Add support for the shared_secret field.

2023-08-07 23:37:42 +08:00 · 2023-08-07 23:37:42 +08:00 · 7ab3125daa
parent 4ee27b145a
commit 7ab3125daa
5 changed files with 31 additions and 7 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -368,7 +368,7 @@ checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"

 [[package]]
 name = "bird-looking-glass-proxy"
-version = "0.0.3"
+version = "0.0.4"
 dependencies = [
 "actix-web",
 "birdc",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "bird-looking-glass-proxy"
-version = "0.0.3"
+version = "0.0.4"
 edition = "2021"

 [dependencies]
--- a/config.toml
+++ b/config.toml
@ -1,9 +1,9 @@
 bind_ip = "0.0.0.0"
 bind_port = 8000

-# Used to restrict access to bird-looking-glass-proxy based on source IP address.
-# Empty list = any IP is allowed to run queries.
+# Empty = no access restriction.
 access_list = ["127.0.0.1"]
+shared_secret = ""

 # Used as source address when running traceroute
 ipv4_source="198.51.100.42"
--- a/src/auth.rs
+++ b/src/auth.rs
@ -53,11 +53,22 @@ where
        Box::pin(async move {
            let addr = req.peer_addr().unwrap();
            let access_list = &GLOBAL_CONFIG.access_list;
-            if access_list.contains(&addr.ip().to_string()) || access_list.is_empty() {
+            let shared_secret = &GLOBAL_CONFIG.shared_secret;
+            let provided_shared_secret = req
+                .headers()
+                .get("X-Shared-Secret")
+                .map(|header| header.to_str().unwrap_or_default())
+                .unwrap_or_default();
+            if (access_list.is_empty() && shared_secret.is_empty())
+                || access_list.contains(&addr.ip().to_string())
+                || shared_secret == provided_shared_secret
+                || (access_list.is_empty() && shared_secret == provided_shared_secret)
+                || (access_list.contains(&addr.ip().to_string()) && shared_secret.is_empty())
+            {
                Ok(svc.call(req).await?)
            } else {
                Err(error::ErrorUnauthorized(
-                    "Your remote address is not valid!",
+                    "You do not have permission to access.",
                ))
            }
        })
--- a/src/main.rs
+++ b/src/main.rs
@ -13,7 +13,20 @@ lazy_static! {
            .arg_from_usage("-e, --example 'Export sample config file'")
            .get_matches();
        if matches.is_present("example") {
-            println!("bind_ip = \"0.0.0.0\"\nbind_port = 8000\n\n# Used to restrict access to bird-looking-glass-proxy based on source IP address.\n# Empty list = any IP is allowed to run queries.\naccess_list = [\"127.0.0.1\"]\n\n# Used as source address when running traceroute\nipv4_source=\"198.51.100.42\"\nipv6_source=\"2001:db8:42::1\"\n\nbird_socket=\"/var/run/bird/bird.ctl\"\nbird6_socket=\"/var/run/bird/bird6.ctl\"");
+            println!("bind_ip = \"0.0.0.0\"
+bind_port = 8000
+            
+# Empty = no access restriction.
+access_list = [\"127.0.0.1\"]
+shared_secret = \"\"
+            
+# Used as source address when running traceroute
+ipv4_source=\"198.51.100.42\"
+ipv6_source=\"2001:db8:42::1\"
+            
+bird_socket=\"/var/run/bird/bird.ctl\"
+bird6_socket=\"/var/run/bird/bird6.ctl\"");
+            
            std::process::exit(0);
        }
        config::Config::new(matches.value_of("config").unwrap_or("config.toml"))