comply with code-style and improve coverage

Signed-off-by: Abhishek Pandey <abhpandey@microsoft.com>

Author: abhishek-pandey-1

pkg/controller/security_group_test.go

@@ -5,9 +5,12 @@ import (
 
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
 	"github.com/kubeovn/kube-ovn/pkg/ovs"
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
+	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
 func mockLsp() *ovnnb.LogicalSwitchPort {
@@ -72,3 +75,142 @@ func Test_securityGroupALLNotExist(t *testing.T) {
 		require.True(t, exist)
 	})
 }
+
+func Test_validateSgRule(t *testing.T) {
+	t.Parallel()
+
+	ctrl := &Controller{}
+	baseSG := func(rules ...kubeovnv1.SecurityGroupRule) *kubeovnv1.SecurityGroup {
+		return &kubeovnv1.SecurityGroup{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-sg"},
+			Spec: kubeovnv1.SecurityGroupSpec{
+				SecurityGroupTier: util.SecurityGroupTierMinimum,
+				IngressRules:      rules,
+			},
+		}
+	}
+
+	t.Run("valid local address as CIDR", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:     "ipv4",
+			Priority:      1,
+			RemoteType:    kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress: "10.0.0.0/8",
+			LocalAddress:  "192.168.1.0/24",
+			Protocol:      "all",
+			Policy:        kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+		})
+		err := ctrl.validateSgRule(sg)
+		require.NoError(t, err)
+	})
+
+	t.Run("valid local address as IP", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:     "ipv4",
+			Priority:      1,
+			RemoteType:    kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress: "10.0.0.1",
+			LocalAddress:  "192.168.1.100",
+			Protocol:      "all",
+			Policy:        kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+		})
+		err := ctrl.validateSgRule(sg)
+		require.NoError(t, err)
+	})
+
+	t.Run("invalid local address CIDR", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:     "ipv4",
+			Priority:      1,
+			RemoteType:    kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress: "10.0.0.1",
+			LocalAddress:  "999.999.999.0/24",
+			Protocol:      "all",
+			Policy:        kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+		})
+		err := ctrl.validateSgRule(sg)
+		require.ErrorContains(t, err, "invalid CIDR")
+	})
+
+	t.Run("invalid local address IP", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:     "ipv4",
+			Priority:      1,
+			RemoteType:    kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress: "10.0.0.1",
+			LocalAddress:  "not-an-ip",
+			Protocol:      "all",
+			Policy:        kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+		})
+		err := ctrl.validateSgRule(sg)
+		require.ErrorContains(t, err, "invalid ip address")
+	})
+
+	t.Run("valid local port range with TCP and local address", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:         "ipv4",
+			Priority:          1,
+			RemoteType:        kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress:     "10.0.0.1",
+			LocalAddress:      "192.168.1.100",
+			Protocol:          "tcp",
+			Policy:            kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+			PortRangeMin:      80,
+			PortRangeMax:      443,
+			LocalPortRangeMin: 1024,
+			LocalPortRangeMax: 65535,
+		})
+		err := ctrl.validateSgRule(sg)
+		require.NoError(t, err)
+	})
+
+	t.Run("invalid local port range out of bounds", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:         "ipv4",
+			Priority:          1,
+			RemoteType:        kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress:     "10.0.0.1",
+			LocalAddress:      "192.168.1.100",
+			Protocol:          "tcp",
+			Policy:            kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+			PortRangeMin:      80,
+			PortRangeMax:      443,
+			LocalPortRangeMin: 0,
+			LocalPortRangeMax: 65535,
+		})
+		err := ctrl.validateSgRule(sg)
+		require.ErrorContains(t, err, "portRange is out of range")
+	})
+
+	t.Run("invalid local port range min greater than max", func(t *testing.T) {
+		t.Parallel()
+
+		sg := baseSG(kubeovnv1.SecurityGroupRule{
+			IPVersion:         "ipv4",
+			Priority:          1,
+			RemoteType:        kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress:     "10.0.0.1",
+			LocalAddress:      "192.168.1.100",
+			Protocol:          "udp",
+			Policy:            kubeovnv1.SgPolicy(ovnnb.ACLActionAllow),
+			PortRangeMin:      80,
+			PortRangeMax:      443,
+			LocalPortRangeMin: 9000,
+			LocalPortRangeMax: 8000,
+		})
+		err := ctrl.validateSgRule(sg)
+		require.ErrorContains(t, err, "range Minimum value greater than maximum value")
+	})
+}

pkg/ovs/ovn-nb-acl.go

@@ -1066,8 +1066,8 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 		portDirection = "inport"
 	}
 
-	remoteipKey := ipSuffix + "." + remoteSrcOrDst
-	localipKey := ipSuffix + "." + localSrcOrDst
+	remoteIPKey := ipSuffix + "." + remoteSrcOrDst
+	localIPKey := ipSuffix + "." + localSrcOrDst
 
 	/* match all traffic to or from pgName */
 	allIPMatch := NewAndACLMatch(
@@ -1077,10 +1077,9 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 
 	/* allow allowed ip traffic */
 	// type address
-
 	allowedIPMatch := NewAndACLMatch(
 		allIPMatch,
-		NewACLMatch(remoteipKey, "==", rule.RemoteAddress, ""),
+		NewACLMatch(remoteIPKey, "==", rule.RemoteAddress, ""),
 	)
 
 	// type securityGroup
@@ -1091,15 +1090,15 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 	if rule.RemoteType == kubeovnv1.SgRemoteTypeSg {
 		allowedIPMatch = NewAndACLMatch(
 			allIPMatch,
-			NewACLMatch(remoteipKey, "==", "$"+remotePgName, ""),
+			NewACLMatch(remoteIPKey, "==", "$"+remotePgName, ""),
 		)
 	}
 
 	// Add a rule to match local address only if it is set
 	if rule.LocalAddress != "" {
 		allowedIPMatch = NewAndACLMatch(
 			allowedIPMatch,
-			NewACLMatch(localipKey, "==", rule.LocalAddress, ""),
+			NewACLMatch(localIPKey, "==", rule.LocalAddress, ""),
 		)
 	}
 
@@ -1137,8 +1136,7 @@ func (c *OVNNbClient) newSgRuleACL(sgName, direction string, rule kubeovnv1.Secu
 	action := ovnnb.ACLActionDrop
 	if rule.Policy == kubeovnv1.SgPolicyAllow {
 		action = ovnnb.ACLActionAllowRelated
-	}
-	if rule.Policy == kubeovnv1.SgPolicyPass {
+	} else if rule.Policy == kubeovnv1.SgPolicyPass {
 		action = ovnnb.ACLActionPass
 	}
 

pkg/ovs/ovn-nb-acl_test.go

@@ -1380,6 +1380,79 @@ func (suite *OvnClientTestSuite) testNewSgRuleACL() {
 		expect.UUID = acl.UUID
 		require.Equal(t, expect, acl)
 	})
+
+	t.Run("create sg acl with local address", func(t *testing.T) {
+		t.Parallel()
+
+		sgRule := kubeovnv1.SecurityGroupRule{
+			IPVersion:     "ipv4",
+			RemoteType:    kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress: "10.10.10.0/24",
+			LocalAddress:  "192.168.1.0/24",
+			Protocol:      "all",
+			Priority:      5,
+			Policy:        "allow",
+		}
+		priority := strconv.Itoa(highestPriority - sgRule.Priority)
+
+		acl, err := nbClient.newSgRuleACL(sgName, ovnnb.ACLDirectionToLport, sgRule, util.SecurityGroupTierMinimum)
+		require.NoError(t, err)
+
+		match := fmt.Sprintf("outport == @%s && ip4 && ip4.src == %s && ip4.dst == %s", pgName, sgRule.RemoteAddress, sgRule.LocalAddress)
+		expect := newACL(pgName, ovnnb.ACLDirectionToLport, priority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
+		expect.UUID = acl.UUID
+		require.Equal(t, expect, acl)
+	})
+
+	t.Run("create tcp sg acl with local address and source port", func(t *testing.T) {
+		t.Parallel()
+
+		sgRule := kubeovnv1.SecurityGroupRule{
+			IPVersion:         "ipv4",
+			RemoteType:        kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress:     "10.10.10.0/24",
+			LocalAddress:      "192.168.1.100",
+			Protocol:          "tcp",
+			Priority:          8,
+			Policy:            "allow",
+			PortRangeMin:      80,
+			PortRangeMax:      443,
+			LocalPortRangeMin: 1024,
+			LocalPortRangeMax: 65535,
+		}
+		priority := strconv.Itoa(highestPriority - sgRule.Priority)
+
+		acl, err := nbClient.newSgRuleACL(sgName, ovnnb.ACLDirectionToLport, sgRule, util.SecurityGroupTierMinimum)
+		require.NoError(t, err)
+
+		match := fmt.Sprintf("outport == @%s && ip4 && ip4.src == %s && ip4.dst == %s && %d <= tcp.dst <= %d && %d <= tcp.src <= %d",
+			pgName, sgRule.RemoteAddress, sgRule.LocalAddress, sgRule.PortRangeMin, sgRule.PortRangeMax, sgRule.LocalPortRangeMin, sgRule.LocalPortRangeMax)
+		expect := newACL(pgName, ovnnb.ACLDirectionToLport, priority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
+		expect.UUID = acl.UUID
+		require.Equal(t, expect, acl)
+	})
+
+	t.Run("create pass policy sg acl", func(t *testing.T) {
+		t.Parallel()
+
+		sgRule := kubeovnv1.SecurityGroupRule{
+			IPVersion:     "ipv4",
+			RemoteType:    kubeovnv1.SgRemoteTypeAddress,
+			RemoteAddress: "10.10.10.0/24",
+			Protocol:      "icmp",
+			Priority:      10,
+			Policy:        kubeovnv1.SgPolicy(ovnnb.ACLActionPass),
+		}
+		priority := strconv.Itoa(highestPriority - sgRule.Priority)
+
+		acl, err := nbClient.newSgRuleACL(sgName, ovnnb.ACLDirectionToLport, sgRule, util.SecurityGroupTierMinimum)
+		require.NoError(t, err)
+
+		match := fmt.Sprintf("outport == @%s && ip4 && ip4.src == %s && icmp4", pgName, sgRule.RemoteAddress)
+		expect := newACL(pgName, ovnnb.ACLDirectionToLport, priority, match, ovnnb.ACLActionPass, util.NetpolACLTier)
+		expect.UUID = acl.UUID
+		require.Equal(t, expect, acl)
+	})
 }
 
 func (suite *OvnClientTestSuite) testCreateAcls() {