From 10d503b27b8e5abbd8802b3107acd35024761558 Mon Sep 17 00:00:00 2001
From: John Herndon
Date: Tue, 2 Oct 2012 19:39:37 +0000
Subject: ip_protocol for ec2 security groups fix for bug 1057196.
-Enforce restrictions on IP protocol in AuthorizeSecurityGroupIngress call. This value may only be: 'tcp', 'udp', 'icmp', '6', '17' or '1'
-Ensure that ip protocol returned from DescribeSecurityGroups is in lower case, in case security group was set improperly in previous versions
-Update EC2APIError in nova/exception.py to remove the HTTP error code from the message. The HTTP error code is inserted in nova.api.ec2.faults.Fault. Inserting the code in the EC2APIError causes the HTTP code to appear twice in the message
-Update unit tests to expect new error message when invalid protocol is entered.
-Fixing pep8 issues
Change-Id: Iffe0f38abde327288e6a3960a72ad6a273f78aca
---
 nova/api/ec2/cloud.py | 11 ++++++++++-
 nova/exception.py | 5 +----
 nova/tests/test_api.py | 2 +-
 nova/tests/test_exception.py | 1 -
 4 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 5cb07eeac..a27057aa7 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -460,7 +460,7 @@ class CloudController(object):
 r['groups'] += [{'groupName': source_group.name,
 'userId': source_group.project_id}]
 if rule.protocol:
- r['ipProtocol'] = rule.protocol
+ r['ipProtocol'] = rule.protocol.lower()
 r['fromPort'] = rule.from_port
 r['toPort'] = rule.to_port
 g['ipPermissions'] += [dict(r)]
@@ -562,6 +562,14 @@ class CloudController(object):
 err = _("%s Not enough parameters to build a valid rule")
 raise exception.EC2APIError(err % rulesvalues)
 
+ def _validate_security_group_protocol(self, values):
+ validprotocols = ['tcp', 'udp', 'icmp', '6', '17', '1']
+ if 'ip_protocol' in values and \
+ values['ip_protocol'] not in validprotocols:
+ protocol = values['ip_protocol']
+ err = _("Invalid IP protocol %(protocol)s.") % locals()
+ raise exception.EC2APIError(message=err, code="400")
+
 def revoke_security_group_ingress(self, context, group_name=None,
 group_id=None, **kwargs):
 self._validate_group_identifier(group_name, group_id)
@@ -605,6 +613,7 @@ class CloudController(object):
 prevalues = kwargs.get('ip_permissions', [kwargs])
 postvalues = []
 for values in prevalues:
+ self._validate_security_group_protocol(values)
 rulesvalues = self._rule_args_to_dict(context, values)
 self._validate_rulevalues(rulesvalues)
 for values_for_rule in rulesvalues:
diff --git a/nova/exception.py b/nova/exception.py
index b8df7ddcc..0b969e625 100644
--- a/nova/exception.py
+++ b/nova/exception.py
@@ -164,10 +164,7 @@ class EC2APIError(NovaException):
 def __init__(self, message=None, code=None):
 self.msg = message
 self.code = code
- if code:
- outstr = '%s: %s' % (code, message)
- else:
- outstr = '%s' % message
+ outstr = '%s' % message
 super(EC2APIError, self).__init__(outstr)
 
 
diff --git a/nova/tests/test_api.py b/nova/tests/test_api.py
index 4a4260705..d2710777b 100644
--- a/nova/tests/test_api.py
+++ b/nova/tests/test_api.py
@@ -448,7 +448,7 @@ class ApiEc2TestCase(test.TestCase):
 # Invalid Cidr for ICMP type
 _assert('Invalid CIDR', 'icmp', -1, -1, '0.0.444.0/4')
 # Invalid protocol
- _assert('An unknown error has occurred', 'xyz', 1, 14, '0.0.0.0/0')
+ _assert('Invalid IP protocol', 'xyz', 1, 14, '0.0.0.0/0')
 # Invalid port
 _assert('An unknown error has occurred', 'tcp', " ", "81", '0.0.0.0/0')
 # Invalid icmp port
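Review bot: `_validate_security_group_protocol` has no docstring, so the allowed list `['tcp', 'udp', 'icmp', '6', '17', '1']` does not say that the numbers are the IANA protocol numbers of the three names or that a rule without an `ip_protocol` key is passed through untouched; add `"""Reject a rule whose ip_protocol is not tcp, udp, icmp or one of the protocol numbers 6, 17, 1; a missing key is accepted. Raises EC2APIError with code 400."""`. The membership test is case-sensitive, while the DescribeSecurityGroups hunk earlier in this file lowercases stored protocols because earlier versions accepted other spellings, so a caller that still sends `'TCP'` now gets a 400; if rejecting it is intended, state that in the docstring, otherwise compare `values['ip_protocol'].lower() not in validprotocols`. Formatting the message with `% locals()` exposes every local to the template; `% {'protocol': protocol}` names exactly what is interpolated, and the backslash continuation in the `if` reads better as a parenthesized condition.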
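Review bot: The new `outstr = '%s' % message` line silently stops putting `code` in the exception text, and the reason recorded only in the commit message (nova.api.ec2.faults.Fault prepends the HTTP code, so keeping it here showed it twice) will be lost on the next reader of `EC2APIError.__init__`; add `# The HTTP code is prepended by nova.api.ec2.faults.Fault; leaving it out` / `# of the message keeps it from appearing twice.` above the assignment. With the default `message=None` the exception text becomes the literal string `'None'`, which this hunk does not introduce but now makes the whole message; `str(message)` says the same thing more directly than a one-element format, if that behavior is intended.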
diff --git a/nova/tests/test_exception.py b/nova/tests/test_exception.py
index 0db8067a2..f7e4bc037 100644
--- a/nova/tests/test_exception.py
+++ b/nova/tests/test_exception.py
@@ -30,7 +30,6 @@ class EC2APIErrorTestCase(test.TestCase):
 self.assertEqual(err.msg, 'fake error')
 # with 'code' arg
 err = exception.EC2APIError('fake error', 'blah code')
- self.assertEqual(err.__str__(), 'blah code: fake error')
 self.assertEqual(err.code, 'blah code')
 self.assertEqual(err.msg, 'fake error')
 
-- cgit