From cdecea33a172533a47ef1f73dfaf817c52f7c1ff Mon Sep 17 00:00:00 2001
From: Olivia Song
Date: Fri, 24 Sep 2021 11:36:40 -0700
Subject: [PATCH] add boundary cases and refactor computeRestrictedIngressPermissionsPerSG

---
 pkg/targetgroupbinding/networking_manager.go | 18 +-
 .../networking_manager_test.go | 198 ++++++++++++++++++
 2 files changed, 208 insertions(+), 8 deletions(-)

diff --git a/pkg/targetgroupbinding/networking_manager.go b/pkg/targetgroupbinding/networking_manager.go
index 389087fc8..7d9000d28 100644
--- a/pkg/targetgroupbinding/networking_manager.go
+++ b/pkg/targetgroupbinding/networking_manager.go
@@ -288,15 +288,17 @@ func (m *defaultNetworkingManager) computeRestrictedIngressPermissionsPerSG(ctx
 }
 permForCurrGroup := perms[0]
 for _, perm := range perms {
- if awssdk.Int64Value(perm.Permission.FromPort) > 0 && awssdk.Int64Value(perm.Permission.FromPort) < minPort {
- minPort = awssdk.Int64Value(perm.Permission.FromPort)
+ if awssdk.Int64Value(perm.Permission.FromPort) == 0 && awssdk.Int64Value(perm.Permission.ToPort) == 0 {
+ minPort = defaultTgbMinPort
+ maxPort = defaultTgbMaxPort
+ } else {
+ if awssdk.Int64Value(perm.Permission.FromPort) < minPort {
+ minPort = awssdk.Int64Value(perm.Permission.FromPort)
+ }
+ if awssdk.Int64Value(perm.Permission.ToPort) > maxPort {
+ maxPort = awssdk.Int64Value(perm.Permission.ToPort)
+ }
 }
- if awssdk.Int64Value(perm.Permission.ToPort) > maxPort {
- maxPort = awssdk.Int64Value(perm.Permission.ToPort)
- }
- }
- if minPort > maxPort {
- minPort, maxPort = defaultTgbMinPort, defaultTgbMaxPort
 }
 permForCurrGroup.Permission.FromPort = awssdk.Int64(minPort)
 permForCurrGroup.Permission.ToPort = awssdk.Int64(maxPort)
diff --git a/pkg/targetgroupbinding/networking_manager_test.go b/pkg/targetgroupbinding/networking_manager_test.go
index fd8bcdc7d..305e58748 100644
--- a/pkg/targetgroupbinding/networking_manager_test.go
+++ b/pkg/targetgroupbinding/networking_manager_test.go
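Review bot: Dropping the post-loop `if minPort > maxPort` fallback leaves the new loop with no handling for a permission whose FromPort is set but whose ToPort is nil or zero: such a permission takes the `else` branch, lowers minPort, never raises maxPort, and (depending on the initial values of minPort/maxPort, which are assigned before this hunk) the group can be emitted with FromPort greater than ToPort, a range the EC2 API rejects, where the old code silently substituted 0-65535. Refusing to widen an inverted range to all ports is the right least-privilege call, but the intent should be written down and the malformed case should fail visibly rather than surface as an API error at reconcile time: hoist `fromPort, toPort := awssdk.Int64Value(perm.Permission.FromPort), awssdk.Int64Value(perm.Permission.ToPort)` at the top of the loop body, comment the first branch with `// both ports unset (nil/0) means "all ports" for this protocol: widen to the full default range instead of treating 0 as a real port`, and after the loop add a guard such as `if minPort > maxPort { /* log and skip this protocol group, or return an error if the signature allows; do not widen */ }`. The enclosing function, including where minPort and maxPort are initialised, lies outside this hunk, so whether the half-specified case can actually reach this loop depends on how the caller builds these permissions.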
@@ -869,6 +869,204 @@ func Test_defaultNetworkingManager_computeRestrictedIngressPermissionsPerSG(t *t
 fields fields
 want map[string][]networking.IPPermissionInfo
 }{
+ {
+ name: "single sg, port not assigned",
+ fields: fields{
+ ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+ types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: nil,
+ ToPort: nil,
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ want: map[string][]networking.IPPermissionInfo{
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ Labels: map[string]string(nil),
+ },
+ },
+ },
+ },
+ {
+ name: "multiple sgs, port not assigned",
+ fields: fields{
+ ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+ types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: nil,
+ ToPort: nil,
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ },
+ },
+ },
+ types.NamespacedName{Namespace: "ns-1", Name: "tgb-2"}: {
+ "sg-b": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: nil,
+ ToPort: nil,
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-2")},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ want: map[string][]networking.IPPermissionInfo{
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ Labels: map[string]string(nil),
+ },
+ },
+ "sg-b": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-2")},
+ },
+ },
+ Labels: map[string]string(nil),
+ },
+ },
+ },
+ },
+ {
+ name: "single sg, port range 0 - 65535",
+ fields: fields{
+ ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+ types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ want: map[string][]networking.IPPermissionInfo{
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ Labels: map[string]string(nil),
+ },
+ },
+ },
+ },
+ {
+ name: "multiple sgs, port range 0 - 65535",
+ fields: fields{
+ ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
+ types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ },
+ },
+ },
+ types.NamespacedName{Namespace: "ns-1", Name: "tgb-2"}: {
+ "sg-b": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-2")},
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ want: map[string][]networking.IPPermissionInfo{
+ "sg-a": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-1")},
+ },
+ },
+ Labels: map[string]string(nil),
+ },
+ },
+ "sg-b": {
+ {
+ Permission: ec2sdk.IpPermission{
+ IpProtocol: awssdk.String("tcp"),
+ FromPort: awssdk.Int64(0),
+ ToPort: awssdk.Int64(65535),
+ UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{
+ {GroupId: awssdk.String("group-2")},
+ },
+ },
+ Labels: map[string]string(nil),
+ },
+ },
+ },
+ },
 {
 name: "single sg, single protocol",
 fields: fields{
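Review bot: The four added cases only feed homogeneous inputs — every permission nil-ported, or every permission already 0-65535 — so they never pin the interaction the refactor actually changed in computeRestrictedIngressPermissionsPerSG: a nil-ported permission resetting minPort/maxPort to the defaults after an explicit range has narrowed them, and an explicit range arriving after that reset being unable to narrow them back. A case with two permissions in the same sg and protocol, one `FromPort: awssdk.Int64(80), ToPort: awssdk.Int64(80)` and one `FromPort: nil, ToPort: nil`, plus its mirror with the two entries swapped, would assert that both orders collapse to a single 0-65535 rule; a further case with `FromPort: awssdk.Int64(80), ToPort: nil` would document what the code now emits for a half-specified range, since the old `minPort > maxPort` fallback that used to normalise it is gone. Only the input side of the first case is sketched below; its `want` block has the same shape as the "single sg, port not assigned" case above, and the exact result of the half-specified case depends on the minPort/maxPort initialisation that sits outside the hunk. The test table continues outside this hunk.
```go
{
	name: "single sg, explicit range followed by unassigned ports widens to 0 - 65535",
	fields: fields{
		ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
			types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
				"sg-a": {
					{
						Permission: ec2sdk.IpPermission{
							IpProtocol:       awssdk.String("tcp"),
							FromPort:         awssdk.Int64(80),
							ToPort:           awssdk.Int64(80),
							UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{{GroupId: awssdk.String("group-1")}},
						},
					},
					{
						Permission: ec2sdk.IpPermission{
							IpProtocol:       awssdk.String("tcp"),
							FromPort:         nil,
							ToPort:           nil,
							UserIdGroupPairs: []*ec2sdk.UserIdGroupPair{{GroupId: awssdk.String("group-1")}},
						},
					},
				},
			},
		},
	},
	// … want: one "sg-a" tcp rule with FromPort 0 and ToPort 65535, Labels nil, as in the cases above …
},
// … mirror case: same two entries in the opposite order, same want …
```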