feat: support ip exceptions

Author: aeneasr

driver/config/config.go

@@ -173,6 +173,7 @@ const (
 	ViperKeyWebAuthnRPIcon                                   = "selfservice.methods.webauthn.config.rp.issuer"
 	ViperKeyWebAuthnPasswordless                             = "selfservice.methods.webauthn.config.passwordless"
 	ViperKeyClientHTTPNoPrivateIPRanges                      = "clients.http.disallow_private_ip_ranges"
+	ViperKeyClientHTTPPrivateIPExceptionURLs                 = "clients.http.private_ip_exception_urls"
 	ViperKeyVersion                                          = "version"
 )
 
@@ -602,6 +603,10 @@ func (p *Config) ClientHTTPNoPrivateIPRanges(ctx context.Context) bool {
 	return p.GetProvider(ctx).Bool(ViperKeyClientHTTPNoPrivateIPRanges)
 }
 
+func (p *Config) ClientHTTPPrivateIPExceptionURLs(ctx context.Context) []string {
+	return p.GetProvider(ctx).Strings(ViperKeyClientHTTPPrivateIPExceptionURLs)
+}
+
 func (p *Config) SelfServiceFlowRegistrationEnabled(ctx context.Context) bool {
 	return p.GetProvider(ctx).Bool(ViperKeySelfServiceRegistrationEnabled)
 }

driver/config/config_test.go

@@ -57,8 +57,13 @@ func TestViperProvider(t *testing.T) {
 
 		t.Run("group=client config", func(t *testing.T) {
 			assert.False(t, p.ClientHTTPNoPrivateIPRanges(ctx), "Should not have private IP ranges disabled per default")
+			assert.Equal(t, []string{}, p.ClientHTTPPrivateIPExceptionURLs(ctx), "Should return the correct exceptions")
+
 			p.MustSet(ctx, config.ViperKeyClientHTTPNoPrivateIPRanges, true)
 			assert.True(t, p.ClientHTTPNoPrivateIPRanges(ctx), "Should disallow private IP ranges if set")
+
+			p.MustSet(ctx, config.ViperKeyClientHTTPPrivateIPExceptionURLs, []string{"https://foobar.com/baz"})
+			assert.Equal(t, []string{"https://foobar.com/baz"}, p.ClientHTTPPrivateIPExceptionURLs(ctx), "Should return the correct exceptions")
 		})
 
 		t.Run("group=urls", func(t *testing.T) {

driver/registry_default.go

@@ -718,7 +718,12 @@ func (m *RegistryDefault) HTTPClient(ctx context.Context, opts ...httpx.Resilien
 
 	// One of the few exceptions, this usually should not be hot reloaded.
 	if m.Config().ClientHTTPNoPrivateIPRanges(contextx.RootContext) {
-		opts = append(opts, httpx.ResilientClientDisallowInternalIPs())
+		opts = append(
+			opts,
+			httpx.ResilientClientDisallowInternalIPs(),
+			// One of the few exceptions, this usually should not be hot reloaded.
+			httpx.ResilientClientAllowInternalIPRequestsTo(m.Config().ClientHTTPPrivateIPExceptionURLs(contextx.RootContext)...),
+		)
 	}
 	return httpx.NewResilientClient(opts...)
 }

selfservice/hook/web_hook_integration_test.go

@@ -726,6 +726,7 @@ func TestDisallowPrivateIPRanges(t *testing.T) {
 	ctx := context.Background()
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	conf.MustSet(ctx, config.ViperKeyClientHTTPNoPrivateIPRanges, true)
+	conf.MustSet(ctx, config.ViperKeyClientHTTPPrivateIPExceptionURLs, []string{"http://localhost/exception"})
 	logger := logrusx.New("kratos", "test")
 	whDeps := x.SimpleLoggerWithClient{L: logger, C: reg.HTTPClient(context.Background()), T: otelx.NewNoop(logger, conf.Tracing(ctx))}
 
@@ -748,8 +749,19 @@ func TestDisallowPrivateIPRanges(t *testing.T) {
 		err := wh.ExecuteLoginPostHook(nil, req, node.DefaultGroup, f, s)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "ip 127.0.0.1 is in the 127.0.0.0/8 range")
+	})
 
+	t.Run("allowed to call exempt url", func(t *testing.T) {
+		wh := hook.NewWebHook(&whDeps, json.RawMessage(`{
+  "url": "http://localhost/exception",
+  "method": "GET",
+  "body": "file://stub/test_body.jsonnet"
+}`))
+		err := wh.ExecuteLoginPostHook(nil, req, node.DefaultGroup, f, s)
+		require.Error(t, err, "the target does not exist and we still receive an error")
+		require.NotContains(t, err.Error(), "ip 127.0.0.1 is in the 127.0.0.0/8 range", "but the error is not related to the IP range.")
 	})
+
 	t.Run("not allowed to load from source", func(t *testing.T) {
 		req := &http.Request{
 			Header: map[string][]string{"Some-Header": {"Some-Value"}},