You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

hostmatcher.go 4.2KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
  1. // Copyright 2021 The Gitea Authors. All rights reserved.
  2. // SPDX-License-Identifier: MIT
  3. package hostmatcher
  4. import (
  5. "net"
  6. "path/filepath"
  7. "strings"
  8. )
  9. // HostMatchList is used to check if a host or IP is in a list.
  10. type HostMatchList struct {
  11. SettingKeyHint string
  12. SettingValue string
  13. // builtins networks
  14. builtins []string
  15. // patterns for host names (with wildcard support)
  16. patterns []string
  17. // ipNets is the CIDR network list
  18. ipNets []*net.IPNet
  19. }
  20. // MatchBuiltinExternal A valid non-private unicast IP, all hosts on public internet are matched
  21. const MatchBuiltinExternal = "external"
  22. // MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
  23. const MatchBuiltinPrivate = "private"
  24. // MatchBuiltinLoopback 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
  25. const MatchBuiltinLoopback = "loopback"
  26. func isBuiltin(s string) bool {
  27. return s == MatchBuiltinExternal || s == MatchBuiltinPrivate || s == MatchBuiltinLoopback
  28. }
  29. // ParseHostMatchList parses the host list HostMatchList
  30. func ParseHostMatchList(settingKeyHint, hostList string) *HostMatchList {
  31. hl := &HostMatchList{SettingKeyHint: settingKeyHint, SettingValue: hostList}
  32. for _, s := range strings.Split(hostList, ",") {
  33. s = strings.ToLower(strings.TrimSpace(s))
  34. if s == "" {
  35. continue
  36. }
  37. _, ipNet, err := net.ParseCIDR(s)
  38. if err == nil {
  39. hl.ipNets = append(hl.ipNets, ipNet)
  40. } else if isBuiltin(s) {
  41. hl.builtins = append(hl.builtins, s)
  42. } else {
  43. hl.patterns = append(hl.patterns, s)
  44. }
  45. }
  46. return hl
  47. }
  48. // ParseSimpleMatchList parse a simple matchlist (no built-in networks, no CIDR support, only wildcard pattern match)
  49. func ParseSimpleMatchList(settingKeyHint, matchList string) *HostMatchList {
  50. hl := &HostMatchList{
  51. SettingKeyHint: settingKeyHint,
  52. SettingValue: matchList,
  53. }
  54. for _, s := range strings.Split(matchList, ",") {
  55. s = strings.ToLower(strings.TrimSpace(s))
  56. if s == "" {
  57. continue
  58. }
  59. // we keep the same result as old `matchlist`, so no builtin/CIDR support here, we only match wildcard patterns
  60. hl.patterns = append(hl.patterns, s)
  61. }
  62. return hl
  63. }
  64. // AppendBuiltin appends more builtins to match
  65. func (hl *HostMatchList) AppendBuiltin(builtin string) {
  66. hl.builtins = append(hl.builtins, builtin)
  67. }
  68. // AppendPattern appends more pattern to match
  69. func (hl *HostMatchList) AppendPattern(pattern string) {
  70. hl.patterns = append(hl.patterns, pattern)
  71. }
  72. // IsEmpty checks if the checklist is empty
  73. func (hl *HostMatchList) IsEmpty() bool {
  74. return hl == nil || (len(hl.builtins) == 0 && len(hl.patterns) == 0 && len(hl.ipNets) == 0)
  75. }
  76. func (hl *HostMatchList) checkPattern(host string) bool {
  77. host = strings.ToLower(strings.TrimSpace(host))
  78. for _, pattern := range hl.patterns {
  79. if matched, _ := filepath.Match(pattern, host); matched {
  80. return true
  81. }
  82. }
  83. return false
  84. }
  85. func (hl *HostMatchList) checkIP(ip net.IP) bool {
  86. for _, pattern := range hl.patterns {
  87. if pattern == "*" {
  88. return true
  89. }
  90. }
  91. for _, builtin := range hl.builtins {
  92. switch builtin {
  93. case MatchBuiltinExternal:
  94. if ip.IsGlobalUnicast() && !ip.IsPrivate() {
  95. return true
  96. }
  97. case MatchBuiltinPrivate:
  98. if ip.IsPrivate() {
  99. return true
  100. }
  101. case MatchBuiltinLoopback:
  102. if ip.IsLoopback() {
  103. return true
  104. }
  105. }
  106. }
  107. for _, ipNet := range hl.ipNets {
  108. if ipNet.Contains(ip) {
  109. return true
  110. }
  111. }
  112. return false
  113. }
  114. // MatchHostName checks if the host matches an allow/deny(block) list
  115. func (hl *HostMatchList) MatchHostName(host string) bool {
  116. if hl == nil {
  117. return false
  118. }
  119. hostname, _, err := net.SplitHostPort(host)
  120. if err != nil {
  121. hostname = host
  122. }
  123. if hl.checkPattern(hostname) {
  124. return true
  125. }
  126. if ip := net.ParseIP(hostname); ip != nil {
  127. return hl.checkIP(ip)
  128. }
  129. return false
  130. }
  131. // MatchIPAddr checks if the IP matches an allow/deny(block) list, it's safe to pass `nil` to `ip`
  132. func (hl *HostMatchList) MatchIPAddr(ip net.IP) bool {
  133. if hl == nil {
  134. return false
  135. }
  136. host := ip.String() // nil-safe, we will get "<nil>" if ip is nil
  137. return hl.checkPattern(host) || hl.checkIP(ip)
  138. }
  139. // MatchHostOrIP checks if the host or IP matches an allow/deny(block) list
  140. func (hl *HostMatchList) MatchHostOrIP(host string, ip net.IP) bool {
  141. return hl.MatchHostName(host) || hl.MatchIPAddr(ip)
  142. }