This is an automated email from the ASF dual-hosted git repository.

rob pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 97382c9  Add PUSH and PURGE denial to mid tier caches. (#5292)
97382c9 is described below

commit 97382c971d2e98cc4922f331ebb870ffa744895e
Author: alficles <[email protected]>
AuthorDate: Tue Nov 17 16:51:45 2020 -0700

    Add PUSH and PURGE denial to mid tier caches. (#5292)
---
 lib/go-atscfg/ipallowdotconfig.go      | 16 ++++++++++++++++
 lib/go-atscfg/ipallowdotconfig_test.go | 20 ++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/lib/go-atscfg/ipallowdotconfig.go 
b/lib/go-atscfg/ipallowdotconfig.go
index 246fb6c..f3f59ba 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -268,6 +268,22 @@ func MakeIPAllowDotConfig(
                // order matters, so sort before adding the denys
                sort.Sort(ipAllowDatas(ipAllowDat))
 
+               // start with a deny for PUSH and PURGE - TODO CDL: parameterize
+               if isMid { // Edges already deny PUSH and PURGE
+                       ipAllowData = append([]IPAllowData{
+                               {
+                                       Src:    `0.0.0.0-255.255.255.255`,
+                                       Action: ActionDeny,
+                                       Method: `PUSH|PURGE`,
+                               },
+                               {
+                                       Src:    
`::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
+                                       Action: ActionDeny,
+                                       Method: `PUSH|PURGE`,
+                               },
+                       }, ipAllowData...)
+               }
+
                // end with a deny
                ipAllowDat = append(ipAllowDat, ipAllowData{
                        Src:    `0.0.0.0-255.255.255.255`,
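Review bot: The added block prepends the two PUSH|PURGE denies to `ipAllowData` (elements of type `IPAllowData`), but the list that was just sorted and that receives the trailing deny-all is `ipAllowDat`, built from `ipAllowData{...}` literals (lines 28 and 48), and the comment above the sort — "sort before adding the denys" — says the denies belong on that sorted list; with a variable named `ipAllowData` in scope the literal at line 48 could not also name the type, so this looks like a slip for `ipAllowDat = append([]ipAllowData{…}, ipAllowDat...)`. Whichever slice is intended, the resulting rule order should be checked against the target ATS version's ip_allow semantics before merging: if ATS applies the first rule whose range covers the client's source address (the behavior the shipped default ip_allow.config relies on by listing loopback before its catch-all PUSH|PURGE|DELETE deny) and `ip_deny` with a method list permits every other method, then a catch-all `0.0.0.0-255.255.255.255 ip_deny PUSH|PURGE` placed ahead of the per-CIDR `ip_allow` lines would claim every source and leave both the CIDR allows and the final deny-all unreachable — loosening mids to "everything except PUSH/PURGE from anywhere" instead of tightening them. If that is the case, the restriction is safer expressed on the allowed ranges themselves (a per-range `ip_deny method=PUSH|PURGE` ahead of each `ip_allow`, or an explicit allowed-method list in place of `ALL`), keeping the global denies only after them. The "Edges already deny PUSH and PURGE" comment asserts behavior the hunk cannot show; pointing it at the edge branch that emits those rules would make it checkable. `MakeIPAllowDotConfig` starts and ends outside this hunk.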
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go 
b/lib/go-atscfg/ipallowdotconfig_test.go
index 9a1c8fa..ed6dc0a 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
@@ -99,6 +99,26 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
 
        lines = lines[1:] // remove comment line
 
+       /* Test that PUSH and PURGE are denied ere the allowance of anything 
else. */
+       {
+               ip4deny := false
+               ip6deny := false
+       eachLine:
+               for i, line := range lines {
+                       switch {
+                       case strings.Contains(line, `0.0.0.0-255.255.255.255`) 
&& strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && 
strings.Contains(line, `PURGE`):
+                               ip4deny = true
+                       case strings.Contains(line, 
`::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, 
`ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+                               ip6deny = true
+                       case strings.Contains(line, `ip_allow`):
+                               if !(ip4deny && ip6deny) {
+                                       t.Errorf("Expected denies for PUSH and 
PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
+                               }
+                               break eachLine
+                       }
+               }
+       }
+
        for _, expected := range expecteds {
                if !strings.Contains(txt, expected) {
                        t.Errorf("expected %+v actual '%v'\n", expected, txt)
