feat(worker): access control list (#253)

Author: vm-001

config.yml

@@ -69,9 +69,28 @@ status:
 #------------------------------------------------------------------------------
 
 worker:
-  enabled: false
+  enabled: false                    # Whether to enable the Worker.
   deliverer:
-    timeout: 60000
+    timeout: 60000                  # Sets the request timeout (in milliseconds) for delivery requests.
+    acl:                            # Access Control List (ACL) defines rules to control outbound network access.
+                                    # A rule is a string of IPv4, IPv6, CIDR, hostname, or pre-configured group.
+                                    # A hostname can contain a wildcard prefix (*.) represents its subdomains, and Unicode
+                                    # characters need to be converted to Punycode.
+                                    # The list of pre-configured groups:
+                                    # - @default: [ '@private', '@loopback', '@linklocal', '@reserved' ]
+                                    # - @private: [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' ]
+                                    # - @loopback: [ '127.0.0.0/8', '::1/128' ]
+                                    # - @linklocal: [ '169.254.0.0/16', 'fe80::/10' ]
+                                    # - @reserved: [ '0.0.0.0/8', '100.64.0.0/10', '192.0.0.0/24', '224.0.0.0/4', '240.0.0.0/4', 'fc00::/7' ]
+                                    #
+      deny:                         # `deny` defines a list of rules that deny access.
+        - '@default'                # Example:
+                                    # deny:
+                                    #   - '@default'
+                                    #   - '23.215.0.136'
+                                    #   - '2606:2800:220:1:248:1893:25c8:1946'
+                                    #   - '*.example.com'
+                                    #
   pool:
     size: 10000                     # pool size, default to 10000.
     concurrency: 0                  # pool concurrency, default to 100 * CPUs

config/config_test.go

@@ -358,6 +358,79 @@ func TestRole(t *testing.T) {
 	assert.Equal(t, errors.New("invalid role: ''"), cfg.Validate())
 }
 
+func TestWorkerConfig(t *testing.T) {
+	tests := []struct {
+		desc        string
+		cfg         WorkerConfig
+		validateErr error
+	}{
+		{
+			desc: "sanity",
+			cfg: WorkerConfig{
+				Enabled: false,
+				Deliverer: WorkerDeliverer{
+					Timeout: 0,
+					ACL: ACLConfig{
+						Deny: []string{"@default", "0.0.0.0", "0.0.0.0/32", "*.example.com", "foo.example.com", "::1/128"},
+					},
+				},
+				Pool: Pool{},
+			},
+			validateErr: nil,
+		},
+		{
+			desc: "invalid deliverer configuration: negative timeout",
+			cfg: WorkerConfig{
+				Deliverer: WorkerDeliverer{
+					Timeout: -1,
+					ACL:     ACLConfig{},
+				},
+			},
+			validateErr: errors.New("deliverer.timeout cannot be negative"),
+		},
+		{
+			desc: "invalid deliverer configuration: invalid acl configuration 1",
+			cfg: WorkerConfig{
+				Deliverer: WorkerDeliverer{
+					Timeout: 0,
+					ACL: ACLConfig{
+						Deny: []string{"default"},
+					},
+				},
+			},
+			validateErr: errors.New("invalid rule 'default': requires IP, CIDR, hostname, or pre-configured name"),
+		},
+		{
+			desc: "invalid deliverer configuration: invalid acl configuration 2",
+			cfg: WorkerConfig{
+				Deliverer: WorkerDeliverer{
+					Timeout: 0,
+					ACL: ACLConfig{
+						Deny: []string{"*"},
+					},
+				},
+			},
+			validateErr: errors.New("invalid rule '*': requires IP, CIDR, hostname, or pre-configured name"),
+		},
+		{
+			desc: "invalid deliverer configuration: unicode hostname",
+			cfg: WorkerConfig{
+				Deliverer: WorkerDeliverer{
+					Timeout: 0,
+					ACL: ACLConfig{
+						Deny: []string{"тест.example.com"},
+					},
+				},
+			},
+			validateErr: errors.New("invalid rule 'тест.example.com': requires IP, CIDR, hostname, or pre-configured name"),
+		},
+	}
+	for _, test := range tests {
+		actual := test.cfg.Validate()
+		assert.Equal(t, test.validateErr, actual, "expected %v got %v", test.validateErr, actual)
+	}
+}
+
 func TestConfig(t *testing.T) {
 	cfg, err := Init()
 	assert.Nil(t, err)

config/worker.go

@@ -1,7 +1,25 @@
 package config
 
+import (
+	"fmt"
+	"net/netip"
+	"regexp"
+	"slices"
+)
+
 type WorkerDeliverer struct {
-	Timeout int64 `yaml:"timeout" json:"timeout" default:"60000"`
+	Timeout int64     `yaml:"timeout" json:"timeout" default:"60000"`
+	ACL     ACLConfig `yaml:"acl" json:"acl"`
+}
+
+func (cfg *WorkerDeliverer) Validate() error {
+	if cfg.Timeout < 0 {
+		return fmt.Errorf("deliverer.timeout cannot be negative")
+	}
+	if err := cfg.ACL.Validate(); err != nil {
+		return err
+	}
+	return nil
 }
 
 type Pool struct {
@@ -15,6 +33,40 @@ type WorkerConfig struct {
 	Pool      Pool            `yaml:"pool" json:"pool"`
 }
 
+type ACLConfig struct {
+	Deny []string `yaml:"deny" json:"deny" default:"[\"@default\"]"`
+}
+
+func (acl *ACLConfig) Validate() error {
+	for _, rule := range acl.Deny {
+		if err := validateRule(rule); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func validateRule(rule string) error {
+	groups := []string{"@default", "@private", "@loopback", "@linklocal", "@reserved"}
+	if slices.Contains(groups, rule) {
+		return nil
+	}
+	if _, err := netip.ParseAddr(rule); err == nil {
+		return nil
+	}
+	if _, err := netip.ParsePrefix(rule); err == nil {
+		return nil
+	}
+	r := regexp.MustCompile(`^(\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+$`)
+	if matched := r.MatchString(rule); matched {
+		return nil
+	}
+	return fmt.Errorf("invalid rule '%s': requires IP, CIDR, hostname, or pre-configured name", rule)
+}
+
 func (cfg *WorkerConfig) Validate() error {
+	if err := cfg.Deliverer.Validate(); err != nil {
+		return err
+	}
 	return nil
 }

db/entities/attempt.go

@@ -43,6 +43,7 @@ const (
 	AttemptErrorCodeTimeout          AttemptErrorCode = "TIMEOUT"
 	AttemptErrorCodeUnknown          AttemptErrorCode = "UNKNOWN"
 	AttemptErrorCodeEndpointDisabled AttemptErrorCode = "ENDPOINT_DISABLED"
+	AttemptErrorCodeDenied           AttemptErrorCode = "DENIED"
 	AttemptErrorCodeEndpointNotFound AttemptErrorCode = "ENDPOINT_NOT_FOUND"
 )
 

test/delivery/acl_test.go

@@ -0,0 +1,204 @@
+package delivery
+
+import (
+	"context"
+	"github.com/go-resty/resty/v2"
+	. "github.com/onsi/ginkgo/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/webhookx-io/webhookx/app"
+	"github.com/webhookx-io/webhookx/constants"
+	"github.com/webhookx-io/webhookx/db"
+	"github.com/webhookx-io/webhookx/db/entities"
+	"github.com/webhookx-io/webhookx/db/query"
+	"github.com/webhookx-io/webhookx/test/helper"
+	"github.com/webhookx-io/webhookx/test/helper/factory"
+	"github.com/webhookx-io/webhookx/utils"
+	"github.com/webhookx-io/webhookx/worker/deliverer"
+	"net/netip"
+	"time"
+)
+
+type ResolverFunc func(ctx context.Context, network, host string) ([]netip.Addr, error)
+
+func (fn ResolverFunc) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
+	return fn(ctx, network, host)
+}
+
+var _ = Describe("network acl", Ordered, func() {
+	Context("acl", func() {
+		var proxyClient *resty.Client
+
+		var app *app.Application
+		var db *db.DB
+
+		entitiesConfig := helper.EntitiesConfig{
+			Endpoints: []*entities.Endpoint{
+				factory.EndpointP(func(o *entities.Endpoint) {
+					o.Events = []string{"test1"}
+				}),
+				factory.EndpointP(func(o *entities.Endpoint) {
+					o.Events = []string{"test2"}
+					o.Request.URL = "http://www.example.com"
+				}),
+				factory.EndpointP(func(o *entities.Endpoint) {
+					o.Events = []string{"test3"}
+					o.Request.URL = "http://suspicious.webhookx.io"
+				}),
+				factory.EndpointP(func(o *entities.Endpoint) {
+					o.Events = []string{"unicode-test"}
+					o.Request.URL = "http://тест.foo.com"
+				}),
+			},
+			Sources: []*entities.Source{factory.SourceP()},
+		}
+
+		var resolver = deliverer.DefaultResolver
+
+		BeforeAll(func() {
+			deliverer.DefaultResolver = ResolverFunc(func(ctx context.Context, network, host string) ([]netip.Addr, error) {
+				if host == "suspicious.webhookx.io" {
+					return []netip.Addr{netip.MustParseAddr("127.0.0.1")}, nil
+				}
+				return resolver.LookupNetIP(ctx, network, host)
+			})
+
+			db = helper.InitDB(true, &entitiesConfig)
+			proxyClient = helper.ProxyClient()
+
+			app = utils.Must(helper.Start(map[string]string{
+				"WEBHOOKX_PROXY_LISTEN":              "0.0.0.0:8081",
+				"WEBHOOKX_WORKER_ENABLED":            "true",
+				"WEBHOOKX_WORKER_DELIVERER_ACL_DENY": "@default,*.example.com,xn--e1aybc.foo.com",
+			}))
+
+		})
+
+		AfterAll(func() {
+			deliverer.DefaultResolver = resolver
+			app.Stop()
+		})
+
+		It("request denied", func() {
+			err := waitForServer("0.0.0.0:8081", time.Second)
+			assert.NoError(GinkgoT(), err)
+
+			resp, err := proxyClient.R().
+				SetBody(`{"event_type": "test1","data": {"key": "value"}}`).
+				Post("/")
+			assert.NoError(GinkgoT(), err)
+			assert.Equal(GinkgoT(), 200, resp.StatusCode())
+			eventId := resp.Header().Get(constants.HeaderEventId)
+
+			var attempt *entities.Attempt
+			assert.Eventually(GinkgoT(), func() bool {
+				q := query.AttemptQuery{}
+				q.EventId = &eventId
+				list, err := db.Attempts.List(context.TODO(), &q)
+				if err != nil || len(list) == 0 {
+					return false
+				}
+				attempt = list[0]
+				return attempt.Status == entities.AttemptStatusFailure
+			}, time.Second*5, time.Second)
+
+			// attempt.request
+			assert.Equal(GinkgoT(), entities.AttemptErrorCodeDenied, *attempt.ErrorCode)
+			assert.Equal(GinkgoT(), true, attempt.Exhausted)
+			assert.Nil(GinkgoT(), attempt.Response)
+
+			detail, err := db.AttemptDetails.Get(context.TODO(), attempt.ID)
+			assert.NoError(GinkgoT(), err)
+			assert.NotNil(GinkgoT(), detail.RequestHeaders)
+			assert.NotNil(GinkgoT(), detail.RequestBody)
+			assert.Nil(GinkgoT(), detail.ResponseHeaders)
+			assert.Nil(GinkgoT(), detail.ResponseBody)
+		})
+
+		It("request denied by hostname", func() {
+			err := waitForServer("0.0.0.0:8081", time.Second)
+			assert.NoError(GinkgoT(), err)
+
+			resp, err := proxyClient.R().
+				SetBody(`{"event_type": "test2","data": {"key": "value"}}`).
+				Post("/")
+			assert.NoError(GinkgoT(), err)
+			assert.Equal(GinkgoT(), 200, resp.StatusCode())
+			eventId := resp.Header().Get(constants.HeaderEventId)
+
+			var attempt *entities.Attempt
+			assert.Eventually(GinkgoT(), func() bool {
+				q := query.AttemptQuery{}
+				q.EventId = &eventId
+				list, err := db.Attempts.List(context.TODO(), &q)
+				if err != nil || len(list) == 0 {
+					return false
+				}
+				attempt = list[0]
+				return attempt.Status == entities.AttemptStatusFailure
+			}, time.Second*5, time.Second)
+
+			// attempt.request
+			assert.Equal(GinkgoT(), entities.AttemptErrorCodeDenied, *attempt.ErrorCode)
+			assert.Equal(GinkgoT(), true, attempt.Exhausted)
+			assert.Nil(GinkgoT(), attempt.Response)
+		})
+
+		It("request denied by unicode hostname", func() {
+			err := waitForServer("0.0.0.0:8081", time.Second)
+			assert.NoError(GinkgoT(), err)
+
+			resp, err := proxyClient.R().
+				SetBody(`{"event_type": "unicode-test","data": {"key": "value"}}`).
+				Post("/")
+			assert.NoError(GinkgoT(), err)
+			assert.Equal(GinkgoT(), 200, resp.StatusCode())
+			eventId := resp.Header().Get(constants.HeaderEventId)
+
+			var attempt *entities.Attempt
+			assert.Eventually(GinkgoT(), func() bool {
+				q := query.AttemptQuery{}
+				q.EventId = &eventId
+				list, err := db.Attempts.List(context.TODO(), &q)
+				if err != nil || len(list) == 0 {
+					return false
+				}
+				attempt = list[0]
+				return attempt.Status == entities.AttemptStatusFailure
+			}, time.Second*5, time.Second)
+
+			// attempt.request
+			assert.Equal(GinkgoT(), entities.AttemptErrorCodeDenied, *attempt.ErrorCode)
+			assert.Equal(GinkgoT(), true, attempt.Exhausted)
+			assert.Nil(GinkgoT(), attempt.Response)
+		})
+
+		It("request denied by ip resolved by dns", func() {
+			err := waitForServer("0.0.0.0:8081", time.Second)
+			assert.NoError(GinkgoT(), err)
+
+			resp, err := proxyClient.R().
+				SetBody(`{"event_type": "test3","data": {"key": "value"}}`).
+				Post("/")
+			assert.NoError(GinkgoT(), err)
+			assert.Equal(GinkgoT(), 200, resp.StatusCode())
+			eventId := resp.Header().Get(constants.HeaderEventId)
+
+			var attempt *entities.Attempt
+			assert.Eventually(GinkgoT(), func() bool {
+				q := query.AttemptQuery{}
+				q.EventId = &eventId
+				list, err := db.Attempts.List(context.TODO(), &q)
+				if err != nil || len(list) == 0 {
+					return false
+				}
+				attempt = list[0]
+				return attempt.Status == entities.AttemptStatusFailure
+			}, time.Second*5, time.Second)
+
+			// attempt.request
+			assert.Equal(GinkgoT(), entities.AttemptErrorCodeDenied, *attempt.ErrorCode)
+			assert.Equal(GinkgoT(), true, attempt.Exhausted)
+			assert.Nil(GinkgoT(), attempt.Response)
+		})
+	})
+})