From 395ffa3563033ebf61a67ff2202e0ebd0fc7c9f1 Mon Sep 17 00:00:00 2001
From: Nigel Foucha
Date: Thu, 11 Dec 2014 14:44:08 -0600
Subject: [PATCH 1/8] Add CIDR capabilities to whitelist
---
 .../http/auth/InetAddressWhitelist.java | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
index dd416f2..aca7b39 100644
--- a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
+++ b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
@@ -10,6 +10,8 @@ import java.net.InetAddress; import java.net.UnknownHostException; +import org.apache.commons.net.util.SubnetUtils; + /** * * Wraps the configured whitelisted ips.
@@ -95,7 +97,12 @@ static Set toInetAddress(List ips) {
 while (iterator.hasNext()) {
 String next = iterator.next();
 try {
- listIps.add(InetAddress.getByName(next));
+ if (next.indexOf('/') > -1) {
+ listIps.addAll(getInetAddressForCIDR(next));
+ }
+ else {
+ listIps.add(InetAddress.getByName(next));
+ }
 } catch (UnknownHostException e) {
 String template = "an ip set in the whitelist settings raised an " +
 "UnknownHostException: {}, dropping it";
@@ -105,6 +112,20 @@ static Set toInetAddress(List ips) {
 return new HashSet(listIps);
 }
+ /**
+ * helper method to get all InetAddress entries for a given CIDR address
+ */
+ static List getInetAddressForCIDR(String cidrAddr)
+ throws UnknownHostException {
+ List result = new ArrayList();
+ SubnetUtils utils = new SubnetUtils(cidrAddr);
+ String[] addrs = utils.getInfo().getAllAddresses();
+ for (String addr : addrs) {
+ result.add(InetAddress.getByName(next));
+ }
+ return result;
+ }
+
 /**
 * delegate method
 */
From 39b01d941dcc90d414ef45a888057d9df2a68589 Mon Sep 17 00:00:00 2001
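Review bot: `new SubnetUtils(cidrAddr)` in getInetAddressForCIDR throws IllegalArgumentException for anything it cannot parse (a malformed prefix, or an IPv6 CIDR such as `fd00::/64`), and toInetAddress only catches UnknownHostException, so a single bad whitelist entry aborts construction of the whole whitelist instead of being dropped like an unresolvable host is; add a sibling handler, `} catch (IllegalArgumentException e) { Loggers.getLogger(InetAddressWhitelist.class).info("an ip set in the whitelist settings raised an IllegalArgumentException: {}, dropping it", e.getMessage()); }`. Expanding the block into individual InetAddress objects also grows with the prefix length — a /16 entry produces 65,534 objects and shorter prefixes get expensive quickly — so keeping the SubnetUtils and testing `isInRange` at lookup time would scale better than enumerating. The `next` reference inside the loop is a typo for `addr`; it is corrected later in this series.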
From: Nigel Foucha
Date: Thu, 11 Dec 2014 14:46:51 -0600
Subject: [PATCH 2/8] Add apache commons net dependency for subnetutils
---
 pom.xml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index e9647e4..fbddd4d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,6 +38,12 @@ ${elasticsearch.version} + + commons-net + commons-net + 3.3 + + org.elasticsearch elasticsearch
From d93275c1848d53f5b6f876a369e4ccc47788fa4a Mon Sep 17 00:00:00 2001
From: Nigel Foucha
Date: Thu, 11 Dec 2014 14:52:40 -0600
Subject: [PATCH 3/8] Add comment to changes
---
 CHANGES | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 4765ba7..3ff687d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,4 +2,9 @@ Version 1.0.3
 * Add Changelog
 * Disable Authentication for `/`, allowing it to be used for healtchecks.
- - thanks @archiloque
\ No newline at end of file
+ - thanks @archiloque
+
+Version 1.3.1
+
+* Add CIDR support for whitelists
+ - @fooka03
From 56230ee3d7c7bbd22da15f076e9e4ec04a5fe0f7 Mon Sep 17 00:00:00 2001
From: Nigel Foucha
Date: Thu, 11 Dec 2014 15:06:13 -0600
Subject: [PATCH 4/8] fix typo in code
---
 .../elasticsearch/plugins/http/auth/InetAddressWhitelist.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
index aca7b39..ab04a0c 100644
--- a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
+++ b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
@@ -121,7 +121,7 @@ static List getInetAddressForCIDR(String cidrAddr)
 SubnetUtils utils = new SubnetUtils(cidrAddr);
 String[] addrs = utils.getInfo().getAllAddresses();
 for (String addr : addrs) {
- result.add(InetAddress.getByName(next));
+ result.add(InetAddress.getByName(addr));
 }
 return result;
 }
From 138230b23a011a39e6bd9fe94c223fc59bfd42f5 Mon Sep 17 00:00:00 2001
From: Nigel Foucha
Date: Thu, 11 Dec 2014 15:20:56 -0600
Subject: [PATCH 5/8] Fix NPE in test
---
 .../elasticsearch/plugins/http/auth/InetAddressWhitelist.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
index ab04a0c..7289c0a 100644
--- a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
+++ b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
@@ -97,7 +97,7 @@ static Set toInetAddress(List ips) {
 while (iterator.hasNext()) {
 String next = iterator.next();
 try {
- if (next.indexOf('/') > -1) {
+ if ((next != null) && (next.indexOf('/') > -1)) {
 listIps.addAll(getInetAddressForCIDR(next));
 }
 else {
From c6b9611520d65c132c3d2a505b6cf47d34938d83 Mon Sep 17 00:00:00 2001
From: Nigel Foucha
Date: Thu, 11 Dec 2014 16:40:10 -0600
Subject: [PATCH 6/8] add commons-net jar to plugin zip
---
 pom.xml | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index fbddd4d..bc69a2b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,6 +14,7 @@ UTF-8 1.3.0 4.9.0 + 3.3
@@ -41,7 +42,7 @@ commons-net commons-net - 3.3 + ${commons-net.version}
@@ -70,6 +71,32 @@ + + org.apache.maven.plugins + maven-dependency-plugin + 2.4 + + + copy + process-resources + + copy + + + + + commons-net + commons-net + ${commons-net.version} + jar + true + ${project.build.directory} + + + + + + org.apache.maven.plugins + maven-antrun-plugin
@@ -81,7 +108,7 @@
From 66d82d8c974a8a39393a6e13333d330667b478e5 Mon Sep 17 00:00:00 2001
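Review bot: The added null guard only steers a null entry into the else branch, where `InetAddress.getByName(null)` returns the loopback address by JDK contract, so a null (or empty) whitelist entry ends up silently whitelisting 127.0.0.1 instead of being rejected. For a list that bypasses authentication, trusting loopback should be an explicit decision rather than a side effect of a stray empty setting; skip such entries before the try block with `if (next == null || next.trim().isEmpty()) { Loggers.getLogger(InetAddressWhitelist.class).warn("empty whitelist entry ignored"); continue; }`. The remainder of toInetAddress lies outside this hunk.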
From: Nigel Foucha
Date: Thu, 11 Dec 2014 17:26:18 -0600
Subject: [PATCH 7/8] add set inclusive flag to include all CIDR addresses
---
 .../plugins/http/auth/InetAddressWhitelist.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
index 7289c0a..e03a249 100644
--- a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
+++ b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java
@@ -96,13 +96,14 @@ static Set toInetAddress(List ips) {
 Iterator iterator = ips.iterator();
 while (iterator.hasNext()) {
 String next = iterator.next();
+ Loggers.getLogger(InetAddressWhitelist.class).info("Processing ip entry: {}", next);
 try {
- if ((next != null) && (next.indexOf('/') > -1)) {
+ if ((next != null) && (next.indexOf('/') > -1)) {
 listIps.addAll(getInetAddressForCIDR(next));
- }
+ }
- else {
+ else {
 listIps.add(InetAddress.getByName(next));
- }
+ }
 } catch (UnknownHostException e) {
 String template = "an ip set in the whitelist settings raised an " +
 "UnknownHostException: {}, dropping it";
@@ -119,8 +120,11 @@ static List getInetAddressForCIDR(String cidrAddr)
 throws UnknownHostException {
 List result = new ArrayList();
 SubnetUtils utils = new SubnetUtils(cidrAddr);
+ utils.setInclusiveHostCount(true);
 String[] addrs = utils.getInfo().getAllAddresses();
+ Loggers.getLogger(InetAddressWhitelist.class).info("Processing {} CIDR entries", addrs.length);
 for (String addr : addrs) {
+ Loggers.getLogger(InetAddressWhitelist.class).info("Adding ip entry: {}", addr);
 result.add(InetAddress.getByName(addr));
 }
 return result;
From 9d1e676b6ec4c697dcb446388aae9ae8ccd67ea4 Mon Sep 17 00:00:00 2001
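Review bot: The `info` call added inside the for loop of getInetAddressForCIDR logs once per expanded address, so a /16 entry writes roughly 65k lines to the node log at startup and anything shorter far more, and `Loggers.getLogger(InetAddressWhitelist.class)` is re-resolved on every iteration. Keep the one-line count message and demote the per-address line to `debug` (or drop it), and hold the logger in a `private static final` field on the class so it is looked up once. Note also that this turns the full contents of the whitelist into INFO-level log output, which operators shipping logs to a shared pipeline may not want.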
From: Nigel Foucha Date: Mon, 15 Dec 2014 10:31:35 -0600 Subject: [PATCH 8/8] re-architect InetAddressWhitelist to use SubnetUtils --- .../http/auth/InetAddressWhitelist.java | 95 ++++++++++--------- .../EmptyWhitelistIntegrationTest.java | 2 +- 2 files changed, 50 insertions(+), 47 deletions(-) diff --git a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java index e03a249..3ceeb14 100644 --- a/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java +++ b/src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java @@ -15,22 +15,25 @@ /** * * Wraps the configured whitelisted ips. - * It uses a set of {@link InetAddress} internally. + * Uses a Set of SubnetUtils objects. *

* * * * @author Ernesto Miguez (ernesto.miguez@asquera.de) + * @author Nigel Foucha (nigel.foucha@gmail.com) */ public class InetAddressWhitelist { - private Set whitelist; + private static final String LOCALHOST = "127.0.0.1"; + private static final String SINGLEMASK = "255.255.255.255"; + private Set whitelist; /** * * * @param whitelist */ - public InetAddressWhitelist(Set whitelist) { + public InetAddressWhitelist(Set whitelist) { this.whitelist = whitelist; } @@ -53,7 +56,7 @@ public InetAddressWhitelist(String[] sWhitelist) { * @return if the ip is included in the whitelist */ public Boolean contains(InetAddress candidate) { - return this.whitelist.contains(candidate); + return contains(candidate.getHostAddress()); } /** 
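Review bot: `contains(InetAddress)` now forwards `candidate.getHostAddress()` to `SubnetUtils.isInRange`, and SubnetUtils in commons-net 3.3 only parses dotted-quad IPv4, so an IPv6 peer (`::1`, or a link-local address carrying a `%scope` suffix) raises IllegalArgumentException and the lookup yields false; that is fail-closed, which is the right default for an auth-bypass list, but it also means an IPv6 client can never be whitelisted, and the class Javadoc should say so, e.g. `* IPv4 only: IPv6 entries are dropped at load time and IPv6 peers never match.` A null candidate used to return false from `Set.contains` and now throws NullPointerException; `if (candidate == null) return Boolean.FALSE;` keeps the old contract. The new `LOCALHOST` constant appears unused in this patch.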
@@ -67,67 +70,67 @@ public Boolean contains(InetAddress candidate) { * whitelist ips */ public Boolean contains(String candidate) { - return getStringWhitelist().contains(candidate); - } - - /** - * @return set of the string representations of the whitelist - */ - Set getStringWhitelist() { - Iterator iterator = this.whitelist.iterator(); - Set set = new HashSet(); - while (iterator.hasNext()) { - InetAddress next = iterator.next(); - set.add(next.getHostAddress()); + boolean result = false; + for (SubnetUtils util : whitelist) { + try { + if (util.getInfo().isInRange(candidate)) { + result = true; + break; + } + } catch (IllegalArgumentException e) { + Loggers.getLogger(InetAddressWhitelist.class).debug("Illegal address encountered {}, error: {}", candidate, e.getMessage()); + } } - return set; + return new Boolean(result); } /** - * when an configured InetAddress is Unkown or Invalid it is dropped from the - * whitelist * * @param ips a list of string ips * @return a list of {@link InetAddress} objects * */ - static Set toInetAddress(List ips) { - List listIps = new ArrayList(); - Iterator iterator = ips.iterator(); - while (iterator.hasNext()) { - String next = iterator.next(); - Loggers.getLogger(InetAddressWhitelist.class).info("Processing ip entry: {}", next); + static Set toInetAddress(List ips) { + List listIps = new ArrayList(); + for (String ip : ips) { + SubnetUtils util = null; + Loggers.getLogger(InetAddressWhitelist.class).debug("Processing ip entry: {}", ip); try { - if ((next != null) && (next.indexOf('/') > -1)) { - listIps.addAll(getInetAddressForCIDR(next)); + if ((ip == null) || (ip.length() <= 0)) { + Loggers.getLogger(InetAddressWhitelist.class).debug("Empty address encountered, setting to localhost"); + InetAddress address = InetAddress.getByName(ip); + util = new SubnetUtils(address.getHostAddress(), SINGLEMASK); + util.setInclusiveHostCount(true); + listIps.add(util); + } + else if (ip.indexOf('/') > -1) { + util = new SubnetUtils(ip); + 
util.setInclusiveHostCount(true); + listIps.add(util); + } + else if (ip.indexOf(',') > -1) { + String[] parts = ip.split(","); + util = new SubnetUtils(parts[0], parts[1]); + util.setInclusiveHostCount(true); } else { - listIps.add(InetAddress.getByName(next)); + // Here we create a util for a single ip address or hostname + InetAddress address = InetAddress.getByName(ip); + util = new SubnetUtils(address.getHostAddress(), SINGLEMASK); + util.setInclusiveHostCount(true); + listIps.add(util); } + } catch (IllegalArgumentException e) { + String template = "an ip set in the whitelist settings raised an " + + "IllegalArgumentException: {}, dropping it"; + Loggers.getLogger(InetAddressWhitelist.class).info(template, e.getMessage()); } catch (UnknownHostException e) { String template = "an ip set in the whitelist settings raised an " + "UnknownHostException: {}, dropping it"; Loggers.getLogger(InetAddressWhitelist.class).info(template, e.getMessage()); } } - return new HashSet(listIps); - } - - /** - * helper method to get all InetAddress entries for a given CIDR address - */ - static List getInetAddressForCIDR(String cidrAddr) - throws UnknownHostException { - List result = new ArrayList(); - SubnetUtils utils = new SubnetUtils(cidrAddr); - utils.setInclusiveHostCount(true); - String[] addrs = utils.getInfo().getAllAddresses(); - Loggers.getLogger(InetAddressWhitelist.class).info("Processing {} CIDR entries", addrs.length); - for (String addr : addrs) { - Loggers.getLogger(InetAddressWhitelist.class).info("Adding ip entry: {}", addr); - result.add(InetAddress.getByName(addr)); - } - return result; + return new HashSet(listIps); } /** diff --git a/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java b/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java index d1a024d..fad835b 100644 
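Review bot: The `ip.indexOf(',') > -1` branch in toInetAddress builds the SubnetUtils for an `address,mask` entry but never calls `listIps.add(util)`, so every whitelist entry written in that form is silently dropped; add `listIps.add(util);` after `util.setInclusiveHostCount(true);` in that branch. The same branch reads `parts[1]` without checking `parts.length`, and `"10.0.0.1,".split(",")` yields a one-element array, so a trailing comma throws ArrayIndexOutOfBoundsException, which neither catch clause handles and which would abort whitelist construction; guard it with `if (parts.length != 2) throw new IllegalArgumentException("expected address,mask: " + ip);` so it reaches the existing IllegalArgumentException handler and is logged and dropped like other bad entries. Minor: `new Boolean(result)` in contains(String) should be `Boolean.valueOf(result)`, and the Javadoc above toInetAddress still promises `{@link InetAddress}` objects although the set now holds SubnetUtils.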
--- a/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java +++ b/src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java @@ -49,7 +49,7 @@ public class EmptyWhitelistIntegrationTest extends ElasticsearchIntegrationTest @Override protected Settings nodeSettings(int nodeOrdinal) { - return ImmutableSettings.settingsBuilder().putArray("http.basic.ipwhitelist", "unkown") + return ImmutableSettings.settingsBuilder().putArray("http.basic.ipwhitelist", "unknown") .put("plugin.types", HttpBasicServerPlugin.class.getName()) .build(); }