Skip to content

Commit

Permalink
Refactor allowed_domains_mitm to mitm_domains
Browse files Browse the repository at this point in the history
  • Loading branch information
harold-s committed Sep 17, 2024
1 parent 8fcae44 commit b319203
Show file tree
Hide file tree
Showing 7 changed files with 93 additions and 40 deletions.
10 changes: 6 additions & 4 deletions Development.md
Original file line number Diff line number Diff line change
Expand Up @@ -229,8 +229,9 @@ default:
name: default
project: security
action: enforce
allowed_domains: []
allowed_domains_mitm:
allowed_domains:
- wttr.in
mitm_domains:
- domain: wttr.in
add_headers:
Accept-Language: el
Expand Down Expand Up @@ -278,8 +279,9 @@ services:
- name: localhost
project: github
action: enforce
allowed_domains: []
allowed_domains_mitm:
allowed_domains:
- wttr.in
mitm_domains:
- domain: wttr.in
add_headers:
Accept-Language: el
Expand Down
45 changes: 28 additions & 17 deletions pkg/smokescreen/acl/v1/acl.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ type Rule struct {
Project string
Policy EnforcementPolicy
DomainGlobs []string
DomainMitmGlobs []MitmDomain
MitmDomains []MitmDomain
ExternalProxyGlobs []string
}

Expand Down Expand Up @@ -83,7 +83,7 @@ func (acl *ACL) Add(svc string, r Rule) error {
return err
}

err = acl.ValidateRuleDomainsGlobs(svc, r)
err = acl.ValidateRuleDomainsGlobsAndMitm(svc, r)
if err != nil {
return err
}
Expand Down Expand Up @@ -137,18 +137,16 @@ func (acl *ACL) Decide(service, host, connectProxyHost string) (Decision, error)
for _, dg := range rule.DomainGlobs {
if HostMatchesGlob(host, dg) {
d.Result, d.Reason = Allow, "host matched allowed domain in rule"
return d, nil
}
}

// if the host matches any of the rule's allowed domains with MITM config, allow
for _, dg := range rule.DomainMitmGlobs {
if HostMatchesGlob(host, dg.Domain) {
d.Result, d.Reason = Allow, "host matched allowed domain in MITM rule"
d.MitmConfig = &MitmConfig{
AddHeaders: dg.AddHeaders,
DetailedHttpLogs: dg.DetailedHttpLogs,
DetailedHttpLogsFullHeaders: dg.DetailedHttpLogsFullHeaders,
// Check if we can find a matching MITM config
for _, dg := range rule.MitmDomains {
if HostMatchesGlob(host, dg.Domain) {
d.MitmConfig = &MitmConfig{
AddHeaders: dg.AddHeaders,
DetailedHttpLogs: dg.DetailedHttpLogs,
DetailedHttpLogsFullHeaders: dg.DetailedHttpLogsFullHeaders,
}
return d, nil
}
}
return d, nil
}
Expand Down Expand Up @@ -208,7 +206,7 @@ func (acl *ACL) DisablePolicies(actions []string) error {
// and is not utilizing a disabled enforcement policy.
func (acl *ACL) Validate() error {
for svc, r := range acl.Rules {
err := acl.ValidateRuleDomainsGlobs(svc, r)
err := acl.ValidateRuleDomainsGlobsAndMitm(svc, r)
if err != nil {
return err
}
Expand All @@ -220,19 +218,24 @@ func (acl *ACL) Validate() error {
return nil
}

func (acl *ACL) ValidateRuleDomainsGlobs(svc string, r Rule) error {
func (acl *ACL) ValidateRuleDomainsGlobsAndMitm(svc string, r Rule) error {
var err error
for _, d := range r.DomainGlobs {
err = acl.ValidateDomainGlob(svc, d)
if err != nil {
return err
}
}
for _, d := range r.DomainMitmGlobs {
for _, d := range r.MitmDomains {
err = acl.ValidateDomainGlob(svc, d.Domain)
if err != nil {
return err
}
// Check if the MITM config domain is also in DomainGlobs
// Replace with slices.ContainsString when project upgraded to > 1.21
if !containsString(r.DomainGlobs, d.Domain) {
return fmt.Errorf("domain %s was added to mitm_domains but is missing in allowed_domains", d.Domain)
}
}
return nil
}
Expand Down Expand Up @@ -327,3 +330,11 @@ func HostMatchesGlob(host string, domainGlob string) bool {
}
return false
}
func containsString(slice []string, str string) bool {
for _, item := range slice {
if item == str {
return true
}
}
return false
}
28 changes: 27 additions & 1 deletion pkg/smokescreen/acl/v1/acl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -377,10 +377,36 @@ func TestMitmComfig(t *testing.T) {
d, err := acl.Decide(mitmService, "example-mitm.com", "")
a.NoError(err)
a.Equal(Allow, d.Result)
a.Equal("host matched allowed domain in MITM rule", d.Reason)
a.Equal("host matched allowed domain in rule", d.Reason)

a.NotNil(d.MitmConfig)
a.Equal(true, d.MitmConfig.DetailedHttpLogs)
a.Equal([]string{"User-Agent"}, d.MitmConfig.DetailedHttpLogsFullHeaders)
a.Equal(map[string]string{"Accept-Language": "el"}, d.MitmConfig.AddHeaders)
}

func TestInvalidMitmComfig(t *testing.T) {
a := assert.New(t)

acl := &ACL{
Rules: map[string]Rule{
"enforce-dummy-mitm-srv": {
Project: "usersec",
Policy: Enforce,
DomainGlobs: []string{
"example.com",
},
MitmDomains: []MitmDomain{{
Domain: "example-mitm.com",
AddHeaders: map[string]string{
"Accept-Language": "el",
},
DetailedHttpLogs: true,
}},
},
},
}

err := acl.Validate()
a.Error(err)
}
3 changes: 2 additions & 1 deletion pkg/smokescreen/acl/v1/testdata/mitm_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ services:
allowed_domains:
- examplea.com
- exampleb.com
allowed_domains_mitm:
- example-mitm.com
mitm_domains:
- domain: example-mitm.com
add_headers:
Accept-Language: el
Expand Down
33 changes: 17 additions & 16 deletions pkg/smokescreen/acl/v1/yaml_loader.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,15 +26,15 @@ type YAMLConfig struct {
}

type YAMLRule struct {
Name string `yaml:"name"`
Project string `yaml:"project"` // owner
Action string `yaml:"action"`
AllowedHosts []string `yaml:"allowed_domains"`
AllowedHostsMitm []YAMLMitmRule `yaml:"allowed_domains_mitm"`
AllowedExternalProxyHosts []string `yaml:"allowed_external_proxies"`
Name string `yaml:"name"`
Project string `yaml:"project"` // owner
Action string `yaml:"action"`
AllowedHosts []string `yaml:"allowed_domains"`
MitmDomains []YAMLMitmDomain `yaml:"mitm_domains"`
AllowedExternalProxyHosts []string `yaml:"allowed_external_proxies"`
}

type YAMLMitmRule struct {
type YAMLMitmDomain struct {
Domain string `yaml:"domain"`
AddHeaders map[string]string `yaml:"add_headers"`
DetailedHttpLogs bool `yaml:"detailed_http_logs"`
Expand Down Expand Up @@ -86,18 +86,18 @@ func (cfg *YAMLConfig) Load() (*ACL, error) {
return nil, err
}

var allowedHostsMitm []MitmDomain
var mitmDomains []MitmDomain

for _, w := range v.AllowedHostsMitm {
for _, w := range v.MitmDomains {
mitmDomain := NewMITMDomain(w)
allowedHostsMitm = append(allowedHostsMitm, mitmDomain)
mitmDomains = append(mitmDomains, mitmDomain)
}

r := Rule{
Project: v.Project,
Policy: p,
DomainGlobs: v.AllowedHosts,
DomainMitmGlobs: allowedHostsMitm,
MitmDomains: mitmDomains,
ExternalProxyGlobs: v.AllowedExternalProxyHosts,
}

Expand All @@ -113,18 +113,19 @@ func (cfg *YAMLConfig) Load() (*ACL, error) {
return nil, err
}

var allowedHostsMitm []MitmDomain
var mitmDomains []MitmDomain

for _, w := range cfg.Default.MitmDomains {

for _, w := range cfg.Default.AllowedHostsMitm {
mitmDomain := NewMITMDomain(w)
allowedHostsMitm = append(allowedHostsMitm, mitmDomain)
mitmDomains = append(mitmDomains, mitmDomain)
}

acl.DefaultRule = &Rule{
Project: cfg.Default.Project,
Policy: p,
DomainGlobs: cfg.Default.AllowedHosts,
DomainMitmGlobs: allowedHostsMitm,
MitmDomains: mitmDomains,
ExternalProxyGlobs: cfg.Default.AllowedExternalProxyHosts,
}
}
Expand All @@ -142,7 +143,7 @@ func (cfg *YAMLConfig) Load() (*ACL, error) {
return &acl, nil
}

func NewMITMDomain(w YAMLMitmRule) MitmDomain {
func NewMITMDomain(w YAMLMitmDomain) MitmDomain {
return MitmDomain{
AddHeaders: w.AddHeaders,
DetailedHttpLogs: w.DetailedHttpLogs,
Expand Down
10 changes: 10 additions & 0 deletions pkg/smokescreen/acl/v1/yaml_loader_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,16 @@ func TestYAMLLoader(t *testing.T) {
a.NotNil(err)
a.Nil(acl)
}

// Load a valid MITM config
{
yl := NewYAMLLoader("testdata/mitm_config.yaml")
acl, err := New(logrus.New(), yl, []string{})
a.Nil(err)
a.NotNil(acl)
a.Equal(1, len(acl.Rules))
a.Equal(1, len(acl.Rules["enforce-dummy-mitm-srv"].MitmDomains))
}
}

func TestYAMLLoaderInvalidGlob(t *testing.T) {
Expand Down
4 changes: 3 additions & 1 deletion pkg/smokescreen/testdata/acl.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ services:
- name: test-mitm
project: security
action: enforce
allowed_domains_mitm:
allowed_domains:
- 127.0.0.1
mitm_domains:
- domain: 127.0.0.1
add_headers:
Accept-Language: el
Expand Down

0 comments on commit b319203

Please sign in to comment.