
etcdserver: add "HostWhitelist" to "ServerConfig"

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
Gyuho Lee 7 سال پیش
والد
کامیت
3648649277
2فایلهای تغییر یافته به همراه18 افزوده شده و 0 حذف شده
  1. 5 0
      etcdserver/config.go
  2. 13 0
      etcdserver/server.go

+ 5 - 0
etcdserver/config.go

@@ -47,6 +47,11 @@ type ServerConfig struct {
 	ForceNewCluster     bool
 	PeerTLSInfo         transport.TLSInfo
 
+	// HostWhitelist lists acceptable hostnames from client requests.
+	// If server is insecure (no TLS), server only accepts requests
+	// whose Host header value exists in this white list.
+	HostWhitelist map[string]struct{}
+
 	TickMs           uint
 	ElectionTicks    int
 	BootstrapTimeout time.Duration
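Review bot: The doc comment on `HostWhitelist` does not say what an empty or nil map means, yet `IsHostWhitelisted` in etcdserver/server.go accepts every host in that case. The zero value of `ServerConfig` therefore leaves Host checking off, which an operator reading only this comment would not expect. I would add `// A nil or empty map disables the check: every Host value is accepted.` and also state the expected key form, e.g. `// Keys are compared verbatim; store them lowercased and in the same host or host:port form the caller passes.` The comment also ties enforcement to the server being insecure (no TLS), but nothing in this diff checks TLS state, so that condition presumably lives at a call site not shown here and is worth naming in the comment.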

+ 13 - 0
etcdserver/server.go

@@ -251,6 +251,8 @@ type EtcdServer struct {
 
 	leadTimeMu      sync.RWMutex
 	leadElectedTime time.Time
+
+	hostWhitelist map[string]struct{}
 }
 
 // NewServer creates a new EtcdServer from the supplied configuration. The
@@ -434,6 +436,7 @@ func NewServer(cfg ServerConfig) (srv *EtcdServer, err error) {
 		peerRt:        prt,
 		reqIDGen:      idutil.NewGenerator(uint16(id), time.Now()),
 		forceVersionC: make(chan struct{}),
+		hostWhitelist: cfg.HostWhitelist,
 	}
 
 	srv.applyV2 = &applierV2store{store: srv.v2store, cluster: srv.cluster}
@@ -626,6 +629,16 @@ func (s *EtcdServer) ReportSnapshot(id uint64, status raft.SnapshotStatus) {
 	s.r.ReportSnapshot(id, status)
 }
 
+// IsHostWhitelisted returns true if the host is whitelisted.
+// If whitelist is empty, allow all.
+func (s *EtcdServer) IsHostWhitelisted(host string) bool {
+	if len(s.hostWhitelist) == 0 { // allow all
+		return true
+	}
+	_, ok := s.hostWhitelist[host]
+	return ok
+}
+
 type etcdProgress struct {
 	confState raftpb.ConfState
 	snapi     uint64
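Review bot: `IsHostWhitelisted` does an exact, case-sensitive map lookup on whatever string it is given, and nothing in this hunk normalizes `host`. A Host header may carry a port and arbitrary letter case, so matching depends entirely on the caller stripping or keeping the port and lowercasing consistently with how the keys were configured. Since the empty-list branch fails open, a mismatch that pushes operators to clear the list silently removes the protection. I would put the contract in the doc comment, e.g. `// host is compared verbatim against the configured keys; callers must lowercase it and use the same host[:port] form.` Separately, `hostWhitelist: cfg.HostWhitelist` in the NewServer hunk stores the caller's map by reference, so a caller that mutates the config map after NewServer would race with lookups here; a comment stating the map must not be modified after NewServer, or a copy, would settle that.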