oauth2-proxy/pkg/ip/net_set.go

package ip

import (
	"fmt"
	"net"
)

// Fast lookup table for intersection of a single IP address within a collection of CIDR networks.
//
// Supports 4-byte (IPv4) and 16-byte (IPv6) networks.
//
// Provides O(1) best-case, O(log(n)) worst-case performance.
// In practice netmasks included will generally only be of standard lengths:
// - /8, /16, /24, and /32 for IPv4
// - /64 and /128 for IPv6.
// As a result, typical lookup times will lean closer to best-case rather than worst-case even when most of the internet
// is included.
type NetSet struct {
	ip4NetMaps []ipNetMap
	ip6NetMaps []ipNetMap
}

// Create a new NetSet with all of the provided networks.
func NewNetSet() *NetSet {
	return &NetSet{
		ip4NetMaps: make([]ipNetMap, 0),
		ip6NetMaps: make([]ipNetMap, 0),
	}
}

// Check if `ip` is in the set, true if within the set otherwise false.
func (w *NetSet) Has(ip net.IP) bool {
	netMaps := w.getNetMaps(ip)

	// Check all ipNetMaps for intersection with `ip`.
	for _, netMap := range *netMaps {
		if netMap.has(ip) {
			return true
		}
	}
	return false
}

// Add an CIDR network to the set.
func (w *NetSet) AddIPNet(ipNet net.IPNet) {
	netMaps := w.getNetMaps(ipNet.IP)

	// Determine the size / number of ones in the CIDR network mask.
	ones, _ := ipNet.Mask.Size()

	var netMap *ipNetMap

	// Search for the ipNetMap containing networks with the same number of ones.
	for i := 0; len(*netMaps) > i; i++ {
		if netMapOnes, _ := (*netMaps)[i].mask.Size(); netMapOnes == ones {
			netMap = &(*netMaps)[i]
			break
		}
	}

	// Create a new ipNetMap if none with this number of ones have been created yet.
	if netMap == nil {
		netMap = &ipNetMap{
			mask: ipNet.Mask,
			ips:  make(map[string]bool),
		}
		*netMaps = append(*netMaps, *netMap)
		// Recurse once now that there exists an netMap.
		w.AddIPNet(ipNet)
		return
	}

	// Add the IP to the ipNetMap.
	netMap.ips[ipNet.IP.String()] = true
}

// Get the appropriate array of networks for the given IP version.
func (w *NetSet) getNetMaps(ip net.IP) (netMaps *[]ipNetMap) {
	switch {
	case ip.To4() != nil:
		netMaps = &w.ip4NetMaps
	case ip.To16() != nil:
		netMaps = &w.ip6NetMaps
	default:
		panic(fmt.Sprintf("IP (%s) is neither 4-byte nor 16-byte?", ip.String()))
	}

	return netMaps
}

// Hash-set of CIDR networks with the same mask size.
type ipNetMap struct {
	mask net.IPMask
	ips  map[string]bool
}

// Check if the IP is in any of the CIDR networks contained in this map.
func (m ipNetMap) has(ip net.IP) bool {
	// Apply the mask to the IP to remove any irrelevant bits in the IP.
	ipMasked := ip.Mask(m.mask)
	if ipMasked == nil {
		panic(fmt.Sprintf(
			"Mismatch in net.IPMask and net.IP protocol version, cannot apply mask %s to %s",
			m.mask.String(), ip.String()))
	}

	// Check if the masked IP is the same as any of the networks.
	if _, ok := m.ips[ipMasked.String()]; ok {
		return true
	}
	return false
}
Implements --trusted-ip option (#552) * Implements --ip-whitelist option * Included IPWhitelist option to allow one-or-more selected CIDR ranges to bypass OAuth2 authentication. * Adds IPWhitelist, a fast lookup table for multiple CIDR ranges. * Renamed IPWhitelist ipCIDRSet * Fixed unessesary pointer usage in ipCIDRSet * Update CHANGELOG.md * Update CHANGELOG.md * Updated to not use err.Error() in printf statements * Imrpoved language for --ip-whitelist descriptions. * Improve IP whitelist options error messages * Clarify options single-host normalization * Wrote a book about ipCIDRSet * Added comment to IsWhitelistedIP in oauthproxy.go * Rewrite oauthproxy test case as table driven * oops * Support whitelisting by low-level remote address * Added more test-cases, improved descriptions * Move ip_cidr_set.go to pkg/ip/net_set.go * Add more whitelist test use cases. * Oops * Use subtests for TestIPWhitelist * Add minimal tests for ip.NetSet * Use switch statment * Renamed ip-whitelist to whitelist-ip * Update documentation with a warning. * Update pkg/apis/options/options.go * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/ip/net_set_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/ip/net_set_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/ip/net_set_test.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * fix fmt * Move ParseIPNet into abstraction * Add warning in case of --reverse-proxy * Update pkg/validation/options_test.go * Rename --whitelist-ip to --trusted-ip * Update oauthproxy.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * fix Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-11 12:10:58 +02:00			`package ip`

			`import (`
			`"fmt"`
			`"net"`
			`)`

			`// Fast lookup table for intersection of a single IP address within a collection of CIDR networks.`
			`//`
			`// Supports 4-byte (IPv4) and 16-byte (IPv6) networks.`
			`//`
			`// Provides O(1) best-case, O(log(n)) worst-case performance.`
			`// In practice netmasks included will generally only be of standard lengths:`
			`// - /8, /16, /24, and /32 for IPv4`
			`// - /64 and /128 for IPv6.`
			`// As a result, typical lookup times will lean closer to best-case rather than worst-case even when most of the internet`
			`// is included.`
			`type NetSet struct {`
			`ip4NetMaps []ipNetMap`
			`ip6NetMaps []ipNetMap`
			`}`

			`// Create a new NetSet with all of the provided networks.`
			`func NewNetSet() *NetSet {`
			`return &NetSet{`
			`ip4NetMaps: make([]ipNetMap, 0),`
			`ip6NetMaps: make([]ipNetMap, 0),`
			`}`
			`}`

			// Check if `ip` is in the set, true if within the set otherwise false.
			`func (w *NetSet) Has(ip net.IP) bool {`
			`netMaps := w.getNetMaps(ip)`

			// Check all ipNetMaps for intersection with `ip`.
			`for _, netMap := range *netMaps {`
			`if netMap.has(ip) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`// Add an CIDR network to the set.`
			`func (w *NetSet) AddIPNet(ipNet net.IPNet) {`
			`netMaps := w.getNetMaps(ipNet.IP)`

			`// Determine the size / number of ones in the CIDR network mask.`
			`ones, _ := ipNet.Mask.Size()`

			`var netMap *ipNetMap`

			`// Search for the ipNetMap containing networks with the same number of ones.`
			`for i := 0; len(*netMaps) > i; i++ {`
			`if netMapOnes, _ := (*netMaps)[i].mask.Size(); netMapOnes == ones {`
			`netMap = &(*netMaps)[i]`
			`break`
			`}`
			`}`

			`// Create a new ipNetMap if none with this number of ones have been created yet.`
			`if netMap == nil {`
			`netMap = &ipNetMap{`
			`mask: ipNet.Mask,`
			`ips: make(map[string]bool),`
			`}`
			`netMaps = append(netMaps, *netMap)`
			`// Recurse once now that there exists an netMap.`
			`w.AddIPNet(ipNet)`
			`return`
			`}`

			`// Add the IP to the ipNetMap.`
			`netMap.ips[ipNet.IP.String()] = true`
			`}`

			`// Get the appropriate array of networks for the given IP version.`
			`func (w NetSet) getNetMaps(ip net.IP) (netMaps []ipNetMap) {`
			`switch {`
			`case ip.To4() != nil:`
			`netMaps = &w.ip4NetMaps`
			`case ip.To16() != nil:`
			`netMaps = &w.ip6NetMaps`
			`default:`
			`panic(fmt.Sprintf("IP (%s) is neither 4-byte nor 16-byte?", ip.String()))`
			`}`

			`return netMaps`
			`}`

			`// Hash-set of CIDR networks with the same mask size.`
			`type ipNetMap struct {`
			`mask net.IPMask`
			`ips map[string]bool`
			`}`

			`// Check if the IP is in any of the CIDR networks contained in this map.`
			`func (m ipNetMap) has(ip net.IP) bool {`
			`// Apply the mask to the IP to remove any irrelevant bits in the IP.`
			`ipMasked := ip.Mask(m.mask)`
			`if ipMasked == nil {`
			`panic(fmt.Sprintf(`
			`"Mismatch in net.IPMask and net.IP protocol version, cannot apply mask %s to %s",`
			`m.mask.String(), ip.String()))`
			`}`

			`// Check if the masked IP is the same as any of the networks.`
			`if _, ok := m.ips[ipMasked.String()]; ok {`
			`return true`
			`}`
			`return false`
			`}`