introduce IAccessRule to allow access to NodeBase to be configured using with IServiceCollection

Author: smdn

src/Smdn.Net.MuninNode/Smdn.Net.MuninNode/IAccessRule.cs

@@ -0,0 +1,9 @@
+// SPDX-FileCopyrightText: 2024 smdn <smdn@smdn.jp>
+// SPDX-License-Identifier: MIT
+using System.Net;
+
+namespace Smdn.Net.MuninNode;
+
+public interface IAccessRule {
+  bool IsAcceptable(IPEndPoint remoteEndPoint);
+}

src/Smdn.Net.MuninNode/Smdn.Net.MuninNode/IAccessRuleServiceCollectionExtensions.cs

@@ -0,0 +1,77 @@
+// SPDX-FileCopyrightText: 2024 smdn <smdn@smdn.jp>
+// SPDX-License-Identifier: MIT
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Sockets;
+
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Smdn.Net.MuninNode;
+
+public static class IAccessRuleServiceCollectionExtensions {
+  internal class AddressListAccessRule : IAccessRule {
+    private readonly IReadOnlyList<IPAddress> addressListAllowFrom;
+
+    public AddressListAccessRule(IReadOnlyList<IPAddress> addressListAllowFrom)
+    {
+      this.addressListAllowFrom = addressListAllowFrom ?? throw new ArgumentNullException(nameof(addressListAllowFrom));
+    }
+
+    public bool IsAcceptable(IPEndPoint remoteEndPoint)
+    {
+      if (remoteEndPoint is null)
+        throw new ArgumentNullException(nameof(remoteEndPoint));
+
+      var remoteAddress = remoteEndPoint.Address;
+
+      foreach (var addressAllowFrom in addressListAllowFrom) {
+        if (addressAllowFrom.AddressFamily == AddressFamily.InterNetwork) {
+          // test for client acceptability by IPv4 address
+          if (remoteAddress.IsIPv4MappedToIPv6)
+            remoteAddress = remoteAddress.MapToIPv4();
+        }
+
+        if (addressAllowFrom.Equals(remoteAddress))
+          return true;
+      }
+
+      return false;
+    }
+  }
+
+  /// <param name="services">The <see cref="IServiceCollection"/> to add services to.</param>
+  /// <param name="addressListAllowFrom">The <see cref="IReadOnlyList{IPAddress}"/> indicates the read-only list of addresses allowed to access <see cref="NodeBase"/>.</param>
+  public static IServiceCollection AddMuninNodeAccessRule(
+    this IServiceCollection services,
+    IReadOnlyList<IPAddress> addressListAllowFrom
+  )
+    => AddMuninNodeAccessRule(
+      services: services ?? throw new ArgumentNullException(nameof(services)),
+      accessRule: new AddressListAccessRule(
+        addressListAllowFrom: addressListAllowFrom ?? throw new ArgumentNullException(nameof(addressListAllowFrom))
+      )
+    );
+
+  /// <param name="services">The <see cref="IServiceCollection"/> to add services to.</param>
+  /// <param name="accessRule">The <see cref="IAccessRule"/> which defines access rules to <see cref="NodeBase"/>.</param>
+  public static IServiceCollection AddMuninNodeAccessRule(
+    this IServiceCollection services,
+    IAccessRule accessRule
+  )
+  {
+#pragma warning disable CA1510
+    if (services is null)
+      throw new ArgumentNullException(nameof(services));
+    if (accessRule is null)
+      throw new ArgumentNullException(nameof(accessRule));
+#pragma warning restore CA1510
+
+    services.TryAdd(
+      ServiceDescriptor.Singleton(typeof(IAccessRule), accessRule)
+    );
+
+    return services;
+  }
+}

src/Smdn.Net.MuninNode/Smdn.Net.MuninNode/LocalNode.Create.cs

@@ -37,6 +37,7 @@ public ConcreteLocalNode(
       IServiceProvider? serviceProvider = null
     )
       : base(
+        accessRule: serviceProvider?.GetService<IAccessRule>(),
         logger: serviceProvider?.GetService<ILoggerFactory>()?.CreateLogger<LocalNode>()
       )
     {

src/Smdn.Net.MuninNode/Smdn.Net.MuninNode/LocalNode.cs

@@ -17,13 +17,18 @@ public abstract partial class LocalNode : NodeBase {
   /// <summary>
   /// Initializes a new instance of the <see cref="LocalNode"/> class.
   /// </summary>
+  /// <param name="accessRule">
+  /// The <see cref="IAccessRule"/> to determine whether to accept or reject a remote host that connects to <see cref="LocalNode"/>.
+  /// </param>
   /// <param name="logger">
   /// The <see cref="ILogger"/> to report the situation.
   /// </param>
   protected LocalNode(
+    IAccessRule? accessRule,
     ILogger? logger = null
   )
     : base(
+      accessRule: accessRule,
       logger: logger
     )
   {
@@ -77,9 +82,4 @@ protected override Socket CreateServerSocket()
       throw;
     }
   }
-
-  protected override bool IsClientAcceptable(IPEndPoint remoteEndPoint)
-    => IPAddress.IsLoopback(
-      (remoteEndPoint ?? throw new ArgumentNullException(nameof(remoteEndPoint))).Address
-    );
 }

src/Smdn.Net.MuninNode/Smdn.Net.MuninNode/NodeBase.cs

@@ -40,14 +40,18 @@ public abstract class NodeBase : IDisposable, IAsyncDisposable {
 
   protected ILogger? Logger { get; }
 
+  private readonly IAccessRule? accessRule;
+
   private Socket? server;
 
   public EndPoint LocalEndPoint => server?.LocalEndPoint ?? throw new InvalidOperationException("not yet bound or already disposed");
 
   protected NodeBase(
+    IAccessRule? accessRule,
     ILogger? logger
   )
   {
+    this.accessRule = accessRule;
     Logger = logger;
   }
 
@@ -131,8 +135,6 @@ public void Start()
     Logger?.LogInformation("started (end point: {LocalEndPoint})", server.LocalEndPoint);
   }
 
-  protected abstract bool IsClientAcceptable(IPEndPoint remoteEndPoint);
-
   /// <summary>
   /// Starts accepting multiple sessions.
   /// The <see cref="ValueTask" /> this method returns will never complete unless the cancellation requested by the <paramref name="cancellationToken" />.
@@ -211,7 +213,7 @@ public async ValueTask AcceptSingleSessionAsync(
         return;
       }
 
-      if (!IsClientAcceptable(remoteEndPoint)) {
+      if (accessRule is not null && !accessRule.IsAcceptable(remoteEndPoint)) {
         Logger?.LogWarning("access refused: {RemoteEndPoint}", remoteEndPoint);
         return;
       }

tests/Smdn.Net.MuninNode/Smdn.Net.MuninNode.Tests.csproj

@@ -12,4 +12,8 @@ SPDX-License-Identifier: MIT
     <TargetFrameworks Condition=" '$(EnableTargetFrameworkDotNet60)' == 'true' ">net6.0;$(TargetFrameworks)</TargetFrameworks>
     <TargetFrameworks Condition=" '$(EnableTargetFrameworkNetFx)' == 'true' ">$(TargetFrameworks)</TargetFrameworks>
   </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.*" />
+  </ItemGroup>
 </Project>

tests/Smdn.Net.MuninNode/Smdn.Net.MuninNode/IAccessRuleServiceCollectionExtensions.cs

@@ -0,0 +1,52 @@
+// SPDX-FileCopyrightText: 2024 smdn <smdn@smdn.jp>
+// SPDX-License-Identifier: MIT
+using System;
+using System.Collections.Generic;
+using System.Net;
+
+using Microsoft.Extensions.DependencyInjection;
+
+using NUnit.Framework;
+
+namespace Smdn.Net.MuninNode;
+
+[TestFixture]
+public class IAccessRuleServiceCollectionExtensionsTests {
+  [Test]
+  public void AddMuninNodeAccessRule_TryAddMultiple()
+  {
+    var services = new ServiceCollection();
+
+    services.AddMuninNodeAccessRule([IPAddress.Any]);
+
+    var firstAccessRule = services.BuildServiceProvider().GetRequiredService<IAccessRule>();
+
+    Assert.That(firstAccessRule, Is.Not.Null, nameof(firstAccessRule));
+
+    services.AddMuninNodeAccessRule([IPAddress.Any]);
+
+    var secondAccessRule = services.BuildServiceProvider().GetRequiredService<IAccessRule>();
+
+    Assert.That(secondAccessRule, Is.SameAs(firstAccessRule), nameof(secondAccessRule));
+  }
+
+  [Test]
+  public void AddMuninNodeAccessRule_IReadOnlyListOfIPAddress_ArgumentNull()
+  {
+    var services = new ServiceCollection();
+
+    Assert.Throws<ArgumentNullException>(
+      () => services.AddMuninNodeAccessRule((IReadOnlyList<IPAddress>)null!)
+    );
+  }
+
+  [Test]
+  public void AddMuninNodeAccessRule_IAccessRule_ArgumentNull()
+  {
+    var services = new ServiceCollection();
+
+    Assert.Throws<ArgumentNullException>(
+      () => services.AddMuninNodeAccessRule((IAccessRule)null!)
+    );
+  }
+}

tests/Smdn.Net.MuninNode/Smdn.Net.MuninNode/NodeBase.cs

@@ -31,9 +31,11 @@ public ReadOnlyCollectionPluginProvider(IReadOnlyCollection<IPlugin> plugins)
     public override string HostName => "test.munin-node.localhost";
 
     public TestLocalNode(
+      IAccessRule? accessRule,
       IReadOnlyList<IPlugin> plugins
     )
       : base(
+        accessRule: accessRule,
         logger: null
       )
     {
@@ -53,10 +55,16 @@ protected override EndPoint GetLocalEndPointToBind()
   }
 
   private static NodeBase CreateNode()
-    => CreateNode(plugins: Array.Empty<IPlugin>());
+    => CreateNode(accessRule: null, plugins: Array.Empty<IPlugin>());
+
+  private static NodeBase CreateNode(IAccessRule? accessRule)
+    => CreateNode(accessRule: accessRule, plugins: Array.Empty<IPlugin>());
 
   private static NodeBase CreateNode(IReadOnlyList<IPlugin> plugins)
-    => new TestLocalNode(plugins);
+    => CreateNode(accessRule: null, plugins: plugins);
+
+  private static NodeBase CreateNode(IAccessRule? accessRule, IReadOnlyList<IPlugin> plugins)
+    => new TestLocalNode(accessRule, plugins);
 
   private static TcpClient CreateClient(
     IPEndPoint endPoint,
@@ -79,14 +87,29 @@ out StreamReader reader
   private static Task StartSession(
     Func<NodeBase, TcpClient, StreamWriter, StreamReader, CancellationToken, Task> action
   )
-    => StartSession(plugins: Array.Empty<IPlugin>(), action: action);
+    => StartSession(
+      accessRule: null,
+      plugins: Array.Empty<IPlugin>(),
+      action: action
+    );
+
+  private static Task StartSession(
+    IReadOnlyList<IPlugin> plugins,
+    Func<NodeBase, TcpClient, StreamWriter, StreamReader, CancellationToken, Task> action
+  )
+    => StartSession(
+      accessRule: null,
+      plugins: plugins,
+      action: action
+    );
 
   private static async Task StartSession(
+    IAccessRule? accessRule,
     IReadOnlyList<IPlugin> plugins,
     Func<NodeBase, TcpClient, StreamWriter, StreamReader, CancellationToken, Task> action
   )
   {
-    await using var node = CreateNode(plugins);
+    await using var node = CreateNode(accessRule, plugins);
 
     node.Start();
 
@@ -204,6 +227,66 @@ public async Task AcceptSingleSessionAsync_ClientDisconnected_WhileAwaitingComma
     Assert.DoesNotThrowAsync(async () => await taskAccept);
   }
 
+  private sealed class AcceptAllAccessRule : IAccessRule {
+    public bool IsAcceptable(IPEndPoint remoteEndPoint) => true;
+  }
+
+  [Test]
+  public async Task AcceptSingleSessionAsync_IAccessRule_AccessGranted()
+  {
+    await StartSession(
+      accessRule: new AcceptAllAccessRule(),
+      plugins: Array.Empty<IPlugin>(),
+      async static (node, client, writer, reader, cancellationToken
+    ) => {
+      await writer.WriteLineAsync("command", cancellationToken);
+      await writer.FlushAsync(cancellationToken);
+
+      Assert.That(
+        await reader.ReadLineAsync(cancellationToken),
+        Is.Not.Null,
+        "line #1"
+      );
+
+      var connected = !(
+        client.Client.Poll(1 /*microsecs*/, SelectMode.SelectRead) &&
+        client.Client.Available == 0
+      );
+
+      Assert.That(connected, Is.True);
+    });
+  }
+
+  private sealed class RefuseAllAccessRule : IAccessRule {
+    public bool IsAcceptable(IPEndPoint remoteEndPoint) => false;
+  }
+
+  [Test]
+  public async Task AcceptSingleSessionAsync_IAccessRule_AccessRefused()
+  {
+    await StartSession(
+      accessRule: new RefuseAllAccessRule(),
+      plugins: Array.Empty<IPlugin>(),
+      async static (node, client, writer, reader, cancellationToken
+    ) => {
+      await writer.WriteLineAsync(".", cancellationToken);
+      await writer.FlushAsync(cancellationToken);
+
+      Assert.That(
+        await reader.ReadLineAsync(cancellationToken),
+        Is.Null,
+        "line #1"
+      );
+
+      var connected = !(
+        client.Client.Poll(1 /*microsecs*/, SelectMode.SelectRead) &&
+        client.Client.Available == 0
+      );
+
+      Assert.That(connected, Is.False);
+    });
+  }
+
   private class PseudoPluginWithSessionCallback : IPlugin, INodeSessionCallback {
     public string Name => throw new NotImplementedException();
     public PluginGraphAttributes GraphAttributes => throw new NotImplementedException();