* ip: support ipv6

Signed-off-by: neo <1100909+neowu@users.noreply.github.com>

Author: neowu

CHANGELOG.md

@@ -3,6 +3,9 @@
 ### 9.2.2 (5/21/2025 - )
 
 * http_client: support proxy
+* ip: support ipv6
+  > support ipv6 ranges in access control
+  > !!! IPRangePropertyValueParser parsing behavior slightly changed, "NAME: CIDR1, CIDR2;", the "NAME:" must have space after it
 
 ### 9.2.1 (4/24/2025 - 5/19/2025) !!! only support java 24
 

core-ng-test/src/test/java/core/framework/test/TestModule.java

@@ -93,6 +93,8 @@ private void configureHTTP() {
         http().maxEntitySize(10000000);
         http().access().allow(List.of("0.0.0.0/0"));
         http().access().deny(List.of("10.0.0.0/24"));
+        http().access().allowIPv6(List.of("::/0"));
+        http().access().denyIPv6(List.of("2001:df0:465::/48"));
         http().errorHandler((request, e) -> Optional.empty());
     }
 

core-ng/src/main/java/core/framework/internal/web/HTTPHandlerContext.java

@@ -2,7 +2,7 @@
 
 import core.framework.internal.web.bean.RequestBeanReader;
 import core.framework.internal.web.bean.ResponseBeanWriter;
-import core.framework.internal.web.http.IPv4AccessControl;
+import core.framework.internal.web.http.IPAccessControl;
 import core.framework.internal.web.http.RateControl;
 import core.framework.internal.web.request.RequestParser;
 
@@ -15,5 +15,5 @@ public class HTTPHandlerContext {
     @Nullable
     public RateControl rateControl;
     @Nullable
-    public IPv4AccessControl accessControl;
+    public IPAccessControl accessControl;
 }

…internal/web/http/IPv4AccessControl.java …k/internal/web/http/IPAccessControl.javacore-ng/src/main/java/core/framework/internal/web/http/IPv4AccessControl.java renamed to core-ng/src/main/java/core/framework/internal/web/http/IPAccessControl.java core-ng/src/main/java/core/framework/internal/web/http/IPv4AccessControl.java renamed to core-ng/src/main/java/core/framework/internal/web/http/IPAccessControl.java

@@ -10,37 +10,48 @@
 /**
  * @author neo
  */
-public class IPv4AccessControl {
-    private final Logger logger = LoggerFactory.getLogger(IPv4AccessControl.class);
+public class IPAccessControl {
+    private final Logger logger = LoggerFactory.getLogger(IPAccessControl.class);
     public IPv4Ranges allow;
     public IPv4Ranges deny;
+    public IPv6Ranges allowIPv6;
+    public IPv6Ranges denyIPv6;
 
     public void validate(String clientIP) {
+        InetAddress address;
         try {
-            InetAddress address = InetAddress.getByName(clientIP);
-            if (isLocal(address)) {
-                logger.debug("allow site local client address");
-                return;
-            }
-
-            if (!allow(address.getAddress())) {
-                throw new ForbiddenException("access denied", "IP_ACCESS_DENIED");
-            }
+            address = InetAddress.getByName(clientIP);
         } catch (UnknownHostException e) {
             throw new Error(e);  // client ip format is already validated in ClientIPParser, so here it won't resolve DNS
         }
+
+        if (isLocal(address)) {
+            logger.debug("allow site local client address");
+            return;
+        }
+
+        byte[] byteAddress = address.getAddress();
+        IPRanges allow;
+        IPRanges deny;
+        if (byteAddress.length == 4) {
+            allow = this.allow;
+            deny = this.deny;
+        } else if (byteAddress.length == 16) {
+            allow = allowIPv6;
+            deny = denyIPv6;
+        } else {
+            throw new Error("unexpected address, address=" + address);
+        }
+        if (!allow(byteAddress, allow, deny)) {
+            throw new ForbiddenException("access denied", "IP_ACCESS_DENIED");
+        }
     }
 
     boolean isLocal(InetAddress address) {
         return address.isLoopbackAddress() || address.isSiteLocalAddress();
     }
 
-    boolean allow(byte[] address) {
-        if (address.length > 4) {   // only support ipv4, as Cloud LB generally uses ipv4 endpoint (gcloud supports both ipv4/v6, but ipv6 is not majority yet)
-            logger.debug("skip with ipv6 client address");
-            return true;
-        }
-
+    boolean allow(byte[] address, IPRanges allow, IPRanges deny) {
         if (allow != null && allow.matches(address)) {
             logger.debug("allow client ip within allowed ranges");
             return true;

core-ng/src/main/java/core/framework/internal/web/http/IPRanges.java

@@ -0,0 +1,16 @@
+package core.framework.internal.web.http;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+public interface IPRanges {
+    static byte[] address(String address) {
+        try {
+            return InetAddress.getByName(address).getAddress();
+        } catch (UnknownHostException e) {
+            throw new Error(e);
+        }
+    }
+
+    boolean matches(byte[] address);
+}

core-ng/src/main/java/core/framework/internal/web/http/IPv4Ranges.java

@@ -1,23 +1,13 @@
 package core.framework.internal.web.http;
 
-import java.net.InetAddress;
-import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.Comparator;
 import java.util.List;
 
 /**
  * @author neo
  */
-public class IPv4Ranges {
-    static byte[] address(String address) {
-        try {
-            return InetAddress.getByName(address).getAddress();
-        } catch (UnknownHostException e) {
-            throw new Error(e);
-        }
-    }
-
+public class IPv4Ranges implements IPRanges {
     static boolean withinRanges(int[] ranges, int value) {
         int low = 0;
         int high = ranges.length - 1;
@@ -87,7 +77,7 @@ private int[] sortableRange(String cidr) {
             rangeStart = 0;
             rangeEnd = -1;
         } else {
-            int address = toInt(address(cidr.substring(0, index)));
+            int address = toInt(IPRanges.address(cidr.substring(0, index)));
             int mask = -1 << (32 - maskBits);
             rangeStart = address & mask;
             rangeEnd = rangeStart + ~mask;
@@ -105,6 +95,7 @@ private int toInt(byte[] address) {
         return result;
     }
 
+    @Override
     public boolean matches(byte[] address) {
         if (ranges.length == 0) return false;
         int sortable = toSortable(toInt(address));
@@ -116,6 +107,7 @@ public boolean matches(byte[] address) {
     // 127.255.255.255 => -1        (01111111.11111111.11111111.11111111 => 11111111.11111111.11111111.11111111)
     // 128.0.0.0 => 0               (10000000.0.0.0 => 00000000.0.0.0)
     // 255.255.255.255 => MAX_VALUE (11111111.11111111.11111111.11111111 => 01111111.11111111.11111111.11111111)
+    // refer to Integer.compareUnsigned(x, y)
     private int toSortable(int value) {
         return value ^ Integer.MIN_VALUE;
     }

core-ng/src/main/java/core/framework/internal/web/http/IPv6Ranges.java

@@ -4,7 +4,7 @@
 import java.util.Comparator;
 import java.util.List;
 
-public class IPv6Ranges {
+public class IPv6Ranges implements IPRanges {
     static boolean withinRanges(LongLong[] ranges, LongLong value) {
         int low = 0;
         int high = ranges.length - 1;
@@ -89,7 +89,7 @@ public IPv6Ranges(List<String> cidrs) {
     private LongLong[] sortableRange(String cidr) {
         int index = cidr.indexOf('/');
         if (index <= 0 || index >= cidr.length() - 1) throw new Error("invalid cidr, value=" + cidr);
-        LongLong address = toLongLong(IPv4Ranges.address(cidr.substring(0, index)));
+        LongLong address = toLongLong(IPRanges.address(cidr.substring(0, index)));
         int maskBits = Integer.parseInt(cidr.substring(index + 1));
 
         LongLong rangeStart;
@@ -110,6 +110,7 @@ private LongLong[] sortableRange(String cidr) {
         return new LongLong[]{rangeStart.toSortable(), rangeEnd.toSortable()};
     }
 
+    @Override
     public boolean matches(byte[] address) {
         if (ranges.length == 0) return false;
         if (address.length != 16) return false;

core-ng/src/main/java/core/framework/internal/web/sys/APIController.java

@@ -5,7 +5,7 @@
 import core.framework.internal.web.api.APIDefinitionResponse;
 import core.framework.internal.web.api.MessageAPIDefinitionBuilder;
 import core.framework.internal.web.api.MessageAPIDefinitionResponse;
-import core.framework.internal.web.http.IPv4AccessControl;
+import core.framework.internal.web.http.IPAccessControl;
 import core.framework.internal.web.service.ErrorResponse;
 import core.framework.json.JSON;
 import core.framework.web.Request;
@@ -21,7 +21,7 @@
  * @author neo
  */
 public class APIController {
-    public final IPv4AccessControl accessControl = new IPv4AccessControl();
+    public final IPAccessControl accessControl = new IPAccessControl();
     private final ReentrantLock lock = new ReentrantLock();
 
     public Set<Class<?>> serviceInterfaces = new LinkedHashSet<>();

core-ng/src/main/java/core/framework/internal/web/sys/CacheController.java

@@ -2,7 +2,7 @@
 
 import core.framework.http.ContentType;
 import core.framework.internal.cache.CacheImpl;
-import core.framework.internal.web.http.IPv4AccessControl;
+import core.framework.internal.web.http.IPAccessControl;
 import core.framework.json.JSON;
 import core.framework.util.Strings;
 import core.framework.web.Request;
@@ -17,7 +17,7 @@
  */
 public class CacheController {
     private final Map<String, CacheImpl<?>> caches;
-    private final IPv4AccessControl accessControl = new IPv4AccessControl();
+    private final IPAccessControl accessControl = new IPAccessControl();
 
     public CacheController(Map<String, CacheImpl<?>> caches) {
         this.caches = caches;

core-ng/src/main/java/core/framework/internal/web/sys/DiagnosticController.java

@@ -2,7 +2,7 @@
 
 import core.framework.http.ContentType;
 import core.framework.internal.stat.Diagnostic;
-import core.framework.internal.web.http.IPv4AccessControl;
+import core.framework.internal.web.http.IPAccessControl;
 import core.framework.util.Files;
 import core.framework.web.Request;
 import core.framework.web.Response;
@@ -13,7 +13,7 @@
  * @author neo
  */
 public class DiagnosticController {
-    private final IPv4AccessControl accessControl = new IPv4AccessControl();
+    private final IPAccessControl accessControl = new IPAccessControl();
 
     // add -XX:NativeMemoryTracking=summary or -XX:NativeMemoryTracking=detail to enable native memory tracking, and vmInfo will include NMT summary
     // enabling NMT will result in a 5-10 percent JVM performance drop