[apisix] branch master updated: fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (#9146)
This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 01f049849 fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (#9146)
01f049849 is described below
commit 01f0498498b6cbd90b5d9afc73a34a6931e3c724
Author: dongjunduo <an...@gmail.com>
AuthorDate: Wed Mar 29 09:55:53 2023 +0800
fix(cli): prevent non-`127.0.0.0/24` to access admin api with empty admin_key (#9146)
---
apisix/cli/ops.lua | 9 +++------
t/cli/test_admin.sh | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index ef069f815..5ce51dab3 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -185,12 +185,9 @@ local function init(env)
local checked_admin_key = false
local allow_admin = yaml_conf.deployment.admin and
yaml_conf.deployment.admin.allow_admin
- if yaml_conf.apisix.enable_admin and allow_admin then
- for _, allow_ip in ipairs(allow_admin) do
- if allow_ip == "127.0.0.0/24" then
- checked_admin_key = true
- end
- end
+ if yaml_conf.apisix.enable_admin and allow_admin
+ and #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24" then
+ checked_admin_key = true
end
if yaml_conf.apisix.enable_admin and not checked_admin_key then
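Review bot: The new condition carries no comment explaining why an empty admin_key is tolerated only for an allow list that is exactly `127.0.0.0/24`, and a future maintainer is likely to "relax" it back to a membership test, which is precisely the hole this commit closes (a list such as `0.0.0.0/0` plus `127.0.0.0/24` previously skipped the token check). I would add above the `if` on the `#allow_admin == 1` line: `-- An empty admin_key is only acceptable when the Admin API is reachable from loopback alone; any additional allow_admin entry would expose it without authentication, so require the list to be exactly {"127.0.0.0/24"}.` Note that the comparison is an exact string match, so tighter loopback spellings such as `127.0.0.1/32` still fail closed with the missing-token error; that is the safe direction, but worth stating in the comment so it is not reported as a bug. The name `checked_admin_key` reads as "the key was checked" when it actually means "the key check may be skipped"; renaming it to something like `admin_key_optional` would make the following `not checked_admin_key` branch self-explanatory. The enclosing `init(env)` starts before this hunk and continues after it.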
diff --git a/t/cli/test_admin.sh b/t/cli/test_admin.sh
index 5336244e3..6f39ffae1 100755
--- a/t/cli/test_admin.sh
+++ b/t/cli/test_admin.sh
@@ -154,6 +154,41 @@ fi
echo "pass: missing admin key and show ERROR message"
+# missing admin key, only allow 127.0.0.0/24 to access admin api
+
+echo '
+deployment:
+ admin:
+ admin_key: ~
+ allow_admin:
+ - 127.0.0.0/24
+' > conf/config.yaml
+
+make init > output.log 2>&1 | true
+
+if grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
+ echo "failed: should not show 'ERROR: missing valid Admin API token.'"
+ exit 1
+fi
+
+echo '
+deployment:
+ admin:
+ admin_key: ~
+ allow_admin:
+ - 0.0.0.0/0
+ - 127.0.0.0/24
+' > conf/config.yaml
+
+make init > output.log 2>&1 | true
+
+if ! grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
+ echo "failed: should show 'ERROR: missing valid Admin API token.'"
+ exit 1
+fi
+
+echo "pass: missing admin key and only allow 127.0.0.0/24 to access admin api"
+
# admin api, allow any IP but use default key
echo '