Resolve trusted proxy host names to all available A/AAAA records

ahus1 · ahus1 · commit 51166ddc3ee0 · 2025-02-18T11:32:31.000+01:00
Closes #42782 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/ForwardedProxyHandler.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/ForwardedProxyHandler.java
@@ -2,20 +2,28 @@
 
 import static io.quarkus.vertx.http.runtime.TrustedProxyCheck.denyAll;
 
+import java.net.Inet4Address;
+import java.net.Inet6Address;
 import java.net.InetAddress;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 
 import org.jboss.logging.Logger;
 
 import io.smallrye.common.net.Inet;
-import io.vertx.core.AsyncResult;
+import io.vertx.core.Future;
 import io.vertx.core.Handler;
 import io.vertx.core.Vertx;
 import io.vertx.core.dns.DnsClient;
 import io.vertx.core.http.HttpServerRequest;
+import io.vertx.core.net.SocketAddress;
 import io.vertx.core.net.impl.SocketAddressImpl;
 
 /**
@@ -75,30 +83,28 @@ private void lookupHostNamesAndHandleRequest(HttpServerRequest event,
             // we do not cache result as IP address may change, and we advise users to use IP or CIDR
             final var entry = iterator.next();
             final String hostName = entry.getKey();
-            dnsClient.lookup(hostName,
-                    new Handler<AsyncResult<String>>() {
-                        @Override
-                        public void handle(AsyncResult<String> stringAsyncResult) {
-                            if (stringAsyncResult.succeeded() && stringAsyncResult.result() != null) {
-                                var trustedIP = Inet.parseInetAddress(stringAsyncResult.result());
-                                if (trustedIP != null) {
-                                    // create proxy check for resolved IP and proceed with the lookup
-                                    lookupHostNamesAndHandleRequest(event, iterator,
-                                            builder.withTrustedIP(trustedIP, entry.getValue()), dnsClient);
-                                } else {
-                                    logInvalidIpAddress(hostName);
-                                    // ignore this hostname proxy check and proceed with the lookup
-                                    lookupHostNamesAndHandleRequest(event, iterator, builder, dnsClient);
-                                }
-                            } else {
-                                // inform we can't cope without IP
-                                logDnsLookupFailure(hostName);
-                                // ignore this hostname proxy check and proceed with the lookup
-                                lookupHostNamesAndHandleRequest(event, iterator, builder, dnsClient);
-                            }
-                        }
 
-                    });
+            resolveHostNameToAllIpAddresses(dnsClient, hostName, event.remoteAddress(), results -> {
+                if (!results.isEmpty()) {
+                    Set<InetAddress> trustedIPs = results.stream().map(Inet::parseInetAddress).filter(Objects::nonNull)
+                            .collect(Collectors.toSet());
+                    if (!trustedIPs.isEmpty()) {
+                        // create proxy check for resolved IP and proceed with the lookup
+                        lookupHostNamesAndHandleRequest(event, iterator,
+                                builder.withTrustedIP(trustedIPs, entry.getValue()), dnsClient);
+                    } else {
+                        logInvalidIpAddress(hostName);
+                        // ignore this hostname proxy check and proceed with the lookup
+                        lookupHostNamesAndHandleRequest(event, iterator, builder, dnsClient);
+                    }
+                } else {
+                    // inform we can't cope without IP
+                    logDnsLookupFailure(hostName);
+                    // ignore this hostname proxy check and proceed with the lookup
+                    lookupHostNamesAndHandleRequest(event, iterator, builder, dnsClient);
+                }
+            });
+
         } else {
             // DNS lookup is done
             if (builder.hasProxyChecks()) {
@@ -110,6 +116,38 @@ public void handle(AsyncResult<String> stringAsyncResult) {
         }
     }
 
+    private void resolveHostNameToAllIpAddresses(DnsClient dnsClient, String hostName, SocketAddress callersSocketAddress,
+            Handler<Collection<String>> handler) {
+        ArrayList<Future<List<String>>> results = new ArrayList<>();
+        InetAddress proxyIP = null;
+        if (callersSocketAddress != null) {
+            proxyIP = ((SocketAddressImpl) callersSocketAddress).ipAddress();
+        }
+        // Match the lookup with the address type of the caller
+        if (proxyIP == null || proxyIP instanceof Inet4Address) {
+            results.add(dnsClient.resolveA(hostName));
+        }
+        if (proxyIP == null || proxyIP instanceof Inet6Address) {
+            results.add(dnsClient.resolveAAAA(hostName));
+        }
+        processFutures(results, new ArrayList<>(), handler);
+    }
+
+    private void processFutures(ArrayList<Future<List<String>>> future, Collection<String> results,
+            Handler<Collection<String>> handler) {
+        if (!future.isEmpty()) {
+            Future<List<String>> poll = future.remove(0);
+            poll.onComplete(result -> {
+                if (result.succeeded() && result.result() != null) {
+                    results.addAll(result.result());
+                }
+                processFutures(future, results, handler);
+            });
+        } else {
+            handler.handle(results);
+        }
+    }
+
     private void resolveProxyIpAndHandleRequest(HttpServerRequest event,
             TrustedProxyCheck.TrustedProxyCheckBuilder builder) {
         InetAddress proxyIP = ((SocketAddressImpl) event.remoteAddress()).ipAddress();
@@ -121,28 +159,26 @@ private void resolveProxyIpAndHandleRequest(HttpServerRequest event,
         if (proxyIP == null) {
             // perform DNS lookup, then create proxy check and handle request
             final String hostName = Objects.requireNonNull(event.remoteAddress().hostName());
-            vertx.get().createDnsClient().lookup(hostName,
-                    new Handler<AsyncResult<String>>() {
-                        @Override
-                        public void handle(AsyncResult<String> stringAsyncResult) {
-                            TrustedProxyCheck proxyCheck;
-                            if (stringAsyncResult.succeeded()) {
-                                // use resolved IP to build proxy check
-                                final var proxyIP = Inet.parseInetAddress(stringAsyncResult.result());
-                                if (proxyIP != null) {
-                                    proxyCheck = builder.build(proxyIP, event.remoteAddress().port());
-                                } else {
-                                    logInvalidIpAddress(hostName);
-                                    proxyCheck = denyAll();
-                                }
+            resolveHostNameToAllIpAddresses(vertx.get().createDnsClient(), hostName, null,
+                    results -> {
+                        TrustedProxyCheck proxyCheck;
+                        if (!results.isEmpty()) {
+                            // use resolved IP to build proxy check
+                            Set<InetAddress> proxyIPs = results.stream().map(Inet::parseInetAddress).filter(Objects::nonNull)
+                                    .collect(Collectors.toSet());
+                            if (!proxyIPs.isEmpty()) {
+                                proxyCheck = builder.build(proxyIPs, event.remoteAddress().port());
                             } else {
-                                // we can't cope without IP => ignore headers
-                                logDnsLookupFailure(hostName);
+                                logInvalidIpAddress(hostName);
                                 proxyCheck = denyAll();
                             }
-
-                            handleForwardedServerRequest(event, proxyCheck);
+                        } else {
+                            // we can't cope without IP => ignore headers
+                            logDnsLookupFailure(hostName);
+                            proxyCheck = denyAll();
                         }
+
+                        handleForwardedServerRequest(event, proxyCheck);
                     });
         } else {
             // we have proxy IP => create proxy check and handle request
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/TrustedProxyCheck.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/TrustedProxyCheck.java
@@ -2,6 +2,7 @@
 
 import java.net.InetAddress;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -62,7 +63,7 @@ static TrustedProxyCheckBuilder builder(List<TrustedProxyCheckPart> parts) {
             return new TrustedProxyCheckBuilder(hostNameToPort, proxyChecks);
         }
 
-        TrustedProxyCheckBuilder withTrustedIP(InetAddress trustedIP, int trustedPort) {
+        TrustedProxyCheckBuilder withTrustedIP(Collection<InetAddress> trustedIP, int trustedPort) {
             final List<BiPredicate<InetAddress, Integer>> proxyChecks = new ArrayList<>(this.proxyChecks);
             proxyChecks.add(createNewIpCheck(trustedIP, trustedPort));
             return new TrustedProxyCheckBuilder(null, proxyChecks);
@@ -87,6 +88,20 @@ public boolean isProxyAllowed() {
             };
         }
 
+        TrustedProxyCheck build(Collection<InetAddress> proxyIPs, int proxyPort) {
+            Objects.requireNonNull(proxyIPs);
+            return () -> {
+                for (BiPredicate<InetAddress, Integer> proxyCheck : proxyChecks) {
+                    for (InetAddress proxyIP : proxyIPs) {
+                        if (proxyCheck.test(proxyIP, proxyPort)) {
+                            return true;
+                        }
+                    }
+                }
+                return false;
+            };
+        }
+
         boolean hasHostNames() {
             return hasHostNames(this.hostNameToPort);
         }
@@ -115,6 +130,20 @@ private boolean isPortOk(int port) {
         };
     }
 
+    static BiPredicate<InetAddress, Integer> createNewIpCheck(Collection<InetAddress> trustedIP, int trustedPort) {
+        final boolean doNotCheckPort = trustedPort == 0;
+        return new BiPredicate<>() {
+            @Override
+            public boolean test(InetAddress proxyIP, Integer proxyPort) {
+                return isPortOk(proxyPort) && trustedIP.contains(proxyIP);
+            }
+
+            private boolean isPortOk(int port) {
+                return doNotCheckPort || port == trustedPort;
+            }
+        };
+    }
+
     final class TrustedProxyCheckPart {
 
         final BiPredicate<InetAddress, Integer> proxyCheck;
