Merge pull request #80 from it-at-m/feature/save-requests-with-netmask

Implemented saving captcha requests source addesses filtered by netmask

Author: tobiasholler

captchaservice-backend/pom.xml

@@ -313,6 +313,16 @@
             <artifactId>altcha</artifactId>
             <version>1.1.2</version>
         </dependency>
+        <dependency>
+            <groupId>commons-net</groupId>
+            <artifactId>commons-net</artifactId>
+            <version>3.11.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>33.4.8-jre</version>
+        </dependency>
     </dependencies>
 
     <scm>

captchaservice-backend/src/main/java/de/muenchen/captchaservice/common/InvalidSourceAddressException.java

@@ -0,0 +1,10 @@
+package de.muenchen.captchaservice.common;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class InvalidSourceAddressException extends ResponseStatusException {
+    public InvalidSourceAddressException(final String sourceAddress) {
+        super(HttpStatus.BAD_REQUEST, "Source address " + sourceAddress + " is not valid.");
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/configuration/captcha/CaptchaSite.java

@@ -1,15 +1,31 @@
 package de.muenchen.captchaservice.configuration.captcha;
 
+import jakarta.validation.constraints.Max;
 import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.NotNull;
 
 import java.util.List;
 
-public record CaptchaSite(String siteKey, String secret, @Min(1) Integer maxVerifiesPerPayload, @NotNull List<DifficultyItem> difficultyMap) {
-    public CaptchaSite(final String siteKey, final String secret, final Integer maxVerifiesPerPayload, final List<DifficultyItem> difficultyMap) {
+public record CaptchaSite(
+        String siteKey,
+        String secret,
+        @Min(1) Integer maxVerifiesPerPayload,
+        @NotNull List<DifficultyItem> difficultyMap,
+
+        @Min(0) @Max(32) Integer sourceAddressIpv4Cidr,
+        @Min(0) @Max(128) Integer sourceAddressIpv6Cidr) {
+    public CaptchaSite(
+            final String siteKey,
+            final String secret,
+            final Integer maxVerifiesPerPayload,
+            final List<DifficultyItem> difficultyMap,
+            final Integer sourceAddressIpv4Cidr,
+            final Integer sourceAddressIpv6Cidr) {
         this.siteKey = siteKey;
         this.secret = secret;
         this.maxVerifiesPerPayload = maxVerifiesPerPayload != null ? maxVerifiesPerPayload : 1;
         this.difficultyMap = List.copyOf(difficultyMap);
+        this.sourceAddressIpv4Cidr = sourceAddressIpv4Cidr != null ? sourceAddressIpv4Cidr : 32;
+        this.sourceAddressIpv6Cidr = sourceAddressIpv6Cidr != null ? sourceAddressIpv6Cidr : 128;
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/controller/captcha/CaptchaController.java

@@ -6,13 +6,17 @@
 import de.muenchen.captchaservice.controller.captcha.response.PostChallengeResponse;
 import de.muenchen.captchaservice.controller.captcha.response.PostVerifyResponse;
 import de.muenchen.captchaservice.data.SourceAddress;
+import de.muenchen.captchaservice.service.captcha.CaptchaService;
 import de.muenchen.captchaservice.service.siteauth.SiteAuthService;
+import de.muenchen.captchaservice.service.sourceaddress.SourceAddressService;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import org.altcha.altcha.Altcha;
-import org.springframework.web.bind.annotation.*;
-import de.muenchen.captchaservice.service.captcha.CaptchaService;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/api/v1/captcha")
@@ -21,6 +25,7 @@ public class CaptchaController {
 
     private final CaptchaService captchaService;
     private final SiteAuthService siteAuthService;
+    private final SourceAddressService sourceAddressService;
 
     @PostMapping("/challenge")
     @SneakyThrows
@@ -29,7 +34,7 @@ public PostChallengeResponse postChallenge(@Valid @RequestBody final PostChallen
             throw new UnauthorizedException("Wrong credentials.");
         }
 
-        final SourceAddress sourceAddress = SourceAddress.parse(request.getClientAddress());
+        final SourceAddress sourceAddress = sourceAddressService.parse(request.getSiteKey(), request.getClientAddress());
         final Altcha.Challenge challenge = captchaService.createChallenge(request.getSiteKey(), sourceAddress);
         return new PostChallengeResponse(challenge);
     }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/SourceAddress.java

@@ -3,19 +3,12 @@
 import lombok.AllArgsConstructor;
 import org.apache.commons.codec.digest.DigestUtils;
 
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
 @AllArgsConstructor
 public class SourceAddress {
 
-    final private InetAddress inetAddress;
-
-    public static SourceAddress parse(final String sourceAddress) throws UnknownHostException {
-        return new SourceAddress(InetAddress.getByName(sourceAddress));
-    }
+    final private String sourceAddress;
 
     public String getHash() {
-        return DigestUtils.sha256Hex(inetAddress.toString());
+        return DigestUtils.sha256Hex(sourceAddress);
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/sourceaddress/SourceAddressService.java

@@ -0,0 +1,32 @@
+package de.muenchen.captchaservice.service.sourceaddress;
+
+import com.google.common.net.InetAddresses;
+import de.muenchen.captchaservice.configuration.captcha.CaptchaProperties;
+import de.muenchen.captchaservice.configuration.captcha.CaptchaSite;
+import de.muenchen.captchaservice.data.SourceAddress;
+import de.muenchen.captchaservice.util.networkaddresscalculator.NetworkAddressCalculator;
+import lombok.AllArgsConstructor;
+import org.springframework.stereotype.Service;
+
+import java.net.InetAddress;
+
+@Service
+@AllArgsConstructor
+public class SourceAddressService {
+    private final CaptchaProperties captchaProperties;
+
+    public SourceAddress parse(final String siteKey, final String sourceAddress) {
+        CaptchaSite site = captchaProperties.sites().get(siteKey);
+        String networkAddressString;
+        InetAddress addr = InetAddresses.forString(sourceAddress);
+        if (addr instanceof java.net.Inet4Address) {
+            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv4Cidr());
+        } else if (addr instanceof java.net.Inet6Address) {
+            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv6Cidr());
+        } else {
+            throw new IllegalArgumentException("Unsupported IP address type: " + addr.getClass().getName());
+        }
+        return new SourceAddress(networkAddressString);
+    }
+
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/util/networkaddresscalculator/InvalidAddressException.java

@@ -0,0 +1,13 @@
+package de.muenchen.captchaservice.util.networkaddresscalculator;
+
+import lombok.Getter;
+
+public class InvalidAddressException extends RuntimeException {
+    @Getter
+    private final String address;
+
+    public InvalidAddressException(String message, String address, Exception cause) {
+        super(message, cause);
+        this.address = address;
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/util/networkaddresscalculator/InvalidNetSizeException.java

@@ -0,0 +1,13 @@
+package de.muenchen.captchaservice.util.networkaddresscalculator;
+
+import lombok.Getter;
+
+public class InvalidNetSizeException extends RuntimeException {
+    @Getter
+    private final int netSize;
+
+    public InvalidNetSizeException(String message, int netSize) {
+        super(message);
+        this.netSize = netSize;
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/util/networkaddresscalculator/NetworkAddressCalculator.java

@@ -0,0 +1,54 @@
+package de.muenchen.captchaservice.util.networkaddresscalculator;
+
+import com.google.common.net.InetAddresses;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+public class NetworkAddressCalculator {
+
+    /**
+     * Calculates the network address for a given IP address and netmask size (CIDR prefix).
+     * Supports both IPv4 and IPv6 addresses.
+     *
+     * @param address The IP address string (e.g., "192.168.1.1", "2001:db8::1").
+     * @param netSize The CIDR netmask size (e.g., 24 for IPv4, 64 for IPv6).
+     * @return The network address string (e.g., "192.168.1.0", "2001:db8::").
+     * @throws InvalidAddressException If the IP address is invalid.
+     * @throws InvalidNetSizeException If the `netSize` is out of range for the given IP version.
+     */
+    public static String getNetworkAddress(String address, int netSize) {
+        try {
+            InetAddress inetAddress = InetAddresses.forString(address);
+            byte[] addressBytes = inetAddress.getAddress();
+            int addressLengthBits = addressBytes.length * 8;
+
+            if (netSize < 0 || netSize > addressLengthBits) {
+                throw new InvalidNetSizeException(
+                        "Net size " + netSize + " is out of range for a " +
+                                (addressLengthBits == 32 ? "IPv4" : "IPv6") + " address (0-" + addressLengthBits + ")",
+                        netSize);
+            }
+
+            byte[] netAddressBytes = new byte[addressBytes.length];
+
+            // Apply the netmask bit by bit
+            for (int i = 0; i < addressBytes.length; i++) {
+                int byteNetSizeRemaining = netSize - (i * 8);
+                if (byteNetSizeRemaining >= 8) {
+                    netAddressBytes[i] = addressBytes[i];
+                } else if (byteNetSizeRemaining > 0) {
+                    int mask = 0xFF << (8 - byteNetSizeRemaining);
+                    netAddressBytes[i] = (byte) (addressBytes[i] & mask);
+                } else {
+                    netAddressBytes[i] = 0;
+                }
+            }
+
+            InetAddress netInetAddress = InetAddress.getByAddress(netAddressBytes);
+            return netInetAddress.getHostAddress();
+        } catch (IllegalArgumentException | UnknownHostException e) {
+            throw new InvalidAddressException("Invalid address: " + address, address, e);
+        }
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/validation/SourceAddressConstraintValidator.java

@@ -1,17 +1,15 @@
 package de.muenchen.captchaservice.validation;
 
+import com.google.common.net.InetAddresses;
 import jakarta.validation.ConstraintValidator;
 import jakarta.validation.ConstraintValidatorContext;
 
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
 public class SourceAddressConstraintValidator implements ConstraintValidator<ValidSourceAddress, String> {
     @Override
     public boolean isValid(final String value, final ConstraintValidatorContext constraintValidatorContext) {
         try {
-            InetAddress.getByName(value);
-        } catch (UnknownHostException e) {
+            InetAddresses.forString(value);
+        } catch (IllegalArgumentException e) {
             return false;
         }
         return true;