Posted to notifications@apisix.apache.org by mo...@apache.org on 2023/03/29 01:56:08 UTC

[apisix] branch master updated: fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (#9146)

This is an automated email from the ASF dual-hosted git repository.

monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 01f049849 fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (#9146)
01f049849 is described below

commit 01f0498498b6cbd90b5d9afc73a34a6931e3c724
Author: dongjunduo <an...@gmail.com>
AuthorDate: Wed Mar 29 09:55:53 2023 +0800

    fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (#9146)
---
 apisix/cli/ops.lua  |  9 +++------
 t/cli/test_admin.sh | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index ef069f815..5ce51dab3 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -185,12 +185,9 @@ local function init(env)
     local checked_admin_key = false
     local allow_admin = yaml_conf.deployment.admin and
         yaml_conf.deployment.admin.allow_admin
-    if yaml_conf.apisix.enable_admin and allow_admin then
-        for _, allow_ip in ipairs(allow_admin) do
-            if allow_ip == "127.0.0.0/24" then
-                checked_admin_key = true
-            end
-        end
+    if yaml_conf.apisix.enable_admin and allow_admin
+       and #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24" then
+        checked_admin_key = true
     end
 
     if yaml_conf.apisix.enable_admin and not checked_admin_key then
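Review bot: The tightened condition at the `and #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24"` line carries no comment saying why only the single-entry form is accepted, and a future maintainer could plausibly reintroduce the per-entry loop this commit removes (which let any list containing the loopback range pass, even alongside `0.0.0.0/0`). Add above the `if`: `-- an empty admin_key is tolerated only when allow_admin is exactly the loopback /24; any extra entry widens who can reach the Admin API, so require the single-entry form`. The comparison is a plain string equality, so other loopback-only spellings (a `/32` entry, for instance) are rejected and fall through to the missing-token error below; that is the fail-closed direction, but stating it in the comment avoids a later "fix" that loosens the check. The rest of `init` lies outside the hunk.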
diff --git a/t/cli/test_admin.sh b/t/cli/test_admin.sh
index 5336244e3..6f39ffae1 100755
--- a/t/cli/test_admin.sh
+++ b/t/cli/test_admin.sh
@@ -154,6 +154,41 @@ fi
 
 echo "pass: missing admin key and show ERROR message"
 
+# missing admin key, only allow 127.0.0.0/24 to access admin api
+
+echo '
+deployment:
+  admin:
+    admin_key: ~
+    allow_admin:
+      - 127.0.0.0/24
+' > conf/config.yaml
+
+make init > output.log 2>&1 | true
+
+if grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
+    echo "failed: should not show 'ERROR: missing valid Admin API token.'"
+    exit 1
+fi
+
+echo '
+deployment:
+  admin:
+    admin_key: ~
+    allow_admin:
+      - 0.0.0.0/0
+      - 127.0.0.0/24
+' > conf/config.yaml
+
+make init > output.log 2>&1 | true
+
+if ! grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
+    echo "failed: should show 'ERROR: missing valid Admin API token.'"
+    exit 1
+fi
+
+echo "pass: missing admin key and only allow 127.0.0.0/24 to access admin api"
+
 # admin api, allow any IP but use default key
 
 echo '
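Review bot: The first new case (the `allow_admin: - 127.0.0.0/24` block) only asserts that the error string is absent from `output.log`, while `make init > output.log 2>&1 | true` discards the exit status, so a `make init` that aborts early for an unrelated reason would still pass this case vacuously. For the case that is expected to succeed, check the status instead: `if ! make init > output.log 2>&1; then echo "failed: make init should succeed with loopback-only allow_admin"; exit 1; fi`. The `| true` form is presumably the file's existing convention and remains appropriate for the second block, where `make init` is expected to exit non-zero and only the message is of interest; I cannot see the earlier cases to confirm.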