| package atscfg |
| |
| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| |
| import ( |
| "net" |
| "sort" |
| "strconv" |
| "strings" |
| |
| "github.com/apache/trafficcontrol/lib/go-tc" |
| "github.com/apache/trafficcontrol/lib/go-util" |
| ) |
| |
| const IPAllowYamlFileName = `ip_allow.yaml` |
| const ContentTypeIPAllowDotYAML = ContentTypeYAML |
| const LineCommentIPAllowDotYAML = LineCommentHash |
| |
| // const ParamPurgeAllowIP = "purge_allow_ip" |
| // const ParamCoalesceMaskLenV4 = "coalesce_masklen_v4" |
| // const ParamCoalesceNumberV4 = "coalesce_number_v4" |
| // const ParamCoalesceMaskLenV6 = "coalesce_masklen_v6" |
| // const ParamCoalesceNumberV6 = "coalesce_number_v6" |
| |
| // const DefaultCoalesceMaskLenV4 = 24 |
| // const DefaultCoalesceNumberV4 = 5 |
| // const DefaultCoalesceMaskLenV6 = 48 |
| // const DefaultCoalesceNumberV6 = 5 |
| |
| // AStatsDotConfigOpts contains settings to configure generation options. |
| type IPAllowDotYAMLOpts struct { |
| // HdrComment is the header comment to include at the beginning of the file. |
| // This should be the text desired, without comment syntax (like # or //). The file's comment syntax will be added. |
| // To omit the header comment, pass the empty string. |
| HdrComment string |
| } |
| |
| // MakeIPAllowDotYAML creates the ip_allow.yaml ATS 9+ config file. |
| func MakeIPAllowDotYAML( |
| serverParams []tc.Parameter, |
| server *Server, |
| servers []Server, |
| cacheGroups []tc.CacheGroupNullable, |
| topologies []tc.Topology, |
| opt *IPAllowDotYAMLOpts, |
| ) (Cfg, error) { |
| if opt == nil { |
| opt = &IPAllowDotYAMLOpts{} |
| } |
| warnings := []string{} |
| |
| if server.Cachegroup == nil { |
| return Cfg{}, makeErr(warnings, "this server missing Cachegroup") |
| } |
| if server.HostName == nil { |
| return Cfg{}, makeErr(warnings, "this server missing HostName") |
| } |
| |
| params := paramsToMultiMap(filterParams(serverParams, IPAllowConfigFileName, "", "", "")) |
| |
| ipAllowDat := []ipAllowYAMLData{} |
| |
| // localhost is trusted. |
| ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`127.0.0.1`)}, ipAllowDat...) |
| ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`::1`)}, ipAllowDat...) |
| |
| // default for coalesce_ipv4 = 24, 5 and for ipv6 48, 5; override with the parameters in the server profile. |
| coalesceMaskLenV4 := DefaultCoalesceMaskLenV4 |
| coalesceNumberV4 := DefaultCoalesceNumberV4 |
| coalesceMaskLenV6 := DefaultCoalesceMaskLenV6 |
| coalesceNumberV6 := DefaultCoalesceNumberV6 |
| |
| for name, vals := range params { |
| for _, val := range vals { |
| switch name { |
| case ParamPurgeAllowIP: |
| ipAllowDat = append(ipAllowDat, yamlAllowAll(val)) |
| case ParamCoalesceMaskLenV4: |
| if vi, err := strconv.Atoi(val); err != nil { |
| warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!") |
| } else if coalesceMaskLenV4 != DefaultCoalesceMaskLenV4 { |
| warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!") |
| } else { |
| coalesceMaskLenV4 = vi |
| } |
| case ParamCoalesceNumberV4: |
| if vi, err := strconv.Atoi(val); err != nil { |
| warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!") |
| } else if coalesceNumberV4 != DefaultCoalesceNumberV4 { |
| warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!") |
| } else { |
| coalesceNumberV4 = vi |
| } |
| case ParamCoalesceMaskLenV6: |
| if vi, err := strconv.Atoi(val); err != nil { |
| warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!") |
| } else if coalesceMaskLenV6 != DefaultCoalesceMaskLenV6 { |
| warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!") |
| } else { |
| coalesceMaskLenV6 = vi |
| } |
| case ParamCoalesceNumberV6: |
| if vi, err := strconv.Atoi(val); err != nil { |
| warnings = append(warnings, "got param '"+name+"' val '"+val+"' not a number, ignoring!") |
| } else if coalesceNumberV6 != DefaultCoalesceNumberV6 { |
| warnings = append(warnings, "got multiple param '"+name+"' - ignoring val '"+val+"'!") |
| } else { |
| coalesceNumberV6 = vi |
| } |
| } |
| } |
| } |
| |
| // for edges deny "PUSH|PURGE|DELETE", allow everything else to everyone. |
| isMid := strings.HasPrefix(server.Type, tc.MidTypePrefix) |
| if !isMid { |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurgeDelete(`0.0.0.0/0`)) |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurgeDelete(`::/0`)) |
| } else { |
| |
| ips := []*net.IPNet{} |
| ip6s := []*net.IPNet{} |
| |
| cgMap := map[string]tc.CacheGroupNullable{} |
| for _, cg := range cacheGroups { |
| if cg.Name == nil { |
| return Cfg{}, makeErr(warnings, "got cachegroup with nil name!") |
| } |
| cgMap[*cg.Name] = cg |
| } |
| |
| if server.Cachegroup == nil { |
| return Cfg{}, makeErr(warnings, "server had nil Cachegroup!") |
| } |
| |
| serverCG, ok := cgMap[*server.Cachegroup] |
| if !ok { |
| return Cfg{}, makeErr(warnings, "server cachegroup not in cachegroups!") |
| } |
| |
| childCGNames := getTopologyDirectChildren(tc.CacheGroupName(*server.Cachegroup), topologies) |
| |
| childCGs := map[string]tc.CacheGroupNullable{} |
| for cgName, _ := range childCGNames { |
| childCGs[string(cgName)] = cgMap[string(cgName)] |
| } |
| |
| for cgName, cg := range cgMap { |
| if (cg.ParentName != nil && *cg.ParentName == *serverCG.Name) || (cg.SecondaryParentName != nil && *cg.SecondaryParentName == *serverCG.Name) { |
| childCGs[cgName] = cg |
| } |
| } |
| |
| // sort servers, to guarantee things like IP coalescing are deterministic |
| sort.Sort(serversSortByName(servers)) |
| for _, childServer := range servers { |
| if childServer.Cachegroup == nil { |
| warnings = append(warnings, "Servers had server with nil Cachegroup, skipping!") |
| continue |
| } else if childServer.HostName == nil { |
| warnings = append(warnings, "Servers had server with nil HostName, skipping!") |
| continue |
| } |
| |
| // We need to add IPs to the allow of |
| // - all children of this server |
| // - all monitors, if this server is a Mid |
| // |
| _, isChild := childCGs[*childServer.Cachegroup] |
| if !isChild && !strings.HasPrefix(server.Type, tc.MidTypePrefix) && string(childServer.Type) != tc.MonitorTypeName { |
| continue |
| } |
| |
| for _, svInterface := range childServer.Interfaces { |
| for _, svAddr := range svInterface.IPAddresses { |
| if ip := net.ParseIP(svAddr.Address); ip != nil { |
| // got an IP - convert it to a CIDR and add it to the list |
| if ip4 := ip.To4(); ip4 != nil { |
| ips = append(ips, util.IPToCIDR(ip4)) |
| } else { |
| ip6s = append(ip6s, util.IPToCIDR(ip)) |
| } |
| } else { |
| // not an IP, try a CIDR |
| if ip, cidr, err := net.ParseCIDR(svAddr.Address); err != nil { |
| // not a CIDR or IP - error out |
| warnings = append(warnings, "server '"+*server.HostName+"' IP '"+svAddr.Address+" is not an IP address or CIDR - skipping!") |
| } else if ip == nil { |
| // not a CIDR or IP - error out |
| warnings = append(warnings, "server '"+*server.HostName+"' IP '"+svAddr.Address+" failed to parse as IP or CIDR - skipping!") |
| } else { |
| // got a valid CIDR - add it to the list |
| if ip4 := ip.To4(); ip4 != nil { |
| ips = append(ips, cidr) |
| } else { |
| ip6s = append(ip6s, cidr) |
| } |
| } |
| } |
| } |
| } |
| } |
| |
| cidrs := util.CoalesceCIDRs(ips, coalesceNumberV4, coalesceMaskLenV4) |
| cidr6s := util.CoalesceCIDRs(ip6s, coalesceNumberV6, coalesceMaskLenV6) |
| |
| for _, cidr := range cidrs { |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(cidr.String())) |
| } |
| for _, cidr := range cidr6s { |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(cidr.String())) |
| } |
| |
| // allow RFC 1918 server space - TODO JvD: parameterize |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`10.0.0.0/8`)) |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`172.16.0.0/12`)) |
| ipAllowDat = append(ipAllowDat, yamlAllowAllButPushPurge(`192.168.0.0/16`)) |
| |
| // order matters, so sort before adding the denys |
| sort.Sort(ipAllowYAMLDatas(ipAllowDat)) |
| |
| // start with a deny for PUSH and PURGE - TODO CDL: parameterize |
| // but leave purge open through localhost |
| // Edges already deny PUSH and PURGE |
| |
| // start by allowing everything to localhost, including PURGE and PUSH |
| ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`127.0.0.1`)}, ipAllowDat...) |
| ipAllowDat = append([]ipAllowYAMLData{yamlAllowAll(`::1`)}, ipAllowDat...) |
| |
| // end with a deny |
| ipAllowDat = append(ipAllowDat, yamlDenyAll(`0.0.0.0/0`)) |
| ipAllowDat = append(ipAllowDat, yamlDenyAll(`::/0`)) |
| } |
| |
| text := makeHdrComment(opt.HdrComment) |
| text += ` |
| ip_allow:` |
| for _, al := range ipAllowDat { |
| text += ` |
| - apply: in |
| ip_addrs: ` + al.Src + ` |
| action: ` + al.Action + ` |
| methods:` |
| for _, method := range al.Methods { |
| text += ` |
| - ` + method |
| } |
| } |
| text += "\n" |
| |
| return Cfg{ |
| Text: text, |
| ContentType: ContentTypeHostingDotConfig, |
| LineComment: LineCommentHostingDotConfig, |
| Warnings: warnings, |
| }, nil |
| } |
| |
| type ipAllowYAMLData struct { |
| Src string |
| Action string |
| Methods []string |
| } |
| |
| type ipAllowYAMLDatas []ipAllowYAMLData |
| |
| func (is ipAllowYAMLDatas) Len() int { return len(is) } |
| func (is ipAllowYAMLDatas) Swap(i, j int) { is[i], is[j] = is[j], is[i] } |
| func (is ipAllowYAMLDatas) Less(i, j int) bool { |
| if is[i].Src != is[j].Src { |
| return is[i].Src < is[j].Src |
| } |
| if is[i].Action != is[j].Action { |
| return is[i].Action < is[j].Action |
| } |
| if len(is[i].Methods) < len(is[j].Methods) { |
| return true |
| } |
| for mi := 0; mi < len(is[i].Methods); mi++ { |
| if is[i].Methods[mi] != is[j].Methods[mi] { |
| return is[i].Methods[mi] < is[j].Methods[mi] |
| } |
| } |
| return false |
| } |
| |
| const YAMLActionAllow = "allow" |
| const YAMLActionDeny = "deny" |
| const YAMLMethodAll = "ALL" |
| |
| // yamlAllowAllButPushPurge is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods except Push and Purge. |
| func yamlAllowAllButPushPurge(rangeStr string) ipAllowYAMLData { |
| // Note denying methods implicitly and immediately allows all other methods! |
| // So Deny PUSH|PURGE will make all other methods |
| // immediately allowed, regardless of any later deny rules! |
| methodPushPurge := []string{MethodPush, MethodPurge} |
| return ipAllowYAMLData{ |
| Src: rangeStr, |
| Action: YAMLActionDeny, |
| Methods: methodPushPurge, |
| } |
| } |
| |
| // yamlAllowAllButPushPurgeDelete is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods except PUSH, PURGE, and DELETE. |
| func yamlAllowAllButPushPurgeDelete(rangeStr string) ipAllowYAMLData { |
| // Note denying methods implicitly and immediately allows all other methods! |
| // So Deny PUSH|PURGE will make all other methods |
| // immediately allowed, regardless of any later deny rules! |
| methodPushPurgeDelete := []string{MethodPush, MethodPurge, MethodDelete} |
| return ipAllowYAMLData{ |
| Src: rangeStr, |
| Action: YAMLActionDeny, |
| Methods: methodPushPurgeDelete, |
| } |
| } |
| |
| // yamlAllowAll is a helper func to build a ipAllowYAMLData for the given range string immediately allowing all Methods, including Push and Purge. |
| func yamlAllowAll(rangeStr string) ipAllowYAMLData { |
| return ipAllowYAMLData{ |
| Src: rangeStr, |
| Action: YAMLActionAllow, |
| Methods: []string{YAMLMethodAll}, |
| } |
| } |
| |
| // yamlDenyAll is a helper func to build a ipAllowYAMLData for the given range string immediately denying all Methods. |
| func yamlDenyAll(rangeStr string) ipAllowYAMLData { |
| return ipAllowYAMLData{ |
| Src: rangeStr, |
| Action: YAMLActionDeny, |
| Methods: []string{YAMLMethodAll}, |
| } |
| } |