Add a fully working IP and CIDR extraction mechanism, Update README.md and demo folder

Author: esidate

.gitignore

@@ -0,0 +1 @@
+.vscode

README.md

@@ -18,9 +18,14 @@ luarocks pack lua-resty-whitelist-*.rockspec
 
 ```sh
 cd demo
-docker-compose up # visit openresty at localhost:80
-# Run a local server to serve the IP lists to simulate a dynamic IP whitelist
+docker-compose up
+# Visit openresty at localhost:80, You should get a 503 error as the whitelist endpoint is not up yet
+
+# Run a local mockup server to serve the dynamic IP whitelist
 # Depending on the configuration, the server is genereally accessible inside the openrest docker container at 172.18.0.1
 python -m http.server 9001
-# Edit the IP list files to experiment with the configuration
+# Now visiting openresty at localhost:80 should return a 403 error as the IP is not whitelisted
+
+# Add to and remove from the mockup server your client IP address or a CIDR that matches it such as 172.19.0.1/16 to test the configuration
+# If your client IP is whitelisted, you should get the "Welcome to OpenResty!" page
 ```

demo/default.conf

@@ -10,8 +10,11 @@ server {
         lua_code_cache on;
         access_by_lua_block {
             local whitelist = require "resty.whitelist"
-            local url = "http://172.18.0.1:9001/list-cloudfront-ips.json"
-            whitelist.new(url)
+
+            local whitelist_urls = {
+                "http://172.18.0.1:9001/list-cloudfront-ips.json", "http://172.18.0.1:9001/list-cloudflare-ips.txt"
+            }
+            local whitelist = whitelist.new(whitelist_urls)
         }
     }
 }

demo/list-cloudflare-ips.txt

@@ -1,15 +1,4 @@
 173.245.48.0/20
-103.21.244.0/22
-103.22.200.0/22
-103.31.4.0/22
-141.101.64.0/18
-108.162.192.0/18
-190.93.240.0/20
-188.114.96.0/20
-197.234.240.0/22
-198.41.128.0/17
-162.158.0.0/15
-104.16.0.0/13
 104.24.0.0/14
 172.64.0.0/13
 131.0.72.0/22

demo/list-cloudfront-ips.json

@@ -1,138 +1,12 @@
 {
-  "CLOUDFRONT_GLOBAL_IP_LIST": [
-    "120.52.22.96/27",
-    "205.251.249.0/24",
-    "180.163.57.128/26",
-    "204.246.168.0/22",
-    "18.160.0.0/15",
-    "205.251.252.0/23",
-    "54.192.0.0/16",
-    "204.246.173.0/24",
-    "54.230.200.0/21",
-    "120.253.240.192/26",
-    "116.129.226.128/26",
-    "130.176.0.0/17",
-    "108.156.0.0/14",
-    "99.86.0.0/16",
-    "205.251.200.0/21",
-    "223.71.71.128/25",
-    "13.32.0.0/15",
-    "120.253.245.128/26",
-    "13.224.0.0/14",
-    "70.132.0.0/18",
-    "15.158.0.0/16",
-    "13.249.0.0/16",
-    "18.238.0.0/15",
-    "18.244.0.0/15",
-    "205.251.208.0/20",
-    "65.9.128.0/18",
-    "130.176.128.0/18",
-    "58.254.138.0/25",
-    "54.230.208.0/20",
-    "116.129.226.0/25",
-    "52.222.128.0/17",
-    "18.164.0.0/15",
-    "64.252.128.0/18",
-    "205.251.254.0/24",
-    "54.230.224.0/19",
-    "71.152.0.0/17",
-    "216.137.32.0/19",
-    "204.246.172.0/24",
-    "18.172.0.0/15",
-    "120.52.39.128/27",
-    "118.193.97.64/26",
-    "223.71.71.96/27",
-    "18.154.0.0/15",
-    "54.240.128.0/18",
-    "205.251.250.0/23",
-    "180.163.57.0/25",
-    "52.46.0.0/18",
-    "223.71.11.0/27",
-    "52.82.128.0/19",
-    "54.230.0.0/17",
-    "54.230.128.0/18",
-    "54.239.128.0/18",
-    "130.176.224.0/20",
-    "36.103.232.128/26",
-    "52.84.0.0/15",
-    "143.204.0.0/16",
-    "144.220.0.0/16",
-    "120.52.153.192/26",
-    "119.147.182.0/25",
-    "120.232.236.0/25",
-    "54.182.0.0/16",
-    "58.254.138.128/26",
-    "120.253.245.192/27",
-    "54.239.192.0/19",
-    "18.68.0.0/16",
-    "18.64.0.0/14",
-    "120.52.12.64/26",
-    "99.84.0.0/16",
-    "130.176.192.0/19",
-    "52.124.128.0/17",
-    "204.246.164.0/22",
-    "13.35.0.0/16",
-    "204.246.174.0/23",
-    "36.103.232.0/25",
-    "119.147.182.128/26",
-    "118.193.97.128/25",
-    "120.232.236.128/26",
-    "204.246.176.0/20",
-    "65.8.0.0/16",
-    "65.9.0.0/17",
-    "108.138.0.0/15",
-    "120.253.241.160/27",
-    "64.252.64.0/18"
-  ],
+  "CLOUDFRONT_GLOBAL_IP_LIST": ["120.52.22.96/27", "64.252.64.0/18"],
   "CLOUDFRONT_REGIONAL_EDGE_IP_LIST": [
     "13.113.196.64/26",
+    "172.19.0.1/16",
     "13.113.203.0/24",
+    "52.199.0.10",
     "52.199.127.192/26",
     "13.124.199.0/24",
-    "3.35.130.128/25",
-    "52.78.247.128/26",
-    "13.233.177.192/26",
-    "15.207.13.128/25",
-    "15.207.213.128/25",
-    "52.66.194.128/26",
-    "13.228.69.0/24",
-    "52.220.191.0/26",
-    "13.210.67.128/26",
-    "13.54.63.128/26",
-    "99.79.169.0/24",
-    "18.192.142.0/23",
-    "35.158.136.0/24",
-    "52.57.254.0/24",
-    "13.48.32.0/24",
-    "18.200.212.0/23",
-    "52.212.248.0/26",
-    "3.10.17.128/25",
-    "3.11.53.0/24",
-    "52.56.127.0/25",
-    "15.188.184.0/24",
-    "52.47.139.0/24",
-    "18.229.220.192/26",
-    "54.233.255.128/26",
-    "3.231.2.0/25",
-    "3.234.232.224/27",
-    "3.236.169.192/26",
-    "3.236.48.0/23",
-    "34.195.252.0/24",
-    "34.226.14.0/24",
-    "13.59.250.0/26",
-    "18.216.170.128/25",
-    "3.128.93.0/24",
-    "3.134.215.0/24",
-    "52.15.127.128/26",
-    "3.101.158.0/23",
-    "52.52.191.128/26",
-    "34.216.51.0/25",
-    "34.223.12.224/27",
-    "34.223.80.192/26",
-    "35.162.63.192/26",
-    "35.167.191.128/26",
-    "44.227.178.0/24",
-    "44.234.108.128/25",
     "44.234.90.252/30"
   ]
 }

lib/resty/whitelist.lua

@@ -32,44 +32,69 @@ local function fetch_whitelist(url)
         }
     })
 
-    local status = res and res.status or nil
-    local body = res and res.body or nil
-
-    if (not res) or (not body) or (status and (status < 200 or status >= 300)) or err then
-        ngx.log(ngx.ERR, "[lua-resty-whitelist] failed to fetch whitelist => url: " .. url .. ", status: " .. status ..
-            ", body: " .. body, err)
-        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+    if not res then
+        ngx.log(ngx.ERR, "[lua-resty-whitelist] failed to request whitelist endpoint: response is empty, URL: ", url)
+        ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
+    end
+    if is_empty(res.body) or res.status < 200 or res.status > 299 then
+        ngx.log(ngx.ERR,
+            "[lua-resty-whitelist] failed to request whitelist endpoint: status code is not success, URL: ", url)
+        ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
     end
 
-    local whitelist = body .. " "
-    local whitelist_array = {}
+    local body = res.body
 
-    -- Extract CIRDs
-    for ip in string.gmatch(whitelist, "((%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)/(%d%d?))") do
-        table.insert(whitelist_array, ip)
-    end
+    local whitelist_body = " " .. body .. " "
 
-    -- local whitelist_concat = table.concat(whitelist_array, ", ")
-    -- ngx.log(ngx.ERR, "[lua-resty-whitelist] CIRDs: " .. whitelist_concat)
+    -- Extract all CIDRs from whitelist
+    local cidrs_regex =
+        "((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\/(3[0-6]|[1-2][0-9]|[0-9])))"
+    local whitelist_cidrs = {}
+    for cidr in ngx.re.gmatch(whitelist_body, cidrs_regex, "o") do
+        table.insert(whitelist_cidrs, cidr[0])
+    end
 
-    -- TODO: Extract normal IPs as well
+    -- Extract all IPs from whitelist
+    local ip_regex =
+        "((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"
+    local whitelist_ips = {}
+    for ip in ngx.re.gmatch(whitelist_body, ip_regex, "o") do
+        table.insert(whitelist_ips, ip[0])
+    end
 
-    -- -- Extract IPs
-    -- for ip in string.gmatch(whitelist, "((%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)$)") do
-    --     table.insert(whitelist_array, string.sub(ip, 1, -2))
-    -- end
+    -- Parse CIDRs
+    local whitelist_cidrs_parsed = {}
+    if istable(whitelist_cidrs) and #whitelist_ips > 0 then
+        whitelist_cidrs_parsed, err = iputils.parse_cidrs(whitelist_cidrs)
+        if err then
+            ngx.log(ngx.ERR, "[lua-resty-whitelist] failed to parse CIDRs, URL: " .. url .. ", err: " .. err)
+            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+        end
+    end
 
-    -- whitelist_concat = table.concat(whitelist_array, ", ")
-    -- ngx.log(ngx.ERR, "[lua-resty-whitelist] whitelist_concat: " .. whitelist_concat)
+    -- For each IP verify that there is no CIDR that contains it (sort of a clean up)
+    local clean_whitelist_ips = {}
+    for _, ip in ipairs(whitelist_ips) do
+        if not iputils.ip_in_cidrs(ip, whitelist_cidrs_parsed) then
+            table.insert(clean_whitelist_ips, ip)
+        end
+    end
 
-    return whitelist_array
+    return clean_whitelist_ips, whitelist_cidrs_parsed, whitelist_cidrs
 end
 
-local function match_ip_whitelist(ip, whitelist_array)
-    local whitelist = iputils.parse_cidrs(whitelist_array)
-    if not iputils.ip_in_cidrs(ip, whitelist) then
-        return ngx.exit(ngx.HTTP_FORBIDDEN)
+local function match_ip_whitelist(ip, full_whitelist_ips, full_whitelist_cidrs_parsed)
+    if iputils.ip_in_cidrs(ip, full_whitelist_cidrs_parsed) then
+        return true
     end
+
+    for _, v in ipairs(full_whitelist_ips) do
+        if v == ip then
+            return true
+        end
+    end
+
+    return ngx.exit(ngx.HTTP_FORBIDDEN)
 end
 
 function whitelist_m.new(url)
@@ -79,24 +104,41 @@ function whitelist_m.new(url)
         ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
 
-    local whitelist_array = {}
+    local full_whitelist_cidrs_parsed = {}
+    local full_whitelist_cidrs_unparsed = {}
+    local full_whitelist_ips = {}
 
     if istable(url) then
-        for _, u in ipairs(url) do
-            if is_empty(u) then
+        -- Iterate over the table url as it is a list of URLs
+        for _, v in ipairs(url) do
+            if is_empty(v) then
                 ngx.log(ngx.ERR, validation_message)
                 ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
             end
 
-            for _, v in ipairs(fetch_whitelist(u)) do
-                table.insert(whitelist_array, v)
+            local whitelist_ips, whitelist_cidrs_parsed, whitelist_cidrs_unparsed = fetch_whitelist(v)
+
+            for _, ip in ipairs(whitelist_ips) do
+                table.insert(full_whitelist_ips, ip)
+            end
+
+            for _, cidr in ipairs(whitelist_cidrs_parsed) do
+                table.insert(full_whitelist_cidrs_parsed, cidr)
+            end
+
+            for _, cidr in ipairs(whitelist_cidrs_unparsed) do
+                table.insert(full_whitelist_cidrs_unparsed, cidr)
             end
         end
     else
-        whitelist_array = fetch_whitelist(url)
+        -- Get clean_whitelist_ips, whitelist_cidrs_parsed from fetch_whitelist(url)
+        full_whitelist_ips, full_whitelist_cidrs_parsed, full_whitelist_cidrs_unparsed = fetch_whitelist(url)
     end
 
-    match_ip_whitelist(ngx.var.remote_addr, whitelist_array)
+    ngx.log(ngx.ALERT, "Whitelist IPs: " .. table.concat(full_whitelist_ips, ", "))
+    ngx.log(ngx.ALERT, "Whitelist CIDRs: " .. table.concat(full_whitelist_cidrs_unparsed, ", "))
+
+    match_ip_whitelist(ngx.var.remote_addr, full_whitelist_ips, full_whitelist_cidrs_parsed)
 end
 
 return whitelist_m