/**
 * Moves a network ACL rule to the bottom of the list.
 * <p>
 * The rule's new 'number' is the 'number' of the last element of {@code allAclRules} plus one.
 * That value is set on {@code ruleBeingMoved}, persisted through
 * {@link NetworkACLItemDao#updateNumberFieldNetworkItem(long, int)}, and the rule is then re-read
 * from the database and returned.
 *
 * @param ruleBeingMoved the rule whose 'number' field is reassigned (mutated in place as well)
 * @param allAclRules    the rules of the ACL; the last element supplies the base 'number'. The list
 *                       must contain at least one element, otherwise the lookup of the last element fails.
 * @return the moved rule as re-read from the database after the update
 */
protected NetworkACLItem moveRuleToTheBottom(NetworkACLItemVO ruleBeingMoved, List<NetworkACLItemVO> allAclRules) {
    final int lastIndex = allAclRules.size() - 1;
    final NetworkACLItemVO currentLastRule = allAclRules.get(lastIndex);
    final int bottomNumber = currentLastRule.getNumber() + 1;

    ruleBeingMoved.setNumber(bottomNumber);
    _networkACLItemDao.updateNumberFieldNetworkItem(ruleBeingMoved.getId(), bottomNumber);

    // Return the database view of the rule rather than the in-memory object we mutated.
    return _networkACLItemDao.findById(ruleBeingMoved.getId());
}
/**
 * Updates the ACL item row and then rewrites its source CIDR rows.
 * <p>
 * The CIDR list is written through {@code _networkACLItemCidrsDao.updateCidrs} regardless of
 * whether the row update reported success; only the row update's result is returned.
 *
 * @param id   id of the row to update
 * @param item the item whose columns and source CIDR list are written
 * @return the result of the row update from the superclass
 */
@Override
public boolean update(Long id, NetworkACLItemVO item) {
    final boolean rowUpdated = super.update(id, item);
    // CIDRs live in their own table and are keyed by the item's own id, not by the 'id' parameter.
    _networkACLItemCidrsDao.updateCidrs(item.getId(), item.getSourceCidrList());
    return rowUpdated;
}
/**
 * Updates and applies a network ACL rule.
 * <p>
 * The rule's state is set to {@link com.cloud.network.vpc.NetworkACLItem.State#Add} before it is
 * written with {@link NetworkACLItemDao#update(Long, NetworkACLItemVO)}. If the write reports
 * failure, or if {@link #applyNetworkACL(long)} on the rule's ACL reports failure, a
 * {@link CloudRuntimeException} is thrown.
 *
 * @param networkACLItemVO the rule to update; it is mutated (state set to Add) before being persisted
 * @return the same {@code networkACLItemVO} instance once both the write and the apply succeeded
 * @throws ResourceUnavailableException propagated from {@link #applyNetworkACL(long)}
 * @throws CloudRuntimeException if the database update fails or the ACL cannot be applied
 */
@Override
public NetworkACLItem updateNetworkACLItem(NetworkACLItemVO networkACLItemVO) throws ResourceUnavailableException {
    networkACLItemVO.setState(State.Add);

    final boolean persisted = _networkACLItemDao.update(networkACLItemVO.getId(), networkACLItemVO);
    if (!persisted) {
        throw new CloudRuntimeException(String.format("Network ACL rule [id=%s] acl rule list [id=%s] could not be updated.", networkACLItemVO.getUuid(), networkACLItemVO.getAclId()));
    }

    // Only a rule that is already in the database is pushed out to the devices.
    final boolean applied = applyNetworkACL(networkACLItemVO.getAclId());
    if (!applied) {
        throw new CloudRuntimeException("Failed to apply Network ACL rule: " + networkACLItemVO.getUuid());
    }
    return networkACLItemVO;
}
/**
 * Populates {@code item}'s source CIDR list from the CIDR table, looked up by the item's id.
 *
 * @param item the ACL item to fill in; mutated in place
 */
@Override
public void loadCidrs(NetworkACLItemVO item) {
    item.setSourceCidrList(_networkACLItemCidrsDao.getCidrs(item.getId()));
}
List<NetworkACLItemVO> aclItemVos = _networkACLItemDao.listByACL(networkAclId); for (NetworkACLItemVO aclItem : aclItemVos) { String[] sourceCidrs = aclItem.getSourceCidrList().toArray(new String[aclItem.getSourceCidrList().size()]); aclItem.getNumber(), aclItem.getUuid(), aclItem.getAction().name(), aclItem.getTrafficType().name(), ((aclItem.getSourcePortStart() != null) ?aclItem.getSourcePortStart().toString() :null), ((aclItem.getSourcePortEnd() != null) ?aclItem.getSourcePortEnd().toString() :null), aclItem.getProtocol(), sourceCidrs));
/**
 * Builds the reusable search builders of this DAO.
 * <p>
 * Every builder is configured once here and closed with {@code done()}. The four builders are
 * independent of each other, so the order in which they are set up does not matter.
 */
protected NetworkACLItemDaoImpl() {
    // Aggregate MAX over 'number', filtered by ACL id; the result type is Integer.
    MaxNumberSearch = createSearchBuilder(Integer.class);
    MaxNumberSearch.select(null, SearchCriteria.Func.MAX, MaxNumberSearch.entity().getNumber());
    MaxNumberSearch.and("aclId", MaxNumberSearch.entity().getAclId(), Op.EQ);
    MaxNumberSearch.done();

    // Protocol equality plus membership of the source start port in a set ('ports' is an IN condition).
    ReleaseSearch = createSearchBuilder();
    ReleaseSearch.and("protocol", ReleaseSearch.entity().getProtocol(), Op.EQ);
    ReleaseSearch.and("ports", ReleaseSearch.entity().getSourcePortStart(), Op.IN);
    ReleaseSearch.done();

    // 'state' is a NOT-EQUAL condition here; every other column is matched by equality.
    NotRevokedSearch = createSearchBuilder();
    NotRevokedSearch.and("state", NotRevokedSearch.entity().getState(), Op.NEQ);
    NotRevokedSearch.and("protocol", NotRevokedSearch.entity().getProtocol(), Op.EQ);
    NotRevokedSearch.and("sourcePortStart", NotRevokedSearch.entity().getSourcePortStart(), Op.EQ);
    NotRevokedSearch.and("sourcePortEnd", NotRevokedSearch.entity().getSourcePortEnd(), Op.EQ);
    NotRevokedSearch.and("aclId", NotRevokedSearch.entity().getAclId(), Op.EQ);
    NotRevokedSearch.and("trafficType", NotRevokedSearch.entity().getTrafficType(), Op.EQ);
    NotRevokedSearch.done();

    // Equality conditions on each commonly filtered column.
    AllFieldsSearch = createSearchBuilder();
    AllFieldsSearch.and("protocol", AllFieldsSearch.entity().getProtocol(), Op.EQ);
    AllFieldsSearch.and("state", AllFieldsSearch.entity().getState(), Op.EQ);
    AllFieldsSearch.and("id", AllFieldsSearch.entity().getId(), Op.EQ);
    AllFieldsSearch.and("aclId", AllFieldsSearch.entity().getAclId(), Op.EQ);
    AllFieldsSearch.and("trafficType", AllFieldsSearch.entity().getTrafficType(), Op.EQ);
    AllFieldsSearch.and("number", AllFieldsSearch.entity().getNumber(), Op.EQ);
    AllFieldsSearch.and("action", AllFieldsSearch.entity().getAction(), Op.EQ);
    AllFieldsSearch.done();
}
if (number != null) { NetworkACLItemVO aclNumber = _networkACLItemDao.findByAclAndNumber(acl.getId(), number); if (aclNumber != null && aclNumber.getId() != networkACLItemVo.getId()) { throw new InvalidParameterValueException("ACL item with number " + number + " already exists in ACL: " + acl.getUuid()); networkACLItemVo.setNumber(number); networkACLItemVo.setSourcePortStart(sourcePortStart); networkACLItemVo.setSourcePortEnd(sourcePortEnd); networkACLItemVo.setSourceCidrList(sourceCidrList); networkACLItemVo.setProtocol(protocol); networkACLItemVo.setIcmpCode(icmpCode); networkACLItemVo.setIcmpType(icmpType); networkACLItemVo.setAction(aclRuleAction); networkACLItemVo.setTrafficType(trafficType); networkACLItemVo.setUuid(customId); if (!isPartialUpgrade || display != networkACLItemVo.isDisplay()) { networkACLItemVo.setDisplay(display); networkACLItemVo.setReason(reason);
final SearchBuilder<NetworkACLItemVO> sb = _networkACLItemDao.createSearchBuilder(); sb.and("id", sb.entity().getId(), Op.EQ); sb.and("aclId", sb.entity().getAclId(), Op.EQ); sb.and("trafficType", sb.entity().getTrafficType(), Op.EQ); sb.and("protocol", sb.entity().getProtocol(), Op.EQ); sb.and("action", sb.entity().getAction(), Op.EQ); sb.groupBy(sb.entity().getId()); sb.join("tagSearch", tagSearch, sb.entity().getId(), tagSearch.entity().getResourceId(), JoinBuilder.JoinType.INNER); sb.join("vpcSearch", vpcSearch, sb.entity().getAclId(), vpcSearch.entity().getId(), JoinBuilder.JoinType.INNER);
String protocol = networkACLItemVO.getProtocol(); if (StringUtils.isBlank(protocol)) { return; Integer icmpCode = networkACLItemVO.getIcmpCode(); Integer icmpType = networkACLItemVO.getIcmpType(); Integer sourcePortStart = networkACLItemVO.getSourcePortStart(); Integer sourcePortEnd = networkACLItemVO.getSourcePortEnd(); if (isIcmpProtocol && (sourcePortStart != null || sourcePortEnd != null)) { throw new InvalidParameterValueException("Can't specify start/end port when protocol is ICMP");
Integer sourcePortStart = networkACLItemVO.getSourcePortStart(); Integer sourcePortEnd = networkACLItemVO.getSourcePortEnd(); if (sourcePortStart == null && sourcePortEnd == null) { return; throw new InvalidParameterValueException(String.format("Start port can't be bigger than end port [startport=%d,endport=%d]", sourcePortStart, sourcePortEnd)); String protocol = networkACLItemVO.getProtocol(); if ("all".equalsIgnoreCase(protocol)) { throw new InvalidParameterValueException("start port and end port must be null if protocol = 'all'");
/**
 * Revokes a single rule according to its current state.
 * <ul>
 *   <li>{@code Staged}: the row is removed outright (see the debug message).</li>
 *   <li>{@code Add} or {@code Active}: the state is switched to {@code Revoke} and the row is updated.
 *       Pushing that change to the devices is left to the caller (for example by applying the ACL).</li>
 *   <li>Any other state: nothing is done.</li>
 * </ul>
 *
 * @param rule the rule to revoke; must not be {@code null}
 */
@DB
private void revokeRule(final NetworkACLItemVO rule) {
    final State currentState = rule.getState();

    if (currentState == State.Staged) {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Found a rule that is still in stage state so just removing it: " + rule);
        }
        _networkACLItemDao.remove(rule.getId());
        return;
    }

    final boolean revocable = currentState == State.Add || currentState == State.Active;
    if (revocable) {
        rule.setState(State.Revoke);
        _networkACLItemDao.update(rule.getId(), rule);
    }
}
/**
 * Revokes all ACL items of the ACL attached to a private gateway.
 * <p>
 * Items in state {@code Add} or {@code Active} are switched to {@code Revoke} in memory only (no
 * database update happens here) and the whole list is handed to {@code applyACLToPrivateGw}.
 *
 * @param gateway the private gateway whose ACL items are revoked
 * @return {@code true} when the ACL has no items, otherwise the result of applying the revoked list
 * @throws ResourceUnavailableException propagated from applying the ACL to the gateway
 */
@Override
public boolean revokeACLItemsForPrivateGw(final PrivateGateway gateway) throws ResourceUnavailableException {
    final long aclId = gateway.getNetworkACLId();
    final List<NetworkACLItemVO> items = _networkACLItemDao.listByACL(aclId);

    if (items.isEmpty()) {
        s_logger.debug("Found no network ACL Items for private gateway 'id=" + gateway.getId() + "'");
        return true;
    }
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + items.size() + " Network ACL Items for private gateway id=" + gateway.getId());
    }

    // Flag the applicable rules as Revoke in memory; the database rows are left untouched.
    for (final NetworkACLItemVO item : items) {
        final State state = item.getState();
        final boolean revocable = state == State.Add || state == State.Active;
        if (revocable) {
            item.setState(State.Revoke);
        }
    }

    final boolean applied = applyACLToPrivateGw(gateway, items);
    if (applied && s_logger.isDebugEnabled()) {
        s_logger.debug("Successfully released Network ACLs for private gateway id=" + gateway.getId() + " and # of rules now = " + items.size());
    }
    return applied;
}
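/**
 * Revokes a single network ACL rule and re-applies its ACL.
 * <p>
 * The rule is first moved to its revoked/removed state through {@link #revokeRule(NetworkACLItemVO)}
 * and then {@link #applyNetworkACL(long)} is invoked for the rule's ACL.
 *
 * @param ruleId id of the rule to revoke
 * @return {@code false} when no rule with {@code ruleId} exists, when applying the ACL reports
 *         failure, or when it raises a {@link ResourceUnavailableException}; {@code true} otherwise
 */
@Override
public boolean revokeNetworkACLItem(final long ruleId) {
    final NetworkACLItemVO rule = _networkACLItemDao.findById(ruleId);
    if (rule == null) {
        // Without this guard the lookup miss surfaced as a NullPointerException inside revokeRule.
        s_logger.warn("Unable to find network ACL item with id=" + ruleId + ", nothing to revoke");
        return false;
    }

    revokeRule(rule);

    try {
        // The apply result was previously discarded; a failed apply now reports as a failed revoke.
        return applyNetworkACL(rule.getAclId());
    } catch (final ResourceUnavailableException e) {
        // Kept best-effort for callers (they only see false), but record the cause instead of dropping it.
        s_logger.warn("Failed to apply network ACL id=" + rule.getAclId() + " after revoking rule id=" + ruleId, e);
        return false;
    }
}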
/**
 * Validates every CIDR in {@link NetworkACLItemVO#getSourceCidrList()}.
 * <p>
 * An empty or {@code null} list passes without any check. Each entry must satisfy
 * {@link NetUtils#isValidIp4Cidr(String)}, so only IPv4 CIDR notation is accepted by this method.
 *
 * @param networkACLItemVO the rule whose source CIDRs are checked
 * @throws ServerApiException with {@link ApiErrorCode#PARAM_ERROR} naming the first malformed CIDR
 */
protected void validateSourceCidrList(NetworkACLItemVO networkACLItemVO) {
    final List<String> cidrs = networkACLItemVO.getSourceCidrList();
    if (CollectionUtils.isEmpty(cidrs)) {
        return;
    }
    for (final String cidr : cidrs) {
        if (NetUtils.isValidIp4Cidr(cidr)) {
            continue;
        }
        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Source cidrs formatting error " + cidr);
    }
}
/**
 * Persists the given CIDR list for an ACL item.
 * <p>
 * A {@code null} list is a no-op; an empty (non-null) list is still handed to the CIDR DAO.
 *
 * @param networkACLItem the item the CIDRs belong to (only its id is used)
 * @param cidrList       the CIDRs to store, or {@code null} to store nothing
 */
public void saveCidrs(NetworkACLItemVO networkACLItem, List<String> cidrList) {
    if (cidrList != null) {
        _networkACLItemCidrsDao.persist(networkACLItem.getId(), cidrList);
    }
}
/**
 * Revokes all ACL items of the ACL attached to a network.
 * <p>
 * A network without an ACL has nothing to revoke and yields {@code true}. Otherwise items in state
 * {@code Add} or {@code Active} are switched to {@code Revoke} in memory only (no database update
 * happens here) and the whole list is handed to {@code applyACLItemsToNetwork}.
 * NOTE(review): the network looked up by id is dereferenced without a null check — confirm callers
 * only pass ids of existing networks.
 *
 * @param networkId id of the network whose ACL items are revoked
 * @return {@code true} when there is no ACL or no items, otherwise the result of applying the revoked list
 * @throws ResourceUnavailableException propagated from applying the ACL to the network
 */
@Override
public boolean revokeACLItemsForNetwork(final long networkId) throws ResourceUnavailableException {
    final Network network = _networkDao.findById(networkId);
    if (network.getNetworkACLId() == null) {
        return true;
    }

    final List<NetworkACLItemVO> items = _networkACLItemDao.listByACL(network.getNetworkACLId());
    if (items.isEmpty()) {
        s_logger.debug("Found no network ACL Items for network id=" + networkId);
        return true;
    }
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Releasing " + items.size() + " Network ACL Items for network id=" + networkId);
    }

    // Flag the applicable rules as Revoke in memory; the database rows are left untouched.
    for (final NetworkACLItemVO item : items) {
        final State state = item.getState();
        final boolean revocable = state == State.Add || state == State.Active;
        if (revocable) {
            item.setState(State.Revoke);
        }
    }

    final boolean applied = applyACLItemsToNetwork(network.getId(), items);
    if (applied && s_logger.isDebugEnabled()) {
        s_logger.debug("Successfully released Network ACLs for network id=" + networkId + " and # of rules now = " + items.size());
    }
    return applied;
}
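/**
 * API entry point for deleting a network ACL item.
 * <p>
 * Order of the checks: the item is looked up and an unknown id is rejected; items belonging to the
 * default ACLs ({@link NetworkACL#DEFAULT_ALLOW}, {@link NetworkACL#DEFAULT_DENY}) are refused; the
 * caller's access to the owning VPC is verified; only then is the manager asked to revoke the item.
 *
 * @param ruleId id of the ACL item to delete
 * @return the manager's result for {@code revokeNetworkACLItem}
 * @throws InvalidParameterValueException if no item with {@code ruleId} exists or the item belongs to a default ACL
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_NETWORK_ACL_ITEM_DELETE, eventDescription = "Deleting Network ACL Item", async = true)
public boolean revokeNetworkACLItem(final long ruleId) {
    final NetworkACLItemVO aclItem = _networkACLItemDao.findById(ruleId);
    if (aclItem == null) {
        // Reject unknown ids here: handing them to the manager would bypass the access check below
        // while leaving the manager with no item to work on.
        throw new InvalidParameterValueException("Unable to find network ACL item with id: " + ruleId);
    }

    // Decide on the default-ACL case before touching the ACL/VPC objects, so the answer does not
    // depend on what those lookups return for the default ACLs.
    if (aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW || aclItem.getAclId() == NetworkACL.DEFAULT_DENY) {
        throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted");
    }

    final NetworkACL acl = _networkAclMgr.getNetworkACL(aclItem.getAclId());
    // NOTE(review): getNetworkACL is assumed to return a non-null ACL for a persisted, non-default item — confirm.
    final Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId());

    // The caller must be allowed to operate on the VPC that owns this ACL.
    final Account caller = CallContext.current().getCallingAccount();
    _accountMgr.checkAccess(caller, null, true, vpc);

    return _networkAclMgr.revokeNetworkACLItem(ruleId);
}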
/**
 * Persists a new ACL item together with its source CIDRs inside one legacy transaction.
 * <p>
 * The row is written through {@code super.persist}; the CIDRs taken from the input object are then
 * saved against the item's id, and finally loaded back onto the persisted object before commit.
 * NOTE(review): there is no explicit rollback path here; releasing the transaction on failure is
 * left to the surrounding {@code @DB} handling — confirm that is the case.
 *
 * @param networkAclItem the item to persist; its source CIDR list is stored alongside it
 * @return the persisted item with its source CIDR list populated
 */
@Override
@DB
public NetworkACLItemVO persist(NetworkACLItemVO networkAclItem) {
    final TransactionLegacy txn = TransactionLegacy.currentTxn();
    txn.start();

    final NetworkACLItemVO persisted = super.persist(networkAclItem);
    // saveCidrs reads the id from the input object (not from 'persisted'); loadCidrs fills the persisted copy.
    saveCidrs(networkAclItem, networkAclItem.getSourceCidrList());
    loadCidrs(persisted);

    txn.commit();
    return persisted;
}