fix: [M3-9917] - Internal Akamai Employee Firewall Policy banner logic (linode#12166)

* save progress

* clean up logic

* unit test

* add comment

* Added changeset: Issue preventing Internal Akamai Employees from creating Linodes using VLAN interfaces

---------

Co-authored-by: Banks Nussman <[email protected]>

Author: bnussman-akamai

packages/manager/.changeset/pr-12166-fixed-1746574391327.md

@@ -0,0 +1,5 @@
+---
+"@linode/manager": Fixed
+---
+
+Issue preventing Internal Akamai Employees from creating Linodes using VLAN interfaces ([#12166](https://github.com/linode/manager/pull/12166))

packages/manager/src/features/Linodes/LinodeCreate/Actions.tsx

@@ -10,6 +10,7 @@ import { useIsLinodeInterfacesEnabled } from 'src/utilities/linodes';
 
 import { ApiAwarenessModal } from './ApiAwarenessModal/ApiAwarenessModal';
 import {
+  getDoesEmployeeNeedToAssignFirewall,
   getLinodeCreatePayload,
   useLinodeCreateQueryParams,
 } from './utilities';
@@ -29,34 +30,18 @@ export const Actions = () => {
     globalGrantType: 'add_linodes',
   });
 
-  const [
-    legacyFirewallId,
-    firstLinodeInterfaceFirewallId,
-    firstLinodeInterfaceType,
-    interfaceGeneration,
-  ] = useWatch({
-    name: [
-      'firewall_id',
-      'linodeInterfaces.0.firewall_id',
-      'linodeInterfaces.0.purpose',
-      'interface_generation',
-    ],
+  const [legacyFirewallId, linodeInterfaces, interfaceGeneration] = useWatch({
     control,
+    name: ['firewall_id', 'linodeInterfaces', 'interface_generation'],
   });
 
-  const firewallId =
-    interfaceGeneration === 'linode'
-      ? firstLinodeInterfaceFirewallId
-      : legacyFirewallId;
-
-  const userNeedsToTakeActionAboutInternalFirewallPolicy =
-    interfaceGeneration === 'linode' && firstLinodeInterfaceType === 'vlan'
-      ? false
-      : 'firewallOverride' in formState.errors && !firewallId;
-
-  const disableSubmitButton =
-    isLinodeCreateRestricted ||
-    userNeedsToTakeActionAboutInternalFirewallPolicy;
+  const userNeedsToAssignFirewall =
+    'firewallOverride' in formState.errors &&
+    getDoesEmployeeNeedToAssignFirewall(
+      legacyFirewallId,
+      linodeInterfaces,
+      interfaceGeneration
+    );
 
   const onOpenAPIAwareness = async () => {
     sendApiAwarenessClickEvent('Button', 'View Code Snippets');
@@ -80,7 +65,7 @@ export const Actions = () => {
       </Button>
       <Button
         buttonType="primary"
-        disabled={disableSubmitButton}
+        disabled={isLinodeCreateRestricted || userNeedsToAssignFirewall}
         loading={formState.isSubmitting}
         type="submit"
       >

packages/manager/src/features/Linodes/LinodeCreate/FirewallAuthorization.tsx

@@ -5,7 +5,10 @@ import { useController, useFormContext, useWatch } from 'react-hook-form';
 import { AkamaiBanner } from 'src/components/AkamaiBanner/AkamaiBanner';
 import { useFlags } from 'src/hooks/useFlags';
 
-import type { LinodeCreateFormValues } from './utilities';
+import {
+  getDoesEmployeeNeedToAssignFirewall,
+  type LinodeCreateFormValues,
+} from './utilities';
 
 export const FirewallAuthorization = () => {
   const flags = useFlags();
@@ -17,34 +20,18 @@ export const FirewallAuthorization = () => {
     name: 'firewallOverride',
   });
 
-  const [
-    legacyFirewallId,
-    firstLinodeInterfaceFirewallId,
-    firstLinodeInterfaceType,
-    interfaceGeneration,
-  ] = useWatch({
-    name: [
-      'firewall_id',
-      'linodeInterfaces.0.firewall_id',
-      'linodeInterfaces.0.purpose',
-      'interface_generation',
-    ],
+  const [legacyFirewallId, linodeInterfaces, interfaceGeneration] = useWatch({
     control,
+    name: ['firewall_id', 'linodeInterfaces', 'interface_generation'],
   });
 
-  // Special case ❗️
-  // VLAN interfaces do not support Firewalls, so we hide this notice
-  // if that's what the user selects.
-  if (firstLinodeInterfaceType === 'vlan' && interfaceGeneration === 'linode') {
-    return null;
-  }
-
-  const firewallId =
-    interfaceGeneration === 'linode'
-      ? firstLinodeInterfaceFirewallId
-      : legacyFirewallId;
+  const userNeedsToAssignFirewall = getDoesEmployeeNeedToAssignFirewall(
+    legacyFirewallId,
+    linodeInterfaces,
+    interfaceGeneration
+  );
 
-  if (firewallId || !(fieldState.isDirty || fieldState.error)) {
+  if (!userNeedsToAssignFirewall || !(fieldState.isDirty || fieldState.error)) {
     return null;
   }
 

packages/manager/src/features/Linodes/LinodeCreate/resolvers.ts

@@ -11,7 +11,10 @@ import {
   CreateLinodeFromStackScriptSchema,
   CreateLinodeSchema,
 } from './schemas';
-import { getInterfacesPayload } from './utilities';
+import {
+  getDoesEmployeeNeedToAssignFirewall,
+  getInterfacesPayload,
+} from './utilities';
 
 import type {
   LinodeCreateFormContext,
@@ -87,22 +90,24 @@ export const getLinodeCreateResolver = (
       }
     }
 
-    // If we're dealing with an employee account and they did not bypass
-    // the firewall banner....
-    if (context?.secureVMNoticesEnabled && !values.firewallOverride) {
-      // Get the selected Firewall ID depending on what Interface Generation is selected
-      const firewallId =
-        values.interface_generation === 'linode'
-          ? values.linodeInterfaces[0].firewall_id
-          : values.firewall_id;
-
-      if (!firewallId) {
-        (errors as FieldErrors<LinodeCreateFormValues>)['firewallOverride'] = {
-          // This message does not get surfaced, see FirewallAuthorization.tsx
-          message: 'You must select a Firewall or bypass the Firewall policy.',
-          type: 'validate',
-        };
-      }
+    // If
+    // - we're dealing with an employee account
+    // - and the employee did not bypass/override the Firewall warning
+    // - and their networking configuration "requires" a firewall
+    if (
+      context?.secureVMNoticesEnabled &&
+      !values.firewallOverride &&
+      getDoesEmployeeNeedToAssignFirewall(
+        values.firewall_id,
+        values.linodeInterfaces,
+        values.interface_generation
+      )
+    ) {
+      (errors as FieldErrors<LinodeCreateFormValues>)['firewallOverride'] = {
+        // This message does not get surfaced, but triggers an error so that FirewallAuthorization.tsx renders
+        message: 'You must select a Firewall or bypass the Firewall policy.',
+        type: 'validate',
+      };
     }
 
     if (errors) {

packages/manager/src/features/Linodes/LinodeCreate/utilities.test.tsx

@@ -9,6 +9,7 @@ import {
 
 import {
   getDefaultInterfaceGenerationFromAccountSetting,
+  getDoesEmployeeNeedToAssignFirewall,
   getInterfacesPayload,
   getIsValidLinodeLabelCharacter,
   getLinodeCreatePayload,
@@ -437,3 +438,121 @@ describe('getDefaultInterfaceGenerationFromAccountSetting', () => {
     ).toBe('linode');
   });
 });
+
+describe('getDoesEmployeeNeedToAssignFirewall', () => {
+  describe('Legacy Interfaces', () => {
+    it('returns true when no firewall is selected', () => {
+      expect(
+        getDoesEmployeeNeedToAssignFirewall(null, [], 'legacy_config')
+      ).toBe(true);
+    });
+    it('returns false when a firewall is selected', () => {
+      expect(getDoesEmployeeNeedToAssignFirewall(5, [], 'legacy_config')).toBe(
+        false
+      );
+    });
+  });
+
+  describe('Linode Interfaces', () => {
+    it('should return true for a public Linode Interface without a firewall selected', () => {
+      expect(
+        getDoesEmployeeNeedToAssignFirewall(
+          null,
+          [
+            {
+              public: {},
+              purpose: 'public',
+              vpc: null,
+              default_route: null,
+              vlan: null,
+            },
+          ],
+          'linode'
+        )
+      ).toBe(true);
+    });
+
+    it('should return false for a public Linode Interface with a firewall selected', () => {
+      expect(
+        getDoesEmployeeNeedToAssignFirewall(
+          null,
+          [
+            {
+              public: {},
+              purpose: 'public',
+              vpc: null,
+              firewall_id: 5,
+              default_route: null,
+              vlan: null,
+            },
+          ],
+          'linode'
+        )
+      ).toBe(false);
+    });
+
+    it('should return true for VPC Linode Interface without a firewall selected', () => {
+      expect(
+        getDoesEmployeeNeedToAssignFirewall(
+          5,
+          [
+            {
+              vpc: { vpc_id: 1, subnet_id: 2 },
+              purpose: 'vpc',
+              public: null,
+              firewall_id: null,
+              default_route: null,
+              vlan: null,
+            },
+          ],
+          'linode'
+        )
+      ).toBe(true);
+    });
+
+    it('should return false when only a VLAN Linode Interface is selected', () => {
+      expect(
+        getDoesEmployeeNeedToAssignFirewall(
+          5,
+          [
+            {
+              vpc: null,
+              purpose: 'vlan',
+              public: null,
+              default_route: null,
+              vlan: { vlan_label: 'my-vlan-1' },
+            },
+          ],
+          'linode'
+        )
+      ).toBe(false);
+    });
+
+    // Currently, the Linode Create flow only allows one Linode interface, but we built it to support
+    // many interfaces if we ever want to allow it.
+    it('should require a firewall when a Public and VLAN Linode Interface are selected', () => {
+      expect(
+        getDoesEmployeeNeedToAssignFirewall(
+          5,
+          [
+            {
+              purpose: 'public',
+              public: {},
+              vpc: null,
+              vlan: null,
+              default_route: null,
+            },
+            {
+              vpc: null,
+              purpose: 'vlan',
+              public: null,
+              default_route: null,
+              vlan: { vlan_label: 'my-vlan-1' },
+            },
+          ],
+          'linode'
+        )
+      ).toBe(true);
+    });
+  });
+});

packages/manager/src/features/Linodes/LinodeCreate/utilities.ts

@@ -693,3 +693,32 @@ export const getDefaultInterfaceGenerationFromAccountSetting = (
   }
   return undefined;
 };
+
+/**
+ * getDoesEmployeeNeedToAssignFirewall
+ *
+ * @returns
+ * `true` if an internal Akamai employee should be creating their Linode
+ * with a Firewall given the current network Configuration.
+ *
+ * `false` if the user has satisified the Firewall requirment or
+ * their network configuration does not require a Firewall.
+ */
+export const getDoesEmployeeNeedToAssignFirewall = (
+  legacyFirewallId: LinodeCreateFormValues['firewall_id'],
+  linodeInterfaces: LinodeCreateFormValues['linodeInterfaces'],
+  interfaceGeneration: LinodeCreateFormValues['interface_generation']
+) => {
+  if (interfaceGeneration === 'linode') {
+    // VLAN Linode interfaces do not support Firewalls, so we don't consider them.
+    const interfacesThatMayHaveInternetConnectivity = linodeInterfaces.filter(
+      (i) => i.purpose !== 'vlan'
+    );
+
+    return !interfacesThatMayHaveInternetConnectivity.every(
+      (i) => i.firewall_id
+    );
+  }
+
+  return !legacyFirewallId;
+};