Tests for custom ip filters (#5872)

* Add "none" as a valid argument for --allow-ips to allow narrow
custom ranges, eg.: --allow-ips="none 10.0.0.0/8"
* Add tests for parsing filter arguments and node endpoints.
* Add ipnetwork crate to dev dependencies for testing.

Cargo.toml

@@ -66,6 +66,7 @@ rustc_version = "0.2"
 [dev-dependencies]
 ethcore-ipc-tests = { path = "ipc/tests" }
 pretty_assertions = "0.1"
+ipnetwork = "0.12.6"
 
 [target.'cfg(windows)'.dependencies]
 winapi = "0.2"

parity/cli/usage.txt

@@ -151,9 +151,11 @@ Networking Options:
                                    private - connect to private network IP addresses only;
                                    public - connect to public network IP addresses only;
                                    all - connect to any IP address;
-                                   Or a list in the format: "ip_range1,-ip_range2,private,...".
-                                   Where "-ip_range2" means block ip_range2.
-                                   Later ranges in the list override earlier ranges.
+                                   none - block all (for use with a custom filter as follows);
+                                   Or a list in the format: "private,ip_range1,-ip_range2,...".
+                                   Where ip_range1 would be allowed and ip_range2 blocked;
+                                   Custom blocks ("-ip_range") override custom allows ("ip_range").
+                                   Latest predefined ("public, private, etc") in the list will be used.
                                    (default: {flag_allow_ips}).
   --max-pending-peers NUM          Allow up to NUM pending connections. (default: {flag_max_pending_peers})
   --no-ancient-blocks              Disable downloading old blocks after snapshot restoration

parity/configuration.rs

@@ -1077,6 +1077,7 @@ impl Configuration {
 mod tests {
 	use std::io::Write;
 	use std::fs::{File, create_dir};
+	use std::str::FromStr;
 
 	use devtools::{RandomTempPath};
 	use ethcore::client::{VMType, BlockId};
@@ -1094,6 +1095,11 @@ mod tests {
 	use rpc::{WsConfiguration, UiConfiguration};
 	use run::RunCmd;
 
+	use network::{AllowIP, IpFilter};
+
+	extern crate ipnetwork;
+	use self::ipnetwork::IpNetwork;
+
 	use super::*;
 
 	#[derive(Debug, PartialEq)]
@@ -1748,4 +1754,36 @@ mod tests {
 		assert_eq!(&conf0.ipfs_config().interface, "0.0.0.0");
 		assert_eq!(conf0.ipfs_config().hosts, None);
 	}
+
+	#[test]
+	fn allow_ips() {
+		let all = parse(&["parity", "--allow-ips", "all"]);
+		let private = parse(&["parity", "--allow-ips", "private"]);
+		let block_custom = parse(&["parity", "--allow-ips", "-10.0.0.0/8"]);
+		let combo = parse(&["parity", "--allow-ips", "public 10.0.0.0/8 -1.0.0.0/8"]);
+
+		assert_eq!(all.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![],
+		});
+
+		assert_eq!(private.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::Private,
+			custom_allow: vec![],
+			custom_block: vec![],
+		});
+
+		assert_eq!(block_custom.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![IpNetwork::from_str("10.0.0.0/8").unwrap()],
+		});
+
+		assert_eq!(combo.ip_filter().unwrap(), IpFilter {
+			predefined: AllowIP::Public,
+			custom_allow: vec![IpNetwork::from_str("10.0.0.0/8").unwrap()],
+			custom_block: vec![IpNetwork::from_str("1.0.0.0/8").unwrap()],
+		});
+	}
 }

parity/helpers.rs

@@ -28,7 +28,6 @@ use upgrade::{upgrade, upgrade_data_paths};
 use migration::migrate;
 use ethsync::is_valid_node_url;
 use path;
-use network::IpFilter;
 
 pub fn to_duration(s: &str) -> Result<Duration, String> {
 	to_seconds(s).map(Duration::from_secs)
@@ -193,6 +192,7 @@ pub fn to_bootnodes(bootnodes: &Option<String>) -> Result<Vec<String>, String> {
 #[cfg(test)]
 pub fn default_network_config() -> ::ethsync::NetworkConfiguration {
 	use ethsync::{NetworkConfiguration};
+	use super::network::IpFilter;
 	NetworkConfiguration {
 		config_path: Some(replace_home(&::dir::default_data_path(), "$BASE/network")),
 		net_config_path: None,

util/network/src/lib.rs

@@ -151,9 +151,9 @@ impl NonReservedPeerMode {
 #[derive(Clone, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "ipc", binary)]
 pub struct IpFilter {
-    predefined: AllowIP,
-    custom_allow: Vec<IpNetwork>,
-    custom_block: Vec<IpNetwork>,
+    pub predefined: AllowIP,
+    pub custom_allow: Vec<IpNetwork>,
+    pub custom_block: Vec<IpNetwork>,
 } 
 
 impl IpFilter {
@@ -173,6 +173,7 @@ impl IpFilter {
                 "all" => filter.predefined = AllowIP::All,
                 "private" => filter.predefined = AllowIP::Private,
                 "public" => filter.predefined = AllowIP::Public,
+                "none" => filter.predefined = AllowIP::Non,
                 custom => {
                     if custom.starts_with("-") {
                         match IpNetwork::from_str(&custom.to_owned().split_off(1)) {
@@ -201,5 +202,7 @@ pub enum AllowIP {
 	Private,
 	/// Connect to public network only
 	Public,
+
+    Non,
 }
 

util/network/src/node_table.rs

@@ -69,6 +69,7 @@ impl NodeEndpoint {
 			&AllowIP::All => true,
 			&AllowIP::Private => self.address.ip().is_usable_private(),
 			&AllowIP::Public => self.address.ip().is_usable_public(),
+			&AllowIP::Non => false,
 		}
 	}
 
@@ -375,6 +376,7 @@ mod tests {
 	use util::H512;
 	use std::str::FromStr;
 	use devtools::*;
+	use ipnetwork::IpNetwork;
 
 	#[test]
 	fn endpoint_parse() {
@@ -447,4 +449,28 @@ mod tests {
 			assert_eq!(r[1][..], id2[..]);
 		}
 	}
+
+	#[test]
+	fn custom_allow() {
+		let filter = IpFilter {
+			predefined: AllowIP::Non,
+			custom_allow: vec![IpNetwork::from_str(&"10.0.0.0/8").unwrap(), IpNetwork::from_str(&"1.0.0.0/8").unwrap()],
+			custom_block: vec![],
+		};
+		assert!(!NodeEndpoint::from_str("123.99.55.44:7770").unwrap().is_allowed(&filter));
+		assert!(NodeEndpoint::from_str("10.0.0.1:7770").unwrap().is_allowed(&filter));
+		assert!(NodeEndpoint::from_str("1.0.0.55:5550").unwrap().is_allowed(&filter));
+	}
+
+	#[test]
+	fn custom_block() {
+		let filter = IpFilter {
+			predefined: AllowIP::All,
+			custom_allow: vec![],
+			custom_block: vec![IpNetwork::from_str(&"10.0.0.0/8").unwrap(), IpNetwork::from_str(&"1.0.0.0/8").unwrap()],
+		};
+		assert!(NodeEndpoint::from_str("123.99.55.44:7770").unwrap().is_allowed(&filter));
+		assert!(!NodeEndpoint::from_str("10.0.0.1:7770").unwrap().is_allowed(&filter));
+		assert!(!NodeEndpoint::from_str("1.0.0.55:5550").unwrap().is_allowed(&filter));
+	}
 }