kube-aws: validate externalDNSName is a subdomain of hostedZone
fixes #401
cgag committed Apr 13, 2016
1 parent 27f7864 commit 134e1d7
Showing 3 changed files with 99 additions and 4 deletions.
2 changes: 1 addition & 1 deletion multi-node/aws/pkg/cluster/cluster_test.go
@@ -12,7 +12,7 @@ import (
)

const minimalConfigYaml = `
externalDNSName: test-external-dns-name
externalDNSName: test.staging.core-os.net
keyName: test-key-name
region: us-west-1
availabilityZone: us-west-1c
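--- a/multi-node/aws/pkg/config/config.go
+++ b/multi-node/aws/pkg/config/config.go
@@ -339,6 +339,11 @@ func (cfg Cluster) valid() error {
 if cfg.RecordSetTTL < 1 {
 return errors.New("TTL must be at least 1 second")
 }
+if !isSubdomain(cfg.ExternalDNSName, cfg.HostedZone) {
+return fmt.Errorf("%s is not a subdomain of %s",
+cfg.ExternalDNSName,
+cfg.HostedZone)
+}
 } else {
 if cfg.RecordSetTTL != newDefaultCluster().RecordSetTTL {
 return errors.New(
@@ -516,3 +521,24 @@ func withTrailingDot(s string) string {
 }
 return s
 }
+
+func isSubdomain(sub, parent string) bool {
+sub, parent = withTrailingDot(sub), withTrailingDot(parent)
+subParts, parentParts := strings.Split(sub, "."), strings.Split(parent, ".")
+
+if len(parentParts) > len(subParts) {
+return false
+}
+
+subSuffixes := subParts[len(subParts)-len(parentParts):]
+
+if len(subSuffixes) != len(parentParts) {
+return false
+}
+for i := range subSuffixes {
+if subSuffixes[i] != parentParts[i] {
+return false
+}
+}
+return true
+}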
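Review bot: The label comparison in `isSubdomain` is case-sensitive (`subSuffixes[i] != parentParts[i]`), while DNS names compare case-insensitively, so an `externalDNSName` that differs from `hostedZone` only in letter case would be rejected by `valid()`. Comparing with `!strings.EqualFold(subSuffixes[i], parentParts[i])` keeps the label-by-label match, which is what stops a name that merely ends in the zone's text from passing. The second length check, `if len(subSuffixes) != len(parentParts)`, can never be true because the slice is cut to exactly `len(parentParts)` elements, so it can be dropped. The function also lacks a doc comment; something like `// isSubdomain reports whether sub equals parent or lies beneath it, comparing whole DNS labels and ignoring a trailing dot.` would record that equal names are accepted. The `valid()` hunk shows only part of that function, so whether an empty `hostedZone` is rejected before this call cannot be seen here.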
75 changes: 72 additions & 3 deletions multi-node/aws/pkg/config/config_test.go
@@ -5,15 +5,15 @@ import (
"testing"
)

const minimalConfigYaml = `externalDNSName: test-external-dns-name
const minimalConfigYaml = `externalDNSName: test.staging.core-os.net
keyName: test-key-name
region: us-west-1
availabilityZone: us-west-1c
clusterName: test-cluster-name
kmsKeyArn: "arn:aws:kms:us-west-1:xxxxxxxxx:key/xxxxxxxxxxxxxxxxxxx"
`

var goodNetworkingConfigs []string = []string{
var goodNetworkingConfigs = []string{
``, //Tests validity of default network config values
`
vpcCIDR: 10.4.3.0/24
@@ -41,10 +41,13 @@ hostedZone: ""
createRecordSet: true
recordSetTTL: 400
hostedZone: core-os.net
`, `
createRecordSet: true
hostedZone: "staging.core-os.net"
`,
}

var incorrectNetworkingConfigs []string = []string{
var incorrectNetworkingConfigs = []string{
`
vpcCIDR: 10.4.2.0/23
instanceCIDR: 10.4.3.0/24
@@ -102,6 +105,10 @@ hostedZone: ""
# recordSetTTL shouldn't be modified when createRecordSet is false
createRecordSet: false
recordSetTTL: 400
`, `
# whatever.com is not a superdomain of test.staging.core-os.net
createRecordSet: true
hostedZone: "whatever.com"
`,
}

@@ -184,3 +191,65 @@ dnsServiceIP: 10.6.142.100
}

}

func TestIsSubdomain(t *testing.T) {
validData := []struct {
sub string
parent string
}{
{
// single level
sub: "test.coreos.com",
parent: "coreos.com",
},
{
// multiple levels
sub: "cgag.staging.coreos.com",
parent: "coreos.com",
},
{
// trailing dots shouldn't matter
sub: "staging.coreos.com.",
parent: "coreos.com.",
},
{
// trailing dots shouldn't matter
sub: "a.b.c.",
parent: "b.c",
},
{
// multiple level parent domain
sub: "a.b.c.staging.core-os.net",
parent: "staging.core-os.net",
},
}

invalidData := []struct {
sub string
parent string
}{
{
// mismatch
sub: "staging.coreos.com",
parent: "example.com",
},
{
// superdomain is longer than subdomain
sub: "staging.coreos.com",
parent: "cgag.staging.coreos.com",
},
}

for _, valid := range validData {
if !isSubdomain(valid.sub, valid.parent) {
t.Errorf("%s should be a valid subdomain of %s", valid.sub, valid.parent)
}
}

for _, invalid := range invalidData {
if isSubdomain(invalid.sub, invalid.parent) {
t.Errorf("%s should not be a valid subdomain of %s", invalid.sub, invalid.parent)
}
}

}
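Review bot: `TestIsSubdomain` has no negative case for a name that shares the parent's trailing text without a label boundary, which is the case the label-wise comparison exists to reject; a constructed pair such as `sub: "notcoreos.com", parent: "coreos.com"` in `invalidData` would pin it. It also leaves out the equal-names input (`sub` and `parent` both `coreos.com`), so the test does not say whether the zone apex is meant to pass. The two struct slices could be merged into one table with a `want bool` field so each case states its expected result next to its inputs.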
