cyberark / conjur-policy-parser

Parser library for Conjur Policy YAML
MIT License

Add type validation for CIDR values in `restricted_to` #28

Closed micahlee closed 4 years ago

micahlee commented 4 years ago

This PR updates the type for `restricted_to` to a new `:cidr` type that is validated at policy load to ensure this is a valid IPAddr string. If it is not valid, it returns a correct error to point the author to the line and column of the invalid value.

For example, with the policy:

```yaml
- !host
  id: a-host
  restricted_to: [ 192.168.1.1, invalid_cidr ]
```

This will cause a validation error:

```
Error at line 3, column 32 in spec/round-trip/yaml/restricted_to.yml : Invalid IP address or CIDR range 'invalid_cidr'
```

Connected to #27

h-artzi commented 4 years ago

Currently, I believe if a user enters a list, for example `restricted_to : [ not_valid1, not_valid2 ]`, it will return `Invalid IP address or CIDR range 'not_valid1'`. I would want it to return all attributes that are not valid so the user can fix them all at once.

micahlee commented 4 years ago

@h-artzi

> Currently, I believe if a user enters a list, for example `restricted_to : [ not_valid1, not_valid2 ]`, it will return `Invalid IP address or CIDR range 'not_valid1'`. I would want it to return all attributes that are not valid so the user can fix them all at once.

You are correct, and I've added a test case to highlight this behavior. Changing this will likely require a larger structural change to how the policy is parsed and errors are collected. I'm going to call that out of scope for this PR, but I did create an issue for it here: https://github.com/cyberark/conjur-policy-parser/issues/29
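
The following is an added example, not code from this PR or from conjur-policy-parser: a standalone sketch of the collect-all-errors behaviour discussed in this thread, using only Ruby's standard `IPAddr` and `Psych` libraries. The names `valid_cidr?`, `restricted_to_errors` and `SAMPLE_POLICY` are hypothetical, the sample policy is constructed, and reporting both line and column as 1-based is this example's own choice.

```ruby
require 'psych'
require 'ipaddr'

# Constructed sample policy (not taken from the project's test suite).
SAMPLE_POLICY = <<~YAML
  - !host
    id: a-host
    restricted_to: [ 192.168.1.1, not_valid1, 10.0.0.0/8, not_valid2 ]
YAML

# True when the string parses as an IPv4/IPv6 address or CIDR range.
def valid_cidr?(value)
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Walks the YAML AST and returns one error per invalid restricted_to entry,
# instead of stopping at the first invalid value.
def restricted_to_errors(yaml)
  errors = []
  walk = lambda do |node|
    if node.is_a?(Psych::Nodes::Mapping)
      # Mapping children alternate key, value, key, value, ...
      node.children.each_slice(2) do |key, value|
        next unless key.is_a?(Psych::Nodes::Scalar) && key.value == 'restricted_to'
        entries = value.is_a?(Psych::Nodes::Sequence) ? value.children : [value]
        entries.grep(Psych::Nodes::Scalar).each do |entry|
          next if valid_cidr?(entry.value)
          # Psych positions are 0-based; this example reports them 1-based.
          errors << { line: entry.start_line + 1,
                      column: entry.start_column + 1,
                      value: entry.value }
        end
      end
    end
    # Scalars and aliases have no children, hence the nil guard.
    (node.children || []).each { |child| walk.call(child) }
  end
  walk.call(Psych.parse_stream(yaml))
  errors
end

restricted_to_errors(SAMPLE_POLICY).each do |e|
  puts "Error at line #{e[:line]}, column #{e[:column]}: " \
       "Invalid IP address or CIDR range '#{e[:value]}'"
end
```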