Skip to content
This repository has been archived by the owner on Feb 25, 2021. It is now read-only.

Commit

Permalink
Add type validation for CIDR values in restricted_to
Browse files Browse the repository at this point in the history
  • Loading branch information
micahlee committed Aug 19, 2020
1 parent cbb10b7 commit 4bf1d7a
Show file tree
Hide file tree
Showing 6 changed files with 32 additions and 3 deletions.
4 changes: 3 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
# Unreleased
* Allow the usage of relative paths on revoke and deny policies.
* Return validation error when `restricted_to` values are not correct CIDR
notated IP addresses or ranges.
[cyberark/conjur-policy-parser#27](https://github.com/cyberark/conjur-policy-parser/issues/27)

# v3.0.4
* Throw an error when a policy has duplicate members on a resource
Expand All @@ -23,4 +26,3 @@

* Add deletion statements `delete`, `deny`, and `revoke`.


15 changes: 15 additions & 0 deletions lib/conjur/policy/types/base.rb
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,21 @@ def expect_string name, value
String
end

# +value+ must be a CIDR.
def expect_cidr name, value
# A CIDR value is valid if it can be parsed as an IPAddr object
validate_cidr = lambda do
IPAddr.new(value)
rescue IPAddr::Error
raise "Invalid IP address or CIDR range '#{value}'"
end

expect_type name,
value,
"CIDR",
validate_cidr
end

# +value+ must be a Integer.
def expect_integer name, value
expect_type name,
Expand Down
4 changes: 2 additions & 2 deletions lib/conjur/policy/types/records.rb
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ class User < Record

attribute :uidnumber, kind: :integer, singular: true, dsl_accessor: true
attribute :public_key, kind: :string, dsl_accessor: true
attribute :restricted_to, kind: :string, dsl_accessor: true
attribute :restricted_to, kind: :cidr, dsl_accessor: true

def id_attribute; 'login'; end

Expand All @@ -171,7 +171,7 @@ class Host < Record
include ActsAsResource
include ActsAsRole

attribute :restricted_to, kind: :string, dsl_accessor: true
attribute :restricted_to, kind: :cidr, dsl_accessor: true

def custom_attribute_names
[ :restricted_to ]
Expand Down
5 changes: 5 additions & 0 deletions spec/errors/yaml/invalid-cidr-in-array.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# 4, 46
# Invalid IP address or CIDR range 'invalid_cidr'
- !host
id: a-host
restricted_to: [ 192.168.1.1, invalid_cidr ]
5 changes: 5 additions & 0 deletions spec/errors/yaml/invalid-cidr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# 5, 0
# Invalid IP address or CIDR range 'invalid_cidr'
- !host
id: a-host
restricted_to: invalid_cidr
2 changes: 2 additions & 0 deletions spec/yaml_loader_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -49,4 +49,6 @@
it_should_behave_like 'error message', 'incorrect-type-for-field-2'
it_should_behave_like 'error message', 'incorrect-type-for-array-field'
it_should_behave_like 'error message', 'no-such-attribute'
it_should_behave_like 'error message', 'invalid-cidr'
it_should_behave_like 'error message', 'invalid-cidr-in-array'
end

0 comments on commit 4bf1d7a

Please sign in to comment.