From 7498fa608def9613552cf0e26dcb03fddf7b298d Mon Sep 17 00:00:00 2001 From: John Tran Date: Fri, 15 Jul 2011 22:56:16 +0000 Subject: renamed priv method arg_to_dict since it's not just used for revoke. modified to conform to latest AWS EC2 API spec for authorize & revoke ingress params using the IpPermissions data structure, which nests lists of CIDR blocks (IpRanges) as well as lists of Group data --- nova/api/ec2/cloud.py | 83 ++++++++++++++++++++++++++++++++++++++++-------- nova/tests/test_cloud.py | 47 +++++++++++++++++++++++---- 2 files changed, 110 insertions(+), 20 deletions(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index acfd1361c..5c0c79429 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -441,7 +441,52 @@ class CloudController(object): g['ipPermissions'] += [r] return g - def _revoke_rule_args_to_dict(self, context, to_port=None, from_port=None, + def _rule_args_to_dict(self, context, kwargs): + rules = [] + if not kwargs.has_key('groups') and not kwargs.has_key('ip_ranges'): + rule = self._rule_dict_last_step(context, **kwargs) + if rule: + rules.append(rule) + return rules + if kwargs.has_key('ip_ranges'): + rules = self._cidr_args_split(kwargs) + finalset = [] + for rule in rules: + if rule.has_key('groups'): + groups_values = self._groups_args_split(rule) + for groups_value in groups_values: + finalset.append(groups_value) + else: + if rule: + finalset.append(rule) + return finalset + + def _cidr_args_split(self, kwargs): + cidr_args_split= [] + cidrs = kwargs['ip_ranges'] + for key, cidr in cidrs.iteritems(): + mykwargs = kwargs.copy() + del mykwargs['ip_ranges'] + mykwargs['cidr_ip'] = cidr['cidr_ip'] + cidr_args_split.append(mykwargs) + return cidr_args_split + + def _groups_args_split(self, kwargs): + groups_args_split= [] + groups = kwargs['groups'] + for key, group in groups.iteritems(): + mykwargs = kwargs.copy() + del mykwargs['groups'] + if group.has_key('group_name'): + mykwargs['source_security_group_name'] = group['group_name'] + if group.has_key('user_id'): + mykwargs['source_security_group_owner_id'] = group['user_id'] + if group.has_key('group_id'): + mykwargs['source_security_group_id'] = group['group_id'] + groups_args_split.append(mykwargs) + return groups_args_split + + def _rule_dict_last_step(self, context, to_port=None, from_port=None, ip_protocol=None, cidr_ip=None, user_id=None, source_security_group_name=None, source_security_group_owner_id=None): @@ -526,7 +571,7 @@ class CloudController(object): msg = "Revoke security group ingress %s" LOG.audit(_(msg), security_group['name'], context=context) - criteria = self._revoke_rule_args_to_dict(context, **kwargs) + criteria = self._rule_args_to_dict(context, kwargs)[0] if criteria is None: raise exception.ApiError(_("Not enough parameters to build a " "valid rule.")) @@ -567,21 +612,31 @@ class CloudController(object): msg = "Authorize security group ingress %s" LOG.audit(_(msg), security_group['name'], context=context) - values = self._revoke_rule_args_to_dict(context, **kwargs) - if values is None: - raise exception.ApiError(_("Not enough parameters to build a " - "valid rule.")) - values['parent_group_id'] = security_group.id - - if self._security_group_rule_exists(security_group, values): - raise exception.ApiError(_('This rule already exists in group %s') - % group_name) - - security_group_rule = db.security_group_rule_create(context, values) + prevalues = [] + try: + prevalues = kwargs['ip_permissions'] + except KeyError: + prevalues.append(kwargs) + postvalues = [] + for values in prevalues: + rulesvalues = self._rule_args_to_dict(context, values) + if not rulesvalues: + raise exception.ApiError(_("%s Not enough parameters to build a " + "valid rule." % rulesvalues)) + for values_for_rule in rulesvalues: + values_for_rule['parent_group_id'] = security_group.id + if self._security_group_rule_exists(security_group, values_for_rule): + raise exception.ApiError(_('%s - This rule already exists in group %s') + % (values_for_rule, group_name)) + postvalues.append(values_for_rule) + + for values_for_rule in postvalues: + security_group_rule = db.security_group_rule_create(context, values_for_rule) self.compute_api.trigger_security_group_rules_refresh(context, - security_group_id=security_group['id']) + security_group_id=security_group['id']) + group = db.security_group_get_by_name(context, context.project_id, security_group['name']) return True def _get_source_project_id(self, context, source_security_group_owner_id): diff --git a/nova/tests/test_cloud.py b/nova/tests/test_cloud.py index d71a03aff..7becf1963 100644 --- a/nova/tests/test_cloud.py +++ b/nova/tests/test_cloud.py @@ -239,25 +239,60 @@ class CloudTestCase(test.TestCase): delete = self.cloud.delete_security_group self.assertRaises(exception.ApiError, delete, self.context) - def test_authorize_revoke_security_group_ingress(self): + def test_authorize_security_group_ingress(self): kwargs = {'project_id': self.context.project_id, 'name': 'test'} sec = db.security_group_create(self.context, kwargs) authz = self.cloud.authorize_security_group_ingress kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'} - authz(self.context, group_name=sec['name'], **kwargs) + self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs)) + + def test_authorize_security_group_ingress_ip_permissions_ip_ranges(self): + kwargs = {'project_id': self.context.project_id, 'name': 'test'} + sec = db.security_group_create(self.context, kwargs) + authz = self.cloud.authorize_security_group_ingress + kwargs = {'ip_permissions': [{'to_port': 81, 'from_port': 81, + 'ip_ranges': {'1': {'cidr_ip': u'0.0.0.0/0'}, + '2': {'cidr_ip': u'10.10.10.10/32'}}, + 'ip_protocol': u'tcp'}]} + self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs)) + + def test_authorize_security_group_ingress_ip_permissions_groups(self): + kwargs = {'project_id': self.context.project_id, 'name': 'test'} + sec = db.security_group_create(self.context, kwargs) + authz = self.cloud.authorize_security_group_ingress + kwargs = {'ip_permissions': [{'to_port': 81, 'from_port': 81, + 'ip_ranges': {'1': {'cidr_ip': u'0.0.0.0/0'}, '2': {'cidr_ip': u'10.10.10.10/32'}}, + 'groups': {'1': {'user_id': u'someuser', 'group_name': u'somegroup1'}, + '2': {'user_id': u'someuser', 'group_name': u'othergroup2'}}, + 'ip_protocol': u'tcp'}]} + self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs)) + + def test_revoke_security_group_ingress(self): + kwargs = {'project_id': self.context.project_id, 'name': 'test'} + sec = db.security_group_create(self.context, kwargs) + authz = self.cloud.authorize_security_group_ingress + kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'} + authz(self.context, group_id=sec['id'], **kwargs) revoke = self.cloud.revoke_security_group_ingress self.assertTrue(revoke(self.context, group_name=sec['name'], **kwargs)) - def test_authorize_revoke_security_group_ingress_by_id(self): - sec = db.security_group_create(self.context, - {'project_id': self.context.project_id, - 'name': 'test'}) + def test_revoke_security_group_ingress_by_id(self): + kwargs = {'project_id': self.context.project_id, 'name': 'test'} + sec = db.security_group_create(self.context, kwargs) authz = self.cloud.authorize_security_group_ingress kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'} authz(self.context, group_id=sec['id'], **kwargs) revoke = self.cloud.revoke_security_group_ingress self.assertTrue(revoke(self.context, group_id=sec['id'], **kwargs)) + def test_authorize_security_group_ingress_by_id(self): + sec = db.security_group_create(self.context, + {'project_id': self.context.project_id, + 'name': 'test'}) + authz = self.cloud.authorize_security_group_ingress + kwargs = {'to_port': '999', 'from_port': '999', 'ip_protocol': 'tcp'} + self.assertTrue(authz(self.context, group_id=sec['id'], **kwargs)) + def test_authorize_security_group_ingress_missing_protocol_params(self): sec = db.security_group_create(self.context, {'project_id': self.context.project_id, -- cgit From b0a02feb7bd25380a75b83344e0ac3210a168387 Mon Sep 17 00:00:00 2001 From: John Tran Date: Sun, 17 Jul 2011 22:07:07 +0000 Subject: changed to avoid localization test failure --- nova/api/ec2/cloud.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index 5c0c79429..4923a7666 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -626,8 +626,8 @@ class CloudController(object): for values_for_rule in rulesvalues: values_for_rule['parent_group_id'] = security_group.id if self._security_group_rule_exists(security_group, values_for_rule): - raise exception.ApiError(_('%s - This rule already exists in group %s') - % (values_for_rule, group_name)) + raise exception.ApiError(_('%s - This rule already exists in group') + % values_for_rule) postvalues.append(values_for_rule) for values_for_rule in postvalues: -- cgit From ab42384131077bae3986141279b605d8f994143c Mon Sep 17 00:00:00 2001 From: John Tran Date: Mon, 18 Jul 2011 03:45:16 +0000 Subject: resolved pep8 issues --- nova/api/ec2/cloud.py | 33 ++++++++++++++++++--------------- nova/tests/test_cloud.py | 14 +++++++++----- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index 4923a7666..113faf13b 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -443,16 +443,16 @@ class CloudController(object): def _rule_args_to_dict(self, context, kwargs): rules = [] - if not kwargs.has_key('groups') and not kwargs.has_key('ip_ranges'): + if not 'groups' in kwargs and not 'ip_ranges' in kwargs: rule = self._rule_dict_last_step(context, **kwargs) if rule: rules.append(rule) return rules - if kwargs.has_key('ip_ranges'): + if 'ip_ranges' in kwargs: rules = self._cidr_args_split(kwargs) finalset = [] for rule in rules: - if rule.has_key('groups'): + if 'groups' in rule: groups_values = self._groups_args_split(rule) for groups_value in groups_values: finalset.append(groups_value) @@ -462,7 +462,7 @@ class CloudController(object): return finalset def _cidr_args_split(self, kwargs): - cidr_args_split= [] + cidr_args_split = [] cidrs = kwargs['ip_ranges'] for key, cidr in cidrs.iteritems(): mykwargs = kwargs.copy() @@ -472,16 +472,16 @@ class CloudController(object): return cidr_args_split def _groups_args_split(self, kwargs): - groups_args_split= [] + groups_args_split = [] groups = kwargs['groups'] for key, group in groups.iteritems(): mykwargs = kwargs.copy() del mykwargs['groups'] - if group.has_key('group_name'): + if 'group_name' in group: mykwargs['source_security_group_name'] = group['group_name'] - if group.has_key('user_id'): + if 'user_id' in group: mykwargs['source_security_group_owner_id'] = group['user_id'] - if group.has_key('group_id'): + if 'group_id' in group: mykwargs['source_security_group_id'] = group['group_id'] groups_args_split.append(mykwargs) return groups_args_split @@ -621,22 +621,25 @@ class CloudController(object): for values in prevalues: rulesvalues = self._rule_args_to_dict(context, values) if not rulesvalues: - raise exception.ApiError(_("%s Not enough parameters to build a " - "valid rule." % rulesvalues)) + err = "%s Not enough parameters to build a valid rule" + raise exception.ApiError(_(err % rulesvalues)) for values_for_rule in rulesvalues: values_for_rule['parent_group_id'] = security_group.id - if self._security_group_rule_exists(security_group, values_for_rule): - raise exception.ApiError(_('%s - This rule already exists in group') - % values_for_rule) + if self._security_group_rule_exists(security_group, + values_for_rule): + err = '%s - This rule already exists in group' + raise exception.ApiError(_(err) % values_for_rule) postvalues.append(values_for_rule) for values_for_rule in postvalues: - security_group_rule = db.security_group_rule_create(context, values_for_rule) + security_group_rule = db.security_group_rule_create(context, + values_for_rule) self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=security_group['id']) - group = db.security_group_get_by_name(context, context.project_id, security_group['name']) + group = db.security_group_get_by_name(context, context.project_id, + security_group['name']) return True def _get_source_project_id(self, context, source_security_group_owner_id): diff --git a/nova/tests/test_cloud.py b/nova/tests/test_cloud.py index 7becf1963..0dc0b2d53 100644 --- a/nova/tests/test_cloud.py +++ b/nova/tests/test_cloud.py @@ -251,8 +251,9 @@ class CloudTestCase(test.TestCase): sec = db.security_group_create(self.context, kwargs) authz = self.cloud.authorize_security_group_ingress kwargs = {'ip_permissions': [{'to_port': 81, 'from_port': 81, - 'ip_ranges': {'1': {'cidr_ip': u'0.0.0.0/0'}, - '2': {'cidr_ip': u'10.10.10.10/32'}}, + 'ip_ranges': + {'1': {'cidr_ip': u'0.0.0.0/0'}, + '2': {'cidr_ip': u'10.10.10.10/32'}}, 'ip_protocol': u'tcp'}]} self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs)) @@ -261,9 +262,12 @@ class CloudTestCase(test.TestCase): sec = db.security_group_create(self.context, kwargs) authz = self.cloud.authorize_security_group_ingress kwargs = {'ip_permissions': [{'to_port': 81, 'from_port': 81, - 'ip_ranges': {'1': {'cidr_ip': u'0.0.0.0/0'}, '2': {'cidr_ip': u'10.10.10.10/32'}}, - 'groups': {'1': {'user_id': u'someuser', 'group_name': u'somegroup1'}, - '2': {'user_id': u'someuser', 'group_name': u'othergroup2'}}, + 'ip_ranges':{'1': {'cidr_ip': u'0.0.0.0/0'}, + '2': {'cidr_ip': u'10.10.10.10/32'}}, + 'groups': {'1': {'user_id': u'someuser', + 'group_name': u'somegroup1'}, + '2': {'user_id': u'someuser', + 'group_name': u'othergroup2'}}, 'ip_protocol': u'tcp'}]} self.assertTrue(authz(self.context, group_name=sec['name'], **kwargs)) -- cgit