release: v1.3.3

general: only build docker develop images on master branch push
build(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 in /proxy (#86 )
2025-10-27 06:42:13 +01:00 · 2023-10-21 00:03:02 -07:00 · 2023-10-08 21:08:07 -07:00 · 2023-10-08 21:04:12 -07:00 · 2023-10-08 21:04:04 -07:00 · 2023-10-04 21:33:37 -07:00
11 changed files with 786 additions and 110 deletions
--- a/.github/workflows/develop.yaml
+++ b/.github/workflows/develop.yaml
@@ -1,7 +1,7 @@
 on:
  push:
    branches:
-      - '**'
+      - 'master'
  pull_request:
    branches:
      - 'master'
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -70,7 +70,9 @@ jobs:
          push: true
          tags: |
            xddxdd/bird-lg-go:latest
+            xddxdd/bird-lg-go:${{ github.event.release.tag_name }}
            ghcr.io/xddxdd/bird-lg-go:frontend
+            ghcr.io/xddxdd/bird-lg-go:frontend-${{ github.event.release.tag_name }}

      - name: Build proxy docker image
        uses: docker/build-push-action@v4
@@ -80,4 +82,6 @@ jobs:
          push: true
          tags: |
            xddxdd/bird-lgproxy-go:latest
+            xddxdd/bird-lgproxy-go:${{ github.event.release.tag_name }}
            ghcr.io/xddxdd/bird-lg-go:proxy
+            ghcr.io/xddxdd/bird-lg-go:proxy-${{ github.event.release.tag_name }}
--- a/README.md
+++ b/README.md
@@ -125,7 +125,7 @@ Configuration is handled by [viper](https://github.com/spf13/viper), any config

 | Config Key | Parameter | Environment Variable | Description |
 | ---------- | --------- | -------------------- | ----------- |
-| allowed_ips | --allowed | ALLOWED_IPS | IPs allowed to access this proxy, separated by commas. Don't set to allow all IPs. (default "") |
+| allowed_ips | --allowed | ALLOWED_IPS | IPs or networks allowed to access this proxy, separated by commas. Don't set to allow all IPs. (default "") |
 | bird_socket | --bird | BIRD_SOCKET | socket file for bird, set either in parameter or environment variable BIRD_SOCKET (default "/var/run/bird/bird.ctl") |
 | listen | --listen | BIRDLG_PROXY_PORT | listen address, set either in parameter or environment variable  BIRDLG_PROXY_PORT(default "8000") |
 | traceroute_bin | --traceroute_bin | BIRDLG_TRACEROUTE_BIN | traceroute binary file, set either in parameter or environment variable  BIRDLG_TRACEROUTE_BIN |
--- a/2
+++ b/2
@@ -1 +1 @@
-v1.3.2.1
+v1.3.3
--- a/frontend/go.mod
+++ b/frontend/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/jarcoal/httpmock v1.3.1
 	github.com/magiconair/properties v1.8.7
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.16.0
+	github.com/spf13/viper v1.17.0
 )

 require (
@@ -16,14 +16,18 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
-	github.com/spf13/afero v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.3.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.10.0 // indirect
 	github.com/spf13/cast v1.5.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/frontend/go.sum
+++ b/frontend/go.sum
--- a/proxy/go.mod
+++ b/proxy/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/gorilla/handlers v1.5.1
 	github.com/magiconair/properties v1.8.7
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.16.0
+	github.com/spf13/viper v1.17.0
 )

 require (
@@ -15,14 +15,18 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
-	github.com/spf13/afero v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.3.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.10.0 // indirect
 	github.com/spf13/cast v1.5.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/proxy/go.sum
+++ b/proxy/go.sum
--- a/proxy/main.go
+++ b/proxy/main.go
@@ -22,8 +22,8 @@ func invalidHandler(httpW http.ResponseWriter, httpR *http.Request) {
 }

 func hasAccess(remoteAddr string) bool {
-	// setting.allowedIPs will always have at least one element because of how it's defined
-	if len(setting.allowedIPs) == 0 {
+	// setting.allowedNets will always have at least one element because of how it's defined
+	if len(setting.allowedNets) == 0 {
 		return true
 	}

@@ -40,8 +40,8 @@ func hasAccess(remoteAddr string) bool {
 		return false
 	}

-	for _, allowedIP := range setting.allowedIPs {
-		if ipObject.Equal(allowedIP) {
+	for _, net := range setting.allowedNets {
+		if net.Contains(ipObject) {
 			return true
 		}
 	}
@@ -49,7 +49,7 @@ func hasAccess(remoteAddr string) bool {
 	return false
 }

-// Access handler, check to see if client IP in allowed IPs, continue if it is, send to invalidHandler if not
+// Access handler, check to see if client IP in allowed nets, continue if it is, send to invalidHandler if not
 func accessHandler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(httpW http.ResponseWriter, httpR *http.Request) {
 		if hasAccess(httpR.RemoteAddr) {
@@ -61,12 +61,12 @@ func accessHandler(next http.Handler) http.Handler {
 }

 type settingType struct {
-	birdSocket string
-	listen     string
-	allowedIPs []net.IP
-	tr_bin     string
-	tr_flags   []string
-	tr_raw     bool
+	birdSocket  string
+	listen      string
+	allowedNets []*net.IPNet
+	tr_bin      string
+	tr_flags    []string
+	tr_raw      bool
 }

 var setting settingType
--- a/proxy/main_test.go
+++ b/proxy/main_test.go
@@ -10,42 +10,61 @@ import (
 )

 func TestHasAccessNotConfigured(t *testing.T) {
-	setting.allowedIPs = []net.IP{}
+	setting.allowedNets = []*net.IPNet{}
 	assert.Equal(t, hasAccess("whatever"), true)
 }

 func TestHasAccessAllowIPv4(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")}
+	_, netip, _ := net.ParseCIDR("1.2.3.4/32")
+	setting.allowedNets = []*net.IPNet{netip}
+	assert.Equal(t, hasAccess("1.2.3.4:4321"), true)
+}
+
+func TestHasAccessAllowIPv4Net(t *testing.T) {
+	_, netip, _ := net.ParseCIDR("1.2.3.0/24")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("1.2.3.4:4321"), true)
 }

 func TestHasAccessDenyIPv4(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("4.3.2.1")}
+	_, netip, _ := net.ParseCIDR("4.3.2.1/32")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("1.2.3.4:4321"), false)
 }

 func TestHasAccessAllowIPv6(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("2001:db8::1")}
+	_, netip, _ := net.ParseCIDR("2001:db8::1/128")
+	setting.allowedNets = []*net.IPNet{netip}
+	assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true)
+}
+
+func TestHasAccessAllowIPv6Net(t *testing.T) {
+	_, netip, _ := net.ParseCIDR("2001:db8::/64")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true)
 }

 func TestHasAccessAllowIPv6DifferentForm(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("2001:0db8::1")}
+	_, netip, _ := net.ParseCIDR("2001:db8::1/128")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("[2001:db8::1]:4321"), true)
 }

 func TestHasAccessDenyIPv6(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("2001:db8::2")}
+	_, netip, _ := net.ParseCIDR("2001:db8::2/128")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("[2001:db8::1]:4321"), false)
 }

 func TestHasAccessBadClientIP(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")}
+	_, netip, _ := net.ParseCIDR("1.2.3.4/32")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("not an IP"), false)
 }

 func TestHasAccessBadClientIPPort(t *testing.T) {
-	setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")}
+	_, netip, _ := net.ParseCIDR("1.2.3.4/32")
+	setting.allowedNets = []*net.IPNet{netip}
 	assert.Equal(t, hasAccess("not an IP:not a port"), false)
 }

@@ -57,7 +76,8 @@ func TestAccessHandlerAllow(t *testing.T) {
 	r.RemoteAddr = "1.2.3.4:4321"
 	w := httptest.NewRecorder()

-	setting.allowedIPs = []net.IP{net.ParseIP("1.2.3.4")}
+	_, netip, _ := net.ParseCIDR("1.2.3.4/32")
+	setting.allowedNets = []*net.IPNet{netip}

 	wrappedHandler.ServeHTTP(w, r)
 	assert.Equal(t, w.Code, http.StatusNotFound)
@@ -71,7 +91,8 @@ func TestAccessHandlerDeny(t *testing.T) {
 	r.RemoteAddr = "1.2.3.4:4321"
 	w := httptest.NewRecorder()

-	setting.allowedIPs = []net.IP{net.ParseIP("4.3.2.1")}
+	_, netip, _ := net.ParseCIDR("4.3.2.1/32")
+	setting.allowedNets = []*net.IPNet{netip}

 	wrappedHandler.ServeHTTP(w, r)
 	assert.Equal(t, w.Code, http.StatusInternalServerError)
--- a/proxy/settings.go
+++ b/proxy/settings.go
@@ -13,7 +13,7 @@ import (
 type viperSettingType struct {
 	BirdSocket      string `mapstructure:"bird_socket"`
 	Listen          string `mapstructure:"listen"`
-	AllowedIPs      string `mapstructure:"allowed_ips"`
+	AllowedNets     string `mapstructure:"allowed_ips"`
 	TracerouteBin   string `mapstructure:"traceroute_bin"`
 	TracerouteFlags string `mapstructure:"traceroute_flags"`
 	TracerouteRaw   bool   `mapstructure:"traceroute_raw"`
@@ -40,7 +40,7 @@ func parseSettings() {
 	pflag.String("listen", "8000", "listen address, set either in parameter or environment variable BIRDLG_PROXY_PORT")
 	viper.BindPFlag("listen", pflag.Lookup("listen"))

-	pflag.String("allowed", "", "IPs allowed to access this proxy, separated by commas. Don't set to allow all IPs.")
+	pflag.String("allowed", "", "IPs or networks allowed to access this proxy, separated by commas. Don't set to allow all IPs.")
 	viper.BindPFlag("allowed_ips", pflag.Lookup("allowed"))

 	pflag.String("traceroute_bin", "", "traceroute binary file, set either in parameter or environment variable BIRDLG_TRACEROUTE_BIN")
@@ -66,18 +66,31 @@ func parseSettings() {
 	setting.birdSocket = viperSettings.BirdSocket
 	setting.listen = viperSettings.Listen

-	if viperSettings.AllowedIPs != "" {
-		for _, ip := range strings.Split(viperSettings.AllowedIPs, ",") {
-			ipObject := net.ParseIP(ip)
-			if ipObject == nil {
-				fmt.Printf("Parse IP %s failed\n", ip)
-				continue
+	if viperSettings.AllowedNets != "" {
+		for _, arg := range strings.Split(viperSettings.AllowedNets, ",") {
+
+			// if argument is an IP address, convert to CIDR by adding a suitable mask
+			if !strings.Contains(arg, "/") {
+				if strings.Contains(arg, ":") {
+					// IPv6 address with /128 mask
+					arg += "/128"
+				} else {
+					// IPv4 address with /32 mask
+					arg += "/32"
+				}
 			}

-			setting.allowedIPs = append(setting.allowedIPs, ipObject)
+			// parse the network
+			_, netip, err := net.ParseCIDR(arg)
+			if err != nil {
+				fmt.Printf("Failed to parse CIDR %s: %s\n", arg, err.Error())
+				continue
+			}
+			setting.allowedNets = append(setting.allowedNets, netip)
+
 		}
 	} else {
-		setting.allowedIPs = []net.IP{}
+		setting.allowedNets = []*net.IPNet{}
 	}

 	var err error
Author	SHA1	Message	Date
Lan Tian	27c348a864	release: v1.3.3	2023-10-21 00:03:02 -07:00
Lan Tian	43b4ad93dd	general: only build docker develop images on master branch push	2023-10-08 21:08:07 -07:00
dependabot[bot]	6176c45006	build(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 in /proxy (#86 ) Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/spf13/viper/releases) - [Commits](https://github.com/spf13/viper/compare/v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: github.com/spf13/viper dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-10-08 21:04:12 -07:00
dependabot[bot]	47113184f4	build(deps): bump github.com/spf13/viper in /frontend (#85 ) Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/spf13/viper/releases) - [Commits](https://github.com/spf13/viper/compare/v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: github.com/spf13/viper dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-10-08 21:04:04 -07:00
Simon Marsh	3c9a3e4339	Enable proxy to allow access by CIDR network as well as IP (#84 )	2023-10-04 21:33:37 -07:00
Lan Tian	8457b18d46	release: v1.3.2.2	2023-09-09 01:44:16 -07:00
Lan Tian	f8f64b03a6	general: add tag for release Docker images	2023-09-09 01:42:38 -07:00