[FilterByClientIpPlugin] Implement the whitelist logic (#1127)

LetMeR00t · pre-commit-ci[bot] · abhinavsingh · web-flow · commit 1980a0953d29 · 2022-04-20T22:12:58.000+05:30
* Implement the "whitelist" logic for the plugin "FilterByClientIpPlugin" * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Fix lint errors for the plugin FilterByClientIpPlugin Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Abhinav Singh <126065+abhinavsingh@users.noreply.github.com>
diff --git a/README.md b/README.md
@@ -2469,6 +2469,8 @@ options:
   --filtered-upstream-hosts FILTERED_UPSTREAM_HOSTS
                         Default: Blocks Facebook. Comma separated list of IPv4
                         and IPv6 addresses.
+  --filtered-client-ips-mode FILTERED_CLIENT_IPS_MODE
+                        Default: "blacklist". Can be either "whitelist" (restrict access to specific IPs) or "blacklist" (allow everything except specific IPs).
   --filtered-client-ips FILTERED_CLIENT_IPS
                         Default: 127.0.0.1,::1. Comma separated list of IPv4
                         and IPv6 addresses.
diff --git a/proxy/plugin/filter_by_client_ip.py b/proxy/plugin/filter_by_client_ip.py
@@ -21,6 +21,14 @@
 from ..http.exception import HttpRequestRejected
 
 
+flags.add_argument(
+    '--filtered-client-ips-mode',
+    type=str,
+    default='blacklist',
+    help='Default: blacklist.  Can be either "whitelist" (restrict access to specific IPs)'
+    'or "blacklist" (allow everything except specific IPs).',
+)
+
 flags.add_argument(
     '--filtered-client-ips',
     type=str,
@@ -30,15 +38,23 @@
 
 
 class FilterByClientIpPlugin(HttpProxyBasePlugin):
-    """Drop traffic by inspecting incoming client IP address."""
+    """Allow only (whitelist) or Drop only (blacklist) traffic by inspecting incoming client IP address."""
 
     def before_upstream_connection(
             self, request: HttpParser,
     ) -> Optional[HttpParser]:
         assert not self.flags.unix_socket_path and self.client.addr
-        if self.client.addr[0] in self.flags.filtered_client_ips.split(','):
-            raise HttpRequestRejected(
-                status_code=httpStatusCodes.I_AM_A_TEAPOT,
-                reason=b'I\'m a tea pot',
-            )
+        assert self.flags.filtered_client_ips_mode in ('blacklist', 'whitelist')
+        if self.flags.filtered_client_ips_mode == 'blacklist':
+            if self.client.addr[0] in self.flags.filtered_client_ips.split(','):
+                raise HttpRequestRejected(
+                    status_code=httpStatusCodes.I_AM_A_TEAPOT,
+                    reason=b'I\'m a tea pot',
+                )
+        elif self.flags.filtered_client_ips_mode == 'whitelist':
+            if self.client.addr[0] not in self.flags.filtered_client_ips.split(','):
+                raise HttpRequestRejected(
+                    status_code=httpStatusCodes.I_AM_A_TEAPOT,
+                    reason=b'I\'m a tea pot',
+                )
         return request
