// Copyright 2015 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package authdb
import (
"fmt"
"net"
"go.chromium.org/luci/auth/identity"
"go.chromium.org/luci/server/auth/service/protocol"
)
// validateAuthDB returns nil if AuthDB looks correct.
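// validateAuthDB returns nil if AuthDB looks correct.
//
// It checks that group names are unique, that every group's members, globs
// and nested references are well-formed and cycle-free (see
// validateAuthGroup), and that every IP whitelist consists of parsable CIDR
// subnets (see validateIPWhitelist). The first problem found is returned.
func validateAuthDB(db *protocol.AuthDB) error {
	groups := make(map[string]*protocol.AuthGroup, len(db.GetGroups()))
	for _, g := range db.GetGroups() {
		name := g.GetName()
		// Two definitions of the same group would silently shadow each other
		// in the lookup map, making nested-group resolution depend on input
		// order; reject such a DB instead of picking one definition.
		if _, dup := groups[name]; dup {
			return fmt.Errorf("auth: duplicate group %q", name)
		}
		groups[name] = g
	}
	// Walk groups in DB order rather than map order so the error reported for
	// a broken DB is the same on every run.
	for _, g := range db.GetGroups() {
		if err := validateAuthGroup(g.GetName(), groups); err != nil {
			return err
		}
	}
	for _, wl := range db.GetIpWhitelists() {
		if err := validateIPWhitelist(wl); err != nil {
			return fmt.Errorf("auth: bad IP whitelist %q - %s", wl.GetName(), err)
		}
	}
	return nil
}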
// validateAuthGroup returns nil if AuthGroup looks correct.
// validateAuthGroup returns nil if AuthGroup looks correct.
//
// `groups` maps group names to their definitions and is used to resolve
// nested references; `name` is the group to check. The group is correct when
// every member parses as an identity, every glob parses as an identity glob,
// every nested group is present in `groups`, and the group is not part of a
// nesting cycle (see findGroupCycle).
func validateAuthGroup(name string, groups map[string]*protocol.AuthGroup) error {
	grp := groups[name]

	// Members must be well-formed identity strings.
	for _, member := range grp.GetMembers() {
		_, err := identity.MakeIdentity(member)
		if err == nil {
			continue
		}
		return fmt.Errorf("auth: invalid identity %q in group %q - %s", member, name, err)
	}

	// Globs must be well-formed identity globs.
	for _, pattern := range grp.GetGlobs() {
		_, err := identity.MakeGlob(pattern)
		if err == nil {
			continue
		}
		return fmt.Errorf("auth: invalid glob %q in group %q - %s", pattern, name, err)
	}

	// Nested groups must be defined in the same DB.
	for _, sub := range grp.GetNested() {
		if groups[sub] == nil {
			return fmt.Errorf("auth: unknown nested group %q in group %q", sub, name)
		}
	}

	// Nesting must be acyclic; an empty result means no cycle through `name`.
	cycle := findGroupCycle(name, groups)
	if len(cycle) > 0 {
		return fmt.Errorf("auth: dependency cycle found - %v", cycle)
	}
	return nil
}
// findGroupCycle searches for a group dependency cycle that contains group
// `name`. Returns list of groups that form the cycle if found, empty list
// if no cycles. Unknown groups are considered empty.
// findGroupCycle searches for a group dependency cycle reachable from group
// `name`. If one is found, the returned slice is the DFS path from `name` down
// to the group whose nested reference closes the cycle, so it contains the
// cycle (possibly preceded by the groups leading into it); otherwise the
// returned slice is empty. Unknown groups are treated as having no nested
// groups.
func findGroupCycle(name string, groups map[string]*protocol.AuthGroup) []string {
	// Groups whose entire subtree was explored without finding a cycle.
	// Reaching one again is a cross edge (diamond-shaped nesting), not a cycle.
	done := map[string]bool{}
	// The current DFS path, root first. When a cycle is detected the path is
	// left as-is so the caller can report it.
	var path []string

	// onPath reports whether `group` is an ancestor on the current DFS path.
	onPath := func(group string) bool {
		for i := len(path) - 1; i >= 0; i-- {
			if path[i] == group {
				return true
			}
		}
		return false
	}

	// walk explores the subtree of `group`; returns true on the first cycle.
	var walk func(group string) bool
	walk = func(group string) bool {
		def := groups[group]
		if def == nil {
			// Unknown group: nothing nested, nothing to explore.
			done[group] = true
			return false
		}
		path = append(path, group)
		for _, sub := range def.GetNested() {
			switch {
			case done[sub]:
				// Already known to be cycle-free; skip.
			case onPath(sub):
				// Back edge to an ancestor: `group` closes a cycle.
				return true
			case walk(sub):
				return true
			}
		}
		path = path[:len(path)-1]
		done[group] = true
		return false
	}

	walk(name)
	return path
}
// validateIPWhitelist checks IPs in the whitelist are parsable.
// validateIPWhitelist checks IPs in the whitelist are parsable.
//
// Every subnet entry must be CIDR notation accepted by net.ParseCIDR; the
// first unparsable entry is reported. Note that net.ParseCIDR accepts entries
// whose host bits are set (the network it yields is the masked prefix), so
// such an entry denotes the whole prefix rather than a single address.
func validateIPWhitelist(wl *protocol.AuthIPWhitelist) error {
	subnets := wl.GetSubnets()
	for i := range subnets {
		_, _, err := net.ParseCIDR(subnets[i])
		if err != nil {
			return fmt.Errorf("bad subnet %q - %s", subnets[i], err)
		}
	}
	return nil
}