update gen_config in cli to support adding allowed_ips

2022-12-27 05:41:14 +00:00
parent 0a5256cbd7
commit 9cde83de0e
6 changed files with 46 additions and 17 deletions
--- a/cli/src/helpers.rs
+++ b/cli/src/helpers.rs
@@ -1,6 +1,7 @@
 use std::{
    fs::{self, File},
    io::{Read, Write},
+    net::IpAddr,
    path::PathBuf,
    str::FromStr,
 };
@@ -253,9 +254,21 @@ pub fn gen_periphery_config(sub_matches: &ArgMatches) {
        .parse::<Timelength>()
        .expect("invalid timelength");

+    let allowed_ips = sub_matches
+        .get_one::<String>("allowed_ips")
+        .map(|p| p.as_str())
+        .unwrap_or("")
+        .split(",")
+        .map(|ip| {
+            ip.parse()
+                .expect("given allowed ip address is not valid ip")
+        })
+        .collect::<Vec<IpAddr>>();
+
    let config = PeripheryConfig {
        port,
        stats_polling_rate,
+        allowed_ips,
        repo_dir: "/repos".to_string(),
        secrets: Default::default(),
        github_accounts: Default::default(),
--- a/cli/src/main.rs
+++ b/cli/src/main.rs
@@ -20,7 +20,7 @@ fn cli() -> Command {
                .arg_required_else_help(true)
                .allow_external_subcommands(true)
                .subcommand(
-                    Command::new("config_gen")
+                    Command::new("gen_config")
                        .about("generate a core config file")
                        .arg(
                            arg!(--path <PATH> "sets path of generated config file. default is '~/.monitor/core.config.toml'")
@@ -108,7 +108,7 @@ fn cli() -> Command {
                .arg_required_else_help(true)
                .allow_external_subcommands(true)
                .subcommand(
-                    Command::new("config_gen")
+                    Command::new("gen_config")
                        .about("generate a periphery config file")
                        .arg(
                            arg!(--path <PATH> "sets path of generated config file. default is '~/.monitor/periphery.config.toml'")
@@ -122,6 +122,9 @@ fn cli() -> Command {
                            arg!(--stats_polling_rate <INTERVAL> "sets stats polling rate to control granularity of system stats returned. default is 5-sec. options: 1-sec, 5-sec, 10-sec, 30-sec, 1-min")
                                .required(false)
                        )
+                        .arg(
+                            arg!(--allowed_ips <IPS> "used to only accept requests from known ips. give ips as comma seperated list, like '--allowed_ips 127.0.0.1,10.20.30.43'. default is empty, which will not block any ip.")
+                        )
                )
                .subcommand(
                    Command::new("start")
@@ -154,25 +157,25 @@ fn main() {

    match matches.subcommand() {
        Some(("core", sub_matches)) => {
-            let core_command = sub_matches.subcommand().expect("\n❌ invalid call, should be 'monitor_cli core <config_gen, start_mongo, start> <flags>' ❌\n");
+            let core_command = sub_matches.subcommand().expect("\n❌ invalid call, should be 'monitor_cli core <gen_config, start_mongo, start> <flags>' ❌\n");
            match core_command {
-                ("config_gen", sub_matches) => gen_core_config(sub_matches),
+                ("gen_config", sub_matches) => gen_core_config(sub_matches),
                ("start_mongo", sub_matches) => start_mongo(sub_matches),
                ("start", sub_matches) => start_core(sub_matches),
                _ => {
-                    println!("\n❌ invalid call, should be 'monitor_cli core <config_gen, start_mongo, start> <flags>' ❌\n")
+                    println!("\n❌ invalid call, should be 'monitor_cli core <gen_config, start_mongo, start> <flags>' ❌\n")
                }
            }
        }
        Some(("periphery", sub_matches)) => {
            let periphery_command = sub_matches.subcommand().expect(
-                "\n❌ invalid call, should be 'monitor_cli periphery <config_gen, start> <flags>' ❌\n",
+                "\n❌ invalid call, should be 'monitor_cli periphery <gen_config, start> <flags>' ❌\n",
            );
            match periphery_command {
-                ("config_gen", sub_matches) => gen_periphery_config(sub_matches),
+                ("gen_config", sub_matches) => gen_periphery_config(sub_matches),
                ("start", sub_matches) => start_periphery(sub_matches),
                _ => {
-                    println!("\n❌ invalid call, should be 'monitor_cli periphery <config_gen, start> <flags>' ❌\n")
+                    println!("\n❌ invalid call, should be 'monitor_cli periphery <gen_config, start> <flags>' ❌\n")
                }
            }
        }
--- a/cli/src/types.rs
+++ b/cli/src/types.rs
@@ -1,4 +1,4 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, net::IpAddr};

 use async_timing_util::Timelength;
 use serde_derive::{Deserialize, Serialize};
@@ -76,6 +76,8 @@ pub struct PeripheryConfig {
    #[serde(default = "default_stats_refresh_interval")]
    pub stats_polling_rate: Timelength,
    #[serde(default)]
+    pub allowed_ips: Vec<IpAddr>,
+    #[serde(default)]
    pub secrets: SecretsMap,
    #[serde(default)]
    pub github_accounts: GithubAccounts,
--- a/config_example/periphery.config.example.toml
+++ b/config_example/periphery.config.example.toml
@@ -1,6 +1,7 @@
 port = 9001           # optional. 9001 is default
 repo_dir = "/repos"   # optional. /repos is default. no reason to change if running the docker container, just mount your desired repo dir to /repos in the container
 stats_polling_rate = "5-sec" # optional. 5-sec is default. can use 1-sec, 5-sec, 10-sec, 30-sec, 1-min. controls granularity of system stats recorded
+allowed_ips = ["127.0.0.1"] # optional. default is empty, which will not block any request by ip.

 [secrets] # optional. can inject these values into your deployments configuration.
 secret_variable = "secret_value"
--- a/lib/types/src/config.rs
+++ b/lib/types/src/config.rs
@@ -76,7 +76,7 @@ pub struct PeripheryConfig {
    #[serde(default = "default_stats_refresh_interval")]
    pub stats_polling_rate: Timelength,
    #[serde(default)]
-    pub allowed_core_ip: Vec<IpAddr>,
+    pub allowed_ips: Vec<IpAddr>,
    #[serde(default)]
    pub secrets: SecretsMap,
    #[serde(default)]
--- a/periphery/src/api/mod.rs
+++ b/periphery/src/api/mod.rs
@@ -10,7 +10,7 @@ use axum::{
    Router,
 };
 use helpers::docker::DockerClient;
-use types::PeripheryConfig;
+use types::{monitor_timestamp, PeripheryConfig};

 use crate::PeripheryConfigExtension;

@@ -44,21 +44,31 @@ async fn guard_request(
    req: Request<Body>,
    next: Next<Body>,
 ) -> Result<Response, (StatusCode, String)> {
+    let config = req.extensions().get::<Arc<PeripheryConfig>>().ok_or((
+        StatusCode::INTERNAL_SERVER_ERROR,
+        "could not get periphery config".to_string(),
+    ))?;
+    if config.allowed_ips.is_empty() {
+        return Ok(next.run(req).await);
+    }
    let ConnectInfo(socket_addr) = req.extensions().get::<ConnectInfo<SocketAddr>>().ok_or((
        StatusCode::UNAUTHORIZED,
        "could not get socket addr of request".to_string(),
    ))?;
    let ip = socket_addr.ip();
-    let config = req.extensions().get::<Arc<PeripheryConfig>>().ok_or((
-        StatusCode::INTERNAL_SERVER_ERROR,
-        "could not get periphery config".to_string(),
-    ))?;
-    if config.allowed_core_ip.contains(&ip) {
+    if config.allowed_ips.contains(&ip) {
        Ok(next.run(req).await)
    } else {
+        eprintln!(
+            "{} | unauthorized request from {ip} | method: {} | uri: {} | body: {:?}",
+            monitor_timestamp(),
+            req.method(),
+            req.uri(),
+            req.body()
+        );
        Err((
            StatusCode::UNAUTHORIZED,
-            "requesting ip not allowed".to_string(),
+            format!("requesting ip {ip} not allowed"),
        ))
    }
 }