ZOOKEEPER-4240 IPV6 support in ZooKeeper ACLs

Abhishek Kothalikar · Abhishek Kothalikar · commit 5e799a9cd6de · 2025-07-24T14:41:34.000+05:30
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java
@@ -26,11 +26,18 @@
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.data.Id;
 import org.apache.zookeeper.server.ServerCnxn;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class IPAuthenticationProvider implements AuthenticationProvider {
+    private static final Logger LOG = LoggerFactory.getLogger(IPAuthenticationProvider.class);
     public static final String X_FORWARDED_FOR_HEADER_NAME = "X-Forwarded-For";
 
     public static final String USE_X_FORWARDED_FOR_KEY = "zookeeper.IPAuthenticationProvider.usexforwardedfor";
+    private static final int IPV6_BYTE_LENGTH = 16; // IPv6 address is 128 bits = 16 bytes
+    private static final int IPV6_SEGMENT_COUNT = 8; // IPv6 address has 8 segments
+    private static final int IPV6_SEGMENT_HEX_LENGTH = 4; // Each segment has up to 4 hex digits
+
 
     public String getScheme() {
         return "ip";
@@ -55,9 +62,16 @@ public List<Id> handleAuthentication(HttpServletRequest request, byte[] authData
     // This is a bit weird but we need to return the address and the number of
     // bytes (to distinguish between IPv4 and IPv6
     private byte[] addr2Bytes(String addr) {
-        byte[] b = v4addr2Bytes(addr);
-        // TODO Write the v6addr2Bytes
-        return b;
+        if (addr.contains(":")) {
+            LOG.info("Attempting to parse as IPv6...");
+            return v6addr2Bytes(addr);
+        } else if (addr.contains(".")) {
+            LOG.info("Attempting to parse as IPv4...");
+            return v4addr2Bytes(addr);
+        } else {
+            LOG.info("Input string does not resemble an IPv4 or IPv6 address: {}", addr);
+            return null;
+        }
     }
 
     private byte[] v4addr2Bytes(String addr) {
@@ -81,6 +95,132 @@ private byte[] v4addr2Bytes(String addr) {
         return b;
     }
 
+    /**
+     * Validates an IPv6 address string and converts it into a byte array.
+     *
+     * @param ipv6Addr The IPv6 address string to validate.
+     * @return A byte array representing the IPv6 address if valid, or null if the address
+     * is invalid or cannot be parsed.
+     */
+    public static byte[] v6addr2Bytes(String ipv6Addr) {
+        if (ipv6Addr == null || ipv6Addr.trim().isEmpty()) {
+            LOG.info("Input IPv6 address cannot be null or empty.");
+            return null;
+        }
+
+        // Check for multiple '::' which is invalid
+        if (ipv6Addr.indexOf("::") != ipv6Addr.lastIndexOf("::")) {
+            LOG.info("IPv6 address contains multiple '::' which is invalid: {}", ipv6Addr);
+            return null;
+        }
+
+        // Split the address by "::" to handle zero compression, -1 to keep trailing empty strings
+        String[] parts = ipv6Addr.split("::", -1);
+
+        String[] segments1 = new String[0];
+        String[] segments2 = new String[0];
+
+        // Case 1: No "::" (full address)
+        if (parts.length == 1) {
+            segments1 = parts[0].split(":");
+            if (segments1.length != IPV6_SEGMENT_COUNT) {
+                LOG.info("IPv6 address without '::' must have " + IPV6_SEGMENT_COUNT + " segments: {}", ipv6Addr);
+                return null;
+            }
+        } else if (parts.length == 2) {
+            // Case 2: "::" is present
+            // Handle cases like "::1" or "1::"
+            if (!parts[0].isEmpty()) {
+                segments1 = parts[0].split(":");
+            }
+            if (!parts[1].isEmpty()) {
+                segments2 = parts[1].split(":");
+            }
+
+            // Check if the total number of explicit segments exceeds 8
+            if (segments1.length + segments2.length >= IPV6_SEGMENT_COUNT) {
+                LOG.info("Too many segments in IPv6 address with '::': {}", ipv6Addr);
+                return null;
+            }
+        } else {
+            // Case 3: Invalid number of parts after splitting by "::" (should be 1 or 2)
+            LOG.info("Invalid IPv6 address format (unexpected '::' split result):  {}", ipv6Addr);
+            return null;
+        }
+
+        List<Byte> byteList = new ArrayList<>();
+
+        try {
+            // Process segments before "::"
+            for (String segment : segments1) {
+                if (isInvalidSegment(segment)) {
+                    LOG.info("Invalid IPv6 segment: '{}' in address:  {}", segment, ipv6Addr);
+                    return null;
+                }
+                int value = Integer.parseInt(segment, 16);
+                byteList.add((byte) ((value >> 8) & 0xFF));
+                byteList.add((byte) (value & 0xFF));
+            }
+
+            // Add zero segments for "::" compression
+            int missingSegments = IPV6_SEGMENT_COUNT - (segments1.length + segments2.length);
+            for (int i = 0; i < missingSegments; i++) {
+                byteList.add((byte) 0x00);
+                byteList.add((byte) 0x00);
+            }
+
+            // Process segments after "::"
+            for (String segment : segments2) {
+                if (isInvalidSegment(segment)) {
+                    LOG.info("Invalid IPv6 segment: '{}' in address:  {}", segment, ipv6Addr);
+                    return null;
+                }
+                int value = Integer.parseInt(segment, 16);
+                byteList.add((byte) ((value >> 8) & 0xFF));
+                byteList.add((byte) (value & 0xFF));
+            }
+
+        } catch (NumberFormatException e) {
+            // 3. Catch NumberFormatException if String cannot be parsed
+            LOG.info("Invalid hexadecimal format in IPv6 address: {} - {}", ipv6Addr, e.getMessage());
+            return null;
+        }
+
+        // 4. Return null if address in out of bounds (i.e., not exactly 16 bytes)
+        if (byteList.size() != IPV6_BYTE_LENGTH) {
+            LOG.info("Parsed IPv6 address byte length is incorrect. Expected " + IPV6_BYTE_LENGTH + ", got {}: {}", byteList.size(), ipv6Addr);
+            return null;
+        }
+
+        // Convert List<Byte> to byte[]
+        byte[] result = new byte[IPV6_BYTE_LENGTH];
+        for (int i = 0; i < byteList.size(); i++) {
+            result[i] = byteList.get(i);
+        }
+
+        return result;
+    }
+
+    /**
+     * Checks if a single IPv6 segment is valid.
+     * A valid segment is a non-empty string of 1 to 4 hexadecimal characters.
+     *
+     * @param segment The segment string to validate.
+     * @return true if the segment is valid, false otherwise.
+     */
+    private static boolean isInvalidSegment(String segment) {
+        if (segment == null || segment.isEmpty() || segment.length() > IPV6_SEGMENT_HEX_LENGTH) {
+            return true;
+        }
+        // Check if all characters are valid hexadecimal digits
+        for (char c : segment.toCharArray()) {
+            if (!Character.isDigit(c) && (c < 'a' || c > 'f') && (c < 'A' || c > 'F')) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     private void mask(byte[] b, int bits) {
         int start = bits / 8;
         int startMask = (1 << (8 - (bits % 8))) - 1;
@@ -93,6 +233,7 @@ private void mask(byte[] b, int bits) {
     }
 
     public boolean matches(String id, String aclExpr) {
+        LOG.trace("id: '{}' aclExpr:  {}", id, aclExpr);
         String[] parts = aclExpr.split("/", 2);
         byte[] aclAddr = addr2Bytes(parts[0]);
         if (aclAddr == null) {
@@ -112,11 +253,13 @@ public boolean matches(String id, String aclExpr) {
         mask(aclAddr, bits);
         byte[] remoteAddr = addr2Bytes(id);
         if (remoteAddr == null) {
+            LOG.info("Address is null");
             return false;
         }
         mask(remoteAddr, bits);
         for (int i = 0; i < remoteAddr.length; i++) {
             if (remoteAddr[i] != aclAddr[i]) {
+                LOG.info("ACL Expr and id are not identical");
                 return false;
             }
         }
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/test/ACLTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/test/ACLTest.java
@@ -69,6 +69,38 @@ public void testIPAuthenticationIsValidCIDR() throws Exception {
         assertFalse(prov.isValid("10.0.0.1/-1"), "testing netmask too low");
     }
 
+    @Test
+    public void testIPAuthenticationIsValidIpv6CIDR() throws Exception {
+        IPAuthenticationProvider prov = new IPAuthenticationProvider();
+        assertTrue(prov.isValid("2001:0db8:85a3:0000:0000:8a2e:0370:7334"), "full address no netmask");
+        assertTrue(prov.isValid("2001:db8:85a3::8a2e:370:7334"), "compressed zeros");
+        assertTrue(prov.isValid("::1"), "loopback with compression");
+        assertTrue(prov.isValid("1::"), "Start with compression");
+        assertTrue(prov.isValid("2001:db8::/4"), "end with compression");
+        assertTrue(prov.isValid("0:0:0:0:0:0:0::/8"), "all zeros");
+        assertTrue(prov.isValid("2001:db8:85a3:0:0:0:0::/32"), "Explicit zeros");
+        assertTrue(prov.isValid("1234:5678:9abc:def0:1234:5678:9abc:def0"), "max hex value");
+        assertFalse(prov.isValid("2001:db8:85a3:0000:0000:8a2e:0370:7334:extra"), "too many address segments");
+        assertFalse(prov.isValid("2001:db8:85a3:0000:0000:8a2e:0370"), "too few address segments");
+        assertFalse(prov.isValid("2001:db8:85a3::8a2e::0370:7334"), "multiple '::' not valid");
+        assertFalse(prov.isValid("2001:db8:85a3:G::8a2e:0370:7334"), "Invalid hex character");
+        assertFalse(prov.isValid(""), "empty string");
+        assertFalse(prov.isValid("2001:db8:85a3:0:0:0:0:1:2"), "too many segments post compression");
+        assertTrue(prov.isValid("2001:db8:85a3::8a2e:0370:7334:"), "trailing colon");
+        assertFalse(prov.isValid(":2001:db8:85a3::8a2e:0370:7334"), "Leading colon");
+        assertFalse(prov.isValid("::FFFF:192.168.1.1"), "IPv4-mapped");
+        assertTrue(prov.isValid("2001:db8:1234::/64"), "IPv6 address for multiple clients");
+    }
+
+    @Test
+    public void testIPAuthenticationIsValidIpv6Mask() throws Exception {
+        IPAuthenticationProvider prov = new IPAuthenticationProvider();
+        assertTrue(prov.matches("2001:db8:1234::", "2001:db8:1234::/64"));
+        assertTrue  (prov.matches("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:0db8:85a3:0000:0000:8a2e:0370::/2"));
+        assertFalse(prov.matches("22001:db8:85a3:0:0:0:0::0", "2001:db8:85a3:0:0:0:0::/32"));
+        assertFalse(prov.matches("2001:db8::/4", "2001:db8::/4"));
+    }
+
     @Test
     public void testNettyIpAuthDefault(@TempDir File tmpDir) throws Exception {
         String HOSTPORT = "127.0.0.1:" + PortAssignment.unique();
