From 0c0b8441830a213ff8992b9c1687efb05b00d340 Mon Sep 17 00:00:00 2001 From: Tim Carter Date: Mon, 13 Jan 2025 16:13:42 +1100 Subject: [PATCH] Rename whitelist to allowlist. Enhance readme. --- README.md | 71 +++++++++++++++++++++++++++++++++++++++- pkg/server/server.go | 26 +++++++-------- test/domainproxy_test.go | 12 +++---- 3 files changed, 89 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 21a2b98..53d329f 100644 --- a/README.md +++ b/README.md @@ -1 +1,70 @@ -# domain-proxy \ No newline at end of file +# Domain Proxy + +This proxy enables build tools running within a network isolated unshare environment to download artifacts from a list +of allowed target hosts. + +## Components + +### Domain Proxy Server + +* Runs outside unshare environment +* Listens on Unix domain socket for connections from Domain Proxy Client +* Forwards HTTP requests from Domain Proxy Client to target hosts +* Forwards HTTP responses from target hosts to Domain Proxy Client +* Optionally uses an internally configured proxy for HTTP connections to target hosts + +### Domain Proxy Client + +* Runs inside unshare environment +* Connects to Domain Proxy Server via Unix domain socket +* Listens on HTTP port for connections from build tools +* Forwards HTTP requests from build tools to Domain Proxy Server +* Forwards HTTP responses from Domain Proxy Server to build tools + +## Environment variables + +### Common + +* DOMAIN_PROXY_BYTE_BUFFER_SIZE + * Default: `32768` +* DOMAIN_PROXY_DOMAIN_SOCKET + * Default: `/tmp/domain-socket.sock` +* DOMAIN_PROXY_CONNECTION_TIMEOUT + * Default: `10000` milliseconds +* DOMAIN_PROXY_IDLE_TIMEOUT + * Default: `30000` milliseconds + +### Domain Proxy Server + +* DOMAIN_PROXY_TARGET_ALLOWLIST + * Default: + `localhost,repo.maven.apache.org,repository.jboss.org,packages.confluent.io,jitpack.io,repo.gradle.org,plugins.gradle.org` +* DOMAIN_PROXY_ENABLE_INTERNAL_PROXY + * Default: `false` +* DOMAIN_PROXY_INTERNAL_PROXY_HOST + * Default: `indy-generic-proxy` +* DOMAIN_PROXY_INTERNAL_PROXY_PORT + * Default: `80` +* DOMAIN_PROXY_INTERNAL_PROXY_USER +* DOMAIN_PROXY_INTERNAL_PROXY_PASSWORD +* DOMAIN_PROXY_INTERNAL_NON_PROXY_HOSTS + * Default: `localhost` + +### Domain Proxy Client + +* DOMAIN_PROXY_HTTP_PORT + * Default: `8080` + +## Build + +* `go build -v -o bin/domainproxyserver cmd/server/main.go` +* `go build -v -o bin/domainproxyclient cmd/client/main.go` + +## Run + +* `./bin/domainproxyserver` +* `./bin/domainproxyclient` + +## Test + +* `go test -v ./test` diff --git a/pkg/server/server.go b/pkg/server/server.go index 2f4bb14..8d28993 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -17,8 +17,8 @@ import ( const ( HttpPort = 80 HttpsPort = 443 - TargetWhitelistKey = "DOMAIN_PROXY_TARGET_WHITELIST" - DefaultTargetWhitelist = "localhost,repo.maven.apache.org,repository.jboss.org,packages.confluent.io,jitpack.io,repo.gradle.org,plugins.gradle.org" + TargetAllowlistKey = "DOMAIN_PROXY_TARGET_ALLOWLIST" + DefaultTargetAllowlist = "localhost,repo.maven.apache.org,repository.jboss.org,packages.confluent.io,jitpack.io,repo.gradle.org,plugins.gradle.org" EnableInternalProxyKey = "DOMAIN_PROXY_ENABLE_INTERNAL_PROXY" DefaultEnableInternalProxy = false InternalProxyHostKey = "DOMAIN_PROXY_INTERNAL_PROXY_HOST" @@ -40,7 +40,7 @@ var common = NewCommon(logger) type DomainProxyServer struct { sharedParams *SharedParams - targetWhitelist map[string]bool + targetAllowlist map[string]bool enableInternalProxy bool internalProxyHost string internalProxyPort int @@ -53,7 +53,7 @@ type DomainProxyServer struct { func NewDomainProxyServer() *DomainProxyServer { return &DomainProxyServer{ sharedParams: common.NewSharedParams(), - targetWhitelist: getTargetWhitelist(), + targetAllowlist: getTargetAllowlist(), enableInternalProxy: getEnableInternalProxy(), internalProxyHost: getInternalProxyHost(), internalProxyPort: getInternalProxyPort(), @@ -140,8 +140,8 @@ func (dps *DomainProxyServer) handleHttpConnection(sourceConnection net.Conn, wr } else { logger.Printf("Handling %s Connection %d with target %s:%d", DomainSocketToHttp, connectionNo, actualTargetHost, actualTargetPort) } - // Check if target is whitelisted - if !dps.isTargetWhitelisted(actualTargetHost, writer) { + // Check if target is allowed + if !dps.isTargetAllowed(actualTargetHost, writer) { if err := sourceConnection.Close(); err != nil { common.HandleConnectionCloseError(err) } @@ -212,8 +212,8 @@ func (dps *DomainProxyServer) handleHttpsConnection(sourceConnection net.Conn, w } else { logger.Printf("Handling %s Connection %d with target %s:%d", DomainSocketToHttps, connectionNo, actualTargetHost, actualTargetPort) } - // Check if target is whitelisted - if !dps.isTargetWhitelisted(actualTargetHost, writer) { + // Check if target is allowed + if !dps.isTargetAllowed(actualTargetHost, writer) { if err := sourceConnection.Close(); err != nil { common.HandleConnectionCloseError(err) } @@ -311,9 +311,9 @@ func getTargetHostAndPort(host string, defaultPort int) (string, int) { return targetHost, targetPort } -func (dps *DomainProxyServer) isTargetWhitelisted(targetHost string, writer http.ResponseWriter) bool { - if !dps.targetWhitelist[targetHost] { - message := fmt.Sprintf("Target host %s is not whitelisted", targetHost) +func (dps *DomainProxyServer) isTargetAllowed(targetHost string, writer http.ResponseWriter) bool { + if !dps.targetAllowlist[targetHost] { + message := fmt.Sprintf("Target host %s is not allowed", targetHost) logger.Println(message) http.Error(writer, message, http.StatusForbidden) return false @@ -391,8 +391,8 @@ func (rw *responseWriter) WriteHeader(statusCode int) { } } -func getTargetWhitelist() map[string]bool { - return common.GetCsvEnvVariable(TargetWhitelistKey, DefaultTargetWhitelist) +func getTargetAllowlist() map[string]bool { + return common.GetCsvEnvVariable(TargetAllowlistKey, DefaultTargetAllowlist) } func getEnableInternalProxy() bool { diff --git a/test/domainproxy_test.go b/test/domainproxy_test.go index ede8348..ae5c3d5 100644 --- a/test/domainproxy_test.go +++ b/test/domainproxy_test.go @@ -30,7 +30,7 @@ const ( ContentLength = "403" MockUrlPath = "/com/foo/bar/1.0/bar-1.0.pom" NonExistentUrlPath = "/com/foo/bar/1.0/bar-2.0.pom" - NonWhitelistedUrl = "repo1.maven.org/maven2/org/apache/maven/plugins/maven-jar-plugin/3.4.1/maven-jar-plugin-3.4.1.jar" + NonAllowedUrl = "repo1.maven.org/maven2/org/apache/maven/plugins/maven-jar-plugin/3.4.1/maven-jar-plugin-3.4.1.jar" NonExistentHost = "foo.bar" User = "foo" Password = "bar" @@ -143,7 +143,7 @@ func commonTestBehaviour(t *testing.T, qualifier string) { // Set env variables t.Setenv(DomainSocketKey, getRandomDomainSocket()) t.Setenv(HttpPortKey, DomainProxyPort) - t.Setenv(TargetWhitelistKey, "127.0.0.1,foo.bar") + t.Setenv(TargetAllowlistKey, "127.0.0.1,foo.bar") // Start services domainProxyServer, domainProxyClient := startDomainProxy() defer stopDomainProxy(domainProxyServer, domainProxyClient) @@ -215,8 +215,8 @@ func commonTestBehaviour(t *testing.T, qualifier string) { } }) - t.Run(fmt.Sprintf("Test HTTP non-whitelisted host%s", qualifier), func(t *testing.T) { - response, err := httpClient.Get("http://" + NonWhitelistedUrl) + t.Run(fmt.Sprintf("Test HTTP non-allowed host%s", qualifier), func(t *testing.T) { + response, err := httpClient.Get("http://" + NonAllowedUrl) if err != nil { t.Fatal(err) } @@ -226,8 +226,8 @@ func commonTestBehaviour(t *testing.T, qualifier string) { } }) - t.Run(fmt.Sprintf("Test HTTPS non-whitelisted host%s", qualifier), func(t *testing.T) { - _, err := httpClient.Get("https://" + NonWhitelistedUrl) + t.Run(fmt.Sprintf("Test HTTPS non-allowed host%s", qualifier), func(t *testing.T) { + _, err := httpClient.Get("https://" + NonAllowedUrl) statusText := http.StatusText(http.StatusForbidden) if !strings.Contains(err.Error(), statusText) { t.Fatalf("Actual error %s did not contain expected HTTP status text %s", err.Error(), statusText)