Refactor giant if & add unit tests

winterhazel · winterhazel · commit 1fac7e26a5c6 · 2024-10-25T15:41:02.000-03:00
diff --git a/engine/components-api/src/main/java/com/cloud/network/rules/FirewallManager.java b/engine/components-api/src/main/java/com/cloud/network/rules/FirewallManager.java
@@ -33,19 +33,18 @@ public interface FirewallManager extends FirewallService {
      * 1. one to one nat ip forwarding
      * 2. port forwarding
      * 3. load balancing
-     *
+     * <p>
      * and conflicts are detected between those two rules. In this case, it
      * is possible for both rules to be rolled back when, technically, we should
      * and the user can simply re-add one of the rules themselves.
      *
-     * @param newRule
-     *            the new rule created.
+     * @param newRule the new rule created.
      * @throws NetworkRuleConflictException
      */
     void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflictException;
 
     void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portStart, Integer portEnd, String proto, Purpose purpose, FirewallRuleType type,
-        Long networkid, FirewallRule.TrafficType trafficType);
+                              Long networkid, FirewallRule.TrafficType trafficType);
 
     boolean applyRules(List<? extends FirewallRule> rules, boolean continueOnError, boolean updateRulesInDB) throws ResourceUnavailableException;
 
@@ -73,7 +72,7 @@ void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portSta
 //            throws NetworkRuleConflictException;
 
     FirewallRule createRuleForAllCidrs(long ipAddrId, Account caller, Integer startPort, Integer endPort, String protocol, Integer icmpCode, Integer icmpType,
-        Long relatedRuleId, long networkId) throws NetworkRuleConflictException;
+                                       Long relatedRuleId, long networkId) throws NetworkRuleConflictException;
 
     boolean revokeAllFirewallRulesForNetwork(long networkId, long userId, Account caller) throws ResourceUnavailableException;
 
diff --git a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -40,6 +40,7 @@
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.network.RoutedIpv4Manager;
+import org.apache.commons.lang3.ObjectUtils;
 import org.springframework.stereotype.Component;
 
 import com.cloud.configuration.Config;
@@ -410,12 +411,13 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
                 _firewallDao.loadSourceCidrs(rule);
                 _firewallDao.loadSourceCidrs((FirewallRuleVO)newRule);
 
+                if (ObjectUtils.anyNull(rule.getSourceCidrList(), newRule.getSourceCidrList())) {
+                    continue;
+                }
+
                 _firewallDao.loadDestinationCidrs(rule);
                 _firewallDao.loadDestinationCidrs((FirewallRuleVO) newRule);
 
-                if (rule.getSourceCidrList() == null || newRule.getSourceCidrList() == null) {
-                    continue;
-                }
                 duplicatedCidrs = (detectConflictingCidrs(rule.getSourceCidrList(), newRule.getSourceCidrList()) && detectConflictingCidrs(rule.getDestinationCidrList(), newRule.getDestinationCidrList()));
             }
 
@@ -424,7 +426,7 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
                 _firewallDao.loadSourceCidrs(rule);
                 _firewallDao.loadSourceCidrs((FirewallRuleVO) newRule);
 
-                if (rule.getSourceCidrList() == null || newRule.getSourceCidrList() == null) {
+                if (ObjectUtils.anyNull(rule.getSourceCidrList(), newRule.getSourceCidrList())) {
                     continue;
                 }
 
@@ -464,18 +466,7 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
 
             if (!notNullPorts) {
                 continue;
-            } else if (!oneOfRulesIsFirewall &&
-                !((bothRulesFirewall || bothRulesPortForwarding) && !duplicatedCidrs) &&
-                ((rule.getSourcePortStart().intValue() <= newRule.getSourcePortStart().intValue() &&
-                    rule.getSourcePortEnd().intValue() >= newRule.getSourcePortStart().intValue()) ||
-                    (rule.getSourcePortStart().intValue() <= newRule.getSourcePortEnd().intValue() &&
-                    rule.getSourcePortEnd().intValue() >= newRule.getSourcePortEnd().intValue()) ||
-                    (newRule.getSourcePortStart().intValue() <= rule.getSourcePortStart().intValue() &&
-                    newRule.getSourcePortEnd().intValue() >= rule.getSourcePortStart().intValue()) ||
-                (newRule.getSourcePortStart().intValue() <= rule.getSourcePortEnd().intValue() &&
-                newRule.getSourcePortEnd().intValue() >= rule.getSourcePortEnd().intValue()))) {
-                //Above else if conditions checks for the conflicting port ranges.
-
+            } else if (checkIfRulesHaveConflictingPortRanges(newRule, rule, oneOfRulesIsFirewall, bothRulesFirewall, bothRulesPortForwarding, duplicatedCidrs)) {
                 // we allow port forwarding rules with the same parameters but different protocols
                 boolean allowPf =
                     (rule.getPurpose() == Purpose.PortForwarding && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(
@@ -502,6 +493,45 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
         }
     }
 
+    protected boolean checkIfRulesHaveConflictingPortRanges(FirewallRule newRule, FirewallRule rule, boolean oneOfRulesIsFirewall, boolean bothRulesFirewall, boolean bothRulesPortForwarding, boolean duplicatedCidrs) {
+        String rulesAsString = String.format("[%s] and [%s]", rule, newRule);
+
+        if (oneOfRulesIsFirewall) {
+            logger.debug("Only one of the rules (%s) is firewall; therefore, their port ranges will not conflict.",
+                    rulesAsString);
+            return false;
+        }
+
+        if ((bothRulesFirewall || bothRulesPortForwarding) && !duplicatedCidrs) {
+            logger.debug("Both rules (%s) are firewall/port forwarding, but they do not have duplicated CIDRs; therefore, their port ranges will not conflict.",
+                    rulesAsString);
+            return false;
+        }
+
+        if (rule.getSourcePortStart() <= newRule.getSourcePortStart() && rule.getSourcePortEnd() >= newRule.getSourcePortStart()) {
+            logger.debug("Rules (%s) have conflicting port ranges.", rulesAsString);
+            return true;
+        }
+
+        if (rule.getSourcePortStart() <= newRule.getSourcePortEnd() && rule.getSourcePortEnd() >= newRule.getSourcePortEnd()) {
+            logger.debug("Rules (%s) have conflicting port ranges.", rulesAsString);
+            return true;
+        }
+
+        if (newRule.getSourcePortStart() <= rule.getSourcePortStart() && newRule.getSourcePortEnd() >= rule.getSourcePortStart()) {
+            logger.debug("Rules (%s) have conflicting port ranges.", rulesAsString);
+            return true;
+        }
+
+        if (newRule.getSourcePortStart() <= rule.getSourcePortEnd() && newRule.getSourcePortEnd() >= rule.getSourcePortEnd()) {
+            logger.debug("Rules (%s) have conflicting port ranges.", rulesAsString);
+            return true;
+        }
+
+        logger.debug("Rules (%s) do not have conflicting port ranges.", rulesAsString);
+        return false;
+    }
+
     @Override
     public void validateFirewallRule(Account caller, IPAddressVO ipAddress, Integer portStart, Integer portEnd, String proto, Purpose purpose, FirewallRuleType type,
         Long networkId, FirewallRule.TrafficType trafficType) {
diff --git a/server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java b/server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java
@@ -27,26 +27,26 @@
 import com.cloud.network.element.FirewallServiceProvider;
 import com.cloud.network.element.VirtualRouterElement;
 import com.cloud.network.element.VpcVirtualRouterElement;
-import com.cloud.network.rules.FirewallManager;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.network.vpc.VpcManager;
 import com.cloud.user.AccountManager;
 import com.cloud.user.DomainManager;
 import com.cloud.utils.component.ComponentContext;
-import junit.framework.Assert;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 import org.junit.After;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
+import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import java.util.ArrayList;
@@ -111,19 +111,42 @@ public void testInjected() {
     @Mock
     FirewallRulesDao _firewallDao;
 
+    @Spy
     @InjectMocks
-    FirewallManager _firewallMgr = new FirewallManagerImpl();
+    FirewallManagerImpl _firewallMgr;
+
+    FirewallRule fwRule50to150;
+    FirewallRule fwRule100to200;
+    FirewallRule fwRule151to200;
+
+    FirewallRule pfRule50to150;
+    FirewallRule pfRule100to200;
+    FirewallRule pfRule151to200;
+
 
     @Before
     public void initMocks() {
         closeable = MockitoAnnotations.openMocks(this);
+
+        fwRule50to150 = createFirewallRule(50, 150, Purpose.Firewall);
+        fwRule100to200 = createFirewallRule(100, 150, Purpose.Firewall);
+        fwRule151to200 = createFirewallRule(151, 200, Purpose.Firewall);
+
+        pfRule50to150 = createFirewallRule(50, 150, Purpose.PortForwarding);
+        pfRule100to200 = createFirewallRule(100, 150, Purpose.PortForwarding);
+        pfRule151to200 = createFirewallRule(151, 200, Purpose.PortForwarding);
     }
 
     @After
     public void tearDown() throws Exception {
         closeable.close();
     }
 
+    private FirewallRule createFirewallRule(int startPort, int endPort, Purpose purpose) {
+        return new FirewallRuleVO("xid", 1L, startPort, endPort, "TCP", 2, 3, 4, purpose, new ArrayList<>(),
+                new ArrayList<>(), 5, 6, null, FirewallRule.TrafficType.Ingress);
+    }
+
     @Ignore("Requires database to be set up")
     @Test
     public void testApplyRules() {
@@ -218,6 +241,75 @@ public void testDetectRulesConflict() {
         }
     }
 
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestOnlyOneRuleIsFirewallReturnsFalse()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(fwRule50to150, pfRule50to150, true, false, false, true);
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesAreFirewallButNoDuplicateCidrsReturnsFalse()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(fwRule50to150, fwRule50to150, false, true, false, false);
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesArePortForwardingButNoDuplicateCidrsReturnsFalse()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(pfRule50to150, pfRule50to150, false, false, true, false);
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesAreFirewallAndDuplicatedCidrsAndNewRuleSourceStartPortIsInsideExistingRangeReturnsTrue()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(fwRule100to200, fwRule50to150, false, true, false, true);
+
+        Assert.assertTrue(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesAreFirewallAndDuplicatedCidrsAndNewRuleSourceEndPortIsInsideExistingRangeReturnsTrue()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(fwRule50to150, fwRule100to200, false, true, false, true);
+
+        Assert.assertTrue(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesArePortForwardingAndDuplicatedCidrsAndNewRuleSourceStartPortIsInsideExistingRangeReturnsTrue()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(pfRule50to150, pfRule100to200, false, false, true, true);
+
+        Assert.assertTrue(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesArePortForwardingAndDuplicatedCidrsAndNewRuleSourceEndPortIsInsideExistingRangeReturnsTrue()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(pfRule50to150, pfRule100to200, false, false, true, true);
+
+        Assert.assertTrue(result);
+    }
+
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesAreFirewallAndDuplicatedCidrsAndNoRangeConflictReturnsFalse()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(fwRule50to150, fwRule151to200, false, true, false, true);
 
+        Assert.assertFalse(result);
+    }
 
+    @Test
+    public void checkIfRulesHaveConflictingPortRangesTestBothRulesArePortForwardingAndDuplicatedCidrsAndNoRangeConflictReturnsFalse()
+    {
+        boolean result = _firewallMgr.checkIfRulesHaveConflictingPortRanges(pfRule50to150, pfRule151to200, false, false, true, true);
+
+        Assert.assertFalse(result);
+    }
 }
