Do not merge allowed ip addresses

Author: timokoessler

library/agent/Agent.test.ts

@@ -1145,6 +1145,6 @@ t.test("it only allows some IP addresses", async () => {
   });
 
   t.same(agent.getConfig().shouldOnlyAllowSomeIPAddresses(), true);
-  t.same(agent.getConfig().isOnlyAllowedIPAddress("1.2.3.4"), false);
-  t.same(agent.getConfig().isOnlyAllowedIPAddress("4.3.2.1"), true);
+  t.same(agent.getConfig().isOnlyAllowedIPAddress("1.2.3.4").allowed, false);
+  t.same(agent.getConfig().isOnlyAllowedIPAddress("4.3.2.1").allowed, true);
 });

library/agent/ServiceConfig.test.ts

@@ -174,9 +174,32 @@ t.test("restricting access to some ips", async () => {
 
   t.same(config.shouldOnlyAllowSomeIPAddresses(), true);
 
-  t.same(config.isOnlyAllowedIPAddress("1.2.3.4"), true);
-  t.same(config.isOnlyAllowedIPAddress("4.3.2.1"), false);
+  t.same(config.isOnlyAllowedIPAddress("1.2.3.4").allowed, true);
+  t.same(config.isOnlyAllowedIPAddress("4.3.2.1").allowed, false);
 
   config.updateOnlyAllowedIPAddresses([]);
-  t.same(config.isOnlyAllowedIPAddress("1.2.3.4"), false);
+  t.same(config.isOnlyAllowedIPAddress("1.2.3.4").allowed, false);
+});
+
+t.test("only allow some ips: empty list", async () => {
+  const config = new ServiceConfig(
+    [],
+    0,
+    [],
+    [],
+    true,
+    [],
+    [
+      {
+        source: "geoip",
+        description: "description",
+        ips: [],
+      },
+    ]
+  );
+
+  t.same(config.shouldOnlyAllowSomeIPAddresses(), false);
+
+  t.same(config.isOnlyAllowedIPAddress("1.2.3.4").allowed, false);
+  t.same(config.isOnlyAllowedIPAddress("4.3.2.1").allowed, false);
 });

library/agent/ServiceConfig.ts

@@ -11,7 +11,10 @@ export class ServiceConfig {
   private blockedIPAddresses: { blocklist: IPMatcher; description: string }[] =
     [];
   private blockedUserAgentRegex: RegExp | undefined;
-  private onlyAllowedIPAddresses: IPMatcher | undefined;
+  private onlyAllowedIPAddresses: {
+    allowlist: IPMatcher;
+    description: string;
+  }[] = [];
 
   constructor(
     endpoints: Endpoint[],
@@ -127,15 +130,18 @@ export class ServiceConfig {
   }
 
   private setOnlyAllowedIPAddresses(ipAddresses: IPList[]) {
-    this.onlyAllowedIPAddresses = undefined;
-
-    if (ipAddresses.length === 0) {
-      return;
+    this.onlyAllowedIPAddresses = [];
+
+    for (const source of ipAddresses) {
+      // Skip empty allowlists
+      if (source.ips.length === 0) {
+        continue;
+      }
+      this.onlyAllowedIPAddresses.push({
+        allowlist: new IPMatcher(source.ips),
+        description: source.description,
+      });
     }
-
-    const ips = ipAddresses.map((source) => source.ips).flat();
-
-    this.onlyAllowedIPAddresses = new IPMatcher(ips);
   }
 
   updateOnlyAllowedIPAddresses(ipAddresses: IPList[]) {
@@ -146,13 +152,15 @@ export class ServiceConfig {
    * Returns true if only some IP addresses are allowed to access the service, e.g. if a geoip country allowlist is set.
    */
   shouldOnlyAllowSomeIPAddresses() {
-    return this.onlyAllowedIPAddresses !== undefined;
+    return this.onlyAllowedIPAddresses.length > 0;
   }
 
-  isOnlyAllowedIPAddress(ip: string) {
-    return this.onlyAllowedIPAddresses
-      ? this.onlyAllowedIPAddresses.has(ip)
-      : false;
+  isOnlyAllowedIPAddress(ip: string): { allowed: boolean } {
+    const allowlist = this.onlyAllowedIPAddresses.find((list) =>
+      list.allowlist.has(ip)
+    );
+
+    return { allowed: !!allowlist };
   }
 
   updateConfig(

library/sources/http-server/checkIfRequestIsBlocked.ts

@@ -53,7 +53,7 @@ export function checkIfRequestIsBlocked(
     context.remoteAddress &&
     agent.getConfig().shouldOnlyAllowSomeIPAddresses() &&
     !isPrivateIP(context.remoteAddress) &&
-    !agent.getConfig().isOnlyAllowedIPAddress(context.remoteAddress)
+    !agent.getConfig().isOnlyAllowedIPAddress(context.remoteAddress).allowed
   ) {
     res.statusCode = 403;
     res.setHeader("Content-Type", "text/plain");