예제 #1
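def _get_ports_being_logged(context, sg_log):
    """Return the IDs of the ports a security-group log resource covers.

    Candidate ports are selected from ``sg_log`` in this order of precedence:

    1. ``target_id`` (a port ID), when it is not None;
    2. otherwise the ports returned by ``_get_ports_attached_to_sg`` for
       ``resource_id`` (a security group ID), when it is not None;
    3. otherwise the ports returned by ``_get_ports_filter_in_tenant`` for
       ``project_id``.

    A candidate is kept only if its status is ACTIVE and
    ``validators.validate_log_type_for_port`` accepts it for the
    'security_group' log type.

    :param context: request context, passed through to the helpers and to
        ``Port.get_objects``.
    :param sg_log: mapping that must contain 'target_id' and 'resource_id';
        'project_id' is read only when both of those are None.
    :returns: list of port IDs that are ACTIVE and support the log type.
    """

    target_id = sg_log['target_id']
    resource_id = sg_log['resource_id']

    # if 'target_id' (port_id) is specified in a log_resource
    if target_id is not None:
        port_ids = [target_id]
    # if 'resource_id' (sg_id) is specified in a log_resource
    elif resource_id is not None:
        port_ids = _get_ports_attached_to_sg(context, resource_id)
    # both 'resource_id' and 'target_id' aren't specified in a log_resource
    else:
        port_ids = _get_ports_filter_in_tenant(context, sg_log['project_id'])

    # IDs of the ports that pass both checks below
    validated_port_ids = []
    ports = port_objects.Port.get_objects(context, id=port_ids)
    for port in ports:
        # Ports that are not ACTIVE are dropped without any log record.
        # NOTE(review): confirm that a later status change re-runs this
        # selection, otherwise such a port stays outside logging coverage.
        if port.status != const.PORT_STATUS_ACTIVE:
            continue
        if validators.validate_log_type_for_port('security_group', port):
            validated_port_ids.append(port.id)
        else:
            # Pass the arguments to the logger instead of pre-formatting, so
            # the message is only interpolated when the record is emitted.
            LOG.warning("Logging type %(log_type)s is not supported on "
                        "port %(port_id)s.",
                        {'log_type': 'security_group',
                         'port_id': port.id})

    return validated_port_ids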
예제 #2
    def _test_validate_log_type_for_port(self, port, expected_result):
        """Assert validate_log_type_for_port() yields ``expected_result``.

        Builds a driver manager holding a single loaded driver ('driver-A')
        that declares support for 'security_group' on OVS / normal-vNIC
        ports, swaps the driver's ``is_logging_type_supported`` for a mock,
        and registers a fake logging plugin exposing that manager.

        :param port: port object handed to the validator.
        :param expected_result: value the validator is expected to return;
            when truthy it is also what the mocked driver check returns.
        """
        driver_spec = {
            'is_loaded': True,
            'supported_logging_types': ['security_group'],
            'vif_types': [portbindings.VIF_TYPE_OVS],
            'vnic_types': [portbindings.VNIC_NORMAL]
        }
        driver_manager = self._create_manager_with_drivers(
            {'driver-A': driver_spec})

        supported_mock = mock.Mock()
        if expected_result:
            supported_mock.return_value = expected_result
        first_driver = list(driver_manager.drivers)[0]
        first_driver.is_logging_type_supported = supported_mock

        class FakeLoggingPlugin(object):
            def __init__(self):
                self.driver_manager = driver_manager

        # NOTE(review): this registers a plugin in the shared directory;
        # presumably the test base class resets it between tests - confirm.
        directory.add_plugin(constants.LOG_API, FakeLoggingPlugin())

        actual = validators.validate_log_type_for_port('security_group', port)
        self.assertEqual(expected_result, actual)
        # The driver must be consulted exactly once on the supported path and
        # never on the unsupported path.
        if not expected_result:
            supported_mock.assert_not_called()
        else:
            supported_mock.assert_called_once_with('security_group')
예제 #3
def validate_security_group_request(context, log_data):
    """Validate a security-group log request.

    Checks performed, in order:

    * if ``resource_id`` is given, ``_check_sg_exists`` is called for it
      (per the original contract, ResourceNotFound is raised when the
      resource does not exist);
    * if ``target_id`` is given, the port is fetched with ``_get_port``
      (per the original contract, TargetResourceNotFound is raised when it
      does not exist) and LoggingTypeNotSupported is raised when
      ``validators.validate_log_type_for_port`` rejects the port;
    * if both are given, ``_check_port_bound_sg`` is called (per the
      original contract, InvalidResourceConstraint is raised when there is
      no constraint between resource_id and target_id).

    Both IDs are tested for truthiness, so None, a missing key and an empty
    string are all treated as "not specified". When neither ID is given,
    this function performs no check at all.

    :param context: request context passed through to the helpers.
    :param log_data: mapping that may carry 'resource_id' and 'target_id'.
    """

    sg_id = log_data.get('resource_id')
    port_id = log_data.get('target_id')

    if sg_id:
        _check_sg_exists(context, sg_id)

    if port_id:
        port = _get_port(context, port_id)
        is_supported = validators.validate_log_type_for_port(
            log_const.SECURITY_GROUP, port)
        if not is_supported:
            raise log_exc.LoggingTypeNotSupported(
                log_type=log_const.SECURITY_GROUP, port_id=port_id)

    # NOTE(review): whether the caller may see/own these resources is not
    # checked here; presumably the helpers enforce it via context - confirm.
    if sg_id and port_id:
        _check_port_bound_sg(context, sg_id, port_id)
예제 #4
파일: db_api.py 프로젝트: igordcard/neutron
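def _get_ports_being_logged(context, sg_log):
    """Return a list of port IDs being logged for a log_resource.

    The candidate set comes from the first of these that applies:
    ``sg_log['target_id']`` (a single port), the ports attached to
    ``sg_log['resource_id']`` (a security group), or all ports selected by
    ``_get_ports_filter_in_tenant`` for ``sg_log['project_id']``.

    Only candidates whose status is ACTIVE and for which
    ``validators.validate_log_type_for_port('security_group', port)`` is
    truthy are returned. Unsupported ACTIVE ports produce a warning.

    :param context: request context used for every lookup.
    :param sg_log: mapping with 'target_id' and 'resource_id' keys, plus
        'project_id' when both of the former are None.
    :returns: list of validated port IDs.
    """

    target_id = sg_log['target_id']
    resource_id = sg_log['resource_id']

    # if 'target_id' (port_id) is specified in a log_resource
    if target_id is not None:
        port_ids = [target_id]
    # if 'resource_id' (sg_id) is specified in a log_resource
    elif resource_id is not None:
        port_ids = _get_ports_attached_to_sg(context, resource_id)
    # both 'resource_id' and 'target_id' aren't specified in a log_resource
    else:
        port_ids = _get_ports_filter_in_tenant(context, sg_log['project_id'])

    # list of validated ports being logged
    validated_port_ids = []
    ports = port_objects.Port.get_objects(context, id=port_ids)
    for port in ports:
        # Non-ACTIVE ports are skipped silently (no warning is emitted).
        # NOTE(review): verify that logging is re-evaluated once such a port
        # becomes ACTIVE, so it does not remain unlogged.
        if port.status != const.PORT_STATUS_ACTIVE:
            continue
        if validators.validate_log_type_for_port('security_group', port):
            validated_port_ids.append(port.id)
        else:
            # Deferred interpolation: the logger formats the message only if
            # the warning is actually emitted.
            LOG.warning(
                "Logging type %(log_type)s is not supported on "
                "port %(port_id)s.",
                {'log_type': 'security_group', 'port_id': port.id})

    return validated_port_ids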
예제 #5
    def _test_validate_log_type_for_port(self, port, expected_result):
        """Run validate_log_type_for_port() on ``port`` and check the outcome.

        A manager with one loaded driver ('driver-A', supporting
        'security_group' for OVS VIFs and normal vNICs) is created, the
        driver's ``is_logging_type_supported`` is replaced by a mock, and a
        fake plugin exposing the manager is registered under the LOG_API
        alias.

        :param port: port object passed to the validator.
        :param expected_result: expected return value of the validator; when
            truthy, the mocked driver check is configured to return it.
        """
        drivers_config = {
            'driver-A': {
                'is_loaded': True,
                'supported_logging_types': ['security_group'],
                'vif_types': [portbindings.VIF_TYPE_OVS],
                'vnic_types': [portbindings.VNIC_NORMAL]
            }
        }
        driver_manager = self._create_manager_with_drivers(drivers_config)

        type_check_mock = mock.Mock()
        if expected_result:
            type_check_mock.return_value = expected_result
        loaded_drivers = list(driver_manager.drivers)
        loaded_drivers[0].is_logging_type_supported = type_check_mock

        class FakeLoggingPlugin(object):
            def __init__(self):
                self.driver_manager = driver_manager

        # NOTE(review): the plugin is added to the shared directory; cleanup
        # is presumably handled by the test base class - confirm.
        directory.add_plugin(plugin_const.LOG_API, FakeLoggingPlugin())

        result = validators.validate_log_type_for_port('security_group', port)
        self.assertEqual(expected_result, result)
        # Supported path: the driver is asked exactly once. Unsupported path:
        # the driver is never asked.
        if expected_result:
            type_check_mock.assert_called_once_with('security_group')
        else:
            type_check_mock.assert_not_called()
예제 #6
def validate_security_group_request(context, log_data):
    """Validate a log request for the security-group log type.

    Per the original contract:

    * ResourceNotFound is raised if ``resource_id`` in ``log_data`` does not
      exist (checked through ``_check_sg_exists``);
    * TargetResourceNotFound is raised if ``target_id`` in ``log_data`` does
      not exist (looked up through ``_get_port``);
    * LoggingTypeNotSupported is raised if
      ``validators.validate_log_type_for_port`` rejects the target port;
    * InvalidResourceConstraint is raised if both IDs are given and there is
      no constraint between them (checked through ``_check_port_bound_sg``).

    Each ID is only examined when it is truthy, so a request carrying
    neither ID (or only empty values) passes without any check here.

    :param context: request context forwarded to the helpers.
    :param log_data: mapping optionally holding 'resource_id' and
        'target_id'.
    """

    resource_id = log_data.get('resource_id')
    target_id = log_data.get('target_id')
    has_resource = bool(resource_id)
    has_target = bool(target_id)

    if has_resource:
        _check_sg_exists(context, resource_id)

    if has_target:
        port = _get_port(context, target_id)
        port_supported = validators.validate_log_type_for_port(
            log_const.SECURITY_GROUP, port)
        if not port_supported:
            raise log_exc.LoggingTypeNotSupported(
                log_type=log_const.SECURITY_GROUP,
                port_id=target_id)

    # NOTE(review): access scoping for the referenced security group and
    # port is not visible here; presumably the helpers rely on context for
    # it - confirm.
    if has_resource and has_target:
        _check_port_bound_sg(context, resource_id, target_id)
예제 #7
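def _check_fwg_port(context, port_id):
    """Check that a port can be the target of firewall-group logging.

    The checks run in this order and the first failure raises:

    1. the port exists (TargetResourceNotFound);
    2. the port type is supported: a compute (VM) port must be accepted by
       ``validators.validate_log_type_for_port``; any other port must have
       a device owner listed in ``ROUTER_INTERFACE_OWNERS``
       (LoggingTypeNotSupported);
    3. the port status is ACTIVE (PortIsNotReadyForLogging);
    4. a firewall group is attached to the port
       (TargetResourceNotAssociated);
    5. that firewall group's status is ACTIVE (FWGIsNotReadyForLogging).

    :param context: request context used for the port and firewall-group
        lookups.
    :param port_id: ID of the port to validate.
    """

    # Checking port exists
    port = ports.Port.get_object(context, id=port_id)
    if not port:
        raise log_exc.TargetResourceNotFound(target_id=port_id)

    # A device_owner that is present but None would make startswith() fail
    # with AttributeError; normalise it to '' so such a port is rejected
    # below as an unsupported type instead.
    device_owner = port.get('device_owner') or ''
    # Checking supported firewall group logging for vm port
    if device_owner.startswith(nl_const.DEVICE_OWNER_COMPUTE_PREFIX):
        if not validators.validate_log_type_for_port(
                log_const.FIREWALL_GROUP, port):
            raise log_exc.LoggingTypeNotSupported(
                log_type=log_const.FIREWALL_GROUP,
                port_id=port_id)
    # Checking supported firewall group for router interface, DVR interface,
    # and HA replicated interface
    elif device_owner not in nl_const.ROUTER_INTERFACE_OWNERS:
        raise log_exc.LoggingTypeNotSupported(
            log_type=log_const.FIREWALL_GROUP, port_id=port_id)

    # Checking port status
    port_status = port.get('status')
    if port_status != nl_const.PORT_STATUS_ACTIVE:
        raise fwg_log_exc.PortIsNotReadyForLogging(target_id=port_id,
                                                   port_status=port_status)

    # Checking whether router port or vm port binding with any firewall group
    fwg_id = fwg_plugin.driver.firewall_db.get_fwg_attached_to_port(
        context, port_id=port_id)

    if not fwg_id:
        raise fwg_log_exc.TargetResourceNotAssociated(target_id=port_id)

    fwg = fwg_plugin.get_firewall_group(context, id=fwg_id)

    # Checking firewall group status
    if fwg['status'] != nl_const.ACTIVE:
        raise fwg_log_exc.FWGIsNotReadyForLogging(fwg_id=fwg_id,
                                                  fwg_status=fwg['status'])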