placeholder for src/dest IP's + validation

aegal · aegal · commit f34a463dc7f3 · 2020-04-07T22:14:18.000-07:00
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
@@ -253,9 +253,22 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate()
 			if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil {
 				return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err)
 			}
+			//Deny request if ACL Action is empty
 			if len(strings.TrimSpace(string(requestedAclPolicy.Action))) == 0 {
 				return fmt.Errorf("Action field cannot be empty in ACL Policy")
 			}
+			//Deny request if ACL Action is not Allow or Deny
+			if !strings.EqualFold(requestedAclPolicy.Action, "Allow") && !strings.EqualFold(requestedAclPolicy.Action, "Deny") {
+				return fmt.Errorf("Only Allow or Deny is supported in Action field")
+			}
+			//Deny request if ACL Direction is empty
+			if len(strings.TrimSpace(string(requestedAclPolicy.Direction))) == 0 {
+				return fmt.Errorf("Direction field cannot be empty in ACL Policy")
+			}
+			//Deny request if ACL direction is not In or Out
+			if !strings.EqualFold(requestedAclPolicy.Direction, "In") && !strings.EqualFold(requestedAclPolicy.Direction, "Out") {
+				return fmt.Errorf("Only Allow or Deny is supported in Action field")
+			}
 			if requestedAclPolicy.Priority == 0 {
 				return fmt.Errorf("Priority field cannot be empty in ACL Policy")
 			}
diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go
@@ -445,6 +445,14 @@ func configureAclSettingHostNCApipaEndpoint(
 				if err = json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil {
 					return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err)
 				}
+				//Using {NetworkContainerIP} as a placeholder to signal using Network Container IP
+				if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") {
+					requestedAclPolicy.LocalAddresses = networkContainerApipaIP
+				}
+				//Using {HostApipaIP} as a placeholder to signal using Host Apipa IP
+				if strings.EqualFold(requestedAclPolicy.RemoteAddresses, "{HostApipaIP}") {
+					requestedAclPolicy.RemoteAddresses = hostApipaIP
+				}
 				logger.Printf("ACL Policy requested in NcGoalState %+v", requestedAclPolicy)
 				if err = addAclToEndpointPolicy(requestedAclPolicy, &endpointPolicies); err != nil {
 					return nil, err
