예제 #1
def _validate_security_group_rule(context, rule):
    """Check a security group rule dict and normalise it in place.

    Rejects rules that reference a remote group or that declare a direction
    other than "ingress", translates the ethertype and (when given) the
    protocol through the ``protocols`` helpers, and validates the port range
    and remote IP prefix against the translated ethertype.

    ``context`` is not used in this body. ``rule`` is mutated and returned:
    'protocol' is popped up front, so a rule without a protocol comes back
    without that key, and a rule that fails a later check has already lost
    it.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # A rule with no direction key is let through; any other value must be
    # exactly "ingress".
    if rule.get("direction", "ingress") != "ingress":
        raise exceptions.InvalidInput(
            error_message="Non-ingress rules are not currently supported")

    # NOTE(review): direct indexing assumes the caller always supplies
    # protocol, port_range_min, port_range_max and ethertype -- confirm,
    # since a missing key surfaces here as KeyError, not InvalidInput.
    proto = rule.pop('protocol')
    min_port = rule['port_range_min']
    max_port = rule['port_range_max']
    translated_ethertype = protocols.translate_ethertype(rule["ethertype"])

    if not proto:
        # A port range only makes sense when a protocol scopes it.
        if not (min_port is None and max_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(
            translated_ethertype, proto, min_port, max_port)
        rule['protocol'] = proto

    rule["ethertype"] = translated_ethertype
    protocols.validate_remote_ip_prefix(translated_ethertype,
                                        rule.get("remote_ip_prefix"))
    return rule
예제 #2
def _validate_security_group_rule(context, rule):
    """Validate a security group rule dict, rewriting it in place.

    Remote-group rules and rules whose direction is not "ingress" are
    refused. A supplied protocol is translated and checked together with the
    port range; the ethertype is translated afterwards and used to validate
    the remote IP prefix. The same ``rule`` object is returned.

    ``context`` is not read here. Because 'protocol' is popped first, a rule
    with no protocol is returned without that key.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # Absent direction is accepted; a present one must equal "ingress".
    if rule.get("direction", "ingress") != "ingress":
        raise exceptions.InvalidInput(
            error_message="Non-ingress rules are not currently supported")

    # NOTE(review): these lookups raise KeyError when a key is absent --
    # presumably the caller guarantees them; confirm.
    proto = rule.pop('protocol')
    low_port = rule['port_range_min']
    high_port = rule['port_range_max']

    if not proto:
        # Ports without a protocol are rejected outright.
        if not (low_port is None and high_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(proto, low_port,
                                                     high_port)
        rule['protocol'] = proto

    # Ethertype is only normalised once the protocol branch has passed.
    rule["ethertype"] = protocols.translate_ethertype(rule["ethertype"])
    protocols.validate_remote_ip_prefix(rule["ethertype"],
                                        rule.get("remote_ip_prefix"))
    return rule
예제 #3
def _validate_security_group_rule(context, rule):
    """Validate a security group rule dict and normalise it in place.

    Refuses remote-group rules, refuses egress rules unless the egress
    capability is listed in ``CONF.QUARK.environment_capabilities``, then
    translates ethertype and protocol and validates the port range and the
    remote IP prefix. Returns the mutated ``rule``.

    ``context`` is not used in this body. 'protocol' is popped before any
    protocol check runs, so it is absent from the result when no protocol
    was given.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise exceptions.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only the egress value is gated here; any other direction
    # value passes this function unchecked -- presumably it is restricted
    # before this point, confirm against the caller.
    wants_egress = rule.get("direction") == Capabilities.EGRESS
    if wants_egress and (
            Capabilities.EGRESS not in CONF.QUARK.environment_capabilities):
        raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # NOTE(review): direct indexing raises KeyError on a missing key --
    # assumes the caller always provides these fields; confirm.
    proto = rule.pop('protocol')
    min_port = rule['port_range_min']
    max_port = rule['port_range_max']
    translated_ethertype = protocols.translate_ethertype(rule["ethertype"])

    if not proto:
        # A port range needs a protocol to apply to.
        if not (min_port is None and max_port is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(
            translated_ethertype, proto, min_port, max_port)
        rule['protocol'] = proto

    rule["ethertype"] = translated_ethertype
    protocols.validate_remote_ip_prefix(translated_ethertype,
                                        rule.get("remote_ip_prefix"))
    return rule
예제 #4
def _validate_security_group_rule(context, rule):
    """Validate one security group rule dict, normalising it in place.

    Raises ``n_exc.InvalidInput`` for remote-group rules and
    ``q_exc.EgressSecurityGroupRulesNotEnabled`` for egress rules when the
    egress capability is not in ``CONF.QUARK.environment_capabilities``.
    Ethertype and protocol are translated via ``protocols``; port range and
    remote IP prefix are validated against the translated ethertype.

    ``context`` is not read in this body. ``rule`` itself is modified and
    returned; it has no 'protocol' key afterwards when none was supplied.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): a direction other than egress is not inspected here --
    # presumably validated earlier in the request path; confirm.
    egress_requested = rule.get("direction") == Capabilities.EGRESS
    if egress_requested and (
            Capabilities.EGRESS not in CONF.QUARK.environment_capabilities):
        raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # NOTE(review): a missing key below raises KeyError rather than a
    # validation error -- assumes the caller fills every field; confirm.
    proto = rule.pop('protocol')
    port_low = rule['port_range_min']
    port_high = rule['port_range_max']
    ethertype_value = protocols.translate_ethertype(rule["ethertype"])

    if not proto:
        # Reject a port range that has no protocol attached.
        if not (port_low is None and port_high is None):
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    else:
        proto = protocols.translate_protocol(proto, rule["ethertype"])
        protocols.validate_protocol_with_port_ranges(
            ethertype_value, proto, port_low, port_high)
        rule['protocol'] = proto

    rule["ethertype"] = ethertype_value
    protocols.validate_remote_ip_prefix(ethertype_value,
                                        rule.get("remote_ip_prefix"))
    return rule
예제 #5
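def _validate_security_group_rule(context, rule):
    """Validate a security group rule dict and normalise it in place.

    Refuses remote-group rules, refuses egress rules unless the egress
    capability is listed in ``CONF.QUARK.environment_capabilities``, then
    translates ethertype and protocol and validates the port range and the
    remote IP prefix against the translated ethertype.

    ``context`` is not used in this body. ``rule`` is mutated and returned;
    'protocol' is removed first and only written back when a protocol was
    supplied.

    Raises:
        n_exc.InvalidInput: the rule carries a remote_group_id.
        q_exc.EgressSecurityGroupRulesNotEnabled: egress rule without the
            egress capability.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): only egress is gated here; other direction values pass
    # through unchecked -- presumably restricted upstream, confirm.
    direction = rule.get("direction")
    if direction == env.Capabilities.EGRESS:
        if env.Capabilities.EGRESS not in CONF.QUARK.environment_capabilities:
            raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # Treat a missing 'protocol' key like an explicit None, matching how the
    # optional port and ethertype fields are read below, so an incomplete
    # rule is handled by the checks that follow instead of a bare KeyError.
    protocol = rule.pop('protocol', None)
    # NOTE(roaet): these are not required by spec
    port_range_min = rule.get('port_range_min')
    port_range_max = rule.get('port_range_max')
    # TODO(anyone): this will error as None, so defaulting to ipv4
    # NOTE(review): the default only covers a missing key; an ethertype that
    # is present but None is still handed to translate_ethertype -- confirm
    # that is the intended handling.
    et = rule.get('ethertype', 'IPv4')
    ethertype = protocols.translate_ethertype(et)

    if protocol:
        protocol = protocols.translate_protocol(protocol, et)
        protocols.validate_protocol_with_port_ranges(ethertype, protocol,
                                                     port_range_min,
                                                     port_range_max)
        rule['protocol'] = protocol
    elif port_range_min is not None or port_range_max is not None:
        # A port range only makes sense when a protocol scopes it.
        raise sg_ext.SecurityGroupProtocolRequiredWithPorts()

    rule["ethertype"] = ethertype

    protocols.validate_remote_ip_prefix(ethertype,
                                        rule.get("remote_ip_prefix"))

    return rule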
예제 #6
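def _validate_security_group_rule(context, rule):
    """Validate one security group rule dict, normalising it in place.

    Remote-group rules are refused, and egress rules are refused unless the
    egress capability appears in ``CONF.QUARK.environment_capabilities``.
    The ethertype (defaulting to 'IPv4' when the key is absent) and any
    protocol are translated via ``protocols``; the port range and remote IP
    prefix are validated against the translated ethertype.

    ``context`` is not read in this body. The same ``rule`` object is
    returned; it has no 'protocol' key when none was supplied.

    Raises:
        n_exc.InvalidInput: the rule carries a remote_group_id.
        q_exc.EgressSecurityGroupRulesNotEnabled: egress rule without the
            egress capability.
        sg_ext.SecurityGroupProtocolRequiredWithPorts: a port bound is set
            but no protocol is.
    """
    # TODO(mdietz): As per RM8615, Remote groups are not currently supported
    if rule.get("remote_group_id"):
        raise n_exc.InvalidInput(
            error_message="Remote groups are not currently supported")

    # NOTE(review): a direction other than egress is not inspected here --
    # presumably validated earlier in the request path; confirm.
    direction = rule.get("direction")
    if direction == env.Capabilities.EGRESS:
        if env.Capabilities.EGRESS not in CONF.QUARK.environment_capabilities:
            raise q_exc.EgressSecurityGroupRulesNotEnabled()

    # A rule without a 'protocol' key is treated as "no protocol" rather
    # than failing with KeyError, consistent with the optional fields read
    # with .get() just below.
    protocol = rule.pop('protocol', None)
    # NOTE(roaet): these are not required by spec
    port_range_min = rule.get('port_range_min')
    port_range_max = rule.get('port_range_max')
    # TODO(anyone): this will error as None, so defaulting to ipv4
    # NOTE(review): .get() substitutes 'IPv4' only for a missing key; a
    # present-but-None ethertype still reaches translate_ethertype --
    # confirm whether that case needs the same default.
    et = rule.get('ethertype', 'IPv4')
    ethertype = protocols.translate_ethertype(et)

    if protocol:
        protocol = protocols.translate_protocol(protocol, et)
        protocols.validate_protocol_with_port_ranges(ethertype,
                                                     protocol,
                                                     port_range_min,
                                                     port_range_max)
        rule['protocol'] = protocol
    elif port_range_min is not None or port_range_max is not None:
        # Ports without a protocol are rejected outright.
        raise sg_ext.SecurityGroupProtocolRequiredWithPorts()

    rule["ethertype"] = ethertype

    protocols.validate_remote_ip_prefix(ethertype,
                                        rule.get("remote_ip_prefix"))

    return rule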
예제 #7
 def test_translate_protocol_invalid_ethertype(self):
     # An unrecognised ethertype string must be rejected with
     # InvalidEthertype.
     self.assertRaises(q_exc.InvalidEthertype,
                       protocols.translate_protocol, 256, "IPv7")
예제 #8
 def test_translate_protocol_invalid_ethertype(self):
     # "IPv7" is not a supported ethertype, so translation has to fail with
     # InvalidEthertype.
     expected_error = q_exc.InvalidEthertype
     self.assertRaises(expected_error,
                       protocols.translate_protocol, 256, "IPv7")
예제 #9
 def test_translate_protocol_over_range(self):
     # Protocol number 256 with a valid ethertype must be refused as an
     # invalid protocol.
     self.assertRaises(sg_ext.SecurityGroupRuleInvalidProtocol,
                       protocols.translate_protocol, 256, "IPv4")
예제 #10
 def test_invalid_protocol_string_fail(self):
     # An unknown protocol name must be refused as an invalid protocol.
     self.assertRaises(sg_ext.SecurityGroupRuleInvalidProtocol,
                       protocols.translate_protocol, "DERP", "IPv4")
예제 #11
 def test_translate_protocol_icmpv6(self):
     # Under IPv6 the name "icmp" must map to 58 (the ICMPv6 protocol
     # number), not to the IPv4 ICMP value.
     self.assertEqual(protocols.translate_protocol("icmp", "IPv6"), 58)
예제 #12
 def test_translate_protocol_int(self):
     # An integer protocol number is returned unchanged.
     self.assertEqual(protocols.translate_protocol(17, "IPv4"), 17)
예제 #13
 def test_translate_protocol_string(self):
     # The protocol name "udp" translates to its number, 17.
     self.assertEqual(protocols.translate_protocol("udp", "IPv4"), 17)
예제 #14
 def test_translate_protocol_over_range(self):
     # 256 is passed as the protocol with a valid ethertype; translation
     # must raise the invalid-protocol error.
     expected_error = sg_ext.SecurityGroupRuleInvalidProtocol
     self.assertRaises(expected_error,
                       protocols.translate_protocol, 256, "IPv4")
예제 #15
 def test_invalid_protocol_string_fail(self):
     # "DERP" is not a known protocol name; translation must raise the
     # invalid-protocol error.
     expected_error = sg_ext.SecurityGroupRuleInvalidProtocol
     self.assertRaises(expected_error,
                       protocols.translate_protocol, "DERP", "IPv4")
예제 #16
 def test_translate_protocol_int(self):
     # Passing the number 17 directly must yield 17 back.
     translated = protocols.translate_protocol(17, "IPv4")
     self.assertEqual(translated, 17)
예제 #17
 def test_translate_protocol_string(self):
     # The string form "udp" must resolve to protocol number 17.
     translated = protocols.translate_protocol("udp", "IPv4")
     self.assertEqual(translated, 17)
예제 #18
 def test_translate_protocol_icmpv6(self):
     # "icmp" combined with the IPv6 ethertype must resolve to 58, the
     # ICMPv6 protocol number.
     translated = protocols.translate_protocol("icmp", "IPv6")
     self.assertEqual(translated, 58)