ingress-nginx-helm/internal/ingress/annotations/ipallowlist/main.go

/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ipallowlist

import (
	"fmt"
	"sort"
	"strings"

	networking "k8s.io/api/networking/v1"
	"k8s.io/ingress-nginx/internal/net"

	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
	"k8s.io/ingress-nginx/internal/ingress/resolver"
	"k8s.io/ingress-nginx/pkg/util/sets"
)

const (
	ipWhitelistAnnotation = "whitelist-source-range"
	ipAllowlistAnnotation = "allowlist-source-range"
)

var allowlistAnnotations = parser.Annotation{
	Group: "acl",
	Annotations: parser.AnnotationFields{
		ipAllowlistAnnotation: {
			Validator:         parser.ValidateCIDRs,
			Scope:             parser.AnnotationScopeLocation,
			Risk:              parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access
			Documentation:     `This annotation allows setting a list of IPs and networks allowed to access this Location`,
			AnnotationAliases: []string{ipWhitelistAnnotation},
		},
	},
}

// SourceRange returns the CIDR
type SourceRange struct {
	CIDR []string `json:"cidr,omitempty"`
}

// Equal tests for equality between two SourceRange types
func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool {
	if sr1 == sr2 {
		return true
	}
	if sr1 == nil || sr2 == nil {
		return false
	}

	return sets.StringElementsMatch(sr1.CIDR, sr2.CIDR)
}

type ipallowlist struct {
	r                resolver.Resolver
	annotationConfig parser.Annotation
}

// NewParser creates a new ipallowlist annotation parser
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
	return ipallowlist{
		r:                r,
		annotationConfig: allowlistAnnotations,
	}
}

// ParseAnnotations parses the annotations contained in the ingress
// rule used to limit access to certain client addresses or networks.
// Multiple ranges can specified using commas as separator
// e.g. `18.0.0.0/8,56.0.0.0/8`
func (a ipallowlist) Parse(ing *networking.Ingress) (interface{}, error) {
	defBackend := a.r.GetDefaultBackend()

	defaultAllowlistSourceRange := make([]string, len(defBackend.WhitelistSourceRange))
	copy(defaultAllowlistSourceRange, defBackend.WhitelistSourceRange)
	sort.Strings(defaultAllowlistSourceRange)

	val, err := parser.GetStringAnnotation(ipAllowlistAnnotation, ing, a.annotationConfig.Annotations)
	// A missing annotation is not a problem, just use the default
	if err != nil {
		if err == ing_errors.ErrMissingAnnotations {
			return &SourceRange{CIDR: defaultAllowlistSourceRange}, nil
		}

		return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{
			Reason: err,
		}

	}

	values := strings.Split(val, ",")
	ipnets, ips, err := net.ParseIPNets(values...)
	if err != nil && len(ips) == 0 {
		return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{
			Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err),
		}
	}

	cidrs := []string{}
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}
	for k := range ips {
		cidrs = append(cidrs, k)
	}

	sort.Strings(cidrs)

	return &SourceRange{cidrs}, nil
}

func (a ipallowlist) GetDocumentation() parser.AnnotationFields {
	return a.annotationConfig.Annotations
}

func (a ipallowlist) Validate(anns map[string]string) error {
	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
	return parser.CheckAnnotationRisk(anns, maxrisk, allowlistAnnotations.Annotations)
}