From cb7cef977b6dd4dc28033249d8fe6288bcce3540 Mon Sep 17 00:00:00 2001
From: Dmitry_Eremeev
Date: Thu, 6 Feb 2020 15:01:23 +0300
Subject: [PATCH] Openstack API interface changed. If rules are created or searched with full permissions (ports 1 - 65535), they are created or found with "null" ports instead of (ports 1 - 65535).
Depends-On: I24d1a0016f76f6813a9f62294e7eeb9785fa711b
Change-Id: Ic3fbe89720135039ba2c2afaebf3fafebac4d7e3
---
 README.rst | 65 ++++++++++++++++++++++++++++++++++++
 ec2api/api/security_group.py | 25 ++++++++++++--
 ec2api/tests/unit/fakes.py | 16 ++++-----
 3 files changed, 95 insertions(+), 11 deletions(-)
diff --git a/README.rst b/README.rst
index 3b6a2d65..c85d3b2c 100644
--- a/README.rst
+++ b/README.rst
@@ -43,6 +43,71 @@ the local.conf or localrc the following line: enable_plugin ec2-api https://opendev.org/openstack/ec2-api +Devstack installation with ec2-api and ec2api-tempest-plugin for tests running: +1. install packages: awscli, git, python3, python3-devel +2. clone devstack repository + +:: + + git clone https://opendev.org/openstack/devstack + +3. grant all permissions for your user for directory: "/opt" +4. create folder "/opt/stack/logs/" +5. clone repository "ec2api-tempest-plugin" to stack folder: + +:: + + git clone https://github.com/openstack/ec2api-tempest-plugin /opt/stack/ec2api-tempest-plugin + +6. create local.conf: + +:: + + [[local|localrc]] + ADMIN_PASSWORD=secret + DATABASE_PASSWORD=$ADMIN_PASSWORD + RABBIT_PASSWORD=$ADMIN_PASSWORD + SERVICE_PASSWORD=$ADMIN_PASSWORD + enable_plugin ec2-api https://opendev.org/openstack/ec2-api + enable_plugin neutron-tempest-plugin https://github.com/openstack/neutron-tempest-plugin + TEMPEST_PLUGINS='/opt/stack/ec2api-tempest-plugin' + +7. go to devstack folder and start installation + +:: + + cd ~/devstack/ + ./stack.sh + sudo systemctl enable httpd + +8. check installed devstack + +:: + + source ~/devstack/accrc/admin/admin + tempest list-plugins + ps -aux | grep "ec2" + aws --endpoint-url http:// --region --profile admin ec2 describe-images + openstack catalog list + openstack flavor list + openstack image list + sudo journalctl -u devstack@ec2-api.service + +9. run integration tests (ec2 tempest test) + +:: + + cd /opt/stack/tempest + tox -eall -- ec2api_tempest_plugin --concurrency 1 + tox -eall ec2api_tempest_plugin.api.test_network_interfaces.NetworkInterfaceTest.test_create_max_network_interface + +10. run ec2-api unit tests + +:: + + cd /opt/stack/ec2-api + tox -epy36 ec2api.tests.unit.test_security_group.SecurityGroupTestCase.test_describe_security_groups_no_default_vpc + To configure OpenStack for EC2 API metadata service: for Nova-network 
diff --git a/ec2api/api/security_group.py b/ec2api/api/security_group.py
index 97bdd01b..d439be1c 100644
--- a/ec2api/api/security_group.py
+++ b/ec2api/api/security_group.py
@@ -311,7 +311,15 @@ def _build_rules(context, group_id, group_name, ip_permissions, direction):
 os_security_group_rule_body['port_range_min'] = rule['from_port']
 if to_port != -1:
 os_security_group_rule_body['port_range_max'] = rule['to_port']
-
+ # NOTE(Dmitry_Eremeev): Neutron behaviour changed.
+ # If rule with full port range is created (1 - 65535), then Neutron
+ # creates rule without ports specified.
+ # If a rule with full port range must be deleted, then Neutron cannot
+ # find a rule with this range in order to delete it, but it can find
+ # a rule which has not ports in its properties.
+ if ((from_port == 1) and (to_port in [255, 65535])):
+ for item in ['port_range_min', 'port_range_max']:
+ del os_security_group_rule_body[item]
 # TODO(Alex) AWS protocol claims support of multiple groups and cidrs,
 # however, neutron doesn't support it at the moment.
 # It's possible in the future to convert list values incoming from
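Review bot: The new guard `if ((from_port == 1) and (to_port in [255, 65535])):` is not protocol-aware, so a TCP or UDP rule requested for ports 1-255 also loses its `port_range_min`/`port_range_max` and is sent to Neutron as an all-ports rule — broader than what the caller asked for — while the NOTE above it only describes the 1-65535 case. If 255 is meant for the ICMP type/code range, tie it to the protocol already stored in the body (set before this hunk), e.g. `is_icmp = os_security_group_rule_body.get('protocol') in ('icmp', '1', 1)` and `if from_port == 1 and (to_port == 65535 or (is_icmp and to_port == 255)):`, and say in the comment why 255 is accepted. Since the same stripped body is what Neutron matches on deletion, keeping the condition protocol-specific keeps create and delete symmetrical without widening TCP/UDP rules. `_build_rules` starts and ends outside the hunk.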
@@ -442,11 +450,22 @@ def _format_security_group(security_group, os_security_group,
 # them.
 if os_rule.get('ethertype', 'IPv4') == 'IPv6':
 continue
+ # NOTE(Dmitry_Eremeev): Neutron behaviour changed.
+ # If rule with full port range (except icmp protocol) is created
+ # (1 - 65535), then Neutron creates rule without ports specified.
+ # Ports passed for rule creation don't match ports in created rule.
+ # That's why default values were changed to match full port
+ # range (1 - 65535)
+ if os_rule.get('protocol') in ["icmp", 1]:
+ min_port = max_port = -1
+ else:
+ min_port = 1
+ max_port = 65535
 ec2_rule = {'ipProtocol': -1 if os_rule['protocol'] is None
 else os_rule['protocol'],
- 'fromPort': -1 if os_rule['port_range_min'] is None
+ 'fromPort': min_port if os_rule['port_range_min'] is None
 else os_rule['port_range_min'],
- 'toPort': -1 if os_rule['port_range_max'] is None
+ 'toPort': max_port if os_rule['port_range_max'] is None
 else os_rule['port_range_max']}
 remote_group_id = os_rule['remote_group_id']
 if remote_group_id is not None:
diff --git a/ec2api/tests/unit/fakes.py b/ec2api/tests/unit/fakes.py
index 39c9ce9a..3da0ab98 100644
--- a/ec2api/tests/unit/fakes.py
+++ b/ec2api/tests/unit/fakes.py
@@ -1277,9 +1277,9 @@ EC2_SECURITY_GROUP_DEFAULT = {
 'ipPermissions': None,
 'groupName': NAME_DEFAULT_OS_SECURITY_GROUP,
 'ipPermissionsEgress':
- [{'toPort': -1,
+ [{'toPort': 65535,
 'ipProtocol': -1,
- 'fromPort': -1}],
+ 'fromPort': 1}],
 'ownerId': ID_OS_PROJECT,
 'groupId': ID_EC2_SECURITY_GROUP_DEFAULT
 }
@@ -1289,9 +1289,9 @@ EC2_SECURITY_GROUP_1 = {
 'ipPermissions': None,
 'groupName': NAME_DEFAULT_OS_SECURITY_GROUP,
 'ipPermissionsEgress':
- [{'toPort': -1,
+ [{'toPort': 65535,
 'ipProtocol': -1,
- 'fromPort': -1}],
+ 'fromPort': 1}],
 'ownerId': ID_OS_PROJECT,
 'groupId': ID_EC2_SECURITY_GROUP_1
 }
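Review bot: The protocol test `if os_rule.get('protocol') in ["icmp", 1]:` compares against the integer 1, but Neutron's JSON carries `protocol` as a string, so an ICMP rule stored by number would arrive as `'1'`, miss this branch and be reported with ports 1-65535 instead of -1; if the numeric form can reach this code (I cannot see how protocol is normalised upstream), the check should read `if os_rule.get('protocol') in ('icmp', '1', 1):`. The expression two lines below reads `os_rule['protocol']` directly, so using `.get()` here for the same key is inconsistent — pick one form. The 1/65535 defaults repeat the constants used in `_build_rules`, and a shared module-level pair (e.g. `FULL_PORT_RANGE = (1, 65535)`) would keep the create and describe paths from drifting apart. `_format_security_group` starts and ends outside the hunk.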
@@ -1307,7 +1307,7 @@ EC2_SECURITY_GROUP_2 = {
 }],
 'groupName': 'groupname2',
 'ipPermissionsEgress':
- [{'toPort': -1,
+ [{'toPort': 65535,
 'ipProtocol': 100,
 'fromPort': 10,
 'groups':
@@ -1337,7 +1337,7 @@ EC2_SECURITY_GROUP_4 = {
 }],
 'groupName': 'groupname2',
 'ipPermissionsEgress':
- [{'toPort': -1,
+ [{'toPort': 65535,
 'ipProtocol': 100,
 'fromPort': 10,
 'groups':
@@ -1353,9 +1353,9 @@ EC2_SECURITY_GROUP_5 = {
 'groupDescription': 'Group description',
 'ipPermissions': None,
 'ipPermissionsEgress':
- [{'toPort': -1,
+ [{'toPort': 65535,
 'ipProtocol': -1,
- 'fromPort': -1}],
+ 'fromPort': 1}],
 'groupName': 'groupname2',
 'ownerId': ID_OS_PROJECT,
 'groupId': ID_EC2_SECURITY_GROUP_5