Fix validation of networks

vitobotta · Jan 2, 2023 · fb82783 · fb82783
1 parent 873ea35
commit fb82783
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 64 deletions.
diff --git a/README.md b/README.md
@@ -64,23 +64,23 @@ brew install vitobotta/tap/hetzner_k3s
 #### Binary installation (Intel)
 
 ```bash
-wget https://github.com/vitobotta/hetzner-k3s/releases/download/v0.6.8/hetzner-k3s-mac-amd64
+wget https://github.com/vitobotta/hetzner-k3s/releases/download/v0.6.9/hetzner-k3s-mac-amd64
 chmod +x hetzner-k3s-mac-x64
 sudo mv hetzner-k3s-mac-x64 /usr/local/bin/hetzner-k3s
 ```
 
 #### Binary installation (Apple Silicon/M1)
 
 ```bash
-wget https://github.com/vitobotta/hetzner-k3s/releases/download/v0.6.8/hetzner-k3s-mac-arm64
+wget https://github.com/vitobotta/hetzner-k3s/releases/download/v0.6.9/hetzner-k3s-mac-arm64
 chmod +x hetzner-k3s-mac-arm
 sudo mv hetzner-k3s-mac-arm /usr/local/bin/hetzner-k3s
 ```
 
 ### Linux
 
 ```bash
-wget https://github.com/vitobotta/hetzner-k3s/releases/download/v0.6.8/hetzner-k3s-linux-x86_64
+wget https://github.com/vitobotta/hetzner-k3s/releases/download/v0.6.9/hetzner-k3s-linux-x86_64
 chmod +x hetzner-k3s-linux-x86_64
 sudo mv hetzner-k3s-linux-x86_64 /usr/local/bin/hetzner-k3s
 ```

diff --git a/src/configuration/loader.cr b/src/configuration/loader.cr
@@ -98,8 +98,8 @@ class Configuration::Loader
       Settings::PublicSSHKeyPath.new(errors, public_ssh_key_path).validate
       Settings::PrivateSSHKeyPath.new(errors, private_ssh_key_path).validate
       Settings::ExistingNetworkName.new(errors, hetzner_client, settings.existing_network).validate
-      Settings::Networks.new(errors, settings.ssh_allowed_networks).validate("SSH")
-      Settings::Networks.new(errors, settings.api_allowed_networks).validate("API")
+      Settings::Networks.new(errors, settings.ssh_allowed_networks, "SSH").validate
+      Settings::Networks.new(errors, settings.api_allowed_networks, "API").validate
       validate_masters_pool
       validate_worker_node_pools
     when :delete

diff --git a/src/configuration/settings/networks.cr b/src/configuration/settings/networks.cr
@@ -1,25 +1,67 @@
-require "../../network"
+require "ipaddress"
+require "crest"
 
 class Configuration::Settings::Networks
   getter errors : Array(String)
   getter networks : Array(String)
+  getter network_type : String
 
-  def initialize(@errors, @networks)
+  def initialize(@errors, @networks, @network_type)
   end
 
-  def validate(network_type : String)
+  def validate
     if networks
       if networks.empty?
         errors << "#{network_type} allowed networks are required"
       else
-        networks.each do |network|
-          Network.new(network, network_type).validate.each do |error|
-            errors << error
-          end
-        end
+        validate_networks
+        validate_current_ip_must_be_included_in_at_least_one_network
       end
     else
       errors << "#{network_type} allowed networks are required"
     end
   end
+
+  private def validate_networks
+    networks.each do |cidr|
+      begin
+        IPAddress.new(cidr).network?
+      rescue ArgumentError
+        errors << "#{network_type} allowed network #{cidr} is not a valid network in CIDR notation"
+      end
+    end
+  end
+
+  private def validate_current_ip_must_be_included_in_at_least_one_network
+    current_ip = IPAddress.new("127.0.0.1")
+
+    begin
+      current_ip = IPAddress.new(Crest.get("http://whatismyip.akamai.com").body)
+    rescue ex : Crest::RequestFailed
+      errors << "Unable to determine your current IP (necessary to validate allowed networks for SSH and API)"
+      return
+    end
+
+    included = false
+
+    networks.each do |cidr|
+      begin
+        network = IPAddress.new(cidr).network
+
+        if network.includes? current_ip
+          included = true
+        end
+      rescue ex: ArgumentError
+        if ex.message =~ /Invalid netmask/
+          errors << "#{network_type} allowed network #{cidr} has an invalid netmark"
+        else
+          errors << "#{network_type} allowed network #{cidr} is not a valid network in CIDR notation"
+        end
+      end
+    end
+
+    unless included
+      errors << "Your current IP #{current_ip} must belong to at least one of the #{network_type} allowed networks"
+    end
+  end
 end
diff --git a/src/hetzner-k3s.cr b/src/hetzner-k3s.cr
@@ -8,7 +8,7 @@ require "./cluster/upgrade"
 
 module Hetzner::K3s
   class CLI < Admiral::Command
-    VERSION = "0.6.8"
+    VERSION = "0.6.9"
 
     class Create < Admiral::Command
       define_help description: "create - Create a cluster"

diff --git a/src/network.cr b/src/network.cr