-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Expand file tree
/
Copy pathawscheck.go
More file actions
114 lines (98 loc) · 2.74 KB
/
awscheck.go
File metadata and controls
114 lines (98 loc) · 2.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
package cliutil
import (
"context"
"encoding/json"
"io"
"net/http"
"net/netip"
"time"
"golang.org/x/xerrors"
)
const AWSIPRangesURL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
type awsIPv4Prefix struct {
Prefix string `json:"ip_prefix"`
Region string `json:"region"`
Service string `json:"service"`
NetworkBorderGroup string `json:"network_border_group"`
}
type awsIPv6Prefix struct {
Prefix string `json:"ipv6_prefix"`
Region string `json:"region"`
Service string `json:"service"`
NetworkBorderGroup string `json:"network_border_group"`
}
type AWSIPRanges struct {
V4 []netip.Prefix
V6 []netip.Prefix
}
type awsIPRangesResponse struct {
SyncToken string `json:"syncToken"`
CreateDate string `json:"createDate"`
IPV4Prefixes []awsIPv4Prefix `json:"prefixes"`
IPV6Prefixes []awsIPv6Prefix `json:"ipv6_prefixes"`
}
func FetchAWSIPRanges(ctx context.Context, url string) (*AWSIPRanges, error) {
client := &http.Client{}
reqCtx, reqCancel := context.WithTimeout(ctx, 5*time.Second)
defer reqCancel()
req, _ := http.NewRequestWithContext(reqCtx, http.MethodGet, url, nil)
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
b, _ := io.ReadAll(resp.Body)
return nil, xerrors.Errorf("unexpected status code %d: %s", resp.StatusCode, b)
}
var body awsIPRangesResponse
err = json.NewDecoder(resp.Body).Decode(&body)
if err != nil {
return nil, xerrors.Errorf("json decode: %w", err)
}
out := &AWSIPRanges{
V4: make([]netip.Prefix, 0, len(body.IPV4Prefixes)),
V6: make([]netip.Prefix, 0, len(body.IPV6Prefixes)),
}
for _, p := range body.IPV4Prefixes {
prefix, err := netip.ParsePrefix(p.Prefix)
if err != nil {
return nil, xerrors.Errorf("parse ip prefix: %w", err)
}
if prefix.Addr().Is6() {
return nil, xerrors.Errorf("ipv4 prefix contains ipv6 address: %s", p.Prefix)
}
out.V4 = append(out.V4, prefix)
}
for _, p := range body.IPV6Prefixes {
prefix, err := netip.ParsePrefix(p.Prefix)
if err != nil {
return nil, xerrors.Errorf("parse ip prefix: %w", err)
}
if prefix.Addr().Is4() {
return nil, xerrors.Errorf("ipv6 prefix contains ipv4 address: %s", p.Prefix)
}
out.V6 = append(out.V6, prefix)
}
return out, nil
}
// CheckIP checks if the given IP address is an AWS IP.
func (r *AWSIPRanges) CheckIP(ip netip.Addr) bool {
if ip.IsLoopback() || ip.IsLinkLocalMulticast() || ip.IsLinkLocalUnicast() || ip.IsPrivate() {
return false
}
if ip.Is4() {
for _, p := range r.V4 {
if p.Contains(ip) {
return true
}
}
} else {
for _, p := range r.V6 {
if p.Contains(ip) {
return true
}
}
}
return false
}