alec-pinson / ip-whitelister Goto Github PK

It appears there have been a couple of typos in config.go and user.go when go vet is run.

➜  ip-whitelister git:(main) go version
go version go1.17.13 darwin/amd64
➜  ip-whitelister git:(main) go vet
# github.com/alec-pinson/ip-whitelister
./config.go:26:2: struct field tag `yaml":ttl"` not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
./user.go:28:2: struct field tag `json:"objectId` not compatible with reflect.StructTag.Get: bad syntax for struct tag value
➜  ip-whitelister git:(main)

Whitelist TTL = 24 in this example

Current process

1. Request whitelist
2. 'Whitelist complete'
3. Whitelist expires 24 hours later
4. Request whitelist again 10 minutes later... fail
5. Whitelist expires 24 hours later
6. Request whitelist again 24 hours later... success

A solution to this (as we don't want to allow API spam) would be to allow each user to request a whitelist maybe once a minute or so instead.

Proposed process

1. Request whitelist
2. Whitelist complete
3. Whitelist expires 24 hours later
4. Request whitelist again 10 seconds later... fail
5. Request whitelist again 1 minute later... success
6. Whitelist expires 24 hours later

2 replicas were running at the time

frontdoor.PoliciesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="Conflict" Message="The requested operation cannot be executed on the entity as another operation is in progress."
panic: runtime error: invalid memory address or nil pointer dereference

If a user is already whitelisted then any new groups they may have if they login again aren't updated

Problem

If you add tags to your Azure Front Door WAF policy then restart ip-whitelister, the tags will be removed.

How to recreate

1. Add some arbitary tags to terraform/frontdoor.tf, example diff below:

   diff --git a/terraform/frontdoor.tf b/terraform/frontdoor.tf
   index 1fb3315..4c61e75 100644
   --- a/terraform/frontdoor.tf
   +++ b/terraform/frontdoor.tf
   @@ -12,6 +12,11 @@ resource "azurerm_frontdoor_firewall_policy" "this" {
        https://xyz.com/ip-whitelister
      */
      lifecycle { ignore_changes = [custom_rule, managed_rule] }
   +
   +  tags = {
   +    name       = var.name
   +    created-by = "terraform"
   +  }
    }
   
    output "azure_frontdoor_policy" {

2. Build the infra in ./terraform

3. Check the tags on the Azure Front Door WAF policy exist in Azure Portal

4. Configure the config file ./config/config.yaml as per the Terraform and service principal (I also did rm ./config/resources/*.yaml for testing).

5. Run go build

6. Run ./ip-whitelister

7. Re-check the tags on the Azure Front Door WAF policy exist in Azure Portal - they will have been removed.

E.g. to be whitelisted against the 'app_50_keyvault' you must be part of the 'app_50' ad group.

Config would look something like this

resources:
  - cloud: azure
    type: storageaccount
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    name: app50storage
    group:
      - admins_group
      - app_50_group
  - cloud: azure
    type: keyvault
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    name: app50kv
    group:
      - admins_group
      - app_50_group

If you're not part of the group, you wont be whitelisted against the resource.

• azure
• functions
• redis
• user
• whitelist

no errors just exits

App seems to be crashing randomly with above message

IPv6 is not supported by all resources, e.g. storage account, key vault

e.g.

resources:
  - cloud: azure
    type: frontdoor
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    policy_name: notrealpolicy
    ip_whitelist:
      - 85.0.0.0/24
      - 200.0.0.0/24
  - cloud: azure
    type: storageaccount
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    name: notrealstorage
    ip_whitelist:
      - 85.0.0.0/24
      - 200.0.0.0/24