NSX: Fix custom ACL check (#2)

Pearl1594 · nvazquez · commit e645f724b59f · 2024-02-03T17:14:21.000-03:00
* NSX: Fix custom ACL check

* NSX: Fix custom ACL check
diff --git a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -20,6 +20,7 @@
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 
@@ -344,7 +345,7 @@ public NetworkACLItem createNetworkACLItem(CreateNetworkACLCmd createNetworkACLC
         if (isGlobalAcl(acl.getVpcId()) && !Account.Type.ADMIN.equals(caller.getType())) {
             throw new PermissionDeniedException("Only Root Admins can create rules for a global ACL.");
         }
-        validateNsxConstraints(acl.getVpcId(), icmpType);
+        validateNsxConstraints(acl.getVpcId(), protocol, icmpType, icmpCode, sourcePortStart, sourcePortEnd);
         validateAclRuleNumber(createNetworkACLCmd, acl);
 
         NetworkACLItem.Action ruleAction = validateAndCreateNetworkAclRuleAction(action);
@@ -435,18 +436,27 @@ protected void validateNetworkAcl(NetworkACL acl) {
         }
     }
 
-    private void validateNsxConstraints(Long vpcId, Integer icpmType) {
+    private void validateNsxConstraints(long vpcId, String protocol, Integer icmpType,
+                                        Integer icmpCode, Integer sourcePortStart, Integer sourcePortEnd) {
         VpcVO vpc = _vpcDao.findById(vpcId);
         final DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
         final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
         if (Objects.isNull(nsxProvider)) {
             return;
         }
-        if (icpmType == -1) {
+
+        if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icmpType == -1 || icmpCode == -1)) {
             String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
             s_logger.error(errorMsg);
             throw new InvalidParameterValueException(errorMsg);
         }
+
+        if (List.of(NetUtils.TCP_PROTO, NetUtils.UDP_PROTO).contains(protocol.toLowerCase(Locale.ROOT)) &&
+                (Objects.isNull(sourcePortStart) || Objects.isNull(sourcePortEnd))) {
+            String errorMsg = "Source start and end ports are required to be passed";
+            s_logger.error(errorMsg);
+            throw new InvalidParameterValueException(errorMsg);
+        }
     }
 
     /**
@@ -838,7 +848,8 @@ public NetworkACLItem updateNetworkACLItem(UpdateNetworkACLItemCmd updateNetwork
 
         NetworkACL acl = _networkAclMgr.getNetworkACL(networkACLItemVo.getAclId());
         validateNetworkAcl(acl);
-        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getIcmpType());
+        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getProtocol(), networkACLItemVo.getIcmpType(),
+                networkACLItemVo.getIcmpCode(), networkACLItemVo.getSourcePortStart(), networkACLItemVo.getSourcePortEnd());
         Account account = CallContext.current().getCallingAccount();
         validateGlobalAclPermissionAndAclAssociatedToVpc(acl, account, "Only Root Admins can update global ACLs.");
 
