Use different library for subnet validation (Apache didn't work with …

…IPv6) Signed-off-by: David Schwilk <david.schwilk@bosch.io>
eclipse-ditto · Oct 24, 2022 · 5a207f8 · 5a207f8
1 parent 11bf8b4
commit 5a207f8
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 6 deletions.
diff --git a/bom/pom.xml b/bom/pom.xml
@@ -47,6 +47,8 @@
         <sshd.version>2.9.0</sshd.version>
         <eddsa.version>0.3.0</eddsa.version>
         <lz4-java.version>1.8.0</lz4-java.version>
+        <spring-security-web.version>5.7.3</spring-security-web.version>
+        <javax.servlet-api.version>4.0.1</javax.servlet-api.version>
 
         <!-- Keep these version consistent with akka-persistence-mongo.version's build.sbt -->
         <mongo-java-driver.version>4.3.4</mongo-java-driver.version>
@@ -357,6 +359,16 @@
                 <artifactId>lz4-java</artifactId>
                 <version>${lz4-java.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-web</artifactId>
+                <version>${spring-security-web.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>javax.servlet</groupId>
+                <artifactId>javax.servlet-api</artifactId>
+                <version>${javax.servlet-api.version}</version>
+            </dependency>
 
             <dependency>
                 <groupId>io.netty</groupId>

diff --git a/connectivity/service/pom.xml b/connectivity/service/pom.xml
@@ -169,6 +169,14 @@ jmh-generator-annprocess). jmh-generator-annprocess overwrites the whole META-IN
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+        </dependency>
 
         <!-- ### Testing ### -->
         <dependency>

diff --git a/...ava/org/eclipse/ditto/connectivity/service/messaging/validation/DefaultHostValidator.java b/...ava/org/eclipse/ditto/connectivity/service/messaging/validation/DefaultHostValidator.java
@@ -19,8 +19,8 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import org.apache.commons.net.util.SubnetUtils;
 import org.eclipse.ditto.connectivity.service.config.ConnectivityConfig;
+import org.springframework.security.web.util.matcher.IpAddressMatcher;
 
 import akka.event.LoggingAdapter;
 
@@ -35,7 +35,7 @@ final class DefaultHostValidator implements HostValidator {
 
     private final Collection<String> allowedHostnames;
     private final Collection<InetAddress> blockedAddresses;
-    private final Collection<SubnetUtils.SubnetInfo> blockedSubnets;
+    private final Collection<IpAddressMatcher> blockedSubnets;
     private final AddressResolver resolver;
     private final Pattern hostRegexPattern;
 
@@ -117,8 +117,8 @@ private HostValidationResult validateInetAddressesAndSubnets(final String host)
                     // host is contained in the block-list --> block
                     return HostValidationResult.blocked(host);
                 }
-                for (final SubnetUtils.SubnetInfo subnet : blockedSubnets) {
-                    if (subnet.isInRange(requestAddress.getHostAddress())) {
+                for (final IpAddressMatcher subnet : blockedSubnets) {
+                    if (subnet.matches(requestAddress.getHostAddress())) {
                         // ip is contained in the blocked-subnet --> block
                         return HostValidationResult.blocked(host, "the hostname resides in a blocked subnet.");
                     }
@@ -163,14 +163,14 @@ private Collection<InetAddress> calculateBlockedAddresses(final Collection<Strin
      * @param log the logger.
      * @return info of blocked subnets.
      */
-    private Collection<SubnetUtils.SubnetInfo> calculateBlockedSubnets(final Collection<String> blockedSubnets,
+    private Collection<IpAddressMatcher> calculateBlockedSubnets(final Collection<String> blockedSubnets,
             final LoggingAdapter log) {
 
         return blockedSubnets.stream()
                 .filter(blockedSubnet -> !blockedSubnet.isEmpty())
                 .flatMap(blockedSubnet -> {
                     try {
-                        return Stream.of(new SubnetUtils(blockedSubnet).getInfo());
+                        return Stream.of(new IpAddressMatcher(blockedSubnet));
                     } catch (final IllegalArgumentException e) {
                         log.error(e, "Could not create subnet info during building blocked subnets set: <{}>",
                                 blockedSubnet);