add network whitelist for public relay node

2025-12-16 14:47:25 +08:00 · 2024-08-03 15:12:54 +08:00
parent 02b5b5f3c7
commit 0da09ec605
7 changed files with 75 additions and 3 deletions
--- a/easytier/src/peers/foreign_network_manager.rs
+++ b/easytier/src/peers/foreign_network_manager.rs
@@ -399,6 +399,37 @@ mod tests {
        assert_eq!(2, rpc_resp.foreign_networks["net1"].peers.len());
    }

+    async fn foreign_network_whitelist_helper(name: String) {
+        let pm_center = create_mock_peer_manager_with_mock_stun(crate::rpc::NatType::Unknown).await;
+        tracing::debug!("pm_center: {:?}", pm_center.my_peer_id());
+        let mut flag = pm_center.get_global_ctx().get_flags();
+        flag.foreign_network_whitelist = vec!["net1".to_string(), "net2*".to_string()].join(" ");
+        pm_center.get_global_ctx().config.set_flags(flag);
+
+        let pma_net1 = create_mock_peer_manager_for_foreign_network(name.as_str()).await;
+
+        let (a_ring, b_ring) = crate::tunnel::ring::create_ring_tunnel_pair();
+        let b_mgr_copy = pm_center.clone();
+        let s_ret = tokio::spawn(async move { b_mgr_copy.add_tunnel_as_server(b_ring).await });
+
+        pma_net1.add_client_tunnel(a_ring).await.unwrap();
+
+        s_ret.await.unwrap().unwrap();
+    }
+
+    #[tokio::test]
+    async fn foreign_network_whitelist() {
+        foreign_network_whitelist_helper("net1".to_string()).await;
+        foreign_network_whitelist_helper("net2".to_string()).await;
+        foreign_network_whitelist_helper("net2abc".to_string()).await;
+    }
+
+    #[tokio::test]
+    #[should_panic]
+    async fn foreign_network_whitelist_fail() {
+        foreign_network_whitelist_helper("net3".to_string()).await;
+    }
+
    #[tokio::test]
    async fn test_foreign_network_manager() {
        let pm_center = create_mock_peer_manager_with_mock_stun(crate::rpc::NatType::Unknown).await;
--- a/easytier/src/peers/peer_manager.rs
+++ b/easytier/src/peers/peer_manager.rs
@@ -309,6 +309,21 @@ impl PeerManager {
        self.add_client_tunnel(t).await
    }

+    fn check_network_in_whitelist(&self, network_name: &str) -> Result<(), Error> {
+        if self
+            .global_ctx
+            .get_flags()
+            .foreign_network_whitelist
+            .split(" ")
+            .map(wildmatch::WildMatch::new)
+            .any(|wl| wl.matches(network_name))
+        {
+            Ok(())
+        } else {
+            Err(anyhow::anyhow!("network {} not in whitelist", network_name).into())
+        }
+    }
+
    #[tracing::instrument]
    pub async fn add_tunnel_as_server(&self, tunnel: Box<dyn Tunnel>) -> Result<(), Error> {
        tracing::info!("add tunnel as server start");
@@ -319,6 +334,7 @@ impl PeerManager {
        {
            self.add_new_peer_conn(peer).await?;
        } else {
+            self.check_network_in_whitelist(&peer.get_network_identity().network_name)?;
            self.foreign_network_manager.add_peer_conn(peer).await?;
        }
        tracing::info!("add tunnel as server done");