Add security parentage validation

Change-Id: I325690a56114db03ba2d3ba0cf99e393678a97da
Closes-Bug: #1772594
(cherry picked from commit fb2c4b6)

o11nplugin-contrail-config/src/main/kotlin/net/juniper/contrail/vro/config/Actions.kt

@@ -42,6 +42,7 @@ val ipamHasNotAllocationMode = "ipamHasNotAllocationMode"
 val networkHasNotAllcationMode = "networkHasNotAllocationMode"
 val listElementProperty = "listElementProperty"
 val listTagTypes = "listTagTypes"
+val matchesSecurityScope = "matchesSecurityScope"
 
 val portOfVCVirtualMachine = "portOfVCVirtualMachine"
 val networkOfVCPortGroup = "networkOfVCPortGroup"

o11nplugin-contrail-config/src/main/kotlin/net/juniper/contrail/vro/config/constants/Constants.kt

@@ -17,6 +17,7 @@ val VirtualMachine = "VirtualMachine"
 val Configuration = "Configuration"
 val Connection = "Connection"
 val parent = "parent"
+val rule = "rule"
 val child = "child"
 val item = "item"
 val name = "name"

o11nplugin-contrail-tests/src/test/groovy/net/juniper/contrail/vro/tests/actions/SecurityScopeValidationSpec.groovy

@@ -0,0 +1,339 @@
+/*
+ * Copyright (c) 2018 Juniper Networks, Inc. All rights reserved.
+ */
+
+package net.juniper.contrail.vro.tests.actions
+
+import net.juniper.contrail.vro.tests.workflows.WorkflowSpec
+
+import static net.juniper.contrail.vro.config.Actions.matchesSecurityScope
+
+// workflowSpec is required for dependencies
+class SecurityScopeValidationSpec extends WorkflowSpec implements ValidationAsserts {
+    def validateSecurityScope = actionFromScript(matchesSecurityScope)
+    String securityScopeValidationMessage(badObjectName) {
+        return "$badObjectName comes from an inaccessible project."
+    }
+
+    def connection = dependencies.connection
+    def project1 = dependencies.someProject()
+    def project2 = dependencies.someProject()
+    def projectFirewallRule = dependencies.someProjectFirewallRule(project1)
+    def globalFirewallRule = dependencies.someGlobalFirewallRule()
+
+    def project1ServiceGroup = dependencies.someProjectServiceGroup(project1)
+    def project2ServiceGroup = dependencies.someProjectServiceGroup(project2)
+    def globalServiceGroup = dependencies.someGlobalServiceGroup()
+
+    def project1Tag = dependencies.someProjectTag(project1)
+    def project2Tag = dependencies.someProjectTag(project2)
+    def globalTag = dependencies.someGlobalTag()
+
+    def "Validating a null object when creating a project-scope firewall rule" () {
+        def children = null
+        def parent = project1
+        def arrayMode = false
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+
+    // Service Group, rule creation
+    def "Validating a same-project-scope Service Group when creating a project-scope firewall rule" () {
+        given:
+        def children = project1ServiceGroup
+        def parent = project1
+        def arrayMode = false
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a different-project-scope Service Group when creating a project-scope firewall rule" () {
+        given:
+        def children = project2ServiceGroup
+        def parent = project1
+        def arrayMode = false
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Service Group when creating a project-scope firewall rule" () {
+        given:
+        def children = globalServiceGroup
+        def parent = project1
+        def arrayMode = false
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a project-scope Service Group when creating a global-scope firewall rule" () {
+        given:
+        def children = project1ServiceGroup
+        def parent = connection
+        def arrayMode = false
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Service Group when creating a global-scope firewall rule" () {
+        given:
+        def children = globalServiceGroup
+        def parent = connection
+        def arrayMode = false
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+
+    // Tags, rule creation
+    def "Validating a same-project-scope Tag when creating a project-scope firewall rule" () {
+        given:
+        def children = [project1Tag]
+        def parent = project1
+        def arrayMode = true
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a different-project-scope Tag when creating a project-scope firewall rule" () {
+        given:
+        def children = [project2Tag]
+        def parent = project1
+        def arrayMode = true
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Tag when creating a project-scope firewall rule" () {
+        given:
+        def children = [globalTag]
+        def parent = project1
+        def arrayMode = true
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a project-scope Tag when creating a global-scope firewall rule" () {
+        given:
+        def children = [project1Tag]
+        def parent = connection
+        def arrayMode = true
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Tag when creating a global-scope firewall rule" () {
+        given:
+        def children = [globalTag]
+        def parent = connection
+        def arrayMode = true
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a list of various Tags, one of which is wrong, when creating a project-scope firewall rule" () {
+        given:
+        def children = [project1Tag, project2Tag, globalTag]
+        def parent = project1
+        def arrayMode = true
+        def directMode = true
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails, naming the wrong tag"
+        validationFailureWith(result, securityScopeValidationMessage(project2Tag.name))
+    }
+
+
+    // Service Group, rule edition
+    def "Validating a same-project-scope Service Group when editing a project-scope firewall rule" () {
+        given:
+        def children = project1ServiceGroup
+        def parent = projectFirewallRule
+        def arrayMode = false
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a different-project-scope Service Group when editing a project-scope firewall rule" () {
+        given:
+        def children = project2ServiceGroup
+        def parent = projectFirewallRule
+        def arrayMode = false
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Service Group when editing a project-scope firewall rule" () {
+        given:
+        def children = globalServiceGroup
+        def parent = projectFirewallRule
+        def arrayMode = false
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a project-scope Service Group when editing a global-scope firewall rule" () {
+        given:
+        def children = project1ServiceGroup
+        def parent = globalFirewallRule
+        def arrayMode = false
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Service Group when editing a global-scope firewall rule" () {
+        given:
+        def children = globalServiceGroup
+        def parent = globalFirewallRule
+        def arrayMode = false
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+
+    // Tags, rule edition
+    def "Validating a same-project-scope Tag when editing a project-scope firewall rule" () {
+        given:
+        def children = [project1Tag]
+        def parent = projectFirewallRule
+        def arrayMode = true
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a different-project-scope Tag when editing a project-scope firewall rule" () {
+        given:
+        def children = [project2Tag]
+        def parent = projectFirewallRule
+        def arrayMode = true
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Tag when editing a project-scope firewall rule" () {
+        given:
+        def children = [globalTag]
+        def parent = projectFirewallRule
+        def arrayMode = true
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a project-scope Tag when editing a global-scope firewall rule" () {
+        given:
+        def children = [project1Tag]
+        def parent = globalFirewallRule
+        def arrayMode = true
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails"
+        validationFailure(result)
+    }
+    def "Validating a global-scope Tag when editing a global-scope firewall rule" () {
+        given:
+        def children = [globalTag]
+        def parent = globalFirewallRule
+        def arrayMode = true
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it succeeds"
+        validationSuccess(result)
+    }
+    def "Validating a list of various Tags, one of which is wrong, when editing a project-scope firewall rule" () {
+        given:
+        def children = [project1Tag, project2Tag, globalTag]
+        def parent = projectFirewallRule
+        def arrayMode = true
+        def directMode = false
+
+        when: "executing validating script"
+        def result = invokeFunction(validateSecurityScope, children, parent, directMode, arrayMode)
+
+        then: "it fails, naming the wrong tag"
+        validationFailureWith(result, securityScopeValidationMessage(project2Tag.name))
+    }
+}

o11nplugin-contrail-tests/src/test/groovy/net/juniper/contrail/vro/tests/workflows/AddServiceToServiceGroupSpec.groovy

@@ -5,7 +5,6 @@
 package net.juniper.contrail.vro.tests.workflows
 
 import net.juniper.contrail.api.Status
-import net.juniper.contrail.api.types.NetworkPolicy
 import net.juniper.contrail.api.types.ServiceGroup
 
 class AddServiceToServiceGroupSpec extends WorkflowSpec {
@@ -19,7 +18,7 @@ class AddServiceToServiceGroupSpec extends WorkflowSpec {
 
     def "Adding service to a service group"() {
         given:
-        def serviceGroup = dependencies.someServiceGroup()
+        def serviceGroup = dependencies.someGlobalServiceGroup()
 
         def initialSize = serviceGroup.getFirewallServiceList()?.getFirewallService()?.size() ?: 0
         connectorMock.read(_) >> Status.success()

o11nplugin-contrail-tests/src/test/groovy/net/juniper/contrail/vro/tests/workflows/EditServiceOfServiceGroupSpec.groovy

@@ -24,7 +24,7 @@ class EditServiceOfServiceGroupSpec extends WorkflowSpec {
 
     def "Editing service of service group"() {
         given:
-        def serviceGroup = dependencies.someServiceGroup()
+        def serviceGroup = dependencies.someGlobalServiceGroup()
 
         connectorMock.read(_) >> Status.success()
         connectorMock.update(_) >> Status.success()

o11nplugin-contrail-tests/src/test/groovy/net/juniper/contrail/vro/tests/workflows/RemoveServiceFromServiceGroupSpec.groovy

@@ -19,7 +19,7 @@ class RemoveServiceFromServiceGroupSpec extends WorkflowSpec {
 
     def "Removing service from service group"() {
         given:
-        def serviceGroup = dependencies.someServiceGroup()
+        def serviceGroup = dependencies.someGlobalServiceGroup()
 
         def initialSize = serviceGroup.getFirewallServiceList()?.getFirewallService()?.size() ?: 0
         connectorMock.read(_) >> Status.success()