Add support for CIDR ranges in ignore_hosts setting. #5099

Merged

shikharj05 (Contributor) commented Feb 7, 2025

Description

This change adds support to specify CIDR ranges in ignore_hosts settings.

Issues Resolved

#4927

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • [TODO] New functionality has been documented
  • [NA] New Roles/Permissions have a corresponding security dashboards plugin PR
  • [NA] API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Example config-

auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 1
    time_window_seconds: 5
    block_expiry_seconds: 20
    max_blocked_clients: 100000
    max_tracked_clients: 100000
    ignore_hosts:
      - 127.0.0.0/16
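
An added example (not code from this PR or from the security plugin): a Python check of which client addresses a CIDR-bearing ignore_hosts list would exempt from rate limiting, plus an audit for overly broad ranges. The sample list, the function names, the prefix thresholds and the unwrapping of IPv4-mapped IPv6 addresses are assumptions of this example.

```python
import ipaddress

# Constructed sample: the CIDR from the example config above, plus a single
# address, an IPv6 range and a non-IP entry (all three are assumptions).
IGNORE_HOSTS = ["127.0.0.0/16", "10.20.30.40", "2001:db8::/32", "*.internal.example"]


def parse_entries(entries):
    """Split entries into IP networks and entries that are not IPs or CIDRs."""
    networks, unparsed = [], []
    for entry in entries:
        try:
            # strict=False accepts host bits set (10.1.2.3/8) and normalizes them.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            unparsed.append(entry)
    return networks, unparsed


def is_ignored(client_ip, entries):
    """True if client_ip falls inside any IP or CIDR entry (exempt from limiting)."""
    networks, _ = parse_entries(entries)
    addr = ipaddress.ip_address(client_ip)
    # Choice made by this example: compare IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4,
    # since dual-stack listeners can report IPv4 clients in that form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def audit(entries, min_prefix_v4=16, min_prefix_v6=48):
    """Return (network, address count) for ranges broader than the thresholds."""
    networks, _ = parse_entries(entries)
    too_broad = []
    for net in networks:
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < limit:
            too_broad.append((str(net), net.num_addresses))
    return too_broad


if __name__ == "__main__":
    for ip in ("127.0.0.1", "127.0.255.254", "127.1.0.1", "::ffff:127.0.0.1"):
        print(ip, "ignored" if is_ignored(ip, IGNORE_HOSTS) else "rate-limited")
    print("too broad:", audit(IGNORE_HOSTS + ["10.0.0.0/8"]))
```

Every address inside an ignore_hosts range bypasses the auth failure listener, so 127.0.0.0/16 exempts 127.0.0.0 through 127.0.255.255 but not 127.1.0.1.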

Signed-off-by: shikharj05 <8859327+shikharj05@users.noreply.github.com>

codecov bot commented Feb 7, 2025

Codecov Report

Attention: Patch coverage is 78.57143% with 9 lines in your changes missing coverage. Please review.

Project coverage is 71.68%. Comparing base (9e970e2) to head (e8ff312).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...pensearch/security/support/HostAndCidrMatcher.java 80.00% 3 Missing and 2 partials ⚠️
...pensearch/security/securityconf/ConfigModelV7.java 0.00% 0 Missing and 3 partials ⚠️
.../org/opensearch/security/auth/BackendRegistry.java 80.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files


@@            Coverage Diff             @@
##             main    #5099      +/-   ##
==========================================
- Coverage   71.70%   71.68%   -0.03%     
==========================================
  Files         335      337       +2     
  Lines       22755    22781      +26     
  Branches     3601     3604       +3     
==========================================
+ Hits        16316    16330      +14     
- Misses       4638     4650      +12     
  Partials     1801     1801              
Files with missing lines Coverage Δ
...ch/security/auth/limiting/AbstractRateLimiter.java 95.45% <100.00%> (ø)
.../opensearch/security/support/HostResolverMode.java 100.00% <100.00%> (ø)
.../org/opensearch/security/auth/BackendRegistry.java 77.91% <80.00%> (-0.48%) ⬇️
...pensearch/security/securityconf/ConfigModelV7.java 73.29% <0.00%> (-0.46%) ⬇️
...pensearch/security/support/HostAndCidrMatcher.java 80.00% <80.00%> (ø)

... and 5 files with indirect coverage changes


cwperks (Member) commented Feb 7, 2025

Thank you for this PR @shikharj05. We will also want to update the documentation accordingly.

We could also consider adding support for config.dynamic.hosts_resolver_mode: ip-hostname or config.dynamic.hosts_resolver_mode: ip-hostname-lookup (IP + Hostname resolution when looking at requests) in a future feature request. Currently this only supports config.dynamic.hosts_resolver_mode: ip-only.

^ Looks like these cases are already being handled as well

shikharj05 (Contributor, Author) commented

> Thank you for this PR @shikharj05. We will also want to update the documentation accordingly.

Ack, will create a separate PR for docs.

Signed-off-by: shikharj05 <8859327+shikharj05@users.noreply.github.com>
…treams

Signed-off-by: shikharj05 <8859327+shikharj05@users.noreply.github.com>
@shikharj05 shikharj05 requested review from cwperks and nibix February 10, 2025 09:23
@shikharj05 shikharj05 requested a review from nibix March 5, 2025 18:33
willyborankin previously approved these changes Mar 5, 2025

nibix (Collaborator) left a comment

Looks very good! I have left a couple of further minor comments.

@willyborankin willyborankin merged commit aa22ca8 into opensearch-project:main Mar 6, 2025
42 checks passed
@shikharj05 shikharj05 deleted the ignore-hosts-cidr-support branch March 6, 2025 12:48