From 1ec90c7faf6b71b1626398610b464be4dac5f502 Mon Sep 17 00:00:00 2001
From: r-caamano
Date: Fri, 7 Jul 2023 22:57:19 +0000
Subject: [PATCH] Added AllowedSourceAddresses to the event channel
---
 .../ziti-edge-tunnel/include/model/dtos.h | 1 +
 programs/ziti-edge-tunnel/instance.c | 43 ++++++++++++++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/programs/ziti-edge-tunnel/include/model/dtos.h b/programs/ziti-edge-tunnel/include/model/dtos.h
index d42f8138..6471829e 100644
--- a/programs/ziti-edge-tunnel/include/model/dtos.h
+++ b/programs/ziti-edge-tunnel/include/model/dtos.h
@@ -82,6 +82,7 @@ XX(Id, string, none, Id, __VA_ARGS__) \
 XX(Name, string, none, Name, __VA_ARGS__) \
 XX(Protocols, string, array, Protocols, __VA_ARGS__) \
 XX(Addresses, tunnel_address, array, Addresses, __VA_ARGS__) \
+XX(AllowedSourceAddresses, tunnel_address, array, AllowedSourceAddresses, __VA_ARGS__) \
 XX(Ports, tunnel_port_range, array, Ports, __VA_ARGS__) \
 XX(OwnsIntercept, bool, none, OwnsIntercept, __VA_ARGS__) \
 XX(PostureChecks, tunnel_posture_check, array, PostureChecks, __VA_ARGS__) \
diff --git a/programs/ziti-edge-tunnel/instance.c b/programs/ziti-edge-tunnel/instance.c
index 9cde3652..58d1a063 100644
--- a/programs/ziti-edge-tunnel/instance.c
+++ b/programs/ziti-edge-tunnel/instance.c
@@ -28,6 +28,7 @@ model_map tnl_identity_map = {0};
 static const char* CFG_INTERCEPT_V1 = "intercept.v1";
+static const char* CFG_HOST_V1 = "host.v1";
 static const char* CFG_ZITI_TUNNELER_CLIENT_V1 = "ziti-tunneler-client.v1";
 static tunnel_status tnl_status = {0};
@@ -286,6 +287,44 @@ tunnel_port_range *getTunnelPortRange(ziti_port_range *zpr){
 return tpr;
 }
+static void setTunnelAllowedSourceAddress(tunnel_service *tnl_svc, ziti_service *service) {
+ const char* cfg_json = ziti_service_get_raw_config(service, CFG_HOST_V1);
+ tunnel_address_array allowed_src_addr_arr = NULL;
+ if (cfg_json != NULL && strlen(cfg_json) > 0) {
+ ZITI_LOG(TRACE, "host.v1: %s", cfg_json);
+ ziti_host_cfg_v1 cfg_v1 = {0};
+ parse_ziti_host_cfg_v1(&cfg_v1, cfg_json, strlen(cfg_json));
+ size_t n = 0;
+ int j = 0;
+ ziti_address_array allowed_src_addrs = cfg_v1.allowed_source_addresses;
+ for (int x = 0; allowed_src_addrs != NULL && allowed_src_addrs[x] != NULL; x++) {
+ if (allowed_src_addrs[x]->type == ziti_address_cidr) {
+ n++;
+ }
+ }
+ allowed_src_addr_arr = calloc(n + 1, sizeof(tunnel_address *));
+ for (int i = 0; allowed_src_addrs != NULL && allowed_src_addrs[i] != NULL; i++) {
+ if (allowed_src_addrs[i]->type != ziti_address_cidr) {
+ if (allowed_src_addrs[i]->type == ziti_address_hostname) {
+ ZITI_LOG(ERROR, "hosted_service[%s] cannot use hostname '%s' as `allowed_source_address`",
+ tnl_svc->Name, allowed_src_addrs[i]->addr.hostname);
+ } else {
+ ZITI_LOG(ERROR, "unknown ziti_address type %d", allowed_src_addrs[i]->type);
+ }
+ continue;
+ }
+ else{
+ allowed_src_addr_arr[j] = to_address(allowed_src_addrs[i]);
+ j++;
+ }
+ }
+ free_ziti_host_cfg_v1(&cfg_v1);
+ if (allowed_src_addr_arr != NULL) {
+ tnl_svc->AllowedSourceAddresses = allowed_src_addr_arr;
+ }
+ }
+}
+
 static void setTunnelServiceAddress(tunnel_service *tnl_svc, ziti_service *service) {
 const char* cfg_json = ziti_service_get_raw_config(service, CFG_INTERCEPT_V1);
 tunnel_address_array tnl_addr_arr = NULL;
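Review bot: The `if (allowed_src_addr_arr != NULL)` guard at the end of setTunnelAllowedSourceAddress comes after the second loop has already stored into `allowed_src_addr_arr[j]`, so a failed `calloc` is dereferenced before it is ever checked. Move the check directly after the allocation, `allowed_src_addr_arr = calloc(n + 1, sizeof(tunnel_address *));` followed by `if (allowed_src_addr_arr == NULL) { free_ziti_host_cfg_v1(&cfg_v1); return; }`, after which the trailing guard is redundant and can go. The return value of `parse_ziti_host_cfg_v1` is also ignored; the existing setTunnelServiceAddress does the same with `parse_ziti_intercept_cfg_v1`, so if that is deliberate a short comment stating that a parse failure yields an empty array would document it. Whether `to_address` returns a copy that outlives `free_ziti_host_cfg_v1(&cfg_v1)` cannot be confirmed from this hunk; it is presumably the same helper setTunnelServiceAddress relies on, but worth confirming.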
@@ -295,7 +334,6 @@ static void setTunnelServiceAddress(tunnel_service *tnl_svc, ziti_service *servi
 ZITI_LOG(TRACE, "intercept.v1: %s", cfg_json);
 ziti_intercept_cfg_v1 cfg_v1 = {0};
 parse_ziti_intercept_cfg_v1(&cfg_v1, cfg_json, strlen(cfg_json));
- // set address
 size_t n = model_list_size(&cfg_v1.addresses);
 tnl_addr_arr = calloc(n+1, sizeof(tunnel_address *));
@@ -381,6 +419,9 @@ tunnel_service *get_tunnel_service(tunnel_identity* id, ziti_service* zs) {
 svc->Permissions.Dial = ziti_service_has_permission(zs, ziti_session_type_Dial);
 setTunnelPostureDataTimeout(svc, zs);
 setTunnelServiceAddress(svc, zs);
+ if(svc->Permissions.Bind){
+ setTunnelAllowedSourceAddress(svc, zs);
+ }
 return svc;
 }
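Review bot: `if(svc->Permissions.Bind){` in get_tunnel_service is written without the spacing the rest of the file uses (`if (...) {`, as in the new setTunnelAllowedSourceAddress and in setTunnelServiceAddress); `if (svc->Permissions.Bind) {` keeps the style consistent. The guard also leaves `AllowedSourceAddresses` NULL for every service without Bind permission, which consumers of the event channel presumably treat as "no source restriction"; a one-line comment such as `// host.v1 allowed_source_addresses only apply to hosted (Bind) services` would make that intent explicit. get_tunnel_service begins before this hunk.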