
plz
bnaecker committed May 3, 2024
1 parent b7afb2d commit 28eab43
Showing 16 changed files with 41 additions and 47 deletions.
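--- a/clients/nexus-client/src/lib.rs
+++ b/clients/nexus-client/src/lib.rs
@@ -465,15 +465,11 @@ impl TryFrom<&omicron_common::api::external::AllowedSourceIps>
 use omicron_common::api::external::AllowedSourceIps;
 match ips {
 AllowedSourceIps::Any => Ok(types::AllowedSourceIps::Any),
-AllowedSourceIps::List(list) => {
-let list = list
-.iter()
-.map(TryInto::try_into)
-.collect::<Result<Vec<_>, _>>()?;
-Ok(types::AllowedSourceIps::List(types::IpAllowList::from(
-list,
-)))
-}
+AllowedSourceIps::List(list) => list
+.iter()
+.map(TryInto::try_into)
+.collect::<Result<Vec<_>, _>>()
+.map(types::AllowedSourceIps::List),
 }
 }
 }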
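Review bot: The new `List` arm passes an empty `Vec` straight through, whereas the removed `types::IpAllowList` newtype was the one client-side artifact that documented the list as non-empty (the `IpAllowList` schema deleted further down in this commit is described as "A non-empty allowlist of IP addresses or subnets"). If Nexus relied on that newtype for the invariant, the server-side validation now needs an explicit rejection, something like `if list.is_empty() { return Err(Error::invalid_request("allowlist must contain at least one entry")); }`, because an accepted `List([])` is a deny-all rule that can lock out every source including the operator making the change. I cannot see the validation path from this hunk, so treat this as a check to confirm rather than a known gap. The enclosing `impl TryFrom` block starts above the hunk.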
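--- a/dev-tools/omdb/tests/successes.out
+++ b/dev-tools/omdb/tests/successes.out
@@ -440,7 +440,7 @@ task: "service_firewall_rule_propagation"
 currently executing: no
 last completed activation: <REDACTED ITERATIONS>, triggered by an explicit signal
 started at <REDACTED TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
-last completion reported error: Object (of type ById(..........<REDACTED_UUID>...........)) not found: allowed-source-ips
+last completion reported error: Object (of type ById(..........<REDACTED_UUID>...........)) not found: allow-list
 
 task: "service_zone_nat_tracker"
 configured period: every 30s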
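--- a/nexus/src/app/allow_list.rs
+++ b/nexus/src/app/allow_list.rs
@@ -31,7 +31,7 @@ impl super::Nexus {
 opctx: &OpContext,
 remote_addr: IpAddr,
 params: params::AllowListUpdate,
-) -> Result<(), Error> {
+) -> Result<AllowList, Error> {
 if let external::AllowedSourceIps::List(list) = &params.allowed_ips {
 // Size limits on the allowlist.
 const MAX_ALLOWLIST_LENGTH: usize = 1000;
@@ -78,10 +78,11 @@ impl super::Nexus {
 };
 
 // Actually insert the new allowlist.
-self.db_datastore
+let list = self
+.db_datastore
 .allow_list_upsert(opctx, params.allowed_ips.clone())
 .await
-.map(|_| ())?;
+.and_then(AllowList::try_from)?;
 
 // Notify the sled-agents of the updated firewall rules.
 //
@@ -112,7 +113,7 @@ impl super::Nexus {
 {
 Ok(_) => {
 info!(self.log, "plumbed updated IP allowlist to sled-agents");
-Ok(())
+Ok(list)
 }
 Err(e) => {
 error!(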
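--- a/nexus/src/external_api/http_entrypoints.rs
+++ b/nexus/src/external_api/http_entrypoints.rs
@@ -3776,7 +3776,7 @@ async fn networking_allow_list_view(
 async fn networking_allow_list_update(
 rqctx: RequestContext<Arc<ServerContext>>,
 params: TypedBody<params::AllowListUpdate>,
-) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+) -> Result<HttpResponseOk<views::AllowList>, HttpError> {
 let apictx = rqctx.context();
 let handler = async {
 let nexus = &apictx.nexus;
@@ -3786,7 +3786,7 @@ async fn networking_allow_list_update(
 nexus
 .allow_list_upsert(&opctx, remote_addr, params)
 .await
-.map(|_| HttpResponseUpdatedNoContent())
+.map(HttpResponseOk)
 .map_err(HttpError::from)
 };
 apictx.external_latencies.instrument_dropshot_handler(&rqctx, handler).await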
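--- a/nexus/tests/integration_tests/endpoints.rs
+++ b/nexus/tests/integration_tests/endpoints.rs
@@ -869,7 +869,7 @@ pub static DEMO_USER_CREATE: Lazy<params::UserCreate> =
 
 // Allowlist for user-facing services.
 pub static ALLOW_LIST_URL: Lazy<String> =
-Lazy::new(|| String::from("/v1/system/networking/allowed-source-ips"));
+Lazy::new(|| String::from("/v1/system/networking/allow-list"));
 pub static ALLOW_LIST_UPDATE: Lazy<params::AllowListUpdate> = Lazy::new(|| {
 params::AllowListUpdate { allowed_ips: AllowedSourceIps::Any }
 });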
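--- a/nexus/tests/output/uncovered-authz-endpoints.txt
+++ b/nexus/tests/output/uncovered-authz-endpoints.txt
@@ -3,12 +3,10 @@ probe_delete (delete "/experimental/v1/probes/{probe
 probe_list (get "/experimental/v1/probes")
 probe_view (get "/experimental/v1/probes/{probe}")
 ping (get "/v1/ping")
-networking_allow_list_view (get "/v1/system/networking/allow-list")
 device_auth_request (post "/device/auth")
 device_auth_confirm (post "/device/confirm")
 device_access_token (post "/device/token")
 probe_create (post "/experimental/v1/probes")
 login_saml (post "/login/{silo_name}/saml/{provider_name}")
 login_local (post "/v1/login/{silo_name}/local")
 logout (post "/v1/logout")
-networking_allow_list_update (put "/v1/system/networking/allow-list")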
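--- a/nexus/tests/output/unexpected-authz-endpoints.txt
+++ b/nexus/tests/output/unexpected-authz-endpoints.txt
@@ -11,5 +11,3 @@ PUT "/v1/vpc-router-routes/demo-router-route?project=demo-project&vpc=demo-vp
 DELETE "/v1/vpc-router-routes/demo-router-route?project=demo-project&vpc=demo-vpc&router=demo-vpc-router"
 PUT "/v1/system/update/repository?file_name=demo-repo.zip"
 GET "/v1/system/update/repository/1.0.0"
-GET "/v1/system/networking/allowed-source-ips"
-PUT "/v1/system/networking/allowed-source-ips"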
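--- a/openapi/bootstrap-agent.json
+++ b/openapi/bootstrap-agent.json
@@ -190,7 +190,10 @@
 ]
 },
 "ips": {
-"$ref": "#/components/schemas/IpAllowList"
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/IpNet"
+}
 }
 },
 "required": [
@@ -488,13 +491,6 @@
 "request_id"
 ]
 },
-"IpAllowList": {
-"description": "A non-empty allowlist of IP addresses or subnets",
-"type": "array",
-"items": {
-"$ref": "#/components/schemas/IpNet"
-}
-},
 "IpNet": {
 "oneOf": [
 {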
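--- a/openapi/nexus.json
+++ b/openapi/nexus.json
@@ -6291,8 +6291,15 @@
 "required": true
 },
 "responses": {
-"204": {
-"description": "resource updated"
+"200": {
+"description": "successful operation",
+"content": {
+"application/json": {
+"schema": {
+"$ref": "#/components/schemas/AllowList"
+}
+}
+}
 },
 "4XX": {
 "$ref": "#/components/responses/Error"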
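--- a/openapi/wicketd.json
+++ b/openapi/wicketd.json
@@ -728,7 +728,10 @@
 ]
 },
 "ips": {
-"$ref": "#/components/schemas/IpAllowList"
+"type": "array",
+"items": {
+"$ref": "#/components/schemas/IpNet"
+}
 }
 },
 "required": [
@@ -1493,13 +1496,6 @@
 "installable"
 ]
 },
-"IpAllowList": {
-"description": "A non-empty allowlist of IP addresses or subnets",
-"type": "array",
-"items": {
-"$ref": "#/components/schemas/IpNet"
-}
-},
 "IpNet": {
 "oneOf": [
 {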
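--- a/oximeter/collector/tests/output/self-stat-schema.json
+++ b/oximeter/collector/tests/output/self-stat-schema.json
@@ -39,7 +39,7 @@
 }
 ],
 "datum_type": "cumulative_u64",
-"created": "2024-02-05T23:03:00.842290108Z"
+"created": "2024-05-03T22:37:51.326086935Z"
 },
 "oximeter_collector:failed_collections": {
 "timeseries_name": "oximeter_collector:failed_collections",
@@ -86,6 +86,6 @@
 }
 ],
 "datum_type": "cumulative_u64",
-"created": "2024-02-05T23:03:00.842943988Z"
+"created": "2024-05-03T22:37:51.327389025Z"
 }
 }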
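--- a/schema/all-zone-requests.json
+++ b/schema/all-zone-requests.json
@@ -191,7 +191,7 @@
 "fd12:3456::/64"
 ],
 "type": "string",
-"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
+"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
 },
 "MacAddr": {
 "title": "A MAC address",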
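--- a/schema/all-zones-requests.json
+++ b/schema/all-zones-requests.json
@@ -75,7 +75,7 @@
 "fd12:3456::/64"
 ],
 "type": "string",
-"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
+"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
 },
 "MacAddr": {
 "title": "A MAC address",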
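--- a/schema/rss-service-plan-v3.json
+++ b/schema/rss-service-plan-v3.json
@@ -189,7 +189,7 @@
 "fd12:3456::/64"
 ],
 "type": "string",
-"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
+"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
 },
 "MacAddr": {
 "title": "A MAC address",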
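--- a/schema/rss-sled-plan.json
+++ b/schema/rss-sled-plan.json
@@ -431,7 +431,7 @@
 "fd12:3456::/64"
 ],
 "type": "string",
-"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
+"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
 },
 "Ipv6Network": {
 "type": "string",
@@ -577,7 +577,6 @@
 "description": "Configuration for the \"rack setup service\".\n\nThe Rack Setup Service should be responsible for one-time setup actions, such as CockroachDB placement and initialization. Without operator intervention, however, these actions need a way to be automated in our deployment.",
 "type": "object",
 "required": [
-"allowed_source_ips",
 "bootstrap_discovery",
 "dns_servers",
 "external_certificates",
@@ -591,6 +590,9 @@
 "properties": {
 "allowed_source_ips": {
 "description": "IPs or subnets allowed to make requests to user-facing services",
+"default": {
+"allow": "any"
+},
 "allOf": [
 {
 "$ref": "#/definitions/AllowedSourceIps"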
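Review bot: The second and third hunks make `allowed_source_ips` optional in the RSS config and give it a default of `{"allow": "any"}`, so an RSS plan that simply omits the key now sets up the rack with user-facing services reachable from every source address, where previously a missing key was a schema error. This file looks generated from the Rust config type, so the default itself lives in that type's serde attributes and should be reviewed there; here the `description` is the only thing an operator reads, and it should say so, e.g. `"IPs or subnets allowed to make requests to user-facing services. Defaults to allowing any source if omitted; set an explicit list to restrict access from first boot."`. The first hunk also replaces the `[fF][dD]`-anchored pattern with a general IPv6 one, so the schema no longer rejects non-ULA prefixes for a field whose example is `fd12:3456::/64`; if that restriction is still enforced by the Rust type it is only a documentation gap, otherwise it is a validation change worth calling out in the commit.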
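--- a/schema/start-sled-agent-request.json
+++ b/schema/start-sled-agent-request.json
@@ -32,7 +32,7 @@
 "fd12:3456::/64"
 ],
 "type": "string",
-"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
+"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
 },
 "Ipv6Subnet": {
 "description": "Wraps an [`Ipv6Network`] with a compile-time prefix length.",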
