Add new configuration option to allow specific ip addresses

Author: PascalMinder

geoblock.go

@@ -41,6 +41,7 @@ type Config struct {
 	UnknownCountryAPIResponse string   `yaml:"unknownCountryApiResponse"`
 	BlackListMode             bool     `yaml:"blacklist"`
 	Countries                 []string `yaml:"countries,omitempty"`
+	AllowedIPAddresses        []string `yaml:"allowedIPAddresses,omitempty"`
 }
 
 type ipEntry struct {
@@ -67,6 +68,7 @@ type GeoBlock struct {
 	unknownCountryCode    string
 	blackListMode         bool
 	countries             []string
+	allowedIPAddresses    []net.IP
 	privateIPRanges       []*net.IPNet
 	database              *lru.LRUCache
 	name                  string
@@ -86,6 +88,15 @@ func New(_ context.Context, next http.Handler, config *Config, name string) (htt
 		config.APITimeoutMs = 750
 	}
 
+	allowedIPAddresses := make([]net.IP, len(config.AllowedIPAddresses))
+	for idx, ipAddressEntry := range config.AllowedIPAddresses {
+		ipAddress := net.ParseIP(ipAddressEntry)
+		if ipAddress == nil {
+			infoLogger.Fatal("Invalid ip address given!")
+		}
+		allowedIPAddresses[idx] = ipAddress
+	}
+
 	infoLogger.SetOutput(os.Stdout)
 
 	infoLogger.Printf("allow local IPs: %t", config.AllowLocalRequests)
@@ -119,6 +130,7 @@ func New(_ context.Context, next http.Handler, config *Config, name string) (htt
 		unknownCountryCode:    config.UnknownCountryAPIResponse,
 		blackListMode:         config.BlackListMode,
 		countries:             config.Countries,
+		allowedIPAddresses:    allowedIPAddresses,
 		privateIPRanges:       initPrivateIPBlocks(),
 		database:              cache,
 		name:                  name,
@@ -155,6 +167,14 @@ func (a *GeoBlock) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			return
 		}
 
+		if ipInSlice(*ipAddress, a.allowedIPAddresses) {
+			if a.logLocalRequests {
+				infoLogger.Println("Allow explicitly allowed ip: ", ipAddress)
+			}
+			a.next.ServeHTTP(rw, req)
+			return
+		}
+
 		cacheEntry, ok := a.database.Get(ipAddressString)
 
 		if !ok {
@@ -307,6 +327,15 @@ func stringInSlice(a string, list []string) bool {
 	return false
 }
 
+func ipInSlice(a net.IP, list []net.IP) bool {
+	for _, b := range list {
+		if b.Equal(a) {
+			return true
+		}
+	}
+	return false
+}
+
 func parseIP(addr string) (net.IP, error) {
 	ipAddress := net.ParseIP(addr)
 

geoblock_test.go

@@ -392,6 +392,61 @@ func TestInvalidApiResponse(t *testing.T) {
 	assertStatusCode(t, recorder.Result(), http.StatusForbidden)
 }
 
+func TestExplicitlyAllowedIP(t *testing.T) {
+	cfg := createTesterConfig()
+	cfg.Countries = append(cfg.Countries, "CH")
+	cfg.AllowedIPAddresses = append(cfg.AllowedIPAddresses, caExampleIP)
+	cfg.LogLocalRequests = true
+
+	ctx := context.Background()
+	next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {})
+
+	handler, err := geoblock.New(ctx, next, cfg, "GeoBlock")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	recorder := httptest.NewRecorder()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Add(xForwardedFor, caExampleIP)
+
+	handler.ServeHTTP(recorder, req)
+
+	assertStatusCode(t, recorder.Result(), http.StatusOK)
+}
+
+func TestExplicitlyAllowedIPNoMatch(t *testing.T) {
+	cfg := createTesterConfig()
+	cfg.Countries = append(cfg.Countries, "CA")
+	cfg.AllowedIPAddresses = append(cfg.AllowedIPAddresses, caExampleIP)
+
+	ctx := context.Background()
+	next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {})
+
+	handler, err := geoblock.New(ctx, next, cfg, "GeoBlock")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	recorder := httptest.NewRecorder()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Add(xForwardedFor, chExampleIP)
+
+	handler.ServeHTTP(recorder, req)
+
+	assertStatusCode(t, recorder.Result(), http.StatusForbidden)
+}
+
 func assertStatusCode(t *testing.T, req *http.Response, expected int) {
 	t.Helper()
 

readme.md

@@ -479,3 +479,7 @@ When set to `true` the filter logic is inverted, i.e. requests originating from
 ### Countries `countries`
 
 A list of country codes from which connections to the service should be allowed. Logic can be inverted by using the [`blackListMode`](#back-list-mode-blacklistmode).
+
+### Allowed IP addresses `allowedIPAddresses`
+
+A list of explicitly allowed IP addresses. IP addresses added to this list will always be allowed.