refact whitelist/allowlist: net.IP to net/netip (#3683)

mmetc · web-flow · commit 76ea87c6bae9 · 2025-07-30T14:03:16.000+02:00
diff --git a/pkg/apiserver/apic.go b/pkg/apiserver/apic.go
@@ -7,8 +7,8 @@ import (
 	"errors"
 	"fmt"
 	"math/rand"
-	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
 	"slices"
 	"strings"
@@ -113,7 +113,7 @@ func (a *apic) FetchScenariosListFromDB(ctx context.Context) ([]string, error) {
 	return scenarios, nil
 }
 
-func decisionsToApiDecisions(decisions []*models.Decision) models.AddSignalsRequestItemDecisions {
+func decisionsToAPIDecisions(decisions []*models.Decision) models.AddSignalsRequestItemDecisions {
 	apiDecisions := models.AddSignalsRequestItemDecisions{}
 
 	for _, decision := range decisions {
@@ -163,7 +163,7 @@ func alertToSignal(alert *models.Alert, scenarioTrust string, shareContext bool)
 		CreatedAt:     alert.CreatedAt,
 		MachineID:     alert.MachineID,
 		ScenarioTrust: scenarioTrust,
-		Decisions:     decisionsToApiDecisions(alert.Decisions),
+		Decisions:     decisionsToAPIDecisions(alert.Decisions),
 		UUID:          alert.UUID,
 	}
 	if shareContext {
@@ -433,7 +433,7 @@ func (a *apic) CAPIPullIsOld(ctx context.Context) (bool, error) {
 	}
 
 	if count > 0 {
-		log.Printf("last CAPI pull is newer than 1h30, skip.")
+		log.Info("last CAPI pull is newer than 1h30, skip.")
 		return false, nil
 	}
 
@@ -844,26 +844,30 @@ func (a *apic) UpdateAllowlists(ctx context.Context, allowlistsLinks []*modelsca
 
 // if decisions is whitelisted: return representation of the whitelist ip or cidr
 // if not whitelisted: empty string
-func (a *apic) whitelistedBy(decision *models.Decision, additionalIPs []net.IP, additionalRanges []*net.IPNet) string {
+func (a *apic) whitelistedBy(decision *models.Decision, additionalIPs []netip.Addr, additionalRanges []netip.Prefix) string {
 	if decision.Value == nil {
 		return ""
 	}
 
-	ipval := net.ParseIP(*decision.Value)
+	ipval, err := netip.ParseAddr(*decision.Value)
+	if err != nil {
+		return ""
+	}
+
 	for _, cidr := range a.whitelists.Cidrs {
 		if cidr.Contains(ipval) {
 			return cidr.String()
 		}
 	}
 
 	for _, ip := range a.whitelists.Ips {
-		if ip != nil && ip.Equal(ipval) {
+		if ip == ipval {
 			return ip.String()
 		}
 	}
 
 	for _, ip := range additionalIPs {
-		if ip.Equal(ipval) {
+		if ip == ipval {
 			return ip.String()
 		}
 	}
diff --git a/pkg/apiserver/apic_test.go b/pkg/apiserver/apic_test.go
@@ -5,8 +5,8 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
 	"os"
 	"reflect"
@@ -57,12 +57,12 @@ func getAPIC(t *testing.T, ctx context.Context) *apic {
 	return &apic{
 		AlertsAddChan: make(chan []*models.Alert),
 		// DecisionDeleteChan: make(chan []*models.Decision),
-		dbClient:     dbClient,
-		mu:           sync.Mutex{},
-		startup:      true,
-		pullTomb:     tomb.Tomb{},
-		pushTomb:     tomb.Tomb{},
-		metricsTomb:  tomb.Tomb{},
+		dbClient:    dbClient,
+		mu:          sync.Mutex{},
+		startup:     true,
+		pullTomb:    tomb.Tomb{},
+		pushTomb:    tomb.Tomb{},
+		metricsTomb: tomb.Tomb{},
 		consoleConfig: &csconfig.ConsoleConfig{
 			ShareManualDecisions:  ptr.Of(false),
 			ShareTaintedScenarios: ptr.Of(false),
@@ -528,14 +528,14 @@ func TestAPICWhitelists(t *testing.T) {
 	api := getAPIC(t, ctx)
 	// one whitelist on IP, one on CIDR
 	api.whitelists = &csconfig.CapiWhitelist{}
-	api.whitelists.Ips = append(api.whitelists.Ips, net.ParseIP("9.2.3.4"), net.ParseIP("7.2.3.4"))
+	api.whitelists.Ips = append(api.whitelists.Ips, netip.MustParseAddr("9.2.3.4"), netip.MustParseAddr("7.2.3.4"))
 
-	_, tnet, err := net.ParseCIDR("13.2.3.0/24")
+	tnet, err := netip.ParsePrefix("13.2.3.0/24")
 	require.NoError(t, err)
 
 	api.whitelists.Cidrs = append(api.whitelists.Cidrs, tnet)
 
-	_, tnet, err = net.ParseCIDR("11.2.3.0/24")
+	tnet, err = netip.ParsePrefix("11.2.3.0/24")
 	require.NoError(t, err)
 
 	api.whitelists.Cidrs = append(api.whitelists.Cidrs, tnet)
diff --git a/pkg/csconfig/api.go b/pkg/csconfig/api.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"os"
 	"strings"
 	"time"
@@ -276,8 +277,8 @@ func toValidCIDR(ip string) string {
 }
 
 type CapiWhitelist struct {
-	Ips   []net.IP     `yaml:"ips,omitempty"`
-	Cidrs []*net.IPNet `yaml:"cidrs,omitempty"`
+	Ips   []netip.Addr   `yaml:"ips,omitempty"`
+	Cidrs []netip.Prefix `yaml:"cidrs,omitempty"`
 }
 
 type LocalAPIAutoRegisterCfg struct {
@@ -356,7 +357,7 @@ func (c *Config) LoadAPIServer(inCli bool, skipOnlineCreds bool) error {
 	}
 
 	if (c.API.Server.OnlineClient == nil || c.API.Server.OnlineClient.Credentials == nil) && !inCli {
-		log.Printf("push and pull to Central API disabled")
+		log.Info("push and pull to Central API disabled")
 	}
 
 	// Set default values for CAPI push/pull
@@ -450,21 +451,21 @@ func parseCapiWhitelists(fd io.Reader) (*CapiWhitelist, error) {
 	}
 
 	ret := &CapiWhitelist{
-		Ips:   make([]net.IP, len(fromCfg.Ips)),
-		Cidrs: make([]*net.IPNet, len(fromCfg.Cidrs)),
+		Ips:   make([]netip.Addr, len(fromCfg.Ips)),
+		Cidrs: make([]netip.Prefix, len(fromCfg.Cidrs)),
 	}
 
 	for idx, v := range fromCfg.Ips {
-		ip := net.ParseIP(v)
-		if ip == nil {
-			return nil, fmt.Errorf("invalid IP address: %s", v)
+		ip, err := netip.ParseAddr(v)
+		if err != nil {
+			return nil, err
 		}
 
 		ret.Ips[idx] = ip
 	}
 
 	for idx, v := range fromCfg.Cidrs {
-		_, tnet, err := net.ParseCIDR(v)
+		tnet, err := netip.ParsePrefix(v)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/csconfig/api_test.go b/pkg/csconfig/api_test.go
@@ -1,7 +1,7 @@
 package csconfig
 
 import (
-	"net"
+	"net/netip"
 	"os"
 	"strings"
 	"testing"
@@ -271,13 +271,6 @@ func TestLoadAPIServer(t *testing.T) {
 	}
 }
 
-func mustParseCIDRNet(t *testing.T, s string) *net.IPNet {
-	_, ipNet, err := net.ParseCIDR(s)
-	require.NoError(t, err)
-
-	return ipNet
-}
-
 func TestParseCapiWhitelists(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -289,33 +282,33 @@ func TestParseCapiWhitelists(t *testing.T) {
 			name:  "empty file",
 			input: "",
 			expected: &CapiWhitelist{
-				Ips:   []net.IP{},
-				Cidrs: []*net.IPNet{},
+				Ips:   []netip.Addr{},
+				Cidrs: []netip.Prefix{},
 			},
 			expectedErr: "empty file",
 		},
 		{
 			name:  "empty ip and cidr",
 			input: `{"ips": [], "cidrs": []}`,
 			expected: &CapiWhitelist{
-				Ips:   []net.IP{},
-				Cidrs: []*net.IPNet{},
+				Ips:   []netip.Addr{},
+				Cidrs: []netip.Prefix{},
 			},
 		},
 		{
 			name:  "some ip",
 			input: `{"ips": ["1.2.3.4"]}`,
 			expected: &CapiWhitelist{
-				Ips:   []net.IP{net.IPv4(1, 2, 3, 4)},
-				Cidrs: []*net.IPNet{},
+				Ips:   []netip.Addr{netip.MustParseAddr("1.2.3.4")},
+				Cidrs: []netip.Prefix{},
 			},
 		},
 		{
 			name:  "some cidr",
 			input: `{"cidrs": ["1.2.3.0/24"]}`,
 			expected: &CapiWhitelist{
-				Ips:   []net.IP{},
-				Cidrs: []*net.IPNet{mustParseCIDRNet(t, "1.2.3.0/24")},
+				Ips:   []netip.Addr{},
+				Cidrs: []netip.Prefix{netip.MustParsePrefix("1.2.3.0/24")},
 			},
 		},
 	}
diff --git a/pkg/database/allowlists.go b/pkg/database/allowlists.go
@@ -3,7 +3,7 @@ package database
 import (
 	"context"
 	"fmt"
-	"net"
+	"net/netip"
 	"sort"
 	"strings"
 	"time"
@@ -360,31 +360,31 @@ func (c *Client) IsAllowlisted(ctx context.Context, value string) (bool, string,
 	return true, reason, nil
 }
 
-func (c *Client) GetAllowlistsContentForAPIC(ctx context.Context) ([]net.IP, []*net.IPNet, error) {
+func (c *Client) GetAllowlistsContentForAPIC(ctx context.Context) ([]netip.Addr, []netip.Prefix, error) {
 	allowlists, err := c.ListAllowLists(ctx, true)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to get allowlists: %w", err)
 	}
 
 	var (
-		ips  []net.IP
-		nets []*net.IPNet
+		ips  []netip.Addr
+		nets []netip.Prefix
 	)
 
 	for _, allowlist := range allowlists {
 		for _, item := range allowlist.Edges.AllowlistItems {
 			if item.ExpiresAt.IsZero() || item.ExpiresAt.After(time.Now().UTC()) {
 				if strings.Contains(item.Value, "/") {
-					_, ipNet, err := net.ParseCIDR(item.Value)
+					ipNet, err := netip.ParsePrefix(item.Value)
 					if err != nil {
 						c.Log.Errorf("unable to parse CIDR %s: %s", item.Value, err)
 						continue
 					}
 
 					nets = append(nets, ipNet)
 				} else {
-					ip := net.ParseIP(item.Value)
-					if ip == nil {
+					ip, err := netip.ParseAddr(item.Value)
+					if err != nil {
 						c.Log.Errorf("unable to parse IP %s", item.Value)
 						continue
 					}
diff --git a/pkg/parser/whitelist.go b/pkg/parser/whitelist.go
@@ -2,7 +2,7 @@ package parser
 
 import (
 	"fmt"
-	"net"
+	"net/netip"
 
 	"github.com/expr-lang/expr"
 	"github.com/expr-lang/expr/vm"
@@ -16,9 +16,9 @@ import (
 type Whitelist struct {
 	Reason  string   `yaml:"reason,omitempty"`
 	Ips     []string `yaml:"ip,omitempty"`
-	B_Ips   []net.IP
+	B_Ips   []netip.Addr
 	Cidrs   []string `yaml:"cidr,omitempty"`
-	B_Cidrs []*net.IPNet
+	B_Cidrs []netip.Prefix
 	Exprs   []string `yaml:"expression,omitempty"`
 	B_Exprs []*ExprWhitelist
 }
@@ -52,7 +52,7 @@ func (n *Node) CheckIPsWL(p *types.Event) bool {
 			break
 		}
 		for _, v := range n.Whitelist.B_Ips {
-			if v.Equal(src) {
+			if v == src {
 				n.Logger.Debugf("Event from [%s] is whitelisted by IP (%s), reason [%s]", src, v, n.Whitelist.Reason)
 				isWhitelisted = true
 				break
@@ -115,14 +115,19 @@ func (n *Node) CheckExprWL(cachedExprEnv map[string]interface{}, p *types.Event)
 
 func (n *Node) CompileWLs() (bool, error) {
 	for _, v := range n.Whitelist.Ips {
-		n.Whitelist.B_Ips = append(n.Whitelist.B_Ips, net.ParseIP(v))
-		n.Logger.Debugf("adding ip %s to whitelists", net.ParseIP(v))
+		addr, err := netip.ParseAddr(v)
+		if err != nil {
+			return false, fmt.Errorf("parsing whitelist: %w", err)
+		}
+
+		n.Whitelist.B_Ips = append(n.Whitelist.B_Ips, addr)
+		n.Logger.Debugf("adding ip %s to whitelists", addr)
 	}
 
 	for _, v := range n.Whitelist.Cidrs {
-		_, tnet, err := net.ParseCIDR(v)
+		tnet, err := netip.ParsePrefix(v)
 		if err != nil {
-			return false, fmt.Errorf("unable to parse cidr whitelist '%s' : %v", v, err)
+			return false, fmt.Errorf("parsing whitelist: %w", err)
 		}
 		n.Whitelist.B_Cidrs = append(n.Whitelist.B_Cidrs, tnet)
 		n.Logger.Debugf("adding cidr %s to whitelists", tnet)
@@ -131,7 +136,7 @@ func (n *Node) CompileWLs() (bool, error) {
 	for _, filter := range n.Whitelist.Exprs {
 		var err error
 		expression := &ExprWhitelist{}
-		expression.Filter, err = expr.Compile(filter, exprhelpers.GetExprOptions(map[string]interface{}{"evt": &types.Event{}})...)
+		expression.Filter, err = expr.Compile(filter, exprhelpers.GetExprOptions(map[string]any{"evt": &types.Event{}})...)
 		if err != nil {
 			return false, fmt.Errorf("unable to compile whitelist expression '%s' : %v", filter, err)
 		}
diff --git a/pkg/parser/whitelist_test.go b/pkg/parser/whitelist_test.go
@@ -38,7 +38,7 @@ func TestWhitelistCompile(t *testing.T) {
 					"127.0.0.1/1000",
 				},
 			},
-			expectedErr: "invalid CIDR address",
+			expectedErr: `parsing whitelist: netip.ParsePrefix("127.0.0.1/1000"): prefix length out of range`,
 		},
 		{
 			name: "Valid EXPR whitelist",
diff --git a/pkg/types/event.go b/pkg/types/event.go
diff --git a/pkg/types/event_test.go b/pkg/types/event_test.go
diff --git a/test/bats/13_capi_whitelists.bats b/test/bats/13_capi_whitelists.bats

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"fmt"`
`9`	`9`	`"io"`
`10`	`10`	`"net"`
	`11`	`+ "net/netip"`
`11`	`12`	`"os"`
`12`	`13`	`"strings"`
`13`	`14`	`"time"`
`@@ -276,8 +277,8 @@ func toValidCIDR(ip string) string {`
`276`	`277`	`}`
`277`	`278`
`278`	`279`	`type CapiWhitelist struct {`
`279`		- Ips []net.IP `yaml:"ips,omitempty"`
`280`		- Cidrs []*net.IPNet `yaml:"cidrs,omitempty"`
	`280`	+ Ips []netip.Addr `yaml:"ips,omitempty"`
	`281`	+ Cidrs []netip.Prefix `yaml:"cidrs,omitempty"`
`281`	`282`	`}`
`282`	`283`
`283`	`284`	`type LocalAPIAutoRegisterCfg struct {`
`@@ -356,7 +357,7 @@ func (c *Config) LoadAPIServer(inCli bool, skipOnlineCreds bool) error {`
`356`	`357`	`}`
`357`	`358`
`358`	`359`	`if (c.API.Server.OnlineClient == nil \|\| c.API.Server.OnlineClient.Credentials == nil) && !inCli {`
`359`		`- log.Printf("push and pull to Central API disabled")`
	`360`	`+ log.Info("push and pull to Central API disabled")`
`360`	`361`	`}`
`361`	`362`
`362`	`363`	`// Set default values for CAPI push/pull`
`@@ -450,21 +451,21 @@ func parseCapiWhitelists(fd io.Reader) (*CapiWhitelist, error) {`
`450`	`451`	`}`
`451`	`452`
`452`	`453`	`ret := &CapiWhitelist{`
`453`		`- Ips: make([]net.IP, len(fromCfg.Ips)),`
`454`		`- Cidrs: make([]*net.IPNet, len(fromCfg.Cidrs)),`
	`454`	`+ Ips: make([]netip.Addr, len(fromCfg.Ips)),`
	`455`	`+ Cidrs: make([]netip.Prefix, len(fromCfg.Cidrs)),`
`455`	`456`	`}`
`456`	`457`
`457`	`458`	`for idx, v := range fromCfg.Ips {`
`458`		`- ip := net.ParseIP(v)`
`459`		`- if ip == nil {`
`460`		`- return nil, fmt.Errorf("invalid IP address: %s", v)`
	`459`	`+ ip, err := netip.ParseAddr(v)`
	`460`	`+ if err != nil {`
	`461`	`+ return nil, err`
`461`	`462`	`}`
`462`	`463`
`463`	`464`	`ret.Ips[idx] = ip`
`464`	`465`	`}`
`465`	`466`
`466`	`467`	`for idx, v := range fromCfg.Cidrs {`
`467`		`- _, tnet, err := net.ParseCIDR(v)`
	`468`	`+ tnet, err := netip.ParsePrefix(v)`
`468`	`469`	`if err != nil {`
`469`	`470`	`return nil, err`
`470`	`471`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func TestWhitelistCompile(t *testing.T) {`
`38`	`38`	`"127.0.0.1/1000",`
`39`	`39`	`},`
`40`	`40`	`},`
`41`		`- expectedErr: "invalid CIDR address",`
	`41`	+ expectedErr: `parsing whitelist: netip.ParsePrefix("127.0.0.1/1000"): prefix length out of range`,
`42`	`42`	`},`
`43`	`43`	`{`
`44`	`44`	`name: "Valid EXPR whitelist",`