From 2feb7d786cde95b28823b6fd48170af627fb7450 Mon Sep 17 00:00:00 2001
From: dahn <daan.hoogland@gmail.com>
Date: Tue, 26 May 2026 12:11:03 +0200
Subject: [PATCH] Fix Prometheus exporter not recognizing ::1 as IPv6 loopback

Normalize IPv6 addresses using InetAddress.getHostAddress() so that
compressed forms like ::1 and full forms like 0:0:0:0:0:0:0:1 are
treated as equivalent when checking the allowed IPs list.

Fixes #6714
---
 .../metrics/PrometheusExporterServerImpl.java  | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/plugins/integrations/prometheus/src/main/java/org/apache/cloudstack/metrics/PrometheusExporterServerImpl.java b/plugins/integrations/prometheus/src/main/java/org/apache/cloudstack/metrics/PrometheusExporterServerImpl.java
index d9f25d2f5772..2ccb2f785cac 100644
--- a/plugins/integrations/prometheus/src/main/java/org/apache/cloudstack/metrics/PrometheusExporterServerImpl.java
+++ b/plugins/integrations/prometheus/src/main/java/org/apache/cloudstack/metrics/PrometheusExporterServerImpl.java
@@ -26,9 +26,13 @@
 import javax.inject.Inject;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
 
 public class PrometheusExporterServerImpl extends ManagerBase implements PrometheusExporterServer, Configurable {
 
@@ -47,11 +51,21 @@ private final class ExporterHandler implements HttpHandler {
 
         @Override
         public void handle(final HttpExchange httpExchange) throws IOException {
-            final String remoteClientAddress = httpExchange.getRemoteAddress().getAddress().toString().replace("/", "");
+            final String remoteClientAddress = httpExchange.getRemoteAddress().getAddress().getHostAddress();
             logger.debug("Prometheus exporter received client request from: " + remoteClientAddress);
             String response = "Forbidden";
             int responseCode = 403;
-            if (Arrays.asList(PrometheusExporterAllowedAddresses.value().split(",")).contains(remoteClientAddress)) {
+            final List<String> allowedAddresses = Arrays.stream(PrometheusExporterAllowedAddresses.value().split(","))
+                    .map(addr -> {
+                        try {
+                            return InetAddress.getByName(addr.trim()).getHostAddress();
+                        } catch (UnknownHostException e) {
+                            logger.warn("Invalid IP address in prometheus.exporter.allowed.ips: " + addr.trim());
+                            return addr.trim();
+                        }
+                    })
+                    .collect(Collectors.toList());
+            if (allowedAddresses.contains(remoteClientAddress)) {
                 prometheusExporter.updateMetrics();
                 response = prometheusExporter.getMetrics();
                 responseCode = 200;