tako-rs-plugins 2.0.0

Internal plugin and concrete-middleware implementations for tako-rs. Use the `tako-rs` umbrella crate instead.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

//! IP allow / deny filter with CIDR support.
//!
//! Reads the client IP from the unified [`ConnInfo`] extension (falling back
//! to the legacy `SocketAddr` extension), then matches it against an allow
//! list, a deny list, or both. Deny rules win when both match.
//!
//! `X-Forwarded-For` is intentionally not honored here — that path is the
//! responsibility of an upstream PROXY-protocol handler or an explicit
//! reverse-proxy gate. Trusting client-controlled headers in this layer
//! would let any caller spoof the source IP.

use std::future::Future;
use std::net::IpAddr;
use std::net::SocketAddr;
use std::pin::Pin;
use std::sync::Arc;

use http::StatusCode;
use ipnet::IpNet;
use tako_rs_core::body::TakoBody;
use tako_rs_core::conn_info::ConnInfo;
use tako_rs_core::conn_info::PeerAddr;
use tako_rs_core::middleware::IntoMiddleware;
use tako_rs_core::middleware::Next;
use tako_rs_core::types::Request;
use tako_rs_core::types::Response;

/// Allow / deny list of CIDR ranges.
#[derive(Default, Clone)]
pub struct IpFilter {
  allow: Vec<IpNet>,
  deny: Vec<IpNet>,
  /// When true, a request without a discoverable peer IP is denied. Default
  /// is false (allow when peer is unknown — typical for Unix sockets).
  deny_unknown: bool,
  /// Status returned on rejection.
  status: StatusCode,
}

impl IpFilter {
  /// Builds an empty filter (everything allowed).
  pub fn new() -> Self {
    Self {
      allow: Vec::new(),
      deny: Vec::new(),
      deny_unknown: false,
      status: StatusCode::FORBIDDEN,
    }
  }

  /// Adds a CIDR (or single IP) to the allow list.
  pub fn allow(mut self, cidr: &str) -> Result<Self, ipnet::AddrParseError> {
    self.allow.push(parse_cidr(cidr)?);
    Ok(self)
  }

  /// Adds a CIDR (or single IP) to the deny list.
  pub fn deny(mut self, cidr: &str) -> Result<Self, ipnet::AddrParseError> {
    self.deny.push(parse_cidr(cidr)?);
    Ok(self)
  }

  /// Reject requests whose peer IP cannot be determined.
  pub fn deny_unknown(mut self, deny: bool) -> Self {
    self.deny_unknown = deny;
    self
  }

  /// Override the default `403` rejection status.
  pub fn status(mut self, status: StatusCode) -> Self {
    self.status = status;
    self
  }
}

fn parse_cidr(cidr: &str) -> Result<IpNet, ipnet::AddrParseError> {
  // Single addresses (`1.2.3.4`) are parsed as `/32` or `/128` automatically.
  if let Ok(net) = cidr.parse::<IpNet>() {
    return Ok(net);
  }
  let ip: IpAddr = cidr.parse().map_err(|_| {
    // Re-parse to surface the original ipnet error rather than fabricating one.
    "invalid".parse::<IpNet>().unwrap_err()
  })?;
  Ok(IpNet::from(ip))
}

fn peer_ip(req: &Request) -> Option<IpAddr> {
  if let Some(info) = req.extensions().get::<ConnInfo>()
    && let PeerAddr::Ip(sa) = &info.peer
  {
    return Some(sa.ip());
  }
  if let Some(sa) = req.extensions().get::<SocketAddr>() {
    return Some(sa.ip());
  }
  None
}

impl IntoMiddleware for IpFilter {
  fn into_middleware(
    self,
  ) -> impl Fn(Request, Next) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>>
  + Clone
  + Send
  + Sync
  + 'static {
    let allow = Arc::new(self.allow);
    let deny = Arc::new(self.deny);
    let deny_unknown = self.deny_unknown;
    let status = self.status;

    move |req: Request, next: Next| {
      let allow = allow.clone();
      let deny = deny.clone();
      Box::pin(async move {
        let ip = peer_ip(&req);
        let reject = match ip {
          None => deny_unknown,
          Some(ip) => {
            if deny.iter().any(|n| n.contains(&ip)) {
              true
            } else if allow.is_empty() {
              false
            } else {
              !allow.iter().any(|n| n.contains(&ip))
            }
          }
        };
        if reject {
          return http::Response::builder()
            .status(status)
            .body(TakoBody::empty())
            .expect("valid ip_filter response");
        }
        next.run(req).await
      })
    }
  }
}