Merge pull request #5 from sproutmaster/v1.0.1

V1.0.1

Author: sproutmaster

.traefik.yml

@@ -6,9 +6,10 @@ import: github.com/sproutmaster/TraefikIPRules
 summary: "Plugin to manage IP allow/deny rules"
 
 testData:
-  denyList:
+  deny:
     - "192.168.1.0/24"  # Deny a subnet
     - "10.0.0.1"        # Deny a specific IP
-  allowList:
+  allow:
     - "192.168.2.0/24"  # Allow a subnet
     - "10.0.0.2"        # Allow a specific IP
+  precedence: "deny"

README.md

@@ -1,7 +1,7 @@
 # Traefik IP Rules
 
-IPRules is a middleware plugin which accepts IP addresses or IP address ranges, and accepts or blocks requests
-originating from those IPs.
+IPRules is a middleware plugin which accepts or blocks requests originating from those IPs based on an IP address, range
+or subnet.
 
 ## How to use (Kubernetes CRD)
 
@@ -11,32 +11,36 @@ originating from those IPs.
    # helm-values.yaml
    experimental:
       plugins:
-         ipRule:
+         iprules:
             moduleName: "github.com/sproutmaster/TraefikIPRules"
-            version: "v1.0.0"
+            version: "v1.0.1"
    ```
-   
+
 2. Configure Middleware
    ```yaml
    # middleware.yaml
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
     kind: Middleware
     metadata:
       name: ip-filter
     spec:
       plugin:
-        ipRule:
-          denyList:
-            - "192.168.1.0/24"
-          allowList:
-            - "0.0.0.0/0"
+        iprules:
+          allow:
+           - "192.168.1.1"                    # Single IP
+           - "10.0.0.0/8"                     # CIDR range
+           - "172.16.1.1-172.16.1.255"        # IP range
+          deny:
+           - "192.168.1.100-192.168.1.200"    # Block this IP range
+           - "10.0.1.0/24"                    # Block this subnet
+          precedence: "deny"                  # deny first
      ```
-   
+
 3. Reference it in ingressRoute
 
     ```yaml
     # ingress-route.yaml
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
     kind: IngressRoute
     metadata:
       name: my-ing
@@ -52,4 +56,14 @@ originating from those IPs.
         middlewares:
           - name: ip-filter
       ```
-   
+
+## How to use (Docker Labels)
+
+```yaml
+ labels:
+   - "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.allow=192.168.1.1"
+   - "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.allow=10.0.0.0/8"
+   - "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.allow=172.16.1.1-172.16.1.255"
+   - "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.deny=192.168.1.100-192.168.1.200"
+   - "traefik.http.middlewares.iprules.plugin.traefik-ip-rules.precedence=deny"
+```

TraefikIPRules.go

@@ -2,75 +2,159 @@ package TraefikIPRules
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"net/http"
 	"strings"
 )
 
 type Config struct {
-	DenyList  []string `json:"denyList,omitempty"`
-	AllowList []string `json:"allowList,omitempty"`
+	Deny       []string `json:"deny,omitempty"`
+	Allow      []string `json:"allow,omitempty"`
+	Precedence string   `json:"precedence,omitempty"` // "allow" or "deny"
+}
+
+type ipRange struct {
+	start net.IP
+	end   net.IP
 }
 
 func CreateConfig() *Config {
 	return &Config{
-		DenyList:  make([]string, 0),
-		AllowList: make([]string, 0),
+		Deny:       make([]string, 0),
+		Allow:      make([]string, 0),
+		Precedence: "deny", // Default to deny
 	}
 }
 
 type IPProcessor struct {
-	next       http.Handler
-	name       string
-	denyCIDRs  []*net.IPNet
-	denyIPs    []net.IP
-	allowCIDRs []*net.IPNet
-	allowIPs   []net.IP
+	next        http.Handler
+	name        string
+	denyCIDRs   []*net.IPNet
+	denyIPs     []net.IP
+	denyRanges  []ipRange
+	allowCIDRs  []*net.IPNet
+	allowIPs    []net.IP
+	allowRanges []ipRange
+	precedence  string
+}
+
+func parseIPRange(ipRangeStr string) (*ipRange, error) {
+	parts := strings.Split(ipRangeStr, "-")
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("invalid IP range format: %s", ipRangeStr)
+	}
+
+	start := net.ParseIP(strings.TrimSpace(parts[0]))
+	end := net.ParseIP(strings.TrimSpace(parts[1]))
+
+	if start == nil || end == nil {
+		return nil, fmt.Errorf("invalid IP address in range: %s", ipRangeStr)
+	}
+
+	if start.To4() == nil || end.To4() == nil {
+		return nil, fmt.Errorf("only IPv4 ranges are supported: %s", ipRangeStr)
+	}
+
+	for i := 0; i < len(start.To4()); i++ {
+		if start.To4()[i] > end.To4()[i] {
+			return nil, fmt.Errorf("invalid range: start IP must be less than end IP")
+		}
+		if start.To4()[i] < end.To4()[i] {
+			break
+		}
+	}
+
+	return &ipRange{
+		start: start.To4(),
+		end:   end.To4(),
+	}, nil
+}
+
+func (r *ipRange) IPRangeContains(ip net.IP) bool {
+	if ip.To4() == nil {
+		return false
+	}
+
+	ip = ip.To4()
+	for i := 0; i < 4; i++ {
+		if ip[i] < r.start[i] || ip[i] > r.end[i] {
+			return false
+		}
+		if ip[i] > r.start[i] || ip[i] < r.end[i] {
+			break
+		}
+	}
+	return true
 }
 
 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
+	if config.Precedence != "" && config.Precedence != "allow" && config.Precedence != "deny" {
+		return nil, fmt.Errorf("invalid precedence value: %s. Must be either 'allow' or 'deny'", config.Precedence)
+	}
+
 	processor := &IPProcessor{
-		next: next,
-		name: name,
+		next:       next,
+		name:       name,
+		precedence: config.Precedence,
 	}
 
 	// Process deny rules
-	for _, rule := range config.DenyList {
+	for _, rule := range config.Deny {
+		// Try parsing as a single IP
 		if ip := net.ParseIP(rule); ip != nil {
 			processor.denyIPs = append(processor.denyIPs, ip)
 			continue
 		}
 
+		// Try parsing as CIDR
 		_, network, err := net.ParseCIDR(rule)
-		if err != nil {
-			return nil, err
+		if err == nil {
+			processor.denyCIDRs = append(processor.denyCIDRs, network)
+			continue
 		}
-		processor.denyCIDRs = append(processor.denyCIDRs, network)
+
+		// Try parsing as IP range
+		ipRange, err := parseIPRange(rule)
+		if err == nil {
+			processor.denyRanges = append(processor.denyRanges, *ipRange)
+			continue
+		}
+
+		return nil, fmt.Errorf("invalid IP, CIDR, or range in deny list: %s", rule)
 	}
 
 	// Process allow rules
-	for _, rule := range config.AllowList {
+	for _, rule := range config.Allow {
+		// Try parsing as a single IP
 		if ip := net.ParseIP(rule); ip != nil {
 			processor.allowIPs = append(processor.allowIPs, ip)
 			continue
 		}
 
+		// Try parsing as CIDR
 		_, network, err := net.ParseCIDR(rule)
-		if err != nil {
-			return nil, err
+		if err == nil {
+			processor.allowCIDRs = append(processor.allowCIDRs, network)
+			continue
 		}
-		processor.allowCIDRs = append(processor.allowCIDRs, network)
+
+		// Try parsing as IP range
+		ipRange, err := parseIPRange(rule)
+		if err == nil {
+			processor.allowRanges = append(processor.allowRanges, *ipRange)
+			continue
+		}
+
+		return nil, fmt.Errorf("invalid IP, CIDR, or range in allow list: %s", rule)
 	}
 
 	return processor, nil
 }
 
-// getIP extracts the client IP from the request
 func (p *IPProcessor) getIP(req *http.Request) net.IP {
-	// First try X-Forwarded-For header
 	xff := req.Header.Get("X-Forwarded-For")
 	if xff != "" {
-		// Get the first IP in the chain
 		ips := strings.Split(xff, ",")
 		if len(ips) > 0 {
 			if ip := net.ParseIP(strings.TrimSpace(ips[0])); ip != nil {
@@ -79,10 +163,8 @@ func (p *IPProcessor) getIP(req *http.Request) net.IP {
 		}
 	}
 
-	// Fall back to RemoteAddr
 	host, _, err := net.SplitHostPort(req.RemoteAddr)
 	if err != nil {
-		// Try RemoteAddr as-is
 		if ip := net.ParseIP(req.RemoteAddr); ip != nil {
 			return ip
 		}
@@ -92,53 +174,84 @@ func (p *IPProcessor) getIP(req *http.Request) net.IP {
 	return net.ParseIP(host)
 }
 
-func (p *IPProcessor) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
-	// Get client IP
-	clientIP := p.getIP(req)
-	if clientIP == nil {
-		http.Error(rw, "Invalid IP address", http.StatusForbidden)
-		return
-	}
-
-	// Check deny rules first
+func (p *IPProcessor) checkIPInDenyList(clientIP net.IP) bool {
 	for _, denyIP := range p.denyIPs {
 		if denyIP.Equal(clientIP) {
-			http.Error(rw, "Access denied", http.StatusForbidden)
-			return
+			return true
 		}
 	}
 
 	for _, denyCIDR := range p.denyCIDRs {
 		if denyCIDR.Contains(clientIP) {
-			http.Error(rw, "Access denied", http.StatusForbidden)
-			return
+			return true
 		}
 	}
 
-	// If there are allow rules, the IP must match at least one
-	if len(p.allowIPs) > 0 || len(p.allowCIDRs) > 0 {
-		allowed := false
+	for _, denyRange := range p.denyRanges {
+		if denyRange.IPRangeContains(clientIP) {
+			return true
+		}
+	}
 
-		for _, allowIP := range p.allowIPs {
-			if allowIP.Equal(clientIP) {
-				allowed = true
-				break
-			}
+	return false
+}
+
+func (p *IPProcessor) checkIPInAllowList(clientIP net.IP) bool {
+	if len(p.allowIPs) == 0 && len(p.allowCIDRs) == 0 && len(p.allowRanges) == 0 {
+		return false
+	}
+
+	for _, allowIP := range p.allowIPs {
+		if allowIP.Equal(clientIP) {
+			return true
 		}
+	}
 
-		if !allowed {
-			for _, allowCIDR := range p.allowCIDRs {
-				if allowCIDR.Contains(clientIP) {
-					allowed = true
-					break
-				}
-			}
+	for _, allowCIDR := range p.allowCIDRs {
+		if allowCIDR.Contains(clientIP) {
+			return true
+		}
+	}
+
+	for _, allowRange := range p.allowRanges {
+		if allowRange.IPRangeContains(clientIP) {
+			return true
 		}
+	}
+
+	return false
+}
 
-		if !allowed {
-			http.Error(rw, "Access denied", http.StatusForbidden)
-			return
+func (p *IPProcessor) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	clientIP := p.getIP(req)
+	if clientIP == nil {
+		http.Error(rw, "Invalid IP address", http.StatusForbidden)
+		return
+	}
+
+	var allowed bool
+
+	if p.precedence == "allow" {
+		if p.checkIPInAllowList(clientIP) {
+			allowed = true
+		} else if p.checkIPInDenyList(clientIP) {
+			allowed = false
+		} else {
+			allowed = false
 		}
+	} else {
+		if p.checkIPInDenyList(clientIP) {
+			allowed = false
+		} else if p.checkIPInAllowList(clientIP) {
+			allowed = true
+		} else {
+			allowed = false
+		}
+	}
+
+	if !allowed {
+		http.Error(rw, "Access denied", http.StatusForbidden)
+		return
 	}
 
 	p.next.ServeHTTP(rw, req)