diff --git a/app/models/white_ip.rb b/app/models/white_ip.rb index 02840263f..44db5c33d 100644 --- a/app/models/white_ip.rb +++ b/app/models/white_ip.rb @@ -39,13 +39,11 @@ class WhiteIp < ApplicationRecord def validate_max_ip_count return if errors.any? - total_exist = calculate_total_network_addresses(registrar.white_ips) - total_current = calculate_total_network_addresses([self]) - total = total_exist + total_current - limit = Setting.ip_whitelist_max_count - return unless total >= limit - - errors.add(:base, :ip_limit_exceeded, total: total, limit: limit) + if ipv4.present? + validate_ipv4_limit + elsif ipv6.present? + validate_ipv6_range + end end def valid_ipv4? @@ -106,21 +104,39 @@ class WhiteIp < ApplicationRecord end end - def count_network_addresses(ip) - address = IPAddr.new(ip) + def validate_ipv4_limit + total_exist = calculate_total_ipv4_addresses(registrar.white_ips) + total_current = calculate_total_ipv4_addresses([self]) + total = total_exist + total_current + limit = Setting.ip_whitelist_max_count + return unless total >= limit - if address.ipv4? - subnet_mask = address.prefix - (2**(32 - subnet_mask) - 2).abs - elsif address.ipv6? - subnet_mask = address.prefix - (2**(128 - subnet_mask) - 2).abs - else - 0 + errors.add(:base, :ip_limit_exceeded, total: total, limit: limit) + end + + def validate_ipv6_range + return unless ipv6.present? + + address = IPAddr.new(ipv6) + subnet_mask = address.prefix + + unless subnet_mask == 128 || subnet_mask == 64 + errors.add(:base, :ipv6_must_be_single_or_64_range) end end - def calculate_total_network_addresses(ips) - ips.sum { |ip| count_network_addresses(ip.ipv4.presence || ip.ipv6) } + def calculate_total_ipv4_addresses(ips) + ips.sum do |ip| + next 0 unless ip.ipv4.present? + count_ipv4_addresses(ip.ipv4) + end + end + + def count_ipv4_addresses(ip) + address = IPAddr.new(ip) + return 0 unless address.ipv4? + + subnet_mask = address.prefix + (2**(32 - subnet_mask) - 2).abs end end diff --git a/config/locales/en.yml b/config/locales/en.yml index 3b3cbb5b6..f9a144dba 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -155,6 +155,7 @@ en: ipv4_or_ipv6_must_be_present: 'IPv4 or IPv6 must be present' ip_must_be_one: 'Please enter only one IP address' ip_limit_exceeded: 'IP address limit exceeded. Total addresses: %{total}. Limit: %{limit}.' + ipv6_must_be_single_or_64_range: 'IPv6 address must be either a single address or a /64 range' ipv4: taken: 'has already been taken' ipv6: diff --git a/test/models/white_ip_test.rb b/test/models/white_ip_test.rb index 8541bb100..1c38c48c1 100644 --- a/test/models/white_ip_test.rb +++ b/test/models/white_ip_test.rb @@ -53,6 +53,35 @@ class WhiteIpTest < ActiveSupport::TestCase assert_not WhiteIp.include_ip?('192.168.1.1') end + def test_validates_ipv6_64_range + white_ip = WhiteIp.new + white_ip.registrar = registrars(:bestnames) + white_ip.ipv6 = '2001:db8::/64' + + assert white_ip.valid?, 'IPv6 /64 range should be valid' + end + + def test_validates_ipv6_single_address + white_ip = WhiteIp.new + white_ip.registrar = registrars(:bestnames) + white_ip.ipv6 = '2001:db8::1' + + assert white_ip.valid?, 'Single IPv6 address should be valid' + end + + def test_rejects_invalid_ipv6_range + white_ip = WhiteIp.new + white_ip.registrar = registrars(:bestnames) + + white_ip.ipv6 = '2001:db8::/48' + assert white_ip.invalid?, 'IPv6 /48 range should be invalid' + assert_includes white_ip.errors.full_messages, 'IPv6 address must be either a single address or a /64 range' + + white_ip.ipv6 = '2001:db8::/96' + assert white_ip.invalid?, 'IPv6 /96 range should be invalid' + assert_includes white_ip.errors.full_messages, 'IPv6 address must be either a single address or a /64 range' + end + private def valid_white_ip