Fix sonarcloud

netbirdio · Jun 6, 2024 · 41d1caf · 41d1caf
1 parent c97ae04
commit 41d1caf
Show file tree

Hide file tree

Showing 3 changed files with 159 additions and 125 deletions.
diff --git a/management/server/policy.go b/management/server/policy.go
@@ -459,36 +459,17 @@ func (am *DefaultAccountManager) savePolicy(account *Account, policy *Policy) (e
 	return
 }
 
-func toProtocolFirewallRules(update []*FirewallRule) []*proto.FirewallRule {
-	result := make([]*proto.FirewallRule, len(update))
-	for i := range update {
-		direction := proto.RuleDirection_IN
-		if update[i].Direction == firewallRuleDirectionOUT {
-			direction = proto.RuleDirection_OUT
-		}
-		action := proto.RuleAction_ACCEPT
-		if update[i].Action == string(PolicyTrafficActionDrop) {
-			action = proto.RuleAction_DROP
-		}
-
-		protocol := proto.RuleProtocol_UNKNOWN
-		switch PolicyRuleProtocolType(update[i].Protocol) {
-		case PolicyRuleProtocolALL:
-			protocol = proto.RuleProtocol_ALL
-		case PolicyRuleProtocolTCP:
-			protocol = proto.RuleProtocol_TCP
-		case PolicyRuleProtocolUDP:
-			protocol = proto.RuleProtocol_UDP
-		case PolicyRuleProtocolICMP:
-			protocol = proto.RuleProtocol_ICMP
-		}
+func toProtocolFirewallRules(rules []*FirewallRule) []*proto.FirewallRule {
+	result := make([]*proto.FirewallRule, len(rules))
+	for i := range rules {
+		rule := rules[i]
 
 		result[i] = &proto.FirewallRule{
-			PeerIP:    update[i].PeerIP,
-			Direction: direction,
-			Action:    action,
-			Protocol:  protocol,
-			Port:      update[i].Port,
+			PeerIP:    rule.PeerIP,
+			Direction: getProtoDirection(rule.Direction),
+			Action:    getProtoAction(rule.Action),
+			Protocol:  getProtoProtocol(rule.Protocol),
+			Port:      rule.Port,
 		}
 	}
 	return result

diff --git a/management/server/route.go b/management/server/route.go
@@ -1,20 +1,19 @@
 package server
 
 import (
+	"fmt"
 	"net/netip"
 	"slices"
 	"strconv"
-	"strings"
 	"unicode/utf8"
 
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"
+	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 )
 
 // RouteFirewallRule a firewall rule applicable for a routed network.
@@ -418,7 +417,7 @@ func generateRouteFirewallRules(route *route.Route, rule *PolicyRule, groupPeers
 			continue
 		}
 
-		rr := RouteFirewallRule{
+		baseRule := RouteFirewallRule{
 			PeerIP:      peer.IP.String(),
 			Direction:   direction,
 			Action:      string(rule.Action),
@@ -427,40 +426,71 @@ func generateRouteFirewallRules(route *route.Route, rule *PolicyRule, groupPeers
 			NetworkType: int(route.NetworkType),
 		}
 
-		ruleID := rule.ID + rr.PeerIP + strconv.Itoa(firewallRuleDirectionIN) +
-			rr.Protocol + rr.Action + strings.Join(rule.Ports, ",")
-		if _, ok := rulesExists[ruleID]; ok {
+		// generate rule for port range
+		if len(rule.Ports) == 0 {
+			rules = append(rules, generateRulesWithPortRanges(baseRule, rule, rulesExists)...)
 			continue
 		}
-		rulesExists[ruleID] = struct{}{}
+		rules = append(rules, generateRulesWithPorts(baseRule, rule, rulesExists)...)
+	}
 
-		if len(rule.Ports) == 0 {
-			if len(rule.PortRanges) == 0 {
-				rules = append(rules, &rr)
-				continue
-			}
+	return rules
+}
 
+// generateRuleIDBase generates the base rule ID for checking duplicates.
+func generateRuleIDBase(rule *PolicyRule, baseRule RouteFirewallRule) string {
+	return rule.ID + baseRule.PeerIP + strconv.Itoa(firewallRuleDirectionIN) + baseRule.Protocol + baseRule.Action
+}
+
+// generateRulesForPeer generates rules for a given peer based on ports and port ranges.
+func generateRulesWithPortRanges(baseRule RouteFirewallRule, rule *PolicyRule, rulesExists map[string]struct{}) []*RouteFirewallRule {
+	rules := make([]*RouteFirewallRule, 0)
+
+	ruleIDBase := generateRuleIDBase(rule, baseRule)
+	if len(rule.Ports) == 0 {
+		if len(rule.PortRanges) == 0 {
+			if _, ok := rulesExists[ruleIDBase]; !ok {
+				rulesExists[ruleIDBase] = struct{}{}
+				rules = append(rules, &baseRule)
+			}
+		} else {
 			for _, portRange := range rule.PortRanges {
-				pr := rr
-				pr.PortRange = portRange
-				rules = append(rules, &pr)
+				ruleID := fmt.Sprintf("%s%d-%d", ruleIDBase, portRange.Start, portRange.End)
+				if _, ok := rulesExists[ruleID]; !ok {
+					rulesExists[ruleID] = struct{}{}
+					pr := baseRule
+					pr.PortRange = portRange
+					rules = append(rules, &pr)
+				}
 			}
-			continue
 		}
+		return rules
+	}
 
-		for _, port := range rule.Ports {
-			pr := rr // clone rule and add set new port
+	return rules
+}
 
-			p, err := strconv.ParseUint(port, 10, 16)
-			if err != nil {
-				log.Errorf("failed to parse port %s for rule: %s", port, rule.ID)
-				continue
-			}
+// generateRulesWithPorts generates rules when specific ports are provided.
+func generateRulesWithPorts(baseRule RouteFirewallRule, rule *PolicyRule, rulesExists map[string]struct{}) []*RouteFirewallRule {
+	rules := make([]*RouteFirewallRule, 0)
+	ruleIDBase := generateRuleIDBase(rule, baseRule)
 
-			pr.Port = uint16(p)
-			rules = append(rules, &pr)
+	for _, port := range rule.Ports {
+		ruleID := ruleIDBase + port
+		if _, ok := rulesExists[ruleID]; ok {
+			continue
+		}
+		rulesExists[ruleID] = struct{}{}
+
+		pr := baseRule
+		p, err := strconv.ParseUint(port, 10, 16)
+		if err != nil {
+			log.Errorf("failed to parse port %s for rule: %s", port, rule.ID)
+			continue
 		}
 
+		pr.Port = uint16(p)
+		rules = append(rules, &pr)
 	}
 
 	return rules
@@ -486,58 +516,76 @@ func toProtocolRoutes(routes []*route.Route) []*proto.Route {
 	return protoRoutes
 }
 
-func toProtocolRoutesFirewallRules(update []*RouteFirewallRule) []*proto.RouteFirewallRule {
-	result := make([]*proto.RouteFirewallRule, len(update))
-	for i := range update {
-		direction := proto.RuleDirection_IN
-		if update[i].Direction == firewallRuleDirectionOUT {
-			direction = proto.RuleDirection_OUT
-		}
-		action := proto.RuleAction_ACCEPT
-		if update[i].Action == string(PolicyTrafficActionDrop) {
-			action = proto.RuleAction_DROP
+func toProtocolRoutesFirewallRules(rules []*RouteFirewallRule) []*proto.RouteFirewallRule {
+	result := make([]*proto.RouteFirewallRule, len(rules))
+	for i := range rules {
+		rule := rules[i]
+		result[i] = &proto.RouteFirewallRule{
+			PeerIP:      rule.PeerIP,
+			Direction:   getProtoDirection(rule.Direction),
+			Action:      getProtoAction(rule.Action),
+			NetworkType: getProtoNetworkType(rule.NetworkType),
+			Destination: rule.Destination,
+			Protocol:    getProtoProtocol(rule.Protocol),
+			PortInfo:    getProtoPortInfo(rule),
 		}
+	}
 
-		protocol := proto.RuleProtocol_UNKNOWN
-		switch PolicyRuleProtocolType(update[i].Protocol) {
-		case PolicyRuleProtocolALL:
-			protocol = proto.RuleProtocol_ALL
-		case PolicyRuleProtocolTCP:
-			protocol = proto.RuleProtocol_TCP
-		case PolicyRuleProtocolUDP:
-			protocol = proto.RuleProtocol_UDP
-		case PolicyRuleProtocolICMP:
-			protocol = proto.RuleProtocol_ICMP
-		}
+	return result
+}
 
-		networkType := proto.RouteFirewallRule_IPV4
-		if route.NetworkType(update[i].NetworkType) == route.IPv6Network {
-			networkType = proto.RouteFirewallRule_IPV6
-		}
+// getProtoDirection converts the direction to proto.RuleDirection.
+func getProtoDirection(direction int) proto.RuleDirection {
+	if direction == firewallRuleDirectionOUT {
+		return proto.RuleDirection_OUT
+	}
+	return proto.RuleDirection_IN
+}
 
-		var portInfo proto.PortInfo
-		if update[i].Port != 0 {
-			portInfo.PortSelection = &proto.PortInfo_Port{Port: uint32(update[i].Port)}
-		} else {
-			if portRange := update[i].PortRange; portRange.Start != 0 && portRange.End != 0 {
-				portInfo.PortSelection = &proto.PortInfo_Range_{
-					Range: &proto.PortInfo_Range{
-						Start: uint32(portRange.Start),
-						End:   uint32(portRange.End),
-					},
-				}
-			}
-		}
+// getProtoAction converts the action to proto.RuleAction.
+func getProtoAction(action string) proto.RuleAction {
+	if action == string(PolicyTrafficActionDrop) {
+		return proto.RuleAction_DROP
+	}
+	return proto.RuleAction_ACCEPT
+}
 
-		result[i] = &proto.RouteFirewallRule{
-			PeerIP:      update[i].PeerIP,
-			Direction:   direction,
-			Action:      action,
-			NetworkType: networkType,
-			Destination: update[i].Destination,
-			Protocol:    protocol,
-			PortInfo:    &portInfo,
+// getProtoProtocol converts the protocol to proto.RuleProtocol.
+func getProtoProtocol(protocol string) proto.RuleProtocol {
+	switch PolicyRuleProtocolType(protocol) {
+	case PolicyRuleProtocolALL:
+		return proto.RuleProtocol_ALL
+	case PolicyRuleProtocolTCP:
+		return proto.RuleProtocol_TCP
+	case PolicyRuleProtocolUDP:
+		return proto.RuleProtocol_UDP
+	case PolicyRuleProtocolICMP:
+		return proto.RuleProtocol_ICMP
+	default:
+		return proto.RuleProtocol_UNKNOWN
+	}
+}
+
+// getProtoNetworkType converts the network type to proto.RouteFirewallRule_NetworkType.
+func getProtoNetworkType(networkType int) proto.RouteFirewallRule_NetworkType {
+	if route.NetworkType(networkType) == route.IPv6Network {
+		return proto.RouteFirewallRule_IPV6
+	}
+	return proto.RouteFirewallRule_IPV4
+}
+
+// getProtoPortInfo converts the port info to proto.PortInfo.
+func getProtoPortInfo(rule *RouteFirewallRule) *proto.PortInfo {
+	var portInfo proto.PortInfo
+	if rule.Port != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Port{Port: uint32(rule.Port)}
+	} else if portRange := rule.PortRange; portRange.Start != 0 && portRange.End != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Range_{
+			Range: &proto.PortInfo_Range{
+				Start: uint32(portRange.Start),
+				End:   uint32(portRange.End),
+			},
 		}
 	}
-	return result
+	return &portInfo
 }