You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/05/09 05:29:45 UTC
[apisix] branch master updated: feat(ops): handle real_ip_from CIDR format (#6981)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 1b5c1900d feat(ops): handle real_ip_from CIDR format (#6981)
1b5c1900d is described below
commit 1b5c1900da517bb7d34d4b221aace7242345e78a
Author: kwanhur <hu...@163.com>
AuthorDate: Mon May 9 13:29:41 2022 +0800
feat(ops): handle real_ip_from CIDR format (#6981)
Signed-off-by: kwanhur <hu...@163.com>
---
apisix/cli/ip.lua | 66 +++++++++++++++++++++++++++++++++++++++
apisix/cli/ops.lua | 9 +++---
rockspec/apisix-master-0.rockspec | 3 +-
t/cli/test_validate_config.sh | 28 +++++++++++++++--
4 files changed, 99 insertions(+), 7 deletions(-)
diff --git a/apisix/cli/ip.lua b/apisix/cli/ip.lua
new file mode 100644
index 000000000..182b824fe
--- /dev/null
+++ b/apisix/cli/ip.lua
@@ -0,0 +1,66 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+--- IP match and verify module.
+--
+-- @module cli.ip
+
+local mediador_ip = require("resty.mediador.ip")
+local setmetatable = setmetatable
+
+
+local _M = {}
+local mt = { __index = _M }
+
+
+---
+-- create a instance of module cli.ip
+--
+-- @function cli.ip:new
+-- @tparam string ip IP or CIDR.
+-- @treturn instance of module if the given ip valid, nil and error message otherwise.
+function _M.new(self, ip)
+ if not mediador_ip.valid(ip) then
+ return nil, "invalid ip"
+ end
+
+ local _ip = mediador_ip.parse(ip)
+
+ return setmetatable({ _ip = _ip }, mt)
+end
+
+
+---
+-- Is that the given ip loopback?
+--
+-- @function cli.ip:is_loopback
+-- @treturn boolean True if the given ip is the loopback, false otherwise.
+function _M.is_loopback(self)
+ return self._ip and "loopback" == self._ip:range()
+end
+
+---
+-- Is that the given ip unspecified?
+--
+-- @function cli.ip:is_unspecified
+-- @treturn boolean True if the given ip is all the unspecified, false otherwise.
+function _M.is_unspecified(self)
+ return self._ip and "unspecified" == self._ip:range()
+end
+
+
+return _M
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index 9a57cf4a9..ae38a9dd5 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -20,6 +20,7 @@ local util = require("apisix.cli.util")
local file = require("apisix.cli.file")
local schema = require("apisix.cli.schema")
local ngx_tpl = require("apisix.cli.ngx_tpl")
+local cli_ip = require("apisix.cli.ip")
local profile = require("apisix.core.profile")
local template = require("resty.template")
local argparse = require("argparse")
@@ -277,16 +278,16 @@ Please modify "admin_key" in conf/config.yaml .
-- not disabled by the users
if real_ip_from then
for _, ip in ipairs(real_ip_from) do
- -- TODO: handle cidr
- if ip == "127.0.0.1" or ip == "0.0.0.0/0" then
+ local _ip = cli_ip:new(ip)
+ if _ip:is_loopback() or _ip:is_unspecified() then
pass_real_client_ip = true
end
end
end
if not pass_real_client_ip then
- util.die("missing '127.0.0.1' in the nginx_config.http.real_ip_from for plugin " ..
- "batch-requests\n")
+ util.die("missing loopback or unspecified in the nginx_config.http.real_ip_from" ..
+ " for plugin batch-requests\n")
end
end
diff --git a/rockspec/apisix-master-0.rockspec b/rockspec/apisix-master-0.rockspec
index aa67ca736..e75c13e13 100644
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@@ -76,7 +76,8 @@ dependencies = {
"opentelemetry-lua = 0.1-3",
"net-url = 0.9-1",
"xml2lua = 1.5-2",
- "nanoid = 0.1-1"
+ "nanoid = 0.1-1",
+ "lua-resty-mediador = 0.1.2-1"
}
build = {
diff --git a/t/cli/test_validate_config.sh b/t/cli/test_validate_config.sh
index 42cd2be4f..43bfd5293 100755
--- a/t/cli/test_validate_config.sh
+++ b/t/cli/test_validate_config.sh
@@ -161,17 +161,41 @@ fi
echo "passed: apisix test(failure scenario)"
+# apisix plugin batch-requests real_ip_from invalid - failure scenario
echo '
plugins:
- batch-requests
nginx_config:
http:
real_ip_from:
- - "127.0.0.2"
+ - "128.0.0.2"
' > conf/config.yaml
out=$(make init 2>&1 || true)
-if ! echo "$out" | grep "missing '127.0.0.1' in the nginx_config.http.real_ip_from for plugin batch-requests"; then
+if ! echo "$out" | grep "missing loopback or unspecified in the nginx_config.http.real_ip_from for plugin batch-requests"; then
+ echo "failed: should check the realip configuration for batch-requests"
+ exit 1
+fi
+
+echo "passed: apisix plugin batch-requests real_ip_from(failure scenario)"
+
+# apisix plugin batch-requests real_ip_from valid
+echo '
+plugins:
+- batch-requests
+nginx_config:
+ http:
+ real_ip_from:
+ - "127.0.0.1"
+ - "127.0.0.2/8"
+ - "0.0.0.0"
+ - "0.0.0.0/0"
+ - "::"
+ - "::/0"
+' > conf/config.yaml
+
+out=$(make init 2>&1 || true)
+if echo "$out" | grep "missing loopback or unspecified in the nginx_config.http.real_ip_from for plugin batch-requests"; then
echo "failed: should check the realip configuration for batch-requests"
exit 1
fi