def _check_rules_for_policy_is_valid(self, context, fwp, fwp_db, rule_id_list, filters):
    """Verify that every rule in ``rule_id_list`` may be attached to a policy.

    Args:
        context: request context used for the rule lookup.
        fwp: the policy as given in the request body; ``'shared'`` may or
            may not be present.
        fwp_db: the stored policy row (``id``, ``shared``, ``tenant_id``).
        rule_id_list: rule UUIDs that the policy should reference.
        filters: filters passed to ``_get_collection_query`` when loading
            the candidate rules.

    Raises:
        f_exc.FirewallRuleNotFound: a listed rule is not among the rows
            returned for ``filters``.
        f_exc.FirewallRuleSharingConflict: the policy is (or is becoming)
            shared while a listed rule is not.
        f_exc.FirewallRuleConflict: neither the request nor the stored
            policy is shared and a non-shared rule belongs to another
            project than the policy.
    """
    candidate_rows = self._get_collection_query(
        context, FirewallRuleV2, filters=filters)
    rules_by_id = {row['id']: row for row in candidate_rows}
    request_sets_shared = 'shared' in fwp

    for rule_id in rule_id_list:
        rule = rules_by_id.get(rule_id)
        if rule is None:
            # Stop at the first unknown rule; no partial validation.
            raise f_exc.FirewallRuleNotFound(firewall_rule_id=rule_id)
        if rule['shared']:
            # A shared rule never conflicts, whatever the policy's state.
            continue

        if request_sets_shared:
            if fwp['shared']:
                raise f_exc.FirewallRuleSharingConflict(
                    firewall_rule_id=rule_id,
                    firewall_policy_id=fwp_db['id'])
            # NOTE(review): when the request explicitly carries
            # shared=False, the cross-project check below is not applied
            # to this rule; confirm with the callers whether ``filters``
            # already scopes the rows to the policy's project.
            continue

        if fwp_db['shared']:
            raise f_exc.FirewallRuleSharingConflict(
                firewall_rule_id=rule_id,
                firewall_policy_id=fwp_db['id'])
        # The policy is not shared: a non-shared rule must live in the
        # policy's own project.
        if rule['tenant_id'] != fwp_db['tenant_id']:
            raise f_exc.FirewallRuleConflict(
                firewall_rule_id=rule_id,
                project_id=rule['tenant_id'])
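def remove_rule(self, context, id, rule_info):
    """Detach the rule named in ``rule_info`` from firewall policy ``id``.

    Args:
        context: request context; ``context.session`` scopes the DB work.
        id: UUID of the firewall policy.
        rule_info: request body; must carry ``firewall_rule_id``.

    Returns:
        The result of ``_process_rule_for_policy`` for a removal
        (position ``None``).

    Raises:
        f_exc.FirewallRuleInfoMissing: ``rule_info`` is empty or has no
            ``firewall_rule_id`` key.
        f_exc.FirewallRuleNotFound: the rule id is malformed, empty, or
            names no stored rule.
        Whatever ``_get_policy_rule_association`` raises when the rule is
        not attached to this policy (defined outside this block).
    """
    LOG.debug("remove_rule() called")
    # The validator takes only the request body, not the policy id.
    self._validate_insert_remove_rule_request(rule_info)
    firewall_rule_id = rule_info['firewall_rule_id']
    if not firewall_rule_id:
        raise f_exc.FirewallRuleNotFound(firewall_rule_id=None)
    with context.session.begin(subtransactions=True):
        # Resolve the rule first so an unknown rule id surfaces as
        # FirewallRuleNotFound rather than as a missing association.
        self._get_firewall_rule(context, firewall_rule_id)
        fwpra_db = self._get_policy_rule_association(
            context, id, firewall_rule_id)
        return self._process_rule_for_policy(
            context, id, firewall_rule_id, None, fwpra_db)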
def _validate_insert_remove_rule_request(self, rule_info):
    """Validate the body of an insert_rule/remove_rule request.

    Args:
        rule_info: request body dict; ``firewall_rule_id`` is mandatory.

    Raises:
        f_exc.FirewallRuleInfoMissing: ``rule_info`` is empty or lacks
            the ``firewall_rule_id`` key.
        f_exc.FirewallRuleNotFound: ``firewall_rule_id`` is not a
            well-formed UUID, so it cannot name any rule.
    """
    if not rule_info:
        raise f_exc.FirewallRuleInfoMissing()
    if 'firewall_rule_id' not in rule_info:
        raise f_exc.FirewallRuleInfoMissing()

    rule_id = rule_info['firewall_rule_id']
    # validate_uuid() yields nothing on success and an error message
    # otherwise, so any truthy result means the id is malformed.
    problem = validators.validate_uuid(rule_id)
    if problem:
        raise f_exc.FirewallRuleNotFound(firewall_rule_id=rule_id)
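def insert_rule(self, context, id, rule_info):
    """Attach the rule named in ``rule_info`` to firewall policy ``id``.

    Args:
        context: request context; ``context.session`` scopes the DB work.
        id: UUID of the firewall policy.
        rule_info: request body with ``firewall_rule_id`` and optionally
            ``insert_before`` / ``insert_after`` (UUIDs of rules already
            in the policy). ``insert_before`` wins when both are given.

    Returns:
        The result of ``_process_rule_for_policy`` for an insertion at the
        computed position.

    Raises:
        f_exc.FirewallRuleInfoMissing: ``rule_info`` lacks the rule id.
        f_exc.FirewallRuleNotFound: the rule id is malformed, empty, or
            names no stored rule.
        Whatever ``_ensure_rule_not_already_associated``,
        ``_get_firewall_policy``, ``_check_firewall_rule_conflict`` and
        ``_get_policy_rule_association`` raise (defined outside this
        block).
    """
    LOG.debug("insert_rule() called")
    # The validator takes only the request body, not the policy id.
    self._validate_insert_remove_rule_request(rule_info)
    firewall_rule_id = rule_info['firewall_rule_id']
    # Ensure the rule is not already assigned to the policy.
    self._ensure_rule_not_already_associated(context, id, firewall_rule_id)
    if not firewall_rule_id:
        raise f_exc.FirewallRuleNotFound(firewall_rule_id=None)

    insert_before = True
    ref_firewall_rule_id = None
    if 'insert_before' in rule_info:
        ref_firewall_rule_id = rule_info['insert_before']
    if not ref_firewall_rule_id and 'insert_after' in rule_info:
        # insert_after is only consulted when insert_before is absent
        # or empty.
        ref_firewall_rule_id = rule_info['insert_after']
        insert_before = False

    with context.session.begin(subtransactions=True):
        fwr_db = self._get_firewall_rule(context, firewall_rule_id)
        fwp_db = self._get_firewall_policy(context, id)
        # Cross-project / sharing checks between the rule and the policy
        # happen here, before any association row is written.
        self._check_firewall_rule_conflict(fwr_db, fwp_db)
        if ref_firewall_rule_id:
            # The reference rule must already be associated with this
            # policy; its position anchors the new rule, either in its
            # slot (insert_before) or right after it (insert_after).
            fwpra_db = self._get_policy_rule_association(
                context, id, ref_firewall_rule_id)
            position = fwpra_db.position if insert_before else fwpra_db.position + 1
        else:
            # No reference rule: insert at the top. Positions start at 1.
            position = 1
        return self._process_rule_for_policy(
            context, id, firewall_rule_id, position, None)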
def _get_firewall_rule(self, context, id):
    """Return the ``FirewallRuleV2`` row whose primary key is ``id``.

    Args:
        context: request context passed through to ``_get_by_id``.
        id: UUID of the firewall rule.

    Raises:
        f_exc.FirewallRuleNotFound: no row matches ``id``.
    """
    try:
        rule_db = self._get_by_id(context, FirewallRuleV2, id)
    except exc.NoResultFound:
        # Translate the ORM lookup failure into the API-level exception.
        raise f_exc.FirewallRuleNotFound(firewall_rule_id=id)
    return rule_db