From 186612daf708b0ad3199bbf77ea8d3ed0f5eb48e Mon Sep 17 00:00:00 2001 From: Dmytro Dovbii Date: Tue, 19 Jan 2016 11:36:37 +0200 Subject: [PATCH] [Core-Library] Add ability to specify direction and ethetype for groups Previously there was no way to specify in which direction security rule should be applied, only ingress was supported. Also it was impossible to create IPv6 rules. This patch added ability to specify direction and ethertype for Neutron security groups and direction - for AWS security groups Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b Closes-Bug: #1532317 --- .../system/AwsSecurityGroupManager.yaml | 46 +++++++++++++++++-- .../system/NeutronSecurityGroupManager.yaml | 42 +++++++++++++++-- .../Classes/system/SecurityGroupManager.yaml | 14 ++++++ 3 files changed, 95 insertions(+), 7 deletions(-) diff --git a/meta/io.murano/Classes/system/AwsSecurityGroupManager.yaml b/meta/io.murano/Classes/system/AwsSecurityGroupManager.yaml index 2214d7a9..1966e99a 100644 --- a/meta/io.murano/Classes/system/AwsSecurityGroupManager.yaml +++ b/meta/io.murano/Classes/system/AwsSecurityGroupManager.yaml 
@@ -27,6 +27,37 @@ Methods: ToPort: $.int().notNull() IpProtocol: $.string().notNull() External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) + - groupName: + Contract: $.string().notNull() + Default: $this.defaultGroupName + Body: + - $._addGroup(ingress, $rules, $groupName) + + addGroupEgress: + Arguments: + - rules: + Contract: + - FromPort: $.int().notNull() + ToPort: $.int().notNull() + IpProtocol: $.string().notNull() + External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) + - groupName: + Contract: $.string().notNull() + Default: $this.defaultGroupName + Body: + - $._addGroup(egress, $rules, $groupName) + + _addGroup: + Arguments: + - rules: + Contract: + - FromPort: $.int().notNull() + ToPort: $.int().notNull() + IpProtocol: $.string().notNull() + External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) - groupName: Contract: $.string().notNull() Default: $this.defaultGroupName @@ -39,6 +70,15 @@ Methods: ext_key: remote_mode ext_val: remote_group_id + - $ethertype: $rules.where($.get(Ethertype) = IPv6) + - If: len($ethertype) > 0 + Then: + - $msg: 'Unable to add security group. IPv6 is not supported.' + - $._environment.reporter.report_error($this, $msg) + - Throw: UnsupportedPropertyValue + Message: $msg + - $groupDirection: dict(egress => SecurityGroupEgress).get($direction, SecurityGroupIngress) + - $stack: $.environment.stack - $template: resources: @@ -46,14 +86,14 @@ Methods: type: 'AWS::EC2::SecurityGroup' properties: GroupDescription: format('Composite security group of Murano environment {0}', $.environment.name) - SecurityGroupIngress: + $groupDirection: - FromPort: '-1' ToPort: '-1' IpProtocol: icmp CidrIp: '0.0.0.0/0' - $.environment.stack.updateTemplate($template) - - $ingress: $rules.select(dict( + - $rulesList: $rules.select(dict( FromPort => str($.FromPort), ToPort => str($.ToPort), IpProtocol => $.IpProtocol, 
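Review bot: `_addGroup` in this file is declared with only `rules` and `groupName`, yet both callers added in this hunk invoke it with three arguments (`$._addGroup(ingress, $rules, $groupName)` and `$._addGroup(egress, $rules, $groupName)`), and the hunk at -39 reads `$direction`, which nothing in this file binds. The Neutron counterpart in the same patch declares the argument with a contract, and the same two lines belong before `- rules:` in `_addGroup` here: `- direction:` / `Contract: $.string().notNull().check($ in list(ingress, egress))`. The contract matters beyond making the call resolve: in the -39 hunk, `dict(egress => SecurityGroupEgress).get($direction, SecurityGroupIngress)` maps any value other than `egress` to an ingress rule, so a mistyped direction would silently open an inbound rule instead of failing. `_addGroup`'s body continues past the end of this hunk.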
@@ -65,5 +105,5 @@ Methods: $groupName: type: 'AWS::EC2::SecurityGroup' properties: - SecurityGroupIngress: $ingress + $groupDirection: $rulesList - $.environment.stack.updateTemplate($template) diff --git a/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml b/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml index 1c22206d..ab085ee8 100644 --- a/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml +++ b/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml @@ -27,9 +27,41 @@ Methods: ToPort: $.int().notNull() IpProtocol: $.string().notNull() External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) - groupName: Contract: $.string().notNull() Default: $this.defaultGroupName + Body: + - $._addGroup(ingress, $rules, $groupName) + + addGroupEgress: + Arguments: + - rules: + Contract: + - FromPort: $.int().notNull() + ToPort: $.int().notNull() + IpProtocol: $.string().notNull() + External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) + - groupName: + Contract: $.string().notNull() + Default: $this.defaultGroupName + Body: + - $._addGroup(egress, $rules, $groupName) + + _addGroup: + Arguments: + - direction: + Contract: $.string().notNull().check($ in list(ingress, egress)) + - rules: + Contract: + - FromPort: $.int().notNull() + ToPort: $.int().notNull() + IpProtocol: $.string().notNull() + External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) + - groupName: + Contract: $.string().notNull() Body: - $ext_keys: true: 
@@ -53,11 +85,13 @@ Methods: remote_ip_prefix: '0.0.0.0/0' - $.environment.stack.updateTemplate($template) - - $ingress: $rules.select(dict( + - $rulesList: $rules.select(dict( port_range_min => $.FromPort, port_range_max => $.ToPort, protocol => $.IpProtocol, - $ext_keys.get($.External).ext_key => $ext_keys.get($.External).ext_val + ethertype => $.get(Ethertype, IPv4), + $ext_keys.get($.External).ext_key => $ext_keys.get($.External).ext_val, + direction => $direction )) - $template: @@ -65,5 +99,5 @@ Methods: $groupName: type: 'OS::Neutron::SecurityGroup' properties: - rules: $ingress - - $.environment.stack.updateTemplate($template) + rules: $rulesList + - $.environment.stack.updateTemplate($template) \ No newline at end of file diff --git a/meta/io.murano/Classes/system/SecurityGroupManager.yaml b/meta/io.murano/Classes/system/SecurityGroupManager.yaml index aca2632b..e6e48fe1 100644 --- a/meta/io.murano/Classes/system/SecurityGroupManager.yaml +++ b/meta/io.murano/Classes/system/SecurityGroupManager.yaml @@ -33,6 +33,20 @@ Methods: ToPort: $.int().notNull() IpProtocol: $.string().notNull() External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) - groupName: Contract: $.string().notNull() Default: $this.defaultGroupName + + addGroupEgress: + Arguments: + - rules: + Contract: + - FromPort: $.int().notNull() + ToPort: $.int().notNull() + IpProtocol: $.string().notNull() + External: $.bool().notNull() + Ethertype: $.string().check($ in list(null, 'IPv4', 'IPv6')) + - groupName: + Contract: $.string().notNull() + Default: $this.defaultGroupName \ No newline at end of file
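Review bot: The `$rulesList` dict now emits `ethertype => $.get(Ethertype, IPv4)` alongside the `External`-derived key, but the value taken from `$ext_keys` is not chosen by ethertype; `$ext_keys` is defined above this hunk, and if its `true` entry is the `remote_ip_prefix: '0.0.0.0/0'` pair that appears in the context lines, a rule with `Ethertype: IPv6` and `External: true` is emitted with an IPv4 prefix. Neutron validates that `remote_ip_prefix` matches the rule's ethertype, so such a rule would presumably fail when Heat applies the template rather than at contract time, where the caller can act on it. A small fix is to pick the prefix per rule, e.g. `remote_ip_prefix => '::/0'` when `$.get(Ethertype) = IPv6` and `'0.0.0.0/0'` otherwise, or to give `$ext_keys` an ethertype dimension. The enclosing `_addGroup` body begins before this hunk.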