benelog/IpFilter.java

## IpFilter.java
package net.benelog.markerboard.filter;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 *
 *  허락된 IP만 접근할 수 있게 걸러준다. IP는 CIDR 형식으로 지정가능하다. (예: 10.0.0.0/16)
 * Spring Security의 IpAddressMatcher의 코드를 배낌.
 * (http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.3.RELEASE/spring-security-web-3.0.3.RELEASE-sources.jar!/org/springframework/security/web/util/IpAddressMatcher.java)
 *
 * @author sanghyuk.jung
 *
 */
public class IpFilter extends HandlerInterceptorAdapter {
	private final Logger log = LoggerFactory.getLogger(IpFilter.class);
	private final CidrNotation[] permittedIpRanges;

	public IpFilter(String... ipList) {
		permittedIpRanges = new CidrNotation[ipList.length];
		for (int i=0,n = ipList.length;i<n; i++) {
			String ip = ipList[i];
			int maskBits = -1;
			if (ipList[i].indexOf('/') > 0) {
				String[] addressAndMask = StringUtils.split(ip, "/");
				ip = addressAndMask[0];
				maskBits = Integer.parseInt(addressAndMask[1]);
			}
			permittedIpRanges[i] = new CidrNotation(parseAddress(ip),maskBits);
		}
	}

	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

		String remoteAddr = request.getRemoteAddr();
		log.debug("Request from  {} ", remoteAddr);

		for (CidrNotation ip: permittedIpRanges ) {
			if (matches(remoteAddr, ip)){
				return true;
			}
		}
		log.warn("IP {} is not allowed.", remoteAddr);
		return false;
	}

	public boolean matches(String clientAddr, CidrNotation permittedRange) {
		InetAddress permittedAddr = permittedRange.getAddress();
		InetAddress remoteAddr = parseAddress(clientAddr);

		if (!permittedAddr.getClass().equals(remoteAddr.getClass())) {
			return false;
		}

		int maskBits = permittedRange.getMaskBits();
		if (maskBits < 0) {
			return remoteAddr.equals(permittedAddr);
		}

		byte[] clientAddrBytes = remoteAddr.getAddress();
		byte[] permittedAddrBytes = permittedAddr.getAddress();

		int oddBits = maskBits % 8;
		int maskBytes = maskBits / 8 + (oddBits == 0 ? 0 : 1);
		byte[] mask = new byte[maskBytes];
		Arrays.fill(mask, 0, oddBits == 0 ? mask.length : mask.length - 1,	(byte) 0xFF);

		if (oddBits != 0) {
			int finalByte = (1 << oddBits) - 1;
			finalByte <<= 8 - oddBits;
			mask[mask.length - 1] = (byte) finalByte;
		}

		for (int i = 0; i < mask.length; i++) {
			if ((clientAddrBytes[i] & mask[i]) != (permittedAddrBytes[i] & mask[i])) {
				return false;
			}
		}
		return true;
	}

	private InetAddress parseAddress(String address) {
		try {
			return InetAddress.getByName(address);
		} catch (UnknownHostException e) {
			throw new IllegalArgumentException("Failed to parse address" + address, e);
		}
	}

	static class CidrNotation {
		private final InetAddress address;
		private final int maskBits;
		public int getMaskBits() {
			return maskBits;
		}
		public CidrNotation(InetAddress address, int maskBits){
			this.address = address;
			this.maskBits = maskBits;
		}
		public InetAddress getAddress() {
			return address;
		}
	}
}

## IpFilterTest.java
package net.benelog.markerboard.filter;

import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.*;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

public class IpFilterTest {
	Object handler = new Object();
	MockHttpServletRequest request = new MockHttpServletRequest();
	MockHttpServletResponse response = new MockHttpServletResponse();
	IpFilter filter;

	@Test
	public void passedWithSimple() throws Exception {
		request.setRemoteAddr("192.168.0.1");
		filter = new IpFilter("192.168.0.1");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}

	@Test
	public void passedWith1IpList() throws Exception {
		request.setRemoteAddr("192.168.0.1");
		filter = new IpFilter("127.0.0.1/16");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(false));
	}

	@Test
	public void nonpassedWith1IpList() throws Exception {
		request.setRemoteAddr("127.0.100.12");
		filter = new IpFilter("127.0.0.1/16");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}

	@Test
	public void nonpassedWith12IpList() throws Exception {
		request.setRemoteAddr("127.0.1.12");
		filter = new IpFilter("192.0.0.1/16", "125.0.0.1/16");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(false));
	}

	@Test
	public void passedWith12IpList1() throws Exception {
		request.setRemoteAddr("127.0.1.12");
		filter = new IpFilter("127.0.1.12/32", "192.0.0.1/16");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}

	@Test
	public void passedWith12IpList2() throws Exception {
		request.setRemoteAddr("127.0.1.12");
		filter = new IpFilter("192.0.0.1/16", "127.0.1.12/32");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}

	@Test
	public void passedWith2IpList3() throws Exception {
		request.setRemoteAddr("127.0.1.13");
		filter = new IpFilter("192.0.0.1/16", "127.0.1.12/31");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}

	@Test
	public void passedWith2IpList4() throws Exception {
		request.setRemoteAddr("127.0.1.12");
		filter = new IpFilter("192.0.0.1/16", "127.0.1.13/31");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}

	@Test
	public void passedWith3IpList3() throws Exception {
		request.setRemoteAddr("210.94.41.89");
		filter = new IpFilter("192.0.0.1/16", "127.0.1.12/31", "210.94.41.88/31");

		boolean passed = filter.preHandle(request, response, handler);
		assertThat(passed, is(true));
	}
}
	package net.benelog.markerboard.filter;

	import java.net.InetAddress;
	import java.net.UnknownHostException;
	import java.util.Arrays;

	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;

	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;
	import org.springframework.util.StringUtils;
	import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

	/**
	*
	* 허락된 IP만 접근할 수 있게 걸러준다. IP는 CIDR 형식으로 지정가능하다. (예: 10.0.0.0/16)
	* Spring Security의 IpAddressMatcher의 코드를 배낌.
	* (http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.3.RELEASE/spring-security-web-3.0.3.RELEASE-sources.jar!/org/springframework/security/web/util/IpAddressMatcher.java)
	*
	* @author sanghyuk.jung
	*
	*/
	public class IpFilter extends HandlerInterceptorAdapter {
	private final Logger log = LoggerFactory.getLogger(IpFilter.class);
	private final CidrNotation[] permittedIpRanges;

	public IpFilter(String... ipList) {
	permittedIpRanges = new CidrNotation[ipList.length];
	for (int i=0,n = ipList.length;i<n; i++) {
	String ip = ipList[i];
	int maskBits = -1;
	if (ipList[i].indexOf('/') > 0) {
	String[] addressAndMask = StringUtils.split(ip, "/");
	ip = addressAndMask[0];
	maskBits = Integer.parseInt(addressAndMask[1]);
	}
	permittedIpRanges[i] = new CidrNotation(parseAddress(ip),maskBits);
	}
	}

	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

	String remoteAddr = request.getRemoteAddr();
	log.debug("Request from {} ", remoteAddr);

	for (CidrNotation ip: permittedIpRanges ) {
	if (matches(remoteAddr, ip)){
	return true;
	}
	}
	log.warn("IP {} is not allowed.", remoteAddr);
	return false;
	}

	public boolean matches(String clientAddr, CidrNotation permittedRange) {
	InetAddress permittedAddr = permittedRange.getAddress();
	InetAddress remoteAddr = parseAddress(clientAddr);

	if (!permittedAddr.getClass().equals(remoteAddr.getClass())) {
	return false;
	}

	int maskBits = permittedRange.getMaskBits();
	if (maskBits < 0) {
	return remoteAddr.equals(permittedAddr);
	}

	byte[] clientAddrBytes = remoteAddr.getAddress();
	byte[] permittedAddrBytes = permittedAddr.getAddress();

	int oddBits = maskBits % 8;
	int maskBytes = maskBits / 8 + (oddBits == 0 ? 0 : 1);
	byte[] mask = new byte[maskBytes];
	Arrays.fill(mask, 0, oddBits == 0 ? mask.length : mask.length - 1, (byte) 0xFF);

	if (oddBits != 0) {
	int finalByte = (1 << oddBits) - 1;
	finalByte <<= 8 - oddBits;
	mask[mask.length - 1] = (byte) finalByte;
	}

	for (int i = 0; i < mask.length; i++) {
	if ((clientAddrBytes[i] & mask[i]) != (permittedAddrBytes[i] & mask[i])) {
	return false;
	}
	}
	return true;
	}

	private InetAddress parseAddress(String address) {
	try {
	return InetAddress.getByName(address);
	} catch (UnknownHostException e) {
	throw new IllegalArgumentException("Failed to parse address" + address, e);
	}
	}

	static class CidrNotation {
	private final InetAddress address;
	private final int maskBits;
	public int getMaskBits() {
	return maskBits;
	}
	public CidrNotation(InetAddress address, int maskBits){
	this.address = address;
	this.maskBits = maskBits;
	}
	public InetAddress getAddress() {
	return address;
	}
	}
	}
	package net.benelog.markerboard.filter;

	import static org.hamcrest.CoreMatchers.*;
	import static org.junit.Assert.*;

	import org.junit.Test;
	import org.springframework.mock.web.MockHttpServletRequest;
	import org.springframework.mock.web.MockHttpServletResponse;

	public class IpFilterTest {
	Object handler = new Object();
	MockHttpServletRequest request = new MockHttpServletRequest();
	MockHttpServletResponse response = new MockHttpServletResponse();
	IpFilter filter;

	@Test
	public void passedWithSimple() throws Exception {
	request.setRemoteAddr("192.168.0.1");
	filter = new IpFilter("192.168.0.1");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}

	@Test
	public void passedWith1IpList() throws Exception {
	request.setRemoteAddr("192.168.0.1");
	filter = new IpFilter("127.0.0.1/16");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(false));
	}

	@Test
	public void nonpassedWith1IpList() throws Exception {
	request.setRemoteAddr("127.0.100.12");
	filter = new IpFilter("127.0.0.1/16");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}

	@Test
	public void nonpassedWith12IpList() throws Exception {
	request.setRemoteAddr("127.0.1.12");
	filter = new IpFilter("192.0.0.1/16", "125.0.0.1/16");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(false));
	}

	@Test
	public void passedWith12IpList1() throws Exception {
	request.setRemoteAddr("127.0.1.12");
	filter = new IpFilter("127.0.1.12/32", "192.0.0.1/16");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}

	@Test
	public void passedWith12IpList2() throws Exception {
	request.setRemoteAddr("127.0.1.12");
	filter = new IpFilter("192.0.0.1/16", "127.0.1.12/32");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}

	@Test
	public void passedWith2IpList3() throws Exception {
	request.setRemoteAddr("127.0.1.13");
	filter = new IpFilter("192.0.0.1/16", "127.0.1.12/31");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}

	@Test
	public void passedWith2IpList4() throws Exception {
	request.setRemoteAddr("127.0.1.12");
	filter = new IpFilter("192.0.0.1/16", "127.0.1.13/31");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}

	@Test
	public void passedWith3IpList3() throws Exception {
	request.setRemoteAddr("210.94.41.89");
	filter = new IpFilter("192.0.0.1/16", "127.0.1.12/31", "210.94.41.88/31");

	boolean passed = filter.preHandle(request, response, handler);
	assertThat(passed, is(true));
	}
	}