Disallow setting /0 for network other than 0.0.0.0

If something like 15.0.0.0/0 is set as an IP address range it ends up
being identical to 0.0.0.0/0 (i.e all access) which I don't think is
the intent of the user when they make the API call.

Change-Id: I3fc05371f461112feae4f1097777fede5fc6b948

2 files changed, 39 insertions, 0 deletions

diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
index a15c395ae..c49e7af70 100644
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
@@ -30,6 +30,7 @@ from nova.compute import api as compute_api
 from nova import db
 from nova import exception
 from nova.openstack.common import log as logging
+from nova.virt import netutils
 
 LOG = logging.getLogger(__name__)
 authorize = extensions.extension_authorizer('compute', 'security_groups')
@@ -332,6 +333,12 @@ class SecurityGroupRulesController(SecurityGroupControllerBase):
 
         values['parent_group_id'] = security_group.id
 
+        if 'cidr' in values:
+            net, prefixlen = netutils.get_net_and_prefixlen(values['cidr'])
+            if net != '0.0.0.0' and prefixlen == '0':
+                msg = _("Bad prefix for network in cidr %s") % values['cidr']
+                raise exc.HTTPBadRequest(explanation=msg)
+
         if self.security_group_api.rule_exists(security_group, values):
             msg = _('This rule already exists in group %s') % parent_group_id
             raise exc.HTTPBadRequest(explanation=msg)
diff --git a/nova/tests/api/openstack/compute/contrib/test_security_groups.py b/nova/tests/api/openstack/compute/contrib/test_security_groups.py
index ccb58f858..58f1862c3 100644
--- a/nova/tests/api/openstack/compute/contrib/test_security_groups.py
+++ b/nova/tests/api/openstack/compute/contrib/test_security_groups.py
@@ -1011,6 +1011,38 @@ class TestSecurityGroupRules(test.TestCase):
                           self.controller.create,
                           req, {'security_group_rule': rule})
 
+    def test_create_rule_cidr_allow_all(self):
+        rule = security_group_rule_template(cidr='0.0.0.0/0')
+
+        req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
+        res_dict = self.controller.create(req, {'security_group_rule': rule})
+
+        security_group_rule = res_dict['security_group_rule']
+        self.assertNotEquals(security_group_rule['id'], 0)
+        self.assertEquals(security_group_rule['parent_group_id'],
+                          self.parent_security_group['id'])
+        self.assertEquals(security_group_rule['ip_range']['cidr'],
+                          "0.0.0.0/0")
+
+    def test_create_rule_cidr_allow_some(self):
+        rule = security_group_rule_template(cidr='15.0.0.0/8')
+
+        req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
+        res_dict = self.controller.create(req, {'security_group_rule': rule})
+
+        security_group_rule = res_dict['security_group_rule']
+        self.assertNotEquals(security_group_rule['id'], 0)
+        self.assertEquals(security_group_rule['parent_group_id'],
+                          self.parent_security_group['id'])
+        self.assertEquals(security_group_rule['ip_range']['cidr'],
+                          "15.0.0.0/8")
+
+    def test_create_rule_cidr_bad_netmask(self):
+        rule = security_group_rule_template(cidr='15.0.0.0/0')
+        req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+                          req, {'security_group_rule': rule})
+
 
 class TestSecurityGroupRulesXMLDeserializer(test.TestCase):