fix(server): fix forwarded IF-TRUSTED with single IPs (#493) (#496)

(cherry picked from commit e3df249)
diennea · Sep 10, 2024 · 0bed007 · 0bed007
1 parent e82dea2
commit 0bed007
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/carapace-server/src/main/java/org/carapaceproxy/core/ForwardedStrategies.java b/carapace-server/src/main/java/org/carapaceproxy/core/ForwardedStrategies.java
@@ -79,6 +79,7 @@ public ConnectionInfo apply(final ConnectionInfo connectionInfo, final HttpReque
     record IfTrusted(Set<String> trustedIps) implements ForwardedStrategy {
 
         static final String NAME = "IF_TRUSTED";
+        private static final String DEFAULT_SUBNET = "/32";
 
         @Override
         public ConnectionInfo apply(final ConnectionInfo connectionInfo, final HttpRequest request) {
@@ -96,8 +97,12 @@ private boolean validate(final ConnectionInfo connectionInfo) {
             if (address == null) {
                 return false;
             }
-            for (final var cidr : trustedIps) {
-                final var subnetInfo = new SubnetUtils(cidr).getInfo();
+            for (final var trustedIp : trustedIps) {
+                final var cidr = trustedIp.contains("/") ? trustedIp : trustedIp + DEFAULT_SUBNET;
+                final var subnetUtils = new SubnetUtils(cidr);
+                // Include network and broadcast addresses in host count, necessary for /32 subnets
+                subnetUtils.setInclusiveHostCount(true);
+                final var subnetInfo = subnetUtils.getInfo();
                 if (subnetInfo.isInRange(address.getAddress().getHostAddress())) {
                     return true;
                 }

diff --git a/carapace-server/src/test/java/org/carapaceproxy/core/ForwardedStrategyTest.java b/carapace-server/src/test/java/org/carapaceproxy/core/ForwardedStrategyTest.java
@@ -17,6 +17,7 @@
 import static org.junit.Assert.assertTrue;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import java.io.IOException;
+import java.util.List;
 import java.util.Set;
 import org.carapaceproxy.server.config.ConfigurationNotValidException;
 import org.carapaceproxy.server.config.NetworkListenerConfiguration;
@@ -26,13 +27,22 @@
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
 
+@RunWith(Parameterized.class)
 public class ForwardedStrategyTest {
     public static final String REAL_IP_ADDRESS = "127.0.0.1";
     public static final String FORWARDED_IP_ADDRESS = "1.2.3.4";
     public static final String HEADER_PRESENT = "Header present!";
     public static final String HEADER_REWRITTEN = "Header rewritten!";
     public static final String NO_HEADER = "No header!";
+    public static final String SUBNET = "/24";
+
+    @Parameterized.Parameters(name = "Use actual CIDR? {0}")
+    public static Iterable<?> data() {
+        return List.of(true, false);
+    }
 
     @Rule
     public WireMockRule wireMockRule = new WireMockRule(0);
@@ -62,6 +72,9 @@ public void setupWireMock() {
                         .withBody(NO_HEADER)));
     }
 
+    @Parameterized.Parameter
+    public boolean useCidr;
+
     @Test
     public void testDropStrategy() throws IOException, ConfigurationNotValidException, InterruptedException {
         final var mapper = new TestEndpointMapper("localhost", wireMockRule.port());
@@ -123,7 +136,7 @@ public void testRewriteStrategy() throws IOException, ConfigurationNotValidExcep
     public void testIfTrustedStrategy() throws IOException, ConfigurationNotValidException, InterruptedException {
         final var mapper = new TestEndpointMapper("localhost", wireMockRule.port());
         try (final var server = new HttpProxyServer(mapper, tmpDir.newFolder())) {
-            final var trustedIps = Set.of(REAL_IP_ADDRESS + "/24");
+            final var trustedIps = Set.of(REAL_IP_ADDRESS + (useCidr ? SUBNET : ""));
             server.addListener(getConfiguration(ForwardedStrategies.ifTrusted(trustedIps), trustedIps));
             server.start();
             int port = server.getLocalPort();
@@ -143,7 +156,7 @@ public void testIfTrustedStrategy() throws IOException, ConfigurationNotValidExc
     public void testIfNotTrustedStrategy() throws IOException, ConfigurationNotValidException, InterruptedException {
         final var mapper = new TestEndpointMapper("localhost", wireMockRule.port());
         try (final var server = new HttpProxyServer(mapper, tmpDir.newFolder())) {
-            final var trustedIps = Set.of(FORWARDED_IP_ADDRESS + "/24");
+            final var trustedIps = Set.of(FORWARDED_IP_ADDRESS + (useCidr ? SUBNET : ""));
             server.addListener(getConfiguration(ForwardedStrategies.ifTrusted(trustedIps), trustedIps));
             server.start();
             int port = server.getLocalPort();