Allow new documentation ranges in the validation of IPs (#2529)

This PR adds the latest IP ranges to the isDocumentation so they
can be validated successfully in elastic-package tests.

Author: mrodm

docs/howto/ingest_geoip.md

@@ -2,7 +2,19 @@
 
 Elasticsearch provides default GeoIP databases that can be downloaded in runtime and which weights ~70 MB. This can be
 a root cause of flakiness of package tests, so elastic-package embeds small samples of GeoIP databases, that can identify
-accurately only few ranges of IP addresses included [here](../../internal/fields/_static/allowed_geo_ips.txt)
+accurately only few ranges of IP addresses.
+
+Specifically, the following documentation ranges of IP addresses are included in those GeoIP databases:
+- [RFC5737](https://datatracker.ietf.org/doc/rfc5737/)
+    - 192.0.2.0/24
+    - 198.51.100.0/24
+    - 203.0.113.0/24
+- [RFC6676](https://datatracker.ietf.org/doc/rfc6676/) (multicast addresses allocated for documentation purposes):
+    - 233.252.0.0/24
+- [RFC3849](https://datatracker.ietf.org/doc/rfc3849/)
+    - "2001:DB8::/32"
+- [RFC9637](https://datatracker.ietf.org/doc/rfc9637/)
+    - "3fff::/20"
 
 If you want the ingest pipeline to include a "geo" section in the event, feel free to use one of above IP addresses.
 Embedded databases contain information about: cities, countries and ASNs.

internal/fields/validate.go

@@ -1263,29 +1263,35 @@ func (v *Validator) parseSingleElementValue(key string, definition FieldDefiniti
 }
 
 // isDocumentation reports whether ip is a reserved address for documentation,
-// according to RFC 5737 (IPv4 Address Blocks Reserved for Documentation) and
-// RFC 3849 (IPv6 Address Prefix Reserved for Documentation).
+// according to RFC 5737 (IPv4 Address Blocks Reserved for Documentation), RFC 6676,
+// RFC 3849 (IPv6 Address Prefix Reserved for Documentation) and RFC 9637.
 func isDocumentation(ip net.IP) bool {
 	if ip4 := ip.To4(); ip4 != nil {
 		// Following RFC 5737, Section 3. Documentation Address Blocks which says:
 		//   The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2),
 		//   and 203.0.113.0/24 (TEST-NET-3) are provided for use in
 		//   documentation.
+		// Following RFC 6676, the IPV4 multicast addresses allocated for documentation
+		// purposes are 233.252.0.0/24
 		return ((ip4[0] == 192 && ip4[1] == 0 && ip4[2] == 2) ||
 			(ip4[0] == 198 && ip4[1] == 51 && ip4[2] == 100) ||
-			(ip4[0] == 203 && ip4[1] == 0 && ip4[2] == 113))
+			(ip4[0] == 203 && ip4[1] == 0 && ip4[2] == 113) ||
+			(ip4[0] == 233 && ip4[1] == 252 && ip4[2] == 0))
 	}
 	// Following RFC 3849, Section 2. Documentation IPv6 Address Prefix which
 	// says:
 	//   The prefix allocated for documentation purposes is 2001:DB8::/32
-	return len(ip) == net.IPv6len && ip[0] == 32 && ip[1] == 1 && ip[2] == 13 && ip[3] == 184
+	// Following RFC 9637, a new address block 3fff::/20 is registered for documentation purposes
+	return len(ip) == net.IPv6len &&
+		(ip[0] == 32 && ip[1] == 1 && ip[2] == 13 && ip[3] == 184) ||
+		(ip[0] == 63 && ip[1] == 255 && ip[2] <= 15)
 }
 
 // isAllowedIPValue checks if the provided IP is allowed for testing
 // The set of allowed IPs are:
 // - private IPs as described in RFC 1918 & RFC 4193
 // - public IPs allowed by MaxMind for testing
-// - Reserved IPs for documentation RFC 5737 and RFC 3849
+// - Reserved IPs for documentation RFC 5737, RFC 3849, RFC 6676 and RFC 9637
 // - 0.0.0.0 and 255.255.255.255 for IPv4
 // - 0:0:0:0:0:0:0:0 and ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff for IPv6
 func (v *Validator) isAllowedIPValue(s string) bool {

internal/fields/validate_test.go

@@ -1247,6 +1247,24 @@ func Test_IsAllowedIPValue(t *testing.T) {
 				"89.160.20.112/28",
 			},
 		},
+		{
+			title:      "valid ipv4 multicast address",
+			ip:         "233.252.0.57",
+			expected:   true,
+			allowedIps: []string{},
+		},
+		{
+			title:      "second range documentation ipv6",
+			ip:         "3fff:0000:0000:0000:0000:1000:1000:1000",
+			expected:   true,
+			allowedIps: []string{},
+		},
+		{
+			title:      "other invalid ipv6",
+			ip:         "3fff:1fff:ffff:ffff:ffff:ffff:ffff:ffff",
+			expected:   false,
+			allowedIps: []string{},
+		},
 	}
 
 	for _, c := range cases {

test/packages/parallel/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log

@@ -1,6 +1,7 @@
 ::1 - - [26/Dec/2016:16:16:28 +0200] "GET / HTTP/1.1" 200 45
 ::1 - - [26/Dec/2016:16:16:29 +0200] "GET /favicon.ico HTTP/1.1" 404 209
 ::1 - - [26/Dec/2016:16:16:48 +0200] "-" 408 -
+3fff::1 - - [26/Dec/2016:16:16:48 +0200] "-" 408 -
 89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] "GET / HTTP/1.1" 200 45
 89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] "GET /notfound HTTP/1.1" 404 206
 89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] "GET /hmm HTTP/1.1" 404 201

test/packages/parallel/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json

@@ -134,6 +134,59 @@
                 "name": "-"
             }
         },
+        {
+            "@timestamp": "2016-12-26T14:16:48.000Z",
+            "apache": {
+                "access": {}
+            },
+            "ecs": {
+                "version": "1.12.0"
+            },
+            "event": {
+                "category": [
+                    "web"
+                ],
+                "created": "2020-04-28T11:07:58.223Z",
+                "ingested": "2022-09-08T10:05:05.950497950Z",
+                "kind": "event",
+                "original": "3fff::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -",
+                "outcome": "failure",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "response": {
+                    "status_code": 408
+                }
+            },
+            "source": {
+                "address": "3fff::1",
+                "as": {
+                    "number": 65552,
+                    "organization": {
+                        "name": "Documentation ASN"
+                    }
+                },
+                "geo": {
+                    "city_name": "Lisbon",
+                    "continent_name": "Europe",
+                    "country_iso_code": "PT",
+                    "country_name": "Portugal",
+                    "location": {
+                        "lat": 38.71667,
+                        "lon": -9.13333
+                    }
+                },
+                "ip": "3fff::1"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "-"
+            }
+        },
         {
             "@timestamp": "2016-12-26T16:23:35.000Z",
             "apache": {