-
Notifications
You must be signed in to change notification settings - Fork 867
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Subnet-Based Peer Permissions (#7168)
Signed-off-by: Gabriel-Trintinalia <[email protected]>
- Loading branch information
1 parent
90d2db9
commit e3e86c7
Showing
14 changed files
with
342 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
36 changes: 36 additions & 0 deletions
36
besu/src/main/java/org/hyperledger/besu/cli/converter/SubnetInfoConverter.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
/* | ||
* Copyright contributors to Hyperledger Besu. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with | ||
* the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on | ||
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations under the License. | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package org.hyperledger.besu.cli.converter; | ||
|
||
import org.apache.commons.net.util.SubnetUtils; | ||
import org.apache.commons.net.util.SubnetUtils.SubnetInfo; | ||
import picocli.CommandLine; | ||
|
||
/** The SubnetInfo converter for CLI options. */ | ||
public class SubnetInfoConverter implements CommandLine.ITypeConverter<SubnetInfo> { | ||
/** Default Constructor. */ | ||
public SubnetInfoConverter() {} | ||
|
||
/** | ||
* Converts an IP addresses with CIDR notation into SubnetInfo | ||
* | ||
* @param value The IP addresses with CIDR notation. | ||
* @return the SubnetInfo | ||
*/ | ||
@Override | ||
public SubnetInfo convert(final String value) { | ||
return new SubnetUtils(value).getInfo(); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
59 changes: 59 additions & 0 deletions
59
besu/src/test/java/org/hyperledger/besu/cli/converter/SubnetInfoConverterTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
/* | ||
* Copyright contributors to Hyperledger Besu. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with | ||
* the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on | ||
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations under the License. | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package org.hyperledger.besu.cli.converter; | ||
|
||
import static org.assertj.core.api.Assertions.assertThat; | ||
import static org.junit.jupiter.api.Assertions.assertThrows; | ||
|
||
import org.apache.commons.net.util.SubnetUtils.SubnetInfo; | ||
import org.junit.jupiter.api.Test; | ||
|
||
public class SubnetInfoConverterTest { | ||
|
||
@Test | ||
void testCreateIpRestrictionHandlerWithValidSubnets() { | ||
String subnet = "192.168.1.0/24"; | ||
assertThat(parseSubnetRules(subnet).getCidrSignature()).isEqualTo(subnet); | ||
} | ||
|
||
@Test | ||
void testCreateIpRestrictionHandlerWithInvalidSubnet() { | ||
assertThrows(IllegalArgumentException.class, () -> parseSubnetRules("abc")); | ||
} | ||
|
||
@Test | ||
void testCreateIpRestrictionHandlerMissingCIDR() { | ||
assertThrows(IllegalArgumentException.class, () -> parseSubnetRules("192.168.1.0")); | ||
} | ||
|
||
@Test | ||
void testCreateIpRestrictionHandlerBigCIDR() { | ||
assertThrows(IllegalArgumentException.class, () -> parseSubnetRules("192.168.1.0:25")); | ||
} | ||
|
||
@Test | ||
void testCreateIpRestrictionHandlerWithInvalidCIDR() { | ||
assertThrows(IllegalArgumentException.class, () -> parseSubnetRules("192.168.1.0/abc")); | ||
} | ||
|
||
@Test | ||
void testCreateIpRestrictionHandlerWithEmptyString() { | ||
assertThrows(IllegalArgumentException.class, () -> parseSubnetRules("")); | ||
} | ||
|
||
private SubnetInfo parseSubnetRules(final String subnet) { | ||
return new SubnetInfoConverter().convert(subnet); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
78 changes: 78 additions & 0 deletions
78
...p2p/src/main/java/org/hyperledger/besu/ethereum/p2p/permissions/PeerPermissionSubnet.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
/* | ||
* Copyright contributors to Hyperledger Besu. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with | ||
* the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on | ||
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations under the License. | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package org.hyperledger.besu.ethereum.p2p.permissions; | ||
|
||
import org.hyperledger.besu.ethereum.p2p.peers.Peer; | ||
|
||
import java.util.List; | ||
|
||
import org.apache.commons.net.util.SubnetUtils.SubnetInfo; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
/** | ||
* Manages peer permissions based on IP subnet restrictions. | ||
* | ||
* <p>This class extends {@link PeerPermissions} to implement access control based on IP subnets. It | ||
* allows for the configuration of permitted subnets and uses these configurations to determine | ||
* whether a peer should be allowed or denied access based on its IP address. | ||
* | ||
* <p>Note: If no subnets are specified, all peers are considered permitted by default. | ||
* | ||
* @see PeerPermissions | ||
*/ | ||
public class PeerPermissionSubnet extends PeerPermissions { | ||
private static final Logger LOG = LoggerFactory.getLogger(PeerPermissionSubnet.class); | ||
|
||
private final List<SubnetInfo> allowedSubnets; | ||
|
||
/** | ||
* Constructs a new {@code PeerPermissionSubnet} instance with specified allowed subnets. | ||
* | ||
* @param allowedSubnets A list of {@link SubnetInfo} objects representing the subnets that are | ||
* allowed to interact with the local node. Cannot be {@code null}. | ||
*/ | ||
public PeerPermissionSubnet(final List<SubnetInfo> allowedSubnets) { | ||
this.allowedSubnets = allowedSubnets; | ||
} | ||
|
||
/** | ||
* Determines if a peer is permitted based on the configured subnets. | ||
* | ||
* <p>This method checks if the remote peer's IP address falls within any of the configured | ||
* allowed subnets. If the peer's IP is within any of the allowed subnets, it is permitted. | ||
* Otherwise, it is denied. | ||
* | ||
* @param localNode This parameter is not used in the current implementation. | ||
* @param remotePeer The remote peer to check. Its IP address is used to determine permission. | ||
* @param action Ignored. If the peer is not allowed in the subnet, all actions are now allowed. | ||
* @return {@code true} if the peer is permitted based on its IP address; {@code false} otherwise. | ||
*/ | ||
@Override | ||
public boolean isPermitted(final Peer localNode, final Peer remotePeer, final Action action) { | ||
// If no subnets are specified, all peers are permitted | ||
if (allowedSubnets == null || allowedSubnets.isEmpty()) { | ||
return true; | ||
} | ||
String remotePeerHostAddress = remotePeer.getEnodeURL().getIpAsString(); | ||
for (SubnetInfo subnet : allowedSubnets) { | ||
if (subnet.isInRange(remotePeerHostAddress)) { | ||
return true; | ||
} | ||
} | ||
LOG.trace("Peer {} is not allowed in any of the configured subnets.", remotePeerHostAddress); | ||
return false; | ||
} | ||
} |
Oops, something went wrong.