
pkg/validate: fix subnet validation
Before this change, validation accepted CIDRs whose IP was any address in the range rather than the network address.
This change enforces that the CIDR notation uses the network IP.
abhinavdahiya committed Jan 15, 2019
1 parent 28494bb commit 2a1bf26
Showing 2 changed files with 22 additions and 18 deletions.
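--- a/pkg/validate/validate.go
+++ b/pkg/validate/validate.go
@@ -93,14 +93,18 @@ func ClusterName(v string) error {
 	return validateSubdomain(v)
 }
 
-// SubnetCIDR checks if the given IP net is a valid CIDR for a master nodes or worker nodes subnet and returns an error if not.
+// SubnetCIDR checks if the given IP net is a valid CIDR.
 func SubnetCIDR(cidr *net.IPNet) error {
 	if cidr.IP.To4() == nil {
 		return errors.New("must use IPv4")
 	}
 	if cidr.IP.IsUnspecified() {
 		return errors.New("address must be specified")
 	}
+	nip := cidr.IP.Mask(cidr.Mask)
+	if nip.String() != cidr.IP.String() {
+		return fmt.Errorf("invalid network address. got %s, expecting %s", cidr.String(), (&net.IPNet{IP: nip, Mask: cidr.Mask}).String())
+	}
 	if DoCIDRsOverlap(cidr, dockerBridgeCIDR) {
 		return fmt.Errorf("overlaps with default Docker Bridge subnet (%v)", cidr.String())
 	}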
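Review bot: The new comparison `if nip.String() != cidr.IP.String()` tests IP equality by formatting both sides as strings; `if !nip.Equal(cidr.IP)` states the intent directly and still takes the error path when Mask returns nil for a mask/IP length mismatch, although in that case the message would print `<nil>` as the expected network, so a length check before the Mask call may be worth adding. The rewritten doc comment no longer says what "valid" means now that a fourth rule exists; suggest `// SubnetCIDR checks that cidr is an IPv4 network in canonical form (the IP is the network address, not a host inside it), is not the unspecified address, and does not overlap the default Docker bridge subnet; it returns a descriptive error otherwise.` The `To4() != nil` guard also admits IPv4-mapped IPv6 input, so an address such as `::ffff:1.2.3.4/116` reaches the new check and is reported in IPv4 form (`1.2.3.4/20`) as the test file in this commit shows, and a one-line comment on that branch would spare the next reader a trip to the tests. SubnetCIDR continues past the end of the hunk.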
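--- a/pkg/validate/validate_test.go
+++ b/pkg/validate/validate_test.go
@@ -52,31 +52,31 @@ func TestClusterName(t *testing.T) {
 func TestSubnetCIDR(t *testing.T) {
 	cases := []struct {
 		cidr string
-		valid bool
+		valid string
 	}{
-		{"0.0.0.0/32", false},
-		{"1.2.3.4/0", false},
-		{"1.2.3.4/1", false},
-		{"1.2.3.4/31", true},
-		{"1.2.3.4/32", true},
-		{"0:0:0:0:0:1:102:304/116", false},
-		{"0:0:0:0:0:ffff:102:304/116", true},
-		{"172.17.1.2/20", false},
-		{"172.17.1.2/8", false},
-		{"255.255.255.255/1", false},
-		{"255.255.255.255/32", true},
+		{"0.0.0.0/32", "address must be specified"},
+		{"1.2.3.4/0", "invalid network address. got 1.2.3.4/0, expecting 0.0.0.0/0"},
+		{"1.2.3.4/1", "invalid network address. got 1.2.3.4/1, expecting 0.0.0.0/1"},
+		{"1.2.3.4/31", "blah"},
+		{"1.2.3.4/32", "blah"},
+		{"0:0:0:0:0:1:102:304/116", "must use IPv4"},
+		{"0:0:0:0:0:ffff:102:304/116", "invalid network address. got 1.2.3.4/20, expecting 1.2.0.0/20"},
+		{"172.17.0.0/20", "overlaps with default Docker Bridge subnet (172.17.0.0/20)"},
+		{"172.0.0.0/8", "overlaps with default Docker Bridge subnet (172.0.0.0/8)"},
+		{"255.255.255.255/1", "invalid network address. got 255.255.255.255/1, expecting 128.0.0.0/1"},
+		{"255.255.255.255/32", "blah"},
 	}
 	for _, tc := range cases {
 		t.Run(tc.cidr, func(t *testing.T) {
-			_, cidr, err := net.ParseCIDR(tc.cidr)
+			ip, cidr, err := net.ParseCIDR(tc.cidr)
 			if err != nil {
 				t.Fatalf("could not parse cidr: %v", err)
 			}
-			err = SubnetCIDR(cidr)
-			if tc.valid {
-				assert.NoError(t, err)
+			err = SubnetCIDR(&net.IPNet{IP: ip, Mask: cidr.Mask})
+			if err != nil {
+				assert.EqualError(t, err, tc.valid)
 			} else {
-				assert.Error(t, err)
+				assert.NoError(t, err)
 			}
 		})
 	}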
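Review bot: The `"blah"` entries at `{"1.2.3.4/31", "blah"}`, `{"1.2.3.4/32", "blah"}` and `{"255.255.255.255/32", "blah"}` are placeholders that only work because the new branch tests `err != nil` before looking at `tc.valid`; if SubnetCIDR ever rejects one of those inputs the failure reads as a mismatch against "blah", and a reader scanning the table cannot tell expected-valid cases from expected-error ones. Renaming the field to `err string`, using `""` for the valid cases and branching on the expectation instead of the outcome makes the table self-describing: `if tc.err == "" { assert.NoError(t, err) } else { assert.EqualError(t, err, tc.err) }`. The `0:0:0:0:0:ffff:102:304/116` case deserves a comment such as `// IPv4-mapped IPv6 input passes the To4 check and is reported in IPv4 form`, since its expected message mentions `1.2.3.4/20`, which is surprising without that context.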
