open-vault/helper/proxyutil/proxyutil.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package proxyutil

import (
	"errors"
	"fmt"
	"net"
	"sync"
	"time"

	"github.com/hashicorp/go-secure-stdlib/parseutil"
	sockaddr "github.com/hashicorp/go-sockaddr"
	proxyproto "github.com/pires/go-proxyproto"
)

// ProxyProtoConfig contains configuration for the PROXY protocol
type ProxyProtoConfig struct {
	sync.RWMutex
	Behavior        string
	AuthorizedAddrs []*sockaddr.SockAddrMarshaler `json:"authorized_addrs"`
}

func (p *ProxyProtoConfig) SetAuthorizedAddrs(addrs interface{}) error {
	aa, err := parseutil.ParseAddrs(addrs)
	if err != nil {
		return err
	}

	p.AuthorizedAddrs = aa
	return nil
}

// WrapInProxyProto wraps the given listener in the PROXY protocol. If behavior
// is "use_if_authorized" or "deny_if_unauthorized" it also configures a
// SourceCheck based on the given ProxyProtoConfig. In an error case it returns
// the original listener and the error.
func WrapInProxyProto(listener net.Listener, config *ProxyProtoConfig) (net.Listener, error) {
	config.Lock()
	defer config.Unlock()

	var newLn *proxyproto.Listener

	switch config.Behavior {
	case "use_always":
		newLn = &proxyproto.Listener{
			Listener:          listener,
			ReadHeaderTimeout: 10 * time.Second,
		}

	case "allow_authorized", "deny_unauthorized":
		newLn = &proxyproto.Listener{
			Listener:          listener,
			ReadHeaderTimeout: 10 * time.Second,
			Policy: func(addr net.Addr) (proxyproto.Policy, error) {
				config.RLock()
				defer config.RUnlock()

				sa, err := sockaddr.NewSockAddr(addr.String())
				if err != nil {
					return proxyproto.REJECT, fmt.Errorf("error parsing remote address: %w", err)
				}

				for _, authorizedAddr := range config.AuthorizedAddrs {
					if authorizedAddr.Contains(sa) {
						return proxyproto.USE, nil
					}
				}

				if config.Behavior == "allow_authorized" {
					return proxyproto.IGNORE, nil
				}

				return proxyproto.REJECT, errors.New(`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`)
			},
		}
	default:
		return listener, fmt.Errorf("unknown behavior type for proxy proto config")
	}

	return newLn, nil
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`package proxyutil`

			`import (`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`"errors"`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`"fmt"`
			`"net"`
			`"sync"`
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server 2018-06-16 22:21:33 +00:00			`"time"`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) * Swap sdk/helper libs to go-secure-stdlib * Migrate to go-secure-stdlib reloadutil * Migrate to go-secure-stdlib kv-builder * Migrate to go-secure-stdlib gatedwriter 2021-07-16 00:17:31 +00:00			`"github.com/hashicorp/go-secure-stdlib/parseutil"`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`sockaddr "github.com/hashicorp/go-sockaddr"`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`proxyproto "github.com/pires/go-proxyproto"`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`)`

			`// ProxyProtoConfig contains configuration for the PROXY protocol`
			`type ProxyProtoConfig struct {`
			`sync.RWMutex`
			`Behavior string`
			AuthorizedAddrs []*sockaddr.SockAddrMarshaler `json:"authorized_addrs"`
			`}`

			`func (p *ProxyProtoConfig) SetAuthorizedAddrs(addrs interface{}) error {`
X-Forwarded-For (#4380) 2018-04-17 22:52:09 +00:00			`aa, err := parseutil.ParseAddrs(addrs)`
			`if err != nil {`
			`return err`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`}`

X-Forwarded-For (#4380) 2018-04-17 22:52:09 +00:00			`p.AuthorizedAddrs = aa`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`return nil`
			`}`

			`// WrapInProxyProto wraps the given listener in the PROXY protocol. If behavior`
			`// is "use_if_authorized" or "deny_if_unauthorized" it also configures a`
			`// SourceCheck based on the given ProxyProtoConfig. In an error case it returns`
			`// the original listener and the error.`
			`func WrapInProxyProto(listener net.Listener, config *ProxyProtoConfig) (net.Listener, error) {`
			`config.Lock()`
			`defer config.Unlock()`

			`var newLn *proxyproto.Listener`

			`switch config.Behavior {`
			`case "use_always":`
			`newLn = &proxyproto.Listener{`
remove mount accessor from MFA config (#14406) * remove mount accessor from MFA config * Update login_mfa_duo_test.go * DUO test with entity templating * using identitytpl.PopulateString to perform templating * minor refactoring * fixing fmt failures in CI * change username format to username template * fixing username_template example 2022-03-09 17:14:30 +00:00			`Listener: listener,`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`ReadHeaderTimeout: 10 * time.Second,`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`}`

			`case "allow_authorized", "deny_unauthorized":`
			`newLn = &proxyproto.Listener{`
remove mount accessor from MFA config (#14406) * remove mount accessor from MFA config * Update login_mfa_duo_test.go * DUO test with entity templating * using identitytpl.PopulateString to perform templating * minor refactoring * fixing fmt failures in CI * change username format to username template * fixing username_template example 2022-03-09 17:14:30 +00:00			`Listener: listener,`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`ReadHeaderTimeout: 10 * time.Second,`
			`Policy: func(addr net.Addr) (proxyproto.Policy, error) {`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`config.RLock()`
			`defer config.RUnlock()`

			`sa, err := sockaddr.NewSockAddr(addr.String())`
			`if err != nil {`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`return proxyproto.REJECT, fmt.Errorf("error parsing remote address: %w", err)`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`}`

			`for _, authorizedAddr := range config.AuthorizedAddrs {`
			`if authorizedAddr.Contains(sa) {`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`return proxyproto.USE, nil`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`}`
			`}`

			`if config.Behavior == "allow_authorized" {`
Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			`return proxyproto.IGNORE, nil`
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`}`

Add support for PROXY protocol v2 in TCP listener (#13540) * Add support for PROXY protocol v2 in TCP listener I did not find tests for this so I added one trying to cover different configurations to make sure I did not break something. As far as I know, the behavior should be exactly the same as before except for one thing when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84 but it will now be logged. Also fixes https://github.com/hashicorp/vault/issues/9462 by adding support for `PROXY UNKNOWN` for PROXY protocol v1. Closes https://github.com/hashicorp/vault/issues/3807 * Add changelog 2022-03-08 17:13:00 +00:00			return proxyproto.REJECT, errors.New(`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`)
Add PROXY protocol support (#3098) 2017-08-02 22:24:12 +00:00			`},`
			`}`
			`default:`
			`return listener, fmt.Errorf("unknown behavior type for proxy proto config")`
			`}`

			`return newLn, nil`
			`}`