add whitelisted source address support and changed net size configuration names

Author: tobiasholler

captchaservice-backend/src/main/java/de/muenchen/captchaservice/configuration/captcha/CaptchaSite.java

@@ -11,21 +11,23 @@ public record CaptchaSite(
         String secret,
         @Min(1) Integer maxVerifiesPerPayload,
         @NotNull List<DifficultyItem> difficultyMap,
-
-        @Min(0) @Max(32) Integer sourceAddressIpv4Cidr,
-        @Min(0) @Max(128) Integer sourceAddressIpv6Cidr) {
+        @Min(0) @Max(32) Integer sourceAddressIpv4NetSize,
+        @Min(0) @Max(128) Integer sourceAddressIpv6NetSize,
+        List<String> whitelistedSourceAddresses) {
     public CaptchaSite(
             final String siteKey,
             final String secret,
             final Integer maxVerifiesPerPayload,
             final List<DifficultyItem> difficultyMap,
-            final Integer sourceAddressIpv4Cidr,
-            final Integer sourceAddressIpv6Cidr) {
+            final Integer sourceAddressIpv4NetSize,
+            final Integer sourceAddressIpv6NetSize,
+            final List<String> whitelistedSourceAddresses) {
         this.siteKey = siteKey;
         this.secret = secret;
         this.maxVerifiesPerPayload = maxVerifiesPerPayload != null ? maxVerifiesPerPayload : 1;
         this.difficultyMap = List.copyOf(difficultyMap);
-        this.sourceAddressIpv4Cidr = sourceAddressIpv4Cidr != null ? sourceAddressIpv4Cidr : 32;
-        this.sourceAddressIpv6Cidr = sourceAddressIpv6Cidr != null ? sourceAddressIpv6Cidr : 128;
+        this.sourceAddressIpv4NetSize = sourceAddressIpv4NetSize != null ? sourceAddressIpv4NetSize : 32;
+        this.sourceAddressIpv6NetSize = sourceAddressIpv6NetSize != null ? sourceAddressIpv6NetSize : 128;
+        this.whitelistedSourceAddresses = whitelistedSourceAddresses != null ? List.copyOf(whitelistedSourceAddresses) : List.of();
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/SourceAddress.java

@@ -1,9 +1,11 @@
 package de.muenchen.captchaservice.data;
 
 import lombok.AllArgsConstructor;
+import lombok.Data;
 import org.apache.commons.codec.digest.DigestUtils;
 
 @AllArgsConstructor
+@Data
 public class SourceAddress {
 
     final private String sourceAddress;

captchaservice-backend/src/main/java/de/muenchen/captchaservice/entity/CaptchaRequest.java

@@ -43,11 +43,15 @@ public class CaptchaRequest extends BaseEntity {
     @Size(min = 64, max = 64)
     private String sourceAddressHash;
 
+    @NotNull
+    private boolean isWhitelisted;
+
     @NotNull
     private Instant expiresAt;
 
-    public CaptchaRequest(String sourceAddressHash, Instant expiresAt) {
+    public CaptchaRequest(String sourceAddressHash, boolean isWhitelisted, Instant expiresAt) {
         this.sourceAddressHash = sourceAddressHash;
+        this.isWhitelisted = isWhitelisted;
         this.expiresAt = expiresAt;
     }
 

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/CaptchaService.java

@@ -32,7 +32,7 @@ public CaptchaService(final CaptchaProperties captchaProperties, final Difficult
 
     public Altcha.Challenge createChallenge(final String siteKey, final SourceAddress sourceAddress) {
         final long difficulty = difficultyService.getDifficultyForSourceAddress(siteKey, sourceAddress);
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest(siteKey, sourceAddress);
         final Altcha.ChallengeOptions options = new Altcha.ChallengeOptions();
         options.algorithm = Altcha.Algorithm.SHA256;
         options.hmacKey = captchaProperties.hmacKey();

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/difficulty/DifficultyService.java

@@ -8,6 +8,7 @@
 import de.muenchen.captchaservice.repository.CaptchaRequestRepository;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.web.util.matcher.IpAddressMatcher;
 import org.springframework.stereotype.Service;
 
 import java.time.Instant;
@@ -27,15 +28,18 @@ public DifficultyService(final CaptchaProperties captchaProperties, final Captch
         this.captchaRequestRepository = captchaRequestRepository;
     }
 
-    public void registerRequest(final SourceAddress sourceAddress) {
+    public void registerRequest(final String siteKey, final SourceAddress sourceAddress) {
         final String sourceAddressHash = sourceAddress.getHash();
-        final CaptchaRequest captchaRequest = new CaptchaRequest(sourceAddressHash,
+        final CaptchaRequest captchaRequest = new CaptchaRequest(sourceAddressHash, isSourceAddressWhitelisted(siteKey, sourceAddress),
                 Instant.now().plusSeconds(captchaProperties.sourceAddressWindowSeconds()));
         captchaRequestRepository.save(captchaRequest);
         log.debug("Registered request for source address with hash {}", sourceAddressHash);
     }
 
     public long getDifficultyForSourceAddress(final String siteKey, final SourceAddress sourceAddress) {
+        if (isSourceAddressWhitelisted(siteKey, sourceAddress)) {
+            return 1L;
+        }
         final CaptchaSite captchaSite = captchaProperties.sites().get(siteKey);
         if (captchaSite == null) {
             throw new IllegalArgumentException("siteKey not found");
@@ -58,4 +62,12 @@ public long getDifficultyForSourceAddress(final String siteKey, final SourceAddr
         return maxNumber;
     }
 
+    public boolean isSourceAddressWhitelisted(final String siteKey, final SourceAddress sourceAddress) {
+        final CaptchaSite captchaSite = captchaProperties.sites().get(siteKey);
+        for (String subnet : captchaSite.whitelistedSourceAddresses()) {
+            if (new IpAddressMatcher(subnet).matches(sourceAddress.getSourceAddress())) return true;
+        }
+        return false;
+    }
+
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/sourceaddress/SourceAddressService.java

@@ -20,9 +20,9 @@ public SourceAddress parse(final String siteKey, final String sourceAddress) {
         String networkAddressString;
         InetAddress addr = InetAddresses.forString(sourceAddress);
         if (addr instanceof java.net.Inet4Address) {
-            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv4Cidr());
+            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv4NetSize());
         } else if (addr instanceof java.net.Inet6Address) {
-            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv6Cidr());
+            networkAddressString = NetworkAddressCalculator.getNetworkAddress(sourceAddress, site.sourceAddressIpv6NetSize());
         } else {
             throw new IllegalArgumentException("Unsupported IP address type: " + addr.getClass().getName());
         }

captchaservice-backend/src/main/resources/db/migration/schema/V001__Init.sql

@@ -3,6 +3,7 @@ CREATE TABLE captcha_request
     id                  UUID                     NOT NULL,
     request_at          TIMESTAMP WITH TIME ZONE,
     source_address_hash VARCHAR(64)              NOT NULL,
+    is_whitelisted      BOOLEAN                  NOT NULL,
     expires_at          TIMESTAMP WITH TIME ZONE NOT NULL,
     CONSTRAINT pk_captcharequest PRIMARY KEY (id)
 );

captchaservice-backend/src/test/java/de/muenchen/captchaservice/service/difficulty/DifficultyServiceTest.java

@@ -43,23 +43,49 @@ void testDifficultyIncrease() {
         final SourceAddress sourceAddress = new SourceAddress("1.2.3.4");
         long difficulty;
         // --
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest("test_site", sourceAddress);
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(1_000L, difficulty);
         // --
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest("test_site", sourceAddress);
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(2_000L, difficulty);
         // --
-        difficultyService.registerRequest(sourceAddress);
+        difficultyService.registerRequest("test_site", sourceAddress);
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(3_000L, difficulty);
         // --
         for (int i = 0; i < 5; i++) {
-            difficultyService.registerRequest(sourceAddress);
+            difficultyService.registerRequest("test_site", sourceAddress);
         }
         difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
         assertEquals(3_000L, difficulty);
     }
 
+    @Test
+    @SneakyThrows
+    void testDifficultyIncreaseWithWhitelistedSourceAddress() {
+        databaseTestUtil.clearDatabase();
+        final SourceAddress sourceAddress = new SourceAddress("10.1.2.3");
+        long difficulty;
+        // --
+        difficultyService.registerRequest("test_site", sourceAddress);
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+        // --
+        difficultyService.registerRequest("test_site", sourceAddress);
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+        // --
+        difficultyService.registerRequest("test_site", sourceAddress);
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+        // --
+        for (int i = 0; i < 5; i++) {
+            difficultyService.registerRequest("test_site", sourceAddress);
+        }
+        difficulty = difficultyService.getDifficultyForSourceAddress(TEST_SITE_KEY, sourceAddress);
+        assertEquals(1L, difficulty);
+    }
+
 }

captchaservice-backend/src/test/java/de/muenchen/captchaservice/service/expireddata/ExpiredDataServiceTest.java

@@ -49,14 +49,14 @@ void deleteExpiredData() {
         final String expiredHash = DigestUtils.sha256Hex("expired");
 
         // Not expired data
-        captchaRequestRepository.save(new CaptchaRequest(notExpiredHash, Instant.now().plus(Period.ofDays(1))));
-        captchaRequestRepository.save(new CaptchaRequest(notExpiredHash, Instant.now().plus(Period.ofDays(1))));
+        captchaRequestRepository.save(new CaptchaRequest(notExpiredHash, false, Instant.now().plus(Period.ofDays(1))));
+        captchaRequestRepository.save(new CaptchaRequest(notExpiredHash, false, Instant.now().plus(Period.ofDays(1))));
         invalidatedPayloadRepository.save(new InvalidatedPayload(notExpiredHash, Instant.now().plus(Period.ofDays(1))));
         invalidatedPayloadRepository.save(new InvalidatedPayload(notExpiredHash, Instant.now().plus(Period.ofDays(1))));
 
         // Expired data
-        captchaRequestRepository.save(new CaptchaRequest(expiredHash, Instant.now().minus(Period.ofDays(1))));
-        captchaRequestRepository.save(new CaptchaRequest(expiredHash, Instant.now().minus(Period.ofDays(1))));
+        captchaRequestRepository.save(new CaptchaRequest(expiredHash, false, Instant.now().minus(Period.ofDays(1))));
+        captchaRequestRepository.save(new CaptchaRequest(expiredHash, false, Instant.now().minus(Period.ofDays(1))));
         invalidatedPayloadRepository.save(new InvalidatedPayload(expiredHash, Instant.now().minus(Period.ofDays(1))));
         invalidatedPayloadRepository.save(new InvalidatedPayload(expiredHash, Instant.now().minus(Period.ofDays(1))));
 

captchaservice-backend/src/test/resources/application-test.yml

@@ -24,7 +24,9 @@ captcha:
   sites:
     test_site:
       secret: test_secret
-      source-address-ipv6-cidr: 64
+      source-address-ipv6-net-size: 64
+      whitelisted-source-addresses:
+        - "10.0.0.0/8"
       difficulty-map:
         - minVisits: 1
           maxNumber: 1000