Merge pull request #5501 from evandbrown/vpnval

provider/google: Validate VPN tunnel peer_ip
This commit is contained in:
Paul Hinze 2016-03-09 18:55:10 -06:00
commit 5ece31dc88
1 changed files with 92 additions and 3 deletions

View File

@ -1,8 +1,10 @@
package google package google
import ( import (
"bytes"
"fmt" "fmt"
"log" "log"
"net"
"github.com/hashicorp/terraform/helper/schema" "github.com/hashicorp/terraform/helper/schema"
@ -38,6 +40,7 @@ func resourceComputeVpnTunnel() *schema.Resource {
Type: schema.TypeString, Type: schema.TypeString,
Required: true, Required: true,
ForceNew: true, ForceNew: true,
ValidateFunc: validatePeerAddr,
}, },
"shared_secret": &schema.Schema{ "shared_secret": &schema.Schema{
Type: schema.TypeString, Type: schema.TypeString,
@ -177,3 +180,89 @@ func resourceComputeVpnTunnelDelete(d *schema.ResourceData, meta interface{}) er
return nil return nil
} }
// validatePeerAddr returns false if a tunnel's peer_ip property
// is invalid. Currently, only addresses that collide with RFC
// 5735 (https://tools.ietf.org/html/rfc5735) fail validation.
func validatePeerAddr(i interface{}, val string) ([]string, []error) {
ip := net.ParseIP(i.(string))
if ip == nil {
return nil, []error{fmt.Errorf("could not parse %q to IP address", val)}
}
for _, test := range invalidPeerAddrs {
if bytes.Compare(ip, test.from) >= 0 && bytes.Compare(ip, test.to) <= 0 {
return nil, []error{fmt.Errorf("address is invalid (is between %q and %q, conflicting with RFC5735)", test.from, test.to)}
}
}
return nil, nil
}
// invalidPeerAddrs is a collection of IP addres ranges that represent
// a conflict with RFC 5735 (https://tools.ietf.org/html/rfc5735#page-3).
// CIDR range notations in the RFC were converted to a (from, to) pair
// for easy checking with bytes.Compare.
var invalidPeerAddrs = []struct {
from net.IP
to net.IP
}{
{
from: net.ParseIP("0.0.0.0"),
to: net.ParseIP("0.255.255.255"),
},
{
from: net.ParseIP("10.0.0.0"),
to: net.ParseIP("10.255.255.255"),
},
{
from: net.ParseIP("127.0.0.0"),
to: net.ParseIP("127.255.255.255"),
},
{
from: net.ParseIP("169.254.0.0"),
to: net.ParseIP("169.254.255.255"),
},
{
from: net.ParseIP("172.16.0.0"),
to: net.ParseIP("172.31.255.255"),
},
{
from: net.ParseIP("192.0.0.0"),
to: net.ParseIP("192.0.0.255"),
},
{
from: net.ParseIP("192.0.2.0"),
to: net.ParseIP("192.0.2.255"),
},
{
from: net.ParseIP("192.88.99.0"),
to: net.ParseIP("192.88.99.255"),
},
{
from: net.ParseIP("192.168.0.0"),
to: net.ParseIP("192.168.255.255"),
},
{
from: net.ParseIP("198.18.0.0"),
to: net.ParseIP("198.19.255.255"),
},
{
from: net.ParseIP("198.51.100.0"),
to: net.ParseIP("198.51.100.255"),
},
{
from: net.ParseIP("203.0.113.0"),
to: net.ParseIP("203.0.113.255"),
},
{
from: net.ParseIP("224.0.0.0"),
to: net.ParseIP("239.255.255.255"),
},
{
from: net.ParseIP("240.0.0.0"),
to: net.ParseIP("255.255.255.255"),
},
{
from: net.ParseIP("255.255.255.255"),
to: net.ParseIP("255.255.255.255"),
},
}