Add test for icmpv6 with IPv6 address range

jochenehret · jochenehret · commit f305692b304c · 2025-07-04T10:44:29.000+02:00
* and fix version check
diff --git a/app/messages/validators/security_group_rule_validator.rb b/app/messages/validators/security_group_rule_validator.rb
@@ -26,7 +26,6 @@ def validate(record)
       end
 
       validate_allowed_keys(rule, record, index)
-
       add_rule_error("protocol must be 'tcp', 'udp', 'icmp', 'icmpv6' or 'all'", record, index) unless valid_protocol(rule[:protocol])
 
       if valid_destination_type(rule[:destination], record, index)
@@ -46,9 +45,9 @@ def validate(record)
 
   def get_allowed_ip_version(rule)
     if rule[:protocol] == 'icmp'
-      NetAddr::IPv4Net
+      4
     elsif rule[:protocol] == 'icmpv6'
-      NetAddr::IPv6Net
+      6
     end
   end
 
@@ -158,6 +157,7 @@ def validate_destination(destination, protocol, allowed_ip_version, record, inde
         unless valid_ip_version?(allowed_ip_version, parsed_ip)
     elsif address_list.length == 2
       ips = CloudController::RuleValidator.parse_ip(address_list)
+
       return add_rule_error('destination IP address range is invalid', record, index) unless ips
 
       sorted_ips = if ips.first.is_a?(NetAddr::IPv4)
@@ -169,14 +169,14 @@ def validate_destination(destination, protocol, allowed_ip_version, record, inde
       reversed_range_error = 'beginning of IP address range is numerically greater than the end of its range (range endpoints are inverted)'
       add_rule_error(reversed_range_error, record, index) unless ips.first == sorted_ips.first
       add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{ips.first.version} addresses", record, index) \
-        unless valid_ip_version?(allowed_ip_version, ips.first)
+        unless valid_ip_version?(allowed_ip_version, sorted_ips.first)
     else
       add_rule_error(error_message, record, index)
     end
   end
 
   def valid_ip_version?(allowed_ip_version, parsed_ip)
-    parsed_ip.nil? || allowed_ip_version.nil? || parsed_ip.is_a?(allowed_ip_version)
+    parsed_ip.nil? || allowed_ip_version.nil? || parsed_ip.version == allowed_ip_version
   end
 
   def add_rule_error(message, record, index)
diff --git a/spec/unit/messages/validators/security_group_rule_validator_spec.rb b/spec/unit/messages/validators/security_group_rule_validator_spec.rb
@@ -1408,6 +1408,23 @@ def self.name
           end
         end
 
+        context 'icmpv6 protocol contains an IPv6 destination range' do
+          let(:rules) do
+            [
+              {
+                protocol: 'icmpv6',
+                destination: '2001:0db8::1-2001:0db8::ff',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is valid' do
+            expect(subject).to be_valid
+          end
+        end
+
         context 'icmpv6 protocol contains a comma-delimited list of IPv6 destinations' do
           before do
             TestConfig.config[:security_groups][:enable_comma_delimited_destinations] = true
