Add security scope validation to all reference-adding workflows

Change-Id: I2266e6a519feba203c729692eff1432ea3d0a9ad Closes-Bug: #1772594 (cherry picked from commit 879485c)
Juniper · Jun 18, 2018 · 6ef7f40 · 6ef7f40
1 parent 5929a1d
commit 6ef7f40
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/o11nplugin-contrail-config/buildNumber.properties b/o11nplugin-contrail-config/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Tue Jun 12 14:22:55 CEST 2018
-buildNumber=1460
+#Thu Jun 14 17:13:15 CEST 2018
+buildNumber=1461
diff --git a/o11nplugin-contrail-config/src/main/kotlin/net/juniper/contrail/vro/config/Config.kt b/o11nplugin-contrail-config/src/main/kotlin/net/juniper/contrail/vro/config/Config.kt
@@ -162,6 +162,15 @@ val readUponQuery = setOf(
     the<FirewallRule>()
 )
 
+val validateSecurityScope = setOf(
+    the<ApplicationPolicySet>(),
+    the<FirewallPolicy>(),
+    the<FirewallRule>(),
+    the<AddressGroup>(),
+    the<ServiceGroup>(),
+    the<Tag>()
+)
+
 private inline fun <reified T> the() =
     T::class.java.simpleName
 
@@ -234,6 +243,9 @@ fun ObjectClass.hasCustomAddReferenceWorkflow(child: Class<*>) =
 fun ObjectClass.hasCustomRemoveReferenceWorkflow(child: Class<*>) =
     customRemoveReference.containsUnordered(simpleName, child.simpleName)
 
+val ObjectClass.needsSecurityScopeValidation get() =
+    validateSecurityScope.contains(simpleName)
+
 infix fun String.isDisplayableChildOf(parent: String) =
     this != parent &&
     ! hiddenRelations.containsUnordered(parent, this) &&

diff --git a/...erator/src/main/kotlin/net/juniper/contrail/vro/generator/workflows/ReferenceWorkflows.kt b/...erator/src/main/kotlin/net/juniper/contrail/vro/generator/workflows/ReferenceWorkflows.kt
@@ -4,8 +4,11 @@
 
 package net.juniper.contrail.vro.generator.workflows
 
+import net.juniper.contrail.api.types.Project
 import net.juniper.contrail.vro.config.constants.child
 import net.juniper.contrail.vro.config.constants.item
+import net.juniper.contrail.vro.config.isA
+import net.juniper.contrail.vro.config.needsSecurityScopeValidation
 import net.juniper.contrail.vro.config.propertyValue
 import net.juniper.contrail.vro.generator.model.ForwardRelation
 import net.juniper.contrail.vro.workflows.dsl.WorkflowDefinition
@@ -16,6 +19,7 @@ import net.juniper.contrail.vro.workflows.dsl.asBrowserRoot
 import net.juniper.contrail.vro.workflows.dsl.actionCallTo
 import net.juniper.contrail.vro.workflows.model.reference
 import net.juniper.contrail.vro.schema.Schema
+import net.juniper.contrail.vro.workflows.custom.matchesSecurityScope
 import net.juniper.contrail.vro.workflows.dsl.parentConnection
 import net.juniper.contrail.vro.workflows.util.addRelationWorkflowName
 import net.juniper.contrail.vro.workflows.util.childDescriptionInCreateRelation
@@ -30,6 +34,7 @@ fun addReferenceWorkflow(relation: ForwardRelation, schema: Schema): WorkflowDef
     val childClass = relation.declaredChildClass
     val workflowName = schema.addRelationWorkflowName(parentClass, childClass)
     val scriptBody = relation.addReferenceRelationScriptBody()
+    val directValidation = parentClass.isA<Project>()
 
     return workflow(workflowName).withScript(scriptBody) {
         parameter(item, parentClass.reference) {
@@ -42,6 +47,8 @@ fun addReferenceWorkflow(relation: ForwardRelation, schema: Schema): WorkflowDef
             description = schema.childDescriptionInCreateRelation(parentClass, childClass, ignoreMissing = true)
             mandatory = true
             browserRoot = item.parentConnection
+            if (childClass.needsSecurityScopeValidation)
+                validWhen = matchesSecurityScope(item, directValidation)
         }
     }
 }