def test_get(self):
    """SecurityGroup.get() must load the row through db.security_group_get and come back clean.

    The DB call is mocked to hand back the fixture row; the loaded object is then compared
    against the fixture (normalised by self._fix_deleted) and must report no changed fields.
    """
    self.mox.StubOutWithMock(db, 'security_group_get')
    db.security_group_get(self.context, 1).AndReturn(fake_secgroup)
    self.mox.ReplayAll()

    loaded = security_group.SecurityGroup.get(self.context, 1)
    expected = self._fix_deleted(fake_secgroup)
    ovo_fixture.compare_obj(self, loaded, expected)
    # A freshly loaded object carries no dirty fields.
    self.assertEqual(set(), loaded.obj_what_changed())
def test_get(self):
    """SecurityGroup.get() must expose the DB row's fields, with no dirty fields and only the
    expected remote calls (checked by self.assertRemotes)."""
    self.mox.StubOutWithMock(db, "security_group_get")
    db.security_group_get(self.context, 1).AndReturn(fake_secgroup)
    self.mox.ReplayAll()

    loaded = security_group.SecurityGroup.get(self.context, 1)
    expected = self._fix_deleted(fake_secgroup)
    self.assertEqual(expected, dict(loaded.items()))
    self.assertEqual(set(), loaded.obj_what_changed())
    self.assertRemotes()
def test_get(self):
    """SecurityGroup.get() must expose the DB row's fields and report no dirty fields."""
    self.mox.StubOutWithMock(db, 'security_group_get')
    db.security_group_get(self.context, 1).AndReturn(fake_secgroup)
    self.mox.ReplayAll()

    loaded = security_group.SecurityGroup.get(self.context, 1)
    expected = self._fix_deleted(fake_secgroup)
    self.assertEqual(expected, dict(loaded.items()))
    self.assertEqual(set(), loaded.obj_what_changed())
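def _rule_args_to_dict(self, context, to_port=None, from_port=None, parent_group_id=None, ip_protocol=None, cidr=None, group_id=None):
    """Validate the rule arguments from an API body and normalise them for the DB layer.

    Exactly one source is used: a source security group (group_id) if given, else a CIDR,
    else the catch-all '0.0.0.0/0'. Protocol and ports are optional for a source group but
    mandatory for CIDR filtering.

    Returns:
        dict with 'group_id' or 'cidr', plus 'protocol'/'from_port'/'to_port' when given;
        None when CIDR filtering was requested without protocol and ports.

    Raises:
        exception.InvalidInput: non-integer ids, or parent and source group being the same.
        exception.InvalidCidr: the CIDR cannot be decoded or parsed.
        exception.InvalidPortRange: non-integer ports or ports outside -1..65535.
        exception.InvalidIpProtocol: protocol other than TCP/UDP/ICMP.
        A NotFound from db.security_group_get propagates when group_id does not exist.

    Fix: ports and ids were tested for truthiness, so from_port=0 / to_port=0 (valid for
    e.g. ICMP type 0) and group_id=0 were silently treated as absent; they are now tested
    against None. int(None) raises TypeError, not ValueError, so that is caught as well.
    """
    values = {}

    if group_id is not None:
        try:
            parent_group_id = int(parent_group_id)
            group_id = int(group_id)
        except (ValueError, TypeError):
            raise exception.InvalidInput(reason=_("Parent or group id is not integer"))
        if parent_group_id == group_id:
            raise exception.InvalidInput(reason=_("Parent group id and group id cannot be same"))
        values['group_id'] = group_id
        # Existence check only: a missing group raises from the DB layer.
        db.security_group_get(context, group_id)
    elif cidr:
        # Any decode/parse failure is reported as an invalid CIDR; the broad catch is
        # deliberate because netaddr raises several exception types here.
        try:
            cidr = urllib.unquote(cidr).decode()
            netaddr.IPNetwork(cidr)
        except Exception:
            raise exception.InvalidCidr(cidr=cidr)
        values['cidr'] = cidr
    else:
        values['cidr'] = '0.0.0.0/0'

    if ip_protocol and from_port is not None and to_port is not None:
        try:
            from_port = int(from_port)
            to_port = int(to_port)
        except (ValueError, TypeError):
            raise exception.InvalidPortRange(from_port=from_port, to_port=to_port)
        ip_protocol = str(ip_protocol)
        if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
            raise exception.InvalidIpProtocol(protocol=ip_protocol)
        # -1 is the wildcard for ICMP type/code; 65535 is the top of the TCP/UDP range.
        if min(from_port, to_port) < -1 or max(from_port, to_port) > 65535:
            raise exception.InvalidPortRange(from_port=from_port, to_port=to_port)
        values['protocol'] = ip_protocol
        values['from_port'] = from_port
        values['to_port'] = to_port
    elif 'cidr' in values:
        # If cidr based filtering, protocol and ports are mandatory
        return None

    return values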
def test_refresh(self):
    """refresh() must re-read the row via db.security_group_get and replace the object's
    fields with the updated values, leaving nothing marked dirty."""
    updated_row = dict(fake_secgroup, description='changed')
    self.mox.StubOutWithMock(db, 'security_group_get')
    db.security_group_get(self.context, 1).AndReturn(updated_row)
    self.mox.ReplayAll()

    obj = security_group.SecurityGroup._from_db_object(security_group.SecurityGroup(), fake_secgroup)
    obj.refresh(self.context)
    self.assertEqual(self._fix_deleted(updated_row), dict(obj.items()))
    self.assertEqual(set(), obj.obj_what_changed())
    self.assertRemotes()
def delete(self, req, id):
    """Revoke one security group rule and push a rules refresh for its parent group.

    Returns a 202 response. A non-integer id yields 400, an unknown rule 404.
    """
    context = req.environ['nova.context']
    authorize(context)
    self.compute_api.ensure_default_security_group(context)
    try:
        rule_id = int(id)
        rule = db.security_group_rule_get(context, rule_id)
    except ValueError:
        raise exc.HTTPBadRequest(explanation=_("Rule id is not integer"))
    except exception.NotFound:
        raise exc.HTTPNotFound(explanation=_("Rule (%s) not found") % rule_id)

    parent_id = rule.parent_group_id
    # NOTE(review): ensure_default_security_group() is called a second time here in the
    # original; kept for parity, but the call above should already cover it.
    self.compute_api.ensure_default_security_group(context)
    parent = db.security_group_get(context, parent_id)

    LOG.audit(_("Revoke security group ingress %s"), parent['name'], context=context)
    db.security_group_rule_destroy(context, rule['id'])
    self.sgh.trigger_security_group_rule_destroy_refresh(context, [rule['id']])
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=parent['id'])
    return webob.Response(status_int=202)
def get_by_security_group_id(cls, context, security_group_id):
    """Build an instance list from the instances attached to one security group.

    The group row is fetched with its instances plus their info_cache and system_metadata
    joined, so the list can be built without further queries.
    """
    joins = ['instances.info_cache', 'instances.system_metadata']
    row = db.security_group_get(context, security_group_id, columns_to_join=joins)
    return _make_instance_list(context, cls(), row['instances'], ['info_cache', 'system_metadata'])
def create(self, req, body):
    """Authorize (create) an ingress rule on the parent group named in the request body.

    Raises exception.SecurityGroupNotFound for an unknown parent group and
    exception.ApiError when the arguments do not describe a rule or duplicate one.
    """
    context = req.environ['nova.context']
    # NOTE(review): a body without these keys raises KeyError here rather than a client error.
    group_id = body['security_group_rule']['parent_group_id']
    self.compute_api.ensure_default_security_group(context)

    parent = db.security_group_get(context, group_id)
    if not parent:
        raise exception.SecurityGroupNotFound(security_group_id=group_id)
    LOG.audit(_("Authorize security group ingress %s"), parent['name'], context=context)

    # NOTE(review): the helper is named "_revoke_..." although this is the create path — verify.
    values = self._revoke_rule_args_to_dict(context, **body['security_group_rule'])
    if values is None:
        raise exception.ApiError(_("Not enough parameters to build a valid rule."))
    values['parent_group_id'] = parent.id
    if self._security_group_rule_exists(parent, values):
        raise exception.ApiError(_('This rule already exists in group %s') % group_id)

    new_rule = db.security_group_rule_create(context, values)
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=parent['id'])
    return {'security_group_rule': self._format_security_group_rule(context, new_rule)}
def delete(self, req, id):
    """Revoke one security group rule and push a rules refresh for its parent group.

    Returns a 202 response. A non-integer id yields 400, an unknown rule 404.
    """
    context = req.environ['nova.context']
    self.compute_api.ensure_default_security_group(context)
    try:
        rule_id = int(id)
        rule = db.security_group_rule_get(context, rule_id)
    except ValueError:
        raise exc.HTTPBadRequest(explanation=_("Rule id is not integer"))
    except exception.NotFound:
        raise exc.HTTPNotFound(explanation=_("Rule (%s) not found") % rule_id)

    parent_id = rule.parent_group_id
    # NOTE(review): second ensure_default_security_group() call kept for parity with the original.
    self.compute_api.ensure_default_security_group(context)
    parent = db.security_group_get(context, parent_id)

    LOG.audit(_("Revoke security group ingress %s"), parent['name'], context=context)
    db.security_group_rule_destroy(context, rule['id'])
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=parent['id'])
    return webob.Response(status_int=202)
def show(self, req, id):
    """Return the formatted security group whose id is given in the URL."""
    context = req.environ['nova.context']
    # NOTE(review): id is handed to the DB layer as-is and a NotFound is not translated
    # to a 404 here; the other show() variants int() the id and map ValueError/NotFound.
    group = db.security_group_get(context, id)
    formatted = self._format_security_group(context, group)
    return {'security_group': formatted}
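def create(self, req, body):
    """Authorize (create) an ingress rule on the parent group named in the request body.

    Returns the formatted new rule under 'security_group_rule'.

    Raises:
        exc.HTTPUnprocessableEntity: empty body or no 'security_group_rule' key.
        exc.HTTPBadRequest: non-integer parent id, invalid rule arguments, or a duplicate rule.
        exc.HTTPNotFound: unknown parent group.

    Fix: parent_group_id defaults to None when absent from the body and int(None) raises
    TypeError, which the original did not catch (500 instead of 400); TypeError is now
    handled with ValueError.
    """
    context = req.environ['nova.context']
    authorize(context)
    if not body:
        raise exc.HTTPUnprocessableEntity()
    if 'security_group_rule' not in body:
        raise exc.HTTPUnprocessableEntity()
    self.compute_api.ensure_default_security_group(context)

    sg_rule = body['security_group_rule']
    parent_group_id = sg_rule.get('parent_group_id', None)
    try:
        parent_group_id = int(parent_group_id)
        security_group = db.security_group_get(context, parent_group_id)
    except (ValueError, TypeError):
        raise exc.HTTPBadRequest(explanation=_("Parent group id is not integer"))
    except exception.NotFound:
        raise exc.HTTPNotFound(explanation=_("Security group (%s) not found") % parent_group_id)

    LOG.audit(_("Authorize security group ingress %s"), security_group['name'], context=context)

    # NOTE(review): the broad catch turns every failure inside _rule_args_to_dict
    # (including DB errors) into a 400 carrying the exception text.
    try:
        values = self._rule_args_to_dict(
            context,
            to_port=sg_rule.get('to_port'),
            from_port=sg_rule.get('from_port'),
            parent_group_id=sg_rule.get('parent_group_id'),
            ip_protocol=sg_rule.get('ip_protocol'),
            cidr=sg_rule.get('cidr'),
            group_id=sg_rule.get('group_id'))
    except Exception as exp:
        raise exc.HTTPBadRequest(explanation=unicode(exp))
    if values is None:
        raise exc.HTTPBadRequest(explanation=_("Not enough parameters to build a valid rule."))

    values['parent_group_id'] = security_group.id
    if self._security_group_rule_exists(security_group, values):
        raise exc.HTTPBadRequest(explanation=_('This rule already exists in group %s') % parent_group_id)

    security_group_rule = db.security_group_rule_create(context, values)
    self.sgh.trigger_security_group_rule_create_refresh(context, [security_group_rule['id']])
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=security_group['id'])
    return {"security_group_rule": self._format_security_group_rule(context, security_group_rule)}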
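def create(self, req, body):
    """Authorize (create) an ingress rule on the parent group named in the request body.

    Returns the formatted new rule under 'security_group_rule'.

    Raises:
        exc.HTTPUnprocessableEntity: empty body or no 'security_group_rule' key.
        exc.HTTPBadRequest: non-integer parent id, invalid rule arguments, or a duplicate rule.
        exc.HTTPNotFound: unknown parent group.

    Fix: parent_group_id defaults to None when absent from the body and int(None) raises
    TypeError, which the original did not catch (500 instead of 400); TypeError is now
    handled with ValueError.
    """
    context = req.environ['nova.context']
    authorize(context)
    if not body:
        raise exc.HTTPUnprocessableEntity()
    if 'security_group_rule' not in body:
        raise exc.HTTPUnprocessableEntity()
    self.compute_api.ensure_default_security_group(context)

    sg_rule = body['security_group_rule']
    parent_group_id = sg_rule.get('parent_group_id', None)
    try:
        parent_group_id = int(parent_group_id)
        security_group = db.security_group_get(context, parent_group_id)
    except (ValueError, TypeError):
        raise exc.HTTPBadRequest(explanation=_("Parent group id is not integer"))
    except exception.NotFound:
        raise exc.HTTPNotFound(explanation=_("Security group (%s) not found") % parent_group_id)

    LOG.audit(_("Authorize security group ingress %s"), security_group['name'], context=context)

    # NOTE(review): the broad catch turns every failure inside _rule_args_to_dict
    # (including DB errors) into a 400 carrying the exception text.
    try:
        values = self._rule_args_to_dict(
            context,
            to_port=sg_rule.get('to_port'),
            from_port=sg_rule.get('from_port'),
            parent_group_id=sg_rule.get('parent_group_id'),
            ip_protocol=sg_rule.get('ip_protocol'),
            cidr=sg_rule.get('cidr'),
            group_id=sg_rule.get('group_id'))
    except Exception as exp:
        raise exc.HTTPBadRequest(explanation=unicode(exp))
    if values is None:
        raise exc.HTTPBadRequest(explanation=_("Not enough parameters to build a valid rule."))

    values['parent_group_id'] = security_group.id
    if self._security_group_rule_exists(security_group, values):
        raise exc.HTTPBadRequest(explanation=_('This rule already exists in group %s') % parent_group_id)

    security_group_rule = db.security_group_rule_create(context, values)
    self.sgh.trigger_security_group_rule_create_refresh(context, [security_group_rule['id']])
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=security_group['id'])
    return {"security_group_rule": self._format_security_group_rule(context, security_group_rule)}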
def _get_security_group(self, context, id):
    """Load a security group by its URL id.

    A non-integer id is reported as 400, a missing group as 404; otherwise the DB row
    is returned.
    """
    try:
        group = db.security_group_get(context, int(id))
    except ValueError:
        raise exc.HTTPBadRequest(explanation=_("Security group id should be integer"))
    except exception.NotFound as exp:
        raise exc.HTTPNotFound(explanation=unicode(exp))
    return group
def refresh_security_group_rules(self, security_group_id):
    """Refresh security group rules from data store

    Gets called when a rule has been added to or removed from the security group.
    Every member instance that already has an entry in self._filters gets its filter
    re-prepared with the network info cached for it (None if none was cached).
    """
    LOG.debug("refresh_security_group_rules: %s", locals())
    admin_ctxt = context.get_admin_context()
    group = db.security_group_get(admin_ctxt, security_group_id)
    for member in group.instances:
        if member.id not in self._filters:
            continue
        cached_info = self._network_infos.get(member.id)
        self.prepare_instance_filter(member, cached_info)
    LOG.debug("refresh_security_group_rules: end")
def trigger_security_group_rule_create_refresh(self, context, rule_ids):
    """Create the backend rule for every newly added security group rule id.

    Rows are read with an elevated context; the tenant id comes from the caller's context.
    """
    LOG.debug('rule_ids=%r', rule_ids)
    admin_ctxt = context.elevated()
    tenant_id = context.to_dict()['project_id']
    for rule_id in rule_ids:
        rule = db.security_group_rule_get(admin_ctxt, rule_id)
        parent_id = rule['parent_group_id']
        parent = db.security_group_get(admin_ctxt, parent_id)
        self.rule_manager.create_for_sg(tenant_id, parent_id, parent['name'], rule)
def show(self, req, id):
    """Return data about the given security group.

    A non-integer id yields a 400 response object, an unknown group a 404 one (returned,
    not raised, as elsewhere in this controller); otherwise the formatted group.
    """
    context = req.environ['nova.context']
    try:
        group = db.security_group_get(context, int(id))
    except ValueError:
        return exc.HTTPBadRequest(explanation=_("Security group id is not integer"))
    except exception.NotFound as exp:
        return exc.HTTPNotFound(explanation=unicode(exp))
    return {'security_group': self._format_security_group(context, group)}
def test_destroy_instance_disassociates_security_groups(self):
    """Make sure destroying disassociates security groups"""
    group = self._create_group()
    created = self.compute_api.create(
        self.context,
        instance_type=instance_types.get_default_instance_type(),
        image_href=None,
        security_group=['testgroup'])
    try:
        db.instance_destroy(self.context, created[0]['id'])
        group = db.security_group_get(self.context, group['id'])
        self.assertEqual(0, len(group.instances))
    finally:
        db.security_group_destroy(self.context, group['id'])
def _format_security_group_rule(self, context, rule):
    """Serialise one rule row for the API: either a source 'group' or an 'ip_range'.

    The source group is looked up by rule.group_id when set; the other key is left empty.
    """
    if rule.group_id:
        source = db.security_group_get(context, rule.group_id)
        group_part = {"name": source.name, "tenant_id": source.project_id}
        range_part = {}
    else:
        group_part = {}
        range_part = {"cidr": rule.cidr}
    return {
        "id": rule.id,
        "parent_group_id": rule.parent_group_id,
        "ip_protocol": rule.protocol,
        "from_port": rule.from_port,
        "to_port": rule.to_port,
        "group": group_part,
        "ip_range": range_part,
    }
def _format_security_group_rule(self, context, rule):
    """Serialise one rule row for the API with list-valued 'groups' / 'ip_ranges'.

    Exactly one of the two lists gets an entry: the source group (looked up by
    rule.group_id) or the rule's CIDR.
    """
    groups = []
    ip_ranges = []
    if rule.group_id:
        source = db.security_group_get(context, rule.group_id)
        groups.append({"name": source.name, "tenant_id": source.project_id})
    else:
        ip_ranges.append({"cidr": rule.cidr})
    return {
        "id": rule.id,
        "parent_group_id": rule.parent_group_id,
        "group_id": rule.group_id,
        "ip_protocol": rule.protocol,
        "from_port": rule.from_port,
        "to_port": rule.to_port,
        "groups": groups,
        "ip_ranges": ip_ranges,
    }
def delete(self, req, id):
    """Delete a security group.

    A non-integer id yields a 400 response object, an unknown group a 404 one (returned,
    not raised); otherwise the group is destroyed and 202 returned.
    """
    context = req.environ['nova.context']
    try:
        group_id = int(id)
        group = db.security_group_get(context, group_id)
    except ValueError:
        return exc.HTTPBadRequest(explanation=_("Security group id is not integer"))
    except exception.SecurityGroupNotFound as exp:
        # NOTE(review): only SecurityGroupNotFound is mapped; other NotFound types propagate.
        return exc.HTTPNotFound(explanation=unicode(exp))
    LOG.audit(_("Delete security group %s"), group_id, context=context)
    db.security_group_destroy(context, group.id)
    return exc.HTTPAccepted()
def test_create_instance_associates_security_groups(self):
    """Make sure create associates security groups"""
    group = self._create_group()
    created = self.compute_api.create(
        self.context,
        instance_type=FLAGS.default_instance_type,
        image_id=None,
        security_group=['testgroup'])
    try:
        attached = db.security_group_get_by_instance(self.context, created[0]['id'])
        self.assertEqual(1, len(attached))
        group = db.security_group_get(self.context, group['id'])
        self.assertEqual(1, len(group.instances))
    finally:
        db.security_group_destroy(self.context, group['id'])
        db.instance_destroy(self.context, created[0]['id'])
def _format_security_group_rule(self, context, rule):
    """Serialise one rule row for the API: either a source 'group' or an 'ip_range'.

    The source group is looked up by rule.group_id when set; the other key is left empty.
    """
    if rule.group_id:
        source = db.security_group_get(context, rule.group_id)
        group_part = {'name': source.name, 'tenant_id': source.project_id}
        range_part = {}
    else:
        group_part = {}
        range_part = {'cidr': rule.cidr}
    return {
        'id': rule.id,
        'parent_group_id': rule.parent_group_id,
        'ip_protocol': rule.protocol,
        'from_port': rule.from_port,
        'to_port': rule.to_port,
        'group': group_part,
        'ip_range': range_part,
    }
def test_destroy_security_group_disassociates_instances(self):
    """Make sure destroying security groups disassociates instances"""
    group = self._create_group()
    created = self.compute_api.create(
        self.context,
        instance_type=FLAGS.default_instance_type,
        image_id=None,
        security_group=['testgroup'])
    try:
        db.security_group_destroy(self.context, group['id'])
        # The row is soft-deleted, so it is re-read with read_deleted enabled.
        deleted_ctxt = context.get_admin_context(read_deleted=True)
        group = db.security_group_get(deleted_ctxt, group['id'])
        self.assertEqual(0, len(group.instances))
    finally:
        db.instance_destroy(self.context, created[0]['id'])
def _format_security_group_rule(self, context, rule):
    """Serialise one rule row for the API with list-valued 'groups' / 'ip_ranges'.

    Exactly one of the two lists gets an entry: the source group (looked up by
    rule.group_id) or the rule's CIDR.
    """
    groups = []
    ip_ranges = []
    if rule.group_id:
        source = db.security_group_get(context, rule.group_id)
        groups.append({'name': source.name, 'tenant_id': source.project_id})
    else:
        ip_ranges.append({'cidr': rule.cidr})
    return {
        'id': rule.id,
        'parent_group_id': rule.parent_group_id,
        'group_id': rule.group_id,
        'ip_protocol': rule.protocol,
        'from_port': rule.from_port,
        'to_port': rule.to_port,
        'groups': groups,
        'ip_ranges': ip_ranges,
    }
def remove_rule(rule, context):
    """
    Remove a security rule.

    rule -- The rule
    context -- The os context.

    Destroys the rule row, then notifies the security handler and the compute API so the
    parent group's members are refreshed.
    """
    # TODO: check exception handling!
    parent_id = rule['parent_group_id']
    # TODO(dizz): method seems to be gone!
    # self.compute_api.ensure_default_security_group(extras['nova_ctx'])
    parent = db.security_group_get(context, parent_id)
    removed_ids = [rule['id']]
    db.security_group_rule_destroy(context, rule['id'])
    SEC_HANDLER.trigger_security_group_rule_destroy_refresh(context, removed_ids)
    COMPUTE_API.trigger_security_group_rules_refresh(context, parent['id'])
def delete(self, req, id):
    """Revoke one security group rule and refresh its parent group's members.

    Raises exception.ApiError for an unknown rule and exception.SecurityGroupNotFound
    when the parent group cannot be loaded; returns 202 otherwise.
    """
    context = req.environ["nova.context"]
    rule = sqlalchemy_api.security_group_rule_get(context, id)
    if not rule:
        raise exception.ApiError(_("Rule not found"))

    parent_id = rule.parent_group_id
    self.compute_api.ensure_default_security_group(context)
    parent = db.security_group_get(context, parent_id)
    if not parent:
        raise exception.SecurityGroupNotFound(security_group_id=parent_id)

    LOG.audit(_("Revoke security group ingress %s"), parent["name"], context=context)
    db.security_group_rule_destroy(context, rule["id"])
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=parent["id"])
    return exc.HTTPAccepted()
def delete(self, req, id):
    """Revoke one security group rule and refresh its parent group's members.

    Raises exception.ApiError for an unknown rule and exception.SecurityGroupNotFound
    when the parent group cannot be loaded; returns 202 otherwise.
    """
    context = req.environ['nova.context']
    rule = sqlalchemy_api.security_group_rule_get(context, id)
    if not rule:
        raise exception.ApiError(_("Rule not found"))

    parent_id = rule.parent_group_id
    self.compute_api.ensure_default_security_group(context)
    parent = db.security_group_get(context, parent_id)
    if not parent:
        raise exception.SecurityGroupNotFound(security_group_id=parent_id)

    LOG.audit(_("Revoke security group ingress %s"), parent['name'], context=context)
    db.security_group_rule_destroy(context, rule['id'])
    self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=parent['id'])
    return exc.HTTPAccepted()
def _format_security_group(self, context, group):
    """Serialise a security group in EC2 style (groupName/ownerId/ipPermissions).

    Each rule becomes one ipPermissions entry naming either its source group (looked
    up by rule.group_id) under 'groups' or its CIDR under 'ipRanges'.
    """
    permissions = []
    for rule in group.rules:
        entry = {
            'ipProtocol': rule.protocol,
            'fromPort': rule.from_port,
            'toPort': rule.to_port,
            'groups': [],
            'ipRanges': [],
        }
        if rule.group_id:
            source = db.security_group_get(context, rule.group_id)
            entry['groups'].append({'groupName': source.name, 'userId': source.project_id})
        else:
            entry['ipRanges'].append({'cidrIp': rule.cidr})
        permissions.append(entry)
    return {
        'groupDescription': group.description,
        'groupName': group.name,
        'ownerId': group.project_id,
        'ipPermissions': permissions,
    }
def security_group_to_nwfilter_xml(self, security_group_id):
    """Render one security group's ingress rules as a libvirt nwfilter document.

    Only rules with a CIDR produce a match element; for IPv6 CIDRs (when FLAGS.use_ipv6
    is on) the *-ipv6 protocol names are used. TCP/UDP rules carry the port range, ICMP
    rules carry type/code unless they are the -1 wildcard.
    NOTE(review): values are interpolated into XML attributes without escaping; this
    relies on cidr/protocol/ports having been validated before they reached the DB.
    """
    group = db.security_group_get(context.get_admin_context(), security_group_id)
    v6_names = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
    pieces = []
    for rule in group.rules:
        pieces.append("<rule action='accept' direction='in' priority='300'>")
        if rule.cidr:
            version = netutils.get_ip_version(rule.cidr)
            proto = rule.protocol.lower()
            if FLAGS.use_ipv6 and version == 6:
                net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                pieces.append("<%s srcipaddr='%s' srcipmask='%s' " % (v6_names[proto], net, prefixlen))
            else:
                net, mask = netutils.get_net_and_mask(rule.cidr)
                pieces.append("<%s srcipaddr='%s' srcipmask='%s' " % (proto, net, mask))
            if proto in ['tcp', 'udp']:
                pieces.append("dstportstart='%s' dstportend='%s' " % (rule.from_port, rule.to_port))
            elif proto == 'icmp':
                LOG.info('rule.protocol: %r, rule.from_port: %r, rule.to_port: %r', proto, rule.from_port, rule.to_port)
                # -1 is the wildcard: omit the attribute instead of emitting it.
                if rule.from_port != -1:
                    pieces.append("type='%s' " % rule.from_port)
                if rule.to_port != -1:
                    pieces.append("code='%s' " % rule.to_port)
            pieces.append('/>\n')
        pieces.append("</rule>\n")
    rule_xml = ''.join(pieces)
    chain = 'root' if FLAGS.use_ipv6 else 'ipv4'
    return "<filter name='nova-secgroup-%s' chain='%s'>%s</filter>" % (security_group_id, chain, rule_xml)
def security_group_to_nwfilter_xml(security_group_id):
    """Render one security group's ingress rules as a libvirt nwfilter document.

    Only rules with a CIDR produce a match element; for IPv6 CIDRs (when FLAGS.use_ipv6
    is on) the *-ipv6 protocol names are used. TCP/UDP rules carry the port range, ICMP
    rules carry type/code unless they are the -1 wildcard.
    NOTE(review): values are interpolated into XML attributes without escaping; this
    relies on cidr/protocol/ports having been validated before they reached the DB.
    """
    group = db.security_group_get(context.get_admin_context(), security_group_id)
    v6_names = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
    pieces = []
    for rule in group.rules:
        pieces.append("<rule action='accept' direction='in' priority='300'>")
        if rule.cidr:
            version = netutils.get_ip_version(rule.cidr)
            if FLAGS.use_ipv6 and version == 6:
                net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                pieces.append("<%s srcipaddr='%s' srcipmask='%s' " % (v6_names[rule.protocol], net, prefixlen))
            else:
                net, mask = netutils.get_net_and_mask(rule.cidr)
                pieces.append("<%s srcipaddr='%s' srcipmask='%s' " % (rule.protocol, net, mask))
            if rule.protocol in ['tcp', 'udp']:
                pieces.append("dstportstart='%s' dstportend='%s' " % (rule.from_port, rule.to_port))
            elif rule.protocol == 'icmp':
                LOG.info('rule.protocol: %r, rule.from_port: %r, rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port)
                # -1 is the wildcard: omit the attribute instead of emitting it.
                if rule.from_port != -1:
                    pieces.append("type='%s' " % rule.from_port)
                if rule.to_port != -1:
                    pieces.append("code='%s' " % rule.to_port)
            pieces.append('/>\n')
        pieces.append("</rule>\n")
    rule_xml = ''.join(pieces)
    chain = 'root' if FLAGS.use_ipv6 else 'ipv4'
    return "<filter name='nova-secgroup-%s' chain='%s'>%s</filter>" % (security_group_id, chain, rule_xml)
def _format_security_group(self, context, group):
    """Serialise a security group in EC2 style (groupName/ownerId/ipPermissions).

    Each rule becomes one ipPermissions entry naming either its source group (looked
    up by rule.group_id) under 'groups' or its CIDR under 'ipRanges'.
    """
    permissions = []
    for rule in group.rules:
        entry = {
            'ipProtocol': rule.protocol,
            'fromPort': rule.from_port,
            'toPort': rule.to_port,
            'groups': [],
            'ipRanges': [],
        }
        if rule.group_id:
            source = db.security_group_get(context, rule.group_id)
            entry['groups'].append({'groupName': source.name, 'userId': source.project_id})
        else:
            entry['ipRanges'].append({'cidrIp': rule.cidr})
        permissions.append(entry)
    return {
        'groupDescription': group.description,
        'groupName': group.name,
        'ownerId': group.project_id,
        'ipPermissions': permissions,
    }
def security_group_to_nwfilter_xml(self, security_group_id):
    """Render one security group's ingress rules as a libvirt nwfilter document.

    Only rules with a CIDR produce a match element; for IPv6 CIDRs (when FLAGS.use_ipv6
    is on) the *-ipv6 protocol names are used. TCP/UDP rules carry the port range, ICMP
    rules carry type/code unless they are the -1 wildcard.
    NOTE(review): values are interpolated into XML attributes without escaping; this
    relies on cidr/protocol/ports having been validated before they reached the DB.
    """
    group = db.security_group_get(context.get_admin_context(), security_group_id)
    v6_names = {"tcp": "tcp-ipv6", "udp": "udp-ipv6", "icmp": "icmpv6"}
    pieces = []
    for rule in group.rules:
        pieces.append("<rule action='accept' direction='in' priority='300'>")
        if rule.cidr:
            version = netutils.get_ip_version(rule.cidr)
            if FLAGS.use_ipv6 and version == 6:
                net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                pieces.append("<%s srcipaddr='%s' srcipmask='%s' " % (v6_names[rule.protocol], net, prefixlen))
            else:
                net, mask = netutils.get_net_and_mask(rule.cidr)
                pieces.append("<%s srcipaddr='%s' srcipmask='%s' " % (rule.protocol, net, mask))
            if rule.protocol in ["tcp", "udp"]:
                pieces.append("dstportstart='%s' dstportend='%s' " % (rule.from_port, rule.to_port))
            elif rule.protocol == "icmp":
                LOG.info("rule.protocol: %r, rule.from_port: %r, rule.to_port: %r", rule.protocol, rule.from_port, rule.to_port)
                # -1 is the wildcard: omit the attribute instead of emitting it.
                if rule.from_port != -1:
                    pieces.append("type='%s' " % rule.from_port)
                if rule.to_port != -1:
                    pieces.append("code='%s' " % rule.to_port)
            pieces.append("/>\n")
        pieces.append("</rule>\n")
    rule_xml = "".join(pieces)
    chain = "root" if FLAGS.use_ipv6 else "ipv4"
    return "<filter name='nova-secgroup-%s' chain='%s'>%s</filter>" % (security_group_id, chain, rule_xml)
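def create_for_sg(self, tenant_id, sg_id, sg_name, rule):
    """Translate one Nova security group rule into an accept rule on the group's MidoNet chain.

    Args:
        tenant_id: tenant whose chains and port groups are searched.
        sg_id, sg_name: the security group; together they derive the chain name.
        rule: dict-like rule row (id, parent_group_id, protocol, from_port, to_port, cidr, group_id).

    Raises:
        AssertionError: the chain, or the port group of a source security group, was not found.
        ValueError: rule['protocol'] is none of tcp/udp/icmp.

    Fixes: the virtapi branch discarded the result of security_group_api.get(), leaving
    'group' unbound on the next line; an unsupported protocol left nw_proto unbound and
    failed later with UnboundLocalError instead of a clear error.
    """
    LOG.debug('sg_ig=%r, sg_name=%r', sg_id, sg_name)
    LOG.debug('parent_group_id=%r', rule['parent_group_id'])
    LOG.debug('protocol=%r', rule['protocol'])
    LOG.debug('from_port=%r', rule['from_port'])
    LOG.debug('to_port=%r', rule['to_port'])
    LOG.debug('cidr=%r', rule['cidr'])

    cname = chain_name(sg_id, sg_name)
    # Search for the chain to put rules into.
    chains = self.mido_api.get_chains({'tenant_id': tenant_id})
    found = False
    for c in chains:
        if c.get_name() == cname:
            sg_chain = c
            found = True
    # NOTE(review): assert is stripped under -O, in which case sg_chain may be unbound below.
    assert found
    LOG.debug('putting a rule to the chain id=%r', sg_chain.get_id())

    # Construct a corresponding rule.
    tp_src_start = tp_src_end = None
    tp_dst_start = tp_dst_end = None
    nw_src_address = None
    nw_src_length = None
    port_group_id = None

    # Handle source.
    if rule['cidr'] is not None:
        nw_src_address, nw_src_length = rule['cidr'].split('/')
    else:
        # Security group as a source: map it onto the matching MidoNet port group.
        port_groups = self.mido_api.get_port_groups({'tenant_id': tenant_id})
        ctxt = context.get_admin_context()
        if self.virtapi:
            group = self.security_group_api.get(id=rule['group_id'])
        else:
            group = db.security_group_get(ctxt, rule['group_id'])
        pg_name = port_group_name(group['id'], group['name'])
        found = False
        for pg in port_groups:
            if pg.get_name() == pg_name:
                port_group_id = pg.get_id()
                found = True
        assert found

    # Destination ports.
    tp_dst_start, tp_dst_end = rule['from_port'], rule['to_port']

    # Protocol.
    if rule['protocol'] == 'tcp':
        nw_proto = 6
    elif rule['protocol'] == 'udp':
        nw_proto = 17
    elif rule['protocol'] == 'icmp':
        nw_proto = 1
        # Extract type and code from the repurposed port fields.
        icmp_type = rule['from_port']
        icmp_code = rule['to_port']
        # Translate -1 (wildcard in OS) to the MidoNet wildcard.
        if icmp_type == -1:
            icmp_type = None
        if icmp_code == -1:
            icmp_code = None
        # Set data for the MidoNet rule.
        tp_src_start = tp_src_end = icmp_type
        tp_dst_start = tp_dst_end = icmp_code
    else:
        raise ValueError('unsupported protocol %r' % (rule['protocol'],))

    tp_src = {'start': tp_src_start, 'end': tp_src_end}
    tp_dst = {'start': tp_dst_start, 'end': tp_dst_end}

    # Create an accept rule.
    properties = self._properties(rule['id'])
    chain = self.mido_api.get_chain(sg_chain.get_id())
    (chain.add_rule()
        .port_group(port_group_id)
        .type('accept')
        .nw_proto(nw_proto)
        .nw_src_address(nw_src_address)
        .nw_src_length(nw_src_length)
        .tp_src(tp_src)
        .tp_dst(tp_dst)
        .properties(properties)
        .create())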
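def _rule_args_to_dict(self, context, to_port=None, from_port=None, parent_group_id=None, ip_protocol=None, cidr=None, group_id=None):
    """Validate the rule arguments from an API body and normalise them for the DB layer.

    Exactly one source is used: a source security group (group_id) if given, else a CIDR,
    else the catch-all '0.0.0.0/0'. Protocol and ports are optional for a source group but
    mandatory for CIDR filtering.

    Returns:
        dict with 'group_id' or 'cidr', plus 'protocol'/'from_port'/'to_port' when given;
        None when CIDR filtering was requested without protocol and ports.

    Raises:
        exception.InvalidInput: non-integer ids/ports, or parent and source group being the same.
        exception.InvalidCidr: the CIDR cannot be decoded or is not a valid network.
        exception.InvalidIpProtocol: protocol other than TCP/UDP/ICMP.
        exception.InvalidPortRange: TCP/UDP range reversed or outside 1-65535, or ICMP
            type/code outside -1..255.
        A NotFound from db.security_group_get propagates when group_id does not exist.

    Fixes: ports were tested for truthiness, so a 0 (e.g. ICMP type 0 or code 0) was
    treated as absent; the from_port > to_port check was applied to ICMP too, rejecting
    e.g. type 8 / code 0; the ICMP bounds checked only from_port's lower and to_port's
    upper limit; int(None) raises TypeError, which was not caught.
    """
    values = {}

    if group_id is not None:
        try:
            parent_group_id = int(parent_group_id)
            group_id = int(group_id)
        except (ValueError, TypeError):
            raise exception.InvalidInput(reason=_("Parent or group id is not integer"))
        if parent_group_id == group_id:
            raise exception.InvalidInput(reason=_("Parent group id and group id cannot be same"))
        values['group_id'] = group_id
        # Existence check only: a missing group raises from the DB layer.
        db.security_group_get(context, group_id)
    elif cidr:
        # Any decode failure is reported as an invalid CIDR.
        try:
            cidr = urllib.unquote(cidr).decode()
        except Exception:
            raise exception.InvalidCidr(cidr=cidr)
        if not utils.is_valid_cidr(cidr):
            raise exception.InvalidCidr(cidr=cidr)
        values['cidr'] = cidr
    else:
        values['cidr'] = '0.0.0.0/0'

    if ip_protocol and from_port is not None and to_port is not None:
        ip_protocol = str(ip_protocol)
        proto = ip_protocol.upper()
        try:
            from_port = int(from_port)
            to_port = int(to_port)
        except (ValueError, TypeError):
            if proto == 'ICMP':
                raise exception.InvalidInput(reason="Type and Code must be integers for ICMP protocol type")
            raise exception.InvalidInput(reason="To and From ports must be integers")
        if proto not in ['TCP', 'UDP', 'ICMP']:
            raise exception.InvalidIpProtocol(protocol=ip_protocol)
        if proto in ['TCP', 'UDP']:
            # from_port must not exceed to_port, and both must be real port numbers.
            if from_port > to_port:
                raise exception.InvalidPortRange(from_port=from_port, to_port=to_port, msg="Former value cannot be greater than the later")
            if from_port < 1 or to_port > 65535:
                raise exception.InvalidPortRange(from_port=from_port, to_port=to_port, msg="Valid TCP ports should be between 1-65535")
        else:
            # ICMP: from_port is the type and to_port the code; -1 is the wildcard.
            if not (-1 <= from_port <= 255 and -1 <= to_port <= 255):
                raise exception.InvalidPortRange(from_port=from_port, to_port=to_port, msg="For ICMP, the type:code must be valid")
        values['protocol'] = ip_protocol
        values['from_port'] = from_port
        values['to_port'] = to_port
    elif 'cidr' in values:
        # If cidr based filtering, protocol and ports are mandatory
        return None

    return values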
def refresh(self):
    """Re-read this group's row from the DB and overwrite the object's fields with it."""
    ctxt = self._context
    row = db.security_group_get(ctxt, self.id)
    self._from_db_object(ctxt, self, row)
def refresh(self, context):
    """Re-read this group's row from the DB and overwrite the object's fields with it."""
    row = db.security_group_get(context, self.id)
    SecurityGroup._from_db_object(context, self, row)
def get(cls, context, secgroup_id):
    """Load one security group object by its database id."""
    row = db.security_group_get(context, secgroup_id)
    obj = cls()
    return cls._from_db_object(context, obj, row)
def refresh(self, context):
    """Re-read this group's row from the DB and overwrite the object's fields with it.

    This variant's _from_db_object takes no context argument (only the object and the row).
    """
    row = db.security_group_get(context, self.id)
    SecurityGroup._from_db_object(self, row)
def show(self, req, id):
    """Return the formatted security group whose id is given in the URL."""
    context = req.environ['nova.context']
    # NOTE(review): id is handed to the DB layer as-is and a NotFound is not translated
    # to a 404 here; the other show() variants int() the id and map ValueError/NotFound.
    group = db.security_group_get(context, id)
    formatted = self._format_security_group(context, group)
    return {'security_group': formatted}
def _rule_args_to_dict(self, context, to_port=None, from_port=None, parent_group_id=None, ip_protocol=None, cidr=None, group_id=None):
    """Validate the rule arguments from an API body and normalise them for the DB layer.

    Exactly one source is used: a source security group (group_id) if given, else a CIDR,
    else the catch-all '0.0.0.0/0'. With a source group and a protocol but no explicit
    range, the range defaults to all ports (TCP/UDP) or the -1 wildcard (ICMP). For CIDR
    filtering, protocol and ports are mandatory.

    Returns:
        dict with 'group_id' or 'cidr', plus 'protocol'/'from_port'/'to_port' when given;
        None when CIDR filtering was requested without protocol and ports.

    Raises:
        exception.InvalidInput: non-integer ids or ports.
        exception.InvalidCidr: the CIDR cannot be decoded or is not a valid network.
        exception.InvalidIpProtocol: protocol other than TCP/UDP/ICMP.
        exception.InvalidPortRange: TCP/UDP range reversed or outside 1-65535, or ICMP
            type/code outside -1..255.
        A NotFound from db.security_group_get propagates when group_id does not exist.
    """
    values = {}

    if group_id is not None:
        try:
            parent_group_id = int(parent_group_id)
            group_id = int(group_id)
        except ValueError:
            raise exception.InvalidInput(reason=_("Parent or group id is not integer"))
        values['group_id'] = group_id
        # Existence check only: a missing group raises from the DB layer.
        db.security_group_get(context, group_id)
    elif cidr:
        # Any decode failure is reported as an invalid CIDR.
        try:
            cidr = urllib.unquote(cidr).decode()
        except Exception:
            raise exception.InvalidCidr(cidr=cidr)
        if not utils.is_valid_cidr(cidr):
            raise exception.InvalidCidr(cidr=cidr)
        values['cidr'] = cidr
    else:
        values['cidr'] = '0.0.0.0/0'

    if group_id:
        # Open everything if an explicit port range or type/code are not
        # specified, but only if a source group was specified.
        upper = ip_protocol.upper() if ip_protocol else ''
        no_range = from_port is None and to_port is None
        if upper == 'ICMP' and no_range:
            from_port = to_port = -1
        elif upper in ['TCP', 'UDP'] and no_range:
            from_port, to_port = 1, 65535

    have_ports = from_port is not None and to_port is not None
    if ip_protocol and have_ports:
        ip_protocol = str(ip_protocol)
        try:
            from_port = int(from_port)
            to_port = int(to_port)
        except ValueError:
            if ip_protocol.upper() == 'ICMP':
                raise exception.InvalidInput(reason="Type and Code must be integers for ICMP protocol type")
            raise exception.InvalidInput(reason="To and From ports must be integers")
        proto = ip_protocol.upper()
        if proto not in ['TCP', 'UDP', 'ICMP']:
            raise exception.InvalidIpProtocol(protocol=ip_protocol)
        if proto in ['TCP', 'UDP']:
            # from_port must not exceed to_port, and both must be real port numbers.
            if from_port > to_port:
                raise exception.InvalidPortRange(from_port=from_port, to_port=to_port, msg="Former value cannot be greater than the later")
            if from_port < 1 or to_port > 65535:
                raise exception.InvalidPortRange(from_port=from_port, to_port=to_port, msg="Valid TCP ports should be between 1-65535")
        elif proto == "ICMP":
            # from_port is the type and to_port the code; -1 is the wildcard.
            if not (-1 <= from_port <= 255 and -1 <= to_port <= 255):
                raise exception.InvalidPortRange(from_port=from_port, to_port=to_port, msg="For ICMP, the type:code must be valid")
        values['protocol'] = ip_protocol
        values['from_port'] = from_port
        values['to_port'] = to_port
    elif 'cidr' in values:
        # If cidr based filtering, protocol and ports are mandatory
        return None

    return values