Revert "Adding HTTP verb whitelisting options."

This reverts commit 34837afc7a.
Mike Tolman
2016-08-05 15:45:48 -06:00
parent 34837afc7a
commit ce99bb927d
11 changed files with 72 additions and 290 deletions


@@ -41,31 +41,17 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
*/
type Guard struct {
ipWhiteList []string
rootWhiteList []string
whiteList []string
SecretKey Secret
isActive bool
}
func NewGuard(ipWhiteList []string, rootWhiteList []string, secretKey string) *Guard {
g := &Guard{ipWhiteList: ipWhiteList, rootWhiteList: rootWhiteList, SecretKey: Secret(secretKey)}
g.isActive = len(g.ipWhiteList) != 0 || len(g.SecretKey) != 0
func NewGuard(whiteList []string, secretKey string) *Guard {
g := &Guard{whiteList: whiteList, SecretKey: Secret(secretKey)}
g.isActive = len(g.whiteList) != 0 || len(g.SecretKey) != 0
return g
}
func (g *Guard) WhiteList2(f func(w http.ResponseWriter, r *http.Request, b bool)) func(w http.ResponseWriter, r *http.Request, b bool) {
if !g.isActive {
//if no security needed, just skip all checkings
return f
}
return func(w http.ResponseWriter, r *http.Request, b bool) {
if err := g.checkWhiteList(w, r); err != nil {
w.WriteHeader(http.StatusUnauthorized)
return
}
f(w, r, b)
}
}
func (g *Guard) WhiteList(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
if !g.isActive {
@@ -110,14 +96,13 @@ func GetActualRemoteHost(r *http.Request) (host string, err error) {
}
func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
if len(g.ipWhiteList) == 0 {
glog.V(0).Info("No whitelist specified for operation")
if len(g.whiteList) == 0 {
return nil
}
host, err := GetActualRemoteHost(r)
if err == nil {
for _, ip := range g.ipWhiteList {
for _, ip := range g.whiteList {
// If the whitelist entry contains a "/" it
// is a CIDR range, and we should check the
@@ -129,7 +114,6 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
}
remote := net.ParseIP(host)
if cidrnet.Contains(remote) {
glog.V(0).Infof("Found %s in CIDR whitelist.", r.RemoteAddr)
return nil
}
}
@@ -138,28 +122,8 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
// Otherwise we're looking for a literal match.
//
if ip == host {
glog.V(0).Infof("Found %s in whitelist.", r.RemoteAddr)
return nil
}
// ::1 is the same as 127.0.0.1 and localhost
if host == "::1" && (ip == "127.0.0.1" || ip == "localhost") {
glog.V(0).Infof("Found %s (localhost) in whitelist.", r.RemoteAddr)
return nil
}
}
}
// The root whitelist allows exceptions to the IP whitelist, but only by certain root paths in the request.
if len(g.rootWhiteList) > 0 {
pathParts := strings.Split(r.RequestURI, "/")
if len(pathParts) > 0 {
requestedRoot := pathParts[1]
for _, root := range g.rootWhiteList {
if root == requestedRoot {
glog.V(0).Infof("Found %s in root whitelist.", requestedRoot)
return nil
}
}
glog.V(0).Infof("Not in root whitelist: %s", requestedRoot)
}
}
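Review bot: The literal match `if ip == host {` in checkWhiteList is a string comparison, so once the `::1` special case is reverted a loopback client that arrives as `::1` is rejected even when `127.0.0.1` or `localhost` is whitelisted, and an entry written in a different textual form from the host string will also miss. This fails closed, but it makes the allow list brittle. Keeping the string test and adding a parsed comparison such as `if e := net.ParseIP(ip); e != nil && e.Equal(net.ParseIP(host)) { return nil }` would make address matching independent of notation, although `::1` versus `127.0.0.1` would still need an explicit decision. The revert also removes every log line on the allow path, so it is worth confirming that the deny path, which is outside the visible hunks, still records the rejected remote address. checkWhiteList continues past the last hunk shown here.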