 def test_get(self):
     """Fetching by id yields the fake DB row with no pending changes."""
     self.mox.StubOutWithMock(db, 'security_group_get')
     db.security_group_get(self.context, 1).AndReturn(fake_secgroup)
     self.mox.ReplayAll()
     fetched = security_group.SecurityGroup.get(self.context, 1)
     expected = self._fix_deleted(fake_secgroup)
     ovo_fixture.compare_obj(self, fetched, expected)
     self.assertEqual(set(), fetched.obj_what_changed())
 def test_get(self):
     """Fetching by id yields the fake DB row, no pending changes, remotable."""
     self.mox.StubOutWithMock(db, "security_group_get")
     db.security_group_get(self.context, 1).AndReturn(fake_secgroup)
     self.mox.ReplayAll()
     fetched = security_group.SecurityGroup.get(self.context, 1)
     expected = self._fix_deleted(fake_secgroup)
     self.assertEqual(expected, dict(fetched.items()))
     self.assertEqual(set(), fetched.obj_what_changed())
     self.assertRemotes()
 def test_get(self):
     """Fetching by id yields the fake DB row with no pending changes."""
     self.mox.StubOutWithMock(db, 'security_group_get')
     db.security_group_get(self.context, 1).AndReturn(fake_secgroup)
     self.mox.ReplayAll()
     fetched = security_group.SecurityGroup.get(self.context, 1)
     expected = self._fix_deleted(fake_secgroup)
     self.assertEqual(expected, dict(fetched.items()))
     self.assertEqual(set(), fetched.obj_what_changed())
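    def _rule_args_to_dict(self, context, to_port=None, from_port=None,
                                  parent_group_id=None, ip_protocol=None,
                                  cidr=None, group_id=None):
        """Validate rule arguments from a request and build a DB values dict.

        Exactly one source is recorded: a source security group
        (``group_id``) or a CIDR; when neither is given the rule is open to
        ``0.0.0.0/0``.  Protocol and port range are optional for a
        group-based rule but mandatory for a CIDR-based one.

        :param context: request context, used only to verify that
            ``group_id`` names an existing security group.
        :returns: dict of column values for security_group_rule_create, or
            None when a CIDR-based rule lacks protocol/ports.
        :raises exception.InvalidInput: non-integer or equal parent/group ids.
        :raises exception.InvalidCidr: ``cidr`` does not parse.
        :raises exception.InvalidPortRange: non-integer or out-of-range ports.
        :raises exception.InvalidIpProtocol: protocol outside tcp/udp/icmp.
        """
        values = {}

        if group_id:
            # int(None) raises TypeError, not ValueError: a request that
            # names group_id but omits parent_group_id must still be
            # reported as invalid input rather than an unhandled error.
            try:
                parent_group_id = int(parent_group_id)
                group_id = int(group_id)
            except (ValueError, TypeError):
                msg = _("Parent or group id is not integer")
                raise exception.InvalidInput(reason=msg)

            if parent_group_id == group_id:
                msg = _("Parent group id and group id cannot be same")
                raise exception.InvalidInput(reason=msg)

            values['group_id'] = group_id
            # Existence check only: the lookup raises if the group is unknown
            # and its result is deliberately discarded.
            db.security_group_get(context, group_id)
        elif cidr:
            # Any parse failure is reported as an invalid CIDR; the value is
            # only stored once netaddr has accepted it.
            try:
                cidr = urllib.unquote(cidr).decode()
                netaddr.IPNetwork(cidr)
            except Exception:
                raise exception.InvalidCidr(cidr=cidr)
            values['cidr'] = cidr
        else:
            values['cidr'] = '0.0.0.0/0'

        # Ports are tested against None rather than truthiness so that a
        # legitimate port/type 0 (e.g. ICMP type 0) is not mistaken for
        # "not supplied".
        if ip_protocol and from_port is not None and to_port is not None:
            try:
                from_port = int(from_port)
                to_port = int(to_port)
            except (ValueError, TypeError):
                raise exception.InvalidPortRange(from_port=from_port,
                                                 to_port=to_port)
            ip_protocol = str(ip_protocol)
            if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
                raise exception.InvalidIpProtocol(protocol=ip_protocol)
            # -1 is accepted as the lower bound (used as the ICMP type/code
            # wildcard elsewhere in this code base); 65535 is the max port.
            if ((min(from_port, to_port) < -1) or
                       (max(from_port, to_port) > 65535)):
                raise exception.InvalidPortRange(from_port=from_port,
                                                 to_port=to_port)

            values['protocol'] = ip_protocol
            values['from_port'] = from_port
            values['to_port'] = to_port
        else:
            # If cidr based filtering, protocol and ports are mandatory
            if 'cidr' in values:
                return None

        return values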
 def test_refresh(self):
     """refresh() reloads the row from the DB and clears the change set."""
     reloaded_row = dict(fake_secgroup, description='changed')
     self.mox.StubOutWithMock(db, 'security_group_get')
     db.security_group_get(self.context, 1).AndReturn(reloaded_row)
     self.mox.ReplayAll()
     obj = security_group.SecurityGroup()
     obj = security_group.SecurityGroup._from_db_object(obj, fake_secgroup)
     obj.refresh(self.context)
     self.assertEqual(self._fix_deleted(reloaded_row), dict(obj.items()))
     self.assertEqual(set(), obj.obj_what_changed())
     self.assertRemotes()
 def test_refresh(self):
     """refresh() reloads the row from the DB and clears the change set."""
     reloaded_row = dict(fake_secgroup, description='changed')
     self.mox.StubOutWithMock(db, 'security_group_get')
     db.security_group_get(self.context, 1).AndReturn(reloaded_row)
     self.mox.ReplayAll()
     obj = security_group.SecurityGroup()
     obj = security_group.SecurityGroup._from_db_object(obj, fake_secgroup)
     obj.refresh(self.context)
     self.assertEqual(self._fix_deleted(reloaded_row), dict(obj.items()))
     self.assertEqual(set(), obj.obj_what_changed())
     self.assertRemotes()
    def delete(self, req, id):
        """Revoke (destroy) one security group rule; responds 202 Accepted.

        The rule id from the URL must be an integer (else 400) and must
        exist (else 404). The policy check runs before any lookup.
        """
        context = req.environ['nova.context']
        authorize(context)

        self.compute_api.ensure_default_security_group(context)
        try:
            id = int(id)
            rule = db.security_group_rule_get(context, id)
        except ValueError:
            raise exc.HTTPBadRequest(explanation=_("Rule id is not integer"))
        except exception.NotFound:
            raise exc.HTTPNotFound(
                explanation=_("Rule (%s) not found") % id)

        # The parent group is read with the request context so the audit
        # entry can name it and the refresh can target it.
        group_id = rule.parent_group_id
        # NOTE(review): ensure_default_security_group was already called
        # above; the repeat is preserved here — confirm it is safe to drop.
        self.compute_api.ensure_default_security_group(context)
        security_group = db.security_group_get(context, group_id)

        LOG.audit(_("Revoke security group ingress %s"),
                  security_group['name'], context=context)

        rule_id = rule['id']
        db.security_group_rule_destroy(context, rule_id)
        self.sgh.trigger_security_group_rule_destroy_refresh(context,
                                                             [rule_id])
        self.compute_api.trigger_security_group_rules_refresh(
            context, security_group_id=security_group['id'])

        return webob.Response(status_int=202)
 def get_by_security_group_id(cls, context, security_group_id):
     """Return the instances that belong to the given security group.

     The group row is requested with its instances plus each instance's
     info_cache and system_metadata joined, and the instance list is
     built from that single result.
     """
     joins = ['instances.info_cache', 'instances.system_metadata']
     db_secgroup = db.security_group_get(context, security_group_id,
                                         columns_to_join=joins)
     members = db_secgroup['instances']
     return _make_instance_list(context, cls(), members,
                                ['info_cache', 'system_metadata'])
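    def create(self, req, body):
        """Add an ingress rule to the security group named in the body.

        :param req: WSGI request; the nova context is read from environ.
        :param body: decoded request body, expected to hold a
            ``security_group_rule`` dict with ``parent_group_id`` and the
            rule arguments accepted by _revoke_rule_args_to_dict.
        :returns: ``{'security_group_rule': <formatted rule>}``
        :raises exception.ApiError: malformed body, incomplete rule, or a
            rule that already exists in the group.
        :raises exception.SecurityGroupNotFound: parent group lookup
            returned nothing.
        """
        context = req.environ['nova.context']

        # Validate the body shape up front so a malformed request surfaces
        # as an API error instead of an unhandled KeyError/AttributeError.
        sg_rule = body.get('security_group_rule') if isinstance(body, dict) \
            else None
        if not isinstance(sg_rule, dict) or 'parent_group_id' not in sg_rule:
            raise exception.ApiError(_("Malformed security_group_rule in "
                                       "request body."))
        group_id = sg_rule['parent_group_id']

        self.compute_api.ensure_default_security_group(context)
        security_group = db.security_group_get(context, group_id)
        if not security_group:
            raise exception.SecurityGroupNotFound(security_group_id=group_id)

        msg = "Authorize security group ingress %s"
        LOG.audit(_(msg), security_group['name'], context=context)
        values = self._revoke_rule_args_to_dict(context, **sg_rule)
        if values is None:
            raise exception.ApiError(_("Not enough parameters to build a "
                                       "valid rule."))
        values['parent_group_id'] = security_group.id

        # Duplicate check before insert so the same rule is not stored twice.
        if self._security_group_rule_exists(security_group, values):
            raise exception.ApiError(_('This rule already exists in group %s')
                                     % group_id)

        security_group_rule = db.security_group_rule_create(context, values)

        self.compute_api.trigger_security_group_rules_refresh(context,
                                      security_group_id=security_group['id'])

        return {'security_group_rule': self._format_security_group_rule(
                                                        context,
                                                        security_group_rule)}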
 def get_by_security_group_id(cls, context, security_group_id):
     """Return the instances that belong to the given security group.

     The group row is requested with its instances plus each instance's
     info_cache and system_metadata joined, and the instance list is
     built from that single result.
     """
     joins = ['instances.info_cache', 'instances.system_metadata']
     db_secgroup = db.security_group_get(context, security_group_id,
                                         columns_to_join=joins)
     members = db_secgroup['instances']
     return _make_instance_list(context, cls(), members,
                                ['info_cache', 'system_metadata'])
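    def delete(self, req, id):
        """Revoke one security group rule and respond 202 Accepted.

        :param req: WSGI request; the nova context is read from environ.
        :param id: rule id from the URL; must parse as an integer.
        :raises exc.HTTPBadRequest: id is not an integer.
        :raises exc.HTTPNotFound: no rule with that id.
        """
        context = req.environ['nova.context']

        self.compute_api.ensure_default_security_group(context)
        try:
            id = int(id)
            rule = db.security_group_rule_get(context, id)
        except ValueError:
            msg = _("Rule id is not integer")
            raise exc.HTTPBadRequest(explanation=msg)
        except exception.NotFound:
            # The caught exception is not needed; the message only uses the id.
            msg = _("Rule (%s) not found") % id
            raise exc.HTTPNotFound(explanation=msg)

        # The parent group is read with the request context so the audit
        # entry can name it and the refresh can target it.
        group_id = rule.parent_group_id
        # NOTE(review): ensure_default_security_group was already called
        # above; the repeat is kept as-is — confirm it is safe to drop.
        self.compute_api.ensure_default_security_group(context)
        security_group = db.security_group_get(context, group_id)

        msg = _("Revoke security group ingress %s")
        LOG.audit(msg, security_group['name'], context=context)

        db.security_group_rule_destroy(context, rule['id'])
        self.compute_api.trigger_security_group_rules_refresh(context,
                                    security_group_id=security_group['id'])

        return webob.Response(status_int=202)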
 def show(self, req, id):
     """Return the formatted security group with the given id.

     No id parsing or not-found handling happens here; whatever
     db.security_group_get raises propagates to the caller.
     """
     context = req.environ['nova.context']
     group = db.security_group_get(context, id)
     formatted = self._format_security_group(context, group)
     return {'security_group': formatted}
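    def create(self, req, body):
        """Create an ingress rule in the parent security group.

        :param req: WSGI request; the nova context is read from environ.
        :param body: decoded request body holding a ``security_group_rule``
            dict (``parent_group_id`` plus optional to_port, from_port,
            ip_protocol, cidr and group_id).
        :returns: ``{"security_group_rule": <formatted rule>}``
        :raises exc.HTTPUnprocessableEntity: missing or malformed body.
        :raises exc.HTTPBadRequest: non-integer/missing parent id, invalid
            rule arguments, incomplete rule, or duplicate rule.
        :raises exc.HTTPNotFound: parent group does not exist.
        """
        context = req.environ['nova.context']
        authorize(context)

        if not body or 'security_group_rule' not in body:
            raise exc.HTTPUnprocessableEntity()

        self.compute_api.ensure_default_security_group(context)

        sg_rule = body['security_group_rule']
        # The per-field .get() calls below need a mapping.
        if not isinstance(sg_rule, dict):
            raise exc.HTTPUnprocessableEntity()
        parent_group_id = sg_rule.get('parent_group_id', None)
        try:
            # int(None) raises TypeError, so a body without parent_group_id
            # must be caught here too instead of surfacing as a 500.
            parent_group_id = int(parent_group_id)
            security_group = db.security_group_get(context, parent_group_id)
        except (ValueError, TypeError):
            msg = _("Parent group id is not integer")
            raise exc.HTTPBadRequest(explanation=msg)
        except exception.NotFound:
            msg = _("Security group (%s) not found") % parent_group_id
            raise exc.HTTPNotFound(explanation=msg)

        msg = _("Authorize security group ingress %s")
        LOG.audit(msg, security_group['name'], context=context)

        try:
            values = self._rule_args_to_dict(
                context,
                to_port=sg_rule.get('to_port'),
                from_port=sg_rule.get('from_port'),
                parent_group_id=sg_rule.get('parent_group_id'),
                ip_protocol=sg_rule.get('ip_protocol'),
                cidr=sg_rule.get('cidr'),
                group_id=sg_rule.get('group_id'))
        except Exception as exp:
            # NOTE(review): this relays the text of *any* exception to the
            # client, not just the validation errors _rule_args_to_dict is
            # expected to raise; consider narrowing once those types are
            # confirmed so internal errors are not echoed back.
            raise exc.HTTPBadRequest(explanation=unicode(exp))

        if values is None:
            msg = _("Not enough parameters to build a valid rule.")
            raise exc.HTTPBadRequest(explanation=msg)

        values['parent_group_id'] = security_group.id

        # Duplicate check before insert so the same rule is not stored twice.
        if self._security_group_rule_exists(security_group, values):
            msg = _('This rule already exists in group %s') % parent_group_id
            raise exc.HTTPBadRequest(explanation=msg)

        security_group_rule = db.security_group_rule_create(context, values)
        self.sgh.trigger_security_group_rule_create_refresh(
            context, [security_group_rule['id']])
        self.compute_api.trigger_security_group_rules_refresh(
            context, security_group_id=security_group['id'])

        return {
            "security_group_rule":
            self._format_security_group_rule(context, security_group_rule)
        }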
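    def create(self, req, body):
        """Create an ingress rule in the parent security group.

        :param req: WSGI request; the nova context is read from environ.
        :param body: decoded request body holding a ``security_group_rule``
            dict (``parent_group_id`` plus optional to_port, from_port,
            ip_protocol, cidr and group_id).
        :returns: ``{"security_group_rule": <formatted rule>}``
        :raises exc.HTTPUnprocessableEntity: missing or malformed body.
        :raises exc.HTTPBadRequest: non-integer/missing parent id, invalid
            rule arguments, incomplete rule, or duplicate rule.
        :raises exc.HTTPNotFound: parent group does not exist.
        """
        context = req.environ['nova.context']
        authorize(context)

        if not body or 'security_group_rule' not in body:
            raise exc.HTTPUnprocessableEntity()

        self.compute_api.ensure_default_security_group(context)

        sg_rule = body['security_group_rule']
        # The per-field .get() calls below need a mapping.
        if not isinstance(sg_rule, dict):
            raise exc.HTTPUnprocessableEntity()
        parent_group_id = sg_rule.get('parent_group_id', None)
        try:
            # int(None) raises TypeError, so a body without parent_group_id
            # must be caught here too instead of surfacing as a 500.
            parent_group_id = int(parent_group_id)
            security_group = db.security_group_get(context, parent_group_id)
        except (ValueError, TypeError):
            msg = _("Parent group id is not integer")
            raise exc.HTTPBadRequest(explanation=msg)
        except exception.NotFound:
            msg = _("Security group (%s) not found") % parent_group_id
            raise exc.HTTPNotFound(explanation=msg)

        msg = _("Authorize security group ingress %s")
        LOG.audit(msg, security_group['name'], context=context)

        try:
            values = self._rule_args_to_dict(
                context,
                to_port=sg_rule.get('to_port'),
                from_port=sg_rule.get('from_port'),
                parent_group_id=sg_rule.get('parent_group_id'),
                ip_protocol=sg_rule.get('ip_protocol'),
                cidr=sg_rule.get('cidr'),
                group_id=sg_rule.get('group_id'))
        except Exception as exp:
            # NOTE(review): this relays the text of *any* exception to the
            # client, not just the validation errors _rule_args_to_dict is
            # expected to raise; consider narrowing once those types are
            # confirmed so internal errors are not echoed back.
            raise exc.HTTPBadRequest(explanation=unicode(exp))

        if values is None:
            msg = _("Not enough parameters to build a valid rule.")
            raise exc.HTTPBadRequest(explanation=msg)

        values['parent_group_id'] = security_group.id

        # Duplicate check before insert so the same rule is not stored twice.
        if self._security_group_rule_exists(security_group, values):
            msg = _('This rule already exists in group %s') % parent_group_id
            raise exc.HTTPBadRequest(explanation=msg)

        security_group_rule = db.security_group_rule_create(context, values)
        self.sgh.trigger_security_group_rule_create_refresh(
            context, [security_group_rule['id']])
        self.compute_api.trigger_security_group_rules_refresh(
            context, security_group_id=security_group['id'])

        return {"security_group_rule": self._format_security_group_rule(
                                                        context,
                                                        security_group_rule)}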
 def _get_security_group(self, context, id):
     """Look up a security group by id, mapping failures to HTTP errors.

     A non-integer id becomes 400; an unknown id becomes 404 carrying the
     NotFound message.
     """
     try:
         group_id = int(id)
         group = db.security_group_get(context, group_id)
     except ValueError:
         raise exc.HTTPBadRequest(
             explanation=_("Security group id should be integer"))
     except exception.NotFound as exp:
         raise exc.HTTPNotFound(explanation=unicode(exp))
     return group
 def _get_security_group(self, context, id):
     """Look up a security group by id, mapping failures to HTTP errors.

     A non-integer id becomes 400; an unknown id becomes 404 carrying the
     NotFound message.
     """
     try:
         group_id = int(id)
         group = db.security_group_get(context, group_id)
     except ValueError:
         raise exc.HTTPBadRequest(
             explanation=_("Security group id should be integer"))
     except exception.NotFound as exp:
         raise exc.HTTPNotFound(explanation=unicode(exp))
     return group
    def refresh_security_group_rules(self, security_group_id):
        """Re-apply instance filters for the members of a security group.

        Called after a rule has been added to or removed from the group.
        The group is read with an admin context; only instances already
        present in self._filters are re-prepared.
        """
        LOG.debug("refresh_security_group_rules: %s", locals())
        admin_ctxt = context.get_admin_context()
        group = db.security_group_get(admin_ctxt, security_group_id)
        for instance in group.instances:
            if instance.id not in self._filters:
                continue
            self.prepare_instance_filter(
                instance, self._network_infos.get(instance.id))
        LOG.debug("refresh_security_group_rules: end")
    def trigger_security_group_rule_create_refresh(self, context, rule_ids):
        """Hand each newly created rule to the rule manager.

        Rules and their parent groups are read with an elevated context;
        the tenant is the caller's project_id.
        """
        LOG.debug('rule_ids=%r', rule_ids)
        elevated = context.elevated()
        tenant_id = context.to_dict()['project_id']

        for rule_id in rule_ids:
            rule = db.security_group_rule_get(elevated, rule_id)
            parent_id = rule['parent_group_id']
            parent = db.security_group_get(elevated, parent_id)
            self.rule_manager.create_for_sg(tenant_id, parent_id,
                                            parent['name'], rule)
    def refresh_security_group_rules(self, security_group_id):
        """Re-apply instance filters for the members of a security group.

        Called after a rule has been added to or removed from the group.
        The group is read with an admin context; only instances already
        present in self._filters are re-prepared.
        """
        LOG.debug("refresh_security_group_rules: %s", locals())
        admin_ctxt = context.get_admin_context()
        group = db.security_group_get(admin_ctxt, security_group_id)
        for instance in group.instances:
            if instance.id not in self._filters:
                continue
            self.prepare_instance_filter(
                instance, self._network_infos.get(instance.id))
        LOG.debug("refresh_security_group_rules: end")
    def show(self, req, id):
        """Return data about the given security group.

        A non-integer id yields a 400 and an unknown id a 404; both error
        objects are returned rather than raised, as in the original.
        """
        context = req.environ['nova.context']
        try:
            group_id = int(id)
            security_group = db.security_group_get(context, group_id)
        except ValueError:
            return exc.HTTPBadRequest(
                explanation=_("Security group id is not integer"))
        except exception.NotFound as exp:
            return exc.HTTPNotFound(explanation=unicode(exp))

        formatted = self._format_security_group(context, security_group)
        return {'security_group': formatted}
    def test_destroy_instance_disassociates_security_groups(self):
        """Make sure destroying disassociates security groups"""
        group = self._create_group()

        default_type = instance_types.get_default_instance_type()
        ref = self.compute_api.create(self.context,
                                      instance_type=default_type,
                                      image_href=None,
                                      security_group=['testgroup'])
        try:
            db.instance_destroy(self.context, ref[0]['id'])
            # Re-read the group: its member list should now be empty.
            group = db.security_group_get(self.context, group['id'])
            self.assert_(len(group.instances) == 0)
        finally:
            db.security_group_destroy(self.context, group['id'])
 def _format_security_group_rule(self, context, rule):
     """Render a rule row as the API dict (single group / ip_range form).

     A rule with a source group_id gets a populated "group" entry (name
     and tenant of that group, looked up in the DB); otherwise its CIDR
     goes under "ip_range". The unused entry stays an empty dict.
     """
     formatted = {
         "id": rule.id,
         "parent_group_id": rule.parent_group_id,
         "ip_protocol": rule.protocol,
         "from_port": rule.from_port,
         "to_port": rule.to_port,
         "group": {},
         "ip_range": {},
     }
     if rule.group_id:
         source = db.security_group_get(context, rule.group_id)
         formatted["group"] = {"name": source.name,
                               "tenant_id": source.project_id}
     else:
         formatted["ip_range"] = {"cidr": rule.cidr}
     return formatted
    def test_destroy_instance_disassociates_security_groups(self):
        """Make sure destroying disassociates security groups"""
        group = self._create_group()

        default_type = instance_types.get_default_instance_type()
        ref = self.compute_api.create(self.context,
                                      instance_type=default_type,
                                      image_href=None,
                                      security_group=['testgroup'])
        try:
            db.instance_destroy(self.context, ref[0]['id'])
            # Re-read the group: its member list should now be empty.
            group = db.security_group_get(self.context, group['id'])
            self.assert_(len(group.instances) == 0)
        finally:
            db.security_group_destroy(self.context, group['id'])
 def _format_security_group_rule(self, context, rule):
     """Render a rule row as the API dict (groups / ip_ranges list form).

     A rule with a source group_id contributes one entry to "groups"
     (name and tenant of that group, looked up in the DB); otherwise its
     CIDR is the single "ip_ranges" entry. The other list stays empty.
     """
     formatted = {
         "id": rule.id,
         "parent_group_id": rule.parent_group_id,
         "group_id": rule.group_id,
         "ip_protocol": rule.protocol,
         "from_port": rule.from_port,
         "to_port": rule.to_port,
         "groups": [],
         "ip_ranges": [],
     }
     if rule.group_id:
         source = db.security_group_get(context, rule.group_id)
         formatted["groups"].append({"name": source.name,
                                     "tenant_id": source.project_id})
     else:
         formatted["ip_ranges"].append({"cidr": rule.cidr})
     return formatted
    def delete(self, req, id):
        """Delete a security group.

        A non-integer id yields a 400 and an unknown id a 404 (both
        returned, not raised); otherwise the deletion is audited and the
        row destroyed, answering 202 Accepted.
        """
        context = req.environ['nova.context']
        try:
            group_id = int(id)
            security_group = db.security_group_get(context, group_id)
        except ValueError:
            return exc.HTTPBadRequest(
                explanation=_("Security group id is not integer"))
        except exception.SecurityGroupNotFound as exp:
            return exc.HTTPNotFound(explanation=unicode(exp))

        LOG.audit(_("Delete security group %s"), group_id, context=context)
        db.security_group_destroy(context, security_group.id)

        return exc.HTTPAccepted()
 def test_create_instance_associates_security_groups(self):
     """Make sure create associates security groups"""
     group = self._create_group()
     ref = self.compute_api.create(self.context,
                                   instance_type=FLAGS.default_instance_type,
                                   image_id=None,
                                   security_group=['testgroup'])
     try:
         groups_for_instance = db.security_group_get_by_instance(
             self.context, ref[0]['id'])
         self.assertEqual(1, len(groups_for_instance))
         # Re-read the group: it should now list exactly one member.
         group = db.security_group_get(self.context, group['id'])
         self.assert_(len(group.instances) == 1)
     finally:
         db.security_group_destroy(self.context, group['id'])
         db.instance_destroy(self.context, ref[0]['id'])
 def _format_security_group_rule(self, context, rule):
     """Render a rule row as the API dict (single group / ip_range form).

     A rule with a source group_id gets a populated 'group' entry (name
     and tenant of that group, looked up in the DB); otherwise its CIDR
     goes under 'ip_range'. The unused entry stays an empty dict.
     """
     formatted = {
         'id': rule.id,
         'parent_group_id': rule.parent_group_id,
         'ip_protocol': rule.protocol,
         'from_port': rule.from_port,
         'to_port': rule.to_port,
         'group': {},
         'ip_range': {},
     }
     if rule.group_id:
         source = db.security_group_get(context, rule.group_id)
         formatted['group'] = {'name': source.name,
                               'tenant_id': source.project_id}
     else:
         formatted['ip_range'] = {'cidr': rule.cidr}
     return formatted
 def _format_security_group_rule(self, context, rule):
     """Render a rule row as the API dict (single group / ip_range form).

     A rule with a source group_id gets a populated 'group' entry (name
     and tenant of that group, looked up in the DB); otherwise its CIDR
     goes under 'ip_range'. The unused entry stays an empty dict.
     """
     formatted = {
         'id': rule.id,
         'parent_group_id': rule.parent_group_id,
         'ip_protocol': rule.protocol,
         'from_port': rule.from_port,
         'to_port': rule.to_port,
         'group': {},
         'ip_range': {},
     }
     if rule.group_id:
         source = db.security_group_get(context, rule.group_id)
         formatted['group'] = {'name': source.name,
                               'tenant_id': source.project_id}
     else:
         formatted['ip_range'] = {'cidr': rule.cidr}
     return formatted
    def test_destroy_security_group_disassociates_instances(self):
        """Make sure destroying security groups disassociates instances"""
        group = self._create_group()

        ref = self.compute_api.create(self.context,
                                      instance_type=FLAGS.default_instance_type,
                                      image_id=None,
                                      security_group=['testgroup'])

        try:
            db.security_group_destroy(self.context, group['id'])
            # Read the destroyed group back with read_deleted=True so the
            # row is still visible and its member list can be checked.
            admin_ctxt = context.get_admin_context(read_deleted=True)
            group = db.security_group_get(admin_ctxt, group['id'])
            self.assert_(len(group.instances) == 0)
        finally:
            db.instance_destroy(self.context, ref[0]['id'])
 def _format_security_group_rule(self, context, rule):
     """Render a rule row as the API dict (groups / ip_ranges list form).

     A rule with a source group_id contributes one entry to 'groups'
     (name and tenant of that group, looked up in the DB); otherwise its
     CIDR is the single 'ip_ranges' entry. The other list stays empty.
     """
     formatted = {
         'id': rule.id,
         'parent_group_id': rule.parent_group_id,
         'group_id': rule.group_id,
         'ip_protocol': rule.protocol,
         'from_port': rule.from_port,
         'to_port': rule.to_port,
         'groups': [],
         'ip_ranges': [],
     }
     if rule.group_id:
         source = db.security_group_get(context, rule.group_id)
         formatted['groups'].append({'name': source.name,
                                     'tenant_id': source.project_id})
     else:
         formatted['ip_ranges'].append({'cidr': rule.cidr})
     return formatted
def remove_rule(rule, context):
    """
    Remove a security rule.

    rule -- The rule
    context -- The os context.

    The parent group is looked up before the rule row is destroyed; the
    security handler and the compute API are then both asked to refresh.
    """
    # TODO: check exception handling!
    parent_id = rule['parent_group_id']
    # TODO(dizz): method seems to be gone!
    # self.compute_api.ensure_default_security_group(extras['nova_ctx'])
    parent_group = db.security_group_get(context, parent_id)

    rule_id = rule['id']
    db.security_group_rule_destroy(context, rule_id)
    SEC_HANDLER.trigger_security_group_rule_destroy_refresh(context,
                                                            [rule_id])
    COMPUTE_API.trigger_security_group_rules_refresh(context,
                                                     parent_group['id'])
    def delete(self, req, id):
        """Revoke one rule from its parent group and respond 202 Accepted.

        A missing rule or parent group is reported through the API's own
        exception types rather than HTTP errors.
        """
        context = req.environ["nova.context"]
        rule = sqlalchemy_api.security_group_rule_get(context, id)
        if not rule:
            raise exception.ApiError(_("Rule not found"))
        group_id = rule.parent_group_id

        self.compute_api.ensure_default_security_group(context)

        group = db.security_group_get(context, group_id)
        if not group:
            raise exception.SecurityGroupNotFound(security_group_id=group_id)

        LOG.audit(_("Revoke security group ingress %s"), group["name"],
                  context=context)

        db.security_group_rule_destroy(context, rule["id"])
        self.compute_api.trigger_security_group_rules_refresh(
            context, security_group_id=group["id"])
        return exc.HTTPAccepted()
    def delete(self, req, id):
        """Revoke one rule from its parent group and respond 202 Accepted.

        A missing rule or parent group is reported through the API's own
        exception types rather than HTTP errors.
        """
        context = req.environ['nova.context']
        rule = sqlalchemy_api.security_group_rule_get(context, id)
        if not rule:
            raise exception.ApiError(_("Rule not found"))
        group_id = rule.parent_group_id

        self.compute_api.ensure_default_security_group(context)

        group = db.security_group_get(context, group_id)
        if not group:
            raise exception.SecurityGroupNotFound(security_group_id=group_id)

        LOG.audit(_("Revoke security group ingress %s"), group['name'],
                  context=context)

        db.security_group_rule_destroy(context, rule['id'])
        self.compute_api.trigger_security_group_rules_refresh(
            context, security_group_id=group['id'])
        return exc.HTTPAccepted()
File: cloud.py Project: yosh/nova
 def _format_security_group(self, context, group):
     """Render a security group in EC2 style (groupName/ipPermissions).

     Each rule becomes one ipPermissions entry: a rule with a source
     group_id lists that group under 'groups' (looked up in the DB),
     otherwise its CIDR goes under 'ipRanges'.
     """
     formatted = {
         'groupDescription': group.description,
         'groupName': group.name,
         'ownerId': group.project_id,
         'ipPermissions': [],
     }
     for rule in group.rules:
         permission = {
             'ipProtocol': rule.protocol,
             'fromPort': rule.from_port,
             'toPort': rule.to_port,
             'groups': [],
             'ipRanges': [],
         }
         if rule.group_id:
             source = db.security_group_get(context, rule.group_id)
             permission['groups'].append({'groupName': source.name,
                                          'userId': source.project_id})
         else:
             permission['ipRanges'].append({'cidrIp': rule.cidr})
         formatted['ipPermissions'].append(permission)
     return formatted
    def security_group_to_nwfilter_xml(self, security_group_id):
        """Build the libvirt nwfilter XML for one security group.

        The group is read with an admin context. Every rule becomes an
        accept/in <rule> element; a rule without a CIDR produces an empty
        <rule>. Returns the complete <filter> document as a string.

        NOTE(review): rule fields (protocol, CIDR, ports) are interpolated
        into the XML without escaping. This relies on them having been
        validated when the rule was created (protocol/port/CIDR checks in
        the API layer) — confirm before trusting it for other inputs.
        """
        security_group = db.security_group_get(context.get_admin_context(),
                                               security_group_id)
        rule_xml = ""
        # IPv6 names of the libvirt protocol elements.
        v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
        for rule in security_group.rules:
            rule_xml += "<rule action='accept' direction='in' priority='300'>"
            if rule.cidr:
                version = netutils.get_ip_version(rule.cidr)
                protocol = rule.protocol.lower()
                # v6protocol lookup raises KeyError for a protocol outside
                # tcp/udp/icmp; the IPv4 branch emits the name unchecked.
                if(FLAGS.use_ipv6 and version == 6):
                    net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (v6protocol[protocol], net, prefixlen)
                else:
                    net, mask = netutils.get_net_and_mask(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (protocol, net, mask)
                if protocol in ['tcp', 'udp']:
                    rule_xml += "dstportstart='%s' dstportend='%s' " % \
                                (rule.from_port, rule.to_port)
                elif protocol == 'icmp':
                    LOG.info('rule.protocol: %r, rule.from_port: %r, '
                             'rule.to_port: %r', protocol,
                             rule.from_port, rule.to_port)
                    # -1 means "any" for ICMP type/code: the attribute is
                    # simply omitted.
                    if rule.from_port != -1:
                        rule_xml += "type='%s' " % rule.from_port
                    if rule.to_port != -1:
                        rule_xml += "code='%s' " % rule.to_port

                rule_xml += '/>\n'
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-secgroup-%s' " % security_group_id
        # Chain selection depends only on the global IPv6 flag, not on
        # the address families actually present in the rules.
        if(FLAGS.use_ipv6):
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
    def security_group_to_nwfilter_xml(security_group_id):
        """Build the libvirt nwfilter XML for one security group.

        The group is read with an admin context. Every rule becomes an
        accept/in <rule> element; a rule without a CIDR produces an empty
        <rule>. Returns the complete <filter> document as a string.

        NOTE(review): rule fields (protocol, CIDR, ports) are interpolated
        into the XML without escaping, and rule.protocol is used as-is
        (no lower-casing). This relies on the values having been validated
        when the rule was created — confirm before trusting it for other
        inputs.
        """
        security_group = db.security_group_get(context.get_admin_context(),
                                               security_group_id)
        rule_xml = ""
        # IPv6 names of the libvirt protocol elements.
        v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
        for rule in security_group.rules:
            rule_xml += "<rule action='accept' direction='in' priority='300'>"
            if rule.cidr:
                version = netutils.get_ip_version(rule.cidr)
                # v6protocol lookup raises KeyError for a protocol outside
                # tcp/udp/icmp; the IPv4 branch emits the name unchecked.
                if (FLAGS.use_ipv6 and version == 6):
                    net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (v6protocol[rule.protocol], net, prefixlen)
                else:
                    net, mask = netutils.get_net_and_mask(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (rule.protocol, net, mask)
                if rule.protocol in ['tcp', 'udp']:
                    rule_xml += "dstportstart='%s' dstportend='%s' " % \
                                (rule.from_port, rule.to_port)
                elif rule.protocol == 'icmp':
                    LOG.info(
                        'rule.protocol: %r, rule.from_port: %r, '
                        'rule.to_port: %r', rule.protocol, rule.from_port,
                        rule.to_port)
                    # -1 means "any" for ICMP type/code: the attribute is
                    # simply omitted.
                    if rule.from_port != -1:
                        rule_xml += "type='%s' " % rule.from_port
                    if rule.to_port != -1:
                        rule_xml += "code='%s' " % rule.to_port

                rule_xml += '/>\n'
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-secgroup-%s' " % security_group_id
        # Chain selection depends only on the global IPv6 flag, not on
        # the address families actually present in the rules.
        if (FLAGS.use_ipv6):
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
 def _format_security_group(self, context, group):
     """Render a security group in EC2 style (groupName/ipPermissions).

     Each rule becomes one ipPermissions entry: a rule with a source
     group_id lists that group under 'groups' (looked up in the DB),
     otherwise its CIDR goes under 'ipRanges'.
     """
     formatted = {
         'groupDescription': group.description,
         'groupName': group.name,
         'ownerId': group.project_id,
         'ipPermissions': [],
     }
     for rule in group.rules:
         permission = {
             'ipProtocol': rule.protocol,
             'fromPort': rule.from_port,
             'toPort': rule.to_port,
             'groups': [],
             'ipRanges': [],
         }
         if rule.group_id:
             source = db.security_group_get(context, rule.group_id)
             permission['groups'].append({'groupName': source.name,
                                          'userId': source.project_id})
         else:
             permission['ipRanges'].append({'cidrIp': rule.cidr})
         formatted['ipPermissions'].append(permission)
     return formatted
    def security_group_to_nwfilter_xml(self, security_group_id):
        """Build the libvirt nwfilter XML for one security group.

        The group is loaded under an admin context via
        ``db.security_group_get`` and each of its rules becomes one
        ``<rule action='accept' direction='in' priority='300'>`` element.
        Only rules with a ``cidr`` get a protocol match child; a rule
        without one is emitted as an empty ``<rule>``.  When
        ``FLAGS.use_ipv6`` is set and the cidr is IPv6, the tag name comes
        from the ``-ipv6`` table (an unknown protocol raises ``KeyError``
        there); on the IPv4 path the stored protocol string is written
        into the tag name as-is.  The document is assembled by string
        interpolation of DB values with no XML escaping, so it relies on
        those values having been validated on the way in.  For icmp,
        ``from_port``/``to_port`` are reused as type/code and ``-1``
        (unspecified) is left out.
        """
        admin_ctxt = context.get_admin_context()
        group = db.security_group_get(admin_ctxt, security_group_id)
        ipv6_tag = {"tcp": "tcp-ipv6", "udp": "udp-ipv6", "icmp": "icmpv6"}

        parts = []
        for rule in group.rules:
            parts.append("<rule action='accept' direction='in' priority='300'>")
            if rule.cidr:
                version = netutils.get_ip_version(rule.cidr)
                if FLAGS.use_ipv6 and version == 6:
                    net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                    parts.append("<%s srcipaddr='%s' srcipmask='%s' "
                                 % (ipv6_tag[rule.protocol], net, prefixlen))
                else:
                    net, mask = netutils.get_net_and_mask(rule.cidr)
                    parts.append("<%s srcipaddr='%s' srcipmask='%s' "
                                 % (rule.protocol, net, mask))

                proto = rule.protocol
                if proto in ("tcp", "udp"):
                    parts.append("dstportstart='%s' dstportend='%s' "
                                 % (rule.from_port, rule.to_port))
                elif proto == "icmp":
                    LOG.info(
                        "rule.protocol: %r, rule.from_port: %r, rule.to_port: %r",
                        rule.protocol, rule.from_port, rule.to_port,
                    )
                    # -1 means "any" for the repurposed type/code fields
                    if rule.from_port != -1:
                        parts.append("type='%s' " % rule.from_port)
                    if rule.to_port != -1:
                        parts.append("code='%s' " % rule.to_port)

                parts.append("/>\n")
            parts.append("</rule>\n")

        rule_xml = "".join(parts)
        chain = "root" if FLAGS.use_ipv6 else "ipv4"
        return "<filter name='nova-secgroup-%s' chain='%s'>%s</filter>" % (
            security_group_id, chain, rule_xml)
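    def create_for_sg(self, tenant_id, sg_id, sg_name, rule):
        """Translate one nova security-group rule into a MidoNet accept rule.

        Finds the tenant's chain named after ``(sg_id, sg_name)`` and adds an
        ``accept`` rule to it.  The rule's source is either ``rule['cidr']``
        (split into ``nw_src_address`` / ``nw_src_length``) or, when no cidr
        is given, the port group belonging to the source security group
        ``rule['group_id']``.  ``from_port``/``to_port`` become the
        destination port range for tcp/udp; for icmp they are reinterpreted
        as type/code, with nova's ``-1`` wildcard mapped to MidoNet's
        ``None``.

        Args:
            tenant_id: tenant whose chains and port groups are searched.
            sg_id, sg_name: identify the security group's chain.
            rule: mapping with ``id``, ``parent_group_id``, ``protocol``,
                ``from_port``, ``to_port``, ``cidr`` and, for group-sourced
                rules, ``group_id``.

        Raises:
            LookupError: the chain or the source port group does not exist
                (previously a bare ``assert``, which is stripped under -O).
            ValueError: ``rule['protocol']`` is not tcp, udp or icmp.
        """
        LOG.debug('sg_ig=%r, sg_name=%r', sg_id, sg_name)
        LOG.debug('parent_group_id=%r', rule['parent_group_id'])
        LOG.debug('protocol=%r', rule['protocol'])
        LOG.debug('from_port=%r', rule['from_port'])
        LOG.debug('to_port=%r', rule['to_port'])
        LOG.debug('cidr=%r', rule['cidr'])

        def _find_by_name(items, name, what):
            """Return the first item whose get_name() equals *name*.

            Raises LookupError rather than asserting so that a missing
            chain/port group fails loudly even when asserts are disabled.
            """
            for item in items:
                if item.get_name() == name:
                    return item
            raise LookupError('%s %r not found for tenant %r'
                              % (what, name, tenant_id))

        cname = chain_name(sg_id, sg_name)

        # search for the chain to put rules
        chains = self.mido_api.get_chains({'tenant_id': tenant_id})
        sg_chain = _find_by_name(chains, cname, 'chain')
        LOG.debug('putting a rule to the chain id=%r', sg_chain.get_id())

        # construct a corresponding rule
        tp_src_start = tp_src_end = None
        nw_src_address = None
        nw_src_length = None
        port_group_id = None

        # handle source
        if rule['cidr'] is not None:
            nw_src_address, nw_src_length = rule['cidr'].split('/')
        else:  # security group as a source
            port_groups = self.mido_api.get_port_groups(
                {'tenant_id': tenant_id})
            if self.virtapi:
                # Fix: the looked-up group used to be discarded here, so the
                # port_group_name() call below raised NameError on this path.
                # NOTE(review): assumes security_group_api.get() returns a
                # mapping with 'id' and 'name' like the db row -- confirm.
                group = self.security_group_api.get(id=rule['group_id'])
            else:
                ctxt = context.get_admin_context()
                group = db.security_group_get(ctxt, rule['group_id'])

            pg_name = port_group_name(group['id'], group['name'])
            port_group_id = _find_by_name(
                port_groups, pg_name, 'port group').get_id()

        # dst ports
        tp_dst_start, tp_dst_end = rule['from_port'], rule['to_port']

        # protocol
        protocol = rule['protocol']
        if protocol == 'tcp':
            nw_proto = 6
        elif protocol == 'udp':
            nw_proto = 17
        elif protocol == 'icmp':
            nw_proto = 1
            # extract type and code from the repurposed port fields
            icmp_type = rule['from_port']
            icmp_code = rule['to_port']

            # translate -1 (wildcard in OS) to midonet wildcard
            if icmp_type == -1:
                icmp_type = None
            if icmp_code == -1:
                icmp_code = None

            # set data for midonet rule
            tp_src_start = tp_src_end = icmp_type
            tp_dst_start = tp_dst_end = icmp_code
        else:
            # Fail closed.  The original fell through to an UnboundLocalError
            # on nw_proto; mapping an unknown protocol to "any" instead would
            # silently widen the rule, so refuse it explicitly.
            raise ValueError('unsupported protocol %r for rule %r'
                             % (protocol, rule['id']))
        tp_src = {'start': tp_src_start, 'end': tp_src_end}
        tp_dst = {'start': tp_dst_start, 'end': tp_dst_end}

        # create an accept rule
        properties = self._properties(rule['id'])
        chain = self.mido_api.get_chain(sg_chain.get_id())
        (chain.add_rule()
              .port_group(port_group_id)
              .type('accept')
              .nw_proto(nw_proto)
              .nw_src_address(nw_src_address)
              .nw_src_length(nw_src_length)
              .tp_src(tp_src)
              .tp_dst(tp_dst)
              .properties(properties)
              .create())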
    def _rule_args_to_dict(self,
                           context,
                           to_port=None,
                           from_port=None,
                           parent_group_id=None,
                           ip_protocol=None,
                           cidr=None,
                           group_id=None):
        """Validate user-supplied rule arguments and normalise them to a dict.

        This is the trust boundary for rule input: every argument comes from
        the API request.  Group ids and ports are coerced to int, the
        protocol is restricted to tcp/udp/icmp, the port range is bounded
        and a source group is confirmed to exist before anything is stored.

        Returns:
            The validated ``values`` dict (``group_id`` or ``cidr``, plus
            ``protocol``/``from_port``/``to_port`` when supplied), or
            ``None`` for a cidr-based rule that lacks a protocol/port triple.

        Raises:
            exception.InvalidInput, exception.InvalidCidr,
            exception.InvalidPortRange, exception.InvalidIpProtocol on bad
            input; whatever ``db.security_group_get`` raises for an unknown
            ``group_id``.
        """
        values = {}

        if group_id:
            try:
                parent_group_id = int(parent_group_id)
                group_id = int(group_id)
            except ValueError:
                # NOTE(review): int(None) raises TypeError, not ValueError,
                # so a request with group_id but no parent_group_id escapes
                # this handler.
                msg = _("Parent or group id is not integer")
                raise exception.InvalidInput(reason=msg)

            if parent_group_id == group_id:
                msg = _("Parent group id and group id cannot be same")
                raise exception.InvalidInput(reason=msg)

            values['group_id'] = group_id
            # Existence check only: the lookup result is discarded.  Whether
            # it also scopes the group to the caller's project depends on
            # db.security_group_get, which is not visible here.
            db.security_group_get(context, group_id)
        elif cidr:
            # If this fails, it throws an exception. This is what we want.
            # Any failure (URL-unquote, the Python 2 str.decode(), or
            # netaddr rejecting the text) is reported as InvalidCidr; note
            # that `cidr` may already be the decoded value by then.
            try:
                cidr = urllib.unquote(cidr).decode()
                netaddr.IPNetwork(cidr)
            except Exception:
                raise exception.InvalidCidr(cidr=cidr)
            values['cidr'] = cidr
        else:
            # Neither a source group nor a cidr: the rule applies to the
            # whole IPv4 address space.
            values['cidr'] = '0.0.0.0/0'

        # Truthiness test: a port value of 0 counts as "not supplied".
        if ip_protocol and from_port and to_port:

            try:
                from_port = int(from_port)
                to_port = int(to_port)
            except ValueError:
                raise exception.InvalidPortRange(from_port=from_port,
                                                 to_port=to_port)
            ip_protocol = str(ip_protocol)
            if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
                raise exception.InvalidIpProtocol(protocol=ip_protocol)
            # -1 is accepted as the icmp type/code wildcard.  The same
            # bounds apply to all three protocols, so icmp type/code values
            # up to 65535 pass here, and from_port > to_port is not rejected.
            if ((min(from_port, to_port) < -1)
                    or (max(from_port, to_port) > 65535)):
                raise exception.InvalidPortRange(from_port=from_port,
                                                 to_port=to_port)

            # Stored as given (case preserved), not the upper-cased form.
            values['protocol'] = ip_protocol
            values['from_port'] = from_port
            values['to_port'] = to_port
        else:
            # If cidr based filtering, protocol and ports are mandatory
            if 'cidr' in values:
                return None

        return values
    def _rule_args_to_dict(self, context, to_port=None, from_port=None,
                                  parent_group_id=None, ip_protocol=None,
                                  cidr=None, group_id=None):
        """Validate user-supplied rule arguments and normalise them to a dict.

        Trust boundary for rule input from the API request: group ids and
        ports are coerced to int, the cidr is URL-unquoted and checked with
        ``utils.is_valid_cidr``, the protocol is restricted to tcp/udp/icmp
        and per-protocol bounds are enforced on the port (or icmp type/code)
        range.

        Returns:
            The validated ``values`` dict, or ``None`` for a cidr-based rule
            that lacks a protocol/port triple.

        Raises:
            exception.InvalidInput, exception.InvalidCidr,
            exception.InvalidPortRange, exception.InvalidIpProtocol on bad
            input; whatever ``db.security_group_get`` raises for an unknown
            ``group_id``.
        """
        values = {}

        if group_id is not None:
            try:
                parent_group_id = int(parent_group_id)
                group_id = int(group_id)
            except ValueError:
                # NOTE(review): int(None) raises TypeError, not ValueError,
                # so a missing parent_group_id escapes this handler.
                msg = _("Parent or group id is not integer")
                raise exception.InvalidInput(reason=msg)

            if parent_group_id == group_id:
                msg = _("Parent group id and group id cannot be same")
                raise exception.InvalidInput(reason=msg)

            values['group_id'] = group_id
            # Existence check only: the result is discarded.  Any project
            # scoping is whatever db.security_group_get applies.
            db.security_group_get(context, group_id)
        elif cidr:
            # If this fails, it throws an exception. This is what we want.
            # The .decode() is a Python 2 str->unicode step; any failure in
            # unquote/decode is reported as InvalidCidr.
            try:
                cidr = urllib.unquote(cidr).decode()
            except Exception:
                raise exception.InvalidCidr(cidr=cidr)

            if not utils.is_valid_cidr(cidr):
                # Raise exception for non-valid address
                raise exception.InvalidCidr(cidr=cidr)

            values['cidr'] = cidr
        else:
            # No source group and no cidr: the rule applies to the whole
            # IPv4 address space.
            values['cidr'] = '0.0.0.0/0'

        # Truthiness test: a port value of 0 counts as "not supplied".
        if ip_protocol and from_port and to_port:

            ip_protocol = str(ip_protocol)
            try:
                from_port = int(from_port)
                to_port = int(to_port)
            except ValueError:
                if ip_protocol.upper() == 'ICMP':
                    raise exception.InvalidInput(reason="Type and"
                         " Code must be integers for ICMP protocol type")
                else:
                    raise exception.InvalidInput(reason="To and From ports "
                          "must be integers")

            if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
                raise exception.InvalidIpProtocol(protocol=ip_protocol)

            # Verify that from_port must always be less than
            # or equal to to_port (applies to icmp type/code as well)
            if from_port > to_port:
                raise exception.InvalidPortRange(from_port=from_port,
                      to_port=to_port, msg="Former value cannot"
                                            " be greater than the later")

            # Verify valid TCP, UDP port ranges.  Together with the ordering
            # check above this bounds both ends to 1..65535.
            if (ip_protocol.upper() in ['TCP', 'UDP'] and
                (from_port < 1 or to_port > 65535)):
                raise exception.InvalidPortRange(from_port=from_port,
                      to_port=to_port, msg="Valid TCP ports should"
                                           " be between 1-65535")

            # Verify ICMP type and code: -1 is the wildcard, 255 the upper
            # bound; the ordering check above covers the other two ends.
            if (ip_protocol.upper() == "ICMP" and
                (from_port < -1 or to_port > 255)):
                raise exception.InvalidPortRange(from_port=from_port,
                      to_port=to_port, msg="For ICMP, the"
                                           " type:code must be valid")

            # Stored as given (case preserved), not the upper-cased form.
            values['protocol'] = ip_protocol
            values['from_port'] = from_port
            values['to_port'] = to_port
        else:
            # If cidr based filtering, protocol and ports are mandatory
            if 'cidr' in values:
                return None

        return values
 def refresh(self):
     """Re-read this group's DB row and hand it to ``_from_db_object``.

     Uses the context stored on the object (``self._context``) and the
     object's own ``id`` for the lookup.
     """
     ctxt = self._context
     row = db.security_group_get(ctxt, self.id)
     self._from_db_object(ctxt, self, row)
 def refresh(self, context):
     """Re-read this group's DB row under *context* and hand it to
     ``SecurityGroup._from_db_object`` together with ``self``."""
     row = db.security_group_get(context, self.id)
     SecurityGroup._from_db_object(context, self, row)
 def get(cls, context, secgroup_id):
     """Load the security group *secgroup_id* under *context*.

     Fetches the DB row first, then builds a fresh instance and returns
     whatever ``_from_db_object`` produces from the two.
     """
     row = db.security_group_get(context, secgroup_id)
     obj = cls()
     return cls._from_db_object(context, obj, row)
 def refresh(self, context):
     """Re-read this group's DB row under *context* and hand it to
     ``SecurityGroup._from_db_object``; this variant does not pass the
     context on to ``_from_db_object``."""
     row = db.security_group_get(context, self.id)
     SecurityGroup._from_db_object(self, row)
 def show(self, req, id):
     """GET handler: return one security group as ``{'security_group': ...}``.

     The lookup runs under the request's ``nova.context``; ``id`` is taken
     straight from the URL.  Any project scoping of the result is whatever
     ``db.security_group_get`` applies, which is not visible here.
     """
     context = req.environ['nova.context']
     group = db.security_group_get(context, id)
     body = self._format_security_group(context, group)
     return {'security_group': body}
    def _rule_args_to_dict(self, context, to_port=None, from_port=None,
                                  parent_group_id=None, ip_protocol=None,
                                  cidr=None, group_id=None):
        """Validate user-supplied rule arguments and normalise them to a dict.

        Trust boundary for rule input from the API request: group ids and
        ports are coerced to int, the cidr is URL-unquoted and checked with
        ``utils.is_valid_cidr``, the protocol is restricted to tcp/udp/icmp
        and per-protocol bounds are enforced.  For group-sourced rules that
        name a protocol but no ports, the full range is filled in (tcp/udp
        1-65535, icmp type/code -1/-1), i.e. the rule is opened as wide as
        that protocol allows.  Unlike the check in other variants of this
        method, nothing here rejects ``group_id == parent_group_id``.

        Returns:
            The validated ``values`` dict, or ``None`` for a cidr-based rule
            that lacks a protocol/port triple.

        Raises:
            exception.InvalidInput, exception.InvalidCidr,
            exception.InvalidPortRange, exception.InvalidIpProtocol on bad
            input; whatever ``db.security_group_get`` raises for an unknown
            ``group_id``.
        """
        values = {}

        if group_id is not None:
            try:
                parent_group_id = int(parent_group_id)
                group_id = int(group_id)
            except ValueError:
                # NOTE(review): int(None) raises TypeError, not ValueError,
                # so a missing parent_group_id escapes this handler.
                msg = _("Parent or group id is not integer")
                raise exception.InvalidInput(reason=msg)

            values['group_id'] = group_id
            # Existence check only: the result is discarded.  Any project
            # scoping is whatever db.security_group_get applies.
            db.security_group_get(context, group_id)
        elif cidr:
            # If this fails, it throws an exception. This is what we want.
            # The .decode() is a Python 2 str->unicode step; any failure in
            # unquote/decode is reported as InvalidCidr.
            try:
                cidr = urllib.unquote(cidr).decode()
            except Exception:
                raise exception.InvalidCidr(cidr=cidr)

            if not utils.is_valid_cidr(cidr):
                # Raise exception for non-valid address
                raise exception.InvalidCidr(cidr=cidr)

            values['cidr'] = cidr
        else:
            # No source group and no cidr: the rule applies to the whole
            # IPv4 address space.
            values['cidr'] = '0.0.0.0/0'

        # Truthiness here, versus `is not None` above: a group_id of 0 takes
        # the first branch but not this one.
        if group_id:
            # Open everything if an explicit port range or type/code are not
            # specified, but only if a source group was specified.
            # ip_protocol has not been str()-coerced yet at this point, so a
            # truthy non-string value would raise AttributeError on .upper().
            ip_proto_upper = ip_protocol.upper() if ip_protocol else ''
            if (ip_proto_upper == 'ICMP' and
                from_port is None and to_port is None):
                from_port = -1
                to_port = -1
            elif (ip_proto_upper in ['TCP', 'UDP'] and from_port is None
                  and to_port is None):
                from_port = 1
                to_port = 65535

        # Explicit None checks, so a port of 0 counts as supplied here.
        if ip_protocol and from_port is not None and to_port is not None:

            ip_protocol = str(ip_protocol)
            try:
                from_port = int(from_port)
                to_port = int(to_port)
            except ValueError:
                if ip_protocol.upper() == 'ICMP':
                    raise exception.InvalidInput(reason="Type and"
                         " Code must be integers for ICMP protocol type")
                else:
                    raise exception.InvalidInput(reason="To and From ports "
                          "must be integers")

            if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
                raise exception.InvalidIpProtocol(protocol=ip_protocol)

            # Verify that from_port must always be less than
            # or equal to to_port.  Only for tcp/udp: icmp type and code are
            # independent values, so no ordering is imposed on them.
            if (ip_protocol.upper() in ['TCP', 'UDP'] and
                from_port > to_port):
                raise exception.InvalidPortRange(from_port=from_port,
                      to_port=to_port, msg="Former value cannot"
                                            " be greater than the later")

            # Verify valid TCP, UDP port ranges.  Together with the ordering
            # check above this bounds both ends to 1..65535.
            if (ip_protocol.upper() in ['TCP', 'UDP'] and
                (from_port < 1 or to_port > 65535)):
                raise exception.InvalidPortRange(from_port=from_port,
                      to_port=to_port, msg="Valid TCP ports should"
                                           " be between 1-65535")

            # Verify ICMP type and code: each must be in -1..255 (-1 is the
            # wildcard); both ends are checked since no ordering applies.
            if (ip_protocol.upper() == "ICMP" and
                (from_port < -1 or from_port > 255 or
                to_port < -1 or to_port > 255)):
                raise exception.InvalidPortRange(from_port=from_port,
                      to_port=to_port, msg="For ICMP, the"
                                           " type:code must be valid")

            # Stored as given (case preserved), not the upper-cased form.
            values['protocol'] = ip_protocol
            values['from_port'] = from_port
            values['to_port'] = to_port
        else:
            # If cidr based filtering, protocol and ports are mandatory
            if 'cidr' in values:
                return None

        return values
 def get(cls, context, secgroup_id):
     """Fetch security group *secgroup_id* under *context* as a ``cls``.

     The DB row is looked up first; a new empty instance is then populated
     from it by ``_from_db_object`` and returned.
     """
     db_row = db.security_group_get(context, secgroup_id)
     instance = cls()
     return cls._from_db_object(context, instance, db_row)
 def refresh(self):
     """Re-read this group's DB row (using ``self._context`` and ``self.id``)
     and hand it to ``_from_db_object`` together with ``self``."""
     ctxt = self._context
     db_row = db.security_group_get(ctxt, self.id)
     self._from_db_object(ctxt, self, db_row)