Issue #10388 - fix InetAccessHandler module

jetty-server/src/main/config/modules/inetaccess.mod

@@ -2,7 +2,7 @@
 
 [description]
 Enables the InetAccessHandler.
-Applies a include/exclude control of the remote IP of requests.
+Applies an include/exclude control of the remote IP of requests.
 
 [tags]
 connector
@@ -18,15 +18,9 @@ etc/jetty-inetaccess.xml
 
 [ini-template]
 
-## List of InetAddress patterns to include
-#jetty.inetaccess.include=127.0.0.1,127.0.0.2
+## List of InetAddress patterns to include (connectorName@addressPattern|pathSpec)
+#jetty.inetaccess.include=http@127.0.0.1-127.0.0.2|/pathSpec,tls@,|/pathSpec2,127.0.0.20
 
-## List of InetAddress patterns to exclude
-#jetty.inetaccess.exclude=127.0.0.1,127.0.0.2
-
-## List of Connector names to include
-#jetty.inetaccess.includeConnectors=http
-
-## List of Connector names to exclude
-#jetty.inetaccess.excludeConnectors=tls
+## List of InetAddress patterns to exclude (connectorName@addressPattern|pathSpec)
+#jetty.inetaccess.exclude=http@127.0.0.1-127.0.0.2|/pathSpec,tls@,|/pathSpec2,127.0.0.20
 

jetty-server/src/main/config/modules/inetaccess/jetty-inetaccess.xml

@@ -19,20 +19,6 @@
             </Call>
           </Arg>
         </Call>
-        <Call name="includeConnectors">
-          <Arg>
-            <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
-              <Arg><Property name="jetty.inetaccess.includeConnectors" default="" /></Arg>
-            </Call>
-          </Arg>
-        </Call>
-        <Call name="excludeConnectors">
-          <Arg>
-            <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
-              <Arg><Property name="jetty.inetaccess.excludeConnectors" default="" /></Arg>
-            </Call>
-          </Arg>
-        </Call>
       </New>
     </Arg>
   </Call>

jetty-server/src/main/java/org/eclipse/jetty/server/handler/InetAccessSet.java

@@ -27,7 +27,7 @@
 
 public class InetAccessSet extends AbstractSet<InetAccessSet.PatternTuple> implements Set<InetAccessSet.PatternTuple>, Predicate<InetAccessSet.AccessTuple>
 {
-    private ArrayList<PatternTuple> tuples = new ArrayList<>();
+    private final ArrayList<PatternTuple> tuples = new ArrayList<>();
 
     @Override
     public boolean add(PatternTuple storageTuple)
@@ -67,7 +67,7 @@ public boolean test(AccessTuple entry)
         return false;
     }
 
-    static class PatternTuple implements Predicate<AccessTuple>
+    public static class PatternTuple implements Predicate<AccessTuple>
     {
         private final String connector;
         private final InetAddressPattern address;
@@ -110,19 +110,22 @@ public boolean test(AccessTuple entry)
             if ((connector != null) && !connector.equals(entry.getConnector()))
                 return false;
 
-            // If we have a path we must must be at this path to match for an address.
+            // If we have a path we must be at this path to match for an address.
             if ((pathSpec != null) && !pathSpec.matches(entry.getPath()))
                 return false;
 
             // Match for InetAddress.
-            if ((address != null) && !address.test(entry.getAddress()))
-                return false;
+            return (address == null) || address.test(entry.getAddress());
+        }
 
-            return true;
+        @Override
+        public String toString()
+        {
+            return String.format("%s@%x{connector=%s, addressPattern=%s, pathSpec=%s}", getClass().getSimpleName(), hashCode(), connector, address, pathSpec);
         }
     }
 
-    static class AccessTuple
+    public static class AccessTuple
     {
         private final String connector;
         private final InetAddress address;

tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/DistributionTests.java

@@ -1376,4 +1376,42 @@ public void testVirtualThreadPool() throws Exception
             }
         }
     }
+
+    @Test
+    public void testInetAccessHandler() throws Exception
+    {
+        String jettyVersion = System.getProperty("jettyVersion");
+        JettyHomeTester distribution = JettyHomeTester.Builder.newInstance()
+            .jettyVersion(jettyVersion)
+            .mavenLocalRepository(System.getProperty("mavenRepoPath"))
+            .build();
+
+        try (JettyHomeTester.Run run1 = distribution.start("--add-modules=inetaccess,http"))
+        {
+            assertTrue(run1.awaitFor(10, TimeUnit.SECONDS));
+            assertEquals(0, run1.getExitValue());
+
+            int httpPort = distribution.freePort();
+            List<String> args = List.of(
+                "jetty.inetaccess.exclude=|/excludedPath/*",
+                "jetty.http.port=" + httpPort);
+            try (JettyHomeTester.Run run2 = distribution.start(args))
+            {
+                assertTrue(run2.awaitConsoleLogsFor("Started Server@", 10, TimeUnit.SECONDS));
+                startHttpClient();
+
+                // Excluded path returns 403 response.
+                ContentResponse response = client.newRequest("http://localhost:" + httpPort + "/excludedPath")
+                    .timeout(15, TimeUnit.SECONDS)
+                    .send();
+                assertEquals(HttpStatus.FORBIDDEN_403, response.getStatus());
+
+                // Other paths return 404 response.
+                response = client.newRequest("http://localhost:" + httpPort + "/path")
+                    .timeout(15, TimeUnit.SECONDS)
+                    .send();
+                assertEquals(HttpStatus.NOT_FOUND_404, response.getStatus());
+            }
+        }
+    }
 }