def test_user_can_remove_rule_from_security_group(self):
rule_to_remain = factories.SecurityGroupRuleFactory(
security_group=self.security_group)
rule_to_delete = factories.SecurityGroupRuleFactory(
security_group=self.security_group)
self.client.force_authenticate(self.fixture.admin)
response = self.client.post(self.url, data=[{'id': rule_to_remain.id}])
self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
exist_rules = self.security_group.rules.all()
self.assertIn(rule_to_remain, exist_rules)
self.assertNotIn(rule_to_delete, exist_rules)
def test_security_group_rules_are_updated_when_one_more_rule_is_added(
self):
openstack_security_group = openstack_factories.SecurityGroupFactory(
tenant=self.tenant, state=StateMixin.States.UPDATING)
openstack_factories.SecurityGroupRuleFactory(
security_group=openstack_security_group)
security_group = factories.SecurityGroupFactory(
settings=self.service_settings,
backend_id=openstack_security_group.backend_id,
)
openstack_security_group.set_ok()
openstack_security_group.save()
self.assertEqual(security_group.rules.count(), 1,
'Security group rule has not been added')
self.assertEqual(
security_group.rules.first().protocol,
openstack_security_group.rules.first().protocol,
)
self.assertEqual(
security_group.rules.first().from_port,
openstack_security_group.rules.first().from_port,
)
self.assertEqual(
security_group.rules.first().to_port,
openstack_security_group.rules.first().to_port,
)
def test_security_group_create(self):
openstack_security_group = openstack_factories.SecurityGroupFactory(
tenant=self.tenant, state=StateMixin.States.CREATING)
openstack_security_rule = openstack_factories.SecurityGroupRuleFactory(
security_group=openstack_security_group)
self.assertEqual(models.SecurityGroup.objects.count(), 0)
openstack_security_group.set_ok()
openstack_security_group.save()
self.assertEqual(models.SecurityGroup.objects.count(), 1)
self.assertTrue(
models.SecurityGroup.objects.filter(
settings=self.service_settings,
backend_id=openstack_security_group.backend_id,
).exists())
security_group_property = models.SecurityGroup.objects.get(
settings=self.service_settings,
backend_id=openstack_security_group.backend_id,
)
self.assertTrue(
security_group_property.rules.filter(
backend_id=openstack_security_rule.backend_id).exists())
def test_pending_security_groups_are_not_duplicated(self):
original_security_group = factories.SecurityGroupFactory(tenant=self.tenant)
factories.SecurityGroupRuleFactory(security_group=original_security_group)
security_group_in_progress = factories.SecurityGroupFactory(
state=models.SecurityGroup.States.UPDATING, tenant=self.tenant
)
factories.SecurityGroupRuleFactory(security_group=security_group_in_progress)
security_groups = [original_security_group, security_group_in_progress]
self.mocked_neutron().list_security_groups.return_value = self._form_backend_security_groups(
security_groups
)
self.backend.pull_tenant_security_groups(self.tenant)
backend_ids = [sg.backend_id for sg in security_groups]
actual_security_groups_count = models.SecurityGroup.objects.filter(
backend_id__in=backend_ids
).count()
self.assertEqual(actual_security_groups_count, len(security_groups))
def test_rule_without_backend_id_is_skipped_when_group_is_imported(self):
group1 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
group2 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
rule = openstack_factories.SecurityGroupRuleFactory(
security_group=group1, remote_group=group2, backend_id='')
self.assertFalse(
models.SecurityGroupRule.objects.filter(
backend_id=rule.backend_id,
security_group__backend_id=group1.backend_id,
remote_group__backend_id=group2.backend_id,
).exists())
def test_when_group_is_imported_remote_group_is_imported_too(self):
group1 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
group2 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
rule = openstack_factories.SecurityGroupRuleFactory(
security_group=group1, remote_group=group2)
self.assertTrue(
models.SecurityGroupRule.objects.filter(
backend_id=rule.backend_id,
security_group__backend_id=group1.backend_id,
remote_group__backend_id=group2.backend_id,
).exists())
def test_when_rule_is_updated_remote_group_is_synced(self):
group1 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
group2 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
rule = openstack_factories.SecurityGroupRuleFactory(
security_group=group1)
rule.remote_group = group2
rule.save(update_fields=['remote_group'])
self.assertTrue(
models.SecurityGroupRule.objects.filter(
backend_id=rule.backend_id,
security_group__backend_id=group1.backend_id,
remote_group__backend_id=group2.backend_id,
).exists())
def test_rule_without_backend_id_is_synced_when_backend_id_is_assigned(
self):
group1 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
group2 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
rule = openstack_factories.SecurityGroupRuleFactory(
security_group=group1, remote_group=group2, backend_id='')
rule.backend_id = 'valid_backend_id'
rule.save()
self.assertTrue(
models.SecurityGroupRule.objects.filter(
backend_id=rule.backend_id,
security_group__backend_id=group1.backend_id,
remote_group__backend_id=group2.backend_id,
).exists())
def test_rule_is_not_updated_if_port_range_is_invalid(self):
rule = factories.SecurityGroupRuleFactory(
security_group=self.security_group, from_port=2222, to_port=2222)
self.client.force_authenticate(self.fixture.admin)
data = [{
'protocol': rule.protocol,
'from_port': 125,
'to_port': 25,
'cidr': rule.cidr,
}]
response = self.client.post(self.url, data=data)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
rule.refresh_from_db()
self.assertEqual(rule.from_port, 2222)
self.assertEqual(rule.to_port, 2222)
def test_when_security_group_is_created_remote_group_is_filled(self):
group1 = openstack_factories.SecurityGroupFactory(
tenant=self.tenant, state=StateMixin.States.CREATING)
group2 = openstack_factories.SecurityGroupFactory(tenant=self.tenant)
openstack_security_rule = openstack_factories.SecurityGroupRuleFactory(
security_group=group1, remote_group=group2)
group1.set_ok()
group1.save()
self.assertTrue(
models.SecurityGroupRule.objects.filter(
backend_id=openstack_security_rule.backend_id,
security_group__backend_id=group1.backend_id,
remote_group__backend_id=group2.backend_id,
).exists())
def test_security_group_rules_are_deleted(self):
# Arrange
openstack_security_group = openstack_factories.SecurityGroupFactory(
tenant=self.tenant, state=StateMixin.States.UPDATING)
rule = openstack_factories.SecurityGroupRuleFactory(
security_group=openstack_security_group)
security_group = factories.SecurityGroupFactory(
settings=self.service_settings,
backend_id=openstack_security_group.backend_id,
)
# Act
openstack_security_group.set_ok()
openstack_security_group.save()
rule.delete()
# Assert
self.assertEqual(security_group.rules.count(), 0,
'Security group rule has not been deleted')
def test_user_can_add_new_security_group_rule_and_leave_existing(self):
exist_rule = factories.SecurityGroupRuleFactory(
security_group=self.security_group)
self.client.force_authenticate(self.fixture.admin)
new_rule_data = {
'protocol': 'udp',
'from_port': 100,
'to_port': 8001,
'cidr': '11.11.1.2/24',
}
response = self.client.post(self.url,
data=[{
'id': exist_rule.id
}, new_rule_data])
self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
self.assertEqual(self.security_group.rules.count(), 2)
self.assertTrue(
self.security_group.rules.filter(id=exist_rule.id).exists())
self.assertTrue(
self.security_group.rules.filter(**new_rule_data).exists())
def test_egress_rules_are_not_modified(self):
security_group = self.fixture.security_group
rule = factories.SecurityGroupRuleFactory(security_group=security_group)
INGRESS_RULE_ID = 'c0b09f00-1d49-4e64-a0a7-8a186d928138'
self.mocked_neutron().show_security_group.return_value = {
'security_group': {
'security_group_rules': [
{
"direction": "egress",
"ethertype": "IPv4",
"id": "93aa42e5-80db-4581-9391-3a608bd0e448",
"port_range_max": None,
"port_range_min": None,
"protocol": None,
"remote_group_id": None,
"remote_ip_prefix": None,
"security_group_id": "85cc3048-abc3-43cc-89b3-377341426ac5",
"project_id": "e4f50856753b4dc6afee5fa6b9b6c550",
"revision_number": 1,
"created_at": "2018-03-19T19:16:56Z",
"updated_at": "2018-03-19T19:16:56Z",
"tenant_id": "e4f50856753b4dc6afee5fa6b9b6c550",
"description": "",
},
{
"direction": "ingress",
"ethertype": "IPv6",
"id": INGRESS_RULE_ID,
"port_range_max": None,
"port_range_min": None,
"protocol": None,
"remote_group_id": "85cc3048-abc3-43cc-89b3-377341426ac5",
"remote_ip_prefix": None,
"security_group_id": "85cc3048-abc3-43cc-89b3-377341426ac5",
"project_id": "e4f50856753b4dc6afee5fa6b9b6c550",
"revision_number": 2,
"created_at": "2018-03-19T19:16:56Z",
"updated_at": "2018-03-19T19:16:56Z",
"tenant_id": "e4f50856753b4dc6afee5fa6b9b6c550",
"description": "",
},
]
}
}
self.backend.push_security_group_rules(security_group)
self.mocked_neutron().delete_security_group_rule.assert_called_once_with(
INGRESS_RULE_ID
)
self.mocked_neutron().create_security_group_rule.assert_called_once_with(
{
'security_group_rule': {
'security_group_id': security_group.backend_id,
'direction': 'ingress',
'protocol': rule.protocol,
'port_range_min': rule.from_port,
'port_range_max': rule.to_port,
'remote_ip_prefix': rule.cidr,
}
}
)
