authorSoren Hansen <soren.hansen@rackspace.com>2010-09-09 15:13:04 +0200
committerSoren Hansen <soren.hansen@rackspace.com>2010-09-09 15:13:04 +0200
commitbd7ac72b9774a181e51dde5dff09ed4c47b556a7 (patch)
treef0e8cd1c8293b7d1c568e4ed498b4af40a1e315f
parentbd07d6b3b3e9ed3ef3e65e99b628c8b1aaf2f82c (diff)
AuthorizeSecurityGroupIngress now works.
-rw-r--r--nova/db/api.py13
-rw-r--r--nova/db/sqlalchemy/api.py19
-rw-r--r--nova/db/sqlalchemy/models.py9
-rw-r--r--nova/endpoint/cloud.py50
-rw-r--r--nova/tests/api_unittest.py83
5 files changed, 161 insertions, 13 deletions
diff --git a/nova/db/api.py b/nova/db/api.py
index b67e3afe0..af574d6de 100644
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -461,6 +461,19 @@ def security_group_get_by_user(context, user_id):
return IMPL.security_group_get_by_user(context, user_id)
+def security_group_get_by_user_and_name(context, user_id, name):
+ """Get user's named security group"""
+ return IMPL.security_group_get_by_user_and_name(context, user_id, name)
+
+
def security_group_destroy(context, security_group_id):
"""Deletes a security group"""
return IMPL.security_group_destroy(context, security_group_id)
+
+
+####################
+
+
+def security_group_rule_create(context, values):
+ """Create a new security group"""
+ return IMPL.security_group_rule_create(context, values)
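Review bot: The docstring added on `security_group_rule_create` at the end of the hunk says "Create a new security group", but the function creates a rule, not a group; suggest `"""Create a new security group ingress rule"""`. Since `nova/db/api.py` is the public facade, it would also help to document that `security_group_get_by_user_and_name` raises when no matching group exists (the sqlalchemy implementation in this commit uses `.one()`), so callers know to handle it.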
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index d790d3fac..c8d852f9d 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -609,6 +609,14 @@ def security_group_get_by_user(_context, user_id):
.filter_by(deleted=False) \
.all()
+def security_group_get_by_user_and_name(_context, user_id, name):
+ with managed_session() as session:
+ return session.query(models.SecurityGroup) \
+ .filter_by(user_id=user_id) \
+ .filter_by(name=name) \
+ .filter_by(deleted=False) \
+ .one()
+
def security_group_destroy(_context, security_group_id):
with managed_session() as session:
security_group = session.query(models.SecurityGroup) \
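Review bot: `security_group_get_by_user_and_name` ends in `.one()`, which raises `sqlalchemy.orm.exc.NoResultFound` when no group matches and `MultipleResultsFound` if duplicates exist, and the new caller in `nova/endpoint/cloud.py` does not handle either, so a wrong group name becomes an unhandled exception rather than an EC2-style error. Either state this in a docstring, e.g. `"""Return the security group named name owned by user_id; raises NoResultFound if absent."""`, or catch it here and translate to whatever not-found error this layer already uses (not visible in this diff). `_context` is unused, so the lookup is scoped only by `user_id`; if project scoping is expected elsewhere in this file, confirm it is not needed here. `security_group_destroy` continues outside the hunk.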
@@ -619,3 +627,14 @@ def security_group_get_all(_context):
return models.SecurityGroup.all()
+
+
+###################
+
+
+def security_group_rule_create(_context, values):
+ security_group_rule_ref = models.SecurityGroupIngressRule()
+ for (key, value) in values.iteritems():
+ security_group_rule_ref[key] = value
+ security_group_rule_ref.save()
+ return security_group_rule_ref
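Review bot: `security_group_rule_create` has no docstring and copies every key of `values` onto the model unconditionally; the only caller visible in this commit (`cloud.py`) builds that dict itself, so this is acceptable as long as the endpoint layer stays the sole source of `values`. Suggest `"""Create a SecurityGroupIngressRule from values; keys must be rule columns, validated by the caller"""` so the trust boundary is explicit.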
diff --git a/nova/db/sqlalchemy/models.py b/nova/db/sqlalchemy/models.py
index 28c25bfbc..330262a88 100644
--- a/nova/db/sqlalchemy/models.py
+++ b/nova/db/sqlalchemy/models.py
@@ -330,12 +330,11 @@ class SecurityGroupIngressRule(BASE, NovaBase):
parent_security_group = Column(Integer, ForeignKey('security_group.id'))
protocol = Column(String(5)) # "tcp", "udp", or "icmp"
- fromport = Column(Integer)
- toport = Column(Integer)
+ from_port = Column(Integer)
+ to_port = Column(Integer)
- # Note: This is not the parent SecurityGroup's owner. It's the owner of
- # the SecurityGroup we're granting access.
- user_id = Column(String(255))
+ # Note: This is not the parent SecurityGroup. It's SecurityGroup we're
+ # granting access for.
group_id = Column(Integer, ForeignKey('security_group.id'))
@property
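Review bot: The rewritten comment above `group_id` reads "It's SecurityGroup we're granting access for", which is hard to parse; suggest `# Note: This is not the parent SecurityGroup. It is the SecurityGroup whose members are being granted access.` Dropping `user_id` and renaming `fromport`/`toport` to `from_port`/`to_port` also changes the table layout, so any database created from the old model would need its rule table recreated — how the schema is managed is not visible in this diff, so confirm. The class continues outside the hunk.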
diff --git a/nova/endpoint/cloud.py b/nova/endpoint/cloud.py
index 7df8bd081..0a929b865 100644
--- a/nova/endpoint/cloud.py
+++ b/nova/endpoint/cloud.py
@@ -214,14 +214,54 @@ class CloudController(object):
@rbac.allow('all')
def describe_security_groups(self, context, **kwargs):
groups = {'securityGroupSet':
- [{ 'groupDescription': group.description,
- 'groupName' : group.name,
- 'ownerId': context.user.id } for group in db.security_group_get_by_user(context, context.user.id) ] }
+ [{ 'groupDescription': group.description,
+ 'groupName' : group.name,
+ 'ownerId': context.user.id } for group in \
+ db.security_group_get_by_user(context,
+ context.user.id) ] }
return groups
@rbac.allow('netadmin')
- def authorize_security_group_ingress(self, context, group_name, **kwargs):
+ def authorize_security_group_ingress(self, context, group_name,
+ to_port=None, from_port=None,
+ ip_protocol=None, cidr_ip=None,
+ user_id=None,
+ source_security_group_name=None,
+ source_security_group_owner_id=None):
+ security_group = db.security_group_get_by_user_and_name(context,
+ context.user.id,
+ group_name)
+ values = { 'parent_security_group' : security_group.id }
+
+ # Aw, crap.
+ if source_security_group_name:
+ if source_security_group_owner_id:
+ other_user_id = source_security_group_owner_id
+ else:
+ other_user_id = context.user.id
+
+ foreign_security_group = \
+ db.security_group_get_by_user_and_name(context,
+ other_user_id,
+ source_security_group_name)
+ values['group_id'] = foreign_security_group.id
+ elif cidr_ip:
+ values['cidr'] = cidr_ip
+ else:
+ return { 'return': False }
+
+ if ip_protocol and from_port and to_port:
+ values['protocol'] = ip_protocol
+ values['from_port'] = from_port
+ values['to_port'] = to_port
+ else:
+ # If cidr based filtering, protocol and ports are mandatory
+ if 'cidr' in values:
+ print values
+ return None
+
+ security_group_rule = db.security_group_rule_create(context, values)
return True
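Review bot: `authorize_security_group_ingress` stores the request's `ip_protocol`, `from_port` and `to_port` without validating them — the model comment restricts `protocol` to "tcp"/"udp"/"icmp" but nothing enforces it, the ports are never converted to int or range-checked, and the truthiness test `if ip_protocol and from_port and to_port` rejects a legitimate port 0; the branch also leaves a stray `print values` debug line and an unused `security_group_rule` local. The failure paths return `{'return': False}` and `None` while success returns `True`, so the caller gets three different shapes; pick one, ideally whatever exception the endpoint layer already maps to an EC2 error, which I cannot see from here. A lookup of a non-existent group (own or `source_security_group_name`) propagates `NoResultFound` from `.one()` unhandled. Below is a rewrite of the protocol/port section; the ICMP type/code convention is not visible in this diff, so the range check is applied to tcp/udp only.
```python
        # … unchanged: group lookup, source-group / cidr handling …
        if ip_protocol is None or from_port is None or to_port is None:
            # cidr-based rules must carry protocol and ports
            if 'cidr' in values:
                return {'return': False}
        else:
            if ip_protocol not in ('tcp', 'udp', 'icmp'):
                return {'return': False}
            try:
                from_port, to_port = int(from_port), int(to_port)
            except (TypeError, ValueError):
                return {'return': False}
            if ip_protocol != 'icmp' and not (0 <= from_port <= to_port <= 65535):
                return {'return': False}
            values['protocol'] = ip_protocol
            values['from_port'] = from_port
            values['to_port'] = to_port

        db.security_group_rule_create(context, values)
        return True
```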
@rbac.allow('netadmin')
@@ -234,6 +274,8 @@ class CloudController(object):
@rbac.allow('netadmin')
def delete_security_group(self, context, group_name, **kwargs):
+ security_group = db.security_group_get_by_user_and_name(context, context.user.id, group_name)
+ security_group.delete()
return True
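Review bot: `delete_security_group` now deletes whatever group matches `group_name`, including the `default` group that `describe_security_groups` and the tests in this commit expect to exist, and a missing name surfaces as an unhandled `NoResultFound` from `.one()` rather than an EC2 error. Suggest guarding with `if group_name == 'default': return {'return': False}` before the delete, and handling the not-found case the same way the authorize path does. Whether ingress rules referencing the group via `group_id` or `parent_security_group` are removed by `security_group.delete()` is not visible here — confirm, since dangling rules would keep granting access to a recreated group with the same id.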
@rbac.allow('projectmanager', 'sysadmin')
diff --git a/nova/tests/api_unittest.py b/nova/tests/api_unittest.py
index 87d99607d..6cd59541f 100644
--- a/nova/tests/api_unittest.py
+++ b/nova/tests/api_unittest.py
@@ -233,20 +233,29 @@ class ApiEc2TestCase(test.BaseTestCase):
self.manager.delete_user(user)
def test_get_all_security_groups(self):
- """Test that operations on security groups stick"""
+ """Test that we can retrieve security groups"""
self.expect_http()
self.mox.ReplayAll()
- security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
- for x in range(random.randint(4, 8)))
user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
project = self.manager.create_project('fake', 'fake', 'fake')
rv = self.ec2.get_all_security_groups()
+
self.assertEquals(len(rv), 1)
- self.assertEquals(rv[0].name, 'default')
+ self.assertEquals(rv[0].name, 'default')
+
+ self.manager.delete_project(project)
+ self.manager.delete_user(user)
+ def test_create_delete_security_group(self):
+ """Test that we can create a security group"""
self.expect_http()
self.mox.ReplayAll()
+ user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
+ project = self.manager.create_project('fake', 'fake', 'fake')
+
+ security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
+ for x in range(random.randint(4, 8)))
self.ec2.create_security_group(security_group_name, 'test group')
@@ -257,5 +266,71 @@ class ApiEc2TestCase(test.BaseTestCase):
self.assertEquals(len(rv), 2)
self.assertTrue(security_group_name in [group.name for group in rv])
+ self.expect_http()
+ self.mox.ReplayAll()
+
+ self.ec2.delete_security_group(security_group_name)
+
self.manager.delete_project(project)
self.manager.delete_user(user)
+
+ def test_authorize_security_group_cidr(self):
+ """Test that we can add rules to a security group"""
+ self.expect_http()
+ self.mox.ReplayAll()
+ user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
+ project = self.manager.create_project('fake', 'fake', 'fake')
+
+ security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
+ for x in range(random.randint(4, 8)))
+
+ group = self.ec2.create_security_group(security_group_name, 'test group')
+
+ self.expect_http()
+ self.mox.ReplayAll()
+ group.connection = self.ec2
+
+ group.authorize('tcp', 80, 80, '0.0.0.0/0')
+
+ self.expect_http()
+ self.mox.ReplayAll()
+
+ self.ec2.delete_security_group(security_group_name)
+
+ self.manager.delete_project(project)
+ self.manager.delete_user(user)
+
+ return
+
+ def test_authorize_security_group_foreign_group(self):
+ """Test that we can grant another security group access to a security group"""
+ self.expect_http()
+ self.mox.ReplayAll()
+ user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
+ project = self.manager.create_project('fake', 'fake', 'fake')
+
+ security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
+ for x in range(random.randint(4, 8)))
+
+ group = self.ec2.create_security_group(security_group_name, 'test group')
+
+ self.expect_http()
+ self.mox.ReplayAll()
+
+ other_group = self.ec2.create_security_group('appserver', 'The application tier')
+
+ self.expect_http()
+ self.mox.ReplayAll()
+ group.connection = self.ec2
+
+ group.authorize(src_group=other_group)
+
+ self.expect_http()
+ self.mox.ReplayAll()
+
+ self.ec2.delete_security_group(security_group_name)
+
+ self.manager.delete_project(project)
+ self.manager.delete_user(user)
+
+ return
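Review bot: Neither `test_authorize_security_group_cidr` nor `test_authorize_security_group_foreign_group` asserts anything after `group.authorize(...)` — they only check that the call does not raise, so an endpoint that silently returns `None` or `{'return': False}` would still pass. Suggest asserting the result, e.g. `self.assertTrue(group.authorize('tcp', 80, 80, '0.0.0.0/0'))`, and adding a negative case (a cidr rule without protocol/ports) that expects failure. The `appserver` group created in the second test is never deleted and the trailing `return` statements are dead code; the user/project cleanup is also not in a `finally`, so one failing assertion leaves fixtures behind for the next test.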