package models
import (
"github.com/Juniper/asf/pkg/errutil"
uuid "github.com/satori/go.uuid"
)
// CheckNetworkPolicyRules validates policy rules from policy entries for Network Policy.
//
// A nil receiver is treated as valid. The rules first go through the checks
// shared with security groups (checkPolicyEntriesRules); then every rule must
// carry an action list and must not refer to a security group. The first
// violation found is returned; nil means all rules passed.
func (e *PolicyEntriesType) CheckNetworkPolicyRules() error {
	if e == nil {
		return nil
	}
	policyRules := e.GetPolicyRule()
	if err := checkPolicyEntriesRules(policyRules); err != nil {
		return err
	}
	for _, r := range policyRules {
		switch {
		case r.ActionList == nil:
			return errutil.ErrorBadRequest("Check Policy Rules failed. Action is required.")
		case r.HasSecurityGroup():
			return errutil.ErrorBadRequest("Config Error: Policy Rule refering to Security Group is not allowed")
		}
	}
	return nil
}
// CheckSecurityGroupRules validates policy rules from policy entries for Security Group.
//
// A nil receiver is treated as valid. The rules first go through the checks
// shared with network policies (checkPolicyEntriesRules); then each rule's
// subnets are validated against its ethertype, and at least one of its
// source or destination addresses must be 'local'. The first violation found
// is returned; nil means all rules passed.
func (e *PolicyEntriesType) CheckSecurityGroupRules() error {
	if e == nil {
		return nil
	}
	policyRules := e.GetPolicyRule()
	if err := checkPolicyEntriesRules(policyRules); err != nil {
		return err
	}
	for _, r := range policyRules {
		if err := r.ValidateSubnetsWithEthertype(); err != nil {
			return err
		}
		if r.IsAnySecurityGroupAddrLocal() {
			continue
		}
		return errutil.ErrorBadRequest("At least one of source " +
			"or destination addresses must be 'local'")
	}
	return nil
}
// FillRuleUUIDs adds UUID to every PolicyRule within PolicyEntriesType
// which doesn't have one.
//
// Rules that already carry a RuleUUID are left untouched; the others get a
// freshly generated random (version 4) UUID. A nil receiver is a no-op.
func (e *PolicyEntriesType) FillRuleUUIDs() {
	if e == nil {
		return
	}
	for i := range e.PolicyRule {
		if e.PolicyRule[i].GetRuleUUID() != "" {
			continue
		}
		e.PolicyRule[i].RuleUUID = uuid.NewV4().String()
	}
}
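// checkPolicyEntriesRules performs the checks shared by network policies and
// security groups: every rule must be present (non-nil), must not duplicate
// a later rule in the list, and must have a valid protocol.
//
// It returns a bad-request error for a nil rule, a conflict error for a
// duplicate, the error from ValidateProtocol when the protocol is invalid,
// and nil when all rules pass.
func checkPolicyEntriesRules(rules []*PolicyRuleType) error {
	// Reject nil entries before any comparison: isRuleInRules dereferences
	// the rule it is given and calls EqualRule on every later entry, so a nil
	// element anywhere in the list would otherwise panic instead of being
	// reported to the caller as an invalid request.
	for _, rule := range rules {
		if rule == nil {
			return errutil.ErrorBadRequest("Check Policy Rules failed. Policy rule must not be empty.")
		}
	}
	for i, rule := range rules {
		// Compare only against later rules so each duplicate pair is found once.
		if isRuleInRules(rule, rules[i+1:]) {
			return errutil.ErrorConflictf("Rule already exists: %v", rule.GetRuleUUID())
		}
		if err := rule.ValidateProtocol(); err != nil {
			return err
		}
	}
	return nil
}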
// isRuleInRules reports whether any element of rules is equal to rule
// according to PolicyRuleType.EqualRule. rule is dereferenced for each
// comparison, so it must be non-nil whenever rules is non-empty.
func isRuleInRules(rule *PolicyRuleType, rules []*PolicyRuleType) bool {
	for i := range rules {
		if rules[i].EqualRule(*rule) {
			return true
		}
	}
	return false
}