feat(server): add firewall rule enable/disable commands

mgajda · mgajda · commit 08f34be35216 · 2025-12-13T11:57:56.000+01:00
Implements #244 - Enable/disable specific firewall rules via CLI UpCloud API does not support modifying individual firewall rules directly. Instead, this implementation: 1. Fetches all firewall rules for the server 2. Modifies the target rule's action field (accept/drop) 3. Replaces the entire ruleset atomically using CreateFirewallRules This pattern follows the Terraform provider implementation and is the only viable approach with current UpCloud API design. Changes: - Add `upctl server firewall rule enable <uuid> --position <N>` command - Add `upctl server firewall rule disable <uuid> --position <N>` command - Comprehensive tests for both commands - Input validation for position (1-1000) - Clear error messages when rule position not found Usage Examples: # Create firewall rules first upctl server firewall create my-server --direction in --action drop --comment "Block SSH" --protocol tcp --destination-port-start 22 --destination-port-end 22 upctl server firewall create my-server --direction in --action accept --comment "Allow HTTP" --protocol tcp --destination-port-start 80 --destination-port-end 80 upctl server firewall create my-server --direction in --action accept --comment "Allow HTTPS" --protocol tcp --destination-port-start 443 --destination-port-end 443 # View current rules to get positions upctl server firewall show my-server # Enable a specific rule (sets action to "accept") upctl server firewall rule enable my-server --position 1 # Disable a specific rule (sets action to "drop") upctl server firewall rule disable my-server --position 3 Note: Rules are identified by position (1-1000). Use the comment field when creating rules to help identify them later.
diff --git a/internal/commands/base/base.go b/internal/commands/base/base.go
@@ -81,6 +81,11 @@ func BuildCommands(rootCmd *cobra.Command, conf *config.Config) {
 	commands.BuildCommand(serverfirewall.DeleteCommand(), serverFirewallCommand.Cobra(), conf)
 	commands.BuildCommand(serverfirewall.ShowCommand(), serverFirewallCommand.Cobra(), conf)
 
+	// Server firewall rule operations
+	serverFirewallRuleCommand := commands.BuildCommand(serverfirewall.BaseServerFirewallRuleCommand(), serverFirewallCommand.Cobra(), conf)
+	commands.BuildCommand(serverfirewall.RuleEnableCommand(), serverFirewallRuleCommand.Cobra(), conf)
+	commands.BuildCommand(serverfirewall.RuleDisableCommand(), serverFirewallRuleCommand.Cobra(), conf)
+
 	// Storages
 	storageCommand := commands.BuildCommand(storage.BaseStorageCommand(), rootCmd, conf)
 	commands.BuildCommand(storage.ListCommand(), storageCommand.Cobra(), conf)
diff --git a/internal/commands/server/firewall/rule.go b/internal/commands/server/firewall/rule.go
@@ -0,0 +1,19 @@
+package serverfirewall
+
+import (
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+)
+
+// BaseServerFirewallRuleCommand is the root command for all 'server firewall rule' commands
+func BaseServerFirewallRuleCommand() commands.Command {
+	return &serverFirewallRuleCommand{
+		commands.New(
+			"rule",
+			"Manage individual firewall rules. Enable or disable specific rules by position.",
+		),
+	}
+}
+
+type serverFirewallRuleCommand struct {
+	*commands.BaseCommand
+}
diff --git a/internal/commands/server/firewall/rule_disable.go b/internal/commands/server/firewall/rule_disable.go
@@ -0,0 +1,87 @@
+package serverfirewall
+
+import (
+	"fmt"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/completion"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/output"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/resolver"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type ruleDisableCommand struct {
+	*commands.BaseCommand
+	rulePosition int
+	completion.Server
+	resolver.CachingServer
+}
+
+// RuleDisableCommand creates the "server firewall rule disable" command
+func RuleDisableCommand() commands.Command {
+	return &ruleDisableCommand{
+		BaseCommand: commands.New(
+			"disable",
+			"Disable a specific firewall rule by changing its action to drop",
+			"upctl server firewall rule disable 00038afc-d526-4148-af0e-d2f1eeaded9b --position 5",
+		),
+	}
+}
+
+// InitCommand implements Command.InitCommand
+func (s *ruleDisableCommand) InitCommand() {
+	flagSet := &pflag.FlagSet{}
+	flagSet.IntVar(&s.rulePosition, "position", 0, "Rule position. Available: 1-1000")
+	s.AddFlags(flagSet)
+
+	commands.Must(s.Cobra().MarkFlagRequired("position"))
+	commands.Must(s.Cobra().RegisterFlagCompletionFunc("position", cobra.NoFileCompletions))
+}
+
+// Execute implements commands.MultipleArgumentCommand
+func (s *ruleDisableCommand) Execute(exec commands.Executor, arg string) (output.Output, error) {
+	if s.rulePosition < 1 || s.rulePosition > 1000 {
+		return nil, fmt.Errorf("invalid position (1-1000 allowed)")
+	}
+
+	msg := fmt.Sprintf("Disabling firewall rule %d on server %v", s.rulePosition, arg)
+	exec.PushProgressStarted(msg)
+
+	// Fetch current firewall rules
+	currentRules, err := exec.Firewall().GetFirewallRules(exec.Context(), &request.GetFirewallRulesRequest{
+		ServerUUID: arg,
+	})
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	// Find and modify the target rule
+	ruleFound := false
+	for i := range currentRules.FirewallRules {
+		if currentRules.FirewallRules[i].Position == s.rulePosition {
+			currentRules.FirewallRules[i].Action = upcloud.FirewallRuleActionDrop
+			ruleFound = true
+			break
+		}
+	}
+
+	if !ruleFound {
+		return nil, fmt.Errorf("firewall rule at position %d not found on server %s", s.rulePosition, arg)
+	}
+
+	// Replace entire ruleset atomically
+	err = exec.Firewall().CreateFirewallRules(exec.Context(), &request.CreateFirewallRulesRequest{
+		ServerUUID:    arg,
+		FirewallRules: currentRules.FirewallRules,
+	})
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	exec.PushProgressSuccess(msg)
+
+	return output.None{}, nil
+}
diff --git a/internal/commands/server/firewall/rule_disable_test.go b/internal/commands/server/firewall/rule_disable_test.go
@@ -0,0 +1,149 @@
+package serverfirewall
+
+import (
+	"testing"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/config"
+	smock "github.com/UpCloudLtd/upcloud-cli/v3/internal/mock"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/mockexecute"
+
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestRuleDisableCommand(t *testing.T) {
+	serverUUID := "1fdfda29-ead1-4855-b71f-1e33eb2ca9de"
+
+	currentRules := &upcloud.FirewallRules{
+		FirewallRules: []upcloud.FirewallRule{
+			{
+				Position:  1,
+				Direction: "in",
+				Action:    "accept",
+				Protocol:  "tcp",
+			},
+			{
+				Position:  2,
+				Direction: "in",
+				Action:    "accept",
+				Protocol:  "tcp",
+			},
+			{
+				Position:  5,
+				Direction: "out",
+				Action:    "accept",
+				Protocol:  "udp",
+			},
+		},
+	}
+
+	for _, test := range []struct {
+		name        string
+		flags       []string
+		arg         string
+		expectedErr string
+		checkMocks  func(*testing.T, *smock.Service)
+	}{
+		{
+			name:        "Missing position flag",
+			flags:       []string{},
+			arg:         serverUUID,
+			expectedErr: `required flag(s) "position" not set`,
+		},
+		{
+			name:        "Invalid position - too low",
+			flags:       []string{"--position", "0"},
+			arg:         serverUUID,
+			expectedErr: "invalid position (1-1000 allowed)",
+		},
+		{
+			name:        "Invalid position - too high",
+			flags:       []string{"--position", "1001"},
+			arg:         serverUUID,
+			expectedErr: "invalid position (1-1000 allowed)",
+		},
+		{
+			name:  "Successfully disable rule at position 2",
+			flags: []string{"--position", "2"},
+			arg:   serverUUID,
+			checkMocks: func(t *testing.T, mService *smock.Service) {
+				mService.AssertCalled(t, "GetFirewallRules", &request.GetFirewallRulesRequest{
+					ServerUUID: serverUUID,
+				})
+
+				mService.AssertCalled(t, "CreateFirewallRules", mock.MatchedBy(func(req interface{}) bool {
+					r, ok := req.(*request.CreateFirewallRulesRequest)
+					if !ok {
+						return false
+					}
+					if r.ServerUUID != serverUUID {
+						return false
+					}
+					for _, rule := range r.FirewallRules {
+						if rule.Position == 2 {
+							return rule.Action == upcloud.FirewallRuleActionDrop
+						}
+					}
+					return false
+				}))
+			},
+		},
+		{
+			name:  "Successfully disable rule at position 1",
+			flags: []string{"--position", "1"},
+			arg:   serverUUID,
+			checkMocks: func(t *testing.T, mService *smock.Service) {
+				mService.AssertCalled(t, "CreateFirewallRules", mock.MatchedBy(func(req interface{}) bool {
+					r, ok := req.(*request.CreateFirewallRulesRequest)
+					if !ok {
+						return false
+					}
+					if r.ServerUUID != serverUUID {
+						return false
+					}
+					for _, rule := range r.FirewallRules {
+						if rule.Position == 1 {
+							return rule.Action == upcloud.FirewallRuleActionDrop
+						}
+					}
+					return false
+				}))
+			},
+		},
+		{
+			name:        "Rule position not found",
+			flags:       []string{"--position", "99"},
+			arg:         serverUUID,
+			expectedErr: "firewall rule at position 99 not found on server",
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			mService := smock.Service{}
+
+			mService.On("GetFirewallRules", mock.MatchedBy(func(req interface{}) bool {
+				r, ok := req.(*request.GetFirewallRulesRequest)
+				return ok && r.ServerUUID == serverUUID
+			})).Return(currentRules, nil)
+
+			mService.On("CreateFirewallRules", mock.Anything).Return(nil)
+
+			conf := config.New()
+			cc := commands.BuildCommand(RuleDisableCommand(), nil, conf)
+
+			cc.Cobra().SetArgs(append(test.flags, test.arg))
+			_, err := mockexecute.MockExecute(cc, &mService, conf)
+
+			if test.expectedErr != "" {
+				assert.ErrorContains(t, err, test.expectedErr)
+			} else {
+				assert.NoError(t, err)
+				if test.checkMocks != nil {
+					test.checkMocks(t, &mService)
+				}
+			}
+		})
+	}
+}
diff --git a/internal/commands/server/firewall/rule_enable.go b/internal/commands/server/firewall/rule_enable.go
@@ -0,0 +1,87 @@
+package serverfirewall
+
+import (
+	"fmt"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/completion"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/output"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/resolver"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type ruleEnableCommand struct {
+	*commands.BaseCommand
+	rulePosition int
+	completion.Server
+	resolver.CachingServer
+}
+
+// RuleEnableCommand creates the "server firewall rule enable" command
+func RuleEnableCommand() commands.Command {
+	return &ruleEnableCommand{
+		BaseCommand: commands.New(
+			"enable",
+			"Enable a specific firewall rule by changing its action to accept",
+			"upctl server firewall rule enable 00038afc-d526-4148-af0e-d2f1eeaded9b --position 5",
+		),
+	}
+}
+
+// InitCommand implements Command.InitCommand
+func (s *ruleEnableCommand) InitCommand() {
+	flagSet := &pflag.FlagSet{}
+	flagSet.IntVar(&s.rulePosition, "position", 0, "Rule position. Available: 1-1000")
+	s.AddFlags(flagSet)
+
+	commands.Must(s.Cobra().MarkFlagRequired("position"))
+	commands.Must(s.Cobra().RegisterFlagCompletionFunc("position", cobra.NoFileCompletions))
+}
+
+// Execute implements commands.MultipleArgumentCommand
+func (s *ruleEnableCommand) Execute(exec commands.Executor, arg string) (output.Output, error) {
+	if s.rulePosition < 1 || s.rulePosition > 1000 {
+		return nil, fmt.Errorf("invalid position (1-1000 allowed)")
+	}
+
+	msg := fmt.Sprintf("Enabling firewall rule %d on server %v", s.rulePosition, arg)
+	exec.PushProgressStarted(msg)
+
+	// Fetch current firewall rules
+	currentRules, err := exec.Firewall().GetFirewallRules(exec.Context(), &request.GetFirewallRulesRequest{
+		ServerUUID: arg,
+	})
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	// Find and modify the target rule
+	ruleFound := false
+	for i := range currentRules.FirewallRules {
+		if currentRules.FirewallRules[i].Position == s.rulePosition {
+			currentRules.FirewallRules[i].Action = upcloud.FirewallRuleActionAccept
+			ruleFound = true
+			break
+		}
+	}
+
+	if !ruleFound {
+		return nil, fmt.Errorf("firewall rule at position %d not found on server %s", s.rulePosition, arg)
+	}
+
+	// Replace entire ruleset atomically
+	err = exec.Firewall().CreateFirewallRules(exec.Context(), &request.CreateFirewallRulesRequest{
+		ServerUUID:    arg,
+		FirewallRules: currentRules.FirewallRules,
+	})
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	exec.PushProgressSuccess(msg)
+
+	return output.None{}, nil
+}
diff --git a/internal/commands/server/firewall/rule_enable_test.go b/internal/commands/server/firewall/rule_enable_test.go
