From 764c8171bc0fa8dbcc0ffbd987b7acf817a6fa4d Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Fri, 25 Aug 2023 13:53:24 +1000 Subject: [PATCH 1/3] Issue #10388 - fix InetAccessHandler module Signed-off-by: Lachlan Roberts --- .../src/main/config/modules/inetaccess.mod | 16 +++++----------- .../config/modules/inetaccess/inetaccess.xml | 13 ------------- .../modules/inetaccess/jetty-inetaccess.xml | 14 -------------- .../jetty/server/handler/InetAccessSet.java | 17 ++++++++++------- 4 files changed, 15 insertions(+), 45 deletions(-) delete mode 100644 jetty-server/src/main/config/modules/inetaccess/inetaccess.xml diff --git a/jetty-server/src/main/config/modules/inetaccess.mod b/jetty-server/src/main/config/modules/inetaccess.mod index 8716b1d4e798..acd2ceacfe75 100644 --- a/jetty-server/src/main/config/modules/inetaccess.mod +++ b/jetty-server/src/main/config/modules/inetaccess.mod @@ -2,7 +2,7 @@ [description] Enables the InetAccessHandler. -Applies a include/exclude control of the remote IP of requests. +Applies an include/exclude control of the remote IP of requests. [tags] connector @@ -18,15 +18,9 @@ etc/jetty-inetaccess.xml [ini-template] -## List of InetAddress patterns to include -#jetty.inetaccess.include=127.0.0.1,127.0.0.2 +## List of InetAddress patterns to include (connectorName@addressPattern|pathSpec) +#jetty.inetaccess.include=http@127.0.0.1-127.0.0.2|/pathSpec,tls@,|/pathSpec2,127.0.0.20 -## List of InetAddress patterns to exclude -#jetty.inetaccess.exclude=127.0.0.1,127.0.0.2 - -## List of Connector names to include -#jetty.inetaccess.includeConnectors=http - -## List of Connector names to exclude -#jetty.inetaccess.excludeConnectors=tls +## List of InetAddress patterns to exclude (connectorName@addressPattern|pathSpec) +#jetty.inetaccess.exclude=http@127.0.0.1-127.0.0.2|/pathSpec,tls@,|/pathSpec2,127.0.0.20 
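Review bot: The second hunk drops `jetty.inetaccess.includeConnectors` and `jetty.inetaccess.excludeConnectors` from the ini-template without a migration hint, which matters for an access-control module. An existing start.d file that still sets them would presumably be ignored without an error after the upgrade (the matching removal in jetty-inetaccess.xml is not readable in this patch), so a connector restriction could quietly stop applying. I would say so in the template, e.g. `## includeConnectors/excludeConnectors are no longer read; use connectorName@ entries in include/exclude instead`. The format line would also be clearer as `## Entry format: connectorName@addressPattern|pathSpec, each part optional; an omitted part matches anything`, which is how `PatternTuple.test` later in this patch treats a missing component.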
diff --git a/jetty-server/src/main/config/modules/inetaccess/inetaccess.xml b/jetty-server/src/main/config/modules/inetaccess/inetaccess.xml deleted file mode 100644 index 34af6f2e8289..000000000000 --- a/jetty-server/src/main/config/modules/inetaccess/inetaccess.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - 127.0.0.1-127.0.0.255 - 127.0.0.128-127.0.0.129 - - - - diff --git a/jetty-server/src/main/config/modules/inetaccess/jetty-inetaccess.xml b/jetty-server/src/main/config/modules/inetaccess/jetty-inetaccess.xml index e784968e37bc..f30fe062f66f 100644 --- a/jetty-server/src/main/config/modules/inetaccess/jetty-inetaccess.xml +++ b/jetty-server/src/main/config/modules/inetaccess/jetty-inetaccess.xml @@ -19,20 +19,6 @@ - - - - - - - - - - - - - - diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/InetAccessSet.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/InetAccessSet.java index bb4327fb38b0..505512c4280a 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/InetAccessSet.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/InetAccessSet.java @@ -27,7 +27,7 @@ public class InetAccessSet extends AbstractSet implements Set, Predicate { - private ArrayList tuples = new ArrayList<>(); + private final ArrayList tuples = new ArrayList<>(); @Override public boolean add(PatternTuple storageTuple) @@ -67,7 +67,7 @@ public boolean test(AccessTuple entry) return false; } - static class PatternTuple implements Predicate + public static class PatternTuple implements Predicate { private final String connector; private final InetAddressPattern address; 
@@ -110,19 +110,22 @@ public boolean test(AccessTuple entry) if ((connector != null) && !connector.equals(entry.getConnector())) return false; - // If we have a path we must must be at this path to match for an address. + // If we have a path we must be at this path to match for an address. if ((pathSpec != null) && !pathSpec.matches(entry.getPath())) return false; // Match for InetAddress. - if ((address != null) && !address.test(entry.getAddress())) - return false; + return (address == null) || address.test(entry.getAddress()); + } - return true; + @Override + public String toString() + { + return String.format("%s@%x{connector=%s, addressPattern=%s, pathSpec=%s}", getClass().getSimpleName(), hashCode(), connector, address, pathSpec); } } - static class AccessTuple + public static class AccessTuple { private final String connector; private final InetAddress address; From b89398d91c8cfdebf4f75d05f157d0f42a6a97a6 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Fri, 25 Aug 2023 14:19:38 +1000 Subject: [PATCH 2/3] Issue #10388 - add DistributionTest for InetAccessHandler Signed-off-by: Lachlan Roberts --- .../tests/distribution/DistributionTests.java | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java index e1f6feddea00..1424d5a044d8 100644 --- a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java +++ b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java 
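Review bot: In `PatternTuple.test` every null component acts as a wildcard, so a tuple whose connector, address and pathSpec are all null returns true for every request, and nothing in this hunk documents that. In an include set that means allow-all and in an exclude set deny-all, so it is worth confirming that the parser (not visible in this patch) cannot build such a tuple from an empty list entry, and covering that with a unit test. At minimum I would comment the final return, e.g. `// A null address matches any remote address; a tuple with all three parts null matches every request.` Since `PatternTuple` (previous hunk) and `AccessTuple` become public here, both should also get class Javadoc describing the `connectorName@addressPattern|pathSpec` form. The body of `AccessTuple` continues outside the hunk.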
@@ -1376,4 +1376,42 @@ public void testVirtualThreadPool() throws Exception } } } + + @Test + public void testInetAccessHandler() throws Exception + { + String jettyVersion = System.getProperty("jettyVersion"); + JettyHomeTester distribution = JettyHomeTester.Builder.newInstance() + .jettyVersion(jettyVersion) + .mavenLocalRepository(System.getProperty("mavenRepoPath")) + .build(); + + try (JettyHomeTester.Run run1 = distribution.start("--add-modules=inetaccess,http")) + { + assertTrue(run1.awaitFor(10, TimeUnit.SECONDS)); + assertEquals(0, run1.getExitValue()); + + int httpPort = distribution.freePort(); + List args = List.of( + "jetty.inetaccess.exclude=|/excludedPath/*", + "jetty.http.port=" + httpPort); + try (JettyHomeTester.Run run2 = distribution.start(args)) + { + assertTrue(run2.awaitConsoleLogsFor("Started Server@", 10, TimeUnit.SECONDS)); + startHttpClient(); + + // Excluded path returns 403 response. + ContentResponse response = client.newRequest("http://localhost:" + httpPort +"/excludedPath") + .timeout(15, TimeUnit.SECONDS) + .send(); + assertEquals(HttpStatus.FORBIDDEN_403, response.getStatus()); + + // Other paths return 404 response. + response = client.newRequest("http://localhost:" + httpPort +"/path") + .timeout(15, TimeUnit.SECONDS) + .send(); + assertEquals(HttpStatus.NOT_FOUND_404, response.getStatus()); + } + } + } } From d6320c44947758e405cda4bd82e7d79c5c0d2987 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Fri, 25 Aug 2023 15:37:40 +1000 Subject: [PATCH 3/3] fix checkstyle violation Signed-off-by: Lachlan Roberts --- .../eclipse/jetty/tests/distribution/DistributionTests.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java index 1424d5a044d8..7ba60185a7c3 100644 
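Review bot: The new test only exercises a path-only exclude (`|/excludedPath/*`), while the commit's main change is moving address and connector selection into the same `include`/`exclude` value. A regression that left `jetty.inetaccess.include` unread would still pass here, and for an allow-list that failure is open. I would add a second run that sets an include list the loopback client cannot match and asserts 403 for any path, placed after the `run2` block so the already started `client` is reused. The address in the sketch is a constructed sample from a documentation range.

```java
// … unchanged: run1 module setup and the run2 exclude-path assertions …

int includePort = distribution.freePort();
List<String> includeArgs = List.of(
    "jetty.inetaccess.include=192.0.2.1", // constructed sample, never the loopback client
    "jetty.http.port=" + includePort);
try (JettyHomeTester.Run run3 = distribution.start(includeArgs))
{
    assertTrue(run3.awaitConsoleLogsFor("Started Server@", 10, TimeUnit.SECONDS));

    // A client outside the include list is rejected on every path.
    ContentResponse denied = client.newRequest("http://localhost:" + includePort + "/path")
        .timeout(15, TimeUnit.SECONDS)
        .send();
    assertEquals(HttpStatus.FORBIDDEN_403, denied.getStatus());
}
```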
--- a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java +++ b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java @@ -1401,13 +1401,13 @@ public void testInetAccessHandler() throws Exception startHttpClient(); // Excluded path returns 403 response. - ContentResponse response = client.newRequest("http://localhost:" + httpPort +"/excludedPath") + ContentResponse response = client.newRequest("http://localhost:" + httpPort + "/excludedPath") .timeout(15, TimeUnit.SECONDS) .send(); assertEquals(HttpStatus.FORBIDDEN_403, response.getStatus()); // Other paths return 404 response. - response = client.newRequest("http://localhost:" + httpPort +"/path") + response = client.newRequest("http://localhost:" + httpPort + "/path") .timeout(15, TimeUnit.SECONDS) .send(); assertEquals(HttpStatus.NOT_FOUND_404, response.getStatus());