Rename whitelist -> allowlist

Financial-Times · Dec 14, 2020 · a336f25 · a336f25
1 parent 92e9bbb
commit a336f25
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 84 deletions.
diff --git a/src/lib/fastly-ip-whitelist-backup.json → src/lib/fastly-ip-allowlist-backup.json b/src/lib/fastly-ip-whitelist-backup.json → src/lib/fastly-ip-allowlist-backup.json
diff --git a/src/lib/ft-ip-whitelist.json → src/lib/ft-ip-allowlist.json b/src/lib/ft-ip-whitelist.json → src/lib/ft-ip-allowlist.json
diff --git a/src/lib/ip-allowlist.js b/src/lib/ip-allowlist.js
@@ -0,0 +1,53 @@
+const logger = require('@financial-times/n-logger').default;
+const metrics = require('next-metrics');
+const fetchres = require('fetchres');
+const ip = require('ip');
+
+const backupFastlyAllowlist = require('./fastly-ip-allowlist-backup.json').addresses;
+const ftAllowlist = require('./ft-ip-allowlist.json');
+
+const fastlyAllowlistUrl = 'https://api.fastly.com/public-ip-list';
+
+function IpAllowlist () {
+	this.fetchedFastlyAllowlist = null;
+	this.poll();
+	setInterval(() => this.poll(), 10000); // every 10 seconds
+};
+
+IpAllowlist.prototype.poll = function () {
+	return fetch(fastlyAllowlistUrl)
+		.then(fetchres.json)
+		.then(resp => {
+			if (Array.isArray(resp.addresses) && resp.addresses.length > 0) {
+				metrics.count('express.ip_allowlist.fetch_success');
+				if (JSON.stringify(this.fetchedFastlyAllowlist) !== JSON.stringify(resp.addresses)) {
+					logger.info({ event: 'IP_ALLOWLIST_UPDATE', oldSize: Array.isArray(this.fetchedFastlyAllowlist) ? this.fetchedFastlyAllowlist.length : 0, newSize: resp.addresses.length });
+					metrics.count('express.ip_allowlist.update');
+					this.fetchedFastlyAllowlist = resp.addresses;
+				}
+			} else {
+				logger.error({ event: 'IP_ALLOWLIST_UNRECOGNISED', response: JSON.stringify(resp) });
+				metrics.count('express.ip_allowlist.unrecognised');
+			}
+		})
+		.catch(err => {
+			logger.error({ event: 'IP_ALLOWLIST_FETCH_FAIL' }, err);
+			metrics.count('express.ip_allowlist.fetch_fail');
+		});
+};
+
+IpAllowlist.prototype.validate = function (ipAddress) {
+	if (ipAddress.match(/^::ffff:/)) {
+		ipAddress = ipAddress.replace(/^::ffff:/, '');
+	}
+	const ranges = [].concat(this.fetchedFastlyAllowlist || backupFastlyAllowlist, ftAllowlist);
+	let i;
+	for (i = 0; i < ranges.length; i++) {
+		if (ip.cidrSubnet(ranges[i]).contains(ipAddress)) {
+			return true;
+		}
+	}
+	return false;
+};
+
+module.exports = IpAllowlist;
diff --git a/src/lib/ip-whitelist.js b/src/lib/ip-whitelist.js
diff --git a/test/lib/ip-whitelist.test.js → test/lib/ip-allowlist.test.js b/test/lib/ip-whitelist.test.js → test/lib/ip-allowlist.test.js
@@ -9,100 +9,100 @@ const fetchMock = require('fetch-mock');
 const info = sinon.stub();
 const error = sinon.stub();
 
-const IpWhitelist = proxyquire('../../src/lib/ip-whitelist', {
+const IpAllowlist = proxyquire('../../src/lib/ip-allowlist', {
 	'@financial-times/n-logger': { default: { info: info, error: error } }
 });
 
-const WHITELISTED_FASTLY_IP_ADDRESS = '104.156.80.5';
-const WHITELISTED_FASTLY_IPV6_ADDRESS = '::ffff:104.156.80.5';
-//const WHITELISTED_FT_IP_ADDRESS = '';
+const ALLOWLISTED_FASTLY_IP_ADDRESS = '104.156.80.5';
+const ALLOWLISTED_FASTLY_IPV6_ADDRESS = '::ffff:104.156.80.5';
+//const ALLOWLISTED_FT_IP_ADDRESS = '';
 
-describe('IP whitelist', () => {
+describe('IP allowlist', () => {
 
 	afterEach(() => {
 		fetchMock.restore();
 		info.reset();
 		error.reset();
 	});
 
-	it('fetches whitelist', (done) => {
+	it('fetches allowlist', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', { addresses: ['123.456.789.0/20'] });
-		new IpWhitelist();
+		new IpAllowlist();
 		setTimeout(() => {
-			expect(info).to.have.been.calledWith({ event: 'IP_WHITELIST_UPDATE', oldSize: 0, newSize: 1 });
+			expect(info).to.have.been.calledWith({ event: 'IP_ALLOWLIST_UPDATE', oldSize: 0, newSize: 1 });
 			done();
 		}, 0);
 	});
 
-	it('fails to fetch whitelist', (done) => {
+	it('fails to fetch allowlist', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', 404);
-		new IpWhitelist();
+		new IpAllowlist();
 		setTimeout(() => {
-			expect(error).to.have.been.calledWith({ event: 'IP_WHITELIST_FETCH_FAIL' }, sinon.match.object);
+			expect(error).to.have.been.calledWith({ event: 'IP_ALLOWLIST_FETCH_FAIL' }, sinon.match.object);
 			done();
 		}, 0);
 	});
 
 	it('fetches an unrecognised response', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', {});
-		new IpWhitelist();
+		new IpAllowlist();
 		setTimeout(() => {
-			expect(error).to.have.been.calledWith({ event: 'IP_WHITELIST_UNRECOGNISED', response: '{}' });
+			expect(error).to.have.been.calledWith({ event: 'IP_ALLOWLIST_UNRECOGNISED', response: '{}' });
 			done();
 		}, 0);
 	});
 
-	it('denies non-whitelisted IP address', (done) => {
+	it('denies non-allowlisted IP address', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', { addresses: ['123.456.789.0/20'] });
-		const ipWhitelist = new IpWhitelist();
+		const ipAllowlist = new IpAllowlist();
 		setTimeout(() => {
-			expect(ipWhitelist.validate('123.456.333.1')).to.equal(false);
+			expect(ipAllowlist.validate('123.456.333.1')).to.equal(false);
 			done();
 		}, 0);
 	});
 
-	it('denies non-whitelisted IP address using backup list', (done) => {
+	it('denies non-allowlisted IP address using backup list', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', 404);
-		const ipWhitelist = new IpWhitelist();
+		const ipAllowlist = new IpAllowlist();
 		setTimeout(() => {
-			expect(ipWhitelist.validate('123.456.333.1')).to.equal(false);
+			expect(ipAllowlist.validate('123.456.333.1')).to.equal(false);
 			done();
 		}, 0);
 	});
 
-	it('allows whitelisted IP address', (done) => {
+	it('allows allowlisted IP address', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', { addresses: ['123.456.789.0/20'] });
-		const ipWhitelist = new IpWhitelist();
+		const ipAllowlist = new IpAllowlist();
 		setTimeout(() => {
-			expect(ipWhitelist.validate('123.456.789.1')).to.equal(true);
+			expect(ipAllowlist.validate('123.456.789.1')).to.equal(true);
 			done();
 		}, 0);
 	});
 
-	it('allows whitelisted Fastly IP address from backup list', (done) => {
+	it('allows allowlisted Fastly IP address from backup list', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', 404);
-		const ipWhitelist = new IpWhitelist();
+		const ipAllowlist = new IpAllowlist();
 		setTimeout(() => {
-			expect(ipWhitelist.validate(WHITELISTED_FASTLY_IP_ADDRESS)).to.equal(true);
+			expect(ipAllowlist.validate(ALLOWLISTED_FASTLY_IP_ADDRESS)).to.equal(true);
 			done();
 		}, 0);
 	});
 
-	it('allows whitelisted Fastly IPv6 address from backup list', (done) => {
+	it('allows allowlisted Fastly IPv6 address from backup list', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', 404);
-		const ipWhitelist = new IpWhitelist();
+		const ipAllowlist = new IpAllowlist();
 		setTimeout(() => {
-			expect(ipWhitelist.validate(WHITELISTED_FASTLY_IPV6_ADDRESS)).to.equal(true);
+			expect(ipAllowlist.validate(ALLOWLISTED_FASTLY_IPV6_ADDRESS)).to.equal(true);
 			done();
 		}, 0);
 	});
 
 /*
-	it('allows whitelisted FT IP address from backup list', (done) => {
+	it('allows allowlisted FT IP address from backup list', (done) => {
 		fetchMock.get('https://api.fastly.com/public-ip-list', 404);
-		const ipWhitelist = new IpWhitelist();
+		const ipAllowlist = new IpAllowlist();
 		setTimeout(() => {
-			expect(ipWhitelist.validate(WHITELISTED_FT_IP_ADDRESS)).to.equal(true);
+			expect(ipAllowlist.validate(ALLOWLISTED_FT_IP_ADDRESS)).to.equal(true);
 			done();
 		}, 0);
 	});