fix(authn-network): handles r.RemoteAddr without port

This commit is contained in:
wpetit 2024-05-22 15:13:39 +02:00
parent 572093536a
commit 499bb3696d
2 changed files with 70 additions and 3 deletions


@ -4,6 +4,7 @@ import (
"context" "context"
"net" "net"
"net/http" "net/http"
"strings"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
"forge.cadoles.com/cadoles/bouncer/internal/store" "forge.cadoles.com/cadoles/bouncer/internal/store"
@ -49,10 +50,16 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
} }
func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) { func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) {
remoteHost, _, err := net.SplitHostPort(remoteHostPort) var remoteHost string
if strings.Contains(remoteHostPort, ":") {
var err error
remoteHost, _, err = net.SplitHostPort(remoteHostPort)
if err != nil { if err != nil {
return false, errors.WithStack(err) return false, errors.WithStack(err)
} }
} else {
remoteHost = remoteHostPort
}
remoteAddr := net.ParseIP(remoteHost) remoteAddr := net.ParseIP(remoteHost)
if remoteAddr == nil { if remoteAddr == nil {
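Review bot: The port detection on the `strings.Contains(remoteHostPort, ":")` line treats any colon as a host:port separator, so a bare IPv6 address without a port (a constructed sample such as `2001:db8::1`) is handed to net.SplitHostPort, which rejects it with a "too many colons" error and makes matchAnyAuthorizedCIDRs return an error instead of evaluating the CIDRs. This fails closed, so it denies legitimate IPv6 clients rather than opening a bypass, but it defeats the purpose of the fix for the address family where colons are the norm. Trying net.ParseIP on the whole input first and only falling back to SplitHostPort when that fails handles both forms, including the bracketed `[::1]:port` shape that http.Request.RemoteAddr produces, and makes the new `strings` import unnecessary. matchAnyAuthorizedCIDRs continues past the end of this hunk, so the `remoteAddr == nil` handling is not visible here.
```go
func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) {
	// A bare IP (v4 or v6, no port) parses directly; anything else is expected
	// to be host:port, which is also the bracketed form used for IPv6.
	remoteHost := remoteHostPort
	if net.ParseIP(remoteHostPort) == nil {
		host, _, err := net.SplitHostPort(remoteHostPort)
		if err != nil {
			return false, errors.WithStack(err)
		}
		remoteHost = host
	}
	remoteAddr := net.ParseIP(remoteHost)
	// … unchanged: nil check and CIDR matching …
```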


@ -0,0 +1,60 @@
package network
import (
"context"
"fmt"
"testing"
"github.com/pkg/errors"
)
func TestMatchAuthorizedCIDRs(t *testing.T) {
type testCase struct {
RemoteHostPort string
AuthorizedCIDRs []string
ExpectedResult bool
ExpectedError error
}
testCases := []testCase{
{
RemoteHostPort: "192.168.1.15",
AuthorizedCIDRs: []string{
"192.168.1.0/24",
},
ExpectedResult: true,
},
{
RemoteHostPort: "192.168.1.15:43349",
AuthorizedCIDRs: []string{
"192.168.1.0/24",
},
ExpectedResult: true,
},
{
RemoteHostPort: "192.168.1.15:43349",
AuthorizedCIDRs: []string{
"192.168.1.5/32",
},
ExpectedResult: false,
},
}
auth := Authenticator{}
ctx := context.Background()
for idx, tc := range testCases {
t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
result, err := auth.matchAnyAuthorizedCIDRs(ctx, tc.RemoteHostPort, tc.AuthorizedCIDRs)
if g, e := result, tc.ExpectedResult; e != g {
t.Errorf("result: expected '%v', got '%v'", e, g)
}
if e, g := tc.ExpectedError, err; !errors.Is(err, tc.ExpectedError) {
t.Errorf("err: expected '%v', got '%v'", e, g)
}
})
}
}
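Review bot: The table in TestMatchAuthorizedCIDRs only exercises IPv4 inputs, and ExpectedError is nil in every case, so the `errors.Is(err, tc.ExpectedError)` check never asserts more than "no error". Because this function is the access-control decision for the CIDR authenticator, the inputs most worth pinning are IPv6 with and without a port and an unparseable remote address; none of them are covered, and the bare IPv6 case would presumably hit the SplitHostPort error path under the colon-based port detection added in the other file, which is exactly the regression a test here should catch. A minor style point on the `if e, g := tc.ExpectedError, err; ...` line: `e` and `g` are declared but the condition re-reads tc.ExpectedError and err instead of using them.
```go
		// … unchanged: existing IPv4 cases …
		{
			// constructed IPv6 sample: bare address, no port
			RemoteHostPort: "2001:db8::1",
			AuthorizedCIDRs: []string{
				"2001:db8::/32",
			},
			ExpectedResult: true,
		},
		{
			// constructed IPv6 sample in the bracketed host:port form http.Request.RemoteAddr uses
			RemoteHostPort: "[2001:db8::1]:43349",
			AuthorizedCIDRs: []string{
				"2001:db8::/32",
			},
			ExpectedResult: true,
		},
```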