[groupbasedpolicy.git] / neutron-mapper / src / main / java / org / opendaylight / groupbasedpolicy / neutron / mapper / mapping / rule / SecRuleEntityDecoder.java

/*\r
 * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.\r
 *\r
 * This program and the accompanying materials are made available under the\r
 * terms of the Eclipse Public License v1.0 which accompanies this distribution,\r
 * and is available at http://www.eclipse.org/legal/epl-v10.html\r
 */\r
\r
package org.opendaylight.groupbasedpolicy.neutron.mapper.mapping.rule;\r
\r
import static com.google.common.base.Preconditions.checkNotNull;\r
\r
import java.util.ArrayList;\r
import java.util.List;\r
\r
import org.opendaylight.groupbasedpolicy.api.sf.EtherTypeClassifierDefinition;\r
import org.opendaylight.groupbasedpolicy.api.sf.IpProtoClassifierDefinition;\r
import org.opendaylight.groupbasedpolicy.api.sf.L4ClassifierDefinition;\r
import org.opendaylight.groupbasedpolicy.neutron.mapper.util.MappingUtils;\r
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefix;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ClassifierName;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ContractId;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ParameterName;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.SubjectName;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.neutron.gbp.mapper.rev150513.change.action.of.security.group.rules.input.action.ActionChoice;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.neutron.gbp.mapper.rev150513.change.action.of.security.group.rules.input.action.action.choice.AllowActionCase;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.neutron.gbp.mapper.rev150513.change.action.of.security.group.rules.input.action.action.choice.SfcActionCase;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.HasDirection.Direction;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.action.refs.ActionRef;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRef;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRef.ConnectionTracking;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRefBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.EndpointIdentificationConstraints;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.EndpointIdentificationConstraintsBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.endpoint.identification.constraints.L3EndpointIdentificationConstraintsBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.endpoint.identification.constraints.l3.endpoint.identification.constraints.PrefixConstraint;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.endpoint.identification.constraints.endpoint.identification.constraints.l3.endpoint.identification.constraints.PrefixConstraintBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.ParameterValue;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.ParameterValueBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.parameter.value.RangeValueBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.policy.contract.Clause;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.policy.contract.ClauseBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.policy.contract.clause.ConsumerMatchers;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.policy.contract.clause.ConsumerMatchersBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.policy.subject.feature.instances.ClassifierInstance;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.policy.subject.feature.instances.ClassifierInstanceBuilder;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.DirectionBase;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.DirectionEgress;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.DirectionIngress;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.EthertypeBase;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.EthertypeV4;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.EthertypeV6;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolBase;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolIcmp;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolIcmpV6;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolTcp;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolUdp;\r
import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.secgroups.rev150712.security.rules.attributes.security.rules.SecurityRule;\r
\r
import com.google.common.collect.ImmutableList;\r
\r
public class SecRuleEntityDecoder {\r
\r
    private SecRuleEntityDecoder() {\r
        throw new UnsupportedOperationException("Cannot create an instace.");\r
    }\r
\r
    public static ContractId getContractId(SecurityRule secRule) {\r
        return new ContractId(secRule.getId().getValue());\r
    }\r
\r
    public static ClassifierInstance getClassifierInstance(SecurityRule secRule) {\r
        ClassifierInstanceBuilder classifierBuilder = new ClassifierInstanceBuilder();\r
        List<ParameterValue> params = new ArrayList<>();\r
        Integer portMin = secRule.getPortRangeMin();\r
        Integer portMax = secRule.getPortRangeMax();\r
        if (portMin != null && portMax != null) {\r
            classifierBuilder.setClassifierDefinitionId(L4ClassifierDefinition.DEFINITION.getId());\r
            if (portMin.equals(portMax)) {\r
                params.add(new ParameterValueBuilder().setName(new ParameterName(L4ClassifierDefinition.DST_PORT_PARAM))\r
                    .setIntValue(portMin.longValue())\r
                    .build());\r
            } else {\r
                params.add(new ParameterValueBuilder().setName(new ParameterName(L4ClassifierDefinition.DST_PORT_RANGE_PARAM))\r
                    .setRangeValue(\r
                            new RangeValueBuilder().setMin(portMin.longValue()).setMax(portMax.longValue()).build())\r
                    .build());\r
            }\r
        }\r
        Long protocol = getProtocol(secRule);\r
        if (protocol != null) {\r
            if (classifierBuilder.getClassifierDefinitionId() == null) {\r
                classifierBuilder.setClassifierDefinitionId(IpProtoClassifierDefinition.DEFINITION.getId());\r
            }\r
            params.add(new ParameterValueBuilder().setName(new ParameterName(IpProtoClassifierDefinition.PROTO_PARAM))\r
                .setIntValue(protocol)\r
                .build());\r
        }\r
        Long ethertype = getEtherType(secRule);\r
        if (ethertype != null) {\r
            if (classifierBuilder.getClassifierDefinitionId() == null) {\r
                classifierBuilder.setClassifierDefinitionId(EtherTypeClassifierDefinition.DEFINITION.getId());\r
            }\r
            params.add(new ParameterValueBuilder().setName(new ParameterName(EtherTypeClassifierDefinition.ETHERTYPE_PARAM))\r
                .setIntValue(ethertype)\r
                .build());\r
        }\r
        ClassifierName classifierName = SecRuleNameDecoder.getClassifierInstanceName(secRule);\r
        return classifierBuilder.setParameterValue(params).setName(new ClassifierName(classifierName)).build();\r
    }\r
\r
    public static ActionRef createActionRefFromActionChoice(ActionChoice action) {\r
        if(action instanceof SfcActionCase){\r
            return MappingUtils.createSfcActionRef(((SfcActionCase) action).getSfcChainName());\r
        } else if (action instanceof AllowActionCase) {\r
            return MappingUtils.ACTION_REF_ALLOW;\r
        }\r
        return null;\r
    }\r
\r
    public static ClassifierRef getClassifierRef(SecurityRule secRule) {\r
        checkNotNull(secRule);\r
        ClassifierName classifierInstanceName = SecRuleNameDecoder.getClassifierInstanceName(secRule);\r
        ClassifierRefBuilder classifierRefBuilder = new ClassifierRefBuilder()\r
            .setConnectionTracking(ConnectionTracking.Reflexive).setInstanceName(classifierInstanceName);\r
        Direction direction = getDirection(secRule);\r
        classifierRefBuilder.setDirection(direction);\r
        ClassifierName classifierRefName = SecRuleNameDecoder.getClassifierRefName(secRule);\r
        return classifierRefBuilder.setName(classifierRefName).build();\r
    }\r
\r
    /**\r
     * @param secRule\r
     * @return direction resolved from {@link SecurityRule#getDirection()}\r
     * @throws IllegalArgumentException if return value of\r
     *         {@link SecurityRule#getDirection()} is other than {@link DirectionIngress} or\r
     *         {@link DirectionEgress}\r
     */\r
    public static Direction getDirection(SecurityRule secRule) {\r
        Class<? extends DirectionBase> direction = secRule.getDirection();\r
        if (direction == null) {\r
            throw new IllegalArgumentException("Direction cannot be null.");\r
        }\r
        if (direction.isAssignableFrom(DirectionIngress.class)) {\r
            return Direction.In;\r
        }\r
        if (direction.isAssignableFrom(DirectionEgress.class)) {\r
            return Direction.Out;\r
        }\r
        throw new IllegalArgumentException("Direction " + direction + " from security group rule "\r
                + secRule + " is not supported. Direction can be only 'ingress' or 'egress'.");\r
    }\r
\r
    /**\r
     * @param secRule {@link SecurityRule#getRemoteIpPrefix()} is used for EIC\r
     *        and subject selection\r
     * @return clause with the subject and with a consumer matcher containing EIC\r
     */\r
    public static Clause getClause(SecurityRule secRule) {\r
        checkNotNull(secRule);\r
        SubjectName subjectName = SecRuleNameDecoder.getSubjectName(secRule);\r
        ClauseBuilder clauseBuilder =\r
                new ClauseBuilder().setSubjectRefs(ImmutableList.of(subjectName)).setName(SecRuleNameDecoder.getClauseName(secRule));\r
        IpPrefix remoteIpPrefix = secRule.getRemoteIpPrefix();\r
        if (remoteIpPrefix != null) {\r
            clauseBuilder.setConsumerMatchers(createConsumerMatchersWithEic(remoteIpPrefix));\r
        }\r
        return clauseBuilder.build();\r
    }\r
\r
    private static ConsumerMatchers createConsumerMatchersWithEic(IpPrefix ipPrefix) {\r
        PrefixConstraint consumerPrefixConstraint = new PrefixConstraintBuilder().setIpPrefix(ipPrefix).build();\r
        EndpointIdentificationConstraints eic =\r
                new EndpointIdentificationConstraintsBuilder()\r
                    .setL3EndpointIdentificationConstraints(new L3EndpointIdentificationConstraintsBuilder()\r
                        .setPrefixConstraint(ImmutableList.<PrefixConstraint>of(consumerPrefixConstraint)).build())\r
                    .build();\r
        return new ConsumerMatchersBuilder().setEndpointIdentificationConstraints(eic).build();\r
    }\r
\r
    public static boolean isEtherTypeOfOneWithinTwo(SecurityRule one, SecurityRule two) {\r
        Long oneEtherType = getEtherType(one);\r
        Long twoEtherType = getEtherType(two);\r
        return twoIsNullOrEqualsOne(oneEtherType, twoEtherType);\r
    }\r
\r
    public static boolean isProtocolOfOneWithinTwo(SecurityRule one, SecurityRule two) {\r
        Long oneProtocol = getProtocol(one);\r
        Long twoProtocol = getProtocol(two);\r
        return twoIsNullOrEqualsOne(oneProtocol, twoProtocol);\r
    }\r
\r
    private static <T> boolean twoIsNullOrEqualsOne(T one, T two) {\r
        if (two == null)\r
            return true;\r
        if (two.equals(one))\r
            return true;\r
        return false;\r
    }\r
\r
    public static boolean isPortsOfOneWithinTwo(SecurityRule one, SecurityRule two) {\r
        Integer onePortMin = one.getPortRangeMin();\r
        Integer onePortMax = one.getPortRangeMax();\r
        Integer twoPortMin = two.getPortRangeMin();\r
        Integer twoPortMax = two.getPortRangeMax();\r
        if (twoPortMin == null && twoPortMax == null) {\r
            return true;\r
        }\r
        if ((onePortMin != null && twoPortMin != null && onePortMin >= twoPortMin)\r
                && (onePortMax != null && twoPortMax != null && onePortMax <= twoPortMax)) {\r
            return true;\r
        }\r
        return false;\r
    }\r
\r
    /**\r
     * @param secRule\r
     * @return {@code null} if {@link SecurityRule#getEthertype()} is null; Otherwise ethertype\r
     *         number\r
     * @throws IllegalArgumentException if return value of\r
     *         {@link SecurityRule#getEthertype()} is other {@link EthertypeV4} or\r
     *         {@link EthertypeV6}\r
     */\r
    public static Long getEtherType(SecurityRule secRule) {\r
        Class<? extends EthertypeBase> ethertype = secRule.getEthertype();\r
        if (ethertype == null) {\r
            return null;\r
        }\r
        if (ethertype.isAssignableFrom(EthertypeV4.class)) {\r
            return EtherTypeClassifierDefinition.IPv4_VALUE;\r
        }\r
        if (ethertype.isAssignableFrom(EthertypeV6.class)) {\r
            return EtherTypeClassifierDefinition.IPv6_VALUE;\r
        }\r
        throw new IllegalArgumentException("Ethertype " + ethertype + " is not supported.");\r
    }\r
\r
    /**\r
     * @param secRule\r
     * @return {@code null} if {@link SecurityRule#getProtocol()} is null; Otherwise protocol number\r
     * @throws IllegalArgumentException if return value of\r
     *         {@link SecurityRule#getProtocol()} is other than {@link ProtocolTcp},\r
     *         {@link ProtocolUdp}, {@link ProtocolIcmp}, {@link ProtocolIcmpV6}\r
     */\r
    public static Long getProtocol(SecurityRule secRule) {\r
        Class<? extends ProtocolBase> protocol = secRule.getProtocol();\r
        if (protocol == null) {\r
            return null;\r
        }\r
        if (protocol.isAssignableFrom(ProtocolTcp.class)) {\r
            return IpProtoClassifierDefinition.TCP_VALUE;\r
        }\r
        if (protocol.isAssignableFrom(ProtocolUdp.class)) {\r
            return IpProtoClassifierDefinition.UDP_VALUE;\r
        }\r
        if (protocol.isAssignableFrom(ProtocolIcmp.class)) {\r
            return IpProtoClassifierDefinition.ICMP_VALUE;\r
        }\r
        if (protocol.isAssignableFrom(ProtocolIcmpV6.class)) {\r
            return IpProtoClassifierDefinition.ICMPv6_VALUE;\r
        }\r
        throw new IllegalArgumentException("Neutron Security Rule Protocol value " + protocol + " is not supported.");\r
    }\r
}\r