1 package org.opendaylight.groupbasedpolicy.neutron.mapper.mapping.rule;
\r
3 import static com.google.common.base.Preconditions.checkNotNull;
\r
5 import java.util.ArrayList;
\r
6 import java.util.List;
\r
8 import javax.annotation.Nullable;
\r
10 import org.opendaylight.groupbasedpolicy.neutron.mapper.util.NeutronUtils;
\r
11 import org.opendaylight.groupbasedpolicy.neutron.mapper.util.Utils;
\r
12 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.EtherTypeClassifier;
\r
13 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.IpProtoClassifier;
\r
14 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.L4Classifier;
\r
15 import org.opendaylight.neutron.spi.NeutronSecurityRule;
\r
16 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefix;
\r
17 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ClassifierName;
\r
18 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ContractId;
\r
19 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.EndpointGroupId;
\r
20 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ParameterName;
\r
21 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.SubjectName;
\r
22 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
\r
23 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.HasDirection.Direction;
\r
24 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRef;
\r
25 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRef.ConnectionTracking;
\r
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRefBuilder;
\r
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.EndpointIdentificationConstraints;
\r
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.EndpointIdentificationConstraintsBuilder;
\r
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.endpoint.identification.constraints.L3EndpointIdentificationConstraintsBuilder;
\r
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.endpoint.identification.constraints.l3.endpoint.identification.constraints.PrefixConstraint;
\r
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.endpoint.identification.constraints.l3.endpoint.identification.constraints.PrefixConstraintBuilder;
\r
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.ParameterValue;
\r
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.ParameterValueBuilder;
\r
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.parameter.value.RangeValueBuilder;
\r
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.contract.Clause;
\r
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.contract.ClauseBuilder;
\r
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.contract.clause.ConsumerMatchers;
\r
38 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.contract.clause.ConsumerMatchersBuilder;
\r
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.subject.feature.instances.ClassifierInstance;
\r
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.subject.feature.instances.ClassifierInstanceBuilder;
\r
42 import com.google.common.base.Strings;
\r
43 import com.google.common.collect.ImmutableList;
\r
45 public class SecRuleEntityDecoder {
\r
47 private SecRuleEntityDecoder() {
\r
48 throw new UnsupportedOperationException("Cannot create an instace.");
\r
51 public static TenantId getTenantId(NeutronSecurityRule secRule) {
\r
52 return new TenantId(Utils.normalizeUuid(secRule.getSecurityRuleTenantID()));
\r
55 public static EndpointGroupId getProviderEpgId(NeutronSecurityRule secRule) {
\r
56 return new EndpointGroupId(Utils.normalizeUuid(secRule.getSecurityRuleGroupID()));
\r
60 * @return {@code null} if {@link NeutronSecurityRule#getSecurityRemoteGroupID()} is null
\r
62 public static @Nullable EndpointGroupId getConsumerEpgId(NeutronSecurityRule secRule) {
\r
63 if (Strings.isNullOrEmpty(secRule.getSecurityRemoteGroupID())) {
\r
66 return new EndpointGroupId(Utils.normalizeUuid(secRule.getSecurityRemoteGroupID()));
\r
69 public static ContractId getContractId(NeutronSecurityRule secRule) {
\r
70 return new ContractId(Utils.normalizeUuid(secRule.getSecurityRuleUUID()));
\r
73 public static ClassifierInstance getClassifierInstance(NeutronSecurityRule secRule) {
\r
74 ClassifierInstanceBuilder classifierBuilder = new ClassifierInstanceBuilder();
\r
75 List<ParameterValue> params = new ArrayList<>();
\r
76 Integer portMin = secRule.getSecurityRulePortMin();
\r
77 Integer portMax = secRule.getSecurityRulePortMax();
\r
78 if (portMin != null && portMax != null) {
\r
79 classifierBuilder.setClassifierDefinitionId(L4Classifier.DEFINITION.getId());
\r
80 if (portMin.equals(portMax)) {
\r
81 params.add(new ParameterValueBuilder().setName(new ParameterName(L4Classifier.DST_PORT_PARAM))
\r
82 .setIntValue(portMin.longValue())
\r
85 params.add(new ParameterValueBuilder().setName(new ParameterName(L4Classifier.DST_PORT_RANGE_PARAM))
\r
87 new RangeValueBuilder().setMin(portMin.longValue()).setMax(portMax.longValue()).build())
\r
91 Long protocol = getProtocol(secRule);
\r
92 if (protocol != null) {
\r
93 if (classifierBuilder.getClassifierDefinitionId() == null) {
\r
94 classifierBuilder.setClassifierDefinitionId(IpProtoClassifier.DEFINITION.getId());
\r
96 params.add(new ParameterValueBuilder().setName(new ParameterName(IpProtoClassifier.PROTO_PARAM))
\r
97 .setIntValue(protocol)
\r
100 Long ethertype = getEtherType(secRule);
\r
101 if (ethertype != null) {
\r
102 if (classifierBuilder.getClassifierDefinitionId() == null) {
\r
103 classifierBuilder.setClassifierDefinitionId(EtherTypeClassifier.DEFINITION.getId());
\r
105 params.add(new ParameterValueBuilder().setName(new ParameterName(EtherTypeClassifier.ETHERTYPE_PARAM))
\r
106 .setIntValue(ethertype)
\r
109 ClassifierName classifierName = SecRuleNameDecoder.getClassifierInstanceName(secRule);
\r
110 return classifierBuilder.setParameterValue(params).setName(new ClassifierName(classifierName)).build();
\r
113 public static ClassifierRef getClassifierRef(NeutronSecurityRule secRule) {
\r
114 checkNotNull(secRule);
\r
115 ClassifierName classifierInstanceName = SecRuleNameDecoder.getClassifierInstanceName(secRule);
\r
116 ClassifierRefBuilder classifierRefBuilder = new ClassifierRefBuilder()
\r
117 .setConnectionTracking(ConnectionTracking.Reflexive).setInstanceName(classifierInstanceName);
\r
118 Direction direction = getDirection(secRule);
\r
119 classifierRefBuilder.setDirection(direction);
\r
120 ClassifierName classifierRefName = SecRuleNameDecoder.getClassifierRefName(secRule);
\r
121 return classifierRefBuilder.setName(classifierRefName).build();
\r
126 * @return direction resolved from {@link NeutronSecurityRule#getSecurityRuleDirection()}
\r
127 * @throws IllegalArgumentException if return value of
\r
128 * {@link NeutronSecurityRule#getSecurityRuleDirection()} is other than "ingress" or
\r
131 public static Direction getDirection(NeutronSecurityRule secRule) {
\r
132 String direction = secRule.getSecurityRuleDirection();
\r
133 if (NeutronUtils.INGRESS.equals(direction)) {
\r
134 return Direction.In;
\r
136 if (NeutronUtils.EGRESS.equals(direction)) {
\r
137 return Direction.Out;
\r
139 throw new IllegalArgumentException("Direction " + direction + " from security group rule "
\r
140 + secRule.getSecurityRuleUUID() + " is not supported. Direction can be only 'ingress' or 'egress'.");
\r
144 * @param secRule {@link NeutronSecurityRule#getSecurityRuleRemoteIpPrefix()} is used for EIC
\r
145 * and subject selection
\r
146 * @return clause with the subject and with a consumer matcher containing EIC
\r
148 public static Clause getClause(NeutronSecurityRule secRule) {
\r
149 checkNotNull(secRule);
\r
150 SubjectName subjectName = SecRuleNameDecoder.getSubjectName(secRule);
\r
151 ClauseBuilder clauseBuilder =
\r
152 new ClauseBuilder().setSubjectRefs(ImmutableList.of(subjectName)).setName(SecRuleNameDecoder.getClauseName(secRule));
\r
153 String remoteIpPrefix = secRule.getSecurityRuleRemoteIpPrefix();
\r
154 if (!Strings.isNullOrEmpty(remoteIpPrefix)) {
\r
155 clauseBuilder.setConsumerMatchers(createConsumerMatchersWithEic(remoteIpPrefix));
\r
157 return clauseBuilder.build();
\r
160 private static ConsumerMatchers createConsumerMatchersWithEic(String remoteIpPrefix) {
\r
161 IpPrefix ipPrefix = Utils.createIpPrefix(remoteIpPrefix);
\r
162 PrefixConstraint consumerPrefixConstraint = new PrefixConstraintBuilder().setIpPrefix(ipPrefix).build();
\r
163 EndpointIdentificationConstraints eic =
\r
164 new EndpointIdentificationConstraintsBuilder()
\r
165 .setL3EndpointIdentificationConstraints(new L3EndpointIdentificationConstraintsBuilder()
\r
166 .setPrefixConstraint(ImmutableList.<PrefixConstraint>of(consumerPrefixConstraint)).build())
\r
168 return new ConsumerMatchersBuilder().setEndpointIdentificationConstraints(eic).build();
\r
171 public static boolean isEtherTypeOfOneWithinTwo(NeutronSecurityRule one, NeutronSecurityRule two) {
\r
172 Long oneEtherType = getEtherType(one);
\r
173 Long twoEtherType = getEtherType(two);
\r
174 return twoIsNullOrEqualsOne(oneEtherType, twoEtherType);
\r
177 public static boolean isProtocolOfOneWithinTwo(NeutronSecurityRule one, NeutronSecurityRule two) {
\r
178 Long oneProtocol = getProtocol(one);
\r
179 Long twoProtocol = getProtocol(two);
\r
180 return twoIsNullOrEqualsOne(oneProtocol, twoProtocol);
\r
183 private static <T> boolean twoIsNullOrEqualsOne(T one, T two) {
\r
186 if (two.equals(one))
\r
191 public static boolean isPortsOfOneWithinTwo(NeutronSecurityRule one, NeutronSecurityRule two) {
\r
192 Integer onePortMin = one.getSecurityRulePortMin();
\r
193 Integer onePortMax = one.getSecurityRulePortMax();
\r
194 Integer twoPortMin = two.getSecurityRulePortMin();
\r
195 Integer twoPortMax = two.getSecurityRulePortMax();
\r
196 if (twoPortMin == null && twoPortMax == null) {
\r
199 if ((onePortMin != null && twoPortMin != null && onePortMin >= twoPortMin)
\r
200 && (onePortMax != null && twoPortMax != null && onePortMax <= twoPortMax)) {
\r
208 * @return {@code null} if {@link NeutronSecurityRule#getSecurityRuleEthertype()} is null or
\r
209 * empty; value of {@link EtherTypeClassifier#IPv4_VALUE} or
\r
210 * {@link EtherTypeClassifier#IPv6_VALUE}
\r
211 * @throws IllegalArgumentException if return value of
\r
212 * {@link NeutronSecurityRule#getSecurityRuleEthertype()} is not empty/null and is other
\r
213 * than "IPv4" or "IPv6"
\r
215 public static Long getEtherType(NeutronSecurityRule secRule) {
\r
216 String ethertype = secRule.getSecurityRuleEthertype();
\r
217 if (Strings.isNullOrEmpty(ethertype)) {
\r
220 if (NeutronUtils.IPv4.equals(ethertype)) {
\r
221 return EtherTypeClassifier.IPv4_VALUE;
\r
223 if (NeutronUtils.IPv6.equals(ethertype)) {
\r
224 return EtherTypeClassifier.IPv6_VALUE;
\r
226 throw new IllegalArgumentException("Ethertype " + ethertype + " is not supported.");
\r
231 * @return {@code null} if {@link NeutronSecurityRule#getSecurityRuleProtocol()} is null or
\r
232 * empty; Otherwise protocol number
\r
233 * @throws IllegalArgumentException if return value of
\r
234 * {@link NeutronSecurityRule#getSecurityRuleProtocol()} is not empty/null and is other
\r
235 * than "tcp", "udp", "icmp"
\r
237 public static Long getProtocol(NeutronSecurityRule secRule) {
\r
238 String protocol = secRule.getSecurityRuleProtocol();
\r
239 if (Strings.isNullOrEmpty(protocol)) {
\r
242 if (NeutronUtils.TCP.equals(protocol)) {
\r
243 return IpProtoClassifier.TCP_VALUE;
\r
245 if (NeutronUtils.UDP.equals(protocol)) {
\r
246 return IpProtoClassifier.UDP_VALUE;
\r
248 if (NeutronUtils.ICMP.equals(protocol)) {
\r
249 return IpProtoClassifier.ICMP_VALUE;
\r
251 throw new IllegalArgumentException("Protocol " + protocol + " is not supported.");
\r