EB SQS Docker IP check overhaul to correct 403 issue (use remote IP + remote addr)

README.md

@@ -400,6 +400,7 @@ queues:
 ```
 
 To queue a job, you can just use standard ActiveJob methods:
+
 ```ruby
 # To queue for immediate processing
 YourJob.perform_later(args)
@@ -508,14 +509,14 @@ require_relative 'config/environment' # load rails
 ### Elastic Beanstalk workers: processing activejobs using worker environments
 
 Another option for processing jobs without managing the worker process is hosting the application in a scalable
-[Elastic Beanstalk worker environment](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html).  
-[Configure the worker](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html#using-features-managing-env-tiers-worker-settings) 
-to read from the correct SQS queue that you want to process jobs from and set the 
+[Elastic Beanstalk worker environment](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html).
+[Configure the worker](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html#using-features-managing-env-tiers-worker-settings)
+to read from the correct SQS queue that you want to process jobs from and set the
 ```AWS_PROCESS_BEANSTALK_WORKER_REQUESTS``` environment variable to `true` in the worker environment configuration.
 Note that this will NOT start the poller.  Instead the
 [SQS Daemon](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html#worker-daemon)
-running on the worker sends messages as a POST request to `http://localhost/`. The middleware will forward each 
-request and parameters to their appropriate jobs. The middleware will only process requests from the SQS daemon 
+running on the worker sends messages as a POST request to `http://localhost/`. The middleware will forward each
+request and parameters to their appropriate jobs. The middleware will only process requests from the SQS daemon
 and will pass on others and so will not interfere with other routes in your application.
 
 To add the middleware on application startup, set the ```AWS_PROCESS_BEANSTALK_WORKER_REQUESTS``` environment variable to true

lib/aws/rails/middleware/elastic_beanstalk_sqsd.rb

@@ -5,45 +5,43 @@ module Rails
     module Middleware
       # Middleware to handle requests from the SQS Daemon present on Elastic Beanstalk worker environments.
       class ElasticBeanstalkSQSD
-        INTERNAL_ERROR_MESSAGE = 'Failed to execute job - see Rails log for more details.'
-        # TODO: move these away from constants so they don't have to be frozen
-        INTERNAL_ERROR_RESPONSE = [500, { 'Content-Type' => 'text/plain' }, [INTERNAL_ERROR_MESSAGE]].freeze
-        FORBIDDEN_MESSAGE = 'Request with aws-sqsd user agent was made from untrusted address.'
-        FORBIDDEN_RESPONSE = [403, { 'Content-Type' => 'text/plain' }, [FORBIDDEN_MESSAGE]].freeze
-
         def initialize(app)
           @app = app
           @logger = ::Rails.logger
         end
 
         def call(env)
           request = ::ActionDispatch::Request.new(env)
+
+          # Pass through unless user agent is the SQS Daemon
           return @app.call(env) unless from_sqs_daemon?(request)
 
-          @logger.debug('aws-sdk-rails middleware detected a call from the Elastic Beanstalk SQS Daemon.')
+          @logger.debug('aws-sdk-rails middleware detected call from Elastic Beanstalk SQS Daemon.')
 
           # Only accept requests from this user agent if it is from localhost or a docker host in case of forgery.
           unless request.local? || sent_from_docker_host?(request)
-            @logger.warn("SQSD request detected from untrusted address #{request.ip}; returning 403 forbidden.")
-            return FORBIDDEN_RESPONSE
+            @logger.warn('SQSD request detected from untrusted address; returning 403 forbidden.')
+            return forbidden_response
           end
 
+          # Execute job or periodic task based on HTTP request context
           periodic_task?(request) ? execute_periodic_task(request) : execute_job(request)
         end
 
         private
 
         def execute_job(request)
+          # Jobs queued from the Active Job SQS adapter contain the JSON message in the request body.
           job = Aws::Json.load(request.body.string)
           job_name = job['job_class']
           @logger.debug("Executing job: #{job_name}")
 
           begin
             ::ActiveJob::Base.execute(job)
           rescue NameError => e
-            @logger.error("Job #{job_name} could not resolve to an Active Job class.")
+            @logger.error("Job #{job_name} could not resolve to a class that inherits from Active Job.")
             @logger.error("Error: #{e}")
-            return INTERNAL_ERROR_RESPONSE
+            return internal_error_response
           end
 
           [200, { 'Content-Type' => 'text/plain' }, ["Successfully ran job #{job_name}."]]
@@ -58,14 +56,24 @@ def execute_periodic_task(request)
             job = job_name.constantize.new
             job.perform_now
           rescue NameError => e
-            @logger.error("Periodic task #{job_name} could not resolve to an Active Job class.")
+            @logger.error("Periodic task #{job_name} could not resolve to an Active Job class - check the spelling in cron.yaml.")
             @logger.error("Error: #{e}.")
-            return INTERNAL_ERROR_RESPONSE
+            return internal_error_response
           end
 
           [200, { 'Content-Type' => 'text/plain' }, ["Successfully ran periodic task #{job_name}."]]
         end
 
+        def internal_error_response
+          message = 'Failed to execute job - see Rails log for more details.'
+          [500, { 'Content-Type' => 'text/plain' }, [message]]
+        end
+
+        def forbidden_response
+          message = 'Request with aws-sqsd user agent was made from untrusted address.'
+          [403, { 'Content-Type' => 'text/plain' }, [message]]
+        end
+
         # The beanstalk worker SQS Daemon sets a specific User-Agent headers that begins with 'aws-sqsd'.
         def from_sqs_daemon?(request)
           current_user_agent = request.headers['User-Agent']
@@ -79,7 +87,7 @@ def periodic_task?(request)
         end
 
         def sent_from_docker_host?(request)
-          app_runs_in_docker_container? && default_gw_ips.include?(request.ip)
+          app_runs_in_docker_container? && ip_originates_from_docker_host?(request)
         end
 
         def app_runs_in_docker_container?
@@ -94,14 +102,22 @@ def in_docker_container_with_cgroup2?
           File.exist?('/proc/self/mountinfo') && File.read('/proc/self/mountinfo') =~ %r{/docker/containers/}
         end
 
-        def default_gw_ips
+        def ip_originates_from_docker_host?(request)
+          default_docker_ips.include?(request.remote_ip) ||
+            default_docker_ips.include?(request.remote_addr)
+        end
+
+        def default_docker_ips
+          @default_docker_ips ||= build_default_docker_ips
+        end
+
+        def build_default_docker_ips
           default_gw_ips = ['172.17.0.1']
 
           if File.exist?('/proc/net/route')
             File.open('/proc/net/route').each_line do |line|
               fields = line.strip.split
               next if fields.size != 11
-
               # Destination == 0.0.0.0 and Flags & RTF_GATEWAY != 0
               next unless fields[1] == '00000000' && fields[3].hex.anybits?(0x2)