fix: don't allow random IPs

This is another guard against potentially corrupted data in Nautobot.

Author: skrobul

python/understack-workflows/tests/test_netapp_value_objects.py

@@ -436,10 +436,10 @@ def test_from_nexthop_ip_third_octet_128(self):
     def test_from_nexthop_ip_various_valid_ips(self):
         """Test route destination calculation with various valid IP patterns."""
         test_cases = [
-            ("192.168.0.1", "100.126.0.0/17"),
-            ("10.0.0.254", "100.126.0.0/17"),
-            ("172.16.128.1", "100.126.128.0/17"),
-            ("203.0.128.100", "100.126.128.0/17"),
+            ("100.64.0.1", "100.126.0.0/17"),
+            ("100.65.0.254", "100.126.0.0/17"),
+            ("100.66.128.1", "100.126.128.0/17"),
+            ("100.67.128.100", "100.126.128.0/17"),
         ]
 
         for nexthop_ip, expected_destination in test_cases:
@@ -490,6 +490,182 @@ def test_calculate_destination_invalid_ip_format(self):
             with pytest.raises((ValueError, ipaddress.AddressValueError)):
                 RouteSpec._calculate_destination(invalid_format)
 
+    def test_calculate_destination_comprehensive_third_octet_zero(self):
+        """Test comprehensive route destination calculation for third octet = 0."""
+        # Test various IP addresses with third octet = 0 within 100.64.0.0/10 subnet
+        test_ips = [
+            "100.64.0.1",
+            "100.65.0.1",
+            "100.66.0.254",
+            "100.67.0.100",
+            "100.68.0.3",
+            "100.127.0.255",
+        ]
+
+        for ip in test_ips:
+            destination = RouteSpec._calculate_destination(ip)
+            assert destination == "100.126.0.0/17", f"Failed for IP: {ip}"
+
+    def test_calculate_destination_comprehensive_third_octet_128(self):
+        """Test comprehensive route destination calculation for third octet = 128."""
+        # Test various IP addresses with third octet = 128 within 100.64.0.0/10 subnet
+        test_ips = [
+            "100.64.128.1",
+            "100.65.128.1",
+            "100.66.128.254",
+            "100.67.128.100",
+            "100.68.128.3",
+            "100.127.128.255",
+        ]
+
+        for ip in test_ips:
+            destination = RouteSpec._calculate_destination(ip)
+            assert destination == "100.126.128.0/17", f"Failed for IP: {ip}"
+
+    def test_calculate_destination_comprehensive_invalid_patterns(self):
+        """Test comprehensive error handling for all invalid third octet values."""
+        # Test all invalid third octet values (not 0 or 128) within 100.64.0.0/10 subnet
+        invalid_third_octets = [1, 2, 63, 64, 127, 129, 192, 254, 255]
+
+        for third_octet in invalid_third_octets:
+            invalid_ip = f"100.64.{third_octet}.1"
+            with pytest.raises(ValueError, match="Unsupported IP pattern"):
+                RouteSpec._calculate_destination(invalid_ip)
+
+    def test_from_nexthop_ip_comprehensive_valid_patterns(self):
+        """Test RouteSpec.from_nexthop_ip with comprehensive valid IP patterns."""
+        # Test cases: (nexthop_ip, expected_destination) - all within 100.64.0.0/10
+        test_cases = [
+            # Third octet = 0 cases
+            ("100.64.0.1", "100.126.0.0/17"),
+            ("100.65.0.254", "100.126.0.0/17"),
+            ("100.66.0.100", "100.126.0.0/17"),
+            ("100.67.0.50", "100.126.0.0/17"),
+            ("100.127.0.17", "100.126.0.0/17"),  # From design document example
+            # Third octet = 128 cases
+            ("100.64.128.1", "100.126.128.0/17"),
+            ("100.65.128.254", "100.126.128.0/17"),
+            ("100.66.128.100", "100.126.128.0/17"),
+            ("100.67.128.50", "100.126.128.0/17"),
+            ("100.127.128.17", "100.126.128.0/17"),  # From design document example
+        ]
+
+        svm_name = "os-550e8400-e29b-41d4-a716-446655440000"  # Valid UUID format
+
+        for nexthop_ip, expected_destination in test_cases:
+            spec = RouteSpec.from_nexthop_ip(svm_name, nexthop_ip)
+            assert spec.svm_name == svm_name
+            assert spec.gateway == nexthop_ip
+            assert spec.destination == expected_destination
+
+    def test_from_nexthop_ip_comprehensive_invalid_patterns(self):
+        """Test RouteSpec.from_nexthop_ip with comprehensive invalid IP patterns."""
+        svm_name = "os-550e8400-e29b-41d4-a716-446655440000"
+
+        # Test invalid third octet values within 100.64.0.0/10 subnet
+        invalid_third_octets = [1, 2, 63, 64, 127, 129, 192, 254, 255]
+
+        for third_octet in invalid_third_octets:
+            invalid_ip = f"100.64.{third_octet}.1"
+            with pytest.raises(ValueError, match="Unsupported IP pattern"):
+                RouteSpec.from_nexthop_ip(svm_name, invalid_ip)
+
+    def test_from_nexthop_ip_edge_cases(self):
+        """Test RouteSpec.from_nexthop_ip with edge case IP addresses."""
+        svm_name = "os-550e8400-e29b-41d4-a716-446655440000"
+
+        # Edge cases for third octet = 0 within 100.64.0.0/10 subnet
+        edge_cases_zero = [
+            "100.64.0.1",
+            "100.127.0.1",
+            "100.65.0.1",
+        ]
+
+        for ip in edge_cases_zero:
+            spec = RouteSpec.from_nexthop_ip(svm_name, ip)
+            assert spec.destination == "100.126.0.0/17"
+            assert spec.gateway == ip
+
+        # Edge cases for third octet = 128 within 100.64.0.0/10 subnet
+        edge_cases_128 = [
+            "100.64.128.1",
+            "100.127.128.255",
+            "100.65.128.1",
+        ]
+
+        for ip in edge_cases_128:
+            spec = RouteSpec.from_nexthop_ip(svm_name, ip)
+            assert spec.destination == "100.126.128.0/17"
+            assert spec.gateway == ip
+
+    def test_calculate_destination_boundary_values(self):
+        """Test _calculate_destination with boundary values for third octet."""
+        # Test exact boundary values within 100.64.0.0/10 subnet
+        assert RouteSpec._calculate_destination("100.64.0.1") == "100.126.0.0/17"
+        assert RouteSpec._calculate_destination("100.64.128.1") == "100.126.128.0/17"
+
+        # Test values just outside boundaries should fail
+        with pytest.raises(ValueError, match="Unsupported IP pattern"):
+            RouteSpec._calculate_destination("100.64.1.1")  # Just above 0
+
+        with pytest.raises(ValueError, match="Unsupported IP pattern"):
+            RouteSpec._calculate_destination("100.64.127.1")  # Just below 128
+
+        with pytest.raises(ValueError, match="Unsupported IP pattern"):
+            RouteSpec._calculate_destination("100.64.129.1")  # Just above 128
+
+    def test_calculate_destination_subnet_validation(self):
+        """Test _calculate_destination validates IP is within 100.64.0.0/10 subnet."""
+        # Test IPs outside 100.64.0.0/10 subnet should fail
+        invalid_subnet_ips = [
+            "192.168.0.1",  # Private network
+            "10.0.0.1",  # Private network
+            "172.16.0.1",  # Private network
+            "8.8.8.8",  # Public network
+            "100.63.0.1",  # Just below 100.64.0.0/10
+            "100.128.0.1",  # Just above 100.64.0.0/10
+            "101.64.0.1",  # Outside range
+            "99.64.0.1",  # Outside range
+        ]
+
+        for invalid_ip in invalid_subnet_ips:
+            with pytest.raises(ValueError, match="not within required 100.64.0.0/10"):
+                RouteSpec._calculate_destination(invalid_ip)
+
+    def test_from_nexthop_ip_subnet_validation(self):
+        """Test RouteSpec.from_nexthop_ip validates IP is within 100.64.0.0/10."""
+        svm_name = "os-550e8400-e29b-41d4-a716-446655440000"
+
+        # Test IPs outside 100.64.0.0/10 subnet should fail
+        invalid_subnet_ips = [
+            "192.168.0.1",  # Private network
+            "10.0.0.1",  # Private network
+            "172.16.128.1",  # Private network
+            "8.8.8.8",  # Public network
+            "100.63.0.1",  # Just below 100.64.0.0/10
+            "100.128.0.1",  # Just above 100.64.0.0/10
+        ]
+
+        for invalid_ip in invalid_subnet_ips:
+            with pytest.raises(ValueError, match="not within required 100.64.0.0/10"):
+                RouteSpec.from_nexthop_ip(svm_name, invalid_ip)
+
+    def test_calculate_destination_valid_subnet_range(self):
+        """Test _calculate_destination accepts valid IPs within 100.64.0.0/10 subnet."""
+        # Test boundary IPs within 100.64.0.0/10 subnet
+        valid_subnet_ips = [
+            ("100.64.0.1", "100.126.0.0/17"),  # Start of range, third octet 0
+            ("100.64.128.1", "100.126.128.0/17"),  # Start of range, third octet 128
+            ("100.127.0.1", "100.126.0.0/17"),  # End of range, third octet 0
+            ("100.127.128.1", "100.126.128.0/17"),  # End of range, third octet 128
+            ("100.65.0.100", "100.126.0.0/17"),  # Middle of range, third octet 0
+            ("100.66.128.200", "100.126.128.0/17"),  # Middle of range, third octet 128
+        ]
+
+        for valid_ip, expected_destination in valid_subnet_ips:
+            destination = RouteSpec._calculate_destination(valid_ip)
+            assert destination == expected_destination
+
 
 class TestRouteResult:
     """Test cases for RouteResult value object."""

python/understack-workflows/understack_workflows/netapp/value_objects.py

@@ -212,9 +212,17 @@ def _calculate_destination(nexthop_ip: str) -> str:
             str: Route destination in CIDR format
 
         Raises:
-            ValueError: If IP pattern is not supported (third octet not 0 or 128)
+            ValueError: If IP is not in 100.64.0.0/10 subnet or third octet not 0 or 128
         """
         ip = ipaddress.IPv4Address(nexthop_ip)
+
+        # Validate that IP is within 100.64.0.0/10 subnet
+        carrier_grade_nat_network = ipaddress.IPv4Network("100.64.0.0/10")
+        if ip not in carrier_grade_nat_network:
+            raise ValueError(
+                f"IP address {nexthop_ip} is not within required 100.64.0.0/10 subnet"
+            )
+
         third_octet = int(str(ip).split(".")[2])
 
         if third_octet == 0: