mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16706 Commits
17 Branches
Tree: 96d3fcf179
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '96d3fcf179'
${ noResults }
gitea/modules/hostmatcher/hostmatcher.go

hostmatcher.go 4.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. // Copyright 2021 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package hostmatcher

  5. 

  6. import (

  7. 	"net"

  8. 	"path/filepath"

  9. 	"strings"

  10. )

  11. 

  12. // HostMatchList is used to check if a host or IP is in a list.

  13. type HostMatchList struct {

  14. 	SettingKeyHint string

  15. 	SettingValue   string

  16. 

  17. 	// builtins networks

  18. 	builtins []string

  19. 	// patterns for host names (with wildcard support)

  20. 	patterns []string

  21. 	// ipNets is the CIDR network list

  22. 	ipNets []*net.IPNet

  23. }

  24. 

  25. // MatchBuiltinExternal A valid non-private unicast IP, all hosts on public internet are matched

  26. const MatchBuiltinExternal = "external"

  27. 

  28. // MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.

  29. const MatchBuiltinPrivate = "private"

  30. 

  31. // MatchBuiltinLoopback 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.

  32. const MatchBuiltinLoopback = "loopback"

  33. 

  34. func isBuiltin(s string) bool {

  35. 	return s == MatchBuiltinExternal || s == MatchBuiltinPrivate || s == MatchBuiltinLoopback

  36. }

  37. 

  38. // ParseHostMatchList parses the host list HostMatchList

  39. func ParseHostMatchList(settingKeyHint, hostList string) *HostMatchList {

  40. 	hl := &HostMatchList{SettingKeyHint: settingKeyHint, SettingValue: hostList}

  41. 	for _, s := range strings.Split(hostList, ",") {

  42. 		s = strings.ToLower(strings.TrimSpace(s))

  43. 		if s == "" {

  44. 			continue

  45. 		}

  46. 		_, ipNet, err := net.ParseCIDR(s)

  47. 		if err == nil {

  48. 			hl.ipNets = append(hl.ipNets, ipNet)

  49. 		} else if isBuiltin(s) {

  50. 			hl.builtins = append(hl.builtins, s)

  51. 		} else {

  52. 			hl.patterns = append(hl.patterns, s)

  53. 		}

  54. 	}

  55. 	return hl

  56. }

  57. 

  58. // ParseSimpleMatchList parse a simple matchlist (no built-in networks, no CIDR support, only wildcard pattern match)

  59. func ParseSimpleMatchList(settingKeyHint, matchList string) *HostMatchList {

  60. 	hl := &HostMatchList{

  61. 		SettingKeyHint: settingKeyHint,

  62. 		SettingValue:   matchList,

  63. 	}

  64. 	for _, s := range strings.Split(matchList, ",") {

  65. 		s = strings.ToLower(strings.TrimSpace(s))

  66. 		if s == "" {

  67. 			continue

  68. 		}

  69. 		// we keep the same result as old `matchlist`, so no builtin/CIDR support here, we only match wildcard patterns

  70. 		hl.patterns = append(hl.patterns, s)

  71. 	}

  72. 	return hl

  73. }

  74. 

  75. // AppendBuiltin appends more builtins to match

  76. func (hl *HostMatchList) AppendBuiltin(builtin string) {

  77. 	hl.builtins = append(hl.builtins, builtin)

  78. }

  79. 

  80. // AppendPattern appends more pattern to match

  81. func (hl *HostMatchList) AppendPattern(pattern string) {

  82. 	hl.patterns = append(hl.patterns, pattern)

  83. }

  84. 

  85. // IsEmpty checks if the checklist is empty

  86. func (hl *HostMatchList) IsEmpty() bool {

  87. 	return hl == nil || (len(hl.builtins) == 0 && len(hl.patterns) == 0 && len(hl.ipNets) == 0)

  88. }

  89. 

  90. func (hl *HostMatchList) checkPattern(host string) bool {

  91. 	host = strings.ToLower(strings.TrimSpace(host))

  92. 	for _, pattern := range hl.patterns {

  93. 		if matched, _ := filepath.Match(pattern, host); matched {

  94. 			return true

  95. 		}

  96. 	}

  97. 	return false

  98. }

  99. 

  100. func (hl *HostMatchList) checkIP(ip net.IP) bool {

  101. 	for _, pattern := range hl.patterns {

  102. 		if pattern == "*" {

  103. 			return true

  104. 		}

  105. 	}

  106. 	for _, builtin := range hl.builtins {

  107. 		switch builtin {

  108. 		case MatchBuiltinExternal:

  109. 			if ip.IsGlobalUnicast() && !ip.IsPrivate() {

  110. 				return true

  111. 			}

  112. 		case MatchBuiltinPrivate:

  113. 			if ip.IsPrivate() {

  114. 				return true

  115. 			}

  116. 		case MatchBuiltinLoopback:

  117. 			if ip.IsLoopback() {

  118. 				return true

  119. 			}

  120. 		}

  121. 	}

  122. 	for _, ipNet := range hl.ipNets {

  123. 		if ipNet.Contains(ip) {

  124. 			return true

  125. 		}

  126. 	}

  127. 	return false

  128. }

  129. 

  130. // MatchHostName checks if the host matches an allow/deny(block) list

  131. func (hl *HostMatchList) MatchHostName(host string) bool {

  132. 	if hl == nil {

  133. 		return false

  134. 	}

  135. 

  136. 	hostname, _, err := net.SplitHostPort(host)

  137. 	if err != nil {

  138. 		hostname = host

  139. 	}

  140. 	if hl.checkPattern(hostname) {

  141. 		return true

  142. 	}

  143. 	if ip := net.ParseIP(hostname); ip != nil {

  144. 		return hl.checkIP(ip)

  145. 	}

  146. 	return false

  147. }

  148. 

  149. // MatchIPAddr checks if the IP matches an allow/deny(block) list, it's safe to pass `nil` to `ip`

  150. func (hl *HostMatchList) MatchIPAddr(ip net.IP) bool {

  151. 	if hl == nil {

  152. 		return false

  153. 	}

  154. 	host := ip.String() // nil-safe, we will get "<nil>" if ip is nil

  155. 	return hl.checkPattern(host) || hl.checkIP(ip)

  156. }

  157. 

  158. // MatchHostOrIP checks if the host or IP matches an allow/deny(block) list

  159. func (hl *HostMatchList) MatchHostOrIP(host string, ip net.IP) bool {

  160. 	return hl.MatchHostName(host) || hl.MatchIPAddr(ip)

  161. }