From 5d7e37ab7c18f18cc833077ce2895d11a5f62b13 Mon Sep 17 00:00:00 2001 From: Edgaru089 Date: Thu, 27 Mar 2025 23:28:12 +0800 Subject: [PATCH] Working config & permissions --- config.json | 4 +++ internal/conf/config.go | 7 +++++ internal/http/server.go | 39 ++++++++++++++++++++++++++- internal/perm/config.go | 29 +++++++++++--------- internal/perm/perm.go | 6 ++++- main.go | 59 +++++++++++++++++++++++++++++++++++++++-- perm.json | 21 +++++++++++++++ 7 files changed, 148 insertions(+), 17 deletions(-) create mode 100644 config.json create mode 100644 internal/conf/config.go create mode 100644 perm.json diff --git a/config.json b/config.json new file mode 100644 index 0000000..041ea60 --- /dev/null +++ b/config.json @@ -0,0 +1,4 @@ +{ + "ListenAddress": "127.0.0.1:3128", + "ListenType": "tcp4" +} diff --git a/internal/conf/config.go b/internal/conf/config.go new file mode 100644 index 0000000..f29d153 --- /dev/null +++ b/internal/conf/config.go @@ -0,0 +1,7 @@ +package conf + +type Config struct { + ListenAddress string // Address to listen on, passed to net.Listen + ListenType string // Type of network to listen on, passed to net.Listen. One of tcp, tcp4 and tcp6 + +} diff --git a/internal/http/server.go b/internal/http/server.go index 1ad2989..6e8849c 100644 --- a/internal/http/server.go +++ b/internal/http/server.go @@ -10,6 +10,8 @@ import ( "net/http" "strings" "time" + + "edgaru089.ink/go/regolith/internal/perm" ) const ( @@ -22,6 +24,24 @@ var ( ) type Server struct { + Perm *perm.Perm +} + +// checkPerm invokes perm.Match. +// If s.perm is nil, then every request is Accept-ed. +// +// It also logs if the action is Deny. +func (s *Server) checkPerm(src, dest string) (act perm.Action) { + if s.Perm == nil { + return perm.ActionAccept + } + + src_host, _, _ := net.SplitHostPort(src) + act = s.Perm.Match(src_host, dest) + if act == perm.ActionDeny { + log.Printf("denied: [%s] -> [%s]", src, dest) + } + return } func (s *Server) Serve(listener net.Listener) (err error) { @@ -120,6 +140,12 @@ func (s *Server) handle_connect(conn net.Conn, req *http.Request) { } req_addr := net.JoinHostPort(req.URL.Hostname(), port) + // check permission + if s.checkPerm(conn.RemoteAddr().String(), req_addr) != perm.ActionAccept { + _ = simple_respond(conn, req, http.StatusBadGateway) + return + } + // prep for error log on close var close_err error defer func() { @@ -164,11 +190,22 @@ func (s *Server) handle_request(conn net.Conn, req *http.Request) (should_keepal remove_hop_headers(req.Header) remove_extra_host_port(req) - if req.URL.Scheme == "" || req.URL.Host == "" { + if req.URL.Scheme != "http" || req.URL.Host == "" { _ = simple_respond(conn, req, http.StatusBadRequest) return false } + // Check permission + req_hostname := req.URL.Hostname() + req_port := req.URL.Port() + if req_port == "" { + req_port = "80" + } + if s.checkPerm(conn.RemoteAddr().String(), net.JoinHostPort(req_hostname, req_port)) != perm.ActionAccept { + _ = simple_respond(conn, req, http.StatusBadGateway) + return false + } + // Request & error log var close_err error defer func() { diff --git a/internal/perm/config.go b/internal/perm/config.go index 59cc2b2..a3ab90b 100644 --- a/internal/perm/config.go +++ b/internal/perm/config.go @@ -27,6 +27,20 @@ func MostSevere(a, b Action) Action { return min(a, b) } +func (a Action) String() (name string) { + switch a { + case ActionDeny: + name = "deny" + case ActionIgnore: + name = "ignore" + case ActionAccept: + name = "accept" + default: + name = "<" + strconv.Itoa(int(a)) + ">" + } + return +} + // Marshal/Unmarshal for Action func (a *Action) UnmarshalText(text []byte) error { switch strings.ToLower(string(text)) { @@ -42,25 +56,14 @@ func (a *Action) UnmarshalText(text []byte) error { return nil } func (a Action) MarshalText() ([]byte, error) { - var name string - switch a { - case ActionDeny: - name = "deny" - case ActionIgnore: - name = "ignore" - case ActionAccept: - name = "accept" - default: - name = "<" + strconv.Itoa(int(a)) + ">" - } - return []byte(name), nil + return []byte(a.String()), nil } // Config is a list of address and actions, for each source address. // It can just be Marshal/Unmarshaled into/from json. type Config struct { DefaultAction Action // What we should do when no action is matched. - DefaultPort []uint // Port numbers to add to address without port numbers already in them. Don't put too many entries in here. + DefaultPort []int // Port numbers to add to address without port numbers already in them. Don't put too many entries in here. // Object which holds addresses and optionally ports, mapping to actions. // diff --git a/internal/perm/perm.go b/internal/perm/perm.go index b72ab4e..dccc174 100644 --- a/internal/perm/perm.go +++ b/internal/perm/perm.go @@ -1,6 +1,7 @@ package perm import ( + "log" "net" "strconv" "strings" @@ -50,9 +51,11 @@ func (p *Perm) Load(cs map[string]Config) { load_per_source := func(c Config) (p_int int_perm) { p_int.match = make(map[string]Action) p_int.def = c.DefaultAction + log.Printf("default action %s", p_int.def) // insert helper to use the most severe action existing insert := func(addrport string, action Action) { + log.Printf("loading target %s, action %s", addrport, action) existing_action, ok := p_int.match[addrport] if ok { p_int.match[addrport] = MostSevere(existing_action, action) @@ -69,7 +72,7 @@ func (p *Perm) Load(cs map[string]Config) { } else { // so this is why def_port shouldn't be that big // TODO change this to sth faster - for def_port := range c.DefaultPort { + for _, def_port := range c.DefaultPort { insert(net.JoinHostPort(addr, strconv.Itoa(def_port)), act) } } @@ -78,6 +81,7 @@ func (p *Perm) Load(cs map[string]Config) { } for src, c := range cs { + log.Printf("loading source %s", src) if strings.EqualFold(src, "$global") { p.global = load_per_source(c) } else { diff --git a/main.go b/main.go index b12fbcb..f778286 100644 --- a/main.go +++ b/main.go @@ -1,29 +1,84 @@ package main import ( + "encoding/json" "fmt" + "log" "net" "os" "os/signal" + "syscall" + "edgaru089.ink/go/regolith/internal/conf" "edgaru089.ink/go/regolith/internal/http" + "edgaru089.ink/go/regolith/internal/perm" ) func main() { + var s *http.Server - listener, err := net.Listen("tcp", ":3128") + { + perm_buf, err := os.ReadFile("perm.json") + if err != nil { + panic(err) + } + perm_json := make(map[string]perm.Config) + err = json.Unmarshal(perm_buf, &perm_json) + if err != nil { + panic(err) + } + s = &http.Server{ + Perm: perm.New(perm_json), + } + } + + var conf conf.Config + { + conf_buf, err := os.ReadFile("config.json") + if err != nil { + panic(err) + } + err = json.Unmarshal(conf_buf, &conf) + if err != nil { + panic(err) + } + } + + listener, err := net.Listen(conf.ListenType, conf.ListenAddress) if err != nil { panic(err) } + log.Printf("listeneing on [%s], type %s", conf.ListenAddress, conf.ListenType) sigint_chan := make(chan os.Signal, 1) signal.Notify(sigint_chan, os.Interrupt) go func() { <-sigint_chan + log.Printf("SIGINT received, quitting") listener.Close() }() - s := &http.Server{} + sighup_chan := make(chan os.Signal, 1) + signal.Notify(sighup_chan, syscall.SIGHUP) + go func() { + for { + <-sighup_chan + log.Printf("SIGHUP received, reloading permissions") + perm_buf, err := os.ReadFile("perm.json") + if err != nil { + log.Printf("skipping reload: error opening perm.json: %e", err) + continue + } + perm_json := make(map[string]perm.Config) + err = json.Unmarshal(perm_buf, &perm_json) + if err != nil { + log.Printf("skipping reload: error unmarshaling perm.json: %e", err) + continue + } + s.Perm.Load(perm_json) + } + }() + err = s.Serve(listener) if err != nil { fmt.Println(err) diff --git a/perm.json b/perm.json new file mode 100644 index 0000000..7a7b2ca --- /dev/null +++ b/perm.json @@ -0,0 +1,21 @@ +{ + "$global": { + "DefaultAction": "deny", + "DefaultPort": [443], + "Match": { + "mirrors.tuna.tsinghua.edu.cn": "accept", + "mirrors6.tuna.tsinghua.edu.cn": "accept", + + "incoming.telemetry.mozilla.org": "ignore" + } + }, + "127.0.0.1": { + "DefaultAction": "deny", + "DefaultPort": [443], + "Match": { + "pkg.go.dev": "accept", + "go.dev": "accept" + } + } +} +