Posted to commits@trafficcontrol.apache.org by ra...@apache.org on 2022/03/31 18:30:23 UTC

[trafficcontrol] branch master updated: Change t3c ip_allow to omit within rules (#6692)

This is an automated email from the ASF dual-hosted git repository.

rawlin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new caf7c66  Change t3c ip_allow to omit within rules (#6692)
caf7c66 is described below

commit caf7c66a51520fab45e07797389381755e118e8d
Author: Robert O Butts <ro...@users.noreply.github.com>
AuthorDate: Thu Mar 31 12:30:07 2022 -0600

    Change t3c ip_allow to omit within rules (#6692)
---
 lib/go-atscfg/ipallowdotconfig.go      | 162 ++++++++++++++-------------------
 lib/go-atscfg/ipallowdotconfig_test.go |  34 ++-----
 lib/go-atscfg/ipallowdotyaml.go        | 160 ++++++++++++++------------------
 lib/go-atscfg/ipallowdotyaml_test.go   |  56 ++++--------
 4 files changed, 160 insertions(+), 252 deletions(-)

diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index ab45f6e..5a419a8 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -78,21 +78,6 @@ func MakeIPAllowDotConfig(
 	params := paramsToMultiMap(filterParams(serverParams, IPAllowConfigFileName, "", "", ""))
 
 	ipAllowDat := []ipAllowData{}
-	const ActionAllow = "ip_allow"
-	const ActionDeny = "ip_deny"
-	const MethodAll = "ALL"
-
-	// localhost is trusted.
-	ipAllowDat = append(ipAllowDat, ipAllowData{
-		Src:    `127.0.0.1`,
-		Action: ActionAllow,
-		Method: MethodAll,
-	})
-	ipAllowDat = append(ipAllowDat, ipAllowData{
-		Src:    `::1`,
-		Action: ActionAllow,
-		Method: MethodAll,
-	})
 
 	// default for coalesce_ipv4 = 24, 5 and for ipv6 48, 5; override with the parameters in the server profile.
 	coalesceMaskLenV4 := DefaultCoalesceMaskLenV4
@@ -103,12 +88,8 @@ func MakeIPAllowDotConfig(
 	for name, vals := range params {
 		for _, val := range vals {
 			switch name {
-			case "purge_allow_ip":
-				ipAllowDat = append(ipAllowDat, ipAllowData{
-					Src:    val,
-					Action: ActionAllow,
-					Method: MethodAll,
-				})
+			case ParamPurgeAllowIP:
+				ipAllowDat = append(ipAllowDat, allowAll(val))
 			case ParamCoalesceMaskLenV4:
 				if vi, err := strconv.Atoi(val); err != nil {
 					warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!")
@@ -148,16 +129,10 @@ func MakeIPAllowDotConfig(
 	// for edges deny "PUSH|PURGE|DELETE", allow everything else to everyone.
 	isMid := strings.HasPrefix(server.Type, tc.MidTypePrefix)
 	if !isMid {
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `0.0.0.0-255.255.255.255`,
-			Action: ActionDeny,
-			Method: `PUSH|PURGE|DELETE`,
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
-			Action: ActionDeny,
-			Method: `PUSH|PURGE|DELETE`,
-		})
+		ipAllowDat = append([]ipAllowData{allowAll(`127.0.0.1`)}, ipAllowDat...)
+		ipAllowDat = append([]ipAllowData{allowAll(`::1`)}, ipAllowDat...)
+		ipAllowDat = append(ipAllowDat, allowAllButPushPurgeDelete(`0.0.0.0-255.255.255.255`))
+		ipAllowDat = append(ipAllowDat, allowAllButPushPurgeDelete(`::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`))
 	} else {
 
 		ips := []*net.IPNet{}
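Review bot: The two localhost prepends at L83-L84 are repeated verbatim in the Mid branch of the same function (the `allowAll` pair added after the sort), and because each is a separate prepend the generated order is `::1` first and `127.0.0.1` second in both branches. Since both branches finish by putting the same two rules at the front, they can be hoisted to one statement after the if/else, e.g. `ipAllowDat = append([]ipAllowData{allowAll("127.0.0.1"), allowAll("::1")}, ipAllowDat...)`, which keeps localhost ahead of every other rule and removes the duplication. The edge branch is complete in this hunk; the Mid branch continues in the next one.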
@@ -209,7 +184,7 @@ func MakeIPAllowDotConfig(
 			// - all monitors, if this server is a Mid
 			//
 			_, isChild := childCGs[*childServer.Cachegroup]
-			if !isChild && (!strings.HasPrefix(server.Type, tc.MidTypePrefix) || (string(childServer.Type) != tc.MonitorTypeName)) {
+			if !isChild && !strings.HasPrefix(server.Type, tc.MidTypePrefix) && string(childServer.Type) != tc.MonitorTypeName {
 				continue
 			}
 
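Review bot: The rewritten condition at L95 is not equivalent to the one it replaces and no longer matches the comment above it ("all monitors, if this server is a Mid"): the old form skipped a non-child unless the server is a Mid and the child is a Monitor, whereas the new form skips a non-child only when the server is not a Mid and the child is not a Monitor. For a Mid server the `!strings.HasPrefix(server.Type, tc.MidTypePrefix)` term is always false, so `continue` never fires and, apart from whatever filtering the loop does outside this hunk, every server in the input list ends up in the allow list regardless of cachegroup; that widening is not mentioned in the commit and looks like a De Morgan slip rather than an intended change. If the intent was only to simplify, `if !isChild && !(isMid && string(childServer.Type) == tc.MonitorTypeName) {` preserves the original meaning using the `isMid` local already declared in this function. The same change appears in ipallowdotyaml.go at L383; the enclosing loop starts and ends outside both hunks.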
@@ -247,78 +222,27 @@ func MakeIPAllowDotConfig(
 		cidr6s := util.CoalesceCIDRs(ip6s, coalesceNumberV6, coalesceMaskLenV6)
 
 		for _, cidr := range cidrs {
-			ipAllowDat = append(ipAllowDat, ipAllowData{
-				Src:    util.RangeStr(cidr),
-				Action: ActionAllow,
-				Method: MethodAll,
-			})
+			ipAllowDat = append(ipAllowDat, allowAllButPushPurge(util.RangeStr(cidr)))
 		}
 		for _, cidr := range cidr6s {
-			ipAllowDat = append(ipAllowDat, ipAllowData{
-				Src:    util.RangeStr(cidr),
-				Action: ActionAllow,
-				Method: MethodAll,
-			})
+			ipAllowDat = append(ipAllowDat, allowAllButPushPurge(util.RangeStr(cidr)))
 		}
 
 		// allow RFC 1918 server space - TODO JvD: parameterize
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `10.0.0.0-10.255.255.255`,
-			Action: ActionAllow,
-			Method: MethodAll,
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `172.16.0.0-172.31.255.255`,
-			Action: ActionAllow,
-			Method: MethodAll,
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `192.168.0.0-192.168.255.255`,
-			Action: ActionAllow,
-			Method: MethodAll,
-		})
+		ipAllowDat = append(ipAllowDat, allowAllButPushPurge(`10.0.0.0-10.255.255.255`))
+		ipAllowDat = append(ipAllowDat, allowAllButPushPurge(`172.16.0.0-172.31.255.255`))
+		ipAllowDat = append(ipAllowDat, allowAllButPushPurge(`192.168.0.0-192.168.255.255`))
 
 		// order matters, so sort before adding the denys
 		sort.Sort(ipAllowDatas(ipAllowDat))
 
-		// start with a deny for PUSH and PURGE - TODO CDL: parameterize
-		// but leave purge open through localhost
-		if isMid { // Edges already deny PUSH and PURGE
-			ipAllowDat = append([]ipAllowData{
-				{
-					Src:    `127.0.0.1`,
-					Action: ActionAllow,
-					Method: `PURGE`,
-				},
-				{
-					Src:    `::1`,
-					Action: ActionAllow,
-					Method: `PURGE`,
-				},
-				{
-					Src:    `0.0.0.0-255.255.255.255`,
-					Action: ActionDeny,
-					Method: `PUSH|PURGE`,
-				},
-				{
-					Src:    `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
-					Action: ActionDeny,
-					Method: `PUSH|PURGE`,
-				},
-			}, ipAllowDat...)
-		}
+		// start by allowing everything to localhost, including PURGE and PUSH
+		ipAllowDat = append([]ipAllowData{allowAll(`127.0.0.1`)}, ipAllowDat...)
+		ipAllowDat = append([]ipAllowData{allowAll(`::1`)}, ipAllowDat...)
 
 		// end with a deny
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `0.0.0.0-255.255.255.255`,
-			Action: ActionDeny,
-			Method: MethodAll,
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowData{
-			Src:    `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
-			Action: ActionDeny,
-			Method: MethodAll,
-		})
+		ipAllowDat = append(ipAllowDat, denyAll(`0.0.0.0-255.255.255.255`))
+		ipAllowDat = append(ipAllowDat, denyAll(`::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`))
 	}
 
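Review bot: The comment `// order matters, so sort before adding the denys` at L139 is now stale: after the sort the code prepends the localhost allows and appends the final `denyAll` pair, while the per-range PUSH|PURGE denies built by `allowAllButPushPurge` sit inside the sorted set. The `purge_allow_ip` entries (`allowAll`, appended earlier in the function) are sorted together with the child and RFC 1918 ranges, and the helper comment in this commit states that a deny of specific methods immediately allows every other method for that source, so if `ipAllowDatas.Less` (outside the hunk) can place a broader range ahead of an overlapping `purge_allow_ip` host, the intended PUSH/PURGE grant for that host would never be reached. Suggest rewording the comment to `// order matters: sort the per-range rules, then bracket them with localhost allows first and deny-all last` and adding a test case with a purge_allow_ip host that lies inside a child CIDR.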
 	text := makeHdrComment(opt.HdrComment)
@@ -371,3 +295,55 @@ func (ss serversSortByName) Less(i, j int) bool {
 	}
 	return *ss[i].HostName < *ss[j].HostName
 }
+
+const ActionAllow = "ip_allow"
+const ActionDeny = "ip_deny"
+const MethodAll = "ALL"
+const MethodPush = "PUSH"
+const MethodPurge = "PURGE"
+const MethodDelete = "DELETE"
+const MethodSeparator = `|`
+
+// allowAllButPushPurge is a helper func to build a ipAllowData for the given range string immediately allowing all Methods except Push and Purge.
+func allowAllButPushPurge(rangeStr string) ipAllowData {
+	// Note denying methods implicitly and immediately allows all other methods!
+	// So Deny PUSH|PURGE will make all other methods
+	// immediately allowed, regardless of any later deny rules!
+	methodPushPurge := strings.Join([]string{MethodPush, MethodPurge}, MethodSeparator)
+	return ipAllowData{
+		Src:    rangeStr,
+		Action: ActionDeny,
+		Method: methodPushPurge,
+	}
+}
+
+// allowAllButPushPurgeDelete is a helper func to build a ipAllowData for the given range string immediately allowing all Methods except PUSH, PURGE, and DELETE.
+func allowAllButPushPurgeDelete(rangeStr string) ipAllowData {
+	// Note denying methods implicitly and immediately allows all other methods!
+	// So Deny PUSH|PURGE will make all other methods
+	// immediately allowed, regardless of any later deny rules!
+	methodPushPurgeDelete := strings.Join([]string{MethodPush, MethodPurge, MethodDelete}, MethodSeparator)
+	return ipAllowData{
+		Src:    rangeStr,
+		Action: ActionDeny,
+		Method: methodPushPurgeDelete,
+	}
+}
+
+// allowAll is a helper func to build a ipAllowData for the given range string immediately allowing all Methods, including Push and Purge.
+func allowAll(rangeStr string) ipAllowData {
+	return ipAllowData{
+		Src:    rangeStr,
+		Action: ActionAllow,
+		Method: MethodAll,
+	}
+}
+
+// denyAll is a helper func to build a ipAllowData for the given range string immediately denying all Methods.
+func denyAll(rangeStr string) ipAllowData {
+	return ipAllowData{
+		Src:    rangeStr,
+		Action: ActionDeny,
+		Method: MethodAll,
+	}
+}
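Review bot: The body comment in `allowAllButPushPurgeDelete` (L216-L218) is copied from `allowAllButPushPurge` and still says `So Deny PUSH|PURGE will make all other methods immediately allowed`, although this helper denies PUSH|PURGE|DELETE; it should read `So Deny PUSH|PURGE|DELETE will make all other methods immediately allowed`. The newly exported constants `ActionAllow`, `ActionDeny`, `MethodAll`, `MethodPush`, `MethodPurge`, `MethodDelete` and `MethodSeparator` (L193-L199) are now package API but have no doc comments; each should get one starting with its name, e.g. `// ActionDeny is the ip_allow.config action that refuses the listed methods for a source.`, and grouping them in a single `const (...)` block would match the usual style. The same copy-pasted comment and undocumented constants appear in ipallowdotyaml.go at L483-L485 and L502-L504.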
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index eaf5e0d..a3428a6 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
@@ -103,20 +103,11 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
 
 	/* Test that PUSH and PURGE are denied ere the allowance of anything else. */
 	{
-		ip4deny := false
-		ip6deny := false
-	eachLine:
 		for i, line := range lines {
-			switch {
-			case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
-				ip4deny = true
-			case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
-				ip6deny = true
-			case strings.Contains(line, `ip_allow`) && !(strings.Contains(line, `127.0.0.1`) || strings.Contains(line, `::1`)):
-				if !(ip4deny && ip6deny) {
-					t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
-				}
-				break eachLine
+			if strings.Contains(line, "ALL") && strings.Contains(line, "ip_allow") && !(strings.Contains(line, `src_ip=::1`) ||
+				strings.Contains(line, `src_ip=127.0`) ||
+				strings.Contains(line, `src_ip=192.168.2.99`)) {
+				t.Errorf("Expected the only lines allowing ALL (i.e. PUSH and PURGE) to be localhost and purge_allow_ip, actual: line %v '%v'", i, line)
 			}
 		}
 	}
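Review bot: The replacement assertion at L266-L269 only checks that no line outside localhost and the purge_allow_ip host allows `ALL`; it no longer verifies that every other `ip_allow` line is a PUSH/PURGE deny, so an explicit `ip_allow` of `PUSH` or `PURGE` for a child range would pass unnoticed, and `src_ip=127.0` also matches any 127.0.x.x source rather than loopback only. A complementary branch closes that gap: `} else if strings.Contains(line, "ip_allow") && (strings.Contains(line, "PUSH") || strings.Contains(line, "PURGE")) {` followed by `t.Errorf("unexpected explicit allow of PUSH/PURGE on line %v '%v'", i, line)`. The same applies to the Topologies test at L291-L294; both test functions continue outside their hunks.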
@@ -393,20 +384,11 @@ func TestMakeIPAllowDotConfigTopologies(t *testing.T) {
 
 	/* Test that PUSH and PURGE are denied ere the allowance of anything else. */
 	{
-		ip4deny := false
-		ip6deny := false
-	eachLine:
 		for i, line := range lines {
-			switch {
-			case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
-				ip4deny = true
-			case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
-				ip6deny = true
-			case strings.Contains(line, `ip_allow`) && !(strings.Contains(line, `127.0.0.1`) || strings.Contains(line, `::1`)):
-				if !(ip4deny && ip6deny) {
-					t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
-				}
-				break eachLine
+			if strings.Contains(line, "ALL") && strings.Contains(line, "ip_allow") && !(strings.Contains(line, `src_ip=::1`) ||
+				strings.Contains(line, `src_ip=127.0`) ||
+				strings.Contains(line, `src_ip=192.168.2.99`)) {
+				t.Errorf("Expected the only lines allowing ALL (i.e. PUSH and PURGE) to be localhost and purge_allow_ip, actual: line %v '%v'", i, line)
 			}
 		}
 	}
diff --git a/lib/go-atscfg/ipallowdotyaml.go b/lib/go-atscfg/ipallowdotyaml.go
index 0bcd0ea..0b19ca3 100644
--- a/lib/go-atscfg/ipallowdotyaml.go
+++ b/lib/go-atscfg/ipallowdotyaml.go
@@ -21,7 +21,6 @@ package atscfg
 
 import (
 	"net"
-	"net/http"
 	"sort"
 	"strconv"
 	"strings"
@@ -45,9 +44,6 @@ const LineCommentIPAllowDotYAML = LineCommentHash
 // const DefaultCoalesceMaskLenV6 = 48
 // const DefaultCoalesceNumberV6 = 5
 
-const MethodPush = `PUSH`
-const MethodPurge = `PURGE`
-
 // AStatsDotConfigOpts contains settings to configure generation options.
 type IPAllowDotYAMLOpts struct {
 	// HdrComment is the header comment to include at the beginning of the file.
@@ -80,21 +76,10 @@ func MakeIPAllowDotYAML(
 	params := paramsToMultiMap(filterParams(serverParams, IPAllowConfigFileName, "", "", ""))
 
 	ipAllowDat := []ipAllowYAMLData{}
-	const ActionAllow = "allow"
-	const ActionDeny = "deny"
-	const MethodAll = "ALL"
 
 	// localhost is trusted.
-	ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-		Src:     `127.0.0.1`,
-		Action:  ActionAllow,
-		Methods: []string{MethodAll},
-	})
-	ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-		Src:     `::1`,
-		Action:  ActionAllow,
-		Methods: []string{MethodAll},
-	})
+	ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`127.0.0.1`)}, ipAllowDat...)
+	ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`::1`)}, ipAllowDat...)
 
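Review bot: The localhost allows are still added at the top of `MakeIPAllowDotYAML` (L339-L340), but the Mid branch later in the function prepends the same two `yamlAllowAll` rules again after the sort (L459-L460), so ip_allow.yaml for a Mid carries `127.0.0.1` and `::1` twice, with the first copies sorted somewhere into the middle of the list; the .config generator removed its top-level pair in this same commit. Prepending onto a slice that is still empty is also just a literal, `ipAllowDat := []ipAllowYAMLData{yamlAllowAll("::1"), yamlAllowAll("127.0.0.1")}`. Suggest dropping L339-L340 and prepending localhost inside the edge branch as ipallowdotconfig.go does, so the two generators produce the same rule order. The function continues outside the hunk.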
 	// default for coalesce_ipv4 = 24, 5 and for ipv6 48, 5; override with the parameters in the server profile.
 	coalesceMaskLenV4 := DefaultCoalesceMaskLenV4
@@ -105,12 +90,8 @@ func MakeIPAllowDotYAML(
 	for name, vals := range params {
 		for _, val := range vals {
 			switch name {
-			case "purge_allow_ip":
-				ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-					Src:     val,
-					Action:  ActionAllow,
-					Methods: []string{MethodAll},
-				})
+			case ParamPurgeAllowIP:
+				ipAllowDat = append(ipAllowDat, yamlAllowAll(val))
 			case ParamCoalesceMaskLenV4:
 				if vi, err := strconv.Atoi(val); err != nil {
 					warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!")
@@ -150,16 +131,8 @@ func MakeIPAllowDotYAML(
 	// for edges deny "PUSH|PURGE|DELETE", allow everything else to everyone.
 	isMid := strings.HasPrefix(server.Type, tc.MidTypePrefix)
 	if !isMid {
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `0.0.0.0/0`,
-			Action:  ActionDeny,
-			Methods: []string{MethodPush, MethodPurge, http.MethodDelete},
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `::/0`,
-			Action:  ActionDeny,
-			Methods: []string{MethodPush, MethodPurge, http.MethodDelete},
-		})
+		ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurgeDelete(`0.0.0.0/0`))
+		ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurgeDelete(`::/0`))
 	} else {
 
 		ips := []*net.IPNet{}
@@ -211,7 +184,7 @@ func MakeIPAllowDotYAML(
 			// - all monitors, if this server is a Mid
 			//
 			_, isChild := childCGs[*childServer.Cachegroup]
-			if !isChild && (!strings.HasPrefix(server.Type, tc.MidTypePrefix) || (string(childServer.Type) != tc.MonitorTypeName)) {
+			if !isChild && !strings.HasPrefix(server.Type, tc.MidTypePrefix) && string(childServer.Type) != tc.MonitorTypeName {
 				continue
 			}
 
@@ -249,78 +222,31 @@ func MakeIPAllowDotYAML(
 		cidr6s := util.CoalesceCIDRs(ip6s, coalesceNumberV6, coalesceMaskLenV6)
 
 		for _, cidr := range cidrs {
-			ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-				Src:     cidr.String(),
-				Action:  ActionAllow,
-				Methods: []string{MethodAll},
-			})
+			ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(cidr.String()))
 		}
 		for _, cidr := range cidr6s {
-			ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-				Src:     cidr.String(),
-				Action:  ActionAllow,
-				Methods: []string{MethodAll},
-			})
+			ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(cidr.String()))
 		}
 
 		// allow RFC 1918 server space - TODO JvD: parameterize
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `10.0.0.0/8`,
-			Action:  ActionAllow,
-			Methods: []string{MethodAll},
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `172.16.0.0/12`,
-			Action:  ActionAllow,
-			Methods: []string{MethodAll},
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `192.168.0.0/16`,
-			Action:  ActionAllow,
-			Methods: []string{MethodAll},
-		})
+		ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`10.0.0.0/8`))
+		ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`172.16.0.0/12`))
+		ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`192.168.0.0/16`))
 
 		// order matters, so sort before adding the denys
 		sort.Sort(ipAllowYAMLDatas(ipAllowDat))
 
 		// start with a deny for PUSH and PURGE - TODO CDL: parameterize
 		// but leave purge open through localhost
-		if isMid { // Edges already deny PUSH and PURGE
-			ipAllowDat = append([]ipAllowYAMLData{
-				{
-					Src:     `127.0.0.1`,
-					Action:  ActionAllow,
-					Methods: []string{MethodPurge},
-				},
-				{
-					Src:     `::1`,
-					Action:  ActionAllow,
-					Methods: []string{MethodPurge},
-				},
-				{
-					Src:     `0.0.0.0/0`,
-					Action:  ActionDeny,
-					Methods: []string{MethodPush, MethodPurge},
-				},
-				{
-					Src:     `::/0`,
-					Action:  ActionDeny,
-					Methods: []string{MethodPush, MethodPurge},
-				},
-			}, ipAllowDat...)
-		}
+		// Edges already deny PUSH and PURGE
+
+		// start by allowing everything to localhost, including PURGE and PUSH
+		ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`127.0.0.1`)}, ipAllowDat...)
+		ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`::1`)}, ipAllowDat...)
 
 		// end with a deny
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `0.0.0.0/0`,
-			Action:  ActionDeny,
-			Methods: []string{MethodAll},
-		})
-		ipAllowDat = append(ipAllowDat, ipAllowYAMLData{
-			Src:     `::/0`,
-			Action:  ActionDeny,
-			Methods: []string{MethodAll},
-		})
+		ipAllowDat = append(ipAllowDat, yamlDenyAll(`0.0.0.0/0`))
+		ipAllowDat = append(ipAllowDat, yamlDenyAll(`::/0`))
 	}
 
 	text := makeHdrComment(opt.HdrComment)
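Review bot: The comments at L430-L431 (`// start with a deny for PUSH and PURGE - TODO CDL: parameterize` / `// but leave purge open through localhost`) and the orphaned `// Edges already deny PUSH and PURGE` at L456 describe the global deny block this hunk removes; nothing below them now denies anything until the final `yamlDenyAll` pair. They should be deleted, leaving the `// start by allowing everything to localhost, including PURGE and PUSH` line at L458 that already matches the .config version. The enclosing function continues outside the hunk.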
@@ -374,3 +300,51 @@ func (is ipAllowYAMLDatas) Less(i, j int) bool {
 	}
 	return false
 }
+
+const YAMLActionAllow = "allow"
+const YAMLActionDeny = "deny"
+const YAMLMethodAll = "ALL"
+
+// yamlAllowAllButPushPurge is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods except Push and Purge.
+func yamlAllowAllButPushPurge(rangeStr string) ipAllowYAMLData {
+	// Note denying methods implicitly and immediately allows all other methods!
+	// So Deny PUSH|PURGE will make all other methods
+	// immediately allowed, regardless of any later deny rules!
+	methodPushPurge := []string{MethodPush, MethodPurge}
+	return ipAllowYAMLData{
+		Src:     rangeStr,
+		Action:  YAMLActionDeny,
+		Methods: methodPushPurge,
+	}
+}
+
+// yamlAllowAllButPushPurgeDelete is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods except PUSH, PURGE, and DELETE.
+func yamlAllowAllButPushPurgeDelete(rangeStr string) ipAllowYAMLData {
+	// Note denying methods implicitly and immediately allows all other methods!
+	// So Deny PUSH|PURGE will make all other methods
+	// immediately allowed, regardless of any later deny rules!
+	methodPushPurgeDelete := []string{MethodPush, MethodPurge, MethodDelete}
+	return ipAllowYAMLData{
+		Src:     rangeStr,
+		Action:  YAMLActionDeny,
+		Methods: methodPushPurgeDelete,
+	}
+}
+
+// yamlAllowAll is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods, including Push and Purge.
+func yamlAllowAll(rangeStr string) ipAllowYAMLData {
+	return ipAllowYAMLData{
+		Src:     rangeStr,
+		Action:  YAMLActionAllow,
+		Methods: []string{YAMLMethodAll},
+	}
+}
+
+// yamlDenyAll is a helper func to build a ipAllowYAMLData for the given range string immediately denying all Methods.
+func yamlDenyAll(rangeStr string) ipAllowYAMLData {
+	return ipAllowYAMLData{
+		Src:     rangeStr,
+		Action:  YAMLActionDeny,
+		Methods: []string{YAMLMethodAll},
+	}
+}
diff --git a/lib/go-atscfg/ipallowdotyaml_test.go b/lib/go-atscfg/ipallowdotyaml_test.go
index 3cbdbe0..42a3094 100644
--- a/lib/go-atscfg/ipallowdotyaml_test.go
+++ b/lib/go-atscfg/ipallowdotyaml_test.go
@@ -101,29 +101,18 @@ func TestMakeIPAllowDotYAML(t *testing.T) {
 
 	lines = lines[1:] // remove comment line
 
+	groups := strings.Split(txt, `apply: in`)
+
 	/* Test that PUSH and PURGE are denied ere the allowance of anything else. */
 	{
-		ip4deny := false
-		ip6deny := false
-	eachLine:
-		for i, line := range lines {
-			if strings.Contains(line, `0.0.0.0/0`) && strings.Contains(lines[i+1], `deny`) && strings.Contains(lines[i+3], `PUSH`) && strings.Contains(lines[i+4], `PURGE`) {
-				ip4deny = true
-				continue
-			}
-
-			if strings.Contains(line, `::/0`) && strings.Contains(lines[i+1], `deny`) && strings.Contains(lines[i+3], `PUSH`) && strings.Contains(lines[i+4], `PURGE`) {
-				ip6deny = true
-				continue
+		for _, group := range groups {
+			if strings.Contains(group, "ALL") &&
+				strings.Contains(group, "ip_allow") &&
+				!(strings.Contains(group, `ip_addrs: ::1`) ||
+					strings.Contains(group, `ip_addrs: 127.0`) ||
+					strings.Contains(group, `ip_addrs: 192.168.2.99`)) {
+				t.Fatalf("Expected the only rules allowing ALL (i.e. PUSH and PURGE) to be localhost and purge_allow_ip, actual: rule '%v'", group)
 			}
-
-			if strings.Contains(line, `: allow`) && !(strings.Contains(lines[i-1], `127.0.0.1`) || strings.Contains(lines[i-1], `::1`)) {
-				if !(ip4deny && ip6deny) {
-					t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d: '%v' v4 %v v6 %v text %v", i+1, line, ip4deny, ip6deny, txt)
-				}
-				break eachLine
-			}
-
 		}
 	}
 
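Review bot: The new condition at L555-L556 requires each `apply: in` group to contain both `ALL` and `ip_allow`, but the YAML generator emits its action as `allow` (this commit defines `YAMLActionAllow = "allow"`), not the .config token `ip_allow`; unless the serialized YAML contains that literal somewhere I cannot see, the `if` can never be true and the check is vacuous. The removed test at least matched `: allow` (L563). Suggest keying on the YAML field instead, e.g. `strings.Contains(group, "action: allow")` — the exact key name depends on how ipAllowYAMLData is serialized, which is outside the hunk, so confirm against the generated text. The same applies to the Topologies test at L594-L596.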
@@ -397,29 +386,16 @@ func TestMakeIPAllowDotYAMLTopologies(t *testing.T) {
 
 	lines = lines[1:] // remove comment line
 
+	groups := strings.Split(txt, `apply: in`)
+
 	/* Test that PUSH and PURGE are denied ere the allowance of anything else. */
 	{
-		ip4deny := false
-		ip6deny := false
-	eachLine:
-		for i, line := range lines {
-			if strings.Contains(line, `0.0.0.0/0`) && strings.Contains(lines[i+1], `deny`) && strings.Contains(lines[i+3], `PUSH`) && strings.Contains(lines[i+4], `PURGE`) {
-				ip4deny = true
-				continue
-			}
-
-			if strings.Contains(line, `::/0`) && strings.Contains(lines[i+1], `deny`) && strings.Contains(lines[i+3], `PUSH`) && strings.Contains(lines[i+4], `PURGE`) {
-				ip6deny = true
-				continue
+		for _, group := range groups {
+			if strings.Contains(group, "ALL") && strings.Contains(group, "ip_allow") && !(strings.Contains(group, `ip_addrs: ::1`) ||
+				strings.Contains(group, `ip_addrs: 127.0`) ||
+				strings.Contains(group, `ip_addrs: 192.168.2.99`)) {
+				t.Fatalf("Expected the only rules allowing ALL (i.e. PUSH and PURGE) to be localhost and purge_allow_ip, actual: rule '%v'", group)
 			}
-
-			if strings.Contains(line, `: allow`) && !(strings.Contains(lines[i-1], `127.0.0.1`) || strings.Contains(lines[i-1], `::1`)) {
-				if !(ip4deny && ip6deny) {
-					t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d: '%v' v4 %v v6 %v text %v", i+1, line, ip4deny, ip6deny, txt)
-				}
-				break eachLine
-			}
-
 		}
 	}