From 9a366b8ca146a248b33fcdc98b1d56345b3e36c6 Mon Sep 17 00:00:00 2001
From: huabing zhao
Date: Thu, 23 May 2024 15:34:44 -0700
Subject: [PATCH] address comments
Signed-off-by: huabing zhao
---
 api/v1alpha1/authorization_types.go | 2 +-
 api/v1alpha1/shared_types.go | 5 +++++
 api/v1alpha1/zz_generated.deepcopy.go | 2 +-
 .../gateway.envoyproxy.io_securitypolicies.yaml | 4 ++++
 internal/gatewayapi/securitypolicy.go | 2 +-
 .../securitypolicy-with-authoriztion.in.yaml | 3 ---
 .../securitypolicy-with-authoriztion.out.yaml | 3 ---
 site/content/en/latest/api/extension_types.md | 14 +++++++++++++-
 8 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index e49c7410b24..02db76e15f9 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -50,7 +50,7 @@ type Principal struct {
 // or the proxy protocol.
 // You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
 // the `ClientTrafficPolicy` to configure how the client IP is detected.
- ClientCIDRs []string `json:"clientCIDRs,omitempty"`
+ ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"`
 }
 // AuthorizationAction defines the action to be taken if a rule matches.
diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go
index e07c8ec158e..7446ccf368d 100644
--- a/api/v1alpha1/shared_types.go
+++ b/api/v1alpha1/shared_types.go
@@ -446,3 +446,8 @@ type BackendRef struct {
 // Only service Kind is supported for now.
 gwapiv1.BackendObjectReference `json:",inline"`
 }
+
+// CIDR defines a CIDR Address range.
+// A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+// +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))`
+type CIDR string
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index b4ab56fe21e..dc713cdf55e 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -3363,7 +3363,7 @@ func (in *Principal) DeepCopyInto(out *Principal) {
 *out = *in
 if in.ClientCIDRs != nil {
 in, out := &in.ClientCIDRs, &out.ClientCIDRs
- *out = make([]string, len(*in))
+ *out = make([]CIDR, len(*in))
 copy(*out, *in)
 }
 }
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 1041c204c0d..289480e09eb 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
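Review bot: The validation pattern on the new CIDR type is not anchored, and a CRD `pattern` is applied as an unanchored Go regexp match, so the apiserver will accept any string that merely contains a CIDR-shaped substring with arbitrary text before or after it; wrapping the whole expression as `^(...)$` makes the check cover the entire field. Even anchored, the trailing `\/([0-9]+)` admits out-of-range prefix lengths such as `/999`, and the `fe80:…%zone` branch admits zoned IPv6 addresses, so the translator's `parseCIDR` call in the securitypolicy.go hunk presumably remains the authoritative check and the CRD pattern is only a first-line filter. I would state that above the marker, e.g. `// The pattern is a syntactic pre-check only; prefix length and address validity are enforced by the translator.`, so nobody later relies on admission validation alone.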
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -99,6 +99,10 @@ spec:
 You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
 the `ClientTrafficPolicy` to configure how the client IP is detected.
 items:
+ description: |-
+ CIDR defines a CIDR Address range.
+ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+ pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
 type: string
 type: array
 type: object
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 972dc039bd9..abd5b20ecab 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -879,7 +879,7 @@ func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Auth
 principal := ir.Principal{}
 for _, cidr := range rule.Principal.ClientCIDRs {
- cidrMatch, err := parseCIDR(cidr)
+ cidrMatch, err := parseCIDR(string(cidr))
 if err != nil {
 return nil, fmt.Errorf("unable to translate authorization rule: %w", err)
 }
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml
index 57ed9a378b2..fe89f0dd84a 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml
@@ -77,7 +77,6 @@ securityPolicies:
 metadata:
 namespace: envoy-gateway
 name: policy-for-gateway # This policy should attach httproute-2
- uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 targetRef:
 group: gateway.networking.k8s.io
@@ -96,7 +95,6 @@ securityPolicies:
 metadata:
 namespace: default
 name: policy-for-http-route-1 # This policy should attach httproute-1
- uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 targetRef:
 group: gateway.networking.k8s.io
@@ -122,7 +120,6 @@ securityPolicies:
 metadata:
 namespace: default
 name: policy-for-http-route-3 # This policy should attach httproute-3
- uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 targetRef:
 group: gateway.networking.k8s.io
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml
index b8f3876609c..1f6103bb2c2 100755
--- a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml
@@ -177,7 +177,6 @@ securityPolicies:
 creationTimestamp: null
 name: policy-for-http-route-1
 namespace: default
- uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 authorization:
 defaultAction: Allow
@@ -219,7 +218,6 @@ securityPolicies:
 creationTimestamp: null
 name: policy-for-http-route-3
 namespace: default
- uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 authorization:
 defaultAction: null
@@ -248,7 +246,6 @@ securityPolicies:
 creationTimestamp: null
 name: policy-for-gateway
 namespace: envoy-gateway
- uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 authorization:
 defaultAction: Deny
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index fddee062e33..e44fa36a6cf 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -455,6 +455,18 @@ _Appears in:_
 | `Replace` | Replace replaces the default bootstrap with the provided one.
|
+#### CIDR
+
+_Underlying type:_ _string_
+
+CIDR defines a CIDR Address range.
+A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+
+_Appears in:_
+- [Principal](#principal)
+
+
+
 #### CORS
@@ -2444,7 +2456,7 @@ _Appears in:_
 | Field | Type | Required | Description |
 | --- | --- | --- | --- |
-| `clientCIDRs` | _string array_ | true | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

The client IP is inferred from the x-forwarder-for header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. |
+| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

The client IP is inferred from the x-forwarder-for header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. |
 #### ProcessingModeOptions