test ip_ranges when authorizing security group ingress rules

moto/ec2/exceptions.py

@@ -284,6 +284,14 @@ class InvalidID(EC2ClientError):
             .format(resource_id))
 
 
+class InvalidCIDRSubnetError(EC2ClientError):
+    def __init__(self, cidr):
+        super(InvalidCIDRSubnetError, self).__init__(
+            "InvalidParameterValue",
+            "invalid CIDR subnet specification: {0}"
+            .format(cidr))
+
+
 ERROR_RESPONSE = u"""<?xml version="1.0" encoding="UTF-8"?>
   <Response>
     <Errors>

moto/ec2/models.py

@@ -48,7 +48,8 @@ from .exceptions import (
     InvalidVPCPeeringConnectionIdError,
     InvalidVPCPeeringConnectionStateTransitionError,
     TagLimitExceeded,
-    InvalidID
+    InvalidID,
+    InvalidCIDRSubnetError
 )
 from .utils import (
     EC2_RESOURCE_TO_PREFIX,
@@ -78,7 +79,8 @@ from .utils import (
     generic_filter,
     is_valid_resource_id,
     get_prefix,
-    simple_aws_filter_to_re)
+    simple_aws_filter_to_re,
+    is_valid_cidr)
 
 
 def validate_resource_ids(resource_ids):
@@ -1060,6 +1062,10 @@ class SecurityGroupBackend(object):
 
         if ip_ranges and not isinstance(ip_ranges, list):
             ip_ranges = [ip_ranges]
+        if ip_ranges:
+            for cidr in ip_ranges:
+                if not is_valid_cidr(cidr):
+                    raise InvalidCIDRSubnetError(cidr=cidr)
 
         source_group_names = source_group_names if source_group_names else []
         source_group_ids = source_group_ids if source_group_ids else []

moto/ec2/utils.py

@@ -362,7 +362,6 @@ def get_prefix(resource_id):
         if after.startswith('attach'):
             resource_id_prefix = EC2_RESOURCE_TO_PREFIX['network-interface-attachment']
     if not resource_id_prefix in EC2_RESOURCE_TO_PREFIX.values():
-        import re
         uuid4hex = re.compile('[0-9a-f]{12}4[0-9a-f]{3}[89ab][0-9a-f]{15}\Z', re.I)
         if uuid4hex.match(resource_id) is not None:
             resource_id_prefix = EC2_RESOURCE_TO_PREFIX['reserved-instance']
@@ -372,7 +371,6 @@ def get_prefix(resource_id):
 
 
 def is_valid_resource_id(resource_id):
-    import re
     valid_prefixes = EC2_RESOURCE_TO_PREFIX.values()
     resource_id_prefix = get_prefix(resource_id)
     if not resource_id_prefix in valid_prefixes:
@@ -380,3 +378,9 @@ def is_valid_resource_id(resource_id):
     resource_id_pattern = resource_id_prefix + '-[0-9a-f]{8}'
     resource_pattern_re = re.compile(resource_id_pattern)
     return resource_pattern_re.match(resource_id) is not None
+
+
+def is_valid_cidr(cird):
+    cidr_pattern = '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(\d|[1-2]\d|3[0-2]))$'
+    cidr_pattern_re = re.compile(cidr_pattern)
+    return cidr_pattern_re.match(cird) is not None

tests/test_ec2/test_security_groups.py

@@ -221,3 +221,14 @@ def test_get_all_security_groups():
 
     resp = conn.get_all_security_groups()
     resp.should.have.length_of(2)
+
+
+@mock_ec2
+def test_authorize_bad_cidr_throws_invalid_parameter_value():
+    conn = boto.connect_ec2('the_key', 'the_secret')
+    security_group = conn.create_security_group('test', 'test')
+    with assert_raises(EC2ResponseError) as cm:
+        security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123")
+    cm.exception.code.should.equal('InvalidParameterValue')
+    cm.exception.status.should.equal(400)
+    cm.exception.request_id.should_not.be.none