feat: support IPv6 CIDR for network restrictions

sweatybridge · sweatybridge · commit fefcfd95c43f · 2024-01-19T14:54:45.000+08:00
diff --git a/cmd/restrictions.go b/cmd/restrictions.go
@@ -1,7 +1,6 @@
 package cmd
 
 import (
-	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/supabase/cli/internal/restrictions/get"
 	"github.com/supabase/cli/internal/restrictions/update"
@@ -22,15 +21,15 @@ var (
 		Use:   "update",
 		Short: "Update network restrictions",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return update.Run(cmd.Context(), flags.ProjectRef, dbCidrsToAllow, bypassCidrChecks, afero.NewOsFs())
+			return update.Run(cmd.Context(), flags.ProjectRef, dbCidrsToAllow, bypassCidrChecks)
 		},
 	}
 
 	restrictionsGetCmd = &cobra.Command{
 		Use:   "get",
 		Short: "Get the current network restrictions",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return get.Run(cmd.Context(), flags.ProjectRef, afero.NewOsFs())
+			return get.Run(cmd.Context(), flags.ProjectRef)
 		},
 	}
 )
@@ -41,6 +40,5 @@ func init() {
 	restrictionsUpdateCmd.Flags().BoolVar(&bypassCidrChecks, "bypass-cidr-checks", false, "Bypass some of the CIDR validation checks.")
 	restrictionsCmd.AddCommand(restrictionsGetCmd)
 	restrictionsCmd.AddCommand(restrictionsUpdateCmd)
-
 	rootCmd.AddCommand(restrictionsCmd)
 }
diff --git a/internal/restrictions/get/get.go b/internal/restrictions/get/get.go
@@ -5,24 +5,20 @@ import (
 	"fmt"
 
 	"github.com/go-errors/errors"
-	"github.com/spf13/afero"
 	"github.com/supabase/cli/internal/utils"
 )
 
-func Run(ctx context.Context, projectRef string, fsys afero.Fs) error {
-	// 1. Sanity checks.
-	// 2. get network restrictions
-	{
-		resp, err := utils.GetSupabase().GetNetworkRestrictionsWithResponse(ctx, projectRef)
-		if err != nil {
-			return errors.Errorf("failed to retrieve network restrictions: %w", err)
-		}
-		if resp.JSON200 == nil {
-			return errors.New("failed to retrieve network restrictions; received: " + string(resp.Body))
-		}
-
-		fmt.Printf("DB Allowed CIDRs: %+v\n", resp.JSON200.Config.DbAllowedCidrs)
-		fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON200.Status == "applied")
-		return nil
+func Run(ctx context.Context, projectRef string) error {
+	resp, err := utils.GetSupabase().GetNetworkRestrictionsWithResponse(ctx, projectRef)
+	if err != nil {
+		return errors.Errorf("failed to retrieve network restrictions: %w", err)
+	}
+	if resp.JSON200 == nil {
+		return errors.New("failed to retrieve network restrictions; received: " + string(resp.Body))
 	}
+
+	fmt.Printf("DB Allowed IPv4 CIDRs: %+v\n", resp.JSON200.Config.DbAllowedCidrs)
+	fmt.Printf("DB Allowed IPv6 CIDRs: %+v\n", resp.JSON200.Config.DbAllowedCidrsV6)
+	fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON200.Status == "applied")
+	return nil
 }
diff --git a/internal/restrictions/update/update.go b/internal/restrictions/update/update.go
@@ -6,49 +6,42 @@ import (
 	"net"
 
 	"github.com/go-errors/errors"
-	"github.com/spf13/afero"
 	"github.com/supabase/cli/internal/utils"
 	"github.com/supabase/cli/pkg/api"
 )
 
-func validateCidrs(cidrs []string, bypassChecks bool) error {
-	for _, cidr := range cidrs {
+func Run(ctx context.Context, projectRef string, dbCidrsToAllow []string, bypassCidrChecks bool) error {
+	// 1. separate CIDR to v4 and v6
+	body := api.ApplyNetworkRestrictionsJSONRequestBody{
+		DbAllowedCidrs:   &[]string{},
+		DbAllowedCidrsV6: &[]string{},
+	}
+	for _, cidr := range dbCidrsToAllow {
 		ip, _, err := net.ParseCIDR(cidr)
 		if err != nil {
 			return errors.Errorf("failed to parse IP: %s", cidr)
 		}
-		if ip.IsPrivate() && !bypassChecks {
+		if ip.IsPrivate() && !bypassCidrChecks {
 			return errors.Errorf("private IP provided: %s", cidr)
 		}
-		if ip.To4() == nil {
-			return errors.Errorf("only IPv4 supported at the moment: %s", cidr)
-		}
-	}
-	return nil
-}
-
-func Run(ctx context.Context, projectRef string, dbCidrsToAllow []string, bypassCidrChecks bool, fsys afero.Fs) error {
-	// 1. sanity checks
-	{
-		err := validateCidrs(dbCidrsToAllow, bypassCidrChecks)
-		if err != nil {
-			return err
+		if ip.To4() != nil {
+			*body.DbAllowedCidrs = append(*body.DbAllowedCidrs, cidr)
+		} else {
+			*body.DbAllowedCidrsV6 = append(*body.DbAllowedCidrsV6, cidr)
 		}
 	}
 
 	// 2. update restrictions
-	{
-		resp, err := utils.GetSupabase().ApplyNetworkRestrictionsWithResponse(ctx, projectRef, api.ApplyNetworkRestrictionsJSONRequestBody{
-			DbAllowedCidrs: dbCidrsToAllow,
-		})
-		if err != nil {
-			return errors.Errorf("failed to apply network restrictions: %w", err)
-		}
-		if resp.JSON201 == nil {
-			return errors.New("failed to update network restrictions: " + string(resp.Body))
-		}
-		fmt.Printf("DB Allowed CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrs)
-		fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON201.Status == "applied")
-		return nil
+	resp, err := utils.GetSupabase().ApplyNetworkRestrictionsWithResponse(ctx, projectRef, body)
+	if err != nil {
+		return errors.Errorf("failed to apply network restrictions: %w", err)
 	}
+	if resp.JSON201 == nil {
+		return errors.New("failed to apply network restrictions: " + string(resp.Body))
+	}
+
+	fmt.Printf("DB Allowed IPv4 CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrs)
+	fmt.Printf("DB Allowed IPv6 CIDRs: %+v\n", resp.JSON201.Config.DbAllowedCidrsV6)
+	fmt.Printf("Restrictions applied successfully: %+v\n", resp.JSON201.Status == "applied")
+	return nil
 }
diff --git a/internal/restrictions/update/update_test.go b/internal/restrictions/update/update_test.go
@@ -1,28 +1,121 @@
 package update
 
 import (
+	"context"
+	"net/http"
 	"testing"
 
+	"github.com/go-errors/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/supabase/cli/internal/testing/apitest"
+	"github.com/supabase/cli/internal/utils"
+	"github.com/supabase/cli/pkg/api"
+	"gopkg.in/h2non/gock.v1"
 )
 
-func TestPrivateSubnet(t *testing.T) {
-	err := validateCidrs([]string{"12.3.4.5/32", "10.0.0.0/8", "1.2.3.1/24"}, false)
-	assert.ErrorContains(t, err, "private IP provided: 10.0.0.0/8")
-	err = validateCidrs([]string{"10.0.0.0/8"}, true)
-	assert.Nil(t, err, "should bypass private subnet checks")
-}
+func TestUpdateRestrictionsCommand(t *testing.T) {
+	projectRef := apitest.RandomProjectRef()
+	// Setup valid access token
+	token := apitest.RandomAccessToken(t)
+	t.Setenv("SUPABASE_ACCESS_TOKEN", string(token))
+
+	t.Run("updates v4 and v6 CIDR", func(t *testing.T) {
+		// Setup mock api
+		defer gock.OffAll()
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + projectRef + "/network-restrictions/apply").
+			MatchType("json").
+			JSON(api.NetworkRestrictionsRequest{
+				DbAllowedCidrs:   &[]string{"12.3.4.5/32", "1.2.3.1/24"},
+				DbAllowedCidrsV6: &[]string{"2001:db8:abcd:0012::0/64"},
+			}).
+			Reply(http.StatusCreated).
+			JSON(api.NetworkRestrictionsResponse{
+				Status: api.NetworkRestrictionsResponseStatus("applied"),
+			})
+		// Run test
+		err := Run(context.Background(), projectRef, []string{"12.3.4.5/32", "2001:db8:abcd:0012::0/64", "1.2.3.1/24"}, false)
+		// Check error
+		assert.NoError(t, err)
+		assert.Empty(t, apitest.ListUnmatchedRequests())
+	})
+
+	t.Run("throws error on network failure", func(t *testing.T) {
+		errNetwork := errors.New("network error")
+		// Setup mock api
+		defer gock.OffAll()
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + projectRef + "/network-restrictions/apply").
+			MatchType("json").
+			JSON(api.NetworkRestrictionsRequest{
+				DbAllowedCidrs:   &[]string{},
+				DbAllowedCidrsV6: &[]string{},
+			}).
+			ReplyError(errNetwork)
+		// Run test
+		err := Run(context.Background(), projectRef, []string{}, true)
+		// Check error
+		assert.ErrorIs(t, err, errNetwork)
+		assert.Empty(t, apitest.ListUnmatchedRequests())
+	})
 
-func TestIpv4(t *testing.T) {
-	err := validateCidrs([]string{"12.3.4.5/32", "2001:db8:abcd:0012::0/64", "1.2.3.1/24"}, false)
-	assert.ErrorContains(t, err, "only IPv4 supported at the moment: 2001:db8:abcd:0012::0/64")
-	err = validateCidrs([]string{"12.3.4.5/32", "2001:db8:abcd:0012::0/64", "1.2.3.1/24"}, true)
-	assert.ErrorContains(t, err, "only IPv4 supported at the moment: 2001:db8:abcd:0012::0/64")
+	t.Run("throws error on server unavailable", func(t *testing.T) {
+		// Setup mock api
+		defer gock.OffAll()
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + projectRef + "/network-restrictions/apply").
+			MatchType("json").
+			JSON(api.NetworkRestrictionsRequest{
+				DbAllowedCidrs:   &[]string{},
+				DbAllowedCidrsV6: &[]string{},
+			}).
+			Reply(http.StatusServiceUnavailable)
+		// Run test
+		err := Run(context.Background(), projectRef, []string{}, true)
+		// Check error
+		assert.ErrorContains(t, err, "failed to apply network restrictions:")
+		assert.Empty(t, apitest.ListUnmatchedRequests())
+	})
 }
 
-func TestInvalidSubnets(t *testing.T) {
-	err := validateCidrs([]string{"12.3.4.5", "10.0.0.0/8", "1.2.3.1/24"}, false)
-	assert.ErrorContains(t, err, "failed to parse IP: 12.3.4.5")
-	err = validateCidrs([]string{"100/36"}, true)
-	assert.ErrorContains(t, err, "failed to parse IP: 100/36")
+func TestValidateCIDR(t *testing.T) {
+	projectRef := apitest.RandomProjectRef()
+	// Setup valid access token
+	token := apitest.RandomAccessToken(t)
+	t.Setenv("SUPABASE_ACCESS_TOKEN", string(token))
+
+	t.Run("bypasses private subnet checks", func(t *testing.T) {
+		// Setup mock api
+		defer gock.OffAll()
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + projectRef + "/network-restrictions/apply").
+			MatchType("json").
+			JSON(api.NetworkRestrictionsRequest{
+				DbAllowedCidrs:   &[]string{"10.0.0.0/8"},
+				DbAllowedCidrsV6: &[]string{},
+			}).
+			Reply(http.StatusCreated).
+			JSON(api.NetworkRestrictionsResponse{
+				Status: api.NetworkRestrictionsResponseStatus("applied"),
+			})
+		// Run test
+		err := Run(context.Background(), projectRef, []string{"10.0.0.0/8"}, true)
+		// Check error
+		assert.NoError(t, err)
+		assert.Empty(t, apitest.ListUnmatchedRequests())
+	})
+
+	t.Run("throws error on private subnet", func(t *testing.T) {
+		// Run test
+		err := Run(context.Background(), projectRef, []string{"12.3.4.5/32", "10.0.0.0/8", "1.2.3.1/24"}, false)
+		// Check error
+		assert.ErrorContains(t, err, "private IP provided: 10.0.0.0/8")
+	})
+
+	t.Run("throws error on invalid subnet", func(t *testing.T) {
+		// Run test
+		err := Run(context.Background(), projectRef, []string{"12.3.4.5", "10.0.0.0/8", "1.2.3.1/24"}, false)
+		// Check error
+		assert.ErrorContains(t, err, "failed to parse IP: 12.3.4.5")
+	})
 }
