def test_create(self, db_mock): rule = objects.SecurityGroupRule(context=self.context) rule.protocol = 'tcp' secgroup = objects.SecurityGroup() secgroup.id = 123 parentgroup = objects.SecurityGroup() parentgroup.id = 223 rule.grantee_group = secgroup rule.parent_group = parentgroup rule.create() updates = db_mock.call_args[0][1] self.assertEqual(fake_rule['id'], rule.id) self.assertEqual(updates['group_id'], rule.grantee_group.id) self.assertEqual(updates['parent_group_id'], rule.parent_group.id)
def _create_security_group(self, instance_ref): secgroup = objects.SecurityGroup(id=1, user_id='fake', project_id='fake', name='testgroup', description='test group description') secgroup_list = objects.SecurityGroupList() secgroup_list.objects.append(secgroup) instance_ref.security_groups = secgroup_list return secgroup
def test_get_by_security_group(self): secgroup = objects.SecurityGroup() secgroup.id = 123 rule = dict(fake_rule) rule['grantee_group'] = dict(test_security_group.fake_secgroup, id=123) stupid_method = 'security_group_rule_get_by_security_group' with mock.patch.object(db, stupid_method) as sgrgbsg: sgrgbsg.return_value = [rule] rules = (objects.SecurityGroupRuleList.get_by_security_group( self.context, secgroup)) self.assertEqual(1, len(rules)) self.assertEqual(123, rules[0].grantee_group.id)
def make_secgroup_list(security_groups): """A helper to make security group objects from a list of names. Note that this does not make them save-able or have the rest of the attributes they would normally have, but provides a quick way to fill, for example, an instance object during create. """ secgroups = objects.SecurityGroupList() secgroups.objects = [] for name in security_groups: secgroup = objects.SecurityGroup() secgroup.name = name secgroups.objects.append(secgroup) return secgroups
def make_secgroup_list(security_groups): """A helper to make security group objects from a list of names or uuids. Note that this does not make them save-able or have the rest of the attributes they would normally have, but provides a quick way to fill, for example, an instance object during create. """ secgroups = objects.SecurityGroupList() secgroups.objects = [] for sg in security_groups: secgroup = objects.SecurityGroup() if uuidutils.is_uuid_like(sg): # This is a neutron security group uuid so store in the uuid field. secgroup.uuid = sg else: # This is neutron's special 'default' security group secgroup.name = sg secgroups.objects.append(secgroup) return secgroups
def test_static_filters(self, mock_secrule, mock_instlist): UUID = "2674993b-6adb-4733-abd9-a7c10cc1f146" SRC_UUID = "0e0a76b2-7c52-4bc0-9a60-d83017e42c1a" instance_ref = self._create_instance_ref(UUID) src_instance_ref = self._create_instance_ref(SRC_UUID) secgroup = objects.SecurityGroup(id=1, user_id='fake', project_id='fake', name='testgroup', description='test group') src_secgroup = objects.SecurityGroup(id=2, user_id='fake', project_id='fake', name='testsourcegroup', description='src group') r1 = objects.SecurityGroupRule(parent_group_id=secgroup.id, protocol='icmp', from_port=-1, to_port=-1, cidr='192.168.11.0/24', grantee_group=None) r2 = objects.SecurityGroupRule(parent_group_id=secgroup.id, protocol='icmp', from_port=8, to_port=-1, cidr='192.168.11.0/24', grantee_group=None) r3 = objects.SecurityGroupRule(parent_group_id=secgroup.id, protocol='tcp', from_port=80, to_port=81, cidr='192.168.10.0/24', grantee_group=None) r4 = objects.SecurityGroupRule(parent_group_id=secgroup.id, protocol='tcp', from_port=80, to_port=81, cidr=None, grantee_group=src_secgroup, group_id=src_secgroup.id) r5 = objects.SecurityGroupRule(parent_group_id=secgroup.id, protocol=None, cidr=None, grantee_group=src_secgroup, group_id=src_secgroup.id) secgroup_list = objects.SecurityGroupList() secgroup_list.objects.append(secgroup) src_secgroup_list = objects.SecurityGroupList() src_secgroup_list.objects.append(src_secgroup) instance_ref.security_groups = secgroup_list src_instance_ref.security_groups = src_secgroup_list mock_secrule.return_value = objects.SecurityGroupRuleList( objects=[r1, r2, r3, r4, r5]) def _fake_instlist(ctxt, id): if id == src_secgroup.id: insts = objects.InstanceList() insts.objects.append(src_instance_ref) return insts else: insts = objects.InstanceList() insts.objects.append(instance_ref) return insts mock_instlist.side_effect = _fake_instlist def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('ip6tables-save', '-c'): return '\n'.join(self.in6_filter_rules), None if cmd == ('iptables-save', '-c'): return '\n'.join(self.in_rules), None if cmd == ('iptables-restore', '-c'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ( 'ip6tables-restore', '-c', ): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' network_model = _fake_network_info(self, 1) linux_net.iptables_manager.execute = fake_iptables_execute self.stubs.Set(compute_utils, 'get_nw_info_for_instance', lambda instance: network_model) self.fw.prepare_instance_filter(instance_ref, network_model) self.fw.apply_instance_filter(instance_ref, network_model) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) for rule in in_rules: if 'nova' not in rule: self.assertIn(rule, self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now # last two octets change if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule): instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp ' '-s 192.168.11.0/24') self.assertGreater(len(filter(regex.match, self.out_rules)), 0, "ICMP acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp ' '--icmp-type 8 -s 192.168.11.0/24') self.assertGreater(len(filter(regex.match, self.out_rules)), 0, "ICMP Echo Request acceptance rule wasn't added") for ip in network_model.fixed_ips(): if ip['version'] != 4: continue regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport ' '--dports 80:81 -s %s' % ip['address']) self.assertGreater(len(filter(regex.match, self.out_rules)), 0, "TCP port 80/81 acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s ' '%s' % ip['address']) self.assertGreater( len(filter(regex.match, self.out_rules)), 0, "Protocol/port-less acceptance rule" " wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp ' '-m multiport --dports 80:81 -s 192.168.10.0/24') self.assertGreater(len(filter(regex.match, self.out_rules)), 0, "TCP port 80/81 acceptance rule wasn't added")
def _from_db_subgroup(context, db_group): if db_group is None: return None return objects.SecurityGroup._from_db_object( context, objects.SecurityGroup(context), db_group)