def _example_collection(self): collection = cloud_models.Collection() webappsg = cloud_models.SecurityGroup(name='webapp') collection.nodes.add(cloud_models.Node(name='webapp', image='trusty', flavor='n1-standard-2', disk=37, networks=[], security_groups=set([webappsg]), private=mock.sentinel.webapp1priv)) collection.nodes.add(cloud_models.Node(name='webapp2', image='trusty', flavor='n1-standard-2', disk=37, networks=[], security_groups=set([webappsg]), script='#!/bin/bash\necho hello\n', private=mock.sentinel.webapp2priv)) collection.security_groups.add(webappsg) collection.security_group_rules.add(cloud_models.SecurityGroupRule(security_group=webappsg, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp')) collection.security_group_rules.add(cloud_models.SecurityGroupRule(security_group=webappsg, source_ip='212.10.10.10/32', from_port=8000, to_port=8080, protocol='tcp')) return collection
def test_detect_resources(self): node1 = models.Node(name='node1', flavor='n1-standard-4', image='ubuntu1404-12345678', networks=[], disk=20) node2 = models.Node(name='node2', flavor='n1-standard-4', image='ubuntu1404-12345678', networks=[], disk=20) node1.security_group_names = set(['webapp', 'ssh']) node2.security_group_names = set(['webapp']) sg_webapp = models.SecurityGroup(name='webapp') sg_ssh = models.SecurityGroup(name='ssh') sgr_https = models.SecurityGroupRule(security_group=sg_webapp, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp') sgr_ssh = models.SecurityGroupRule(security_group=sg_ssh, source_ip='0.0.0.0/0', from_port=22, to_port=22, protocol='tcp') class TestDriver(base.CloudDriver): def detect_nodes(self): return set([node1, node2]) def detect_firewalls(self): return (set([sg_webapp, sg_ssh]), set([sgr_https, sgr_ssh])) cloud_driver = TestDriver() collection = cloud_driver.detect_resources() self.assertIn(node1, collection.nodes) self.assertIn(node2, collection.nodes) self.assertIn(sg_webapp, collection.nodes['node1'].security_groups) self.assertIn(sg_ssh, collection.nodes['node1'].security_groups) self.assertIn(sg_webapp, collection.nodes['node2'].security_groups) self.assertIn(sg_webapp, collection.security_groups) self.assertIn(sg_ssh, collection.security_groups) self.assertIn(sgr_https, collection.security_group_rules) self.assertIn(sgr_ssh, collection.security_group_rules)
def test_format_ports(self): sg = cloud_models.SecurityGroup(name='sg') sgr1 = cloud_models.SecurityGroupRule(security_group=sg, source_ip='1.2.3.4', from_port=10, to_port=20, protocol='tcp') sgr2 = cloud_models.SecurityGroupRule(security_group=sg, source_ip='1.2.3.4', from_port=10, to_port=10, protocol='tcp') self.assertEquals(self.cloud_driver._format_ports(sgr1), '10-20') self.assertEquals(self.cloud_driver._format_ports(sgr2), '10')
def test_source_ranges(self): sg = cloud_models.SecurityGroup(name='sg') sgr1 = cloud_models.SecurityGroupRule(security_group=sg, source_ip='1.2.3.4', from_port=10, to_port=20, protocol='tcp') sgr2 = cloud_models.SecurityGroupRule(security_group=sg, source_ip='0.0.0.0/0', from_port=10, to_port=10, protocol='tcp') self.assertEquals(self.cloud_driver._source_ranges(sgr1), ['1.2.3.4']) self.assertEquals(self.cloud_driver._source_ranges(sgr2), None)
def test_detect_firewalls(self, connection): class AWSSecurityGroup(object): def __init__(self, id, name, ingress_rules): self.id = id self.name = name self.ingress_rules = ingress_rules sg1 = AWSSecurityGroup(id='sg-1234567', name='default', ingress_rules=[{ 'from_port': '80', 'to_port': '81', 'protocol': 'tcp', 'cidr_ips': ['1.2.3.4/32'] }, { 'from_port': '8080', 'to_port': '8081', 'protocol': 'udp', 'group_pairs': [{ 'group_id': 'sg-7654321' }] }]) sg2 = AWSSecurityGroup(id='sg-7654321', name='www', ingress_rules=[]) connection.ex_get_security_groups.return_value = [sg1, sg2] sg1_ = cloud_models.SecurityGroup(name='default') sg2_ = cloud_models.SecurityGroup(name='www') expected_sgs = set([sg1_, sg2_]) expected_sgrs = set([ cloud_models.SecurityGroupRule(security_group=sg1_, from_port=80, to_port=81, protocol='tcp', source_ip='1.2.3.4/32'), cloud_models.SecurityGroupRule(security_group=sg1_, from_port=8080, to_port=8081, protocol='udp', source_group='www') ]) self.assertEqual(self.cloud_driver.detect_firewalls(), (expected_sgs, expected_sgrs))
def test_delete_security_group_rule(self): sg = models.SecurityGroup(name='webapp') sgr = models.SecurityGroupRule(security_group=sg, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp') base.CloudDriver().delete_security_group_rule(sgr)
def test_detect_firewalls(self, connection): fw1, fw2, fw3, fw4 = self._get_firewalls() connection.ex_list_firewalls.return_value = [fw1, fw2, fw3, fw4] security_groups, security_group_rules = self.cloud_driver.detect_firewalls( ) self.assertIn(cloud_models.SecurityGroup(name='webapp'), security_groups) self.assertIn(cloud_models.SecurityGroup(name='dev'), security_groups) webapp = cloud_models.SecurityGroup(name='webapp') dev = cloud_models.SecurityGroup(name='dev') globalsg = cloud_models.SecurityGroup(name='global') self.assertIn(webapp, security_groups) self.assertIn(dev, security_groups) self.assertIn( cloud_models.SecurityGroupRule(security_group=webapp, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp'), security_group_rules) self.assertIn( cloud_models.SecurityGroupRule(security_group=globalsg, source_ip='0.0.0.0/0', from_port=22, to_port=22, protocol='tcp'), security_group_rules) self.assertIn( cloud_models.SecurityGroupRule(security_group=globalsg, source_ip='0.0.0.0/0', from_port=8000, to_port=8080, protocol='tcp'), security_group_rules) self.assertIn( cloud_models.SecurityGroupRule(security_group=webapp, source_group='frontend', from_port=21, to_port=21, protocol='tcp'), security_group_rules)
def setUp(self): self.sg1 = cloud_models.SecurityGroup(name='sg1') self.sgr1 = cloud_models.SecurityGroupRule(security_group=self.sg1, from_port=443, to_port=443, source_ip='0.0.0.0/0', protocol='tcp') self.sgr2 = cloud_models.SecurityGroupRule(security_group=self.sg1, from_port=80, to_port=80, source_ip='0.0.0.0/0', protocol='tcp') self.node1 = cloud_models.Node(name='node1', image='image', flavor='image', networks=[], disk=10, security_groups=set([self.sg1])) self.current = cloud_models.Collection() self.desired = cloud_models.Collection()
def test_delete_security_group_rule(self, connection): sg = cloud_models.SecurityGroup(name='sg') sgr = cloud_models.SecurityGroupRule(security_group=sg, source_ip='1.2.3.4', from_port=10, to_port=20, protocol='tcp', private=mock.sentinel.sgrpriv) self.cloud_driver.delete_security_group_rule(sgr) connection.ex_destroy_firewall.assert_called_with(mock.sentinel.sgrpriv)
def test_add_security_group_rule_with_source_group(self, sg_name_to_id, connection): sg = cloud_models.SecurityGroup(name='sg') sgr = cloud_models.SecurityGroupRule(security_group=sg, from_port=123, to_port=234, source_group='www', protocol='tcp') self.cloud_driver.create_security_group_rule(sgr) connection.ex_authorize_security_group_ingress.assert_called_with(id=sg_name_to_id.return_value, from_port=123, to_port=234, protocol='tcp', group_pairs=[{'group_name': 'www'}])
def test_create_security_group_rule(self, connection): sg = cloud_models.SecurityGroup(name='sg') sgr = cloud_models.SecurityGroupRule(security_group=sg, source_ip='1.2.3.4', from_port=10, to_port=20, protocol='tcp') self.cloud_driver.create_security_group_rule(sgr) connection.ex_create_firewall.assert_called_with(name='sg-tcp-10-20', allowed=[{'IPProtocol': 'tcp', 'ports': ['10-20']}], source_ranges=['1.2.3.4'], target_tags=['sg'])
def test_as_dict(self): sg = models.SecurityGroup(name='sgname') sgr = models.SecurityGroupRule(security_group=sg, from_port=8000, to_port=8080, source_ip='1.2.3.4/32', protocol='tcp') self.assertEquals( sgr.as_dict(), { 'from_port': 8000, 'protocol': 'tcp', 'security_group': 'sgname', 'source_ip': '1.2.3.4/32', 'to_port': 8080 })
def test_with_script(self, interpolate, log): collection = loader.load( self._get_full_path_for_test_data('with_script.yaml')) sg = cloud_models.SecurityGroup(name='webapp') script = '#!/bin/sh\nadduser --system web\napt-get install python-virtualenv\netc. etc. etc.\n' self.assertIn( cloud_models.Node(name='webapp1', flavor='webapp', image='trusty', disk=10, networks=[], security_groups=set([sg]), script=interpolate.return_value), collection.nodes) self.assertIn( cloud_models.Node(name='webapp2', flavor='webapp', image='trusty', disk=10, networks=[], security_groups=set([sg]), script=interpolate.return_value), collection.nodes) interpolate.assert_called_with(script, None) self.assertIn(sg, collection.security_groups) self.assertIn( cloud_models.SecurityGroupRule(security_group=sg, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp'), collection.security_group_rules) self.assertEqual(len(collection.nodes), 2) self.assertEqual(len(collection.security_groups), 1) self.assertEqual(len(collection.security_group_rules), 1) log.check(('aasemble.deployment.loader', 'DEBUG', 'Loaded node webapp1 from stack'), ('aasemble.deployment.loader', 'DEBUG', 'Loaded node webapp2 from stack'), ('aasemble.deployment.loader', 'DEBUG', 'Loaded security group webapp from stack'), ('aasemble.deployment.loader', 'DEBUG', 'Loaded security group rule from stack: tcp: 443-443'))
def detect_firewalls(self): security_group_set = set() security_group_rule_set = set() firewalls = self.connection.ex_list_firewalls() security_group_names = self._get_all_security_group_names(firewalls) security_groups = {} for security_group_name in security_group_names: LOG.info('Detected security group: %s' % security_group_name) security_group = cloud_models.SecurityGroup( name=security_group_name) security_groups[security_group_name] = security_group security_group_set.add(security_group) for firewall in firewalls: for tag in (firewall.target_tags or ['global']): for allowed in firewall.allowed: from_port, to_port = self._parse_port_spec(allowed) protocol = allowed['IPProtocol'] kwargs = { 'security_group': security_groups[tag], 'from_port': from_port, 'to_port': to_port, 'protocol': protocol } if firewall.source_tags: kwargs['source_group'] = firewall.source_tags[0] else: kwargs['source_ip'] = firewall.source_ranges[0] security_group_rule = cloud_models.SecurityGroupRule( **kwargs) security_group_rule.private = firewall LOG.info( 'Detected security group rule for security group %s: %s: %d-%d' % (tag, protocol, from_port, to_port)) security_group_rule_set.add(security_group_rule) return security_group_set, security_group_rule_set
def test_with_security_groups(self, log): collection = loader.load( self._get_full_path_for_test_data('with_security_groups.yaml')) sg = cloud_models.SecurityGroup(name='webapp') self.assertIn( cloud_models.Node(name='webapp1', flavor='webapp', image='trusty', disk=10, networks=[], security_groups=set([sg])), collection.nodes) self.assertIn( cloud_models.Node(name='webapp2', flavor='webapp', image='trusty', disk=10, networks=[], security_groups=set([sg])), collection.nodes) self.assertIn(sg, collection.security_groups) self.assertIn( cloud_models.SecurityGroupRule(security_group=sg, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp'), collection.security_group_rules) self.assertEqual(len(collection.nodes), 2) self.assertEqual(len(collection.security_groups), 1) self.assertEqual(len(collection.security_group_rules), 1) log.check(('aasemble.deployment.loader', 'DEBUG', 'Loaded node webapp1 from stack'), ('aasemble.deployment.loader', 'DEBUG', 'Loaded node webapp2 from stack'), ('aasemble.deployment.loader', 'DEBUG', 'Loaded security group webapp from stack'), ('aasemble.deployment.loader', 'DEBUG', 'Loaded security group rule from stack: tcp: 443-443'))
def detect_firewalls(self): security_group_set = set() security_group_rule_set = set() for security_group in self.connection.ex_get_security_groups(): sg = cloud_models.SecurityGroup(name=security_group.name) security_group_set.add(sg) for rule in security_group.ingress_rules: kwargs = {'security_group': sg, 'from_port': rule['from_port'] and int(rule['from_port']), 'to_port': rule['to_port'] and int(rule['to_port']), 'protocol': rule['protocol']} if 'cidr_ips' in rule and rule['cidr_ips']: kwargs['source_ip'] = rule['cidr_ips'][0] else: kwargs['source_group'] = self.sg_id_to_name(rule['group_pairs'][0]['group_id']) sgr = cloud_models.SecurityGroupRule(**kwargs) security_group_rule_set.add(sgr) return security_group_set, security_group_rule_set
def build_security_groups_and_rules(data): security_groups = set() security_group_rules = set() for name in data.get('security_groups', {}): LOG.debug('Loaded security group %s from stack' % name) security_group_info = data['security_groups'][name] security_group = cloud_models.SecurityGroup(name=name) security_groups.add(security_group) for rule in security_group_info: LOG.debug('Loaded security group rule from stack: %s: %d-%d' % (rule['protocol'], rule['from_port'], rule['to_port'])) kwargs = {'security_group': security_group, 'from_port': rule['from_port'], 'to_port': rule['to_port'], 'protocol': rule['protocol']} if 'cidr' in rule: kwargs['source_ip'] = rule['cidr'] elif 'source_group' in rule: kwargs['source_group'] = rule['source_group'] security_group_rule = cloud_models.SecurityGroupRule(**kwargs) security_group_rules.add(security_group_rule) return security_groups, security_group_rules
def test_cluster_data(self): collection = cloud_models.Collection() lb = cloud_models.Node(name='lb', image='trusty', flavor='512mb', disk=27, networks=[]) web1 = cloud_models.Node(name='web1', image='trusty', flavor='512mb', disk=27, networks=[]) web2 = cloud_models.Node(name='web2', image='trusty', flavor='512mb', disk=27, networks=[]) db = cloud_models.Node(name='db', image='trusty', flavor='512mb', disk=27, networks=[]) frontend_sg = cloud_models.SecurityGroup(name='frontend') frontend_http_sgr = cloud_models.SecurityGroupRule( security_group=frontend_sg, source_ip='0.0.0.0/0', from_port=80, to_port=80, protocol='tcp') frontend_https_sgr = cloud_models.SecurityGroupRule( security_group=frontend_sg, source_ip='0.0.0.0/0', from_port=443, to_port=443, protocol='tcp') lb.security_groups.add(frontend_sg) backend_sg = cloud_models.SecurityGroup(name='backend') backend_http_sgr = cloud_models.SecurityGroupRule( security_group=backend_sg, source_group='frontend', from_port=80, to_port=80, protocol='tcp') web1.security_groups.add(backend_sg) web2.security_groups.add(backend_sg) db_sg = cloud_models.SecurityGroup(name='mysql') mysql_sgr = cloud_models.SecurityGroupRule(security_group=db_sg, source_group='backend', from_port=3306, to_port=3306, protocol='tcp') db.security_groups.add(db_sg) collection.nodes.add(lb) collection.nodes.add(web1) collection.nodes.add(web2) collection.nodes.add(db) collection.nodes.add(db) collection.security_groups.add(frontend_sg) collection.security_groups.add(backend_sg) collection.security_groups.add(db_sg) collection.security_group_rules.add(frontend_http_sgr) collection.security_group_rules.add(frontend_https_sgr) collection.security_group_rules.add(backend_http_sgr) collection.security_group_rules.add(mysql_sgr) collection.urls.append( cloud_models.URLConfStatic(hostname='example.com', path='/foo/bar', local_path='/data')) collection.urls.append( cloud_models.URLConfBackend(hostname='example.com', path='/foo/bar', destination='somebackend/somepath')) self.maxDiff = None self.assertEqual( self.cloud_driver.cluster_data(collection), { 'containers': [{ 'host_network': True, 'image': 'aasemble/fwmanager', 'name': 'fwmanager', 'nodes': '.*', 'privileged': True }], 'tasks': [], 'proxyconf': { 'backends': ['somebackend'], 'domains': { 'example.com': { '/foo/bar': { 'destination': 'somebackend/somepath', 'type': 'backend' } } } }, 'fwconf': { 'security_groups': { 'backend': { 'nodes': ['web1', 'web2'], 'rules': [{ 'from_port': 80, 'protocol': 'tcp', 'source_group': 'frontend', 'to_port': 80 }] }, 'frontend': { 'nodes': ['lb'], 'rules': [{ 'from_port': 443, 'protocol': 'tcp', 'source_ip': '0.0.0.0/0', 'to_port': 443 }, { 'from_port': 80, 'protocol': 'tcp', 'source_ip': '0.0.0.0/0', 'to_port': 80 }] }, 'mysql': { 'nodes': ['db'], 'rules': [{ 'from_port': 3306, 'protocol': 'tcp', 'source_group': 'backend', 'to_port': 3306 }] } } } })