apic

mmetc · mmetc · commit 94ea4e069d15 · 2025-06-20T09:25:33.000+02:00
diff --git a/pkg/apiserver/apic.go b/pkg/apiserver/apic.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"math/rand"
-	"net"
+	"net/netip"
 	"net/http"
 	"net/url"
 	"slices"
@@ -844,26 +844,30 @@ func (a *apic) UpdateAllowlists(ctx context.Context, allowlistsLinks []*modelsca
 
 // if decisions is whitelisted: return representation of the whitelist ip or cidr
 // if not whitelisted: empty string
-func (a *apic) whitelistedBy(decision *models.Decision, additionalIPs []net.IP, additionalRanges []*net.IPNet) string {
+func (a *apic) whitelistedBy(decision *models.Decision, additionalIPs []netip.Addr, additionalRanges []netip.Prefix) string {
 	if decision.Value == nil {
 		return ""
 	}
 
-	ipval := net.ParseIP(*decision.Value)
+	ipval, err := netip.ParseAddr(*decision.Value)
+	if err != nil {
+		// XXX: handle error
+	}
+
 	for _, cidr := range a.whitelists.Cidrs {
 		if cidr.Contains(ipval) {
 			return cidr.String()
 		}
 	}
 
 	for _, ip := range a.whitelists.Ips {
-		if ip != nil && ip.Equal(ipval) {
+		if ip == ipval {
 			return ip.String()
 		}
 	}
 
 	for _, ip := range additionalIPs {
-		if ip.Equal(ipval) {
+		if ip == ipval {
 			return ip.String()
 		}
 	}
diff --git a/pkg/apiserver/apic_test.go b/pkg/apiserver/apic_test.go
@@ -5,7 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net"
+	"net/netip"
 	"net/http"
 	"net/url"
 	"os"
@@ -528,14 +528,14 @@ func TestAPICWhitelists(t *testing.T) {
 	api := getAPIC(t, ctx)
 	// one whitelist on IP, one on CIDR
 	api.whitelists = &csconfig.CapiWhitelist{}
-	api.whitelists.Ips = append(api.whitelists.Ips, net.ParseIP("9.2.3.4"), net.ParseIP("7.2.3.4"))
+	api.whitelists.Ips = append(api.whitelists.Ips, netip.MustParseAddr("9.2.3.4"), netip.MustParseAddr("7.2.3.4"))
 
-	_, tnet, err := net.ParseCIDR("13.2.3.0/24")
+	tnet, err := netip.ParsePrefix("13.2.3.0/24")
 	require.NoError(t, err)
 
 	api.whitelists.Cidrs = append(api.whitelists.Cidrs, tnet)
 
-	_, tnet, err = net.ParseCIDR("11.2.3.0/24")
+	tnet, err = netip.ParsePrefix("11.2.3.0/24")
 	require.NoError(t, err)
 
 	api.whitelists.Cidrs = append(api.whitelists.Cidrs, tnet)
diff --git a/pkg/csconfig/api.go b/pkg/csconfig/api.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"os"
 	"strings"
 	"time"
@@ -276,8 +277,8 @@ func toValidCIDR(ip string) string {
 }
 
 type CapiWhitelist struct {
-	Ips   []net.IP     `yaml:"ips,omitempty"`
-	Cidrs []*net.IPNet `yaml:"cidrs,omitempty"`
+	Ips   []netip.Addr   `yaml:"ips,omitempty"`
+	Cidrs []netip.Prefix `yaml:"cidrs,omitempty"`
 }
 
 type LocalAPIAutoRegisterCfg struct {
@@ -450,21 +451,21 @@ func parseCapiWhitelists(fd io.Reader) (*CapiWhitelist, error) {
 	}
 
 	ret := &CapiWhitelist{
-		Ips:   make([]net.IP, len(fromCfg.Ips)),
-		Cidrs: make([]*net.IPNet, len(fromCfg.Cidrs)),
+		Ips:   make([]netip.Addr, len(fromCfg.Ips)),
+		Cidrs: make([]netip.Prefix, len(fromCfg.Cidrs)),
 	}
 
 	for idx, v := range fromCfg.Ips {
-		ip := net.ParseIP(v)
-		if ip == nil {
-			return nil, fmt.Errorf("invalid IP address: %s", v)
+		ip, err := netip.ParseAddr(v)
+		if err != nil {
+			return nil, err
 		}
 
 		ret.Ips[idx] = ip
 	}
 
 	for idx, v := range fromCfg.Cidrs {
-		_, tnet, err := net.ParseCIDR(v)
+		tnet, err := netip.ParsePrefix(v)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/database/allowlists.go b/pkg/database/allowlists.go
@@ -3,7 +3,7 @@ package database
 import (
 	"context"
 	"fmt"
-	"net"
+	"net/netip"
 	"strings"
 	"time"
 
@@ -354,31 +354,31 @@ func (c *Client) IsAllowlisted(ctx context.Context, value string) (bool, string,
 	return true, reason, nil
 }
 
-func (c *Client) GetAllowlistsContentForAPIC(ctx context.Context) ([]net.IP, []*net.IPNet, error) {
+func (c *Client) GetAllowlistsContentForAPIC(ctx context.Context) ([]netip.Addr, []netip.Prefix, error) {
 	allowlists, err := c.ListAllowLists(ctx, true)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to get allowlists: %w", err)
 	}
 
 	var (
-		ips  []net.IP
-		nets []*net.IPNet
+		ips  []netip.Addr
+		nets []netip.Prefix
 	)
 
 	for _, allowlist := range allowlists {
 		for _, item := range allowlist.Edges.AllowlistItems {
 			if item.ExpiresAt.IsZero() || item.ExpiresAt.After(time.Now().UTC()) {
 				if strings.Contains(item.Value, "/") {
-					_, ipNet, err := net.ParseCIDR(item.Value)
+					ipNet, err := netip.ParsePrefix(item.Value)
 					if err != nil {
 						c.Log.Errorf("unable to parse CIDR %s: %s", item.Value, err)
 						continue
 					}
 
 					nets = append(nets, ipNet)
 				} else {
-					ip := net.ParseIP(item.Value)
-					if ip == nil {
+					ip, err := netip.ParseAddr(item.Value)
+					if err != nil {
 						c.Log.Errorf("unable to parse IP %s", item.Value)
 						continue
 					}

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"errors"`
`8`	`8`	`"fmt"`
`9`	`9`	`"math/rand"`
`10`		`- "net"`
	`10`	`+ "net/netip"`
`11`	`11`	`"net/http"`
`12`	`12`	`"net/url"`
`13`	`13`	`"slices"`
`@@ -844,26 +844,30 @@ func (a apic) UpdateAllowlists(ctx context.Context, allowlistsLinks []modelsca`
`844`	`844`
`845`	`845`	`// if decisions is whitelisted: return representation of the whitelist ip or cidr`
`846`	`846`	`// if not whitelisted: empty string`
`847`		`-func (a apic) whitelistedBy(decision models.Decision, additionalIPs []net.IP, additionalRanges []*net.IPNet) string {`
	`847`	`+func (a apic) whitelistedBy(decision models.Decision, additionalIPs []netip.Addr, additionalRanges []netip.Prefix) string {`
`848`	`848`	`if decision.Value == nil {`
`849`	`849`	`return ""`
`850`	`850`	`}`
`851`	`851`
`852`		`- ipval := net.ParseIP(*decision.Value)`
	`852`	`+ ipval, err := netip.ParseAddr(*decision.Value)`
	`853`	`+ if err != nil {`
	`854`	`+ // XXX: handle error`
	`855`	`+ }`
	`856`	`+`
`853`	`857`	`for _, cidr := range a.whitelists.Cidrs {`
`854`	`858`	`if cidr.Contains(ipval) {`
`855`	`859`	`return cidr.String()`
`856`	`860`	`}`
`857`	`861`	`}`
`858`	`862`
`859`	`863`	`for _, ip := range a.whitelists.Ips {`
`860`		`- if ip != nil && ip.Equal(ipval) {`
	`864`	`+ if ip == ipval {`
`861`	`865`	`return ip.String()`
`862`	`866`	`}`
`863`	`867`	`}`
`864`	`868`
`865`	`869`	`for _, ip := range additionalIPs {`
`866`		`- if ip.Equal(ipval) {`
	`870`	`+ if ip == ipval {`
`867`	`871`	`return ip.String()`
`868`	`872`	`}`
`869`	`873`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"fmt"`
`9`	`9`	`"io"`
`10`	`10`	`"net"`
	`11`	`+ "net/netip"`
`11`	`12`	`"os"`
`12`	`13`	`"strings"`
`13`	`14`	`"time"`
`@@ -276,8 +277,8 @@ func toValidCIDR(ip string) string {`
`276`	`277`	`}`
`277`	`278`
`278`	`279`	`type CapiWhitelist struct {`
`279`		- Ips []net.IP `yaml:"ips,omitempty"`
`280`		- Cidrs []*net.IPNet `yaml:"cidrs,omitempty"`
	`280`	+ Ips []netip.Addr `yaml:"ips,omitempty"`
	`281`	+ Cidrs []netip.Prefix `yaml:"cidrs,omitempty"`
`281`	`282`	`}`
`282`	`283`
`283`	`284`	`type LocalAPIAutoRegisterCfg struct {`
`@@ -450,21 +451,21 @@ func parseCapiWhitelists(fd io.Reader) (*CapiWhitelist, error) {`
`450`	`451`	`}`
`451`	`452`
`452`	`453`	`ret := &CapiWhitelist{`
`453`		`- Ips: make([]net.IP, len(fromCfg.Ips)),`
`454`		`- Cidrs: make([]*net.IPNet, len(fromCfg.Cidrs)),`
	`454`	`+ Ips: make([]netip.Addr, len(fromCfg.Ips)),`
	`455`	`+ Cidrs: make([]netip.Prefix, len(fromCfg.Cidrs)),`
`455`	`456`	`}`
`456`	`457`
`457`	`458`	`for idx, v := range fromCfg.Ips {`
`458`		`- ip := net.ParseIP(v)`
`459`		`- if ip == nil {`
`460`		`- return nil, fmt.Errorf("invalid IP address: %s", v)`
	`459`	`+ ip, err := netip.ParseAddr(v)`
	`460`	`+ if err != nil {`
	`461`	`+ return nil, err`
`461`	`462`	`}`
`462`	`463`
`463`	`464`	`ret.Ips[idx] = ip`
`464`	`465`	`}`
`465`	`466`
`466`	`467`	`for idx, v := range fromCfg.Cidrs {`
`467`		`- _, tnet, err := net.ParseCIDR(v)`
	`468`	`+ tnet, err := netip.ParsePrefix(v)`
`468`	`469`	`if err != nil {`
`469`	`470`	`return nil, err`
`470`	`471`	`}`