Merge pull request #97 from slackhq/fw-group

Detect group array usage and try to be kind
This commit is contained in:
Nathan Brown 2019-12-13 13:51:09 -08:00 committed by GitHub
commit 8b029e7907
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 3 deletions

View File

@ -272,7 +272,7 @@ func AddFirewallRulesFromConfig(inbound bool, config *Config, fw FirewallInterfa
for i, t := range rs { for i, t := range rs {
var groups []string var groups []string
r, err := convertRule(t) r, err := convertRule(t, table, i)
if err != nil { if err != nil {
return fmt.Errorf("%s rule #%v; %s", table, i, err) return fmt.Errorf("%s rule #%v; %s", table, i, err)
} }
@ -664,7 +664,7 @@ type rule struct {
CASha string CASha string
} }
func convertRule(p interface{}) (rule, error) { func convertRule(p interface{}, table string, i int) (rule, error) {
r := rule{} r := rule{}
m, ok := p.(map[interface{}]interface{}) m, ok := p.(map[interface{}]interface{})
@ -684,11 +684,21 @@ func convertRule(p interface{}) (rule, error) {
r.Code = toString("code", m) r.Code = toString("code", m)
r.Proto = toString("proto", m) r.Proto = toString("proto", m)
r.Host = toString("host", m) r.Host = toString("host", m)
r.Group = toString("group", m)
r.Cidr = toString("cidr", m) r.Cidr = toString("cidr", m)
r.CAName = toString("ca_name", m) r.CAName = toString("ca_name", m)
r.CASha = toString("ca_sha", m) r.CASha = toString("ca_sha", m)
// Make sure group isn't an array
if v, ok := m["group"].([]interface{}); ok {
if len(v) > 1 {
return r, errors.New("group should contain a single value, an array with more than one entry was provided")
}
l.Warnf("%s rule #%v; group was an array with a single value, converting to simple value", table, i)
m["group"] = v[0]
}
r.Group = toString("group", m)
if rg, ok := m["groups"]; ok { if rg, ok := m["groups"]; ok {
switch reflect.TypeOf(rg).Kind() { switch reflect.TypeOf(rg).Kind() {
case reflect.Slice: case reflect.Slice:

View File

@ -1,6 +1,7 @@
package nebula package nebula
import ( import (
"bytes"
"encoding/binary" "encoding/binary"
"errors" "errors"
"math" "math"
@ -676,6 +677,43 @@ func TestTCPRTTTracking(t *testing.T) {
assert.Equal(t, uint32(0), c.Seq) assert.Equal(t, uint32(0), c.Seq)
} }
func TestFirewall_convertRule(t *testing.T) {
ob := &bytes.Buffer{}
out := l.Out
l.SetOutput(ob)
defer l.SetOutput(out)
// Ensure group array of 1 is converted and a warning is printed
c := map[interface{}]interface{}{
"group": []interface{}{"group1"},
}
r, err := convertRule(c, "test", 1)
assert.Contains(t, ob.String(), "test rule #1; group was an array with a single value, converting to simple value")
assert.Nil(t, err)
assert.Equal(t, "group1", r.Group)
// Ensure group array of > 1 is errord
ob.Reset()
c = map[interface{}]interface{}{
"group": []interface{}{"group1", "group2"},
}
r, err = convertRule(c, "test", 1)
assert.Equal(t, "", ob.String())
assert.Error(t, err, "group should contain a single value, an array with more than one entry was provided")
// Make sure a well formed group is alright
ob.Reset()
c = map[interface{}]interface{}{
"group": "group1",
}
r, err = convertRule(c, "test", 1)
assert.Nil(t, err)
assert.Equal(t, "group1", r.Group)
}
type addRuleCall struct { type addRuleCall struct {
incoming bool incoming bool
proto uint8 proto uint8