This is an automated email from the ASF dual-hosted git repository.

rawlin pushed a commit to branch 4.1.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/4.1.x by this push:
     new 817a702  Add PUSH and PURGE denial to mid tier caches. (#5292) (#5302)
817a702 is described below

commit 817a702a9de6169c86e30cd70304af380a8e9dc6
Author: Rawlin Peters <[email protected]>
AuthorDate: Wed Nov 18 08:01:21 2020 -0700

    Add PUSH and PURGE denial to mid tier caches. (#5292) (#5302)
    
    (cherry picked from commit 97382c971d2e98cc4922f331ebb870ffa744895e)
    
    Co-authored-by: alficles <[email protected]>
---
 lib/go-atscfg/ipallowdotconfig.go      | 16 ++++++++++++++++
 lib/go-atscfg/ipallowdotconfig_test.go | 20 ++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index 65310e2..f322e6d 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -274,6 +274,22 @@ func MakeIPAllowDotConfig(
                // order matters, so sort before adding the denys
                sort.Sort(IPAllowDatas(ipAllowData))
 
+               // start with a deny for PUSH and PURGE - TODO CDL: parameterize
+               if isMid { // Edges already deny PUSH and PURGE
+                       ipAllowData = append([]IPAllowData{
+                               {
+                                       Src:    `0.0.0.0-255.255.255.255`,
+                                       Action: ActionDeny,
+                                       Method: `PUSH|PURGE`,
+                               },
+                               {
+                       Src:    `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
+                                       Action: ActionDeny,
+                                       Method: `PUSH|PURGE`,
+                               },
+                       }, ipAllowData...)
+               }
+
                // end with a deny
                ipAllowData = append(ipAllowData, IPAllowData{
                        Src:    `0.0.0.0-255.255.255.255`,
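Review bot: Prepending a whole-address-space `ip_deny method=PUSH|PURGE` rule (the `append([]IPAllowData{...}, ipAllowData...)` block) can shadow every rule after it if ATS resolves ip_allow.config by first match per client address, which is what the existing `order matters` and `end with a deny` comments in this same function already assume. Under first-match semantics the `0.0.0.0-255.255.255.255` and `::-ffff:...` rules match every client before any later allow or the trailing deny-all is consulted, so a mid would admit every non-PUSH/PURGE method from any source, the opposite of the hardening intended. A safer shape keeps the method restriction on the allow side: emit each allowed range with an explicit method list that excludes PUSH and PURGE (or pair each allowed range with its own `PUSH|PURGE` deny immediately before it) so the final deny-all still catches unlisted addresses. At minimum, confirm against the target ATS version that a method-scoped deny falls through to later rules for other methods before this reaches mids, and record the outcome in the `TODO CDL` comment. MakeIPAllowDotConfig begins before this hunk and continues after it, so the allow rules such a change would touch are outside the view.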
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index 428067b..57a5b0c 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
@@ -106,6 +106,26 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
 
        lines = lines[1:] // remove comment line
 
+       /* Test that PUSH and PURGE are denied ere the allowance of anything else. */
+       {
+               ip4deny := false
+               ip6deny := false
+       eachLine:
+               for i, line := range lines {
+                       switch {
+                       case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+                               ip4deny = true
+                       case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+                               ip6deny = true
+                       case strings.Contains(line, `ip_allow`):
+                               if !(ip4deny && ip6deny) {
+                                       t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
+                               }
+                               break eachLine
+                       }
+               }
+       }
+
        for _, expected := range expecteds {
                if !strings.Contains(txt, expected) {
                        t.Errorf("expected %+v actual '%v'\n", expected, txt)
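Review bot: The new ordering check passes vacuously when the generated config contains no `ip_allow` line at all, or when both deny lines are missing and no allow line follows, because `ip4deny`/`ip6deny` are only inspected inside the `case strings.Contains(line, `ip_allow`)` branch. Add an unconditional assertion after the loop, e.g. `if !(ip4deny && ip6deny) { t.Errorf("expected IPv4 and IPv6 PUSH|PURGE denies in generated ip_allow.config") }`, so the presence of both rules is pinned independently of ordering. The hunk does not show whether the fixture feeding `lines` is built with isMid set; if it is an edge config, this block exercises the edge path rather than the new mid code, and a mid-specific fixture (or a table-driven loop over both) would be needed to cover the change. Minor style: `ere` in the block comment reads as archaic, `before` is clearer. TestMakeIPAllowDotConfig starts before this hunk and continues after it.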
