Example #1
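def _check_only_from(
    agent_only_from: Union[None, str, Sequence[str]],
    config_only_from: Union[None, str, list[str]],
    fail_state: State,
) -> CheckResult:
    """Compare the agent's reported ``only_from`` list with the configured one.

    Yields nothing when either side is ``None``. Otherwise yields exactly one
    ``Result``: ``State.OK`` when both normalized sets are equal, else
    ``fail_state`` with a summary listing the differing entries.

    Args:
        agent_only_from: Allowed IP ranges as reported by the agent.
        config_only_from: Allowed IP ranges expected by the configuration.
        fail_state: State to report when the two sets differ.

    Yields:
        A single ``Result`` describing the comparison.
    """
    if agent_only_from is None or config_only_from is None:
        return

    # 'normalize_ip_addresses' also handles '{' expansion; whether it is
    # strictly needed here is an open question from the original author.
    # NOTE(review): the comparison below is on the normalized *strings*, not on
    # parsed networks. Unless normalize_ip_addresses canonicalizes them,
    # equivalent spellings (e.g. a host address with and without "/32") would
    # be reported as a mismatch -- confirm against its implementation.
    allowed_nets = set(normalize_ip_addresses(agent_only_from))
    expected_nets = set(normalize_ip_addresses(config_only_from))
    if allowed_nets == expected_nets:
        # Sorted so the notice text is stable between runs; set iteration order
        # is not, and the mismatch branch below already sorts its output.
        yield Result(
            state=State.OK,
            notice=f"Allowed IP ranges: {' '.join(sorted(allowed_nets))}",
        )
        return

    infotexts = []
    # "exceeding": ranges the agent reports as allowed that the configuration
    # does not expect. Presumably the security-relevant direction, since the
    # agent would accept more sources than intended -- review these first.
    exceeding = allowed_nets - expected_nets
    if exceeding:
        infotexts.append("exceeding: %s" % " ".join(sorted(exceeding)))

    # "missing": ranges the configuration expects but the agent does not report.
    missing = expected_nets - allowed_nets
    if missing:
        infotexts.append("missing: %s" % " ".join(sorted(missing)))

    yield Result(
        state=fail_state,
        summary=f"Unexpected allowed IP ranges ({', '.join(infotexts)})",
    )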
Example #2
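    def _check_only_from(
        self,
        agent_only_from: Optional[str],
    ) -> Optional[Tuple[ServiceState, ServiceDetails]]:
        """Compare the agent's reported ``only_from`` value with ``self.only_from``.

        Args:
            agent_only_from: Allowed IP ranges as reported by the agent.

        Returns:
            ``None`` when either the reported or the configured value is
            ``None``. Otherwise a ``(state, text)`` tuple: state ``0`` when both
            normalized sets are equal, else the state configured under
            ``"restricted_address_mismatch"`` in ``self.exit_spec`` (default 1)
            with a text listing the differing entries.
        """
        if agent_only_from is None:
            return None

        config_only_from = self.only_from
        if config_only_from is None:
            return None

        # NOTE(review): the sets hold normalized strings, not parsed networks.
        # Unless normalize_ip_addresses canonicalizes them, equivalent spellings
        # (e.g. a host address with and without "/32") compare as different --
        # confirm against its implementation.
        allowed_nets = set(normalize_ip_addresses(agent_only_from))
        expected_nets = set(normalize_ip_addresses(config_only_from))
        if allowed_nets == expected_nets:
            # Sorted so the text is stable between runs; set iteration order is
            # not, and the mismatch branch below already sorts its output.
            return 0, "Allowed IP ranges: %s%s" % (" ".join(sorted(allowed_nets)),
                                                   state_markers[0])

        infotexts = []
        # "exceeding": ranges the agent reports as allowed that the
        # configuration does not expect. Presumably the security-relevant
        # direction (agent accepts more sources than intended).
        exceeding = allowed_nets - expected_nets
        if exceeding:
            infotexts.append("exceeding: %s" % " ".join(sorted(exceeding)))

        # "missing": ranges the configuration expects but the agent lacks.
        missing = expected_nets - allowed_nets
        if missing:
            infotexts.append("missing: %s" % " ".join(sorted(missing)))

        mismatch_state = self.exit_spec.get("restricted_address_mismatch", 1)
        # Type narrowing only: asserts are stripped under ``python -O``, so this
        # is not a runtime guard on the configured value.
        assert isinstance(mismatch_state, int)
        return mismatch_state, "Unexpected allowed IP ranges (%s)%s" % (
            ", ".join(infotexts),
            state_markers[mismatch_state],
        )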
Example #3
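    def _sub_result_only_from(
        self,
        agent_info: Dict[str, Optional[str]],
    ) -> Optional[ServiceCheckResult]:
        """Compare the agent's ``"onlyfrom"`` entry with ``self.only_from``.

        Args:
            agent_info: Agent information; only the ``"onlyfrom"`` key is read.

        Returns:
            ``None`` when the agent reports no ``"onlyfrom"`` value or when
            ``self.only_from`` is ``None``. Otherwise a
            ``(state, text, [])`` tuple: state ``0`` when both normalized sets
            are equal, else the state configured under
            ``"restricted_address_mismatch"`` in ``self.exit_spec`` (default 1)
            with a text listing the differing entries.
        """
        agent_only_from = agent_info.get("onlyfrom")
        if agent_only_from is None:
            return None

        config_only_from = self.only_from
        if config_only_from is None:
            return None

        # NOTE(review): the sets hold normalized strings, not parsed networks.
        # Unless normalize_ip_addresses canonicalizes them, equivalent spellings
        # (e.g. a host address with and without "/32") compare as different --
        # confirm against its implementation.
        allowed_nets = set(normalize_ip_addresses(agent_only_from))
        expected_nets = set(normalize_ip_addresses(config_only_from))
        if allowed_nets == expected_nets:
            # Sorted so the text is stable between runs; set iteration order is
            # not, and the mismatch branch below already sorts its output.
            ok_text = "Allowed IP ranges: %s%s" % (
                " ".join(sorted(allowed_nets)),
                state_markers[0],
            )
            return 0, ok_text, []

        infotexts = []
        # "exceeding": ranges the agent reports as allowed that the
        # configuration does not expect. Presumably the security-relevant
        # direction (agent accepts more sources than intended).
        exceeding = allowed_nets - expected_nets
        if exceeding:
            infotexts.append("exceeding: %s" % " ".join(sorted(exceeding)))

        # "missing": ranges the configuration expects but the agent lacks.
        missing = expected_nets - allowed_nets
        if missing:
            infotexts.append("missing: %s" % " ".join(sorted(missing)))

        mismatch_state = self.exit_spec.get("restricted_address_mismatch", 1)
        # Type narrowing only: asserts are stripped under ``python -O``, so this
        # is not a runtime guard on the configured value.
        assert isinstance(mismatch_state, int)
        return (mismatch_state, "Unexpected allowed IP ranges (%s)%s" %
                (", ".join(infotexts), state_markers[mismatch_state]), [])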
Example #4
def test_normalize_ip():
    """Check ``normalize_ip_addresses`` on brace, list and space-separated input.

    The expected values show that a brace group expands to one address per
    alternative, that a list is returned entry by entry, and that a
    whitespace-separated string is split into its entries. Bare addresses and
    "/32" suffixes are passed through as written.
    """
    cases = [
        # brace expansion inside a single address
        ("1.2.{3,4,5}.6", ["1.2.3.6", "1.2.4.6", "1.2.5.6"]),
        # list input is kept entry by entry
        (["0.0.0.0", "1.1.1.1/32"], ["0.0.0.0", "1.1.1.1/32"]),
        # a single string with whitespace-separated entries
        ("0.0.0.0 1.1.1.1/32", ["0.0.0.0", "1.1.1.1/32"]),
    ]
    for raw_input, expected in cases:
        assert normalize_ip_addresses(raw_input) == expected