server/dashboard/restrict_ip.go

package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"os/signal"
	"path"
	"strings"
	"syscall"

	"github.com/gin-gonic/gin"
	"gopkg.in/fsnotify.v1"
)

func (app *App) loadAndWatchIPs(ipfile string) {
	// First load of file if it exists
	app.tryReloadIPList(ipfile)

	// Register SIGHUP
	c := make(chan os.Signal, 1)
	signal.Notify(c, syscall.SIGHUP)
	go func() {
		for range c {
			log.Println("SIGHUP received, reloading ip list...")
			go app.tryReloadIPList(ipfile)
		}
	}()

	// Watch the configuration file
	if watcher, err := fsnotify.NewWatcher(); err != nil {
		log.Fatal(err)
	} else {
		if err := watcher.Add(path.Dir(ipfile)); err != nil {
			log.Fatal("Unable to watch: ", path.Dir(ipfile), ": ", err)
		}

		go func() {
			defer watcher.Close()
			for {
				select {
				case ev := <-watcher.Events:
					if path.Base(ev.Name) == path.Base(ipfile) && ev.Op&(fsnotify.Write|fsnotify.Create) != 0 {
						log.Println("IPs file changes, reloading them!")
						go app.tryReloadIPList(ipfile)
					}
				case err := <-watcher.Errors:
					log.Println("watcher error:", err)
				}
			}
		}()
	}
}

func (app *App) tryReloadIPList(ipfile string) {
	if _, err := os.Stat(ipfile); !os.IsNotExist(err) {
		if iplist, err := loadIPs(ipfile); err != nil {
			log.Println("ERROR: Unable to read ip file:", err)
		} else {
			log.Printf("Loading %d IPs to authorized list", len(iplist))
			app.ips = iplist
		}
	}
}

func loadIPs(file string) ([]string, error) {
	fd, err := os.Open(file)
	if err != nil {
		return nil, err
	}
	defer fd.Close()

	var ret []string
	jdec := json.NewDecoder(fd)

	if err := jdec.Decode(&ret); err != nil {
		return ret, err
	}

	return ret, nil
}

func (app *App) Restrict2IPs(c *gin.Context) {
	found := false
	for _, ip := range app.ips {
		if strings.HasPrefix(c.Request.RemoteAddr, ip) {
			found = true
			break
		}
	}

	if found {
		c.Next()
	} else {
		c.AbortWithError(http.StatusForbidden, fmt.Errorf("IP not authorized: %s", c.Request.RemoteAddr))
	}
}