = remoteHostPort
 	}

 	remoteAddr := net.ParseIP(remoteHost)
--- a/internal/proxy/director/layer/authn/network/authenticator_test.go
+++ b/internal/proxy/director/layer/authn/network/authenticator_test.go
@ -0,0 +1,60 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/pkg/errors"
+)
+
+func TestMatchAuthorizedCIDRs(t *testing.T) {
+
+	type testCase struct {
+		RemoteHostPort  string
+		AuthorizedCIDRs []string
+		ExpectedResult  bool
+		ExpectedError   error
+	}
+
+	testCases := []testCase{
+		{
+			RemoteHostPort: "192.168.1.15",
+			AuthorizedCIDRs: []string{
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.0/24",
+			},
+			ExpectedResult: true,
+		},
+		{
+			RemoteHostPort: "192.168.1.15:43349",
+			AuthorizedCIDRs: []string{
+				"192.168.1.5/32",
+			},
+			ExpectedResult: false,
+		},
+	}
+
+	auth := Authenticator{}
+	ctx := context.Background()
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			result, err := auth.matchAnyAuthorizedCIDRs(ctx, tc.RemoteHostPort, tc.AuthorizedCIDRs)
+
+			if g, e := result, tc.ExpectedResult; e != g {
+				t.Errorf("result: expected '%v', got '%v'", e, g)
+			}
+
+			if e, g := tc.ExpectedError, err; !errors.Is(err, tc.ExpectedError) {
+				t.Errorf("err: expected '%v', got '%v'", e, g)
+			}
+		})
+	}
+}