/
ipallowdotyaml.go
350 lines (308 loc) · 11.9 KB
/
ipallowdotyaml.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
package atscfg
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
import (
"net"
"sort"
"strconv"
"strings"
"github.com/apache/trafficcontrol/lib/go-tc"
"github.com/apache/trafficcontrol/lib/go-util"
)
const IPAllowYamlFileName = `ip_allow.yaml`
const ContentTypeIPAllowDotYAML = ContentTypeYAML
const LineCommentIPAllowDotYAML = LineCommentHash
// const ParamPurgeAllowIP = "purge_allow_ip"
// const ParamCoalesceMaskLenV4 = "coalesce_masklen_v4"
// const ParamCoalesceNumberV4 = "coalesce_number_v4"
// const ParamCoalesceMaskLenV6 = "coalesce_masklen_v6"
// const ParamCoalesceNumberV6 = "coalesce_number_v6"
// const DefaultCoalesceMaskLenV4 = 24
// const DefaultCoalesceNumberV4 = 5
// const DefaultCoalesceMaskLenV6 = 48
// const DefaultCoalesceNumberV6 = 5
// AStatsDotConfigOpts contains settings to configure generation options.
type IPAllowDotYAMLOpts struct {
// HdrComment is the header comment to include at the beginning of the file.
// This should be the text desired, without comment syntax (like # or //). The file's comment syntax will be added.
// To omit the header comment, pass the empty string.
HdrComment string
}
// MakeIPAllowDotYAML creates the ip_allow.yaml ATS 9+ config file.
func MakeIPAllowDotYAML(
serverParams []tc.Parameter,
server *Server,
servers []Server,
cacheGroups []tc.CacheGroupNullable,
topologies []tc.Topology,
opt *IPAllowDotYAMLOpts,
) (Cfg, error) {
if opt == nil {
opt = &IPAllowDotYAMLOpts{}
}
warnings := []string{}
if server.Cachegroup == nil {
return Cfg{}, makeErr(warnings, "this server missing Cachegroup")
}
if server.HostName == nil {
return Cfg{}, makeErr(warnings, "this server missing HostName")
}
params := paramsToMultiMap(filterParams(serverParams, IPAllowConfigFileName, "", "", ""))
ipAllowDat := []ipAllowYAMLData{}
// localhost is trusted.
ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`127.0.0.1`)}, ipAllowDat...)
ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`::1`)}, ipAllowDat...)
// default for coalesce_ipv4 = 24, 5 and for ipv6 48, 5; override with the parameters in the server profile.
coalesceMaskLenV4 := DefaultCoalesceMaskLenV4
coalesceNumberV4 := DefaultCoalesceNumberV4
coalesceMaskLenV6 := DefaultCoalesceMaskLenV6
coalesceNumberV6 := DefaultCoalesceNumberV6
for name, vals := range params {
for _, val := range vals {
switch name {
case ParamPurgeAllowIP:
ipAllowDat = append(ipAllowDat, yamlAllowAll(val))
case ParamCoalesceMaskLenV4:
if vi, err := strconv.Atoi(val); err != nil {
warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!")
} else if coalesceMaskLenV4 != DefaultCoalesceMaskLenV4 {
warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!")
} else {
coalesceMaskLenV4 = vi
}
case ParamCoalesceNumberV4:
if vi, err := strconv.Atoi(val); err != nil {
warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!")
} else if coalesceNumberV4 != DefaultCoalesceNumberV4 {
warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!")
} else {
coalesceNumberV4 = vi
}
case ParamCoalesceMaskLenV6:
if vi, err := strconv.Atoi(val); err != nil {
warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!")
} else if coalesceMaskLenV6 != DefaultCoalesceMaskLenV6 {
warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!")
} else {
coalesceMaskLenV6 = vi
}
case ParamCoalesceNumberV6:
if vi, err := strconv.Atoi(val); err != nil {
warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!")
} else if coalesceNumberV6 != DefaultCoalesceNumberV6 {
warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!")
} else {
coalesceNumberV6 = vi
}
}
}
}
// for edges deny "PUSH|PURGE|DELETE", allow everything else to everyone.
isMid := strings.HasPrefix(server.Type, tc.MidTypePrefix)
if !isMid {
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurgeDelete(`0.0.0.0/0`))
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurgeDelete(`::/0`))
} else {
ips := []*net.IPNet{}
ip6s := []*net.IPNet{}
cgMap := map[string]tc.CacheGroupNullable{}
for _, cg := range cacheGroups {
if cg.Name == nil {
return Cfg{}, makeErr(warnings, "got cachegroup with nil name!")
}
cgMap[*cg.Name] = cg
}
if server.Cachegroup == nil {
return Cfg{}, makeErr(warnings, "server had nil Cachegroup!")
}
serverCG, ok := cgMap[*server.Cachegroup]
if !ok {
return Cfg{}, makeErr(warnings, "server cachegroup not in cachegroups!")
}
childCGNames := getTopologyDirectChildren(tc.CacheGroupName(*server.Cachegroup), topologies)
childCGs := map[string]tc.CacheGroupNullable{}
for cgName, _ := range childCGNames {
childCGs[string(cgName)] = cgMap[string(cgName)]
}
for cgName, cg := range cgMap {
if (cg.ParentName != nil && *cg.ParentName == *serverCG.Name) || (cg.SecondaryParentName != nil && *cg.SecondaryParentName == *serverCG.Name) {
childCGs[cgName] = cg
}
}
// sort servers, to guarantee things like IP coalescing are deterministic
sort.Sort(serversSortByName(servers))
for _, childServer := range servers {
if childServer.Cachegroup == nil {
warnings = append(warnings, "Servers had server with nil Cachegroup, skipping!")
continue
} else if childServer.HostName == nil {
warnings = append(warnings, "Servers had server with nil HostName, skipping!")
continue
}
// We need to add IPs to the allow of
// - all children of this server
// - all monitors, if this server is a Mid
//
_, isChild := childCGs[*childServer.Cachegroup]
if !isChild && !strings.HasPrefix(server.Type, tc.MidTypePrefix) && string(childServer.Type) != tc.MonitorTypeName {
continue
}
for _, svInterface := range childServer.Interfaces {
for _, svAddr := range svInterface.IPAddresses {
if ip := net.ParseIP(svAddr.Address); ip != nil {
// got an IP - convert it to a CIDR and add it to the list
if ip4 := ip.To4(); ip4 != nil {
ips = append(ips, util.IPToCIDR(ip4))
} else {
ip6s = append(ip6s, util.IPToCIDR(ip))
}
} else {
// not an IP, try a CIDR
if ip, cidr, err := net.ParseCIDR(svAddr.Address); err != nil {
// not a CIDR or IP - error out
warnings = append(warnings, "server '"+*server.HostName+"' IP '"+svAddr.Address+" is not an IP address or CIDR - skipping!")
} else if ip == nil {
// not a CIDR or IP - error out
warnings = append(warnings, "server '"+*server.HostName+"' IP '"+svAddr.Address+" failed to parse as IP or CIDR - skipping!")
} else {
// got a valid CIDR - add it to the list
if ip4 := ip.To4(); ip4 != nil {
ips = append(ips, cidr)
} else {
ip6s = append(ip6s, cidr)
}
}
}
}
}
}
cidrs := util.CoalesceCIDRs(ips, coalesceNumberV4, coalesceMaskLenV4)
cidr6s := util.CoalesceCIDRs(ip6s, coalesceNumberV6, coalesceMaskLenV6)
for _, cidr := range cidrs {
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(cidr.String()))
}
for _, cidr := range cidr6s {
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(cidr.String()))
}
// allow RFC 1918 server space - TODO JvD: parameterize
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`10.0.0.0/8`))
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`172.16.0.0/12`))
ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`192.168.0.0/16`))
// order matters, so sort before adding the denys
sort.Sort(ipAllowYAMLDatas(ipAllowDat))
// start with a deny for PUSH and PURGE - TODO CDL: parameterize
// but leave purge open through localhost
// Edges already deny PUSH and PURGE
// start by allowing everything to localhost, including PURGE and PUSH
ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`127.0.0.1`)}, ipAllowDat...)
ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`::1`)}, ipAllowDat...)
// end with a deny
ipAllowDat = append(ipAllowDat, yamlDenyAll(`0.0.0.0/0`))
ipAllowDat = append(ipAllowDat, yamlDenyAll(`::/0`))
}
text := makeHdrComment(opt.HdrComment)
text += `
ip_allow:`
for _, al := range ipAllowDat {
text += `
- apply: in
ip_addrs: ` + al.Src + `
action: ` + al.Action + `
methods:`
for _, method := range al.Methods {
text += `
- ` + method
}
}
text += "\n"
return Cfg{
Text: text,
ContentType: ContentTypeHostingDotConfig,
LineComment: LineCommentHostingDotConfig,
Warnings: warnings,
}, nil
}
type ipAllowYAMLData struct {
Src string
Action string
Methods []string
}
type ipAllowYAMLDatas []ipAllowYAMLData
func (is ipAllowYAMLDatas) Len() int { return len(is) }
func (is ipAllowYAMLDatas) Swap(i, j int) { is[i], is[j] = is[j], is[i] }
func (is ipAllowYAMLDatas) Less(i, j int) bool {
if is[i].Src != is[j].Src {
return is[i].Src < is[j].Src
}
if is[i].Action != is[j].Action {
return is[i].Action < is[j].Action
}
if len(is[i].Methods) < len(is[j].Methods) {
return true
}
for mi := 0; mi < len(is[i].Methods); mi++ {
if is[i].Methods[mi] != is[j].Methods[mi] {
return is[i].Methods[mi] < is[j].Methods[mi]
}
}
return false
}
const YAMLActionAllow = "allow"
const YAMLActionDeny = "deny"
const YAMLMethodAll = "ALL"
// yamlAllowAllButPushPurge is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods except Push and Purge.
func yamlAllowAllButPushPurge(rangeStr string) ipAllowYAMLData {
// Note denying methods implicitly and immediately allows all other methods!
// So Deny PUSH|PURGE will make all other methods
// immediately allowed, regardless of any later deny rules!
methodPushPurge := []string{MethodPush, MethodPurge}
return ipAllowYAMLData{
Src: rangeStr,
Action: YAMLActionDeny,
Methods: methodPushPurge,
}
}
// yamlAllowAllButPushPurgeDelete is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods except PUSH, PURGE, and DELETE.
func yamlAllowAllButPushPurgeDelete(rangeStr string) ipAllowYAMLData {
// Note denying methods implicitly and immediately allows all other methods!
// So Deny PUSH|PURGE will make all other methods
// immediately allowed, regardless of any later deny rules!
methodPushPurgeDelete := []string{MethodPush, MethodPurge, MethodDelete}
return ipAllowYAMLData{
Src: rangeStr,
Action: YAMLActionDeny,
Methods: methodPushPurgeDelete,
}
}
// yamlAllowAll is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods, including Push and Purge.
func yamlAllowAll(rangeStr string) ipAllowYAMLData {
return ipAllowYAMLData{
Src: rangeStr,
Action: YAMLActionAllow,
Methods: []string{YAMLMethodAll},
}
}
// yamlDenyAll is a helper func to build a ipAllowYAMLData for the given range string immediately denying all Methods.
func yamlDenyAll(rangeStr string) ipAllowYAMLData {
return ipAllowYAMLData{
Src: rangeStr,
Action: YAMLActionDeny,
Methods: []string{YAMLMethodAll},
}
}