Remove application-offer firewall reads

jack-w-shaw · jack-w-shaw · commit cf0767eadaf0 · 2023-03-03T11:45:36.000Z
This document is never written to, and it's intended functionality was
replaced by later work. They can be removed safely

The only way it can be written to is the user calling set-firewall-rule
with juju-application-offer, which is unsupported
diff --git a/apiserver/common/crossmodel/crossmodel.go b/apiserver/common/crossmodel/crossmodel.go
@@ -5,7 +5,6 @@ package crossmodel
 
 import (
 	"fmt"
-	"net"
 
 	"github.com/juju/errors"
 	"github.com/juju/loggo"
@@ -16,9 +15,7 @@ import (
 	"github.com/juju/juju/core/life"
 	corelogger "github.com/juju/juju/core/logger"
 	"github.com/juju/juju/core/migration"
-	"github.com/juju/juju/core/network/firewall"
 	"github.com/juju/juju/core/status"
-	"github.com/juju/juju/network"
 	"github.com/juju/juju/rpc/params"
 )
 
@@ -410,59 +407,10 @@ func PublishIngressNetworkChange(backend Backend, relationTag names.Tag, change
 		return errors.Trace(err)
 	}
 
-	logger.Debugf("relation %v requires ingress networks %v", rel, change.Networks)
-	if err := validateIngressNetworks(backend, change.Networks); err != nil {
-		return errors.Trace(err)
-	}
-
 	_, err = backend.SaveIngressNetworks(rel.Tag().Id(), change.Networks)
 	return err
 }
 
-func validateIngressNetworks(backend Backend, networks []string) error {
-	if len(networks) == 0 {
-		return nil
-	}
-
-	// Check that the required ingress is allowed.
-	rule, err := backend.FirewallRule(firewall.JujuApplicationOfferRule)
-	if err != nil && !errors.IsNotFound(err) {
-		return errors.Trace(err)
-	}
-	if errors.IsNotFound(err) {
-		return nil
-	}
-	var whitelistCIDRs, requestedCIDRs []*net.IPNet
-	if err := parseCIDRs(&whitelistCIDRs, rule.WhitelistCIDRs()); err != nil {
-		return errors.Trace(err)
-	}
-	if err := parseCIDRs(&requestedCIDRs, networks); err != nil {
-		return errors.Trace(err)
-	}
-	if len(whitelistCIDRs) > 0 {
-		for _, n := range requestedCIDRs {
-			if !network.SubnetInAnyRange(whitelistCIDRs, n) {
-				return &params.Error{
-					Code:    params.CodeForbidden,
-					Message: fmt.Sprintf("subnet %v not in firewall whitelist", n),
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func parseCIDRs(cidrs *[]*net.IPNet, values []string) error {
-	for _, cidrStr := range values {
-		if _, ipNet, err := net.ParseCIDR(cidrStr); err != nil {
-			return err
-		} else {
-			*cidrs = append(*cidrs, ipNet)
-		}
-	}
-	return nil
-}
-
 type relationGetter interface {
 	// KeyRelation returns the relation identified by the input key.
 	KeyRelation(string) (Relation, error)
diff --git a/apiserver/common/crossmodel/interface.go b/apiserver/common/crossmodel/interface.go
@@ -12,7 +12,6 @@ import (
 
 	"github.com/juju/juju/core/crossmodel"
 	"github.com/juju/juju/core/network"
-	"github.com/juju/juju/core/network/firewall"
 	"github.com/juju/juju/core/permission"
 	"github.com/juju/juju/core/status"
 	"github.com/juju/juju/state"
@@ -94,9 +93,6 @@ type Backend interface {
 	// lifecycle of the offer.
 	WatchOffer(offerName string) state.NotifyWatcher
 
-	// FirewallRule returns the firewall rule for the specified service.
-	FirewallRule(service firewall.WellKnownServiceType) (*state.FirewallRule, error)
-
 	// ApplyOperation applies a model operation to the state.
 	ApplyOperation(op state.ModelOperation) error
 }
diff --git a/apiserver/common/crossmodel/state.go b/apiserver/common/crossmodel/state.go
@@ -8,7 +8,6 @@ import (
 	"github.com/juju/names/v4"
 
 	"github.com/juju/juju/core/crossmodel"
-	"github.com/juju/juju/core/network/firewall"
 	"github.com/juju/juju/state"
 )
 
@@ -199,11 +198,6 @@ func (s stateShim) IngressNetworks(relationKey string) (state.RelationNetworks,
 	return api.Networks(relationKey)
 }
 
-func (s stateShim) FirewallRule(service firewall.WellKnownServiceType) (*state.FirewallRule, error) {
-	api := state.NewFirewallRules(s.State)
-	return api.Rule(service)
-}
-
 type relationShim struct {
 	*state.Relation
 	st *state.State
diff --git a/apiserver/facades/controller/crossmodelrelations/crossmodelrelations_test.go b/apiserver/facades/controller/crossmodelrelations/crossmodelrelations_test.go
@@ -6,7 +6,6 @@ package crossmodelrelations_test
 import (
 	"bytes"
 	"context"
-	"regexp"
 	"time"
 
 	"github.com/go-macaroon-bakery/macaroon-bakery/v3/bakery"
@@ -26,7 +25,6 @@ import (
 	apiservertesting "github.com/juju/juju/apiserver/testing"
 	"github.com/juju/juju/core/crossmodel"
 	"github.com/juju/juju/core/life"
-	corefirewall "github.com/juju/juju/core/network/firewall"
 	"github.com/juju/juju/core/status"
 	"github.com/juju/juju/core/watcher"
 	"github.com/juju/juju/rpc/params"
@@ -350,48 +348,6 @@ func (s *crossmodelRelationsSuite) TestPublishIngressNetworkChanges(c *gc.C) {
 	})
 }
 
-func (s *crossmodelRelationsSuite) TestPublishIngressNetworkChangesRejected(c *gc.C) {
-	s.st.remoteApplications["db2"] = &mockRemoteApplication{}
-	s.st.relations["db2:db django:db"] = newMockRelation(1)
-	s.st.remoteEntities[names.NewApplicationTag("db2")] = "token-db2"
-	s.st.remoteEntities[names.NewRelationTag("db2:db django:db")] = "token-db2:db django:db"
-	s.st.offerConnectionsByKey["db2:db django:db"] = &mockOfferConnection{
-		offerUUID:       "hosted-db2-uuid",
-		sourcemodelUUID: "source-model-uuid",
-		relationKey:     "db2:db django:db",
-		relationId:      1,
-	}
-	mac, err := s.bakery.NewMacaroon(
-		context.TODO(),
-		bakery.LatestVersion,
-		[]checkers.Caveat{
-			checkers.DeclaredCaveat("source-model-uuid", s.st.ModelUUID()),
-			checkers.DeclaredCaveat("relation-key", "db2:db django:db"),
-			checkers.DeclaredCaveat("username", "mary"),
-		}, bakery.Op{"db2:db django:db", "relate"})
-
-	c.Assert(err, jc.ErrorIsNil)
-	rule := state.NewFirewallRule("", []string{"10.1.1.1/8"})
-	s.st.firewallRules[corefirewall.JujuApplicationOfferRule] = &rule
-	results, err := s.api.PublishIngressNetworkChanges(params.IngressNetworksChanges{
-		Changes: []params.IngressNetworksChangeEvent{
-			{
-				ApplicationToken: "token-db2",
-				RelationToken:    "token-db2:db django:db",
-				Networks:         []string{"1.2.3.4/32"},
-				Macaroons:        macaroon.Slice{mac.M()},
-			},
-		},
-	})
-	c.Assert(err, jc.ErrorIsNil)
-	err = results.Combine()
-	c.Assert(err, gc.ErrorMatches, regexp.QuoteMeta("subnet 1.2.3.4/32 not in firewall whitelist"))
-	s.st.CheckCalls(c, []testing.StubCall{
-		{"GetRemoteEntity", []interface{}{"token-db2:db django:db"}},
-		{"KeyRelation", []interface{}{"db2:db django:db"}},
-	})
-}
-
 func (s *crossmodelRelationsSuite) TestWatchEgressAddressesForRelations(c *gc.C) {
 	s.st.remoteEntities[names.NewRelationTag("db2:db django:db")] = "token-db2:db django:db"
 	s.st.offerConnectionsByKey["db2:db django:db"] = &mockOfferConnection{
diff --git a/apiserver/facades/controller/crossmodelrelations/mock_test.go b/apiserver/facades/controller/crossmodelrelations/mock_test.go
@@ -24,7 +24,6 @@ import (
 	"github.com/juju/juju/apiserver/facades/controller/crossmodelrelations"
 	"github.com/juju/juju/charmstore"
 	"github.com/juju/juju/core/crossmodel"
-	corefirewall "github.com/juju/juju/core/network/firewall"
 	"github.com/juju/juju/core/status"
 	"github.com/juju/juju/core/watcher"
 	"github.com/juju/juju/state"
@@ -54,7 +53,6 @@ type mockState struct {
 	offerConnections      map[int]*mockOfferConnection
 	offerConnectionsByKey map[string]*mockOfferConnection
 	remoteEntities        map[names.Tag]string
-	firewallRules         map[corefirewall.WellKnownServiceType]*state.FirewallRule
 	ingressNetworks       map[string][]string
 	migrationActive       bool
 }
@@ -69,7 +67,6 @@ func newMockState() *mockState {
 		offerNames:            make(map[string]string),
 		offerConnections:      make(map[int]*mockOfferConnection),
 		offerConnectionsByKey: make(map[string]*mockOfferConnection),
-		firewallRules:         make(map[corefirewall.WellKnownServiceType]*state.FirewallRule),
 		ingressNetworks:       make(map[string][]string),
 	}
 }
@@ -131,13 +128,6 @@ func (st *mockState) AddOfferConnection(arg state.AddOfferConnectionParams) (cro
 	return oc, nil
 }
 
-func (st *mockState) FirewallRule(service corefirewall.WellKnownServiceType) (*state.FirewallRule, error) {
-	if r, ok := st.firewallRules[service]; ok {
-		return r, nil
-	}
-	return nil, errors.NotFoundf("firewall rule for %v", service)
-}
-
 func (st *mockState) SaveIngressNetworks(relationKey string, cidrs []string) (state.RelationNetworks, error) {
 	st.ingressNetworks[relationKey] = cidrs
 	return nil, nil
diff --git a/apiserver/facades/controller/remoterelations/mocks/remoterelations_mocks.go b/apiserver/facades/controller/remoterelations/mocks/remoterelations_mocks.go
diff --git a/worker/firewaller/firewaller.go b/worker/firewaller/firewaller.go
@@ -49,7 +49,6 @@ type FirewallerAPI interface {
 	ControllerAPIInfoForModel(modelUUID string) (*api.Info, error)
 	MacaroonForRelation(relationKey string) (*macaroon.Macaroon, error)
 	SetRelationStatus(relationKey string, status relation.Status, message string) error
-	FirewallRules(applicationNames ...string) ([]params.FirewallRule, error)
 	AllSpaceInfos() (network.SpaceInfos, error)
 	WatchSubnets() (watcher.StringsWatcher, error)
 }
@@ -943,7 +942,7 @@ func (fw *Firewaller) ingressRulesForExposedMachineUnit(machine *machineData, un
 }
 
 // TODO(wallyworld) - consider making this configurable.
-const maxAllowedCIDRS = 20
+const maxAllowedCIDRS = 30
 
 func (fw *Firewaller) updateForRemoteRelationIngress(appTag names.ApplicationTag) (set.Strings, error) {
 	fw.logger.Debugf("finding egress rules for %v", appTag)
@@ -973,26 +972,9 @@ func (fw *Firewaller) updateForRemoteRelationIngress(appTag names.ApplicationTag
 		cidrs = set.NewStrings(merged...)
 	}
 
-	// If there's still too many after merging, look for any firewall whitelist.
+	// If there's still too many after merging, fall back to making public.
 	if cidrs.Size() > maxAllowedCIDRS {
-		cidrs = make(set.Strings)
-		rules, err := fw.firewallerApi.FirewallRules("juju-application-offer")
-		if err != nil {
-			return nil, errors.Trace(err)
-		}
-		if len(rules) > 0 {
-			rule := rules[0]
-			if len(rule.WhitelistCIDRS) > 0 {
-				for _, cidr := range rule.WhitelistCIDRS {
-					cidrs.Add(cidr)
-				}
-			}
-		}
-		// No relevant firewall rule exists, so go public.
-		if cidrs.Size() == 0 {
-			cidrs.Add(firewall.AllNetworksIPV4CIDR)
-			cidrs.Add(firewall.AllNetworksIPV6CIDR)
-		}
+		cidrs = set.NewStrings(firewall.AllNetworksIPV4CIDR, firewall.AllNetworksIPV6CIDR)
 	}
 
 	return cidrs, nil
diff --git a/worker/firewaller/firewaller_test.go b/worker/firewaller/firewaller_test.go
@@ -1281,23 +1281,12 @@ func (s *InstanceModeSuite) TestRemoteRelationProviderRoleOffering(c *gc.C) {
 
 func (s *InstanceModeSuite) TestRemoteRelationIngressFallbackToPublic(c *gc.C) {
 	var ingress []string
-	for i := 1; i < 30; i++ {
+	for i := 1; i < 40; i++ {
 		ingress = append(ingress, fmt.Sprintf("10.%d.0.1/32", i))
 	}
 	s.assertIngressCidrs(c, ingress, []string{"0.0.0.0/0", "::/0"})
 }
 
-func (s *InstanceModeSuite) TestRemoteRelationIngressFallbackToWhitelist(c *gc.C) {
-	fwRules := state.NewFirewallRules(s.State)
-	err := fwRules.Save(state.NewFirewallRule(firewall.JujuApplicationOfferRule, []string{"192.168.1.0/16"}))
-	c.Assert(err, jc.ErrorIsNil)
-	var ingress []string
-	for i := 1; i < 30; i++ {
-		ingress = append(ingress, fmt.Sprintf("10.%d.0.1/32", i))
-	}
-	s.assertIngressCidrs(c, ingress, []string{"192.168.1.0/16"})
-}
-
 func (s *InstanceModeSuite) TestRemoteRelationIngressMergesCIDRS(c *gc.C) {
 	ingress := []string{
 		"192.0.1.254/31",
@@ -1321,6 +1310,16 @@ func (s *InstanceModeSuite) TestRemoteRelationIngressMergesCIDRS(c *gc.C) {
 		"192.0.4.0/28",
 		"192.0.5.0/28",
 		"192.0.6.0/28",
+		"192.0.7.0/28",
+		"192.0.8.0/28",
+		"192.0.9.0/28",
+		"192.0.10.0/28",
+		"192.0.11.0/28",
+		"192.0.12.0/28",
+		"192.0.13.0/28",
+		"192.0.14.0/28",
+		"192.0.15.0/28",
+		"192.0.16.0/28",
 	}
 	expected := []string{
 		"192.0.1.254/31",
@@ -1329,6 +1328,16 @@ func (s *InstanceModeSuite) TestRemoteRelationIngressMergesCIDRS(c *gc.C) {
 		"192.0.4.0/28",
 		"192.0.5.0/28",
 		"192.0.6.0/28",
+		"192.0.7.0/28",
+		"192.0.8.0/28",
+		"192.0.9.0/28",
+		"192.0.10.0/28",
+		"192.0.11.0/28",
+		"192.0.12.0/28",
+		"192.0.13.0/28",
+		"192.0.14.0/28",
+		"192.0.15.0/28",
+		"192.0.16.0/28",
 	}
 	s.assertIngressCidrs(c, ingress, expected)
 }
