Merge branch 'CFP-2401' of https://github.com/sap-contributions/cloud_controller_ng into CFP-2401

Author: serdarozerr

.github/workflows/bump_bbs_protos.yml

@@ -9,7 +9,7 @@ jobs:
   update-protos:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       pull-requests: write
     steps:
       - uses: hmarr/debug-action@v3

.github/workflows/docs_test.yml

@@ -21,7 +21,7 @@ permissions:
 jobs:
   Test-Docs:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
     steps:
       - uses: hmarr/debug-action@v3
       - uses: actions/checkout@v4

.github/workflows/unit_tests.yml

@@ -39,7 +39,7 @@ jobs:
 
   Test-Postgres:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
     strategy:
       fail-fast: false
       matrix:
@@ -72,7 +72,7 @@ jobs:
 
   Test-Mysql:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
     strategy:
       fail-fast: false
       matrix:

.github/workflows/unit_tests_backwards_compatibility.yml

@@ -28,7 +28,7 @@ permissions:
 jobs:
   Test-Postgres-Backwards-Compatibillity:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
     strategy:
       fail-fast: false
       max-parallel: 3
@@ -80,7 +80,7 @@ jobs:
 
   Test-Mysql-Backwards-Compatibillity:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 60
     strategy:
       fail-fast: false
       max-parallel: 3

Gemfile

@@ -32,7 +32,7 @@ gem 'puma'
 gem 'rake'
 gem 'redis'
 gem 'rubyzip', '>= 1.3.0'
-gem 'sequel', '~> 5.93'
+gem 'sequel', '~> 5.94'
 gem 'sequel_pg', require: 'sequel'
 gem 'sinatra', '~> 3.2'
 gem 'sinatra-contrib'
@@ -82,7 +82,7 @@ group :test do
   gem 'rspec-collection_matchers'
   gem 'rspec-instafail'
   gem 'rspec-its'
-  gem 'rspec-rails', '~> 8.0.0'
+  gem 'rspec-rails', '~> 8.0.1'
   gem 'rspec-wait'
   gem 'rubocop', '~> 1.75.8'
   gem 'rubocop-capybara'

Gemfile.lock

@@ -106,7 +106,7 @@ GEM
     base64 (0.2.0)
     beefcake (1.0.0)
     benchmark (0.4.1)
-    bigdecimal (3.2.1)
+    bigdecimal (3.2.2)
     bit-struct (0.17)
     builder (3.3.0)
     byebug (12.0.0)
@@ -141,7 +141,7 @@ GEM
     digest-xxhash (0.2.9)
     docile (1.1.5)
     domain_name (0.6.20240107)
-    drb (2.2.1)
+    drb (2.2.3)
     erb (5.0.1)
     erubi (1.13.1)
     eventmachine (1.2.7)
@@ -281,7 +281,7 @@ GEM
     jaro_winkler (1.6.1)
     json (2.12.2)
     json-diff (0.4.1)
-    json-schema (5.1.1)
+    json-schema (5.2.1)
       addressable (~> 2.8)
       bigdecimal (~> 3.1)
     json_pure (2.8.1)
@@ -306,7 +306,7 @@ GEM
     logger (1.7.0)
     loggregator_emitter (5.2.0)
       beefcake (~> 1.0.0)
-    loofah (2.24.0)
+    loofah (2.24.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     machinist (1.0.6)
@@ -370,7 +370,7 @@ GEM
       prettyprint
     prettyprint (0.2.0)
     prism (1.4.0)
-    prometheus-client (4.2.4)
+    prometheus-client (4.2.5)
       base64
     pry (0.14.1)
       coderay (~> 1.1)
@@ -396,7 +396,7 @@ GEM
     rackup (1.0.1)
       rack (< 3)
       webrick
-    rails-dom-testing (2.2.0)
+    rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
@@ -449,7 +449,7 @@ GEM
       rspec-mocks (~> 3.13.0)
     rspec-collection_matchers (1.2.1)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.13.4)
+    rspec-core (3.13.5)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
@@ -462,7 +462,7 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (8.0.0)
+    rspec-rails (8.0.1)
       actionpack (>= 7.2)
       activesupport (>= 7.2)
       railties (>= 7.2)
@@ -519,7 +519,7 @@ GEM
       sexp_processor (~> 4.1)
     rubyzip (2.4.1)
     securerandom (0.4.1)
-    sequel (5.93.0)
+    sequel (5.94.0)
       bigdecimal
     sequel_pg (1.17.2)
       pg (>= 0.18.0, != 1.2.0)
@@ -546,7 +546,7 @@ GEM
       rack-protection (= 3.2.0)
       sinatra (= 3.2.0)
       tilt (~> 2.0)
-    solargraph (0.55.4)
+    solargraph (0.56.0)
       backport (~> 1.2)
       benchmark (~> 0.4)
       bundler (~> 2.0)
@@ -558,6 +558,7 @@ GEM
       observer (~> 0.1)
       ostruct (~> 0.6)
       parser (~> 3.0)
+      prism (~> 1.4)
       rbs (~> 3.3)
       reverse_markdown (~> 3.0)
       rubocop (~> 1.38)
@@ -610,7 +611,7 @@ GEM
     yard (0.9.37)
     yard-solargraph (0.1.0)
       yard (~> 0.9)
-    zeitwerk (2.7.2)
+    zeitwerk (2.7.3)
 
 PLATFORMS
   ruby
@@ -678,7 +679,7 @@ DEPENDENCIES
   rspec-collection_matchers
   rspec-instafail
   rspec-its
-  rspec-rails (~> 8.0.0)
+  rspec-rails (~> 8.0.1)
   rspec-wait
   rspec_api_documentation (>= 6.1.0)
   rubocop (~> 1.75.8)
@@ -689,7 +690,7 @@ DEPENDENCIES
   rubocop-rspec_rails
   rubocop-sequel (~> 0.4.1)
   rubyzip (>= 1.3.0)
-  sequel (~> 5.93)
+  sequel (~> 5.94)
   sequel_pg
   sinatra (~> 3.2)
   sinatra-contrib

app/messages/validators/security_group_rule_validator.rb

@@ -26,29 +26,28 @@ def validate(record)
       end
 
       validate_allowed_keys(rule, record, index)
-
-      add_rule_error("protocol must be 'tcp', 'udp', 'icmp', or 'all'", record, index) unless valid_protocol(rule[:protocol])
+      add_rule_error("protocol must be 'tcp', 'udp', 'icmp', 'icmpv6' or 'all'", record, index) unless valid_protocol(rule[:protocol])
 
       if valid_destination_type(rule[:destination], record, index)
         destinations = rule[:destination].split(',', -1)
         add_rule_error("maximum destinations per rule exceeded - must be under #{MAX_DESTINATIONS_PER_RULE}", record, index) unless destinations.length <= MAX_DESTINATIONS_PER_RULE
 
         destinations.each do |d|
-          validate_destination(d, record, index)
+          validate_destination(d, rule[:protocol], get_allowed_ip_version(rule), record, index)
         end
       end
 
       validate_description(rule, record, index)
       validate_log(rule, record, index)
+      validate_protocol(rule, record, index)
+    end
+  end
 
-      case rule[:protocol]
-      when 'tcp', 'udp'
-        validate_tcp_udp_protocol(rule, record, index)
-      when 'icmp'
-        validate_icmp_protocol(rule, record, index)
-      when 'all'
-        add_rule_error('ports are not allowed for protocols of type all', record, index) if rule[:ports]
-      end
+  def get_allowed_ip_version(rule)
+    if rule[:protocol] == 'icmp'
+      4
+    elsif rule[:protocol] == 'icmpv6'
+      6
     end
   end
 
@@ -57,7 +56,7 @@ def boolean?(value)
   end
 
   def valid_protocol(protocol)
-    protocol.is_a?(String) && %w[tcp udp icmp all].include?(protocol)
+    protocol.is_a?(String) && %w[tcp udp icmp icmpv6 all].include?(protocol)
   end
 
   def validate_allowed_keys(rule, record, index)
@@ -73,6 +72,20 @@ def validate_log(rule, record, index)
     add_rule_error('log must be a boolean', record, index) if rule[:log] && !boolean?(rule[:log])
   end
 
+  def validate_protocol(rule, record, index)
+    case rule[:protocol]
+    when 'tcp', 'udp'
+      validate_tcp_udp_protocol(rule, record, index)
+    when 'icmp'
+      validate_icmp_protocol(rule, record, index)
+    when 'icmpv6'
+      add_rule_error('icmpv6 cannot be used if enable_ipv6 is false', record, index) unless CloudController::RuleValidator.ipv6_enabled?
+      validate_icmp_protocol(rule, record, index)
+    when 'all'
+      add_rule_error('ports are not allowed for protocols of type all', record, index) if rule[:ports]
+    end
+  end
+
   def validate_tcp_udp_protocol(rule, record, index)
     add_rule_error('ports are required for protocols of type TCP and UDP', record, index) unless rule[:ports]
 
@@ -128,7 +141,7 @@ def valid_destination_type(destination, record, index)
     true
   end
 
-  def validate_destination(destination, record, index)
+  def validate_destination(destination, protocol, allowed_ip_version, record, index)
     error_message = 'destination must be a valid CIDR, IP address, or IP address range'
     error_message = 'destination must contain valid CIDR(s), IP address(es), or IP address range(s)' if CloudController::RuleValidator.comma_delimited_destinations_enabled?
     add_rule_error('empty destination specified in comma-delimited list', record, index) if destination.empty?
@@ -137,12 +150,14 @@ def validate_destination(destination, record, index)
 
     zeros_error_message = 'destination octets cannot contain leading zeros'
     add_rule_error(zeros_error_message, record, index) unless CloudController::RuleValidator.no_leading_zeros(address_list)
-
     if address_list.length == 1
-      add_rule_error(error_message, record, index) unless CloudController::RuleValidator.parse_ip(address_list.first)
-
+      parsed_ip = CloudController::RuleValidator.parse_ip(address_list.first)
+      add_rule_error(error_message, record, index) unless parsed_ip
+      add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{parsed_ip.version} addresses", record, index) \
+        unless valid_ip_version?(allowed_ip_version, parsed_ip)
     elsif address_list.length == 2
       ips = CloudController::RuleValidator.parse_ip(address_list)
+
       return add_rule_error('destination IP address range is invalid', record, index) unless ips
 
       sorted_ips = if ips.first.is_a?(NetAddr::IPv4)
@@ -153,12 +168,17 @@ def validate_destination(destination, record, index)
 
       reversed_range_error = 'beginning of IP address range is numerically greater than the end of its range (range endpoints are inverted)'
       add_rule_error(reversed_range_error, record, index) unless ips.first == sorted_ips.first
-
+      add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{ips.first.version} addresses", record, index) \
+        unless valid_ip_version?(allowed_ip_version, sorted_ips.first)
     else
       add_rule_error(error_message, record, index)
     end
   end
 
+  def valid_ip_version?(allowed_ip_version, parsed_ip)
+    parsed_ip.nil? || allowed_ip_version.nil? || parsed_ip.version == allowed_ip_version
+  end
+
   def add_rule_error(message, record, index)
     record.errors.add("Rules[#{index}]:", message)
   end

app/models/helpers/metadata_error.rb

@@ -9,7 +9,7 @@ def self.none
     end
 
     def to_s
-      "#<MetadataError is_valid:#{is_valid?} message:#{message}"
+      "#<MetadataError is_valid:#{is_valid?} message:#{message}>"
     end
   end
 end

app/models/runtime/security_group.rb

@@ -71,7 +71,7 @@ def validate_rules
         validation_errors = case protocol
                             when 'tcp', 'udp'
                               CloudController::TransportRuleValidator.validate(stringified_rule)
-                            when 'icmp'
+                            when 'icmp', 'icmpv6'
                               CloudController::ICMPRuleValidator.validate(stringified_rule)
                             when 'all'
                               CloudController::RuleValidator.validate(stringified_rule)

config/version

@@ -1 +1 @@
-3.197.0
+3.198.0