From c761a6636cc5963b43799eb35547800f2d8351fc Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 4 Jun 2025 15:12:13 -0400
Subject: [PATCH] added bounds for /agent/access#[autoStartPort|autoEndPort]
 (#967)

---
 .../agent/remote_access_responses.go          | 51 +++++++++++++++++++
 rest_server_zrok/embedded_spec.go             | 16 ++++--
 .../operations/agent/remote_access.go         | 51 +++++++++++++++++++
 .../src/test/test_remote_access_request.py    |  4 +-
 .../zrok_api/models/remote_access_request.py  |  7 +--
 specs/zrok.yml                                |  4 ++
 6 files changed, 124 insertions(+), 9 deletions(-)

diff --git a/rest_client_zrok/agent/remote_access_responses.go b/rest_client_zrok/agent/remote_access_responses.go
index decc7569..9f055e30 100644
--- a/rest_client_zrok/agent/remote_access_responses.go
+++ b/rest_client_zrok/agent/remote_access_responses.go
@@ -11,9 +11,11 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/go-openapi/errors"
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
 )
 
 // RemoteAccessReader is a Reader for the RemoteAccess structure.
@@ -301,12 +303,16 @@ type RemoteAccessBody struct {
 	AutoAddress string `json:"autoAddress,omitempty"`
 
 	// auto end port
+	// Maximum: 65535
+	// Minimum: 1
 	AutoEndPort int64 `json:"autoEndPort,omitempty"`
 
 	// auto mode
 	AutoMode bool `json:"autoMode,omitempty"`
 
 	// auto start port
+	// Maximum: 65535
+	// Minimum: 1
 	AutoStartPort int64 `json:"autoStartPort,omitempty"`
 
 	// bind address
@@ -324,6 +330,51 @@ type RemoteAccessBody struct {
 
 // Validate validates this remote access body
 func (o *RemoteAccessBody) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.validateAutoEndPort(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := o.validateAutoStartPort(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *RemoteAccessBody) validateAutoEndPort(formats strfmt.Registry) error {
+	if swag.IsZero(o.AutoEndPort) { // not required
+		return nil
+	}
+
+	if err := validate.MinimumInt("body"+"."+"autoEndPort", "body", o.AutoEndPort, 1, false); err != nil {
+		return err
+	}
+
+	if err := validate.MaximumInt("body"+"."+"autoEndPort", "body", o.AutoEndPort, 65535, false); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (o *RemoteAccessBody) validateAutoStartPort(formats strfmt.Registry) error {
+	if swag.IsZero(o.AutoStartPort) { // not required
+		return nil
+	}
+
+	if err := validate.MinimumInt("body"+"."+"autoStartPort", "body", o.AutoStartPort, 1, false); err != nil {
+		return err
+	}
+
+	if err := validate.MaximumInt("body"+"."+"autoStartPort", "body", o.AutoStartPort, 65535, false); err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/rest_server_zrok/embedded_spec.go b/rest_server_zrok/embedded_spec.go
index 378e6315..feab35be 100644
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@@ -206,13 +206,17 @@ func init() {
                   "type": "string"
                 },
                 "autoEndPort": {
-                  "type": "integer"
+                  "type": "integer",
+                  "maximum": 65535,
+                  "minimum": 1
                 },
                 "autoMode": {
                   "type": "boolean"
                 },
                 "autoStartPort": {
-                  "type": "integer"
+                  "type": "integer",
+                  "maximum": 65535,
+                  "minimum": 1
                 },
                 "bindAddress": {
                   "type": "string"
@@ -3026,13 +3030,17 @@ func init() {
                   "type": "string"
                 },
                 "autoEndPort": {
-                  "type": "integer"
+                  "type": "integer",
+                  "maximum": 65535,
+                  "minimum": 1
                 },
                 "autoMode": {
                   "type": "boolean"
                 },
                 "autoStartPort": {
-                  "type": "integer"
+                  "type": "integer",
+                  "maximum": 65535,
+                  "minimum": 1
                 },
                 "bindAddress": {
                   "type": "string"
diff --git a/rest_server_zrok/operations/agent/remote_access.go b/rest_server_zrok/operations/agent/remote_access.go
index 11c9afe4..a4b2b0dc 100644
--- a/rest_server_zrok/operations/agent/remote_access.go
+++ b/rest_server_zrok/operations/agent/remote_access.go
@@ -9,9 +9,11 @@ import (
 	"context"
 	"net/http"
 
+	"github.com/go-openapi/errors"
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
+	"github.com/go-openapi/validate"
 
 	"github.com/openziti/zrok/rest_model_zrok"
 )
@@ -82,12 +84,16 @@ type RemoteAccessBody struct {
 	AutoAddress string `json:"autoAddress,omitempty"`
 
 	// auto end port
+	// Maximum: 65535
+	// Minimum: 1
 	AutoEndPort int64 `json:"autoEndPort,omitempty"`
 
 	// auto mode
 	AutoMode bool `json:"autoMode,omitempty"`
 
 	// auto start port
+	// Maximum: 65535
+	// Minimum: 1
 	AutoStartPort int64 `json:"autoStartPort,omitempty"`
 
 	// bind address
@@ -105,6 +111,51 @@ type RemoteAccessBody struct {
 
 // Validate validates this remote access body
 func (o *RemoteAccessBody) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.validateAutoEndPort(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if err := o.validateAutoStartPort(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *RemoteAccessBody) validateAutoEndPort(formats strfmt.Registry) error {
+	if swag.IsZero(o.AutoEndPort) { // not required
+		return nil
+	}
+
+	if err := validate.MinimumInt("body"+"."+"autoEndPort", "body", o.AutoEndPort, 1, false); err != nil {
+		return err
+	}
+
+	if err := validate.MaximumInt("body"+"."+"autoEndPort", "body", o.AutoEndPort, 65535, false); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (o *RemoteAccessBody) validateAutoStartPort(formats strfmt.Registry) error {
+	if swag.IsZero(o.AutoStartPort) { // not required
+		return nil
+	}
+
+	if err := validate.MinimumInt("body"+"."+"autoStartPort", "body", o.AutoStartPort, 1, false); err != nil {
+		return err
+	}
+
+	if err := validate.MaximumInt("body"+"."+"autoStartPort", "body", o.AutoStartPort, 65535, false); err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/sdk/python/src/test/test_remote_access_request.py b/sdk/python/src/test/test_remote_access_request.py
index 4af86217..10ee0886 100644
--- a/sdk/python/src/test/test_remote_access_request.py
+++ b/sdk/python/src/test/test_remote_access_request.py
@@ -40,8 +40,8 @@ class TestRemoteAccessRequest(unittest.TestCase):
                 bind_address = '',
                 auto_mode = True,
                 auto_address = '',
-                auto_start_port = 56,
-                auto_end_port = 56,
+                auto_start_port = 1,
+                auto_end_port = 1,
                 response_headers = [
                     ''
                     ]
diff --git a/sdk/python/src/zrok_api/models/remote_access_request.py b/sdk/python/src/zrok_api/models/remote_access_request.py
index 137b0d87..d83aba48 100644
--- a/sdk/python/src/zrok_api/models/remote_access_request.py
+++ b/sdk/python/src/zrok_api/models/remote_access_request.py
@@ -17,8 +17,9 @@ import pprint
 import re  # noqa: F401
 import json
 
-from pydantic import BaseModel, ConfigDict, Field, StrictBool, StrictInt, StrictStr
+from pydantic import BaseModel, ConfigDict, Field, StrictBool, StrictStr
 from typing import Any, ClassVar, Dict, List, Optional
+from typing_extensions import Annotated
 from typing import Optional, Set
 from typing_extensions import Self
 
@@ -31,8 +32,8 @@ class RemoteAccessRequest(BaseModel):
     bind_address: Optional[StrictStr] = Field(default=None, alias="bindAddress")
     auto_mode: Optional[StrictBool] = Field(default=None, alias="autoMode")
     auto_address: Optional[StrictStr] = Field(default=None, alias="autoAddress")
-    auto_start_port: Optional[StrictInt] = Field(default=None, alias="autoStartPort")
-    auto_end_port: Optional[StrictInt] = Field(default=None, alias="autoEndPort")
+    auto_start_port: Optional[Annotated[int, Field(le=65535, strict=True, ge=1)]] = Field(default=None, alias="autoStartPort")
+    auto_end_port: Optional[Annotated[int, Field(le=65535, strict=True, ge=1)]] = Field(default=None, alias="autoEndPort")
     response_headers: Optional[List[StrictStr]] = Field(default=None, alias="responseHeaders")
     __properties: ClassVar[List[str]] = ["envZId", "token", "bindAddress", "autoMode", "autoAddress", "autoStartPort", "autoEndPort", "responseHeaders"]
 
diff --git a/specs/zrok.yml b/specs/zrok.yml
index ad1ab71d..6a552985 100644
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@@ -640,8 +640,12 @@ paths:
                 type: string
               autoStartPort:
                 type: integer
+                minimum: 1
+                maximum: 65535
               autoEndPort:
                 type: integer
+                minimum: 1
+                maximum: 65535
               responseHeaders:
                 type: array
                 items: