From 0ee567ca6a355d78d5eb8c54925efda06d5bdfa6 Mon Sep 17 00:00:00 2001 From: kkolinko Date: Fri, 6 Nov 2009 05:12:50 +0000 Subject: [PATCH] svn:eol-style git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@833300 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/catalina/valves/RemoteIpValve.java | 1424 ++++++++++---------- .../apache/catalina/valves/RemoteIpValveTest.java | 772 +++++------ 2 files changed, 1098 insertions(+), 1098 deletions(-) diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java b/java/org/apache/catalina/valves/RemoteIpValve.java index 44a3cff50..5b49b227a 100644 --- a/java/org/apache/catalina/valves/RemoteIpValve.java +++ b/java/org/apache/catalina/valves/RemoteIpValve.java @@ -1,712 +1,712 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.catalina.valves; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.Iterator; -import java.util.LinkedList; -import java.util.List; -import java.util.regex.Pattern; -import java.util.regex.PatternSyntaxException; - -import javax.servlet.ServletException; - -import org.apache.tomcat.util.res.StringManager; -import org.apache.catalina.connector.Request; -import org.apache.catalina.connector.Response; -import org.apache.catalina.valves.Constants; -import org.apache.catalina.valves.RequestFilterValve; -import org.apache.catalina.valves.ValveBase; -import org.apache.juli.logging.Log; -import org.apache.juli.logging.LogFactory; - -/** - *

- * Tomcat port of mod_remoteip, this valve replaces the apparent - * client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request - * headers (e.g. "X-Forwarded-For"). - *

- *

- * Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a - * load balancer via a request header (e.g. "X-Forwarded-Proto"). - *

- *

- * This valve proceeds as follows: - *

- *

- * If the incoming request.getRemoteAddr() matches the valve's list of internal proxies : - *

- *

- *

- * Configuration parameters: - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *
RemoteIpValve propertyDescriptionEquivalent mod_remoteip directiveFormatDefault Value
remoteIPHeaderName of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting clientRemoteIPHeaderCompliant http header namex-forwarded-for
internalProxiesList of internal proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will not appear - * in the proxiesHeader valueRemoteIPInternalProxyComma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
- * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to - * describe with regular expressions
proxiesHeaderName of the http header created by this valve to hold the list of proxies that have been processed in the incoming - * remoteIPHeaderRemoteIPProxiesHeaderCompliant http header namex-forwarded-by
trustedProxiesList of trusted proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will appear - * in the proxiesHeader valueRemoteIPTrustedProxyComma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library) 
protocolHeaderName of the http header read by this valve that holds the flag that this request N/ACompliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Httpsnull
protocolHeaderHttpsValueValue of the protocolHeader to indicate that it is an Https requestN/AString like https or ONhttps
- *

- *

- *

- * This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform. - *

- *

- * Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. - * 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as Tomcat doesn't have a - * library similar to apr_ipsubnet_test, - * RemoteIpValve uses regular expression to configure internalProxies and trustedProxies in the same - * fashion as {@link RequestFilterValve} does. - *

- *
- *

- * Sample with internal proxies - *

- *

- * RemoteIpValve configuration: - *

- * 
- * <Valve 
- *   className="org.apache.catalina.connector.RemoteIpValve"
- *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
- *   remoteIPHeader="x-forwarded-for"
- *   remoteIPProxiesHeader="x-forwarded-by"
- *   protocolHeader="x-forwarded-proto"
- *   />
 - *

- * Request values: - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, 192.168.0.10null
request.header['x-forwarded-by']nullnull
request.header['x-forwarded-proto']httpshttps
request.schemehttphttps
request.securefalsetrue
request.serverPort80443
- * Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. - * x-forwarded-by is null because all the proxies are trusted or internal. - *

- *
- *

- * Sample with trusted proxies - *

- *

- * RemoteIpValve configuration: - *

- * 
- * <Valve 
- *   className="org.apache.catalina.connector.RemoteIpValve"
- *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
- *   remoteIPHeader="x-forwarded-for"
- *   remoteIPProxiesHeader="x-forwarded-by"
- *   trustedProxies="proxy1, proxy2"
- *   />
 - *

- * Request values: - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, proxy1, proxy2null
request.header['x-forwarded-by']nullproxy1, proxy2
- * Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both - * are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal. - *

- *
- *

- * Sample with internal and trusted proxies - *

- *

- * RemoteIpValve configuration: - *

- * 
- * <Valve 
- *   className="org.apache.catalina.connector.RemoteIpValve"
- *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
- *   remoteIPHeader="x-forwarded-for"
- *   remoteIPProxiesHeader="x-forwarded-by"
- *   trustedProxies="proxy1, proxy2"
- *   />
 - *

- * Request values: - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, proxy1, proxy2, 192.168.0.10null
request.header['x-forwarded-by']nullproxy1, proxy2
- * Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both - * are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in - * x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal. - *

- *
- *

- * Sample with an untrusted proxy - *

- *

- * RemoteIpValve configuration: - *

- * 
- * <Valve 
- *   className="org.apache.catalina.connector.RemoteIpValve"
- *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
- *   remoteIPHeader="x-forwarded-for"
- *   remoteIPProxiesHeader="x-forwarded-by"
- *   trustedProxies="proxy1, proxy2"
- *   />
 - *

- * Request values: - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10untrusted-proxy
request.header['x-forwarded-for']140.211.11.130, untrusted-proxy, proxy1140.211.11.130
request.header['x-forwarded-by']nullproxy1
- * Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds - * 140.211.11.130 because untrusted-proxy is not trusted and thus, we can not trust that - * untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP - * verified by proxy1. - *

- */ -public class RemoteIpValve extends ValveBase { - - /** - * {@link Pattern} for a comma delimited string that support whitespace characters - */ - private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*"); - - /** - * The descriptive information related to this implementation. - */ - private static final String info = "org.apache.catalina.connector.RemoteIpValve/1.0"; - - /** - * Logger - */ - private static Log log = LogFactory.getLog(RemoteIpValve.class); - - /** - * The StringManager for this package. - */ - protected static StringManager sm = StringManager.getManager(Constants.Package); - - /** - * Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern} - * - * @return array of patterns (not null) - */ - protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) { - String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns); - List patternsList = new ArrayList(); - for (String pattern : patterns) { - try { - patternsList.add(Pattern.compile(pattern)); - } catch (PatternSyntaxException e) { - throw new IllegalArgumentException(sm.getString("remoteIpValve.syntax", pattern), e); - } - } - return patternsList.toArray(new Pattern[0]); - } - - /** - * Convert a given comma delimited list of regular expressions into an array of String - * - * @return array of patterns (non null) - */ - protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) { - return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern - .split(commaDelimitedStrings); - } - - /** - * Convert an array of strings in a comma delimited string - */ - protected static String listToCommaDelimitedString(List stringList) { - if (stringList == null) { - return ""; - } - StringBuilder result = new StringBuilder(); - for (Iterator it = stringList.iterator(); it.hasNext();) { - Object element = it.next(); - if (element != null) { - result.append(element); - if (it.hasNext()) { - result.append(", "); - } - } - } - return result.toString(); - } - - /** - * Return true if the given str matches at least one of the given patterns. - */ - protected static boolean matchesOne(String str, Pattern... patterns) { - for (Pattern pattern : patterns) { - if (pattern.matcher(str).matches()) { - return true; - } - } - return false; - } - - /** - * @see #setHttpsServerPort(int) - */ - private int httpsServerPort = 443; - - /** - * @see #setInternalProxies(String) - */ - private Pattern[] internalProxies = new Pattern[] { - Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"), - Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") - }; - - /** - * @see #setProtocolHeader(String) - */ - private String protocolHeader = null; - - /** - * @see #setProtocolHeaderHttpsValue(String) - */ - private String protocolHeaderHttpsValue = "https"; - - /** - * @see #setProxiesHeader(String) - */ - private String proxiesHeader = "X-Forwarded-By"; - - /** - * @see #setRemoteIpHeader(String) - */ - private String remoteIpHeader = "X-Forwarded-For"; - - /** - * @see RemoteIpValve#setTrustedProxies(String) - */ - private Pattern[] trustedProxies = new Pattern[0]; - - public int getHttpsServerPort() { - return httpsServerPort; - } - - /** - * Return descriptive information about this Valve implementation. - */ - @Override - public String getInfo() { - return info; - } - - /** - * @see #setInternalProxies(String) - * @return comma delimited list of internal proxies - */ - public String getInternalProxies() { - List internalProxiesAsStringList = new ArrayList(); - for (Pattern internalProxyPattern : internalProxies) { - internalProxiesAsStringList.add(String.valueOf(internalProxyPattern)); - } - return listToCommaDelimitedString(internalProxiesAsStringList); - } - - /** - * @see #setProtocolHeader(String) - * @return the protocol header (e.g. "X-Forwarded-Proto") - */ - public String getProtocolHeader() { - return protocolHeader; - } - - /** - * @see RemoteIpValve#setProtocolHeaderHttpsValue(String) - * @return the value of the protocol header for incoming https request (e.g. "https") - */ - public String getProtocolHeaderHttpsValue() { - return protocolHeaderHttpsValue; - } - - /** - * @see #setProxiesHeader(String) - * @return the proxies header name (e.g. "X-Forwarded-By") - */ - public String getProxiesHeader() { - return proxiesHeader; - } - - /** - * @see #setRemoteIpHeader(String) - * @return the remote IP header name (e.g. "X-Forwarded-For") - */ - public String getRemoteIpHeader() { - return remoteIpHeader; - } - - /** - * @see #setTrustedProxies(String) - * @return comma delimited list of trusted proxies - */ - public String getTrustedProxies() { - List trustedProxiesAsStringList = new ArrayList(); - for (Pattern trustedProxy : trustedProxies) { - trustedProxiesAsStringList.add(String.valueOf(trustedProxy)); - } - return listToCommaDelimitedString(trustedProxiesAsStringList); - } - - /** - * {@inheritDoc} - */ - @Override - public void invoke(Request request, Response response) throws IOException, ServletException { - final String originalRemoteAddr = request.getRemoteAddr(); - final String originalRemoteHost = request.getRemoteHost(); - final String originalScheme = request.getScheme(); - final boolean originalSecure = request.isSecure(); - final int originalServerPort = request.getServerPort(); - - if (matchesOne(originalRemoteAddr, internalProxies)) { - String remoteIp = null; - // In java 6, proxiesHeaderValue should be declared as a java.util.Deque - LinkedList proxiesHeaderValue = new LinkedList(); - - String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIpHeader)); - int idx; - // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain - for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) { - String currentRemoteIp = remoteIPHeaderValue[idx]; - remoteIp = currentRemoteIp; - if (matchesOne(currentRemoteIp, internalProxies)) { - // do nothing, internalProxies IPs are not appended to the - } else if (matchesOne(currentRemoteIp, trustedProxies)) { - proxiesHeaderValue.addFirst(currentRemoteIp); - } else { - idx--; // decrement idx because break statement doesn't do it - break; - } - } - // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader - LinkedList newRemoteIpHeaderValue = new LinkedList(); - for (; idx >= 0; idx--) { - String currentRemoteIp = remoteIPHeaderValue[idx]; - newRemoteIpHeaderValue.addFirst(currentRemoteIp); - } - if (remoteIp != null) { - - request.setRemoteAddr(remoteIp); - request.setRemoteHost(remoteIp); - - // use request.coyoteRequest.mimeHeaders.setValue(str).setString(str) because request.addHeader(str, str) is no-op in Tomcat - // 6.0 - if (proxiesHeaderValue.size() == 0) { - request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader); - } else { - String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue); - request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies); - } - if (newRemoteIpHeaderValue.size() == 0) { - request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader); - } else { - String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue); - request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue); - } - } - - if (protocolHeader != null) { - String protocolHeaderValue = request.getHeader(protocolHeader); - if (protocolHeaderValue != null && protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) { - request.setSecure(true); - // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0 - request.getCoyoteRequest().scheme().setString("https"); - - request.setServerPort(httpsServerPort); - } - } - - if (log.isDebugEnabled()) { - log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr - + "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='" - + originalScheme + "' will be seen as newRemoteAddr='" + request.getRemoteAddr() + "', newRemoteHost='" - + request.getRemoteHost() + "', newScheme='" + request.getScheme() + "', newSecure='" + request.isSecure() + "'"); - } - } - try { - getNext().invoke(request, response); - } finally { - request.setRemoteAddr(originalRemoteAddr); - request.setRemoteHost(originalRemoteHost); - - request.setSecure(originalSecure); - - // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0 - request.getCoyoteRequest().scheme().setString(originalScheme); - - request.setServerPort(originalServerPort); - } - } - - /** - *

- * Server Port value if the {@link #protocolHeader} indicates HTTPS - *

- *

- * Default value : 443 - *

- */ - public void setHttpsServerPort(int httpsServerPort) { - this.httpsServerPort = httpsServerPort; - } - - /** - *

- * Comma delimited list of internal proxies. Can be expressed with regular expressions. - *

- *

- * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} - *

- */ - public void setInternalProxies(String commaDelimitedInternalProxies) { - this.internalProxies = commaDelimitedListToPatternArray(commaDelimitedInternalProxies); - } - - /** - *

- * Header that holds the incoming protocol, usally named X-Forwarded-Proto. If null, request.scheme and - * request.secure will not be modified. - *

- *

- * Default value : null - *

- */ - public void setProtocolHeader(String protocolHeader) { - this.protocolHeader = protocolHeader; - } - - /** - *

- * Case insensitive value of the protocol header to indicate that the incoming http request uses SSL. - *

- *

- * Default value : https - *

- */ - public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) { - this.protocolHeaderHttpsValue = protocolHeaderHttpsValue; - } - - /** - *

- * The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP - * addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, - * while any intermediate RemoteIPInternalProxy addresses are discarded. - *

- *

- * Name of the http header that holds the list of trusted proxies that has been traversed by the http request. - *

- *

- * The value of this header can be comma delimited. - *

- *

- * Default value : X-Forwarded-By - *

- */ - public void setProxiesHeader(String proxiesHeader) { - this.proxiesHeader = proxiesHeader; - } - - /** - *

- * Name of the http header from which the remote ip is extracted. - *

- *

- * The value of this header can be comma delimited. - *

- *

- * Default value : X-Forwarded-For - *

- * - * @param remoteIPHeader - */ - public void setRemoteIpHeader(String remoteIpHeader) { - this.remoteIpHeader = remoteIpHeader; - } - - /** - *

- * Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIPHeader} header. Can be expressed as a - * regular expression. - *

- *

- * Default value : empty list, no external proxy is trusted. - *

- */ - public void setTrustedProxies(String commaDelimitedTrustedProxies) { - this.trustedProxies = commaDelimitedListToPatternArray(commaDelimitedTrustedProxies); - } -} +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.catalina.valves; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.regex.Pattern; +import java.util.regex.PatternSyntaxException; + +import javax.servlet.ServletException; + +import org.apache.tomcat.util.res.StringManager; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.valves.Constants; +import org.apache.catalina.valves.RequestFilterValve; +import org.apache.catalina.valves.ValveBase; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + +/** + *

+ * Tomcat port of mod_remoteip, this valve replaces the apparent + * client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request + * headers (e.g. "X-Forwarded-For"). + *

+ *

+ * Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a + * load balancer via a request header (e.g. "X-Forwarded-Proto"). + *

+ *

+ * This valve proceeds as follows: + *

+ *

+ * If the incoming request.getRemoteAddr() matches the valve's list of internal proxies : + *

    + *
  • Loop on the comma delimited list of IPs and hostnames passed by the preceding load balancer or proxy in the given request's Http + * header named $remoteIPHeader (default value x-forwarded-for). Values are processed in right-to-left order.
    • + *
  • For each ip/host of the list: + *
      + *
    • if it matches the internal proxies list, the ip/host is swallowed
      • + *
    • if it matches the trusted proxies list, the ip/host is added to the created proxies header
      • + *
    • otherwise, the ip/host is declared to be the remote ip and looping is stopped.
      • + *
    + *
    • + *
  • If the request http header named $protocolHeader (e.g. x-forwarded-for) equals to the value of + * protocolHeaderHttpsValue configuration parameter (default https) then request.isSecure = true, + * request.scheme = https and request.serverPort = 443. Note that 443 can be overwritten with the + * $httpsServerPort configuration parameter.
    • + *
+ *

+ *

+ * Configuration parameters: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
RemoteIpValve propertyDescriptionEquivalent mod_remoteip directiveFormatDefault Value
remoteIPHeaderName of the Http Header read by this valve that holds the list of traversed IP addresses starting from the requesting clientRemoteIPHeaderCompliant http header namex-forwarded-for
internalProxiesList of internal proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will not appear + * in the proxiesHeader valueRemoteIPInternalProxyComma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library)10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 169\.254\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3}
+ * By default, 10/8, 192.168/16, 169.254/16 and 127/8 are allowed ; 172.16/12 has not been enabled by default because it is complex to + * describe with regular expressions
proxiesHeaderName of the http header created by this valve to hold the list of proxies that have been processed in the incoming + * remoteIPHeaderRemoteIPProxiesHeaderCompliant http header namex-forwarded-by
trustedProxiesList of trusted proxies ip adress. If they appear in the remoteIpHeader value, they will be trusted and will appear + * in the proxiesHeader valueRemoteIPTrustedProxyComma delimited list of regular expressions (in the syntax supported by the {@link java.util.regex.Pattern} library) 
protocolHeaderName of the http header read by this valve that holds the flag that this request N/ACompliant http header name like X-Forwarded-Proto, X-Forwarded-Ssl or Front-End-Httpsnull
protocolHeaderHttpsValueValue of the protocolHeader to indicate that it is an Https requestN/AString like https or ONhttps
+ *

+ *

+ *

+ * This Valve may be attached to any Container, depending on the granularity of the filtering you wish to perform. + *

+ *

+ * Regular expression vs. IP address blocks: mod_remoteip allows to use address blocks (e.g. + * 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy ; as Tomcat doesn't have a + * library similar to apr_ipsubnet_test, + * RemoteIpValve uses regular expression to configure internalProxies and trustedProxies in the same + * fashion as {@link RequestFilterValve} does. + *

+ *
+ *

+ * Sample with internal proxies + *

+ *

+ * RemoteIpValve configuration: + *

+ * 
+ * <Valve 
+ *   className="org.apache.catalina.connector.RemoteIpValve"
+ *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ *   remoteIPHeader="x-forwarded-for"
+ *   remoteIPProxiesHeader="x-forwarded-by"
+ *   protocolHeader="x-forwarded-proto"
+ *   />
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, 192.168.0.10null
request.header['x-forwarded-by']nullnull
request.header['x-forwarded-proto']httpshttps
request.schemehttphttps
request.securefalsetrue
request.serverPort80443
+ * Note : x-forwarded-by header is null because only internal proxies as been traversed by the request. + * x-forwarded-by is null because all the proxies are trusted or internal. + *

+ *
+ *

+ * Sample with trusted proxies + *

+ *

+ * RemoteIpValve configuration: + *

+ * 
+ * <Valve 
+ *   className="org.apache.catalina.connector.RemoteIpValve"
+ *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ *   remoteIPHeader="x-forwarded-for"
+ *   remoteIPProxiesHeader="x-forwarded-by"
+ *   trustedProxies="proxy1, proxy2"
+ *   />
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, proxy1, proxy2null
request.header['x-forwarded-by']nullproxy1, proxy2
+ * Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both + * are migrated in x-forwarded-by header. x-forwarded-by is null because all the proxies are trusted or internal. + *

+ *
+ *

+ * Sample with internal and trusted proxies + *

+ *

+ * RemoteIpValve configuration: + *

+ * 
+ * <Valve 
+ *   className="org.apache.catalina.connector.RemoteIpValve"
+ *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ *   remoteIPHeader="x-forwarded-for"
+ *   remoteIPProxiesHeader="x-forwarded-by"
+ *   trustedProxies="proxy1, proxy2"
+ *   />
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10140.211.11.130
request.header['x-forwarded-for']140.211.11.130, proxy1, proxy2, 192.168.0.10null
request.header['x-forwarded-by']nullproxy1, proxy2
+ * Note : proxy1 and proxy2 are both trusted proxies that come in x-forwarded-for header, they both + * are migrated in x-forwarded-by header. As 192.168.0.10 is an internal proxy, it does not appear in + * x-forwarded-by. x-forwarded-by is null because all the proxies are trusted or internal. + *

+ *
+ *

+ * Sample with an untrusted proxy + *

+ *

+ * RemoteIpValve configuration: + *

+ * 
+ * <Valve 
+ *   className="org.apache.catalina.connector.RemoteIpValve"
+ *   internalProxies="192\.168\.0\.10, 192\.168\.0\.11"
+ *   remoteIPHeader="x-forwarded-for"
+ *   remoteIPProxiesHeader="x-forwarded-by"
+ *   trustedProxies="proxy1, proxy2"
+ *   />
 + *

+ * Request values: + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + *
propertyValue Before RemoteIpValveValue After RemoteIpValve
request.remoteAddr192.168.0.10untrusted-proxy
request.header['x-forwarded-for']140.211.11.130, untrusted-proxy, proxy1140.211.11.130
request.header['x-forwarded-by']nullproxy1
+ * Note : x-forwarded-by holds the trusted proxy proxy1. x-forwarded-by holds + * 140.211.11.130 because untrusted-proxy is not trusted and thus, we can not trust that + * untrusted-proxy is the actual remote ip. request.remoteAddr is untrusted-proxy that is an IP + * verified by proxy1. + *

+ */ +public class RemoteIpValve extends ValveBase { + + /** + * {@link Pattern} for a comma delimited string that support whitespace characters + */ + private static final Pattern commaSeparatedValuesPattern = Pattern.compile("\\s*,\\s*"); + + /** + * The descriptive information related to this implementation. + */ + private static final String info = "org.apache.catalina.connector.RemoteIpValve/1.0"; + + /** + * Logger + */ + private static Log log = LogFactory.getLog(RemoteIpValve.class); + + /** + * The StringManager for this package. + */ + protected static StringManager sm = StringManager.getManager(Constants.Package); + + /** + * Convert a given comma delimited list of regular expressions into an array of compiled {@link Pattern} + * + * @return array of patterns (not null) + */ + protected static Pattern[] commaDelimitedListToPatternArray(String commaDelimitedPatterns) { + String[] patterns = commaDelimitedListToStringArray(commaDelimitedPatterns); + List patternsList = new ArrayList(); + for (String pattern : patterns) { + try { + patternsList.add(Pattern.compile(pattern)); + } catch (PatternSyntaxException e) { + throw new IllegalArgumentException(sm.getString("remoteIpValve.syntax", pattern), e); + } + } + return patternsList.toArray(new Pattern[0]); + } + + /** + * Convert a given comma delimited list of regular expressions into an array of String + * + * @return array of patterns (non null) + */ + protected static String[] commaDelimitedListToStringArray(String commaDelimitedStrings) { + return (commaDelimitedStrings == null || commaDelimitedStrings.length() == 0) ? new String[0] : commaSeparatedValuesPattern + .split(commaDelimitedStrings); + } + + /** + * Convert an array of strings in a comma delimited string + */ + protected static String listToCommaDelimitedString(List stringList) { + if (stringList == null) { + return ""; + } + StringBuilder result = new StringBuilder(); + for (Iterator it = stringList.iterator(); it.hasNext();) { + Object element = it.next(); + if (element != null) { + result.append(element); + if (it.hasNext()) { + result.append(", "); + } + } + } + return result.toString(); + } + + /** + * Return true if the given str matches at least one of the given patterns. + */ + protected static boolean matchesOne(String str, Pattern... patterns) { + for (Pattern pattern : patterns) { + if (pattern.matcher(str).matches()) { + return true; + } + } + return false; + } + + /** + * @see #setHttpsServerPort(int) + */ + private int httpsServerPort = 443; + + /** + * @see #setInternalProxies(String) + */ + private Pattern[] internalProxies = new Pattern[] { + Pattern.compile("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("192\\.168\\.\\d{1,3}\\.\\d{1,3}"), + Pattern.compile("169\\.254\\.\\d{1,3}\\.\\d{1,3}"), Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") + }; + + /** + * @see #setProtocolHeader(String) + */ + private String protocolHeader = null; + + /** + * @see #setProtocolHeaderHttpsValue(String) + */ + private String protocolHeaderHttpsValue = "https"; + + /** + * @see #setProxiesHeader(String) + */ + private String proxiesHeader = "X-Forwarded-By"; + + /** + * @see #setRemoteIpHeader(String) + */ + private String remoteIpHeader = "X-Forwarded-For"; + + /** + * @see RemoteIpValve#setTrustedProxies(String) + */ + private Pattern[] trustedProxies = new Pattern[0]; + + public int getHttpsServerPort() { + return httpsServerPort; + } + + /** + * Return descriptive information about this Valve implementation. + */ + @Override + public String getInfo() { + return info; + } + + /** + * @see #setInternalProxies(String) + * @return comma delimited list of internal proxies + */ + public String getInternalProxies() { + List internalProxiesAsStringList = new ArrayList(); + for (Pattern internalProxyPattern : internalProxies) { + internalProxiesAsStringList.add(String.valueOf(internalProxyPattern)); + } + return listToCommaDelimitedString(internalProxiesAsStringList); + } + + /** + * @see #setProtocolHeader(String) + * @return the protocol header (e.g. "X-Forwarded-Proto") + */ + public String getProtocolHeader() { + return protocolHeader; + } + + /** + * @see RemoteIpValve#setProtocolHeaderHttpsValue(String) + * @return the value of the protocol header for incoming https request (e.g. "https") + */ + public String getProtocolHeaderHttpsValue() { + return protocolHeaderHttpsValue; + } + + /** + * @see #setProxiesHeader(String) + * @return the proxies header name (e.g. "X-Forwarded-By") + */ + public String getProxiesHeader() { + return proxiesHeader; + } + + /** + * @see #setRemoteIpHeader(String) + * @return the remote IP header name (e.g. "X-Forwarded-For") + */ + public String getRemoteIpHeader() { + return remoteIpHeader; + } + + /** + * @see #setTrustedProxies(String) + * @return comma delimited list of trusted proxies + */ + public String getTrustedProxies() { + List trustedProxiesAsStringList = new ArrayList(); + for (Pattern trustedProxy : trustedProxies) { + trustedProxiesAsStringList.add(String.valueOf(trustedProxy)); + } + return listToCommaDelimitedString(trustedProxiesAsStringList); + } + + /** + * {@inheritDoc} + */ + @Override + public void invoke(Request request, Response response) throws IOException, ServletException { + final String originalRemoteAddr = request.getRemoteAddr(); + final String originalRemoteHost = request.getRemoteHost(); + final String originalScheme = request.getScheme(); + final boolean originalSecure = request.isSecure(); + final int originalServerPort = request.getServerPort(); + + if (matchesOne(originalRemoteAddr, internalProxies)) { + String remoteIp = null; + // In java 6, proxiesHeaderValue should be declared as a java.util.Deque + LinkedList proxiesHeaderValue = new LinkedList(); + + String[] remoteIPHeaderValue = commaDelimitedListToStringArray(request.getHeader(remoteIpHeader)); + int idx; + // loop on remoteIPHeaderValue to find the first trusted remote ip and to build the proxies chain + for (idx = remoteIPHeaderValue.length - 1; idx >= 0; idx--) { + String currentRemoteIp = remoteIPHeaderValue[idx]; + remoteIp = currentRemoteIp; + if (matchesOne(currentRemoteIp, internalProxies)) { + // do nothing, internalProxies IPs are not appended to the + } else if (matchesOne(currentRemoteIp, trustedProxies)) { + proxiesHeaderValue.addFirst(currentRemoteIp); + } else { + idx--; // decrement idx because break statement doesn't do it + break; + } + } + // continue to loop on remoteIPHeaderValue to build the new value of the remoteIPHeader + LinkedList newRemoteIpHeaderValue = new LinkedList(); + for (; idx >= 0; idx--) { + String currentRemoteIp = remoteIPHeaderValue[idx]; + newRemoteIpHeaderValue.addFirst(currentRemoteIp); + } + if (remoteIp != null) { + + request.setRemoteAddr(remoteIp); + request.setRemoteHost(remoteIp); + + // use request.coyoteRequest.mimeHeaders.setValue(str).setString(str) because request.addHeader(str, str) is no-op in Tomcat + // 6.0 + if (proxiesHeaderValue.size() == 0) { + request.getCoyoteRequest().getMimeHeaders().removeHeader(proxiesHeader); + } else { + String commaDelimitedListOfProxies = listToCommaDelimitedString(proxiesHeaderValue); + request.getCoyoteRequest().getMimeHeaders().setValue(proxiesHeader).setString(commaDelimitedListOfProxies); + } + if (newRemoteIpHeaderValue.size() == 0) { + request.getCoyoteRequest().getMimeHeaders().removeHeader(remoteIpHeader); + } else { + String commaDelimitedRemoteIpHeaderValue = listToCommaDelimitedString(newRemoteIpHeaderValue); + request.getCoyoteRequest().getMimeHeaders().setValue(remoteIpHeader).setString(commaDelimitedRemoteIpHeaderValue); + } + } + + if (protocolHeader != null) { + String protocolHeaderValue = request.getHeader(protocolHeader); + if (protocolHeaderValue != null && protocolHeaderHttpsValue.equalsIgnoreCase(protocolHeaderValue)) { + request.setSecure(true); + // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0 + request.getCoyoteRequest().scheme().setString("https"); + + request.setServerPort(httpsServerPort); + } + } + + if (log.isDebugEnabled()) { + log.debug("Incoming request " + request.getRequestURI() + " with originalRemoteAddr '" + originalRemoteAddr + + "', originalRemoteHost='" + originalRemoteHost + "', originalSecure='" + originalSecure + "', originalScheme='" + + originalScheme + "' will be seen as newRemoteAddr='" + request.getRemoteAddr() + "', newRemoteHost='" + + request.getRemoteHost() + "', newScheme='" + request.getScheme() + "', newSecure='" + request.isSecure() + "'"); + } + } + try { + getNext().invoke(request, response); + } finally { + request.setRemoteAddr(originalRemoteAddr); + request.setRemoteHost(originalRemoteHost); + + request.setSecure(originalSecure); + + // use request.coyoteRequest.scheme instead of request.setScheme() because request.setScheme() is no-op in Tomcat 6.0 + request.getCoyoteRequest().scheme().setString(originalScheme); + + request.setServerPort(originalServerPort); + } + } + + /** + *

+ * Server Port value if the {@link #protocolHeader} indicates HTTPS + *

+ *

+ * Default value : 443 + *

+ */ + public void setHttpsServerPort(int httpsServerPort) { + this.httpsServerPort = httpsServerPort; + } + + /** + *

+ * Comma delimited list of internal proxies. Can be expressed with regular expressions. + *

+ *

+ * Default value : 10\.\d{1,3}\.\d{1,3}\.\d{1,3}, 192\.168\.\d{1,3}\.\d{1,3}, 127\.\d{1,3}\.\d{1,3}\.\d{1,3} + *

+ */ + public void setInternalProxies(String commaDelimitedInternalProxies) { + this.internalProxies = commaDelimitedListToPatternArray(commaDelimitedInternalProxies); + } + + /** + *

+ * Header that holds the incoming protocol, usally named X-Forwarded-Proto. If null, request.scheme and + * request.secure will not be modified. + *

+ *

+ * Default value : null + *

+ */ + public void setProtocolHeader(String protocolHeader) { + this.protocolHeader = protocolHeader; + } + + /** + *

+ * Case insensitive value of the protocol header to indicate that the incoming http request uses SSL. + *

+ *

+ * Default value : https + *

+ */ + public void setProtocolHeaderHttpsValue(String protocolHeaderHttpsValue) { + this.protocolHeaderHttpsValue = protocolHeaderHttpsValue; + } + + /** + *

+ * The proxiesHeader directive specifies a header into which mod_remoteip will collect a list of all of the intermediate client IP + * addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy addresses are recorded in this header, + * while any intermediate RemoteIPInternalProxy addresses are discarded. + *

+ *

+ * Name of the http header that holds the list of trusted proxies that has been traversed by the http request. + *

+ *

+ * The value of this header can be comma delimited. + *

+ *

+ * Default value : X-Forwarded-By + *

+ */ + public void setProxiesHeader(String proxiesHeader) { + this.proxiesHeader = proxiesHeader; + } + + /** + *

+ * Name of the http header from which the remote ip is extracted. + *

+ *

+ * The value of this header can be comma delimited. + *

+ *

+ * Default value : X-Forwarded-For + *

+ * + * @param remoteIPHeader + */ + public void setRemoteIpHeader(String remoteIpHeader) { + this.remoteIpHeader = remoteIpHeader; + } + + /** + *

+ * Comma delimited list of proxies that are trusted when they appear in the {@link #remoteIPHeader} header. Can be expressed as a + * regular expression. + *

+ *

+ * Default value : empty list, no external proxy is trusted. + *

+ */ + public void setTrustedProxies(String commaDelimitedTrustedProxies) { + this.trustedProxies = commaDelimitedListToPatternArray(commaDelimitedTrustedProxies); + } +} diff --git a/test/org/apache/catalina/valves/RemoteIpValveTest.java b/test/org/apache/catalina/valves/RemoteIpValveTest.java index 3afee685c..d1946f1c6 100644 --- a/test/org/apache/catalina/valves/RemoteIpValveTest.java +++ b/test/org/apache/catalina/valves/RemoteIpValveTest.java @@ -1,386 +1,386 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.catalina.valves; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; - -import javax.servlet.ServletException; - -import junit.framework.TestCase; - -import org.apache.catalina.connector.Request; -import org.apache.catalina.connector.Response; -import org.apache.catalina.valves.ValveBase; - -/** - * {@link RemoteIpValve} Tests - */ -public class RemoteIpValveTest extends TestCase { - - static class RemoteAddrAndHostTrackerValve extends ValveBase { - private String remoteAddr; - private String remoteHost; - - public String getRemoteAddr() { - return remoteAddr; - } - - public String getRemoteHost() { - return remoteHost; - } - - @Override - public void invoke(Request request, Response response) throws IOException, ServletException { - this.remoteHost = request.getRemoteHost(); - this.remoteAddr = request.getRemoteAddr(); - } - } - - public void testCommaDelimitedListToStringArray() { - List elements = Arrays.asList("element1", "element2", "element3"); - String actual = RemoteIpValve.listToCommaDelimitedString(elements); - assertEquals("element1, element2, element3", actual); - } - - public void testCommaDelimitedListToStringArrayEmptyList() { - List elements = new ArrayList(); - String actual = RemoteIpValve.listToCommaDelimitedString(elements); - assertEquals("", actual); - } - - public void testCommaDelimitedListToStringArrayNullList() { - String actual = RemoteIpValve.listToCommaDelimitedString(null); - assertEquals("", actual); - } - - public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception { - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); - remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("192.168.0.10"); - request.setRemoteHost("remote-host-original-value"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertNull("x-forwarded-for must be null", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertNull("x-forwarded-by must be null", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "192.168.0.10", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "remote-host-original-value", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); - - } - - public void testInvokeAllProxiesAreTrusted() throws Exception { - - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); - remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("192.168.0.10"); - request.setRemoteHost("remote-host-original-value"); - request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); - } - - public void testInvokeAllProxiesAreTrustedOrInternal() throws Exception { - - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); - remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("192.168.0.10"); - request.setRemoteHost("remote-host-original-value"); - request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for") - .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); - } - - public void testInvokeAllProxiesAreInternal() throws Exception { - - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); - remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("192.168.0.10"); - request.setRemoteHost("remote-host-original-value"); - request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, 192.168.0.10, 192.168.0.11"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); - } - - public void testInvokeAllProxiesAreTrustedAndRemoteAddrMatchRegexp() throws Exception { - - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("127\\.0\\.0\\.1, 192\\.168\\..*, another-internal-proxy"); - remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("192.168.0.10"); - request.setRemoteHost("remote-host-original-value"); - request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); - } - - public void testInvokeNotAllowedRemoteAddr() throws Exception { - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); - remoteIpValve.setTrustedProxies("proxy1,proxy2,proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("not-allowed-internal-proxy"); - request.setRemoteHost("not-allowed-internal-proxy-host"); - request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertNull("x-forwarded-by must be null", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy-host", actualPostInvokeRemoteHost); - } - - public void testInvokeUntrustedProxyInTheChain() throws Exception { - // PREPARE - RemoteIpValve remoteIpValve = new RemoteIpValve(); - remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); - remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); - remoteIpValve.setRemoteIpHeader("x-forwarded-for"); - remoteIpValve.setProxiesHeader("x-forwarded-by"); - RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); - remoteIpValve.setNext(remoteAddrAndHostTrackerValve); - - Request request = new Request(); - request.setCoyoteRequest(new org.apache.coyote.Request()); - request.setRemoteAddr("192.168.0.10"); - request.setRemoteHost("remote-host-original-value"); - request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for") - .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2"); - - // TEST - remoteIpValve.invoke(request, null); - - // VERIFY - String actualXForwardedFor = request.getHeader("x-forwarded-for"); - assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130, proxy1", actualXForwardedFor); - - String actualXForwardedBy = request.getHeader("x-forwarded-by"); - assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2", actualXForwardedBy); - - String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); - assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr); - - String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); - assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost); - - String actualPostInvokeRemoteAddr = request.getRemoteAddr(); - assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); - - String actualPostInvokeRemoteHost = request.getRemoteHost(); - assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); - } - - public void testListToCommaDelimitedString() { - String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1, element2, element3"); - String[] expected = new String[] { - "element1", "element2", "element3" - }; - assertArrayEquals(expected, actual); - } - - public void testListToCommaDelimitedStringMixedSpaceChars() { - String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1 , element2,\t element3"); - String[] expected = new String[] { - "element1", "element2", "element3" - }; - assertArrayEquals(expected, actual); - } - - private void assertArrayEquals(String[] expected, String[] actual) { - if (expected == null) { - assertNull(actual); - return; - } - assertNotNull(actual); - assertEquals(expected.length, actual.length); - List e = new ArrayList(); - e.addAll(Arrays.asList(expected)); - List a = new ArrayList(); - a.addAll(Arrays.asList(actual)); - - for (String entry : e) { - assertTrue(a.remove(entry)); - } - assertTrue(a.isEmpty()); - } -} +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.catalina.valves; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.servlet.ServletException; + +import junit.framework.TestCase; + +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.valves.ValveBase; + +/** + * {@link RemoteIpValve} Tests + */ +public class RemoteIpValveTest extends TestCase { + + static class RemoteAddrAndHostTrackerValve extends ValveBase { + private String remoteAddr; + private String remoteHost; + + public String getRemoteAddr() { + return remoteAddr; + } + + public String getRemoteHost() { + return remoteHost; + } + + @Override + public void invoke(Request request, Response response) throws IOException, ServletException { + this.remoteHost = request.getRemoteHost(); + this.remoteAddr = request.getRemoteAddr(); + } + } + + public void testCommaDelimitedListToStringArray() { + List elements = Arrays.asList("element1", "element2", "element3"); + String actual = RemoteIpValve.listToCommaDelimitedString(elements); + assertEquals("element1, element2, element3", actual); + } + + public void testCommaDelimitedListToStringArrayEmptyList() { + List elements = new ArrayList(); + String actual = RemoteIpValve.listToCommaDelimitedString(elements); + assertEquals("", actual); + } + + public void testCommaDelimitedListToStringArrayNullList() { + String actual = RemoteIpValve.listToCommaDelimitedString(null); + assertEquals("", actual); + } + + public void testInvokeAllowedRemoteAddrWithNullRemoteIpHeader() throws Exception { + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); + remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("192.168.0.10"); + request.setRemoteHost("remote-host-original-value"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertNull("x-forwarded-for must be null", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertNull("x-forwarded-by must be null", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "192.168.0.10", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "remote-host-original-value", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); + + } + + public void testInvokeAllProxiesAreTrusted() throws Exception { + + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); + remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("192.168.0.10"); + request.setRemoteHost("remote-host-original-value"); + request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); + } + + public void testInvokeAllProxiesAreTrustedOrInternal() throws Exception { + + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); + remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("192.168.0.10"); + request.setRemoteHost("remote-host-original-value"); + request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for") + .setString("140.211.11.130, proxy1, proxy2, 192.168.0.10, 192.168.0.11"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); + } + + public void testInvokeAllProxiesAreInternal() throws Exception { + + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); + remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("192.168.0.10"); + request.setRemoteHost("remote-host-original-value"); + request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, 192.168.0.10, 192.168.0.11"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertNull("all proxies are internal, x-forwarded-for must be null", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertNull("all proxies are internal, x-forwarded-by must be null", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); + } + + public void testInvokeAllProxiesAreTrustedAndRemoteAddrMatchRegexp() throws Exception { + + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("127\\.0\\.0\\.1, 192\\.168\\..*, another-internal-proxy"); + remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("192.168.0.10"); + request.setRemoteHost("remote-host-original-value"); + request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertNull("all proxies are trusted, x-forwarded-for must be null", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertEquals("all proxies are trusted, they must appear in x-forwarded-by", "proxy1, proxy2", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "140.211.11.130", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "140.211.11.130", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); + } + + public void testInvokeNotAllowedRemoteAddr() throws Exception { + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); + remoteIpValve.setTrustedProxies("proxy1,proxy2,proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("not-allowed-internal-proxy"); + request.setRemoteHost("not-allowed-internal-proxy-host"); + request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for").setString("140.211.11.130, proxy1, proxy2"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertEquals("x-forwarded-for must be unchanged", "140.211.11.130, proxy1, proxy2", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertNull("x-forwarded-by must be null", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "not-allowed-internal-proxy", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "not-allowed-internal-proxy-host", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "not-allowed-internal-proxy-host", actualPostInvokeRemoteHost); + } + + public void testInvokeUntrustedProxyInTheChain() throws Exception { + // PREPARE + RemoteIpValve remoteIpValve = new RemoteIpValve(); + remoteIpValve.setInternalProxies("192\\.168\\.0\\.10, 192\\.168\\.0\\.11"); + remoteIpValve.setTrustedProxies("proxy1, proxy2, proxy3"); + remoteIpValve.setRemoteIpHeader("x-forwarded-for"); + remoteIpValve.setProxiesHeader("x-forwarded-by"); + RemoteAddrAndHostTrackerValve remoteAddrAndHostTrackerValve = new RemoteAddrAndHostTrackerValve(); + remoteIpValve.setNext(remoteAddrAndHostTrackerValve); + + Request request = new Request(); + request.setCoyoteRequest(new org.apache.coyote.Request()); + request.setRemoteAddr("192.168.0.10"); + request.setRemoteHost("remote-host-original-value"); + request.getCoyoteRequest().getMimeHeaders().addValue("x-forwarded-for") + .setString("140.211.11.130, proxy1, untrusted-proxy, proxy2"); + + // TEST + remoteIpValve.invoke(request, null); + + // VERIFY + String actualXForwardedFor = request.getHeader("x-forwarded-for"); + assertEquals("ip/host before untrusted-proxy must appear in x-forwarded-for", "140.211.11.130, proxy1", actualXForwardedFor); + + String actualXForwardedBy = request.getHeader("x-forwarded-by"); + assertEquals("ip/host after untrusted-proxy must appear in x-forwarded-by", "proxy2", actualXForwardedBy); + + String actualRemoteAddr = remoteAddrAndHostTrackerValve.getRemoteAddr(); + assertEquals("remoteAddr", "untrusted-proxy", actualRemoteAddr); + + String actualRemoteHost = remoteAddrAndHostTrackerValve.getRemoteHost(); + assertEquals("remoteHost", "untrusted-proxy", actualRemoteHost); + + String actualPostInvokeRemoteAddr = request.getRemoteAddr(); + assertEquals("postInvoke remoteAddr", "192.168.0.10", actualPostInvokeRemoteAddr); + + String actualPostInvokeRemoteHost = request.getRemoteHost(); + assertEquals("postInvoke remoteAddr", "remote-host-original-value", actualPostInvokeRemoteHost); + } + + public void testListToCommaDelimitedString() { + String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1, element2, element3"); + String[] expected = new String[] { + "element1", "element2", "element3" + }; + assertArrayEquals(expected, actual); + } + + public void testListToCommaDelimitedStringMixedSpaceChars() { + String[] actual = RemoteIpValve.commaDelimitedListToStringArray("element1 , element2,\t element3"); + String[] expected = new String[] { + "element1", "element2", "element3" + }; + assertArrayEquals(expected, actual); + } + + private void assertArrayEquals(String[] expected, String[] actual) { + if (expected == null) { + assertNull(actual); + return; + } + assertNotNull(actual); + assertEquals(expected.length, actual.length); + List e = new ArrayList(); + e.addAll(Arrays.asList(expected)); + List a = new ArrayList(); + a.addAll(Arrays.asList(actual)); + + for (String entry : e) { + assertTrue(a.remove(entry)); + } + assertTrue(a.isEmpty()); + } +} -- 2.11.0