Implement white/blacklisting for socks and ssh

Author: sheerun

cmd/gost/main.go

@@ -65,6 +65,8 @@ func main() {
 			glog.Fatal(err)
 		}
 
+		glog.Info(serverNode)
+
 		wg.Add(1)
 		go func(node gost.ProxyNode) {
 			defer wg.Done()

node.go

@@ -19,6 +19,8 @@ type ProxyNode struct {
 	Transport  string          // transport: ws/wss/tls/http2/tcp/udp/rtcp/rudp
 	Remote     string          // remote address, used by tcp/udp port forwarding
 	Users      []*url.Userinfo // authentication for proxy
+	Whitelist  *Permissions
+	Blacklist  *Permissions
 	values     url.Values
 	serverName string
 	conn       net.Conn
@@ -36,12 +38,36 @@ func ParseProxyNode(s string) (node ProxyNode, err error) {
 		return
 	}
 
+	query := u.Query()
+
 	node = ProxyNode{
 		Addr:       u.Host,
-		values:     u.Query(),
+		values:     query,
 		serverName: u.Host,
 	}
 
+	if query.Get("whitelist") != "" {
+		node.Whitelist, err = ParsePermissions(query.Get("whitelist"))
+
+		if err != nil {
+			glog.Fatal(err)
+		}
+	} else {
+		// By default allow for everyting
+		node.Whitelist, _ = ParsePermissions("*:*:*")
+	}
+
+	if query.Get("blacklist") != "" {
+		node.Blacklist, err = ParsePermissions(query.Get("blacklist"))
+
+		if err != nil {
+			glog.Fatal(err)
+		}
+	} else {
+		// By default block nothing
+		node.Blacklist, _ = ParsePermissions("")
+	}
+
 	if u.User != nil {
 		node.Users = append(node.Users, u.User)
 	}
@@ -126,6 +152,24 @@ func (node *ProxyNode) Get(key string) string {
 	return node.values.Get(key)
 }
 
+func (node *ProxyNode) Can(action string, addr string) bool {
+	host, strport, err := net.SplitHostPort(addr)
+
+	if err != nil {
+		return false
+	}
+
+	port, err := strconv.Atoi(strport)
+
+	if err != nil {
+		return false
+	}
+
+	glog.V(LDEBUG).Infof("Can action: %s, host: %s, port %d", action, host, port)
+
+	return node.Whitelist.Can(action, host, port) && !node.Blacklist.Can(action, host, port)
+}
+
 func (node *ProxyNode) getBool(key string) bool {
 	s := node.Get(key)
 	if b, _ := strconv.ParseBool(s); b {
@@ -162,5 +206,5 @@ func (node *ProxyNode) keyFile() string {
 }
 
 func (node ProxyNode) String() string {
-	return fmt.Sprintf("transport: %s, protocol: %s, addr: %s", node.Transport, node.Protocol, node.Addr)
+	return fmt.Sprintf("transport: %s, protocol: %s, addr: %s, whitelist: %v, blacklist: %v", node.Transport, node.Protocol, node.Addr, node.Whitelist, node.Blacklist)
 }

node_test.go

@@ -0,0 +1,43 @@
+package gost
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNodeDefaultWhitelist(t *testing.T) {
+	assert := assert.New(t)
+
+	node, _ := ParseProxyNode("http2://localhost:8000")
+
+	assert.True(node.Can("connect", "google.pl:80"))
+	assert.True(node.Can("connect", "google.pl:443"))
+	assert.True(node.Can("connect", "google.pl:22"))
+	assert.True(node.Can("bind", "google.pl:80"))
+	assert.True(node.Can("bind", "google.com:80"))
+}
+
+func TestNodeWhitelist(t *testing.T) {
+	assert := assert.New(t)
+
+	node, _ := ParseProxyNode("http2://localhost:8000?whitelist=connect:google.pl:80,443")
+
+	assert.True(node.Can("connect", "google.pl:80"))
+	assert.True(node.Can("connect", "google.pl:443"))
+	assert.False(node.Can("connect", "google.pl:22"))
+	assert.False(node.Can("bind", "google.pl:80"))
+	assert.False(node.Can("bind", "google.com:80"))
+}
+
+func TestNodeBlacklist(t *testing.T) {
+	assert := assert.New(t)
+
+	node, _ := ParseProxyNode("http2://localhost:8000?blacklist=connect:google.pl:80,443")
+
+	assert.False(node.Can("connect", "google.pl:80"))
+	assert.False(node.Can("connect", "google.pl:443"))
+	assert.True(node.Can("connect", "google.pl:22"))
+	assert.True(node.Can("bind", "google.pl:80"))
+	assert.True(node.Can("bind", "google.com:80"))
+}

permissions.go

@@ -0,0 +1,185 @@
+package gost
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	glob "github.com/ryanuber/go-glob"
+)
+
+type PortRange struct {
+	Min, Max int
+}
+
+type PortSet []PortRange
+
+type StringSet []string
+
+type Permission struct {
+	Actions StringSet
+	Hosts   StringSet
+	Ports   PortSet
+}
+
+type Permissions []Permission
+
+func minint(x, y int) int {
+	if x < y {
+		return x
+	}
+	return y
+}
+
+func maxint(x, y int) int {
+	if x > y {
+		return x
+	}
+	return y
+}
+
+func (ir *PortRange) Contains(value int) bool {
+	return value >= ir.Min && value <= ir.Max
+}
+
+func ParsePortRange(s string) (*PortRange, error) {
+	if s == "*" {
+		return &PortRange{Min: 0, Max: 65535}, nil
+	}
+
+	minmax := strings.Split(s, "-")
+	switch len(minmax) {
+	case 1:
+		port, err := strconv.Atoi(s)
+		if err != nil {
+			return nil, err
+		}
+		if port < 0 || port > 65535 {
+			return nil, fmt.Errorf("invalid port: %s", s)
+		}
+		return &PortRange{Min: port, Max: port}, nil
+	case 2:
+		min, err := strconv.Atoi(minmax[0])
+		if err != nil {
+			return nil, err
+		}
+		max, err := strconv.Atoi(minmax[1])
+		if err != nil {
+			return nil, err
+		}
+
+		realmin := maxint(0, minint(min, max))
+		realmax := minint(65535, maxint(min, max))
+
+		return &PortRange{Min: realmin, Max: realmax}, nil
+	default:
+		return nil, fmt.Errorf("invalid range: %s", s)
+	}
+}
+
+func (ps *PortSet) Contains(value int) bool {
+	for _, portRange := range *ps {
+		if portRange.Contains(value) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func ParsePortSet(s string) (*PortSet, error) {
+	ps := &PortSet{}
+
+	if s == "" {
+		return nil, errors.New("must specify at least one port")
+	}
+
+	ranges := strings.Split(s, ",")
+
+	for _, r := range ranges {
+		portRange, err := ParsePortRange(r)
+
+		if err != nil {
+			return nil, err
+		}
+
+		*ps = append(*ps, *portRange)
+	}
+
+	return ps, nil
+}
+
+func (ss *StringSet) Contains(subj string) bool {
+	for _, s := range *ss {
+		if glob.Glob(s, subj) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func ParseStringSet(s string) (*StringSet, error) {
+	ss := &StringSet{}
+	if s == "" {
+		return nil, errors.New("cannot be empty")
+	}
+
+	*ss = strings.Split(s, ",")
+
+	return ss, nil
+}
+
+func (ps *Permissions) Can(action string, host string, port int) bool {
+	for _, p := range *ps {
+		if p.Actions.Contains(action) && p.Hosts.Contains(host) && p.Ports.Contains(port) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func ParsePermissions(s string) (*Permissions, error) {
+	ps := &Permissions{}
+
+	if s == "" {
+		return &Permissions{}, nil
+	}
+
+	perms := strings.Split(s, "+")
+
+	for _, perm := range perms {
+		parts := strings.Split(perm, ":")
+
+		switch len(parts) {
+		case 3:
+			actions, err := ParseStringSet(parts[0])
+
+			if err != nil {
+				return nil, fmt.Errorf("action list must look like connect,bind given: %s", parts[0])
+			}
+
+			hosts, err := ParseStringSet(parts[1])
+
+			if err != nil {
+				return nil, fmt.Errorf("hosts list must look like google.pl,*.google.com given: %s", parts[1])
+			}
+
+			ports, err := ParsePortSet(parts[2])
+
+			if err != nil {
+				return nil, fmt.Errorf("ports list must look like 80,8000-9000, given: %s", parts[2])
+			}
+
+			permission := Permission{Actions: *actions, Hosts: *hosts, Ports: *ports}
+
+			*ps = append(*ps, permission)
+		default:
+			return nil, fmt.Errorf("permission must have format [actions]:[hosts]:[ports] given: %s", perm)
+		}
+	}
+
+	return ps, nil
+}