Update whitelisting logic and tests for IP allowlists

tudor-timcu · tudor-timcu · commit c97b628c76dd · 2026-03-23T09:56:39.000Z
Modified the `should_whitelist_request` documentation to clarify that the request IP must be in the endpoint allowlist. Updated the request processing logic to use `IsEndpointIpWhitelisted` for checking IPs against the endpoint allowlist. Refactored the context to store the allowlist status as an integer. Enhanced tests to validate multiple IPs in the global allowlist and adjusted assertions accordingly.
diff --git a/docs/should_whitelist_request.md b/docs/should_whitelist_request.md
@@ -22,7 +22,7 @@ Returns an `AikidoWhitelistRequestStatus` object with the following properties:
 
 The function checks three conditions in order. The first match wins:
 
-1. **`endpoint-allowlist`** — The endpoint has a route-level IP allowlist configured and the request IP is not in it. This indicates that IP-based access control is active for this route.
+1. **`endpoint-allowlist`** — The endpoint has a route-level IP allowlist configured and the request IP is in it. This indicates that IP-based access control is active for this route.
 2. **`bypassed`** — The request IP is in the global firewall bypass list.
 3. **`allowlist`** — The request IP is found in the global allowed IP list.
 
diff --git a/lib/request-processor/context/cache.go b/lib/request-processor/context/cache.go
@@ -299,9 +299,7 @@ func ContextSetIsEndpointIpAllowed(instance *instance.RequestProcessorInstance)
 		}
 	}
 
-	isEndpointIpAllowedBool := isEndpointIpAllowed != utils.NotFound
-
-	c.IsEndpointIpAllowed = &isEndpointIpAllowedBool
+	c.IsEndpointIpAllowed = &isEndpointIpAllowed
 }
 
 func ContextSetIsEndpointRateLimited(instance *instance.RequestProcessorInstance) {
diff --git a/lib/request-processor/context/request_context.go b/lib/request-processor/context/request_context.go
@@ -7,6 +7,7 @@ import (
 	"main/globals"
 	"main/instance"
 	"main/log"
+	"main/utils"
 	"unsafe"
 )
 
@@ -29,7 +30,7 @@ type RequestContextData struct {
 	IsEndpointConfigured          *bool
 	IsEndpointRateLimitingEnabled *bool
 	IsEndpointProtectionTurnedOff *bool
-	IsEndpointIpAllowed           *bool
+	IsEndpointIpAllowed           *int
 	IsEndpointRateLimited         bool
 	UserAgent                     *string
 	UserId                        *string
@@ -247,5 +248,10 @@ func IsEndpointRateLimitingEnabled(instance *instance.RequestProcessorInstance)
 
 func IsEndpointIpAllowed(instance *instance.RequestProcessorInstance) bool {
 	ctx := GetContext(instance)
-	return GetFromCache(instance, ContextSetIsEndpointIpAllowed, &ctx.IsEndpointIpAllowed)
+	return GetFromCache(instance, ContextSetIsEndpointIpAllowed, &ctx.IsEndpointIpAllowed) != utils.NotFound
+}
+
+func IsEndpointIpWhitelisted(instance *instance.RequestProcessorInstance) bool {
+	ctx := GetContext(instance)
+	return GetFromCache(instance, ContextSetIsEndpointIpAllowed, &ctx.IsEndpointIpAllowed) == utils.Found
 }
diff --git a/lib/request-processor/handle_blocking_request.go b/lib/request-processor/handle_blocking_request.go
@@ -164,7 +164,7 @@ func OnGetWhitelistedStatus(instance *instance.RequestProcessorInstance) string
 	log.Debugf(instance, "OnGetWhitelistedStatus called!")
 	ip := context.GetIp(instance)
 
-	if !context.IsEndpointIpAllowed(instance) {
+	if context.IsEndpointIpWhitelisted(instance) {
 		return GetAction("whitelisted", "endpoint-allowlist", "ip", "IP is configured in the route's allowlist", ip, 0)
 	}
 
diff --git a/tests/server/test_whitelist_endpoint_allowlist/test.py b/tests/server/test_whitelist_endpoint_allowlist/test.py
@@ -15,13 +15,13 @@
 
 
 def run_test():
-    response = php_server_get("/test", headers={"X-Forwarded-For": "185.245.255.211"})
+    response = php_server_get("/test", headers={"X-Forwarded-For": "185.245.255.212"})
     assert_response_code_is(response, 200)
     assert_response_body_contains(response, "whitelisted=true;")
     assert_response_body_contains(response, "type=endpoint-allowlist;")
     assert_response_body_contains(response, "trigger=ip;")
     assert_response_body_contains(response, "description=IP is configured in the route&#39;s allowlist;")
-    assert_response_body_contains(response, "ip=185.245.255.211;")
+    assert_response_body_contains(response, "ip=185.245.255.212;")
     assert_response_body_contains(response, "Something!")
 
 
diff --git a/tests/server/test_whitelist_global_allowlist/start_config.json b/tests/server/test_whitelist_global_allowlist/start_config.json
@@ -10,7 +10,7 @@
             "key": "manual",
             "source": "manual",
             "description": "Manually allowed IPs",
-            "ips": ["185.245.255.211"]
+            "ips": ["185.245.255.211", "185.245.255.214"]
         }
     ],
     "receivedAnyStats": true
diff --git a/tests/server/test_whitelist_global_allowlist/test.py b/tests/server/test_whitelist_global_allowlist/test.py
@@ -7,23 +7,32 @@
 Test that should_whitelist_request returns whitelisted=true with type=allowlist
 when the request IP is found in the global allowed IP list.
 
-The IP 185.245.255.211 is in lists_allowedIPAddresses with description "Manually allowed IPs".
-It is not bypassed and no endpoint-level allowlist is configured.
-The allowlist check is the third condition in OnGetWhitelistedStatus.
+Both 185.245.255.211 and 185.245.255.214 are in lists_allowedIPAddresses with
+description "Manually allowed IPs". Multiple requests from both IPs should all
+return whitelisted=true. No bypass and no endpoint-level allowlist is configured.
 '''
 
 
-def run_test():
-    response = php_server_get("/test", headers={"X-Forwarded-For": "185.245.255.211"})
+def assert_whitelisted_for_ip(ip):
+    response = php_server_get("/test", headers={"X-Forwarded-For": ip})
     assert_response_code_is(response, 200)
     assert_response_body_contains(response, "whitelisted=true;")
     assert_response_body_contains(response, "type=allowlist;")
     assert_response_body_contains(response, "trigger=ip;")
     assert_response_body_contains(response, "description=IP is part of allowlist: Manually allowed IPs;")
-    assert_response_body_contains(response, "ip=185.245.255.211;")
+    assert_response_body_contains(response, f"ip={ip};")
     assert_response_body_contains(response, "Something!")
 
 
+def run_test():
+    assert_whitelisted_for_ip("185.245.255.211")
+    assert_whitelisted_for_ip("185.245.255.214")
+    assert_whitelisted_for_ip("185.245.255.211")
+    assert_whitelisted_for_ip("185.245.255.214")
+    assert_whitelisted_for_ip("185.245.255.214")
+    assert_whitelisted_for_ip("185.245.255.211")
+
+
 if __name__ == "__main__":
     load_test_args()
     run_test()

Original file line number	Diff line number	Diff line change
`@@ -299,9 +299,7 @@ func ContextSetIsEndpointIpAllowed(instance *instance.RequestProcessorInstance)`
`299`	`299`	`}`
`300`	`300`	`}`
`301`	`301`
`302`		`- isEndpointIpAllowedBool := isEndpointIpAllowed != utils.NotFound`
`303`		`-`
`304`		`- c.IsEndpointIpAllowed = &isEndpointIpAllowedBool`
	`302`	`+ c.IsEndpointIpAllowed = &isEndpointIpAllowed`
`305`	`303`	`}`
`306`	`304`
`307`	`305`	`func ContextSetIsEndpointRateLimited(instance *instance.RequestProcessorInstance) {`
Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ func OnGetWhitelistedStatus(instance *instance.RequestProcessorInstance) string`
`164`	`164`	`log.Debugf(instance, "OnGetWhitelistedStatus called!")`
`165`	`165`	`ip := context.GetIp(instance)`
`166`	`166`
`167`		`- if !context.IsEndpointIpAllowed(instance) {`
	`167`	`+ if context.IsEndpointIpWhitelisted(instance) {`
`168`	`168`	`return GetAction("whitelisted", "endpoint-allowlist", "ip", "IP is configured in the route's allowlist", ip, 0)`
`169`	`169`	`}`
`170`	`170`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`"key": "manual",`
`11`	`11`	`"source": "manual",`
`12`	`12`	`"description": "Manually allowed IPs",`
`13`		`- "ips": ["185.245.255.211"]`
	`13`	`+ "ips": ["185.245.255.211", "185.245.255.214"]`
`14`	`14`	`}`
`15`	`15`	`],`
`16`	`16`	`"receivedAnyStats": true`