diff --git a/lib/fog/aws/requests/compute/authorize_security_group_ingress.rb b/lib/fog/aws/requests/compute/authorize_security_group_ingress.rb
index 13557958e1..04d3ae717c 100644
--- a/lib/fog/aws/requests/compute/authorize_security_group_ingress.rb
+++ b/lib/fog/aws/requests/compute/authorize_security_group_ingress.rb
@@ -91,6 +91,8 @@ def authorize_security_group_ingress(group_name, options = {})
 group_name = options.delete('GroupName')
 end
 
+ verify_permission_options(options)
+
 response = Excon::Response.new
 group = self.data[:security_groups][group_name]
 
@@ -131,6 +133,24 @@ def authorize_security_group_ingress(group_name, options = {})
 
 private
 
+ def verify_permission_options(options)
+ if options.empty?
+ raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
+ end
+ if options['IpProtocol'] && !['tcp', 'udp', 'icmp'].include?(options['IpProtocol'])
+ raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => Unsupported IP protocol \"#{options['IpProtocol']}\" - supported: [tcp, udp, icmp]")
+ end
+ if options['IpProtocol'] && (!options['FromPort'] || !options['ToPort'])
+ raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => TCP/UDP port (-1) out of range")
+ end
+ if options.has_key?('IpPermissions')
+ if !options['IpPermissions'].is_a?(Array) || options['IpPermissions'].empty?
+ raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
+ end
+ options['IpPermissions'].each {|p| verify_permission_options(p) }
+ end
+ end
+
 def normalize_permissions(options)
 normalized_permissions = []
 
diff --git a/lib/fog/aws/requests/compute/revoke_security_group_ingress.rb b/lib/fog/aws/requests/compute/revoke_security_group_ingress.rb
index 339dbe590d..6cc119658f 100644
--- a/lib/fog/aws/requests/compute/revoke_security_group_ingress.rb
+++ b/lib/fog/aws/requests/compute/revoke_security_group_ingress.rb
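Review bot: Items of `IpPermissions` are passed back into `verify_permission_options` without checking that they are Hashes, so `{ "IpPermissions" => ["tcp"] }` or `{ "IpPermissions" => [nil] }` escapes as a NoMethodError from `empty?` / `has_key?` instead of the Fog::Compute::AWS::Error the callers and the new tests expect; replacing the first guard with `raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.") unless options.is_a?(Hash) && !options.empty?` closes that. The port check on the following `if` only tests presence, so a non-integer, negative or inverted range (`FromPort` above `ToPort`) still passes while the message claims an out-of-range port; a mock that is laxer than the real API lets callers' suites pass on rules EC2 would reject, so either tighten it to an Integer range check (keeping in mind icmp uses -1 for type/code) or reword the message to say the ports are missing. The protocol whitelist also appears to reject the `-1` (all protocols) and numeric protocol values the real API accepts for VPC groups, as far as I recall; worth confirming before users of the mock hit it. `has_key?` is the legacy spelling of `key?`.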
@@ -68,6 +68,8 @@ def revoke_security_group_ingress(group_name, options = {})
 group_name = options.delete('GroupName')
 end
 
+ verify_permission_options(options)
+
 response = Excon::Response.new
 group = self.data[:security_groups][group_name]
 
diff --git a/tests/aws/requests/compute/security_group_tests.rb b/tests/aws/requests/compute/security_group_tests.rb
index 5e5ce70b2b..8e86cad862 100644
--- a/tests/aws/requests/compute/security_group_tests.rb
+++ b/tests/aws/requests/compute/security_group_tests.rb
@@ -301,6 +301,30 @@
 Fog::Compute[:aws].delete_security_group(@other_security_group.name)
 end
 
+ broken_params = [
+ {},
+ { "IpProtocol" => "what" },
+ { "IpProtocol" => "tcp" },
+ { "IpProtocol" => "what", "FromPort" => 1, "ToPort" => 1 },
+ ]
+ broken_params += broken_params.map do |broken_params_item|
+ { "IpPermissions" => [broken_params_item] }
+ end
+ broken_params += [
+ { "IpPermissions" => [] },
+ { "IpPermissions" => nil }
+ ]
+
+ broken_params.each do |broken_params_item|
+ tests("#authorize_security_group_ingress('fog_security_group', #{broken_params_item.inspect})").raises(Fog::Compute::AWS::Error) do
+ Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', broken_params_item)
+ end
+
+ tests("#revoke_security_group_ingress('fog_security_group', #{broken_params_item.inspect})").raises(Fog::Compute::AWS::Error) do
+ Fog::Compute[:aws].revoke_security_group_ingress('fog_security_group', broken_params_item)
+ end
+ end
+
 tests("#revoke_security_group_ingress('not_a_group_name', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").raises(Fog::Compute::AWS::NotFound) do
 Fog::Compute[:aws].revoke_security_group_ingress(
 'not_a_group_name',
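Review bot: `verify_permission_options` is not defined in this file; judging by the other half of this commit it lives under `private` in the reopened Mock class of authorize_security_group_ingress.rb, so this call works only because that request file is loaded too, and nothing at the call site says so. A short comment such as `# shared validator, defined in authorize_security_group_ingress.rb` next to the new line would save the next reader a search. revoke_security_group_ingress's body starts and continues outside the hunk.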
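Review bot: The broken_params table never includes an `IpPermissions` item that is not a Hash, and as the validator in this commit is written such items surface as a NoMethodError rather than Fog::Compute::AWS::Error, so the table cannot catch that gap; adding `{ "IpPermissions" => ["tcp"] }` and `{ "IpPermissions" => [nil] }` to the second array pins the intended contract. No case covers a port that is present but invalid (`{ "IpProtocol" => "tcp", "FromPort" => -1, "ToPort" => 80 }` or an inverted range), which is exactly the kind of rule the mock currently accepts and EC2 would reject. The `raises` assertions pin only the exception class, so a single check on the message text for one entry would guard against the error strings drifting. The enclosing tests block starts and ends outside the hunk.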