def _validate_and_cleanse_policy(self, context, policy_data): """Validate every field of the policy and raise exceptions if any. This is a simple syntax validation. Actual funtional validation is performed at the backend by BCF and error message returned is bubbled up to the Horizon GUI. :param context: context of the transaction :param policy_data: the policy resource to be validated """ policy_data['tenant_id'] = Util.get_tenant_id_for_create( context, policy_data) V4ANY = '0.0.0.0/0' CIDRALL = ['any', 'external'] source = (V4ANY if policy_data['source'] in CIDRALL else policy_data['source']) destination = (V4ANY if policy_data['destination'] in CIDRALL else policy_data['destination']) errors = [ validators.validate_subnet(source), validators.validate_subnet(destination), self._validate_nexthops(policy_data['nexthops']), self._validate_action(policy_data['action']), self._validate_priority(policy_data['priority']), self._validate_port_number(policy_data['source_port']), self._validate_port_number(policy_data['destination_port']), self._validate_port_protocol(policy_data) ] errors = [m for m in errors if m] if errors: LOG.debug(errors) raise n_exc.InvalidInput(error_message=errors) return self._cleanse_policy(policy_data)
def _check_peer_cidrs(self, peer_cidrs): """Ensure all CIDRs have the valid format.""" for peer_cidr in peer_cidrs: msg = validators.validate_subnet(peer_cidr) if msg: raise vpnaas.IPsecSiteConnectionPeerCidrError( peer_cidr=peer_cidr)
def _check_peer_cidrs(self, peer_cidrs): """Ensure all CIDRs have the valid format.""" for peer_cidr in peer_cidrs: msg = validators.validate_subnet(peer_cidr) if msg: raise vpnaas.IPsecSiteConnectionPeerCidrError( peer_cidr=peer_cidr)
def _validate_cidrs(self, cidrs): """Ensure valid IPv4/6 CIDRs.""" for cidr in cidrs: msg = validators.validate_subnet(cidr) if msg: raise vpnaas.InvalidEndpointInEndpointGroup( group_type=constants.CIDR_ENDPOINT, endpoint=cidr, why=_("Invalid CIDR"))
def _validate_cidrs(self, cidrs): """Ensure valid IPv4/6 CIDRs.""" for cidr in cidrs: msg = validators.validate_subnet(cidr) if msg: raise vpnaas.InvalidEndpointInEndpointGroup( group_type=constants.CIDR_ENDPOINT, endpoint=cidr, why=_("Invalid CIDR"))
def _validate_allowed_address_pairs(address_pairs, valid_values=None): """Validates a list of allowed address pair dicts. Validation herein requires the caller to have registered the max_allowed_address_pair oslo config option in the global CONF prior to having this validator used. :param address_pairs: A list of address pair dicts to validate. :param valid_values: Not used. :returns: None :raises: AllowedAddressPairExhausted if the address pairs requested exceeds cfg.CONF.max_allowed_address_pair. AllowedAddressPairsMissingIP if any address pair dicts are missing and IP address. DuplicateAddressPairInRequest if duplicated IPs are in the list of address pair dicts. Otherwise a HTTPBadRequest is raised if any of the address pairs are invalid. """ unique_check = {} if not isinstance(address_pairs, list): raise exc.HTTPBadRequest(_("Allowed address pairs must be a list.")) if len(address_pairs) > cfg.CONF.max_allowed_address_pair: raise exceptions.AllowedAddressPairExhausted( quota=cfg.CONF.max_allowed_address_pair) for address_pair in address_pairs: msg = validators.validate_dict(address_pair) if msg: return msg # mac_address is optional, if not set we use the mac on the port if 'mac_address' in address_pair: msg = validators.validate_mac_address(address_pair['mac_address']) if msg: raise exc.HTTPBadRequest(msg) if 'ip_address' not in address_pair: raise exceptions.AllowedAddressPairsMissingIP() mac = address_pair.get('mac_address') ip_address = address_pair['ip_address'] if (mac, ip_address) not in unique_check: unique_check[(mac, ip_address)] = None else: raise exceptions.DuplicateAddressPairInRequest( mac_address=mac, ip_address=ip_address) invalid_attrs = set(address_pair.keys()) - set( ['mac_address', 'ip_address']) if invalid_attrs: msg = (_("Unrecognized attribute(s) '%s'") % ', '.join( set(address_pair.keys()) - set(['mac_address', 'ip_address']))) raise exc.HTTPBadRequest(msg) if '/' in ip_address: msg = validators.validate_subnet(ip_address) else: msg = validators.validate_ip_address(ip_address) if msg: raise exc.HTTPBadRequest(msg)
def _validate_ip_or_subnet_or_none(data, valid_values=None): if data is None: return None msg_ip = validators.validate_ip_address(data, valid_values) if not msg_ip: return msg_subnet = validators.validate_subnet(data, valid_values) if not msg_subnet: return return _("%(msg_ip)s and %(msg_subnet)s") % {'msg_ip': msg_ip, 'msg_subnet': msg_subnet}
def validate(self, value, context, template=None): try: netaddr.IPNetwork(value, implicit_prefix=True) msg = validators.validate_subnet(value) if msg is not None: self._error_message = msg return False return True except Exception as ex: self._error_message = 'Invalid net cidr %s ' % six.text_type(ex) return False
def _validate_ip_or_subnet_or_none(data, valid_values=None): if data is None: return None msg_ip = validators.validate_ip_address(data, valid_values) if not msg_ip: return msg_subnet = validators.validate_subnet(data, valid_values) if not msg_subnet: return return _("%(msg_ip)s and %(msg_subnet)s") % {'msg_ip': msg_ip, 'msg_subnet': msg_subnet}
def validate(self, value, context, template=None): try: netaddr.IPNetwork(value, implicit_prefix=True) msg = validators.validate_subnet(value) if msg is not None: self._error_message = msg return False return True except Exception as ex: self._error_message = 'Invalid net cidr %s ' % six.text_type(ex) return False
def convert_to_valid_router_rules(data): """Validates and converts router rules to the appropriate data structure Example argument = [{'source': 'any', 'destination': 'any', 'action':'deny'}, {'source': '1.1.1.1/32', 'destination': 'external', 'action':'permit', 'nexthops': ['1.1.1.254', '1.1.1.253']} ] """ V4ANY = '0.0.0.0/0' CIDRALL = ['any', 'external'] if not isinstance(data, list): emsg = _("Invalid data format for router rule: '%s'") % data LOG.debug(emsg) raise nexception.InvalidInput(error_message=emsg) _validate_uniquerules(data) rules = [] expected_keys = ['source', 'destination', 'action', 'priority'] for rule in data: rule['nexthops'] = rule.get('nexthops', []) if not isinstance(rule['nexthops'], list): rule['nexthops'] = rule['nexthops'].split('+') src = V4ANY if rule['source'] in CIDRALL else rule['source'] dst = V4ANY if rule['destination'] in CIDRALL else rule['destination'] errors = [ validators._verify_dict_keys(expected_keys, rule, False), validators.validate_subnet(dst), validators.validate_subnet(src), _validate_nexthops(rule['nexthops']), _validate_action(rule['action']), _validate_priority(rule['priority']) ] errors = [m for m in errors if m] if errors: LOG.debug(errors) raise nexception.InvalidInput(error_message=errors) rules.append(rule) return rules
def convert_to_valid_router_rules(data): """Validates and converts router rules to the appropriate data structure Example argument = [{'source': 'any', 'destination': 'any', 'action':'deny'}, {'source': '1.1.1.1/32', 'destination': 'external', 'action':'permit', 'nexthops': ['1.1.1.254', '1.1.1.253']} ] """ V4ANY = '0.0.0.0/0' CIDRALL = ['any', 'external'] if not isinstance(data, list): emsg = _("Invalid data format for router rule: '%s'") % data LOG.debug(emsg) raise nexception.InvalidInput(error_message=emsg) _validate_uniquerules(data) rules = [] expected_keys = ['source', 'destination', 'action', 'priority'] for rule in data: rule['nexthops'] = rule.get('nexthops', []) if not isinstance(rule['nexthops'], list): rule['nexthops'] = rule['nexthops'].split('+') src = V4ANY if rule['source'] in CIDRALL else rule['source'] dst = V4ANY if rule['destination'] in CIDRALL else rule['destination'] errors = [validators._verify_dict_keys(expected_keys, rule, False), validators.validate_subnet(dst), validators.validate_subnet(src), _validate_nexthops(rule['nexthops']), _validate_action(rule['action']), _validate_priority(rule['priority'])] errors = [m for m in errors if m] if errors: LOG.debug(errors) raise nexception.InvalidInput(error_message=errors) rules.append(rule) return rules
def validate(self, value, context, template=None): try: if '/' in value: msg = validators.validate_subnet(value) else: msg = validators.validate_ip_address(value) if msg is not None: self._error_message = msg return False else: return True except Exception: self._error_message = '{} is not a valid IP or CIDR'.format(value) return False
def _validate_allowed_address_pairs(address_pairs, valid_values=None): unique_check = {} if not isinstance(address_pairs, list): raise webob.exc.HTTPBadRequest( _("Allowed address pairs must be a list.")) if len(address_pairs) > cfg.CONF.max_allowed_address_pair: raise AllowedAddressPairExhausted( quota=cfg.CONF.max_allowed_address_pair) for address_pair in address_pairs: msg = validators.validate_dict(address_pair) if msg: return msg # mac_address is optional, if not set we use the mac on the port if 'mac_address' in address_pair: msg = validators.validate_mac_address(address_pair['mac_address']) if msg: raise webob.exc.HTTPBadRequest(msg) if 'ip_address' not in address_pair: raise AllowedAddressPairsMissingIP() mac = address_pair.get('mac_address') ip_address = address_pair['ip_address'] if (mac, ip_address) not in unique_check: unique_check[(mac, ip_address)] = None else: raise DuplicateAddressPairInRequest(mac_address=mac, ip_address=ip_address) invalid_attrs = set(address_pair.keys()) - set(['mac_address', 'ip_address']) if invalid_attrs: msg = (_("Unrecognized attribute(s) '%s'") % ', '.join(set(address_pair.keys()) - set(['mac_address', 'ip_address']))) raise webob.exc.HTTPBadRequest(msg) if '/' in ip_address: msg = validators.validate_subnet(ip_address) else: msg = validators.validate_ip_address(ip_address) if msg: raise webob.exc.HTTPBadRequest(msg)
def _validate_allowed_address_pairs(address_pairs, valid_values=None): unique_check = {} if not isinstance(address_pairs, list): raise webob.exc.HTTPBadRequest( _("Allowed address pairs must be a list.")) if len(address_pairs) > cfg.CONF.max_allowed_address_pair: raise AllowedAddressPairExhausted( quota=cfg.CONF.max_allowed_address_pair) for address_pair in address_pairs: msg = validators.validate_dict(address_pair) if msg: return msg # mac_address is optional, if not set we use the mac on the port if 'mac_address' in address_pair: msg = validators.validate_mac_address(address_pair['mac_address']) if msg: raise webob.exc.HTTPBadRequest(msg) if 'ip_address' not in address_pair: raise AllowedAddressPairsMissingIP() mac = address_pair.get('mac_address') ip_address = address_pair['ip_address'] if (mac, ip_address) not in unique_check: unique_check[(mac, ip_address)] = None else: raise DuplicateAddressPairInRequest(mac_address=mac, ip_address=ip_address) invalid_attrs = set(address_pair.keys()) - set( ['mac_address', 'ip_address']) if invalid_attrs: msg = (_("Unrecognized attribute(s) '%s'") % ', '.join( set(address_pair.keys()) - set(['mac_address', 'ip_address']))) raise webob.exc.HTTPBadRequest(msg) if '/' in ip_address: msg = validators.validate_subnet(ip_address) else: msg = validators.validate_ip_address(ip_address) if msg: raise webob.exc.HTTPBadRequest(msg)