Handle duplicate/invalid entries in migration SSH inbound addresses

An error (e.g a typo) in a custom tripleo-heat-templates environment
file could lead to an invalid match block in /etc/ssh/sshd_config.
SSH fails-safe and refuses all logins in this case.

This change validates the migration_ssh_localaddrs parameter is an
array of IP addresses and removes and duplicate entries.

Change-Id: Ibcf144d960fe52f0eab0d5015bd30cf7c1e37e25
Closes-Bug: #1688308

1 files changed, 7 insertions, 3 deletions

diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index 6065e62..d786940 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -129,6 +129,10 @@ class tripleo::profile::base::nova (
     $memcache_servers = suffix(hiera('memcached_node_ips'), ':11211')
   }
 
+  validate_array($migration_ssh_localaddrs)
+  $migration_ssh_localaddrs.each |$x| { validate_ip_address($x) }
+  $migration_ssh_localaddrs_real = unique($migration_ssh_localaddrs)
+
   if $step >= 4 or ($step >= 3 and $sync_db) {
     $oslomsg_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_use_ssl)))
     include ::nova::config
@@ -183,10 +187,10 @@ class tripleo::profile::base::nova (
         # Nova SSH tunnel setup (cold-migration)
 
         # Server side
-        if !empty($migration_ssh_localaddrs) {
-          $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs,','))
+        if !empty($migration_ssh_localaddrs_real) {
+          $allow_type = sprintf('LocalAddress %s User', join($migration_ssh_localaddrs_real,','))
           $deny_type = 'LocalAddress'
-          $deny_name = sprintf('!%s', join($migration_ssh_localaddrs,',!'))
+          $deny_name = sprintf('!%s', join($migration_ssh_localaddrs_real,',!'))
 
           ssh::server::match_block { 'nova_migration deny':
             name    => $deny_name,