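def _check_only_from(
    agent_only_from: Union[None, str, Sequence[str]],
    config_only_from: Union[None, str, list[str]],
    fail_state: State,
) -> CheckResult:
    """Compare the agent's reported IP allowlist with the configured one.

    Both inputs are passed through ``normalize_ip_addresses`` and compared as
    sets, so order and duplicates do not matter.

    Args:
        agent_only_from: Allowed source addresses as reported by the agent.
        config_only_from: Allowed source addresses expected by the configuration.
        fail_state: State to report when the two sets differ.

    Yields:
        Nothing if either input is ``None``; otherwise exactly one ``Result``:
        ``State.OK`` when the sets are equal, ``fail_state`` when they differ.
    """
    if agent_only_from is None or config_only_from is None:
        return

    # do we really need 'normalize_ip_addresses'? It deals with '{' expansion.
    # NOTE(review): the comparison below is on the entries exactly as that
    # helper returns them. If it does not canonicalise notation, equivalent
    # ranges written differently are reported as a mismatch -- confirm.
    allowed_nets = set(normalize_ip_addresses(agent_only_from))
    expected_nets = set(normalize_ip_addresses(config_only_from))
    if allowed_nets == expected_nets:
        yield Result(
            state=State.OK,
            # Sorted so the notice is stable between runs; joining the raw set
            # would depend on set iteration order.
            notice=f"Allowed IP ranges: {' '.join(sorted(allowed_nets))}",
        )
        return

    infotexts = []

    # Entries the agent accepts although the configuration does not list them:
    # the agent is reachable from more sources than intended.
    exceeding = allowed_nets - expected_nets
    if exceeding:
        infotexts.append("exceeding: %s" % " ".join(sorted(exceeding)))

    # Entries the configuration lists but the agent does not accept.
    missing = expected_nets - allowed_nets
    if missing:
        infotexts.append("missing: %s" % " ".join(sorted(missing)))

    yield Result(
        state=fail_state,
        summary=f"Unexpected allowed IP ranges ({', '.join(infotexts)})",
    )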
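def _check_only_from(
    self,
    agent_only_from: Optional[str],
) -> Optional[Tuple[ServiceState, ServiceDetails]]:
    """Compare the agent's reported IP allowlist with ``self.only_from``.

    Both sides are passed through ``normalize_ip_addresses`` and compared as
    sets, so order and duplicates do not matter.

    Args:
        agent_only_from: Allowed source addresses as reported by the agent.

    Returns:
        ``None`` if either the agent value or ``self.only_from`` is ``None``.
        Otherwise a ``(state, text)`` tuple: state ``0`` when the sets are
        equal, else the state taken from
        ``self.exit_spec["restricted_address_mismatch"]`` (``1`` if unset).
    """
    if agent_only_from is None:
        return None

    config_only_from = self.only_from
    if config_only_from is None:
        return None

    # NOTE(review): the comparison is on the entries exactly as
    # normalize_ip_addresses returns them. If it does not canonicalise
    # notation, equivalent ranges written differently are reported as a
    # mismatch -- confirm.
    allowed_nets = set(normalize_ip_addresses(agent_only_from))
    expected_nets = set(normalize_ip_addresses(config_only_from))
    if allowed_nets == expected_nets:
        # Sorted so the text is stable between runs; joining the raw set would
        # depend on set iteration order.
        return 0, "Allowed IP ranges: %s%s" % (
            " ".join(sorted(allowed_nets)),
            state_markers[0],
        )

    infotexts = []

    # Entries the agent accepts although the configuration does not list them:
    # the agent is reachable from more sources than intended.
    exceeding = allowed_nets - expected_nets
    if exceeding:
        infotexts.append("exceeding: %s" % " ".join(sorted(exceeding)))

    # Entries the configuration lists but the agent does not accept.
    missing = expected_nets - allowed_nets
    if missing:
        infotexts.append("missing: %s" % " ".join(sorted(missing)))

    mismatch_state = self.exit_spec.get("restricted_address_mismatch", 1)
    # Narrows the type before it is used as an index into state_markers.
    # Note that this assert is skipped when Python runs with -O.
    assert isinstance(mismatch_state, int)
    return mismatch_state, "Unexpected allowed IP ranges (%s)%s" % (
        ", ".join(infotexts),
        state_markers[mismatch_state],
    )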
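def _sub_result_only_from(
    self,
    agent_info: Dict[str, Optional[str]],
) -> Optional[ServiceCheckResult]:
    """Compare the agent's reported IP allowlist with ``self.only_from``.

    The agent value is read from ``agent_info["onlyfrom"]``. Both sides are
    passed through ``normalize_ip_addresses`` and compared as sets, so order
    and duplicates do not matter.

    Args:
        agent_info: Agent-reported key/value data; only ``"onlyfrom"`` is read.

    Returns:
        ``None`` if the ``"onlyfrom"`` entry is absent or ``None``, or if
        ``self.only_from`` is ``None``. Otherwise a ``(state, text, [])``
        tuple: state ``0`` when the sets are equal, else the state taken from
        ``self.exit_spec["restricted_address_mismatch"]`` (``1`` if unset).
    """
    agent_only_from = agent_info.get("onlyfrom")
    if agent_only_from is None:
        return None

    config_only_from = self.only_from
    if config_only_from is None:
        return None

    # NOTE(review): the comparison is on the entries exactly as
    # normalize_ip_addresses returns them. If it does not canonicalise
    # notation, equivalent ranges written differently are reported as a
    # mismatch -- confirm.
    allowed_nets = set(normalize_ip_addresses(agent_only_from))
    expected_nets = set(normalize_ip_addresses(config_only_from))
    if allowed_nets == expected_nets:
        # Sorted so the text is stable between runs; joining the raw set would
        # depend on set iteration order.
        return (
            0,
            "Allowed IP ranges: %s%s" % (" ".join(sorted(allowed_nets)), state_markers[0]),
            [],
        )

    infotexts = []

    # Entries the agent accepts although the configuration does not list them:
    # the agent is reachable from more sources than intended.
    exceeding = allowed_nets - expected_nets
    if exceeding:
        infotexts.append("exceeding: %s" % " ".join(sorted(exceeding)))

    # Entries the configuration lists but the agent does not accept.
    missing = expected_nets - allowed_nets
    if missing:
        infotexts.append("missing: %s" % " ".join(sorted(missing)))

    mismatch_state = self.exit_spec.get("restricted_address_mismatch", 1)
    # Narrows the type before it is used as an index into state_markers.
    # Note that this assert is skipped when Python runs with -O.
    assert isinstance(mismatch_state, int)
    return (
        mismatch_state,
        "Unexpected allowed IP ranges (%s)%s"
        % (", ".join(infotexts), state_markers[mismatch_state]),
        [],
    )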
def test_normalize_ip():
    """Pin the three input shapes normalize_ip_addresses is expected to handle.

    In each case the entries come back as written: "0.0.0.0" gains no prefix
    length and "1.1.1.1/32" keeps its "/32".
    """
    cases = [
        # Brace group inside a single string expands to one entry per alternative.
        ("1.2.{3,4,5}.6", ["1.2.3.6", "1.2.4.6", "1.2.5.6"]),
        # A list of entries is returned unchanged.
        (["0.0.0.0", "1.1.1.1/32"], ["0.0.0.0", "1.1.1.1/32"]),
        # A whitespace-separated string is split into its entries.
        ("0.0.0.0 1.1.1.1/32", ["0.0.0.0", "1.1.1.1/32"]),
    ]
    for raw, expected in cases:
        assert normalize_ip_addresses(raw) == expected