Merge pull request #641 from joshbranham/handle-invalid-subnet-id-fla…

…g-usage OSD-27029: Guard against improper usage of the --subnet-id flag
openshift · Dec 6, 2024 · 7612e92 · 7612e92
2 parents f8426aa + da0b7b4
commit 7612e92
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/cmd/network/aws.go b/cmd/network/aws.go
@@ -217,7 +217,6 @@ func (e *EgressVerification) isSubnetPublic(ctx context.Context, subnetID string
 	var routeTable string
 
 	// Try and find a Route Table associated with the given subnet
-
 	routeTable, err := utils.FindRouteTableForSubnetForVerification(e.awsClient, subnetID)
 
 	// Check that the RouteTable for the subnet has a default route to 0.0.0.0/0

diff --git a/cmd/network/verification.go b/cmd/network/verification.go
@@ -121,6 +121,9 @@ func NewCmdValidateEgress() *cobra.Command {
   # Override automatic selection of a subnet or security group id
   osdctl network verify-egress --cluster-id my-rosa-cluster --subnet-id subnet-abcd --security-group sg-abcd
 
+  # Run against multiple manually supplied subnet IDs
+  osdctl network verify-egress --cluster-id my-rosa-cluster --subnet-id subnet-abcd --subnet-id subnet-efgh
+
   # Override automatic selection of the list of endpoints to check
   osdctl network verify-egress --cluster-id my-rosa-cluster --platform hostedcluster
 
@@ -174,6 +177,10 @@ func (e *EgressVerification) Run(ctx context.Context) {
 	}
 	e.log = logger
 
+	if err := e.validateInput(); err != nil {
+		log.Fatalf("network verification failed to validate input: %s", err)
+	}
+
 	e.cpuArch = cpu.ArchitectureByName(e.CpuArchName)
 	if e.CpuArchName != "" && !e.cpuArch.IsValid() {
 		log.Fatalf("%s is not a valid CPU architecture", e.CpuArchName)
@@ -522,6 +529,16 @@ func (e *EgressVerification) fetchCluster(ctx context.Context) error {
 	return nil
 }
 
+func (e *EgressVerification) validateInput() error {
+	// Validate proper usage of --subnet-id flag
+	if len(e.SubnetIds) == 1 && len(strings.Split(e.SubnetIds[0], ",")) > 1 {
+		return fmt.Errorf("multiple subnets passed to a single --subnet-id flag, you must pass the flag per subnet, eg " +
+			"--subnet-id foo --subnet-id bar")
+	}
+
+	return nil
+}
+
 func printVersion() {
 	version, err := utils.GetDependencyVersion(networkVerifierDepPath)
 	if err != nil {

diff --git a/pkg/utils/network.go b/pkg/utils/network.go
@@ -88,7 +88,6 @@ func findDefaultRouteTableForVPC(awsClient aws.Client, vpcID string) (string, er
 // Try and find a Route Table associated with the given subnet for Egress Verification
 
 func FindRouteTableForSubnetForVerification(verificationAwsClient verificationAWSClient, subnetID string) (string, error) {
-
 	var routeTable string
 	describeRouteTablesOutput, err := verificationAwsClient.DescribeRouteTables(context.TODO(), &ec2.DescribeRouteTablesInput{
 		Filters: []types.Filter{