Skip to content

Commit

Permalink
Fixes a bug in the invalidation event of the IP Restriction plugin
Browse files Browse the repository at this point in the history
  • Loading branch information
subnetmarco committed Feb 6, 2016
1 parent b3e3db8 commit dd835cd
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 1 deletion.
2 changes: 1 addition & 1 deletion kong/cli/services/serf.lua
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ fi
echo $PAYLOAD > /tmp/payload
COMMAND='require("kong.tools.http_client").post("http://]]..self._configuration.admin_api_listen..[[/cluster/events/", ]].."[['${PAYLOAD}']]"..[[, {["content-type"] = "application/json"})'
COMMAND='require("kong.tools.http_client").post("http://]]..self._configuration.admin_api_listen..[[/cluster/events/", ]].."[=['${PAYLOAD}']=]"..[[, {["content-type"] = "application/json"})'
echo $COMMAND | ]]..luajit_path..[[
]]
Expand Down
4 changes: 4 additions & 0 deletions kong/plugins/ip-restriction/handler.lua
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@ function IpRestrictionHandler:access(conf)
local block = false
local remote_addr = ngx.var.remote_addr

if not remote_addr then
return responses.send_HTTP_FORBIDDEN("Cannot identify the client IP address, unix domain sockets are not supported.")
end

if conf._blacklist_cache and #conf._blacklist_cache > 0 then
block = iputils.ip_in_cidrs(remote_addr, conf._blacklist_cache)
end
Expand Down
3 changes: 3 additions & 0 deletions kong/plugins/ip-restriction/schema.lua
Original file line number Diff line number Diff line change
Expand Up @@ -36,5 +36,8 @@ return {
end

return true
end,
marshall_event = function(self, t)
return {} -- We don't need any value in the cache event
end
}
30 changes: 30 additions & 0 deletions spec/plugins/ip-restriction/access_spec.lua
Original file line number Diff line number Diff line change
@@ -1,8 +1,10 @@
local spec_helper = require "spec.spec_helpers"
local http_client = require "kong.tools.http_client"
local cache = require "kong.tools.database_cache"
local cjson = require "cjson"

local STUB_GET_URL = spec_helper.STUB_GET_URL
local API_URL = spec_helper.API_URL

describe("IP Restriction", function()
setup(function()
Expand Down Expand Up @@ -31,6 +33,7 @@ describe("IP Restriction", function()
teardown(function()
spec_helper.stop_kong()
end)

it("should block request when IP is in blacklist", function()
local response, status = http_client.get(STUB_GET_URL, {}, {host = "test1.com"})
local body = cjson.decode(response)
Expand Down Expand Up @@ -67,4 +70,31 @@ describe("IP Restriction", function()
assert.equal(200, status)
assert.equal("127.0.0.1", body.clientIPAddress)
end)
it("should keep working when configuration changes without needing a restart", function()
local response, status = http_client.get(STUB_GET_URL, {}, {host = "test2.com"})
local body = cjson.decode(response)
assert.equal(200, status)
assert.equal("127.0.0.1", body.clientIPAddress)

-- Adding 127.0.0.1 to the blacklist
local response, status = http_client.get(API_URL.."/apis/iprestriction2/plugins/")
assert.equal(200, status)
local plugin = cjson.decode(response).data[1]
assert.truthy(plugin)
local _, status = http_client.patch(API_URL.."/apis/iprestriction2/plugins/"..plugin.id,
{["config.blacklist"]="127.0.0.1, 127.0.0.2"})
assert.equal(200, status)

-- Wait for event to propagate
local cache_key = cache.plugin_key(plugin.name, plugin.api_id, plugin.consumer_id)
repeat
local _, status = http_client.get(API_URL.."/cache/"..cache_key)
until(status ~= 200)

-- Now the request should not work
local response, status = http_client.get(STUB_GET_URL, {}, {host = "test2.com"})
local body = cjson.decode(response)
assert.equal(403, status)
assert.equal("Your IP address is not allowed", body.message)
end)
end)

0 comments on commit dd835cd

Please sign in to comment.