security (dialFunc): adding a dialFunc to estabilishing network conne…

…ctions

internal/security/dialFunc.go

@@ -0,0 +1,65 @@
+package security
+
+import (
+ "crypto/tls"
+ "errors"
+ "net"
+ "time"
+)
+
+var errIpNotAllowed error = errors.New("ip adress is not allowed")
+
+// IsDisallowedIP checks if the provided host is a disallowed IP address.
+// It parses the given host into an IP address and returns true if the IP is multicast,
+// unspecified, a loopback address, or a private address.
+func IsDisallowedIP(host string) bool {
+ ip := net.ParseIP(host)
+
+ return ip.IsMulticast() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate()
+}
+
+// checkDisallowedIP checks if the IP address of the incoming connection is disallowed.
+func checkDisallowedIP(conn net.Conn) error {
+ ip, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
+
+ if IsDisallowedIP(ip) {
+ conn.Close()
+ return errIpNotAllowed
+ }
+
+ return nil
+}
+
+// dialFunc establishes a network connection to a specified address with optional TLS configuration and timeout.
+// It first checks if a TLS configuration is provided, if so, it dials with TLS using the provided TLS configuration.
+// If not, it dials without TLS. After establishing the connection, it checks if the remote IP is disallowed.
+// Returns the connection and any error encountered during the process.
+func dialFunc(network string, addr string, timeout time.Duration, tlsConfig *tls.Config) (net.Conn, error) {
+ dialer := &net.Dialer{
+ Timeout: timeout,
+ }
+
+ if tlsConfig != nil {
+ conn, err := tls.DialWithDialer(dialer, network, addr, tlsConfig)
+ if err != nil {
+ return nil, err
+ }
+
+ if err := checkDisallowedIP(conn); err != nil {
+ return nil, err
+ }
+
+ return conn, err
+ }
+
+ conn, err := dialer.Dial(network, addr)
+ if err != nil {
+ return nil, err
+ }
+
+ if err := checkDisallowedIP(conn); err != nil {
+ return nil, err
+ }
+
+ return conn, err
+}