package correlation import ( "net" "net/http" "github.com/sebest/xff" "github.com/sirupsen/logrus" ) // XFFAllowedFunc decides whether X-Forwarded-For headers are to be trusted. type XFFAllowedFunc func(ip string) bool // The configuration for InjectCorrelationID. type inboundHandlerConfig struct { propagation bool sendResponseHeader bool invalidCIDRsForPropagation bool trustedCIDRsForPropagation []net.IPNet trustedCIDRsForXForwardedFor []net.IPNet xffAllowed XFFAllowedFunc } // InboundHandlerOption will configure a correlation handler // currently there are no options, but this gives us the option // to extend the interface in a backwards compatible way. type InboundHandlerOption func(*inboundHandlerConfig) func applyInboundHandlerOptions(opts []InboundHandlerOption) inboundHandlerConfig { config := inboundHandlerConfig{ propagation: false, } for _, v := range opts { v(&config) } return config } // WithPropagation will configure the handler to propagate existing correlation_ids // passed in from upstream services. // This is not the default behaviour. func WithPropagation() InboundHandlerOption { return func(config *inboundHandlerConfig) { config.propagation = true } } // WithSetResponseHeader will configure the handler to set the correlation_id // in the http response headers. func WithSetResponseHeader() InboundHandlerOption { return func(config *inboundHandlerConfig) { config.sendResponseHeader = true } } // WithCIDRsTrustedForPropagation will configure the handler to set a list of trusted // CIDR blocks to allow propagation of correlation_ids. func WithCIDRsTrustedForPropagation(trustedCIDRs []string) InboundHandlerOption { return func(config *inboundHandlerConfig) { for _, s := range trustedCIDRs { _, ipNet, err := net.ParseCIDR(s) if err != nil { logrus.Errorf("Bad trusted CIDR for propagation %s: %v, propagation disabled", s, err) config.invalidCIDRsForPropagation = true } else { config.trustedCIDRsForPropagation = append(config.trustedCIDRsForPropagation, *ipNet) } } } } // WithCIDRsTrustedForXForwardedFor will configure the handler to trust // X-Forwarded-For from trusted CIDR blocks. func WithCIDRsTrustedForXForwardedFor(trustedCIDRs []string) InboundHandlerOption { return func(config *inboundHandlerConfig) { for _, s := range trustedCIDRs { _, ipNet, err := net.ParseCIDR(s) if err != nil { logrus.Errorf("Bad trusted CIDR for XForwardedFor %s: %v", s, err) } else { config.trustedCIDRsForXForwardedFor = append(config.trustedCIDRsForXForwardedFor, *ipNet) } } config.xffAllowed = func(ip string) bool { return isTrustedIP(ip, config.trustedCIDRsForXForwardedFor) } } } func isTrustedIP(ipAddress string, trustedCIDRs []net.IPNet) bool { ip := net.ParseIP(ipAddress) for _, cidr := range trustedCIDRs { if cidr.Contains(ip) { return true } } return false } func isTrustedAddr(addr string, trustedCIDRs []net.IPNet) bool { host, _, err := net.SplitHostPort(addr) if err != nil { return false } return isTrustedIP(host, trustedCIDRs) } func (c *inboundHandlerConfig) shouldPropagate(r *http.Request) bool { if !c.propagation || c.invalidCIDRsForPropagation { return false } if len(c.trustedCIDRsForPropagation) == 0 { return true } remoteAddr := r.RemoteAddr if c.xffAllowed != nil { // Unix domain sockets have a remote addr of @. This will make the // xff package lookup the X-Forwarded-For address if available. if remoteAddr == "@" { r.RemoteAddr = "127.0.0.1:0" } remoteAddr = xff.GetRemoteAddrIfAllowed(r, c.xffAllowed) // If X-Forwarded-For was allowed and returned a different address, check // the original address against our trusted CIDRs for propagation, in case // the reverse proxy is trusted if remoteAddr != r.RemoteAddr && isTrustedAddr(r.RemoteAddr, c.trustedCIDRsForPropagation) { return true } } return isTrustedAddr(remoteAddr, c.trustedCIDRsForPropagation) }