Skip to content

Commit

Permalink
feat(ops): handle real_ip_from CIDR format (#6981)
Browse files Browse the repository at this point in the history
Signed-off-by: kwanhur <[email protected]>
  • Loading branch information
kwanhur authored May 9, 2022
1 parent 36c87bc commit 1b5c190
Show file tree
Hide file tree
Showing 4 changed files with 99 additions and 7 deletions.
66 changes: 66 additions & 0 deletions apisix/cli/ip.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--

--- IP match and verify module.
--
-- @module cli.ip

local mediador_ip = require("resty.mediador.ip")
local setmetatable = setmetatable


local _M = {}
local mt = { __index = _M }


---
-- create a instance of module cli.ip
--
-- @function cli.ip:new
-- @tparam string ip IP or CIDR.
-- @treturn instance of module if the given ip valid, nil and error message otherwise.
function _M.new(self, ip)
if not mediador_ip.valid(ip) then
return nil, "invalid ip"
end

local _ip = mediador_ip.parse(ip)

return setmetatable({ _ip = _ip }, mt)
end


---
-- Is that the given ip loopback?
--
-- @function cli.ip:is_loopback
-- @treturn boolean True if the given ip is the loopback, false otherwise.
function _M.is_loopback(self)
return self._ip and "loopback" == self._ip:range()
end

---
-- Is that the given ip unspecified?
--
-- @function cli.ip:is_unspecified
-- @treturn boolean True if the given ip is all the unspecified, false otherwise.
function _M.is_unspecified(self)
return self._ip and "unspecified" == self._ip:range()
end


return _M
9 changes: 5 additions & 4 deletions apisix/cli/ops.lua
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ local util = require("apisix.cli.util")
local file = require("apisix.cli.file")
local schema = require("apisix.cli.schema")
local ngx_tpl = require("apisix.cli.ngx_tpl")
local cli_ip = require("apisix.cli.ip")
local profile = require("apisix.core.profile")
local template = require("resty.template")
local argparse = require("argparse")
Expand Down Expand Up @@ -277,16 +278,16 @@ Please modify "admin_key" in conf/config.yaml .
-- not disabled by the users
if real_ip_from then
for _, ip in ipairs(real_ip_from) do
-- TODO: handle cidr
if ip == "127.0.0.1" or ip == "0.0.0.0/0" then
local _ip = cli_ip:new(ip)
if _ip:is_loopback() or _ip:is_unspecified() then
pass_real_client_ip = true
end
end
end

if not pass_real_client_ip then
util.die("missing '127.0.0.1' in the nginx_config.http.real_ip_from for plugin " ..
"batch-requests\n")
util.die("missing loopback or unspecified in the nginx_config.http.real_ip_from" ..
" for plugin batch-requests\n")
end
end

Expand Down
3 changes: 2 additions & 1 deletion rockspec/apisix-master-0.rockspec
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,8 @@ dependencies = {
"opentelemetry-lua = 0.1-3",
"net-url = 0.9-1",
"xml2lua = 1.5-2",
"nanoid = 0.1-1"
"nanoid = 0.1-1",
"lua-resty-mediador = 0.1.2-1"
}

build = {
Expand Down
28 changes: 26 additions & 2 deletions t/cli/test_validate_config.sh
Original file line number Diff line number Diff line change
Expand Up @@ -161,17 +161,41 @@ fi

echo "passed: apisix test(failure scenario)"

# apisix plugin batch-requests real_ip_from invalid - failure scenario
echo '
plugins:
- batch-requests
nginx_config:
http:
real_ip_from:
- "127.0.0.2"
- "128.0.0.2"
' > conf/config.yaml

out=$(make init 2>&1 || true)
if ! echo "$out" | grep "missing '127.0.0.1' in the nginx_config.http.real_ip_from for plugin batch-requests"; then
if ! echo "$out" | grep "missing loopback or unspecified in the nginx_config.http.real_ip_from for plugin batch-requests"; then
echo "failed: should check the realip configuration for batch-requests"
exit 1
fi

echo "passed: apisix plugin batch-requests real_ip_from(failure scenario)"

# apisix plugin batch-requests real_ip_from valid
echo '
plugins:
- batch-requests
nginx_config:
http:
real_ip_from:
- "127.0.0.1"
- "127.0.0.2/8"
- "0.0.0.0"
- "0.0.0.0/0"
- "::"
- "::/0"
' > conf/config.yaml

out=$(make init 2>&1 || true)
if echo "$out" | grep "missing loopback or unspecified in the nginx_config.http.real_ip_from for plugin batch-requests"; then
echo "failed: should check the realip configuration for batch-requests"
exit 1
fi
Expand Down

0 comments on commit 1b5c190

Please sign in to comment.