diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f3b777..0839c80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Unreleased * Allow the usage of relative paths on revoke and deny policies. +* Return validation error when `restricted_to` values are not correct CIDR + notated IP addresses or ranges. + [cyberark/conjur-policy-parser#27](https://github.com/cyberark/conjur-policy-parser/issues/27) # v3.0.4 * Throw an error when a policy has duplicate members on a resource @@ -23,4 +26,3 @@ * Add deletion statements `delete`, `deny`, and `revoke`. - diff --git a/lib/conjur/policy/types/base.rb b/lib/conjur/policy/types/base.rb index 1f7ca00..e5a20f1 100644 --- a/lib/conjur/policy/types/base.rb +++ b/lib/conjur/policy/types/base.rb @@ -121,6 +121,21 @@ def expect_string name, value String end + # +value+ must be a CIDR. + def expect_cidr name, value + # A CIDR value is valid if it can be parsed as an IPAddr object + validate_cidr = lambda do + IPAddr.new(value) + rescue IPAddr::Error + raise "Invalid IP address or CIDR range '#{value}'" + end + + expect_type name, + value, + "CIDR", + validate_cidr + end + # +value+ must be a Integer. def expect_integer name, value expect_type name, diff --git a/lib/conjur/policy/types/records.rb b/lib/conjur/policy/types/records.rb index 281aafc..feb7a7c 100644 --- a/lib/conjur/policy/types/records.rb +++ b/lib/conjur/policy/types/records.rb @@ -147,7 +147,7 @@ class User < Record attribute :uidnumber, kind: :integer, singular: true, dsl_accessor: true attribute :public_key, kind: :string, dsl_accessor: true - attribute :restricted_to, kind: :string, dsl_accessor: true + attribute :restricted_to, kind: :cidr, dsl_accessor: true def id_attribute; 'login'; end @@ -171,7 +171,7 @@ class Host < Record include ActsAsResource include ActsAsRole - attribute :restricted_to, kind: :string, dsl_accessor: true + attribute :restricted_to, kind: :cidr, dsl_accessor: true def custom_attribute_names [ :restricted_to ] 
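Review bot: `IPAddr.new(value)` in expect_cidr accepts a range whose host bits are set and silently masks them, so a policy author who writes `10.1.2.3/24` meaning one host gets the whole /24 accepted without complaint — for a network restriction that is a widening of the allowed source range, not a typo worth tolerating. The validator can reject that form with one comparison after parsing, since IPAddr#== compares the stored (already masked) integer address: `addr = IPAddr.new(value)` followed by `raise "Invalid IP address or CIDR range '#{value}'" unless addr == IPAddr.new(value.to_s.split('/').first)`. Two smaller things: nothing in the hunk requires `ipaddr`, so unless base.rb already has `require 'ipaddr'` above this hunk the constant only resolves through a transitive require (and the `rescue IPAddr::Error` clause would itself raise NameError); and `rescue` directly inside a `lambda do … end` body needs Ruby 2.6 or newer, which only matters if the gem still supports older rubies. The lambda takes no arguments and closes over `value`, which works only if expect_type invokes it without arguments — expect_type is outside the hunk, so I could not confirm that.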
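Review bot: The `restricted_to` declarations on User and Host now carry `kind: :cidr` without a word on what that admits, and these two hunks are the only place a reader of the record types would learn it; a one-line comment above each, `# Network restriction: every value must parse as an IP address or CIDR range (validated by expect_cidr in base.rb).`, would document that, and both hunks (User at line 147 and Host at line 171) take the same comment. This also tightens what existing policies may contain — a `restricted_to` value that was accepted as a plain string before this commit now fails to load — which is worth stating as a behavioural change in the comment or the CHANGELOG entry rather than only as a new validation. The mapping from `kind: :cidr` to expect_cidr is not visible in the hunk, so I am assuming the kind name dispatches to `expect_<kind>` the way `:string` and `:integer` appear to.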
diff --git a/spec/errors/yaml/invalid-cidr-in-array.yml b/spec/errors/yaml/invalid-cidr-in-array.yml
new file mode 100644
index 0000000..d447e19
--- /dev/null
+++ b/spec/errors/yaml/invalid-cidr-in-array.yml
@@ -0,0 +1,5 @@
+# 4, 46
+# Invalid IP address or CIDR range 'invalid_cidr'
+- !host
+  id: a-host
+  restricted_to: [ 192.168.1.1, invalid_cidr ]
diff --git a/spec/errors/yaml/invalid-cidr.yml b/spec/errors/yaml/invalid-cidr.yml
new file mode 100644
index 0000000..1f233bb
--- /dev/null
+++ b/spec/errors/yaml/invalid-cidr.yml
@@ -0,0 +1,5 @@
+# 5, 0
+# Invalid IP address or CIDR range 'invalid_cidr'
+- !host
+  id: a-host
+  restricted_to: invalid_cidr
diff --git a/spec/errors/yaml/multiple-invalid-cidr-in-array.yml b/spec/errors/yaml/multiple-invalid-cidr-in-array.yml
new file mode 100644
index 0000000..30fb05c
--- /dev/null
+++ b/spec/errors/yaml/multiple-invalid-cidr-in-array.yml
@@ -0,0 +1,5 @@
+# 4, 60
+# Invalid IP address or CIDR range 'first_invalid_cidr'
+- !host
+  id: a-host
+  restricted_to: [ first_invalid_cidr, second_invalid_cidr ]
diff --git a/spec/yaml_loader_spec.rb b/spec/yaml_loader_spec.rb
index 96a0053..74556b4 100644
--- a/spec/yaml_loader_spec.rb
+++ b/spec/yaml_loader_spec.rb
@@ -49,4 +49,7 @@
   it_should_behave_like 'error message', 'incorrect-type-for-field-2'
   it_should_behave_like 'error message', 'incorrect-type-for-array-field'
   it_should_behave_like 'error message', 'no-such-attribute'
+  it_should_behave_like 'error message', 'invalid-cidr'
+  it_should_behave_like 'error message', 'invalid-cidr-in-array'
+  it_should_behave_like 'error message', 'multiple-invalid-cidr-in-array'
 end
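Review bot: The three new fixtures only exercise the rejection path; none of them shows that a value this change is meant to keep accepting still loads, so a regression that rejects a prefixed range or an IPv6 address would pass this suite unnoticed. A companion positive case with a host whose `restricted_to` lists a plain IPv4 address, an IPv4 range with a prefix and an IPv6 range would pin the accepted forms (values such as `10.0.0.0/8` and `2001:db8::/32` are constructed examples, not taken from the fixtures). The expected message in `multiple-invalid-cidr-in-array.yml` names only `first_invalid_cidr`, which suggests validation reports the first bad element and stops — if that is deliberate, a fixture comment saying so would keep a later change from "fixing" it. The enclosing `describe` block of yaml_loader_spec.rb starts outside the hunk.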