From f34a463dc7f3825fd3dbd6ec9f89926429b904cd Mon Sep 17 00:00:00 2001
From: Ali Egal
Date: Tue, 7 Apr 2020 22:14:18 -0700
Subject: [PATCH] placeholder for src/dest IP's + validation
---
 cns/NetworkContainerContract.go | 13 +++++++++++++
 cns/hnsclient/hnsclient_windows.go | 8 ++++++++
 2 files changed, 21 insertions(+)
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
index 3d8fb158c..f56f3d9dc 100644
--- a/cns/NetworkContainerContract.go
+++ b/cns/NetworkContainerContract.go
@@ -253,9 +253,22 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate()
 if err := json.Unmarshal(networkContainerRequestPolicy.Settings, &requestedAclPolicy); err != nil {
 return fmt.Errorf("ACL policy failed to pass validation with error: %+v ", err)
 }
+ //Deny request if ACL Action is empty
 if len(strings.TrimSpace(string(requestedAclPolicy.Action))) == 0 {
 return fmt.Errorf("Action field cannot be empty in ACL Policy")
 }
+ //Deny request if ACL Action is not Allow or Deny
+ if !strings.EqualFold(requestedAclPolicy.Action, "Allow") && !strings.EqualFold(requestedAclPolicy.Action, "Deny") {
+ return fmt.Errorf("Only Allow or Deny is supported in Action field")
+ }
+ //Deny request if ACL Direction is empty
+ if len(strings.TrimSpace(string(requestedAclPolicy.Direction))) == 0 {
+ return fmt.Errorf("Direction field cannot be empty in ACL Policy")
+ }
+ //Deny request if ACL direction is not In or Out
+ if !strings.EqualFold(requestedAclPolicy.Direction, "In") && !strings.EqualFold(requestedAclPolicy.Direction, "Out") {
+ return fmt.Errorf("Only Allow or Deny is supported in Action field")
+ }
 if requestedAclPolicy.Priority == 0 {
 return fmt.Errorf("Priority field cannot be empty in ACL Policy")
 }
diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go
index d69bb2d5c..306236b8e 100644
--- a/cns/hnsclient/hnsclient_windows.go
+++ b/cns/hnsclient/hnsclient_windows.go
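Review bot: The new Direction check in Validate() (cns/NetworkContainerContract.go) returns the Action error text, so a request whose Direction is neither In nor Out is rejected with a message that points the caller at the wrong field. The return should read `return fmt.Errorf("Only In or Out is supported in Direction field")`. Action and Direction are matched case-insensitively but not normalized here, so the consumer of the policy receives the value exactly as sent (for example `allow` or `OUT`); whether that consumer is case-sensitive cannot be told from this hunk and is worth confirming. Validate() starts and ends outside the hunk.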
@@ -445,6 +445,14 @@ func configureAclSettingHostNCApipaEndpoint(
 if err = json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil {
 return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err)
 }
+ //Using {NetworkContainerIP} as a placeholder to signal using Network Container IP
+ if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") {
+ requestedAclPolicy.LocalAddresses = networkContainerApipaIP
+ }
+ //Using {HostApipaIP} as a placeholder to signal using Host Apipa IP
+ if strings.EqualFold(requestedAclPolicy.RemoteAddresses, "{HostApipaIP}") {
+ requestedAclPolicy.RemoteAddresses = hostApipaIP
+ }
 logger.Printf("ACL Policy requested in NcGoalState %+v", requestedAclPolicy)
 if err = addAclToEndpointPolicy(requestedAclPolicy, &endpointPolicies); err != nil {
 return nil, err
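Review bot: The placeholder substitution in configureAclSettingHostNCApipaEndpoint only fires when the whole field equals `{NetworkContainerIP}` or `{HostApipaIP}`; a misspelled placeholder, a value with surrounding whitespace, or a list that contains the placeholder is passed unchanged to addAclToEndpointPolicy. No address check is visible in this hunk or in the Validate() hunk of this patch, so an unresolved placeholder would reach the endpoint ACL as a literal string, and the resulting rule may not match the traffic it was meant to allow or deny. After the two substitutions, reject leftovers with `if strings.ContainsAny(requestedAclPolicy.LocalAddresses, "{}") { return nil, fmt.Errorf("unresolved placeholder in LocalAddresses: %q", requestedAclPolicy.LocalAddresses) }` and the same for RemoteAddresses. The function body starts and ends outside the hunk.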