openziti · r-caamano · Jul 10, 2023 · Jul 7, 2023
@@ -82,6 +82,7 @@ XX(Id, string, none, Id, __VA_ARGS__) \
 XX(Name, string, none, Name, __VA_ARGS__) \
 XX(Protocols, string, array, Protocols, __VA_ARGS__) \
 XX(Addresses, tunnel_address, array, Addresses, __VA_ARGS__) \
+XX(AllowedSourceAddresses, tunnel_address, array, AllowedSourceAddresses, __VA_ARGS__) \
 XX(Ports, tunnel_port_range, array, Ports, __VA_ARGS__)  \
 XX(OwnsIntercept, bool, none, OwnsIntercept, __VA_ARGS__) \
 XX(PostureChecks, tunnel_posture_check, array, PostureChecks, __VA_ARGS__) \

@@ -28,6 +28,7 @@
 
 model_map tnl_identity_map = {0};
 static const char* CFG_INTERCEPT_V1 = "intercept.v1";
+static const char* CFG_HOST_V1 = "host.v1";
 static const char* CFG_ZITI_TUNNELER_CLIENT_V1 = "ziti-tunneler-client.v1";
 static tunnel_status tnl_status = {0};
 
@@ -286,6 +287,44 @@ tunnel_port_range *getTunnelPortRange(ziti_port_range *zpr){
     return tpr;
 }
 
+static void setTunnelAllowedSourceAddress(tunnel_service *tnl_svc, ziti_service *service) {
+    const char* cfg_json = ziti_service_get_raw_config(service, CFG_HOST_V1);
+    tunnel_address_array allowed_src_addr_arr = NULL;
+    if (cfg_json != NULL && strlen(cfg_json) > 0) {
+        ZITI_LOG(TRACE, "host.v1: %s", cfg_json);
+        ziti_host_cfg_v1 cfg_v1 = {0};
+        parse_ziti_host_cfg_v1(&cfg_v1, cfg_json, strlen(cfg_json));
+        size_t n = 0;
+        int j = 0;
+        ziti_address_array allowed_src_addrs = cfg_v1.allowed_source_addresses;
+        for (int x = 0; allowed_src_addrs != NULL && allowed_src_addrs[x] != NULL; x++) {
+            if (allowed_src_addrs[x]->type == ziti_address_cidr) {
+                n++;
+            }
+        }
+        allowed_src_addr_arr = calloc(n + 1, sizeof(tunnel_address *));
+        for (int i = 0; allowed_src_addrs != NULL && allowed_src_addrs[i] != NULL; i++) {
+            if (allowed_src_addrs[i]->type != ziti_address_cidr) {
+                    if (allowed_src_addrs[i]->type == ziti_address_hostname) {
+                        ZITI_LOG(ERROR, "hosted_service[%s] cannot use hostname '%s' as `allowed_source_address`",
+                                 tnl_svc->Name, allowed_src_addrs[i]->addr.hostname);
+                    } else {
+                        ZITI_LOG(ERROR, "unknown ziti_address type %d", allowed_src_addrs[i]->type);
+                    }
+                    continue;
+            }
+            else{
+                allowed_src_addr_arr[j] = to_address(allowed_src_addrs[i]);
+                j++;
+            }
+        }
+        free_ziti_host_cfg_v1(&cfg_v1);
+        if (allowed_src_addr_arr != NULL) {
+            tnl_svc->AllowedSourceAddresses = allowed_src_addr_arr;
+        }
+    }
+}
+
 static void setTunnelServiceAddress(tunnel_service *tnl_svc, ziti_service *service) {
     const char* cfg_json = ziti_service_get_raw_config(service, CFG_INTERCEPT_V1);
     tunnel_address_array tnl_addr_arr = NULL;
@@ -295,7 +334,6 @@ static void setTunnelServiceAddress(tunnel_service *tnl_svc, ziti_service *servi
         ZITI_LOG(TRACE, "intercept.v1: %s", cfg_json);
         ziti_intercept_cfg_v1 cfg_v1 = {0};
         parse_ziti_intercept_cfg_v1(&cfg_v1, cfg_json, strlen(cfg_json));
-
         // set address
         size_t n = model_list_size(&cfg_v1.addresses);
         tnl_addr_arr = calloc(n+1, sizeof(tunnel_address *));
@@ -381,6 +419,9 @@ tunnel_service *get_tunnel_service(tunnel_identity* id, ziti_service* zs) {
     svc->Permissions.Dial = ziti_service_has_permission(zs, ziti_session_type_Dial);
     setTunnelPostureDataTimeout(svc, zs);
     setTunnelServiceAddress(svc, zs);
+    if(svc->Permissions.Bind){
+        setTunnelAllowedSourceAddress(svc, zs);
+    }
     return svc;
 }