Merge pull request #83 from it-at-m/v1.2

Added Source Address Whitelist and refactoring

Author: tobiasholler

captchaservice-backend/src/main/java/de/muenchen/captchaservice/configuration/captcha/CaptchaSite.java

@@ -11,21 +11,23 @@ public record CaptchaSite(
         String secret,
         @Min(1) Integer maxVerifiesPerPayload,
         @NotNull List<DifficultyItem> difficultyMap,
-
-        @Min(0) @Max(32) Integer sourceAddressIpv4Cidr,
-        @Min(0) @Max(128) Integer sourceAddressIpv6Cidr) {
+        @Min(0) @Max(32) Integer sourceAddressIpv4NetSize,
+        @Min(0) @Max(128) Integer sourceAddressIpv6NetSize,
+        List<String> whitelistedSourceAddresses) {
     public CaptchaSite(
             final String siteKey,
             final String secret,
             final Integer maxVerifiesPerPayload,
             final List<DifficultyItem> difficultyMap,
-            final Integer sourceAddressIpv4Cidr,
-            final Integer sourceAddressIpv6Cidr) {
+            final Integer sourceAddressIpv4NetSize,
+            final Integer sourceAddressIpv6NetSize,
+            final List<String> whitelistedSourceAddresses) {
         this.siteKey = siteKey;
         this.secret = secret;
         this.maxVerifiesPerPayload = maxVerifiesPerPayload != null ? maxVerifiesPerPayload : 1;
         this.difficultyMap = List.copyOf(difficultyMap);
-        this.sourceAddressIpv4Cidr = sourceAddressIpv4Cidr != null ? sourceAddressIpv4Cidr : 32;
-        this.sourceAddressIpv6Cidr = sourceAddressIpv6Cidr != null ? sourceAddressIpv6Cidr : 128;
+        this.sourceAddressIpv4NetSize = sourceAddressIpv4NetSize != null ? sourceAddressIpv4NetSize : 32;
+        this.sourceAddressIpv6NetSize = sourceAddressIpv6NetSize != null ? sourceAddressIpv6NetSize : 128;
+        this.whitelistedSourceAddresses = whitelistedSourceAddresses != null ? List.copyOf(whitelistedSourceAddresses) : List.of();
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/SourceAddress.java

@@ -1,9 +1,11 @@
 package de.muenchen.captchaservice.data;
 
 import lombok.AllArgsConstructor;
+import lombok.Data;
 import org.apache.commons.codec.digest.DigestUtils;
 
 @AllArgsConstructor
+@Data
 public class SourceAddress {
 
     final private String sourceAddress;

captchaservice-backend/src/main/java/de/muenchen/captchaservice/entity/CaptchaRequest.java

@@ -8,14 +8,15 @@
 import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 import lombok.*;
+import org.hibernate.annotations.CreationTimestamp;
 
 import java.time.Instant;
 
 @Entity
 @Table(
         indexes = {
                 @Index(name = "idx_captcha_request_source_address_hash", columnList = "sourceAddressHash"),
-                @Index(name = "idx_captcha_request_expires_at", columnList = "expiresAt")
+                @Index(name = "idx_captcha_request_source_address_hash_expires_at", columnList = "sourceAddressHash, expiresAt")
         }
 )
 
@@ -25,7 +26,6 @@
 @ToString(callSuper = true)
 @EqualsAndHashCode(callSuper = true)
 @NoArgsConstructor
-@AllArgsConstructor
 public class CaptchaRequest extends BaseEntity {
 
     private static final long serialVersionUID = 1L;
@@ -34,12 +34,25 @@ public class CaptchaRequest extends BaseEntity {
     // Variables //
     // ========= //
 
+    @CreationTimestamp
+    @Column(updatable = false)
+    private Instant requestAt;
+
     @Column(nullable = false, length = 64)
     @NotNull
     @Size(min = 64, max = 64)
     private String sourceAddressHash;
 
+    @NotNull
+    private boolean isWhitelisted;
+
     @NotNull
     private Instant expiresAt;
 
+    public CaptchaRequest(String sourceAddressHash, boolean isWhitelisted, Instant expiresAt) {
+        this.sourceAddressHash = sourceAddressHash;
+        this.isWhitelisted = isWhitelisted;
+        this.expiresAt = expiresAt;
+    }
+
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/entity/InvalidatedPayload.java

@@ -15,7 +15,7 @@
 @Table(
         indexes = {
                 @Index(name = "idx_invalidated_payload_payload_hash", columnList = "payloadHash"),
-                @Index(name = "idx_invalidated_payload_expires_at", columnList = "expiresAt")
+                @Index(name = "idx_invalidated_payload_payload_hash_expires_at", columnList = "payloadHash, expiresAt")
         }
 )
 // Definition of getter, setter, ...

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/CaptchaService.java

@@ -32,7 +32,7 @@ public CaptchaService(final CaptchaProperties captchaProperties, final Difficult
 
     public Altcha.Challenge createChallenge(final String siteKey, final SourceAddress sourceAddress) {
         final long difficulty = difficultyService.getDifficultyForSourceAddress(siteKey, sourceAddress);
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest(siteKey, sourceAddress);
         final Altcha.ChallengeOptions options = new Altcha.ChallengeOptions();
         options.algorithm = Altcha.Algorithm.SHA256;
         options.hmacKey = captchaProperties.hmacKey();

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/difficulty/DifficultyService.java

@@ -8,10 +8,13 @@
 import de.muenchen.captchaservice.repository.CaptchaRequestRepository;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.web.util.matcher.IpAddressMatcher;
 import org.springframework.stereotype.Service;
 
 import java.time.Instant;
+import java.util.Map;
 import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
 
 @Service
 @Slf4j
@@ -21,21 +24,26 @@ public class DifficultyService {
 
     private final CaptchaRequestRepository captchaRequestRepository;
 
+    private final Map<String, IpAddressMatcher> matcherCache = new ConcurrentHashMap<>();
+
     @SuppressFBWarnings(value = { "EI_EXPOSE_REP2" }, justification = "Dependency Injection")
     public DifficultyService(final CaptchaProperties captchaProperties, final CaptchaRequestRepository captchaRequestRepository) {
         this.captchaProperties = captchaProperties;
         this.captchaRequestRepository = captchaRequestRepository;
     }
 
-    public void registerRequest(final SourceAddress sourceAddress) {
+    public void registerRequest(final String siteKey, final SourceAddress sourceAddress) {
         final String sourceAddressHash = sourceAddress.getHash();
-        final CaptchaRequest captchaRequest = new CaptchaRequest(sourceAddressHash,
+        final CaptchaRequest captchaRequest = new CaptchaRequest(sourceAddressHash, isSourceAddressWhitelisted(siteKey, sourceAddress),
                 Instant.now().plusSeconds(captchaProperties.sourceAddressWindowSeconds()));
         captchaRequestRepository.save(captchaRequest);
         log.debug("Registered request for source address with hash {}", sourceAddressHash);
     }
 
     public long getDifficultyForSourceAddress(final String siteKey, final SourceAddress sourceAddress) {
+        if (isSourceAddressWhitelisted(siteKey, sourceAddress)) {
+            return 1L;
+        }
         final CaptchaSite captchaSite = captchaProperties.sites().get(siteKey);
         if (captchaSite == null) {
             throw new IllegalArgumentException("siteKey not found");
@@ -47,7 +55,7 @@ public long getDifficultyForSourceAddress(final String siteKey, final SourceAddr
                 .difficultyMap()
                 .stream()
                 .sorted((o1, o2) -> Math.toIntExact(o2.minVisits() - o1.minVisits()))
-                .filter(di -> di.minVisits() <= sourceVisitCount)
+                .filter(di -> di.minVisits() - 1 <= sourceVisitCount)
                 .findFirst();
         if (difficultyItem.isEmpty()) {
             log.error("No difficulty found site {} with {} visits", siteKey, sourceVisitCount);
@@ -58,4 +66,13 @@ public long getDifficultyForSourceAddress(final String siteKey, final SourceAddr
         return maxNumber;
     }
 
+    public boolean isSourceAddressWhitelisted(final String siteKey, final SourceAddress sourceAddress) {
+        final CaptchaSite captchaSite = captchaProperties.sites().get(siteKey);
+        for (String subnet : captchaSite.whitelistedSourceAddresses()) {
+            IpAddressMatcher matcher = matcherCache.computeIfAbsent(subnet, IpAddressMatcher::new);
+            if (matcher.matches(sourceAddress.getSourceAddress())) return true;
+        }
+        return false;
+    }
+
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/sourceaddress/SourceAddressService.java

@@ -20,9 +20,9 @@ public SourceAddress parse(final String siteKey, final String sourceAddress) {
         String networkAddressString;
         InetAddress addr = InetAddresses.forString(sourceAddress);
         if (addr instanceof java.net.Inet4Address) {
-            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv4Cidr());
+            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv4NetSize());
         } else if (addr instanceof java.net.Inet6Address) {
-            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv6Cidr());
+            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv6NetSize());
         } else {
             throw new IllegalArgumentException("Unsupported IP address type: " + addr.getClass().getName());
         }

captchaservice-backend/src/main/resources/application-local.yml

@@ -39,8 +39,13 @@ security:
 captcha:
   hmac-key: secret
   sites:
+    loadtest:
+      secret: loadtest
+      difficulty-map:
+        - min-visits: 1
+          max-number: 1
     test:
       secret: test
       difficulty-map:
-        - min-visits: 0
+        - min-visits: 1
           max-number: 1000

captchaservice-backend/src/main/resources/db/migration/schema/V001__Init.sql

@@ -1,7 +1,9 @@
 CREATE TABLE captcha_request
 (
     id                  UUID                     NOT NULL,
+    request_at          TIMESTAMP WITH TIME ZONE,
     source_address_hash VARCHAR(64)              NOT NULL,
+    is_whitelisted      BOOLEAN                  NOT NULL,
     expires_at          TIMESTAMP WITH TIME ZONE NOT NULL,
     CONSTRAINT pk_captcharequest PRIMARY KEY (id)
 );
@@ -14,10 +16,10 @@ CREATE TABLE invalidated_payload
     CONSTRAINT pk_invalidatedpayload PRIMARY KEY (id)
 );
 
-CREATE INDEX idx_captcha_request_expires_at ON captcha_request (expires_at);
-
 CREATE INDEX idx_captcha_request_source_address_hash ON captcha_request (source_address_hash);
 
-CREATE INDEX idx_invalidated_payload_expires_at ON invalidated_payload (expires_at);
+CREATE INDEX idx_captcha_request_source_address_hash_expires_at ON captcha_request (source_address_hash, expires_at);
+
+CREATE INDEX idx_invalidated_payload_payload_hash ON invalidated_payload (payload_hash);
 
-CREATE INDEX idx_invalidated_payload_payload_hash ON invalidated_payload (payload_hash);
+CREATE INDEX idx_invalidated_payload_payload_hash_expires_at ON invalidated_payload (payload_hash, expires_at);

captchaservice-backend/src/test/java/de/muenchen/captchaservice/service/difficulty/DifficultyServiceTest.java

@@ -43,23 +43,49 @@ void testDifficultyIncrease() {
         final SourceAddress sourceAddress = new SourceAddress("1.2.3.4");
         long difficulty;
         // --
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest("test_site", sourceAddress);
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(1_000L, difficulty);
         // --
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest("test_site", sourceAddress);
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(2_000L, difficulty);
         // --
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest("test_site", sourceAddress);
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(3_000L, difficulty);
         // --
         for (int i = 0; i < 5; i++) {
-            difficultyService.registerRequest(sourceAddress);
+            difficultyService.registerRequest("test_site", sourceAddress);
         }
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(3_000L, difficulty);
     }
 
+    @Test
+    @SneakyThrows
+    void testDifficultyIncreaseWithWhitelistedSourceAddress() {
+        databaseTestUtil.clearDatabase();
+        final SourceAddress sourceAddress = new SourceAddress("10.1.2.3");
+        long difficulty;
+        // --
+        difficultyService.registerRequest("test_site", sourceAddress);
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+        // --
+        difficultyService.registerRequest("test_site", sourceAddress);
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+        // --
+        difficultyService.registerRequest("test_site", sourceAddress);
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+        // --
+        for (int i = 0; i < 5; i++) {
+            difficultyService.registerRequest("test_site", sourceAddress);
+        }
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+    }
+
 }