policy import should check whether the resource kind in the yaml file…

… is the same

controller/rest/admission.go

@@ -1349,7 +1349,7 @@ func importAdmCtrl(scope string, loginDomainRoles access.DomainRole, importTask
 
 	json_data, _ := ioutil.ReadFile(importTask.TempFilename)
 	var secRule resource.NvAdmCtrlSecurityRule
-	if err := json.Unmarshal(json_data, &secRule); err != nil {
+	if err := json.Unmarshal(json_data, &secRule); err != nil || secRule.Kind == nil || *secRule.Kind != resource.NvAdmCtrlSecurityRuleKind {
 		msg := "Invalid security rule(s)"
 		log.WithFields(log.Fields{"error": err}).Error(msg)
 		postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_ADMCTRL)

controller/rest/dlp_rule.go

@@ -1686,17 +1686,27 @@ func importDlp(scope string, loginDomainRoles access.DomainRole, importTask shar
 	var secRuleList resource.NvDlpSecurityRuleList
 	var secRule resource.NvDlpSecurityRule
 	var secRules []*resource.NvDlpSecurityRule = []*resource.NvDlpSecurityRule{nil}
-	if err1 := json.Unmarshal(json_data, &secRuleList); err1 != nil || len(secRuleList.Items) == 0 {
-		if err2 := json.Unmarshal(json_data, &secRule); err2 != nil {
-			msg := "Invalid security rule(s)"
-			log.WithFields(log.Fields{"error1": err1, "error2": err2}).Error(msg)
-			postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_DLP)
-			return nil
+	var invalidCrdKind bool
+	var err error
+	if err = json.Unmarshal(json_data, &secRuleList); err != nil || len(secRuleList.Items) == 0 {
+		if err = json.Unmarshal(json_data, &secRule); err == nil {
+			secRules[0] = &secRule
 		}
-		secRules[0] = &secRule
 	} else {
 		secRules = secRuleList.Items
 	}
+	for _, r := range secRules {
+		if r.Kind == nil || *r.Kind != resource.NvDlpSecurityRuleKind {
+			invalidCrdKind = true
+			break
+		}
+	}
+	if invalidCrdKind || len(secRules) == 0 {
+		msg := "Invalid security rule(s)"
+		log.WithFields(log.Fields{"error": err}).Error(msg)
+		postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_DLP)
+		return nil
+	}
 
 	var inc float32
 	var progress float32 // progress percentage
@@ -1709,7 +1719,6 @@ func importDlp(scope string, loginDomainRoles access.DomainRole, importTask shar
 	importTask.Status = share.IMPORT_RUNNING
 	clusHelper.PutImportTask(&importTask)
 
-	var err error
 	var crdHandler nvCrdHandler
 	crdHandler.Init(share.CLUSLockPolicyKey)
 	if crdHandler.AcquireLock(clusterLockWait) {

controller/rest/group.go

@@ -1618,17 +1618,27 @@ func importGroupPolicy(scope string, loginDomainRoles access.DomainRole, importT
 	var secRuleList resource.NvSecurityRuleList
 	var secRule resource.NvSecurityRule
 	var secRules []*resource.NvSecurityRule = []*resource.NvSecurityRule{nil}
-	if err1 := json.Unmarshal(json_data, &secRuleList); err1 != nil || len(secRuleList.Items) == 0 {
-		if err2 := json.Unmarshal(json_data, &secRule); err2 != nil {
-			msg := "Invalid security rule(s)"
-			log.WithFields(log.Fields{"error1": err1, "error2": err2}).Error(msg)
-			postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_GROUP_POLICY)
-			return nil
-		}
-		secRules[0] = &secRule
+	var invalidCrdKind bool
+	var err error
+	if err = json.Unmarshal(json_data, &secRuleList); err != nil || len(secRuleList.Items) == 0 {
+		if err = json.Unmarshal(json_data, &secRule); err == nil {
+			secRules[0] = &secRule
+		}
 	} else {
 		secRules = secRuleList.Items
 	}
+	for _, r := range secRules {
+		if r.Kind == nil || (*r.Kind != resource.NvSecurityRuleKind && *r.Kind != resource.NvClusterSecurityRuleKind) {
+			invalidCrdKind = true
+			break
+		}
+	}
+	if invalidCrdKind || len(secRules) == 0 {
+		msg := "Invalid security rule(s)"
+		log.WithFields(log.Fields{"error": err}).Error(msg)
+		postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_GROUP_POLICY)
+		return nil
+	}
 
 	var inc float32
 	var progress float32 // progress percentage
@@ -1641,7 +1651,6 @@ func importGroupPolicy(scope string, loginDomainRoles access.DomainRole, importT
 	importTask.Status = share.IMPORT_RUNNING
 	clusHelper.PutImportTask(&importTask)
 
-	var err error
 	var crdHandler nvCrdHandler
 	crdHandler.Init(share.CLUSLockPolicyKey)
 	if crdHandler.AcquireLock(clusterLockWait) {

controller/rest/waf_rule.go

@@ -1243,17 +1243,27 @@ func importWaf(scope string, loginDomainRoles access.DomainRole, importTask shar
 	var secRuleList resource.NvWafSecurityRuleList
 	var secRule resource.NvWafSecurityRule
 	var secRules []*resource.NvWafSecurityRule = []*resource.NvWafSecurityRule{nil}
-	if err1 := json.Unmarshal(json_data, &secRuleList); err1 != nil || len(secRuleList.Items) == 0 {
-		if err2 := json.Unmarshal(json_data, &secRule); err2 != nil {
-			msg := "Invalid security rule(s)"
-			log.WithFields(log.Fields{"error1": err1, "error2": err2}).Error(msg)
-			postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_WAF)
-			return nil
+	var invalidCrdKind bool
+	var err error
+	if err = json.Unmarshal(json_data, &secRuleList); err != nil || len(secRuleList.Items) == 0 {
+		if err = json.Unmarshal(json_data, &secRule); err == nil {
+			secRules[0] = &secRule
 		}
-		secRules[0] = &secRule
 	} else {
 		secRules = secRuleList.Items
 	}
+	for _, r := range secRules {
+		if r.Kind == nil || *r.Kind != resource.NvWafSecurityRuleKind {
+			invalidCrdKind = true
+			break
+		}
+	}
+	if invalidCrdKind || len(secRules) == 0 {
+		msg := "Invalid security rule(s)"
+		log.WithFields(log.Fields{"error": err}).Error(msg)
+		postImportOp(fmt.Errorf(msg), importTask, loginDomainRoles, "", share.IMPORT_TYPE_WAF)
+		return nil
+	}
 
 	var inc float32
 	var progress float32 // progress percentage
@@ -1266,7 +1276,6 @@ func importWaf(scope string, loginDomainRoles access.DomainRole, importTask shar
 	importTask.Status = share.IMPORT_RUNNING
 	clusHelper.PutImportTask(&importTask)
 
-	var err error
 	var crdHandler nvCrdHandler
 	crdHandler.Init(share.CLUSLockPolicyKey)
 	if crdHandler.AcquireLock(clusterLockWait) {