import network acl rules using csv (#12013)

Author: sudo87

api/src/main/java/com/cloud/event/EventTypes.java

@@ -582,6 +582,7 @@ public class EventTypes {
 
     // Network ACL
     public static final String EVENT_NETWORK_ACL_CREATE = "NETWORK.ACL.CREATE";
+    public static final String EVENT_NETWORK_ACL_IMPORT = "NETWORK.ACL.IMPORT";
     public static final String EVENT_NETWORK_ACL_DELETE = "NETWORK.ACL.DELETE";
     public static final String EVENT_NETWORK_ACL_REPLACE = "NETWORK.ACL.REPLACE";
     public static final String EVENT_NETWORK_ACL_UPDATE = "NETWORK.ACL.UPDATE";

api/src/main/java/com/cloud/network/vpc/NetworkACLService.java

@@ -19,6 +19,7 @@
 import java.util.List;
 
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
+import org.apache.cloudstack.api.command.user.network.ImportNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 import org.apache.cloudstack.api.command.user.network.MoveNetworkAclItemCmd;
@@ -98,4 +99,6 @@ public interface NetworkACLService {
     NetworkACLItem moveNetworkAclRuleToNewPosition(MoveNetworkAclItemCmd moveNetworkAclItemCmd);
 
     NetworkACLItem moveRuleToTheTopInACLList(NetworkACLItem ruleBeingMoved);
+
+    List<NetworkACLItem> importNetworkACLRules(ImportNetworkACLCmd cmd) throws ResourceUnavailableException;
 }

api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkACLCmd.java

@@ -58,7 +58,7 @@ public class CreateNetworkACLCmd extends BaseAsyncCreateCmd {
     private Integer publicEndPort;
 
     @Parameter(name = ApiConstants.CIDR_LIST, type = CommandType.LIST, collectionType = CommandType.STRING, description = "The CIDR list to allow traffic from/to. Multiple entries must be separated by a single comma character (,).")
-    private List<String> cidrlist;
+    private List<String> cidrList;
 
     @Parameter(name = ApiConstants.ICMP_TYPE, type = CommandType.INTEGER, description = "Type of the ICMP message being sent")
     private Integer icmpType;
@@ -118,8 +118,8 @@ public void setProtocol(String protocol) {
     }
 
     public List<String> getSourceCidrList() {
-        if (cidrlist != null) {
-            return cidrlist;
+        if (cidrList != null) {
+            return cidrList;
         } else {
             List<String> oneCidrList = new ArrayList<String>();
             oneCidrList.add(NetUtils.ALL_IP4_CIDRS);
@@ -238,6 +238,30 @@ public String getReason() {
         return reason;
     }
 
+    public void setCidrList(List<String> cidrList) {
+        this.cidrList = cidrList;
+    }
+
+    public void setIcmpType(Integer icmpType) {
+        this.icmpType = icmpType;
+    }
+
+    public void setIcmpCode(Integer icmpCode) {
+        this.icmpCode = icmpCode;
+    }
+
+    public void setNumber(Integer number) {
+        this.number = number;
+    }
+
+    public void setDisplay(Boolean display) {
+        this.display = display;
+    }
+
+    public void setReason(String reason) {
+        this.reason = reason;
+    }
+
     @Override
     public void create() {
         NetworkACLItem result = _networkACLService.createNetworkACLItem(this);

api/src/main/java/org/apache/cloudstack/api/command/user/network/ImportNetworkACLCmd.java

@@ -0,0 +1,132 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.network;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.NetworkACLItemResponse;
+import org.apache.cloudstack.api.response.NetworkACLResponse;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.commons.collections.MapUtils;
+
+import com.cloud.event.EventTypes;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.user.Account;
+
+@APICommand(name = "importNetworkACL", description = "Imports Network ACL rules.",
+        responseObject = NetworkACLItemResponse.class,
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
+        since = "4.22.1")
+public class ImportNetworkACLCmd extends BaseAsyncCmd {
+
+    // ///////////////////////////////////////////////////
+    // ////////////// API parameters /////////////////////
+    // ///////////////////////////////////////////////////
+
+    @Parameter(
+            name = ApiConstants.ACL_ID,
+            type = CommandType.UUID,
+            entityType = NetworkACLResponse.class,
+            required = true,
+            description = "The ID of the Network ACL to which the rules will be imported"
+    )
+    private Long aclId;
+
+    @Parameter(name = ApiConstants.RULES, type = CommandType.MAP, required = true,
+            description = "Rules param list, id and protocol are must. Invalid rules will be discarded. Example: " +
+                    "rules[0].id=101&rules[0].protocol=tcp&rules[0].traffictype=ingress&rules[0].state=active&rules[0].cidrlist=192.168.1.0/24" +
+                    "&rules[0].tags=web&rules[0].aclid=acl-001&rules[0].aclname=web-acl&rules[0].number=1&rules[0].action=allow&rules[0].fordisplay=true" +
+                    "&rules[0].description=allow%20web%20traffic&rules[1].id=102&rules[1].protocol=udp&rules[1].traffictype=egress&rules[1].state=enabled" +
+                    "&rules[1].cidrlist=10.0.0.0/8&rules[1].tags=db&rules[1].aclid=acl-002&rules[1].aclname=db-acl&rules[1].number=2&rules[1].action=deny" +
+                    "&rules[1].fordisplay=false&rules[1].description=deny%20database%20traffic")
+    private Map rules;
+
+
+    // ///////////////////////////////////////////////////
+    // ///////////////// Accessors ///////////////////////
+    // ///////////////////////////////////////////////////
+
+    // Returns map, corresponds to a rule with the details in the keys:
+    // id, protocol, startport, endport, traffictype, state, cidrlist, tags, aclid, aclname, number, action, fordisplay, description
+    public Map getRules() {
+        return rules;
+    }
+
+    public Long getAclId() {
+        return aclId;
+    }
+
+    // ///////////////////////////////////////////////////
+    // ///////////// API Implementation///////////////////
+    // ///////////////////////////////////////////////////
+
+
+    @Override
+    public void execute() throws ResourceUnavailableException {
+        validateParams();
+        List<NetworkACLItem> importedRules = _networkACLService.importNetworkACLRules(this);
+        ListResponse<NetworkACLItemResponse> response = new ListResponse<>();
+        List<NetworkACLItemResponse> aclResponse = new ArrayList<>();
+        for (NetworkACLItem acl : importedRules) {
+            NetworkACLItemResponse ruleData = _responseGenerator.createNetworkACLItemResponse(acl);
+            aclResponse.add(ruleData);
+        }
+        response.setResponses(aclResponse, importedRules.size());
+        response.setResponseName(getCommandName());
+        setResponseObject(response);
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        Account account = CallContext.current().getCallingAccount();
+        if (account != null) {
+            return account.getId();
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_NETWORK_ACL_IMPORT;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Importing ACL rules for ACL ID: " + getAclId();
+    }
+
+
+    private void validateParams() {
+        if(MapUtils.isEmpty(rules)) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Rules parameter is empty or null");
+        }
+
+        if (getAclId() == null || _networkACLService.getNetworkACL(getAclId()) == null) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unable to find Network ACL with provided ACL ID");
+        }
+    }
+}

server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java

@@ -26,15 +26,11 @@
 
 import javax.inject.Inject;
 
-import com.cloud.dc.DataCenter;
-import com.cloud.exception.PermissionDeniedException;
-import com.cloud.network.dao.NetrisProviderDao;
-import com.cloud.network.dao.NsxProviderDao;
-import com.cloud.network.element.NetrisProviderVO;
-import com.cloud.network.element.NsxProviderVO;
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
+import org.apache.cloudstack.api.command.user.network.ImportNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 import org.apache.cloudstack.api.command.user.network.MoveNetworkAclItemCmd;
@@ -43,19 +39,26 @@
 import org.apache.cloudstack.context.CallContext;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Component;
 
+import com.cloud.dc.DataCenter;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.Network;
 import com.cloud.network.NetworkModel;
 import com.cloud.network.Networks;
+import com.cloud.network.dao.NetrisProviderDao;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.element.NetrisProviderVO;
+import com.cloud.network.element.NsxProviderVO;
 import com.cloud.network.vpc.NetworkACLItem.Action;
 import com.cloud.network.vpc.NetworkACLItem.TrafficType;
 import com.cloud.network.vpc.dao.NetworkACLDao;
@@ -1070,6 +1073,111 @@ public NetworkACLItem moveRuleToTheTopInACLList(NetworkACLItem ruleBeingMoved) {
         return moveRuleToTheTop(ruleBeingMoved, allRules);
     }
 
+    @Override
+    public List<NetworkACLItem> importNetworkACLRules(ImportNetworkACLCmd cmd) throws ResourceUnavailableException {
+        long aclId = cmd.getAclId();
+        Map<Object, Object> rules = cmd.getRules();
+        List<NetworkACLItem> createdRules = new ArrayList<>();
+        List<String> errors = new ArrayList<>();
+        for (Map.Entry<Object, Object> entry : rules.entrySet()) {
+            try {
+                Map<String, Object> ruleMap = (Map<String, Object>) entry.getValue();
+                NetworkACLItem item = createACLRuleFromMap(ruleMap, aclId);
+                createdRules.add(item);
+            } catch (Exception ex) {
+                String error = "Failed to import rule at index " + entry.getKey() + ": " + ex.getMessage();
+                errors.add(error);
+                logger.error(error, ex);
+            }
+        }
+        // no rules got imported
+        if (createdRules.isEmpty() && !errors.isEmpty()) {
+            logger.error("Failed to import any ACL rules. Errors: {}", String.join("; ", errors));
+            throw new CloudRuntimeException("Failed to import any ACL rules.");
+        }
+
+        // apply ACL to network
+        if (!createdRules.isEmpty()) {
+            applyNetworkACL(aclId);
+        }
+        return createdRules;
+    }
+
+    private NetworkACLItem createACLRuleFromMap(Map<String, Object> ruleMap, long aclId) {
+        String protocol = (String) ruleMap.get(ApiConstants.PROTOCOL);
+        if (protocol == null || protocol.trim().isEmpty()) {
+            throw new InvalidParameterValueException("Protocol is required");
+        }
+        String action = (String) ruleMap.getOrDefault(ApiConstants.ACTION, "deny");
+        String trafficType = (String) ruleMap.getOrDefault(ApiConstants.TRAFFIC_TYPE, NetworkACLItem.TrafficType.Ingress);
+        String forDisplay = (String) ruleMap.getOrDefault(ApiConstants.FOR_DISPLAY, "true");
+
+        // Create ACL rule using the service
+        CreateNetworkACLCmd cmd = new CreateNetworkACLCmd();
+        cmd.setAclId(aclId);
+        cmd.setProtocol(protocol.toLowerCase());
+        cmd.setAction(action.toLowerCase());
+        cmd.setTrafficType(trafficType.toLowerCase());
+        cmd.setDisplay(BooleanUtils.toBoolean(forDisplay));
+
+        // Optional parameters
+        if (ruleMap.containsKey(ApiConstants.CIDR_LIST)) {
+            Object cidrObj = ruleMap.get(ApiConstants.CIDR_LIST);
+            List<String> cidrList = new ArrayList<>();
+            if (cidrObj instanceof String) {
+                for (String cidr : ((String) cidrObj).split(",")) {
+                    cidrList.add(cidr.trim());
+                }
+            } else if (cidrObj instanceof List) {
+                cidrList.addAll((List<String>) cidrObj);
+            }
+            cmd.setCidrList(cidrList);
+        }
+
+        if (ruleMap.containsKey(ApiConstants.START_PORT)) {
+            cmd.setPublicStartPort(parseInt(ruleMap.get(ApiConstants.START_PORT)));
+        }
+
+        if (ruleMap.containsKey(ApiConstants.END_PORT)) {
+            cmd.setPublicEndPort(parseInt(ruleMap.get(ApiConstants.END_PORT)));
+        }
+
+        if (ruleMap.containsKey(ApiConstants.NUMBER)) {
+            cmd.setNumber(parseInt(ruleMap.get(ApiConstants.NUMBER)));
+        }
+
+        if (ruleMap.containsKey(ApiConstants.ICMP_TYPE)) {
+            cmd.setIcmpType(parseInt(ruleMap.get(ApiConstants.ICMP_TYPE)));
+        }
+
+        if (ruleMap.containsKey(ApiConstants.ICMP_CODE)) {
+            cmd.setIcmpCode(parseInt(ruleMap.get(ApiConstants.ICMP_CODE)));
+        }
+
+        if (ruleMap.containsKey(ApiConstants.ACL_REASON)) {
+            cmd.setReason((String) ruleMap.get(ApiConstants.ACL_REASON));
+        }
+
+        return createNetworkACLItem(cmd);
+    }
+
+    private Integer parseInt(Object value) {
+        if (value == null) {
+            return null;
+        }
+        if (value instanceof Integer) {
+            return (Integer) value;
+        }
+        if (value instanceof String) {
+            try {
+                return Integer.parseInt((String) value);
+            } catch (NumberFormatException e) {
+                throw new InvalidParameterValueException("Invalid integer value: " + value);
+            }
+        }
+        throw new InvalidParameterValueException("Cannot convert to integer: " + value);
+    }
+
     /**
      * Validates the consistency of the ACL; the validation process is the following.
      * <ul>

server/src/main/java/com/cloud/server/ManagementServerImpl.java

@@ -454,6 +454,7 @@
 import org.apache.cloudstack.api.command.user.network.DeleteNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.DeleteNetworkACLListCmd;
 import org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd;
+import org.apache.cloudstack.api.command.user.network.ImportNetworkACLCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLListsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
 import org.apache.cloudstack.api.command.user.network.ListNetworkOfferingsCmd;
@@ -4039,6 +4040,7 @@ public List<Class<?>> getCommands() {
         cmdList.add(EnableStaticNatCmd.class);
         cmdList.add(ListIpForwardingRulesCmd.class);
         cmdList.add(CreateNetworkACLCmd.class);
+        cmdList.add(ImportNetworkACLCmd.class);
         cmdList.add(CreateNetworkCmd.class);
         cmdList.add(DeleteNetworkACLCmd.class);
         cmdList.add(DeleteNetworkCmd.class);