---
name: CrossProjectNetwork
description: >
  Identify cross-project network connections unless the projects are defined as
  being in the same group allowing for inter-connectivity.

  The first four rules below define by name which projects belong in the same
  group, where network inter-connectivity is expected. The use of name to
  specify projects works under the assumption of having a single keystone
  domain in which project names are unique. If names are unsuitable for
  your use case, the policy can be customized to use specify
  inter-connectivity groups by ID directly in the project_groups_by_id
  table.
rules:
  -
    comment: >
      User should customize this.  project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(1, 'admin')
  -
    comment: >
      User should customize this.  project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(1, 'service')
  -
    comment: >
      User should customize this.  project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(2, 'demo')
  -
    comment: >
      User should customize this.  project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(2, 'alt_demo')
  -
    comment: >
      Translates the project_groups_by_name defined above to
      project_groups_by_id. If desired, this rule can be replaced by explicit
      definition of the project_groups_by_id table.
    rule: >
      project_groups_by_id(group_id, project_id) :-
        project_groups_by_name(group_id, project_name),
        keystonev3:projects(name=project_name, id=project_id)
  -
    comment: "Define that projects belong to same group of expected inter-connectivity."
    rule: >
      same_group(project_a, project_b) :-
        project_groups_by_id(group_id, project_a),
        project_groups_by_id(group_id, project_b)
  -
    comment: >
      Identify servers associated to a port belonging to a different project
      not in the same group.
    rule: >
      unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name) :-
        neutronv2:ports(id=port_id, tenant_id=port_project_id, network_id=network_id, device_id=server_id),
        nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
        not same_group(port_project_id, server_project_id)
  -
    comment: >
      Identify servers connected to a network belonging to a different project
      not in the same group.
    rule: >
      unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name) :-
        neutronv2:ports(id=port_id, network_id=network_id, device_id=server_id),
        nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
        neutronv2:networks(id=network_id, tenant_id=network_project_id),
        not same_group(server_project_id, network_project_id)
  -
    comment: >
      Warn on servers associated to a port belonging to a different project
      not in the same group.
    rule: >
      warning(server_project_name, server_project_id, port_project_name, port_project_id, server_name, server_id) :-
        unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name),
        keystonev3:projects(name=server_project_name, id=server_project_id),
        keystonev3:projects(name=port_project_id, id=port_project_name)
  -
    comment: >
      Error on servers connected to a network belonging to a different project
      not in the same group.
    rule: >
      error(server_project_name, server_project_id, network_project_name, network_project_id, server_name, server_id) :-
        unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name),
        keystonev3:projects(name=server_project_name, id=server_project_id),
        keystonev3:projects(name=network_project_name, id=network_project_id)