cyberark · micahlee · Aug 19, 2020 · Aug 19, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Unreleased
 * Allow the usage of relative paths on revoke and deny policies.
+* Return validation error when `restricted_to` values are not correct CIDR
+  notated IP addresses or ranges.
+  [cyberark/conjur-policy-parser#27](https://github.com/cyberark/conjur-policy-parser/issues/27)
 
 # v3.0.4
 * Throw an error when a policy has duplicate members on a resource 
@@ -23,4 +26,3 @@
 
 * Add deletion statements `delete`, `deny`, and `revoke`.
 
-
diff --git a/lib/conjur/policy/types/base.rb b/lib/conjur/policy/types/base.rb
@@ -121,6 +121,21 @@ def expect_string name, value
             String
         end
 
+        # +value+ must be a CIDR.
+        def expect_cidr name, value
+          # A CIDR value is valid if it can be parsed as an IPAddr object
+          validate_cidr = lambda do
+            IPAddr.new(value)
+          rescue IPAddr::Error
+            raise "Invalid IP address or CIDR range '#{value}'"
+          end
+
+          expect_type name,
+            value,
+            "CIDR",
+            validate_cidr
+        end
+
         # +value+ must be a Integer.
         def expect_integer name, value
           expect_type name,

diff --git a/lib/conjur/policy/types/records.rb b/lib/conjur/policy/types/records.rb
@@ -147,7 +147,7 @@ class User < Record
 
         attribute :uidnumber, kind: :integer, singular: true, dsl_accessor: true
         attribute :public_key, kind: :string, dsl_accessor: true
-        attribute :restricted_to, kind: :string, dsl_accessor: true
+        attribute :restricted_to, kind: :cidr, dsl_accessor: true
 
         def id_attribute; 'login'; end
 
@@ -171,7 +171,7 @@ class Host < Record
         include ActsAsResource
         include ActsAsRole
 
-        attribute :restricted_to, kind: :string, dsl_accessor: true
+        attribute :restricted_to, kind: :cidr, dsl_accessor: true
 
         def custom_attribute_names
           [ :restricted_to ]

diff --git a/spec/errors/yaml/invalid-cidr-in-array.yml b/spec/errors/yaml/invalid-cidr-in-array.yml
@@ -0,0 +1,5 @@
+# 4, 46
+# Invalid IP address or CIDR range 'invalid_cidr'
+- !host
+  id: a-host
+  restricted_to: [ 192.168.1.1, invalid_cidr ]
diff --git a/spec/errors/yaml/invalid-cidr.yml b/spec/errors/yaml/invalid-cidr.yml
@@ -0,0 +1,5 @@
+# 5, 0
+# Invalid IP address or CIDR range 'invalid_cidr'
+- !host
+  id: a-host
+  restricted_to: invalid_cidr
diff --git a/spec/errors/yaml/multiple-invalid-cidr-in-array.yml b/spec/errors/yaml/multiple-invalid-cidr-in-array.yml
@@ -0,0 +1,5 @@
+# 4, 60
+# Invalid IP address or CIDR range 'first_invalid_cidr'
+- !host
+  id: a-host
+  restricted_to: [ first_invalid_cidr, second_invalid_cidr ]
diff --git a/spec/yaml_loader_spec.rb b/spec/yaml_loader_spec.rb
@@ -49,4 +49,7 @@
   it_should_behave_like 'error message', 'incorrect-type-for-field-2'
   it_should_behave_like 'error message', 'incorrect-type-for-array-field'
   it_should_behave_like 'error message', 'no-such-attribute'
+  it_should_behave_like 'error message', 'invalid-cidr'
+  it_should_behave_like 'error message', 'invalid-cidr-in-array'
+  it_should_behave_like 'error message', 'multiple-invalid-cidr-in-array'
 end