Implements --trusted-ip option (#552)

* Implements --ip-whitelist option * Included IPWhitelist option to allow one-or-more selected CIDR ranges to bypass OAuth2 authentication. * Adds IPWhitelist, a fast lookup table for multiple CIDR ranges. * Renamed IPWhitelist ipCIDRSet * Fixed unessesary pointer usage in ipCIDRSet * Update CHANGELOG.md * Update CHANGELOG.md * Updated to not use err.Error() in printf statements * Imrpoved language for --ip-whitelist descriptions. * Improve IP whitelist options error messages * Clarify options single-host normalization * Wrote a book about ipCIDRSet * Added comment to IsWhitelistedIP in oauthproxy.go * Rewrite oauthproxy test case as table driven * oops * Support whitelisting by low-level remote address * Added more test-cases, improved descriptions * Move ip_cidr_set.go to pkg/ip/net_set.go * Add more whitelist test use cases. * Oops * Use subtests for TestIPWhitelist * Add minimal tests for ip.NetSet * Use switch statment * Renamed ip-whitelist to whitelist-ip * Update documentation with a warning. * Update pkg/apis/options/options.go * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/ip/net_set_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/ip/net_set_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/ip/net_set_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * fix fmt * Move ParseIPNet into abstraction * Add warning in case of --reverse-proxy * Update pkg/validation/options_test.go * Rename --whitelist-ip to --trusted-ip * Update oauthproxy.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * fix Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2025-06-21 00:29:44 +02:00 · 2020-07-11 12:10:58 +02:00
parent e6903d8c1f
commit 64ae31b5a0
12 changed files with 541 additions and 17 deletions
--- a/pkg/ip/parse_ip_net.go
+++ b/pkg/ip/parse_ip_net.go
@ -0,0 +1,39 @@
+package ip
+
+import (
+	"net"
+	"strings"
+)
+
+func ParseIPNet(s string) *net.IPNet {
+	if !strings.ContainsRune(s, '/') {
+		ip := net.ParseIP(s)
+		if ip == nil {
+			return nil
+		}
+
+		var mask net.IPMask
+		switch {
+		case ip.To4() != nil:
+			mask = net.CIDRMask(32, 32)
+		case ip.To16() != nil:
+			mask = net.CIDRMask(128, 128)
+		default:
+			return nil
+		}
+
+		return &net.IPNet{
+			IP:   ip,
+			Mask: mask,
+		}
+	}
+
+	switch ip, ipNet, err := net.ParseCIDR(s); {
+	case err != nil:
+		return nil
+	case !ipNet.IP.Equal(ip):
+		return nil
+	default:
+		return ipNet
+	}
+}