[#78] iam: Don't check IP for private #79

Merged
dkirillov merged 1 commit from dkirillov/policy-engine:feature/67-drop_checking_ip_for_private into master 2024-05-27 08:15:14 +00:00
2 changed files with 6 additions and 14 deletions


@ -306,19 +306,11 @@ func numericConvertFunction(val string) (string, error) {
} }
func ipConvertFunction(val string) (string, error) { func ipConvertFunction(val string) (string, error) {
var ipAddr netip.Addr if _, err := netip.ParsePrefix(val); err != nil {
if _, err = netip.ParseAddr(val); err != nil {
if prefix, err := netip.ParsePrefix(val); err != nil {
if ipAddr, err = netip.ParseAddr(val); err != nil {
return "", err return "", err
} }
val += "/32" val += "/32"
} else {
ipAddr = prefix.Addr()
}
if ipAddr.IsPrivate() {
return "", fmt.Errorf("invalid ip value '%s': must be public", val)
} }
return val, nil return val, nil
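Review bot: A bare IPv6 address still gets `/32` appended by the unchanged `val += "/32"` line, so a single host such as `2001:DB8:1234:5678::` is returned as a 32-bit prefix. If the result is later matched by prefix containment, an IAM IP condition written for one address would match a far wider range than the policy author intended. The new code discards the parsed address with `_`, so its width is not available at that point. Keeping it, e.g. `addr, err := netip.ParseAddr(val)` followed by `val += "/" + strconv.Itoa(addr.BitLen())`, would yield `/32` for IPv4 and `/128` for IPv6 (this needs `strconv` imported if the file does not already have it). The expectation `2001:DB8:1234:5678::/32` in TestIPConditions pins the current behaviour and would have to change with it; the closing brace of ipConvertFunction is not visible in this hunk.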


@ -632,14 +632,14 @@ func TestIPConditions(t *testing.T) {
{ip: "203.0.113.1", expected: "203.0.113.1/32"}, {ip: "203.0.113.1", expected: "203.0.113.1/32"},
{ip: "203.0.113.1/", error: true}, {ip: "203.0.113.1/", error: true},
{ip: "203.0.113.1/33", error: true}, {ip: "203.0.113.1/33", error: true},
{ip: "192.168.0.1/24", error: true}, {ip: "192.168.0.1/24", expected: "192.168.0.1/24"},
{ip: "10.10.0.1/24", error: true}, {ip: "10.10.0.1/24", expected: "10.10.0.1/24"},
{ip: "172.16.0.1/24", error: true}, {ip: "172.16.0.1/24", expected: "172.16.0.1/24"},
{ip: "2001:DB8:1234:5678::/64", expected: "2001:DB8:1234:5678::/64"}, {ip: "2001:DB8:1234:5678::/64", expected: "2001:DB8:1234:5678::/64"},
{ip: "2001:DB8:1234:5678::", expected: "2001:DB8:1234:5678::/32"}, {ip: "2001:DB8:1234:5678::", expected: "2001:DB8:1234:5678::/32"},
{ip: "2001:DB8:1234:5678::/", error: true}, {ip: "2001:DB8:1234:5678::/", error: true},
{ip: "2001:DB8:1234:5678::/129", error: true}, {ip: "2001:DB8:1234:5678::/129", error: true},
{ip: "FC00::/64", error: true}, {ip: "FC00::/64", expected: "FC00::/64"},
} { } {
t.Run("", func(t *testing.T) { t.Run("", func(t *testing.T) {
actual, err := ipConvertFunction(tc.ip) actual, err := ipConvertFunction(tc.ip)
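Review bot: The updated expectations exercise private ranges only in prefix form, so the ParseAddr branch of ipConvertFunction is never run with a private address. A case such as `{ip: "192.168.0.1", expected: "192.168.0.1/32"}` would cover it. The subtests are also all named `""`; `t.Run(tc.ip, ...)` would make a failing case identifiable in the test output. Both the table and the test body extend beyond this hunk.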