Validate appliance IP addresses from Orchestrator response in HPE Aruba EdgeConnect (#24130)

* Validate appliance IP addresses from Orchestrator response in HPE Aruba EdgeConnect

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add changelog entry for PR #24130

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Use neutral names in non-IP appliance test fixtures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix E2E test setup: use static appliance IP on docker network

The fake appliance now listens on port 443 inside the container and is
assigned a static IP (192.168.200.10) on the docker-compose network.
The orchestrator returns this plain IP, which passes strict
ipaddress.ip_address() validation. The conftest health check uses the
host-exposed port mapping separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Rework E2E appliance setup: DNS resolution, no hardcoded subnet

The fake orchestrator now resolves the appliance IP via Docker DNS
(socket.gethostbyname("dd-appliance")) at request time instead of
reading a hardcoded IP from an env var. The fake appliance listens on
port 443 inside the container so the check connects via standard HTTPS.
Removes the custom network subnet and static IP assignment from
docker-compose.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Use get_container_ip to resolve appliance container IP for E2E tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Remove socket fallback from fake_orch now that APPLIANCE_IP is always set

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Revert to DNS resolution for appliance IP in fake orchestrator

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add recommendation to configure appliance_ips allowlist in README

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Extract appliance IP validation into _parse_appliances method

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: lucia-sb

hpe_aruba_edgeconnect/README.md

@@ -35,6 +35,8 @@ No additional installation is needed on your server.
 
    **Note**: Monitor permissions are enough to collect most metrics. Admin permissions are required to collect the `hpe_aruba_edgeconnect.device.cpu.usage` metric on the appliances. If the configured credentials do not have admin access, the Agent skips this metric, but collects the rest of the metrics.
 
+   It is recommended to configure `appliance_ips` with an explicit include list that matches your known appliance IP ranges. This helps ensure that the check only connects to expected appliances.
+
 2. [Restart the Agent][5].
 
 ### Validation

hpe_aruba_edgeconnect/changelog.d/24130.fixed

@@ -0,0 +1 @@
+Validate appliance IP addresses from Orchestrator response before connecting to appliances.

hpe_aruba_edgeconnect/datadog_checks/hpe_aruba_edgeconnect/check.py

@@ -3,6 +3,7 @@
 # Licensed under a 3-clause BSD style license (see LICENSE)
 from __future__ import annotations
 
+import ipaddress
 import json
 import threading
 from collections.abc import Callable
@@ -111,13 +112,29 @@ def _submit_metadata(
                 "network-devices-metadata",
             )
 
+    def _parse_appliances(self, raw_appliances: list[dict]) -> list[Appliance]:
+        appliances = []
+        for raw in raw_appliances:
+            raw_ip = raw.get('ip', '')
+            try:
+                ipaddress.ip_address(raw_ip)
+            except ValueError:
+                self.log.warning(
+                    "Skipping appliance with non-IP address %r from orchestrator %s",
+                    raw_ip,
+                    self.config.orchestrator_ip,
+                )
+                continue
+            appliances.append(Appliance(raw))
+        return appliances
+
     def _collect_appliances_from_orch(self, client: OrchestratorClient) -> Appliances:
         raw_appliances = client.get_appliances()
         if not raw_appliances:
             self.log.warning("No appliances returned from orchestrator %s", self.config.orchestrator_ip)
             return Appliances([], self.log)
         self.log.debug("Found %d appliances from orchestrator before filtering", len(raw_appliances))
-        all_appliances = [Appliance(a) for a in raw_appliances]
+        all_appliances = self._parse_appliances(raw_appliances)
         self._peer_lookup = {ap.host_name: (ap.ip, ap.site or 'unknown') for ap in all_appliances if ap.host_name}
         appliances = Appliances(all_appliances, self.log)
         appliances.filter(self.config.appliance_ips)

hpe_aruba_edgeconnect/tests/conftest.py

@@ -62,14 +62,13 @@ def dd_environment(instance, dd_save_state):
         orch_port = find_free_port(HOST)
         appliance_port = find_free_port(HOST)
         orch_ip = f'{HOST}:{orch_port}'
-        appliance_ip = f'{HOST}:{appliance_port}'
 
         def _ready():
             ctx = ssl.create_default_context()
             ctx.check_hostname = False
             ctx.verify_mode = ssl.CERT_NONE
             urlopen(f'https://{orch_ip}/health', timeout=2, context=ctx)
-            urlopen(f'https://{appliance_ip}/health', timeout=2, context=ctx)
+            urlopen(f'https://{HOST}:{appliance_port}/health', timeout=2, context=ctx)
 
         inst = instance(
             orch_ip,
@@ -88,7 +87,6 @@ def _ready():
                 'ORCH_PASSWORD': '',
                 'APPLIANCE_USERNAME': 'admin',
                 'APPLIANCE_PASSWORD': '',
-                'APPLIANCE_IP': appliance_ip,
             },
         ):
             yield {'instances': [inst]}

hpe_aruba_edgeconnect/tests/docker/docker-compose.yaml

@@ -9,7 +9,6 @@ services:
     environment:
       ORCH_USERNAME: "${ORCH_USERNAME}"
       ORCH_PASSWORD: "${ORCH_PASSWORD}"
-      APPLIANCE_IP: "${APPLIANCE_IP}"
     restart: "no"
 
   appliance:
@@ -18,7 +17,7 @@ services:
       dockerfile: tests/docker/fake_appliance/Dockerfile
     container_name: dd-appliance
     ports:
-      - "${APPLIANCE_PORT}:8444"
+      - "${APPLIANCE_PORT}:443"
     environment:
       APPLIANCE_USERNAME: "${APPLIANCE_USERNAME}"
       APPLIANCE_PASSWORD: "${APPLIANCE_PASSWORD}"

hpe_aruba_edgeconnect/tests/docker/fake_appliance/Dockerfile

@@ -23,6 +23,6 @@ RUN mkdir -p /app/certs \
 
 COPY tests/docker/fake_appliance/app.py app.py
 
-EXPOSE 8444
+EXPOSE 443
 
 CMD ["python", "app.py"]

hpe_aruba_edgeconnect/tests/docker/fake_appliance/app.py

@@ -190,4 +190,4 @@ def health():
     app.config["start_time"] = time.time()
     ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
     ctx.load_cert_chain(CERT_FILE, KEY_FILE)
-    app.run(host="0.0.0.0", port=8444, ssl_context=ctx)
+    app.run(host="0.0.0.0", port=443, ssl_context=ctx)

hpe_aruba_edgeconnect/tests/docker/fake_orch/app.py

@@ -4,6 +4,7 @@
 """Fake HPE Aruba EdgeConnect orchestrator for E2E tests."""
 
 import os
+import socket
 import ssl
 
 from flask import Flask, jsonify, request
@@ -16,11 +17,14 @@
 ORCH_USERNAME = os.environ.get("ORCH_USERNAME", "admin")
 ORCH_PASSWORD = os.environ.get("ORCH_PASSWORD", "")
 
-APPLIANCE_IP = os.environ.get("APPLIANCE_IP", "172.16.3.21")
 PEER_NEWYORK_IP = "10.0.0.2"
 PEER_SANFRAN_IP = "10.0.0.3"
 
 
+def _appliance_ip():
+    return socket.gethostbyname("dd-appliance")
+
+
 def _appliance(ip, ne_pk, host_name, site, startup_time=None):
     return {
         "id": ne_pk,
@@ -60,13 +64,6 @@ def _appliance(ip, ne_pk, host_name, site, startup_time=None):
     }
 
 
-APPLIANCE_LIST = [
-    _appliance(APPLIANCE_IP, "1.NE", "SydneySP01", "SYD", startup_time=86400),
-    _appliance(PEER_NEWYORK_IP, "4.NE", "NewYorkSP01", "NYC"),
-    _appliance(PEER_SANFRAN_IP, "5.NE", "SanFranSP02", "SFO"),
-]
-
-
 @app.route("/gms/rest/authentication/login", methods=["POST"])
 def login():
     data = request.get_json(silent=True) or {}
@@ -77,7 +74,13 @@ def login():
 
 @app.route("/gms/rest/appliance")
 def appliances():
-    return jsonify(APPLIANCE_LIST)
+    return jsonify(
+        [
+            _appliance(_appliance_ip(), "1.NE", "SydneySP01", "SYD", startup_time=86400),
+            _appliance(PEER_NEWYORK_IP, "4.NE", "NewYorkSP01", "NYC"),
+            _appliance(PEER_SANFRAN_IP, "5.NE", "SanFranSP02", "SFO"),
+        ]
+    )
 
 
 @app.route("/gms/rest/gms/overlays/config")

hpe_aruba_edgeconnect/tests/test_unit.py

@@ -110,6 +110,36 @@ def test_appliances_filter(dd_run_check, aggregator, mocker, instance, ips, filt
     assert monitored_ips == sorted(expected_ips)
 
 
+@pytest.mark.parametrize(
+    'bad_ip',
+    [
+        pytest.param('appliance.example.com', id='hostname'),
+        pytest.param('appliance.example.com:8443', id='host_port'),
+        pytest.param('localhost:9999', id='localhost_port'),
+        pytest.param('', id='empty'),
+    ],
+)
+def test_appliances_with_non_ip_address_are_skipped(dd_run_check, aggregator, mocker, instance, bad_ip):
+    inst = instance('localhost:8443', max_backfill_minutes=10)
+    check = HpeArubaEdgeconnectCheck('hpe_aruba_edgeconnect', {}, [inst])
+
+    payload = [
+        {**APPLIANCE_PAYLOAD[0], 'ip': '10.0.0.1'},
+        {**APPLIANCE_PAYLOAD[0], 'ip': bad_ip, 'hostName': 'invalid-appliance'},
+    ]
+    _setup_mocks(mocker, check, payload, appliance_client=_mock_appliance_client(TGZ_DATA))
+
+    dd_run_check(check)
+
+    monitored_ips = [
+        tag.split(':', 1)[1]
+        for metric in aggregator.metrics(f'{NS}.device.reachability')
+        for tag in metric.tags
+        if tag.startswith('device_ip:')
+    ]
+    assert monitored_ips == ['10.0.0.1']
+
+
 @pytest.mark.parametrize(
     'value, expected',
     [