-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: correctly compare compressed/expanded ipv6 in targets #109
Merged
Merged
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,8 +4,11 @@ import ( | |
"context" | ||
"errors" | ||
"fmt" | ||
"net/netip" | ||
"reflect" | ||
"regexp" | ||
"sort" | ||
"strings" | ||
|
||
"github.com/blang/semver/v4" | ||
"github.com/kong/go-database-reconciler/pkg/konnect" | ||
|
@@ -1033,6 +1036,70 @@ func (b *stateBuilder) rbacRoles() { | |
} | ||
} | ||
|
||
var ( | ||
IPv6HasPortPattern = regexp.MustCompile(`\]\:\d+$`) | ||
IPv6HasBracketPattern = regexp.MustCompile(`\[\S+\]$`) | ||
) | ||
|
||
// hasIPv6Format checks if the hostname is in ipv6 format. | ||
// This is a best effort check, it doesn't guarantee that the hostname is a valid ipv6 address, | ||
// but it checks if the hostname has more than 2 colons. | ||
func hasIPv6Format(hostname string) bool { | ||
parts := strings.Split(hostname, ":") | ||
return len(parts) > 2 | ||
} | ||
|
||
// expandIPv6 decompress an ipv6 address into its 'long' format. | ||
// for example: | ||
// | ||
// from ::1 to 0000:0000:0000:0000:0000:0000:0000:0001. | ||
func expandIPv6(address string) string { | ||
pmalek marked this conversation as resolved.
Show resolved
Hide resolved
|
||
addr, err := netip.ParseAddr(address) | ||
if err != nil { | ||
return "" | ||
} | ||
return addr.StringExpanded() | ||
} | ||
|
||
// normalizeIPv6 normalizes an ipv6 address to the format [address]:port. | ||
// for example: | ||
// from ::1 to [0000:0000:0000:0000:0000:0000:0000:0001]:8000. | ||
func normalizeIPv6(target string) (string, error) { | ||
pmalek marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Couldn't we also use |
||
ip := target | ||
port := "8000" | ||
match := IPv6HasPortPattern.FindStringSubmatch(target) | ||
if len(match) > 0 { | ||
// has [address]:port pattern | ||
ipAndPort, err := netip.ParseAddrPort(ip) | ||
if err != nil { | ||
return "", fmt.Errorf("invalid ipv6 address and port %s", target) | ||
} | ||
port = fmt.Sprint(ipAndPort.Port()) | ||
ip = ipAndPort.Addr().String() | ||
} else { | ||
match = IPv6HasBracketPattern.FindStringSubmatch(target) | ||
if len(match) > 0 { | ||
// has [address] pattern | ||
ip = removeBrackets(match[0]) | ||
} | ||
ipAddr, err := netip.ParseAddr(ip) | ||
if err != nil { | ||
return "", fmt.Errorf("invalid ipv6 address %s", target) | ||
} | ||
ip = ipAddr.String() | ||
} | ||
expandedIPv6 := expandIPv6(ip) | ||
if expandedIPv6 == "" { | ||
return "", fmt.Errorf("failed while expanding ipv6 address %s", target) | ||
} | ||
return fmt.Sprintf("[%s]:%s", expandedIPv6, port), nil | ||
} | ||
|
||
func removeBrackets(ip string) string { | ||
ip = strings.ReplaceAll(ip, "[", "") | ||
return strings.ReplaceAll(ip, "]", "") | ||
} | ||
|
||
func (b *stateBuilder) upstreams() { | ||
if b.err != nil { | ||
return | ||
|
@@ -1075,6 +1142,15 @@ func (b *stateBuilder) upstreams() { | |
func (b *stateBuilder) ingestTargets(targets []kong.Target) error { | ||
for _, t := range targets { | ||
t := t | ||
|
||
if t.Target != nil && hasIPv6Format(*t.Target) { | ||
normalizedTarget, err := normalizeIPv6(*t.Target) | ||
if err != nil { | ||
return err | ||
} | ||
t.Target = kong.String(normalizedTarget) | ||
} | ||
|
||
if utils.Empty(t.ID) { | ||
target, err := b.currentState.Targets.Get(*t.Upstream.ID, *t.Target) | ||
if errors.Is(err, state.ErrNotFound) { | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be prone to errors or to be misused. Why not use https://pkg.go.dev/net/netip#ParseAddr and https://pkg.go.dev/net/netip#Addr.Is6 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As silly as it may look, this is enough to catch all combinations of targets in IPv6 format, including the one with port and brackets like
[2600:1f16:1784:fa03:fd73::e]:1326
, which the library wouldn't consider as v6There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't https://pkg.go.dev/net/netip#ParseAddrPort work for this then?
I'm just worried that this func is very easy to abuse.
isIPv6("this:is:nuts:!")
will also returntrue
. It will also return true for1:2:3:4
which http://sqa.fyicenter.com/1000334_IPv6_Address_Validator.html#Result reports as invalid.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ParseAddrPort
works if the port is always there, but it would fail to parse things like::1
(would work with[::1]:8000
though).If you really feel strong about this we can improve this validation, but generally decK (or this library) doesn't do much input validation other than what's part of the JSON schemas from go-kong.
For the records though, those bogus entries would still fail validation at a later stage:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Understood that this is validated on other levels.
I'm just suggesting to consider improving the reliability of this while we're at it
For instance something like this should work just fine and will work for addresses with and without ports
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This still would fail to parse something like
[::1]
, as well as detecting bogus patterns like[invalid:ipv6::address]:1326
: the function would rightly returnfalse
, but this is not justfalse
, it's invalid. At this point we would need add extra handling and validation for these cases too. I think this is going to become more complex and fragile overall.I'm renaming this function to
hasIPv6Format
which better represent its purpose: 6764fd2