feat: add access policy middleware support cidr block

2024-12-09 18:33:44 +01:00
parent 7e3489e201
commit 89a6f3fffd
3 changed files with 19 additions and 7 deletions
--- a/docs/middleware/access-policy.md
+++ b/docs/middleware/access-policy.md
@@ -13,7 +13,7 @@ It supports two actions: `ALLOW` and `DENY`.
 ### How It Works
 1. **Define an action:** Specify whether the middleware should `ALLOW` or `DENY` access.

-2. **Set sourceRanges:** Provide a list of IP addresses or IP ranges to which the policy applies. 
+2. **Set sourceRanges:** Provide a list of IP addresses, IP ranges or a CIDR block to which the policy applies. 

    Requests originating from these sources will be evaluated according to the specified action.

@@ -28,5 +28,6 @@ middlewares:
      action: DENY # Specify either DENY or ALLOW
      sourceRanges:
        - 192.168.1.1 # Single IP address
-        - 172.18.0.0-172.18.0.10 # IP range
+        - 10.42.1.1-10.42.1.100 # IP range
+        - 10.42.1.1/16 # CIDR block
 ```
--- a/internal/config.go
+++ b/internal/config.go
@@ -307,10 +307,6 @@ func getAccessPoliciesMiddleware(input interface{}) (AccessPolicyRuleMiddleware,
 			if !validateCIDR(ip) {
 				return AccessPolicyRuleMiddleware{}, fmt.Errorf("invalid cidr address")
 			}
-			if validateCIDR(ip) {
-				return AccessPolicyRuleMiddleware{}, fmt.Errorf("cidr is not yet supported")
-
-			}
 		}

 	}
--- a/internal/middlewares/access_policy_middleware.go
+++ b/internal/middlewares/access_policy_middleware.go
@@ -63,13 +63,18 @@ func (access AccessPolicy) AccessPolicyMiddleware(next http.Handler) http.Handle
 	})
 }

-// isIPAllowed checks if a client IP matches an entry (range or single IP).
+// isIPAllowed checks if a client IP matches an entry (range, single IP or CIDR block).
 func isIPAllowed(clientIP, entry string) bool {
+	// Handle IP range
 	if strings.Contains(entry, "-") {
 		// Handle IP range
 		startIP, endIP, err := parseIPRange(entry)
 		return err == nil && ipInRange(clientIP, startIP, endIP)
 	}
+	// Handle CIDR
+	if strings.Contains(entry, "/") {
+		return ipInCIDR(clientIP, entry)
+	}
 	// Handle single IP
 	return clientIP == entry
 }
@@ -116,3 +121,13 @@ func ipInRange(ipStr, startIP, endIP string) bool {
 	}
 	return true
 }
+
+// Check if an IP is within a CIDR block
+func ipInCIDR(ipStr, cidr string) bool {
+	ip := net.ParseIP(ipStr)
+	_, ipNet, err := net.ParseCIDR(cidr)
+	if err != nil {
+		return false
+	}
+	return ipNet.Contains(ip)
+}