Add support for CIDR ranges in ignore_hosts setting. #5099

@@ -52,6 +52,7 @@
import org.opensearch.security.securityconf.impl.v7.RoleV7;
import org.opensearch.security.securityconf.impl.v7.TenantV7;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.HostResolverMode;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.security.user.User;

@@ -330,15 +331,16 @@ private Set<String> map(final User user, final TransportAddress caller) {
}

if (caller.address() != null
&& (hostResolverMode.equalsIgnoreCase("ip-hostname") || hostResolverMode.equalsIgnoreCase("ip-hostname-lookup"))) {
&& (hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME.getValue())
|| hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME_LOOKUP.getValue()))) {
final String hostName = caller.address().getHostString();

for (String p : WildcardMatcher.getAllMatchingPatterns(hostMatchers, hostName)) {
securityRoles.addAll(hosts.get(p));
}
}

if (caller.address() != null && hostResolverMode.equalsIgnoreCase("ip-hostname-lookup")) {
if (caller.address() != null && hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME_LOOKUP.getValue())) {

final String resolvedHostName = caller.address().getHostName();

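Review bot: The pair of comparisons `hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME.getValue()) || hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME_LOOKUP.getValue())` is now written out in full here and again in the `HostAndCidrMatcher.matchesHostname` hunk below, so the definition of "modes that enable hostname matching" lives at two call sites rather than on the enum that was just introduced. A single case-insensitive query on `HostResolverMode`, used as `if (caller.address() != null && HostResolverMode.enablesHostnameMatching(hostResolverMode)) {`, would keep both sites in step when a mode is added and would also make the null guard uniform: `matchesHostname` checks `hostResolverMode != null` before comparing, while this site dereferences it directly, and whether it can be null depends on how the field is assigned, which is outside the hunk. The enclosing `map(User, TransportAddress)` starts before and continues after this hunk.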
@@ -25,9 +25,6 @@
* This matcher supports both wildcard hostname patterns (e.g., *.example.com) and CIDR notation (e.g., 192.168.1.0/24).
*/
public class HostAndCidrMatcher {
private static final String IP_HOSTNAME = "ip-hostname";
private static final String IP_HOSTNAME_LOOKUP = "ip-hostname-lookup";

protected final Logger log = LogManager.getLogger(HostAndCidrMatcher.class);
private final WildcardMatcher hostMatcher;
private final List<IPAddressString> cidrMatchers;
@@ -66,7 +63,7 @@ public boolean matchesCidr(InetAddress address) {
return cidrMatchers.stream().anyMatch(cidrAddress -> cidrAddress.contains(addressString));
} catch (Exception e) {
log.warn("Failed to process IP address {}: {}", address, e.getMessage());
return false;
throw new RuntimeException("Invalid Address format used");
}
}

@@ -75,8 +72,7 @@ public boolean matchesCidr(InetAddress address) {
* This method can perform DNS lookups depending on the hostResolverMode.
*
* @param address The IP address to check
* @param hostResolverMode The resolution mode. Must be either "ip-hostname" or
* "ip-hostname-lookup" to enable hostname matching
* @param hostResolverMode The resolution mode. Must be one of {@link HostResolverMode} to enable hostname matching
* @return true if the address matches any configured hostname pattern, false otherwise,
* if the address is null, or if the resolver mode is invalid
* @implNote This method may perform DNS lookups which could impact performance
@@ -88,7 +84,8 @@ public boolean matchesHostname(InetAddress address, String hostResolverMode) {

List<String> valuesToCheck = new ArrayList<>(List.of(address.getHostAddress()));
if (hostResolverMode != null
&& (hostResolverMode.equalsIgnoreCase(IP_HOSTNAME) || hostResolverMode.equalsIgnoreCase(IP_HOSTNAME_LOOKUP))) {
&& (hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME.getValue())
|| hostResolverMode.equalsIgnoreCase(HostResolverMode.IP_HOSTNAME_LOOKUP.getValue()))) {
try {
final String hostName = address.getHostName(); // potential blocking call
valuesToCheck.add(hostName);
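Review bot: In the `matchesCidr` catch block, the new `throw new RuntimeException("Invalid Address format used")` drops the caught exception (reading the rendered lines in old-then-new order, `return false` is the line replaced by the throw), so the only trace of why the address could not be parsed is the `e.getMessage()` in the preceding `log.warn`; chain it with `throw new RuntimeException("Invalid Address format used", e);` and, since the exception now propagates, consider removing that `log.warn` so the failure is not reported twice. The switch from a silent `false` to an exception is a behaviour change that escapes to whoever calls `matchesCidr`, so the method's Javadoc should carry an `@throws RuntimeException if the address cannot be converted to an address string` entry. The test that targeted this catch block, `shouldHandleMalformedIpAddresses`, is deleted in the same commit, and it likely never reached the catch anyway because `InetAddress.getByName("invalid.ip.address")` throws before `matchesCidr` is called; a test that passes a constructed `InetAddress` and asserts on the thrown exception would pin the new behaviour. `matchesCidr` starts before this hunk.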
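--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/HostResolverMode.java
@@ -0,0 +1,16 @@
+package org.opensearch.security.support;
+
+public enum HostResolverMode {
+IP_HOSTNAME("ip-hostname"),
+IP_HOSTNAME_LOOKUP("ip-hostname-lookup");
+
+private final String value;
+
+HostResolverMode(String value) {
+this.value = value;
+}
+
+public String getValue() {
+return value;
+}
+}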
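Review bot: `HostResolverMode` has no Javadoc, so a reader must find both call sites to learn what the two modes mean, and those call sites do not quite agree: in the role-mapping hunk above both modes compare the caller's `getHostString()` and only `IP_HOSTNAME_LOOKUP` goes on to `getHostName()`, whereas in `HostAndCidrMatcher.matchesHostname` either mode calls `getHostName()`, which that code marks as a potential blocking call. A class comment should state which reading is intended (that hostname matching is enabled by both modes and a reverse-DNS lookup by `IP_HOSTNAME_LOOKUP`, if that is the design) and that callers compare the configured string case-insensitively; on `getValue()`, `@return the spelling of this mode as it appears in the security configuration` is enough.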
@@ -177,13 +177,6 @@ public void shouldHandleInvalidCidrNotation() throws Exception {
assertThat(matcher.matchesCidr(address), is(false));
}

@Test(expected = Exception.class)
public void shouldHandleMalformedIpAddresses() throws Exception {
matcher = new HostAndCidrMatcher(Arrays.asList(PRIVATE_CLASS_C_CIDR));
InetAddress address = InetAddress.getByName("invalid.ip.address");
matcher.matchesCidr(address);
}

@Test
public void shouldMatchIpHostnameLookupMode() throws Exception {
matcher = new HostAndCidrMatcher(Arrays.asList(OPENSEARCH_DOMAIN));
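--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/HostResolverModeTest.java
@@ -0,0 +1,24 @@
+package org.opensearch.security.support;
+
+import org.junit.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+public class HostResolverModeTest {
+
+@Test
+public void testIpHostnameValue() {
+assertThat(HostResolverMode.IP_HOSTNAME.getValue(), is("ip-hostname"));
+}
+
+@Test
+public void testIpHostnameLookupValue() {
+assertThat(HostResolverMode.IP_HOSTNAME_LOOKUP.getValue(), is("ip-hostname-lookup"));
+}
+
+@Test
+public void testEnumCount() {
+assertThat(HostResolverMode.values().length, is(2));
+}
+}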