Posted to commits@trafficcontrol.apache.org by oc...@apache.org on 2020/11/18 17:26:29 UTC

[trafficcontrol] 07/09: Add PUSH and PURGE denial to mid tier caches. (#5292)

This is an automated email from the ASF dual-hosted git repository.

ocket8888 pushed a commit to branch 5.0.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git

commit 71812820de47dcbb471d15232e6c960bf0e5bdc3
Author: alficles <al...@gmail.com>
AuthorDate: Tue Nov 17 16:51:45 2020 -0700

    Add PUSH and PURGE denial to mid tier caches. (#5292)
    
    (cherry picked from commit 97382c971d2e98cc4922f331ebb870ffa744895e)
---
 lib/go-atscfg/ipallowdotconfig.go      | 16 ++++++++++++++++
 lib/go-atscfg/ipallowdotconfig_test.go | 20 ++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index 246fb6c..f3f59ba 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -268,6 +268,22 @@ func MakeIPAllowDotConfig(
 		// order matters, so sort before adding the denys
 		sort.Sort(ipAllowDatas(ipAllowDat))
 
+		// start with a deny for PUSH and PURGE - TODO CDL: parameterize
+		if isMid { // Edges already deny PUSH and PURGE
+			ipAllowData = append([]IPAllowData{
+				{
+					Src:    `0.0.0.0-255.255.255.255`,
+					Action: ActionDeny,
+					Method: `PUSH|PURGE`,
+				},
+				{
+					Src:    `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
+					Action: ActionDeny,
+					Method: `PUSH|PURGE`,
+				},
+			}, ipAllowData...)
+		}
+
 		// end with a deny
 		ipAllowDat = append(ipAllowDat, ipAllowData{
 			Src:    `0.0.0.0-255.255.255.255`,
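Review bot: The prepended PUSH/PURGE denies are assigned to `ipAllowData`, but the surrounding context sorts and terminates a slice named `ipAllowDat` (`sort.Sort(ipAllowDatas(ipAllowDat))` above, `ipAllowDat = append(ipAllowDat, ipAllowData{` below) and uses `ipAllowData{` as a composite-literal type on the line right after the insertion, which a same-scope local of that name would shadow. Either this rendering's context lines are stale or the new denies land in a different slice than the one that is emitted, in which case mids would get no PUSH/PURGE deny at all; please confirm against the file, since MakeIPAllowDotConfig's body continues outside the hunk on both sides. Separately, the `// start with a deny for PUSH and PURGE - TODO CDL: parameterize` comment leaves the ordering requirement implicit; given the `// order matters` remark above and the ordering check in the accompanying test, the entries appear to be matched in order, so I would say so: `// deny PUSH and PURGE from every source before any allow entry; the list is matched in order, so a later allow would not override this`.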
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index 9a1c8fa..ed6dc0a 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
@@ -99,6 +99,26 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
 
 	lines = lines[1:] // remove comment line
 
+	/* Test that PUSH and PURGE are denied ere the allowance of anything else. */
+	{
+		ip4deny := false
+		ip6deny := false
+	eachLine:
+		for i, line := range lines {
+			switch {
+			case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+				ip4deny = true
+			case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+				ip6deny = true
+			case strings.Contains(line, `ip_allow`):
+				if !(ip4deny && ip6deny) {
+					t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
+				}
+				break eachLine
+			}
+		}
+	}
+
 	for _, expected := range expecteds {
 		if !strings.Contains(txt, expected) {
 			t.Errorf("expected %+v actual '%v'\n", expected, txt)
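Review bot: The new ordering check is vacuous when `lines` contains no `ip_allow` entry: `ip4deny` and `ip6deny` are only asserted inside the `ip_allow` case, so a config that omits the PUSH/PURGE denies entirely but also has no allow line passes silently. An unconditional check after the loop closes that gap, e.g. `if !(ip4deny && ip6deny) { t.Errorf("expected PUSH/PURGE denies for both IPv4 and IPv6 before any allow; got ip4=%v ip6=%v", ip4deny, ip6deny) }`. Whether the config under test is generated with isMid set, which the production change requires for these denies to be emitted, is determined by setup above the hunk and cannot be confirmed here.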