Merge pull request #3205 from gravitl/NET-1773-acls

NET-1773: block tag deletion if used by an acl policy

controllers/tags.go

@@ -216,6 +216,11 @@ func deleteTag(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
+	// check if active policy is using the tag
+	if logic.CheckIfTagAsActivePolicy(tag.ID, tag.Network) {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("tag is currently in use by an active policy"), "badrequest"))
+		return
+	}
 	err = logic.DeleteTag(models.TagID(tagID), true)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))

logic/acls.go

@@ -621,6 +621,25 @@ func UpdateDeviceTag(OldID, newID models.TagID, netID models.NetworkID) {
 	}
 }
 
+func CheckIfTagAsActivePolicy(tagID models.TagID, netID models.NetworkID) bool {
+	acls := listDevicePolicies(netID)
+	for _, acl := range acls {
+		for _, srcTagI := range acl.Src {
+			if srcTagI.ID == models.DeviceAclID {
+				if tagID.String() == srcTagI.Value {
+					return true
+				}
+			}
+		}
+		for _, dstTagI := range acl.Dst {
+			if dstTagI.ID == models.DeviceAclID {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // RemoveDeviceTagFromAclPolicies - remove device tag from acl policies
 func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID) error {
 	acls := listDevicePolicies(netID)