author | Jenkins <jenkins@review.openstack.org> | 2013-02-12 13:45:43 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2013-02-12 13:45:43 +0000 |
commit | b64c53e0368ea63d8cd4beb71dabce9987b9bb54 (patch) | |
tree | f2a80700f5bf237353f8fb027c4286c0daf2c962 | |
parent | 31f08a3869f3f88fa0cc3af48b920bda0394f4c5 (diff) | |
parent | a92445e33d2cb27bc37a6db2fb736007fe7a7a16 (diff) | |
Merge "Disallow setting /0 for network other than 0.0.0.0"
-rw-r--r-- | nova/api/openstack/compute/contrib/security_groups.py | 7 | ||||
-rw-r--r-- | nova/tests/api/openstack/compute/contrib/test_security_groups.py | 32 |
2 files changed, 39 insertions, 0 deletions
diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py index a15c395ae..c49e7af70 100644 --- a/nova/api/openstack/compute/contrib/security_groups.py +++ b/nova/api/openstack/compute/contrib/security_groups.py @@ -30,6 +30,7 @@ from nova.compute import api as compute_api from nova import db from nova import exception from nova.openstack.common import log as logging +from nova.virt import netutils LOG = logging.getLogger(__name__) authorize = extensions.extension_authorizer('compute', 'security_groups') @@ -332,6 +333,12 @@ class SecurityGroupRulesController(SecurityGroupControllerBase): values['parent_group_id'] = security_group.id + if 'cidr' in values: + net, prefixlen = netutils.get_net_and_prefixlen(values['cidr']) + if net != '0.0.0.0' and prefixlen == '0': + msg = _("Bad prefix for network in cidr %s") % values['cidr'] + raise exc.HTTPBadRequest(explanation=msg) + if self.security_group_api.rule_exists(security_group, values): msg = _('This rule already exists in group %s') % parent_group_id raise exc.HTTPBadRequest(explanation=msg) diff --git a/nova/tests/api/openstack/compute/contrib/test_security_groups.py b/nova/tests/api/openstack/compute/contrib/test_security_groups.py index 231923e6d..75da8efa5 100644 --- a/nova/tests/api/openstack/compute/contrib/test_security_groups.py +++ b/nova/tests/api/openstack/compute/contrib/test_security_groups.py 
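Review bot: The new guard in SecurityGroupRulesController compares `net` against the literal `'0.0.0.0'`, so an IPv6 allow-all rule such as `::/0` would be rejected as a bad prefix if `netutils.get_net_and_prefixlen` returns `'::'` for it and IPv6 CIDRs are accepted earlier in this method; neither is visible here, so this should be confirmed. If so, the condition should be `if net not in ('0.0.0.0', '::') and prefixlen == '0':`. The check also only covers a prefix length of exactly 0: a value such as `15.0.0.0/1` still has address bits set outside its mask and passes this check, so a rule the caller meant to be narrow can still match half the IPv4 space; rejecting any CIDR whose address is not its own network address would close that whole class. A short comment above the block stating the reason would help, for example `# A non-zero address with /0 matches every source; reject it instead of silently creating an allow-all rule.` The enclosing method starts and ends outside the hunk.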
@@ -1011,6 +1011,38 @@ class TestSecurityGroupRules(test.TestCase): self.controller.create, req, {'security_group_rule': rule}) + def test_create_rule_cidr_allow_all(self): + rule = security_group_rule_template(cidr='0.0.0.0/0') + + req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules') + res_dict = self.controller.create(req, {'security_group_rule': rule}) + + security_group_rule = res_dict['security_group_rule'] + self.assertNotEquals(security_group_rule['id'], 0) + self.assertEquals(security_group_rule['parent_group_id'], + self.parent_security_group['id']) + self.assertEquals(security_group_rule['ip_range']['cidr'], + "0.0.0.0/0") + + def test_create_rule_cidr_allow_some(self): + rule = security_group_rule_template(cidr='15.0.0.0/8') + + req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules') + res_dict = self.controller.create(req, {'security_group_rule': rule}) + + security_group_rule = res_dict['security_group_rule'] + self.assertNotEquals(security_group_rule['id'], 0) + self.assertEquals(security_group_rule['parent_group_id'], + self.parent_security_group['id']) + self.assertEquals(security_group_rule['ip_range']['cidr'], + "15.0.0.0/8") + + def test_create_rule_cidr_bad_netmask(self): + rule = security_group_rule_template(cidr='15.0.0.0/0') + req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules') + self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, + req, {'security_group_rule': rule}) + class TestSecurityGroupRulesXMLDeserializer(test.TestCase): |
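Review bot: The only negative case is `15.0.0.0/0`, so nothing pins how the new check treats inputs next to that boundary. An IPv6 any-address rule (`::/0`) and an IPv4 value with a non-zero prefix but stray address bits (constructed example: `15.0.0.0/1`) are the two worth adding, each as a test in the style of `test_create_rule_cidr_allow_all` or `test_create_rule_cidr_bad_netmask`, so the intended accept/reject decision is recorded. `test_create_rule_cidr_allow_all` and `test_create_rule_cidr_allow_some` also differ only in the CIDR string; a shared helper taking the CIDR would remove the duplicated body. The enclosing class continues outside the hunk.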