feat: allow bypassing of basic auth from a list of authorized cidrs (#50)
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
This commit is contained in:
42
internal/cidr/match.go
Normal file
42
internal/cidr/match.go
Normal file
@ -0,0 +1,42 @@
|
||||
package cidr
|
||||
|
||||
import (
|
||||
"net"
|
||||
"strings"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func MatchAny(hostPort string, CIDRs ...string) (bool, error) {
|
||||
var remoteHost string
|
||||
if strings.Contains(hostPort, ":") {
|
||||
var err error
|
||||
remoteHost, _, err = net.SplitHostPort(hostPort)
|
||||
if err != nil {
|
||||
return false, errors.WithStack(err)
|
||||
}
|
||||
} else {
|
||||
remoteHost = hostPort
|
||||
}
|
||||
|
||||
remoteAddr := net.ParseIP(remoteHost)
|
||||
if remoteAddr == nil {
|
||||
return false, errors.Errorf("remote host '%s' is not a valid ip address", remoteHost)
|
||||
}
|
||||
|
||||
for _, rawCIDR := range CIDRs {
|
||||
_, net, err := net.ParseCIDR(rawCIDR)
|
||||
if err != nil {
|
||||
return false, errors.WithStack(err)
|
||||
}
|
||||
|
||||
match := net.Contains(remoteAddr)
|
||||
if !match {
|
||||
continue
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
return false, nil
|
||||
}
|
||||
77
internal/cidr/match_test.go
Normal file
77
internal/cidr/match_test.go
Normal file
@ -0,0 +1,77 @@
|
||||
package cidr
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func TestMatchAny(t *testing.T) {
|
||||
type testCase struct {
|
||||
RemoteHostPort string
|
||||
AuthorizedCIDRs []string
|
||||
ExpectedResult bool
|
||||
ExpectedError error
|
||||
}
|
||||
|
||||
testCases := []testCase{
|
||||
{
|
||||
RemoteHostPort: "192.168.1.15",
|
||||
AuthorizedCIDRs: []string{
|
||||
"192.168.1.0/24",
|
||||
},
|
||||
ExpectedResult: true,
|
||||
},
|
||||
{
|
||||
RemoteHostPort: "192.168.1.15:43349",
|
||||
AuthorizedCIDRs: []string{
|
||||
"192.168.1.0/24",
|
||||
},
|
||||
ExpectedResult: true,
|
||||
},
|
||||
{
|
||||
RemoteHostPort: "192.168.1.15:43349",
|
||||
AuthorizedCIDRs: []string{
|
||||
"192.168.1.5/32",
|
||||
},
|
||||
ExpectedResult: false,
|
||||
},
|
||||
{
|
||||
RemoteHostPort: "192.168.1.15:43349",
|
||||
AuthorizedCIDRs: []string{
|
||||
"192.168.1.5/32",
|
||||
"192.168.1.0/24",
|
||||
},
|
||||
ExpectedResult: true,
|
||||
},
|
||||
{
|
||||
RemoteHostPort: "192.168.1.15:43349",
|
||||
AuthorizedCIDRs: []string{
|
||||
"192.168.1.5/32",
|
||||
"192.168.1.6/32",
|
||||
"192.168.1.7/32",
|
||||
},
|
||||
ExpectedResult: false,
|
||||
},
|
||||
{
|
||||
RemoteHostPort: "[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8001",
|
||||
AuthorizedCIDRs: []string{"2000::/3"},
|
||||
ExpectedResult: true,
|
||||
},
|
||||
}
|
||||
|
||||
for idx, tc := range testCases {
|
||||
t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
|
||||
result, err := MatchAny(tc.RemoteHostPort, tc.AuthorizedCIDRs...)
|
||||
|
||||
if g, e := result, tc.ExpectedResult; e != g {
|
||||
t.Errorf("result: expected '%v', got '%v'", e, g)
|
||||
}
|
||||
|
||||
if e, g := tc.ExpectedError, err; !errors.Is(err, tc.ExpectedError) {
|
||||
t.Errorf("err: expected '%v', got '%v'", e, g)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user