summaryrefslogtreecommitdiffstats
path: root/acl/acl-impl/src/main/java/io/fd/hc2vpp/acl/write/AclValidator.java
diff options
context:
space:
mode:
Diffstat (limited to 'acl/acl-impl/src/main/java/io/fd/hc2vpp/acl/write/AclValidator.java')
-rw-r--r--acl/acl-impl/src/main/java/io/fd/hc2vpp/acl/write/AclValidator.java233
1 files changed, 233 insertions, 0 deletions
diff --git a/acl/acl-impl/src/main/java/io/fd/hc2vpp/acl/write/AclValidator.java b/acl/acl-impl/src/main/java/io/fd/hc2vpp/acl/write/AclValidator.java
new file mode 100644
index 000000000..b7aaebcff
--- /dev/null
+++ b/acl/acl-impl/src/main/java/io/fd/hc2vpp/acl/write/AclValidator.java
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.fd.hc2vpp.acl.write;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkState;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Optional;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSet;
+import io.fd.hc2vpp.acl.AclIIds;
+import io.fd.hc2vpp.acl.util.acl.AclDataExtractor;
+import io.fd.honeycomb.translate.write.DataValidationFailedException.CreateValidationFailedException;
+import io.fd.honeycomb.translate.write.DataValidationFailedException.DeleteValidationFailedException;
+import io.fd.honeycomb.translate.write.DataValidationFailedException.UpdateValidationFailedException;
+import io.fd.honeycomb.translate.write.Validator;
+import io.fd.honeycomb.translate.write.WriteContext;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Objects;
+import java.util.Set;
+import java.util.stream.Collectors;
+import javax.annotation.Nonnull;
+import org.opendaylight.yang.gen.v1.http.fd.io.hc2vpp.yang.vpp.acl.rev181022.VppAcl;
+import org.opendaylight.yang.gen.v1.http.fd.io.hc2vpp.yang.vpp.acl.rev181022.VppMacipAcl;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.AclBase;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.Acl;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.AttachmentPoints;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.Aces;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.Ace;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.Matches;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.L3;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.l2.Eth;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.l3.Ipv4;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.l3.Ipv6;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.attachment.points.Interface;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.attachment.points._interface.acl.AclSets;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.attachment.points._interface.acl.acl.sets.AclSet;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev181001.acl.ipv4.header.fields.source.network.SourceIpv4Network;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev181001.acl.ipv6.header.fields.source.network.SourceIpv6Network;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+
+public final class AclValidator implements Validator<Acl>, AclDataExtractor {
+
+ private static final Set<Class<? extends AclBase>> SUPPORTED_ACL_TYPES =
+ ImmutableSet.of(VppAcl.class, VppMacipAcl.class);
+
+ @Override
+ public void validateWrite(final InstanceIdentifier<Acl> id, final Acl dataAfter, final WriteContext ctx)
+ throws CreateValidationFailedException {
+ try {
+ validateAcl(dataAfter);
+ } catch (RuntimeException e) {
+ throw new CreateValidationFailedException(id, dataAfter, e);
+ }
+ }
+
+ @Override
+ public void validateUpdate(final InstanceIdentifier<Acl> id, final Acl dataBefore, final Acl dataAfter,
+ final WriteContext ctx) throws UpdateValidationFailedException {
+ try {
+ validateAcl(dataAfter);
+ } catch (RuntimeException e) {
+ throw new UpdateValidationFailedException(id, dataBefore, dataAfter, e);
+ }
+ }
+
+ @Override
+ public void validateDelete(final InstanceIdentifier<Acl> id, final Acl dataBefore, final WriteContext ctx)
+ throws DeleteValidationFailedException {
+ try {
+ validateAcl(dataBefore);
+ final List<String> references = checkAclReferenced(ctx, dataBefore);
+ // references must be check, to not leave dead references in configuration
+ checkState(references.isEmpty(),
+ "%s cannot be removed, it is referenced in following interfaces %s", dataBefore, references);
+ } catch (RuntimeException e) {
+ throw new DeleteValidationFailedException(id, e);
+ }
+ }
+
+ private static void validateAcl(@Nonnull final Acl acl) {
+ hasAceList(acl);
+ isSupportedAclType(acl);
+ hasConsistentAceTypeForAclType(acl);
+ }
+
+ private static void hasAceList(final Acl acl) {
+ final Aces accessListEntries = acl.getAces();
+ checkArgument(accessListEntries != null, "The access-list-entries container is not defined.");
+ final List<Ace> ace = accessListEntries.getAce();
+ checkArgument(ace != null, "The ace list is not defined.");
+ checkArgument(!ace.isEmpty(), "The ace list is empty.");
+ }
+
+ private static void isSupportedAclType(final Acl acl) {
+ checkArgument(SUPPORTED_ACL_TYPES.contains(acl.getType()),
+ "Unsupported Acl type %s detected for acl %s, allowed types are %s", acl.getType(),
+ acl.getName(), SUPPORTED_ACL_TYPES);
+ }
+
+ private static void hasConsistentAceTypeForAclType(final Acl acl) {
+ Class<? extends AclBase> type = acl.getType();
+ Preconditions.checkNotNull(type, "Cannot resolve Acl type for validation of Acl: {}", acl);
+ Preconditions.checkNotNull(acl.getAces(), "ACEs are missing for validation of Acl: {}", acl);
+ Preconditions.checkNotNull(acl.getAces().getAce(), "List of ACEs is null for validation of Acl: {}", acl);
+ if (type.equals(VppAcl.class)) {
+ Set<Ace> unsupportedVppAcls =
+ acl.getAces().getAce().stream().filter(ace -> !isVppAce(ace)).collect(Collectors.toSet());
+ checkArgument(unsupportedVppAcls.isEmpty(), "Detected unsupported ace types [%s] for ACL %s",
+ unsupportedVppAcls, acl.getName());
+ }
+
+ if (type.equals(VppMacipAcl.class)) {
+ Set<Ace> unsupportedVppMacipAclAcls =
+ acl.getAces().getAce().stream().filter(ace -> !isVppMacipAclAce(ace)).collect(Collectors.toSet());
+ checkArgument(unsupportedVppMacipAclAcls.isEmpty(), "Detected unsupported ace types [%s] for ACL %s",
+ unsupportedVppMacipAclAcls, acl.getName());
+ }
+ }
+
+ private static boolean isVppMacipAclAce(final Ace ace) {
+ Matches matches = Preconditions
+ .checkNotNull(ace.getMatches(), "Cannot validate VppMacipAcl type for Ace: {}, matches are not defined",
+ ace);
+ if (matches.getL2() == null || !(matches.getL2() instanceof Eth)) {
+ return false;
+ }
+
+ org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.l2.eth.Eth
+ eth = ((Eth) matches.getL2()).getEth();
+ if (eth == null) {
+ return false;
+ }
+
+ return true;
+ }
+
+ private static boolean isVppAce(final Ace ace) {
+ Matches matches = Preconditions
+ .checkNotNull(ace.getMatches(), "Cannot validate VppMacipAcl type for Ace: {}, matches are not defined",
+ ace);
+ L3 l3 = matches.getL3();
+ if (l3 == null || (!(l3 instanceof Ipv4)) && (!(l3 instanceof Ipv6))) {
+ return false;
+ }
+
+ if (l3 instanceof Ipv4) {
+ org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.l3.ipv4.Ipv4
+ ipv4 = ((Ipv4) l3).getIpv4();
+ if (ipv4 == null || ipv4.getSourceNetwork() == null ||
+ !(ipv4.getSourceNetwork() instanceof SourceIpv4Network)) {
+ return false;
+ }
+ }
+
+ if (l3 instanceof Ipv6) {
+ org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev181001.acls.acl.aces.ace.matches.l3.ipv6.Ipv6
+ ipv6 = ((Ipv6) l3).getIpv6();
+ if (ipv6 == null || ipv6.getSourceNetwork() == null ||
+ !(ipv6.getSourceNetwork() instanceof SourceIpv6Network)) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ @VisibleForTesting
+ static List<String> checkAclReferenced(@Nonnull final WriteContext writeContext, @Nonnull final Acl acl) {
+ Preconditions.checkNotNull(acl.getType(), "Cannot validate acl: {}, type is not set.", acl);
+ if (!acl.getType().equals(VppAcl.class) && !acl.getType().equals(VppMacipAcl.class)) {
+ throw new IllegalArgumentException(String.format("Acl type %s not supported", acl.getType()));
+ }
+
+ Optional<AttachmentPoints> attachmentPointsOpt = writeContext.readAfter(AclIIds.ACLS_AP);
+ if (!attachmentPointsOpt.isPresent() || attachmentPointsOpt.get().getInterface() == null) {
+ return Collections.emptyList();
+ }
+
+ final List<Interface> interfaces = attachmentPointsOpt.get().getInterface();
+ if (interfaces == null) {
+ return Collections.emptyList();
+ }
+ final String aclName = acl.getName();
+
+ HashMap<String, AclSets> sets = getIngressAclSets(interfaces);
+ sets.putAll(getEgressAclSets(interfaces));
+ List<String> referencedIfcs = new ArrayList<>();
+ sets.forEach((ifc, aclSets) -> {
+ if (aclSets.getAclSet() != null) {
+ if (aclSets.getAclSet().stream()
+ .map(AclSet::getName)
+ .filter(Objects::nonNull)
+ .anyMatch(name -> name.equalsIgnoreCase(aclName))) {
+ referencedIfcs.add(ifc);
+ }
+ }
+ });
+ return referencedIfcs.stream().distinct().collect(Collectors.toList());
+ }
+
+ private static HashMap<String, AclSets> getEgressAclSets(final List<Interface> interfaces) {
+ HashMap<String, AclSets> map = new HashMap<>();
+ interfaces.stream().filter(anInterface -> anInterface.getEgress() != null)
+ .forEach(anInterface -> map.put(anInterface.getInterfaceId(), anInterface.getEgress().getAclSets()));
+ return map;
+ }
+
+ private static HashMap<String, AclSets> getIngressAclSets(final List<Interface> interfaces) {
+ HashMap<String, AclSets> map = new HashMap<>();
+ interfaces.stream().filter(anInterface -> anInterface.getIngress() != null)
+ .forEach(anInterface -> map.put(anInterface.getInterfaceId(), anInterface.getIngress().getAclSets()));
+ return map;
+ }
+}