Add unit tests for detectConflicts method and smoke tests

Author: nvazquez

server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java

@@ -400,17 +400,9 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
             assert (rules.size() >= 1);
         }
 
-        NetworkVO newRuleNetwork = _networkDao.findById(newRule.getNetworkId());
-        if (newRuleNetwork == null) {
-            throw new InvalidParameterValueException("Unable to create firewall rule as cannot find network by id=" + newRule.getNetworkId());
-        }
-        boolean isNewRuleOnVpcNetwork = newRuleNetwork.getVpcId() != null;
-        boolean isVpcConserveModeEnabled = false;
-        if (isNewRuleOnVpcNetwork) {
-            Vpc vpc = _vpcMgr.getActiveVpc(newRuleNetwork.getVpcId());
-            VpcOfferingVO vpcOffering = vpc != null ? vpcOfferingDao.findById(vpc.getVpcOfferingId()) : null;
-            isVpcConserveModeEnabled = vpcOffering != null && vpcOffering.isConserveMode();
-        }
+        NetworkVO newRuleNetwork = getNewRuleNetwork(newRule);
+        boolean newRuleIsOnVpcNetwork = isNewRuleOnVpcNetwork(newRuleNetwork);
+        boolean vpcConserveModeEnabled = isVpcConserveModeEnabled(newRuleNetwork);
 
         for (FirewallRuleVO rule : rules) {
             if (rule.getId() == newRule.getId()) {
@@ -461,10 +453,10 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
 
             // Checking if the rule applied is to the same network that is passed in the rule.
             // (except for VPCs with conserve mode = true)
-            if ((!isNewRuleOnVpcNetwork || !isVpcConserveModeEnabled)
+            if ((!newRuleIsOnVpcNetwork || !vpcConserveModeEnabled)
                     && rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
                 String errMsg = String.format("New rule is for a different network than what's specified in rule %s", rule.getXid());
-                if (isNewRuleOnVpcNetwork) {
+                if (newRuleIsOnVpcNetwork) {
                     errMsg += String.format(" - VPC id=%s is not using conserve mode", newRuleNetwork.getVpcId());
                 }
                 throw new NetworkRuleConflictException(errMsg);
@@ -516,6 +508,27 @@ public void detectRulesConflict(FirewallRule newRule) throws NetworkRuleConflict
         }
     }
 
+    protected boolean isVpcConserveModeEnabled(NetworkVO newRuleNetwork) {
+        if (isNewRuleOnVpcNetwork(newRuleNetwork)) {
+            Vpc vpc = _vpcMgr.getActiveVpc(newRuleNetwork.getVpcId());
+            VpcOfferingVO vpcOffering = vpc != null ? vpcOfferingDao.findById(vpc.getVpcOfferingId()) : null;
+            return vpcOffering != null && vpcOffering.isConserveMode();
+        }
+        return false;
+    }
+
+    protected boolean isNewRuleOnVpcNetwork(NetworkVO newRuleNetwork) {
+        return newRuleNetwork.getVpcId() != null;
+    }
+
+    protected NetworkVO getNewRuleNetwork(FirewallRule newRule) {
+        NetworkVO newRuleNetwork = _networkDao.findById(newRule.getNetworkId());
+        if (newRuleNetwork == null) {
+            throw new InvalidParameterValueException("Unable to create firewall rule as cannot find network by id=" + newRule.getNetworkId());
+        }
+        return newRuleNetwork;
+    }
+
     protected boolean checkIfRulesHaveConflictingPortRanges(FirewallRule newRule, FirewallRule rule, boolean oneOfRulesIsFirewall, boolean bothRulesFirewall, boolean bothRulesPortForwarding, boolean duplicatedCidrs) {
         String rulesAsString = String.format("[%s] and [%s]", rule, newRule);
 

server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java

@@ -32,7 +32,10 @@
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
+import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcManager;
+import com.cloud.network.vpc.VpcOfferingVO;
+import com.cloud.network.vpc.dao.VpcOfferingDao;
 import com.cloud.user.AccountManager;
 import com.cloud.user.DomainManager;
 import com.cloud.utils.component.ComponentContext;
@@ -81,6 +84,8 @@ public class FirewallManagerTest {
     FirewallRulesDao _firewallDao;
     @Mock
     NetworkDao _networkDao;
+    @Mock
+    VpcOfferingDao vpcOfferingDao;
 
     @Spy
     @InjectMocks
@@ -168,54 +173,102 @@ public void testApplyFWRules() {
         }
     }
 
-    @Test
-    public void testDetectRulesConflict() {
-        List<FirewallRuleVO> ruleList = new ArrayList<FirewallRuleVO>();
-        FirewallRuleVO rule1 = spy(new FirewallRuleVO("rule1", 3, 500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
-        FirewallRuleVO rule2 = spy(new FirewallRuleVO("rule2", 3, 1701, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
-        FirewallRuleVO rule3 = spy(new FirewallRuleVO("rule3", 3, 4500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
+    private List<FirewallRuleVO> createExistingFirewallListRulesList(long existingNetworkId) {
+        List<FirewallRuleVO> ruleList = new ArrayList<>();
+        FirewallRuleVO rule1 = spy(new FirewallRuleVO("rule1", 3, 500, "UDP", existingNetworkId, 2, 1, Purpose.Vpn, null, null, null, null));
+        FirewallRuleVO rule2 = spy(new FirewallRuleVO("rule2", 3, 1701, "UDP", existingNetworkId, 2, 1, Purpose.Vpn, null, null, null, null));
+        FirewallRuleVO rule3 = spy(new FirewallRuleVO("rule3", 3, 4500, "UDP", existingNetworkId, 2, 1, Purpose.Vpn, null, null, null, null));
 
         List<String> sString = Arrays.asList("10.1.1.1/24","192.168.1.1/24");
         List<String> dString1 = Arrays.asList("10.1.1.1/25");
-        List<String> dString2 = Arrays.asList("10.1.1.128/25");
 
-        FirewallRuleVO rule4 = spy(new FirewallRuleVO("rule4", 3L, 10, 20, "TCP", 1, 2, 1, Purpose.Firewall, sString, dString1, null, null,
+        FirewallRuleVO rule4 = spy(new FirewallRuleVO("rule4", 3L, 10, 20, "TCP", existingNetworkId, 2, 1, Purpose.Firewall, sString, dString1, null, null,
                 null, FirewallRule.TrafficType.Egress));
 
+        when(rule1.getId()).thenReturn(1L);
+        when(rule2.getId()).thenReturn(2L);
+        when(rule3.getId()).thenReturn(3L);
+        when(rule4.getId()).thenReturn(4L);
+
         ruleList.add(rule1);
         ruleList.add(rule2);
         ruleList.add(rule3);
         ruleList.add(rule4);
 
-        FirewallManagerImpl firewallMgr = (FirewallManagerImpl)_firewallMgr;
+        return ruleList;
+    }
 
-        when(firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
-        when(rule1.getId()).thenReturn(1L);
-        when(rule2.getId()).thenReturn(2L);
-        when(rule3.getId()).thenReturn(3L);
-        when(rule4.getId()).thenReturn(4L);
+    private List<FirewallRule> createNewRuleList(long newNetworkId) {
+        List<String> sString = Arrays.asList("10.1.1.1/24","192.168.1.1/24");
+        List<String> dString2 = Arrays.asList("10.1.1.128/25");
 
-        FirewallRule newRule1 = new FirewallRuleVO("newRule1", 3, 500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
-        FirewallRule newRule2 = new FirewallRuleVO("newRule2", 3, 1701, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
-        FirewallRule newRule3 = new FirewallRuleVO("newRule3", 3, 4500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
-        FirewallRule newRule4 = new FirewallRuleVO("newRule4", 3L, 15, 25, "TCP", 1, 2, 1, Purpose.Firewall, sString, dString2, null, null,
+        FirewallRule newRule1 = new FirewallRuleVO("newRule1", 3, 500, "TCP", newNetworkId, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule2 = new FirewallRuleVO("newRule2", 3, 1701, "TCP", newNetworkId, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule3 = new FirewallRuleVO("newRule3", 3, 4500, "TCP", newNetworkId, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule4 = new FirewallRuleVO("newRule4", 3L, 15, 25, "TCP", newNetworkId, 2, 1, Purpose.Firewall, sString, dString2, null, null,
                 null, FirewallRule.TrafficType.Egress);
+        return Arrays.asList(newRule1, newRule2, newRule3, newRule4);
+    }
+
+    @Test
+    public void testDetectRulesConflictIsolatedNetwork() {
+        List<FirewallRuleVO> ruleList = createExistingFirewallListRulesList(1L);
+        when(_firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
+
+        List<FirewallRule> newRuleList = createNewRuleList(1L);
 
         NetworkVO networkVO = Mockito.mock(NetworkVO.class);
-        when(firewallMgr._networkDao.findById(1L)).thenReturn(networkVO);
+        when(_firewallMgr._networkDao.findById(1L)).thenReturn(networkVO);
         when(networkVO.getVpcId()).thenReturn(null);
 
         try {
-            firewallMgr.detectRulesConflict(newRule1);
-            firewallMgr.detectRulesConflict(newRule2);
-            firewallMgr.detectRulesConflict(newRule3);
-            firewallMgr.detectRulesConflict(newRule4);
+            for (FirewallRule newRule : newRuleList) {
+                _firewallMgr.detectRulesConflict(newRule);
+            }
         }
         catch (NetworkRuleConflictException ex) {
             Assert.fail();
         }
     }
 
+    private void testDetectRulesConflictVpcBase(boolean vpcConserveMode) throws NetworkRuleConflictException {
+        long existingNetworkId = 1L;
+        long newNetworkId = 2L;
+        long vpcId = 10L;
+
+        List<FirewallRuleVO> ruleList = createExistingFirewallListRulesList(existingNetworkId);
+        when(_firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
+
+        List<FirewallRule> newRuleList = createNewRuleList(newNetworkId);
+
+        NetworkVO newNetworkVO = Mockito.mock(NetworkVO.class);
+        Vpc vpc = Mockito.mock(Vpc.class);
+        VpcOfferingVO vpcOffering = Mockito.mock(VpcOfferingVO.class);
+
+        when(_firewallMgr._networkDao.findById(2L)).thenReturn(newNetworkVO);
+        when(newNetworkVO.getVpcId()).thenReturn(vpcId);
+        when(_vpcMgr.getActiveVpc(vpcId)).thenReturn(vpc);
+        when(vpc.getVpcOfferingId()).thenReturn(1L);
+        when(vpcOfferingDao.findById(1L)).thenReturn(vpcOffering);
+        when(vpcOffering.isConserveMode()).thenReturn(vpcConserveMode);
+
+        for (FirewallRule newRule : newRuleList) {
+            _firewallMgr.detectRulesConflict(newRule);
+        }
+    }
+
+    @Test
+    public void testDetectRulesConflictVpcConserveMode() throws NetworkRuleConflictException {
+        // When VPC conserve mode is enabled, rules can be created for multiple network tiers
+        testDetectRulesConflictVpcBase(true);
+    }
+
+    @Test(expected = NetworkRuleConflictException.class)
+    public void testDetectRulesConflictVpcConserveModeFalse() throws NetworkRuleConflictException {
+        // When VPC conserve mode is disabled, an exception should be thrown when attempting to create rules on different network tiers
+        testDetectRulesConflictVpcBase(false);
+    }
+
     @Test
     public void checkIfRulesHaveConflictingPortRangesTestOnlyOneRuleIsFirewallReturnsFalse()
     {