Fix some bugs, add network whitelisting, start on documentation

2025-05-30 12:12:02 -04:00
parent f26a2fad95
commit 28b292453f
4 changed files with 191 additions and 23 deletions
--- a/proxy/main.go
+++ b/proxy/main.go
@ -9,6 +9,8 @@ import (
 	"net"
 	"net/http"
 	"net/http/httputil"
+	"os"
+	"regexp"
 	"strings"
 )

@ -41,11 +43,12 @@ func main() {
 		proxy.ServeHTTP(w, r)
 	})

-	log.Println("Unix socket proxy running on :80")
-	log.Fatal(http.ListenAndServe(":80", nil))
+	log.Println("Unix socket proxy running on :8000")
+	log.Fatal(http.ListenAndServe(":8000", nil))
 }

 func isAllowed(method, path string) bool {
+	// White listed endpoints that are considered relatively safe for now.
 	if method == "GET" {
 		if strings.HasSuffix(path, "/containers/json") ||
 			strings.HasSuffix(path, "/networks") ||
@ -65,10 +68,28 @@ func isAllowed(method, path string) bool {
 			return true
 		}
 	}
+	// If it doesn't fit into any of the above, then do some more checks on it.
 	return allowPath(path)

 }

+// Only allow specific Docker API paths (e.g., container inspect, used by Traefik)
+func allowPath(path string) bool {
+	pattern := `^v\d+\.\d+$`
+	re := regexp.MustCompile(pattern)
+
+	log.Printf("Inspecting %s", path)
+	// Example: /v1.24/containers/<container-id>/json
+	parts := strings.Split(path, "/")
+	log.Printf("Parts %d parts[0] %s", len(parts), parts)
+	if len(parts) == 5 && re.MatchString(parts[1]) && parts[2] == "containers" && parts[4] == "json" {
+		log.Printf("Passes")
+		return true
+	}
+	return false
+}
+
+// Remove some sensitive data from the Docker API response.
 func redactSensitiveFields(resp *http.Response) error {
 	data, err := io.ReadAll(resp.Body)
 	if err != nil {
@ -82,6 +103,8 @@ func redactSensitiveFields(resp *http.Response) error {
 		log.Printf("➡️ Body (object): %+v", obj)

 		// Redact sensitive fields from single object
+		log.Printf("🧪 Item: %+v", obj)
+
 		redactObject(obj)

 		redacted, _ := json.Marshal(obj)
@ -96,9 +119,22 @@ func redactSensitiveFields(resp *http.Response) error {
 	if err := json.Unmarshal(data, &arr); err == nil {
 		log.Printf("➡️ Body (array): %d items", len(arr))

-		// Redact sensitive fields from each item in the array
-		for _, item := range arr {
-			redactObject(item)
+		// Special case: filter top-level networks (from /networks)
+		if strings.Contains(resp.Request.URL.Path, "/networks") {
+			filtered := make([]map[string]interface{}, 0)
+			for _, item := range arr {
+				if name, ok := item["Name"].(string); ok && allowedNetworks[name] {
+					filtered = append(filtered, item)
+				} else {
+					log.Printf("🗑️ Removing disallowed network: %s", name)
+				}
+			}
+			arr = filtered
+		} else {
+			// Generic redaction
+			for _, item := range arr {
+				redactObject(item)
+			}
 		}

 		redacted, _ := json.Marshal(arr)
@ -116,34 +152,78 @@ func redactSensitiveFields(resp *http.Response) error {
 	return nil
 }

-// Only allow specific Docker API paths (e.g., container inspect, used by Traefik)
-func allowPath(path string) bool {
-	log.Printf("Inspecting %s", path)
-	// Example: /v1.24/containers/<container-id>/json
-	parts := strings.Split(path, "/")
-	log.Printf("Parts %d parts[0] %s", len(parts), parts)
-	if len(parts) == 5 && parts[1] == "v1.24" && parts[2] == "containers" && parts[4] == "json" {
-		log.Printf("Passes")
-		return true
+var allowedNetworks = getAllowedNetworks()
+
+func getAllowedNetworks() map[string]bool {
+	env := os.Getenv("ALLOWED_NETWORKS")
+	nets := strings.Split(env, ",")
+	allowed := make(map[string]bool, len(nets))
+	for _, n := range nets {
+		n = strings.TrimSpace(n)
+		if n != "" {
+			allowed[n] = true
+		}
 	}
-	return false
+	return allowed
 }

+// This function is responsible for removing keys/properties from the response.
 func redactObject(obj map[string]interface{}) {
 	// Top-level redactions
 	delete(obj, "HostConfig")
 	delete(obj, "GraphDriver")
 	delete(obj, "Mounts")

-	// Nested redactions
+	// Config redactions
 	if config, ok := obj["Config"].(map[string]interface{}); ok {
 		delete(config, "Env")
 		delete(config, "Volumes")
 		delete(config, "User")
 	}

-	if netSettings, ok := obj["NetworkSettings"].(map[string]interface{}); ok {
-		delete(netSettings, "SandboxID")
-		delete(netSettings, "SandboxKey")
+	// NetworkSettings redactions
+	netSettings, ok := obj["NetworkSettings"].(map[string]interface{})
+	if !ok {
+		log.Println("🔍 No NetworkSettings present")
+		return
+	}
+
+	delete(netSettings, "SandboxID")
+	delete(netSettings, "SandboxKey")
+
+	networksRaw, ok := netSettings["Networks"]
+	if !ok {
+		log.Println("🔍 No Networks field present")
+		return
+	}
+
+	// Filter out any networks that traefik is not on and therefore should not care/know about.
+	switch networks := networksRaw.(type) {
+	case map[string]interface{}:
+		log.Printf("🌐 Found networks: %v", keysOf(networks))
+		for name := range networks {
+			if !allowedNetworks[name] {
+				log.Printf("🗑️ Removing disallowed network: %s", name)
+				delete(networks, name)
+			}
+		}
+	case []interface{}:
+		log.Printf("🌐 Found networks (array): %v", networks)
+		var filtered []interface{}
+		for _, v := range networks {
+			if name, ok := v.(string); ok && allowedNetworks[name] {
+				filtered = append(filtered, name)
+			}
+		}
+		netSettings["Networks"] = filtered
+	default:
+		log.Printf("⚠️ Unknown type for Networks: %T", networksRaw)
 	}
 }
+func keysOf(m map[string]interface{}) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return keys
+}