feat: Implement IP range checking with caching (main)

Adds functions to check if an IP address is within a set of CIDR
ranges. Includes caching for improved performance.  Uses a LRU
cache with an expiration time to store results.  Adds tests for
IP range checking and cache behavior.

Author: JasonLovesDoggo

Diff for: go.mod

@@ -4,6 +4,8 @@ go 1.23
 
 require (
 	github.com/caddyserver/caddy/v2 v2.9.1
+	github.com/hashicorp/golang-lru/v2 v2.0.7
+	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 )
 
@@ -27,6 +29,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgraph-io/badger v1.6.2 // indirect
 	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
 	github.com/dgraph-io/ristretto v0.1.0 // indirect
@@ -80,6 +83,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/pires/go-proxyproto v0.7.1-0.20240628150027-b718e7ce4964 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.48.0 // indirect

Diff for: go.sum

@@ -243,6 +243,8 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:Fecb
 github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=

Diff for: utils/ip.go

@@ -2,14 +2,27 @@ package utils
 
 import (
 	"fmt"
+	"github.com/hashicorp/golang-lru/v2/expirable"
 	"github.com/jasonlovesdoggo/caddy-defender/ranges/data"
 	"go.uber.org/zap"
 	"net"
+	"time"
 )
 
-// IPInRanges checks if the given IP is within any of the provided CIDR ranges.
-// It returns true if the IP is in any of the ranges, false otherwise.
-func IPInRanges(clientIP net.IP, cidrRanges []string, log *zap.Logger) bool {
+const MaxKeys = 10000
+
+var cache = expirable.NewLRU[string, bool](MaxKeys, nil, time.Minute*10)
+
+// normalizeIP converts an IP to its normalized string representation.
+func normalizeIP(ip net.IP) string {
+	if v4 := ip.To4(); v4 != nil {
+		return v4.String()
+	}
+	return ip.String()
+}
+
+// rawIPInRanges checks if the given IP is in the given CIDR ranges without using the cache.
+func rawIPInRanges(clientIP net.IP, cidrRanges []string, log *zap.Logger) bool {
 	for _, cidr := range cidrRanges {
 		// If the range is a predefined key (e.g., "openai"), use the corresponding CIDRs
 		if ranges, ok := data.IPRanges[cidr]; ok {
@@ -37,3 +50,23 @@ func IPInRanges(clientIP net.IP, cidrRanges []string, log *zap.Logger) bool {
 	}
 	return false
 }
+
+// IPInRanges checks if the given IP is within any of the provided CIDR ranges.
+// It returns true if the IP is in any of the ranges, false otherwise.
+func IPInRanges(clientIP net.IP, cidrRanges []string, log *zap.Logger) bool {
+	// Normalize the IP for consistent cache keys
+	cacheKey := normalizeIP(clientIP)
+
+	// Check the cache first
+	if val, ok := cache.Get(cacheKey); ok {
+		return val
+	}
+
+	// If not in the cache, check the ranges
+	inRanges := rawIPInRanges(clientIP, cidrRanges, log)
+
+	// Add the result to the cache
+	cache.Add(cacheKey, inRanges)
+
+	return inRanges
+}

Diff for: utils/ip_test.go

@@ -0,0 +1,164 @@
+package utils
+
+import (
+	"github.com/hashicorp/golang-lru/v2/expirable"
+	"github.com/jasonlovesdoggo/caddy-defender/ranges/data"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+)
+
+// Test data
+var (
+	validCIDRs = []string{
+		"192.168.1.0/24",
+		"10.0.0.0/8",
+		"2001:db8::/32",
+	}
+	invalidCIDRs = []string{
+		"invalid-cidr",
+		"192.168.1.0/33", // Invalid subnet mask
+	}
+	predefinedCIDRs = map[string][]string{
+		"openai": {
+			"203.0.113.0/24",
+			"2001:db8:1::/48",
+		},
+	}
+)
+
+// Mock logger for testing
+var testLogger = zap.NewNop()
+
+// TestRawIPInRanges tests the rawIPInRanges function.
+func TestRawIPInRanges(t *testing.T) {
+	tests := []struct {
+		name       string
+		ip         string
+		cidrRanges []string
+		expected   bool
+	}{
+		{
+			name:       "IPv4 in range",
+			ip:         "192.168.1.100",
+			cidrRanges: validCIDRs,
+			expected:   true,
+		},
+		{
+			name:       "IPv4 not in range",
+			ip:         "192.168.2.100",
+			cidrRanges: validCIDRs,
+			expected:   false,
+		},
+		{
+			name:       "IPv6 in range",
+			ip:         "2001:db8::1",
+			cidrRanges: validCIDRs,
+			expected:   true,
+		},
+		{
+			name:       "IPv6 not in range",
+			ip:         "2001:db8:1::1",
+			cidrRanges: []string{"2001:db8::/48"}, // Narrower range
+			expected:   false,
+		},
+		{
+			name:       "Invalid CIDR",
+			ip:         "192.168.1.100",
+			cidrRanges: invalidCIDRs,
+			expected:   false,
+		},
+		{
+			name:       "Predefined CIDR (IPv4)",
+			ip:         "203.0.113.10",
+			cidrRanges: []string{"openai"},
+			expected:   true,
+		},
+		{
+			name:       "Predefined CIDR (IPv6)",
+			ip:         "2001:db8:1::10",
+			cidrRanges: []string{"openai"},
+			expected:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clientIP := net.ParseIP(tt.ip)
+			assert.NotNil(t, clientIP, "Failed to parse IP")
+
+			// Mock predefined CIDRs
+			data.IPRanges = predefinedCIDRs
+
+			result := rawIPInRanges(clientIP, tt.cidrRanges, testLogger)
+			assert.Equal(t, tt.expected, result, "Unexpected result for IP %s", tt.ip)
+		})
+	}
+}
+
+// TestIPInRanges tests the IPInRanges function, including caching behavior.
+func TestIPInRanges(t *testing.T) {
+	tests := []struct {
+		name       string
+		ip         string
+		cidrRanges []string
+		expected   bool
+	}{
+		{
+			name:       "IPv4 in range (cached)",
+			ip:         "192.168.1.100",
+			cidrRanges: validCIDRs,
+			expected:   true,
+		},
+		{
+			name:       "IPv4 not in range (cached)",
+			ip:         "192.168.2.100",
+			cidrRanges: validCIDRs,
+			expected:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clientIP := net.ParseIP(tt.ip)
+			assert.NotNil(t, clientIP, "Failed to parse IP")
+
+			// Mock predefined CIDRs
+			data.IPRanges = predefinedCIDRs
+
+			// First call (not cached)
+			result := IPInRanges(clientIP, tt.cidrRanges, testLogger)
+			assert.Equal(t, tt.expected, result, "Unexpected result for IP %s (first call)", tt.ip)
+
+			// Second call (cached)
+			result = IPInRanges(clientIP, tt.cidrRanges, testLogger)
+			assert.Equal(t, tt.expected, result, "Unexpected result for IP %s (second call)", tt.ip)
+		})
+	}
+}
+
+// TestIPInRangesCacheExpiration tests the cache expiration behavior.
+func TestIPInRangesCacheExpiration(t *testing.T) {
+	// Set a short cache expiration time for testing
+	cache = expirable.NewLRU[string, bool](MaxKeys, nil, time.Millisecond*10)
+
+	clientIP := net.ParseIP("192.168.1.100")
+	assert.NotNil(t, clientIP, "Failed to parse IP")
+
+	// Mock predefined CIDRs
+	data.IPRanges = predefinedCIDRs
+
+	// First call (not cached)
+	result := IPInRanges(clientIP, validCIDRs, testLogger)
+	assert.True(t, result, "Expected IP to be in range (first call)")
+
+	// Wait for cache to expire
+	time.Sleep(time.Millisecond * 20)
+
+	// Second call (cache expired)
+	result = IPInRanges(clientIP, validCIDRs, testLogger)
+	assert.True(t, result, "Expected IP to be in range (second call, cache expired)")
+}