diff --git a/address_validator.go b/address_validator.go new file mode 100644 index 0000000..35749a2 --- /dev/null +++ b/address_validator.go @@ -0,0 +1,56 @@ +package water + +import ( + "errors" +) + +var ( + ErrAddressValidatorNotInitialized = errors.New("address validator not initialized properly") + ErrAddressValidationDenied = errors.New("address validation denied") +) + +type addressValidator struct { + catchAll bool + allowlist map[string][]string // map[address]networks + denylist map[string][]string // map[address]networks +} + +func (a *addressValidator) validate(network, address string) error { + if a.catchAll { + // only check denylist, otherwise allow + if a.denylist == nil { + return ErrAddressValidatorNotInitialized + } + + if deniedNetworks, ok := a.denylist[address]; ok { + if deniedNetworks == nil { + return ErrAddressValidatorNotInitialized + } + + for _, deniedNet := range deniedNetworks { + if deniedNet == network { + return ErrAddressValidationDenied + } + } + } + return nil + } else { + // only check allowlist, otherwise deny + if a.allowlist == nil { + return ErrAddressValidatorNotInitialized + } + + if allowedNetworks, ok := a.allowlist[address]; ok { + if allowedNetworks == nil { + return ErrAddressValidatorNotInitialized + } + + for _, allowedNet := range allowedNetworks { + if allowedNet == network { + return nil + } + } + } + return ErrAddressValidationDenied + } +} diff --git a/address_validator_test.go b/address_validator_test.go new file mode 100644 index 0000000..2ca04e0 --- /dev/null +++ b/address_validator_test.go 
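Review bot: `validate` matches both `network` and `address` by exact string equality against the map keys, so in catch_all (denylist) mode an entry such as `"127.0.0.1:80": ["tcp"]` does nothing against `localhost:80`, `[::1]:80`, `[::ffff:127.0.0.1]:80`, or the same address dialed over `tcp4`; a denylist keyed on literal strings is a weak control for a dialer that accepts hostnames. Either document this contract on the struct, e.g. `// Keys are compared byte-for-byte with the network/address strings handed to the dialer; no canonicalization or DNS resolution is performed, so catch_all denylists only block the exact spelling listed.`, or canonicalize before the lookup (net.SplitHostPort, netip.ParseAddr, unmap IPv4-in-IPv6) and make it explicit that hostnames cannot be canonicalized without resolving them. Unrelated to that, the `else` after the `return nil` in the catch_all branch can be dropped so the allowlist path reads as the fall-through; the logic is otherwise fail-closed (nil maps and nil entries both return a non-nil error), which is the right default.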
@@ -0,0 +1,75 @@ +package water + +// package water instead of water_test to access unexported struct addressValidator and its unexported fields/methods + +import "testing" + +func Test_addressValidator_validate(t *testing.T) { + var a addressValidator + + // test catchAll with nil denylist + a.catchAll = true + + if err := a.validate("random net", "random address"); err != ErrAddressValidatorNotInitialized { + t.Errorf("Expected ErrAddressValidatorNotInitialized, got %v", err) + } + + // test nil denylist entry + a.denylist = map[string][]string{ + "denied address": nil, + } + + if err := a.validate("random net", "denied address"); err != ErrAddressValidatorNotInitialized { + t.Errorf("Expected ErrAddressValidatorNotInitialized, got %v", err) + } + + // test denied address on denied network + a.denylist["denied address"] = []string{"denied net"} + + if err := a.validate("denied net", "denied address"); err != ErrAddressValidationDenied { + t.Errorf("Expected ErrAddressValidationDenied, got %v", err) + } + + // test random network with denied address + if err := a.validate("random net", "denied address"); err != nil { + t.Errorf("Expected nil, got %v", err) + } + + // test random address on denied network + if err := a.validate("denied net", "random address"); err != nil { + t.Errorf("Expected nil, got %v", err) + } + + // test not catchAll with nil allowlist + a.catchAll = false + + if err := a.validate("random net", "random address"); err != ErrAddressValidatorNotInitialized { + t.Errorf("Expected ErrAddressValidatorNotInitialized, got %v", err) + } + + // test nil allowlist entry + a.allowlist = map[string][]string{ + "allowed address": nil, + } + + if err := a.validate("random net", "allowed address"); err != ErrAddressValidatorNotInitialized { + t.Errorf("Expected ErrAddressValidatorNotInitialized, got %v", err) + } + + // test allowed address on allowed network + a.allowlist["allowed address"] = []string{"allowed net"} + + if err := a.validate("allowed net", 
"allowed address"); err != nil { + t.Errorf("Expected nil, got %v", err) + } + + // test random network with allowed address + if err := a.validate("random net", "allowed address"); err != ErrAddressValidationDenied { + t.Errorf("Expected ErrAddressValidationDenied, got %v", err) + } + + // test random address on allowed network + if err := a.validate("allowed net", "random address"); err != ErrAddressValidationDenied { + t.Errorf("Expected ErrAddressValidationDenied, got %v", err) + } +} diff --git a/config.go b/config.go index 31d569b..7afb657 100644 --- a/config.go +++ b/config.go @@ -204,6 +204,16 @@ func (c *Config) UnmarshalJSON(data []byte) error { } } + if c.DialedAddressValidator == nil { + a := &addressValidator{ + catchAll: confJson.Network.AddressValidation.CatchAll, + allowlist: confJson.Network.AddressValidation.Allowlist, + denylist: confJson.Network.AddressValidation.Denylist, + } + + c.DialedAddressValidator = a.validate + } + if len(confJson.Network.Listener.Network) > 0 && len(confJson.Network.Listener.Address) > 0 { c.NetworkListener, err = net.Listen(confJson.Network.Listener.Network, confJson.Network.Listener.Address) if err != nil { 
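Review bot: The test mutates one shared `addressValidator` step by step, so a failing assertion half-way through changes the meaning of every later case and the sentinel comparisons `err != ErrAddressValidatorNotInitialized` break if validate ever starts wrapping its errors; a table-driven form with `errors.Is(err, tc.want)` would keep each case independent. It also never covers the two contracts a reader of validate most wants pinned: that an allowlist entry is ignored entirely once `catchAll` is true (set both maps, expect the allowlisted address to be allowed by catch-all rather than by the allowlist), and that matching is exact (`"tcp4"` against an entry for `"tcp"` must not match). Adding those two rows would document the exact-match behaviour in the one place that will catch a later "helpful" normalization.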
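Review bot: This installs a validator even when the JSON carries no `address_validator` section at all: `CatchAll` is then false and `Allowlist` is nil, so every call to `c.DialedAddressValidator` returns `ErrAddressValidatorNotInitialized` and the error text blames initialization rather than a missing config key. That is fail-closed, which is defensible, but if a nil `DialedAddressValidator` previously meant "no restriction" (not visible in this hunk) every existing config silently loses the ability to dial; either guard the install on the section being present, or state the default in a comment, e.g. `// A missing address_validator section denies every dial (catch_all=false, empty allowlist); set catch_all to opt out.`, and consider a dedicated error so operators can tell "section omitted" from a genuinely malformed entry. The enclosing `UnmarshalJSON` continues outside the hunk.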
@@ -281,6 +291,31 @@ func (c *Config) UnmarshalProto(b []byte) error { c.TransportModuleConfig = TransportModuleConfigFromBytes(confProto.GetTransportModule().GetConfig()) } + // Parse DialedAddressValidator if not already set + if c.DialedAddressValidator == nil { + a := &addressValidator{ + catchAll: confProto.GetNetwork().GetAddressValidation().GetCatchAll(), + } + + allowlist := confProto.GetNetwork().GetAddressValidation().GetAllowlist() + if len(allowlist) > 0 { + a.allowlist = make(map[string][]string) + for k, v := range allowlist { + a.allowlist[k] = v.GetNames() + } + } + + denylist := confProto.GetNetwork().GetAddressValidation().GetDenylist() + if len(denylist) > 0 { + a.denylist = make(map[string][]string) + for k, v := range denylist { + a.denylist[k] = v.GetNames() + } + } + + c.DialedAddressValidator = a.validate + } + // Parse NetworkListener listenerNetwork, listenerAddress := confProto.GetNetwork().GetListener().GetNetwork(), confProto.GetNetwork().GetListener().GetAddress() if len(listenerNetwork) > 0 && len(listenerAddress) > 0 { diff --git a/configbuilder/config.json.go b/configbuilder/config.json.go index f38e9f7..377ee58 100644 --- a/configbuilder/config.json.go +++ b/configbuilder/config.json.go @@ -12,6 +12,11 @@ type ConfigJSON struct { Network struct { // DialerFunc string `json:"dialer_func,omitempty"` // we have no good way to represent a func in JSON format yet + AddressValidation struct { + CatchAll bool `json:"catch_all,omitempty"` // If set, will allow all unspecified addresses. Otherwise, unspecified addresses will be rejected. + Allowlist map[string][]string `json:"allowlist,omitempty"` // e.g. {"1.1.1.1:443": ["tcp", "udp"], "1.0.0.1:443": ["tcp"], ...} + Denylist map[string][]string `json:"denylist,omitempty"` // e.g. {"1.0.0.0:80": ["udp"], ...} + } `json:"address_validator,omitempty"` Listener struct { Network string `json:"network"` // e.g. "tcp" Address string `json:"address"` // e.g. "0.0.0.0:0" 
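Review bot: `v.GetNames()` returns a nil slice for an entry whose `NetworkNames` message carries no names (or whose value is nil), and `validate` treats a nil entry as `ErrAddressValidatorNotInitialized`, whereas the JSON path turns `"addr": []` into an empty non-nil slice that simply matches nothing; the two config formats therefore behave differently for the same "listed with no networks" entry. If the proto form is meant to be equivalent, normalize in both loops, `names := v.GetNames(); if names == nil { names = []string{} }; a.allowlist[k] = names` (same for denylist); if a nil entry is meant to be a configuration error, say so in a comment here and in the `.proto`. The same asymmetry applies to the maps themselves: an empty proto map leaves `a.allowlist` nil (initialization error) while an empty JSON object yields an empty map (plain denial). `UnmarshalProto` continues outside the hunk.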
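Review bot: The JSON key is `address_validator` while the Go field, the proto field and its JSON name are all `AddressValidation`/`address_validation`, so the same setting is spelled differently across the two config formats; renaming later will break deployed configs, so `json:"address_validation,omitempty"` is worth settling before this ships. The field comments should also state the matching rule the validator actually implements, since the examples (`"1.1.1.1:443": ["tcp", "udp"]`) suggest an IP:port semantics that does not exist: `// Keys and network names are compared verbatim with the strings passed to the dialer (no normalization, no DNS); "tcp" does not cover "tcp4", and a hostname is not matched by its IP.` The enclosing `ConfigJSON` struct continues outside the hunk.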
diff --git a/configbuilder/pb/config.pb.go b/configbuilder/pb/config.pb.go index 9ebcfd7..8a58dbb 100644 --- a/configbuilder/pb/config.pb.go +++ b/configbuilder/pb/config.pb.go @@ -151,7 +151,8 @@ type Network struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Listener *Listener `protobuf:"bytes,1,opt,name=listener,proto3" json:"listener,omitempty"` + Listener *Listener `protobuf:"bytes,1,opt,name=listener,proto3" json:"listener,omitempty"` + AddressValidation *AddressValidation `protobuf:"bytes,2,opt,name=address_validation,json=addressValidation,proto3" json:"address_validation,omitempty"` } func (x *Network) Reset() { @@ -193,6 +194,13 @@ func (x *Network) GetListener() *Listener { return nil } +func (x *Network) GetAddressValidation() *AddressValidation { + if x != nil { + return x.AddressValidation + } + return nil +} + type Listener struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -248,6 +256,116 @@ func (x *Listener) GetAddress() string { return "" } +type AddressValidation struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + CatchAll bool `protobuf:"varint,1,opt,name=catch_all,json=catchAll,proto3" json:"catch_all,omitempty"` + Allowlist map[string]*NetworkNames `protobuf:"bytes,2,rep,name=allowlist,proto3" json:"allowlist,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + Denylist map[string]*NetworkNames `protobuf:"bytes,3,rep,name=denylist,proto3" json:"denylist,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *AddressValidation) Reset() { + *x = AddressValidation{} + if protoimpl.UnsafeEnabled { + mi := &file_config_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *AddressValidation) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AddressValidation) ProtoMessage() {} + +func (x *AddressValidation) ProtoReflect() protoreflect.Message { + mi := &file_config_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AddressValidation.ProtoReflect.Descriptor instead. 
+func (*AddressValidation) Descriptor() ([]byte, []int) { + return file_config_proto_rawDescGZIP(), []int{4} +} + +func (x *AddressValidation) GetCatchAll() bool { + if x != nil { + return x.CatchAll + } + return false +} + +func (x *AddressValidation) GetAllowlist() map[string]*NetworkNames { + if x != nil { + return x.Allowlist + } + return nil +} + +func (x *AddressValidation) GetDenylist() map[string]*NetworkNames { + if x != nil { + return x.Denylist + } + return nil +} + +type NetworkNames struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Names []string `protobuf:"bytes,1,rep,name=names,proto3" json:"names,omitempty"` +} + +func (x *NetworkNames) Reset() { + *x = NetworkNames{} + if protoimpl.UnsafeEnabled { + mi := &file_config_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *NetworkNames) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*NetworkNames) ProtoMessage() {} + +func (x *NetworkNames) ProtoReflect() protoreflect.Message { + mi := &file_config_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use NetworkNames.ProtoReflect.Descriptor instead. +func (*NetworkNames) Descriptor() ([]byte, []int) { + return file_config_proto_rawDescGZIP(), []int{5} +} + +func (x *NetworkNames) GetNames() []string { + if x != nil { + return x.Names + } + return nil +} + type Module struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -264,7 +382,7 @@ type Module struct { func (x *Module) Reset() { *x = Module{} if protoimpl.UnsafeEnabled { - mi := &file_config_proto_msgTypes[4] + mi := &file_config_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -277,7 +395,7 @@ func (x *Module) String() string { func (*Module) ProtoMessage() {} func (x *Module) ProtoReflect() protoreflect.Message { - mi := &file_config_proto_msgTypes[4] + mi := &file_config_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -290,7 +408,7 @@ func (x *Module) ProtoReflect() protoreflect.Message { // Deprecated: Use Module.ProtoReflect.Descriptor instead. func (*Module) Descriptor() ([]byte, []int) { - return file_config_proto_rawDescGZIP(), []int{4} + return file_config_proto_rawDescGZIP(), []int{6} } func (x *Module) GetArgv() []string { @@ -347,7 +465,7 @@ type Runtime struct { func (x *Runtime) Reset() { *x = Runtime{} if protoimpl.UnsafeEnabled { - mi := &file_config_proto_msgTypes[5] + mi := &file_config_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -360,7 +478,7 @@ func (x *Runtime) String() string { func (*Runtime) ProtoMessage() {} func (x *Runtime) ProtoReflect() protoreflect.Message { - mi := &file_config_proto_msgTypes[5] + mi := &file_config_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -373,7 +491,7 @@ func (x *Runtime) ProtoReflect() protoreflect.Message { // Deprecated: Use Runtime.ProtoReflect.Descriptor instead. func (*Runtime) Descriptor() ([]byte, []int) { - return file_config_proto_rawDescGZIP(), []int{5} + return file_config_proto_rawDescGZIP(), []int{7} } func (x *Runtime) GetForceInterpreter() bool { 
@@ -410,49 +528,79 @@ var file_config_proto_rawDesc = []byte{ 0x0a, 0x0f, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x62, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x62, 0x69, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x36, 0x0a, 0x07, 0x4e, + 0x01, 0x28, 0x0c, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x7f, 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x2b, 0x0a, 0x08, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x52, 0x08, 0x6c, 0x69, 0x73, 0x74, 0x65, - 0x6e, 0x65, 0x72, 0x22, 0x3e, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12, - 0x18, 0x0a, 0x07, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x07, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, - 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, - 0x65, 0x73, 0x73, 0x22, 0xfc, 0x02, 0x0a, 0x06, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x12, 0x12, - 0x0a, 0x04, 0x61, 0x72, 0x67, 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, - 0x67, 0x76, 0x12, 0x28, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2e, 0x45, - 0x6e, 0x76, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x12, 0x23, 0x0a, 0x0d, - 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x73, 0x74, 0x64, 0x69, 0x6e, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x08, 0x52, 0x0c, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x53, 0x74, 0x64, 0x69, - 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x73, 
0x74, 0x64, - 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x69, 0x6e, 0x68, 0x65, 0x72, - 0x69, 0x74, 0x53, 0x74, 0x64, 0x6f, 0x75, 0x74, 0x12, 0x25, 0x0a, 0x0e, 0x69, 0x6e, 0x68, 0x65, - 0x72, 0x69, 0x74, 0x5f, 0x73, 0x74, 0x64, 0x65, 0x72, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x0d, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x53, 0x74, 0x64, 0x65, 0x72, 0x72, 0x12, - 0x47, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x6f, 0x70, 0x65, 0x6e, 0x65, 0x64, 0x5f, 0x64, 0x69, 0x72, - 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, - 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x65, 0x6f, 0x70, 0x65, 0x6e, 0x65, 0x64, - 0x44, 0x69, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x70, 0x72, 0x65, 0x6f, 0x70, - 0x65, 0x6e, 0x65, 0x64, 0x44, 0x69, 0x72, 0x73, 0x1a, 0x36, 0x0a, 0x08, 0x45, 0x6e, 0x76, 0x45, - 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x1a, 0x40, 0x0a, 0x12, 0x50, 0x72, 0x65, 0x6f, 0x70, 0x65, 0x6e, 0x65, 0x64, 0x44, 0x69, 0x72, - 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, + 0x6e, 0x65, 0x72, 0x12, 0x47, 0x0a, 0x12, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x5f, 0x76, + 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x18, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x56, + 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x61, 0x64, 0x64, 0x72, 0x65, + 0x73, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x3e, 0x0a, 0x08, + 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x6e, 0x65, 0x74, 0x77, + 0x6f, 0x72, 0x6b, 0x18, 
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6e, 0x65, 0x74, 0x77, 0x6f, + 0x72, 0x6b, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0xe0, 0x02, 0x0a, + 0x11, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x12, 0x1b, 0x0a, 0x09, 0x63, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x61, 0x6c, 0x6c, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x63, 0x61, 0x74, 0x63, 0x68, 0x41, 0x6c, 0x6c, 0x12, + 0x45, 0x0a, 0x09, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x6c, 0x69, 0x73, 0x74, 0x18, 0x02, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x41, 0x64, 0x64, 0x72, 0x65, + 0x73, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x41, 0x6c, 0x6c, + 0x6f, 0x77, 0x6c, 0x69, 0x73, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x09, 0x61, 0x6c, 0x6c, + 0x6f, 0x77, 0x6c, 0x69, 0x73, 0x74, 0x12, 0x42, 0x0a, 0x08, 0x64, 0x65, 0x6e, 0x79, 0x6c, 0x69, + 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, + 0x2e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x2e, 0x44, 0x65, 0x6e, 0x79, 0x6c, 0x69, 0x73, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x52, 0x08, 0x64, 0x65, 0x6e, 0x79, 0x6c, 0x69, 0x73, 0x74, 0x1a, 0x51, 0x0a, 0x0e, 0x41, 0x6c, + 0x6c, 0x6f, 0x77, 0x6c, 0x69, 0x73, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, + 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x29, + 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, + 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4e, 0x61, 0x6d, + 0x65, 0x73, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x50, 0x0a, + 0x0d, 0x44, 0x65, 0x6e, 0x79, 0x6c, 0x69, 0x73, 0x74, 0x45, 
0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x29, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x13, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4e, + 0x61, 0x6d, 0x65, 0x73, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, + 0x24, 0x0a, 0x0c, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, + 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0xfc, 0x02, 0x0a, 0x06, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, + 0x12, 0x12, 0x0a, 0x04, 0x61, 0x72, 0x67, 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, + 0x61, 0x72, 0x67, 0x76, 0x12, 0x28, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x02, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x16, 0x2e, 0x77, 0x61, 0x74, 0x65, 0x72, 0x2e, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, + 0x2e, 0x45, 0x6e, 0x76, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x12, 0x23, + 0x0a, 0x0d, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x73, 0x74, 0x64, 0x69, 0x6e, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x53, 0x74, + 0x64, 0x69, 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x73, + 0x74, 0x64, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x69, 0x6e, 0x68, + 0x65, 0x72, 0x69, 0x74, 0x53, 0x74, 0x64, 0x6f, 0x75, 0x74, 0x12, 0x25, 0x0a, 0x0e, 0x69, 0x6e, + 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x73, 0x74, 0x64, 0x65, 0x72, 0x72, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x0d, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x53, 0x74, 0x64, 0x65, 0x72, + 0x72, 0x12, 0x47, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x6f, 0x70, 0x65, 0x6e, 0x65, 0x64, 0x5f, 0x64, + 0x69, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x77, 0x61, 0x74, 0x65, + 
0x72, 0x2e, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x65, 0x6f, 0x70, 0x65, 0x6e, + 0x65, 0x64, 0x44, 0x69, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x70, 0x72, 0x65, + 0x6f, 0x70, 0x65, 0x6e, 0x65, 0x64, 0x44, 0x69, 0x72, 0x73, 0x1a, 0x36, 0x0a, 0x08, 0x45, 0x6e, + 0x76, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, - 0x38, 0x01, 0x22, 0x75, 0x0a, 0x07, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x2b, 0x0a, - 0x11, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, - 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x49, - 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x72, 0x12, 0x3d, 0x0a, 0x1c, 0x64, 0x6f, - 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x5f, 0x6f, 0x6e, 0x5f, 0x63, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x5f, 0x64, 0x6f, 0x6e, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x17, 0x64, 0x6f, 0x4e, 0x6f, 0x74, 0x43, 0x6c, 0x6f, 0x73, 0x65, 0x4f, 0x6e, 0x43, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x44, 0x6f, 0x6e, 0x65, 0x42, 0x2a, 0x5a, 0x28, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x61, 0x75, 0x6b, 0x61, 0x73, 0x2f, 0x77, - 0x61, 0x74, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x62, 0x75, 0x69, 0x6c, 0x64, - 0x65, 0x72, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x38, 0x01, 0x1a, 0x40, 0x0a, 0x12, 0x50, 0x72, 0x65, 0x6f, 0x70, 0x65, 0x6e, 0x65, 0x64, 0x44, + 0x69, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x3a, 0x02, 0x38, 0x01, 0x22, 0x75, 0x0a, 0x07, 0x52, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x12, + 0x2b, 0x0a, 0x11, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, + 0x65, 0x74, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x66, 0x6f, 0x72, 0x63, + 0x65, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x72, 0x12, 0x3d, 0x0a, 0x1c, + 0x64, 0x6f, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x63, 0x6c, 0x6f, 0x73, 0x65, 0x5f, 0x6f, 0x6e, 0x5f, + 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x5f, 0x64, 0x6f, 0x6e, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x17, 0x64, 0x6f, 0x4e, 0x6f, 0x74, 0x43, 0x6c, 0x6f, 0x73, 0x65, 0x4f, 0x6e, + 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x44, 0x6f, 0x6e, 0x65, 0x42, 0x39, 0x5a, 0x37, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x66, 0x72, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, + 0x77, 0x61, 0x74, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x62, 0x75, 0x69, 0x6c, + 0x64, 0x65, 0x72, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -467,30 +615,39 @@ func file_config_proto_rawDescGZIP() []byte { return file_config_proto_rawDescData } -var file_config_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_config_proto_msgTypes = make([]protoimpl.MessageInfo, 12) var file_config_proto_goTypes = []interface{}{ - (*Config)(nil), // 0: water.Config - (*TransportModule)(nil), // 1: water.TransportModule - (*Network)(nil), // 2: water.Network - (*Listener)(nil), // 3: water.Listener - (*Module)(nil), // 4: water.Module - (*Runtime)(nil), // 5: water.Runtime - nil, // 6: water.Module.EnvEntry - nil, // 7: water.Module.PreopenedDirsEntry + (*Config)(nil), // 0: water.Config + (*TransportModule)(nil), // 1: water.TransportModule + (*Network)(nil), // 2: water.Network + (*Listener)(nil), // 3: water.Listener + (*AddressValidation)(nil), // 4: water.AddressValidation + (*NetworkNames)(nil), // 5: water.NetworkNames + (*Module)(nil), // 6: water.Module + (*Runtime)(nil), // 7: water.Runtime + nil, // 8: water.AddressValidation.AllowlistEntry + nil, // 9: water.AddressValidation.DenylistEntry + nil, // 10: water.Module.EnvEntry + nil, // 11: water.Module.PreopenedDirsEntry } var file_config_proto_depIdxs = []int32{ - 1, // 0: water.Config.transport_module:type_name -> water.TransportModule - 2, // 1: water.Config.network:type_name -> water.Network - 4, // 2: water.Config.module:type_name -> water.Module - 5, // 3: water.Config.runtime:type_name -> water.Runtime - 3, // 4: water.Network.listener:type_name -> water.Listener - 6, // 5: water.Module.env:type_name -> water.Module.EnvEntry - 7, // 6: water.Module.preopened_dirs:type_name -> water.Module.PreopenedDirsEntry - 7, // [7:7] is the sub-list for method output_type - 7, // [7:7] is the sub-list for method input_type - 7, // [7:7] is the sub-list for extension type_name - 7, // [7:7] is the sub-list for extension extendee - 0, // [0:7] is the sub-list for field type_name + 1, // 0: water.Config.transport_module:type_name -> water.TransportModule 
+ 2, // 1: water.Config.network:type_name -> water.Network + 6, // 2: water.Config.module:type_name -> water.Module + 7, // 3: water.Config.runtime:type_name -> water.Runtime + 3, // 4: water.Network.listener:type_name -> water.Listener + 4, // 5: water.Network.address_validation:type_name -> water.AddressValidation + 8, // 6: water.AddressValidation.allowlist:type_name -> water.AddressValidation.AllowlistEntry + 9, // 7: water.AddressValidation.denylist:type_name -> water.AddressValidation.DenylistEntry + 10, // 8: water.Module.env:type_name -> water.Module.EnvEntry + 11, // 9: water.Module.preopened_dirs:type_name -> water.Module.PreopenedDirsEntry + 5, // 10: water.AddressValidation.AllowlistEntry.value:type_name -> water.NetworkNames + 5, // 11: water.AddressValidation.DenylistEntry.value:type_name -> water.NetworkNames + 12, // [12:12] is the sub-list for method output_type + 12, // [12:12] is the sub-list for method input_type + 12, // [12:12] is the sub-list for extension type_name + 12, // [12:12] is the sub-list for extension extendee + 0, // [0:12] is the sub-list for field type_name } func init() { file_config_proto_init() } @@ -548,7 +705,7 @@ func file_config_proto_init() { } } file_config_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Module); i { + switch v := v.(*AddressValidation); i { case 0: return &v.state case 1: 
@@ -560,6 +717,30 @@ func file_config_proto_init() { } } file_config_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*NetworkNames); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_config_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Module); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_config_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Runtime); i { case 0: return &v.state @@ -578,7 +759,7 @@ func file_config_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_config_proto_rawDesc, NumEnums: 0, - NumMessages: 8, + NumMessages: 12, NumExtensions: 0, NumServices: 0, }, diff --git a/configbuilder/pb/config.proto b/configbuilder/pb/config.proto index 3bbb6f7..4f76d75 100644 --- a/configbuilder/pb/config.proto +++ b/configbuilder/pb/config.proto @@ -18,6 +18,7 @@ message TransportModule { message Network { Listener listener = 1; + AddressValidation address_validation = 2; } message Listener { @@ -25,6 +26,16 @@ message Listener { string address = 2; // ip:port } +message AddressValidation { + bool catch_all = 1; + map allowlist = 2; + map denylist = 3; +} + +message NetworkNames { + repeated string names = 1; +} + message Module { repeated string argv = 1; // warning: this is not a recommended way to pass configuration parameters to the module, use transport_module.config instead. map env = 2; // warning: this is not a recommended way to pass configuration parameters to the module, use transport_module.config instead.
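Review bot: `AddressValidation` and `NetworkNames` are added without any field comments, while the sibling `Listener` and `Module` fields document their expected values; the semantics of `catch_all` (allowlist is ignored and only `denylist` is consulted when true; when false only `allowlist` is consulted) and the fact that map keys are matched verbatim against the dialed address live only in the Go code. Mirror the JSON-side comments here, e.g. `bool catch_all = 1; // true: allow everything not in denylist; false: deny everything not in allowlist` and `map<string, NetworkNames> allowlist = 2; // key is the exact dialed address, e.g. "1.1.1.1:443"; names are the exact network strings, e.g. "tcp"`. The map key/value types do not survive this rendering of the hunk (the generated `config.pb.go` shows `map[string]*NetworkNames`), so confirm the `.proto` text itself is intact.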