renamed priv method arg_to_dict since it's not just used for revoke. modified to conform to latest AWS EC2 API spec for authorize & revoke ingress params using the IpPermissions data structure, which nests lists of CIDR blocks (IpRanges) as well as lists of Group data

2 files changed, 110 insertions, 20 deletions

diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index acfd1361c..5c0c79429 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -441,7 +441,52 @@ class CloudController(object):
             g['ipPermissions'] += [r]
         return g
 
-    def _revoke_rule_args_to_dict(self, context, to_port=None, from_port=None,
+    def _rule_args_to_dict(self, context, kwargs):
+        rules = []
+        if not kwargs.has_key('groups') and not kwargs.has_key('ip_ranges'):
+            rule = self._rule_dict_last_step(context, **kwargs)
+            if rule:
+                rules.append(rule)
+            return rules
+        if kwargs.has_key('ip_ranges'):
+            rules = self._cidr_args_split(kwargs)
+        finalset = []
+        for rule in rules:
+            if rule.has_key('groups'):
+                groups_values = self._groups_args_split(rule)
+                for groups_value in groups_values:
+                    finalset.append(groups_value)
+            else:
+                if rule:
+                    finalset.append(rule)
+        return finalset
+
+    def _cidr_args_split(self, kwargs):
+        cidr_args_split= []
+        cidrs = kwargs['ip_ranges']
+        for key, cidr in cidrs.iteritems():
+            mykwargs = kwargs.copy()
+            del mykwargs['ip_ranges']
+            mykwargs['cidr_ip'] = cidr['cidr_ip']
+            cidr_args_split.append(mykwargs)
+        return cidr_args_split
+
+    def _groups_args_split(self, kwargs):
+        groups_args_split= []
+        groups = kwargs['groups']
+        for key, group in groups.iteritems():
+            mykwargs = kwargs.copy()
+            del mykwargs['groups']
+            if group.has_key('group_name'):
+                mykwargs['source_security_group_name'] = group['group_name']
+            if group.has_key('user_id'):
+                mykwargs['source_security_group_owner_id'] = group['user_id']
+            if group.has_key('group_id'):
+                mykwargs['source_security_group_id'] = group['group_id']
+            groups_args_split.append(mykwargs)
+        return groups_args_split
+
+    def _rule_dict_last_step(self, context, to_port=None, from_port=None,
                                   ip_protocol=None, cidr_ip=None, user_id=None,
                                   source_security_group_name=None,
                                   source_security_group_owner_id=None):
@@ -526,7 +571,7 @@ class CloudController(object):
         msg = "Revoke security group ingress %s"
         LOG.audit(_(msg), security_group['name'], context=context)
 
-        criteria = self._revoke_rule_args_to_dict(context, **kwargs)
+        criteria = self._rule_args_to_dict(context, kwargs)[0]
         if criteria is None:
             raise exception.ApiError(_("Not enough parameters to build a "
                                        "valid rule."))
@@ -567,21 +612,31 @@ class CloudController(object):
 
         msg = "Authorize security group ingress %s"
         LOG.audit(_(msg), security_group['name'], context=context)
-        values = self._revoke_rule_args_to_dict(context, **kwargs)
-        if values is None:
-            raise exception.ApiError(_("Not enough parameters to build a "
-                                       "valid rule."))
-        values['parent_group_id'] = security_group.id
-
-        if self._security_group_rule_exists(security_group, values):
-            raise exception.ApiError(_('This rule already exists in group %s')
-                                     % group_name)
-
-        security_group_rule = db.security_group_rule_create(context, values)
+        prevalues = []
+        try:
+            prevalues = kwargs['ip_permissions']
+        except KeyError:
+            prevalues.append(kwargs)
+        postvalues = []
+        for values in prevalues:
+            rulesvalues = self._rule_args_to_dict(context, values)
+            if not rulesvalues:
+                raise exception.ApiError(_("%s Not enough parameters to build a "
+                                           "valid rule." % rulesvalues))
+            for values_for_rule in rulesvalues:
+                values_for_rule['parent_group_id'] = security_group.id
+                if self._security_group_rule_exists(security_group, values_for_rule):
+                    raise exception.ApiError(_('%s - This rule already exists in group %s')
+                                                % (values_for_rule, group_name))
+                postvalues.append(values_for_rule)
+
+        for values_for_rule in postvalues:
+            security_group_rule = db.security_group_rule_create(context, values_for_rule)
 
         self.compute_api.trigger_security_group_rules_refresh(context,
-                                      security_group_id=security_group['id'])
+                                  security_group_id=security_group['id'])
 
+        group = db.security_group_get_by_name(context, context.project_id, security_group['name'])
         return True
 
     def _get_source_project_id(self, context, source_security_group_owner_id):
diff --git a/nova/tests/test_cloud.py b/nova/tests/test_cloud.py
index d71a03aff..7becf1963 100644
--- a/nova/tests/test_cloud.py
+++ b/nova/tests/test_cloud.py
@@ -239,25 +239,60 @@ class CloudTestCase(test.TestCase):
         delete = self.cloud.delete_security_group
         self.assertRaises(exception.ApiError, delete, self.context)
 
-    def test_authorize_revoke_security_group_ingress(self):
+    def test_authorize_security_group_ingress(self):
         kwargs = {'project_id': self.context.project_id, 'name': 'test'}
         sec = db.security_group_create(self.context, kwargs)
         authz = self.cloud.authorize_security_group_ingress
         kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'}
-        authz(self.context, group_name=sec['name'], **kwargs)
+        self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs))
+
+    def test_authorize_security_group_ingress_ip_permissions_ip_ranges(self):
+        kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+        sec = db.security_group_create(self.context, kwargs)
+        authz = self.cloud.authorize_security_group_ingress
+        kwargs = {'ip_permissions': [{'to_port': 81, 'from_port': 81,
+                                      'ip_ranges': {'1': {'cidr_ip': u'0.0.0.0/0'},
+                                                   '2': {'cidr_ip': u'10.10.10.10/32'}},
+                                      'ip_protocol': u'tcp'}]}
+        self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs))
+
+    def test_authorize_security_group_ingress_ip_permissions_groups(self):
+        kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+        sec = db.security_group_create(self.context, kwargs)
+        authz = self.cloud.authorize_security_group_ingress
+        kwargs = {'ip_permissions': [{'to_port': 81, 'from_port': 81,
+                  'ip_ranges': {'1': {'cidr_ip': u'0.0.0.0/0'}, '2': {'cidr_ip': u'10.10.10.10/32'}},
+                  'groups': {'1': {'user_id': u'someuser', 'group_name': u'somegroup1'},
+                             '2': {'user_id': u'someuser', 'group_name': u'othergroup2'}},
+                  'ip_protocol': u'tcp'}]}
+        self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs))
+
+    def test_revoke_security_group_ingress(self):
+        kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+        sec = db.security_group_create(self.context, kwargs)
+        authz = self.cloud.authorize_security_group_ingress
+        kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'}
+        authz(self.context, group_id=sec['id'], **kwargs)
         revoke = self.cloud.revoke_security_group_ingress
         self.assertTrue(revoke(self.context, group_name=sec['name'], **kwargs))
 
-    def test_authorize_revoke_security_group_ingress_by_id(self):
-        sec = db.security_group_create(self.context,
-                                       {'project_id': self.context.project_id,
-                                        'name': 'test'})
+    def test_revoke_security_group_ingress_by_id(self):
+        kwargs = {'project_id': self.context.project_id, 'name': 'test'}
+        sec = db.security_group_create(self.context, kwargs)
         authz = self.cloud.authorize_security_group_ingress
         kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'}
         authz(self.context, group_id=sec['id'], **kwargs)
         revoke = self.cloud.revoke_security_group_ingress
         self.assertTrue(revoke(self.context, group_id=sec['id'], **kwargs))
 
+    def test_authorize_security_group_ingress_by_id(self):
+        sec = db.security_group_create(self.context,
+                                       {'project_id': self.context.project_id,
+                                        'name': 'test'})
+        authz = self.cloud.authorize_security_group_ingress
+        kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'}
+        self.assertTrue(authz(self.context, group_id=sec['id'], **kwargs))
+
     def test_authorize_security_group_ingress_missing_protocol_params(self):
         sec = db.security_group_create(self.context,
                                        {'project_id': self.context.project_id,