cfssl: github.com/cloudflare/cfssl/whitelist

package whitelist

import "github.com/cloudflare/cfssl/whitelist"

Package whitelist implements IP whitelisting for various types of connections. Two types of access control lists (ACLs) are supported: host-based and network-based.

Index

Package Files

lookup.go whitelist.go whitelist_net.go

func DumpBasic

func DumpBasic(wl *Basic) []byte

DumpBasic returns a whitelist as a byte slice where each IP is on its own line.

func HTTPRequestLookup

func HTTPRequestLookup(req *http.Request) (net.IP, error)

HTTPRequestLookup extracts an IP from the remote address in a *http.Request. A single *http.Request should be passed to Address.

func NetConnLookup

func NetConnLookup(conn net.Conn) (net.IP, error)

NetConnLookup extracts an IP from the remote address in the net.Conn. A single net.Conn should be passed to Address.

func NewHandler

func NewHandler(allow, deny http.Handler, acl ACL) (http.Handler, error)

NewHandler returns a new whitelisting-wrapped HTTP handler. The allow handler should contain a handler that will be called if the request is whitelisted; the deny handler should contain a handler that will be called if the request is not whitelisted.

type ACL

type ACL interface {
    // Permitted takes an IP address, and returns true if the
    // IP address is whitelisted (i.e., permitted access).
    Permitted(net.IP) bool
}

An ACL stores a list of permitted IP addresses, and handles concurrency as needed.

type Basic

type Basic struct {
    // contains filtered or unexported fields
}

Basic implements a basic map-backed whitelister that uses an RWMutex for concurrency. IPv4 addresses are treated differently from IPv6 addresses; namely, the IPv4 localhost will not match the IPv6 localhost.

func LoadBasic

func LoadBasic(in []byte) (*Basic, error)

LoadBasic loads a whitelist from a byte slice.

func NewBasic

func NewBasic() *Basic

NewBasic returns a new initialised basic whitelist.

func (*Basic) Add

func (wl *Basic) Add(ip net.IP)

Add whitelists an IP.

func (*Basic) MarshalJSON

func (wl *Basic) MarshalJSON() ([]byte, error)

MarshalJSON serialises a host whitelist to a comma-separated list of hosts, implementing the json.Marshaler interface.

func (*Basic) Permitted

func (wl *Basic) Permitted(ip net.IP) bool

Permitted returns true if the IP has been whitelisted.

func (*Basic) Remove

func (wl *Basic) Remove(ip net.IP)

Remove clears the IP from the whitelist.

func (*Basic) UnmarshalJSON

func (wl *Basic) UnmarshalJSON(in []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for host whitelists, taking a comma-separated string of hosts.

type BasicNet

type BasicNet struct {
    // contains filtered or unexported fields
}

BasicNet implements a basic map-backed network whitelist using locks for concurrency. It must be initialised with one of the constructor functions. This particular implementation is unoptimised and will not scale.

func NewBasicNet

func NewBasicNet() *BasicNet

NewBasicNet constructs a new basic network-based whitelist.

func (*BasicNet) Add

func (wl *BasicNet) Add(n *net.IPNet)

Add adds a new network to the whitelist. Caveat: overlapping networks won't be detected.

func (*BasicNet) MarshalJSON

func (wl *BasicNet) MarshalJSON() ([]byte, error)

MarshalJSON serialises a network whitelist to a comma-separated list of networks.

func (*BasicNet) Permitted

func (wl *BasicNet) Permitted(ip net.IP) bool

Permitted returns true if the IP has been whitelisted.

func (*BasicNet) Remove

func (wl *BasicNet) Remove(n *net.IPNet)

Remove removes a network from the whitelist.

func (*BasicNet) UnmarshalJSON

func (wl *BasicNet) UnmarshalJSON(in []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for network whitelists, taking a comma-separated string of networks.

type Handler

type Handler struct {
    // contains filtered or unexported fields
}

Handler wraps an HTTP handler with IP whitelisting.

func (*Handler) ServeHTTP

func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServeHTTP wraps the request in a whitelist check.

type HandlerFunc

type HandlerFunc struct {
    // contains filtered or unexported fields
}

A HandlerFunc contains a pair of handler functions (of the form accepted by http.HandleFunc) that will be called depending on whether a request is allowed or denied.

func NewHandlerFunc

func NewHandlerFunc(allow, deny func(http.ResponseWriter, *http.Request), acl ACL) (*HandlerFunc, error)

NewHandlerFunc returns a new basic whitelisting handler.

func (*HandlerFunc) ServeHTTP

func (h *HandlerFunc) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServeHTTP checks the incoming request to see whether it is permitted, and calls the appropriate handle function.

type HostACL

type HostACL interface {
    ACL

    // Add takes an IP address and adds it to the whitelist so
    // that it is now permitted.
    Add(net.IP)

    // Remove takes an IP address and drops it from the whitelist
    // so that it is no longer permitted.
    Remove(net.IP)
}

A HostACL stores a list of permitted hosts.

type HostStub

type HostStub struct{}

HostStub allows host whitelisting to be added into a system's flow without doing anything yet. All operations result in warning log messages being printed to stderr. There is no mechanism for squelching these messages short of modifying the log package's default logger.

func NewHostStub

func NewHostStub() HostStub

NewHostStub returns a new stubbed host whitelister.

func (HostStub) Add

func (wl HostStub) Add(ip net.IP)

Add prints a warning message about whitelisting being stubbed.

func (HostStub) Permitted

func (wl HostStub) Permitted(ip net.IP) bool

Permitted always returns true, but prints a warning message alerting that whitelisting is stubbed.

func (HostStub) Remove

func (wl HostStub) Remove(ip net.IP)

Remove prints a warning message about whitelisting being stubbed.

type NetACL

type NetACL interface {
    ACL

    // Add takes an IP network and adds it to the whitelist so
    // that it is now permitted.
    Add(*net.IPNet)

    // Remove takes an IP network and drops it from the whitelist
    // so that it is no longer permitted.
    Remove(*net.IPNet)
}

A NetACL stores a list of permitted IP networks.

type NetStub

type NetStub struct{}

NetStub allows network whitelisting to be added into a system's flow without doing anything yet. All operations result in warning log messages being printed to stderr. There is no mechanism for squelching these messages short of modifying the log package's default logger.

func NewNetStub

func NewNetStub() NetStub

NewNetStub returns a new stubbed network whitelister.

func (NetStub) Add

func (wl NetStub) Add(ip *net.IPNet)

Add prints a warning message about whitelisting being stubbed.

func (NetStub) Permitted

func (wl NetStub) Permitted(ip net.IP) bool

Permitted always returns true, but prints a warning message alerting that whitelisting is stubbed.

func (NetStub) Remove

func (wl NetStub) Remove(ip *net.IPNet)

Remove prints a warning message about whitelisting being stubbed.

Bugs

Overlapping networks aren't detected.
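The following is an added example, not cfssl's own code: it implements the shapes documented above with only the standard library, so the behaviour can be checked without the package. The names netACL, requestIP, whitelistHandler, okOr403, statusFor and mustCIDR are hypothetical. netACL is an RWMutex-guarded, map-backed network whitelist in the style the BasicNet docs describe; requestIP takes the peer address from req.RemoteAddr as HTTPRequestLookup does; whitelistHandler is the allow/deny wrapper of NewHandlerFunc. It demonstrates the caveat from the Bugs section (removing the /16 leaves the host permitted through the overlapping /8), the IPv4/IPv6 split (::1 is not inside 127.0.0.0/8), and that an unparsable peer address is denied rather than allowed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

type ACL interface{ Permitted(net.IP) bool } // same shape as the package's ACL

// netACL: hypothetical RWMutex-guarded network whitelist in the BasicNet style (not cfssl's code).
type netACL struct {
	mu   sync.RWMutex
	nets map[string]*net.IPNet
}

func newNetACL() *netACL { return &netACL{nets: make(map[string]*net.IPNet)} }

// Add keys the network by its CIDR text; an overlapping network is stored alongside the others, not detected.
func (a *netACL) Add(n *net.IPNet) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.nets[n.String()] = n
}

func (a *netACL) Remove(n *net.IPNet) {
	a.mu.Lock()
	defer a.mu.Unlock()
	delete(a.nets, n.String())
}

// Permitted is a linear scan under a read lock, so like BasicNet it will not scale.
func (a *netACL) Permitted(ip net.IP) bool {
	a.mu.RLock()
	defer a.mu.RUnlock()
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// requestIP takes the TCP peer from req.RemoteAddr, as HTTPRequestLookup does; behind a reverse proxy that is the proxy.
func requestIP(req *http.Request) (net.IP, error) {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return nil, fmt.Errorf("unparsable remote address %q", req.RemoteAddr)
	}
	return ip, nil
}

// whitelistHandler has the shape of NewHandlerFunc: allow for permitted peers, deny otherwise (unparsable peers fail closed).
func whitelistHandler(allow, deny http.HandlerFunc, acl ACL) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if ip, err := requestIP(req); err == nil && acl.Permitted(ip) {
			allow(w, req)
			return
		}
		deny(w, req)
	})
}

// okOr403 answers 200 to permitted peers and 403 to everyone else.
func okOr403(acl ACL) http.Handler {
	return whitelistHandler(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) },
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusForbidden) },
		acl)
}

// statusFor sends one request with the given RemoteAddr through h and returns the status code.
func statusFor(h http.Handler, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// mustCIDR parses a CIDR literal; a bad literal is a programming error here.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	acl := newNetACL()
	acl.Add(mustCIDR("10.0.0.0/8"))
	acl.Add(mustCIDR("10.1.0.0/16")) // overlaps the /8; not detected, as the Bugs note says
	h := okOr403(acl)
	acl.Remove(mustCIDR("10.1.0.0/16"))
	fmt.Println(statusFor(h, "10.1.2.3:4567")) // prints 200: the /8 still covers the host
}
```

Two points follow from the code. First, RemoteAddr is the TCP peer, so a whitelist built on it must sit on the listener that terminates client connections; behind a load balancer it would only ever see the balancer's address. Second, because overlapping networks are stored side by side, removing one network is not the same as revoking access to the hosts it covers, which is worth checking whenever a whitelist is tightened.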

Directories

Path	Synopsis
example	

Package whitelist imports 7 packages and is imported by 76 packages. Updated 2016-12-25.