From 1a12349c056b52b488591abb1671ad94a6db6526 Mon Sep 17 00:00:00 2001 From: Ahmad Hassan Date: Fri, 30 Sep 2011 15:10:33 +0100 Subject: Verify security group parameters Introduced various sanity checks before adding security group rule into the database. The checks have been implemented both in EC2 and openstack extension code. Implemented the suggestions made in first patch by Brian Fixed the unit tests in security groups Fixed pep8 issues in security group unit tests Fixes bug 869979. Change-Id: I2ac28666e90e7bdeacb7b1c2676c0719cfb9e441
---
.../api/openstack/contrib/test_security_groups.py | 41 ++++++++++++++++++ nova/tests/test_api.py | 48 +++++++++++++++++++++- 2 files changed, 88 insertions(+), 1 deletion(-) (limited to 'nova/tests')
diff --git a/nova/tests/api/openstack/contrib/test_security_groups.py b/nova/tests/api/openstack/contrib/test_security_groups.py
index f55ce4a55..b3e1507e0 100644
--- a/nova/tests/api/openstack/contrib/test_security_groups.py
+++ b/nova/tests/api/openstack/contrib/test_security_groups.py
@@ -532,6 +532,47 @@ class TestSecurityGroupRules(test.TestCase):
 self.assertNotEquals(security_group_rule['id'], 0)
 self.assertEquals(security_group_rule['parent_group_id'], 2)
+ def test_create_by_invalid_cidr_json(self):
+ rules = {
+ "security_group_rule": {
+ "ip_protocol": "tcp",
+ "from_port": "22",
+ "to_port": "22",
+ "parent_group_id": 2,
+ "cidr": "10.2.3.124/2433"}}
+ rule = security_group_rule_template(
+ ip_protocol="tcp",
+ from_port=22,
+ to_port=22,
+ parent_group_id=2,
+ cidr="10.2.3.124/2433")
+ req = fakes.HTTPRequest.blank('/v1.1/123/os-security-group-rules')
+ self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+ req, {'security_group_rule': rule})
+
+ def test_create_by_invalid_tcp_port_json(self):
+ rule = security_group_rule_template(
+ ip_protocol="tcp",
+ from_port=75534,
+ to_port=22,
+ parent_group_id=2,
+ cidr="10.2.3.124/24")
+
+ req = fakes.HTTPRequest.blank('/v1.1/123/os-security-group-rules')
+ self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+ req, {'security_group_rule': rule})
+
+ def test_create_by_invalid_icmp_port_json(self):
+ rule = security_group_rule_template(
+ ip_protocol="icmp",
+ from_port=1,
+ to_port=256,
+ parent_group_id=2,
+ cidr="10.2.3.124/24")
+ req = fakes.HTTPRequest.blank('/v1.1/123/os-security-group-rules')
+ self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+ req, {'security_group_rule': rule})
+
 def test_create_add_existing_rules(self):
 rule = security_group_rule_template(cidr='10.0.0.0/24')
diff --git a/nova/tests/test_api.py b/nova/tests/test_api.py
index e9f1145dd..2d3d4b604 100644
--- a/nova/tests/test_api.py
+++ b/nova/tests/test_api.py
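Review bot: `test_create_by_invalid_cidr_json` builds a `rules` dict in its first seven added lines that nothing reads; the request body is built from `rule` (the template), so the literal is dead code and should be dropped, and its string-typed `"from_port": "22"` looks like a leftover from an earlier draft. The three new tests only assert that `HTTPBadRequest` is raised; none pins a value the validator must accept (port 65535, a /32 or /0 prefix), so a new check that is off by one and rejects legitimate rules would pass unnoticed. The EC2 hunk in nova/tests/test_api.py exercises from_port greater than to_port, a missing port, a negative port, an unknown protocol and a non-numeric port, and the commit message says the same checks were added to the extension, but this hunk covers none of them, so matching cases through `self.controller.create` would be worth adding. TestSecurityGroupRules continues outside the hunk.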
@@ -386,6 +386,50 @@ class ApiEc2TestCase(test.TestCase):
 group.connection = self.ec2
 group.authorize('tcp', 80, 81, '0.0.0.0/0')
+ group.authorize('icmp', -1, -1, '0.0.0.0/0')
+ group.authorize('udp', 80, 81, '0.0.0.0/0')
+ # Invalid CIDR address
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', 80, 81, '0.0.0.0/0444')
+ # Missing ports
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', '0.0.0.0/0')
+ # from port cannot be greater than to port
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', 100, 1, '0.0.0.0/0')
+ # For tcp, negative values are not allowed
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', -1, 1, '0.0.0.0/0')
+ # For tcp, valid port range 1-65535
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', 1, 65599, '0.0.0.0/0')
+ # For icmp, only -1:-1 is allowed for type:code
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, 0, '0.0.0.0/0')
+ # Non valid type:code
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', 0, 3, '0.0.0.0/0')
+ # Invalid Cidr for ICMP type
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, -1, '0.0.444.0/4')
+ # Invalid protocol
+ self.assertRaises(Exception,
+ group.authorize, 'xyz', 1, 14, '0.0.0.0/0')
+ # Invalid port
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', " ", "81", '0.0.0.0/0')
+ # Invalid icmp port
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', " ", "81", '0.0.0.0/0')
+ # Invalid CIDR Address
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, -1, '0.0.0.0')
+ # Invalid CIDR Address
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, -1, '0.0.0.0/')
+ # Invalid Cidr ports
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', 1, 256, '0.0.0.0/0')
 self.expect_http()
 self.mox.ReplayAll()
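Review bot: Every negative case in this hunk uses `self.assertRaises(Exception, ...)`, which cannot tell a rejected rule from any other failure — a TypeError in the call, or a mox expectation error if the extra `authorize` calls are not covered by the `expect_http()` set up before the hunk (that setup is outside my view, so I cannot confirm it). Asserting the specific error boto raises for a server-side rejection, `boto.exception.EC2ResponseError` if the module already imports boto, or checking the error code it carries, would make these assertions verify the new validation rather than any exception at all. The final comment `# Invalid Cidr ports` does not describe the call below it, which passes a valid CIDR and an ICMP type:code of 1:256; a comment naming the rejected value, e.g. `# icmp type:code 1:256 must be rejected`, would match, and the two identical `# Invalid CIDR Address` comments could say which form each covers (no prefix length, empty prefix length). The enclosing test method starts before the hunk.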
@@ -394,7 +438,7 @@ class ApiEc2TestCase(test.TestCase):
 group = [grp for grp in rv if grp.name == security_group_name][0]
- self.assertEquals(len(group.rules), 1)
+ self.assertEquals(len(group.rules), 3)
 self.assertEquals(int(group.rules[0].from_port), 80)
 self.assertEquals(int(group.rules[0].to_port), 81)
 self.assertEquals(len(group.rules[0].grants), 1)
@@ -405,6 +449,8 @@ class ApiEc2TestCase(test.TestCase):
 group.connection = self.ec2
 group.revoke('tcp', 80, 81, '0.0.0.0/0')
+ group.revoke('icmp', -1, -1, '0.0.0.0/0')
+ group.revoke('udp', 80, 81, '0.0.0.0/0')
 self.expect_http()
 self.mox.ReplayAll()
-- cgit
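Review bot: With the expected count raised to 3, the assertions that follow still read only `group.rules[0]` and assume it is the tcp 80-81 rule; nothing on the page says in which order the describe call returns rules, so the test now silently depends on that order. Selecting the rule by protocol, e.g. `tcp_rule = [r for r in group.rules if r.ip_protocol == 'tcp'][0]`, and asserting on `tcp_rule` keeps the check deterministic, and the icmp and udp rules authorized earlier could be asserted the same way instead of only being counted. The revokes in the second hunk look consistent with the three authorizes; the enclosing test method starts and ends outside both hunks.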