From e6f6af6b937c4eeb02293eb9f29cec8217f20779 Mon Sep 17 00:00:00 2001
From: Panagiotis Xynos
Date: Fri, 11 Jan 2019 15:11:32 +0000
Subject: [PATCH] check that user IP is contained in director security group cidrs

this allows for CIDRs in the security group other than /32

Signed-off-by: Colin Simmons
---
 iaas/aws.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/iaas/aws.go b/iaas/aws.go
index 2d5feff5..50c09155 100644
--- a/iaas/aws.go
+++ b/iaas/aws.go
@@ -2,6 +2,7 @@ package iaas
 
 import (
 	"fmt"
+	"net"
 	"strings"
 	"time"
 
@@ -112,7 +113,7 @@ func (a *AWSProvider) listZones() ([]string, error) {
 
 // CheckForWhitelistedIP checks if the specified IP is whitelisted in the security group
 func (a *AWSProvider) CheckForWhitelistedIP(ip, securityGroup string) (bool, error) {
-	cidr := fmt.Sprintf("%s/32", ip)
+	parsedIP := net.ParseIP(ip)
 
 	ec2Client := ec2.New(a.sess)
 
@@ -130,7 +131,11 @@ func (a *AWSProvider) CheckForWhitelistedIP(ip, securityGroup string) (bool, err
 	port22, port6868, port25555 := false, false, false
 	for _, entry := range ingressPermissions {
 		for _, sgIP := range entry.IpRanges {
-			checkPorts(*sgIP.CidrIp, cidr, &port22, &port6868, &port25555, *entry.FromPort)
+			_, parsedCIDR, err := net.ParseCIDR(*sgIP.CidrIp)
+			if err != nil {
+				return false, err
+			}
+			checkPorts(parsedCIDR, parsedIP, &port22, &port6868, &port25555, *entry.FromPort)
 		}
 	}
 
@@ -141,8 +146,8 @@ func (a *AWSProvider) CheckForWhitelistedIP(ip, securityGroup string) (bool, err
 		return false, nil
 	}
 
-func checkPorts(sgCidr, cidr string, port22, port6868, port25555 *bool, fromPort int64) {
-	if sgCidr == cidr {
+func checkPorts(cidr *net.IPNet, ip net.IP, port22, port6868, port25555 *bool, fromPort int64) {
+	if cidr.Contains(ip) {
 		switch fromPort {
 		case 22:
 			*port22 = true
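Review bot: `parsedIP := net.ParseIP(ip)` is never checked for nil, so a malformed `ip` makes every later `cidr.Contains(parsedIP)` in checkPorts return false and the function quietly reports "not whitelisted" instead of surfacing the bad input; add `if parsedIP == nil { return false, fmt.Errorf("invalid IP address %q", ip) }` directly after the parse. The doc comment above the function should also record the widened semantics now that the exact /32 comparison is gone: `// CheckForWhitelistedIP reports whether ip lies within the CIDR of an ingress rule for the required ports; any containing range, including a wide-open 0.0.0.0/0 rule, satisfies the check.` Which ports must all match is decided outside this hunk, so confirm that wording against the tail of the function. CheckForWhitelistedIP's body continues outside the hunk.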
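Review bot: The error from `net.ParseCIDR(*sgIP.CidrIp)` is returned bare, so a caller cannot tell which security group or rule carried the unparseable range; return `fmt.Errorf("parsing CIDR %q of security group %s: %v", *sgIP.CidrIp, securityGroup, err)` instead (use `%w` only if the module already targets Go 1.13 or later). Only `entry.IpRanges` is walked, so an IPv6 rule in the permission's separate IPv6 range list would not be considered; that is unchanged from the old code, but if IPv6 callers are possible it deserves a one-line comment on the inner loop. CheckForWhitelistedIP's body continues outside the hunk.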
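Review bot: checkPorts still has no doc comment, and its first parameter keeps the name `cidr` even though it now carries the security-group rule's range rather than the caller's /32; rename it to `ruleCIDR` and add `// checkPorts sets the flag matching fromPort when ip falls within ruleCIDR; a nil ip never matches.` above the signature. The nil-ip remark documents what `(*net.IPNet).Contains` does with a nil IP, which matters because the caller passes the unchecked result of net.ParseIP. checkPorts's body continues outside the hunk.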