add unit tests for forwarded/real ip headers

add hashcode/equals to resolvable inet socket address wrapper, comparing them in tests
add RawMessageHandler test
fix subnet trusted proxy code (yay tests)

Author: kroepke

graylog2-server/src/main/java/org/graylog2/inputs/transports/netty/HttpForwardedForHandler.java

@@ -167,12 +167,18 @@ private Optional<String> findOriginalIpAndCheckProxies(List<String> ipChain) thr
                 // if we hit one that we don't trust, bail out and don't use the candidate IP
                 while (iterator.hasNext()) {
                     final String proxyIp = iterator.next();
+                    boolean trusted = false;
                     for (final IpSubnet subnet : trustedProxies) {
-                        if (!subnet.contains(proxyIp)) {
-                            LOG.debug("Untrusted proxy found in X-Forwarded-For header: {}, ignoring the supplied original IP address", proxyIp);
-                            return Optional.empty();
+                        if (subnet.contains(proxyIp)) {
+                            trusted = true;
+                            // we can skip the remainder of the subnet checks for this proxy ip
+                            break;
                         }
                     }
+                    if (!trusted) {
+                        LOG.debug("No trusted proxy entry found in {}, ignoring the supplied original IP address {}", trustedProxies, candidate);
+                        return Optional.empty();
+                    }
                 }
             }
         }

graylog2-server/src/main/java/org/graylog2/plugin/ResolvableInetSocketAddress.java

@@ -21,6 +21,7 @@
 
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.util.Objects;
 
 import static java.util.Objects.requireNonNull;
 
@@ -92,4 +93,16 @@ public String toString() {
             return getAddress().getHostAddress() + ":" + getPort();
         }
     }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        final ResolvableInetSocketAddress that = (ResolvableInetSocketAddress) o;
+        return reverseLookedUp == that.reverseLookedUp && Objects.equals(inetSocketAddress, that.inetSocketAddress);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(inetSocketAddress, reverseLookedUp);
+    }
 }

graylog2-server/src/test/java/org/graylog2/inputs/transports/netty/HttpForwardedForHandlerTest.java

@@ -0,0 +1,248 @@
+package org.graylog2.inputs.transports.netty;
+
+import io.netty.channel.embedded.EmbeddedChannel;
+import io.netty.handler.codec.http.DefaultFullHttpRequest;
+import io.netty.handler.codec.http.FullHttpRequest;
+import io.netty.handler.codec.http.HttpMethod;
+import io.netty.handler.codec.http.HttpRequest;
+import io.netty.handler.codec.http.HttpVersion;
+import org.graylog2.utilities.IpSubnet;
+import org.junit.jupiter.api.Test;
+
+import java.net.InetSocketAddress;
+import java.net.UnknownHostException;
+import java.nio.charset.StandardCharsets;
+import java.util.Set;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class HttpForwardedForHandlerTest {
+
+    public static final byte[] EMPTY_PAYLOAD = "".getBytes(StandardCharsets.UTF_8);
+
+    @Test
+    void disabledHandlerHasNoSideEffects() {
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(false, false, "", false, Set.of())
+        );
+
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        final FullHttpRequest originalRequest = httpRequest.copy();
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+
+        // the handler shouldn't have any side effects
+        final HttpRequest o = channel.readInbound();
+        assertThat(o).isEqualTo(originalRequest);
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isFalse();
+    }
+
+    @Test
+    void xForwardedForDecoded() {
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true, false, "", false, Set.of())
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        httpRequest.headers().add("X-Forwarded-For", "6.6.6.6, 192.168.1.1");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isTrue();
+        assertThat(channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).get()).isEqualTo(new InetSocketAddress("6.6.6.6", 0));
+    }
+
+    @Test
+    void forwardedDecoded() {
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true, false, "", false, Set.of())
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        httpRequest.headers().add("Forwarded", "for=6.6.6.6, by=192.168.1.1");
+        httpRequest.headers().add("Forwarded", "by=5.4.2.2");
+        httpRequest.headers().add("Forwarded", "for=192.168.1.1, by=10.0.1.20");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isTrue();
+        assertThat(channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).get()).isEqualTo(new InetSocketAddress("6.6.6.6", 0));
+    }
+
+    @Test
+    void realIp() {
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        true,
+                        "X-Real-Ip, X-Client-IP, CF-Connecting-IP, True-Client-IP, Fastly-Client-IP",
+                        false, Set.of())
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        httpRequest.headers().add("X-Real-Ip", "6.6.6.6");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isTrue();
+        assertThat(channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).get()).isEqualTo(new InetSocketAddress("6.6.6.6", 0));
+    }
+
+    @Test
+    void oneOfRealIpHeaders() {
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        true,
+                        "X-Real-Ip, X-Client-IP, CF-Connecting-IP, True-Client-IP, Fastly-Client-IP",
+                        false, Set.of())
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        httpRequest.headers().add("true-client-ip", "6.6.6.6");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isTrue();
+        assertThat(channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).get()).isEqualTo(new InetSocketAddress("6.6.6.6", 0));
+    }
+
+    @Test
+    void xForwardedForHonorsTrustedProxies() throws UnknownHostException {
+        final IpSubnet host192 = new IpSubnet("192.168.1.1/32");
+        final IpSubnet net10_0_0 = new IpSubnet("10.0.0.1/24");
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        false,
+                        "",
+                        true, Set.of(host192, net10_0_0))
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        httpRequest.headers().add("X-Forwarded-For", "6.6.6.6, 10.0.0.24, 192.168.1.1");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isTrue();
+        assertThat(channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).get()).isEqualTo(new InetSocketAddress("6.6.6.6", 0));
+    }
+
+    @Test
+    void xForwardedForHonorsTrustedProxiesOneUntrusted() throws UnknownHostException {
+        final IpSubnet host192 = new IpSubnet("192.168.1.1/32");
+        final IpSubnet net10_0_0 = new IpSubnet("10.0.0.1/24");
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        false,
+                        "",
+                        true, Set.of(host192, net10_0_0))
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        // there's a proxy that we don't trust
+        httpRequest.headers().add("X-Forwarded-For", "6.6.6.6, 10.1.0.24, 192.168.1.1");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isFalse();
+    }
+
+
+    @Test
+    void xForwardedForHonorsTrustedProxiesNoneTrusted() throws UnknownHostException {
+        final IpSubnet host192 = new IpSubnet("192.168.1.1/32");
+        final IpSubnet net10_0_0 = new IpSubnet("10.0.0.1/24");
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        false,
+                        "",
+                        true, Set.of(host192, net10_0_0))
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        // there's a proxy that we don't trust
+        httpRequest.headers().add("X-Forwarded-For", "6.6.6.6, 10.1.0.24, 192.168.2.1");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isFalse();
+    }
+
+    @Test
+    void forwardedHonorsTrustedProxies() throws UnknownHostException {
+        final IpSubnet host192 = new IpSubnet("192.168.1.1/32");
+        final IpSubnet net10_0_0 = new IpSubnet("10.0.0.1/24");
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        false,
+                        "",
+                        true, Set.of(host192, net10_0_0))
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        httpRequest.headers().add("Forwarded", "for=6.6.6.6, for=192.168.1.1");
+        httpRequest.headers().add("Forwarded", "for=10.0.0.24");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isTrue();
+        assertThat(channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).get()).isEqualTo(new InetSocketAddress("6.6.6.6", 0));
+    }
+
+
+    @Test
+    void forwardedHonorsTrustedProxiesOneUntrusted() throws UnknownHostException {
+        final IpSubnet host192 = new IpSubnet("192.168.1.1/32");
+        final IpSubnet net10_0_0 = new IpSubnet("10.0.0.1/24");
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        false,
+                        "",
+                        true, Set.of(host192, net10_0_0))
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        // there's a proxy that we don't trust
+        httpRequest.headers().add("Forwarded", "for=6.6.6.6, for=192.168.2.1");
+        httpRequest.headers().add("Forwarded", "for=10.0.0.24");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isFalse();
+    }
+
+
+    @Test
+    void forwardedHonorsTrustedProxiesNoneTrusted() throws UnknownHostException {
+        final IpSubnet host192 = new IpSubnet("192.168.1.1/32");
+        final IpSubnet net10_0_0 = new IpSubnet("10.0.0.1/24");
+        final EmbeddedChannel channel = new EmbeddedChannel(
+                new HttpForwardedForHandler(true,
+                        false,
+                        "",
+                        true, Set.of(host192, net10_0_0))
+        );
+        final FullHttpRequest httpRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/raw");
+        // there's a proxy that we don't trust
+        httpRequest.headers().add("Forwarded", "for=6.6.6.6, for=192.168.2.1");
+        httpRequest.headers().add("Forwarded", "for=10.1.0.24");
+        // payload is irrelevant for this test
+        httpRequest.content().writeBytes(EMPTY_PAYLOAD);
+
+        channel.writeInbound(httpRequest);
+        channel.finish();
+        assertThat(channel.hasAttr(RawMessageHandler.ORIGINAL_IP_KEY)).isFalse();
+    }
+
+}

graylog2-server/src/test/java/org/graylog2/inputs/transports/netty/RawMessageHandlerTest.java

@@ -0,0 +1,66 @@
+package org.graylog2.inputs.transports.netty;
+
+import io.netty.buffer.Unpooled;
+import io.netty.channel.embedded.EmbeddedChannel;
+import org.graylog2.plugin.ResolvableInetSocketAddress;
+import org.graylog2.plugin.inputs.MessageInput;
+import org.graylog2.plugin.journal.RawMessage;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+public class RawMessageHandlerTest {
+
+    @Test
+    void channelAttributeNotSet() {
+        // catch the raw message written out by the handler
+        final MessageInput input = mock(MessageInput.class);
+
+        // we have to override this, because EmbeddedChannel uses a different class than RawMessageHandler expects for
+        // the remote address.
+        final EmbeddedChannel channel = new EmbeddedChannel(new RawMessageHandler(input)) {
+            @Override
+            protected SocketAddress remoteAddress0() {
+                return new InetSocketAddress("6.6.6.6", 0);
+            }
+        };
+
+        channel.writeInbound(Unpooled.wrappedBuffer(new byte[]{1, 2, 3}));
+        channel.finish();
+        ArgumentCaptor<RawMessage> captor = ArgumentCaptor.forClass(RawMessage.class);
+        verify(input).processRawMessage(captor.capture());
+        final ResolvableInetSocketAddress actual = captor.getValue().getRemoteAddress();
+        final ResolvableInetSocketAddress expected = ResolvableInetSocketAddress.wrap(new InetSocketAddress("6.6.6.6", 0));
+        assertThat(actual).isEqualTo(expected);
+    }
+
+    @Test
+    void remoteAddressOverriddenByChannelAttribute() {
+        // catch the raw message written out by the handler
+        final MessageInput input = mock(MessageInput.class);
+
+        // we have to override this, because EmbeddedChannel uses a different class than RawMessageHandler expects for
+        // the remote address.
+        final EmbeddedChannel channel = new EmbeddedChannel(new RawMessageHandler(input)) {
+            @Override
+            protected SocketAddress remoteAddress0() {
+                return new InetSocketAddress("6.6.6.6", 0);
+            }
+        };
+
+        channel.attr(RawMessageHandler.ORIGINAL_IP_KEY).set(new InetSocketAddress("3.3.3.3", 0));
+        channel.writeInbound(Unpooled.wrappedBuffer(new byte[]{1, 2, 3}));
+        channel.finish();
+        ArgumentCaptor<RawMessage> captor = ArgumentCaptor.forClass(RawMessage.class);
+        verify(input).processRawMessage(captor.capture());
+        final ResolvableInetSocketAddress actual = captor.getValue().getRemoteAddress();
+        final ResolvableInetSocketAddress expected = ResolvableInetSocketAddress.wrap(new InetSocketAddress("3.3.3.3", 0));
+        assertThat(actual).isEqualTo(expected);
+    }
+}