def setup_security_group(self, context):
    """Create the project's VPN security group and return its name.

    The name is ``context.project_id`` followed by ``CONF.vpn_key_suffix``.
    If ``db.security_group_create`` raises ``exception.SecurityGroupExists``
    the name is returned as-is and no rules are touched. Otherwise two
    rules are attached, both with cidr ``0.0.0.0/0``: UDP 1194 and all
    ICMP (from/to port -1).

    :param context: request context providing ``user_id`` and ``project_id``
    :returns: the security group name
    """
    group_name = "%s%s" % (context.project_id, CONF.vpn_key_suffix)
    try:
        group_ref = db.security_group_create(context, {
            "user_id": context.user_id,
            "project_id": context.project_id,
            "name": group_name,
            "description": "Group for vpn",
        })
    except exception.SecurityGroupExists:
        # Group already exists for this project; leave it untouched.
        return group_name

    # (protocol, from_port, to_port) per rule; every rule is open to any
    # source address.
    for protocol, from_port, to_port in (("udp", 1194, 1194),
                                         ("icmp", -1, -1)):
        db.security_group_rule_create(context, {
            "parent_group_id": group_ref["id"],
            "cidr": "0.0.0.0/0",
            "protocol": protocol,
            "from_port": from_port,
            "to_port": to_port,
        })
    # NOTE(vish): No need to trigger the group since the instance
    # has not been run yet.
    return group_name
def setup_security_group(self, context):
    """Ensure the project's VPN security group exists and return its name.

    The name is ``context.project_id`` + ``CONF.vpn_key_suffix``. When
    ``db.security_group_exists`` already reports it nothing is created;
    otherwise the group is created with a UDP 1194 rule and an all-ICMP
    rule, each with cidr ``0.0.0.0/0``.

    NOTE: the existence check and the create are two separate db calls
    with no exception handling around the create, so two concurrent
    callers can both pass the check.

    :param context: request context providing ``user_id`` and ``project_id``
    :returns: the security group name
    """
    group_name = '%s%s' % (context.project_id, CONF.vpn_key_suffix)
    if db.security_group_exists(context, context.project_id, group_name):
        return group_name

    group_ref = db.security_group_create(context, {
        'user_id': context.user_id,
        'project_id': context.project_id,
        'name': group_name,
        'description': 'Group for vpn'
    })
    parent_id = group_ref['id']
    any_source = '0.0.0.0/0'
    db.security_group_rule_create(context, {'parent_group_id': parent_id,
                                            'cidr': any_source,
                                            'protocol': 'udp',
                                            'from_port': 1194,
                                            'to_port': 1194})
    db.security_group_rule_create(context, {'parent_group_id': parent_id,
                                            'cidr': any_source,
                                            'protocol': 'icmp',
                                            'from_port': -1,
                                            'to_port': -1})
    # NOTE(vish): No need to trigger the group since the instance
    # has not been run yet.
    return group_name
def ensure_default_security_group(self, context):
    """Create the project's 'default' security group if it does not exist.

    The group is looked up with ``db.security_group_get_by_name``; only when
    that raises ``exception.NotFound`` is a group named and described
    'default', owned by the context's user and project, created.

    :param context: the security context
    """
    try:
        db.security_group_get_by_name(context, context.project_id, 'default')
        return
    except exception.NotFound:
        defaults = dict(name='default',
                        description='default',
                        user_id=context.user_id,
                        project_id=context.project_id)
        db.security_group_create(context, defaults)
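def create(self, req, body):
    """Create a new security group from a ``{'security_group': {...}}`` body.

    ``name`` and ``description`` are validated with
    ``_validate_security_group_property`` and whitespace-stripped. The
    project's default group is ensured before the new one is created.

    :param req: WSGI request; ``req.environ['nova.context']`` is used
    :param body: deserialized request body
    :returns: ``{'security_group': <formatted group>}``
    :raises exc.HTTPUnprocessableEntity: empty body or no ``security_group``
    :raises exc.HTTPBadRequest: a group with that name already exists
    """
    context = req.environ['nova.context']
    # Raise rather than return the 422: every other error path here raises,
    # and a returned exception object would be passed on as the call's
    # result instead of becoming the error response.
    if not body:
        raise exc.HTTPUnprocessableEntity()
    security_group = body.get('security_group', None)
    if security_group is None:
        raise exc.HTTPUnprocessableEntity()

    group_name = security_group.get('name', None)
    group_description = security_group.get('description', None)
    self._validate_security_group_property(group_name, "name")
    self._validate_security_group_property(group_description, "description")
    group_name = group_name.strip()
    group_description = group_description.strip()

    LOG.audit(_("Create Security Group %s"), group_name, context=context)
    self.compute_api.ensure_default_security_group(context)
    # NOTE: the existence check and the create are separate db calls, so a
    # concurrent request with the same name can pass the check.
    if db.security_group_exists(context, context.project_id, group_name):
        msg = _('Security group %s already exists') % group_name
        raise exc.HTTPBadRequest(explanation=msg)

    group = {'user_id': context.user_id,
             'project_id': context.project_id,
             'name': group_name,
             'description': group_description}
    group_ref = db.security_group_create(context, group)
    return {'security_group': self._format_security_group(context, group_ref)}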
def setup_security_group(self, context):
    """Return the name of the project's VPN security group, creating it if needed.

    The name is ``context.project_id`` + ``CONF.vpn_key_suffix``. A
    ``exception.SecurityGroupExists`` from the create means the group is
    already there and the name is returned without adding rules. A freshly
    created group gets two rules, each with cidr ``0.0.0.0/0``: UDP 1194
    and ICMP with from/to port -1.

    :param context: request context providing ``user_id`` and ``project_id``
    :returns: the security group name
    """
    group_name = '%s%s' % (context.project_id, CONF.vpn_key_suffix)
    new_group = {'user_id': context.user_id,
                 'project_id': context.project_id,
                 'name': group_name,
                 'description': 'Group for vpn'}
    try:
        group_ref = db.security_group_create(context, new_group)
    except exception.SecurityGroupExists:
        return group_name

    def add_rule(protocol, from_port, to_port):
        # Every rule on this group accepts from any source address.
        db.security_group_rule_create(context,
                                      {'parent_group_id': group_ref['id'],
                                       'cidr': '0.0.0.0/0',
                                       'protocol': protocol,
                                       'from_port': from_port,
                                       'to_port': to_port})

    add_rule('udp', 1194, 1194)
    add_rule('icmp', -1, -1)
    # NOTE(vish): No need to trigger the group since the instance
    # has not been run yet.
    return group_name
def create(self, req, body):
    """Create a security group from the request body and return it.

    Expects ``body['security_group']`` with ``name`` and ``description``;
    both go through ``_validate_security_group_property`` and are
    whitespace-stripped. The project's default group is ensured first.

    :returns: ``{'security_group': <formatted group>}``
    :raises exc.HTTPUnprocessableEntity: empty body or no ``security_group``
    :raises exc.HTTPBadRequest: a group with that name already exists
    """
    context = req.environ['nova.context']
    security_group = body.get('security_group', None) if body else None
    if security_group is None:
        raise exc.HTTPUnprocessableEntity()

    fields = {}
    for key in ('name', 'description'):
        value = security_group.get(key, None)
        self._validate_security_group_property(value, key)
        fields[key] = value.strip()
    group_name = fields['name']

    LOG.audit(_("Create Security Group %s"), group_name, context=context)
    self.compute_api.ensure_default_security_group(context)
    # The existence check and the create are separate db calls.
    if db.security_group_exists(context, context.project_id, group_name):
        raise exc.HTTPBadRequest(
            explanation=_('Security group %s already exists') % group_name)

    group_ref = db.security_group_create(context, {
        'user_id': context.user_id,
        'project_id': context.project_id,
        'name': group_name,
        'description': fields['description'],
    })
    return {'security_group': self._format_security_group(context, group_ref)}
def create_group(name, description, context):
    """
    Create a OS security group.

    name -- Name of the group.
    description -- Description.
    context -- The os context.

    Raises AttributeError when the project already has a group of that
    name. After the db insert SEC_HANDLER is asked to refresh.
    """
    already_there = db.security_group_exists(context, context.project_id,
                                             name)
    if already_there:
        raise AttributeError('Security group already exists: ' + name)
    group = dict(user_id=context.user_id,
                 project_id=context.project_id,
                 name=name,
                 description=description)
    db.security_group_create(context, group)
    SEC_HANDLER.trigger_security_group_create_refresh(context, group)
def ensure_default_security_group(self, context):
    """Make sure the context's project has a 'default' security group.

    ``db.security_group_get_by_name`` is tried first; the group is only
    created (name and description both "default", owned by the context's
    user and project) when that lookup raises ``exception.NotFound``.

    :param context: the security context
    """
    project_id = context.project_id
    try:
        db.security_group_get_by_name(context, project_id, "default")
    except exception.NotFound:
        # Only reached when the lookup failed.
        db.security_group_create(context, {
            "name": "default",
            "description": "default",
            "user_id": context.user_id,
            "project_id": project_id,
        })
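def create_group(name, description, context):
    """
    Create a OS security group.

    name -- Name of the group.
    description -- Description.
    context -- The os context.

    Raises AttributeError if the project already has a group with this
    name; otherwise inserts the group and asks SEC_HANDLER to refresh.
    """
    if db.security_group_exists(context, context.project_id, name):
        # Interpolate the name so the message identifies the group.
        raise AttributeError('Security group %s already exists.' % name)
    group = {'user_id': context.user_id,
             'project_id': context.project_id,
             'name': name,
             'description': description}
    db.security_group_create(context, group)
    SEC_HANDLER.trigger_security_group_create_refresh(context, group)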
def _create_group(self):
    """Insert a 'testgroup' security group for this test's user and project.

    :returns: the row returned by ``db.security_group_create``
    """
    return db.security_group_create(self.context, dict(
        name='testgroup',
        description='testgroup',
        user_id=self.user_id,
        project_id=self.project_id,
    ))
def ensure_default_security_group(self, context):
    """Create the 'default' security group for the context's project if missing.

    The group is created only when ``db.security_group_get_by_name`` raises
    ``exception.NotFound``; it is owned by the context's user and project.

    :param context: the security context
    """
    defaults = {'name': 'default',
                'description': 'default',
                'user_id': context.user_id,
                'project_id': context.project_id}
    try:
        db.security_group_get_by_name(context, context.project_id,
                                      defaults['name'])
    except exception.NotFound:
        db.security_group_create(context, defaults)
def create(self, req, body):
    """Create a security group, charging one unit of the security_groups quota.

    Flow: authorize the context, validate ``name`` and ``description``
    under ``body['security_group']``, reserve quota, then create the group
    inside a try block whose failure path rolls the reservation back before
    re-raising; success commits it.

    :returns: ``{'security_group': <formatted group>}``
    :raises exc.HTTPUnprocessableEntity: no body or no ``security_group``
    :raises exc.HTTPBadRequest: over quota, or the name already exists
    """
    context = req.environ['nova.context']
    authorize(context)

    security_group = body.get('security_group', None) if body else None
    if security_group is None:
        raise exc.HTTPUnprocessableEntity()
    group_name = security_group.get('name', None)
    group_description = security_group.get('description', None)
    self._validate_security_group_property(group_name, "name")
    self._validate_security_group_property(group_description, "description")
    group_name, group_description = (group_name.strip(),
                                     group_description.strip())

    try:
        reservations = QUOTAS.reserve(context, security_groups=1)
    except exception.OverQuota:
        raise exc.HTTPBadRequest(
            explanation=_("Quota exceeded, too many security groups."))

    try:
        LOG.audit(_("Create Security Group %s"), group_name, context=context)
        self.compute_api.ensure_default_security_group(context)
        if db.security_group_exists(context, context.project_id, group_name):
            raise exc.HTTPBadRequest(
                explanation=_('Security group %s already exists') % group_name)
        group = dict(user_id=context.user_id,
                     project_id=context.project_id,
                     name=group_name,
                     description=group_description)
        group_ref = db.security_group_create(context, group)
        self.sgh.trigger_security_group_create_refresh(context, group)
        # Commit the reservation
        QUOTAS.commit(context, reservations)
    except Exception:
        # Any failure after the reserve, including the duplicate-name 400,
        # releases the reserved quota and re-raises the original exception.
        with excutils.save_and_reraise_exception():
            QUOTAS.rollback(context, reservations)
    return {'security_group': self._format_security_group(context, group_ref)}
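def create(self, req, body):
    """Create a security group in the context's project and return it.

    ``body`` must be ``{"security_group": {"name": ..., "description": ...}}``;
    ``name`` is required, ``description`` may be absent (stored as None).

    :returns: ``{"security_group": <formatted group>}``
    :raises exception.ApiError: malformed body, missing name, or a group
        with that name already exists in the project
    """
    context = req.environ["nova.context"]
    # Validate the request shape before touching the db so a missing or
    # non-dict "security_group" is reported as an API error rather than a
    # KeyError/TypeError, and a group with a null name is never created.
    security_group = body.get("security_group") if body else None
    if not isinstance(security_group, dict):
        raise exception.ApiError(_("security_group is required"))
    name = security_group.get("name")
    description = security_group.get("description")
    if not name:
        raise exception.ApiError(_("security group name is required"))

    self.compute_api.ensure_default_security_group(context)
    # NOTE: the existence check and the create are separate db calls, so a
    # concurrent request with the same name can pass the check.
    if db.security_group_exists(context, context.project_id, name):
        raise exception.ApiError(_("group %s already exists") % name)
    group = {"user_id": context.user_id,
             "project_id": context.project_id,
             "name": name,
             "description": description}
    group_ref = db.security_group_create(context, group)
    return {"security_group": self._format_security_group(context, group_ref)}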
def create(self, req, body):
    """Create a new security group under quota.

    After ``authorize`` and body validation (``name`` and ``description``
    under ``security_group``, both validated and stripped) one unit of the
    ``security_groups`` quota is reserved. The group is then created; the
    reservation is committed on success and rolled back on any exception,
    which is re-raised.

    :returns: ``{'security_group': <formatted group>}``
    :raises exc.HTTPUnprocessableEntity: no body or no ``security_group``
    :raises exc.HTTPBadRequest: quota exceeded, or the name already exists
    """
    context = req.environ['nova.context']
    authorize(context)
    if not body or body.get('security_group', None) is None:
        raise exc.HTTPUnprocessableEntity()
    security_group = body['security_group']

    group_name = security_group.get('name', None)
    group_description = security_group.get('description', None)
    self._validate_security_group_property(group_name, "name")
    self._validate_security_group_property(group_description, "description")
    group_name = group_name.strip()
    group_description = group_description.strip()

    try:
        reservations = QUOTAS.reserve(context, security_groups=1)
    except exception.OverQuota:
        msg = _("Quota exceeded, too many security groups.")
        raise exc.HTTPBadRequest(explanation=msg)

    new_group = {'user_id': context.user_id,
                 'project_id': context.project_id,
                 'name': group_name,
                 'description': group_description}
    try:
        LOG.audit(_("Create Security Group %s"), group_name, context=context)
        self.compute_api.ensure_default_security_group(context)
        if db.security_group_exists(context, context.project_id, group_name):
            msg = _('Security group %s already exists') % group_name
            raise exc.HTTPBadRequest(explanation=msg)
        group_ref = db.security_group_create(context, new_group)
        self.sgh.trigger_security_group_create_refresh(context, new_group)
        # Commit the reservation
        QUOTAS.commit(context, reservations)
    except Exception:
        # Release the quota on any failure, then re-raise unchanged.
        with excutils.save_and_reraise_exception():
            QUOTAS.rollback(context, reservations)
    return {'security_group': self._format_security_group(context, group_ref)}
def create_security_group(self, context, group_name, group_description):
    """Create a security group for the context's project (EC2 API shape).

    Ensures the project's default group exists, rejects a duplicate name
    with ``exception.ApiError``, and returns the new group as the single
    element of ``securityGroupSet``.
    """
    LOG.audit(_("Create Security Group %s"), group_name, context=context)
    self.compute_api.ensure_default_security_group(context)
    project_id = context.project_id
    # Check and create are separate db calls.
    if db.security_group_exists(context, project_id, group_name):
        raise exception.ApiError(_('group %s already exists') % group_name)
    group_ref = db.security_group_create(context,
                                         {'user_id': context.user_id,
                                          'project_id': project_id,
                                          'name': group_name,
                                          'description': group_description})
    formatted = self._format_security_group(context, group_ref)
    return {'securityGroupSet': [formatted]}
def test_describe_security_groups(self):
    """Makes sure describe_security_groups works and filters results."""
    ctxt = self.context
    # Created with a project_id only; no user_id is set on this group.
    sec = db.security_group_create(ctxt, {'project_id': ctxt.project_id,
                                          'name': 'test'})
    unfiltered = self.cloud.describe_security_groups(ctxt)
    # NOTE(vish): should have the default group as well
    self.assertEqual(len(unfiltered['securityGroupInfo']), 2)
    filtered = self.cloud.describe_security_groups(ctxt,
                                                   group_name=[sec['name']])
    groups = filtered['securityGroupInfo']
    self.assertEqual(len(groups), 1)
    self.assertEqual(groups[0]['groupName'], sec['name'])
    # Cleanup is skipped if an assertion above fails.
    db.security_group_destroy(ctxt, sec['id'])
def test_describe_security_groups(self):
    """Makes sure describe_security_groups works and filters results."""
    sec = db.security_group_create(
        self.context,
        {'project_id': self.context.project_id, 'name': 'test'})

    everything = self.cloud.describe_security_groups(self.context)
    # NOTE(vish): should have the default group as well
    self.assertEqual(len(everything['securityGroupInfo']), 2)

    only_test = self.cloud.describe_security_groups(
        self.context, group_name=[sec['name']])
    info = only_test['securityGroupInfo']
    self.assertEqual(len(info), 1)
    self.assertEqual(info[0]['groupName'], sec['name'])

    # Not in a finally block: a failed assert leaves the group behind.
    db.security_group_destroy(self.context, sec['id'])
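def create(self, req, body):
    """Create a security group owned by the context's user and project.

    Expects ``body['security_group']`` with a required ``name`` and an
    optional ``description``.

    :returns: ``{'security_group': <formatted group>}``
    :raises exception.ApiError: body malformed, name missing, or the name
        already exists in the project
    """
    context = req.environ['nova.context']
    # Reject a missing or non-dict 'security_group' and an empty name up
    # front; otherwise the subscript below raises KeyError/TypeError and a
    # None name would be written to the db.
    security_group = body.get('security_group') if body else None
    if not isinstance(security_group, dict):
        raise exception.ApiError(_('security_group is required'))
    name = security_group.get('name')
    description = security_group.get('description')
    if not name:
        raise exception.ApiError(_('security group name is required'))

    self.compute_api.ensure_default_security_group(context)
    # Check and create are separate db calls, so a concurrent duplicate
    # request can pass the check.
    if db.security_group_exists(context, context.project_id, name):
        raise exception.ApiError(_('group %s already exists') % name)
    group = {'user_id': context.user_id,
             'project_id': context.project_id,
             'name': name,
             'description': description}
    group_ref = db.security_group_create(context, group)
    return {'security_group': self._format_security_group(context, group_ref)}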
def create_security_group(self, context, group_name, group_description):
    """Create a security group and return it in EC2 ``securityGroupSet`` form.

    The project's default group is ensured first; a duplicate name raises
    ``exception.ApiError``.
    """
    LOG.audit(_("Create Security Group %s"), group_name, context=context)
    self.compute_api.ensure_default_security_group(context)
    if db.security_group_exists(context, context.project_id, group_name):
        raise exception.ApiError(_('group %s already exists') % group_name)

    new_group = dict(user_id=context.user_id,
                     project_id=context.project_id,
                     name=group_name,
                     description=group_description)
    group_ref = db.security_group_create(context, new_group)
    return {'securityGroupSet':
            [self._format_security_group(context, group_ref)]}
def create_security_group(context, values):
    """Create a security group owned by ``context``'s user and project.

    ``values`` is not mutated; a copy is made in which ``user_id`` and
    ``project_id`` are overwritten from the context, so the caller cannot
    set the owner through ``values``.

    :returns: whatever ``db.security_group_create`` returns
    """
    owned = dict(values,
                 user_id=context.user_id,
                 project_id=context.project_id)
    return db.security_group_create(context, owned)
def test_static_filters(self):
    """Check that the instance and security-group chains reach iptables-restore.

    Sets up an instance with fixed ip 10.11.12.13 and a security group with
    three rules (ICMP any, ICMP type 8, TCP 80-81), replaces the iptables
    manager's executor with an in-memory fake, runs prepare/apply filter
    and inspects the captured '*filter' table.
    """
    instance_ref = self._create_instance_ref()
    ip = '10.11.12.13'
    network_ref = db.project_get_network(self.context, 'fake')
    fixed_ip = {'address': ip, 'network_id': network_ref['id']}
    admin_ctxt = context.get_admin_context()
    db.fixed_ip_create(admin_ctxt, fixed_ip)
    db.fixed_ip_update(admin_ctxt, ip, {'allocated': True,
                                        'instance_id': instance_ref['id']})
    secgroup = db.security_group_create(admin_ctxt,
                                        {'user_id': 'fake',
                                         'project_id': 'fake',
                                         'name': 'testgroup',
                                         'description': 'test group'})
    # Expected below to render without an --icmp-type match.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'icmp',
                                   'from_port': -1,
                                   'to_port': -1,
                                   'cidr': '192.168.11.0/24'})
    # Expected below to render as --icmp-type 8.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'icmp',
                                   'from_port': 8,
                                   'to_port': -1,
                                   'cidr': '192.168.11.0/24'})
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'tcp',
                                   'from_port': 80,
                                   'to_port': 81,
                                   'cidr': '192.168.10.0/24'})
    db.instance_add_security_group(admin_ctxt, instance_ref['id'],
                                   secgroup['id'])
    # Re-read so the row reflects the group membership just added.
    instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])

    # self.fw.add_instance(instance_ref)
    def fake_iptables_execute(*cmd, **kwargs):
        # Stand-in for the iptables manager's execute(): serves the saved
        # tables from self.in*_rules and captures what gets restored.
        # Commands matched by none of the branches are printed and fall
        # through, returning None.
        process_input = kwargs.get('process_input', None)
        if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'):
            return '\n'.join(self.in6_filter_rules), None
        if cmd == ('sudo', 'iptables-save', '-t', 'filter'):
            return '\n'.join(self.in_filter_rules), None
        if cmd == ('sudo', 'iptables-save', '-t', 'nat'):
            return '\n'.join(self.in_nat_rules), None
        if cmd == ('sudo', 'iptables-restore'):
            lines = process_input.split('\n')
            # Only a restore that carries the filter table is captured.
            if '*filter' in lines:
                self.out_rules = lines
            return '', ''
        if cmd == ('sudo', 'ip6tables-restore'):
            lines = process_input.split('\n')
            if '*filter' in lines:
                self.out6_rules = lines
            return '', ''
        print cmd, kwargs

    from nova.network import linux_net
    # Module-level monkeypatch; nothing in this test restores the original.
    linux_net.iptables_manager.execute = fake_iptables_execute
    self.fw.prepare_instance_filter(instance_ref)
    self.fw.apply_instance_filter(instance_ref)

    # Every pre-existing, non-comment, non-nova rule must survive the
    # rewrite (Python 2: filter() returns a list here).
    in_rules = filter(lambda l: not l.startswith('#'), self.in_filter_rules)
    for rule in in_rules:
        if not 'nova' in rule:
            self.assertTrue(rule in self.out_rules,
                            'Rule went missing: %s' % rule)

    # The jump target of the rule matching the instance's ip is its chain.
    instance_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-d 10.11.12.13 -j' in rule:
            instance_chain = rule.split(' ')[-1]
            break
    self.assertTrue(instance_chain, "The instance chain wasn't added")

    # The instance chain in turn jumps to the security group chain.
    security_group_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-A %s -j' % instance_chain in rule:
            security_group_chain = rule.split(' ')[-1]
            break
    self.assertTrue(security_group_chain,
                    "The security group chain wasn't added")

    # These are regexes: the unescaped dots in the CIDRs match any
    # character, so the checks are slightly looser than the literals.
    regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT')
    self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                    "ICMP acceptance rule wasn't added")
    regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp '
                       '--icmp-type 8 -j ACCEPT')
    self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                    "ICMP Echo Request acceptance rule wasn't added")
    regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport '
                       '--dports 80:81 -j ACCEPT')
    self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                    "TCP port 80/81 acceptance rule wasn't added")
    db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_static_filters(self):
    """Check that instance and security-group chains appear in the restored filter rules.

    Creates an instance with fixed ip 10.11.12.13, a security group with
    three rules (ICMP any, ICMP type 8, TCP 80-81), swaps ``self.fw.execute``
    for a fake that serves ``self.in_rules``/``self.in6_rules`` and records
    the restore input, then checks the generated chains and ACCEPT rules.
    """
    instance_ref = db.instance_create(
        self.context, {"user_id": "fake", "project_id": "fake", "mac_address": "56:12:12:12:12:12"}
    )
    ip = "10.11.12.13"
    network_ref = db.project_get_network(self.context, "fake")
    fixed_ip = {"address": ip, "network_id": network_ref["id"]}
    admin_ctxt = context.get_admin_context()
    db.fixed_ip_create(admin_ctxt, fixed_ip)
    db.fixed_ip_update(admin_ctxt, ip, {"allocated": True, "instance_id": instance_ref["id"]})
    secgroup = db.security_group_create(
        admin_ctxt, {"user_id": "fake", "project_id": "fake", "name": "testgroup", "description": "test group"}
    )
    # Asserted below to render without an --icmp-type match.
    db.security_group_rule_create(
        admin_ctxt,
        {
            "parent_group_id": secgroup["id"],
            "protocol": "icmp",
            "from_port": -1,
            "to_port": -1,
            "cidr": "192.168.11.0/24",
        },
    )
    # Asserted below to render as --icmp-type 8.
    db.security_group_rule_create(
        admin_ctxt,
        {
            "parent_group_id": secgroup["id"],
            "protocol": "icmp",
            "from_port": 8,
            "to_port": -1,
            "cidr": "192.168.11.0/24",
        },
    )
    db.security_group_rule_create(
        admin_ctxt,
        {
            "parent_group_id": secgroup["id"],
            "protocol": "tcp",
            "from_port": 80,
            "to_port": 81,
            "cidr": "192.168.10.0/24",
        },
    )
    db.instance_add_security_group(admin_ctxt, instance_ref["id"], secgroup["id"])
    # Re-read so the row reflects the group membership just added.
    instance_ref = db.instance_get(admin_ctxt, instance_ref["id"])

    # self.fw.add_instance(instance_ref)
    def fake_iptables_execute(cmd, process_input=None):
        # Matches the command as a single string. The save commands return
        # the canned tables; the restore commands capture their input.
        # Anything else falls through and returns None.
        if cmd == "sudo ip6tables-save -t filter":
            return "\n".join(self.in6_rules), None
        if cmd == "sudo iptables-save -t filter":
            return "\n".join(self.in_rules), None
        if cmd == "sudo iptables-restore":
            self.out_rules = process_input.split("\n")
            return "", ""
        if cmd == "sudo ip6tables-restore":
            self.out6_rules = process_input.split("\n")
            return "", ""

    # Patched on the firewall instance for the rest of this test.
    self.fw.execute = fake_iptables_execute
    self.fw.prepare_instance_filter(instance_ref)
    self.fw.apply_instance_filter(instance_ref)

    # Pre-existing non-comment rules without 'nova' in them must survive.
    in_rules = filter(lambda l: not l.startswith("#"), self.in_rules)
    for rule in in_rules:
        if not "nova" in rule:
            self.assertTrue(rule in self.out_rules, "Rule went missing: %s" % rule)

    # The jump target of the rule for the instance's ip is its chain.
    instance_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if "-d 10.11.12.13 -j" in rule:
            instance_chain = rule.split(" ")[-1]
            break
    self.assertTrue(instance_chain, "The instance chain wasn't added")

    # The instance chain jumps on to the security group chain.
    security_group_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if "-A %s -j" % instance_chain in rule:
            security_group_chain = rule.split(" ")[-1]
            break
    self.assertTrue(security_group_chain, "The security group chain wasn't added")

    # Exact-string membership checks ('%' binds before 'in').
    self.assertTrue(
        "-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT" % security_group_chain in self.out_rules,
        "ICMP acceptance rule wasn't added",
    )
    self.assertTrue(
        "-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type " "8 -j ACCEPT" % security_group_chain in self.out_rules,
        "ICMP Echo Request acceptance rule wasn't added",
    )
    self.assertTrue(
        "-A %s -p tcp -s 192.168.10.0/24 -m multiport " "--dports 80:81 -j ACCEPT" % security_group_chain in self.out_rules,
        "TCP port 80/81 acceptance rule wasn't added",
    )
    db.instance_destroy(admin_ctxt, instance_ref["id"])
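class OverrideHelper(create_instance_helper.CreateInstanceHelper):
    """Allows keypair name to be passed in request.

    Resolves the server's key pair, image and security groups from
    ``body['server']`` and then delegates to ``create_method``.
    """

    def _resolve_key_pair(self, context, key_name):
        """Return ``(key_name, key_data)`` for the request.

        With a ``key_name`` the pair is loaded for the context's user.
        Without one, the user's first key pair (if any) is used silently;
        otherwise both values are ``None``.

        :raises faults.Fault: wrapping ``exc.HTTPBadRequest`` when the
            named key cannot be loaded
        """
        if key_name:
            try:
                key_pair = db.key_pair_get(context, context.user_id, key_name)
                key_name, key_data = key_pair['name'], key_pair['public_key']
            except Exception:
                # Narrowed from a bare ``except:`` so KeyboardInterrupt and
                # SystemExit are not swallowed. Raised, not returned, like
                # every other error path in create_instance; the format
                # is applied after _() so the message stays translatable.
                msg = _("Can not load the requested key %s") % key_name
                raise faults.Fault(exc.HTTPBadRequest(explanation=msg))
            return key_name, key_data

        # No key requested: fall back to the first key pair the user owns.
        key_pairs = db.key_pair_get_all_by_user(context, context.user_id)
        if key_pairs:
            key_pair = key_pairs[0]
            return key_pair['name'], key_pair['public_key']
        return None, None

    def _resolve_image(self, req, context, image_href):
        """Return ``(image_id, kernel_id, ramdisk_id)`` for ``image_href``.

        The id must also be present in the image service's index.

        :raises faults.Fault: wrapping ``exc.HTTPBadRequest`` on any failure
        """
        try:
            image_service, image_id = nova.image.get_image_service(image_href)
            kernel_id, ramdisk_id = self._get_kernel_ramdisk_from_image(
                req, image_service, image_id)
            images = set(str(x['id']) for x in image_service.index(context))
            # An explicit check instead of ``assert``, which python -O strips.
            if str(image_id) not in images:
                raise LookupError("image %s is not in the image index"
                                  % image_id)
        except Exception as e:
            # NOTE: the underlying error text is echoed back to the caller.
            msg = _("Cannot find requested image %(image_href)s: %(e)s") % {
                'image_href': image_href, 'e': e}
            raise faults.Fault(exc.HTTPBadRequest(explanation=msg))
        return image_id, kernel_id, ramdisk_id

    def _ensure_security_groups(self, context, group_names):
        """Create any of ``group_names`` missing from the context's project.

        Missing groups are created with an empty description, so every
        name the request lists exists after this call.
        """
        for group_name in group_names:
            if not db.security_group_exists(context, context.project_id,
                                            group_name):
                db.security_group_create(context, {
                    'user_id': context.user_id,
                    'project_id': context.project_id,
                    'name': group_name,
                    'description': ''})

    def create_instance(self, req, body, create_method):
        """Validate a server-create request and run ``create_method``.

        :param req: WSGI request; ``req.environ['nova.context']`` is used
        :param body: parsed request body with a ``server`` element
        :param create_method: called with the context, instance type, image
            id and the resolved keyword arguments
        :returns: ``(extra_values, create_method(...))`` where
            ``extra_values`` holds the instance type, image ref and password
        :raises faults.Fault: wrapping ``exc.HTTPUnprocessableEntity`` for an
            empty body, or ``exc.HTTPBadRequest`` for an unloadable key, an
            unresolvable image, or ``exception.ImageNotFound`` from
            ``create_method``
        :raises exc.HTTPBadRequest: when ``server`` has no ``name``
        """
        if not body:
            raise faults.Fault(exc.HTTPUnprocessableEntity())
        context = req.environ['nova.context']
        server = body['server']
        password = self.controller._get_server_admin_password(server)
        key_name, key_data = self._resolve_key_pair(context,
                                                    server.get('key_name'))

        image_href = self.controller._image_ref_from_req_data(body)
        image_id, kernel_id, ramdisk_id = self._resolve_image(
            req, context, image_href)

        personality = server.get('personality')
        injected_files = []
        if personality:
            injected_files = self._get_injected_files(personality)
        flavor_id = self.controller._flavor_id_from_req_data(body)

        if 'name' not in server:
            msg = _("Server name is not defined")
            raise exc.HTTPBadRequest(explanation=msg)
        zone_blob = server.get('blob')
        name = server['name']
        self._validate_server_name(name)
        name = name.strip()
        reservation_id = server.get('reservation_id')

        # 'security_groups' is a comma-separated string; empty entries are
        # dropped and 'default' is always appended.
        security_groups = [g for g in
                           server.get('security_groups', '').split(',') if g]
        security_groups = security_groups + ['default']
        self._ensure_security_groups(context, security_groups)

        try:
            inst_type = \
                instance_types.get_instance_type_by_flavor_id(flavor_id)
            extra_values = {
                'instance_type': inst_type,
                'image_ref': image_href,
                'password': password}
            return (extra_values,
                    create_method(context,
                                  inst_type,
                                  image_id,
                                  kernel_id=kernel_id,
                                  ramdisk_id=ramdisk_id,
                                  display_name=name,
                                  display_description=name,
                                  key_name=key_name,
                                  key_data=key_data,
                                  metadata=server.get('metadata', {}),
                                  injected_files=injected_files,
                                  admin_password=password,
                                  zone_blob=zone_blob,
                                  user_data=server.get('user_data', None),
                                  security_group=security_groups,
                                  reservation_id=reservation_id))
        except quota.QuotaError as error:
            # Delegated; if the handler does not raise, this returns None.
            self._handle_quota_error(error)
        except exception.ImageNotFound as error:
            msg = _("Can not find requested image")
            raise faults.Fault(exc.HTTPBadRequest(explanation=msg))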
def test_static_filters(self):
    """Check that the instance and security-group chains show up in the restored rules.

    Builds an instance with fixed ip 10.11.12.13 and a security group with
    three rules (ICMP any, ICMP type 8, TCP 80-81), replaces
    ``self.fw.execute`` with a fake that returns ``self.in_rules`` /
    ``self.in6_rules`` and records restore input, then asserts on the
    chains and ACCEPT rules. The instance row is not destroyed afterwards.
    """
    instance_ref = db.instance_create(self.context,
                                      {'user_id': 'fake',
                                       'project_id': 'fake',
                                       'mac_address': '56:12:12:12:12:12'})
    ip = '10.11.12.13'
    network_ref = db.project_get_network(self.context, 'fake')
    fixed_ip = {'address': ip, 'network_id': network_ref['id']}
    admin_ctxt = context.get_admin_context()
    db.fixed_ip_create(admin_ctxt, fixed_ip)
    db.fixed_ip_update(admin_ctxt, ip, {'allocated': True,
                                        'instance_id': instance_ref['id']})
    secgroup = db.security_group_create(admin_ctxt,
                                        {'user_id': 'fake',
                                         'project_id': 'fake',
                                         'name': 'testgroup',
                                         'description': 'test group'})
    # Asserted below to render without an --icmp-type match.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'icmp',
                                   'from_port': -1,
                                   'to_port': -1,
                                   'cidr': '192.168.11.0/24'})
    # Asserted below to render as --icmp-type 8.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'icmp',
                                   'from_port': 8,
                                   'to_port': -1,
                                   'cidr': '192.168.11.0/24'})
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'tcp',
                                   'from_port': 80,
                                   'to_port': 81,
                                   'cidr': '192.168.10.0/24'})
    db.instance_add_security_group(admin_ctxt, instance_ref['id'],
                                   secgroup['id'])
    # Re-read so the row reflects the group membership just added.
    instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])

    # self.fw.add_instance(instance_ref)
    def fake_iptables_execute(cmd, process_input=None):
        # Matches the command as one string; saves return the canned
        # tables, restores capture their input. Unmatched commands fall
        # through and return None.
        if cmd == 'sudo ip6tables-save -t filter':
            return '\n'.join(self.in6_rules), None
        if cmd == 'sudo iptables-save -t filter':
            return '\n'.join(self.in_rules), None
        if cmd == 'sudo iptables-restore':
            self.out_rules = process_input.split('\n')
            return '', ''
        if cmd == 'sudo ip6tables-restore':
            self.out6_rules = process_input.split('\n')
            return '', ''

    # Patched on the firewall instance for the rest of this test.
    self.fw.execute = fake_iptables_execute
    self.fw.prepare_instance_filter(instance_ref)
    self.fw.apply_instance_filter(instance_ref)

    # Pre-existing non-comment rules without 'nova' in them must survive
    # (Python 2: filter() returns a list here).
    in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
    for rule in in_rules:
        if not 'nova' in rule:
            self.assertTrue(rule in self.out_rules,
                            'Rule went missing: %s' % rule)

    # The jump target of the rule for the instance's ip is its chain.
    instance_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-d 10.11.12.13 -j' in rule:
            instance_chain = rule.split(' ')[-1]
            break
    self.assertTrue(instance_chain, "The instance chain wasn't added")

    # The instance chain jumps on to the security group chain.
    security_group_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-A %s -j' % instance_chain in rule:
            security_group_chain = rule.split(' ')[-1]
            break
    self.assertTrue(security_group_chain,
                    "The security group chain wasn't added")

    # Exact-string membership checks ('%' binds before 'in').
    self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' %
                    security_group_chain in self.out_rules,
                    "ICMP acceptance rule wasn't added")
    self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type '
                    '8 -j ACCEPT' % security_group_chain in self.out_rules,
                    "ICMP Echo Request acceptance rule wasn't added")
    self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport '
                    '--dports 80:81 -j ACCEPT' % security_group_chain
                    in self.out_rules,
                    "TCP port 80/81 acceptance rule wasn't added")
def _create_group(self):
    """Create the test fixture security group 'testgroup'.

    Owned by ``self.user_id`` / ``self.project_id``; returns the row from
    ``db.security_group_create``.
    """
    group_values = {
        'name': 'testgroup',
        'description': 'testgroup',
        'user_id': self.user_id,
        'project_id': self.project_id,
    }
    created = db.security_group_create(self.context, group_values)
    return created
def test_static_filters(self):
    """Check that instance and security-group chains reach the restored filter table.

    Creates an instance with fixed ip 10.11.12.13 and a security group with
    three rules (ICMP any, ICMP type 8, TCP 80-81), monkeypatches the
    iptables manager's executor with a fake that serves the canned tables
    and captures the '*filter' restore, then runs prepare/apply filter and
    asserts on the result.
    """
    instance_ref = db.instance_create(
        self.context, {
            'user_id': 'fake',
            'project_id': 'fake',
            'mac_address': '56:12:12:12:12:12'
        })
    ip = '10.11.12.13'
    network_ref = db.project_get_network(self.context, 'fake')
    fixed_ip = {'address': ip, 'network_id': network_ref['id']}
    admin_ctxt = context.get_admin_context()
    db.fixed_ip_create(admin_ctxt, fixed_ip)
    db.fixed_ip_update(admin_ctxt, ip, {
        'allocated': True,
        'instance_id': instance_ref['id']
    })
    secgroup = db.security_group_create(
        admin_ctxt, {
            'user_id': 'fake',
            'project_id': 'fake',
            'name': 'testgroup',
            'description': 'test group'
        })
    # Asserted below to render without an --icmp-type match.
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'icmp',
            'from_port': -1,
            'to_port': -1,
            'cidr': '192.168.11.0/24'
        })
    # Asserted below to render as --icmp-type 8.
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'icmp',
            'from_port': 8,
            'to_port': -1,
            'cidr': '192.168.11.0/24'
        })
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'tcp',
            'from_port': 80,
            'to_port': 81,
            'cidr': '192.168.10.0/24'
        })
    db.instance_add_security_group(admin_ctxt, instance_ref['id'],
                                   secgroup['id'])
    # Re-read so the row reflects the group membership just added.
    instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])

    # self.fw.add_instance(instance_ref)
    def fake_iptables_execute(*cmd, **kwargs):
        # Stand-in for the iptables manager's execute(): serves the saved
        # tables from self.in*_rules and captures what gets restored.
        # Commands matched by none of the branches are printed and fall
        # through, returning None.
        process_input = kwargs.get('process_input', None)
        if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'):
            return '\n'.join(self.in6_filter_rules), None
        if cmd == ('sudo', 'iptables-save', '-t', 'filter'):
            return '\n'.join(self.in_filter_rules), None
        if cmd == ('sudo', 'iptables-save', '-t', 'nat'):
            return '\n'.join(self.in_nat_rules), None
        if cmd == ('sudo', 'iptables-restore'):
            lines = process_input.split('\n')
            # Only a restore that carries the filter table is captured.
            if '*filter' in lines:
                self.out_rules = lines
            return '', ''
        if cmd == ('sudo', 'ip6tables-restore'):
            lines = process_input.split('\n')
            if '*filter' in lines:
                self.out6_rules = lines
            return '', ''
        print cmd, kwargs

    from nova.network import linux_net
    # Module-level monkeypatch; nothing in this test restores the original.
    linux_net.iptables_manager.execute = fake_iptables_execute
    self.fw.prepare_instance_filter(instance_ref)
    self.fw.apply_instance_filter(instance_ref)

    # Every pre-existing, non-comment, non-nova rule must survive the
    # rewrite (Python 2: filter() returns a list here).
    in_rules = filter(lambda l: not l.startswith('#'),
                      self.in_filter_rules)
    for rule in in_rules:
        if not 'nova' in rule:
            self.assertTrue(rule in self.out_rules,
                            'Rule went missing: %s' % rule)

    # The jump target of the rule matching the instance's ip is its chain.
    instance_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-d 10.11.12.13 -j' in rule:
            instance_chain = rule.split(' ')[-1]
            break
    self.assertTrue(instance_chain, "The instance chain wasn't added")

    # The instance chain in turn jumps to the security group chain.
    security_group_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-A %s -j' % instance_chain in rule:
            security_group_chain = rule.split(' ')[-1]
            break
    self.assertTrue(security_group_chain,
                    "The security group chain wasn't added")

    # These are regexes: the unescaped dots in the CIDRs match any
    # character, so the checks are slightly looser than the literals.
    regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT')
    self.assertTrue(
        len(filter(regex.match, self.out_rules)) > 0,
        "ICMP acceptance rule wasn't added")
    regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp '
                       '--icmp-type 8 -j ACCEPT')
    self.assertTrue(
        len(filter(regex.match, self.out_rules)) > 0,
        "ICMP Echo Request acceptance rule wasn't added")
    regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport '
                       '--dports 80:81 -j ACCEPT')
    self.assertTrue(
        len(filter(regex.match, self.out_rules)) > 0,
        "TCP port 80/81 acceptance rule wasn't added")
    db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_static_filters(self, mock_lock):
    """Check that CIDR- and group-sourced rules become ACCEPT rules.

    Two instances are created: ``instance_ref`` (member of ``testgroup``)
    and ``src_instance_ref`` (member of ``testsourcegroup``).  ``testgroup``
    holds CIDR rules plus two rules whose source is the other group, so
    the driver must expand the source group into the fixed IPs of its
    members.  The iptables executor is stubbed and the text destined for
    ``iptables-restore`` is inspected.

    :param mock_lock: presumably injected by a ``mock.patch`` decorator
        outside this view; it is given a real semaphore so locking code
        in the driver runs unchanged.

    Depends on ``self._create_instance_ref``, ``self.fw``,
    ``self.in_rules``, ``self.in6_filter_rules``, ``self.stubs`` and the
    module-level ``_fake_network_info`` helper, all defined elsewhere.
    """
    mock_lock.return_value = threading.Semaphore()
    instance_ref = self._create_instance_ref()
    src_instance_ref = self._create_instance_ref()
    admin_ctxt = context.get_admin_context()
    secgroup = db.security_group_create(admin_ctxt,
                                        {'user_id': 'fake',
                                         'project_id': 'fake',
                                         'name': 'testgroup',
                                         'description': 'test group'})
    src_secgroup = db.security_group_create(admin_ctxt,
                                            {'user_id': 'fake',
                                             'project_id': 'fake',
                                             'name': 'testsourcegroup',
                                             'description': 'src group'})
    # ICMP, any type/code, from a CIDR.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'icmp',
                                   'from_port': -1,
                                   'to_port': -1,
                                   'cidr': '192.168.11.0/24'})
    # ICMP type 8 (echo request) from the same CIDR.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'icmp',
                                   'from_port': 8,
                                   'to_port': -1,
                                   'cidr': '192.168.11.0/24'})
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'tcp',
                                   'from_port': 80,
                                   'to_port': 81,
                                   'cidr': '192.168.10.0/24'})
    # Same TCP range, but sourced from another security group.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'protocol': 'tcp',
                                   'from_port': 80,
                                   'to_port': 81,
                                   'group_id': src_secgroup['id']})
    # No protocol or ports at all: allow everything from the source group.
    db.security_group_rule_create(admin_ctxt,
                                  {'parent_group_id': secgroup['id'],
                                   'group_id': src_secgroup['id']})
    db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
                                   secgroup['id'])
    db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
                                   src_secgroup['id'])
    # Re-read both so the refs carry their group memberships.
    instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])
    src_instance_ref = db.instance_get(admin_ctxt, src_instance_ref['id'])

    def fake_iptables_execute(*cmd, **kwargs):
        """Stand-in for the iptables executor.

        ``*-save -c`` is answered from the canned rule lists on ``self``;
        ``*-restore -c`` captures ``process_input`` into
        ``self.out_rules`` / ``self.out6_rules`` when it carries a
        ``*filter`` marker.  Any other command falls off the end and
        returns ``None``, which the caller will not be able to unpack.
        """
        process_input = kwargs.get('process_input', None)
        if cmd == ('ip6tables-save', '-c'):
            return '\n'.join(self.in6_filter_rules), None
        if cmd == ('iptables-save', '-c'):
            return '\n'.join(self.in_rules), None
        if cmd == ('iptables-restore', '-c'):
            lines = process_input.split('\n')
            if '*filter' in lines:
                self.out_rules = lines
            return '', ''
        if cmd == ('ip6tables-restore', '-c',):
            lines = process_input.split('\n')
            if '*filter' in lines:
                self.out6_rules = lines
            return '', ''

    network_model = _fake_network_info(self.stubs, 1)

    # Stub both the executor and the network lookup so no host state
    # and no real network data are touched.
    linux_net.iptables_manager.execute = fake_iptables_execute
    self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
                   lambda instance: network_model)

    self.fw.prepare_instance_filter(instance_ref, network_model)
    self.fw.apply_instance_filter(instance_ref, network_model)

    # Pre-existing rules that are not nova-owned (crude substring test)
    # must survive the rewrite unchanged.
    in_rules = filter(lambda l: not l.startswith('#'),
                      self.in_rules)
    for rule in in_rules:
        if 'nova' not in rule:
            self.assertTrue(rule in self.out_rules,
                            'Rule went missing: %s' % rule)

    # Find the per-instance chain via the jump keyed on a 192.168.x.y
    # destination; the dots are unescaped and match any character.
    instance_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        # last two octets change
        if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule):
            instance_chain = rule.split(' ')[-1]
            break
    self.assertTrue(instance_chain, "The instance chain wasn't added")

    # The instance chain must jump to a security-group chain.
    security_group_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-A %s -j' % instance_chain in rule:
            security_group_chain = rule.split(' ')[-1]
            break
    self.assertTrue(security_group_chain,
                    "The security group chain wasn't added")

    # The ``[0:0]`` prefix is the packet/byte counter emitted by the
    # ``-c`` form.  NOTE(review): these patterns are non-raw strings
    # with unescaped dots, and ``len(filter(...))`` assumes Python 2's
    # list-returning filter.
    regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp '
                       '-s 192.168.11.0/24')
    self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                    "ICMP acceptance rule wasn't added")

    regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp '
                       '--icmp-type 8 -s 192.168.11.0/24')
    self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                    "ICMP Echo Request acceptance rule wasn't added")

    # Group-sourced rules must be expanded to one ACCEPT per IPv4 fixed
    # IP of the source group's members; IPv6 addresses are skipped.
    for ip in network_model.fixed_ips():
        if ip['version'] != 4:
            continue
        regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport '
                           '--dports 80:81 -s %s' % ip['address'])
        self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                        "TCP port 80/81 acceptance rule wasn't added")
        regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s '
                           '%s' % ip['address'])
        self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                        "Protocol/port-less acceptance rule wasn't added")

    regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp '
                       '-m multiport --dports 80:81 -s 192.168.10.0/24')
    self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                    "TCP port 80/81 acceptance rule wasn't added")
    # Not in a finally block: a failed assertion leaves the rows behind,
    # and src_instance_ref is never destroyed at all.
    db.instance_destroy(admin_ctxt, instance_ref['uuid'])
def test_static_filters(self, mock_lock):
    """Check that CIDR- and group-sourced rules become ACCEPT rules.

    Two instances are created: ``instance_ref`` (member of ``testgroup``)
    and ``src_instance_ref`` (member of ``testsourcegroup``).  ``testgroup``
    holds CIDR rules plus two rules whose source is the other group, so
    the driver must expand that group into the fixed IPs of its members.
    The iptables executor is stubbed and the text destined for
    ``iptables-restore`` is inspected.

    :param mock_lock: presumably injected by a ``mock.patch`` decorator
        outside this view; it is given a real semaphore so locking code
        in the driver runs unchanged.

    Depends on ``self._create_instance_ref``, ``self.fw``,
    ``self.in_rules``, ``self.in6_filter_rules``, ``self.stubs`` and the
    module-level ``_fake_network_info`` helper, all defined elsewhere.
    """
    mock_lock.return_value = threading.Semaphore()
    instance_ref = self._create_instance_ref()
    src_instance_ref = self._create_instance_ref()
    admin_ctxt = context.get_admin_context()
    secgroup = db.security_group_create(
        admin_ctxt, {
            'user_id': 'fake',
            'project_id': 'fake',
            'name': 'testgroup',
            'description': 'test group'
        })
    src_secgroup = db.security_group_create(
        admin_ctxt, {
            'user_id': 'fake',
            'project_id': 'fake',
            'name': 'testsourcegroup',
            'description': 'src group'
        })
    # ICMP, any type/code, from a CIDR.
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'icmp',
            'from_port': -1,
            'to_port': -1,
            'cidr': '192.168.11.0/24'
        })
    # ICMP type 8 (echo request) from the same CIDR.
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'icmp',
            'from_port': 8,
            'to_port': -1,
            'cidr': '192.168.11.0/24'
        })
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'tcp',
            'from_port': 80,
            'to_port': 81,
            'cidr': '192.168.10.0/24'
        })
    # Same TCP range, but sourced from another security group.
    db.security_group_rule_create(
        admin_ctxt, {
            'parent_group_id': secgroup['id'],
            'protocol': 'tcp',
            'from_port': 80,
            'to_port': 81,
            'group_id': src_secgroup['id']
        })
    # No protocol or ports at all: allow everything from the source group.
    db.security_group_rule_create(admin_ctxt, {
        'parent_group_id': secgroup['id'],
        'group_id': src_secgroup['id']
    })
    db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
                                   secgroup['id'])
    db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
                                   src_secgroup['id'])
    # Re-read both so the refs carry their group memberships.
    instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])
    src_instance_ref = db.instance_get(admin_ctxt, src_instance_ref['id'])

    def fake_iptables_execute(*cmd, **kwargs):
        """Stand-in for the iptables executor.

        ``*-save -c`` is answered from the canned rule lists on ``self``;
        ``*-restore -c`` captures ``process_input`` into
        ``self.out_rules`` / ``self.out6_rules`` when it carries a
        ``*filter`` marker.  Any other command falls off the end and
        returns ``None``, which the caller will not be able to unpack.
        """
        process_input = kwargs.get('process_input', None)
        if cmd == ('ip6tables-save', '-c'):
            return '\n'.join(self.in6_filter_rules), None
        if cmd == ('iptables-save', '-c'):
            return '\n'.join(self.in_rules), None
        if cmd == ('iptables-restore', '-c'):
            lines = process_input.split('\n')
            if '*filter' in lines:
                self.out_rules = lines
            return '', ''
        if cmd == (
                'ip6tables-restore',
                '-c',
        ):
            lines = process_input.split('\n')
            if '*filter' in lines:
                self.out6_rules = lines
            return '', ''

    network_model = _fake_network_info(self.stubs, 1)

    # Stub both the executor and the network lookup so no host state
    # and no real network data are touched.
    linux_net.iptables_manager.execute = fake_iptables_execute
    self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
                   lambda instance: network_model)

    self.fw.prepare_instance_filter(instance_ref, network_model)
    self.fw.apply_instance_filter(instance_ref, network_model)

    # Pre-existing rules that are not nova-owned (crude substring test)
    # must survive the rewrite unchanged.
    in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
    for rule in in_rules:
        if 'nova' not in rule:
            self.assertTrue(rule in self.out_rules,
                            'Rule went missing: %s' % rule)

    # Find the per-instance chain via the jump keyed on a 192.168.x.y
    # destination; the dots are unescaped and match any character.
    instance_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        # last two octets change
        if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule):
            instance_chain = rule.split(' ')[-1]
            break
    self.assertTrue(instance_chain, "The instance chain wasn't added")

    # The instance chain must jump to a security-group chain.
    security_group_chain = None
    for rule in self.out_rules:
        # This is pretty crude, but it'll do for now
        if '-A %s -j' % instance_chain in rule:
            security_group_chain = rule.split(' ')[-1]
            break
    self.assertTrue(security_group_chain,
                    "The security group chain wasn't added")

    # The ``[0:0]`` prefix is the packet/byte counter emitted by the
    # ``-c`` form.  NOTE(review): these patterns are non-raw strings
    # with unescaped dots, and ``len(filter(...))`` assumes Python 2's
    # list-returning filter.
    regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp '
                       '-s 192.168.11.0/24')
    self.assertTrue(
        len(filter(regex.match, self.out_rules)) > 0,
        "ICMP acceptance rule wasn't added")

    regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp '
                       '--icmp-type 8 -s 192.168.11.0/24')
    self.assertTrue(
        len(filter(regex.match, self.out_rules)) > 0,
        "ICMP Echo Request acceptance rule wasn't added")

    # Group-sourced rules must be expanded to one ACCEPT per IPv4 fixed
    # IP of the source group's members; IPv6 addresses are skipped.
    for ip in network_model.fixed_ips():
        if ip['version'] != 4:
            continue
        regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport '
                           '--dports 80:81 -s %s' % ip['address'])
        self.assertTrue(
            len(filter(regex.match, self.out_rules)) > 0,
            "TCP port 80/81 acceptance rule wasn't added")
        regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s '
                           '%s' % ip['address'])
        self.assertTrue(
            len(filter(regex.match, self.out_rules)) > 0,
            "Protocol/port-less acceptance rule wasn't added")

    regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp '
                       '-m multiport --dports 80:81 -s 192.168.10.0/24')
    self.assertTrue(
        len(filter(regex.match, self.out_rules)) > 0,
        "TCP port 80/81 acceptance rule wasn't added")
    # Not in a finally block: a failed assertion leaves the rows behind,
    # and src_instance_ref is never destroyed at all.
    db.instance_destroy(admin_ctxt, instance_ref['uuid'])