Posted to commits@trafficcontrol.apache.org by ro...@apache.org on 2020/11/17 23:52:01 UTC
[trafficcontrol] branch master updated: Add PUSH and PURGE denial
to mid tier caches. (#5292)
This is an automated email from the ASF dual-hosted git repository.
rob pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new 97382c9 Add PUSH and PURGE denial to mid tier caches. (#5292)
97382c9 is described below
commit 97382c971d2e98cc4922f331ebb870ffa744895e
Author: alficles <al...@gmail.com>
AuthorDate: Tue Nov 17 16:51:45 2020 -0700
Add PUSH and PURGE denial to mid tier caches. (#5292)
---
lib/go-atscfg/ipallowdotconfig.go | 16 ++++++++++++++++
lib/go-atscfg/ipallowdotconfig_test.go | 20 ++++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index 246fb6c..f3f59ba 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -268,6 +268,22 @@ func MakeIPAllowDotConfig(
// order matters, so sort before adding the denys
sort.Sort(ipAllowDatas(ipAllowDat))
+ // start with a deny for PUSH and PURGE - TODO CDL: parameterize
+ if isMid { // Edges already deny PUSH and PURGE
+ ipAllowData = append([]IPAllowData{
+ {
+ Src: `0.0.0.0-255.255.255.255`,
+ Action: ActionDeny,
+ Method: `PUSH|PURGE`,
+ },
+ {
+ Src: `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
+ Action: ActionDeny,
+ Method: `PUSH|PURGE`,
+ },
+ }, ipAllowData...)
+ }
+
// end with a deny
ipAllowDat = append(ipAllowDat, ipAllowData{
Src: `0.0.0.0-255.255.255.255`,
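Review bot: The identifiers on the added prepend, `ipAllowData = append([]IPAllowData{ ... }, ipAllowData...)`, do not match what the surrounding code operates on — the `sort.Sort` line and the closing "end with a deny" append both work on `ipAllowDat` and build elements as `ipAllowData{...}` literals — so unless a separate `ipAllowData` slice variable is declared outside the hunk, this either fails to compile or prepends the PUSH/PURGE denies to a list that is never rendered into ip_allow.config, leaving mid caches open to content injection via PUSH and cache flushing via PURGE despite the new test. I would write the prepend as `ipAllowDat = append([]ipAllowData{`, keep the two deny entries unchanged, and close it with `}, ipAllowDat...)`. Prepending after the sort is the right position, since the `order matters` comment indicates rules are matched in order and a broad `ip_allow` rule sorted ahead of the denies would otherwise admit these methods. The `TODO CDL: parameterize` and the "Edges already deny PUSH and PURGE" remark are not verifiable from this hunk; a comment naming where the edge-side deny is generated would make the `isMid` guard auditable. MakeIPAllowDotConfig begins and ends outside the hunk.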
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index 9a1c8fa..ed6dc0a 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
@@ -99,6 +99,26 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
lines = lines[1:] // remove comment line
+ /* Test that PUSH and PURGE are denied ere the allowance of anything else. */
+ {
+ ip4deny := false
+ ip6deny := false
+ eachLine:
+ for i, line := range lines {
+ switch {
+ case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+ ip4deny = true
+ case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+ ip6deny = true
+ case strings.Contains(line, `ip_allow`):
+ if !(ip4deny && ip6deny) {
+ t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
+ }
+ break eachLine
+ }
+ }
+ }
+
for _, expected := range expecteds {
if !strings.Contains(txt, expected) {
t.Errorf("expected %+v actual '%v'\n", expected, txt)