(CAT-1224) firewall type/provider code updates

- loosen type restrictions for src_range/dst_range/to. - Add increased validation for src_range/dst_range. - Ensure string_hex is compared with whitespaces removed.
puppetlabs · Aug 1, 2023 · a8affb5 · a8affb5
1 parent 1cf5c84
commit a8affb5
Show file tree

Hide file tree

Showing 4 changed files with 968 additions and 948 deletions.
diff --git a/lib/puppet/provider/firewall/firewall.rb b/lib/puppet/provider/firewall/firewall.rb
@@ -687,6 +687,20 @@ def self.validate_input(is, should)
     end
     # Log prefix size is limited
     raise 'Parameter `nflog_prefix`` must be less than 64 characters' if should[:nflog_prefix] && should[:nflog_prefix].length > 64
+
+    [:dst_range, :src_range].each do |key|
+      next unless should[key]
+      matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(should[key])
+      raise(ArgumentError, "The IP range must be in 'IP1-IP2' format.") unless matches
+
+      [matches[1], matches[2]].each do |addr|
+        begin # rubocop:disable Style/RedundantBegin
+          PuppetX::Firewall::Utility.host_to_ip(addr)
+        rescue StandardError
+          raise("Invalid IP address \"#{addr}\" in range \"#{should[key]}\"")
+        end
+      end
+    end
   end
 
   # Certain attributes need processed in ways that can vary between IPv4 and IPv6
@@ -917,7 +931,7 @@ def insync?(context, _name, property_name, is_hash, should_hash)
       is = is_hash[property_name]
       should = should_hash[property_name]
 
-      should = 'IPv4' if should == 'iptables'
+      is = 'IPv4' if is == 'iptables'
       should = 'IPv6' if should == 'ip6tables'
 
       is == should
@@ -1015,6 +1029,12 @@ def insync?(context, _name, property_name, is_hash, should_hash)
       # Range can be passed as `-` but will always be set/returned as `:`
       is_hash[property_name] == should_hash[property_name].gsub(%r{-}, ':') if should_hash[property_name].is_a?(String)
       is_hash[property_name] == should_hash[property_name].map { |port| port.to_s.gsub(%r{-}, ':') } if should_hash[property_name].is_a?(Array)
+    when :string_hex
+      # Compare the values with any whitespace removed
+      is = is_hash[property_name].to_s.gsub(%r{\s+}, '')
+      should = should_hash[property_name].to_s.gsub(%r{\s+}, '')
+
+      is == should
     else
       # Ensure that if both values are arrays, that they are sorted prior to comparison
       return nil unless is_hash[property_name].is_a?(Array) && should_hash[property_name].is_a?(Array)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
@@ -341,21 +341,21 @@
       DESC
     },
     src_range: {
-      type: 'Optional[Pattern[/^(?:!\s)?\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d++$/]]',
+      type: 'Optional[String[1]]',
       desc: <<-DESC
       The source IP range. For example:
 
           src_range => '192.168.1.1-192.168.1.10'
 
-      You can also negate the range by putting ! in front. For example:
+      You can also negate the range by apending a `!`` to the front. For example:
 
-          ! src_range => '192.168.1.1-192.168.1.10'
+          src_range => '! 192.168.1.1-192.168.1.10'
 
       The source IP range must be in 'IP1-IP2' format.
       DESC
     },
     dst_range: {
-      type: 'Optional[Pattern[/^(?:!\s)?\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$/]]',
+      type: 'Optional[String[1]]',
       desc: <<-DESC
       The destination IP range. For example:
 
@@ -1189,7 +1189,7 @@
       DESC
     },
     to: {
-      type: 'Optional[Pattern[/^\d+\.\d+\.\d+\.\d+(?:\/\d+)?$/]]',
+      type: 'Optional[String[1]]',
       desc: <<-DESC
       For NETMAP this will replace the destination IP
       DESC