Example #1
def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rules carrying a truthy ``remote_group_id`` or a ``direction`` other
    than ``"ingress"`` are refused. A truthy protocol is translated and
    checked against the port bounds; port bounds without a protocol are
    refused. The ethertype is replaced by its translated form and the
    remote IP prefix is validated against it.

    :param context: request context; not used by this function.
    :param rule: rule dict; mutated and returned. ``protocol``,
        ``port_range_min``, ``port_range_max`` and ``ethertype`` are read
        with plain key access, so a missing key raises ``KeyError``.
    :returns: the same ``rule`` dict. When the protocol was falsy the
        ``protocol`` key has been popped and is not put back.
    :raises exceptions.InvalidInput: remote group or non-ingress rule.
    :raises sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound
        was given without a protocol.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # An absent direction is accepted; anything present must be ingress.
    if rule.get("direction", "ingress") != "ingress":
        raise exceptions.InvalidInput(
            error_message="Non-ingress rules are not currently supported")

    proto = rule.pop('protocol')
    low_port = rule['port_range_min']
    high_port = rule['port_range_max']

    if not proto:
        # Port bounds are only meaningful together with a protocol.
        if not (low_port is None and high_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(proto, low_port,
                                                     high_port)
        rule['protocol'] = proto

    translated_ethertype = protocols.translate_ethertype(rule["ethertype"])
    rule["ethertype"] = translated_ethertype

    remote_prefix = rule.get("remote_ip_prefix")
    protocols.validate_remote_ip_prefix(translated_ethertype, remote_prefix)

    return rule
Example #2
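def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rules carrying a truthy ``remote_group_id`` are refused, and egress
    rules are refused unless ``EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``. A truthy protocol is
    translated and checked against the port bounds; port bounds without a
    protocol are refused. The ethertype is stored in translated form and
    the remote IP prefix is validated against it.

    :param context: request context; not used by this function.
    :param rule: rule dict; mutated and returned. ``protocol``, the port
        bounds and ``ethertype`` are all optional keys.
    :returns: the same ``rule`` dict. When the protocol was absent or
        falsy, the ``protocol`` key is not present in the result.
    :raises n_exc.InvalidInput: the rule references a remote group.
    :raises q_exc.EgressSecurityGroupRulesNotEnabled: egress rule while
        the capability is not enabled.
    :raises sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound
        was given without a protocol.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the egress value is gated here; any other
    # direction value passes through unchecked. Presumably the API layer
    # restricts the allowed values - confirm against the caller.
    direction = rule.get("direction")
    if direction == env.Capabilities.EGRESS:
        if env.Capabilities.EGRESS not in CONF.QUARK.environment_capabilities:
            raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # The port bounds below are read as optional keys, so read the protocol
    # the same way: a rule without the key is handled as "no protocol"
    # instead of failing with a bare KeyError.
    protocol = rule.pop('protocol', None)
    # NOTE(roaet): these are not required by spec
    port_range_min = rule.get('port_range_min')
    port_range_max = rule.get('port_range_max')
    # TODO(anyone): this will error as None, so defaulting to ipv4
    # NOTE(review): the default covers only a missing key; an explicit
    # None value still reaches translate_ethertype.
    et = rule.get('ethertype', 'IPv4')
    ethertype = protocols.translate_ethertype(et)

    if protocol:
        protocol = protocols.translate_protocol(protocol, et)
        protocols.validate_protocol_with_port_ranges(ethertype, protocol,
                                                     port_range_min,
                                                     port_range_max)
        rule['protocol'] = protocol
    elif port_range_min is not None or port_range_max is not None:
        # Port bounds are only meaningful together with a protocol.
        raise sg_ext.SecurityGroupProtocolRequiredWithPorts()

    rule["ethertype"] = ethertype

    protocols.validate_remote_ip_prefix(ethertype,
                                        rule.get("remote_ip_prefix"))

    return rule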
Example #3
def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rules carrying a truthy ``remote_group_id`` are refused, and egress
    rules are refused unless ``EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``. A truthy protocol is
    translated and checked against the port bounds; port bounds without a
    protocol are refused. The ethertype is stored in translated form and
    the remote IP prefix is validated against it.

    :param context: request context; not used by this function.
    :param rule: rule dict; mutated and returned. ``protocol``,
        ``port_range_min``, ``port_range_max`` and ``ethertype`` are read
        with plain key access, so a missing key raises ``KeyError``.
    :returns: the same ``rule`` dict. When the protocol was falsy the
        ``protocol`` key has been popped and is not put back.
    :raises n_exc.InvalidInput: the rule references a remote group.
    :raises q_exc.EgressSecurityGroupRulesNotEnabled: egress rule while
        the capability is not enabled.
    :raises sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound
        was given without a protocol.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the egress value is gated here; any other
    # direction value passes through unchecked. Presumably the API layer
    # restricts the allowed values - confirm against the caller.
    if (rule.get("direction") == Capabilities.EGRESS and
            Capabilities.EGRESS not in
            CONF.QUARK.environment_capabilities):
        raise q_exc.EgressSecurityGroupRulesNotEnabled()

    proto = rule.pop('protocol')
    low_port = rule['port_range_min']
    high_port = rule['port_range_max']
    raw_ethertype = rule["ethertype"]
    ethertype = protocols.translate_ethertype(raw_ethertype)

    if not proto:
        # Port bounds are only meaningful together with a protocol.
        if not (low_port is None and high_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, raw_ethertype)
        protocols.validate_protocol_with_port_ranges(
            ethertype, proto, low_port, high_port)
        rule['protocol'] = proto

    rule["ethertype"] = ethertype

    remote_prefix = rule.get("remote_ip_prefix")
    protocols.validate_remote_ip_prefix(ethertype, remote_prefix)

    return rule
Example #4
def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rules carrying a truthy ``remote_group_id`` or a ``direction`` other
    than ``"ingress"`` are refused. A truthy protocol is translated and
    checked, together with the translated ethertype, against the port
    bounds; port bounds without a protocol are refused. The ethertype is
    stored in translated form and the remote IP prefix is validated
    against it.

    :param context: request context; not used by this function.
    :param rule: rule dict; mutated and returned. ``protocol``,
        ``port_range_min``, ``port_range_max`` and ``ethertype`` are read
        with plain key access, so a missing key raises ``KeyError``.
    :returns: the same ``rule`` dict. When the protocol was falsy the
        ``protocol`` key has been popped and is not put back.
    :raises exceptions.InvalidInput: remote group or non-ingress rule.
    :raises sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound
        was given without a protocol.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # An absent direction is accepted; anything present must be ingress.
    if rule.get("direction", "ingress") != "ingress":
        raise exceptions.InvalidInput(
            error_message="Non-ingress rules are not currently supported")

    proto = rule.pop('protocol')
    low_port = rule['port_range_min']
    high_port = rule['port_range_max']
    raw_ethertype = rule["ethertype"]
    ethertype = protocols.translate_ethertype(raw_ethertype)

    if not proto:
        # Port bounds are only meaningful together with a protocol.
        if not (low_port is None and high_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, raw_ethertype)
        protocols.validate_protocol_with_port_ranges(
            ethertype, proto, low_port, high_port)
        rule['protocol'] = proto

    rule["ethertype"] = ethertype

    remote_prefix = rule.get("remote_ip_prefix")
    protocols.validate_remote_ip_prefix(ethertype, remote_prefix)

    return rule
Example #5
def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rules carrying a truthy ``remote_group_id`` are refused, and egress
    rules are refused unless ``EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``. A truthy protocol is
    translated and checked against the port bounds; port bounds without a
    protocol are refused. The ethertype is stored in translated form and
    the remote IP prefix is validated against it.

    :param context: request context; not used by this function.
    :param rule: rule dict; mutated and returned. ``protocol``,
        ``port_range_min``, ``port_range_max`` and ``ethertype`` are read
        with plain key access, so a missing key raises ``KeyError``.
    :returns: the same ``rule`` dict. When the protocol was falsy the
        ``protocol`` key has been popped and is not put back.
    :raises exceptions.InvalidInput: the rule references a remote group.
    :raises q_exc.EgressSecurityGroupRulesNotEnabled: egress rule while
        the capability is not enabled.
    :raises sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound
        was given without a protocol.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the egress value is gated here; any other
    # direction value passes through unchecked. Presumably the API layer
    # restricts the allowed values - confirm against the caller.
    wants_egress = rule.get("direction") == Capabilities.EGRESS
    if wants_egress and (Capabilities.EGRESS not in
                         CONF.QUARK.environment_capabilities):
        raise q_exc.EgressSecurityGroupRulesNotEnabled()

    proto = rule.pop('protocol')
    low_port = rule['port_range_min']
    high_port = rule['port_range_max']
    raw_ethertype = rule["ethertype"]
    ethertype = protocols.translate_ethertype(raw_ethertype)

    if not proto:
        # Port bounds are only meaningful together with a protocol.
        if not (low_port is None and high_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, raw_ethertype)
        protocols.validate_protocol_with_port_ranges(
            ethertype, proto, low_port, high_port)
        rule['protocol'] = proto

    rule["ethertype"] = ethertype

    remote_prefix = rule.get("remote_ip_prefix")
    protocols.validate_remote_ip_prefix(ethertype, remote_prefix)

    return rule
Example #6
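def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rules carrying a truthy ``remote_group_id`` are refused, and egress
    rules are refused unless ``EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``. A truthy protocol is
    translated and checked against the port bounds; port bounds without a
    protocol are refused. The ethertype is stored in translated form and
    the remote IP prefix is validated against it.

    :param context: request context; not used by this function.
    :param rule: rule dict; mutated and returned. ``protocol``, the port
        bounds and ``ethertype`` are all optional keys.
    :returns: the same ``rule`` dict. When the protocol was absent or
        falsy, the ``protocol`` key is not present in the result.
    :raises n_exc.InvalidInput: the rule references a remote group.
    :raises q_exc.EgressSecurityGroupRulesNotEnabled: egress rule while
        the capability is not enabled.
    :raises sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound
        was given without a protocol.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the egress value is gated here; any other
    # direction value passes through unchecked. Presumably the API layer
    # restricts the allowed values - confirm against the caller.
    direction = rule.get("direction")
    if direction == env.Capabilities.EGRESS:
        if env.Capabilities.EGRESS not in CONF.QUARK.environment_capabilities:
            raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # The port bounds below are read as optional keys, so read the protocol
    # the same way: a rule without the key is handled as "no protocol"
    # instead of failing with a bare KeyError.
    protocol = rule.pop('protocol', None)
    # NOTE(roaet): these are not required by spec
    port_range_min = rule.get('port_range_min')
    port_range_max = rule.get('port_range_max')
    # TODO(anyone): this will error as None, so defaulting to ipv4
    # NOTE(review): the default covers only a missing key; an explicit
    # None value still reaches translate_ethertype.
    et = rule.get('ethertype', 'IPv4')
    ethertype = protocols.translate_ethertype(et)

    if protocol:
        protocol = protocols.translate_protocol(protocol, et)
        protocols.validate_protocol_with_port_ranges(ethertype,
                                                     protocol,
                                                     port_range_min,
                                                     port_range_max)
        rule['protocol'] = protocol
    elif port_range_min is not None or port_range_max is not None:
        # Port bounds are only meaningful together with a protocol.
        raise sg_ext.SecurityGroupProtocolRequiredWithPorts()

    rule["ethertype"] = ethertype

    protocols.validate_remote_ip_prefix(ethertype,
                                        rule.get("remote_ip_prefix"))

    return rule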
Example #7
 def test_create_security_rule_min_greater_than_max_fails(self):
     # A port range whose lower bound (10) exceeds its upper bound (9) must
     # be rejected. 0x800 is the IPv4 ethertype and 6 is the IANA protocol
     # number for TCP.
     inverted_range = dict(ethertype=0x800, protocol=6, port_range_min=10,
                           port_range_max=9)
     with self.assertRaises(sg_ext.SecurityGroupInvalidPortRange):
         protocols.validate_protocol_with_port_ranges(**inverted_range)
Example #8
 def test_create_security_rule_min_greater_than_max_fails(self):
     # A port range whose lower bound (10) exceeds its upper bound (9) must
     # be rejected. 6 is the IANA protocol number for TCP.
     inverted_range = dict(protocol=6, port_range_min=10, port_range_max=9)
     with self.assertRaises(sg_ext.SecurityGroupInvalidPortRange):
         protocols.validate_protocol_with_port_ranges(**inverted_range)