refactor to modules/hostmatcher

Author: wxiaoguang

modules/hostmatcher/hostmatcher.go

@@ -0,0 +1,92 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package hostmatcher
+
+import (
+	"net"
+	"path/filepath"
+	"strings"
+
+	"code.gitea.io/gitea/modules/util"
+)
+
+// HostMatchList is used to check if a host or ip is in a list
+type HostMatchList struct {
+	hosts []string
+	ipNets []*net.IPNet
+}
+
+// MatchBuiltinAll all hosts are matched
+const MatchBuiltinAll = "all"
+
+// MatchBuiltinExternal A valid non-private unicast IP, all hosts on public internet are matched
+const MatchBuiltinExternal = "external"
+
+// MatchBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
+const MatchBuiltinPrivate = "private"
+
+// MatchBuiltinLoopback 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
+const MatchBuiltinLoopback = "loopback"
+
+// ParseHostMatchList parses the host list HostMatchList
+func ParseHostMatchList(hostList string) *HostMatchList {
+	hl := &HostMatchList{}
+	for _, s := range strings.Split(hostList, ",") {
+		s = strings.TrimSpace(s)
+		if s == "" {
+			continue
+		}
+		_, ipNet, err := net.ParseCIDR(s)
+		if err == nil {
+			hl.ipNets = append(hl.ipNets, ipNet)
+		} else {
+			hl.hosts = append(hl.hosts, s)
+		}
+	}
+	return hl
+}
+
+// MatchesHostOrIP checks if the host or IP matches an allow/deny(block) list
+func (hl *HostMatchList) MatchesHostOrIP(host string, ip net.IP) bool {
+	var matched bool
+	ipStr := ip.String()
+loop:
+	for _, hostInList := range hl.hosts {
+		switch hostInList {
+		case "":
+			continue
+		case MatchBuiltinAll:
+			matched = true
+			break loop
+		case MatchBuiltinExternal:
+			if matched = ip.IsGlobalUnicast() && !util.IsIPPrivate(ip); matched {
+				break loop
+			}
+		case MatchBuiltinPrivate:
+			if matched = util.IsIPPrivate(ip); matched {
+				break loop
+			}
+		case MatchBuiltinLoopback:
+			if matched = ip.IsLoopback(); matched {
+				break loop
+			}
+		default:
+			if matched, _ = filepath.Match(hostInList, host); matched {
+				break loop
+			}
+			if matched, _ = filepath.Match(hostInList, ipStr); matched {
+				break loop
+			}
+		}
+	}
+	if !matched {
+		for _, ipNet := range hl.ipNets {
+			if matched = ipNet.Contains(ip); matched {
+				break
+			}
+		}
+	}
+	return matched
+}

modules/util/net_test.go renamed to modules/hostmatcher/hostmatcher_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
-package util
+package hostmatcher
 
 import (
 	"net"
@@ -20,7 +20,7 @@ func TestHostOrIPMatchesList(t *testing.T) {
 
 	// for IPv6: "::1" is loopback, "fd00::/8" is private
 
-	ah, an := ParseHostMatchList("private, external, *.mydomain.com, 169.254.1.0/24")
+	hl := ParseHostMatchList("private, external, *.mydomain.com, 169.254.1.0/24")
 	cases := []tc{
 		{"", net.IPv4zero, false},
 		{"", net.IPv6zero, false},
@@ -42,10 +42,10 @@ func TestHostOrIPMatchesList(t *testing.T) {
 		{"", net.ParseIP("169.254.2.2"), false},
 	}
 	for _, c := range cases {
-		assert.Equalf(t, c.expected, HostOrIPMatchesList(c.host, c.ip, ah, an), "case %s(%v)", c.host, c.ip)
+		assert.Equalf(t, c.expected, hl.MatchesHostOrIP(c.host, c.ip), "case %s(%v)", c.host, c.ip)
 	}
 
-	ah, an = ParseHostMatchList("loopback")
+	hl = ParseHostMatchList("loopback")
 	cases = []tc{
 		{"", net.IPv4zero, false},
 		{"", net.ParseIP("127.0.0.1"), true},
@@ -60,10 +60,10 @@ func TestHostOrIPMatchesList(t *testing.T) {
 		{"mydomain.com", net.IPv4zero, false},
 	}
 	for _, c := range cases {
-		assert.Equalf(t, c.expected, HostOrIPMatchesList(c.host, c.ip, ah, an), "case %s(%v)", c.host, c.ip)
+		assert.Equalf(t, c.expected, hl.MatchesHostOrIP(c.host, c.ip), "case %s(%v)", c.host, c.ip)
 	}
 
-	ah, an = ParseHostMatchList("private")
+	hl = ParseHostMatchList("private")
 	cases = []tc{
 		{"", net.IPv4zero, false},
 		{"", net.ParseIP("127.0.0.1"), false},
@@ -78,10 +78,10 @@ func TestHostOrIPMatchesList(t *testing.T) {
 		{"mydomain.com", net.IPv4zero, false},
 	}
 	for _, c := range cases {
-		assert.Equalf(t, c.expected, HostOrIPMatchesList(c.host, c.ip, ah, an), "case %s(%v)", c.host, c.ip)
+		assert.Equalf(t, c.expected, hl.MatchesHostOrIP(c.host, c.ip), "case %s(%v)", c.host, c.ip)
 	}
 
-	ah, an = ParseHostMatchList("external")
+	hl = ParseHostMatchList("external")
 	cases = []tc{
 		{"", net.IPv4zero, false},
 		{"", net.ParseIP("127.0.0.1"), false},
@@ -96,10 +96,10 @@ func TestHostOrIPMatchesList(t *testing.T) {
 		{"mydomain.com", net.IPv4zero, false},
 	}
 	for _, c := range cases {
-		assert.Equalf(t, c.expected, HostOrIPMatchesList(c.host, c.ip, ah, an), "case %s(%v)", c.host, c.ip)
+		assert.Equalf(t, c.expected, hl.MatchesHostOrIP(c.host, c.ip), "case %s(%v)", c.host, c.ip)
 	}
 
-	ah, an = ParseHostMatchList("all")
+	hl = ParseHostMatchList("all")
 	cases = []tc{
 		{"", net.IPv4zero, true},
 		{"", net.ParseIP("127.0.0.1"), true},
@@ -114,6 +114,6 @@ func TestHostOrIPMatchesList(t *testing.T) {
 		{"mydomain.com", net.IPv4zero, true},
 	}
 	for _, c := range cases {
-		assert.Equalf(t, c.expected, HostOrIPMatchesList(c.host, c.ip, ah, an), "case %s(%v)", c.host, c.ip)
+		assert.Equalf(t, c.expected, hl.MatchesHostOrIP(c.host, c.ip), "case %s(%v)", c.host, c.ip)
 	}
 }

modules/setting/webhook.go

@@ -5,11 +5,10 @@
 package setting
 
 import (
-	"net"
 	"net/url"
 
+	"code.gitea.io/gitea/modules/hostmatcher"
 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/util"
 )
 
 var (
@@ -18,8 +17,7 @@ var (
 		QueueLength       int
 		DeliverTimeout    int
 		SkipTLSVerify     bool
-		AllowedHostList   []string
-		AllowedHostIPNets []*net.IPNet
+		AllowedHostList   *hostmatcher.HostMatchList
 		Types             []string
 		PagingNum         int
 		ProxyURL          string
@@ -40,7 +38,7 @@ func newWebhookService() {
 	Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
 	Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
 	Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
-	Webhook.AllowedHostList, Webhook.AllowedHostIPNets = util.ParseHostMatchList(sec.Key("ALLOWED_HOST_LIST").MustString(util.HostListBuiltinExternal))
+	Webhook.AllowedHostList = hostmatcher.ParseHostMatchList(sec.Key("ALLOWED_HOST_LIST").MustString(hostmatcher.MatchBuiltinExternal))
 	Webhook.Types = []string{"gitea", "gogs", "slack", "discord", "dingtalk", "telegram", "msteams", "feishu", "matrix", "wechatwork"}
 	Webhook.PagingNum = sec.Key("PAGING_NUM").MustInt(10)
 	Webhook.ProxyURL = sec.Key("PROXY_URL").MustString("")

modules/util/net.go

@@ -6,22 +6,8 @@ package util
 
 import (
 	"net"
-	"path/filepath"
-	"strings"
 )
 
-// HostListBuiltinAll all hosts are matched
-const HostListBuiltinAll = "all"
-
-// HostListBuiltinExternal A valid non-private unicast IP, all hosts on public internet are matched
-const HostListBuiltinExternal = "external"
-
-// HostListBuiltinPrivate RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
-const HostListBuiltinPrivate = "private"
-
-// HostListBuiltinLoopback 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
-const HostListBuiltinLoopback = "loopback"
-
 // IsIPPrivate for net.IP.IsPrivate. TODO: replace with `ip.IsPrivate()` if min go version is bumped to 1.17
 func IsIPPrivate(ip net.IP) bool {
 	if ip4 := ip.To4(); ip4 != nil {
@@ -31,63 +17,3 @@ func IsIPPrivate(ip net.IP) bool {
 	}
 	return len(ip) == net.IPv6len && ip[0]&0xfe == 0xfc
 }
-
-// ParseHostMatchList parses the host list for HostOrIPMatchesList
-func ParseHostMatchList(hostListStr string) (hostList []string, ipNets []*net.IPNet) {
-	for _, s := range strings.Split(hostListStr, ",") {
-		s = strings.TrimSpace(s)
-		if s == "" {
-			continue
-		}
-		_, ipNet, err := net.ParseCIDR(s)
-		if err == nil {
-			ipNets = append(ipNets, ipNet)
-		} else {
-			hostList = append(hostList, s)
-		}
-	}
-	return
-}
-
-// HostOrIPMatchesList checks if the host or IP matches an allow/deny(block) list
-func HostOrIPMatchesList(host string, ip net.IP, hostList []string, ipNets []*net.IPNet) bool {
-	var matched bool
-	ipStr := ip.String()
-loop:
-	for _, hostInList := range hostList {
-		switch hostInList {
-		case "":
-			continue
-		case HostListBuiltinAll:
-			matched = true
-			break loop
-		case HostListBuiltinExternal:
-			if matched = ip.IsGlobalUnicast() && !IsIPPrivate(ip); matched {
-				break loop
-			}
-		case HostListBuiltinPrivate:
-			if matched = IsIPPrivate(ip); matched {
-				break loop
-			}
-		case HostListBuiltinLoopback:
-			if matched = ip.IsLoopback(); matched {
-				break loop
-			}
-		default:
-			if matched, _ = filepath.Match(hostInList, host); matched {
-				break loop
-			}
-			if matched, _ = filepath.Match(hostInList, ipStr); matched {
-				break loop
-			}
-		}
-	}
-	if !matched {
-		for _, ipNet := range ipNets {
-			if matched = ipNet.Contains(ip); matched {
-				break
-			}
-		}
-	}
-	return matched
-}

services/webhook/deliver.go

@@ -27,8 +27,6 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/proxy"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
-
 	"github.com/gobwas/glob"
 )
 
@@ -312,7 +310,7 @@ func InitDeliverHooks() {
 						if err != nil {
 							return fmt.Errorf("webhook can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%v", req.Host, network, ipAddr, err)
 						}
-						if !util.HostOrIPMatchesList(req.Host, tcpAddr.IP, setting.Webhook.AllowedHostList, setting.Webhook.AllowedHostIPNets) {
+						if !setting.Webhook.AllowedHostList.MatchesHostOrIP(req.Host, tcpAddr.IP) {
 							return fmt.Errorf("webhook can only call allowed HTTP servers (check your webhook.ALLOWED_HOST_LIST setting), deny '%s(%s)'", req.Host, ipAddr)
 						}
 						return nil