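    def _validate_security_group_rules(self, context, security_group_rule):
        """Validate a batch of security group rules before they are installed.

        Checks that every rule targets the same security group, that all
        rules carry the same tenant_id, that each rule is internally
        consistent (port range, protocol, remote_ip_prefix vs.
        remote_group_id), and that any remote_group_id and the target
        security group are visible to that tenant.  The ownership checks are
        delegated to ``self.get_security_group``, which is expected to raise
        when the group does not exist for the given tenant (its behavior is
        outside this block).

        :param context: request context, passed through to
            get_security_group.
        :param security_group_rule: request body; a dict with a
            'security_group_rules' list whose items wrap one rule each under
            the 'security_group_rule' key.
        :returns: the single security_group_id all rules belong to.
        :raises ext_sg.SecurityGroupInvalidPortRange: port_range_min and
            port_range_max are not both unset, or not both set with
            min <= max.
        :raises ext_sg.SecurityGroupProtocolRequiredWithPorts: a port range
            is given without a protocol.
        :raises ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix: a rule
            sets both remote_ip_prefix and remote_group_id.
        :raises ext_sg.SecurityGroupNotSingleGroupRules: the rules do not
            resolve to exactly one security_group_id (including an empty
            batch).
        :raises ext_sg.SecurityGroupRulesNotSingleTenant: the rules name
            more than one tenant_id.
        """
        group_ids = set()
        tenant_ids = set()
        for item in security_group_rule['security_group_rules']:
            rule = item.get('security_group_rule')
            group_ids.add(rule['security_group_id'])

            # Port range: either both ends unset, or both set with min <= max.
            # Both ends are tested for None before comparing; otherwise a
            # half-open range (min set, max None) fails with a TypeError
            # instead of a clean validation error.
            port_min = rule['port_range_min']
            port_max = rule['port_range_max']
            if port_min is None and port_max is None:
                pass
            elif (port_min is not None and port_max is not None
                  and port_min <= port_max):
                # A port range is meaningless without a protocol.
                if not rule['protocol']:
                    raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
            else:
                raise ext_sg.SecurityGroupInvalidPortRange()

            # The remote side is identified by a CIDR or by a group, not both.
            if rule['remote_ip_prefix'] and rule['remote_group_id']:
                raise ext_sg.SecurityGroupRemoteGroupAndRemoteIpPrefix()

            # set.add is idempotent; no membership test needed.
            tenant_ids.add(rule['tenant_id'])

            # A referenced remote group must exist and be visible to the
            # rule's tenant; get_security_group is relied on to raise
            # otherwise, which keeps a tenant from referencing another
            # tenant's group.
            remote_group_id = rule.get('remote_group_id')
            if remote_group_id:
                self.get_security_group(context,
                                        remote_group_id,
                                        tenant_id=rule['tenant_id'])

        # Exactly one target group: more than one is a mixed batch, zero is
        # an empty batch (pop() on an empty set would otherwise surface as a
        # bare KeyError).
        if len(group_ids) != 1:
            raise ext_sg.SecurityGroupNotSingleGroupRules()
        security_group_id = group_ids.pop()

        # Confirm single tenant and that the tenant has permission
        # to add rules to this security group.
        if len(tenant_ids) > 1:
            raise ext_sg.SecurityGroupRulesNotSingleTenant()
        for tenant_id in tenant_ids:
            self.get_security_group(context,
                                    security_group_id,
                                    tenant_id=tenant_id)
        return security_group_id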
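    def _validate_security_group_rules(self, context, security_group_rule):
        """Validate a batch of security group rules before they are installed.

        Checks that every rule targets the same security group, that all
        rules carry the same tenant_id, that each rule is internally
        consistent (external_id vs. proxy mode, protocol, ethertype, port
        range, source_ip_prefix vs. source_group_id), and that any
        source_group_id and the target security group are visible to that
        tenant.  The ownership checks are delegated to
        ``self.get_security_group``, which is expected to raise when the
        group does not exist for the given tenant (its behavior is outside
        this block).

        :param context: request context; ``context.is_admin`` gates proxy
            mode, and the context is passed through to get_security_group.
        :param security_group_rule: request body; a dict with a
            'security_group_rules' list whose items wrap one rule each under
            the 'security_group_rule' key.
        :returns: the single security_group_id all rules belong to.
        :raises ext_sg.SecurityGroupProxyModeNotAdmin: proxy mode is enabled
            and the caller is not admin.
        :raises ext_sg.SecurityGroupProxyMode: proxy mode is enabled and a
            rule lacks external_id.
        :raises ext_sg.SecurityGroupNotProxyMode: proxy mode is disabled and
            a rule carries external_id.
        :raises ext_sg.SecurityGroupInvalidProtocolType: protocol is set but
            not in self.sg_supported_protocols.
        :raises ext_sg.SecurityGroupInvalidEtherType: ethertype is set but
            not in self.sg_supported_ethertypes.
        :raises ext_sg.SecurityGroupInvalidPortRange: port_range_min and
            port_range_max are not both unset, or not both set with
            min <= max.
        :raises ext_sg.SecurityGroupProtocolRequiredWithPorts: a port range
            is given without a protocol.
        :raises ext_sg.SecurityGroupSourceGroupAndIpPrefix: a rule sets both
            source_ip_prefix and source_group_id.
        :raises ext_sg.SecurityGroupNotSingleGroupRules: the rules do not
            resolve to exactly one security_group_id (including an empty
            batch).
        :raises ext_sg.SecurityGroupRulesNotSingleTenant: the rules name
            more than one tenant_id.
        """
        # Read the flag once so every rule in the batch is judged against
        # the same setting.
        proxy_mode = cfg.CONF.SECURITYGROUP.proxy_mode
        if proxy_mode and not context.is_admin:
            raise ext_sg.SecurityGroupProxyModeNotAdmin()

        group_ids = set()
        tenant_ids = set()
        for item in security_group_rule['security_group_rules']:
            rule = item.get('security_group_rule')
            group_ids.add(rule['security_group_id'])

            # external_id is mandatory in proxy mode and forbidden outside it.
            has_external_id = bool(rule.get('external_id'))
            if proxy_mode and not has_external_id:
                raise ext_sg.SecurityGroupProxyMode()
            if not proxy_mode and has_external_id:
                raise ext_sg.SecurityGroupNotProxyMode()

            # Protocol and ethertype, when given, must come from the
            # supported sets.
            protocol = rule.get('protocol')
            if protocol and protocol not in self.sg_supported_protocols:
                raise ext_sg.SecurityGroupInvalidProtocolType(value=protocol)
            ethertype = rule.get('ethertype')
            if ethertype and ethertype not in self.sg_supported_ethertypes:
                raise ext_sg.SecurityGroupInvalidEtherType(value=ethertype)

            # Port range: either both ends unset, or both set with min <= max.
            # Both ends are tested for None before comparing; otherwise a
            # half-open range (min set, max None) fails with a TypeError
            # instead of a clean validation error.
            port_min = rule['port_range_min']
            port_max = rule['port_range_max']
            if port_min is None and port_max is None:
                pass
            elif (port_min is not None and port_max is not None
                  and port_min <= port_max):
                # A port range is meaningless without a protocol; reuse the
                # value already read above.
                if not protocol:
                    raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
            else:
                raise ext_sg.SecurityGroupInvalidPortRange()

            # The source side is identified by a CIDR or by a group, not both.
            if rule['source_ip_prefix'] and rule['source_group_id']:
                raise ext_sg.SecurityGroupSourceGroupAndIpPrefix()

            # set.add is idempotent; no membership test needed.
            tenant_ids.add(rule['tenant_id'])

            # A referenced source group must exist and be visible to the
            # rule's tenant; get_security_group is relied on to raise
            # otherwise, which keeps a tenant from referencing another
            # tenant's group.
            source_group_id = rule.get('source_group_id')
            if source_group_id:
                self.get_security_group(context,
                                        source_group_id,
                                        tenant_id=rule['tenant_id'])

        # Exactly one target group: more than one is a mixed batch, zero is
        # an empty batch (pop() on an empty set would otherwise surface as a
        # bare KeyError).
        if len(group_ids) != 1:
            raise ext_sg.SecurityGroupNotSingleGroupRules()
        security_group_id = group_ids.pop()

        # Confirm single tenant and that the tenant has permission
        # to add rules to this security group.
        if len(tenant_ids) > 1:
            raise ext_sg.SecurityGroupRulesNotSingleTenant()
        for tenant_id in tenant_ids:
            self.get_security_group(context,
                                    security_group_id,
                                    tenant_id=tenant_id)
        return security_group_id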