go-libp2p-resource-manager/allowlist.go

package rcmgr

import (
	"bytes"
	"errors"
	"fmt"
	"net"
	"sync"

	"github.com/libp2p/go-libp2p-core/peer"
	"github.com/multiformats/go-multiaddr"
	manet "github.com/multiformats/go-multiaddr/net"
)

type Allowlist struct {
	mu sync.RWMutex
	// a simple structure of lists of networks. There is probably a faster way
	// to check if an IP address is in this network than iterating over this
	// list, but this is good enough for small numbers of networks (<1_000).
	// Analyze the benchmark before trying to optimize this.

	// Any peer with these IPs are allowed
	allowedNetworks []*net.IPNet

	// Only the specified peers can use these IPs
	allowedPeerByNetwork map[peer.ID][]*net.IPNet
}

// WithAllowlistedMultiaddrs sets the multiaddrs to be in the allowlist
func WithAllowlistedMultiaddrs(mas []multiaddr.Multiaddr) Option {
	return func(rm *resourceManager) error {
		for _, ma := range mas {
			err := rm.allowlist.Add(ma)
			if err != nil {
				return err
			}
		}
		return nil
	}
}

func newAllowlist() Allowlist {
	return Allowlist{
		allowedPeerByNetwork: make(map[peer.ID][]*net.IPNet),
	}
}

func toIPNet(ma multiaddr.Multiaddr) (*net.IPNet, peer.ID, error) {
	var ipString string
	var mask string
	var allowedPeerStr string
	var allowedPeer peer.ID
	var isIPV4 bool

	multiaddr.ForEach(ma, func(c multiaddr.Component) bool {
		if c.Protocol().Code == multiaddr.P_IP4 || c.Protocol().Code == multiaddr.P_IP6 {
			isIPV4 = c.Protocol().Code == multiaddr.P_IP4
			ipString = c.Value()
		}
		if c.Protocol().Code == multiaddr.P_IPCIDR {
			mask = c.Value()
		}
		if c.Protocol().Code == multiaddr.P_P2P {
			allowedPeerStr = c.Value()
		}
		return ipString == "" || mask == "" || allowedPeerStr == ""
	})

	if ipString == "" {
		return nil, allowedPeer, errors.New("missing ip address")
	}

	if allowedPeerStr != "" {
		var err error
		allowedPeer, err = peer.Decode(allowedPeerStr)
		if err != nil {
			return nil, allowedPeer, fmt.Errorf("failed to decode allowed peer: %w", err)
		}
	}

	if mask == "" {
		ip := net.ParseIP(ipString)
		if ip == nil {
			return nil, allowedPeer, errors.New("invalid ip address")
		}
		var mask net.IPMask
		if isIPV4 {
			mask = net.CIDRMask(32, 32)
		} else {
			mask = net.CIDRMask(128, 128)
		}

		net := &net.IPNet{IP: ip, Mask: mask}
		return net, allowedPeer, nil
	}

	_, ipnet, err := net.ParseCIDR(ipString + "/" + mask)
	return ipnet, allowedPeer, err

}

// Add takes a multiaddr and adds it to the allowlist. The multiaddr should be
// an ip address of the peer with or without a `/p2p` protocol.
// e.g. /ip4/1.2.3.4/p2p/QmFoo, /ip4/1.2.3.4, and /ip4/1.2.3.0/ipcidr/24 are valid.
// /p2p/QmFoo is not valid.
func (al *Allowlist) Add(ma multiaddr.Multiaddr) error {
	ipnet, allowedPeer, err := toIPNet(ma)
	if err != nil {
		return err
	}
	al.mu.Lock()
	defer al.mu.Unlock()

	if allowedPeer != peer.ID("") {
		// We have a peerID constraint
		if al.allowedPeerByNetwork == nil {
			al.allowedPeerByNetwork = make(map[peer.ID][]*net.IPNet)
		}
		al.allowedPeerByNetwork[allowedPeer] = append(al.allowedPeerByNetwork[allowedPeer], ipnet)
	} else {
		al.allowedNetworks = append(al.allowedNetworks, ipnet)
	}
	return nil
}

func (al *Allowlist) Remove(ma multiaddr.Multiaddr) error {
	ipnet, allowedPeer, err := toIPNet(ma)
	if err != nil {
		return err
	}
	al.mu.Lock()
	defer al.mu.Unlock()

	ipNetList := al.allowedNetworks

	if allowedPeer != "" {
		// We have a peerID constraint
		ipNetList = al.allowedPeerByNetwork[allowedPeer]
	}

	if ipNetList == nil {
		return nil
	}

	i := len(ipNetList)
	for i > 0 {
		i--
		if ipNetList[i].IP.Equal(ipnet.IP) && bytes.Equal(ipNetList[i].Mask, ipnet.Mask) {
			// swap remove
			ipNetList[i] = ipNetList[len(ipNetList)-1]
			ipNetList = ipNetList[:len(ipNetList)-1]
			// We only remove one thing
			break
		}
	}

	if allowedPeer != "" {
		al.allowedPeerByNetwork[allowedPeer] = ipNetList
	} else {
		al.allowedNetworks = ipNetList
	}

	return nil
}

func (al *Allowlist) Allowed(ma multiaddr.Multiaddr) bool {
	ip, err := manet.ToIP(ma)
	if err != nil {
		return false
	}
	al.mu.RLock()
	defer al.mu.RUnlock()

	for _, network := range al.allowedNetworks {
		if network.Contains(ip) {
			return true
		}
	}

	for _, allowedNetworks := range al.allowedPeerByNetwork {
		for _, network := range allowedNetworks {
			if network.Contains(ip) {
				return true
			}
		}
	}

	return false
}

func (al *Allowlist) AllowedPeerAndMultiaddr(peerID peer.ID, ma multiaddr.Multiaddr) bool {
	ip, err := manet.ToIP(ma)
	if err != nil {
		return false
	}
	al.mu.RLock()
	defer al.mu.RUnlock()

	for _, network := range al.allowedNetworks {
		if network.Contains(ip) {
			// We found a match that isn't constrained by a peerID
			return true
		}
	}

	if expectedNetworks, ok := al.allowedPeerByNetwork[peerID]; ok {
		for _, expectedNetwork := range expectedNetworks {
			if expectedNetwork.Contains(ip) {
				return true
			}
		}
	}

	return false
}
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`package rcmgr`

			`import (`
			`"bytes"`
			`"errors"`
PR comments 2022-06-15 02:46:26 +08:00			`"fmt"`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`"net"`
Protect inner data with RWMutex 2022-06-28 05:40:07 +08:00			`"sync"`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
			`"github.com/libp2p/go-libp2p-core/peer"`
			`"github.com/multiformats/go-multiaddr"`
			`manet "github.com/multiformats/go-multiaddr/net"`
			`)`

Export Allowlist type 2022-06-28 06:39:26 +08:00			`type Allowlist struct {`
Protect inner data with RWMutex 2022-06-28 05:40:07 +08:00			`mu sync.RWMutex`
Add comment 2022-06-14 07:29:28 +08:00			`// a simple structure of lists of networks. There is probably a faster way`
			`// to check if an IP address is in this network than iterating over this`
			`// list, but this is good enough for small numbers of networks (<1_000).`
			`// Analyze the benchmark before trying to optimize this.`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
			`// Any peer with these IPs are allowed`
			`allowedNetworks []*net.IPNet`

			`// Only the specified peers can use these IPs`
			`allowedPeerByNetwork map[peer.ID][]*net.IPNet`
			`}`

Add WithAllowlistedMultiaddr option 2022-06-28 06:47:51 +08:00			`// WithAllowlistedMultiaddrs sets the multiaddrs to be in the allowlist`
			`func WithAllowlistedMultiaddrs(mas []multiaddr.Multiaddr) Option {`
			`return func(rm *resourceManager) error {`
			`for _, ma := range mas {`
			`err := rm.allowlist.Add(ma)`
			`if err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`
			`}`

Export Allowlist type 2022-06-28 06:39:26 +08:00			`func newAllowlist() Allowlist {`
			`return Allowlist{`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`allowedPeerByNetwork: make(map[peer.ID][]*net.IPNet),`
			`}`
			`}`

PR comments 2022-06-15 02:46:26 +08:00			`func toIPNet(ma multiaddr.Multiaddr) (*net.IPNet, peer.ID, error) {`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`var ipString string`
			`var mask string`
PR comments 2022-06-15 02:46:26 +08:00			`var allowedPeerStr string`
			`var allowedPeer peer.ID`
Simplify by removing ip addr, only networks. Adds a benchmark 2022-06-14 07:26:59 +08:00			`var isIPV4 bool`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
			`multiaddr.ForEach(ma, func(c multiaddr.Component) bool {`
			`if c.Protocol().Code == multiaddr.P_IP4 \|\| c.Protocol().Code == multiaddr.P_IP6 {`
Simplify by removing ip addr, only networks. Adds a benchmark 2022-06-14 07:26:59 +08:00			`isIPV4 = c.Protocol().Code == multiaddr.P_IP4`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`ipString = c.Value()`
			`}`
			`if c.Protocol().Code == multiaddr.P_IPCIDR {`
			`mask = c.Value()`
			`}`
			`if c.Protocol().Code == multiaddr.P_P2P {`
PR comments 2022-06-15 02:46:26 +08:00			`allowedPeerStr = c.Value()`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`}`
PR comments 2022-06-15 02:46:26 +08:00			`return ipString == "" \|\| mask == "" \|\| allowedPeerStr == ""`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`})`

			`if ipString == "" {`
Simplify by removing ip addr, only networks. Adds a benchmark 2022-06-14 07:26:59 +08:00			`return nil, allowedPeer, errors.New("missing ip address")`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`}`

PR comments 2022-06-15 02:46:26 +08:00			`if allowedPeerStr != "" {`
			`var err error`
			`allowedPeer, err = peer.Decode(allowedPeerStr)`
			`if err != nil {`
			`return nil, allowedPeer, fmt.Errorf("failed to decode allowed peer: %w", err)`
			`}`
			`}`

Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`if mask == "" {`
			`ip := net.ParseIP(ipString)`
			`if ip == nil {`
Simplify by removing ip addr, only networks. Adds a benchmark 2022-06-14 07:26:59 +08:00			`return nil, allowedPeer, errors.New("invalid ip address")`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`}`
Simplify by removing ip addr, only networks. Adds a benchmark 2022-06-14 07:26:59 +08:00			`var mask net.IPMask`
			`if isIPV4 {`
			`mask = net.CIDRMask(32, 32)`
			`} else {`
			`mask = net.CIDRMask(128, 128)`
			`}`

			`net := &net.IPNet{IP: ip, Mask: mask}`
			`return net, allowedPeer, nil`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`}`

			`_, ipnet, err := net.ParseCIDR(ipString + "/" + mask)`
Simplify by removing ip addr, only networks. Adds a benchmark 2022-06-14 07:26:59 +08:00			`return ipnet, allowedPeer, err`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
			`}`

PR comments 2022-06-15 02:46:26 +08:00			`// Add takes a multiaddr and adds it to the allowlist. The multiaddr should be`
			// an ip address of the peer with or without a `/p2p` protocol.
Update comment 2022-06-28 06:30:03 +08:00			`// e.g. /ip4/1.2.3.4/p2p/QmFoo, /ip4/1.2.3.4, and /ip4/1.2.3.0/ipcidr/24 are valid.`
PR comments 2022-06-15 02:46:26 +08:00			`// /p2p/QmFoo is not valid.`
Export Allowlist type 2022-06-28 06:39:26 +08:00			`func (al *Allowlist) Add(ma multiaddr.Multiaddr) error {`
PR comments 2022-06-15 02:46:26 +08:00			`ipnet, allowedPeer, err := toIPNet(ma)`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`if err != nil {`
			`return err`
			`}`
PR nits 2022-06-30 12:18:16 +08:00			`al.mu.Lock()`
			`defer al.mu.Unlock()`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
PR comments 2022-06-15 02:46:26 +08:00			`if allowedPeer != peer.ID("") {`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`// We have a peerID constraint`
Export Allowlist type 2022-06-28 06:39:26 +08:00			`if al.allowedPeerByNetwork == nil {`
			`al.allowedPeerByNetwork = make(map[peer.ID][]*net.IPNet)`
			`}`
PR comments 2022-06-15 02:46:26 +08:00			`al.allowedPeerByNetwork[allowedPeer] = append(al.allowedPeerByNetwork[allowedPeer], ipnet)`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`} else {`
PR comments 2022-06-15 02:46:26 +08:00			`al.allowedNetworks = append(al.allowedNetworks, ipnet)`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`}`
			`return nil`
			`}`

Export Allowlist type 2022-06-28 06:39:26 +08:00			`func (al *Allowlist) Remove(ma multiaddr.Multiaddr) error {`
PR comments 2022-06-15 02:46:26 +08:00			`ipnet, allowedPeer, err := toIPNet(ma)`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`if err != nil {`
			`return err`
			`}`
PR nits 2022-06-30 12:18:16 +08:00			`al.mu.Lock()`
			`defer al.mu.Unlock()`

Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`ipNetList := al.allowedNetworks`

PR nits 2022-06-30 12:18:16 +08:00			`if allowedPeer != "" {`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`// We have a peerID constraint`
			`ipNetList = al.allowedPeerByNetwork[allowedPeer]`
			`}`

Export Allowlist type 2022-06-28 06:39:26 +08:00			`if ipNetList == nil {`
			`return nil`
			`}`

PR comments 2022-06-15 02:46:26 +08:00			`i := len(ipNetList)`
			`for i > 0 {`
			`i--`
			`if ipNetList[i].IP.Equal(ipnet.IP) && bytes.Equal(ipNetList[i].Mask, ipnet.Mask) {`
Remove branch 2022-07-01 00:55:46 +08:00			`// swap remove`
			`ipNetList[i] = ipNetList[len(ipNetList)-1]`
			`ipNetList = ipNetList[:len(ipNetList)-1]`
			`// We only remove one thing`
			`break`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`}`
			`}`

			`if allowedPeer != "" {`
			`al.allowedPeerByNetwork[allowedPeer] = ipNetList`
			`} else {`
			`al.allowedNetworks = ipNetList`
			`}`

			`return nil`
			`}`

Export Allowlist type 2022-06-28 06:39:26 +08:00			`func (al *Allowlist) Allowed(ma multiaddr.Multiaddr) bool {`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`ip, err := manet.ToIP(ma)`
			`if err != nil {`
			`return false`
			`}`
PR nits 2022-06-30 12:18:16 +08:00			`al.mu.RLock()`
			`defer al.mu.RUnlock()`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
			`for _, network := range al.allowedNetworks {`
			`if network.Contains(ip) {`
			`return true`
			`}`
			`}`

			`for _, allowedNetworks := range al.allowedPeerByNetwork {`
			`for _, network := range allowedNetworks {`
			`if network.Contains(ip) {`
			`return true`
			`}`
			`}`
			`}`

			`return false`
			`}`

Export Allowlist type 2022-06-28 06:39:26 +08:00			`func (al *Allowlist) AllowedPeerAndMultiaddr(peerID peer.ID, ma multiaddr.Multiaddr) bool {`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00			`ip, err := manet.ToIP(ma)`
			`if err != nil {`
			`return false`
			`}`
PR nits 2022-06-30 12:18:16 +08:00			`al.mu.RLock()`
			`defer al.mu.RUnlock()`
Add allowlist impl Accepts multiaddrs that define who is allowed. 2022-06-10 13:26:24 +08:00
			`for _, network := range al.allowedNetworks {`
			`if network.Contains(ip) {`
			`// We found a match that isn't constrained by a peerID`
			`return true`
			`}`
			`}`

			`if expectedNetworks, ok := al.allowedPeerByNetwork[peerID]; ok {`
			`for _, expectedNetwork := range expectedNetworks {`
			`if expectedNetwork.Contains(ip) {`
			`return true`
			`}`
			`}`
			`}`

			`return false`
			`}`