From f452123480d9b3e150041587d0a2c3d0547a195f Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Tue, 31 Mar 2020 20:03:58 -0700 Subject: [PATCH 01/14] Consume ACL for APIPA Endpoint from CreateNC Req --- cns/NetworkContainerContract.go | 41 +++++++++++++++-- cns/hnsclient/hnsclient_windows.go | 46 +++++++++++++++++-- cns/restserver/restserver.go | 3 +- .../Azure/azure-container-networking | 1 + 4 files changed, 81 insertions(+), 10 deletions(-) create mode 160000 vendor/github.com/Azure/azure-container-networking diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index b3617415ac..4e5b483011 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -2,6 +2,11 @@ package cns import ( "encoding/json" + "errors" + "fmt" + "strings" + + "github.com/Microsoft/hcsshim/hcn" ) // Container Network Service DNC Contract @@ -63,12 +68,14 @@ type CreateNetworkContainerRequest struct { Routes []Route AllowHostToNCCommunication bool AllowNCToHostCommunication bool + EndpointPolicies []NetworkContainerRequestPolicies } -// ConfigureContainerNetworkingRequest - specifies request to attach/detach container to network. -type ConfigureContainerNetworkingRequest struct { - Containerid string - NetworkContainerid string +// NetworkContainerRequestPolicies - specifies policies associated with create network request +type NetworkContainerRequestPolicies struct { + Type string + EndpointType string + Settings json.RawMessage } // KubernetesPodInfo is an OrchestratorContext that holds PodName and PodNamespace. 
@@ -220,3 +227,29 @@ type UnpublishNetworkContainerResponse struct { UnpublishStatusCode int UnpublishResponseBody []byte } + +// Validate - Validates network container request policies +func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error { + + // validate ACL policy + if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { + + var requestedAclPolicy hcn.AclPolicySetting + + if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { + + return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) + } + + if requestedAclPolicy.Action == "" { + return errors.New("Action field cannot be empty in ACL Policy") + } + + if requestedAclPolicy.Priority == 0 { + return errors.New("Priority field cannot be empty in ACL Policy") + } + + } + + return nil +} diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go index 49fcc22edc..e949ff57b7 100644 --- a/cns/hnsclient/hnsclient_windows.go +++ b/cns/hnsclient/hnsclient_windows.go @@ -66,6 +66,12 @@ const ( // aclPriority200 indicates the ACL priority of 200 aclPriority200 = 200 + + // aclPolicyType indicates a ACL policy + aclPolicyType = "ACLPolicy" + + //signals a APIPA endpoint type + apipaEndpointType = "APIPA" ) var ( @@ -347,7 +353,8 @@ func configureAclSettingHostNCApipaEndpoint( networkContainerApipaIP string, hostApipaIP string, allowNCToHostCommunication bool, - allowHostToNCCommunication bool) ([]hcn.EndpointPolicy, error) { + allowHostToNCCommunication bool, + ncRequestedPolicies []cns.NetworkContainerRequestPolicies) ([]hcn.EndpointPolicy, error) { var ( err error endpointPolicies []hcn.EndpointPolicy 
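Review bot: Validate, added at the end of NetworkContainerContract.go in this hunk, has no caller anywhere in the patch: the restserver hunk later in this patch hands CreateNetworkContainerRequest.EndpointPolicies straight to CreateHostNCApipaEndpoint, and the loop added to configureAclSettingHostNCApipaEndpoint decodes each policy into hcn.AclPolicySetting and applies it after only a Type/EndpointType check, so the Action and Priority checks here are never enforced on the path that reaches HNS. Unless Validate is invoked where the NC request is accepted (not visible in this series), add it there, e.g. `for i := range request.EndpointPolicies { if err := request.EndpointPolicies[i].Validate(); err != nil { return err } }`, so a malformed ACL is rejected before any HNS call is made. Go convention also asks for lowercase error strings without trailing punctuation or whitespace, e.g. `errors.New("action field cannot be empty in ACL policy")`, and the unmarshal message currently ends in a stray space before the closing quote.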
@@ -426,6 +433,31 @@ func configureAclSettingHostNCApipaEndpoint( return nil, err } } + + } + + if ncRequestedPolicies != nil { + // Iterate thru the requested endpoint policies where policy type is ACL, endpoint type is APIPA + // include the raw json message in the endpoint policies + for _, requestedPolicy := range ncRequestedPolicies { + + if strings.EqualFold(requestedPolicy.Type, aclPolicyType) && strings.EqualFold(requestedPolicy.EndpointType, apipaEndpointType) { + + var requestedAclPolicy hcn.AclPolicySetting + + if err := json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil { + + return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err) + } + + logger.Printf("ACL Policy requested in NcGoalState %+v ", requestedAclPolicy) + + if err = addAclToEndpointPolicy(requestedAclPolicy, &endpointPolicies); err != nil { + return nil, err + } + + } + } } return endpointPolicies, nil @@ -436,7 +468,8 @@ func configureHostNCApipaEndpoint( networkID string, localIPConfiguration cns.IPConfiguration, allowNCToHostCommunication bool, - allowHostToNCCommunication bool) (*hcn.HostComputeEndpoint, error) { + allowHostToNCCommunication bool, + ncPolicies []cns.NetworkContainerRequestPolicies) (*hcn.HostComputeEndpoint, error) { endpoint := &hcn.HostComputeEndpoint{ Name: endpointName, HostComputeNetwork: networkID, @@ -455,7 +488,8 @@ func configureHostNCApipaEndpoint( networkContainerApipaIP, hostApipaIP, allowNCToHostCommunication, - allowHostToNCCommunication) + allowHostToNCCommunication, + ncPolicies) if err != nil { logger.Errorf("[Azure CNS] Failed to configure ACL for HostNCApipaEndpoint. Error: %v", err) 
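Review bot: `%S` in the new fmt.Errorf inside the policy loop is not a fmt verb — go vet reports it and the message renders as `%!S(...)` — and `requestedPolicy.Settings` is a json.RawMessage, which `%+v` prints as a list of byte values rather than the JSON text; use `return nil, fmt.Errorf("unmarshal requested ACL policy %s: %v", requestedPolicy.Settings, err)`. The same line is carried verbatim into patch 03 (hunk @@ -440 of hnsclient_windows.go) and appears as context in patch 13, so it survives the series. The enclosing `if ncRequestedPolicies != nil` guard is redundant, since ranging over a nil slice is a no-op. Note that this loop installs whatever decodes into hcn.AclPolicySetting and relies on Validate having run upstream; if that call is missing, a policy with an empty Action or zero Priority is handed to addAclToEndpointPolicy unchanged.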
@@ -490,7 +524,8 @@ func CreateHostNCApipaEndpoint( networkContainerID string, localIPConfiguration cns.IPConfiguration, allowNCToHostCommunication bool, - allowHostToNCCommunication bool) (string, error) { + allowHostToNCCommunication bool, + ncPolicies []cns.NetworkContainerRequestPolicies) (string, error) { var ( network *hcn.HostComputeNetwork endpoint *hcn.HostComputeEndpoint @@ -528,7 +563,8 @@ func CreateHostNCApipaEndpoint( network.Id, localIPConfiguration, allowNCToHostCommunication, - allowHostToNCCommunication); err != nil { + allowHostToNCCommunication, + ncPolicies); err != nil { logger.Errorf("[Azure CNS] Failed to configure HostNCApipaEndpoint: %s. Error: %v", endpointName, err) return "", err } diff --git a/cns/restserver/restserver.go b/cns/restserver/restserver.go index 0366c0149f..97beff3368 100644 --- a/cns/restserver/restserver.go +++ b/cns/restserver/restserver.go @@ -1697,7 +1697,8 @@ func (service *HTTPRestService) createHostNCApipaEndpoint(w http.ResponseWriter, req.NetworkContainerID, networkContainerDetails.CreateNetworkContainerRequest.LocalIPConfiguration, networkContainerDetails.CreateNetworkContainerRequest.AllowNCToHostCommunication, - networkContainerDetails.CreateNetworkContainerRequest.AllowHostToNCCommunication); err != nil { + networkContainerDetails.CreateNetworkContainerRequest.AllowHostToNCCommunication, + networkContainerDetails.CreateNetworkContainerRequest.EndpointPolicies); err != nil { returnMessage = fmt.Sprintf("CreateHostNCApipaEndpoint failed with error: %v", err) returnCode = UnexpectedError } diff --git a/vendor/github.com/Azure/azure-container-networking b/vendor/github.com/Azure/azure-container-networking new file mode 160000 index 0000000000..a4e9e99406 --- /dev/null +++ b/vendor/github.com/Azure/azure-container-networking @@ -0,0 +1 @@ +Subproject commit a4e9e99406b4c106ee39c708059b73506bc84c6d From eaafe09dd91173c1039823286c4f5cab617d234a Mon Sep 17 00:00:00 2001 
From: Ali Egal Date: Tue, 31 Mar 2020 20:06:06 -0700 Subject: [PATCH 02/14] Consume ACL for APIPA Endpoint from CreateNC Req --- vendor/github.com/Azure/azure-container-networking | 1 - 1 file changed, 1 deletion(-) delete mode 160000 vendor/github.com/Azure/azure-container-networking diff --git a/vendor/github.com/Azure/azure-container-networking b/vendor/github.com/Azure/azure-container-networking deleted file mode 160000 index a4e9e99406..0000000000 --- a/vendor/github.com/Azure/azure-container-networking +++ /dev/null @@ -1 +0,0 @@ -Subproject commit a4e9e99406b4c106ee39c708059b73506bc84c6d From ff140673e1b285eacff25ebd24a6e488aec523c9 Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Wed, 1 Apr 2020 14:28:00 -0700 Subject: [PATCH 03/14] addressing comments --- cns/NetworkContainerContract.go | 27 +++++++++++++-------------- cns/hnsclient/hnsclient_linux.go | 3 ++- cns/hnsclient/hnsclient_windows.go | 12 ++---------- 3 files changed, 17 insertions(+), 25 deletions(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 4e5b483011..a4491c47cb 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -2,7 +2,6 @@ package cns import ( "encoding/json" - "errors" "fmt" "strings" @@ -78,6 +77,12 @@ type NetworkContainerRequestPolicies struct { Settings json.RawMessage } +// ConfigureContainerNetworkingRequest - specifies request to attach/detach container to network. +type ConfigureContainerNetworkingRequest struct { + Containerid string + NetworkContainerid string +} + // KubernetesPodInfo is an OrchestratorContext that holds PodName and PodNamespace. type KubernetesPodInfo struct { PodName string 
@@ -230,26 +235,20 @@ type UnpublishNetworkContainerResponse struct { // Validate - Validates network container request policies func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error { - // validate ACL policy if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { - var requestedAclPolicy hcn.AclPolicySetting - if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { - return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) } - - if requestedAclPolicy.Action == "" { - return errors.New("Action field cannot be empty in ACL Policy") - } - - if requestedAclPolicy.Priority == 0 { - return errors.New("Priority field cannot be empty in ACL Policy") + if requestedAclPolicy != nil { + if len(strings.TrimSpace(requestedAclPolicy.Action)) == 0 { + return fmt.Errorf("Action field cannot be empty in ACL Policy") + } + if requestedAclPolicy.Priority == 0 { + return fmt.Errorf("Priority field cannot be empty in ACL Policy") + } } - } - return nil } diff --git a/cns/hnsclient/hnsclient_linux.go b/cns/hnsclient/hnsclient_linux.go index a78acb9fb8..0a9d62c3c7 100644 --- a/cns/hnsclient/hnsclient_linux.go +++ b/cns/hnsclient/hnsclient_linux.go @@ -38,7 +38,8 @@ func CreateHostNCApipaEndpoint( networkContainerID string, localIPConfiguration cns.IPConfiguration, allowNCToHostCommunication bool, - allowHostToNCCommunication bool) (string, error) { + allowHostToNCCommunication bool, + ncPolicies []cns.NetworkContainerRequestPolicies) (string, error) { return "", nil } diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go index e949ff57b7..d69bb2d5cd 100644 --- a/cns/hnsclient/hnsclient_windows.go +++ b/cns/hnsclient/hnsclient_windows.go 
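Review bot: The rewrite swaps `errors.New` for `fmt.Errorf` on the two constant messages (`return fmt.Errorf("Action field cannot be empty in ACL Policy")` and the Priority line), which is the wrong direction — a message with no format verbs is exactly the `errors.New` case, and removing the `errors` import to make that possible is avoidable churn. Keep `errors.New("action field cannot be empty in ACL policy")` for the constant cases and reserve fmt.Errorf for the unmarshal error that wraps `err`. The enclosing function's signature and closing brace are outside this hunk.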
@@ -440,26 +440,18 @@ func configureAclSettingHostNCApipaEndpoint( // Iterate thru the requested endpoint policies where policy type is ACL, endpoint type is APIPA // include the raw json message in the endpoint policies for _, requestedPolicy := range ncRequestedPolicies { - if strings.EqualFold(requestedPolicy.Type, aclPolicyType) && strings.EqualFold(requestedPolicy.EndpointType, apipaEndpointType) { - var requestedAclPolicy hcn.AclPolicySetting - - if err := json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil { - + if err = json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil { return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err) } - - logger.Printf("ACL Policy requested in NcGoalState %+v ", requestedAclPolicy) - + logger.Printf("ACL Policy requested in NcGoalState %+v", requestedAclPolicy) if err = addAclToEndpointPolicy(requestedAclPolicy, &endpointPolicies); err != nil { return nil, err } - } } } - return endpointPolicies, nil } From 42ff442cb223c4ca34d14fd5e01e41d7f2775f72 Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Wed, 1 Apr 2020 17:29:04 -0700 Subject: [PATCH 04/14] remove line --- cns/NetworkContainerContract.go | 1 - 1 file changed, 1 deletion(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index a4491c47cb..6a3f24cfc8 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -67,7 +67,6 @@ type CreateNetworkContainerRequest struct { Routes []Route AllowHostToNCCommunication bool AllowNCToHostCommunication bool - EndpointPolicies []NetworkContainerRequestPolicies } // NetworkContainerRequestPolicies - specifies policies associated with create network request From 8bc949b9ac65431fb70a65a902f992db0628e137 Mon Sep 17 00:00:00 2001 
From: Ali Egal Date: Wed, 1 Apr 2020 17:31:18 -0700 Subject: [PATCH 05/14] revert last commit --- cns/NetworkContainerContract.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 6a3f24cfc8..a4491c47cb 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -67,6 +67,7 @@ type CreateNetworkContainerRequest struct { Routes []Route AllowHostToNCCommunication bool AllowNCToHostCommunication bool + EndpointPolicies []NetworkContainerRequestPolicies } // NetworkContainerRequestPolicies - specifies policies associated with create network request From 143cb49f6442a5a1628cdae6394d8625a1bd68ce Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Wed, 1 Apr 2020 19:10:47 -0700 Subject: [PATCH 06/14] fixing build error --- cns/NetworkContainerContract.go | 12 +++++------- src/github.com/Azure/azure-container-networking | 1 + vendor/github.com/Azure/azure-container-networking | 1 + 3 files changed, 7 insertions(+), 7 deletions(-) create mode 160000 src/github.com/Azure/azure-container-networking create mode 160000 vendor/github.com/Azure/azure-container-networking diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index a4491c47cb..7c6a404e20 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go 
@@ -241,13 +241,11 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) } - if requestedAclPolicy != nil { - if len(strings.TrimSpace(requestedAclPolicy.Action)) == 0 { - return fmt.Errorf("Action field cannot be empty in ACL Policy") - } - if requestedAclPolicy.Priority == 0 { - return fmt.Errorf("Priority field cannot be empty in ACL Policy") - } + if len(strings.TrimSpace(string(requestedAclPolicy.Action))) == 0 { + return fmt.Errorf("Action field cannot be empty in ACL Policy") + } + if requestedAclPolicy.Priority == 0 { + return fmt.Errorf("Priority field cannot be empty in ACL Policy") } } return nil diff --git a/src/github.com/Azure/azure-container-networking b/src/github.com/Azure/azure-container-networking new file mode 160000 index 0000000000..dc1ecbfd95 --- /dev/null +++ b/src/github.com/Azure/azure-container-networking @@ -0,0 +1 @@ +Subproject commit dc1ecbfd9514cf5c82dd640c0081b82b89f497f8 diff --git a/vendor/github.com/Azure/azure-container-networking b/vendor/github.com/Azure/azure-container-networking new file mode 160000 index 0000000000..dc1ecbfd95 --- /dev/null +++ b/vendor/github.com/Azure/azure-container-networking @@ -0,0 +1 @@ +Subproject commit dc1ecbfd9514cf5c82dd640c0081b82b89f497f8 From 7db604dff45656e86fa3e61d13e5b364292e8189 Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Wed, 1 Apr 2020 19:28:06 -0700 Subject: [PATCH 07/14] remove unintended folder --- src/github.com/Azure/azure-container-networking | 1 - vendor/github.com/Azure/azure-container-networking | 1 - 2 files changed, 2 deletions(-) delete mode 160000 src/github.com/Azure/azure-container-networking delete mode 160000 vendor/github.com/Azure/azure-container-networking 
diff --git a/src/github.com/Azure/azure-container-networking b/src/github.com/Azure/azure-container-networking deleted file mode 160000 index dc1ecbfd95..0000000000 --- a/src/github.com/Azure/azure-container-networking +++ /dev/null @@ -1 +0,0 @@ -Subproject commit dc1ecbfd9514cf5c82dd640c0081b82b89f497f8 diff --git a/vendor/github.com/Azure/azure-container-networking b/vendor/github.com/Azure/azure-container-networking deleted file mode 160000 index dc1ecbfd95..0000000000 --- a/vendor/github.com/Azure/azure-container-networking +++ /dev/null @@ -1 +0,0 @@ -Subproject commit dc1ecbfd9514cf5c82dd640c0081b82b89f497f8 From 73ebf2deb2a2c554c187a9cdf4c0ddcc06d98459 Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Wed, 1 Apr 2020 21:04:16 -0700 Subject: [PATCH 08/14] testing build issue with importing hcsshim --- cns/NetworkContainerContract.go | 17 ++++++++++++++--- src/github.com/Azure/azure-container-networking | 1 + 2 files changed, 15 insertions(+), 3 deletions(-) create mode 160000 src/github.com/Azure/azure-container-networking diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 7c6a404e20..545bda1e6b 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -4,8 +4,6 @@ import ( "encoding/json" "fmt" "strings" - - "github.com/Microsoft/hcsshim/hcn" ) // Container Network Service DNC Contract 
@@ -233,11 +231,24 @@ type UnpublishNetworkContainerResponse struct { UnpublishResponseBody []byte } +// Testing +type AclPolicyTestSetting struct { + Protocols string `json:","` + Action string `json:","` + Direction string `json:","` + LocalAddresses string `json:","` + RemoteAddresses string `json:","` + LocalPorts string `json:","` + RemotePorts string `json:","` + RuleType string `json:","` + Priority uint16 `json:","` +} + // Validate - Validates network container request policies func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error { // validate ACL policy if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { - var requestedAclPolicy hcn.AclPolicySetting + var requestedAclPolicy AclPolicyTestSetting if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) } diff --git a/src/github.com/Azure/azure-container-networking b/src/github.com/Azure/azure-container-networking new file mode 160000 index 0000000000..dc1ecbfd95 --- /dev/null +++ b/src/github.com/Azure/azure-container-networking @@ -0,0 +1 @@ +Subproject commit dc1ecbfd9514cf5c82dd640c0081b82b89f497f8 From 4feb4aeb7ed73bfa0f36df452dd0394562fda4be Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Wed, 1 Apr 2020 21:08:50 -0700 Subject: [PATCH 09/14] remove folder --- src/github.com/Azure/azure-container-networking | 1 - 1 file changed, 1 deletion(-) delete mode 160000 src/github.com/Azure/azure-container-networking diff --git a/src/github.com/Azure/azure-container-networking b/src/github.com/Azure/azure-container-networking deleted file mode 160000 index dc1ecbfd95..0000000000 --- a/src/github.com/Azure/azure-container-networking +++ /dev/null @@ -1 +0,0 @@ -Subproject commit dc1ecbfd9514cf5c82dd640c0081b82b89f497f8 From a6ddef1d673a40feb6e53dd3ed141e7ee9837006 Mon Sep 17 00:00:00 2001 
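Review bot: The `json:","` tags on every field of the new AclPolicyTestSetting are no-ops — an empty name falls back to the Go field name and there are no options — so either drop them or spell out the wire names the request carries (e.g. `json:"Action"`). More importantly, validating against this local copy of the hcn fields (presumably introduced because the hcn package does not build on Linux, as the patch subject suggests) means json.Unmarshal silently discards any key it does not recognise, so a misspelled key such as `"LocalAddreses"` passes validation here, is dropped again by the hcn.AclPolicySetting decode on Windows, and the ACL is installed without that field. Decoding with `dec := json.NewDecoder(bytes.NewReader(networkContainerRequestPolicy.Settings)); dec.DisallowUnknownFields(); if err := dec.Decode(&requestedAclPolicy); err != nil { ... }` (with `bytes` imported) makes such a request fail closed, and a comment on the struct should say its field set must track hcn.AclPolicySetting.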
From: Ali Egal Date: Thu, 2 Apr 2020 09:23:27 -0700 Subject: [PATCH 10/14] change struct name --- cns/NetworkContainerContract.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 545bda1e6b..03d1b41f5e 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -231,8 +231,8 @@ type UnpublishNetworkContainerResponse struct { UnpublishResponseBody []byte } -// Testing -type AclPolicyTestSetting struct { +// ValidAclPolicySetting - Used to validate ACL policy +type ValidAclPolicySetting struct { Protocols string `json:","` Action string `json:","` Direction string `json:","` @@ -248,7 +248,7 @@ type AclPolicyTestSetting struct { func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error { // validate ACL policy if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { - var requestedAclPolicy AclPolicyTestSetting + var requestedAclPolicy ValidAclPolicySetting if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) } From 7758c58462e7c763929c56b7b83a9aed154ab81a Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Thu, 2 Apr 2020 13:34:06 -0700 Subject: [PATCH 11/14] include a nil check on pointer --- cns/NetworkContainerContract.go | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 03d1b41f5e..17768d859a 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go 
@@ -247,16 +247,18 @@ type ValidAclPolicySetting struct { // Validate - Validates network container request policies func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error { // validate ACL policy - if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { - var requestedAclPolicy ValidAclPolicySetting - if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { - return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) - } - if len(strings.TrimSpace(string(requestedAclPolicy.Action))) == 0 { - return fmt.Errorf("Action field cannot be empty in ACL Policy") - } - if requestedAclPolicy.Priority == 0 { - return fmt.Errorf("Priority field cannot be empty in ACL Policy") + if networkContainerRequestPolicy != nil { + if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { + var requestedAclPolicy ValidAclPolicySetting + if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { + return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) + } + if len(strings.TrimSpace(string(requestedAclPolicy.Action))) == 0 { + return fmt.Errorf("Action field cannot be empty in ACL Policy") + } + if requestedAclPolicy.Priority == 0 { + return fmt.Errorf("Priority field cannot be empty in ACL Policy") + } } } return nil From 404eb16aac8fa90c42819fe8403130b31acc1e18 Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Fri, 3 Apr 2020 12:45:42 -0700 Subject: [PATCH 12/14] restrict to only APIPA --- cns/NetworkContainerContract.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 17768d859a..3d8fb158c6 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go 
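Review bot: The new nil guard makes Validate return nil for a nil *NetworkContainerRequestPolicies, i.e. a missing policy is reported as valid. Since EndpointPolicies is declared as `[]NetworkContainerRequestPolicies` (values), a nil receiver can only come from a caller bug, so either drop the guard or make it fail closed — `if networkContainerRequestPolicy == nil { return fmt.Errorf("nil network container request policy") }` — and keep the original body at its previous indentation instead of nesting it. The enclosing function's closing brace is outside the hunk.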
@@ -248,7 +248,7 @@ type ValidAclPolicySetting struct { func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error { // validate ACL policy if networkContainerRequestPolicy != nil { - if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") { + if strings.EqualFold(networkContainerRequestPolicy.Type, "ACLPolicy") && strings.EqualFold(networkContainerRequestPolicy.EndpointType, "APIPA") { var requestedAclPolicy ValidAclPolicySetting if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil { return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err) @@ -259,6 +259,8 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() if requestedAclPolicy.Priority == 0 { return fmt.Errorf("Priority field cannot be empty in ACL Policy") } + } else { + return fmt.Errorf("Only ACL Policies on APIPA endpoint supported") } } return nil From f34a463dc7f3825fd3dbd6ec9f89926429b904cd Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Tue, 7 Apr 2020 22:14:18 -0700 Subject: [PATCH 13/14] placeholder for src/dest IP's + validation --- cns/NetworkContainerContract.go | 13 +++++++++++++ cns/hnsclient/hnsclient_windows.go | 8 ++++++++ 2 files changed, 21 insertions(+) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index 3d8fb158c6..f56f3d9dc8 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go 
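Review bot: The literals `"ACLPolicy"` and `"APIPA"` in the new condition duplicate the unexported `aclPolicyType` and `apipaEndpointType` constants added to hnsclient_windows.go in patch 01, so the contract and the HNS client can drift apart. Export them once from the contract package, e.g. `const ( ACLPolicyType = "ACLPolicy"; APIPAEndpointType = "APIPA" )` next to NetworkContainerRequestPolicies, and use them in both Validate and the hnsclient loop. The `else` branch in the second hunk (@@ -259) is the right direction, turning an unrecognised policy from a silent pass into an error; include the rejected values in the message, `return fmt.Errorf("unsupported policy type %q on endpoint type %q: only ACL policies on APIPA endpoints are supported", networkContainerRequestPolicy.Type, networkContainerRequestPolicy.EndpointType)`, so the refused request can be diagnosed from the log.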
@@ -253,9 +253,22 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate()
 if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil {
 return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err)
 }
+ //Deny request if ACL Action is empty
 if len(strings.TrimSpace(string(requestedAclPolicy.Action))) == 0 {
 return fmt.Errorf("Action field cannot be empty in ACL Policy")
 }
+ //Deny request if ACL Action is not Allow or Deny
+ if !strings.EqualFold(requestedAclPolicy.Action, "Allow") && !strings.EqualFold(requestedAclPolicy.Action, "Deny") {
+ return fmt.Errorf("Only Allow or Deny is supported in Action field")
+ }
+ //Deny request if ACL Direction is empty
+ if len(strings.TrimSpace(string(requestedAclPolicy.Direction))) == 0 {
+ return fmt.Errorf("Direction field cannot be empty in ACL Policy")
+ }
+ //Deny request if ACL direction is not In or Out
+ if !strings.EqualFold(requestedAclPolicy.Direction, "In") && !strings.EqualFold(requestedAclPolicy.Direction, "Out") {
+ return fmt.Errorf("Only Allow or Deny is supported in Action field")
+ }
 if requestedAclPolicy.Priority == 0 {
 return fmt.Errorf("Priority field cannot be empty in ACL Policy")
 }
diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go
index d69bb2d5cd..306236b8ed 100644
--- a/cns/hnsclient/hnsclient_windows.go
+++ b/cns/hnsclient/hnsclient_windows.go
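Review bot: The empty-string checks added in front of the Allow/Deny and In/Out comparisons are redundant — an empty or whitespace-only Action already fails both `strings.EqualFold` calls — so each pair can collapse to the membership check alone, with the message naming what was received: `return fmt.Errorf("unsupported Action %q in ACL policy: only Allow or Deny is supported", requestedAclPolicy.Action)`, and likewise for Direction. The `string(requestedAclPolicy.Action)` and `string(requestedAclPolicy.Direction)` conversions are now identity conversions, since ValidAclPolicySetting declares both fields as plain `string` (the conversion was only needed for hcn.ActionType). Protocols, RuleType, ports and the address fields still pass through Validate unchecked; the address placeholders handled in this patch's hnsclient hunk are the part most worth tightening.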
@@ -445,6 +445,14 @@ func configureAclSettingHostNCApipaEndpoint( if err = json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil { return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err) } + //Using {NetworkContainerIP} as a placeholder to signal using Network Container IP + if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") { + requestedAclPolicy.LocalAddresses = networkContainerApipaIP + } + //Using {HostApipaIP} as a placeholder to signal using Host Apipa IP + if strings.EqualFold(requestedAclPolicy.RemoteAddresses, "{HostApipaIP}") { + requestedAclPolicy.RemoteAddresses = hostApipaIP + } logger.Printf("ACL Policy requested in NcGoalState %+v", requestedAclPolicy) if err = addAclToEndpointPolicy(requestedAclPolicy, &endpointPolicies); err != nil { return nil, err From e44eca0afa8ef63a3b538d0fc2ac768f6fde8296 Mon Sep 17 00:00:00 2001 From: Ali Egal Date: Tue, 7 Apr 2020 22:32:22 -0700 Subject: [PATCH 14/14] typo --- cns/NetworkContainerContract.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go index f56f3d9dc8..f25cd05a12 100644 --- a/cns/NetworkContainerContract.go +++ b/cns/NetworkContainerContract.go @@ -267,7 +267,7 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() } //Deny request if ACL direction is not In or Out if !strings.EqualFold(requestedAclPolicy.Direction, "In") && !strings.EqualFold(requestedAclPolicy.Direction, "Out") { - return fmt.Errorf("Only Allow or Deny is supported in Action field") + return fmt.Errorf("Only In or Out is supported in Direction field") } if requestedAclPolicy.Priority == 0 { return fmt.Errorf("Priority field cannot be empty in ACL Policy")
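Review bot: The placeholder substitution is one-directional and silent on misses: only `{NetworkContainerIP}` in LocalAddresses and `{HostApipaIP}` in RemoteAddresses are resolved, so a policy that puts a token in the other field, or misspells one, reaches addAclToEndpointPolicy with the literal braces still in the address string and is handed to HNS as-is. Reject any unresolved `{...}` token before the policy is applied, and keep the mapping in one helper so both fields are treated the same way; a sketch follows, with the helper at package level outside the hunk. Whether a non-placeholder value is a single IP or a list is not visible here, so no IP parsing is added; if it is a single address, `net.ParseIP` on the non-placeholder path would complete the check. The enclosing function continues outside the hunk.
```go
// resolveApipaAddress substitutes the single placeholder a field supports and
// rejects any other "{...}" token instead of passing it to HNS verbatim.
func resolveApipaAddress(field, placeholder, value string) (string, error) {
	if strings.EqualFold(field, placeholder) {
		return value, nil
	}
	if strings.HasPrefix(field, "{") && strings.HasSuffix(field, "}") {
		return "", fmt.Errorf("unsupported address placeholder %q in ACL policy", field)
	}
	return field, nil
}

// … unchanged: type/endpoint-type check and json.Unmarshal of requestedPolicy.Settings …
if requestedAclPolicy.LocalAddresses, err = resolveApipaAddress(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}", networkContainerApipaIP); err != nil {
	return nil, err
}
if requestedAclPolicy.RemoteAddresses, err = resolveApipaAddress(requestedAclPolicy.RemoteAddresses, "{HostApipaIP}", hostApipaIP); err != nil {
	return nil, err
}
// … unchanged: logger.Printf and addAclToEndpointPolicy …
```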