def _validate_security_group_rule(context, rule):
    """Check an ingress-only security group rule and normalise it in place.

    ``context`` is accepted but never read here. The ``rule`` dict is
    mutated: ``ethertype`` is replaced with the value returned by
    ``protocols.translate_ethertype`` and, when a protocol was supplied,
    ``protocol`` is replaced with the value returned by
    ``protocols.translate_protocol``. If the supplied protocol is falsy the
    ``protocol`` key stays removed from the returned dict.

    Raises:
        exceptions.InvalidInput: a remote group id is set, or a direction
            other than "ingress" is given.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
        KeyError: ``protocol``, ``port_range_min``, ``port_range_max`` or
            ``ethertype`` is absent from ``rule``.

    Returns:
        The same ``rule`` dict that was passed in.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # An absent direction is accepted; any present value must be "ingress".
    if rule.get("direction", "ingress") != "ingress":
        raise exceptions.InvalidInput(
            error_message="Non-ingress rules are not currently supported")

    # NOTE(review): subscript access assumes the caller has already filled
    # in every key (presumably the API layer's defaults) -- confirm.
    proto = rule.pop('protocol')
    min_port = rule['port_range_min']
    max_port = rule['port_range_max']
    family = protocols.translate_ethertype(rule["ethertype"])

    if not proto:
        # A port bound without a protocol is rejected rather than ignored.
        if not (min_port is None and max_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        # translate_protocol receives the raw ethertype from the request;
        # the port-range check receives the translated one.
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(family, proto,
                                                     min_port, max_port)
        rule['protocol'] = proto

    rule["ethertype"] = family
    protocols.validate_remote_ip_prefix(family,
                                        rule.get("remote_ip_prefix"))
    return rule
def _validate_security_group_rule(context, rule):
    """Check an ingress-only security group rule and normalise it in place.

    ``context`` is accepted but never read here. In this version the
    protocol and port range are validated before the ethertype is
    translated, and ``validate_protocol_with_port_ranges`` is called
    without an ethertype argument.

    The ``rule`` dict is mutated: ``protocol`` is popped and only written
    back (translated) when it was truthy; ``ethertype`` is replaced with
    the translated value.

    Raises:
        exceptions.InvalidInput: a remote group id is set, or a direction
            other than "ingress" is given.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
        KeyError: ``protocol``, ``port_range_min``, ``port_range_max`` or
            ``ethertype`` is absent from ``rule``.

    Returns:
        The same ``rule`` dict that was passed in.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # An absent direction is accepted; any present value must be "ingress".
    if rule.get("direction", "ingress") != "ingress":
        raise exceptions.InvalidInput(
            error_message="Non-ingress rules are not currently supported")

    # NOTE(review): subscript access assumes the caller has already filled
    # in every key (presumably the API layer's defaults) -- confirm.
    proto = rule.pop('protocol')
    low = rule['port_range_min']
    high = rule['port_range_max']

    if not proto:
        # A port bound without a protocol is rejected rather than ignored.
        if not (low is None and high is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(proto, low, high)
        rule['protocol'] = proto

    # The ethertype is only translated after the protocol checks pass.
    rule["ethertype"] = protocols.translate_ethertype(rule["ethertype"])
    protocols.validate_remote_ip_prefix(rule["ethertype"],
                                        rule.get("remote_ip_prefix"))
    return rule
def _validate_security_group_rule(context, rule):
    """Check a security group rule and normalise it in place.

    ``context`` is accepted but never read here. Egress rules are allowed
    only when ``Capabilities.EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``.

    The ``rule`` dict is mutated: ``protocol`` is popped and only written
    back (translated) when it was truthy; ``ethertype`` is replaced with
    the translated value.

    Raises:
        exceptions.InvalidInput: a remote group id is set.
        q_exc.EgressSecurityGroupRulesNotEnabled: the rule is egress and
            the egress capability is not configured.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
        KeyError: ``protocol``, ``port_range_min``, ``port_range_max`` or
            ``ethertype`` is absent from ``rule``.

    Returns:
        The same ``rule`` dict that was passed in.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the EGRESS value is examined; any other direction
    # value passes through this function unchecked -- presumably it is
    # validated before this point, confirm.
    egress_requested = rule.get("direction") == Capabilities.EGRESS
    if (egress_requested and
            Capabilities.EGRESS not in CONF.QUARK.environment_capabilities):
        raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # NOTE(review): subscript access assumes the caller has already filled
    # in every key (presumably the API layer's defaults) -- confirm.
    proto = rule.pop('protocol')
    min_port = rule['port_range_min']
    max_port = rule['port_range_max']
    family = protocols.translate_ethertype(rule["ethertype"])

    if not proto:
        # A port bound without a protocol is rejected rather than ignored.
        if not (min_port is None and max_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        # translate_protocol receives the raw ethertype from the request;
        # the port-range check receives the translated one.
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(family, proto,
                                                     min_port, max_port)
        rule['protocol'] = proto

    rule["ethertype"] = family
    protocols.validate_remote_ip_prefix(family,
                                        rule.get("remote_ip_prefix"))
    return rule
def _validate_security_group_rule(context, rule):
    """Check a security group rule and normalise it in place.

    ``context`` is accepted but never read here. Egress rules are allowed
    only when ``Capabilities.EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``.

    The ``rule`` dict is mutated: ``protocol`` is popped and only written
    back (translated) when it was truthy; ``ethertype`` is replaced with
    the translated value.

    Raises:
        n_exc.InvalidInput: a remote group id is set.
        q_exc.EgressSecurityGroupRulesNotEnabled: the rule is egress and
            the egress capability is not configured.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
        KeyError: ``protocol``, ``port_range_min``, ``port_range_max`` or
            ``ethertype`` is absent from ``rule``.

    Returns:
        The same ``rule`` dict that was passed in.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the EGRESS value is examined; any other direction
    # value passes through this function unchecked -- presumably it is
    # validated before this point, confirm.
    wants_egress = rule.get("direction") == Capabilities.EGRESS
    if (wants_egress and
            Capabilities.EGRESS not in CONF.QUARK.environment_capabilities):
        raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # NOTE(review): subscript access assumes the caller has already filled
    # in every key (presumably the API layer's defaults) -- confirm.
    proto = rule.pop('protocol')
    low = rule['port_range_min']
    high = rule['port_range_max']
    family = protocols.translate_ethertype(rule["ethertype"])

    if not proto:
        # A port bound without a protocol is rejected rather than ignored.
        if not (low is None and high is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        # translate_protocol receives the raw ethertype from the request;
        # the port-range check receives the translated one.
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(family, proto,
                                                     low, high)
        rule['protocol'] = proto

    rule["ethertype"] = family
    protocols.validate_remote_ip_prefix(family,
                                        rule.get("remote_ip_prefix"))
    return rule
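def _validate_security_group_rule(context, rule):
    """Check a security group rule and normalise it in place.

    ``context`` is accepted but never read here. Egress rules are allowed
    only when ``env.Capabilities.EGRESS`` is listed in
    ``CONF.QUARK.environment_capabilities``. The port bounds and the
    ethertype are optional; a missing or ``None`` ethertype is treated as
    ``'IPv4'``.

    The ``rule`` dict is mutated: ``protocol`` is popped and only written
    back (translated) when it was truthy; ``ethertype`` is always set to
    the translated value.

    Raises:
        n_exc.InvalidInput: a remote group id is set.
        q_exc.EgressSecurityGroupRulesNotEnabled: the rule is egress and
            the egress capability is not configured.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
        KeyError: ``protocol`` is absent from ``rule``.

    Returns:
        The same ``rule`` dict that was passed in.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the EGRESS value is examined; any other direction
    # value passes through this function unchecked -- presumably it is
    # validated before this point, confirm.
    direction = rule.get("direction")
    if direction == env.Capabilities.EGRESS:
        if env.Capabilities.EGRESS not in CONF.QUARK.environment_capabilities:
            raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # NOTE(review): unlike the ports and ethertype below, a missing
    # 'protocol' key still raises KeyError -- confirm the caller always
    # supplies it.
    protocol = rule.pop('protocol')

    # NOTE(roaet): these are not required by spec
    port_range_min = rule.get('port_range_min')
    port_range_max = rule.get('port_range_max')

    # TODO(anyone): this will error as None, so defaulting to ipv4
    # A dict.get() default only covers an absent key; an explicit
    # ``'ethertype': None`` has to be mapped to the default as well, or it
    # reaches translate_ethertype() as None anyway.
    et = rule.get('ethertype')
    if et is None:
        et = 'IPv4'
    ethertype = protocols.translate_ethertype(et)

    if protocol:
        protocol = protocols.translate_protocol(protocol, et)
        protocols.validate_protocol_with_port_ranges(ethertype, protocol,
                                                     port_range_min,
                                                     port_range_max)
        rule['protocol'] = protocol
    else:
        # A port bound without a protocol is rejected rather than ignored.
        if port_range_min is not None or port_range_max is not None:
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()

    rule["ethertype"] = ethertype

    protocols.validate_remote_ip_prefix(ethertype,
                                        rule.get("remote_ip_prefix"))

    return rule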
def test_translate_protocol_invalid_ethertype(self):
    # "IPv7" is not an ethertype the translator accepts, so the call must
    # raise InvalidEthertype.
    self.assertRaises(q_exc.InvalidEthertype,
                      protocols.translate_protocol, 256, "IPv7")
def test_translate_protocol_over_range(self):
    # 256 is one past the largest value an 8-bit IP protocol field can
    # hold, so it must be rejected for a valid ethertype.
    self.assertRaises(sg_ext.SecurityGroupRuleInvalidProtocol,
                      protocols.translate_protocol, 256, "IPv4")
def test_invalid_protocol_string_fail(self):
    # An unrecognised protocol name must be rejected, not passed through.
    self.assertRaises(sg_ext.SecurityGroupRuleInvalidProtocol,
                      protocols.translate_protocol, "DERP", "IPv4")
def test_translate_protocol_icmpv6(self):
    # With an IPv6 ethertype, "icmp" must resolve to 58 (the IANA protocol
    # number for ICMPv6).
    self.assertEqual(protocols.translate_protocol("icmp", "IPv6"), 58)
def test_translate_protocol_int(self):
    # A valid integer protocol number is returned unchanged.
    self.assertEqual(protocols.translate_protocol(17, "IPv4"), 17)
def test_translate_protocol_string(self):
    # The name "udp" must resolve to its protocol number, 17.
    self.assertEqual(protocols.translate_protocol("udp", "IPv4"), 17)