From b9f747fb4fd5a47188271c8241e7767ae993d013 Mon Sep 17 00:00:00 2001
From: Joseph Lawson
Date: Mon, 6 Oct 2014 14:42:12 -0400
Subject: [PATCH] test ip_ranges when authorizing security group ingress rules
---
 moto/ec2/exceptions.py | 8 ++++++++
 moto/ec2/models.py | 10 ++++++++--
 moto/ec2/utils.py | 8 ++++++--
 tests/test_ec2/test_security_groups.py | 11 +++++++++++
 4 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/moto/ec2/exceptions.py b/moto/ec2/exceptions.py
index 3c9fdb568..306e898e0 100644
--- a/moto/ec2/exceptions.py
+++ b/moto/ec2/exceptions.py
@@ -284,6 +284,14 @@ class InvalidID(EC2ClientError):
 .format(resource_id))
+class InvalidCIDRSubnetError(EC2ClientError):
+ def __init__(self, cidr):
+ super(InvalidCIDRSubnetError, self).__init__(
+ "InvalidParameterValue",
+ "invalid CIDR subnet specification: {0}" .format(cidr))
+
+
 ERROR_RESPONSE = u"""
diff --git a/moto/ec2/models.py b/moto/ec2/models.py
index 3808d6e8e..ec5744e8a 100644
--- a/moto/ec2/models.py
+++ b/moto/ec2/models.py
@@ -48,7 +48,8 @@ from .exceptions import (
 InvalidVPCPeeringConnectionIdError,
 InvalidVPCPeeringConnectionStateTransitionError,
 TagLimitExceeded,
- InvalidID
+ InvalidID,
+ InvalidCIDRSubnetError
 )
 from .utils import (
 EC2_RESOURCE_TO_PREFIX,
@@ -78,7 +79,8 @@ from .utils import (
 generic_filter,
 is_valid_resource_id,
 get_prefix,
- simple_aws_filter_to_re)
+ simple_aws_filter_to_re,
+ is_valid_cidr)
 def validate_resource_ids(resource_ids):
@@ -1060,6 +1062,10 @@ class SecurityGroupBackend(object):
 if ip_ranges and not isinstance(ip_ranges, list):
 ip_ranges = [ip_ranges]
+ if ip_ranges:
+ for cidr in ip_ranges:
+ if not is_valid_cidr(cidr):
+ raise InvalidCIDRSubnetError(cidr=cidr)
 source_group_names = source_group_names if source_group_names else []
 source_group_ids = source_group_ids if source_group_ids else []
diff --git a/moto/ec2/utils.py b/moto/ec2/utils.py
index 9ab016994..1a590d6d7 100644
--- a/moto/ec2/utils.py
+++ b/moto/ec2/utils.py
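Review bot: InvalidCIDRSubnetError interpolates the caller-supplied value verbatim into its message, and the `ERROR_RESPONSE = u"""` template that directly follows the class suggests that message ends up inside an XML body; unless that template escapes it (not visible in this hunk), a value containing `<` or `&` produces malformed XML rather than a clean InvalidParameterValue error. Formatting `xml.sax.saxutils.escape(cidr)` instead of the raw value, or escaping inside the template, keeps the response well-formed for arbitrary input. The class also has no docstring; `"""Raised when an ip_ranges entry is not a well-formed IPv4 CIDR (reported as InvalidParameterValue)."""` would state its contract.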
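Review bot: The CIDR loop added in the `@@ -1060` hunk validates only this ingress-authorize path; if SecurityGroupBackend has revoke or egress methods that also accept ip_ranges (they are not in this diff), they should run the same check, otherwise those paths accept strings this one rejects. The `if ip_ranges:` guard exists only because ip_ranges may still be None after the list normalization above it; `for cidr in ip_ranges or []:` says the same in one line. The enclosing method's signature starts outside the hunk.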
@@ -362,7 +362,6 @@ def get_prefix(resource_id):
 if after.startswith('attach'):
 resource_id_prefix = EC2_RESOURCE_TO_PREFIX['network-interface-attachment']
 if not resource_id_prefix in EC2_RESOURCE_TO_PREFIX.values():
- import re
 uuid4hex = re.compile('[0-9a-f]{12}4[0-9a-f]{3}[89ab][0-9a-f]{15}\Z', re.I)
 if uuid4hex.match(resource_id) is not None:
 resource_id_prefix = EC2_RESOURCE_TO_PREFIX['reserved-instance']
@@ -372,7 +371,6 @@ def get_prefix(resource_id):
 def is_valid_resource_id(resource_id):
- import re
 valid_prefixes = EC2_RESOURCE_TO_PREFIX.values()
 resource_id_prefix = get_prefix(resource_id)
 if not resource_id_prefix in valid_prefixes:
@@ -380,3 +378,9 @@ def is_valid_resource_id(resource_id):
 resource_id_pattern = resource_id_prefix + '-[0-9a-f]{8}'
 resource_pattern_re = re.compile(resource_id_pattern)
 return resource_pattern_re.match(resource_id) is not None
+
+
+def is_valid_cidr(cird):
+ cidr_pattern = '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(\d|[1-2]\d|3[0-2]))$'
+ cidr_pattern_re = re.compile(cidr_pattern)
+ return cidr_pattern_re.match(cird) is not None
diff --git a/tests/test_ec2/test_security_groups.py b/tests/test_ec2/test_security_groups.py
index c44382ba6..b33b42439 100644
--- a/tests/test_ec2/test_security_groups.py
+++ b/tests/test_ec2/test_security_groups.py
@@ -221,3 +221,14 @@ def test_get_all_security_groups():
 resp = conn.get_all_security_groups()
 resp.should.have.length_of(2)
+
+
+@mock_ec2
+def test_authorize_bad_cidr_throws_invalid_parameter_value():
+ conn = boto.connect_ec2('the_key', 'the_secret')
+ security_group = conn.create_security_group('test', 'test')
+ with assert_raises(EC2ResponseError) as cm:
+ security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123")
+ cm.exception.code.should.equal('InvalidParameterValue')
+ cm.exception.status.should.equal(400)
+ cm.exception.request_id.should_not.be.none
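Review bot: Dropping the function-local `import re` from get_prefix here, and from is_valid_resource_id in the next hunk, leaves both functions and the new is_valid_cidr depending on a module-level `import re` that this diff does not add. If utils.py does not already import `re` at the top (not visible in this patch), every one of these calls raises NameError, which is the exact path the new test drives through authorize; confirm the module-level import exists before merging.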
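Review bot: In the `@@ -380` hunk the pattern is anchored with `$`, and under `re.match` a `$` also matches just before a trailing newline, so `is_valid_cidr("10.0.0.0/8\n")` returns True and the newline-bearing value passes validation; the uuid4 pattern in get_prefix already uses `\Z`, which rejects that. The pattern is also a non-raw string carrying `\.`, `\/` and `\d` escapes, which Python 3 reports as invalid escape sequences, and `\d` matches non-ASCII digits on str patterns. `cidr_pattern = r'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[1-2][0-9]|3[0-2]))\Z'` addresses all three. The parameter is misspelled `cird`; the only caller in this diff passes it positionally, so renaming it to `cidr` in the signature and the `match` call is safe, and a docstring such as `"""Return True if cidr is a dotted-quad IPv4 address followed by a /0-/32 prefix length."""` would state the accepted form.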
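Review bot: The new test covers only a bare address without a prefix length; nothing exercises the accepting side or the boundary branches of the regex, so a regression that rejects every CIDR would still pass. Adding a positive case asserting that `cidr_ip="10.0.0.0/8"` authorizes without raising, plus rejections for constructed values such as `cidr_ip="123.123.123.123/33"` and `cidr_ip="256.0.0.0/8"`, pins both directions of the validator.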