Add CIDR processing class (#69630)

shans96 · web-flow · commit 1b60ec05a998 · 2021-03-30T10:00:45.000-05:00
Adapted logic from CIDRUtils to create a new class for CIDR processing. Relates #60668
diff --git a/modules/lang-painless/src/main/java/org/elasticsearch/painless/api/CIDR.java b/modules/lang-painless/src/main/java/org/elasticsearch/painless/api/CIDR.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+package org.elasticsearch.painless.api;
+
+import org.elasticsearch.common.collect.Tuple;
+import org.elasticsearch.common.network.InetAddresses;
+
+import java.net.InetAddress;
+import java.util.Arrays;
+
+/**
+ * The intent of this class is to provide a more efficient way of matching multiple IP addresses against a single CIDR.
+ * The logic comes from CIDRUtils.
+ * @see org.elasticsearch.common.network.CIDRUtils
+ */
+public class CIDR {
+    private final byte[] lower;
+    private final byte[] upper;
+
+    /**
+     * @param cidr an IPv4 or IPv6 address, which may or may not contain a suffix.
+     */
+    public CIDR(String cidr) {
+        if (cidr.contains("/")) {
+            final Tuple<byte[], byte[]> range = getLowerUpper(InetAddresses.parseCidr(cidr));
+            lower = range.v1();
+            upper = range.v2();
+        } else {
+            lower = InetAddresses.forString(cidr).getAddress();
+            upper = lower;
+        }
+    }
+
+    /**
+     * Checks if a given IP address belongs to the range of the CIDR object.
+     * @param addressToCheck an IPv4 or IPv6 address without a suffix.
+     * @return whether the IP is in the object's range or not.
+     */
+    public boolean contains(String addressToCheck) {
+        if (addressToCheck == null) {
+            return false;
+        }
+
+        byte[] parsedAddress = InetAddresses.forString(addressToCheck).getAddress();
+        return isBetween(parsedAddress, lower, upper);
+    }
+
+    private static Tuple<byte[], byte[]> getLowerUpper(Tuple<InetAddress, Integer> cidr) {
+        final InetAddress value = cidr.v1();
+        final Integer prefixLength = cidr.v2();
+
+        if (prefixLength < 0 || prefixLength > 8 * value.getAddress().length) {
+            throw new IllegalArgumentException("illegal prefixLength '" + prefixLength +
+                "'. Must be 0-32 for IPv4 ranges, 0-128 for IPv6 ranges");
+        }
+
+        byte[] lower = value.getAddress();
+        byte[] upper = value.getAddress();
+        // Borrowed from Lucene
+        for (int i = prefixLength; i < 8 * lower.length; i++) {
+            int m = 1 << (7 - (i & 7));
+            lower[i >> 3] &= ~m;
+            upper[i >> 3] |= m;
+        }
+        return new Tuple<>(lower, upper);
+    }
+
+    private static boolean isBetween(byte[] addr, byte[] lower, byte[] upper) {
+        if (addr.length != lower.length) {
+            addr = encode(addr);
+            lower = encode(lower);
+            upper = encode(upper);
+        }
+        return Arrays.compareUnsigned(lower, addr) <= 0 &&
+            Arrays.compareUnsigned(upper, addr) >= 0;
+    }
+
+    // Borrowed from Lucene to make this consistent IP fields matching for the mix of IPv4 and IPv6 values
+    // Modified signature to avoid extra conversions
+    private static byte[] encode(byte[] address) {
+        final byte[] IPV4_PREFIX = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -1, -1};
+        if (address.length == 4) {
+            byte[] mapped = new byte[16];
+            System.arraycopy(IPV4_PREFIX, 0, mapped, 0, IPV4_PREFIX.length);
+            System.arraycopy(address, 0, mapped, IPV4_PREFIX.length, address.length);
+            address = mapped;
+        } else if (address.length != 16) {
+            throw new UnsupportedOperationException("Only IPv4 and IPv6 addresses are supported");
+        }
+        return address;
+    }
+}
diff --git a/modules/lang-painless/src/test/java/org/elasticsearch/painless/api/CIDRTests.java b/modules/lang-painless/src/test/java/org/elasticsearch/painless/api/CIDRTests.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+package org.elasticsearch.painless.api;
+
+import org.elasticsearch.test.ESTestCase;
+
+public class CIDRTests extends ESTestCase {
+    public void testCIDR() {
+        CIDR cidr = new CIDR("192.168.8.0/24");
+        assertTrue(cidr.contains("192.168.8.0"));
+        assertTrue(cidr.contains("192.168.8.255"));
+        assertFalse(cidr.contains("192.168.9.0"));
+        assertFalse(cidr.contains("192.168.7.255"));
+        assertFalse(cidr.contains(null));
+
+        CIDR cidrNoRange = new CIDR("169.254.0.0");
+        assertTrue(cidrNoRange.contains("169.254.0.0"));
+        assertFalse(cidrNoRange.contains("169.254.0.1"));
+
+        CIDR cidrIPv6 = new CIDR("b181:3a88:339c:97f5:2b40:5175:bf3d:f77d/64");
+        assertTrue(cidrIPv6.contains("b181:3a88:339c:97f5:2b40:5175:bf3d:f77e"));
+        assertFalse(cidrIPv6.contains("254.120.25.32"));
+
+        expectThrows(IllegalArgumentException.class, () -> new CIDR("10.2.0.0/36"));
+    }
+}
