#2165 Global configuration SecurityOptions
#2170
Conversation
raman-m
added
Security Options
raman-m
changed the title
SecurityOptions to global configuration
There was a problem hiding this comment.
Absence of Acceptance Tests❗
What I realized, currently, there are no Security acceptance tests in place, which is undoubtedly a significant concern.
Please develop acceptance tests:
- Create "Security" folder in Ocelot.AcceptanceTests project
- Add
IpSecurityTestsclass inheriting fromSteps - Develop basic config tests
Fabman08
force-pushed
the
fix/ipBlockAllowGlobalCnf
branch
from
8b0c83b to
60fa237
Compare
|
Dear Fabrizio, |
@raman-m sorry for the mail bombing, but switching to develop and running all tests the result is the following
Am I missing something to run unit test correctly? |
|
Oh, you love screenshots, my dear friend... |
Regarding the execution of tests in Visual Studio locally, we have certain precise tests that are highly sensitive to CPU resource availability. These tests generally pass when run silently through the terminal. They are designed to pass 99% of the time, but occasionally they may fail. In Visual Studio, additional UI tasks may be running, and if your PC's CPU is at 90-100% capacity, these precise tests might fail. Usually, running the tests again resolves the issue. Ensure that your PC's CPU is not busy, and Visual Studio is not engaged in background compilation or other intensive tasks. If the tests fail, attempt to run them once more. |
|
My proof that we should not panic. Below are the results from my local testing in Visual Studio, which indicate that everything is functioning correctly. |
| } | ||
|
|
||
| public SecurityOptions(string allowed = null, string blocked = null) | ||
| : this() | ||
| { | ||
| if (!string.IsNullOrEmpty(allowed)) | ||
| { | ||
| IPAllowedList.Add(allowed); | ||
| IPAllowedList = IPAllowedList.Append(allowed).ToList(); |
There was a problem hiding this comment.
This is in my opinion a bit over-engineered, I would keep it simple, avoid calling this() and simply instantiate the two lists and then add the elements.
There was a problem hiding this comment.
Skipped due to raman-m answer
Gui, do you know that this feature and its internal classes can produce 1 million of strings in memory?
There was a problem hiding this comment.
@raman-m @Fabman08 I'm probably too dumb, but could you clarify? My point is, as soon as you call SecurityOptions(...): this(), the lists will be recreated... So what's the relation with the 1 million of strings in memory? My understanding of it was, that you could end up with very big lists for reach route.
There was a problem hiding this comment.
@ggnaegi The issue lies in the design of the IPSecurityPolicy, which relies on processing string objects, often referred to as a flawed design (aka Chinese design, the author is Chinese developer who developed Security feat in 2017/18). It is my firm belief that IP policy processing should be based on IpAddress objects instead of solely relying on strings.
Another concern of mine is that using the Contains method to compare strings, this is a workable solution but it requires having a list of all IP strings. However, in general, it is incorrect to compare IP strings due to the presence of the . dot character mixed with digits. The appropriate comparator for IP strings should position the segments as follows:
10.20.1.200should be converted to_10._20.__1.20010.1.10.100should be converted to_10.__1._10.100111.222.123.123should remain unchanged.
The optimal solution is to convert IP to IpAddress or even to a long value. I believe the internal state of IpAddress is based on long values.
So what's the relation with the 1 million of strings in memory?
This is a problem of the design issue mentioned above, descendant problem. The Creator class logic parses the IpAddress object and converts it into strings.
Let's consider the following test cases:
- the range
192.168.1.1-192.168.255.255: it produces 2562, a maximum of 65 536 strings in the list - the range
10.1.1.1-10.255.255.255: it generates 2563, a maximum of 16 777 216 string objects in the list, resulting in 16 million items❗ This highlights a significant problem.
However, this design issue is out of the current scope. Let the author to complete this config-feat.
There was a problem hiding this comment.
@Fabman08 Do you understand this code review issue?
Would you prefer to keep calling base constructor this() but remove producing new list .ToList()?
Or would you remove this() but wanna keep .ToList()? 😃
P.S. To be fair, I don't understand why did you propose this change? The old code seems pretty optimized and it's valid which was based on this()...
Wanted to fix Visual Studio warning with .Add to upgrade to .Append, right? 🥲
There was a problem hiding this comment.
@raman-m Yes, I understand the issue reported, and I choose to keep calling this() and remove .ToList().
Fixed in last commit
There was a problem hiding this comment.
I will add my concerns as a new TODO-task for the next refactoring round.
| @@ -18,7 +18,7 @@ public async Task<Response> Security(DownstreamRoute downstreamRoute, HttpContex | |||
|
|
|||
| if (securityOptions.IPBlockedList != null) | |||
| { | |||
| if (securityOptions.IPBlockedList.Exists(f => f == clientIp.ToString())) | |||
| if (securityOptions.IPBlockedList.Contains(clientIp.ToString())) | |||
There was a problem hiding this comment.
ClientIp could be null, it's not handled
There was a problem hiding this comment.
Fixed checking clientIp
There was a problem hiding this comment.
Why not to develop operators aka equality operator methods for IpAddress and string objects, if their classes have no already implemented ones? 😉
After operators implementation it will be possible to simply write: IPBlockedList.Contains(clientIp) because of IEquatable<T> interface.
See examples of operator implementations, current ones. The awesome possibility of operators as long as other methods is having 2 arguments of different types. But classic operators override the operation for 2 operands of the same type.
Different types of 2 operands:
Ocelot/src/Ocelot/LoadBalancer/Lease.cs
Lines 58 to 62 in 41fc9bd
The same types of 2 operands:
Ocelot/src/Ocelot/LoadBalancer/Lease.cs
Lines 55 to 56 in 41fc9bd
and
Ocelot/src/Ocelot/Requester/MessageInvokerPool.cs
Lines 119 to 120 in 41fc9bd
Cool, right?
There was a problem hiding this comment.
Maybe in a next Feature PR ? 🤣
Gui, do you know that this feature and its internal classes can produce 1 million of strings in memory? 😂 |
raman-m
added
Winter'25
This reverts commit 3e4d4a4.
…ecurityOptions constructr parameters
Fabman08
force-pushed
the
fix/ipBlockAllowGlobalCnf
branch
from
b8d2031 to
4a37e8b
Compare
|
Could we reduce the number of rebase operations that involve force pushes? A rebase is necessary when conflicts arise, but if are no conflicts, it would be better to simply merge from develop. The reason I bring this up is messages from the team during code reviews seem to be lost after rebasing. |
test/Ocelot.UnitTests/Configuration/SecurityOptionsCreatorTests.cs
Outdated
Show resolved
Hide resolved
test/Ocelot.UnitTests/Configuration/SecurityOptionsCreatorTests.cs
Outdated
Show resolved
Hide resolved
Co-authored-by: Raman Maksimchuk <dotnet044@gmail.com>
|
@Fabman08 Please stop any development! Don't push anything!.. I'm making final review... |
raman-m
changed the title
SecurityOptions to global configurationSecurityOptions
raman-m
changed the title
SecurityOptionsSecurityOptions
|
@Fabman08 Thank you, Fabrizio, for this contribution! 👍 |
raman-m
added
Nov'24
Closes #2165
Proposed Changes
As the issue #2165 reports, the
SecurityOptionsare missing inGlobalConfiguration.This pull request adds the ability to configure Allowed and Blocked IPs globally: the global configuration will be applied for every route unless an existing
SecurityOptionsis present on it