[Freeipa-devel] [freeipa PR#58] Ip addr validation (synchronize)
mbasti-rh's pull request #58: "Ip addr validation" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/58 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/58/head:pr58 git checkout pr58 From 7fc0b28b05acca51ffbdfbb04a7e1dc4212ae9a0 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 2 Sep 2016 13:25:19 +0200 Subject: [PATCH 1/4] Allow network ip addresses Currently cloud environments uses heavily prefix /32 (/128) what makes IPA validators to fail. IPA should not care if IP address is network or not. This commit allows usage of network addresses in: * host plugin * dns plugin * server-installer * client-installer https://fedorahosted.org/freeipa/ticket/5814 --- ipapython/ipautil.py| 9 + ipaserver/plugins/dns.py| 5 ++--- ipatests/test_ipapython/test_ipautil.py | 6 -- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 8de9acf..8a9aa0e 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -132,8 +132,8 @@ class CheckedIPAddress(UnsafeIPAddress): Reserved or link-local addresses are never accepted. """ def __init__(self, addr, match_local=False, parse_netmask=True, - allow_network=False, allow_loopback=False, - allow_broadcast=False, allow_multicast=False): + allow_loopback=False, allow_broadcast=False, + allow_multicast=False): super(CheckedIPAddress, self).__init__(addr) if isinstance(addr, CheckedIPAddress): 
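Review bot: Dropping `allow_network` from the middle of the `__init__` signature shifts every later flag one position to the left, so a caller that passed the flags positionally would now enable `allow_loopback` where it meant `allow_network`, with no error raised. A caller that still passes `allow_network=` by keyword gets a `TypeError`, which the `except (netaddr.AddrFormatError, ValueError)` handlers visible in dns.py would not catch. The commit message names the host plugin and both installers, but the diffstat lists only three files, so it is worth confirming that no caller outside this patch still passes the argument. Keeping the slot as an accepted-and-ignored parameter, e.g. `allow_network=True,  # deprecated and ignored: network addresses are always accepted`, would avoid both failure modes. The body of `__init__` continues outside this hunk.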
@@ -199,14 +199,15 @@ def __init__(self, addr, match_local=False, parse_netmask=True, elif self.version == 6: self._net = netaddr.IPNetwork(str(self) + '/64') -if not allow_network and self == self._net.network: -raise ValueError("cannot use IP network address {}".format(addr)) if not allow_broadcast and (self.version == 4 and self == self._net.broadcast): raise ValueError("cannot use broadcast IP address {}".format(addr)) self.prefixlen = self._net.prefixlen +def is_network_addr(self): +return self == self._net.network + def valid_ip(addr): return netaddr.valid_ipv4(addr) or netaddr.valid_ipv6(addr) diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py index f048351..a5f11a4 100644 --- a/ipaserver/plugins/dns.py +++ b/ipaserver/plugins/dns.py @@ -413,8 +413,7 @@ def _validate_bind_aci(ugettext, bind_acis): bind_aci = bind_aci[1:] try: -ip = CheckedIPAddress(bind_aci, parse_netmask=True, - allow_network=True, allow_loopback=True) +CheckedIPAddress(bind_aci, parse_netmask=True, allow_loopback=True) except (netaddr.AddrFormatError, ValueError) as e: return unicode(e) except UnboundLocalError: @@ -439,7 +438,7 @@ def _normalize_bind_aci(bind_acis): try: ip = CheckedIPAddress(bind_aci, parse_netmask=True, - allow_network=True, allow_loopback=True) + allow_loopback=True) if '/' in bind_aci:# addr with netmask netmask = "/%s" % ip.prefixlen else: diff --git a/ipatests/test_ipapython/test_ipautil.py b/ipatests/test_ipapython/test_ipautil.py index 8c0b9c4..ea9251b 100644 --- a/ipatests/test_ipapython/test_ipautil.py +++ b/ipatests/test_ipapython/test_ipautil.py @@ -44,6 +44,7 @@ def check_ipaddress(): def test_ip_address(): addrs = [ +('0.0.0.0/0',), ('10.11.12.13', (10, 11, 12, 13), 8), ('10.11.12.13/14', (10, 11, 12, 13), 14), ('10.11.12.13%zoneid',), 
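Review bot: The new `is_network_addr()` in the `-199,14` hunk has no docstring, and its answer is only as reliable as the prefix `self._net` was built from. The branch just above appears to fall back to a default `/64` when no prefix came with the address, and for a /32 or /128 host the network address is the address itself, so the method returns True for exactly the cloud addresses this commit is meant to admit. A caller that uses it to re-impose the removed check would bring the original failure back. I would add a docstring along the lines of `"""Return True if the address equals the network address of self._net; always True for /32 and /128, and based on a default prefix when none was supplied."""`. No visible hunk calls the method, and `__init__` starts outside this hunk, so whether `_net` is set on every path (for instance when `addr` is already a `CheckedIPAddress`) cannot be confirmed from here.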
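Review bot: The `addrs` table changes in test_ipautil.py (the `-44,6` hunk and the `-53,10` and `-66,7` hunks after it) never add the /32 and /128 cases that the commit message gives as the motivation, and nothing exercises `is_network_addr()`. I would add `('2001::1/128', (0x2001, 0, 0, 0, 0, 0, 0, 1), 128),` and `('10.11.12.13/32', (10, 11, 12, 13), 32),` next to the existing prefixed entries. The IPv4 entry may only pass once the broadcast check still present in ipautil.py at this commit is removed, because for a /32 the broadcast address can equal the host address depending on the netaddr version; if that is the case, the commit message should say that /32 support is completed by the following patch. `test_ip_address` continues outside these hunks.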
@@ -53,10 +54,11 @@ def test_ip_address(): ('127.0.0.1',), ('241.1.2.3',), ('169.254.1.2',), -('10.11.12.0/24',), +('10.11.12.0/24', (10, 11, 12, 0), 24), ('224.5.6.7',), ('10.11.12.255/24',), +('::/0',), ('2001::1', (0x2001, 0, 0, 0, 0, 0, 0, 1), 64), ('2001::1/72', (0x2001, 0, 0, 0, 0, 0, 0, 1), 72), ('2001::1%zoneid', (0x2001, 0, 0, 0, 0, 0, 0, 1), 64), @@ -66,7 +68,7 @@ def test_ip_address(): ('::1',), ('6789::1',), ('fe89::1',), -('2001::/64',), +('2001::/64', (0x2001, 0, 0, 0, 0, 0, 0, 0), 64), ('ff01::1',), ('junk',) From e4167ec9df06a0508602968ea9d9b69b370a56c5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 2 Sep 2016 17:07:03 +0200 Subject: [PATCH 2/4] Allow broadcast ip addresses Currently environments may use prefix /31 on point-to-point connections what makes IPA validators to fail. IPA should not care if IP address is broadcast or not. In some cases (when prefix is not specified) IP
[Freeipa-devel] [freeipa PR#58] Ip addr validation (synchronize)
mbasti-rh's pull request #58: "Ip addr validation" was synchronize See the full pull-request at https://github.com/freeipa/freeipa/pull/58 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/58/head:pr58 git checkout pr58 From 7fc0b28b05acca51ffbdfbb04a7e1dc4212ae9a0 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 2 Sep 2016 13:25:19 +0200 Subject: [PATCH 1/4] Allow network ip addresses Currently cloud environments uses heavily prefix /32 (/128) what makes IPA validators to fail. IPA should not care if IP address is network or not. This commit allows usage of network addresses in: * host plugin * dns plugin * server-installer * client-installer https://fedorahosted.org/freeipa/ticket/5814 --- ipapython/ipautil.py| 9 + ipaserver/plugins/dns.py| 5 ++--- ipatests/test_ipapython/test_ipautil.py | 6 -- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 8de9acf..8a9aa0e 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -132,8 +132,8 @@ class CheckedIPAddress(UnsafeIPAddress): Reserved or link-local addresses are never accepted. """ def __init__(self, addr, match_local=False, parse_netmask=True, - allow_network=False, allow_loopback=False, - allow_broadcast=False, allow_multicast=False): + allow_loopback=False, allow_broadcast=False, + allow_multicast=False): super(CheckedIPAddress, self).__init__(addr) if isinstance(addr, CheckedIPAddress): 
@@ -199,14 +199,15 @@ def __init__(self, addr, match_local=False, parse_netmask=True, elif self.version == 6: self._net = netaddr.IPNetwork(str(self) + '/64') -if not allow_network and self == self._net.network: -raise ValueError("cannot use IP network address {}".format(addr)) if not allow_broadcast and (self.version == 4 and self == self._net.broadcast): raise ValueError("cannot use broadcast IP address {}".format(addr)) self.prefixlen = self._net.prefixlen +def is_network_addr(self): +return self == self._net.network + def valid_ip(addr): return netaddr.valid_ipv4(addr) or netaddr.valid_ipv6(addr) diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py index f048351..a5f11a4 100644 --- a/ipaserver/plugins/dns.py +++ b/ipaserver/plugins/dns.py @@ -413,8 +413,7 @@ def _validate_bind_aci(ugettext, bind_acis): bind_aci = bind_aci[1:] try: -ip = CheckedIPAddress(bind_aci, parse_netmask=True, - allow_network=True, allow_loopback=True) +CheckedIPAddress(bind_aci, parse_netmask=True, allow_loopback=True) except (netaddr.AddrFormatError, ValueError) as e: return unicode(e) except UnboundLocalError: @@ -439,7 +438,7 @@ def _normalize_bind_aci(bind_acis): try: ip = CheckedIPAddress(bind_aci, parse_netmask=True, - allow_network=True, allow_loopback=True) + allow_loopback=True) if '/' in bind_aci:# addr with netmask netmask = "/%s" % ip.prefixlen else: diff --git a/ipatests/test_ipapython/test_ipautil.py b/ipatests/test_ipapython/test_ipautil.py index 8c0b9c4..ea9251b 100644 --- a/ipatests/test_ipapython/test_ipautil.py +++ b/ipatests/test_ipapython/test_ipautil.py @@ -44,6 +44,7 @@ def check_ipaddress(): def test_ip_address(): addrs = [ +('0.0.0.0/0',), ('10.11.12.13', (10, 11, 12, 13), 8), ('10.11.12.13/14', (10, 11, 12, 13), 14), ('10.11.12.13%zoneid',), 
@@ -53,10 +54,11 @@ def test_ip_address(): ('127.0.0.1',), ('241.1.2.3',), ('169.254.1.2',), -('10.11.12.0/24',), +('10.11.12.0/24', (10, 11, 12, 0), 24), ('224.5.6.7',), ('10.11.12.255/24',), +('::/0',), ('2001::1', (0x2001, 0, 0, 0, 0, 0, 0, 1), 64), ('2001::1/72', (0x2001, 0, 0, 0, 0, 0, 0, 1), 72), ('2001::1%zoneid', (0x2001, 0, 0, 0, 0, 0, 0, 1), 64), @@ -66,7 +68,7 @@ def test_ip_address(): ('::1',), ('6789::1',), ('fe89::1',), -('2001::/64',), +('2001::/64', (0x2001, 0, 0, 0, 0, 0, 0, 0), 64), ('ff01::1',), ('junk',) From e4167ec9df06a0508602968ea9d9b69b370a56c5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 2 Sep 2016 17:07:03 +0200 Subject: [PATCH 2/4] Allow broadcast ip addresses Currently environments may use prefix /31 on point-to-point connections what makes IPA validators to fail. IPA should not care if IP address is broadcast or not. In some cases (when prefix is not specified) IP