From 2cc053d7eb9f4530e5b22c0f8b1b7e3cddffb005 Mon Sep 17 00:00:00 2001
From: Robert Lucian Chiriac
Date: Sat, 17 Jul 2021 06:19:36 +0300
Subject: [PATCH 1/2] Validate VPC CIDR network size

---
 pkg/types/clusterconfig/cluster_config.go | 12 +++++++++++-
 pkg/types/clusterconfig/errors.go | 8 ++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkg/types/clusterconfig/cluster_config.go b/pkg/types/clusterconfig/cluster_config.go
index 2b47c55887..9ffe31b36a 100644
--- a/pkg/types/clusterconfig/cluster_config.go
+++ b/pkg/types/clusterconfig/cluster_config.go
@@ -86,6 +86,9 @@ var (
 _maxIOPSToVolumeSizeRatioForGP3 = int64(500)
 _minIOPSToThroughputRatioForGP3 = int64(4)
 
+ _minLeadingOnesInTheSubnetMask = 16
+ _maxLeadingOnesInTheSubnetMask = 24
+
 // This regex is stricter than the actual S3 rules
 _strictS3BucketRegex = regexp.MustCompile(`^([a-z0-9])+(-[a-z0-9]+)*$`)
 )
@@ -1467,11 +1470,18 @@ func (ng *NodeGroup) FillEmptySpotFields(region string) {
 }
 
 func validateCIDR(cidr string) (string, error) {
- _, _, err := net.ParseCIDR(cidr)
+ _, network, err := net.ParseCIDR(cidr)
 if err != nil {
 return "", errors.WithStack(err)
 }
 
+ if network != nil {
+ leadingOnesInMask, _ := network.Mask.Size()
+ if leadingOnesInMask < _minLeadingOnesInTheSubnetMask || leadingOnesInMask > _maxLeadingOnesInTheSubnetMask {
+ return "", ErrorSubnetMaskOutOfRange(leadingOnesInMask, _minLeadingOnesInTheSubnetMask, _maxLeadingOnesInTheSubnetMask)
+ }
+ }
+
 return cidr, nil
 }
 
diff --git a/pkg/types/clusterconfig/errors.go b/pkg/types/clusterconfig/errors.go
index 5aee00df2b..769f746417 100644
--- a/pkg/types/clusterconfig/errors.go
+++ b/pkg/types/clusterconfig/errors.go
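Review bot: The second value returned by `network.Mask.Size()` is discarded in the validateCIDR hunk, so the /16–/24 range is applied to IPv6 input as well: a CIDR such as `2001:db8::/20` passes the check even though the limits and the error text only make sense for a 32-bit IPv4 VPC CIDR (the rename in the second patch's hunk at -1476 keeps the same logic). Capture the width and reject anything else, e.g. `maskSize, bits := network.Mask.Size()` followed by `if bits != 32 { return "", <IPv4-only CIDR error> }`, using whichever error constructor the package already has for an invalid CIDR rather than ErrorSubnetMaskOutOfRange. ParseCIDR also accepts host bits in the address (`10.0.1.5/16`) and the function returns the original string rather than `network.String()`, so callers may receive a non-canonical CIDR; returning the normalised form is worth considering if anything downstream compares CIDR values. The `if network != nil` guard is dead once err is nil, since ParseCIDR never returns a nil network together with a nil error, and dropping it keeps the happy path flat.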
@@ -60,6 +60,7 @@ const (
 ErrUnsupportedAvailabilityZone = "clusterconfig.unsupported_availability_zone"
 ErrNotEnoughValidDefaultAvailibilityZones = "clusterconfig.not_enough_valid_default_availability_zones"
 ErrNoNATGatewayWithSubnets = "clusterconfig.no_nat_gateway_with_subnets"
+ ErrSubnetMaskOutOfRange = "clusterconfig.subnet_mask_out_of_range"
 ErrConfigCannotBeChangedOnConfigure = "clusterconfig.config_cannot_be_changed_on_configure"
 ErrNodeGroupCanOnlyBeScaled = "clusterconfig.node_group_can_only_be_scaled"
 ErrSpecifyOneOrNone = "clusterconfig.specify_one_or_none"
@@ -309,6 +310,13 @@ func ErrorNoNATGatewayWithSubnets() error {
 })
 }
 
+func ErrorSubnetMaskOutOfRange(requestedMaskSize, minMaskSize, maxMaskSize int) error {
+ return errors.WithStack(&errors.Error{
+ Kind: ErrSubnetMaskOutOfRange,
+ Message: fmt.Sprintf("invalid network size /%d; the network size must be between /%d and /%d", requestedMaskSize, minMaskSize, maxMaskSize),
+ })
+}
+
 func ErrorConfigCannotBeChangedOnConfigure() error {
 return errors.WithStack(&errors.Error{
 Kind: ErrConfigCannotBeChangedOnConfigure,

From 03e8ddd9ea4f7eb628269a3c03160356ffe8d7be Mon Sep 17 00:00:00 2001
From: Robert Lucian Chiriac
Date: Sat, 17 Jul 2021 23:43:50 +0300
Subject: [PATCH 2/2] Address PR comments

---
 pkg/types/clusterconfig/cluster_config.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/types/clusterconfig/cluster_config.go b/pkg/types/clusterconfig/cluster_config.go
index 9ffe31b36a..f303a63ca4 100644
--- a/pkg/types/clusterconfig/cluster_config.go
+++ b/pkg/types/clusterconfig/cluster_config.go
@@ -86,8 +86,8 @@ var (
 _maxIOPSToVolumeSizeRatioForGP3 = int64(500)
 _minIOPSToThroughputRatioForGP3 = int64(4)
 
- _minLeadingOnesInTheSubnetMask = 16
- _maxLeadingOnesInTheSubnetMask = 24
+ _minSubnetMask = 16
+ _maxSubnetMask = 24
 
 // This regex is stricter than the actual S3 rules
 _strictS3BucketRegex = regexp.MustCompile(`^([a-z0-9])+(-[a-z0-9]+)*$`)
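Review bot: The message built in ErrorSubnetMaskOutOfRange talks about a "network size" while the kind, the function name and the constants it is fed use "subnet mask", and neither term names the setting the user actually wrote, so the error is harder to map back to the VPC CIDR that triggered it. Use one term and name the field, e.g. `Message: fmt.Sprintf("invalid vpc cidr: prefix length /%d must be between /%d and /%d", requestedMaskSize, minMaskSize, maxMaskSize),`. A short doc comment on the constructor stating that the arguments are prefix lengths in bits would also remove the ambiguity for the next caller.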
@@ -1476,9 +1476,9 @@ func validateCIDR(cidr string) (string, error) {
 }
 
 if network != nil {
- leadingOnesInMask, _ := network.Mask.Size()
- if leadingOnesInMask < _minLeadingOnesInTheSubnetMask || leadingOnesInMask > _maxLeadingOnesInTheSubnetMask {
- return "", ErrorSubnetMaskOutOfRange(leadingOnesInMask, _minLeadingOnesInTheSubnetMask, _maxLeadingOnesInTheSubnetMask)
+ maskSize, _ := network.Mask.Size()
+ if maskSize < _minSubnetMask || maskSize > _maxSubnetMask {
+ return "", ErrorSubnetMaskOutOfRange(maskSize, _minSubnetMask, _maxSubnetMask)
 }
 }
 