Add support for CIDR ranges in ignore_hosts setting.

build.gradle

@@ -589,6 +589,7 @@ dependencies {
     implementation 'com.nimbusds:nimbus-jose-jwt:9.48'
     implementation 'com.rfksystems:blake2b:2.0.0'
     implementation 'com.password4j:password4j:1.8.2'
+    implementation "commons-net:commons-net:3.11.1"
 
     // Action privileges: check tables and compact collections
     implementation 'com.selectivem.collections:special-collections-complete:1.4.0'

src/main/java/org/opensearch/security/auth/AuthFailureListener.java

@@ -18,12 +18,20 @@
 package org.opensearch.security.auth;
 
 import java.net.InetAddress;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.net.util.SubnetUtils;
 
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.AuthCredentials;
 
 public interface AuthFailureListener {
+    List<String> getIgnoreHosts();
+
     void onAuthFailure(InetAddress remoteAddress, AuthCredentials authCredentials, Object request);
 
     WildcardMatcher getIgnoreHostsMatcher();
+
+    Map<String, SubnetUtils.SubnetInfo> getSubnetUtilsMatcherMap();
 }

src/main/java/org/opensearch/security/auth/BackendRegistry.java

@@ -28,7 +28,6 @@
 
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -76,11 +75,13 @@
 import static org.apache.http.HttpStatus.SC_FORBIDDEN;
 import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
 import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static org.opensearch.security.support.SecurityUtils.matchesHostNamePatterns;
+import static org.opensearch.security.support.SecurityUtils.matchesIpAndCidrPatterns;
 import static com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.SAML_TYPE;
 
 public class BackendRegistry {
 
-    protected final Logger log = LogManager.getLogger(this.getClass());
+    protected static final Logger log = LogManager.getLogger(BackendRegistry.class);
     private SortedSet<AuthDomain> restAuthDomains;
     private Set<AuthorizationBackend> restAuthorizers;
 
@@ -696,8 +697,7 @@ private boolean isBlocked(InetAddress address) {
         }
 
         for (ClientBlockRegistry<InetAddress> clientBlockRegistry : ipClientBlockRegistries) {
-            WildcardMatcher ignoreHostsMatcher = ((AuthFailureListener) clientBlockRegistry).getIgnoreHostsMatcher();
-            if (matchesHostPatterns(ignoreHostsMatcher, address, hostResolverMode)) {
+            if (matchesIgnoreHostPatterns(clientBlockRegistry, address, hostResolverMode)) {
                 return false;
             }
             if (clientBlockRegistry.isBlocked(address)) {
@@ -708,21 +708,17 @@ private boolean isBlocked(InetAddress address) {
         return false;
     }
 
-    public static boolean matchesHostPatterns(WildcardMatcher hostMatcher, InetAddress address, String hostResolverMode) {
-        if (hostMatcher == null) {
+    private static boolean matchesIgnoreHostPatterns(
+        ClientBlockRegistry<InetAddress> clientBlockRegistry,
+        InetAddress address,
+        String hostResolverMode
+    ) {
+        WildcardMatcher ignoreHostsMatcher = ((AuthFailureListener) clientBlockRegistry).getIgnoreHostsMatcher();
+        if (ignoreHostsMatcher == null || address == null) {
             return false;
         }
-        if (address != null) {
-            List<String> valuesToCheck = new ArrayList<>(List.of(address.getHostAddress()));
-            if (hostResolverMode != null
-                && (hostResolverMode.equalsIgnoreCase("ip-hostname") || hostResolverMode.equalsIgnoreCase("ip-hostname-lookup"))) {
-                final String hostName = address.getHostName();
-                valuesToCheck.add(hostName);
-            }
-
-            return valuesToCheck.stream().anyMatch(hostMatcher);
-        }
-        return false;
+        return matchesHostNamePatterns(ignoreHostsMatcher, address, hostResolverMode)
+            || matchesIpAndCidrPatterns(clientBlockRegistry, address);
     }
 
     private boolean isBlocked(String authBackend, String userName) {

src/main/java/org/opensearch/security/auth/limiting/AbstractRateLimiter.java

@@ -21,20 +21,25 @@
 import java.nio.file.Path;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.net.util.SubnetUtils;
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auth.AuthFailureListener;
 import org.opensearch.security.auth.blocking.ClientBlockRegistry;
 import org.opensearch.security.auth.blocking.HeapBasedClientBlockRegistry;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.AuthCredentials;
+import org.opensearch.security.util.IPAddressUtils;
 import org.opensearch.security.util.ratetracking.RateTracker;
 
 public abstract class AbstractRateLimiter<ClientIdType> implements AuthFailureListener, ClientBlockRegistry<ClientIdType> {
     protected final ClientBlockRegistry<ClientIdType> clientBlockRegistry;
     protected final RateTracker<ClientIdType> rateTracker;
     protected final List<String> ignoreHosts;
     private WildcardMatcher ignoreHostMatcher;
+    protected final Map<String, SubnetUtils.SubnetInfo> subnetUtilsMatcherMap;
 
     public AbstractRateLimiter(Settings settings, Path configPath, Class<ClientIdType> clientIdType) {
         this.ignoreHosts = settings.getAsList("ignore_hosts", Collections.emptyList());
@@ -48,6 +53,19 @@ public AbstractRateLimiter(Settings settings, Path configPath, Class<ClientIdTyp
             settings.getAsInt("allowed_tries", 10),
             settings.getAsInt("max_tracked_clients", 100_000)
         );
+        this.subnetUtilsMatcherMap = IPAddressUtils.createSubnetUtils(
+            ignoreHosts.stream().filter(IPAddressUtils::isValidIpv4Cidr).toList()
+        );
+    }
+
+    @Override
+    public List<String> getIgnoreHosts() {
+        return ignoreHosts;
+    }
+
+    @Override
+    public Map<String, SubnetUtils.SubnetInfo> getSubnetUtilsMatcherMap() {
+        return subnetUtilsMatcherMap;
     }
 
     @Override

src/main/java/org/opensearch/security/support/SecurityUtils.java

@@ -26,16 +26,25 @@
 
 package org.opensearch.security.support;
 
+import java.net.InetAddress;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.Base64;
+import java.util.List;
 import java.util.Locale;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import org.apache.commons.net.util.SubnetUtils;
+import org.apache.commons.net.util.SubnetUtils.SubnetInfo;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.common.settings.Settings;
+import org.opensearch.security.auth.AuthFailureListener;
+import org.opensearch.security.auth.blocking.ClientBlockRegistry;
 import org.opensearch.security.tools.Hasher;
 
 public final class SecurityUtils {
@@ -46,6 +55,7 @@
     static final Pattern ENVBC_PATTERN = Pattern.compile("\\$\\{envbc" + ENV_PATTERN_SUFFIX);
     static final Pattern ENVBASE64_PATTERN = Pattern.compile("\\$\\{envbase64" + ENV_PATTERN_SUFFIX);
     public static Locale EN_Locale = forEN();
+    private static final Map<String, SubnetInfo> cidrCache = new ConcurrentHashMap<>();
 
     private SecurityUtils() {}
 
@@ -140,4 +150,53 @@
             return bc ? Hasher.hash(envVarValue.toCharArray(), settings) : envVarValue;
         }
     }
+
+    // This is used to match host names - for e.g. *.example.local to dev.example.local
+    public static boolean matchesHostNamePatterns(WildcardMatcher hostMatcher, InetAddress address, String hostResolverMode) {
+        if (address == null || hostMatcher == null) {
+            return false;
+        }
+
+        // Only proceed with hostname checks if hostResolverMode is configured
+        if (hostResolverMode != null
+            && (hostResolverMode.equalsIgnoreCase("ip-hostname") || hostResolverMode.equalsIgnoreCase("ip-hostname-lookup"))) {
+            try {
+                List<String> valuesToCheck = new ArrayList<>(List.of(address.getHostAddress()));
+                final String hostName = address.getHostName();
+                valuesToCheck.add(hostName);
+                return valuesToCheck.stream().anyMatch(hostMatcher);
+            } catch (Exception e) {
+                log.warn("Failed to resolve hostname for {}: {}", address.getHostAddress(), e.getMessage());
+                return false;
+            }
+        }
+        return false;
+    }
+
+    // This is used to match IP addresses - for e.g. 192.168.0.1 to 192.168.0.0/16
+    public static boolean matchesIpAndCidrPatterns(ClientBlockRegistry<InetAddress> clientBlockRegistry, InetAddress address) {
+        if (address == null || clientBlockRegistry == null) {
+            return false;
+        }
+
+        AuthFailureListener authFailureListener = (AuthFailureListener) clientBlockRegistry;
+        final String hostAddress = address.getHostAddress();
+
+        for (String pattern : authFailureListener.getIgnoreHosts()) {
+            // Handle CIDR patterns - SubnetUtilsMatcherMap holds a SubnetInfo object for valid IPv4 patterns
+            if (authFailureListener.getSubnetUtilsMatcherMap().containsKey(pattern)) {
+                SubnetUtils.SubnetInfo subnetInfo = authFailureListener.getSubnetUtilsMatcherMap().get(pattern);
+                if (subnetInfo != null && subnetInfo.isInRange(hostAddress)) {
+                    return true;
+                }
+            } else {
+                // Handle both direct IPs and wildcard IP patterns
+                if (authFailureListener.getIgnoreHostsMatcher().test(hostAddress)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+
+    }
 }

src/main/java/org/opensearch/security/util/IPAddressUtils.java

@@ -0,0 +1,79 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.util;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+import org.apache.commons.net.util.SubnetUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.security.support.SecurityUtils;
+
+public class IPAddressUtils {
+
+    protected final static Logger log = LogManager.getLogger(SecurityUtils.class);
+    private static final String IP_ADDRESS = "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})";
+    private static final String SLASH_FORMAT = IP_ADDRESS + "/(\\d{1,2})"; // 0 -> 32
+    private static final Pattern IPV4_CIDR_PATTERN = Pattern.compile(SLASH_FORMAT);
+
+    /**
+     * Creates a map of CIDR strings to their corresponding SubnetInfo objects
+     *
+     * @param hosts List of CIDR patterns to process
+     * @return Map of valid CIDR strings to their SubnetInfo objects
+     */
+    public static Map<String, SubnetUtils.SubnetInfo> createSubnetUtils(List<String> hosts) {
+        if (hosts == null || hosts.isEmpty()) {
+            return Collections.emptyMap();
+        }
+
+        return hosts.stream()
+            .filter(Objects::nonNull)
+            .collect(
+                Collectors.toMap(
+                    cidr -> cidr,
+                    IPAddressUtils::getSubnetForCidr,
+                    (existing, replacement) -> existing,
+                    () -> new HashMap<>(hosts.size())
+                )
+            );
+    }
+
+    /**
+     * Creates a SubnetInfo object for a given CIDR pattern
+     *
+     * @param cidr CIDR pattern to process
+     * @return SubnetInfo object for the given CIDR
+     */
+    private static SubnetUtils.SubnetInfo getSubnetForCidr(String cidr) {
+        SubnetUtils utils = new SubnetUtils(cidr);
+        utils.setInclusiveHostCount(true);
+        return utils.getInfo();
+    }
+
+    /**
+     * Validates if a given string matches IPv4 CIDR pattern
+     *
+     * @param cidr String to validate
+     * @return true if the string is a valid IPv4 CIDR pattern, false otherwise
+     */
+    public static boolean isValidIpv4Cidr(String cidr) {
+        return cidr != null && IPV4_CIDR_PATTERN.matcher(cidr).matches();
+    }
+}