From af0a7a2375a96b632dfd3d1b9bab0945a0a77cb4 Mon Sep 17 00:00:00 2001 From: Peter Kurfer Date: Wed, 20 Jan 2021 18:43:00 +0100 Subject: [PATCH] Capture source and destination addresses as byte arrays - update necessary tests This removes a lot of complexity because IPv4 and IPv6 addresses can be handled the same way. To distinguish between them it's enough to take their length into account. Parsing should be straight forward in any language.
---
 api/proto/pkg/audit/event_entity.proto | 22 ++++----------- pkg/audit/event.go | 38 +++----------------------- pkg/audit/ip_conversion.go | 33 ---------------------- pkg/audit/reader_test.go | 10 ++++--- 4 files changed, 16 insertions(+), 87 deletions(-) delete mode 100644 pkg/audit/ip_conversion.go
diff --git a/api/proto/pkg/audit/event_entity.proto b/api/proto/pkg/audit/event_entity.proto
index 2939193..00492af 100644
--- a/api/proto/pkg/audit/event_entity.proto
+++ b/api/proto/pkg/audit/event_entity.proto
@@ -42,20 +42,10 @@ message EventEntity {
 google.protobuf.Timestamp timestamp = 2;
 TransportProtocol transport = 3;
 AppProtocol application = 4;
-
- oneof sourceIP {
- uint32 sourceIPv4 = 5;
- uint64 sourceIPv6 = 6;
- }
-
- oneof destinationIP {
- uint32 destinationIPv4 = 7;
- uint64 destinationIPv6 = 8;
- }
-
- uint32 sourcePort = 9;
- uint32 destinationPort = 10;
-
- TLSDetailsEntity tls = 11;
- google.protobuf.Any protocolDetails = 12;
+ bytes sourceIP = 5;
+ bytes destinationIP = 6;
+ uint32 sourcePort = 7;
+ uint32 destinationPort = 8;
+ TLSDetailsEntity tls = 9;
+ google.protobuf.Any protocolDetails = 10;
 }
\ No newline at end of file
diff --git a/pkg/audit/event.go b/pkg/audit/event.go
index 5e2f29d..0e7576c 100644
--- a/pkg/audit/event.go
+++ b/pkg/audit/event.go
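Review bot: Renumbering the surviving fields changes the wire format of every stored event, not only the address fields: `sourcePort`, `destinationPort`, `tls` and `protocolDetails` move from tags 9–12 to 7–10, and tags 5–8 are reused with different meanings. Records written with the previous schema will then either fail to decode or decode into the wrong fields (an old varint `destinationIPv4 = 7` would be read as `sourcePort`), which matters for an audit trail that has to stay readable. Keep the existing numbers, retire the old address tags with `reserved 5 to 8;`, and give the new fields fresh tags, for example `bytes sourceIP = 13;` and `bytes destinationIP = 14;`. If no events in the old format ever need to be read again, a comment on the message stating that the break is intentional would be enough.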
@@ -30,20 +30,6 @@ type Event struct {
 }
 
 func (e *Event) ProtoMessage() *EventEntity {
- var sourceIP isEventEntity_SourceIP
- if ipv4 := e.SourceIP.To4(); ipv4 != nil {
- sourceIP = &EventEntity_SourceIPv4{SourceIPv4: ipv4ToUint32(ipv4)}
- } else {
- sourceIP = &EventEntity_SourceIPv6{SourceIPv6: ipv6ToBytes(e.SourceIP)}
- }
-
- var destinationIP isEventEntity_DestinationIP
- if ipv4 := e.DestinationIP.To4(); ipv4 != nil {
- destinationIP = &EventEntity_DestinationIPv4{DestinationIPv4: ipv4ToUint32(ipv4)}
- } else {
- destinationIP = &EventEntity_DestinationIPv6{DestinationIPv6: ipv6ToBytes(e.DestinationIP)}
- }
-
 var tlsDetails *TLSDetailsEntity = nil
 if e.TLS != nil {
 tlsDetails = e.TLS.ProtoMessage()
@@ -61,8 +47,8 @@ func (e *Event) ProtoMessage() *EventEntity {
 Timestamp: timestamppb.New(e.Timestamp),
 Transport: e.Transport,
 Application: e.Application,
- SourceIP: sourceIP,
- DestinationIP: destinationIP,
+ SourceIP: e.SourceIP,
+ DestinationIP: e.DestinationIP,
 SourcePort: uint32(e.SourcePort),
 DestinationPort: uint32(e.DestinationPort),
 Tls: tlsDetails,
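Review bot: In the second hunk, `SourceIP: e.SourceIP` and `DestinationIP: e.DestinationIP` serialize the `net.IP` slice in whatever form it is stored, and Go frequently holds IPv4 addresses in 16-byte form (`net.ParseIP` and `net.IPv4` both return it), so the length-based IPv4/IPv6 distinction described in the commit message only holds if the address is normalized first. The removed code did that with `To4()`; whether the setters elsewhere in the file already normalize is not visible here. A small helper applied at the two assignment sites would keep the wire length meaningful for consumers of the audit stream. ProtoMessage begins and ends outside this hunk.

```go
// wireIP returns the 4-byte form of an IPv4 (or IPv4-mapped) address and
// leaves every other address unchanged, so the length identifies the family.
func wireIP(ip net.IP) net.IP {
	if v4 := ip.To4(); v4 != nil {
		return v4
	}
	return ip
}

// … unchanged: rest of ProtoMessage up to the EventEntity literal …
		SourceIP:        wireIP(e.SourceIP),
		DestinationIP:   wireIP(e.DestinationIP),
```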
@@ -91,29 +77,13 @@ func (e *Event) SetDestinationIPFromAddr(localAddr net.Addr) {
 }
 
 func NewEventFromProto(msg *EventEntity) (ev Event) {
- var sourceIP net.IP
- switch ip := msg.GetSourceIP().(type) {
- case *EventEntity_SourceIPv4:
- sourceIP = uint32ToIP(ip.SourceIPv4)
- case *EventEntity_SourceIPv6:
- sourceIP = uint64ToIP(ip.SourceIPv6)
- }
-
- var destinationIP net.IP
- switch ip := msg.GetDestinationIP().(type) {
- case *EventEntity_DestinationIPv4:
- destinationIP = uint32ToIP(ip.DestinationIPv4)
- case *EventEntity_DestinationIPv6:
- destinationIP = uint64ToIP(ip.DestinationIPv6)
- }
-
 ev = Event{
 ID: msg.GetId(),
 Timestamp: msg.GetTimestamp().AsTime(),
 Transport: msg.GetTransport(),
 Application: msg.GetApplication(),
- SourceIP: sourceIP,
- DestinationIP: destinationIP,
+ SourceIP: msg.SourceIP,
+ DestinationIP: msg.DestinationIP,
 SourcePort: uint16(msg.GetSourcePort()),
 DestinationPort: uint16(msg.GetDestinationPort()),
 ProtocolDetails: guessDetailsFromApp(msg.GetProtocolDetails()),
diff --git a/pkg/audit/ip_conversion.go b/pkg/audit/ip_conversion.go
deleted file mode 100644
index 7385eb3..0000000
--- a/pkg/audit/ip_conversion.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package audit
-
-import (
- "encoding/binary"
- "math/big"
- "net"
-)
-
-func ipv4ToUint32(ip net.IP) uint32 {
- if len(ip) == 16 {
- return binary.BigEndian.Uint32(ip[12:16])
- }
- return binary.BigEndian.Uint32(ip)
-}
-
-func ipv6ToBytes(ip net.IP) uint64 {
- ipv6 := big.NewInt(0)
- ipv6.SetBytes(ip)
- return ipv6.Uint64()
-}
-
-func uint32ToIP(i uint32) (ip net.IP) {
- buf := make([]byte, 4)
- binary.BigEndian.PutUint32(buf, i)
- ip = buf
- ip = ip.To4()
- return
-}
-
-func uint64ToIP(i uint64) (ip net.IP) {
- ip = big.NewInt(int64(i)).FillBytes(make([]byte, 16))
- return
-}
diff --git a/pkg/audit/reader_test.go b/pkg/audit/reader_test.go
index e65ec7f..94c2e32 100644
--- a/pkg/audit/reader_test.go
+++ b/pkg/audit/reader_test.go
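Review bot: `SourceIP: msg.SourceIP` and `DestinationIP: msg.DestinationIP` in the NewEventFromProto hunk read the struct fields directly, while every other field in the literal goes through a getter and the removed code used `msg.GetSourceIP()`; assuming the usual nil-safe generated getters, a nil `msg` now panics here where it appears not to have before. The bytes are also taken from the decoded record without a length check, so a value that is neither 4 nor 16 bytes becomes an invalid `net.IP` that prints as `?` followed by hex and returns nil from `To4()` and `To16()`. I would write `SourceIP: msg.GetSourceIP(),` and `DestinationIP: msg.GetDestinationIP(),` and drop or reject addresses whose length is not `net.IPv4len` or `net.IPv6len`, since the reader may be fed truncated or hand-edited audit files. The function body continues past the end of this hunk.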
@@ -13,11 +13,13 @@ import ( var ( //nolint:lll - httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807` + httpPayloadBytesLittleEndian = `dd000000120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e` //nolint:lll - httpPayloadBytesBigEndian = `000000dd120b088092b8c398feffffff011801200248d8fc0150505a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73746282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e28818080f80738818080f807` - dnsPayloadBytesLittleEndian = `1b000000120b088092b8c398feffffff011801200148d8fc01505030014001` - dnsPayloadBytesBigEndian = `0000001b120b088092b8c398feffffff011801200148d8fc01505030014001` + httpPayloadBytesBigEndian = 
`000000dd120b088092b8c398feffffff01180120022a047f00000132047f00000138d8fc0140504a3308041224544c535f45434448455f45434453415f574954485f4145535f3235365f4342435f5348411a096c6f63616c686f73745282010a34747970652e676f6f676c65617069732e636f6d2f696e65746d6f636b2e61756469742e4854545044657461696c73456e74697479124a12096c6f63616c686f73741a15687474703a2f2f6c6f63616c686f73742f6173646622084854545020312e312a1c0a0641636365707412120a106170706c69636174696f6e2f6a736f6e` + //nolint:lll + dnsPayloadBytesLittleEndian = `3b000000120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050` + //nolint:lll + dnsPayloadBytesBigEndian = `0000003b120b088092b8c398feffffff01180120012a100000000000000000000000000000000132100000000000000000000000000000000138d8fc014050` ) func mustDecodeHex(hexBytes string) io.Reader {