Do not allow configuration of Allowed Address Pair with prefix length…

… less than 24 Closes-Bug: 1720118 Change-Id: I0ad8c58f01fc6fcd91779632bb23b7d3f8cf0522
Juniper · Oct 24, 2017 · 0670bc0 · 0670bc0
1 parent b852313
commit 0670bc0
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/src/config/api-server/tests/test_crud_basic.py b/src/config/api-server/tests/test_crud_basic.py
@@ -734,6 +734,46 @@ def test_physical_router_credentials_list(self):
             user_cred_read = rtr.get_physical_router_user_credentials()
             self.assertEqual(user_cred_read.password, '**Password Hidden**')
        # end test_physical_router_credentials
+
+    def test_allowed_address_pair_prefix_len(self):
+       ip_addresses = {'10.10.10.1': 23,
+                       '10.10.10.2': 24,
+                       '10.10.10.3': 25,
+                       'fe80:0:0:0:0:0:a0a:a0a': 119,
+                       'fe80:0:0:0:0:0:a0a:a0b': 120,
+                       'fe80:0:0:0:0:0:a0a:a0c': 121,
+                      }
+       proj = self._vnc_lib.project_read(fq_name=['default-domain', 'default-project'])
+       vn = VirtualNetwork()
+       for ip_address, prefix in ip_addresses.items():
+           ip_family = netaddr.IPNetwork(ip_address).version
+           vmi = VirtualMachineInterface('vmi-%s-' % prefix +self.id(), parent_obj=proj)
+           print 'Validating with ip (%s) and prefix (%s)' % (ip_address, prefix)
+           aap = AllowedAddressPair(ip=SubnetType(ip_address, prefix), address_mode='active-standby')
+           aaps = AllowedAddressPairs()
+           aaps.allowed_address_pair.append(aap)
+           vmi.set_virtual_machine_interface_allowed_address_pairs(aaps)
+           vmi.add_virtual_network(vn)
+           try:
+               self._vnc_lib.virtual_machine_interface_create(vmi)
+               if ip_family == 4 and prefix < 24:
+                   raise RuntimeError('Prefix of length < 24 should have been rejected')
+               if ip_family == 6 and prefix < 120:
+                   raise RuntimeError('Prefix of length < 120 should have been rejected')
+           except cfgm_common.exceptions.BadRequest:
+               if ip_family == 4 and prefix >= 24:
+                   print 'ERROR: Prefix >= 24 should be accepted'
+                   raise
+               if ip_family == 6 and prefix >= 120:
+                   print 'ERROR: Prefix >= 120 should be accepted'
+                   raise
+           finally:
+               if ip_family == 4 and prefix >= 24:
+                   vmi.del_virtual_machine_interface(vmi)
+               if ip_family == 6 and prefix >= 120:
+                   vmi.del_virtual_machine_interface(vmi)
+    # end test_allowed_address_pair_prefix_len
+
 # end class TestCrud
 
 class TestVncCfgApiServer(test_case.ApiServerTestCase):

diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
@@ -24,6 +24,7 @@
 import logging
 import logging.config
 import signal
+import netaddr
 import os
 import re
 import random
@@ -238,6 +239,8 @@ def _validate_complex_type(cls, dict_cls, dict_body):
             if attr_type_vals['is_complex']:
                 attr_cls = cfgm_common.utils.str_to_class(attr_type, __name__)
                 for item in values:
+                    if attr_type == 'AllowedAddressPair':
+                        cls._validate_allowed_address_pair_prefix_len(item)
                     cls._validate_complex_type(attr_cls, item)
             else:
                 simple_type = attr_type_vals['simple_type']
@@ -247,6 +250,22 @@ def _validate_complex_type(cls, dict_cls, dict_body):
                                               restrictions)
     # end _validate_complex_type
 
+    @classmethod
+    def _validate_allowed_address_pair_prefix_len(cls, value):
+        '''Do not allow configuration of AAP with
+           IPv4 prefix length less than 24 and 120 for IPv6.
+           LP #1720118
+        '''
+        if value['address_mode'] == 'active-standby':
+           ip_net_family = netaddr.IPNetwork(value['ip']['ip_prefix']).version
+           if ip_net_family == 6 and value['ip']['ip_prefix_len'] < 120:
+               raise ValueError('IPv6 Prefix length lesser than 120 is'
+                                ' is not acceptable')
+           if ip_net_family == 4 and value['ip']['ip_prefix_len'] < 24:
+               raise ValueError('IPv4 Prefix length lesser than 24'
+                                ' is not acceptable')
+    # end _validate_allowed_address_pair_prefix_len
+
     @classmethod
     def _validate_communityattribute_type(cls, value):
         poss_values = ["no-export",