
OBE-8859: ip whitelist source only (PART 1)#79

Open
yoonlee-s1 wants to merge 12 commits into master from OBE-8859-1-IP-whitelist-source-only

Conversation

@yoonlee-s1

Left out the Windows event forwarder for now; it may need a change in dataplane_private.

Sources implemented so far: tcp, splunk HEC, firehose, prometheus remote write, HTTP server (push), udp, datadog agent, OpenTelemetry

@yoonlee-s1
Author

yoonlee-s1 commented Apr 9, 2026

./target/debug/vector --config test.toml

test.toml:

[sources.my_udp]
type = "socket"
mode = "udp"
address = "0.0.0.0:9000"
permit_origin = ["127.0.0.1/32", "127.0.0.22/32"]

[sinks.console]
type = "console"
inputs = ["my_udp"]
encoding.codec = "text"

echo "hello from udp" | nc -u 127.0.0.1 9000

Also tried permit_origin = ["127.0.0.1/32"] (message received) and ["127.0.0.22/32"] (no messages received).

@yoonlee-s1
Author

Comprehensive test.
test.toml:

# ---- Socket: UDP ----
[sources.test_udp]
type = "socket"
mode = "udp"
address = "0.0.0.0:9000"
permit_origin = ["127.0.0.1/32"]

# ---- Socket: TCP ----
[sources.test_tcp]
type = "socket"
mode = "tcp"
address = "0.0.0.0:9001"
permit_origin = ["127.0.0.1/32"]

# ---- HTTP Server ----
[sources.test_http]
type = "http_server"
address = "0.0.0.0:9002"
permit_origin = ["127.0.0.1/32"]

# ---- Prometheus Remote Write ----
[sources.test_prom_rw]
type = "prometheus_remote_write"
address = "0.0.0.0:9003"
permit_origin = ["127.0.0.1/32"]

# ---- Prometheus Pushgateway ----
[sources.test_prom_pg]
type = "prometheus_pushgateway"
address = "0.0.0.0:9004"
permit_origin = ["127.0.0.1/32"]

# ---- Splunk HEC ----
[sources.test_splunk]
type = "splunk_hec"
address = "0.0.0.0:9005"
token = "test-token"
permit_origin = ["127.0.0.1/32"]

# ---- AWS Kinesis Firehose ----
[sources.test_firehose]
type = "aws_kinesis_firehose"
address = "0.0.0.0:9006"
store_access_key = false
permit_origin = ["127.0.0.1/32"]

# ---- Datadog Agent ----
[sources.test_datadog]
type = "datadog_agent"
address = "0.0.0.0:9007"
permit_origin = ["127.0.0.1/32"]

# ---- OpenTelemetry ----
[sources.test_otel]
type = "opentelemetry"
permit_origin = ["127.0.0.1/32"]

[sources.test_otel.grpc]
address = "0.0.0.0:9008"

[sources.test_otel.http]
address = "0.0.0.0:9009"

# ---- Heroku Logs ----
[sources.test_heroku]
type = "heroku_logs"
address = "0.0.0.0:9010"
permit_origin = ["127.0.0.1/32"]

# ---- Sink: all to console ----
[sinks.console]
type = "console"
inputs = ["test_*"]
encoding.codec = "json"

@yoonlee-s1
Author

Send requests from another terminal.

gRPC is skipped in the script; it needs brew install grpcurl:

grpcurl -plaintext -d '{"resource_logs":[{"scope_logs":[{"log_records":[{"body":{"string_value":"hello otel"}}]}]}]}' 127.0.0.1:9008 opentelemetry.proto.collector.logs.v1.LogsService/Export

test_requests.sh

#!/bin/bash
# Test commands for each source with permit_origin
# Run vector first: ./target/debug/vector --config test.toml

echo "=== UDP (port 9000) ==="
echo "hello udp" | nc -u -w1 127.0.0.1 9000

echo "=== TCP (port 9001) ==="
echo "hello tcp" | nc -w1 127.0.0.1 9001

echo "=== HTTP Server (port 9002) ==="
curl -s -X POST http://127.0.0.1:9002 -d "hello http"

echo "=== Prometheus Remote Write (port 9003) - connectivity test ==="
curl -s -X POST http://127.0.0.1:9003/api/v1/write -d "test"
echo " (any response = connection accepted, timeout = blocked)"

echo "=== Prometheus Pushgateway (port 9004) ==="
curl -s -X POST http://127.0.0.1:9004/metrics/job/test \
  -H "Content-Type: text/plain" \
  -d 'test_metric{label="value"} 42'

echo "=== Splunk HEC (port 9005) ==="
curl -s -X POST http://127.0.0.1:9005/services/collector \
  -H "Authorization: Splunk test-token" \
  -d '{"event":"hello splunk"}'

echo "=== AWS Kinesis Firehose (port 9006) ==="
curl -s -X POST http://127.0.0.1:9006 \
  -H "Content-Type: application/json" \
  -H "X-Amz-Firehose-Request-Id: test-123" \
  -H "X-Amz-Firehose-Protocol-Version: 1.0" \
  -H "X-Amz-Firehose-Source-Arn: arn:aws:firehose:us-east-1:123456789:deliverystream/test" \
  -d '{"requestId":"test-123","timestamp":1234567890,"records":[{"data":"aGVsbG8gZmlyZWhvc2U="}]}'

echo "=== Datadog Agent (port 9007) ==="
curl -s -X POST http://127.0.0.1:9007/api/v2/logs \
  -H "Content-Type: application/json" \
  -H "dd-api-key: test-key" \
  -d '[{"message":"hello datadog","status":"info"}]'

echo "=== OpenTelemetry HTTP (port 9009) - connectivity test ==="
curl -s -X POST http://127.0.0.1:9009/v1/logs -d "test"
echo " (any response = connection accepted, timeout = blocked)"

echo "=== Heroku Logs (port 9010) ==="
curl -s -X POST http://127.0.0.1:9010/events \
  -H "Content-Type: text/plain" \
  -d "hello heroku"

@yoonlee-s1 yoonlee-s1 force-pushed the OBE-8859-1-IP-whitelist-source-only branch from d43a89d to 470e464 Compare April 10, 2026 20:22
Comment thread src/sources/socket/mod.rs
let address = next_addr();

let mut config = UdpConfig::from_address(address.into());
config.permit_origin = make_allowlist(&["127.0.0.1/32"]);
Contributor


Maybe make one of these just the address (kill the /32 suffix), just for completeness. Not everywhere; one positive test and one negative test suffice.

}

#[tokio::test]
async fn permit_origin_allows_matching_ip() {
Contributor


Often it is possible to avoid so much duplication. One way I can think of is to create a helper that accepts a permit-origin fragment (or, in the case of TOML config-parsing tests, accepts the entire TOML string) and returns the receive channel. Then the test can simply recv the message or assert a timeout.

.send()
.await;

assert!(response.is_ok(), "expected connection to be accepted for allowed IP");
Contributor


Assert that the message was received (don't ignore _recv).

}

#[tokio::test]
async fn permit_origin_allows_matching_ip() {
Contributor


Try to dedup here and in the other tests (should be a pretty quick thing with a coding assistant).

Comment thread src/sources/socket/udp.rs

if let Some(ref allowlist) = origin_allowlist {
if !allowlist.iter().any(|net| net.contains(&address.ip())) {
continue;
Contributor


Increment a metric (this can lead to a lot of confusion). Preferably also add a log-line.
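Added example, not code from this PR or the Vector project: a std-only Rust model of the permit_origin check shown in the UDP receive loop above. CidrNet, make_allowlist, OriginStats and is_permitted are constructed names; the block covers the bare-address case (no /32 suffix) the review asked to test, treats a malformed entry as a config error rather than "permit all", and counts and logs rejected peers instead of silently continuing.

```rust
use std::net::{IpAddr, SocketAddr};

/// One `permit_origin` entry (constructed stand-in for the PR's CIDR type, parsed by hand).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct CidrNet { addr: IpAddr, prefix: u8 }

impl CidrNet {
    /// Accepts "10.0.0.0/8", "::1/128", or a bare address treated as a /32 or /128 host route.
    pub fn parse(s: &str) -> Option<Self> {
        let (ip, pfx) = match s.split_once('/') { Some((i, p)) => (i, Some(p)), None => (s, None) };
        let addr: IpAddr = ip.parse().ok()?;
        let max = if addr.is_ipv4() { 32 } else { 128 };
        let prefix = match pfx { Some(p) => p.parse::<u8>().ok()?, None => max };
        (prefix <= max).then_some(CidrNet { addr, prefix })
    }

    /// Prefix match on the raw bits; an address-family mismatch never matches.
    pub fn contains(&self, ip: &IpAddr) -> bool {
        match (self.addr, ip) {
            (IpAddr::V4(n), IpAddr::V4(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(n) & mask) == (u32::from(*a) & mask)
            }
            (IpAddr::V6(n), IpAddr::V6(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(n) & mask) == (u128::from(*a) & mask)
            }
            _ => false,
        }
    }
}

/// Builds the allowlist from config strings; a malformed entry is an error, never "permit all".
pub fn make_allowlist(nets: &[&str]) -> Result<Vec<CidrNet>, String> {
    nets.iter()
        .map(|n| CidrNet::parse(n).ok_or_else(|| format!("invalid permit_origin entry: {n}")))
        .collect()
}
/// Counters a source would export as metrics so rejected peers are visible to operators.
#[derive(Debug, Default)]
pub struct OriginStats { pub accepted: u64, pub rejected: u64 }
/// The receive-loop check; `None` means no restriction. Rejects are counted and logged.
pub fn is_permitted(allowlist: Option<&[CidrNet]>, peer: SocketAddr, stats: &mut OriginStats) -> bool {
    let ok = allowlist.map_or(true, |nets| nets.iter().any(|net| net.contains(&peer.ip())));
    if ok { stats.accepted += 1; } else {
        stats.rejected += 1;
        eprintln!("dropped datagram from {peer}: source address not in permit_origin");
    }
    ok
}
```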

Comment on lines +1813 to +1830
address,
headers: vec![],
encoding: None,
query_parameters: vec![],
response_code: StatusCode::OK,
tls: None,
auth: None,
strict_path: true,
path_key: OptionalValuePath::from(owned_value_path!("path")),
host_key: OptionalValuePath::from(owned_value_path!("host")),
path: "/".to_owned(),
method: HttpMethod::Post,
framing: None,
decoding: None,
acknowledgements: false.into(),
log_namespace: None,
keepalive: Default::default(),
permit_origin,
Contributor


In these cases toml can make the test really short.

@yoonlee-s1 yoonlee-s1 force-pushed the OBE-8859-1-IP-whitelist-source-only branch from 518eb00 to d15e34e Compare April 16, 2026 22:24