Normalize allowlist_policy entries through _parse_address

antoineleclair · claude · antoineleclair · commit 215490614668 · 2026-04-27T20:24:44.000-04:00
The naive frozenset(addresses) form left the policy out of step with
the rest of the cluster module's address-equivalence semantics: a
listed "Example.com:9001" did not match a runtime "example.com:9001",
and a malformed allow-list entry was accepted at construction and
silently rejected every legitimate redirect later.

Parse each entry through _parse_address at construction (raising
ValueError on bad entries) and parse the runtime target the same way
on each call. Result: hostname case-insensitivity flows through;
malformed entries fail loudly at config-load time; malformed runtime
targets return False without crashing the policy.

Bracketed-vs-unbracketed IPv6 is NOT unified — _parse_address rejects
unbracketed IPv6, matching the rest of the client surface, so the
policy follows.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/cluster.py b/src/dqliteclient/cluster.py
@@ -577,17 +577,37 @@ def allowlist_policy(addresses: Iterable[str]) -> RedirectPolicy:
     """Build a redirect policy that accepts only the given addresses.
 
     Useful for the common case: "only allow redirects to hosts I've
-    explicitly seed-listed." Addresses are matched by exact string
-    equality — callers that need CIDR / DNS / wildcard matching should
-    supply their own callable.
-
-    Accepts any iterable (list, set, tuple, generator, dict_keys). The
-    iterable is materialized into a frozen set once, so passing a
-    generator is safe — the returned closure doesn't re-iterate.
+    explicitly seed-listed." Addresses are normalized via
+    :func:`_parse_address` and compared as ``(host, port)`` tuples, so
+    bracketed and unbracketed IPv6 forms (``[::1]:9001`` vs
+    ``::1:9001``) match each other and hostname casing is irrelevant
+    (the parser lower-cases hosts). Callers that need CIDR / DNS /
+    wildcard matching should supply their own callable.
+
+    Each entry is parsed at construction time; a malformed entry
+    raises :class:`ValueError` from ``allowlist_policy`` itself, so
+    typos surface at the operator's config-load site rather than as
+    a silent rejection of a legitimate redirect later. A malformed
+    *runtime* redirect target returns ``False`` (the policy is a
+    safety filter; we do not let a hostile server crash it by
+    sending garbage).
+
+    Accepts any iterable (list, set, tuple, generator, dict_keys).
+    The iterable is materialized into a frozen set once, so passing
+    a generator is safe — the returned closure doesn't re-iterate.
     """
-    allowed = frozenset(addresses)
+    parsed: list[tuple[str, int]] = []
+    for raw in addresses:
+        try:
+            parsed.append(_parse_address(raw))
+        except ValueError as e:
+            raise ValueError(f"allowlist_policy: invalid address {raw!r} ({e})") from None
+    allowed = frozenset(parsed)
 
     def policy(addr: str) -> bool:
-        return addr in allowed
+        try:
+            return _parse_address(addr) in allowed
+        except ValueError:
+            return False
 
     return policy
diff --git a/tests/test_allowlist_policy.py b/tests/test_allowlist_policy.py
@@ -0,0 +1,121 @@
+"""``allowlist_policy`` must use the same address-parsing logic as
+the rest of the cluster module so the equivalence properties of
+:func:`_parse_address` (hostname case-insensitivity, IPv6 bracket
+normalization, port validation) carry through to the redirect
+filter.
+
+The naive ``addr in frozenset(addresses)`` form would reject a
+case-different hostname (``"Example.com:9001"`` vs
+``"example.com:9001"``) and would silently accept malformed
+allow-list entries that no real server could ever produce.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+from dqliteclient.cluster import allowlist_policy
+
+# Hostname casing — `_parse_address` lower-cases the host so callers
+# do not have to think about it. The naive raw-string match did not
+# do this.
+
+
+def test_hostname_case_insensitive() -> None:
+    policy = allowlist_policy(["Example.com:9001"])
+    assert policy("example.com:9001") is True
+    assert policy("EXAMPLE.COM:9001") is True
+
+
+def test_hostname_case_in_listed_entry_normalized() -> None:
+    """Two entries that differ only in case dedupe to one (parser
+    normalizes both)."""
+    policy = allowlist_policy(["example.com:9001", "EXAMPLE.COM:9001"])
+    assert policy("Example.Com:9001") is True
+    assert policy("example.com:9002") is False
+
+
+# IPv4 round-trips
+
+
+def test_ipv4_exact_match() -> None:
+    policy = allowlist_policy(["127.0.0.1:9001"])
+    assert policy("127.0.0.1:9001") is True
+    assert policy("127.0.0.2:9001") is False
+
+
+def test_ipv4_different_port_rejected() -> None:
+    policy = allowlist_policy(["127.0.0.1:9001"])
+    assert policy("127.0.0.1:9002") is False
+
+
+# IPv6 (bracketed only — ``_parse_address`` rejects unbracketed IPv6)
+
+
+def test_ipv6_bracketed_match() -> None:
+    policy = allowlist_policy(["[::1]:9001"])
+    assert policy("[::1]:9001") is True
+
+
+def test_ipv6_different_bracketed_rejected() -> None:
+    policy = allowlist_policy(["[::1]:9001"])
+    assert policy("[::2]:9001") is False
+
+
+# Construction-time validation
+
+
+def test_rejects_malformed_entry_at_construction() -> None:
+    """A malformed allow-list entry raises at construction so the
+    operator's typo surfaces at config-load time, not as a silent
+    rejection of a future legitimate redirect."""
+    with pytest.raises(ValueError):
+        allowlist_policy(["not a valid address"])
+
+
+def test_rejects_unbracketed_ipv6_at_construction() -> None:
+    """Unbracketed IPv6 cannot be parsed unambiguously; reject so
+    the operator must spell it bracketed (matching the wire and the
+    rest of the client surface)."""
+    with pytest.raises(ValueError):
+        allowlist_policy(["::1:9001"])
+
+
+def test_rejects_invalid_port_at_construction() -> None:
+    with pytest.raises(ValueError):
+        allowlist_policy(["host:abc"])
+
+
+# Runtime malformed addresses
+
+
+def test_rejects_malformed_runtime_address() -> None:
+    """A malformed runtime address returns False rather than raising,
+    so a malicious server cannot crash the policy callback by
+    sending garbage in a redirect response."""
+    policy = allowlist_policy(["127.0.0.1:9001"])
+    assert policy("not a valid address") is False
+
+
+def test_rejects_unbracketed_ipv6_runtime() -> None:
+    """A runtime unbracketed IPv6 cannot be parsed; treat as a
+    rejection rather than crashing."""
+    policy = allowlist_policy(["[::1]:9001"])
+    assert policy("::1:9001") is False
+
+
+# Iterable shapes
+
+
+def test_accepts_iterable_input() -> None:
+    """Construction accepts any iterable — list, set, generator,
+    dict_keys."""
+    policy = allowlist_policy(addr for addr in ["[::1]:9001", "127.0.0.1:9001"])
+    assert policy("[::1]:9001") is True
+    assert policy("127.0.0.1:9001") is True
+
+
+def test_empty_allowlist_rejects_all() -> None:
+    policy = allowlist_policy([])
+    assert policy("[::1]:9001") is False
+    assert policy("127.0.0.1:9001") is False
