hex/wstunnel
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Turn match in restriction config into a list

Browse source
This commit is contained in:
Σrebe - Romain GERARD 2024-04-30 22:21:47 +02:00
parent 1e07eb7b2a
commit 368f6657fd
No known key found for this signature in database
GPG key ID: 7A42B4B97E0332F4
5 changed files with 105 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
restrictions.yaml
View file

@ -3,21 +3,28 @@
restrictions:
- name: "Allow all"
description: "This restriction allows all requests"
# This restriction apply only if it matches the prefix that match the given regex
# This restriction apply only and only if all matchers match/are evaluated to true
# It is a logical AND
match:
# This match apply only if it succeeds to match the path prefix with the given regex
# The regex does a match, so if you want to match exactly you need to bound the pattern with ^ $
# I.e: "tesotron" is going to match "XXXtesotronXXX", but "^tesotron$" is going to match only "tesotron"
match: !PathPrefix "^.*$"
- !PathPrefix "^.*$"
# The only other possible match type for now is !Any, that match everything/any request
# - !Any
# This is th list of tunnels your restriction is going to allow
# The list is going to be checked in order, the first match is going to allow the request
# This is the list of tunnels your restriction is going to allow
# The list is checked in order, the first match is going to allow the request
allow:
# !Tunnel allows forward tunnels
- !Tunnel
# Protocol that are allowed. Empty list means all protocols are allowed
# Logical OR
protocol:
- Tcp
- Udp
# Port that are allowed. Can be a single port or an inclusive range (i.e. 80..90)
# Logical OR
port:
- 80
- 443
@ -25,7 +32,8 @@ restrictions:
# if the tunnel wants to connect to a specific host, this regex must match
host: ^.*$
# if the tunnel wants to connect to a specific IP, it must match one of the network cidr
# if the tunnel wants to connect to a specific IP, it must be included in one of the network cidr
# Logical OR
cidr:
- 0.0.0.0/0
- ::/0
@ -49,7 +57,8 @@ restrictions:
restrictions:
- name: "example 1"
description: "Only allow forward tunnels to port 443 and forbid reverse tunnels"
match: !PathPrefix "^.*$"
match:
- !PathPrefix "^.*$"
allow:
- !Tunnel
port:
@ -58,7 +67,8 @@ restrictions:
restrictions:
- name: "example 2"
description: "Only allow forward tunnels to local ssh and forbid reverse tunnels"
match: !PathPrefix "^.*$"
match:
- !PathPrefix "^.*$"
allow:
- !Tunnel
protocol:
@ -72,7 +82,8 @@ restrictions:
restrictions:
- name: "example 3"
description: "Only allow socks5 reverse tunnels listening on port between 1080..1443 on lan network"
match: !PathPrefix "^.*$"
match:
- !PathPrefix "^.*$"
allow:
- !ReverseTunnel
protocol:
@ -85,7 +96,15 @@ restrictions:
restrictions:
- name: "example 4"
description: "Allow everything for client using path prefix my-super-secret-path"
match: !PathPrefix "^my-super-secret-path$"
match:
- !PathPrefix "^my-super-secret-path$"
allow:
- !Tunnel
- !ReverseTunnel
---
restrictions:
- name: "example 5"
description: "Forbid everything ..."
match:
- !Any
allow: []

3
src/main.rs
View file

@ -1278,9 +1278,10 @@ async fn main() {
args.restrict_http_upgrade_path_prefix.as_deref().unwrap_or(&[]),
&restrict_to,
)
.expect("Cannot covertion restriction rules from path-prefix and restric-to");
.expect("Cannot convert restriction rules from path-prefix and restric-to");
restriction_cfg
};
debug!("Restriction rules: {:?}", restrictions);
let server_config = WsServerConfig {
socket_so_mark: args.socket_so_mark,

64
src/restrictions/mod.rs
View file

@ -1,11 +1,18 @@
use crate::restrictions::types::{default_cidr, default_host};
use regex::Regex;
use ipnet::IpNet;
use std::fs::File;
use std::io::BufReader;
use std::net::IpAddr;
use std::ops::RangeInclusive;
use std::path::Path;
use std::str::FromStr;
use std::vec;
use regex::Regex;
use types::RestrictionsRules;
use crate::restrictions::types::{default_cidr, default_host};
pub mod types;
impl RestrictionsRules {
@ -18,41 +25,68 @@ impl RestrictionsRules {
path_prefixes: &[String],
restrict_to: &[(String, u16)],
) -> anyhow::Result<RestrictionsRules> {
let mut tunnels_restrictions = if restrict_to.is_empty() {
let tunnels_restrictions = if restrict_to.is_empty() {
let r = types::AllowConfig::Tunnel(types::AllowTunnelConfig {
protocol: vec![],
port: vec![],
host: default_host(),
cidr: default_cidr(),
});
vec![r]
let reverse_tunnel = types::AllowConfig::ReverseTunnel(types::AllowReverseTunnelConfig {
protocol: vec![],
port: vec![],
cidr: default_cidr(),
});
vec![r, reverse_tunnel]
} else {
restrict_to
.iter()
.map(|(host, port)| {
let reg = Regex::new(&format!("^{}$", regex::escape(host)))?;
Ok(types::AllowConfig::Tunnel(types::AllowTunnelConfig {
let tunnels = if let Ok(ip) = IpAddr::from_str(host) {
vec![
types::AllowConfig::Tunnel(types::AllowTunnelConfig {
protocol: vec![],
port: vec![RangeInclusive::new(*port, *port)],
host: reg,
cidr: default_cidr(),
}))
})
.collect::<Result<Vec<_>, anyhow::Error>>()?
};
tunnels_restrictions.push(types::AllowConfig::ReverseTunnel(types::AllowReverseTunnelConfig {
}),
types::AllowConfig::ReverseTunnel(types::AllowReverseTunnelConfig {
protocol: vec![],
port: vec![RangeInclusive::new(*port, *port)],
cidr: vec![IpNet::new(ip, if ip.is_ipv4() { 32 } else { 128 })?],
}),
]
} else {
vec![
types::AllowConfig::Tunnel(types::AllowTunnelConfig {
protocol: vec![],
port: vec![RangeInclusive::new(*port, *port)],
host: reg,
cidr: default_cidr(),
}),
types::AllowConfig::ReverseTunnel(types::AllowReverseTunnelConfig {
protocol: vec![],
port: vec![],
cidr: default_cidr(),
}));
}),
]
};
Ok(tunnels)
})
.collect::<Result<Vec<_>, anyhow::Error>>()?
.into_iter()
.flatten()
.collect()
};
let restrictions = if path_prefixes.is_empty() {
// if no path prefixes are provided, we allow all
let reg = Regex::new(".").unwrap();
let r = types::RestrictionConfig {
name: "Allow All".to_string(),
r#match: types::MatchConfig::PathPrefix(reg),
r#match: vec![types::MatchConfig::Any],
allow: tunnels_restrictions,
};
vec![r]
@ -63,7 +97,7 @@ impl RestrictionsRules {
let reg = Regex::new(&format!("^{}$", regex::escape(path_prefix)))?;
Ok(types::RestrictionConfig {
name: format!("Allow path prefix {}", path_prefix),
r#match: types::MatchConfig::PathPrefix(reg),
r#match: vec![types::MatchConfig::PathPrefix(reg)],
allow: tunnels_restrictions.clone(),
})
})

16
src/restrictions/types.rs
View file

@ -12,7 +12,8 @@ pub struct RestrictionsRules {
#[derive(Debug, Clone, Deserialize)]
pub struct RestrictionConfig {
pub name: String,
pub r#match: MatchConfig,
#[serde(deserialize_with = "deserialize_non_empty_vec")]
pub r#match: Vec<MatchConfig>,
pub allow: Vec<AllowConfig>,
}
@ -109,6 +110,19 @@ where
Ok(ranges)
}
fn deserialize_non_empty_vec<'de, D, T>(d: D) -> Result<Vec<T>, D::Error>
where
D: Deserializer<'de>,
T: Deserialize<'de>,
{
let vec = <Vec<T>>::deserialize(d)?;
if vec.is_empty() {
Err(serde::de::Error::custom("List must not be empty"))
} else {
Ok(vec)
}
}
impl From<&LocalProtocol> for ReverseTunnelConfigProtocol {
fn from(value: &LocalProtocol) -> Self {
match value {

10
src/tunnel/server.rs
View file

@ -319,14 +319,12 @@ fn validate_tunnel<'a>(
restrictions: &'a RestrictionsRules,
) -> Result<&'a RestrictionConfig, Response<String>> {
for restriction in &restrictions.restrictions {
match &restriction.r#match {
MatchConfig::Any => {}
MatchConfig::PathPrefix(path) => {
if !path.is_match(path_prefix) {
if !restriction.r#match.iter().all(|m| match m {
MatchConfig::Any => true,
MatchConfig::PathPrefix(path) => path.is_match(path_prefix),
}) {
continue;
}
}
}
for allow in &restriction.allow {
match allow {