
fix: improve WireGuard middleware to enforce policies based on client IP and Interface #110

Merged
alexlovelltroy merged 1 commit into main from bugfix/middleware-wrong-check on Jun 11, 2026

Conversation

@alexlovelltroy

Member

Description

This pull request enhances the WireGuard middleware logic and significantly expands test coverage to ensure correct policy enforcement for both proxy-based and interface-based scenarios. The main improvements include refactoring the interface-based middleware for clearer and more robust client IP and interface checks, and introducing comprehensive unit and integration tests for both middleware variants.

Middleware logic improvements:

  • Refactored WireGuardMiddlewareWithInterface to more robustly extract and validate the client IP, check for membership in the WireGuard subnet, and determine if the request arrived on the designated WireGuard interface. The logic now prioritizes headers like X-Forwarded-For, handles edge cases, and improves debug logging for policy decisions.

Test coverage and reliability:

  • Added a new test file wireguard_test.go with extensive test cases covering both WireGuardMiddlewareWithProxy and WireGuardMiddlewareWithInterface, including scenarios with header precedence, subnet boundaries, invalid inputs, and real-world bug simulations. This ensures the middleware behaves as expected in a wide range of situations.
  • Included tests to verify that the middleware panics on invalid CIDR input, improving reliability and developer feedback.
  • Added a benchmark for the interface-based middleware to monitor performance.

Checklist

  • My code follows the style guidelines of this project
  • I have added/updated comments where needed
  • I have added tests that prove my fix is effective or my feature works
  • I have run make test (or equivalent) locally and all tests pass
  • DCO Sign-off: All commits are signed off (git commit -s) with my real name and email
  • REUSE Compliance:
    • Each new/modified source file has SPDX copyright and license headers
    • Any non-commentable files include a <filename>.license sidecar
    • All referenced licenses are present in the LICENSES/ directory

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

For more info, see Contributing Guidelines.
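As an added example (not the project's own code) of the client-IP and subnet checks this PR describes, in Go: the CIDR is parsed once at construction and an invalid CIDR panics, X-Forwarded-For is taken ahead of RemoteAddr only when a trusted proxy is in front, and anything outside the WireGuard subnet gets a 403. The `trustXFF` flag and the `Status` helper are assumptions made for illustration, not names from the project.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example, not the project's middleware: admit a request only when the
// client IP lies inside the WireGuard subnet; an invalid CIDR panics at construction.
func WireGuardSubnetMiddleware(cidr string, trustXFF bool) func(http.Handler) http.Handler {
	_, subnet, err := net.ParseCIDR(cidr)
	if err != nil {
		panic("wireguard middleware: invalid CIDR " + cidr)
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if ip := ClientIP(r, trustXFF); ip == nil || !subnet.Contains(ip) {
				http.Error(w, "not on WireGuard subnet", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// ClientIP prefers X-Forwarded-For over RemoteAddr only when a trusted proxy
// sits in front (trustXFF); otherwise the client-settable header is ignored.
func ClientIP(r *http.Request, trustXFF bool) net.IP {
	if xff := r.Header.Get("X-Forwarded-For"); trustXFF && xff != "" {
		// The leftmost entry is the original client as recorded by the proxy.
		if ip := net.ParseIP(strings.TrimSpace(strings.Split(xff, ",")[0])); ip != nil {
			return ip
		}
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // RemoteAddr is host:port on a real server
	return net.ParseIP(host)                      // nil when unparsable, which the gate rejects
}

// Status runs one constructed request through the middleware and returns the HTTP status.
func Status(cidr string, trustXFF bool, remoteAddr, xff string) int {
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // recorder defaults to 200
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Forwarded-For", xff) // an empty value behaves as an absent header
	rec := httptest.NewRecorder()
	WireGuardSubnetMiddleware(cidr, trustXFF)(ok).ServeHTTP(rec, req)
	return rec.Code
}
```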

… IP and interface

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>

@travisbcotton travisbcotton left a comment

Collaborator


lgtm

@alexlovelltroy alexlovelltroy merged commit b4d6c75 into main Jun 11, 2026
5 checks passed
@synackd synackd deleted the bugfix/middleware-wrong-check branch June 11, 2026 21:22