This is an automated email from the ASF dual-hosted git repository. ocket8888 pushed a commit to branch 5.0.x in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
commit 71812820de47dcbb471d15232e6c960bf0e5bdc3
Author: alficles <[email protected]>
AuthorDate: Tue Nov 17 16:51:45 2020 -0700
Add PUSH and PURGE denial to mid tier caches. (#5292)
(cherry picked from commit 97382c971d2e98cc4922f331ebb870ffa744895e)
---
lib/go-atscfg/ipallowdotconfig.go | 16 ++++++++++++++++
lib/go-atscfg/ipallowdotconfig_test.go | 20 ++++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index 246fb6c..f3f59ba 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -268,6 +268,22 @@ func MakeIPAllowDotConfig(
 // order matters, so sort before adding the denys
 sort.Sort(ipAllowDatas(ipAllowDat))
+ // start with a deny for PUSH and PURGE - TODO CDL: parameterize
+ if isMid { // Edges already deny PUSH and PURGE
+ ipAllowData = append([]IPAllowData{
+ {
+ Src: `0.0.0.0-255.255.255.255`,
+ Action: ActionDeny,
+ Method: `PUSH|PURGE`,
+ },
+ {
+ Src: `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
+ Action: ActionDeny,
+ Method: `PUSH|PURGE`,
+ },
+ }, ipAllowData...)
+ }
+
 // end with a deny
 ipAllowDat = append(ipAllowDat, ipAllowData{
 Src: `0.0.0.0-255.255.255.255`,
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index 9a1c8fa..ed6dc0a 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
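Review bot: The two prepended rules span the entire IPv4 and IPv6 address space, and if ATS applies the first rule whose src_ip matches (which is how I recall ip_allow.config being evaluated, with an `ip_deny` that lists methods implicitly permitting the remaining methods from that source), they would shadow every later entry for those addresses — whatever allow entries the function emits for trusted sources as well as the trailing `ip_deny` for `0.0.0.0-255.255.255.255` on the last context line — leaving a mid reachable for everything except PUSH/PURGE; the companion test even requires these denies to precede every `ip_allow` line, so please confirm the evaluation order against the ATS documentation and, if it is first-match, emit the PUSH|PURGE deny per trusted source (or after the allows) rather than as a global leading rule. Separately, the new block prepends to `ipAllowData` while the neighbouring lines sort `ipAllowDat` and append the trailing deny to it, and nothing in the hunk shows how the two lists are combined, so the comment should state that, e.g. `// NOTE: separate from ipAllowDat (sorted below) — confirm which list is written first, since rule order decides`. The literal `PUSH|PURGE` appears twice and could be a named constant next to ActionDeny. MakeIPAllowDotConfig begins before this hunk and continues past it.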
@@ -99,6 +99,26 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
 lines = lines[1:] // remove comment line
+ /* Test that PUSH and PURGE are denied ere the allowance of anything else. */
+ {
+ ip4deny := false
+ ip6deny := false
+ eachLine:
+ for i, line := range lines {
+ switch {
+ case strings.Contains(line, `0.0.0.0-255.255.255.255`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+ ip4deny = true
+ case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
+ ip6deny = true
+ case strings.Contains(line, `ip_allow`):
+ if !(ip4deny && ip6deny) {
+ t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
+ }
+ break eachLine
+ }
+ }
+ }
+
 for _, expected := range expecteds {
 if !strings.Contains(txt, expected) {
 t.Errorf("expected %+v actual '%v'\n", expected, txt)
