test: add normalized ASN validation coverage

Fixes https://github.com/fosrl/newt/issues/383

.github/workflows/cicd.yml

@@ -62,7 +62,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Monitor storage space
               run: |
@@ -134,7 +134,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Monitor storage space
               run: |
@@ -201,7 +201,7 @@ jobs:
         timeout-minutes: 30
         steps:
             - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Log in to Docker Hub
               uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -256,7 +256,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Extract tag name
               id: get-tag

.github/workflows/linting.yml

@@ -21,7 +21,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Set up Node.js
               uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Build Docker image sqlite
         run: make dev-build-sqlite
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Build Docker image pg
         run: make dev-build-pg

server/lib/validators.test.ts

@@ -1,4 +1,7 @@
-import { isValidUrlGlobPattern } from "./validators";
+import {
+    getResourceRuleValueValidationError,
+    isValidUrlGlobPattern
+} from "./validators";
 import { assertEquals } from "@test/assert";
 
 function runTests() {
@@ -236,6 +239,43 @@ function runTests() {
         "Path with isolated percent sign should be invalid"
     );
 
+    // ASN validation tests
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", "AS15169"),
+        null,
+        "Standard ASN should be valid"
+    );
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", "  As15169  "),
+        null,
+        "Standard ASN should be valid with mixed case and whitespace"
+    );
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", "ALL"),
+        null,
+        "ALL ASN selector should be valid"
+    );
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", " all "),
+        null,
+        "ALL ASN selector should be valid with mixed case and whitespace"
+    );
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", "AS0"),
+        null,
+        "AS0 alias should be valid"
+    );
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", " as0 "),
+        null,
+        "AS0 alias should be valid with mixed case and whitespace"
+    );
+    assertEquals(
+        getResourceRuleValueValidationError("ASN", "not-an-asn"),
+        "Invalid ASN provided",
+        "Invalid ASN should return an error"
+    );
+
     console.log("All tests passed!");
 }
 

server/lib/validators.ts

@@ -100,7 +100,10 @@ export function getResourceRuleValueValidationError(
                 ? null
                 : "Invalid country code provided";
         case "ASN":
-            return /^AS\d+$/i.test(value.trim())
+            const normalizedValue = value.trim().toUpperCase();
+            return /^AS\d+$/.test(normalizedValue) ||
+                normalizedValue === "ALL" ||
+                normalizedValue === "AS0"
                 ? null
                 : "Invalid ASN provided";
         default:

src/components/newt-install-commands.tsx

@@ -139,7 +139,6 @@ Restart=always
 RestartSec=2
 UMask=0077
 
-NoNewPrivileges=true
 PrivateTmp=true
 
 [Install]

src/components/resource-policy/policy-access-rule-validation.ts

@@ -83,9 +83,19 @@ export function createPolicyRuleValueSchema(t: TranslateFn, match: string) {
                 { message: t("rulesErrorInvalidCountryDescription") }
             );
         case "ASN":
-            return required.refine((value) => /^AS\d+$/i.test(value.trim()), {
-                message: t("rulesErrorInvalidAsnDescription")
-            });
+            return required.refine(
+                (value) => {
+                    const normalizedValue = value.trim().toUpperCase();
+                    return (
+                        /^AS\d+$/.test(normalizedValue) ||
+                        normalizedValue === "ALL" ||
+                        normalizedValue === "AS0"
+                    );
+                },
+                {
+                    message: t("rulesErrorInvalidAsnDescription")
+                }
+            );
         default:
             return required;
     }