1.3.0

CHANGES

@@ -2,4 +2,9 @@ Version 1.0.3
 
 * Add Changelog
 * Disable Authentication for `/`, allowing it to be used for healtchecks.
-  - thanks @archiloque 
+  - thanks @archiloque
+
+Version 1.3.1
+
+* Add CIDR support for whitelists
+  - @fooka03

pom.xml

@@ -14,6 +14,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <elasticsearch.version>1.3.0</elasticsearch.version>
         <lucene.version>4.9.0</lucene.version>
+	<commons-net.version>3.3</commons-net.version>
     </properties>
 
     <dependencies>
@@ -38,6 +39,12 @@
             <version>${elasticsearch.version}</version>
         </dependency>
 
+	<dependency>
+	    <groupId>commons-net</groupId>
+	    <artifactId>commons-net</artifactId>
+	    <version>${commons-net.version}</version>
+	</dependency>
+
         <dependency>
           <groupId>org.elasticsearch</groupId>
           <artifactId>elasticsearch</artifactId>
@@ -64,6 +71,32 @@
     <build>
         <!-- Create a zip file according to elasticsearch naming scheme -->
         <plugins>
+	    <plugin>
+	        <groupId>org.apache.maven.plugins</groupId>
+		<artifactId>maven-dependency-plugin</artifactId>
+		<version>2.4</version>
+		<executions>
+		    <execution>
+		        <id>copy</id>
+			<phase>process-resources</phase>
+			<goals>
+			    <goal>copy</goal>
+			</goals>
+			<configuration>
+			    <artifactItems>
+			        <artifactItem>
+				    <groupId>commons-net</groupId>
+				    <artifactId>commons-net</artifactId>
+				    <version>${commons-net.version}</version>
+				    <type>jar</type>
+				    <overWrite>true</overWrite>
+				    <outputDirectory>${project.build.directory}</outputDirectory>
+				</artifactItem>
+	                    </artifactItems>
+			</configuration>
+	            </execution>
+		</executions>
+	    </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-antrun-plugin</artifactId>
@@ -75,7 +108,7 @@
                         <configuration>
                             <target>
                                 <zip basedir="${project.build.directory}"
-                                     includes="${project.build.finalName}.jar"
+                                     includes="${project.build.finalName}.jar,commons-net-${commons-net.version}.jar"
                                      destfile="${project.build.directory}/${project.artifactId}-${project.version}.zip" />
                             </target>
                         </configuration>

src/main/java/com/asquera/elasticsearch/plugins/http/auth/InetAddressWhitelist.java

@@ -10,25 +10,30 @@
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 
+import org.apache.commons.net.util.SubnetUtils;
+
 /**
  *
  * Wraps the configured whitelisted ips.
- * It uses a set of {@link InetAddress} internally.
+ * Uses a Set of SubnetUtils objects.
  * <p>
  *
  *
  *
  * @author Ernesto Miguez ([email protected])
+ * @author Nigel Foucha ([email protected])
  */
 
 public class InetAddressWhitelist {
-  private Set<InetAddress> whitelist;
+  private static final String LOCALHOST = "127.0.0.1";
+  private static final String SINGLEMASK = "255.255.255.255";
+  private Set<SubnetUtils> whitelist;
   /**
    *
    *
    * @param whitelist
    */
-  public InetAddressWhitelist(Set<InetAddress> whitelist) {
+  public InetAddressWhitelist(Set<SubnetUtils> whitelist) {
     this.whitelist = whitelist;
   }
 
@@ -51,7 +56,7 @@ public InetAddressWhitelist(String[] sWhitelist) {
    * @return if the ip is included in the whitelist
    */
   public Boolean contains(InetAddress candidate) {
-    return this.whitelist.contains(candidate);
+    return contains(candidate.getHostAddress());
   }
 
   /**
@@ -65,44 +70,67 @@ public Boolean contains(InetAddress candidate) {
    * whitelist ips
    */
   public Boolean contains(String candidate) {
-    return getStringWhitelist().contains(candidate);
-  }
-
-  /**
-   * @return set of the string representations of the whitelist
-   */
-  Set<String> getStringWhitelist() {
-    Iterator<InetAddress> iterator = this.whitelist.iterator();
-    Set<String> set = new HashSet<String>();
-    while (iterator.hasNext()) {
-      InetAddress next = iterator.next();
-      set.add(next.getHostAddress());
+    boolean result = false;
+    for (SubnetUtils util : whitelist) {
+      try {
+        if (util.getInfo().isInRange(candidate)) {
+          result = true;
+          break;
+        }
+      } catch (IllegalArgumentException e) {
+        Loggers.getLogger(InetAddressWhitelist.class).debug("Illegal address encountered {}, error: {}", candidate, e.getMessage());
+      }
     }
-    return set;
+    return new Boolean(result);
   }
 
   /**
-   * when an configured InetAddress is Unkown or Invalid it is dropped from the
-   * whitelist
    *
    * @param  ips a list of string ips
    * @return a list of {@link InetAddress} objects
    *
    */
-  static Set<InetAddress> toInetAddress(List<String> ips) {
-    List<InetAddress> listIps = new ArrayList<InetAddress>();
-    Iterator<String> iterator = ips.iterator();
-    while (iterator.hasNext()) {
-      String next = iterator.next();
+  static Set<SubnetUtils> toInetAddress(List<String> ips) {
+    List<SubnetUtils> listIps = new ArrayList<SubnetUtils>();
+    for (String ip : ips) {
+      SubnetUtils util = null;
+      Loggers.getLogger(InetAddressWhitelist.class).debug("Processing ip entry: {}", ip);
       try {
-        listIps.add(InetAddress.getByName(next));
+        if ((ip == null) || (ip.length() <= 0)) {
+          Loggers.getLogger(InetAddressWhitelist.class).debug("Empty address encountered, setting to localhost");
+          InetAddress address = InetAddress.getByName(ip);
+          util = new SubnetUtils(address.getHostAddress(), SINGLEMASK);
+          util.setInclusiveHostCount(true);
+          listIps.add(util);
+        }
+        else if (ip.indexOf('/') > -1) {
+          util = new SubnetUtils(ip);
+          util.setInclusiveHostCount(true);
+          listIps.add(util);
+        }
+        else if (ip.indexOf(',') > -1) {
+          String[] parts = ip.split(",");
+          util = new SubnetUtils(parts[0], parts[1]);
+          util.setInclusiveHostCount(true);
+        }
+        else {
+          // Here we create a util for a single ip address or hostname
+          InetAddress address = InetAddress.getByName(ip);
+          util = new SubnetUtils(address.getHostAddress(), SINGLEMASK);
+          util.setInclusiveHostCount(true);
+          listIps.add(util);
+        }
+      } catch (IllegalArgumentException e) {
+        String template = "an ip set in the whitelist settings raised an " +
+          "IllegalArgumentException: {}, dropping it";
+        Loggers.getLogger(InetAddressWhitelist.class).info(template, e.getMessage());
       } catch (UnknownHostException e) {
         String template = "an ip set in the whitelist settings raised an " +
           "UnknownHostException: {}, dropping it";
         Loggers.getLogger(InetAddressWhitelist.class).info(template, e.getMessage());
       }
     }
-    return new HashSet<InetAddress>(listIps);
+    return new HashSet<SubnetUtils>(listIps);
   }
 
   /**

src/test/java/com/asquera/elasticsearch/plugins/http/auth/integration/EmptyWhitelistIntegrationTest.java

@@ -49,7 +49,7 @@ public class EmptyWhitelistIntegrationTest extends ElasticsearchIntegrationTest
 
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
-        return ImmutableSettings.settingsBuilder().putArray("http.basic.ipwhitelist", "unkown")
+        return ImmutableSettings.settingsBuilder().putArray("http.basic.ipwhitelist", "unknown")
                  .put("plugin.types", HttpBasicServerPlugin.class.getName())
                  .build();
     }