Add protected mode.

Author: prvyk

Dockerfile

@@ -52,4 +52,4 @@ USER $APP_UID
 # For inter-container communication.
 EXPOSE 6379
 
-ENTRYPOINT ["/app/GarnetServer"]
+ENTRYPOINT ["/app/GarnetServer", "--protected-mode no"]

Dockerfile.alpine

@@ -50,4 +50,4 @@ USER $APP_UID
 # For inter-container communication.
 EXPOSE 6379
 
-ENTRYPOINT ["/app/GarnetServer"]
+ENTRYPOINT ["/app/GarnetServer", "--protected-mode no"]

Dockerfile.cbl-mariner

@@ -50,4 +50,4 @@ USER $APP_UID
 # For inter-container communication.
 EXPOSE 6379
 
-ENTRYPOINT ["/app/GarnetServer"]
+ENTRYPOINT ["/app/GarnetServer", "--protected-mode no"]

Dockerfile.chiseled

@@ -46,4 +46,4 @@ VOLUME /data
 # For inter-container communication.
 EXPOSE 6379
 
-ENTRYPOINT ["/app/GarnetServer"]
+ENTRYPOINT ["/app/GarnetServer", "--protected-mode no"]

Dockerfile.nanoserver

@@ -22,4 +22,4 @@ COPY --from=build /app .
 # For inter-container communication.
 EXPOSE 6379
 
-ENTRYPOINT ["/app/GarnetServer.exe"]
+ENTRYPOINT ["/app/GarnetServer.exe", "--protected-mode no"]

Dockerfile.ubuntu

@@ -54,4 +54,4 @@ USER $APP_UID
 # For inter-container communication.
 EXPOSE 6379
 
-ENTRYPOINT ["/app/GarnetServer"]
+ENTRYPOINT ["/app/GarnetServer", "--protected-mode no"]

libs/common/Format.cs

@@ -46,16 +46,18 @@ static EndPoint[] defaultBindLoopBack(int port)
         /// <param name="port">Endpoint Port</param>
         /// <param name="endpoints">List of endpoints generated from the input IPs</param>
         /// <param name="errorHostnameOrAddress">Output error if any</param>
+        /// <param name="protectedMode">Is protected mode enabled?</param>
         /// <param name="logger">Logger</param>
         /// <returns>True if parse and address validation was successful, otherwise false</returns>
-        public static bool TryParseAddressList(string addressList, int port, out EndPoint[] endpoints, out string errorHostnameOrAddress, ILogger logger = null)
+        public static bool TryParseAddressList(string addressList, int port, out EndPoint[] endpoints, out string errorHostnameOrAddress,
+                                               bool protectedMode = false, ILogger logger = null)
         {
             endpoints = null;
             errorHostnameOrAddress = null;
             // Check if input null or empty
             if (string.IsNullOrEmpty(addressList) || string.IsNullOrWhiteSpace(addressList))
             {
-                endpoints = defaultBindAny(port);
+                endpoints = protectedMode ? defaultBindLoopBack(port) : defaultBindAny(port);
                 return true;
             }
 

libs/host/Configuration/CommandLineTypes.cs

@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+namespace Garnet
+{
+    /// <summary>
+    /// Enum to specify boolean variable over command line.
+    /// </summary>
+    public enum CommandLineBooleanOption
+    {
+        False = 0,
+        No = 0,
+        True = 1,
+        Yes = 1
+    }
+}

libs/host/Configuration/Options.cs

@@ -533,6 +533,10 @@ internal sealed class Options
         [Option("enable-debug-command", Required = false, HelpText = "Enable DEBUG command for 'no', 'local' or 'all' connections")]
         public ConnectionProtectionOption EnableDebugCommand { get; set; }
 
+        [OptionValidation]
+        [Option("protected-mode", Required = false, HelpText = "Enable protected mode.")]
+        public CommandLineBooleanOption ProtectedMode { get; set; }
+
         [DirectoryPathsValidation(true, false)]
         [Option("extension-bin-paths", Separator = ',', Required = false, HelpText = "List of directories on server from which custom command binaries can be loaded by admin users")]
         public IEnumerable<string> ExtensionBinPaths { get; set; }
@@ -682,7 +686,8 @@ public GarnetServerOptions GetServerOptions(ILogger logger = null)
             var checkpointDir = CheckpointDir;
             if (!useAzureStorage) checkpointDir = new DirectoryInfo(string.IsNullOrEmpty(checkpointDir) ? (string.IsNullOrEmpty(logDir) ? "." : logDir) : checkpointDir).FullName;
 
-            if (!Format.TryParseAddressList(Address, Port, out var endpoints, out _) || endpoints.Length == 0)
+            if (!Format.TryParseAddressList(Address, Port, out var endpoints, out _, ProtectedMode == CommandLineBooleanOption.True)
+              || endpoints.Length == 0)
                 throw new GarnetException($"Invalid endpoint format {Address} {Port}.");
 
             EndPoint[] clusterAnnounceEndpoint = null;

libs/host/Configuration/Redis/RedisOptions.cs

@@ -27,6 +27,9 @@ internal class RedisOptions
         [RedisOption("bind", nameof(Options.Address), BindWarning)]
         public Option<string> Bind { get; set; }
 
+        [RedisOption("protected-mode", nameof(Options.ProtectedMode))]
+        public Option<CommandLineBooleanOption> ProtectedMode { get; set; }
+
         [RedisOption("enable-debug-command", nameof(Options.EnableDebugCommand))]
         public Option<RedisConnectionProtectionOption> EnableDebugCommand { get; set; }