Handle cidrs correctly

2025-07-28 14:44:55 +02:00 · 2025-04-16 22:07:07 -04:00 · 2025-04-16 22:07:07 -04:00 · d664aa204f
commit d664aa204f
parent db0328fa71
4 changed files with 34 additions and 14 deletions
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@ -275,12 +275,3 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {

    return subnet;
 }
-
-export function isValidCidr(cidr: string): boolean {
-    try {
-        cidrToRange(cidr);
-        return true;
-    } catch (e) {
-        return false;
-    }
-}
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@ -9,7 +9,8 @@ import {
    userClients,
    olms,
    clientSites,
-    exitNodes
+    exitNodes,
+    orgs
 } from "@server/db/schema";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@ -19,7 +20,8 @@ import { eq, and } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import moment from "moment";
 import { hashPassword } from "@server/auth/password";
-import { isValidCIDR } from "@server/lib/validators";
+import { isValidCIDR, isValidIP } from "@server/lib/validators";
+import { isIpInCidr } from "@server/lib/ip";

 const createClientParamsSchema = z
    .object({
@ -78,7 +80,7 @@ export async function createClient(
            );
        }

-        if (subnet && !isValidCIDR(subnet)) {
+        if (subnet && !isValidIP(subnet)) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
@ -87,6 +89,31 @@ export async function createClient(
            );
        }

+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));
+
+        if (!org) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Organization with ID ${orgId} not found`
+                )
+            );
+        }
+
+        if (subnet && !isIpInCidr(subnet, org.subnet)) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "IP is not in the CIDR range of the subnet."
+                )
+            );
+        }
+
+        const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`; // we want the block size of the whole org
+
        await db.transaction(async (trx) => {
            // TODO: more intelligent way to pick the exit node

@ -123,7 +150,7 @@ export async function createClient(
                    exitNodeId: exitNode.exitNodeId,
                    orgId,
                    name,
-                    subnet,
+                    subnet: updatedSubnet,
                    type
                })
                .returning();
--- a/server/routers/client/pickClientDefaults.ts
+++ b/server/routers/client/pickClientDefaults.ts
@ -44,7 +44,7 @@ export async function pickClientDefaults(

        const newSubnet = await getNextAvailableClientSubnet(orgId);

-        const subnet = `${newSubnet.split("/")[0]}/${config.getRawConfig().orgs.block_size}`; // we want the block size of the whole org
+        const subnet = newSubnet.split("/")[0];

        return response<PickClientDefaultsResponse>(res, {
            data: {
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@ -73,6 +73,8 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
            return;
        }

+        // TODO: WE NEED TO PULL THE CIDR FROM THE DB SUBNET ON THE ORG INSTEAD BECAUSE IT CAN BE DIFFERENT
+        // TODO: SOMEHOW WE NEED TO ALLOW THEM TO PUT IN THEIR OWN ADDRESS
        address = `${address.split("/")[0]}/${config.getRawConfig().orgs.block_size}`; // we want the block size of the whole org

        // Update the site with new WireGuard info