feat: add remote IP filter to allow a connection from remote kms (#692)
* feat: add kms remote IP filter
* fix: side-effect for testing by allowing any connection if remote address is empty
* chore: add some tests
* feat: apply denyAll if empty allow address, and null object pattern for "unix" connection type
* chore: increase test coverage
1 parent
5a8209b
commit 0e64a96
Showing
14 changed files
with
269 additions
and
10 deletions.
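--- /dev/null
+++ b/[file 1 path not shown on page]
@@ -0,0 +1,8 @@
+package internal
+
+import "net"
+
+type ConnectionFilter interface {
+Filter(addr net.Addr) net.Addr
+String() string
+}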
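Review bot: ConnectionFilter and its two methods carry no doc comments, so the contract of Filter — the address comes back unchanged when the peer is admitted and nil when it is rejected — is only discoverable by reading IpFilter in another file, and a future implementation could easily invert it. Suggest `// ConnectionFilter decides whether a remote peer may connect.` on the type, `// Filter returns addr when the peer is admitted and nil when it is rejected.` on Filter, and `// String describes the filter's policy for logging.` on String.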
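--- /dev/null
+++ b/[file 2 path not shown on page]
@@ -0,0 +1,44 @@
+package internal
+
+import (
+"fmt"
+"github.com/Finschia/ostracon/libs/log"
+"net"
+)
+
+type IpFilter struct {
+allowAddr string
+log log.Logger
+}
+
+func NewIpFilter(addr string, l log.Logger) *IpFilter {
+return &IpFilter{
+allowAddr: addr,
+log: l,
+}
+}
+
+func (f *IpFilter) Filter(addr net.Addr) net.Addr {
+if f.isAllowedAddr(addr) {
+return addr
+}
+return nil
+}
+
+func (f *IpFilter) String() string {
+return f.allowAddr
+}
+
+func (f *IpFilter) isAllowedAddr(addr net.Addr) bool {
+if len(f.allowAddr) == 0 {
+return false
+}
+hostAddr, _, err := net.SplitHostPort(addr.String())
+if err != nil {
+if f.log != nil {
+f.log.Error(fmt.Sprintf("IpFilter: can't split host and port from addr.String()=%s", addr.String()))
+}
+return false
+}
+return f.allowAddr == hostAddr
+}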
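Review bot: isAllowedAddr matches the configured address against the peer as raw strings (`return f.allowAddr == hostAddr`), so a different spelling of the same IP — an IPv6 address written with or without zero compression, or an IPv4 peer that a dual-stack listener reports as `::ffff:127.0.0.1` — is denied even though the operator believes that peer is allowed, and a typo in the configured value is only noticed as a silent deny-all. Parsing both sides with net.ParseIP and comparing with IP.Equal makes the decision independent of textual form; validating allowAddr once in NewIpFilter would surface the misconfiguration at startup, but that changes the constructor's signature, so it is left as a follow-up. Filter also calls `addr.String()` with no nil check, so a nil net.Addr panics in the connection path instead of being rejected; the guard below treats nil as deny. The error branch drops `err` itself, which would help diagnose the unexpected address format. Since the allow-list identifies the peer only by source address, it complements rather than replaces transport authentication between the node and the remote KMS.
```go
func (f *IpFilter) isAllowedAddr(addr net.Addr) bool {
	if len(f.allowAddr) == 0 || addr == nil {
		return false
	}
	hostAddr, _, err := net.SplitHostPort(addr.String())
	// … unchanged: if err != nil { log via f.log; return false } …
	want, got := net.ParseIP(f.allowAddr), net.ParseIP(hostAddr)
	// IP.Equal also matches an IPv4 address against its IPv4-mapped IPv6 form.
	return want != nil && got != nil && want.Equal(got)
}
```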
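--- /dev/null
+++ b/[file 3 path not shown on page]
@@ -0,0 +1,91 @@
+package internal
+
+import (
+"github.com/stretchr/testify/assert"
+"net"
+"testing"
+)
+
+type addrStub struct {
+address string
+}
+
+func (a addrStub) Network() string {
+return ""
+}
+
+func (a addrStub) String() string {
+return a.address
+}
+
+func TestFilterRemoteConnectionByIP(t *testing.T) {
+type fields struct {
+allowIP string
+remoteAddr net.Addr
+expected net.Addr
+}
+tests := []struct {
+name string
+fields fields
+}{
+{
+"should allow correct ip",
+struct {
+allowIP string
+remoteAddr net.Addr
+expected net.Addr
+}{"127.0.0.1", addrStub{"127.0.0.1:45678"}, addrStub{"127.0.0.1:45678"}},
+},
+{
+"should not allow different ip",
+struct {
+allowIP string
+remoteAddr net.Addr
+expected net.Addr
+}{"127.0.0.1", addrStub{"10.0.0.2:45678"}, nil},
+},
+{
+"should works for IPv6 with correct ip",
+struct {
+allowIP string
+remoteAddr net.Addr
+expected net.Addr
+}{"2001:db8::1", addrStub{"[2001:db8::1]:80"}, addrStub{"[2001:db8::1]:80"}},
+},
+{
+"should works for IPv6 with incorrect ip",
+struct {
+allowIP string
+remoteAddr net.Addr
+expected net.Addr
+}{"2001:db8::2", addrStub{"[2001:db8::1]:80"}, nil},
+},
+{
+"empty allowIP should deny all",
+struct {
+allowIP string
+remoteAddr net.Addr
+expected net.Addr
+}{"", addrStub{"127.0.0.1:45678"}, nil},
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+cut := NewIpFilter(tt.fields.allowIP, nil)
+assert.Equalf(t, tt.fields.expected, cut.Filter(tt.fields.remoteAddr), tt.name)
+})
+}
+}
+
+func TestIpFilterShouldSetAllowAddress(t *testing.T) {
+expected := "192.168.0.1"
+
+cut := NewIpFilter(expected, nil)
+
+assert.Equal(t, expected, cut.allowAddr)
+}
+
+func TestIpFilterStringShouldReturnsIP(t *testing.T) {
+expected := "127.0.0.1"
+assert.Equal(t, expected, NewIpFilter(expected, nil).String())
+}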
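Review bot: Every table entry spells out the anonymous `struct { allowIP string; remoteAddr net.Addr; expected net.Addr }` literal although the `fields` type declared at the top of TestFilterRemoteConnectionByIP is identical; writing each case as `fields{"127.0.0.1", addrStub{"127.0.0.1:45678"}, addrStub{"127.0.0.1:45678"}}` removes the repetition and keeps the cases readable. The table has no case for the error path of isAllowedAddr — an address without a port such as `addrStub{"127.0.0.1"}` must yield nil — and none for an IPv4 peer reported in IPv4-mapped form (`addrStub{"[::ffff:127.0.0.1]:45678"}` with allowIP `127.0.0.1`), which the current string comparison denies; pinning the intended outcome of that case in the table makes the policy decision explicit rather than accidental. The case names "should works for IPv6 …" read as "should work for IPv6 …".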
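--- /dev/null
+++ b/[file 4 path not shown on page]
@@ -0,0 +1,19 @@
+package internal
+
+import "net"
+
+// NullObject is null object pattern. It does nothing
+type NullObject struct {
+}
+
+func NewNullObject() *NullObject {
+return &NullObject{}
+}
+
+func (n NullObject) Filter(addr net.Addr) net.Addr {
+return addr
+}
+
+func (n NullObject) String() string {
+return "NullObject"
+}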
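Review bot: NullObject is the permissive half of the filter pair — its Filter admits every address unchanged — but the doc comment `// NullObject is null object pattern. It does nothing` does not say so, and nothing ties either NullObject or IpFilter to ConnectionFilter at compile time. Suggest `// NullObject is a ConnectionFilter that admits every address unchanged; per the commit description it is meant for the "unix" connection type, where a remote IP is meaningless.` together with `var _ ConnectionFilter = (*NullObject)(nil)` here and the matching assertion for IpFilter in its own file. The code that selects NullObject versus IpFilter is outside this view; because NullObject switches the check off entirely, that selection should be keyed on the connection type only, never on an empty or unparsable allow address, which the commit description says now denies all.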
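--- /dev/null
+++ b/[file 5 path not shown on page]
@@ -0,0 +1,40 @@
+package internal
+
+import (
+"github.com/stretchr/testify/assert"
+"net"
+"reflect"
+"testing"
+)
+
+func TestNullObject_filter(t *testing.T) {
+stubInput := addrStub{}
+tests := []struct {
+name string
+addr net.Addr
+want net.Addr
+}{
+{
+name: "null object does nothing, returns what it receives",
+addr: stubInput,
+want: stubInput,
+},
+{
+name: "null object does nothing, returns nil it receives nil",
+addr: nil,
+want: nil,
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+n := NewNullObject()
+if got := n.Filter(tt.addr); !reflect.DeepEqual(got, tt.want) {
+t.Errorf("Filter() = %v, want %v", got, tt.want)
+}
+})
+}
+}
+
+func TestNullObjectString(t *testing.T) {
+assert.Equal(t, "NullObject", NewNullObject().String())
+}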