def test_detect_resources(self):
node1 = models.Node(name='node1',
flavor='n1-standard-4',
image='ubuntu1404-12345678',
networks=[],
disk=20)
node2 = models.Node(name='node2',
flavor='n1-standard-4',
image='ubuntu1404-12345678',
networks=[],
disk=20)
node1.security_group_names = set(['webapp', 'ssh'])
node2.security_group_names = set(['webapp'])
sg_webapp = models.SecurityGroup(name='webapp')
sg_ssh = models.SecurityGroup(name='ssh')
sgr_https = models.SecurityGroupRule(security_group=sg_webapp,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp')
sgr_ssh = models.SecurityGroupRule(security_group=sg_ssh,
source_ip='0.0.0.0/0',
from_port=22,
to_port=22,
protocol='tcp')
class TestDriver(base.CloudDriver):
def detect_nodes(self):
return set([node1, node2])
def detect_firewalls(self):
return (set([sg_webapp, sg_ssh]), set([sgr_https, sgr_ssh]))
cloud_driver = TestDriver()
collection = cloud_driver.detect_resources()
self.assertIn(node1, collection.nodes)
self.assertIn(node2, collection.nodes)
self.assertIn(sg_webapp, collection.nodes['node1'].security_groups)
self.assertIn(sg_ssh, collection.nodes['node1'].security_groups)
self.assertIn(sg_webapp, collection.nodes['node2'].security_groups)
self.assertIn(sg_webapp, collection.security_groups)
self.assertIn(sg_ssh, collection.security_groups)
self.assertIn(sgr_https, collection.security_group_rules)
self.assertIn(sgr_ssh, collection.security_group_rules)
def test_detect_firewalls(self, connection):
class AWSSecurityGroup(object):
def __init__(self, id, name, ingress_rules):
self.id = id
self.name = name
self.ingress_rules = ingress_rules
sg1 = AWSSecurityGroup(id='sg-1234567',
name='default',
ingress_rules=[{
'from_port': '80',
'to_port': '81',
'protocol': 'tcp',
'cidr_ips': ['1.2.3.4/32']
}, {
'from_port':
'8080',
'to_port':
'8081',
'protocol':
'udp',
'group_pairs': [{
'group_id': 'sg-7654321'
}]
}])
sg2 = AWSSecurityGroup(id='sg-7654321', name='www', ingress_rules=[])
connection.ex_get_security_groups.return_value = [sg1, sg2]
sg1_ = cloud_models.SecurityGroup(name='default')
sg2_ = cloud_models.SecurityGroup(name='www')
expected_sgs = set([sg1_, sg2_])
expected_sgrs = set([
cloud_models.SecurityGroupRule(security_group=sg1_,
from_port=80,
to_port=81,
protocol='tcp',
source_ip='1.2.3.4/32'),
cloud_models.SecurityGroupRule(security_group=sg1_,
from_port=8080,
to_port=8081,
protocol='udp',
source_group='www')
])
self.assertEqual(self.cloud_driver.detect_firewalls(),
(expected_sgs, expected_sgrs))
def _example_collection(self):
collection = cloud_models.Collection()
webappsg = cloud_models.SecurityGroup(name='webapp')
collection.nodes.add(cloud_models.Node(name='webapp',
image='trusty',
flavor='n1-standard-2',
disk=37,
networks=[],
security_groups=set([webappsg]),
private=mock.sentinel.webapp1priv))
collection.nodes.add(cloud_models.Node(name='webapp2',
image='trusty',
flavor='n1-standard-2',
disk=37,
networks=[],
security_groups=set([webappsg]),
script='#!/bin/bash\necho hello\n',
private=mock.sentinel.webapp2priv))
collection.security_groups.add(webappsg)
collection.security_group_rules.add(cloud_models.SecurityGroupRule(security_group=webappsg,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp'))
collection.security_group_rules.add(cloud_models.SecurityGroupRule(security_group=webappsg,
source_ip='212.10.10.10/32',
from_port=8000,
to_port=8080,
protocol='tcp'))
return collection
def test_delete_security_group_rule(self):
sg = models.SecurityGroup(name='webapp')
sgr = models.SecurityGroupRule(security_group=sg,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp')
base.CloudDriver().delete_security_group_rule(sgr)
def test_detect_firewalls(self, connection):
fw1, fw2, fw3, fw4 = self._get_firewalls()
connection.ex_list_firewalls.return_value = [fw1, fw2, fw3, fw4]
security_groups, security_group_rules = self.cloud_driver.detect_firewalls(
)
self.assertIn(cloud_models.SecurityGroup(name='webapp'),
security_groups)
self.assertIn(cloud_models.SecurityGroup(name='dev'), security_groups)
webapp = cloud_models.SecurityGroup(name='webapp')
dev = cloud_models.SecurityGroup(name='dev')
globalsg = cloud_models.SecurityGroup(name='global')
self.assertIn(webapp, security_groups)
self.assertIn(dev, security_groups)
self.assertIn(
cloud_models.SecurityGroupRule(security_group=webapp,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp'),
security_group_rules)
self.assertIn(
cloud_models.SecurityGroupRule(security_group=globalsg,
source_ip='0.0.0.0/0',
from_port=22,
to_port=22,
protocol='tcp'),
security_group_rules)
self.assertIn(
cloud_models.SecurityGroupRule(security_group=globalsg,
source_ip='0.0.0.0/0',
from_port=8000,
to_port=8080,
protocol='tcp'),
security_group_rules)
self.assertIn(
cloud_models.SecurityGroupRule(security_group=webapp,
source_group='frontend',
from_port=21,
to_port=21,
protocol='tcp'),
security_group_rules)
def test_delete_security_group_rule(self, connection):
sg = cloud_models.SecurityGroup(name='sg')
sgr = cloud_models.SecurityGroupRule(security_group=sg,
source_ip='1.2.3.4',
from_port=10,
to_port=20,
protocol='tcp',
private=mock.sentinel.sgrpriv)
self.cloud_driver.delete_security_group_rule(sgr)
connection.ex_destroy_firewall.assert_called_with(mock.sentinel.sgrpriv)
def test_create_security_group_rule(self, connection):
sg = cloud_models.SecurityGroup(name='sg')
sgr = cloud_models.SecurityGroupRule(security_group=sg,
source_ip='1.2.3.4',
from_port=10,
to_port=20,
protocol='tcp')
self.cloud_driver.create_security_group_rule(sgr)
connection.ex_create_firewall.assert_called_with(name='sg-tcp-10-20',
allowed=[{'IPProtocol': 'tcp',
'ports': ['10-20']}],
source_ranges=['1.2.3.4'],
target_tags=['sg'])
def test_add_security_group_rule_with_source_group(self, sg_name_to_id, connection):
sg = cloud_models.SecurityGroup(name='sg')
sgr = cloud_models.SecurityGroupRule(security_group=sg,
from_port=123,
to_port=234,
source_group='www',
protocol='tcp')
self.cloud_driver.create_security_group_rule(sgr)
connection.ex_authorize_security_group_ingress.assert_called_with(id=sg_name_to_id.return_value,
from_port=123,
to_port=234,
protocol='tcp',
group_pairs=[{'group_name': 'www'}])
def test_format_ports(self):
sg = cloud_models.SecurityGroup(name='sg')
sgr1 = cloud_models.SecurityGroupRule(security_group=sg,
source_ip='1.2.3.4',
from_port=10,
to_port=20,
protocol='tcp')
sgr2 = cloud_models.SecurityGroupRule(security_group=sg,
source_ip='1.2.3.4',
from_port=10,
to_port=10,
protocol='tcp')
self.assertEquals(self.cloud_driver._format_ports(sgr1), '10-20')
self.assertEquals(self.cloud_driver._format_ports(sgr2), '10')
def test_source_ranges(self):
sg = cloud_models.SecurityGroup(name='sg')
sgr1 = cloud_models.SecurityGroupRule(security_group=sg,
source_ip='1.2.3.4',
from_port=10,
to_port=20,
protocol='tcp')
sgr2 = cloud_models.SecurityGroupRule(security_group=sg,
source_ip='0.0.0.0/0',
from_port=10,
to_port=10,
protocol='tcp')
self.assertEquals(self.cloud_driver._source_ranges(sgr1), ['1.2.3.4'])
self.assertEquals(self.cloud_driver._source_ranges(sgr2), None)
def test_as_dict(self):
sg = models.SecurityGroup(name='sgname')
sgr = models.SecurityGroupRule(security_group=sg,
from_port=8000,
to_port=8080,
source_ip='1.2.3.4/32',
protocol='tcp')
self.assertEquals(
sgr.as_dict(), {
'from_port': 8000,
'protocol': 'tcp',
'security_group': 'sgname',
'source_ip': '1.2.3.4/32',
'to_port': 8080
})
def test_with_script(self, interpolate, log):
collection = loader.load(
self._get_full_path_for_test_data('with_script.yaml'))
sg = cloud_models.SecurityGroup(name='webapp')
script = '#!/bin/sh\nadduser --system web\napt-get install python-virtualenv\netc. etc. etc.\n'
self.assertIn(
cloud_models.Node(name='webapp1',
flavor='webapp',
image='trusty',
disk=10,
networks=[],
security_groups=set([sg]),
script=interpolate.return_value),
collection.nodes)
self.assertIn(
cloud_models.Node(name='webapp2',
flavor='webapp',
image='trusty',
disk=10,
networks=[],
security_groups=set([sg]),
script=interpolate.return_value),
collection.nodes)
interpolate.assert_called_with(script, None)
self.assertIn(sg, collection.security_groups)
self.assertIn(
cloud_models.SecurityGroupRule(security_group=sg,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp'),
collection.security_group_rules)
self.assertEqual(len(collection.nodes), 2)
self.assertEqual(len(collection.security_groups), 1)
self.assertEqual(len(collection.security_group_rules), 1)
log.check(('aasemble.deployment.loader', 'DEBUG',
'Loaded node webapp1 from stack'),
('aasemble.deployment.loader', 'DEBUG',
'Loaded node webapp2 from stack'),
('aasemble.deployment.loader', 'DEBUG',
'Loaded security group webapp from stack'),
('aasemble.deployment.loader', 'DEBUG',
'Loaded security group rule from stack: tcp: 443-443'))
def detect_firewalls(self):
security_group_set = set()
security_group_rule_set = set()
firewalls = self.connection.ex_list_firewalls()
security_group_names = self._get_all_security_group_names(firewalls)
security_groups = {}
for security_group_name in security_group_names:
LOG.info('Detected security group: %s' % security_group_name)
security_group = cloud_models.SecurityGroup(
name=security_group_name)
security_groups[security_group_name] = security_group
security_group_set.add(security_group)
for firewall in firewalls:
for tag in (firewall.target_tags or ['global']):
for allowed in firewall.allowed:
from_port, to_port = self._parse_port_spec(allowed)
protocol = allowed['IPProtocol']
kwargs = {
'security_group': security_groups[tag],
'from_port': from_port,
'to_port': to_port,
'protocol': protocol
}
if firewall.source_tags:
kwargs['source_group'] = firewall.source_tags[0]
else:
kwargs['source_ip'] = firewall.source_ranges[0]
security_group_rule = cloud_models.SecurityGroupRule(
**kwargs)
security_group_rule.private = firewall
LOG.info(
'Detected security group rule for security group %s: %s: %d-%d'
% (tag, protocol, from_port, to_port))
security_group_rule_set.add(security_group_rule)
return security_group_set, security_group_rule_set
def setUp(self):
self.sg1 = cloud_models.SecurityGroup(name='sg1')
self.sgr1 = cloud_models.SecurityGroupRule(security_group=self.sg1,
from_port=443,
to_port=443,
source_ip='0.0.0.0/0',
protocol='tcp')
self.sgr2 = cloud_models.SecurityGroupRule(security_group=self.sg1,
from_port=80,
to_port=80,
source_ip='0.0.0.0/0',
protocol='tcp')
self.node1 = cloud_models.Node(name='node1',
image='image',
flavor='image',
networks=[],
disk=10,
security_groups=set([self.sg1]))
self.current = cloud_models.Collection()
self.desired = cloud_models.Collection()
def test_with_security_groups(self, log):
collection = loader.load(
self._get_full_path_for_test_data('with_security_groups.yaml'))
sg = cloud_models.SecurityGroup(name='webapp')
self.assertIn(
cloud_models.Node(name='webapp1',
flavor='webapp',
image='trusty',
disk=10,
networks=[],
security_groups=set([sg])), collection.nodes)
self.assertIn(
cloud_models.Node(name='webapp2',
flavor='webapp',
image='trusty',
disk=10,
networks=[],
security_groups=set([sg])), collection.nodes)
self.assertIn(sg, collection.security_groups)
self.assertIn(
cloud_models.SecurityGroupRule(security_group=sg,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp'),
collection.security_group_rules)
self.assertEqual(len(collection.nodes), 2)
self.assertEqual(len(collection.security_groups), 1)
self.assertEqual(len(collection.security_group_rules), 1)
log.check(('aasemble.deployment.loader', 'DEBUG',
'Loaded node webapp1 from stack'),
('aasemble.deployment.loader', 'DEBUG',
'Loaded node webapp2 from stack'),
('aasemble.deployment.loader', 'DEBUG',
'Loaded security group webapp from stack'),
('aasemble.deployment.loader', 'DEBUG',
'Loaded security group rule from stack: tcp: 443-443'))
def detect_firewalls(self):
security_group_set = set()
security_group_rule_set = set()
for security_group in self.connection.ex_get_security_groups():
sg = cloud_models.SecurityGroup(name=security_group.name)
security_group_set.add(sg)
for rule in security_group.ingress_rules:
kwargs = {'security_group': sg,
'from_port': rule['from_port'] and int(rule['from_port']),
'to_port': rule['to_port'] and int(rule['to_port']),
'protocol': rule['protocol']}
if 'cidr_ips' in rule and rule['cidr_ips']:
kwargs['source_ip'] = rule['cidr_ips'][0]
else:
kwargs['source_group'] = self.sg_id_to_name(rule['group_pairs'][0]['group_id'])
sgr = cloud_models.SecurityGroupRule(**kwargs)
security_group_rule_set.add(sgr)
return security_group_set, security_group_rule_set
def build_security_groups_and_rules(data):
security_groups = set()
security_group_rules = set()
for name in data.get('security_groups', {}):
LOG.debug('Loaded security group %s from stack' % name)
security_group_info = data['security_groups'][name]
security_group = cloud_models.SecurityGroup(name=name)
security_groups.add(security_group)
for rule in security_group_info:
LOG.debug('Loaded security group rule from stack: %s: %d-%d' % (rule['protocol'], rule['from_port'], rule['to_port']))
kwargs = {'security_group': security_group,
'from_port': rule['from_port'],
'to_port': rule['to_port'],
'protocol': rule['protocol']}
if 'cidr' in rule:
kwargs['source_ip'] = rule['cidr']
elif 'source_group' in rule:
kwargs['source_group'] = rule['source_group']
security_group_rule = cloud_models.SecurityGroupRule(**kwargs)
security_group_rules.add(security_group_rule)
return security_groups, security_group_rules
def test_as_dict(self):
sg = models.SecurityGroup(name='sgname')
self.assertEquals(sg.as_dict(), {'name': 'sgname'})
def test_cluster_data(self):
collection = cloud_models.Collection()
lb = cloud_models.Node(name='lb',
image='trusty',
flavor='512mb',
disk=27,
networks=[])
web1 = cloud_models.Node(name='web1',
image='trusty',
flavor='512mb',
disk=27,
networks=[])
web2 = cloud_models.Node(name='web2',
image='trusty',
flavor='512mb',
disk=27,
networks=[])
db = cloud_models.Node(name='db',
image='trusty',
flavor='512mb',
disk=27,
networks=[])
frontend_sg = cloud_models.SecurityGroup(name='frontend')
frontend_http_sgr = cloud_models.SecurityGroupRule(
security_group=frontend_sg,
source_ip='0.0.0.0/0',
from_port=80,
to_port=80,
protocol='tcp')
frontend_https_sgr = cloud_models.SecurityGroupRule(
security_group=frontend_sg,
source_ip='0.0.0.0/0',
from_port=443,
to_port=443,
protocol='tcp')
lb.security_groups.add(frontend_sg)
backend_sg = cloud_models.SecurityGroup(name='backend')
backend_http_sgr = cloud_models.SecurityGroupRule(
security_group=backend_sg,
source_group='frontend',
from_port=80,
to_port=80,
protocol='tcp')
web1.security_groups.add(backend_sg)
web2.security_groups.add(backend_sg)
db_sg = cloud_models.SecurityGroup(name='mysql')
mysql_sgr = cloud_models.SecurityGroupRule(security_group=db_sg,
source_group='backend',
from_port=3306,
to_port=3306,
protocol='tcp')
db.security_groups.add(db_sg)
collection.nodes.add(lb)
collection.nodes.add(web1)
collection.nodes.add(web2)
collection.nodes.add(db)
collection.nodes.add(db)
collection.security_groups.add(frontend_sg)
collection.security_groups.add(backend_sg)
collection.security_groups.add(db_sg)
collection.security_group_rules.add(frontend_http_sgr)
collection.security_group_rules.add(frontend_https_sgr)
collection.security_group_rules.add(backend_http_sgr)
collection.security_group_rules.add(mysql_sgr)
collection.urls.append(
cloud_models.URLConfStatic(hostname='example.com',
path='/foo/bar',
local_path='/data'))
collection.urls.append(
cloud_models.URLConfBackend(hostname='example.com',
path='/foo/bar',
destination='somebackend/somepath'))
self.maxDiff = None
self.assertEqual(
self.cloud_driver.cluster_data(collection), {
'containers': [{
'host_network': True,
'image': 'aasemble/fwmanager',
'name': 'fwmanager',
'nodes': '.*',
'privileged': True
}],
'tasks': [],
'proxyconf': {
'backends': ['somebackend'],
'domains': {
'example.com': {
'/foo/bar': {
'destination': 'somebackend/somepath',
'type': 'backend'
}
}
}
},
'fwconf': {
'security_groups': {
'backend': {
'nodes': ['web1', 'web2'],
'rules': [{
'from_port': 80,
'protocol': 'tcp',
'source_group': 'frontend',
'to_port': 80
}]
},
'frontend': {
'nodes': ['lb'],
'rules': [{
'from_port': 443,
'protocol': 'tcp',
'source_ip': '0.0.0.0/0',
'to_port': 443
}, {
'from_port': 80,
'protocol': 'tcp',
'source_ip': '0.0.0.0/0',
'to_port': 80
}]
},
'mysql': {
'nodes': ['db'],
'rules': [{
'from_port': 3306,
'protocol': 'tcp',
'source_group': 'backend',
'to_port': 3306
}]
}
}
}
})
def test_add_security_group(self, connection):
sg = cloud_models.SecurityGroup(name='sg1')
self.cloud_driver.create_security_group(sg)
connection.ex_create_security_group.assert_called_with(
'sg1', 'some description')
def test_add_security_group_duplicate_does_not_reaise(self, connection):
sg = cloud_models.SecurityGroup(name='sg1')
connection.ex_create_security_group.side_effect = libcloud.common.exceptions.BaseHTTPError(
400, 'InvalidGroup.Duplicate: we already have that one')
self.cloud_driver.create_security_group(sg)
def test_add_security_group_other_error_raises(self, connection):
sg = cloud_models.SecurityGroup(name='sg1')
connection.ex_create_security_group.side_effect = libcloud.common.exceptions.BaseHTTPError(
400, 'NotInvalidGroup.NotDuplicate: another error')
self.assertRaises(libcloud.common.exceptions.BaseHTTPError,
self.cloud_driver.create_security_group, sg)
def test_delete_security_group(self):
sg = models.SecurityGroup(name='webapp')
base.CloudDriver().delete_security_group(sg)
