Add support to add and remove ACL rules when CIDR list is passed when creating LB rules (#53)

* Add support to add and remove ACL rules when CIDR list is passed when creating LB rules

* add deny all rule

* delete the deny rule as well

Author: Pearl1594

api/src/main/java/com/cloud/network/netris/NetrisNetworkRule.java

@@ -29,13 +29,17 @@ public enum NetrisRuleAction {
     private SDNProviderNetworkRule baseRule;
     private NetrisRuleAction aclAction;
     private List<NetrisLbBackend> lbBackends;
+    private String lbRuleName;
+    private String lbCidrList;
     private String reason;
 
     public NetrisNetworkRule(Builder builder) {
         this.baseRule = builder.baseRule;
         this.aclAction = builder.aclAction;
         this.lbBackends = builder.lbBackends;
         this.reason = builder.reason;
+        this.lbCidrList = builder.lbCidrList;
+        this.lbRuleName = builder.lbRuleName;
     }
 
     public NetrisRuleAction getAclAction() {
@@ -50,6 +54,10 @@ public String getReason() {
         return reason;
     }
 
+    public String getLbCidrList() {return lbCidrList; }
+
+    public String getLbRuleName() { return lbRuleName; }
+
     public SDNProviderNetworkRule getBaseRule() {
         return baseRule;
     }
@@ -60,6 +68,8 @@ public static class Builder {
         private NetrisRuleAction aclAction;
         private List<NetrisLbBackend> lbBackends;
         private String reason;
+        private String lbCidrList;
+        private String lbRuleName;
 
         public Builder baseRule(SDNProviderNetworkRule baseRule) {
             this.baseRule = baseRule;
@@ -81,6 +91,16 @@ public Builder reason(String reason) {
             return this;
         }
 
+        public Builder lbCidrList(String lbCidrList) {
+            this.lbCidrList = lbCidrList;
+            return this;
+        }
+
+        public Builder lbRuleName(String lbRuleName) {
+            this.lbRuleName = lbRuleName;
+            return this;
+        }
+
         public NetrisNetworkRule build() {
             return new NetrisNetworkRule(this);
         }

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/agent/api/CreateOrUpdateNetrisLoadBalancerRuleCommand.java

@@ -28,6 +28,8 @@ public class CreateOrUpdateNetrisLoadBalancerRuleCommand extends NetrisCommand {
     List<NetrisLbBackend> lbBackends;
     private String publicIp;
     private final Long lbId;
+    private String cidrList;
+    private String ruleName;
 
     public CreateOrUpdateNetrisLoadBalancerRuleCommand(long zoneId, Long accountId, Long domainId, String name, Long id, boolean isVpc,
                                                        List<NetrisLbBackend> lbBackends, long lbId, String publicIp, String publicPort,
@@ -69,4 +71,20 @@ public Long getLbId() {
     public String getPublicIp() {
         return publicIp;
     }
+
+    public String getCidrList() {
+        return cidrList;
+    }
+
+    public void setCidrList(String cidrList) {
+        this.cidrList = cidrList;
+    }
+
+    public String getRuleName() {
+        return ruleName;
+    }
+
+    public void setRuleName(String ruleName) {
+        this.ruleName = ruleName;
+    }
 }

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/agent/api/DeleteNetrisLoadBalancerRuleCommand.java

@@ -18,6 +18,8 @@
 
 public class DeleteNetrisLoadBalancerRuleCommand extends NetrisCommand {
     private Long lbId;
+    private String ruleName;
+    private String cidrList;
 
     public DeleteNetrisLoadBalancerRuleCommand(long zoneId, Long accountId, Long domainId, String name, Long id, boolean isVpc, Long lbId) {
         super(zoneId, accountId, domainId, name, id, isVpc);
@@ -31,4 +33,20 @@ public Long getLbId() {
     public void setLbId(Long lbId) {
         this.lbId = lbId;
     }
+
+    public String getRuleName() {
+        return ruleName;
+    }
+
+    public void setRuleName(String ruleName) {
+        this.ruleName = ruleName;
+    }
+
+    public String getCidrList() {
+        return cidrList;
+    }
+
+    public void setCidrList(String cidrList) {
+        this.cidrList = cidrList;
+    }
 }

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java

@@ -319,15 +319,15 @@ private Answer executeRequest(DeleteNetrisNatRuleCommand cmd) {
     }
 
     private Answer executeRequest(CreateNetrisACLCommand cmd) {
-        boolean result = netrisApiClient.addAclRule(cmd);
+        boolean result = netrisApiClient.addAclRule(cmd, false);
         if (!result) {
             return new NetrisAnswer(cmd, false, String.format("Creation of Netris ACL rule: %s failed", cmd.getNetrisAclName()));
         }
         return new NetrisAnswer(cmd, true, "OK");
     }
 
     private Answer executeRequest(DeleteNetrisACLCommand cmd) {
-        boolean result = netrisApiClient.deleteAclRule(cmd);
+        boolean result = netrisApiClient.deleteAclRule(cmd, false);
         if (!result) {
             return new NetrisAnswer(cmd, false, String.format("Failed to delete Netris ACLs: %s", String.join("'", cmd.getAclRuleNames())));
         }

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/service/NetrisApiClient.java

@@ -81,8 +81,8 @@ public interface NetrisApiClient {
     boolean createOrUpdateDNATRule(CreateOrUpdateNetrisNatCommand cmd);
     boolean createStaticNatRule(CreateOrUpdateNetrisNatCommand cmd);
     boolean deleteNatRule(DeleteNetrisNatRuleCommand cmd);
-    boolean addAclRule(CreateNetrisACLCommand cmd);
-    boolean deleteAclRule(DeleteNetrisACLCommand cmd);
+    boolean addAclRule(CreateNetrisACLCommand cmd, boolean forLb);
+    boolean deleteAclRule(DeleteNetrisACLCommand cmd, boolean forLb);
     boolean addOrUpdateStaticRoute(AddOrUpdateNetrisStaticRouteCommand cmd);
     boolean deleteStaticRoute(DeleteNetrisStaticRouteCommand cmd);
     boolean releaseNatIp(ReleaseNatIpCommand cmd);

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/service/NetrisApiClientImpl.java

@@ -17,6 +17,7 @@
 package org.apache.cloudstack.service;
 
 import com.cloud.network.netris.NetrisLbBackend;
+import com.cloud.network.netris.NetrisNetworkRule;
 import com.cloud.utils.Pair;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.net.NetUtils;
@@ -131,6 +132,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Objects;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.stream.Collectors;
 
 public class NetrisApiClientImpl implements NetrisApiClient {
@@ -330,7 +332,7 @@ public boolean deleteNatRule(DeleteNetrisNatRuleCommand cmd) {
     }
 
     @Override
-    public boolean addAclRule(CreateNetrisACLCommand cmd) {
+    public boolean addAclRule(CreateNetrisACLCommand cmd, boolean forLb) {
         String aclName = cmd.getNetrisAclName();
         try {
             AclApi aclApi = apiClient.getApiStubForMethod(AclApi.class);
@@ -366,10 +368,18 @@ public boolean addAclRule(CreateNetrisACLCommand cmd) {
             if (NatPutBody.ProtocolEnum.ICMP.name().equalsIgnoreCase(protocol)) {
                 aclAddItem.setIcmpType(cmd.getIcmpType());
             }
-            String netrisVpcName = getNetrisVpcName(cmd, cmd.getVpcId(), cmd.getVpcName());
-            VPCListing vpcResource = getNetrisVpcResource(netrisVpcName);
-            if (Objects.isNull(vpcResource)) {
-                return false;
+            VPCListing vpcResource;
+            String netrisVpcName;
+            if (forLb) {
+                vpcResource = getSystemVpc();
+                netrisVpcName = vpcResource.getName();
+
+            } else {
+                netrisVpcName = getNetrisVpcName(cmd, cmd.getVpcId(), cmd.getVpcName());
+                vpcResource = getNetrisVpcResource(netrisVpcName);
+                if (Objects.isNull(vpcResource)) {
+                    return false;
+                }
             }
             AclBodyVpc vpc = new AclBodyVpc().id(vpcResource.getId());
             aclAddItem.setVpc(vpc);
@@ -387,13 +397,19 @@ public boolean addAclRule(CreateNetrisACLCommand cmd) {
     }
 
     @Override
-    public boolean deleteAclRule(DeleteNetrisACLCommand cmd) {
+    public boolean deleteAclRule(DeleteNetrisACLCommand cmd, boolean forLb) {
         List<String> aclNames = cmd.getAclRuleNames();
         try {
             AclApi aclApi = apiClient.getApiStubForMethod(AclApi.class);
 
-            String suffix = getNetrisVpcNameSuffix(cmd.getVpcId(), cmd.getVpcName(), cmd.getId(), cmd.getName(), cmd.isVpc());
-            String vpcName = NetrisResourceObjectUtils.retrieveNetrisResourceObjectName(cmd, NetrisResourceObjectUtils.NetrisObjectType.VPC, suffix);
+            String vpcName;
+            if (!forLb) {
+                String suffix = getNetrisVpcNameSuffix(cmd.getVpcId(), cmd.getVpcName(), cmd.getId(), cmd.getName(), cmd.isVpc());
+                vpcName = NetrisResourceObjectUtils.retrieveNetrisResourceObjectName(cmd, NetrisResourceObjectUtils.NetrisObjectType.VPC, suffix);
+            } else {
+                VPCListing vpcResource = getSystemVpc();
+                vpcName = vpcResource.getName();
+            }
             Pair<Boolean, List<BigDecimal>> resultAndMatchingAclIds = getMatchingAclIds(aclNames, vpcName);
             Boolean result = resultAndMatchingAclIds.first();
             List<BigDecimal> matchingAclIds = resultAndMatchingAclIds.second();
@@ -661,12 +677,65 @@ public boolean createOrUpdateLbRule(CreateOrUpdateNetrisLoadBalancerRuleCommand
             if (ObjectUtils.allNull(editResponse, createResponse) || Boolean.FALSE.equals(success)) {
                 throw new CloudRuntimeException(String.format("Failed to %s Netris LB rule", updateRule ? "update" : "create"));
             }
+            if (Objects.nonNull(cmd.getCidrList())) {
+                applyAclRulesForLb(cmd, lbName);
+            }
         } catch (ApiException e) {
             logAndThrowException("Failed to create Netris load balancer rule", e);
         }
         return true;
     }
 
+    private void applyAclRulesForLb(CreateOrUpdateNetrisLoadBalancerRuleCommand cmd, String lbName) {
+        // Add deny all rule first
+        addAclRule(createNetrisACLRuleCommand(cmd, lbName, "ANY",
+                NetrisNetworkRule.NetrisRuleAction.DENY.name().toLowerCase(Locale.ROOT), 0), true);
+        AtomicInteger cidrIndex = new AtomicInteger(1);
+        for (String cidr : cmd.getCidrList().split(" ")) {
+            try {
+                addAclRule(createNetrisACLRuleCommand(cmd, lbName, cidr,
+                        NetrisNetworkRule.NetrisRuleAction.PERMIT.name().toLowerCase(Locale.ROOT),
+                        cidrIndex.getAndIncrement()), true);
+            } catch (Exception e) {
+                throw new CloudRuntimeException(String.format("Failed to add Netris ACL rule for LB CIDR %s", cidr), e);
+            }
+        }
+    }
+
+    private CreateNetrisACLCommand createNetrisACLRuleCommand(CreateOrUpdateNetrisLoadBalancerRuleCommand cmd, String netrisLbName, String cidr, String action, int index) {
+        Long zoneId = cmd.getZoneId();
+        Long accountId = cmd.getAccountId();
+        Long domainId = cmd.getDomainId();
+        String networkName = null;
+        Long networkId = null;
+        String vpcName = null;
+        Long vpcId = null;
+        boolean isVpc = cmd.isVpc();
+        if (isVpc) {
+            vpcId = cmd.getId();
+            vpcName = cmd.getName();
+        } else {
+            networkName = cmd.getName();
+            networkId = cmd.getId();
+        }
+        String destinationPrefix = cmd.getPublicIp() + "/32";
+        String srcPort = cmd.getPublicPort();
+        String dstPort = cmd.getPublicPort();
+        CreateNetrisACLCommand aclCommand = new CreateNetrisACLCommand(zoneId, accountId, domainId, networkName, networkId,
+                vpcName, vpcId, Objects.nonNull(vpcId), action, NetrisServiceImpl.getPrefix(cidr), NetrisServiceImpl.getPrefix(destinationPrefix),
+                Integer.parseInt(srcPort), Integer.parseInt(dstPort), cmd.getProtocol());
+        String aclName;
+        if (isVpc) {
+            aclName =  String.format("V%s-LBACL%s-%s", vpcId, index, cmd.getRuleName());
+        } else {
+            aclName = String.format("N%s-LBACL%s-%s", networkId, index, cmd.getRuleName());
+        }
+        String netrisAclName = NetrisResourceObjectUtils.retrieveNetrisResourceObjectName(cmd, NetrisResourceObjectUtils.NetrisObjectType.ACL, aclName);
+        aclCommand.setNetrisAclName(netrisAclName);
+        aclCommand.setReason(String.format("ACL Rule for CIDR %s of LB %s ", aclName, netrisLbName));
+        return aclCommand;
+    }
+
     private L4lbAddOrUpdateItem getL4LbRule(CreateOrUpdateNetrisLoadBalancerRuleCommand cmd, VPCListing vpcResource, String lbName,
                                             String publicIp, List<NetrisLbBackend> lbBackends, boolean updateRule) {
         L4lbAddOrUpdateItem l4lbAddItem = updateRule ? new L4LbEditItem() : new L4LbAddItem();
@@ -729,6 +798,7 @@ public boolean deleteLbRule(DeleteNetrisLoadBalancerRuleCommand cmd) {
             networkId = cmd.getId();
         }
         Long lbId = cmd.getLbId();
+        String cidrList = cmd.getCidrList();
         try {
             String suffix = getNetrisVpcNameSuffix(vpcId, vpcName, networkId, networkName, isVpc);
             String netrisVpcName = NetrisResourceObjectUtils.retrieveNetrisResourceObjectName(cmd, NetrisResourceObjectUtils.NetrisObjectType.VPC, suffix);
@@ -748,12 +818,56 @@ public boolean deleteLbRule(DeleteNetrisLoadBalancerRuleCommand cmd) {
 
             L4LoadBalancerApi lbApi = apiClient.getApiStubForMethod(L4LoadBalancerApi.class);
             lbApi.apiV2L4lbIdDelete(matchingLbId.get(0).intValue());
+            if (Objects.nonNull(cidrList)) {
+                deleteAclRulesForLb(cmd);
+            }
         } catch (ApiException e) {
             logAndThrowException("Failed to delete Netris load balancer rule", e);
         }
         return true;
     }
 
+    private void deleteAclRulesForLb(DeleteNetrisLoadBalancerRuleCommand cmd) {
+        // delete the deny rule
+        deleteAclRule(deleteNetrisACLCommand(cmd, 0), true);
+        AtomicInteger cidrIndex = new AtomicInteger(1);
+        for (String cidr : cmd.getCidrList().split(" ")) {
+            try {
+                deleteAclRule(deleteNetrisACLCommand(cmd, cidrIndex.getAndIncrement()), true);
+            } catch (Exception e) {
+                throw new CloudRuntimeException(String.format("Failed to delete Netris ACL rule for LB CIDR %s", cidr), e);
+            }
+        }
+    }
+
+    private DeleteNetrisACLCommand deleteNetrisACLCommand(DeleteNetrisLoadBalancerRuleCommand cmd, int index) {
+        Long zoneId = cmd.getZoneId();
+        Long accountId = cmd.getAccountId();
+        Long domainId = cmd.getDomainId();
+        String networkName = null;
+        Long networkId = null;
+        String vpcName = null;
+        Long vpcId = null;
+        boolean isVpc = cmd.isVpc();
+        if (isVpc) {
+            vpcId = cmd.getId();
+            vpcName = cmd.getName();
+        } else {
+            networkName = cmd.getName();
+            networkId = cmd.getId();
+        }
+        DeleteNetrisACLCommand deleteAclCommand = new DeleteNetrisACLCommand(zoneId, accountId, domainId, networkName, networkId, isVpc, vpcId, vpcName);
+        String aclName;
+        if (isVpc) {
+            aclName =  String.format("V%s-LBACL%s-%s", vpcId, index, cmd.getRuleName());
+        } else {
+            aclName = String.format("N%s-LBACL%s-%s", networkId, index, cmd.getRuleName());
+        }
+        String netrisAclName = NetrisResourceObjectUtils.retrieveNetrisResourceObjectName(cmd, NetrisResourceObjectUtils.NetrisObjectType.ACL, aclName);
+        deleteAclCommand.setAclRuleNames(Collections.singletonList(netrisAclName));
+        return deleteAclCommand;
+    }
+
     private Pair<Boolean, List<BigDecimal>> getMatchingLbRule(String lbName, String vpcName) {
         try {
             VPCListing vpcResource = getVpcByNameAndTenant(vpcName);

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/service/NetrisElement.java

@@ -764,6 +764,8 @@ public boolean applyLBRules(Network network, List<LoadBalancingRule> rules) thro
             NetrisNetworkRule networkRule = new NetrisNetworkRule.Builder()
                     .baseRule(baseNetworkRule)
                     .lbBackends(lbBackends)
+                    .lbCidrList(loadBalancingRule.getCidrList())
+                    .lbRuleName(loadBalancingRule.getName())
                     .build();
             if (Arrays.asList(FirewallRule.State.Add, FirewallRule.State.Active).contains(loadBalancingRule.getState())) {
                 result &= netrisService.createOrUpdateLbRule(networkRule);

plugins/network-elements/netris/src/main/java/org/apache/cloudstack/service/NetrisServiceImpl.java

@@ -405,7 +405,7 @@ public boolean addFirewallRules(Network network, List<NetrisNetworkRule> firewal
         return answer.getResult();
     }
 
-    private String getPrefix(String prefix) {
+    public static String getPrefix(String prefix) {
         if ("ANY".equals(prefix)) {
             return NetUtils.ALL_IP4_CIDRS;
         }
@@ -464,6 +464,10 @@ public boolean createOrUpdateLbRule(NetrisNetworkRule rule) {
                 baseRule.getDomainId(), baseRule.getNetworkResourceName(), baseRule.getNetworkResourceId(), baseRule.isVpcResource(),
                 rule.getLbBackends(), baseRule.getRuleId(), baseRule.getPublicIp(), baseRule.getPublicPort(),
                 baseRule.getPrivatePort(), baseRule.getAlgorithm(), baseRule.getProtocol());
+        if (Objects.nonNull(rule.getLbCidrList())) {
+            cmd.setCidrList(rule.getLbCidrList());
+        }
+        cmd.setRuleName(rule.getLbRuleName());
         NetrisAnswer answer = sendNetrisCommand(cmd, baseRule.getZoneId());
         return answer.getResult();
     }
@@ -474,6 +478,10 @@ public boolean deleteLbRule(NetrisNetworkRule rule) {
         DeleteNetrisLoadBalancerRuleCommand cmd = new DeleteNetrisLoadBalancerRuleCommand(baseRule.getZoneId(), baseRule.getAccountId(),
                 baseRule.getDomainId(), baseRule.getNetworkResourceName(), baseRule.getNetworkResourceId(), baseRule.isVpcResource(),
                 baseRule.getRuleId());
+        if (Objects.nonNull(rule.getLbCidrList())) {
+            cmd.setCidrList(rule.getLbCidrList());
+        }
+        cmd.setRuleName(rule.getLbRuleName());
         NetrisAnswer answer = sendNetrisCommand(cmd, baseRule.getZoneId());
         return answer.getResult();
     }