def test_sync_security_group_rules(self, rule_definitions, existing_rules, expected_adds, expected_deletes):
    """
    Check that sync_security_group_rules() reconciles a group's live rules with the given definitions.

    The network client is a Mock whose security_group_rules() returns ``existing_rules``. The test
    then asserts that exactly the rules in ``expected_adds`` are created (each one tagged with the
    group's id) and exactly the rule ids in ``expected_deletes`` are removed, in that order.
    """
    fake_network = Mock()
    fake_network.security_group_rules.return_value = existing_rules
    group = SecurityGroup.new(id="00000000-1234-1234-1234-000000000000")

    openstack_utils.sync_security_group_rules(group, rule_definitions, network=fake_network)

    # The live rules must be fetched once, scoped to this group only.
    fake_network.security_group_rules.assert_called_once_with(security_group_id=group.id)

    create_calls = fake_network.create_security_group_rule.call_args_list
    self.assertEqual(len(create_calls), len(expected_adds))
    created = [call[1] for call in create_calls]
    for kwargs in created:
        # Every created rule must be attached to our group; strip the id so what is left
        # can be compared against the plain rule definitions.
        self.assertEqual(kwargs.pop("security_group_id"), group.id)
    self.assertEqual(created, expected_adds)

    delete_calls = fake_network.delete_security_group_rule.call_args_list
    self.assertEqual(len(delete_calls), len(expected_deletes))
    self.assertEqual([call[0][0].id for call in delete_calls], expected_deletes)
def check_security_groups(self):
    """
    Ensure the OpenStack security groups (firewall settings) for this AppServer are in place.

    The group named by settings.OPENEDX_APPSERVER_SECURITY_GROUP_NAME is owned by this code:
    it is created if missing, its description is normalised, and its rules are synced to
    OPENEDX_APPSERVER_SECURITY_GROUP_RULES so that only the intended ports (e.g. 443 and 22)
    are reachable from outside. Every other group listed in self.security_groups is only
    checked for existence - its rules are NOT inspected here, so an overly permissive extra
    group would not be caught by this check.

    Raises:
        Exception: if one of the additional security groups cannot be found.
    """
    self.logger.info('Checking security groups (OpenStack firewall settings)')
    region = self.instance.openstack_region
    network = get_openstack_connection(region).network
    managed_name = settings.OPENEDX_APPSERVER_SECURITY_GROUP_NAME

    managed_group = network.find_security_group(managed_name)
    if not managed_group:
        # First run in this project/region: create the group we are going to manage.
        managed_group = network.create_security_group(name=managed_name)

    wanted_description = 'Security group for Open EdX AppServers. Managed automatically by OpenCraft IM.'
    if managed_group.description != wanted_description:
        network.update_security_group(managed_group, description=wanted_description)

    # Make the live rule set match the configured one (creates missing rules and deletes
    # rules that are not in the configured list).
    sync_security_group_rules(managed_group, OPENEDX_APPSERVER_SECURITY_GROUP_RULES, network=network)

    # The managed group was handled above; the remaining groups are only verified to exist.
    # NOTE(review): list.remove() mutates self.security_groups in place if that is a stored
    # list rather than a freshly built one, and raises ValueError if the managed name is
    # absent from it - confirm against the property's definition.
    remaining = self.security_groups
    remaining.remove(managed_group.name)
    for name in remaining:
        if network.find_security_group(name) is None:
            raise Exception("Unable to find the OpenStack network security group called '{}'.".format(name))