alec-pinson / ip-whitelister
Login with AzureAD account and whitelist your IP against Cloud resources for 24 hours
License: Apache License 2.0
It appears there have been a couple of typos in config.go and user.go when go vet is run.
➜ ip-whitelister git:(main) go version
go version go1.17.13 darwin/amd64
➜ ip-whitelister git:(main) go vet
# github.com/alec-pinson/ip-whitelister
./config.go:26:2: struct field tag `yaml":ttl"` not compatible with reflect.StructTag.Get: bad syntax for struct tag pair
./user.go:28:2: struct field tag `json:"objectId` not compatible with reflect.StructTag.Get: bad syntax for struct tag value
➜ ip-whitelister git:(main)
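To see what the two reported tag typos mean at runtime, here is an added example (not the project's code) that reproduces the tags exactly as go vet printed them in a constructed struct and asks reflect.StructTag.Lookup whether the decoder can see the intended key at all. A tag with bad syntax is invisible to reflect, so the decoder applies its own field-name fallback for that field rather than the wire name written in the tag; whether the fallback happens to match the config key is luck, not configuration.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed for this example (not the project's types): the two field tags
// exactly as go vet reported them, next to their corrected spellings.
type badTags struct {
	TTL      int    `yaml":ttl"`      // quote before the colon: the key is never "yaml"
	ObjectID string `json:"objectId` // value has no closing quote
}

type goodTags struct {
	TTL      int    `yaml:"ttl"`
	ObjectID string `json:"objectId"`
}

// CheckTags returns the fields of t that expose none of the given tag keys.
// To reflect a malformed tag is indistinguishable from a missing one, so a
// decoder silently falls back to its own field-name rules for those fields.
func CheckTags(t reflect.Type, keys ...string) []string {
	var broken []string
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		visible := false
		for _, k := range keys {
			if _, ok := f.Tag.Lookup(k); ok {
				visible = true
				break
			}
		}
		if !visible {
			broken = append(broken, f.Name)
		}
	}
	return broken
}

func main() {
	fmt.Println(CheckTags(reflect.TypeOf(badTags{}), "yaml", "json"))  // [TTL ObjectID]
	fmt.Println(CheckTags(reflect.TypeOf(goodTags{}), "yaml", "json")) // []
}
```

Running a check like this over every config and API struct at startup (or as a unit test) catches a tag typo before a silently unbound field changes behaviour in production.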
2022/01/06 15:23:50 azure.AzureFrontDoor.update():frontdoor.PoliciesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="Conflict" Message="The requested operation cannot be executed on the entity as another operation is in progress."
2022/01/06 15:23:50 azure.AzureFrontDoor.update(): updated 'rg/policy'
➜ ip-whitelister git:(main) go version
go version go1.17.13 darwin/amd64
➜ ip-whitelister git:(main) staticcheck -version
staticcheck 2022.1.3 (v0.3.3)
➜ ip-whitelister git:(main) staticcheck
functions.go:25:9: unnecessary assignment to the blank identifier (S1005)
http.go:77:3: empty branch (SA9003)
user.go:128:16: func (*User).unwhitelist is unused (U1000)
Whitelist TTL = 24 in this example
Current process
A solution to this (as we don't want to allow API spam) would be to allow each user to request a whitelist maybe once a minute or so instead.
Proposed process
2 replicas were running at the time
frontdoor.PoliciesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="Conflict" Message="The requested operation cannot be executed on the entity as another operation is in progress."
panic: runtime error: invalid memory address or nil pointer dereference
If a user is already whitelisted then any new groups they may have if they log in again aren't updated
If you add tags to your Azure Front Door WAF policy then restart ip-whitelister, the tags will be removed.
Add some arbitrary tags to terraform/frontdoor.tf, example diff below:
diff --git a/terraform/frontdoor.tf b/terraform/frontdoor.tf
index 1fb3315..4c61e75 100644
--- a/terraform/frontdoor.tf
+++ b/terraform/frontdoor.tf
@@ -12,6 +12,11 @@ resource "azurerm_frontdoor_firewall_policy" "this" {
https://xyz.com/ip-whitelister
*/
lifecycle { ignore_changes = [custom_rule, managed_rule] }
+
+ tags = {
+ name = var.name
+ created-by = "terraform"
+ }
}
output "azure_frontdoor_policy" {
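Review bot: the new tags block sits outside the existing `lifecycle { ignore_changes = [custom_rule, managed_rule] }`, so Terraform still manages the tags; once ip-whitelister strips them, `terraform plan` will report the two tags as drift to re-add, which is a second confirmation of the bug worth recording in the repro steps next to the Portal check. It also means the same tags get re-applied on every apply and removed again on every ip-whitelister restart until the policy update in ip-whitelister preserves existing tags.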
1. Build the infra in ./terraform
2. Check the tags on the Azure Front Door WAF policy exist in Azure Portal
3. Configure the config file ./config/config.yaml as per the Terraform and service principal (I also did rm ./config/resources/*.yaml for testing).
4. Run go build
5. Run ./ip-whitelister
6. Re-check the tags on the Azure Front Door WAF policy exist in Azure Portal - they will have been removed.
2022/01/10 17:12:27 config.load(): read config/resources/..data: is a directory
2022/01/11 09:23:05 functions.getIpList():invalid CIDR address: 1.2.3.4
E.g. to be whitelisted against the 'app_50_keyvault' you must be part of the 'app_50' AD group.
Config would look something like this
resources:
  - cloud: azure
    type: storageaccount
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    name: app50storage
    group:
      - admins_group
      - app_50_group
  - cloud: azure
    type: keyvault
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    name: app50kv
    group:
      - admins_group
      - app_50_group
If you're not part of the group, you won't be whitelisted against the resource.
No errors, just exits.
App seems to be crashing randomly with above message
IPv6 is not supported by all resources, e.g. storage account, key vault
e.g.
resources:
  - cloud: azure
    type: frontdoor
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    policy_name: notrealpolicy
    ip_whitelist:
      - 85.0.0.0/24
      - 200.0.0.0/24
  - cloud: azure
    type: storageaccount
    subscription_id: notreal-not-real-not-notreal
    resource_group: notreal-rg
    name: notrealstorage
    ip_whitelist:
      - 85.0.0.0/24
      - 200.0.0.0/24
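As an added example (not the project's code) covering both the "invalid CIDR address: 1.2.3.4" log above and the IPv6 note in this issue: a normaliser that turns a bare address into a single-host prefix, which is what net.ParseCIDR rejects with exactly that message, and that drops IPv6 entries for resource types that cannot accept them instead of failing the whole update. Whether a resource type supports IPv6 is passed in as a boolean; that flag, the function names and the sample input are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
)

// normalizeEntry accepts a bare IP ("1.2.3.4") or a CIDR ("85.0.0.0/24").
// A bare address becomes a single-host prefix; handed to net.ParseCIDR as-is
// it fails with exactly "invalid CIDR address: 1.2.3.4".
func normalizeEntry(s string) (*net.IPNet, error) {
	if ip := net.ParseIP(s); ip != nil {
		bits := 32
		if ip.To4() == nil {
			bits = 128
		}
		s = fmt.Sprintf("%s/%d", ip, bits)
	}
	_, n, err := net.ParseCIDR(s)
	return n, err
}

// ResourceIPList builds the list to push to one resource. Bad entries and
// IPv6 prefixes for resource types that cannot take them go to skipped
// instead of aborting the whole update.
func ResourceIPList(entries []string, ipv6Supported bool) (accepted, skipped []string) {
	for _, e := range entries {
		n, err := normalizeEntry(e)
		if err != nil {
			skipped = append(skipped, fmt.Sprintf("%s: %v", e, err))
			continue
		}
		if n.IP.To4() == nil && !ipv6Supported {
			skipped = append(skipped, e+": IPv6 not supported by this resource type")
			continue
		}
		accepted = append(accepted, n.String())
	}
	return accepted, skipped
}

func main() {
	// Constructed sample: a CIDR, a bare IPv4, an IPv6 address and junk,
	// pushed to a resource type without IPv6 support (e.g. storage account).
	in := []string{"85.0.0.0/24", "1.2.3.4", "2001:db8::1", "not-an-ip"}
	accepted, skipped := ResourceIPList(in, false)
	fmt.Println(accepted) // [85.0.0.0/24 1.2.3.4/32]
	fmt.Println(skipped)
}
```

Logging the skipped list per resource keeps a single bad or unsupported entry from blocking every other user's access while still leaving a trace of what was dropped.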