Compare commits
No commits in common. "main" and "v0.1.9" have entirely different histories.
@ -37,9 +37,10 @@ func main() {
|
||||
var group *errgroup.Group
|
||||
group, ctx = errgroup.WithContext(ctx)
|
||||
app := cli.Command{
|
||||
Name: appName,
|
||||
Usage: "Securely mount the Docker socket: apply fine-grained access control to Docker socket HTTP requests",
|
||||
Version: buildVersion(),
|
||||
Name: appName,
|
||||
Usage: "Securely mount the Docker socket: apply fine-grained access control to Docker socket HTTP requests",
|
||||
Version: buildVersion(),
|
||||
DefaultCommand: command.ServeCmd,
|
||||
Commands: []*cli.Command{
|
||||
command.Serve(group),
|
||||
command.Healthcheck(group),
|
||||
|
||||
150
command/serve.go
150
command/serve.go
@ -6,16 +6,15 @@ import (
|
||||
"fmt"
|
||||
"gitea.illuad.fr/adrien/middleman"
|
||||
"gitea.illuad.fr/adrien/middleman/flag"
|
||||
"gitea.illuad.fr/adrien/middleman/pkg/fastrp"
|
||||
"github.com/rs/zerolog/log"
|
||||
"github.com/urfave/cli/v3"
|
||||
"golang.org/x/sync/errgroup"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
"net/netip"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
@ -35,7 +34,25 @@ type methodRegex = map[string]*regexp.Regexp
|
||||
|
||||
// ProxyHandler takes an incoming request and sends it to another server, proxying the response back to the client.
|
||||
type ProxyHandler struct {
|
||||
frp *fastrp.FastRP
|
||||
rp *httputil.ReverseProxy
|
||||
}
|
||||
|
||||
// ErrHTTPMethodNotAllowed is returned if the request's HTTP method is not allowed for this container.
|
||||
type ErrHTTPMethodNotAllowed struct {
|
||||
httpMethod string
|
||||
}
|
||||
|
||||
// ErrNoMatch is returned if the request's URL path is not allowed for this container.
|
||||
type ErrNoMatch struct {
|
||||
path, httpMethod string
|
||||
}
|
||||
|
||||
func (e ErrHTTPMethodNotAllowed) Error() string {
|
||||
return fmt.Sprintf("%s is not in the list of HTTP methods allowed this container", e.httpMethod)
|
||||
}
|
||||
|
||||
func (e ErrNoMatch) Error() string {
|
||||
return fmt.Sprintf("%s does not match any registered regular expression for this HTTP method (%s)", e.path, e.httpMethod)
|
||||
}
|
||||
|
||||
// ServeCmd is the command name.
|
||||
@ -75,8 +92,8 @@ const (
|
||||
defaultHealthEndpoint = "/healthz"
|
||||
// defaultHealthListenAddr is the proxy health endpoint default listen address and port.
|
||||
defaultHealthListenAddr = "127.0.0.1:5732"
|
||||
// defaultAllowedRequests is the default allowed requests. Note that they should be sufficient to make Traefik work properly.
|
||||
defaultAllowedRequests = "/v1.\\d{1,2}/(version|containers/(?:json|[a-zA-Z0-9]{64}/json)|events)$"
|
||||
// defaultAllowedRequest is the proxy default allowed request.
|
||||
defaultAllowedRequest = "^/(version|containers/.*|events.*)$"
|
||||
)
|
||||
|
||||
var s serve
|
||||
@ -84,7 +101,7 @@ var s serve
|
||||
var (
|
||||
containerMethodRegex = map[string]methodRegex{
|
||||
"*": {
|
||||
http.MethodGet: regexp.MustCompile(defaultAllowedRequests),
|
||||
http.MethodGet: regexp.MustCompile(defaultAllowedRequest),
|
||||
},
|
||||
}
|
||||
applicatorURLRegex = regexp.MustCompile(`^([a-zA-Z0-9][a-zA-Z0-9_.-]+)\(((?:(?:GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|TRACE|OPTIONS)(?:,(?:GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|TRACE|OPTIONS))*)?)\):(.*)$`)
|
||||
@ -131,75 +148,68 @@ func Serve(group *errgroup.Group) *cli.Command {
|
||||
}
|
||||
|
||||
func (ph *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
log.Debug().Str("remote_addr", r.RemoteAddr).Str("method", r.Method).Str("path", r.URL.Path).Msg("incoming request")
|
||||
if mr, ok := containerMethodRegex["*"]; ok {
|
||||
if code := ph.checkMethodAndRegex(mr, r, ""); code != http.StatusOK {
|
||||
http.Error(w, http.StatusText(code), code)
|
||||
log.Debug().Str("remote_addr", r.RemoteAddr).Str("http_method", r.Method).Str("path", r.URL.Path).Msg("incoming request")
|
||||
mr, ok := containerMethodRegex["*"]
|
||||
if ok {
|
||||
fmt.Println("here 1")
|
||||
if err := checkMethodPath(w, r, mr); err != nil {
|
||||
fmt.Println("failed here 1")
|
||||
log.Err(err).Send()
|
||||
return
|
||||
}
|
||||
ph.frp.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
host, _, _ := net.SplitHostPort(r.RemoteAddr)
|
||||
for containerName, mr := range containerMethodRegex {
|
||||
if ph.isContainerAuthorized(containerName, host) {
|
||||
if code := ph.checkMethodAndRegex(mr, r, containerName); code != http.StatusOK {
|
||||
http.Error(w, http.StatusText(code), code)
|
||||
} else {
|
||||
var (
|
||||
containerName string
|
||||
host, _, _ = net.SplitHostPort(r.RemoteAddr)
|
||||
ip = net.ParseIP(host)
|
||||
)
|
||||
for containerName, mr = range containerMethodRegex {
|
||||
resolvedIPs, err := net.LookupIP(containerName)
|
||||
if err != nil {
|
||||
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
||||
fmt.Println("failed here 2")
|
||||
log.Err(err).Send()
|
||||
return
|
||||
}
|
||||
ph.frp.ServeHTTP(w, r)
|
||||
return
|
||||
fmt.Printf("count of resolved IPs: %d\n", len(resolvedIPs))
|
||||
for _, resolvedIP := range resolvedIPs {
|
||||
if resolvedIP.Equal(ip) {
|
||||
fmt.Printf("%s == %s\n", resolvedIP.String(), ip.String())
|
||||
if err = checkMethodPath(w, r, mr); err != nil {
|
||||
fmt.Println("failed here 3")
|
||||
log.Err(err).Send()
|
||||
return
|
||||
}
|
||||
fmt.Println("here 2")
|
||||
}
|
||||
fmt.Println("here 3")
|
||||
}
|
||||
fmt.Println("here 4")
|
||||
}
|
||||
fmt.Println("here 5")
|
||||
}
|
||||
logDeniedRequest(r, http.StatusUnauthorized, "this container is not on the list of authorized ones")
|
||||
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
||||
ph.rp.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
func (ph *ProxyHandler) isContainerAuthorized(containerName, host string) bool {
|
||||
resolvedIPs, err := net.LookupIP(containerName)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
for resolvedIP := range slices.Values(resolvedIPs) {
|
||||
if resolvedIP.Equal(net.ParseIP(host)) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func logDeniedRequest(r *http.Request, statusCode int, message string) {
|
||||
log.Error().
|
||||
Str("remote_addr", r.RemoteAddr).Str("method", r.Method).
|
||||
Str("path", r.URL.Path).Int("status_code", statusCode).
|
||||
Str("status_text", http.StatusText(statusCode)).Msg(message)
|
||||
}
|
||||
|
||||
func logAuthorizedRequest(r *http.Request, containerName, message string) {
|
||||
l := log.Info().
|
||||
Str("remote_addr", r.RemoteAddr).
|
||||
Str("method", r.Method).
|
||||
Str("path", r.URL.Path).
|
||||
Int("status_code", http.StatusOK).
|
||||
Str("status_text", http.StatusText(http.StatusOK))
|
||||
if containerName != "" {
|
||||
l.Str("container_name", containerName)
|
||||
}
|
||||
l.Msg(message)
|
||||
}
|
||||
|
||||
func (ph *ProxyHandler) checkMethodAndRegex(mr methodRegex, r *http.Request, containerName string) int {
|
||||
// checkMethodPath executes the regular expression on the path of the HTTP request if and only if
|
||||
// the latter's HTTP method is actually present in the list of authorized HTTP methods.
|
||||
func checkMethodPath(w http.ResponseWriter, r *http.Request, mr methodRegex) error {
|
||||
req, ok := mr[r.Method]
|
||||
if !ok {
|
||||
logDeniedRequest(r, http.StatusMethodNotAllowed, "this HTTP method is not in the list of those authorized for this container")
|
||||
return http.StatusMethodNotAllowed
|
||||
fmt.Printf("%s is not a registered HTTP method\n", r.Method)
|
||||
http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
|
||||
return ErrHTTPMethodNotAllowed{httpMethod: r.Method}
|
||||
}
|
||||
log.Debug().Msgf("%s is a registered HTTP method", r.Method)
|
||||
if !req.MatchString(r.URL.Path) {
|
||||
logDeniedRequest(r, http.StatusForbidden, "this path does not match any regular expression for this HTTP method")
|
||||
return http.StatusForbidden
|
||||
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
||||
return ErrNoMatch{
|
||||
path: r.URL.Path,
|
||||
httpMethod: r.Method,
|
||||
}
|
||||
}
|
||||
logAuthorizedRequest(r, containerName, "incoming request matches a registered regular expression")
|
||||
return http.StatusOK
|
||||
log.Debug().Msgf("%s matches %s", r.URL.Path, req.String())
|
||||
return nil
|
||||
}
|
||||
|
||||
// action is executed when the ServeCmd command is called.
|
||||
@ -217,11 +227,15 @@ func (s serve) action(ctx context.Context, command *cli.Command) error {
|
||||
return err
|
||||
}
|
||||
dummyURL, _ := url.Parse("http://dummy")
|
||||
srv := &http.Server{ // #nosec: G112
|
||||
Handler: &ProxyHandler{
|
||||
frp: fastrp.NewRP("unix", command.String(dockerSocketPathFlagName), dummyURL),
|
||||
rp := httputil.NewSingleHostReverseProxy(dummyURL)
|
||||
rp.Transport = &http.Transport{
|
||||
DialContext: func(_ context.Context, _ string, _ string) (net.Conn, error) {
|
||||
return net.Dial("unix", command.String(dockerSocketPathFlagName))
|
||||
},
|
||||
}
|
||||
srv := &http.Server{ // #nosec: G112
|
||||
Handler: &ProxyHandler{rp: rp},
|
||||
}
|
||||
s.group.Go(func() error {
|
||||
if err = srv.Serve(l); err != nil && !errors.Is(err, http.ErrServerClosed) {
|
||||
return err
|
||||
@ -418,9 +432,9 @@ func addRequests() cli.Flag {
|
||||
Category: "network",
|
||||
Usage: "add requests",
|
||||
Sources: middleman.PluckEnvVar(EnvVarPrefix, addRequestsFlagName),
|
||||
// Local: true, // Required to trigger the Action when this flag is set via the environment variable, see https://github.com/urfave/cli/issues/2041.
|
||||
Value: []string{"*:" + defaultAllowedRequests},
|
||||
Aliases: middleman.PluckAlias(ServeCmd, addRequestsFlagName),
|
||||
Local: true, // Required to trigger the Action when this flag is set via the environment variable, see https://github.com/urfave/cli/issues/2041.
|
||||
Value: []string{"*:" + defaultAllowedRequest},
|
||||
Aliases: middleman.PluckAlias(ServeCmd, addRequestsFlagName),
|
||||
Action: func(ctx context.Context, command *cli.Command, requests []string) error {
|
||||
clear(containerMethodRegex)
|
||||
for _, request := range requests {
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
package fastrp
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
"sync"
|
||||
)
|
||||
|
||||
type FastRP struct {
|
||||
rp *httputil.ReverseProxy
|
||||
connPool *sync.Pool
|
||||
}
|
||||
|
||||
func NewRP(network, address string, url *url.URL) *FastRP {
|
||||
roundTripper := &http.Transport{
|
||||
DialContext: func(_ context.Context, _ string, _ string) (net.Conn, error) {
|
||||
return net.Dial(network, address)
|
||||
},
|
||||
MaxIdleConns: 10,
|
||||
}
|
||||
frp := &FastRP{
|
||||
rp: httputil.NewSingleHostReverseProxy(url),
|
||||
connPool: &sync.Pool{
|
||||
New: func() any {
|
||||
return roundTripper.Clone()
|
||||
},
|
||||
},
|
||||
}
|
||||
frp.rp.Transport = frp.connPool.Get().(http.RoundTripper)
|
||||
return frp
|
||||
}
|
||||
|
||||
func (frp *FastRP) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
roundTripper := frp.connPool.Get().(http.RoundTripper)
|
||||
defer frp.connPool.Put(roundTripper)
|
||||
frp.rp.Transport = roundTripper
|
||||
frp.rp.ServeHTTP(w, r)
|
||||
}
|
||||
Loading…
x
Reference in New Issue
Block a user