implemented saving request source addresses filtered by netmask

Author: tobiasholler

captchaservice-backend/pom.xml

@@ -313,6 +313,11 @@
             <artifactId>altcha</artifactId>
             <version>1.1.2</version>
         </dependency>
+        <dependency>
+            <groupId>commons-net</groupId>
+            <artifactId>commons-net</artifactId>
+            <version>3.11.1</version>
+        </dependency>
     </dependencies>
 
     <scm>

captchaservice-backend/src/main/java/de/muenchen/captchaservice/common/InvalidSourceAddressException.java

@@ -0,0 +1,10 @@
+package de.muenchen.captchaservice.common;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class InvalidSourceAddressException extends ResponseStatusException {
+    public InvalidSourceAddressException(final String sourceAddress) {
+        super(HttpStatus.BAD_REQUEST, "Source address " + sourceAddress + " is not valid.");
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/configuration/captcha/CaptchaSite.java

@@ -1,15 +1,31 @@
 package de.muenchen.captchaservice.configuration.captcha;
 
+import jakarta.validation.constraints.Max;
 import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.NotNull;
 
 import java.util.List;
 
-public record CaptchaSite(String siteKey, String secret, @Min(1) Integer maxVerifiesPerPayload, @NotNull List<DifficultyItem> difficultyMap) {
-    public CaptchaSite(final String siteKey, final String secret, final Integer maxVerifiesPerPayload, final List<DifficultyItem> difficultyMap) {
+public record CaptchaSite(
+        String siteKey,
+        String secret,
+        @Min(1) Integer maxVerifiesPerPayload,
+        @NotNull List<DifficultyItem> difficultyMap,
+
+        @Min(0) @Max(32) Integer sourceAddressIpv4Cidr,
+        @Min(0) @Max(128) Integer sourceAddressIpv6Cidr) {
+    public CaptchaSite(
+            final String siteKey,
+            final String secret,
+            final Integer maxVerifiesPerPayload,
+            final List<DifficultyItem> difficultyMap,
+            final Integer sourceAddressIpv4Cidr,
+            final Integer sourceAddressIpv6Cidr) {
         this.siteKey = siteKey;
         this.secret = secret;
         this.maxVerifiesPerPayload = maxVerifiesPerPayload != null ? maxVerifiesPerPayload : 1;
         this.difficultyMap = List.copyOf(difficultyMap);
+        this.sourceAddressIpv4Cidr = sourceAddressIpv4Cidr != null ? sourceAddressIpv4Cidr : 32;
+        this.sourceAddressIpv6Cidr = sourceAddressIpv6Cidr != null ? sourceAddressIpv6Cidr : 128;
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/controller/captcha/CaptchaController.java

@@ -6,13 +6,17 @@
 import de.muenchen.captchaservice.controller.captcha.response.PostChallengeResponse;
 import de.muenchen.captchaservice.controller.captcha.response.PostVerifyResponse;
 import de.muenchen.captchaservice.data.SourceAddress;
+import de.muenchen.captchaservice.service.captcha.CaptchaService;
 import de.muenchen.captchaservice.service.siteauth.SiteAuthService;
+import de.muenchen.captchaservice.service.sourceaddress.SourceAddressService;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import org.altcha.altcha.Altcha;
-import org.springframework.web.bind.annotation.*;
-import de.muenchen.captchaservice.service.captcha.CaptchaService;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/api/v1/captcha")
@@ -21,6 +25,7 @@ public class CaptchaController {
 
     private final CaptchaService captchaService;
     private final SiteAuthService siteAuthService;
+    private final SourceAddressService sourceAddressService;
 
     @PostMapping("/challenge")
     @SneakyThrows
@@ -29,7 +34,7 @@ public PostChallengeResponse postChallenge(@Valid @RequestBody final PostChallen
             throw new UnauthorizedException("Wrong credentials.");
         }
 
-        final SourceAddress sourceAddress = SourceAddress.parse(request.getClientAddress());
+        final SourceAddress sourceAddress = sourceAddressService.parse(request.getSiteKey(), request.getClientAddress());
         final Altcha.Challenge challenge = captchaService.createChallenge(request.getSiteKey(), sourceAddress);
         return new PostChallengeResponse(challenge);
     }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/SourceAddress.java

@@ -3,19 +3,12 @@
 import lombok.AllArgsConstructor;
 import org.apache.commons.codec.digest.DigestUtils;
 
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
 @AllArgsConstructor
 public class SourceAddress {
 
-    final private InetAddress inetAddress;
-
-    public static SourceAddress parse(final String sourceAddress) throws UnknownHostException {
-        return new SourceAddress(InetAddress.getByName(sourceAddress));
-    }
+    final private String sourceAddress;
 
     public String getHash() {
-        return DigestUtils.sha256Hex(inetAddress.toString());
+        return DigestUtils.sha256Hex(sourceAddress);
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/sourceaddress/SourceAddressService.java

@@ -0,0 +1,36 @@
+package de.muenchen.captchaservice.service.sourceaddress;
+
+import de.muenchen.captchaservice.configuration.captcha.CaptchaProperties;
+import de.muenchen.captchaservice.configuration.captcha.CaptchaSite;
+import de.muenchen.captchaservice.data.SourceAddress;
+import de.muenchen.captchaservice.util.networkaddresscalculator.NetworkAddressCalculator;
+import lombok.AllArgsConstructor;
+import org.springframework.stereotype.Service;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+@Service
+@AllArgsConstructor
+public class SourceAddressService {
+    private final CaptchaProperties captchaProperties;
+
+    public SourceAddress parse(final String siteKey, final String sourceAddress) {
+        CaptchaSite site = captchaProperties.sites().get(siteKey);
+        String networkAddressString;
+        try {
+            InetAddress addr = InetAddress.getByName(sourceAddress);
+            if (addr instanceof java.net.Inet4Address) {
+                networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv4Cidr());
+            } else if (addr instanceof java.net.Inet6Address) {
+                networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv6Cidr());
+            } else {
+                throw new IllegalArgumentException("Unsupported IP address type: " + addr.getClass().getName());
+            }
+        } catch (UnknownHostException e) {
+            throw new IllegalArgumentException("Invalid IP address provided: " + sourceAddress, e);
+        }
+        return new SourceAddress(networkAddressString);
+    }
+
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/util/networkaddresscalculator/InvalidAddressException.java

@@ -0,0 +1,13 @@
+package de.muenchen.captchaservice.util.networkaddresscalculator;
+
+import lombok.Getter;
+
+public class InvalidAddressException extends RuntimeException {
+    @Getter
+    private final String address;
+
+    public InvalidAddressException(String message, String address, Exception cause) {
+        super(message, cause);
+        this.address = address;
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/util/networkaddresscalculator/InvalidNetSizeException.java

@@ -0,0 +1,13 @@
+package de.muenchen.captchaservice.util.networkaddresscalculator;
+
+import lombok.Getter;
+
+public class InvalidNetSizeException extends RuntimeException {
+    @Getter
+    private final int netSize;
+
+    public InvalidNetSizeException(String message, int netSize) {
+        super(message);
+        this.netSize = netSize;
+    }
+}

captchaservice-backend/src/main/java/de/muenchen/captchaservice/util/networkaddresscalculator/NetworkAddressCalculator.java

@@ -0,0 +1,53 @@
+package de.muenchen.captchaservice.util.networkaddresscalculator;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+public class NetworkAddressCalculator {
+
+    /**
+     * Calculates the network address for a given IP address and netmask size (CIDR prefix).
+     * Supports both IPv4 and IPv6 addresses.
+     *
+     * @param address The IP address string (e.g., "192.168.1.1", "2001:db8::1").
+     * @param netSize The CIDR netmask size (e.g., 24 for IPv4, 64 for IPv6).
+     * @return The network address string (e.g., "192.168.1.0", "2001:db8::").
+     * @throws InvalidAddressException If the IP address is invalid.
+     * @throws InvalidNetSizeException If the `netSize` is out of range for the given IP version.
+     */
+    public static String getNetworkAddress(String address, int netSize) {
+        try {
+            InetAddress inetAddress = InetAddress.getByName(address);
+            byte[] addressBytes = inetAddress.getAddress();
+            int addressLengthBits = addressBytes.length * 8;
+
+            if (netSize < 0 || netSize > addressLengthBits) {
+                throw new InvalidNetSizeException(
+                        "Net size " + netSize + " is out of range for a " +
+                                (addressLengthBits == 32 ? "IPv4" : "IPv6") + " address (0-" + addressLengthBits + ")",
+                        netSize);
+            }
+
+            byte[] netAddressBytes = new byte[addressBytes.length];
+
+            // Apply the netmask bit by bit
+            for (int i = 0; i < addressBytes.length; i++) {
+                int byteNetSizeRemaining = netSize - (i * 8);
+                if (byteNetSizeRemaining >= 8) {
+                    netAddressBytes[i] = addressBytes[i];
+                } else if (byteNetSizeRemaining > 0) {
+                    int mask = 0xFF << (8 - byteNetSizeRemaining);
+                    netAddressBytes[i] = (byte) (addressBytes[i] & mask);
+                } else {
+                    netAddressBytes[i] = 0;
+                }
+            }
+
+            InetAddress netInetAddress = InetAddress.getByAddress(netAddressBytes);
+            return netInetAddress.getHostAddress();
+
+        } catch (UnknownHostException e) {
+            throw new InvalidAddressException("Invalid address: " + address, address, e);
+        }
+    }
+}

captchaservice-backend/src/test/java/de/muenchen/captchaservice/controller/captcha/CaptchaControllerTest.java

@@ -4,9 +4,11 @@
 import de.muenchen.captchaservice.TestConstants;
 import de.muenchen.captchaservice.controller.captcha.request.PostChallengeRequest;
 import de.muenchen.captchaservice.controller.captcha.request.PostVerifyRequest;
+import de.muenchen.captchaservice.repository.CaptchaRequestRepository;
 import de.muenchen.captchaservice.util.DatabaseTestUtil;
 import lombok.SneakyThrows;
 import org.altcha.altcha.Altcha;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentMatchers;
 import org.mockito.MockedStatic;
@@ -25,7 +27,8 @@
 import static de.muenchen.captchaservice.TestConstants.SPRING_NO_SECURITY_PROFILE;
 import static de.muenchen.captchaservice.TestConstants.SPRING_TEST_PROFILE;
 import static org.hamcrest.Matchers.is;
-import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -65,6 +68,8 @@ class CaptchaControllerTest {
 
     @Autowired
     private DatabaseTestUtil databaseTestUtil;
+    @Autowired
+    private CaptchaRequestRepository captchaRequestRepository;
 
     @Test
     void postChallenge_basic() {
@@ -110,6 +115,7 @@ void postChallenge_basic() {
     @Test
     @SneakyThrows
     void postChallenge_validIpv4() {
+        databaseTestUtil.clearDatabase();
         final PostChallengeRequest request = new PostChallengeRequest(TEST_SITE_KEY, TEST_SITE_SECRET, "1.2.3.4");
         final String requestBody = objectMapper.writeValueAsString(request);
         mockMvc.perform(
@@ -118,19 +124,22 @@ void postChallenge_validIpv4() {
                         .contentType(MediaType.APPLICATION_JSON))
                 .andExpect(status().isOk())
                 .andExpect(content().contentType(MediaType.APPLICATION_JSON));
+        assertEquals(1, captchaRequestRepository.countBySourceAddressHashIgnoreCase(DigestUtils.sha256Hex("1.2.3.4")));
     }
 
     @Test
     @SneakyThrows
     void postChallenge_validIpv6() {
-        final PostChallengeRequest request = new PostChallengeRequest(TEST_SITE_KEY, TEST_SITE_SECRET, "2001:db8::");
+        databaseTestUtil.clearDatabase();
+        final PostChallengeRequest request = new PostChallengeRequest(TEST_SITE_KEY, TEST_SITE_SECRET, "ea28:0fb8:e3f6:2836:dd46:0946:0589:72c2");
         final String requestBody = objectMapper.writeValueAsString(request);
         mockMvc.perform(
                 post("/api/v1/captcha/challenge")
                         .content(requestBody)
                         .contentType(MediaType.APPLICATION_JSON))
                 .andExpect(status().isOk())
                 .andExpect(content().contentType(MediaType.APPLICATION_JSON));
+        assertEquals(1, captchaRequestRepository.countBySourceAddressHashIgnoreCase(DigestUtils.sha256Hex("ea28:fb8:e3f6:2836:0:0:0:0")));
     }
 
     @Test