Posted to commits@trafficcontrol.apache.org by oc...@apache.org on 2020/11/18 17:26:29 UTC
[trafficcontrol] 07/09: Add PUSH and PURGE denial to mid tier
caches. (#5292)
This is an automated email from the ASF dual-hosted git repository.
ocket8888 pushed a commit to branch 5.0.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
commit 71812820de47dcbb471d15232e6c960bf0e5bdc3
Author: alficles <al...@gmail.com>
AuthorDate: Tue Nov 17 16:51:45 2020 -0700
Add PUSH and PURGE denial to mid tier caches. (#5292)
(cherry picked from commit 97382c971d2e98cc4922f331ebb870ffa744895e)
---
lib/go-atscfg/ipallowdotconfig.go | 16 ++++++++++++++++
lib/go-atscfg/ipallowdotconfig_test.go | 20 ++++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index 246fb6c..f3f59ba 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -268,6 +268,22 @@ func MakeIPAllowDotConfig(
// order matters, so sort before adding the denys
sort.Sort(ipAllowDatas(ipAllowDat))
+ // start with a deny for PUSH and PURGE - TODO CDL: parameterize
+ if isMid { // Edges already deny PUSH and PURGE
+ ipAllowData = append([]IPAllowData{
+ {
+ Src: `0.0.0.0-255.255.255.255`,
+ Action: ActionDeny,
+ Method: `PUSH|PURGE`,
+ },
+ {
+ Src: `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
+ Action: ActionDeny,
+ Method: `PUSH|PURGE`,
+ },
+ }, ipAllowData...)
+ }
+
// end with a deny
ipAllowDat = append(ipAllowDat, ipAllowData{
Src: `0.0.0.0-255.255.255.255`,
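Review bot: The prepended PUSH/PURGE denies are appended onto a slice named `ipAllowData` with element type `IPAllowData`, but the surrounding context in this hunk sorts and extends a slice named `ipAllowDat` whose element type is written `ipAllowData{` (the `sort.Sort` line above and the trailing deny below), so unless the 5.0.x file declares both names the cherry-picked block either does not compile or builds a separate slice that never reaches the generated config — which would silently drop the mid-tier deny this commit exists to add. The prepend should target the same slice as the rest of the function: `ipAllowDat = append([]ipAllowData{` and `}, ipAllowDat...)`, with the literal element type matched to whatever the file actually declares. Keeping the deny as a prepend is the right shape here, since the comment above notes that rule order matters and a deny that lands after a broad allow would be shadowed; the test hunk in this commit checks exactly that ordering, so it would catch the dropped deny once the names line up. The `isMid` branch could also note why the prepend is conditional rather than relying on the inline remark, e.g. `// mid caches receive rules from edges only; deny PUSH/PURGE from any source before the sorted allows`. MakeIPAllowDotConfig starts and ends outside this hunk.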
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index 9a1c8fa..ed6dc0a 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
@@ -99,6 +99,26 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
lines = lines[1:] // remove comment line
+ /* Test that PUSH and PURGE are denied ere the allowance of anything else. */
+ {
+ ip4deny := false
+ ip6deny := false
+ eachLine:
+ for i, line := range lines {
+ switch {
+ case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+ ip4deny = true
+ case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+ ip6deny = true
+ case strings.Contains(line, `ip_allow`):
+ if !(ip4deny && ip6deny) {
+ t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
+ }
+ break eachLine
+ }
+ }
+ }
+
for _, expected := range expecteds {
if !strings.Contains(txt, expected) {
t.Errorf("expected %+v actual '%v'\n", expected, txt)