* Enhancement: adding IPv6 support to RemoteAddrRoutePredicateFactory
* Using IpSubnetFilterRule from Netty as suggested
fixes gh-165
pull/195/head
jphilippeplante
7 years ago
committed by
Spencer Gibb
5 changed files with 97 additions and 382 deletions
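--- a/UNKNOWN_PREFIX/org/springframework/cloud/gateway/support/SubnetUtils.java
+++ /dev/null
@@ -1,364 +0,0 @@
-/*
-* Copyright 2013-2017 the original author or authors.
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*
-*/
-
-package org.springframework.cloud.gateway.support;
-
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
-* A class that performs some subnet calculations given a network address and a subnet mask.
-* See original from commons-net org.apache.commons.net.util.SubnetUtils
-* @see "http://www.faqs.org/rfcs/rfc1519.html"
-*/
-@SuppressWarnings("unused")
-public class SubnetUtils {
-
-private static final String IP_ADDRESS = "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})";
-private static final String SLASH_FORMAT = IP_ADDRESS + "/(\\d{1,3})";
-private static final Pattern addressPattern = Pattern.compile(IP_ADDRESS);
-private static final Pattern cidrPattern = Pattern.compile(SLASH_FORMAT);
-private static final int NBITS = 32;
-
-private int netmask = 0;
-private int address = 0;
-private int network = 0;
-private int broadcast = 0;
-
-/** Whether the broadcast/network address are included in host count */
-private boolean inclusiveHostCount = false;
-
-
-/**
-* Constructor that takes a CIDR-notation string, e.g. "192.168.0.1/16"
-* @param cidrNotation A CIDR-notation string, e.g. "192.168.0.1/16"
-* @throws IllegalArgumentException if the parameter is invalid,
-* i.e. does not match n.n.n.n/m where n=1-3 decimal digits, m = 1-3 decimal digits in range 1-32
-*/
-public SubnetUtils(String cidrNotation) {
-calculate(cidrNotation);
-}
-
-/**
-* Constructor that takes a dotted decimal address and a dotted decimal mask.
-* @param address An IP address, e.g. "192.168.0.1"
-* @param mask A dotted decimal netmask e.g. "255.255.0.0"
-* @throws IllegalArgumentException if the address or mask is invalid,
-* i.e. does not match n.n.n.n where n=1-3 decimal digits and the mask is not all zeros
-*/
-public SubnetUtils(String address, String mask) {
-calculate(toCidrNotation(address, mask));
-}
-
-
-/**
-* Returns <code>true</code> if the return value of {@link SubnetInfo#getAddressCount()}
-* includes the network and broadcast addresses.
-* @since 2.2
-* @return true if the hostcount includes the network and broadcast addresses
-*/
-public boolean isInclusiveHostCount() {
-return inclusiveHostCount;
-}
-
-/**
-* Set to <code>true</code> if you want the return value of {@link SubnetInfo#getAddressCount()}
-* to include the network and broadcast addresses.
-* @param inclusiveHostCount true if network and broadcast addresses are to be included
-* @since 2.2
-*/
-public void setInclusiveHostCount(boolean inclusiveHostCount) {
-this.inclusiveHostCount = inclusiveHostCount;
-}
-
-
-
-/**
-* Convenience container for subnet summary information.
-*
-*/
-public final class SubnetInfo {
-/* Mask to convert unsigned int to a long (i.e. keep 32 bits) */
-private static final long UNSIGNED_INT_MASK = 0x0FFFFFFFFL;
-
-private SubnetInfo() {}
-
-private int netmask() { return netmask; }
-private int network() { return network; }
-private int address() { return address; }
-private int broadcast() { return broadcast; }
-
-// long versions of the values (as unsigned int) which are more suitable for range checking
-private long networkLong() { return network & UNSIGNED_INT_MASK; }
-private long broadcastLong(){ return broadcast & UNSIGNED_INT_MASK; }
-
-private int low() {
-return (isInclusiveHostCount() ? network() :
-broadcastLong() - networkLong() > 1 ? network() + 1 : 0);
-}
-
-private int high() {
-return (isInclusiveHostCount() ? broadcast() :
-broadcastLong() - networkLong() > 1 ? broadcast() -1 : 0);
-}
-
-/**
-* Returns true if the parameter <code>address</code> is in the
-* range of usable endpoint addresses for this subnet. This excludes the
-* network and broadcast adresses.
-* @param address A dot-delimited IPv4 address, e.g. "192.168.0.1"
-* @return True if in range, false otherwise
-*/
-public boolean isInRange(String address) {
-return isInRange(toInteger(address));
-}
-
-/**
-*
-* @param address the address to check
-* @return true if it is in range
-* @since 3.4 (made public)
-*/
-public boolean isInRange(int address) {
-long addLong = address & UNSIGNED_INT_MASK;
-long lowLong = low() & UNSIGNED_INT_MASK;
-long highLong = high() & UNSIGNED_INT_MASK;
-return addLong >= lowLong && addLong <= highLong;
-}
-
-public String getBroadcastAddress() {
-return format(toArray(broadcast()));
-}
-
-public String getNetworkAddress() {
-return format(toArray(network()));
-}
-
-public String getNetmask() {
-return format(toArray(netmask()));
-}
-
-public String getAddress() {
-return format(toArray(address()));
-}
-
-/**
-* Return the low address as a dotted IP address.
-* Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
-*
-* @return the IP address in dotted format, may be "0.0.0.0" if there is no valid address
-*/
-public String getLowAddress() {
-return format(toArray(low()));
-}
-
-/**
-* Return the high address as a dotted IP address.
-* Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
-*
-* @return the IP address in dotted format, may be "0.0.0.0" if there is no valid address
-*/
-public String getHighAddress() {
-return format(toArray(high()));
-}
-
-/**
-* Get the count of available addresses.
-* Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
-* @return the count of addresses, may be zero.
-* @throws RuntimeException if the correct count is greater than {@code Integer.MAX_VALUE}
-* @deprecated (3.4) use {@link #getAddressCountLong()} instead
-*/
-@Deprecated
-public int getAddressCount() {
-long countLong = getAddressCountLong();
-if (countLong > Integer.MAX_VALUE) {
-throw new RuntimeException("Count is larger than an integer: " + countLong);
-}
-// N.B. cannot be negative
-return (int)countLong;
-}
-
-/**
-* Get the count of available addresses.
-* Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
-* @return the count of addresses, may be zero.
-* @since 3.4
-*/
-public long getAddressCountLong() {
-long b = broadcastLong();
-long n = networkLong();
-long count = b - n + (isInclusiveHostCount() ? 1 : -1);
-return count < 0 ? 0 : count;
-}
-
-public int asInteger(String address) {
-return toInteger(address);
-}
-
-public String getCidrSignature() {
-return toCidrNotation(
-format(toArray(address())),
-format(toArray(netmask()))
-);
-}
-
-public String[] getAllAddresses() {
-int ct = getAddressCount();
-String[] addresses = new String[ct];
-if (ct == 0) {
-return addresses;
-}
-for (int add = low(), j=0; add <= high(); ++add, ++j) {
-addresses[j] = format(toArray(add));
-}
-return addresses;
-}
-
-/**
-* {@inheritDoc}
-* @since 2.2
-*/
-@Override
-public String toString() {
-final StringBuilder buf = new StringBuilder();
-buf.append("CIDR Signature:\t[").append(getCidrSignature()).append("]")
-.append(" Netmask: [").append(getNetmask()).append("]\n")
-.append("Network:\t[").append(getNetworkAddress()).append("]\n")
-.append("Broadcast:\t[").append(getBroadcastAddress()).append("]\n")
-.append("First Address:\t[").append(getLowAddress()).append("]\n")
-.append("Last Address:\t[").append(getHighAddress()).append("]\n")
-.append("# Addresses:\t[").append(getAddressCount()).append("]\n");
-return buf.toString();
-}
-}
-
-/**
-* Return a {@link SubnetInfo} instance that contains subnet-specific statistics
-* @return new instance
-*/
-public final SubnetInfo getInfo() { return new SubnetInfo(); }
-
-/*
-* Initialize the internal fields from the supplied CIDR mask
-*/
-private void calculate(String mask) {
-Matcher matcher = cidrPattern.matcher(mask);
-
-if (matcher.matches()) {
-address = matchAddress(matcher);
-
-/* Create a binary netmask from the number of bits specification /x */
-int cidrPart = rangeCheck(Integer.parseInt(matcher.group(5)), 0, NBITS);
-for (int j = 0; j < cidrPart; ++j) {
-netmask |= (1 << 31 - j);
-}
-
-/* Calculate base network address */
-network = (address & netmask);
-
-/* Calculate broadcast address */
-broadcast = network | ~(netmask);
-} else {
-throw new IllegalArgumentException("Could not parse [" + mask + "]");
-}
-}
-
-/*
-* Convert a dotted decimal format address to a packed integer format
-*/
-private int toInteger(String address) {
-Matcher matcher = addressPattern.matcher(address);
-if (matcher.matches()) {
-return matchAddress(matcher);
-} else {
-throw new IllegalArgumentException("Could not parse [" + address + "]");
-}
-}
-
-/*
-* Convenience method to extract the components of a dotted decimal address and
-* pack into an integer using a regex match
-*/
-private int matchAddress(Matcher matcher) {
-int addr = 0;
-for (int i = 1; i <= 4; ++i) {
-int n = (rangeCheck(Integer.parseInt(matcher.group(i)), 0, 255));
-addr |= ((n & 0xff) << 8*(4-i));
-}
-return addr;
-}
-
-/*
-* Convert a packed integer address into a 4-element array
-*/
-private int[] toArray(int val) {
-int ret[] = new int[4];
-for (int j = 3; j >= 0; --j) {
-ret[j] |= ((val >>> 8*(3-j)) & (0xff));
-}
-return ret;
-}
-
-/*
-* Convert a 4-element array into dotted decimal format
-*/
-private String format(int[] octets) {
-StringBuilder str = new StringBuilder();
-for (int i =0; i < octets.length; ++i){
-str.append(octets[i]);
-if (i != octets.length - 1) {
-str.append(".");
-}
-}
-return str.toString();
-}
-
-/*
-* Convenience function to check integer boundaries.
-* Checks if a value x is in the range [begin,end].
-* Returns x if it is in range, throws an exception otherwise.
-*/
-private int rangeCheck(int value, int begin, int end) {
-if (value >= begin && value <= end) { // (begin,end]
-return value;
-}
-
-throw new IllegalArgumentException("Value [" + value + "] not in range ["+begin+","+end+"]");
-}
-
-/*
-* Count the number of 1-bits in a 32-bit integer using a divide-and-conquer strategy
-* see Hacker's Delight section 5.1
-*/
-int pop(int x) {
-x = x - ((x >>> 1) & 0x55555555);
-x = (x & 0x33333333) + ((x >>> 2) & 0x33333333);
-x = (x + (x >>> 4)) & 0x0F0F0F0F;
-x = x + (x >>> 8);
-x = x + (x >>> 16);
-return x & 0x0000003F;
-}
-
-/* Convert two dotted decimal addresses to a single xxx.xxx.xxx.xxx/yy format
-* by counting the 1-bit population in the mask address. (It may be better to count
-* NBITS-#trailing zeroes for this case)
-*/
-private String toCidrNotation(String addr, String mask) {
-return addr + "/" + pop(toInteger(mask));
-}
-}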
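--- /dev/null
+++ b/UNKNOWN_PREFIX/org/springframework/cloud/gateway/handler/predicate/RemoteAddrRoutePredicateFactoryTests.java
@@ -0,0 +1,53 @@
+package org.springframework.cloud.gateway.handler.predicate;
+
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
+import static org.springframework.cloud.gateway.test.TestUtils.assertStatus;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.SpringBootConfiguration;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.cloud.gateway.test.BaseWebClientTests;
+import org.springframework.context.annotation.Import;
+import org.springframework.http.HttpStatus;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.web.reactive.function.client.ClientResponse;
+
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = RANDOM_PORT)
+@DirtiesContext
+@ActiveProfiles({ "remote-address" })
+public class RemoteAddrRoutePredicateFactoryTests extends BaseWebClientTests {
+
+@Test
+public void pathRouteWorks() {
+Mono<ClientResponse> result = webClient.get().uri("/ok/httpbin/").exchange();
+
+StepVerifier.create(result)
+.consumeNextWith(response -> assertStatus(response, HttpStatus.OK))
+.expectComplete().verify(DURATION);
+}
+
+@Test
+public void pathRouteDoNotWork() {
+Mono<ClientResponse> result = webClient.get().uri("/nok/httpbin/").exchange();
+
+StepVerifier
+.create(result)
+.consumeNextWith(response -> assertStatus(response, HttpStatus.NOT_FOUND))
+.expectComplete().verify(DURATION);
+}
+
+@EnableAutoConfiguration
+@SpringBootConfiguration
+@Import(DefaultTestConfig.class)
+public static class TestConfig {
+}
+
+}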
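Review bot: The method names `pathRouteWorks` and `pathRouteDoNotWork` describe the Path predicate, but the two routes they request (`/ok/httpbin/` and `/nok/httpbin/`) differ only in their `RemoteAddr` allow lists, so the names hide what is actually under test; `remoteAddrRouteWorks` / `remoteAddrRouteDoesNotWork` would read correctly. Neither test issues a request from an address inside the `2001:db8:abcd:0012::0/64` prefix that the route configuration lists, so the positive case presumably passes through the `127.0.0.1` or `::1/32` entries rather than through IPv6 prefix matching, and a regression in IPv6 handling would only show up as the negative route still not matching — if the test harness lets the client address be controlled, a positive IPv6 case is the one this change most needs. A one-line Javadoc on each method naming the route id and the `RemoteAddr` list it exercises would make the intent explicit, e.g. `/** Request from the test client is expected to match remote_address_ipv6_test via its loopback entries. */`.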
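--- /dev/null
+++ b/UNKNOWN_PATH.yml
@@ -0,0 +1,27 @@
+test:
+uri: lb://myservice
+
+spring:
+cloud:
+gateway:
+default-filters:
+routes:
+# =====================================
+- id: remote_address_ipv6_test
+uri: ${test.uri}
+predicates:
+- Path=/ok/httpbin/
+- RemoteAddr=2001:db8:abcd:0012::0/64,::1/32,127.0.0.1
+filters:
+- SetPath=/httpbin/
+- SetStatus=200
+
+# =====================================
+- id: remote_address_ipv6_test_other_ip
+uri: ${test.uri}
+predicates:
+- Path=/nok/httpbin/
+- RemoteAddr=2001:db8:abcd:0012::0/64
+filters:
+- SetPath=/httpbin/
+- SetStatus=200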
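Review bot: The `::1/32` entry on the `RemoteAddr=` line of `remote_address_ipv6_test` is far wider than the loopback host it appears meant to allow: a /32 prefix applied to `::1` covers every IPv6 address whose first 32 bits are zero, which takes in the IPv4-mapped range `::ffff:0:0/96`, so an IPv4 client presented to the predicate in mapped form would match this route regardless of its actual address. If loopback is the intent, `::1/128` names exactly that host and keeps the fixture from documenting an over-broad allow list. Whether the predicate ever sees IPv4-mapped addresses depends on how the Netty `IpSubnetFilterRule` is invoked, which is not on this page, but the test data should still express the scope it means to test.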