1.11.0 - add per container allowlists

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM --platform=$BUILDPLATFORM golang:1.25.4-alpine3.22 AS build
+FROM --platform=$BUILDPLATFORM golang:1.25.6-alpine3.23 AS build
 WORKDIR /application
 COPY . ./
 ARG TARGETOS

LICENSE

@@ -21,9 +21,10 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 ---
-Parts of this project, specifically the file cmd/internal/bindmount.go,
+Parts of this project, specifically the file cmd/socket-proxy/bindmount.go and
+the files in the internal/docker and internal/go-connections folders,
 contain source code licensed under the Apache License 2.0. See the comments
-in that file for details.
+in the applicable files for details.
 The rest of the project is licensed under the MIT License.
 
                                  Apache License

cmd/socket-proxy/bindmount.go

@@ -79,9 +79,9 @@ type (
 )
 
 // checkBindMountRestrictions checks if bind mounts in the request are allowed.
-func checkBindMountRestrictions(r *http.Request) error {
+func checkBindMountRestrictions(allowedBindMounts []string, r *http.Request) error {
 	// Only check if bind mount restrictions are configured
-	if len(cfg.AllowBindMountFrom) == 0 {
+	if len(allowedBindMounts) == 0 {
 		return nil
 	}
 
@@ -94,23 +94,23 @@ func checkBindMountRestrictions(r *http.Request) error {
 	switch {
 	case len(pathParts) >= 4 && pathParts[2] == "containers" && pathParts[3] == "create":
 		// Container creation: /vX.xx/containers/create
-		return checkContainer(r)
+		return checkContainer(allowedBindMounts, r)
 	case len(pathParts) >= 5 && pathParts[2] == "containers" && pathParts[4] == "update":
 		// Container update: /vX.xx/containers/{id}/update
-		return checkContainer(r)
+		return checkContainer(allowedBindMounts, r)
 	case len(pathParts) >= 4 && pathParts[2] == "services" && pathParts[3] == "create":
 		// Service creation: /vX.xx/services/create
-		return checkService(r)
+		return checkService(allowedBindMounts, r)
 	case len(pathParts) >= 5 && pathParts[2] == "services" && pathParts[4] == "update":
 		// Service update: /vX.xx/services/{id}/update
-		return checkService(r)
+		return checkService(allowedBindMounts, r)
 	default:
 		return nil
 	}
 }
 
 // checkContainer checks bind mounts in container creation requests.
-func checkContainer(r *http.Request) error {
+func checkContainer(allowedBindMounts []string, r *http.Request) error {
 	body, err := readAndRestoreBody(r)
 	if err != nil {
 		return err
@@ -122,11 +122,11 @@ func checkContainer(r *http.Request) error {
 		return nil // Don't block if we can't parse.
 	}
 
-	return checkHostConfigBindMounts(req.HostConfig)
+	return checkHostConfigBindMounts(allowedBindMounts, req.HostConfig)
 }
 
 // checkService checks bind mounts in service creation requests.
-func checkService(r *http.Request) error {
+func checkService(allowedBindMounts []string, r *http.Request) error {
 	body, err := readAndRestoreBody(r)
 	if err != nil {
 		return err
@@ -141,28 +141,31 @@ func checkService(r *http.Request) error {
 	if req.TaskTemplate.ContainerSpec == nil {
 		return nil // No container spec, nothing to check.
 	}
-	return checkHostConfigBindMounts(&containerHostConfig{
-		Mounts: req.TaskTemplate.ContainerSpec.Mounts,
-	})
+	return checkHostConfigBindMounts(
+		allowedBindMounts,
+		&containerHostConfig{
+			Mounts: req.TaskTemplate.ContainerSpec.Mounts,
+		},
+	)
 }
 
 // checkHostConfigBindMounts checks bind mounts in HostConfig.
-func checkHostConfigBindMounts(hostConfig *containerHostConfig) error {
+func checkHostConfigBindMounts(allowedBindMounts []string, hostConfig *containerHostConfig) error {
 	if hostConfig == nil {
 		return nil // No HostConfig, nothing to check
 	}
 
 	// Check legacy Binds field
 	for _, bind := range hostConfig.Binds {
-		if err := validateBindMount(bind); err != nil {
+		if err := validateBindMount(allowedBindMounts, bind); err != nil {
 			return err
 		}
 	}
 
 	// Check modern Mounts field
 	for _, mountItem := range hostConfig.Mounts {
 		if mountItem.Type == mountTypeBind {
-			if err := validateBindMountSource(mountItem.Source); err != nil {
+			if err := validateBindMountSource(allowedBindMounts, mountItem.Source); err != nil {
 				return err
 			}
 		}
@@ -172,23 +175,23 @@ func checkHostConfigBindMounts(hostConfig *containerHostConfig) error {
 }
 
 // validateBindMount validates a bind mount string in the format "source:target:options".
-func validateBindMount(bind string) error {
+func validateBindMount(allowedBindMounts []string, bind string) error {
 	parts := strings.Split(bind, ":")
 	if len(parts) < 2 {
 		return fmt.Errorf("invalid bind mount format: %s", bind)
 	}
-	return validateBindMountSource(parts[0])
+	return validateBindMountSource(allowedBindMounts, parts[0])
 }
 
 // validateBindMountSource checks if the source directory is allowed.
-func validateBindMountSource(source string) error {
+func validateBindMountSource(allowedBindMounts []string, source string) error {
 	// Skip if source is not an absolute path (i.e. bind mount).
 	if !strings.HasPrefix(source, "/") {
 		return nil
 	}
 
 	source = filepath.Clean(source) // Clean the path to resolve .. and . components.
-	for _, allowedDir := range cfg.AllowBindMountFrom {
+	for _, allowedDir := range allowedBindMounts {
 		if allowedDir == "/" || source == allowedDir || strings.HasPrefix(source, allowedDir+"/") {
 			return nil
 		}

cmd/socket-proxy/bindmount_test.go

@@ -5,8 +5,6 @@ import (
 	"net/http"
 	"runtime"
 	"testing"
-
-	"github.com/wollomatic/socket-proxy/internal/config"
 )
 
 func skipIfNotUnix(t *testing.T) {
@@ -21,9 +19,7 @@ func skipIfNotUnix(t *testing.T) {
 func TestValidateBindMountSource(t *testing.T) {
 	skipIfNotUnix(t)
 
-	cfg = &config.Config{
-		AllowBindMountFrom: []string{"/home", "/var/log"},
-	}
+	allowedBindMounts := []string{"/home", "/var/log"}
 
 	tests := []struct {
 		name       string
@@ -44,7 +40,7 @@ func TestValidateBindMountSource(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateBindMountSource(tt.source)
+			err := validateBindMountSource(allowedBindMounts, tt.source)
 			if tt.shouldPass && err != nil {
 				t.Errorf("expected %s to pass, but got error: %v", tt.source, err)
 			}
@@ -83,10 +79,7 @@ func TestIsPathAllowed(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cfg = &config.Config{
-				AllowBindMountFrom: []string{tt.allowedDir},
-			}
-			err := validateBindMountSource(tt.path)
+			err := validateBindMountSource([]string{tt.allowedDir}, tt.path)
 			if (err == nil) != tt.expected {
 				t.Errorf("isPathAllowed(%s, %s) = %v, expected %v", tt.path, tt.allowedDir, err, tt.expected)
 			}
@@ -97,9 +90,7 @@ func TestIsPathAllowed(t *testing.T) {
 func TestValidateBindMount(t *testing.T) {
 	skipIfNotUnix(t)
 
-	cfg = &config.Config{
-		AllowBindMountFrom: []string{"/home", "/var/log"},
-	}
+	allowedBindMounts := []string{"/home", "/var/log"}
 
 	tests := []struct {
 		name       string
@@ -115,7 +106,7 @@ func TestValidateBindMount(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateBindMount(tt.bind)
+			err := validateBindMount(allowedBindMounts, tt.bind)
 			if tt.shouldPass && err != nil {
 				t.Errorf("expected %s to pass, but got error: %v", tt.bind, err)
 			}
@@ -129,9 +120,7 @@ func TestValidateBindMount(t *testing.T) {
 func TestCheckBindMountRestrictions(t *testing.T) {
 	skipIfNotUnix(t)
 
-	cfg = &config.Config{
-		AllowBindMountFrom: []string{"/home"},
-	}
+	allowedBindMounts := []string{"/home"}
 
 	tests := []struct {
 		name       string
@@ -212,7 +201,7 @@ func TestCheckBindMountRestrictions(t *testing.T) {
 				t.Fatalf("failed to create request: %v", err)
 			}
 
-			err = checkBindMountRestrictions(req)
+			err = checkBindMountRestrictions(allowedBindMounts, req)
 			if tt.shouldPass && err != nil {
 				t.Errorf("expected request to pass, but got error: %v", err)
 			}

cmd/socket-proxy/handlehttprequest.go

@@ -5,25 +5,21 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+
+	"github.com/wollomatic/socket-proxy/internal/config"
 )
 
 // handleHTTPRequest checks if the request is allowed and sends it to the proxy.
 // Otherwise, it returns a "405 Method Not Allowed" or a "403 Forbidden" error.
 // In case of an error, it returns a 500 Internal Server Error.
 func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
-	if cfg.ProxySocketEndpoint == "" { // do not perform this check if we proxy to a unix socket
-		allowedIP, err := isAllowedClient(r.RemoteAddr)
-		if err != nil {
-			slog.Warn("cannot get valid IP address for client allowlist check", "reason", err, "method", r.Method, "URL", r.URL, "client", r.RemoteAddr)
-		}
-		if !allowedIP {
-			communicateBlockedRequest(w, r, "forbidden IP", http.StatusForbidden)
-			return
-		}
+	allowList, ok := determineAllowList(r)
+	if !ok {
+		communicateBlockedRequest(w, r, "forbidden IP", http.StatusForbidden)
+		return
 	}
 
-	// check if the request is allowed
-	allowed, exists := cfg.AllowedRequests[r.Method]
+	allowed, exists := allowList.AllowedRequests[r.Method]
 	if !exists { // method not in map -> not allowed
 		communicateBlockedRequest(w, r, "method not allowed", http.StatusMethodNotAllowed)
 		return
@@ -34,7 +30,7 @@ func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// check bind mount restrictions
-	if err := checkBindMountRestrictions(r); err != nil {
+	if err := checkBindMountRestrictions(allowList.AllowedBindMounts, r); err != nil {
 		communicateBlockedRequest(w, r, "bind mount restriction: "+err.Error(), http.StatusForbidden)
 		return
 	}
@@ -44,14 +40,40 @@ func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
 	socketProxy.ServeHTTP(w, r) // proxy the request
 }
 
+// return the relevant allowlist
+func determineAllowList(r *http.Request) (config.AllowList, bool) {
+	if cfg.ProxySocketEndpoint == "" { // do not perform this check if we proxy to a unix socket
+		// Get the client IP address from the remote address string
+		clientIPStr, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			slog.Warn("cannot get valid IP address from request", "reason", err, "method", r.Method, "URL", r.URL, "client", r.RemoteAddr)
+			return config.AllowList{}, false
+		}
+
+		// If applicable, get the non-default allowlist corresponding to the client IP address
+		if cfg.ProxyContainerName != "" {
+			allowList, found := cfg.AllowLists.FindByIP(clientIPStr)
+			if found {
+				return allowList, true
+			}
+		}
+
+		// Check if client is allowed for the default allowlist:
+		allowedIP, err := isAllowedClient(clientIPStr)
+		if err != nil {
+			slog.Warn("cannot get valid IP address for client allowlist check", "reason", err, "method", r.Method, "URL", r.URL, "client", r.RemoteAddr)
+		}
+		if !allowedIP {
+			return config.AllowList{}, false
+		}
+	}
+
+	return cfg.AllowLists.Default, true
+}
+
 // isAllowedClient checks if the given remote address is allowed to connect to the proxy.
 // The IP address is extracted from a RemoteAddr string (the part before the colon).
-func isAllowedClient(remoteAddr string) (bool, error) {
-	// Get the client IP address from the remote address string
-	clientIPStr, _, err := net.SplitHostPort(remoteAddr)
-	if err != nil {
-		return false, err
-	}
+func isAllowedClient(clientIPStr string) (bool, error) {
 	// Parse the IP address
 	clientIP := net.ParseIP(clientIPStr)
 	if clientIP == nil {

cmd/socket-proxy/main.go

@@ -56,6 +56,11 @@ func main() {
 	}
 	slog.SetDefault(logger)
 
+	// setup non-default allowlists
+	if cfg.ProxySocketEndpoint == "" && cfg.ProxyContainerName != "" {
+		go cfg.UpdateAllowLists()
+	}
+
 	// print configuration
 	slog.Info("starting socket-proxy", "version", version, "os", runtime.GOOS, "arch", runtime.GOARCH, "runtime", runtime.Version(), "URL", programURL)
 	if cfg.ProxySocketEndpoint == "" {
@@ -71,26 +76,18 @@ func main() {
 	} else {
 		slog.Info("watchdog disabled")
 	}
-	if len(cfg.AllowBindMountFrom) > 0 {
-		slog.Info("Docker bind mount restrictions enabled", "allowbindmountfrom", cfg.AllowBindMountFrom)
+	if len(cfg.ProxyContainerName) > 0 {
+		slog.Info("Proxy container name provided", "proxycontainername", cfg.ProxyContainerName)
+		slog.Info("per-container allowlists enabled!")
 	} else {
-		// we only log this on DEBUG level because bind mount restrictions are a very special use case
-		slog.Debug("no Docker bind mount restrictions")
+		// we only log this on DEBUG level because providing the socket-proxy container name
+		// enables the use of labels to specify per-container allowlists
+		slog.Debug("no proxy container name provided")
 	}
+	cfg.AllowLists.PrintNetworks()
 
-	// print request allowlist
-	if cfg.LogJSON {
-		for method, regex := range cfg.AllowedRequests {
-			slog.Info("configured allowed request", "method", method, "regex", regex)
-		}
-	} else {
-		// don't use slog here, as we want to print the regexes as they are
-		// see https://github.com/wollomatic/socket-proxy/issues/11
-		fmt.Printf("Request allowlist:\n   %-8s %s\n", "Method", "Regex")
-		for method, regex := range cfg.AllowedRequests {
-			fmt.Printf("   %-8s %s\n", method, regex)
-		}
-	}
+	// print default request allowlist
+	cfg.AllowLists.PrintDefault(cfg.LogJSON)
 
 	// check if the socket is available
 	err = checkSocketAvailability(cfg.SocketPath)