feat(ip-restriction): Add TCP Support (#10245)

--------- Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> Co-authored-by: Jacob Chambliss <jjchambliss@gmail.com>
Kong · Jul 7, 2023 · c6987b8 · c6987b8 · khcp-gha-bot · Jul 7, 2023
1 parent 35c8e71
commit c6987b8
Show file tree

Hide file tree

Showing 4 changed files with 137 additions and 61 deletions.
diff --git a/kong/plugins/ip-restriction/handler.lua b/kong/plugins/ip-restriction/handler.lua
@@ -3,9 +3,10 @@ local ipmatcher = require "resty.ipmatcher"
 local kong_meta = require "kong.meta"
 
 
-local ngx_var = ngx.var
-local kong = kong
 local error = error
+local kong = kong
+local log = kong.log
+local ngx_var = ngx.var
 
 
 local IPMATCHER_COUNT = 512
@@ -29,6 +30,13 @@ do
 end
 
 
+local function do_exit(status, message)
+    log.warn(message)
+
+    return kong.response.error(status, message)
+end
+
+
 local function match_bin(list, binary_remote_addr)
   local matcher, err
 
@@ -52,31 +60,41 @@ local function match_bin(list, binary_remote_addr)
 end
 
 
-function IpRestrictionHandler:access(conf)
+local function do_restrict(conf)
   local binary_remote_addr = ngx_var.binary_remote_addr
   if not binary_remote_addr then
-    return kong.response.error(403, "Cannot identify the client IP address, unix domain sockets are not supported.")
+    return do_exit(403, "Cannot identify the client IP address, unix domain sockets are not supported.")
   end
 
   local deny = conf.deny
   local allow = conf.allow
   local status = conf.status or 403
-  local message = conf.message or "Your IP address is not allowed"
+  local message = conf.message or string.format("IP address not allowed: %s", ngx_var.remote_addr)
 
   if not isempty(deny) then
     local blocked = match_bin(deny, binary_remote_addr)
     if blocked then
-      return kong.response.error(status, message)
+      return do_exit(status, message)
     end
   end
 
   if not isempty(allow) then
     local allowed = match_bin(allow, binary_remote_addr)
     if not allowed then
-      return kong.response.error(status, message)
+      return do_exit(status, message)
     end
   end
 end
 
 
+function IpRestrictionHandler:access(conf)
+  return do_restrict(conf)
+end
+
+
+function IpRestrictionHandler:preread(conf)
+  return do_restrict(conf)
+end
+
+
 return IpRestrictionHandler
diff --git a/kong/plugins/ip-restriction/schema.lua b/kong/plugins/ip-restriction/schema.lua
@@ -4,7 +4,7 @@ local typedefs = require "kong.db.schema.typedefs"
 return {
   name = "ip-restriction",
   fields = {
-    { protocols = typedefs.protocols_http },
+    { protocols = typedefs.protocols { default = { "http", "https", "tcp", "tls", "grpc", "grpcs" } }, },
     { config = {
         type = "record",
         fields = {

diff --git a/spec/03-plugins/17-ip-restriction/01-schema_spec.lua b/spec/03-plugins/17-ip-restriction/01-schema_spec.lua
@@ -4,24 +4,24 @@ local v = require("spec.helpers").validate_plugin_config_schema
 
 describe("Plugin: ip-restriction (schema)", function()
   it("should accept a valid allow", function()
-    assert(v({ allow = { "127.0.0.1", "127.0.0.2" } }, schema_def))
+    assert(v({ allow = { "127.0.0.1/32", "127.0.0.2/32" } }, schema_def))
   end)
   it("should accept a valid allow and status/message", function()
-    assert(v({ allow = { "127.0.0.1", "127.0.0.2" }, status = 403, message = "Forbidden" }, schema_def))
+    assert(v({ allow = { "127.0.0.1/32", "127.0.0.2/32" }, status = 403, message = "Forbidden" }, schema_def))
   end)
   it("should accept a valid cidr range", function()
     assert(v({ allow = { "127.0.0.1/8" } }, schema_def))
   end)
   it("should accept a valid deny", function()
-    assert(v({ deny = { "127.0.0.1", "127.0.0.2" } }, schema_def))
+    assert(v({ deny = { "127.0.0.1/32", "127.0.0.2/32" } }, schema_def))
   end)
   it("should accept both non-empty allow and deny", function()
     local schema = {
       deny = {
-        "127.0.0.2"
+        "127.0.0.2/32"
       },
       allow = {
-        "127.0.0.1"
+        "127.0.0.1/32"
       },
     }
     assert(v(schema, schema_def))
@@ -40,7 +40,7 @@ describe("Plugin: ip-restriction (schema)", function()
         allow = { "invalid ip or cidr range: 'hello'" }
       }, err.config)
 
-      ok, err = v({ allow = { "127.0.0.1", "127.0.0.2", "hello" } }, schema_def)
+      ok, err = v({ allow = { "127.0.0.1/32", "127.0.0.2/32", "hello" } }, schema_def)
       assert.falsy(ok)
       assert.same({
         allow = { [3] = "invalid ip or cidr range: 'hello'" }
@@ -58,7 +58,7 @@ describe("Plugin: ip-restriction (schema)", function()
         deny = { "invalid ip or cidr range: 'hello'" }
       }, err.config)
 
-      ok, err = v({ deny = { "127.0.0.1", "127.0.0.2", "hello" } }, schema_def)
+      ok, err = v({ deny = { "127.0.0.1/32", "127.0.0.2/32", "hello" } }, schema_def)
       assert.falsy(ok)
       assert.same({
         deny = { [3] = "invalid ip or cidr range: 'hello'" }