package whitelist
import "github.com/cloudflare/cfssl/whitelist"
Package whitelist implements IP whitelisting for various types of connections. Two types of access control lists (ACLs) are supported: host-based and network-based.
Index ¶
- func DumpBasic(wl *Basic) []byte
- func HTTPRequestLookup(req *http.Request) (net.IP, error)
- func NetConnLookup(conn net.Conn) (net.IP, error)
- func NewHandler(allow, deny http.Handler, acl ACL) (http.Handler, error)
- type ACL
- type Basic
- func LoadBasic(in []byte) (*Basic, error)
- func NewBasic() *Basic
- func (wl *Basic) Add(ip net.IP)
- func (wl *Basic) MarshalJSON() ([]byte, error)
- func (wl *Basic) Permitted(ip net.IP) bool
- func (wl *Basic) Remove(ip net.IP)
- func (wl *Basic) UnmarshalJSON(in []byte) error
- type BasicNet
- func NewBasicNet() *BasicNet
- func (wl *BasicNet) Add(n *net.IPNet)
- func (wl *BasicNet) MarshalJSON() ([]byte, error)
- func (wl *BasicNet) Permitted(ip net.IP) bool
- func (wl *BasicNet) Remove(n *net.IPNet)
- func (wl *BasicNet) UnmarshalJSON(in []byte) error
- type Handler
- type HandlerFunc
- func NewHandlerFunc(allow, deny func(http.ResponseWriter, *http.Request), acl ACL) (*HandlerFunc, error)
- func (h *HandlerFunc) ServeHTTP(w http.ResponseWriter, req *http.Request)
- type HostACL
- type HostStub
- func NewHostStub() HostStub
- func (wl HostStub) Add(ip net.IP)
- func (wl HostStub) Permitted(ip net.IP) bool
- func (wl HostStub) Remove(ip net.IP)
- type NetACL
- type NetStub
- func NewNetStub() NetStub
- func (wl NetStub) Add(ip *net.IPNet)
- func (wl NetStub) Permitted(ip net.IP) bool
- func (wl NetStub) Remove(ip *net.IPNet)
- Bugs
Functions ¶
func DumpBasic ¶
DumpBasic returns a whitelist as a byte slice where each IP is on its own line.
func HTTPRequestLookup ¶
HTTPRequestLookup extracts an IP from the remote address in a *http.Request. A single *http.Request should be passed to Address.
func NetConnLookup ¶
NetConnLookup extracts an IP from the remote address in the net.Conn. A single net.Conn should be passed to Address.
func NewHandler ¶
NewHandler returns a new whitelisting-wrapped HTTP handler. The allow handler should contain a handler that will be called if the request is whitelisted; the deny handler should contain a handler that will be called in the request is not whitelisted.
Types ¶
type ACL ¶
type ACL interface {
// Permitted takes an IP address, and returns true if the
// IP address is whitelisted (e.g. permitted access).
Permitted(net.IP) bool
}
An ACL stores a list of permitted IP addresses, and handles concurrency as needed.
type Basic ¶
type Basic struct {
// contains filtered or unexported fields
}
Basic implements a basic map-backed whitelister that uses an RWMutex for conccurency. IPv4 addresses are treated differently than an IPv6 address; namely, the IPv4 localhost will not match the IPv6 localhost.
func LoadBasic ¶
LoadBasic loads a whitelist from a byteslice.
func NewBasic ¶
func NewBasic() *Basic
NewBasic returns a new initialised basic whitelist.
func (*Basic) Add ¶
Add whitelists an IP.
func (*Basic) MarshalJSON ¶
MarshalJSON serialises a host whitelist to a comma-separated list of hosts, implementing the json.Marshaler interface.
func (*Basic) Permitted ¶
Permitted returns true if the IP has been whitelisted.
func (*Basic) Remove ¶
Remove clears the IP from the whitelist.
func (*Basic) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface for host whitelists, taking a comma-separated string of hosts.
type BasicNet ¶
type BasicNet struct {
// contains filtered or unexported fields
}
BasicNet implements a basic map-backed network whitelist using locks for concurrency. It must be initialised with one of the constructor functions. This particular implementation is unoptimised and will not scale.
func NewBasicNet ¶
func NewBasicNet() *BasicNet
NewBasicNet constructs a new basic network-based whitelist.
func (*BasicNet) Add ¶
Add adds a new network to the whitelist. Caveat: overlapping networks won't be detected.
func (*BasicNet) MarshalJSON ¶
MarshalJSON serialises a network whitelist to a comma-separated list of networks.
func (*BasicNet) Permitted ¶
Permitted returns true if the IP has been whitelisted.
func (*BasicNet) Remove ¶
Remove removes a network from the whitelist.
func (*BasicNet) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface for network whitelists, taking a comma-separated string of networks.
type Handler ¶
type Handler struct {
// contains filtered or unexported fields
}
Handler wraps an HTTP handler with IP whitelisting.
func (*Handler) ServeHTTP ¶
func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request)
ServeHTTP wraps the request in a whitelist check.
type HandlerFunc ¶
type HandlerFunc struct {
// contains filtered or unexported fields
}
A HandlerFunc contains a pair of http.HandleFunc-handler functions that will be called depending on whether a request is allowed or denied.
func NewHandlerFunc ¶
func NewHandlerFunc(allow, deny func(http.ResponseWriter, *http.Request), acl ACL) (*HandlerFunc, error)
NewHandlerFunc returns a new basic whitelisting handler.
func (*HandlerFunc) ServeHTTP ¶
func (h *HandlerFunc) ServeHTTP(w http.ResponseWriter, req *http.Request)
ServeHTTP checks the incoming request to see whether it is permitted, and calls the appropriate handle function.
type HostACL ¶
type HostACL interface {
ACL
// Add takes an IP address and adds it to the whitelist so
// that it is now permitted.
Add(net.IP)
// Remove takes an IP address and drops it from the whitelist
// so that it is no longer permitted.
Remove(net.IP)
}
A HostACL stores a list of permitted hosts.
type HostStub ¶
type HostStub struct{}
HostStub allows host whitelisting to be added into a system's flow without doing anything yet. All operations result in warning log messages being printed to stderr. There is no mechanism for squelching these messages short of modifying the log package's default logger.
func NewHostStub ¶
func NewHostStub() HostStub
NewHostStub returns a new stubbed host whitelister.
func (HostStub) Add ¶
Add prints a warning message about whitelisting being stubbed.
func (HostStub) Permitted ¶
Permitted always returns true, but prints a warning message alerting that whitelisting is stubbed.
func (HostStub) Remove ¶
Remove prints a warning message about whitelisting being stubbed.
type NetACL ¶
type NetACL interface {
ACL
// Add takes an IP network and adds it to the whitelist so
// that it is now permitted.
Add(*net.IPNet)
// Remove takes an IP network and drops it from the whitelist
// so that it is no longer permitted.
Remove(*net.IPNet)
}
A NetACL stores a list of permitted IP networks.
type NetStub ¶
type NetStub struct{}
NetStub allows network whitelisting to be added into a system's flow without doing anything yet. All operations result in warning log messages being printed to stderr. There is no mechanism for squelching these messages short of modifying the log package's default logger.
func NewNetStub ¶
func NewNetStub() NetStub
NewNetStub returns a new stubbed network whitelister.
func (NetStub) Add ¶
Add prints a warning message about whitelisting being stubbed.
func (NetStub) Permitted ¶
Permitted always returns true, but prints a warning message alerting that whitelisting is stubbed.
func (NetStub) Remove ¶
Remove prints a warning message about whitelisting being stubbed.
Bugs ¶
☞ overlapping networks aren't detected.
Source Files ¶
lookup.go whitelist.go whitelist_net.go
Directories ¶
| Path | Synopsis |
|---|---|
| whitelist/example |
- Version
- v1.6.5 (latest)
- Published
- Mar 5, 2024
- Platform
- linux/amd64
- Imports
- 7 packages
- Last checked
- 6 days ago –
Tools for package owners.