Merge pull request #194 from AikidoSec/allow-country

Added support for allowed lists

Author: tudor-timcu

.github/workflows/build.yml

@@ -13,7 +13,7 @@ jobs:
   build_libs:
     runs-on: ${{ matrix.os }}
     container:
-      image: ubuntu:20.04
+      image: ubuntu:22.04
     strategy:
       matrix:
         os: [ ubuntu-24.04 ]
@@ -92,7 +92,7 @@ jobs:
 
   build_php_extension:
     runs-on: ${{ matrix.os }}
-    container: ubuntu:20.04
+    container: ubuntu:22.04
     strategy:
       matrix:
         php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
@@ -123,7 +123,7 @@ jobs:
         echo "AIKIDO_ARTIFACT=aikido-extension-php-${{ matrix.php_version }}" >> $GITHUB_ENV
 
     - name: Setup PHP
-      uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2 # v2
+      uses: shivammathur/setup-php@27853eb8b46dc01c33bf9fef67d98df2683c3be2 # v2
       with:
         php-version: ${{ matrix.php_version }}
         extensions: curl
@@ -163,7 +163,7 @@ jobs:
   build_rpm:
     runs-on: ${{ matrix.os }}
     container:
-      image: centos:8
+      image: quay.io/centos/centos:stream9
     strategy:
       matrix:
         os: ['ubuntu-24.04']
@@ -175,9 +175,6 @@ jobs:
 
       - name: Install rpmdevtools
         run: |
-          cd /etc/yum.repos.d/
-          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
-          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
           yum -y install epel-release
           yum -y install rpmdevtools
           yum -y install jq
@@ -260,7 +257,7 @@ jobs:
   build_deb:
     runs-on: ${{ matrix.os }}
     container:
-      image: ubuntu:20.04
+      image: ubuntu:22.04
     strategy:
       matrix:
         os: [ ubuntu-24.04 ]
@@ -328,11 +325,11 @@ jobs:
   test_php_centos:
     runs-on: ${{ matrix.os }}
     container:
-      image: centos:8
+      image: quay.io/centos/centos:stream9
     needs: [ build_rpm ]
     strategy:
       matrix:
-        php_version: ['7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+        php_version: ['7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
         server: ['nginx-php-fpm', 'apache-mod-php', 'php-built-in']
         os: ['ubuntu-24.04']
       fail-fast: false
@@ -344,11 +341,8 @@ jobs:
         run: |
           uname -a
           cat /etc/centos-release
-          cd /etc/yum.repos.d/
-          sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
-          sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
           yum install -y yum-utils
-          yum install -y https://rpms.remirepo.net/enterprise/remi-release-8.4.rpm
+          dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
           yum install -y gcc
           yum install -y python3-devel
           pip3 install flask
@@ -361,6 +355,7 @@ jobs:
           yum install -y mod_php
           yum install -y nginx
           yum install -y php-fpm
+          dnf install -y procps-ng
 
       - name: Get Arch
         run: echo "ARCH=$(uname -m)" >> $GITHUB_ENV
@@ -448,7 +443,7 @@ jobs:
           a2enmod rewrite
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2
+        uses: shivammathur/setup-php@27853eb8b46dc01c33bf9fef67d98df2683c3be2
         with:
           php-version: ${{ matrix.php_version }}
           extensions: curl, sqlite3

lib/agent/aikido_types/init_data.go

@@ -59,13 +59,15 @@ type CloudConfigData struct {
 	ReceivedAnyStats      bool       `json:"receivedAnyStats"`
 	Block                 *bool      `json:"block,omitempty"`
 	BlockedIpsList        map[string]IpBlocklist
+	AllowedIpsList        map[string]IpBlocklist
 	BlockedUserAgents     string
 	MonitoredIpsList      map[string]IpBlocklist
 	MonitoredUserAgents   string
 	UserAgentDetails      map[string]string
 }
 
-type BlockedIpsData struct {
+type IpsData struct {
+	Key         string   `json:"key"`
 	Source      string   `json:"source"`
 	Description string   `json:"description"`
 	Ips         []string `json:"ips"`
@@ -79,9 +81,10 @@ type UserAgentDetails struct {
 type ListsConfigData struct {
 	Success              bool               `json:"success"`
 	ServiceId            int                `json:"serviceId"`
-	BlockedIpAddresses   []BlockedIpsData   `json:"blockedIPAddresses"`
+	BlockedIpAddresses   []IpsData          `json:"blockedIPAddresses"`
+	AllowedIpAddresses   []IpsData          `json:"allowedIPAddresses"`
 	BlockedUserAgents    string             `json:"blockedUserAgents"`
-	MonitoredIpAddresses []BlockedIpsData   `json:"monitoredIpAddresses"`
+	MonitoredIpAddresses []IpsData          `json:"monitoredIpAddresses"`
 	MonitoredUserAgents  string             `json:"monitoredUserAgents"`
 	UserAgentDetails     []UserAgentDetails `json:"userAgentDetails"`
 }

lib/agent/cloud/common.go

@@ -123,10 +123,10 @@ func ApplyCloudConfig() {
 	UpdateRateLimitingConfig()
 }
 
-func UpdateIpsLists(BlockedIps []BlockedIpsData) map[string]IpBlocklist {
+func UpdateIpsLists(ipLists []IpsData) map[string]IpBlocklist {
 	m := make(map[string]IpBlocklist)
-	for _, blockedIpsGroup := range BlockedIps {
-		m[blockedIpsGroup.Source] = IpBlocklist{Description: blockedIpsGroup.Description, Ips: blockedIpsGroup.Ips}
+	for _, ipList := range ipLists {
+		m[ipList.Key] = IpBlocklist{Description: ipList.Description, Ips: ipList.Ips}
 	}
 	return m
 }
@@ -147,6 +147,7 @@ func UpdateListsConfig() bool {
 
 	CloudConfig.BlockedIpsList = UpdateIpsLists(tempListsConfig.BlockedIpAddresses)
 	CloudConfig.MonitoredIpsList = UpdateIpsLists(tempListsConfig.MonitoredIpAddresses)
+	CloudConfig.AllowedIpsList = UpdateIpsLists(tempListsConfig.AllowedIpAddresses)
 
 	CloudConfig.BlockedUserAgents = tempListsConfig.BlockedUserAgents
 	CloudConfig.MonitoredUserAgents = tempListsConfig.MonitoredUserAgents
@@ -166,7 +167,7 @@ func StoreCloudConfig(configReponse []byte) bool {
 	tempCloudConfig := CloudConfigData{}
 	err := json.Unmarshal(configReponse, &tempCloudConfig)
 	if err != nil {
-		log.Warnf("Failed to unmarshal cloud config!")
+		log.Warnf("Failed to unmarshal cloud config: %v", err)
 		return false
 	}
 	if tempCloudConfig.ConfigUpdatedAt <= globals.CloudConfig.ConfigUpdatedAt {

lib/agent/go.sum

@@ -8,6 +8,7 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

lib/agent/grpc/request.go

@@ -251,10 +251,10 @@ func getRateLimitingStatus(method, route, routeParsed, user, ip string) *protos.
 	return &protos.RateLimitingStatus{Block: false}
 }
 
-func getIpsList(ipsList map[string]IpBlocklist) map[string]*protos.IpBlockList {
-	m := make(map[string]*protos.IpBlockList)
+func getIpsList(ipsList map[string]IpBlocklist) map[string]*protos.IpList {
+	m := make(map[string]*protos.IpList)
 	for ipBlocklistSource, ipBlocklist := range ipsList {
-		m[ipBlocklistSource] = &protos.IpBlockList{Description: ipBlocklist.Description, Ips: ipBlocklist.Ips}
+		m[ipBlocklistSource] = &protos.IpList{Description: ipBlocklist.Description, Ips: ipBlocklist.Ips}
 	}
 	return m
 }
@@ -274,6 +274,7 @@ func getCloudConfig(configUpdatedAt int64) *protos.CloudConfig {
 		BlockedUserIds:      globals.CloudConfig.BlockedUserIds,
 		BypassedIps:         globals.CloudConfig.BypassedIps,
 		BlockedIps:          getIpsList(globals.CloudConfig.BlockedIpsList),
+		AllowedIps:          getIpsList(globals.CloudConfig.AllowedIpsList),
 		BlockedUserAgents:   globals.CloudConfig.BlockedUserAgents,
 		MonitoredIps:        getIpsList(globals.CloudConfig.MonitoredIpsList),
 		MonitoredUserAgents: globals.CloudConfig.MonitoredUserAgents,

lib/ipc.proto

@@ -77,22 +77,24 @@ message CloudConfigUpdatedAt {
   int64 configUpdatedAt = 1;
 }
 
-message IpBlockList {
-  string description = 1;
-  repeated string ips = 2;
+message IpList {
+  string key = 1;
+  string description = 2;
+  repeated string ips = 3;
 }
 
 message CloudConfig {
   int64 configUpdatedAt = 1;
   repeated Endpoint endpoints = 2;
   repeated string blockedUserIds = 3;
   repeated string bypassedIps = 4;
-  map<string, IpBlockList> blockedIps = 5;
-  string blockedUserAgents = 6;
-  map<string, IpBlockList> monitoredIps = 7;
-  string monitoredUserAgents = 8;
-  map<string, string> userAgentDetails = 9;
-  bool block = 10;
+  map<string, IpList> blockedIps = 5;
+  map<string, IpList> allowedIps = 6;
+  string blockedUserAgents = 7;
+  map<string, IpList> monitoredIps = 8;
+  string monitoredUserAgents = 9;
+  map<string, string> userAgentDetails = 10;
+  bool block = 11;
 }
 
 message RateLimitingStatus {

lib/request-processor/aikido_types/config.go

@@ -46,7 +46,8 @@ type EndpointKey struct {
 	Route  string
 }
 
-type IpBlockList struct {
+type IpList struct {
+	Key         string
 	Description string
 	IpSet       netipx.IPSet
 }
@@ -57,9 +58,10 @@ type CloudConfigData struct {
 	WildcardEndpoints   map[string][]WildcardEndpointData
 	BlockedUserIds      map[string]bool
 	BypassedIps         *netipx.IPSet
-	BlockedIps          map[string]IpBlockList
+	BlockedIps          map[string]IpList
+	AllowedIps          map[string]IpList
 	BlockedUserAgents   *regexp.Regexp
-	MonitoredIps        map[string]IpBlockList
+	MonitoredIps        map[string]IpList
 	MonitoredUserAgents *regexp.Regexp
 	UserAgentDetails    map[string]*regexp.Regexp
 	Block               int

lib/request-processor/context/cache.go

@@ -215,22 +215,19 @@ func ContextSetIsEndpointIpAllowed() {
 
 	endpointConfig := GetEndpointConfig()
 	if endpointConfig != nil {
-		isEndpointIpAllowed = utils.IsIpAllowed(endpointConfig.AllowedIPAddresses, ip)
+		isEndpointIpAllowed = utils.IsIpAllowedOnEndpoint(endpointConfig.AllowedIPAddresses, ip)
 	}
 
 	if isEndpointIpAllowed == utils.NoConfig {
 		for _, wildcardEndpointConfig := range GetWildcardEndpointsConfig() {
-			isEndpointIpAllowed = utils.IsIpAllowed(wildcardEndpointConfig.AllowedIPAddresses, ip)
+			isEndpointIpAllowed = utils.IsIpAllowedOnEndpoint(wildcardEndpointConfig.AllowedIPAddresses, ip)
 			if isEndpointIpAllowed != utils.NoConfig {
 				break
 			}
 		}
 	}
 
-	isEndpointIpAllowedBool := true
-	if isEndpointIpAllowed == utils.NotAllowed {
-		isEndpointIpAllowedBool = false
-	}
+	isEndpointIpAllowedBool := isEndpointIpAllowed != utils.NotFound
 
 	Context.IsEndpointIpAllowed = &isEndpointIpAllowedBool
 }

lib/request-processor/grpc/client.go

@@ -211,15 +211,20 @@ func OnMiddlewareInstalled() {
 	log.Debugf("OnMiddlewareInstalled sent via socket")
 }
 
-func OnMonitoredIpMatch(lists []string) {
+func OnMonitoredIpMatch(lists []utils.IpListMatch) {
 	if client == nil || len(lists) == 0 {
 		return
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	_, err := client.OnMonitoredIpMatch(ctx, &protos.MonitoredIpMatch{Lists: lists})
+	protosLists := []string{}
+	for _, list := range lists {
+		protosLists = append(protosLists, list.Key)
+	}
+
+	_, err := client.OnMonitoredIpMatch(ctx, &protos.MonitoredIpMatch{Lists: protosLists})
 	if err != nil {
 		log.Warnf("Could not call OnMonitoredIpMatch")
 		return

lib/request-processor/grpc/config.go

@@ -17,6 +17,19 @@ var (
 	cloudConfigTicker = time.NewTicker(1 * time.Minute)
 )
 
+func buildIpList(cloudIpList map[string]*protos.IpList) map[string]IpList {
+	ipList := map[string]IpList{}
+	for ipListKey, protoIpList := range cloudIpList {
+		ipSet, err := utils.BuildIpList(protoIpList.Description, protoIpList.Ips)
+		if err != nil {
+			log.Errorf("Error building IP list: %s\n", err)
+			continue
+		}
+		ipList[ipListKey] = *ipSet
+	}
+	return ipList
+}
+
 func getEndpointData(ep *protos.Endpoint) EndpointData {
 	allowedIPSet, err := utils.BuildIpSet(ep.AllowedIPAddresses)
 	if err != nil {
@@ -50,19 +63,6 @@ func storeWildcardEndpointConfig(ep *protos.Endpoint) {
 	globals.CloudConfig.WildcardEndpoints[ep.Method] = append(wildcardRoutes, WildcardEndpointData{RouteRegex: wildcardRouteCompiled, Data: getEndpointData(ep)})
 }
 
-func buildIpListFromProto(monitoredIpsList map[string]*protos.IpBlockList) map[string]IpBlockList {
-	m := map[string]IpBlockList{}
-	for ipBlocklistSource, ipBlocklist := range monitoredIpsList {
-		ipBlocklist, err := utils.BuildIpBlocklist(ipBlocklistSource, ipBlocklist.Description, ipBlocklist.Ips)
-		if err != nil {
-			log.Errorf("Error building IP blocklist: %s\n", err)
-			continue
-		}
-		m[ipBlocklistSource] = *ipBlocklist
-	}
-	return m
-}
-
 func buildUserAgentsRegexpFromProto(userAgents string) *regexp.Regexp {
 	if userAgents == "" {
 		return nil
@@ -121,12 +121,14 @@ func setCloudConfig(cloudConfigFromAgent *protos.CloudConfig) {
 		globals.CloudConfig.Block = 0
 	}
 
-	globals.CloudConfig.BlockedIps = buildIpListFromProto(cloudConfigFromAgent.BlockedIps)
-	globals.CloudConfig.MonitoredIps = buildIpListFromProto(cloudConfigFromAgent.MonitoredIps)
+	globals.CloudConfig.BlockedIps = buildIpList(cloudConfigFromAgent.BlockedIps)
+	globals.CloudConfig.MonitoredIps = buildIpList(cloudConfigFromAgent.MonitoredIps)
 
 	globals.CloudConfig.BlockedUserAgents = buildUserAgentsRegexpFromProto(cloudConfigFromAgent.BlockedUserAgents)
 	globals.CloudConfig.MonitoredUserAgents = buildUserAgentsRegexpFromProto(cloudConfigFromAgent.MonitoredUserAgents)
 
+	globals.CloudConfig.AllowedIps = buildIpList(cloudConfigFromAgent.AllowedIps)
+
 	globals.CloudConfig.UserAgentDetails = buildUserAgentDetailsFromProto(cloudConfigFromAgent.UserAgentDetails)
 
 	// Force garbage collection to ensure that the IP blocklists temporary memory is released ASAP