go-agent: github.com/sqreen/go-agent/agent/internal/actor

package actor

import "github.com/sqreen/go-agent/agent/internal/actor"

Package actor manages and associates IP addresses or user IDs to security actions such as redirecting, blacklisting or whitelisting.

The stores are grouped according to the way the backend sends them to the agent. The goal is to be able to update each of them separately, without concurrent read/write modifications: when a new store is received, it is instantiated in the agent and then atomically swapped with the current one. The current stores are the security actions and the CIDR whitelist.

Actor Store

The actionStore is the central agent store associating actor IP addresses and user identifiers to the security actions provided by the backend. Since it is used in HTTP request handlers, it is designed to be as efficient as possible so as not to slow down requests. An important design constraint is that the sooner a request is handled, the sooner its memory (the goroutines and the memory they used) is released. So time-efficiency is treated here as the better path to overall memory-efficiency.

Radix Tree

A radix tree is used to efficiently store security actions by IP address and network.

Security Actions

Security actions are stored using structures implementing the Action interface. Actions can have a time duration by implementing the Timed interface.

Security Action HTTP Handlers

Constructors `NewUserActionHTTPHandler()` and `NewIPActionHTTPHandler()` create an `http.Handler` from an action that matched a user or an IP address. The handler applies the expected security response to the request's response. The user and IP address are used as properties of the events emitted by the handlers.

CIDR Whitelist Store

The CIDR whitelist store is a set of radix trees simply storing the CIDRs that should be whitelisted. The same action tree is used in order to find the matching source, stored as the action ID. This is required to send the expected metric key, which includes the matching CIDR.

Index

Package Files

action-treev4.go action-treev6.go action.go actor.go config.go doc.go http.go whitelist.go

func NewIPActionHTTPHandler

func NewIPActionHTTPHandler(action Action, ip net.IP) (http.Handler, error)

NewIPActionHTTPHandler returns an HTTP handler that should be applied at the request handler level to perform the security response.

func NewUserActionHTTPHandler

func NewUserActionHTTPHandler(action Action, userID map[string]string) (http.Handler, error)

NewUserActionHTTPHandler returns an HTTP handler that should be applied at the request handler level to perform the security response.

type Action

type Action interface {
    // ActionID returns the unique ID of the request.
    ActionID() string
}

Action is an interface common to each concrete action type stored in the data structures, allowing the stored values to be type-switched.

type CIDRWhitelistStore

type CIDRWhitelistStore struct {
    // contains filtered or unexported fields
}

CIDRWhitelistStore is the set of data structures storing the CIDR IPv4 and IPv6 whitelists. Locking is avoided by never having concurrent insertions and lookups: a second whitelistStore is created when a new whitelist is received, and only the swap of the whitelistStore pointer needs to be thread-safe.

func NewCIDRWhitelistStore

func NewCIDRWhitelistStore(cidrs []string) (*CIDRWhitelistStore, error)

func (*CIDRWhitelistStore) Find

func (s *CIDRWhitelistStore) Find(ip net.IP) (whitelisted bool, matched string, err error)
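The CIDR whitelist lookup described in the package doc (verdict plus the matching source, IPv4 and IPv6 kept apart), as an added example that is not the package's code; it substitutes slices with a longest-prefix scan for the radix trees, and the error behaviour on a nil IP or a malformed CIDR is an assumption:

```go
package main

import (
	"errors"
	"net"
)

// CIDRWhitelistStore keeps IPv4 and IPv6 networks apart, as the package does with
// its two trees; this added version uses slices, so lookups are linear, not log n.
type CIDRWhitelistStore struct {
	v4, v6 []*net.IPNet
}

// NewCIDRWhitelistStore rejects the whole list on the first malformed CIDR,
// so a typo in the backend payload cannot silently shrink the whitelist.
func NewCIDRWhitelistStore(cidrs []string) (*CIDRWhitelistStore, error) {
	s := &CIDRWhitelistStore{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		if n.IP.To4() != nil {
			s.v4 = append(s.v4, n)
		} else {
			s.v6 = append(s.v6, n)
		}
	}
	return s, nil
}

// Find returns whether ip is whitelisted and the most specific matching CIDR (the
// "source" the doc reports in the metric key). IPv4-mapped IPv6 is searched as IPv4.
func (s *CIDRWhitelistStore) Find(ip net.IP) (whitelisted bool, matched string, err error) {
	if ip == nil {
		return false, "", errors.New("invalid IP address")
	}
	nets := s.v6
	if v4 := ip.To4(); v4 != nil {
		ip, nets = v4, s.v4
	}
	best := -1
	for _, n := range nets {
		if ones, _ := n.Mask.Size(); n.Contains(ip) && ones > best {
			best, matched = ones, n.String()
		}
	}
	return best >= 0, matched, nil
}
```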

type Store

type Store struct {
    // contains filtered or unexported fields
}

Store is the structure associating IP addresses or user IDs to security actions such as whitelisting and blacklisting. It wraps several underlying memory- and CPU-efficient data structures and provides the API the agent expects. It is designed to have the shortest possible lookup time from HTTP request handlers while still allowing other security actions to be loaded concurrently, without locking the actionStore operations. To do so, when a new set of actions is received, a new actionStore is created while the current one remains in use, and only the access to the actionStore pointer is synchronized, using a reader/writer mutex (mutual exclusion of readers and writers, with one writer or N readers at a time). The critical section is therefore limited to the time needed to replace the actionStore pointer, hence the smallest possible locking time.

func NewStore

func NewStore(logger *plog.Logger) *Store

func (*Store) FindIP

func (s *Store) FindIP(ip net.IP) (action Action, exists bool, err error)

FindIP returns the security action of the given IPv4/IPv6 address. The returned boolean `exists` is `false` when the address is not present in the actionStore, `true` otherwise.

func (*Store) FindUser

func (s *Store) FindUser(userID map[string]string) (action Action, exists bool)

FindUser returns the security action of the given userID map. The returned boolean `exists` is `false` when the user is not present in the actionStore, `true` otherwise.

func (*Store) IsIPWhitelisted

func (s *Store) IsIPWhitelisted(ip net.IP) (whitelisted bool, matchedCIDR string, err error)

IsIPWhitelisted returns true when the given IP address matches a whitelist entry; the matched entry is also returned. The error is non-nil when an internal error occurred.

func (*Store) SetActions

func (s *Store) SetActions(actions []api.ActionsPackResponse_Action) error

SetActions creates a new action store and then replaces the current one. The new store is built while the current one remains accessible.
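The copy-and-swap design described for Store and SetActions, together with the Timed expiry check from the Security Actions section, as an added Go example that is not the package's code; Action, Timed, Store, NewStore, SetActions and FindIP reuse the doc's names, while blockAction, the IP-string-keyed map and the simplified signatures are assumptions:

```go
package main

import (
	"net"
	"sync"
	"time"
)

// Action and Timed mirror the package's interfaces; blockAction is a
// hypothetical concrete action whose zero expiry means "never expires".
type Action interface{ ActionID() string }
type Timed interface{ Expired() bool }
type blockAction struct {
	id      string
	expires time.Time
}
func (a blockAction) ActionID() string { return a.id }
func (a blockAction) Expired() bool   { return !a.expires.IsZero() && time.Now().After(a.expires) }

// actionStore is immutable once built, so lookups need no lock of their own;
// Store synchronizes nothing but the pointer swap, as the package doc describes.
type actionStore struct{ byIP map[string]Action }
type Store struct {
	mu    sync.RWMutex
	store *actionStore
}
func NewStore() *Store { return &Store{store: &actionStore{}} }

// SetActions copies the new actions (keyed by IP string) into a fresh store
// while readers keep using the current one, then swaps the pointer.
func (s *Store) SetActions(actions map[string]Action) {
	ns := &actionStore{byIP: make(map[string]Action, len(actions))}
	for k, a := range actions {
		ns.byIP[k] = a
	}
	s.mu.Lock()
	s.store = ns
	s.mu.Unlock()
}

// FindIP holds the read lock only long enough to copy the pointer. Expired
// timed actions are reported as absent so a stale block never fires.
func (s *Store) FindIP(ip net.IP) (Action, bool) {
	s.mu.RLock()
	st := s.store
	s.mu.RUnlock()
	a, ok := st.byIP[ip.String()]
	if t, timed := a.(Timed); !ok || (timed && t.Expired()) {
		return nil, false
	}
	return a, true
}
```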

func (*Store) SetCIDRWhitelist

func (s *Store) SetCIDRWhitelist(cidrs []string) error

SetCIDRWhitelist creates a new whitelist store and then replaces the current one. The new store is built while the current one remains accessible.

type Timed

type Timed interface {
    Expired() bool
}

Timed is an interface implemented by actions having an expiration time.

type UserIdentifiersHash

type UserIdentifiersHash [sha256.Size]byte

UserIdentifiersHash is a type suitable to be used as key type of the map of user actions. It is therefore an array, as slices cannot be used as map key types.

func NewUserIdentifiersHash

func NewUserIdentifiersHash(id map[string]string) UserIdentifiersHash
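An added example, not the package's implementation, of how NewUserIdentifiersHash can derive a fixed-size map key from a user identifier map; the key sorting and length-prefixing are assumptions about a safe construction, not a description of the package's actual encoding, and userActions is a hypothetical map that shows the hash in its map-key role:

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"sort"
)

// UserIdentifiersHash mirrors the package's key type: a fixed-size array so it
// can serve as a map key, which a slice cannot.
type UserIdentifiersHash [sha256.Size]byte

// NewUserIdentifiersHash is an added implementation, not the package's own:
// keys are sorted so map iteration order cannot change the digest, and every
// key and value is length-prefixed so that {"ab":"c"} and {"a":"bc"} do not
// collide on the same hash and therefore on the same security action.
func NewUserIdentifiersHash(id map[string]string) UserIdentifiersHash {
	keys := make([]string, 0, len(id))
	for k := range id {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	var n [8]byte
	write := func(s string) {
		binary.BigEndian.PutUint64(n[:], uint64(len(s)))
		h.Write(n[:])
		h.Write([]byte(s))
	}
	for _, k := range keys {
		write(k)
		write(id[k])
	}
	var out UserIdentifiersHash
	copy(out[:], h.Sum(nil))
	return out
}

// userActions shows the hash in its intended role as the key of the user
// action map; the string value stands in for a concrete Action.
type userActions map[UserIdentifiersHash]string

func (u userActions) find(id map[string]string) (action string, exists bool) {
	action, exists = u[NewUserIdentifiersHash(id)]
	return action, exists
}
```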

type WhitelistTreeV4

type WhitelistTreeV4 actionTreeV4

type WhitelistTreeV6

type WhitelistTreeV6 actionTreeV6

Package actor imports 17 packages and is imported by 1 package. Updated 2019-08-14.