diff --git a/CHANGES b/CHANGES index 4765ba7..3ff687d 100644 --- a/CHANGES +++ b/CHANGES @@ -2,4 +2,9 @@ Version 1.0.3 * Add Changelog * Disable Authentication for `/`, allowing it to be used for healtchecks. - - thanks @archiloque \ No newline at end of file + - thanks @archiloque + +Version 1.3.1 + +* Add CIDR support for whitelists + - @fooka03 diff --git a/pom.xml b/pom.xml index e9647e4..bc69a2b 100644 --- a/pom.xml +++ b/pom.xml @@ -14,6 +14,7 @@ UTF-8 1.3.0 4.9.0 + 3.3 @@ -38,6 +39,12 @@ ${elasticsearch.version} + + commons-net + commons-net + ${commons-net.version} + + org.elasticsearch elasticsearch @@ -64,6 +71,32 @@ + + org.apache.maven.plugins + maven-dependency-plugin + 2.4 + + + copy + process-resources + + copy + + + + + commons-net + commons-net + ${commons-net.version} + jar + true + ${project.build.directory} + + + + + + org.apache.maven.plugins maven-antrun-plugin @@ -75,7 +108,7 @@ diff --git a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java index dd416f2..3ceeb14 100644 --- a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java +++ b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java @@ -10,25 +10,30 @@ import java.net.InetAddress; import java.net.UnknownHostException; +import org.apache.commons.net.util.SubnetUtils; + /** * * Wraps the configured whitelisted ips. - * It uses a set of {@link InetAddress} internally. + * Uses a Set of SubnetUtils objects. *

* * * * @author Ernesto Miguez (ernesto.miguez@asquera.de) + * @author Nigel Foucha (nigel.foucha@gmail.com) */ public class InetAddressWhitelist { - private Set whitelist; + private static final String LOCALHOST = "127.0.0.1"; + private static final String SINGLEMASK = "255.255.255.255"; + private Set whitelist; /** * * * @param whitelist */ - public InetAddressWhitelist(Set whitelist) { + public InetAddressWhitelist(Set whitelist) { this.whitelist = whitelist; } @@ -51,7 +56,7 @@ public InetAddressWhitelist(String[] sWhitelist) { * @return if the ip is included in the whitelist */ public Boolean contains(InetAddress candidate) { - return this.whitelist.contains(candidate); + return contains(candidate.getHostAddress()); } /** 
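Review bot: The constructor `InetAddressWhitelist(Set whitelist)` now receives a Set of SubnetUtils but still stores the caller's reference, so the whitelist can be altered from outside after construction; `this.whitelist = new HashSet<SubnetUtils>(whitelist);` would snapshot it. The `@param whitelist` Javadoc tag directly above the constructor is still left empty in the new code; something like `@param whitelist the parsed subnets, one SubnetUtils per configured entry` would do. `LOCALHOST` is declared in this hunk but I cannot see it referenced anywhere in the visible hunks; if it is unused it should be removed, or used where an empty entry is mapped to the loopback address.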
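Review bot: `contains(InetAddress candidate)` now forwards `candidate.getHostAddress()` to the String overload, and for an Inet6Address that text (possibly carrying a `%scope` suffix) is not a form SubnetUtils parses, so every IPv6 client ends up rejected with only a debug log line. That is fail-closed, which is the right default, but it should be stated on the method: `* Note: the whitelist is IPv4-only; IPv6 candidates never match.` A null candidate now throws NullPointerException here instead of returning false as the old `Set.contains` did, since `getHostAddress()` is called unconditionally.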
@@ -65,44 +70,67 @@ public Boolean contains(InetAddress candidate) { * whitelist ips */ public Boolean contains(String candidate) { - return getStringWhitelist().contains(candidate); - } - - /** - * @return set of the string representations of the whitelist - */ - Set getStringWhitelist() { - Iterator iterator = this.whitelist.iterator(); - Set set = new HashSet(); - while (iterator.hasNext()) { - InetAddress next = iterator.next(); - set.add(next.getHostAddress()); + boolean result = false; + for (SubnetUtils util : whitelist) { + try { + if (util.getInfo().isInRange(candidate)) { + result = true; + break; + } + } catch (IllegalArgumentException e) { + Loggers.getLogger(InetAddressWhitelist.class).debug("Illegal address encountered {}, error: {}", candidate, e.getMessage()); + } } - return set; + return new Boolean(result); } /** - * when an configured InetAddress is Unkown or Invalid it is dropped from the - * whitelist * * @param ips a list of string ips * @return a list of {@link InetAddress} objects * */ - static Set toInetAddress(List ips) { - List listIps = new ArrayList(); - Iterator iterator = ips.iterator(); - while (iterator.hasNext()) { - String next = iterator.next(); + static Set toInetAddress(List ips) { + List listIps = new ArrayList(); + for (String ip : ips) { + SubnetUtils util = null; + Loggers.getLogger(InetAddressWhitelist.class).debug("Processing ip entry: {}", ip); try { - listIps.add(InetAddress.getByName(next)); + if ((ip == null) || (ip.length() <= 0)) { + Loggers.getLogger(InetAddressWhitelist.class).debug("Empty address encountered, setting to localhost"); + InetAddress address = InetAddress.getByName(ip); + util = new SubnetUtils(address.getHostAddress(), SINGLEMASK); + util.setInclusiveHostCount(true); + listIps.add(util); + } + else if (ip.indexOf('/') > -1) { + util = new SubnetUtils(ip); + util.setInclusiveHostCount(true); + listIps.add(util); + } + else if (ip.indexOf(',') > -1) { + String[] parts = ip.split(","); + util = new 
SubnetUtils(parts[0], parts[1]); + util.setInclusiveHostCount(true); + } + else { + // Here we create a util for a single ip address or hostname + InetAddress address = InetAddress.getByName(ip); + util = new SubnetUtils(address.getHostAddress(), SINGLEMASK); + util.setInclusiveHostCount(true); + listIps.add(util); + } + } catch (IllegalArgumentException e) { + String template = "an ip set in the whitelist settings raised an " + + "IllegalArgumentException: {}, dropping it"; + Loggers.getLogger(InetAddressWhitelist.class).info(template, e.getMessage()); } catch (UnknownHostException e) { String template = "an ip set in the whitelist settings raised an " + "UnknownHostException: {}, dropping it"; Loggers.getLogger(InetAddressWhitelist.class).info(template, e.getMessage()); } } - return new HashSet(listIps); + return new HashSet(listIps); } /** diff --git a/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java b/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java index d1a024d..fad835b 100644 --- a/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java +++ b/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java @@ -49,7 +49,7 @@ public class EmptyWhitelistIntegrationTest extends ElasticsearchIntegrationTest @Override protected Settings nodeSettings(int nodeOrdinal) { - return ImmutableSettings.settingsBuilder().putArray("http.basic.ipwhitelist", "unkown") + return ImmutableSettings.settingsBuilder().putArray("http.basic.ipwhitelist", "unknown") .put("plugin.types", HttpBasicServerPlugin.class.getName()) .build(); }
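Review bot: In `toInetAddress`, the `ip.indexOf(',') > -1` branch builds `util = new SubnetUtils(parts[0], parts[1])` and sets the inclusive host count but never calls `listIps.add(util)`, so an `address,netmask` entry is silently dropped from the whitelist while the other three branches add theirs; the line `listIps.add(util);` is missing after `util.setInclusiveHostCount(true);`. The same branch indexes `parts[1]` without checking the split, so an entry with a trailing comma yields a one-element array and throws ArrayIndexOutOfBoundsException, which neither catch clause handles and which aborts whitelist construction instead of dropping that entry; guard it with `if (parts.length != 2) throw new IllegalArgumentException("expected address,netmask: " + ip);` so the existing handler logs and drops it. In `contains(String)`, `return new Boolean(result);` should be `return Boolean.valueOf(result);`, which avoids allocating a fresh Boolean on every call. Both methods lie entirely within this hunk.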