subnets 1.0.0pre

data/test/benchmark_helper.rb

@@ -0,0 +1,59 @@
+require 'benchmark'
+require 'ipaddr'
+require 'ipaddress'
+require 'socket'
+
+require 'subnets'
+require 'well_known_subnets'
+
+# RANDOM_IPS = (
+#   (1..1000).map{random_ipv4(CLOUDFRONT_SUBNETS.sample)} +
+#   (1..3000).map{PRIVATE_SUBNETS_IPV4.sample}
+#   (1..4000).map{random_ipv4}
+# ).shuffle
+
+def random_ip(subnet)
+  net = Subnets.parse(subnet)
+  Subnets::IP4.random & ~net.mask | net.address
+end
+
+def plotbarslogscale(prefix: '%-15.15s %5.2f ', width:, min:, max:, tics:[], data:{})
+  pos = proc { |x| (Math.log10(x) - Math.log10(min)) * width/Math.log10(max) }
+
+  # https://en.wikipedia.org/wiki/Block_Elements
+  eighths = {
+    8 => "\u2588",
+    7 => "\u2589",
+    6 => "\u258a",
+    5 => "\u258b",
+    4 => "\u258c",
+    3 => "\u258d",
+    2 => "\u258e",
+    1 => "\u258f",
+    0 => "",
+  }
+
+  bar = proc do |w|
+    eighths[8]*(w.floor) + eighths[((w - w.floor)*8).round]
+  end
+
+  prefixwidth = 0
+  data.each do |k,v|
+    str = prefix % [k,v]
+    prefixwidth = [prefixwidth, str.size].max
+    puts(str + bar.call(pos.call(v)))
+  end
+
+  if tics.size > 0
+    ticbar = ''
+    labelbar = ''
+    tics.each do |tic|
+      x = pos.call(tic).round
+      ticbar += (' '*(x - ticbar.size) + "'")
+      labelbar += (' '*(x - labelbar.size) + "#{tic}")
+    end
+
+    puts(' '*prefixwidth + ticbar)
+    puts(' '*prefixwidth + labelbar)
+  end
+end

data/test/eql_and_hash.rb

@@ -0,0 +1,35 @@
+module EqlAndHash
+  def new_obj(c=klass)
+    c.new(*constructor_args)
+  end
+
+  def new_obj_subclass
+    new_obj(Class.new(klass))
+  end
+
+  def test_eq
+    a, b = [new_obj, new_obj]
+    refute_equal a.object_id, b.object_id
+    assert_equal a, b
+  end
+
+  def test_eq_subclass
+    refute_equal new_obj, new_obj_subclass
+  end
+
+  def test_eq_string
+    refute_equal new_obj, 'str'
+  end
+
+  def test_hash
+    a, b = [new_obj, new_obj]
+    refute_equal a.object_id, b.object_id
+    assert_equal a.hash, b.hash
+
+    h = {}
+    h[a] = 'found'
+    assert_equal 'found', h[a]
+    assert_equal 'found', h[b]
+    assert_nil h[new_obj_subclass]
+  end
+end

data/test/private_networks_benchmark.rb

@@ -0,0 +1,53 @@
+require 'benchmark_helper'
+
+require 'ipaddr'
+require 'ipaddress'
+require 'netaddr'
+require 'subnets'
+require 'rack'
+
+nets = PRIVATE_SUBNETS_IPV4
+ipaddr_nets = nets.map(&IPAddr.method(:new))
+ipaddress_nets = nets.map(&IPAddress::IPv4.method(:new))
+netaddr_nets = nets.map(&NetAddr::IPv4Net.method(:parse))
+subnets_nets = nets.map(&Subnets.method(:parse))
+rack_nets = Rack::Request.new({})
+
+# note: ipaddress and netaddr checks would need additional cases to handle ipv6 too
+ipaddr_check = lambda {|ip| ipaddr_nets.any? { |net| net.include? ip } }
+ipaddress_check = lambda {|ip| ipaddress_nets.any? { |net| net.include?(IPAddress::IPv4.new(ip)) } }
+netaddr_check = lambda {|ip|  netaddr_nets.any? { |net| net.contains(NetAddr::IPv4.parse(ip)) } }
+subnets_check = lambda {|ip| Subnets.include?(subnets_nets, ip) }
+rack_check = lambda {|ip| rack_nets.trusted_proxy?(ip) }
+
+def ipaddr_check.name; 'ipaddr'; end
+def ipaddress_check.name; 'ipaddress'; end
+def netaddr_check.name; 'netaddr'; end
+def subnets_check.name; 'subnets'; end
+def rack_check.name; 'rack (regexp)'; end
+
+results = {}
+
+puts '#'*60
+puts "# check if single IP is in the private IPv4 subnets"
+[ipaddr_check, ipaddress_check, netaddr_check, subnets_check, rack_check].each do |check|
+  total = count = hits = 0
+  until total >= 2
+    net = Subnets.parse((['0.0.0.0/0'] + PRIVATE_SUBNETS_IPV4).sample)
+    ip = (Subnets::IP4.random & ~net.mask | net.address).to_s
+
+    total += Benchmark.measure {
+      100.times do |i|
+        hits += 1 if check.call(ip)
+      end
+    }.total
+    count += 100
+  end
+  puts "%10.10s: checked %8d (%6d hits, %2d%%) in %2.2f for %7.2fus/ip" %
+       [check.name, count, hits, 100.0*hits/count, total, total/count*1e6]
+
+  results[check.name] = total/count*1e6
+end
+
+puts
+plotbarslogscale(prefix: '%-15.15s: %5.2fus/ip ', width: 46, min: 2, max: 65, tics: [2,5,10,20,50], data: results)

data/test/rack_ip_benchmark.rb

@@ -0,0 +1,45 @@
+require 'benchmark_helper'
+
+require 'rack'
+
+def rack_trusted_proxy_benchmark(name, request)
+  total = count = hits = 0
+  until total >= 3
+    ip = random_ip((['0.0.0.0/0'] + PRIVATE_SUBNETS_IPV4).sample).to_s
+
+    100.times {
+      is_trusted = false
+      total += Benchmark.measure {
+        is_trusted = request.trusted_proxy?(ip)
+      }.total
+      hits += 1 if is_trusted
+      count += 1
+    }
+  end
+
+  puts
+  puts "checked %d IPs @ %.2fμs/ip (%d%% trusted)" %
+       [count, 1e6*total/count, 100.0*hits/count]
+  plotbarslogscale(
+    prefix: '%-12.12s %4.2fμs/ip ', width: 36, min: 1, max: 5, tics: [1,2,5],
+    data: { name => 1e6*total/count })
+end
+
+rack_trusted_proxy_benchmark(
+  'rack', Rack::Request.new({}))
+
+subnets = PRIVATE_SUBNETS.map(&Subnets.method(:parse))
+def subnets.trusted_proxy?(ip)
+  Subnets.include?(self, ip)
+end
+
+rack_trusted_proxy_benchmark(
+  'subnets', subnets)
+
+subnets_cf = (PRIVATE_SUBNETS + CLOUDFRONT_SUBNETS).map(&Subnets.method(:parse))
+def subnets_cf.trusted_proxy?(ip)
+  Subnets.include?(self, ip)
+end
+
+rack_trusted_proxy_benchmark(
+  'subnets +CF', subnets_cf)

data/test/rails_remote_ip_benchmark.rb

@@ -0,0 +1,104 @@
+require 'benchmark_helper'
+
+require 'action_dispatch/middleware/remote_ip'
+
+def benchmark(name, getip, mkrequest)
+  total = count = request_count = untrusted = 0
+
+  until total >= 1
+    request = mkrequest.call
+
+    total += Benchmark.measure {
+      untrusted += getip.send(:filter_proxies, request).size
+    }.total
+
+    count += request.size
+    request_count += 1
+  end
+
+  trusted = count - untrusted
+  puts
+  puts "checked %d requests at %.2fμs/req finding %d trusted ips (%d%%)" %
+       [request_count, total/request_count*1e6, trusted, 100.0*trusted/count]
+
+  plotbarslogscale(prefix: '%-15.15s %7.2fμs/req ',
+                   width: 36, min: 1, max: 2000, tics: [1,10,100,1000],
+                   data: { name => total/request_count*1e6 })
+end
+
+pub_priv_priv = ->() {
+  [
+    random_ip('0.0.0.0/0'),
+    random_ip(PRIVATE_SUBNETS_IPV4.sample),
+    random_ip(PRIVATE_SUBNETS_IPV4.sample),
+  ].map(&:to_s)
+}
+
+############################################################
+# as-is rails remote_ip
+
+proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES
+getip = ActionDispatch::RemoteIp::GetIp.new(nil, nil, proxies)
+benchmark('remote_ip', getip, pub_priv_priv)
+
+############################################################
+# as-is rails remote_ip with CloudFront
+
+pub_cf_priv_priv = ->() {
+  [
+    random_ip('0.0.0.0/0'),
+    random_ip(CLOUDFRONT_SUBNETS.sample),
+    random_ip(PRIVATE_SUBNETS_IPV4.sample),
+    random_ip(PRIVATE_SUBNETS_IPV4.sample),
+  ].map(&:to_s)
+}
+
+proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES +
+          CLOUDFRONT_SUBNETS.map(&IPAddr.method(:new))
+getip = ActionDispatch::RemoteIp::GetIp.new(nil, nil, proxies)
+benchmark('remote_ip +CF', getip, pub_cf_priv_priv)
+
+############################################################
+# naive replacement of IPAddr with Subnets-derived objects
+
+proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES.
+            map{|p| "#{p}/#{p.prefix}"}.map(&Subnets.method(:parse))
+getip = ActionDispatch::RemoteIp::GetIp.new(nil, nil, proxies)
+benchmark('subnets', getip, pub_priv_priv)
+
+proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES.
+            map{|p| "#{p}/#{p.prefix}"}.map(&Subnets.method(:parse)) +
+          CLOUDFRONT_SUBNETS.map(&Subnets.method(:parse))
+getip = ActionDispatch::RemoteIp::GetIp.new(nil, nil, proxies)
+benchmark('subnets +CF', getip, pub_cf_priv_priv)
+
+############################################################
+# hack to use fast Subnets.include?
+
+Identity = Object.new
+def Identity.===(v); v; end
+
+# instead of letting Ruby call the block for every element of the
+# list, call it once to extract the ip to be tested, then use fast
+# Subnets.include? method.
+proxies2 = proxies.dup
+
+def proxies2.any?(&block)
+  ip = block.call(Identity)
+  Subnets.include?(self, ip)
+end
+
+getip = ActionDispatch::RemoteIp::GetIp.new(nil, nil, proxies2)
+benchmark('hack +CF', getip, pub_cf_priv_priv)
+
+############################################################
+# Alternate impl to really use fast Subnets.include?
+
+Alternate = Struct.new(:proxies) do
+  def filter_proxies(ips)
+    ips.reject{|ip| Subnets.include?(self.proxies, ip)}
+  end
+end
+
+getip = Alternate.new(proxies)
+benchmark('alt +CF', getip, pub_cf_priv_priv)

data/test/subnets/net4_test.rb

@@ -0,0 +1,74 @@
+require 'test_helper'
+
+module Subnets
+  class TestNet4 < Minitest::Test
+    include EqlAndHash
+
+    def klass
+      Net4
+    end
+
+    def constructor_args
+      [1,24]
+    end
+    
+    def test_new_creates_net4
+      assert_instance_of Net4, Net4.new(1, 1)
+    end
+
+    def test_new_rejects_invalid_prefixlen
+      assert_raises(ArgumentError) { Net4.new(1, 33) }
+    end
+
+    class ParseBadInput < Minitest::Test
+      data = [
+        'a', '12', '1.2.3', '1/2', '',
+      ]
+
+      data.each_with_index do |s, i|
+        define_method("test_parse_fail_%02d" % i) do
+          assert_raises(ParseError) { Net4.parse(s) }
+        end
+      end
+    end
+
+    class Parse < Minitest::Test
+      data = ['127.0.0.1/32', '192.168.0.0/24', '10.1.0.0/16', '1.2.3.4/2']
+
+      data.each_with_index do |cidr, i|
+        define_method("test_parse_%02d" % i) do
+          assert_instance_of Net4, Net4.parse(cidr)
+        end
+      end
+    end
+
+    def test_includes_ip
+      net = Net4.parse '192.168.0.0/24'
+      assert_include net, '192.168.0.0'
+      assert_include net, Subnets.parse('192.168.0.2')
+      assert_include net, '192.168.0.255'
+
+      refute_include net, '192.168.1.0'
+      refute_include net, Subnets.parse('10.168.0.2')
+    end
+
+    def test_includes_net
+      net = Net4.parse '192.168.0.0/24'
+      assert_include net, '192.168.0.0/24'
+      assert_include net, Net4.parse('192.168.0.2/26')
+      refute_include net, '192.168.0.0/22'
+      refute_include net, Net4.parse('10.168.0.0/16')
+    end
+
+    def test_random_roundtrip
+      random = Random.new
+      start = Time.now
+      until Time.now - start > TIMED_TEST_DURATION
+        1000.times do
+          net = Net4.random(random).to_s
+          assert_equal net, Net4.parse(net).to_s
+        end
+      end
+    end
+  end
+end

data/test/subnets/net6_test.rb

@@ -0,0 +1,125 @@
+require 'test_helper'
+require 'ipaddr'
+
+module Subnets
+  class TestNet6 < Minitest::Test
+    include EqlAndHash
+
+    # for EqlAndHash
+    def klass
+      Net6
+    end
+
+    # for EqlAndHash
+    def constructor_args
+      [[1,2,3,4,5,6,7,8], 96]
+    end
+    
+    class New < Minitest::Test
+      def test_rejects_invalid_prefixlen
+        assert_raises(ArgumentError) { Net6.new([0,0,0,0,0,0,0,0], 129) }
+      end
+
+      def test_rejects_invalid_hextets
+        assert_raises(ArgumentError) { Net6.new([0,0,0,0,0,0,0], 128) }
+        assert_raises(ArgumentError) { Net6.new([0,0,0,0,0,0,0,0,0], 128) }
+      end
+
+      def test_creates_net6
+        assert_equal Net6.parse('1:2:44:55:ef::/128'),
+                     Net6.new([0x1,0x2,0x44,0x55,0xef,0,0,0], 128)
+      end
+    end
+
+    class ParseBadInput < Minitest::Test
+      data = [
+        { name: 'leading single colon', s: ':1::' },
+        { name: 'non-hexadecimal', s: 'u' },
+        { name: 'too short', s: '12:' },
+        { name: 'too short', s: ':1' },
+        { name: 'missing compression', s: '1/2' },
+        { name: 'trailing single colon', s: '1::1:/1' },
+        { name: 'leading zero in hextet', s: '045:1:2::/32' },
+        { name: 'prefixlen too large', s: '1::/129' },
+      ]
+
+      data.each_with_index do |d, i|
+        define_method("test_parse_fail_%02d #{d[:name]}" % i) do
+          assert_raises(ParseError) { Net6.parse(d[:s]) }
+        end
+      end
+    end
+
+    class Parse < Minitest::Test
+      data = [
+        { name: 'zero', s: '::/0' },
+        { name: 'localhost', s: '::1/128' },
+        { name: 'first-one', s: '1::/128' },
+        { name: 'one-one', s: '1::1/32' },
+        { name: 'ip', s: 'ffe3::ff01/32' },
+        { name: 'ip', s: '46db:20af:2b68:4034::871f:0/83' },
+        { name: 'full', s: '1:2:3:4:5:6:7:8/96' },
+        { name: 'many-zeros', s: '0:0:0:1:0:0:0:0/44', to_s: '0:0:0:1::/44' },
+        { name: 'embedded ipv4', s: '::1.2.3.4/96', to_s: '::102:304/96' },
+        { name: 'embedded ipv4', s: 'fe:55::1.2.3.4/96', to_s: 'fe:55::102:304/96' },
+        { name: 'embedded ipv4', s: 'a:b:c:d:e:f:1.2.3.4/128', to_s: 'a:b:c:d:e:f:102:304/128' },
+      ]
+
+      data.each_with_index do |d, i|
+        define_method("test_parse_%02d #{d[:name]}" % i) do
+          assert_instance_of Net6, Net6.parse(d[:s])
+        end
+
+        define_method("test_to_s_%02d #{d[:name]}" % i) do
+          assert_equal (d[:to_s] || d[:s]), Net6.parse(d[:s]).to_s
+        end
+
+        define_method("test_prefixlen_%02d #{d[:name]}" % i) do
+          raise "#{d[:s]} didn't match regex" unless d[:s] =~ /\/(\d+)\z/
+          assert_equal $1.to_i, Net6.parse(d[:s]).prefixlen
+        end
+      end
+    end
+
+    def test_random_roundtrip
+      random = Random.new
+      start = Time.now
+      until Time.now - start > TIMED_TEST_DURATION
+        1000.times do
+          net = Net6.random(random, zeros: true).to_s
+          assert_equal net, Net6.parse(net).to_s
+        end
+      end
+    end
+
+    def test_prefixlen
+      (0..128).each do |i|
+        assert_equal i, Net6.parse("::1/#{i}").prefixlen
+      end
+    end
+
+    class Include < Minitest::Test
+      def setup
+        @net = Net6.parse '1:2:3:4:5:6:7:8/96'
+      end
+
+      def test_includes_ips
+        ['1:2:3:4:5:6:7:9', '1:2:3:4:5:6:99::'].each do |ip|
+          assert_include @net, ip
+        end
+      end
+
+      def test_excludes_ips
+        ['5::', '1:2:3:99::'].each do |ip|
+          refute_include @net, ip
+        end
+      end
+
+      def test_returns_false_with_non_ips_or_nets
+        ['a', /a/, 2].each do |obj|
+          refute_include @net, obj
+        end
+      end
+    end
+  end
+end