Require network API objects to have IPv4 addresses

danwinship · danwinship · commit f98ead5ca3dc · 2017-10-12T13:14:08.000-04:00
diff --git a/pkg/network/apis/network/validation/validation.go b/pkg/network/apis/network/validation/validation.go
@@ -16,6 +16,28 @@ import (
 	"github.com/openshift/origin/pkg/util/netutils"
 )
 
+func validateCIDRv4(cidr string) (*net.IPNet, error) {
+	ipnet, err := netutils.ParseCIDRMask(cidr)
+	if err != nil {
+		return nil, err
+	}
+	if ipnet.IP.To4() == nil {
+		return nil, fmt.Errorf("must be an IPv4 network")
+	}
+	return ipnet, nil
+}
+
+func validateIPv4(ip string) (net.IP, error) {
+	bytes := net.ParseIP(ip)
+	if bytes == nil {
+		return nil, fmt.Errorf("invalid IP address")
+	}
+	if bytes.To4() == nil {
+		return nil, fmt.Errorf("must be an IPv4 address")
+	}
+	return bytes, nil
+}
+
 var defaultClusterNetwork *networkapi.ClusterNetwork
 
 // SetDefaultClusterNetwork sets the expected value of the default ClusterNetwork record
@@ -30,7 +52,7 @@ func ValidateClusterNetwork(clusterNet *networkapi.ClusterNetwork) field.ErrorLi
 
 	if len(clusterNet.Network) != 0 || clusterNet.HostSubnetLength != 0 {
 		//In the case that a user manually makes a clusterNetwork object with clusterNet.Network and clusterNet.HostubnetLength at least make sure they are valid values
-		clusterIPNet, err := netutils.ParseCIDRMask(clusterNet.Network)
+		clusterIPNet, err := validateCIDRv4(clusterNet.Network)
 		if err != nil {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("network"), clusterNet.Network, err.Error()))
 		} else {
@@ -46,12 +68,12 @@ func ValidateClusterNetwork(clusterNet *networkapi.ClusterNetwork) field.ErrorLi
 	if len(clusterNet.ClusterNetworks) == 0 && len(clusterNet.Network) == 0 {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("clusterNetworks"), clusterNet.ClusterNetworks, "must have at least one cluster network CIDR"))
 	}
-	serviceIPNet, err := netutils.ParseCIDRMask(clusterNet.ServiceNetwork)
+	serviceIPNet, err := validateCIDRv4(clusterNet.ServiceNetwork)
 	if err != nil {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("serviceNetwork"), clusterNet.ServiceNetwork, err.Error()))
 	}
 	for i, cn := range clusterNet.ClusterNetworks {
-		clusterIPNet, err := netutils.ParseCIDRMask(cn.CIDR)
+		clusterIPNet, err := validateCIDRv4(cn.CIDR)
 		if err != nil {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("clusterNetworks").Index(i).Child("cidr"), cn.CIDR, err.Error()))
 			continue
@@ -115,18 +137,19 @@ func ValidateHostSubnet(hs *networkapi.HostSubnet) field.ErrorList {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("subnet"), hs.Subnet, "field cannot be empty"))
 		}
 	} else {
-		_, err := netutils.ParseCIDRMask(hs.Subnet)
+		_, err := validateCIDRv4(hs.Subnet)
 		if err != nil {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("subnet"), hs.Subnet, err.Error()))
 		}
 	}
+	// In theory this has to be IPv4, but it's possible some clusters might be limping along with IPv6 values?
 	if net.ParseIP(hs.HostIP) == nil {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("hostIP"), hs.HostIP, "invalid IP address"))
 	}
 
 	for i, egressIP := range hs.EgressIPs {
-		if net.ParseIP(egressIP) == nil {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("egressIPs").Index(i), egressIP, "invalid IP address"))
+		if _, err := validateIPv4(egressIP); err != nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("egressIPs").Index(i), egressIP, err.Error()))
 		}
 	}
 
@@ -157,8 +180,8 @@ func ValidateNetNamespace(netnamespace *networkapi.NetNamespace) field.ErrorList
 	}
 
 	for i, ip := range netnamespace.EgressIPs {
-		if net.ParseIP(ip) == nil {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("egressIPs").Index(i), ip, "invalid IP address"))
+		if _, err := validateIPv4(ip); err != nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("egressIPs").Index(i), ip, err.Error()))
 		}
 	}
 
diff --git a/pkg/network/apis/network/validation/validation_test.go b/pkg/network/apis/network/validation/validation_test.go
@@ -154,6 +154,24 @@ func TestValidateClusterNetwork(t *testing.T) {
 			},
 			expectedErrors: 1,
 		},
+		{
+			name: "IPv6 ClusterNetwork",
+			cn: &networkapi.ClusterNetwork{
+				ObjectMeta:      metav1.ObjectMeta{Name: "any"},
+				ClusterNetworks: []networkapi.ClusterNetworkEntry{{CIDR: "fe80:1234::/64", HostSubnetLength: 8}},
+				ServiceNetwork:  "172.30.0.0/16",
+			},
+			expectedErrors: 1,
+		},
+		{
+			name: "IPv6 ServiceNetwork",
+			cn: &networkapi.ClusterNetwork{
+				ObjectMeta:      metav1.ObjectMeta{Name: "any"},
+				ClusterNetworks: []networkapi.ClusterNetworkEntry{{CIDR: "10.20.0.0/16", HostSubnetLength: 8}},
+				ServiceNetwork:  "fe80:1234::/64",
+			},
+			expectedErrors: 1,
+		},
 	}
 
 	for _, tc := range tests {
@@ -331,6 +349,34 @@ func TestValidateHostSubnet(t *testing.T) {
 			},
 			expectedErrors: 2,
 		},
+		{
+			name: "IPv6 subnet",
+			hs: &networkapi.HostSubnet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "abc.def.com",
+				},
+				Host:   "abc.def.com",
+				HostIP: "10.20.30.40",
+				Subnet: "fe80:1234::/64",
+			},
+			expectedErrors: 1,
+		},
+		{
+			name: "IPv6 EgressIP",
+			hs: &networkapi.HostSubnet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "abc.def.com",
+				},
+				Host:   "abc.def.com",
+				HostIP: "10.20.30.40",
+				Subnet: "8.8.8.0/24",
+				EgressIPs: []string{
+					"192.168.1.99",
+					"1234::5678",
+				},
+			},
+			expectedErrors: 1,
+		},
 	}
 
 	for _, tc := range tests {
@@ -412,9 +458,9 @@ func TestValidateNetNamespace(t *testing.T) {
 				},
 				NetName:   "abc",
 				NetID:     12345,
-				EgressIPs: []string{"example.com", ""},
+				EgressIPs: []string{"example.com", "", "1234::5678"},
 			},
-			expectedErrors: 2,
+			expectedErrors: 3,
 		},
 	}
 
@@ -615,6 +661,27 @@ func TestValidateEgressNetworkPolicy(t *testing.T) {
 			},
 			expectedErrors: 1,
 		},
+		{
+			// IPv6 CIDRSelectors are currently useless, but they don't break anything
+			name: "IPv6 CIDR",
+			fw: &networkapi.EgressNetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "default",
+					Namespace: "testing",
+				},
+				Spec: networkapi.EgressNetworkPolicySpec{
+					Egress: []networkapi.EgressNetworkPolicyRule{
+						{
+							Type: networkapi.EgressNetworkPolicyRuleAllow,
+							To: networkapi.EgressNetworkPolicyPeer{
+								CIDRSelector: "fe80::/64",
+							},
+						},
+					},
+				},
+			},
+			expectedErrors: 0,
+		},
 	}
 
 	for _, tc := range tests {
