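def _get_ports_being_logged(context, sg_log):
    """Return the ids of the ACTIVE ports that ``sg_log`` applies to.

    The scope of a security-group log resource is derived, in order of
    precedence, from:

    * ``target_id`` (a port id): only that port;
    * ``resource_id`` (a security-group id): every port attached to that
      security group (``_get_ports_attached_to_sg``);
    * neither: every port of ``sg_log['project_id']``
      (``_get_ports_filter_in_tenant``).

    Ports whose status is not ``PORT_STATUS_ACTIVE`` are skipped silently;
    ports whose binding does not support ``security_group`` logging are
    skipped with a warning.

    :param context: Neutron request context used for the DB lookups.
    :param sg_log: mapping with ``target_id``, ``resource_id`` and
        ``project_id`` keys (``None`` when unset).
    :returns: list of port ids passing both checks; possibly empty.
    """
    target_id = sg_log['target_id']
    resource_id = sg_log['resource_id']

    if target_id is not None:
        # Port-scoped log.  No project-scope filter is applied on this
        # path; it relies on the port having been validated when the log
        # resource was created.  NOTE(review): confirm callers never hand
        # in an unvalidated target_id.
        port_ids = [target_id]
    elif resource_id is not None:
        # Security-group-scoped log.
        port_ids = _get_ports_attached_to_sg(context, resource_id)
    else:
        # Project-wide log.
        port_ids = _get_ports_filter_in_tenant(context, sg_log['project_id'])

    validated_port_ids = []
    for port in port_objects.Port.get_objects(context, id=port_ids):
        if port.status != const.PORT_STATUS_ACTIVE:
            continue
        if validators.validate_log_type_for_port('security_group', port):
            validated_port_ids.append(port.id)
        else:
            # Lazy %-args: the logger renders the message only when the
            # WARNING level is enabled, instead of formatting up front.
            LOG.warning("Logging type %(log_type)s is not supported on "
                        "port %(port_id)s.",
                        {'log_type': 'security_group', 'port_id': port.id})
    return validated_port_ids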
def _test_validate_log_type_for_port(self, port, expected_result):
    """Drive validate_log_type_for_port() against one OVS/normal driver.

    Registers a fake LOG_API plugin whose driver manager holds a single
    loaded driver ('driver-A') that supports ``security_group`` logging for
    ``VIF_TYPE_OVS`` / ``VNIC_NORMAL`` bindings, swaps that driver's
    ``is_logging_type_supported`` for a mock, and asserts that:

    * the validator returns ``expected_result`` for ``port``;
    * for a truthy ``expected_result`` the driver hook was called exactly
      once with 'security_group';
    * for a falsy ``expected_result`` the driver hook was never called.

    :param port: port object (or mapping) handed to the validator.
    :param expected_result: value the validator is expected to return.
    """
    driver_spec = {
        'driver-A': {
            'is_loaded': True,
            'supported_logging_types': ['security_group'],
            'vif_types': [portbindings.VIF_TYPE_OVS],
            'vnic_types': [portbindings.VNIC_NORMAL],
        },
    }
    manager = self._create_manager_with_drivers(driver_spec)

    supported_hook = mock.Mock()
    if expected_result:
        # Only the truthy case needs the hook to answer; in the falsy case
        # the test asserts the hook is never reached at all.
        supported_hook.return_value = expected_result
    driver_a = list(manager.drivers)[0]
    driver_a.is_logging_type_supported = supported_hook

    class FakeLoggingPlugin(object):
        """Minimal stand-in exposing only the driver_manager attribute."""

        def __init__(self):
            self.driver_manager = manager

    directory.add_plugin(constants.LOG_API, FakeLoggingPlugin())

    actual = validators.validate_log_type_for_port('security_group', port)
    self.assertEqual(expected_result, actual)

    if expected_result:
        supported_hook.assert_called_once_with('security_group')
    else:
        supported_hook.assert_not_called()
def validate_security_group_request(context, log_data):
    """Validate a security-group log request before it is accepted.

    Checks, in order:

    * ``resource_id`` (security-group id), when given, names an existing
      security group (``_check_sg_exists``; documented to raise
      ResourceNotFound otherwise);
    * ``target_id`` (port id), when given, names an existing port
      (``_get_port``; documented to raise TargetResourceNotFound otherwise)
      whose binding is supported by a ``security_group`` log driver -- else
      LoggingTypeNotSupported is raised here;
    * when both are given, the port is actually bound to that security
      group (``_check_port_bound_sg``; documented to raise
      InvalidResourceConstraint otherwise).

    A missing or empty value skips the corresponding check.

    NOTE(review): ``_get_port`` is assumed to apply the caller's project
    scope from ``context``; confirm, since a port id from another project
    would otherwise flow straight into the bound-to-SG check.

    :param context: Neutron request context.
    :param log_data: request body of the log resource (a mapping).
    :raises log_exc.LoggingTypeNotSupported: the target port's binding is
        not supported by any loaded log driver.
    """
    sg_id = log_data.get('resource_id')
    port_id = log_data.get('target_id')

    if sg_id:
        _check_sg_exists(context, sg_id)

    if port_id:
        port = _get_port(context, port_id)
        supported = validators.validate_log_type_for_port(
            log_const.SECURITY_GROUP, port)
        if not supported:
            raise log_exc.LoggingTypeNotSupported(
                log_type=log_const.SECURITY_GROUP, port_id=port_id)

    # The constraint only exists when both halves were supplied.
    if sg_id and port_id:
        _check_port_bound_sg(context, sg_id, port_id)
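def _get_ports_being_logged(context, sg_log):
    """Return the ids of the ACTIVE ports that ``sg_log`` applies to.

    The scope of a security-group log resource is derived, in order of
    precedence, from:

    * ``target_id`` (a port id): only that port;
    * ``resource_id`` (a security-group id): every port attached to that
      security group (``_get_ports_attached_to_sg``);
    * neither: every port of ``sg_log['project_id']``
      (``_get_ports_filter_in_tenant``).

    Ports whose status is not ``PORT_STATUS_ACTIVE`` are skipped silently;
    ports whose binding does not support ``security_group`` logging are
    skipped with a warning.

    :param context: Neutron request context used for the DB lookups.
    :param sg_log: mapping with ``target_id``, ``resource_id`` and
        ``project_id`` keys (``None`` when unset).
    :returns: list of port ids passing both checks; possibly empty.
    """
    target_id = sg_log['target_id']
    resource_id = sg_log['resource_id']

    if target_id is not None:
        # Port-scoped log.  No project-scope filter is applied on this
        # path; it relies on the port having been validated when the log
        # resource was created.  NOTE(review): confirm callers never hand
        # in an unvalidated target_id.
        port_ids = [target_id]
    elif resource_id is not None:
        # Security-group-scoped log.
        port_ids = _get_ports_attached_to_sg(context, resource_id)
    else:
        # Project-wide log.
        port_ids = _get_ports_filter_in_tenant(context, sg_log['project_id'])

    validated_port_ids = []
    for port in port_objects.Port.get_objects(context, id=port_ids):
        if port.status != const.PORT_STATUS_ACTIVE:
            continue
        if validators.validate_log_type_for_port('security_group', port):
            validated_port_ids.append(port.id)
        else:
            # Lazy %-args: the logger renders the message only when the
            # WARNING level is enabled, instead of formatting up front.
            LOG.warning("Logging type %(log_type)s is not supported on "
                        "port %(port_id)s.",
                        {'log_type': 'security_group', 'port_id': port.id})
    return validated_port_ids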
def _test_validate_log_type_for_port(self, port, expected_result):
    """Drive validate_log_type_for_port() against one OVS/normal driver.

    Registers a fake LOG_API plugin whose driver manager holds a single
    loaded driver ('driver-A') that supports ``security_group`` logging for
    ``VIF_TYPE_OVS`` / ``VNIC_NORMAL`` bindings, swaps that driver's
    ``is_logging_type_supported`` for a mock, and asserts that:

    * the validator returns ``expected_result`` for ``port``;
    * for a truthy ``expected_result`` the driver hook was called exactly
      once with 'security_group';
    * for a falsy ``expected_result`` the driver hook was never called.

    :param port: port object (or mapping) handed to the validator.
    :param expected_result: value the validator is expected to return.
    """
    driver_spec = {
        'driver-A': {
            'is_loaded': True,
            'supported_logging_types': ['security_group'],
            'vif_types': [portbindings.VIF_TYPE_OVS],
            'vnic_types': [portbindings.VNIC_NORMAL],
        },
    }
    manager = self._create_manager_with_drivers(driver_spec)

    supported_hook = mock.Mock()
    if expected_result:
        # Only the truthy case needs the hook to answer; in the falsy case
        # the test asserts the hook is never reached at all.
        supported_hook.return_value = expected_result
    driver_a = list(manager.drivers)[0]
    driver_a.is_logging_type_supported = supported_hook

    class FakeLoggingPlugin(object):
        """Minimal stand-in exposing only the driver_manager attribute."""

        def __init__(self):
            self.driver_manager = manager

    directory.add_plugin(plugin_const.LOG_API, FakeLoggingPlugin())

    actual = validators.validate_log_type_for_port('security_group', port)
    self.assertEqual(expected_result, actual)

    if expected_result:
        supported_hook.assert_called_once_with('security_group')
    else:
        supported_hook.assert_not_called()
def validate_security_group_request(context, log_data):
    """Validate a security-group log request before it is accepted.

    Checks, in order:

    * ``resource_id`` (security-group id), when given, names an existing
      security group (``_check_sg_exists``; documented to raise
      ResourceNotFound otherwise);
    * ``target_id`` (port id), when given, names an existing port
      (``_get_port``; documented to raise TargetResourceNotFound otherwise)
      whose binding is supported by a ``security_group`` log driver -- else
      LoggingTypeNotSupported is raised here;
    * when both are given, the port is actually bound to that security
      group (``_check_port_bound_sg``; documented to raise
      InvalidResourceConstraint otherwise).

    A missing or empty value skips the corresponding check.

    NOTE(review): ``_get_port`` is assumed to apply the caller's project
    scope from ``context``; confirm, since a port id from another project
    would otherwise flow straight into the bound-to-SG check.

    :param context: Neutron request context.
    :param log_data: request body of the log resource (a mapping).
    :raises log_exc.LoggingTypeNotSupported: the target port's binding is
        not supported by any loaded log driver.
    """
    sg_id = log_data.get('resource_id')
    port_id = log_data.get('target_id')

    if sg_id:
        _check_sg_exists(context, sg_id)

    if port_id:
        port = _get_port(context, port_id)
        supported = validators.validate_log_type_for_port(
            log_const.SECURITY_GROUP, port)
        if not supported:
            raise log_exc.LoggingTypeNotSupported(
                log_type=log_const.SECURITY_GROUP, port_id=port_id)

    # The constraint only exists when both halves were supplied.
    if sg_id and port_id:
        _check_port_bound_sg(context, sg_id, port_id)
def _check_fwg_port(context, port_id):
    """Verify that ``port_id`` may be the target of a firewall-group log.

    The port must exist, be either a compute (VM) port whose binding is
    supported by a firewall-group log driver or a router-interface port
    (``ROUTER_INTERFACE_OWNERS``), be ``PORT_STATUS_ACTIVE``, and be
    attached to a firewall group whose status is ``ACTIVE``.

    NOTE(review): the port lookup is assumed to be scoped by ``context``
    (non-admin callers only see their own ports); confirm.

    :param context: Neutron request context.
    :param port_id: id of the port named by the log request.
    :raises log_exc.TargetResourceNotFound: no such port is visible.
    :raises log_exc.LoggingTypeNotSupported: VM port with an unsupported
        binding, or a device_owner that is neither compute nor a router
        interface.
    :raises fwg_log_exc.PortIsNotReadyForLogging: port is not ACTIVE.
    :raises fwg_log_exc.TargetResourceNotAssociated: no firewall group is
        attached to the port.
    :raises fwg_log_exc.FWGIsNotReadyForLogging: the attached firewall
        group is not ACTIVE.
    """
    port = ports.Port.get_object(context, id=port_id)
    if not port:
        raise log_exc.TargetResourceNotFound(target_id=port_id)

    owner = port.get('device_owner', '')
    is_vm_port = owner.startswith(nl_const.DEVICE_OWNER_COMPUTE_PREFIX)
    if is_vm_port:
        # A VM port additionally needs a log driver for its binding.
        if not validators.validate_log_type_for_port(
                log_const.FIREWALL_GROUP, port):
            raise log_exc.LoggingTypeNotSupported(
                log_type=log_const.FIREWALL_GROUP, port_id=port_id)
    elif owner not in nl_const.ROUTER_INTERFACE_OWNERS:
        # Neither a VM port nor a router / DVR / HA-replicated interface.
        raise log_exc.LoggingTypeNotSupported(
            log_type=log_const.FIREWALL_GROUP, port_id=port_id)

    status = port.get('status')
    if status != nl_const.PORT_STATUS_ACTIVE:
        raise fwg_log_exc.PortIsNotReadyForLogging(target_id=port_id,
                                                    port_status=status)

    # The port must be bound to a firewall group, and that group must be
    # ACTIVE, before logging can be enabled on it.
    fwg_id = fwg_plugin.driver.firewall_db.get_fwg_attached_to_port(
        context, port_id=port_id)
    if not fwg_id:
        raise fwg_log_exc.TargetResourceNotAssociated(target_id=port_id)

    fwg = fwg_plugin.get_firewall_group(context, id=fwg_id)
    if fwg['status'] != nl_const.ACTIVE:
        raise fwg_log_exc.FWGIsNotReadyForLogging(fwg_id=fwg_id,
                                                  fwg_status=fwg['status'])