CLDSRV-623: Perf of checkIp for bucket policy

BourgoisMickael · BourgoisMickael · commit be4f7e2d3632 · 2025-03-17T12:19:10.000+01:00
Move the validateIpRegex function out of the loop
to avoid recreating it multiple time for perf.
diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -1,6 +1,6 @@
 const { evaluators, actionMaps, RequestContext, requestUtils } = require('arsenal').policies;
 const { errorInstances } = require('arsenal');
-const { parseCIDR, isValid } = require('ipaddr.js');
+// const { parseCIDR } = require('ipaddr.js');
 const constants = require('../../../../constants');
 const { config } = require('../../../Config');
 
@@ -494,6 +494,17 @@ function validatePolicyResource(bucketName, policy) {
     });
 }
 
+// Apply the existing IP validation logic to each element
+function validateIpRegex(ip) {
+    if (constants.ipv4Regex.test(ip)) {
+        return ip.split('.').every(part => parseInt(part, 10) <= 255);
+    }
+    if (constants.ipv6Regex.test(ip)) {
+        return ip.split(':').every(part => part.length <= 4);
+    }
+    return false;
+}
+
 function checkIp(value) {
     const errString = 'Invalid IP address in Conditions';
 
@@ -507,6 +518,28 @@ function checkIp(value) {
         // notation (e.g., xxx.xxx.xxx.xxx/xx for IPv4). Otherwise,
         // we would accept different ip formats, which is not
         // standard in an AWS use case.
+        // discard to fix tests ?
+
+        /*
+        As seen in https://scality.atlassian.net/browse/ARSN-477
+        the `isValid` does the same parsing as `parseCIDR` but
+        encapsulate in try catch to return a boolean.
+        The `isValid` in catch is useless and the double try
+        discards completely any error from ipaddr.parseCIDR.
+
+        Meaning in case of invalid ip there will be 2 ipaddr.js parsing,
+        reducing perf for an ignored error.
+
+        Fixing this breaks the tests.
+
+        I'm not even sure of the purpose of using ipaddr.js
+        and using our regex after as our regex seems to be
+        more restrictive.
+
+        ipaddr.js accepts valid ip like:
+            - 0010.0xa5.1.1
+            - ::ffff:222.1.41.900
+
         try {
             try {
                 parseCIDR(values[i]);
@@ -516,17 +549,7 @@ function checkIp(value) {
         } catch (err) {
             return errString;
         }
-
-        // Apply the existing IP validation logic to each element
-        const validateIpRegex = (ip) => {
-            if (constants.ipv4Regex.test(ip)) {
-                return ip.split('.').every(part => parseInt(part, 10) <= 255);
-            }
-            if (constants.ipv6Regex.test(ip)) {
-                return ip.split(':').every(part => part.length <= 4);
-            }
-            return false;
-        };
+        */
 
         if (validateIpRegex(values[i]) !== true) {
             return errString;
