fix: get_live_service_vips uses config API, require CIDR prefix for ip_range

- tests/integration/conftest.py: get_live_service_vips() now reads from the config API's service_ips field instead of docker exec. The docker exec approach spawns a fresh Python process that imports firewall_manager with its hardcoded initial SERVICE_IPS, ignoring any update_service_ips() calls made at runtime. The config API always computes VIPs from the current ip_range, so it matches what the running app actually uses when writing iptables rules.
- api/app.py: reject ip_range values without a CIDR prefix (e.g. '10.0.0.1') with a 400. Bare IPs are parsed as /32 by ipaddress.ip_network(strict=False), which shifts all VIP offsets and produces unusable Docker subnet configs.
- tests/integration/test_config_api.py: update bare-ip test to expect 400 now that the API enforces the prefix requirement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+4
-1
@@ -447,7 +447,10 @@ def update_config():
|
||||
_ipa.ip_network('192.168.0.0/16'),
|
||||
]
|
||||
try:
|
||||
_net = _ipa.ip_network(identity_updates['ip_range'], strict=False)
|
||||
_raw = str(identity_updates['ip_range'])
|
||||
if '/' not in _raw:
|
||||
return jsonify({'error': 'ip_range must include a CIDR prefix (e.g. 172.20.0.0/16)'}), 400
|
||||
_net = _ipa.ip_network(_raw, strict=False)
|
||||
if not any(_net.subnet_of(r) for r in _rfc1918):
|
||||
return jsonify({'error': (
|
||||
'ip_range must be within an RFC-1918 private range '
|
||||
|
||||
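Review bot: The `if '/' not in _raw:` test is purely syntactic, so a value such as `10.0.0.1/32` (or the netmask form `10.0.0.1/255.255.255.255`) still passes it and, because `strict=False` is kept on the `_ipa.ip_network(_raw, strict=False)` line, yields the same /32 network that the commit message says shifts the VIP offsets and breaks the Docker subnet config. Validate the parsed result rather than the string: after building `_net`, reject it when `_net.prefixlen` is longer than the largest prefix that still leaves room for the service VIPs (that limit is not visible in this hunk), and consider `strict=True` so an input with host bits set is refused instead of being silently masked to its network address. Separately, `str(identity_updates['ip_range'])` coerces non-string JSON values (lists, numbers, null) into their repr before parsing; an explicit `isinstance(..., str)` check returning the same 400 would make the accepted input type clear.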