Extend realip parsing of GRPC peer address to handle IPv6 (#692)

surik · web-flow · commit c2940ba9c9de · 2024-02-02T10:43:59.000-08:00
* Extend realip parsing of GRPC peer address to handle IPv6

* Remove debug fmt
diff --git a/interceptors/realip/realip.go b/interceptors/realip/realip.go
@@ -83,10 +83,12 @@ func getRemoteIP(ctx context.Context, trustedPeers []netip.Prefix, headers []str
 		return noIP
 	}
 
-	ip, err := netip.ParseAddr(strings.Split(pr.String(), ":")[0])
+	addrPort, err := netip.ParseAddrPort(pr.String())
 	if err != nil {
 		return noIP
 	}
+	ip := addrPort.Addr()
+
 	if len(trustedPeers) == 0 || !ipInNets(ip, trustedPeers) {
 		return ip
 	}
diff --git a/interceptors/realip/realip_test.go b/interceptors/realip/realip_test.go
@@ -19,17 +19,22 @@ import (
 var (
 	localnet []netip.Prefix = []netip.Prefix{
 		netip.MustParsePrefix("127.0.0.1/8"),
+		netip.MustParsePrefix("::1/128"),
 	}
 
 	privatenet []netip.Prefix = []netip.Prefix{
 		netip.MustParsePrefix("10.0.0.0/8"),
 		netip.MustParsePrefix("172.16.0.0/12"),
 		netip.MustParsePrefix("192.168.0.0/16"),
+		netip.MustParsePrefix("2002:c0a8::/32"),
 	}
 
-	privateIP netip.Addr = netip.MustParseAddr("192.168.0.1")
-	publicIP  netip.Addr = netip.MustParseAddr("8.8.8.8")
-	localhost netip.Addr = netip.MustParseAddr("127.0.0.1")
+	privateIP  netip.Addr = netip.MustParseAddr("192.168.0.1")
+	privateIP6 netip.Addr = netip.MustParseAddr("::ffff:c0a8:1")
+	publicIP   netip.Addr = netip.MustParseAddr("8.8.8.8")
+	publicIP6  netip.Addr = netip.MustParseAddr("::ffff:808:808")
+	localhost  netip.Addr = netip.MustParseAddr("127.0.0.1")
+	localhost6 netip.Addr = netip.MustParseAddr("::1")
 )
 
 func localhostPeer() *peer.Peer {
@@ -40,6 +45,14 @@ func localhostPeer() *peer.Peer {
 	}
 }
 
+func localhost6Peer() *peer.Peer {
+	return &peer.Peer{
+		Addr: &net.TCPAddr{
+			IP: net.ParseIP(localhost6.String()),
+		},
+	}
+}
+
 func publicPeer() *peer.Peer {
 	return &peer.Peer{
 		Addr: &net.TCPAddr{
@@ -56,6 +69,14 @@ func privatePeer() *peer.Peer {
 	}
 }
 
+func private6Peer() *peer.Peer {
+	return &peer.Peer{
+		Addr: &net.TCPAddr{
+			IP: net.ParseIP(privateIP6.String()),
+		},
+	}
+}
+
 type testCase struct {
 	trustedPeers []netip.Prefix
 	headerKeys   []string
@@ -331,6 +352,37 @@ func TestInterceptor(t *testing.T) {
 			testStreamServerInterceptor(t, tc)
 		})
 	})
+	t.Run("ipv6 from grpc peer", func(t *testing.T) {
+		tc := testCase{
+			trustedPeers: localnet,
+			headerKeys:   []string{},
+			peer:         localhost6Peer(),
+			expectedIP:   localhost6,
+		}
+		t.Run("unary", func(t *testing.T) {
+			testUnaryServerInterceptor(t, tc)
+		})
+		t.Run("stream", func(t *testing.T) {
+			testStreamServerInterceptor(t, tc)
+		})
+	})
+	t.Run("ipv6 from header", func(t *testing.T) {
+		tc := testCase{
+			trustedPeers: privatenet,
+			headerKeys:   []string{XForwardedFor},
+			inputHeaders: map[string]string{
+				XForwardedFor: publicIP6.String(),
+			},
+			peer:       private6Peer(),
+			expectedIP: publicIP6,
+		}
+		t.Run("unary", func(t *testing.T) {
+			testUnaryServerInterceptor(t, tc)
+		})
+		t.Run("stream", func(t *testing.T) {
+			testStreamServerInterceptor(t, tc)
+		})
+	})
 	t.Run("unix", func(t *testing.T) {
 		tc := testCase{
 			trustedPeers: localnet,

Original file line number	Diff line number	Diff line change
`@@ -83,10 +83,12 @@ func getRemoteIP(ctx context.Context, trustedPeers []netip.Prefix, headers []str`
`83`	`83`	`return noIP`
`84`	`84`	`}`
`85`	`85`
`86`		`- ip, err := netip.ParseAddr(strings.Split(pr.String(), ":")[0])`
	`86`	`+ addrPort, err := netip.ParseAddrPort(pr.String())`
`87`	`87`	`if err != nil {`
`88`	`88`	`return noIP`
`89`	`89`	`}`
	`90`	`+ ip := addrPort.Addr()`
	`91`	`+`
`90`	`92`	`if len(trustedPeers) == 0 \|\| !ipInNets(ip, trustedPeers) {`
`91`	`93`	`return ip`
`92`	`94`	`}`