feat: Implement ip filter in emulator (#65)

Author: Mielek

src/Testing/Document/MockIpFilterProvider.cs

@@ -35,5 +35,11 @@ internal Setup(
 
         public void WithCallback(Action<GatewayContext, IpFilterConfig> callback) =>
             _handler.CallbackSetup.Add((_predicate, callback).ToTuple());
+
+        public void OnIpDeny(Action<GatewayContext, IpFilterConfig> onIpDeny) =>
+            _handler.OnIpDenied.Add((_predicate, onIpDeny).ToTuple());
+
+        public void OnIpAllow(Action<GatewayContext, IpFilterConfig> onIpAllow) =>
+            _handler.OnIpAllowed.Add((_predicate, onIpAllow).ToTuple());
     }
 }

src/Testing/Emulator/IPAddressExtentions.cs

@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Net;
+using System.Net.Sockets;
+
+namespace Azure.ApiManagement.PolicyToolkit.Testing.Emulator;
+
+public static class IPAddressExtensions
+{
+    public static int CompareTo(this IPAddress? left, IPAddress? right)
+    {
+        if (left is null && right is null)
+        {
+            return 0;
+        }
+
+        if (left is null)
+        {
+            return 1;
+        }
+
+        if (right is null)
+        {
+            return -1;
+        }
+
+        var leftBytesSpan = new ReadOnlySpan<byte>(left.GetAddressBytes());
+        var rightBytesSpan = new ReadOnlySpan<byte>(right.GetAddressBytes());
+        if (left.AddressFamily == right.AddressFamily)
+        {
+            return leftBytesSpan.SequenceCompareTo(rightBytesSpan);
+        }
+
+        return left.AddressFamily == AddressFamily.InterNetwork
+            ? -Compare(rightBytesSpan, leftBytesSpan)
+            : Compare(leftBytesSpan, rightBytesSpan);
+    }
+
+    // IPv6 need to have the following prefix to be treated as IPv4 (first 12 bytes)
+    private static byte[] ipv4PrefixInIpv6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255];
+
+    private static int Compare(ReadOnlySpan<byte> ipv6BytesSpan, ReadOnlySpan<byte> ipv4BytesSpan)
+    {
+        var prefixCompare = ipv6BytesSpan[..ipv4PrefixInIpv6.Length].SequenceCompareTo(ipv4PrefixInIpv6);
+        if (prefixCompare != 0)
+        {
+            return prefixCompare;
+        }
+
+        var ipv4InIpv6Span = ipv6BytesSpan[ipv4PrefixInIpv6.Length..];
+        return ipv4InIpv6Span.SequenceCompareTo(ipv4BytesSpan);
+    }
+}

src/Testing/Emulator/Policies/IpFilterHandler.cs

@@ -1,17 +1,90 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
+using System.Net;
+
 using Azure.ApiManagement.PolicyToolkit.Authoring;
+using Azure.ApiManagement.PolicyToolkit.Testing.Expressions;
 
 namespace Azure.ApiManagement.PolicyToolkit.Testing.Emulator.Policies;
 
 [Section(nameof(IInboundContext))]
 internal class IpFilterHandler : PolicyHandler<IpFilterConfig>
 {
+    public List<Tuple<
+        Func<GatewayContext, IpFilterConfig, bool>,
+        Action<GatewayContext, IpFilterConfig>
+    >> OnIpAllowed { get; } = new();
+
+    public List<Tuple<
+        Func<GatewayContext, IpFilterConfig, bool>,
+        Action<GatewayContext, IpFilterConfig>
+    >> OnIpDenied { get; } = new();
+
     public override string PolicyName => nameof(IInboundContext.IpFilter);
 
     protected override void Handle(GatewayContext context, IpFilterConfig config)
     {
-        throw new NotImplementedException();
+        if (!IPAddress.TryParse(context.Request.IpAddress, out var clientIp))
+        {
+            if ("allow".Equals(config.Action, StringComparison.InvariantCultureIgnoreCase))
+            {
+                DenyAccess(context, config);
+            }
+
+            OnIpAllowed.Find(tuple => tuple.Item1(context, config))?.Item2(context, config);
+            return;
+        }
+
+        var directMatch = (config.Addresses ?? [])
+            .Any(address => clientIp.CompareTo(IPAddress.Parse(address)) == 0);
+        var rangeMatch = (config.AddressRanges ?? [])
+            .Any(range => clientIp.CompareTo(IPAddress.Parse(range.From)) >= 0
+                          && clientIp.CompareTo(IPAddress.Parse(range.To)) <= 0);
+        var match = directMatch || rangeMatch;
+
+        if ("allow".Equals(config.Action, StringComparison.InvariantCultureIgnoreCase))
+        {
+            if (!match)
+            {
+                DenyAccess(context, config);
+            }
+        }
+        else if ("forbid".Equals(config.Action, StringComparison.InvariantCultureIgnoreCase))
+        {
+            if (match)
+            {
+                DenyAccess(context, config);
+            }
+        }
+        else
+        {
+            throw new NotSupportedException("Specified filter action is not supported.");
+        }
+
+        OnIpAllowed.Find(tuple => tuple.Item1(context, config))?.Item2(context, config);
+    }
+
+    void DenyAccess(GatewayContext context, IpFilterConfig config)
+    {
+        context.Response = new MockResponse()
+        {
+            StatusCode = 403,
+            StatusReason = "Forbidden", // TODO use code to reason mapper
+            Headers = { { "Content-Type", ["application/json"] } },
+            Body =
+            {
+                Content = """
+                          {
+                            "statusCode": 403,
+                            "message": "Forbidden"
+                          }
+                          """
+            }
+        };
+
+        OnIpDenied.Find(tuple => tuple.Item1(context, config))?.Item2(context, config);
+
+        throw new FinishSectionProcessingException();
     }
 }

test/Test.Testing/Emulator/IPAddressExtensionsTests.cs

@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Net;
+
+using Azure.ApiManagement.PolicyToolkit.Testing.Emulator;
+
+namespace Test.Emulator.Emulator;
+
+[TestClass]
+public class IPAddressExtensionsTests
+{
+    [TestMethod]
+    [DataRow(null, null, 0)]
+    [DataRow(null, "1.1.1.1", 1)]
+    [DataRow("1.1.1.1", null, -1)]
+    [DataRow("1.1.1.1", "1.1.1.1", 0)]
+    [DataRow("1.1.1.1", "1.1.1.2", -1)]
+    [DataRow("1.1.1.2", "1.1.1.1", 1)]
+    [DataRow("1.1.1.1", "1.1.2.1", -1)]
+    [DataRow("1.1.2.1", "1.1.1.1", 1)]
+    [DataRow("1.1.1.1", "1.2.1.1", -1)]
+    [DataRow("1.2.1.1", "1.1.1.1", 1)]
+    [DataRow("1.1.1.1", "2.1.1.1", -1)]
+    [DataRow("2.1.1.1", "1.1.1.1", 1)]
+    [DataRow(null, "::1", 1)]
+    [DataRow("::1", null, -1)]
+    [DataRow("::1", "::1", 0)]
+    [DataRow("::1", "::2", -1)]
+    [DataRow("::2", "::1", 1)]
+    [DataRow("::0201", "::0101", 1)]
+    [DataRow("::0101", "::0201", -1)]
+    [DataRow("::0102:0101", "::0101:0101", 1)]
+    [DataRow("::0101:0101", "::0102:0101", -1)]
+    [DataRow("::ffff:0101:0101", "1.1.1.1", 0)]
+    [DataRow("1.1.1.1", "::ffff:0101:0101", 0)]
+    [DataRow("1.1.1.2", "::ffff:0101:0101", 1)]
+    [DataRow("::ffff:0101:0101", "1.1.1.2", -1)]
+    [DataRow("1.1.1.1", "::ffff:0101:0102", -1)]
+    [DataRow("::ffff:0101:0102", "1.1.1.1", 1)]
+    [DataRow("192.168.0.1", "10.0.0.1", 192 - 10)]
+    [DataRow("10.0.0.1", "192.168.0.1", 10 - 192)]
+    [DataRow("::fffe:0101:0101", "1.1.1.1", -1)] // 1.1.1.1 == ::ffff:0101:0101
+    [DataRow("1.1.1.1", "::fffe:0101:0101", 1)] // 1.1.1.1 == ::ffff:0101:0101
+    public void IPAddress_CompareTo(string? left, string? right, int value)
+    {
+        IPAddress? lAddress = IPAddress.TryParse(left, out var l) ? l : null;
+        IPAddress? rAddress = IPAddress.TryParse(right, out var r) ? r : null;
+
+        lAddress.CompareTo(rAddress).Should().Be(value);
+    }
+}