
Plumb IP allow list all the way to the front door #5730

Merged
merged 4 commits into from May 13, 2024

Conversation

bnaecker
Collaborator

@bnaecker bnaecker commented May 9, 2024

- Fixes #5728
- Store the uploaded allowlist in the `wicketd` server context
- Spit the allowlist out in the TOML document we get back from the
  `wicket` CLI `setup get-config` subcommand
@bnaecker
Collaborator Author

bnaecker commented May 9, 2024

See the corresponding issue for details. I missed a few places we needed to actually store the allow-list on upload to wicketd, and the part that serializes it to a TOML document for the wicket CLI. I showed in the issue that the wicket TUI now includes the list, and we can also see here that it's included in the TOML that we get back from the CLI:

bnaecker@shale : ~/omicron $ rg -A 10 allowed_source wicket/tests/output/example_non_empty.toml
54:[allowed_source_ips]
55-# Any external IPs to make requests. This is the default.
56-#allow = "any"
57-
58-# Use the below two lines to only allow requests from the specified IP subnets.
59-# Requests from any other source IPs are refused. Note that individual addresses
60-# must include the netmask, e.g., `1.2.3.4/32`.
61-allow = "list"
62-ips = [ "1.2.3.4/5", "5.6.7.8/10" ]
63-
64-# TODO: docs on network config
bnaecker@shale : ~/omicron $ SSH_ORIGINAL_COMMAND="setup set-config" cargo run -p wicket < wicket/tests/output/example_non_empty.toml
    Finished dev [unoptimized + debuginfo] target(s) in 0.90s
     Running `target/debug/wicket`
May 09 23:13:42.128 INFO reading config from stdin..., file: wicket/src/cli/rack_setup.rs:110
May 09 23:13:42.129 INFO parsing config..., file: wicket/src/cli/rack_setup.rs:115
May 09 23:13:42.131 INFO uploading config to wicketd..., file: wicket/src/cli/rack_setup.rs:120
May 09 23:13:42.133 INFO config upload complete, file: wicket/src/cli/rack_setup.rs:126
bnaecker@shale : ~/omicron $ SSH_ORIGINAL_COMMAND="setup get-config" cargo run -p wicket | rg -A 10 allowed_source
    Finished dev [unoptimized + debuginfo] target(s) in 0.72s
     Running `target/debug/wicket`
[allowed_source_ips]
allow = "list"
ips = ["1.2.3.4/5", "5.6.7.8/10"]

# Use the below two lines to only allow requests from the specified IP subnets.
# Requests from any other source IPs are refused. Note that individual addresses
# must include the netmask, e.g., `1.2.3.4/32`.
# allow = "list"
# ips = [ "1.2.3.4/5", "5.6.7.8/10" ]

# TODO: docs on network config
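As an added illustration (not code from omicron, wicket or this PR), a small Python validator for the `[allowed_source_ips]` section shown above: it enforces the rule from the TOML comments that every entry must carry a netmask, and evaluates a source address against the resulting list. The function and error names are my own, and it assumes Python 3.11+ for `tomllib`.

```python
import ipaddress

try:
    import tomllib  # stdlib since Python 3.11
except ImportError:  # assumption: older interpreters have the tomli backport
    import tomli as tomllib  # type: ignore

# Constructed sample mirroring the section wicket prints for `setup get-config`.
SAMPLE_TOML = """
[allowed_source_ips]
allow = "list"
ips = [ "1.2.3.4/5", "5.6.7.8/10" ]
"""


class AllowlistError(ValueError):
    """Raised when the [allowed_source_ips] section is malformed (hypothetical name)."""


def parse_allowlist(doc: str):
    """Return None for allow = "any", or a list of ip_network objects for allow = "list"."""
    section = tomllib.loads(doc).get("allowed_source_ips")
    if section is None:
        raise AllowlistError("missing [allowed_source_ips] section")
    mode = section.get("allow")
    if mode == "any":
        if "ips" in section:
            raise AllowlistError('"ips" is set but allow = "any" would ignore it')
        return None
    if mode != "list":
        raise AllowlistError(f'allow must be "any" or "list", got {mode!r}')
    ips = section.get("ips")
    if not isinstance(ips, list):
        raise AllowlistError('allow = "list" requires an "ips" array')
    nets = []
    for entry in ips:
        # Individual addresses must include the netmask (e.g. 1.2.3.4/32, or /128 for IPv6).
        if not isinstance(entry, str) or "/" not in entry:
            raise AllowlistError(f"{entry!r} lacks a netmask; a single host needs /32 or /128")
        # strict=False accepts host bits set in the prefix, as in the sample's "1.2.3.4/5".
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def source_allowed(nets, src: str) -> bool:
    """True if `src` may make requests under the parsed allowlist (None means any)."""
    if nets is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)
```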

Contributor

@sunshowers sunshowers left a comment

Looks great, thanks!

wicket/tests/output/example_non_empty.toml (review thread, resolved)
@bnaecker bnaecker enabled auto-merge (squash) May 13, 2024 19:26
@bnaecker bnaecker merged commit c1374bf into main May 13, 2024
20 checks passed
@bnaecker bnaecker deleted the dude-wheres-my-allowlist branch May 13, 2024 21:43
Development

Successfully merging this pull request may close these issues.

Source IP allowlist is not making it from RSS config file to Wicket UI
2 participants