def test_create(self, db_mock):
rule = objects.SecurityGroupRule(context=self.context)
rule.protocol = 'tcp'
secgroup = objects.SecurityGroup()
secgroup.id = 123
parentgroup = objects.SecurityGroup()
parentgroup.id = 223
rule.grantee_group = secgroup
rule.parent_group = parentgroup
rule.create()
updates = db_mock.call_args[0][1]
self.assertEqual(fake_rule['id'], rule.id)
self.assertEqual(updates['group_id'], rule.grantee_group.id)
self.assertEqual(updates['parent_group_id'], rule.parent_group.id)
def _create_security_group(self, instance_ref):
secgroup = objects.SecurityGroup(id=1,
user_id='fake',
project_id='fake',
name='testgroup',
description='test group description')
secgroup_list = objects.SecurityGroupList()
secgroup_list.objects.append(secgroup)
instance_ref.security_groups = secgroup_list
return secgroup
def test_get_by_security_group(self):
secgroup = objects.SecurityGroup()
secgroup.id = 123
rule = dict(fake_rule)
rule['grantee_group'] = dict(test_security_group.fake_secgroup, id=123)
stupid_method = 'security_group_rule_get_by_security_group'
with mock.patch.object(db, stupid_method) as sgrgbsg:
sgrgbsg.return_value = [rule]
rules = (objects.SecurityGroupRuleList.get_by_security_group(
self.context, secgroup))
self.assertEqual(1, len(rules))
self.assertEqual(123, rules[0].grantee_group.id)
def make_secgroup_list(security_groups):
"""A helper to make security group objects from a list of names.
Note that this does not make them save-able or have the rest of the
attributes they would normally have, but provides a quick way to fill,
for example, an instance object during create.
"""
secgroups = objects.SecurityGroupList()
secgroups.objects = []
for name in security_groups:
secgroup = objects.SecurityGroup()
secgroup.name = name
secgroups.objects.append(secgroup)
return secgroups
def make_secgroup_list(security_groups):
"""A helper to make security group objects from a list of names or uuids.
Note that this does not make them save-able or have the rest of the
attributes they would normally have, but provides a quick way to fill,
for example, an instance object during create.
"""
secgroups = objects.SecurityGroupList()
secgroups.objects = []
for sg in security_groups:
secgroup = objects.SecurityGroup()
if uuidutils.is_uuid_like(sg):
# This is a neutron security group uuid so store in the uuid field.
secgroup.uuid = sg
else:
# This is neutron's special 'default' security group
secgroup.name = sg
secgroups.objects.append(secgroup)
return secgroups
def test_static_filters(self, mock_secrule, mock_instlist):
UUID = "2674993b-6adb-4733-abd9-a7c10cc1f146"
SRC_UUID = "0e0a76b2-7c52-4bc0-9a60-d83017e42c1a"
instance_ref = self._create_instance_ref(UUID)
src_instance_ref = self._create_instance_ref(SRC_UUID)
secgroup = objects.SecurityGroup(id=1,
user_id='fake',
project_id='fake',
name='testgroup',
description='test group')
src_secgroup = objects.SecurityGroup(id=2,
user_id='fake',
project_id='fake',
name='testsourcegroup',
description='src group')
r1 = objects.SecurityGroupRule(parent_group_id=secgroup.id,
protocol='icmp',
from_port=-1,
to_port=-1,
cidr='192.168.11.0/24',
grantee_group=None)
r2 = objects.SecurityGroupRule(parent_group_id=secgroup.id,
protocol='icmp',
from_port=8,
to_port=-1,
cidr='192.168.11.0/24',
grantee_group=None)
r3 = objects.SecurityGroupRule(parent_group_id=secgroup.id,
protocol='tcp',
from_port=80,
to_port=81,
cidr='192.168.10.0/24',
grantee_group=None)
r4 = objects.SecurityGroupRule(parent_group_id=secgroup.id,
protocol='tcp',
from_port=80,
to_port=81,
cidr=None,
grantee_group=src_secgroup,
group_id=src_secgroup.id)
r5 = objects.SecurityGroupRule(parent_group_id=secgroup.id,
protocol=None,
cidr=None,
grantee_group=src_secgroup,
group_id=src_secgroup.id)
secgroup_list = objects.SecurityGroupList()
secgroup_list.objects.append(secgroup)
src_secgroup_list = objects.SecurityGroupList()
src_secgroup_list.objects.append(src_secgroup)
instance_ref.security_groups = secgroup_list
src_instance_ref.security_groups = src_secgroup_list
mock_secrule.return_value = objects.SecurityGroupRuleList(
objects=[r1, r2, r3, r4, r5])
def _fake_instlist(ctxt, id):
if id == src_secgroup.id:
insts = objects.InstanceList()
insts.objects.append(src_instance_ref)
return insts
else:
insts = objects.InstanceList()
insts.objects.append(instance_ref)
return insts
mock_instlist.side_effect = _fake_instlist
def fake_iptables_execute(*cmd, **kwargs):
process_input = kwargs.get('process_input', None)
if cmd == ('ip6tables-save', '-c'):
return '\n'.join(self.in6_filter_rules), None
if cmd == ('iptables-save', '-c'):
return '\n'.join(self.in_rules), None
if cmd == ('iptables-restore', '-c'):
lines = process_input.split('\n')
if '*filter' in lines:
self.out_rules = lines
return '', ''
if cmd == (
'ip6tables-restore',
'-c',
):
lines = process_input.split('\n')
if '*filter' in lines:
self.out6_rules = lines
return '', ''
network_model = _fake_network_info(self, 1)
linux_net.iptables_manager.execute = fake_iptables_execute
self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
lambda instance: network_model)
self.fw.prepare_instance_filter(instance_ref, network_model)
self.fw.apply_instance_filter(instance_ref, network_model)
in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
for rule in in_rules:
if 'nova' not in rule:
self.assertIn(rule, self.out_rules,
'Rule went missing: %s' % rule)
instance_chain = None
for rule in self.out_rules:
# This is pretty crude, but it'll do for now
# last two octets change
if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule):
instance_chain = rule.split(' ')[-1]
break
self.assertTrue(instance_chain, "The instance chain wasn't added")
security_group_chain = None
for rule in self.out_rules:
# This is pretty crude, but it'll do for now
if '-A %s -j' % instance_chain in rule:
security_group_chain = rule.split(' ')[-1]
break
self.assertTrue(security_group_chain,
"The security group chain wasn't added")
regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp '
'-s 192.168.11.0/24')
self.assertGreater(len(filter(regex.match, self.out_rules)), 0,
"ICMP acceptance rule wasn't added")
regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp '
'--icmp-type 8 -s 192.168.11.0/24')
self.assertGreater(len(filter(regex.match, self.out_rules)), 0,
"ICMP Echo Request acceptance rule wasn't added")
for ip in network_model.fixed_ips():
if ip['version'] != 4:
continue
regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport '
'--dports 80:81 -s %s' % ip['address'])
self.assertGreater(len(filter(regex.match, self.out_rules)), 0,
"TCP port 80/81 acceptance rule wasn't added")
regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s '
'%s' % ip['address'])
self.assertGreater(
len(filter(regex.match, self.out_rules)), 0,
"Protocol/port-less acceptance rule"
" wasn't added")
regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp '
'-m multiport --dports 80:81 -s 192.168.10.0/24')
self.assertGreater(len(filter(regex.match, self.out_rules)), 0,
"TCP port 80/81 acceptance rule wasn't added")
def _from_db_subgroup(context, db_group):
if db_group is None:
return None
return objects.SecurityGroup._from_db_object(
context, objects.SecurityGroup(context), db_group)
