Merge "Revert "Use neutron-lib definition of neutron-fwaas API""
This commit is contained in:
commit
034c18cd5f
@ -1,181 +0,0 @@
|
||||
# Copyright 2017 NEC Technologies India Pvt. Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_fwaas._i18n import _
|
||||
from neutron_lib import exceptions
|
||||
|
||||
|
||||
# Firewall Exceptions
|
||||
class FirewallNotFound(exceptions.NotFound):
|
||||
message = _("Firewall %(firewall_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallInUse(exceptions.InUse):
|
||||
message = _("Firewall %(firewall_id)s is still active.")
|
||||
|
||||
|
||||
class FirewallInPendingState(exceptions.Conflict):
|
||||
message = _("Operation cannot be performed since associated Firewall "
|
||||
"%(firewall_id)s is in %(pending_state)s.")
|
||||
|
||||
|
||||
class FirewallPolicyNotFound(exceptions.NotFound):
|
||||
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallPolicyInUse(exceptions.InUse):
|
||||
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
|
||||
|
||||
|
||||
class FirewallPolicyConflict(exceptions.Conflict):
|
||||
"""FWaaS exception for firewall policy.
|
||||
|
||||
Occurs when admin policy tries to use another tenant's unshared
|
||||
policy.
|
||||
"""
|
||||
message = _("Operation cannot be performed since Firewall Policy "
|
||||
"%(firewall_policy_id)s is not shared and does not belong to "
|
||||
"your tenant.")
|
||||
|
||||
|
||||
class FirewallRuleSharingConflict(exceptions.Conflict):
|
||||
"""FWaaS exception for firewall rules.
|
||||
|
||||
When a shared policy is created or updated with unshared rules,
|
||||
this exception will be raised.
|
||||
"""
|
||||
message = _("Operation cannot be performed since Firewall Policy "
|
||||
"%(firewall_policy_id)s is shared but Firewall Rule "
|
||||
"%(firewall_rule_id)s is not shared.")
|
||||
|
||||
|
||||
class FirewallPolicySharingConflict(exceptions.Conflict):
|
||||
"""FWaaS exception for firewall policy.
|
||||
|
||||
When a policy is shared without sharing its associated rules,
|
||||
this exception will be raised.
|
||||
"""
|
||||
message = _("Operation cannot be performed. Before sharing Firewall "
|
||||
"Policy %(firewall_policy_id)s, share associated Firewall "
|
||||
"Rule %(firewall_rule_id)s.")
|
||||
|
||||
|
||||
class FirewallRuleNotFound(exceptions.NotFound):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallRuleInUse(exceptions.InUse):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
|
||||
|
||||
|
||||
class FirewallRuleNotAssociatedWithPolicy(exceptions.InvalidInput):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
|
||||
"with Firewall Policy %(firewall_policy_id)s.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidProtocol(exceptions.InvalidInput):
|
||||
message = _("Firewall Rule protocol %(protocol)s is not supported. "
|
||||
"Only protocol values %(values)s and their integer "
|
||||
"representation (0 to 255) are supported.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidAction(exceptions.InvalidInput):
|
||||
message = _("Firewall rule action %(action)s is not supported. "
|
||||
"Only action values %(values)s are supported.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidICMPParameter(exceptions.InvalidInput):
|
||||
message = _("%(param)s are not allowed when protocol "
|
||||
"is set to ICMP.")
|
||||
|
||||
|
||||
class FirewallRuleWithPortWithoutProtocolInvalid(exceptions.InvalidInput):
|
||||
message = _("Source/destination port requires a protocol.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidPortValue(exceptions.InvalidInput):
|
||||
message = _("Invalid value for port %(port)s.")
|
||||
|
||||
|
||||
class FirewallRuleInfoMissing(exceptions.InvalidInput):
|
||||
message = _("Missing rule info argument for insert/remove "
|
||||
"rule operation.")
|
||||
|
||||
|
||||
class FirewallIpAddressConflict(exceptions.InvalidInput):
|
||||
message = _("Invalid input - IP addresses do not agree with IP Version.")
|
||||
|
||||
|
||||
class FirewallInternalDriverError(exceptions.NeutronException):
|
||||
"""FWaas exception for all driver errors.
|
||||
|
||||
On any failure or exception in the driver, driver should log it and
|
||||
raise this exception to the agent
|
||||
"""
|
||||
message = _("%(driver)s: Internal driver error.")
|
||||
|
||||
|
||||
class FirewallRuleConflict(exceptions.Conflict):
|
||||
"""Firewall rule conflict exception.
|
||||
|
||||
Occurs when admin policy tries to use another tenant's unshared
|
||||
rule.
|
||||
"""
|
||||
message = _("Operation cannot be performed since Firewall Rule "
|
||||
"%(firewall_rule_id)s is not shared and belongs to "
|
||||
"another tenant %(tenant_id)s.")
|
||||
|
||||
|
||||
class FirewallRouterInUse(exceptions.InUse):
|
||||
message = _("Router(s) %(router_ids)s provided already associated with "
|
||||
"other Firewall(s).")
|
||||
|
||||
|
||||
class FirewallGroupNotFound(exceptions.NotFound):
|
||||
message = _("Firewall Group %(firewall_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallGroupInUse(exceptions.InUse):
|
||||
message = _("Firewall %(firewall_id)s is still active.")
|
||||
|
||||
|
||||
class FirewallGroupInPendingState(exceptions.Conflict):
|
||||
message = _("Operation cannot be performed since associated Firewall "
|
||||
"%(firewall_id)s is in %(pending_state)s.")
|
||||
|
||||
|
||||
class FirewallGroupPortInvalid(exceptions.Conflict):
|
||||
message = _("Firewall Group Port %(port_id)s is invalid.")
|
||||
|
||||
|
||||
class FirewallGroupPortInvalidProject(exceptions.Conflict):
|
||||
message = _("Operation cannot be performed as port %(port_id)s "
|
||||
"is in an invalid project %(tenant_id)s.")
|
||||
|
||||
|
||||
class FirewallGroupPortInUse(exceptions.InUse):
|
||||
message = _("Port(s) %(port_ids)s provided already associated with "
|
||||
"other Firewall Group(s).")
|
||||
|
||||
|
||||
class FirewallRuleAlreadyAssociated(exceptions.Conflict):
|
||||
"""Firewall rule conflict exception.
|
||||
|
||||
Occurs when there is an attempt to assign a rule to a policy that
|
||||
the rule is already associated with.
|
||||
"""
|
||||
message = _("Operation cannot be performed since Firewall Rule "
|
||||
"%(firewall_rule_id)s is already associated with Firewall"
|
||||
"Policy %(firewall_policy_id)s.")
|
@ -13,8 +13,7 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
FIREWALL = 'fwaas'
|
||||
FIREWALL_V2 = 'fwaas_v2'
|
||||
FIREWALL = 'FIREWALL'
|
||||
|
||||
# Constants for "topics"
|
||||
FIREWALL_PLUGIN = 'q-firewall-plugin'
|
||||
|
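Review bot: `FIREWALL_V2` is removed from the module while `FIREWALL` goes back to the literal `'FIREWALL'`, so any code that still reads `fwaas_constants.FIREWALL_V2` (presumably the v2 plugin or its tests, if the reverted change had introduced consumers) will now fail at import time rather than at the point of use. That failure mode is louder than a wrong value, which is good, but it also means a partially reverted tree will not import at all; it is worth confirming before merge that no reference to `FIREWALL_V2` survives elsewhere in the tree. Nothing in this hunk says what the restored string is matched against, so the usual post-revert grep is the only check available from here.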
@ -35,7 +35,6 @@ from sqlalchemy.orm import exc
|
||||
|
||||
import netaddr
|
||||
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas.common import fwaas_constants
|
||||
from neutron_fwaas.db.firewall import firewall_router_insertion_db \
|
||||
as fw_r_ins_db
|
||||
@ -111,19 +110,19 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
try:
|
||||
return self._get_by_id(context, Firewall, id)
|
||||
except exc.NoResultFound:
|
||||
raise exceptions.FirewallNotFound(firewall_id=id)
|
||||
raise fw_ext.FirewallNotFound(firewall_id=id)
|
||||
|
||||
def _get_firewall_policy(self, context, id):
|
||||
try:
|
||||
return self._get_by_id(context, FirewallPolicy, id)
|
||||
except exc.NoResultFound:
|
||||
raise exceptions.FirewallPolicyNotFound(firewall_policy_id=id)
|
||||
raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)
|
||||
|
||||
def _get_firewall_rule(self, context, id):
|
||||
try:
|
||||
return self._get_by_id(context, FirewallRule, id)
|
||||
except exc.NoResultFound:
|
||||
raise exceptions.FirewallRuleNotFound(firewall_rule_id=id)
|
||||
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=id)
|
||||
|
||||
def _make_firewall_dict(self, fw, fields=None):
|
||||
res = {'id': fw['id'],
|
||||
@ -198,7 +197,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
def _check_firewall_rule_conflict(self, fwr_db, fwp_db):
|
||||
if not fwr_db['shared']:
|
||||
if fwr_db['tenant_id'] != fwp_db['tenant_id']:
|
||||
raise exceptions.FirewallRuleConflict(
|
||||
raise fw_ext.FirewallRuleConflict(
|
||||
firewall_rule_id=fwr_db['id'],
|
||||
tenant_id=fwr_db['tenant_id'])
|
||||
|
||||
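Review bot: `_check_firewall_rule_conflict` now raises `fw_ext.FirewallRuleConflict(firewall_rule_id=fwr_db['id'], tenant_id=fwr_db['tenant_id'])`, and the message template this commit deletes from the common module rendered that as "belongs to another tenant %(tenant_id)s", so a caller who references an unshared rule they do not own is told which other tenant owns it (the extension module's copy of the template is not visible here, but presumably carries the same text). That is a small cross-tenant information disclosure in an API error; the conflict is already fully identified by `firewall_rule_id`, so the owner id is better logged server-side, e.g. `LOG.debug("rule %s belongs to tenant %s", fwr_db['id'], fwr_db['tenant_id'])` before the raise, with the `tenant_id=` argument dropped once the message template no longer interpolates it (both must change together, or message formatting breaks). The same pattern recurs in the v2 hunks at `_check_firewall_rule_conflict` and in the rule-list validation (`raise fw_ext.FirewallRuleConflict(firewall_rule_id=fwrule_id, tenant_id=rules_dict[fwrule_id]['tenant_id'])`). Whether neutron's policy layer already filters the rule lookup before this point cannot be told from this hunk.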
@ -220,20 +219,20 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
# If we find an invalid rule in the list we
|
||||
# do not perform the update since this breaks
|
||||
# the integrity of this list.
|
||||
raise exceptions.FirewallRuleNotFound(
|
||||
raise fw_ext.FirewallRuleNotFound(
|
||||
firewall_rule_id=fwrule_id)
|
||||
elif rules_dict[fwrule_id]['firewall_policy_id']:
|
||||
if (rules_dict[fwrule_id]['firewall_policy_id'] !=
|
||||
fwp_db['id']):
|
||||
raise exceptions.FirewallRuleInUse(
|
||||
raise fw_ext.FirewallRuleInUse(
|
||||
firewall_rule_id=fwrule_id)
|
||||
if 'shared' in fwp:
|
||||
if fwp['shared'] and not rules_dict[fwrule_id]['shared']:
|
||||
raise exceptions.FirewallRuleSharingConflict(
|
||||
raise fw_ext.FirewallRuleSharingConflict(
|
||||
firewall_rule_id=fwrule_id,
|
||||
firewall_policy_id=fwp_db['id'])
|
||||
elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']:
|
||||
raise exceptions.FirewallRuleSharingConflict(
|
||||
raise fw_ext.FirewallRuleSharingConflict(
|
||||
firewall_rule_id=fwrule_id,
|
||||
firewall_policy_id=fwp_db['id'])
|
||||
for fwr_db in rules_in_db:
|
||||
@ -253,7 +252,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
rules_in_db = fwp_db['firewall_rules']
|
||||
for fwr_db in rules_in_db:
|
||||
if not fwr_db['shared']:
|
||||
raise exceptions.FirewallPolicySharingConflict(
|
||||
raise fw_ext.FirewallPolicySharingConflict(
|
||||
firewall_rule_id=fwr_db['id'],
|
||||
firewall_policy_id=fwp_db['id'])
|
||||
|
||||
@ -296,7 +295,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
fwp_id = fw['firewall_policy_id']
|
||||
fwp = self._get_firewall_policy(context, fwp_id)
|
||||
if fw_tenant_id != fwp['tenant_id'] and not fwp['shared']:
|
||||
raise exceptions.FirewallPolicyConflict(firewall_policy_id=fwp_id)
|
||||
raise fw_ext.FirewallPolicyConflict(firewall_policy_id=fwp_id)
|
||||
|
||||
def _validate_fwr_src_dst_ip_version(self, fwr):
|
||||
src_version = dst_version = None
|
||||
@ -308,12 +307,12 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
rule_ip_version = fwr.get('ip_version', None)
|
||||
if ((src_version and src_version != rule_ip_version) or
|
||||
(dst_version and dst_version != rule_ip_version)):
|
||||
raise exceptions.FirewallIpAddressConflict()
|
||||
raise fw_ext.FirewallIpAddressConflict()
|
||||
|
||||
def _validate_fwr_port_range(self, min_port, max_port):
|
||||
if int(min_port) > int(max_port):
|
||||
port_range = '%s:%s' % (min_port, max_port)
|
||||
raise exceptions.FirewallRuleInvalidPortValue(port=port_range)
|
||||
raise fw_ext.FirewallRuleInvalidPortValue(port=port_range)
|
||||
|
||||
def _validate_fwr_protocol_parameters(self, fwr):
|
||||
protocol = fwr.get('protocol', None)
|
||||
@ -321,7 +320,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
nl_constants.PROTO_NAME_UDP):
|
||||
if (fwr.get('source_port', None) or
|
||||
fwr.get('destination_port', None)):
|
||||
raise exceptions.FirewallRuleInvalidICMPParameter(
|
||||
raise fw_ext.FirewallRuleInvalidICMPParameter(
|
||||
param="Source, destination port")
|
||||
|
||||
def create_firewall(self, context, firewall, status=None):
|
||||
@ -355,7 +354,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
self._validate_fw_parameters(context, fw, fw_db['tenant_id'])
|
||||
count = context.session.query(Firewall).filter_by(id=id).update(fw)
|
||||
if not count:
|
||||
raise exceptions.FirewallNotFound(firewall_id=id)
|
||||
raise fw_ext.FirewallNotFound(firewall_id=id)
|
||||
return self.get_firewall(context, id)
|
||||
|
||||
def update_firewall_status(self, context, id, status, not_in=None):
|
||||
@ -379,7 +378,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
# firewall is active
|
||||
count = context.session.query(Firewall).filter_by(id=id).delete()
|
||||
if not count:
|
||||
raise exceptions.FirewallNotFound(firewall_id=id)
|
||||
raise fw_ext.FirewallNotFound(firewall_id=id)
|
||||
|
||||
def get_firewall(self, context, id, fields=None):
|
||||
LOG.debug("get_firewall() called")
|
||||
@ -420,7 +419,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
if not fwp.get('shared', True) and fwp_db.firewalls:
|
||||
for fw in fwp_db['firewalls']:
|
||||
if fwp_db['tenant_id'] != fw['tenant_id']:
|
||||
raise exceptions.FirewallPolicyInUse(
|
||||
raise fw_ext.FirewallPolicyInUse(
|
||||
firewall_policy_id=id)
|
||||
# check any existing rules are not shared
|
||||
if 'shared' in fwp and 'firewall_rules' not in fwp:
|
||||
@ -441,7 +440,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
# being used
|
||||
qry = context.session.query(Firewall)
|
||||
if qry.filter_by(firewall_policy_id=id).first():
|
||||
raise exceptions.FirewallPolicyInUse(firewall_policy_id=id)
|
||||
raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id)
|
||||
else:
|
||||
context.session.delete(fwp)
|
||||
|
||||
@ -468,7 +467,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
self._validate_fwr_src_dst_ip_version(fwr)
|
||||
if not fwr['protocol'] and (fwr['source_port'] or
|
||||
fwr['destination_port']):
|
||||
raise exceptions.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
src_port_min, src_port_max = self._get_min_max_ports_from_range(
|
||||
fwr['source_port'])
|
||||
dst_port_min, dst_port_max = self._get_min_max_ports_from_range(
|
||||
@ -504,7 +503,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
fwr_db.firewall_policy_id)
|
||||
if 'shared' in fwr and not fwr['shared']:
|
||||
if fwr_db['tenant_id'] != fwp_db['tenant_id']:
|
||||
raise exceptions.FirewallRuleInUse(firewall_rule_id=id)
|
||||
raise fw_ext.FirewallRuleInUse(firewall_rule_id=id)
|
||||
if 'source_port' in fwr:
|
||||
src_port_min, src_port_max = self._get_min_max_ports_from_range(
|
||||
fwr['source_port'])
|
||||
@ -525,8 +524,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
dport = fwr.get('destination_port_range_min',
|
||||
fwr_db['destination_port_range_min'])
|
||||
if sport or dport:
|
||||
raise exceptions.\
|
||||
FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
fwr_db.update(fwr)
|
||||
if fwr_db.firewall_policy_id:
|
||||
fwp_db.audited = False
|
||||
@ -537,7 +535,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
with context.session.begin(subtransactions=True):
|
||||
fwr = self._get_firewall_rule(context, id)
|
||||
if fwr.firewall_policy_id:
|
||||
raise exceptions.FirewallRuleInUse(firewall_rule_id=id)
|
||||
raise fw_ext.FirewallRuleInUse(firewall_rule_id=id)
|
||||
context.session.delete(fwr)
|
||||
|
||||
def get_firewall_rule(self, context, id, fields=None):
|
||||
@ -558,7 +556,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
|
||||
def _validate_insert_remove_rule_request(self, id, rule_info):
|
||||
if not rule_info or 'firewall_rule_id' not in rule_info:
|
||||
raise exceptions.FirewallRuleInfoMissing()
|
||||
raise fw_ext.FirewallRuleInfoMissing()
|
||||
|
||||
def insert_rule(self, context, id, rule_info):
|
||||
LOG.debug("insert_rule() called")
|
||||
@ -567,7 +565,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
insert_before = True
|
||||
ref_firewall_rule_id = None
|
||||
if not firewall_rule_id:
|
||||
raise exceptions.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
if 'insert_before' in rule_info:
|
||||
ref_firewall_rule_id = rule_info['insert_before']
|
||||
if not ref_firewall_rule_id and 'insert_after' in rule_info:
|
||||
@ -578,8 +576,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
fwr_db = self._get_firewall_rule(context, firewall_rule_id)
|
||||
fwp_db = self._get_firewall_policy(context, id)
|
||||
if fwr_db.firewall_policy_id:
|
||||
raise exceptions.FirewallRuleInUse(
|
||||
firewall_rule_id=fwr_db['id'])
|
||||
raise fw_ext.FirewallRuleInUse(firewall_rule_id=fwr_db['id'])
|
||||
self._check_firewall_rule_conflict(fwr_db, fwp_db)
|
||||
if ref_firewall_rule_id:
|
||||
# If reference_firewall_rule_id is set, the new rule
|
||||
@ -590,7 +587,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
ref_fwr_db = self._get_firewall_rule(
|
||||
context, ref_firewall_rule_id)
|
||||
if ref_fwr_db.firewall_policy_id != id:
|
||||
raise exceptions.FirewallRuleNotAssociatedWithPolicy(
|
||||
raise fw_ext.FirewallRuleNotAssociatedWithPolicy(
|
||||
firewall_rule_id=ref_fwr_db['id'],
|
||||
firewall_policy_id=id)
|
||||
if insert_before:
|
||||
@ -612,11 +609,11 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
|
||||
self._validate_insert_remove_rule_request(id, rule_info)
|
||||
firewall_rule_id = rule_info['firewall_rule_id']
|
||||
if not firewall_rule_id:
|
||||
raise exceptions.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
with context.session.begin(subtransactions=True):
|
||||
fwr_db = self._get_firewall_rule(context, firewall_rule_id)
|
||||
if fwr_db.firewall_policy_id != id:
|
||||
raise exceptions.FirewallRuleNotAssociatedWithPolicy(
|
||||
raise fw_ext.FirewallRuleNotAssociatedWithPolicy(
|
||||
firewall_rule_id=fwr_db['id'],
|
||||
firewall_policy_id=id)
|
||||
return self._process_rule_for_policy(context, id, fwr_db, None)
|
||||
|
@ -13,12 +13,13 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_lib.api.definitions import firewallrouterinsertion as fwrtrins
|
||||
from neutron_lib.db import model_base
|
||||
from oslo_log import helpers as log_helpers
|
||||
from oslo_log import log as logging
|
||||
import sqlalchemy as sa
|
||||
|
||||
from neutron_fwaas.extensions import firewallrouterinsertion as fwrtrins
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
@ -14,8 +14,6 @@
|
||||
# under the License.
|
||||
|
||||
from neutron.db import common_db_mixin as base_db
|
||||
from neutron_fwaas.common import exceptions as f_exc
|
||||
from neutron_fwaas.extensions import firewall_v2 as fw_v2_ext
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib.db import model_base
|
||||
from oslo_config import cfg
|
||||
@ -28,6 +26,8 @@ from sqlalchemy.orm import exc
|
||||
|
||||
import netaddr
|
||||
|
||||
from neutron_fwaas.extensions import firewall_v2 as fw_ext
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
@ -119,26 +119,25 @@ class FirewallPolicy(model_base.BASEV2, model_base.HasId, HasName,
|
||||
shared = sa.Column(sa.Boolean)
|
||||
|
||||
|
||||
class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
base_db.CommonDbMixin):
|
||||
class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
|
||||
|
||||
def _get_firewall_group(self, context, id):
|
||||
try:
|
||||
return self._get_by_id(context, FirewallGroup, id)
|
||||
except exc.NoResultFound:
|
||||
raise f_exc.FirewallGroupNotFound(firewall_id=id)
|
||||
raise fw_ext.FirewallGroupNotFound(firewall_id=id)
|
||||
|
||||
def _get_firewall_policy(self, context, id):
|
||||
try:
|
||||
return self._get_by_id(context, FirewallPolicy, id)
|
||||
except exc.NoResultFound:
|
||||
raise f_exc.FirewallPolicyNotFound(firewall_policy_id=id)
|
||||
raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)
|
||||
|
||||
def _get_firewall_rule(self, context, id):
|
||||
try:
|
||||
return self._get_by_id(context, FirewallRuleV2, id)
|
||||
except exc.NoResultFound:
|
||||
raise f_exc.FirewallRuleNotFound(firewall_rule_id=id)
|
||||
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=id)
|
||||
|
||||
def _validate_fwr_protocol_parameters(self, fwr, fwr_db=None):
|
||||
protocol = fwr.get('protocol', None)
|
||||
@ -148,7 +147,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
nl_constants.PROTO_NAME_UDP):
|
||||
if (fwr.get('source_port', None) or
|
||||
fwr.get('destination_port', None)):
|
||||
raise f_exc.FirewallRuleInvalidICMPParameter(
|
||||
raise fw_ext.FirewallRuleInvalidICMPParameter(
|
||||
param="Source, destination port")
|
||||
|
||||
def _validate_fwr_src_dst_ip_version(self, fwr, fwr_db=None):
|
||||
@ -163,12 +162,12 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
rule_ip_version = fwr_db.ip_version
|
||||
if ((src_version and src_version != rule_ip_version) or
|
||||
(dst_version and dst_version != rule_ip_version)):
|
||||
raise f_exc.FirewallIpAddressConflict()
|
||||
raise fw_ext.FirewallIpAddressConflict()
|
||||
|
||||
def _validate_fwr_port_range(self, min_port, max_port):
|
||||
if int(min_port) > int(max_port):
|
||||
port_range = '%s:%s' % (min_port, max_port)
|
||||
raise f_exc.FirewallRuleInvalidPortValue(port=port_range)
|
||||
raise fw_ext.FirewallRuleInvalidPortValue(port=port_range)
|
||||
|
||||
def _get_min_max_ports_from_range(self, port_range):
|
||||
if not port_range:
|
||||
@ -268,7 +267,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
def _check_firewall_rule_conflict(self, fwr_db, fwp_db):
|
||||
if not fwr_db['shared']:
|
||||
if fwr_db['tenant_id'] != fwp_db['tenant_id']:
|
||||
raise f_exc.FirewallRuleConflict(
|
||||
raise fw_ext.FirewallRuleConflict(
|
||||
firewall_rule_id=fwr_db['id'],
|
||||
tenant_id=fwr_db['tenant_id'])
|
||||
|
||||
@ -306,7 +305,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
try:
|
||||
self._get_policy_rule_association_query(
|
||||
context, firewall_policy_id, firewall_rule_id).one()
|
||||
raise f_exc.FirewallRuleAlreadyAssociated(
|
||||
raise fw_ext.FirewallRuleAlreadyAssociated(
|
||||
firewall_rule_id=firewall_rule_id,
|
||||
firewall_policy_id=firewall_policy_id)
|
||||
except exc.NoResultFound:
|
||||
@ -321,7 +320,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
return self._get_policy_rule_association_query(
|
||||
context, firewall_policy_id, firewall_rule_id).one()
|
||||
except exc.NoResultFound:
|
||||
raise f_exc.FirewallRuleNotAssociatedWithPolicy(
|
||||
raise fw_ext.FirewallRuleNotAssociatedWithPolicy(
|
||||
firewall_rule_id=firewall_rule_id,
|
||||
firewall_policy_id=firewall_policy_id)
|
||||
|
||||
@ -332,7 +331,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
self._validate_fwr_src_dst_ip_version(fwr)
|
||||
if not fwr['protocol'] and (fwr['source_port'] or
|
||||
fwr['destination_port']):
|
||||
raise f_exc.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
src_port_min, src_port_max = self._get_min_max_ports_from_range(
|
||||
fwr['source_port'])
|
||||
dst_port_min, dst_port_max = self._get_min_max_ports_from_range(
|
||||
@ -383,7 +382,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
dport = fwr.get('destination_port_range_min',
|
||||
fwr_db['destination_port_range_min'])
|
||||
if sport or dport:
|
||||
raise f_exc.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
|
||||
fwr_db.update(fwr)
|
||||
# if the rule on a policy, fix audited flag
|
||||
fwp_ids = self._get_policies_with_rule(context, id)
|
||||
@ -398,7 +397,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
fwr = self._get_firewall_rule(context, id)
|
||||
# make sure rule is not associated with any policy
|
||||
if self._get_policies_with_rule(context, id):
|
||||
raise f_exc.FirewallRuleInUse(firewall_rule_id=id)
|
||||
raise fw_ext.FirewallRuleInUse(firewall_rule_id=id)
|
||||
context.session.delete(fwr)
|
||||
|
||||
def insert_rule(self, context, id, rule_info):
|
||||
@ -410,7 +409,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
insert_before = True
|
||||
ref_firewall_rule_id = None
|
||||
if not firewall_rule_id:
|
||||
raise f_exc.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
if 'insert_before' in rule_info:
|
||||
ref_firewall_rule_id = rule_info['insert_before']
|
||||
if not ref_firewall_rule_id and 'insert_after' in rule_info:
|
||||
@ -448,7 +447,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
self._validate_insert_remove_rule_request(id, rule_info)
|
||||
firewall_rule_id = rule_info['firewall_rule_id']
|
||||
if not firewall_rule_id:
|
||||
raise f_exc.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
|
||||
with context.session.begin(subtransactions=True):
|
||||
self._get_firewall_rule(context, firewall_rule_id)
|
||||
fwpra_db = self._get_policy_rule_association(context, id,
|
||||
@ -469,7 +468,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
|
||||
def _validate_insert_remove_rule_request(self, id, rule_info):
|
||||
if not rule_info or 'firewall_rule_id' not in rule_info:
|
||||
raise f_exc.FirewallRuleInfoMissing()
|
||||
raise fw_ext.FirewallRuleInfoMissing()
|
||||
|
||||
def _delete_rules_in_policy(self, context, firewall_policy_id):
|
||||
"""Delete the rules in the firewall policy."""
|
||||
@ -523,15 +522,15 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
for fwrule_id in rule_id_list:
|
||||
if fwrule_id not in rules_dict:
|
||||
# Bail as soon as we find an invalid rule.
|
||||
raise f_exc.FirewallRuleNotFound(
|
||||
raise fw_ext.FirewallRuleNotFound(
|
||||
firewall_rule_id=fwrule_id)
|
||||
if 'shared' in fwp:
|
||||
if fwp['shared'] and not rules_dict[fwrule_id]['shared']:
|
||||
raise f_exc.FirewallRuleSharingConflict(
|
||||
raise fw_ext.FirewallRuleSharingConflict(
|
||||
firewall_rule_id=fwrule_id,
|
||||
firewall_policy_id=fwp_db['id'])
|
||||
elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']:
|
||||
raise f_exc.FirewallRuleSharingConflict(
|
||||
raise fw_ext.FirewallRuleSharingConflict(
|
||||
firewall_rule_id=fwrule_id,
|
||||
firewall_policy_id=fwp_db['id'])
|
||||
else:
|
||||
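Review bot: The two `FirewallRuleSharingConflict` branches in this hunk raise the same exception with the same arguments and differ only in where the policy's `shared` flag comes from (the request `fwp` when the key is present, else the stored `fwp_db`), and the `if 'shared' in fwp: ... elif ...` shape makes the reader trace both paths to see that. If `fwp` is a plain dict (it is only probed with `in` here, so that is an assumption to confirm), the pair collapses to `policy_shared = fwp.get('shared', fwp_db['shared'])` followed by a single `if policy_shared and not rules_dict[fwrule_id]['shared']: raise fw_ext.FirewallRuleSharingConflict(firewall_rule_id=fwrule_id, firewall_policy_id=fwp_db['id'])`. The v1 counterpart hunk in the firewall_db mixin (the `FirewallRuleSharingConflict` pair in its rule-list validation) has the identical duplication. The enclosing method starts and ends outside this hunk.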
@ -540,7 +539,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
if not rules_dict[fwrule_id]['shared']:
|
||||
if (rules_dict[fwrule_id]['tenant_id'] != fwp_db[
|
||||
'tenant_id']):
|
||||
raise f_exc.FirewallRuleConflict(
|
||||
raise fw_ext.FirewallRuleConflict(
|
||||
firewall_rule_id=fwrule_id,
|
||||
tenant_id=rules_dict[fwrule_id]['tenant_id'])
|
||||
|
||||
@ -551,7 +550,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
fwr_db = self._get_firewall_rule(context,
|
||||
entry.firewall_rule_id)
|
||||
if not fwp_db['shared']:
|
||||
raise f_exc.FirewallPolicySharingConflict(
|
||||
raise fw_ext.FirewallPolicySharingConflict(
|
||||
firewall_rule_id=fwr_db['id'],
|
||||
firewall_policy_id=fwp_db['id'])
|
||||
|
||||
@ -579,7 +578,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
filters=filters)
|
||||
for entry in fwg_with_fwp_id_db:
|
||||
if entry.tenant_id != fwp_tenant_id:
|
||||
raise f_exc.FirewallPolicyInUse(
|
||||
raise fw_ext.FirewallPolicyInUse(
|
||||
firewall_policy_id=fwp_id)
|
||||
|
||||
def _set_rules_for_policy(self, context, firewall_policy_db, fwp):
|
||||
@ -661,9 +660,9 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
# check if policy in use
|
||||
qry = context.session.query(FirewallGroup)
|
||||
if qry.filter_by(ingress_firewall_policy_id=id).first():
|
||||
raise f_exc.FirewallPolicyInUse(firewall_policy_id=id)
|
||||
raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id)
|
||||
elif qry.filter_by(egress_firewall_policy_id=id).first():
|
||||
raise f_exc.FirewallPolicyInUse(firewall_policy_id=id)
|
||||
raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id)
|
||||
else:
|
||||
# Policy is not being used, delete.
|
||||
self._delete_rules_in_policy(context, id)
|
||||
@ -687,7 +686,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
if fwp_id is not None:
|
||||
fwp = self._get_firewall_policy(context, fwp_id)
|
||||
if fwg_tenant_id != fwp['tenant_id'] and not fwp['shared']:
|
||||
raise f_exc.FirewallPolicyConflict(
|
||||
raise fw_ext.FirewallPolicyConflict(
|
||||
firewall_policy_id=fwp_id)
|
||||
|
||||
if 'egress_firewall_policy_id' in fwg:
|
||||
@ -695,7 +694,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
if fwp_id is not None:
|
||||
fwp = self._get_firewall_policy(context, fwp_id)
|
||||
if fwg_tenant_id != fwp['tenant_id'] and not fwp['shared']:
|
||||
raise f_exc.FirewallPolicyConflict(
|
||||
raise fw_ext.FirewallPolicyConflict(
|
||||
firewall_policy_id=fwp_id)
|
||||
return
|
||||
|
||||
@ -742,7 +741,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
FirewallGroupPortAssociation.firewall_group_id != fwg_id).all()
|
||||
if fwg_ports:
|
||||
port_ids = [entry.port_id for entry in fwg_ports]
|
||||
raise f_exc.FirewallGroupPortInUse(port_ids=port_ids)
|
||||
raise fw_ext.FirewallGroupPortInUse(port_ids=port_ids)
|
||||
|
||||
def create_firewall_group(self, context, firewall_group, status=None):
|
||||
fwg = firewall_group['firewall_group']
|
||||
@ -778,7 +777,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
count = context.session.query(
|
||||
FirewallGroup).filter_by(id=id).update(fwg)
|
||||
if not count:
|
||||
raise f_exc.FirewallGroupNotFound(firewall_id=id)
|
||||
raise fw_ext.FirewallGroupNotFound(firewall_id=id)
|
||||
return self.get_firewall_group(context, id)
|
||||
|
||||
def update_firewall_group_status(self, context, id, status, not_in=None):
|
||||
@ -802,7 +801,7 @@ class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
|
||||
count = context.session.query(
|
||||
FirewallGroup).filter_by(id=id).delete()
|
||||
if not count:
|
||||
raise f_exc.FirewallGroupNotFound(firewall_id=id)
|
||||
raise fw_ext.FirewallGroupNotFound(firewall_id=id)
|
||||
|
||||
def get_firewall_group(self, context, id, fields=None):
|
||||
LOG.debug("get_firewall_group() called")
|
||||
|
@ -16,8 +16,12 @@
|
||||
import abc
|
||||
|
||||
from neutron.api.v2 import resource_helper
|
||||
from neutron_lib.api.definitions import firewall
|
||||
from neutron_lib.api import converters
|
||||
from neutron_lib.api import extensions
|
||||
from neutron_lib.api import validators
|
||||
from neutron_lib import constants
|
||||
from neutron_lib.db import constants as db_const
|
||||
from neutron_lib import exceptions as nexception
|
||||
from neutron_lib.services import base as service_base
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
@ -29,6 +33,327 @@ from neutron_fwaas.common import fwaas_constants
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
# Firewall rule action
|
||||
FWAAS_ALLOW = "allow"
|
||||
FWAAS_DENY = "deny"
|
||||
FWAAS_REJECT = "reject"
|
||||
|
||||
# Firewall resource path prefix
|
||||
FIREWALL_PREFIX = "/fw"
|
||||
|
||||
|
||||
# Firewall Exceptions
|
||||
class FirewallNotFound(nexception.NotFound):
|
||||
message = _("Firewall %(firewall_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallInUse(nexception.InUse):
|
||||
message = _("Firewall %(firewall_id)s is still active.")
|
||||
|
||||
|
||||
class FirewallInPendingState(nexception.Conflict):
|
||||
message = _("Operation cannot be performed since associated Firewall "
|
||||
"%(firewall_id)s is in %(pending_state)s.")
|
||||
|
||||
|
||||
class FirewallPolicyNotFound(nexception.NotFound):
|
||||
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallPolicyInUse(nexception.InUse):
|
||||
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
|
||||
|
||||
|
||||
class FirewallPolicyConflict(nexception.Conflict):
|
||||
"""FWaaS exception for firewall policy
|
||||
|
||||
Occurs when admin policy tries to use another tenant's unshared
|
||||
policy.
|
||||
"""
|
||||
message = _("Operation cannot be performed since Firewall Policy "
|
||||
"%(firewall_policy_id)s is not shared and does not belong to "
|
||||
"your tenant.")
|
||||
|
||||
|
||||
class FirewallRuleSharingConflict(nexception.Conflict):
|
||||
|
||||
"""FWaaS exception for firewall rules
|
||||
|
||||
When a shared policy is created or updated with unshared rules,
|
||||
this exception will be raised.
|
||||
"""
|
||||
message = _("Operation cannot be performed since Firewall Policy "
|
||||
"%(firewall_policy_id)s is shared but Firewall Rule "
|
||||
"%(firewall_rule_id)s is not shared")
|
||||
|
||||
|
||||
class FirewallPolicySharingConflict(nexception.Conflict):
|
||||
|
||||
"""FWaaS exception for firewall policy
|
||||
|
||||
When a policy is shared without sharing its associated rules,
|
||||
this exception will be raised.
|
||||
"""
|
||||
message = _("Operation cannot be performed. Before sharing Firewall "
|
||||
"Policy %(firewall_policy_id)s, share associated Firewall "
|
||||
"Rule %(firewall_rule_id)s")
|
||||
|
||||
|
||||
class FirewallRuleNotFound(nexception.NotFound):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallRuleInUse(nexception.InUse):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
|
||||
|
||||
|
||||
class FirewallRuleNotAssociatedWithPolicy(nexception.InvalidInput):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
|
||||
"with Firewall Policy %(firewall_policy_id)s.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidProtocol(nexception.InvalidInput):
|
||||
message = _("Firewall Rule protocol %(protocol)s is not supported. "
|
||||
"Only protocol values %(values)s and their integer "
|
||||
"representation (0 to 255) are supported.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidAction(nexception.InvalidInput):
|
||||
message = _("Firewall rule action %(action)s is not supported. "
|
||||
"Only action values %(values)s are supported.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidICMPParameter(nexception.InvalidInput):
|
||||
message = _("%(param)s are not allowed when protocol "
|
||||
"is set to ICMP.")
|
||||
|
||||
|
||||
class FirewallRuleWithPortWithoutProtocolInvalid(nexception.InvalidInput):
|
||||
message = _("Source/destination port requires a protocol")
|
||||
|
||||
|
||||
class FirewallRuleInvalidPortValue(nexception.InvalidInput):
|
||||
message = _("Invalid value for port %(port)s.")
|
||||
|
||||
|
||||
class FirewallRuleInfoMissing(nexception.InvalidInput):
|
||||
message = _("Missing rule info argument for insert/remove "
|
||||
"rule operation.")
|
||||
|
||||
|
||||
class FirewallIpAddressConflict(nexception.InvalidInput):
|
||||
message = _("Invalid input - IP addresses do not agree with IP Version")
|
||||
|
||||
|
||||
class FirewallInternalDriverError(nexception.NeutronException):
|
||||
"""Fwaas exception for all driver errors.
|
||||
|
||||
On any failure or exception in the driver, driver should log it and
|
||||
raise this exception to the agent
|
||||
"""
|
||||
message = _("%(driver)s: Internal driver error.")
|
||||
|
||||
|
||||
class FirewallRuleConflict(nexception.Conflict):
|
||||
|
||||
"""Firewall rule conflict exception.
|
||||
|
||||
Occurs when admin policy tries to use another tenant's unshared
|
||||
rule.
|
||||
"""
|
||||
|
||||
message = _("Operation cannot be performed since Firewall Rule "
|
||||
"%(firewall_rule_id)s is not shared and belongs to "
|
||||
"another tenant %(tenant_id)s")
|
||||
|
||||
|
||||
fw_valid_protocol_values = [None, constants.PROTO_NAME_TCP,
|
||||
constants.PROTO_NAME_UDP,
|
||||
constants.PROTO_NAME_ICMP]
|
||||
fw_valid_action_values = [FWAAS_ALLOW, FWAAS_DENY, FWAAS_REJECT]
|
||||
|
||||
|
||||
def convert_protocol(value):
|
||||
if value is None:
|
||||
return
|
||||
if (isinstance(value, six.integer_types) or
|
||||
(isinstance(value, six.string_types) and value.isdigit())):
|
||||
val = int(value)
|
||||
if 0 <= val <= 255:
|
||||
return val
|
||||
else:
|
||||
raise FirewallRuleInvalidProtocol(
|
||||
protocol=value, values=fw_valid_protocol_values)
|
||||
elif isinstance(value, six.string_types):
|
||||
if value.lower() in fw_valid_protocol_values:
|
||||
return value.lower()
|
||||
raise FirewallRuleInvalidProtocol(
|
||||
protocol=value, values=fw_valid_protocol_values)
|
||||
|
||||
|
||||
def convert_action_to_case_insensitive(value):
|
||||
if value is None:
|
||||
return
|
||||
else:
|
||||
return value.lower()
|
||||
|
||||
|
||||
def convert_port_to_string(value):
|
||||
if value is None:
|
||||
return
|
||||
else:
|
||||
return str(value)
|
||||
|
||||
|
||||
def _validate_port_range(data, key_specs=None):
|
||||
if data is None:
|
||||
return
|
||||
data = str(data)
|
||||
ports = data.split(':')
|
||||
for p in ports:
|
||||
try:
|
||||
val = int(p)
|
||||
except (ValueError, TypeError):
|
||||
msg = _("Port '%s' is not a valid number") % p
|
||||
LOG.debug(msg)
|
||||
return msg
|
||||
if val <= 0 or val > 65535:
|
||||
msg = _("Invalid port '%s'") % p
|
||||
LOG.debug(msg)
|
||||
return msg
|
||||
|
||||
|
||||
def _validate_ip_or_subnet_or_none(data, valid_values=None):
|
||||
if data is None:
|
||||
return None
|
||||
msg_ip = validators.validate_ip_address(data, valid_values)
|
||||
if not msg_ip:
|
||||
return
|
||||
msg_subnet = validators.validate_subnet(data, valid_values)
|
||||
if not msg_subnet:
|
||||
return
|
||||
return _("%(msg_ip)s and %(msg_subnet)s") % {'msg_ip': msg_ip,
|
||||
'msg_subnet': msg_subnet}
|
||||
|
||||
|
||||
validators.validators['type:port_range'] = _validate_port_range
|
||||
validators.validators['type:ip_or_subnet_or_none'] = \
|
||||
_validate_ip_or_subnet_or_none
|
||||
|
||||
|
||||
RESOURCE_ATTRIBUTE_MAP = {
|
||||
'firewall_rules': {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True, 'primary_key': True},
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'required_by_policy': True,
|
||||
'is_visible': True},
|
||||
'name': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string': db_const.NAME_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'description': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string':
|
||||
db_const.DESCRIPTION_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'firewall_policy_id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid_or_none': None},
|
||||
'is_visible': True},
|
||||
'shared': {'allow_post': True, 'allow_put': True,
|
||||
'default': False,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'is_visible': True, 'required_by_policy': True,
|
||||
'enforce_policy': True},
|
||||
'protocol': {'allow_post': True, 'allow_put': True,
|
||||
'is_visible': True, 'default': None,
|
||||
'convert_to': convert_protocol,
|
||||
'validate': {'type:values': fw_valid_protocol_values}},
|
||||
'ip_version': {'allow_post': True, 'allow_put': True,
|
||||
'default': 4, 'convert_to': converters.convert_to_int,
|
||||
'validate': {'type:values': [4, 6]},
|
||||
'is_visible': True},
|
||||
'source_ip_address': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:ip_or_subnet_or_none': None},
|
||||
'is_visible': True, 'default': None},
|
||||
'destination_ip_address': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:ip_or_subnet_or_none':
|
||||
None},
|
||||
'is_visible': True, 'default': None},
|
||||
'source_port': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:port_range': None},
|
||||
'convert_to': convert_port_to_string,
|
||||
'default': None, 'is_visible': True},
|
||||
'destination_port': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:port_range': None},
|
||||
'convert_to': convert_port_to_string,
|
||||
'default': None, 'is_visible': True},
|
||||
'position': {'allow_post': False, 'allow_put': False,
|
||||
'default': None, 'is_visible': True},
|
||||
'action': {'allow_post': True, 'allow_put': True,
|
||||
'convert_to': convert_action_to_case_insensitive,
|
||||
'validate': {'type:values': fw_valid_action_values},
|
||||
'is_visible': True, 'default': 'deny'},
|
||||
'enabled': {'allow_post': True, 'allow_put': True,
|
||||
'default': True, 'is_visible': True,
|
||||
'convert_to': converters.convert_to_boolean},
|
||||
},
|
||||
'firewall_policies': {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True,
|
||||
'primary_key': True},
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'required_by_policy': True,
|
||||
'is_visible': True},
|
||||
'name': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string': db_const.NAME_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'description': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string':
|
||||
db_const.DESCRIPTION_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'shared': {'allow_post': True, 'allow_put': True,
|
||||
'default': False, 'enforce_policy': True,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'is_visible': True, 'required_by_policy': True},
|
||||
'firewall_rules': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': converters.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
'audited': {'allow_post': True, 'allow_put': True,
|
||||
'default': False, 'is_visible': True,
|
||||
'convert_to': converters.convert_to_boolean},
|
||||
},
|
||||
'firewalls': {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True,
|
||||
'primary_key': True},
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'required_by_policy': True,
|
||||
'is_visible': True},
|
||||
'name': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string': db_const.NAME_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'description': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string':
|
||||
db_const.DESCRIPTION_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'admin_state_up': {'allow_post': True, 'allow_put': True,
|
||||
'default': True, 'is_visible': True,
|
||||
'convert_to': converters.convert_to_boolean},
|
||||
'status': {'allow_post': False, 'allow_put': False,
|
||||
'is_visible': True},
|
||||
'shared': {'allow_post': True, 'allow_put': True,
|
||||
'default': False, 'enforce_policy': True,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'is_visible': False, 'required_by_policy': True},
|
||||
'firewall_policy_id': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_or_none': None},
|
||||
'is_visible': True},
|
||||
},
|
||||
}
|
||||
|
||||
# A tenant may have a unique firewall and policy for each router
|
||||
# when router insertion is used.
|
||||
# Set default quotas to align with default l3 quota_router of 10
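Review bot: `_validate_port_range`, reinstated in this hunk, only checks that each colon-separated piece is an integer in 1..65535, so `1:2:3` and an inverted range such as `100:10` pass API validation and are stored as-is (via `convert_port_to_string`) for the driver to turn into a rule; presumably that string ends up in an iptables port-range argument, and whether iptables rejects such input I cannot confirm from here, so rejecting it at the API edge is the safer contract for a firewall rule. The fix is to bound the number of parts and enforce low <= high after the existing per-part loop, which already returns a message for any non-numeric part, so the trailing `int()` calls are safe. The whole function lies inside this hunk.
```python
def _validate_port_range(data, key_specs=None):
    if data is None:
        return
    data = str(data)
    ports = data.split(':')
    if len(ports) > 2:
        msg = _("Invalid port range '%s'") % data
        LOG.debug(msg)
        return msg
    # … unchanged: per-part int() conversion and 1..65535 bounds check …
    if len(ports) == 2 and int(ports[0]) > int(ports[1]):
        msg = _("Invalid port range '%s'") % data
        LOG.debug(msg)
        return msg
```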
|
||||
@ -55,32 +380,32 @@ class Firewall(extensions.ExtensionDescriptor):
|
||||
|
||||
@classmethod
|
||||
def get_name(cls):
|
||||
return firewall.NAME
|
||||
return "Firewall service"
|
||||
|
||||
@classmethod
|
||||
def get_alias(cls):
|
||||
return firewall.ALIAS
|
||||
return "fwaas"
|
||||
|
||||
@classmethod
|
||||
def get_description(cls):
|
||||
return firewall.DESCRIPTION
|
||||
return "Extension for Firewall service"
|
||||
|
||||
@classmethod
|
||||
def get_updated(cls):
|
||||
return firewall.UPDATED_TIMESTAMP
|
||||
return "2013-02-25T10:00:00-00:00"
|
||||
|
||||
@classmethod
|
||||
def get_resources(cls):
|
||||
"""Returns Ext Resources."""
|
||||
special_mappings = {'firewall_policies': 'firewall_policy'}
|
||||
plural_mappings = resource_helper.build_plural_mappings(
|
||||
special_mappings, firewall.RESOURCE_ATTRIBUTE_MAP)
|
||||
return resource_helper.build_resource_info(
|
||||
plural_mappings,
|
||||
firewall.RESOURCE_ATTRIBUTE_MAP,
|
||||
firewall.ALIAS,
|
||||
action_map=firewall.ACTION_MAP,
|
||||
register_quota=True)
|
||||
special_mappings, RESOURCE_ATTRIBUTE_MAP)
|
||||
action_map = {'firewall_policy': {'insert_rule': 'PUT',
|
||||
'remove_rule': 'PUT'}}
|
||||
return resource_helper.build_resource_info(plural_mappings,
|
||||
RESOURCE_ATTRIBUTE_MAP,
|
||||
fwaas_constants.FIREWALL,
|
||||
action_map=action_map,
|
||||
register_quota=True)
|
||||
|
||||
@classmethod
|
||||
def get_plugin_interface(cls):
|
||||
@ -88,11 +413,11 @@ class Firewall(extensions.ExtensionDescriptor):
|
||||
|
||||
def update_attributes_map(self, attributes):
|
||||
super(Firewall, self).update_attributes_map(
|
||||
attributes, extension_attrs_map=firewall.RESOURCE_ATTRIBUTE_MAP)
|
||||
attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP)
|
||||
|
||||
def get_extended_resources(self, version):
|
||||
if version == "2.0":
|
||||
return firewall.RESOURCE_ATTRIBUTE_MAP
|
||||
return RESOURCE_ATTRIBUTE_MAP
|
||||
else:
|
||||
return {}
|
||||
|
||||
|
@ -13,48 +13,339 @@
|
||||
# under the License.
|
||||
|
||||
import abc
|
||||
|
||||
from neutron.api.v2 import resource_helper
|
||||
|
||||
from neutron_fwaas.common import fwaas_constants
|
||||
from neutron_lib.api.definitions import firewall_v2
|
||||
from neutron_lib.api import converters
|
||||
from neutron_lib.api import extensions
|
||||
from neutron_lib.db import constants as nl_db_constants
|
||||
from neutron_lib import exceptions as nexception
|
||||
from neutron_lib.services import base as service_base
|
||||
|
||||
import six
|
||||
|
||||
from neutron_fwaas._i18n import _
|
||||
|
||||
# Import firewall v1 API to get the validators
|
||||
# TODO(shpadubi): pull the validators out of fwaas v1 into a separate file
|
||||
from neutron_fwaas.extensions import firewall as fwaas_v1
|
||||
|
||||
FIREWALL_PREFIX = '/fwaas'
|
||||
|
||||
FIREWALL_CONST = 'FIREWALL_V2'
|
||||
|
||||
|
||||
# Firewall Exceptions
|
||||
class FirewallGroupNotFound(nexception.NotFound):
|
||||
message = _("Firewall Group %(firewall_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallGroupInUse(nexception.InUse):
|
||||
message = _("Firewall %(firewall_id)s is still active.")
|
||||
|
||||
|
||||
class FirewallGroupInPendingState(nexception.Conflict):
|
||||
message = _("Operation cannot be performed since associated Firewall "
|
||||
"%(firewall_id)s is in %(pending_state)s.")
|
||||
|
||||
|
||||
class FirewallGroupPortInvalid(nexception.Conflict):
|
||||
message = _("Firewall Group Port %(port_id)s is invalid")
|
||||
|
||||
|
||||
class FirewallGroupPortInvalidProject(nexception.Conflict):
|
||||
message = _("Operation cannot be performed as port %(port_id)s "
|
||||
"is in an invalid project %(tenant_id)s.")
|
||||
|
||||
|
||||
class FirewallGroupPortInUse(nexception.InUse):
|
||||
message = _("Port(s) %(port_ids)s provided already associated with "
|
||||
"other Firewall Group(s). ")
|
||||
|
||||
|
||||
class FirewallPolicyNotFound(nexception.NotFound):
|
||||
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallPolicyInUse(nexception.InUse):
|
||||
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
|
||||
|
||||
|
||||
class FirewallPolicyConflict(nexception.Conflict):
|
||||
"""FWaaS exception for firewall policy
|
||||
|
||||
Occurs when admin policy tries to use another tenant's policy that
|
||||
is not shared.
|
||||
"""
|
||||
|
||||
message = _("Operation cannot be performed since Firewall Policy "
|
||||
"%(firewall_policy_id)s is not shared and does not belong to "
|
||||
"your tenant.")
|
||||
|
||||
|
||||
class FirewallRuleSharingConflict(nexception.Conflict):
|
||||
"""FWaaS exception for firewall rules
|
||||
|
||||
This exception will be raised when a shared policy is created or
|
||||
updated with rules that are not shared.
|
||||
"""
|
||||
|
||||
message = _("Operation cannot be performed since Firewall Policy "
|
||||
"%(firewall_policy_id)s is shared but Firewall Rule "
|
||||
"%(firewall_rule_id)s is not shared.")
|
||||
|
||||
|
||||
class FirewallPolicySharingConflict(nexception.Conflict):
|
||||
"""FWaaS exception for firewall policy
|
||||
|
||||
When a policy is 'shared' without sharing its associated rules,
|
||||
this exception will be raised.
|
||||
"""
|
||||
|
||||
message = _("Operation cannot be performed. Before sharing Firewall "
|
||||
"Policy %(firewall_policy_id)s, share associated Firewall "
|
||||
"Rule %(firewall_rule_id)s.")
|
||||
|
||||
|
||||
class FirewallRuleNotFound(nexception.NotFound):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
|
||||
|
||||
|
||||
class FirewallRuleInUse(nexception.InUse):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
|
||||
|
||||
|
||||
class FirewallRuleNotAssociatedWithPolicy(nexception.InvalidInput):
|
||||
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
|
||||
"with Firewall Policy %(firewall_policy_id)s.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidProtocol(nexception.InvalidInput):
|
||||
message = _("Firewall Rule protocol %(protocol)s is not supported. "
|
||||
"Only protocol values %(values)s and their integer "
|
||||
"representation (0 to 255) are supported.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidAction(nexception.InvalidInput):
|
||||
message = _("Firewall rule action %(action)s is not supported. "
|
||||
"Only action values %(values)s are supported.")
|
||||
|
||||
|
||||
class FirewallRuleInvalidICMPParameter(nexception.InvalidInput):
|
||||
message = _("%(param)s are not allowed when protocol "
|
||||
"is set to ICMP.")
|
||||
|
||||
|
||||
class FirewallRuleWithPortWithoutProtocolInvalid(nexception.InvalidInput):
|
||||
message = _("Source/destination port requires a protocol")
|
||||
|
||||
|
||||
class FirewallRuleInvalidPortValue(nexception.InvalidInput):
|
||||
message = _("Invalid value for port %(port)s.")
|
||||
|
||||
|
||||
class FirewallRuleInfoMissing(nexception.InvalidInput):
|
||||
message = _("Missing rule info argument for insert/remove "
|
||||
"rule operation.")
|
||||
|
||||
|
||||
class FirewallIpAddressConflict(nexception.InvalidInput):
|
||||
message = _("Invalid input - IP addresses do not agree with IP Version.")
|
||||
|
||||
|
||||
class FirewallInternalDriverError(nexception.NeutronException):
|
||||
"""Fwaas exception for all driver errors.
|
||||
|
||||
On any failure or exception in the driver, driver should log it and
|
||||
raise this exception to the agent
|
||||
"""
|
||||
|
||||
message = _("%(driver)s: Internal driver error.")
|
||||
|
||||
|
||||
class FirewallRuleConflict(nexception.Conflict):
|
||||
"""Firewall rule conflict exception.
|
||||
|
||||
Occurs when admin policy tries to use another tenant's rule that is
|
||||
not shared
|
||||
"""
|
||||
|
||||
message = _("Operation cannot be performed since Firewall Rule "
|
||||
"%(firewall_rule_id)s is not shared and belongs to "
|
||||
"another tenant %(tenant_id)s.")
|
||||
|
||||
|
||||
class FirewallRuleAlreadyAssociated(nexception.Conflict):
|
||||
"""Firewall rule conflict exception.
|
||||
|
||||
Occurs when there is an attempt to assign a rule to a policy that
|
||||
the rule is already associated with.
|
||||
"""
|
||||
|
||||
message = _("Operation cannot be performed since Firewall Rule "
|
||||
"%(firewall_rule_id)s is already associated with Firewall"
|
||||
"Policy %(firewall_policy_id)s.")
|
||||
|
||||
|
||||
RESOURCE_ATTRIBUTE_MAP = {
|
||||
'firewall_rules': {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True, 'primary_key': True},
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'required_by_policy': True,
|
||||
'validate': {'type:string':
|
||||
nl_db_constants.UUID_FIELD_SIZE},
|
||||
'is_visible': True},
|
||||
'name': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'description': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string':
|
||||
nl_db_constants.DESCRIPTION_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'firewall_policy_id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid_or_none': None},
|
||||
'is_visible': True},
|
||||
'shared': {'allow_post': True, 'allow_put': True,
|
||||
'default': False, 'is_visible': True,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'required_by_policy': True, 'enforce_policy': True},
|
||||
'protocol': {'allow_post': True, 'allow_put': True,
|
||||
'is_visible': True, 'default': None,
|
||||
'convert_to': fwaas_v1.convert_protocol,
|
||||
'validate': {'type:values':
|
||||
fwaas_v1.fw_valid_protocol_values}},
|
||||
'ip_version': {'allow_post': True, 'allow_put': True,
|
||||
'default': 4, 'convert_to': converters.convert_to_int,
|
||||
'validate': {'type:values': [4, 6]},
|
||||
'is_visible': True},
|
||||
'source_ip_address': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:ip_or_subnet_or_none': None},
|
||||
'is_visible': True, 'default': None},
|
||||
'destination_ip_address': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:ip_or_subnet_or_none':
|
||||
None},
|
||||
'is_visible': True, 'default': None},
|
||||
'source_port': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:port_range': None},
|
||||
'convert_to': fwaas_v1.convert_port_to_string,
|
||||
'default': None, 'is_visible': True},
|
||||
'destination_port': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:port_range': None},
|
||||
'convert_to': fwaas_v1.convert_port_to_string,
|
||||
'default': None, 'is_visible': True},
|
||||
'position': {'allow_post': False, 'allow_put': False,
|
||||
'default': None, 'is_visible': True},
|
||||
'action': {'allow_post': True, 'allow_put': True,
|
||||
'convert_to': fwaas_v1.convert_action_to_case_insensitive,
|
||||
'validate': {'type:values':
|
||||
fwaas_v1.fw_valid_action_values},
|
||||
'is_visible': True, 'default': 'deny'},
|
||||
'enabled': {'allow_post': True, 'allow_put': True,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'default': True, 'is_visible': True},
|
||||
},
|
||||
'firewall_groups': {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True,
|
||||
'primary_key': True},
|
||||
'name': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'description': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string':
|
||||
nl_db_constants.DESCRIPTION_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'admin_state_up': {'allow_post': True, 'allow_put': True,
|
||||
'default': True, 'is_visible': True,
|
||||
'convert_to': converters.convert_to_boolean},
|
||||
'status': {'allow_post': False, 'allow_put': False,
|
||||
'is_visible': True},
|
||||
'shared': {'allow_post': True, 'allow_put': True, 'default': False,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'is_visible': True, 'required_by_policy': True,
|
||||
'enforce_policy': True},
|
||||
'ports': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': converters.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'required_by_policy': True,
|
||||
'validate': {'type:string':
|
||||
nl_db_constants.UUID_FIELD_SIZE},
|
||||
'is_visible': True},
|
||||
'ingress_firewall_policy_id': {'allow_post': True,
|
||||
'allow_put': True,
|
||||
'validate': {'type:uuid_or_none':
|
||||
None},
|
||||
'default': None, 'is_visible': True},
|
||||
'egress_firewall_policy_id': {'allow_post': True,
|
||||
'allow_put': True,
|
||||
'validate': {'type:uuid_or_none':
|
||||
None},
|
||||
'default': None, 'is_visible': True},
|
||||
},
|
||||
'firewall_policies': {
|
||||
'id': {'allow_post': False, 'allow_put': False,
|
||||
'validate': {'type:uuid': None},
|
||||
'is_visible': True,
|
||||
'primary_key': True},
|
||||
'tenant_id': {'allow_post': True, 'allow_put': False,
|
||||
'required_by_policy': True,
|
||||
'validate': {'type:string':
|
||||
nl_db_constants.UUID_FIELD_SIZE},
|
||||
'is_visible': True},
|
||||
'name': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'description': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:string':
|
||||
nl_db_constants.DESCRIPTION_FIELD_SIZE},
|
||||
'is_visible': True, 'default': ''},
|
||||
'shared': {'allow_post': True, 'allow_put': True, 'default': False,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'is_visible': True, 'required_by_policy': True,
|
||||
'enforce_policy': True},
|
||||
'firewall_rules': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'convert_to': converters.convert_none_to_empty_list,
|
||||
'default': None, 'is_visible': True},
|
||||
'audited': {'allow_post': True, 'allow_put': True, 'default': False,
|
||||
'convert_to': converters.convert_to_boolean,
|
||||
'is_visible': True},
|
||||
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
class Firewall_v2(extensions.ExtensionDescriptor):
|
||||
|
||||
api_definition = firewall_v2
|
||||
|
||||
@classmethod
|
||||
def get_name(cls):
|
||||
return firewall_v2.NAME
|
||||
return "Firewall service v2"
|
||||
|
||||
@classmethod
|
||||
def get_alias(cls):
|
||||
return firewall_v2.ALIAS
|
||||
return "fwaas_v2"
|
||||
|
||||
@classmethod
|
||||
def get_description(cls):
|
||||
return firewall_v2.DESCRIPTION
|
||||
return "Extension for Firewall service v2"
|
||||
|
||||
@classmethod
|
||||
def get_updated(cls):
|
||||
return firewall_v2.UPDATED_TIMESTAMP
|
||||
return "2016-08-16T00:00:00-00:00"
|
||||
|
||||
@classmethod
|
||||
def get_resources(cls):
|
||||
"""Returns Ext Resources."""
|
||||
special_mappings = {'firewall_policies': 'firewall_policy'}
|
||||
plural_mappings = resource_helper.build_plural_mappings(
|
||||
{}, firewall_v2.RESOURCE_ATTRIBUTE_MAP)
|
||||
return resource_helper.build_resource_info(
|
||||
plural_mappings,
|
||||
firewall_v2.RESOURCE_ATTRIBUTE_MAP,
|
||||
firewall_v2.ALIAS,
|
||||
action_map=firewall_v2.ACTION_MAP,
|
||||
register_quota=True)
|
||||
special_mappings, RESOURCE_ATTRIBUTE_MAP)
|
||||
action_map = {'firewall_policy': {'insert_rule': 'PUT',
|
||||
'remove_rule': 'PUT'}}
|
||||
return resource_helper.build_resource_info(plural_mappings,
|
||||
RESOURCE_ATTRIBUTE_MAP,
|
||||
FIREWALL_CONST,
|
||||
action_map=action_map)
|
||||
|
||||
@classmethod
|
||||
def get_plugin_interface(cls):
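Review bot: `Firewall_v2.get_resources` on the new side calls `build_resource_info` without `register_quota=True`, while both the removed neutron-lib variant in the same hunk and the v1 `Firewall.get_resources` pass it; without quota registration the v2 firewall_groups, firewall_policies and firewall_rules resources have no per-project creation limit, which is a resource-exhaustion exposure for a multi-tenant API. Whether v2 quotas were ever registered before the reverted change I cannot tell from here (and matching quota options would presumably be needed too), but if the omission is not deliberate the last line should read `action_map=action_map, register_quota=True)`. Separately, the `FirewallRuleAlreadyAssociated` message is missing a space between its two fragments and renders as "FirewallPolicy"; the first fragment should end `"... is already associated with Firewall "`.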
|
||||
@ -62,11 +353,11 @@ class Firewall_v2(extensions.ExtensionDescriptor):
|
||||
|
||||
def update_attributes_map(self, attributes):
|
||||
super(Firewall_v2, self).update_attributes_map(
|
||||
attributes, extension_attrs_map=firewall_v2.RESOURCE_ATTRIBUTE_MAP)
|
||||
attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP)
|
||||
|
||||
def get_extended_resources(self, version):
|
||||
if version == "2.0":
|
||||
return firewall_v2.RESOURCE_ATTRIBUTE_MAP
|
||||
return RESOURCE_ATTRIBUTE_MAP
|
||||
else:
|
||||
return {}
|
||||
|
||||
@ -75,10 +366,10 @@ class Firewall_v2(extensions.ExtensionDescriptor):
|
||||
class Firewallv2PluginBase(service_base.ServicePluginBase):
|
||||
|
||||
def get_plugin_name(self):
|
||||
return fwaas_constants.FIREWALL_V2
|
||||
return FIREWALL_CONST
|
||||
|
||||
def get_plugin_type(self):
|
||||
return fwaas_constants.FIREWALL_V2
|
||||
return FIREWALL_CONST
|
||||
|
||||
def get_plugin_description(self):
|
||||
return 'Firewall Service v2 Plugin'
|
||||
|
@ -13,8 +13,25 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_lib.api.definitions import firewallrouterinsertion
|
||||
from neutron_lib.api import extensions
|
||||
from neutron_lib import constants
|
||||
from neutron_lib import exceptions as nexception
|
||||
|
||||
from neutron_fwaas._i18n import _
|
||||
|
||||
|
||||
class FirewallRouterInUse(nexception.InUse):
|
||||
message = _("Router(s) %(router_ids)s provided already associated with "
|
||||
"other Firewall(s). ")
|
||||
|
||||
|
||||
EXTENDED_ATTRIBUTES_2_0 = {
|
||||
'firewalls': {
|
||||
'router_ids': {'allow_post': True, 'allow_put': True,
|
||||
'validate': {'type:uuid_list': None},
|
||||
'is_visible': True, 'default': constants.ATTR_NOT_SPECIFIED},
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class Firewallrouterinsertion(extensions.ExtensionDescriptor):
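Review bot: `EXTENDED_ATTRIBUTES_2_0['firewalls']['router_ids']` is reinstated with only a `type:uuid_list` validator, which checks syntax, not that the routers exist or belong to the caller's project; the v2 extension in this commit defines `FirewallGroupPortInvalidProject` for the analogous port case, but nothing in this file signals where router ownership is enforced for v1. If that check lives in the plugin (outside this hunk), a comment on the attribute would save the next reader the search: `# uuid_list validates format only; router existence and project ownership are checked by the plugin`. If no such check exists, that is a cross-tenant attachment concern worth confirming.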
|
||||
@ -38,22 +55,22 @@ class Firewallrouterinsertion(extensions.ExtensionDescriptor):
|
||||
"""
|
||||
@classmethod
|
||||
def get_name(cls):
|
||||
return firewallrouterinsertion.NAME
|
||||
return "Firewall Router insertion"
|
||||
|
||||
@classmethod
|
||||
def get_alias(cls):
|
||||
return firewallrouterinsertion.ALIAS
|
||||
return "fwaasrouterinsertion"
|
||||
|
||||
@classmethod
|
||||
def get_description(cls):
|
||||
return firewallrouterinsertion.DESCRIPTION
|
||||
return "Firewall Router insertion on specified set of routers"
|
||||
|
||||
@classmethod
|
||||
def get_updated(cls):
|
||||
return firewallrouterinsertion.UPDATED_TIMESTAMP
|
||||
return "2015-01-27T10:00:00-00:00"
|
||||
|
||||
def get_extended_resources(self, version):
|
||||
if version == "2.0":
|
||||
return firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP
|
||||
return EXTENDED_ATTRIBUTES_2_0
|
||||
else:
|
||||
return {}
|
||||
|
@ -21,10 +21,10 @@ from oslo_log import log as logging
|
||||
from neutron_fwaas._i18n import _, _LE
|
||||
from neutron_fwaas.common import fwaas_constants
|
||||
from neutron_fwaas.common import resources as f_resources
|
||||
from neutron_fwaas.extensions import firewall as fw_ext
|
||||
from neutron_fwaas.services.firewall.agents import firewall_agent_api as api
|
||||
from neutron_fwaas.services.firewall.agents import firewall_service
|
||||
from neutron_lib.agent import l3_extension
|
||||
from neutron_lib.api.definitions import firewall as fw_ext
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
|
||||
|
@ -20,8 +20,8 @@ from oslo_utils import excutils
|
||||
from neutron.agent.linux import iptables_manager
|
||||
from neutron.common import utils
|
||||
from neutron_fwaas._i18n import _LE
|
||||
from neutron_fwaas.common import exceptions as exc
|
||||
from neutron_fwaas.common import fwaas_constants as f_const
|
||||
from neutron_fwaas.extensions import firewall as fw_ext
|
||||
from neutron_fwaas.services.firewall.drivers import fwaas_base
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
@ -92,9 +92,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
else:
|
||||
self.apply_default_policy(agent_mode, apply_list, firewall)
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exc and raise Fwaas generic exception
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_LE("Failed to create firewall: %s"), firewall['id'])
|
||||
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
|
||||
def _get_ipt_mgrs_with_if_prefix(self, agent_mode, router_info):
|
||||
"""Gets the iptables manager along with the if prefix to apply rules.
|
||||
@ -137,9 +137,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
ipt_mgr.defer_apply_off()
|
||||
self.pre_firewall = None
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exc and raise Fwaas generic exception
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_LE("Failed to delete firewall: %s"), fwid)
|
||||
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
|
||||
def update_firewall(self, agent_mode, apply_list, firewall):
|
||||
LOG.debug('Updating firewall %(fw_id)s for tenant %(tid)s',
|
||||
@ -157,9 +157,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
self.apply_default_policy(agent_mode, apply_list, firewall)
|
||||
self.pre_firewall = dict(firewall)
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exc and raise Fwaas generic exception
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(_LE("Failed to update firewall: %s"), firewall['id'])
|
||||
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
|
||||
def apply_default_policy(self, agent_mode, apply_list, firewall):
|
||||
LOG.debug('Applying firewall %(fw_id)s for tenant %(tid)s',
|
||||
@ -182,10 +182,10 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
# apply the changes immediately (no defer in firewall path)
|
||||
ipt_mgr.defer_apply_off()
|
||||
except (LookupError, RuntimeError):
|
||||
# catch known library exc and raise Fwaas generic exception
|
||||
# catch known library exceptions and raise Fwaas generic exception
|
||||
LOG.exception(
|
||||
_LE("Failed to apply default policy on firewall: %s"), fwid)
|
||||
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
|
||||
|
||||
def _setup_firewall(self, agent_mode, apply_list, firewall):
|
||||
fwid = firewall['id']
|
||||
|
@ -15,14 +15,14 @@
|
||||
|
||||
from neutron.agent.linux import iptables_manager
|
||||
from neutron.agent.linux import utils as linux_utils
|
||||
from neutron_lib.api.definitions import firewall as fw_ext
|
||||
from oslo_log import log as logging
|
||||
|
||||
from neutron_fwaas._i18n import _LE
|
||||
from neutron_fwaas.extensions import firewall as fw_ext
|
||||
from neutron_fwaas.services.firewall.drivers import fwaas_base_v2
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
FWAAS_DRIVER_NAME = 'FWaaS iptables driver'
|
||||
FWAAS_DRIVER_NAME = 'Fwaas iptables driver'
|
||||
FWAAS_DEFAULT_CHAIN = 'fwaas-default-policy'
|
||||
|
||||
FWAAS_TO_IPTABLE_ACTION_MAP = {'allow': 'ACCEPT',
|
||||
|
@ -12,7 +12,6 @@
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context as neutron_context
|
||||
from neutron_lib.plugins import directory
|
||||
@ -20,16 +19,15 @@ from neutron_lib.plugins import directory
|
||||
from neutron.common import rpc as n_rpc
|
||||
from neutron.common import utils as n_utils
|
||||
|
||||
from neutron_lib.api.definitions import firewall as fw_ext
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
import oslo_messaging
|
||||
|
||||
from neutron_fwaas._i18n import _
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas._i18n import _LI, _LW
|
||||
from neutron_fwaas.common import fwaas_constants as f_const
|
||||
from neutron_fwaas.db.firewall import firewall_db
|
||||
from neutron_fwaas.db.firewall import firewall_router_insertion_db
|
||||
from neutron_fwaas.extensions import firewall as fw_ext
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
@ -74,13 +72,13 @@ class FirewallCallbacks(object):
|
||||
self.plugin.delete_db_firewall_object(context, firewall_id)
|
||||
return True
|
||||
else:
|
||||
LOG.warning(_('Firewall %(fw)s unexpectedly deleted by '
|
||||
'agent, status was %(status)s'),
|
||||
LOG.warning(_LW('Firewall %(fw)s unexpectedly deleted by '
|
||||
'agent, status was %(status)s'),
|
||||
{'fw': firewall_id, 'status': fw_db.status})
|
||||
fw_db.update({"status": nl_constants.ERROR})
|
||||
return False
|
||||
except exceptions.FirewallNotFound:
|
||||
LOG.info(_('Firewall %s already deleted'), firewall_id)
|
||||
except fw_ext.FirewallNotFound:
|
||||
LOG.info(_LI('Firewall %s already deleted'), firewall_id)
|
||||
return True
|
||||
|
||||
def get_firewalls_for_tenant(self, context, **kwargs):
|
||||
@ -153,7 +151,7 @@ class FirewallPlugin(
|
||||
firewall_db.Firewall_db_mixin.
|
||||
"""
|
||||
supported_extension_aliases = ["fwaas", "fwaasrouterinsertion"]
|
||||
path_prefix = fw_ext.API_PREFIX
|
||||
path_prefix = fw_ext.FIREWALL_PREFIX
|
||||
|
||||
def __init__(self):
|
||||
"""Do the initialization for the firewall service plugin here."""
|
||||
@ -216,7 +214,7 @@ class FirewallPlugin(
|
||||
if fwall['status'] in [nl_constants.PENDING_CREATE,
|
||||
nl_constants.PENDING_UPDATE,
|
||||
nl_constants.PENDING_DELETE]:
|
||||
raise exceptions.FirewallInPendingState(firewall_id=firewall_id,
|
||||
raise fw_ext.FirewallInPendingState(firewall_id=firewall_id,
|
||||
pending_state=fwall['status'])
|
||||
|
||||
def _ensure_update_firewall_policy(self, context, firewall_policy_id):
|
||||
|
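Review bot: The `firewall_deleted` hunk restores the `_LW(...)` and `_LI(...)` log-translation markers (with the matching `_LI, _LW` import in the imports hunk above) in place of the plain `_()` calls; oslo.i18n has deprecated translating log messages, so unless this revert has to be byte-exact the two log calls could keep untranslated strings, e.g. `LOG.info('Firewall %s already deleted', firewall_id)`. The `try` that the `except fw_ext.FirewallNotFound` clause belongs to, and the rest of the method, start outside the hunk.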
@ -16,7 +16,6 @@ from neutron_lib import context as neutron_context
|
||||
from neutron_lib.plugins import directory
|
||||
|
||||
from neutron.common import rpc as n_rpc
|
||||
from neutron_lib.api.definitions import firewall_v2 as fw_ext
|
||||
from neutron_lib import constants as nl_constants
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
@ -27,9 +26,9 @@ from neutron.plugins.common import constants
|
||||
from neutron.services import provider_configuration as provider_conf
|
||||
|
||||
from neutron_fwaas._i18n import _LI
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas.common import fwaas_constants
|
||||
from neutron_fwaas.db.firewall.v2 import firewall_db_v2
|
||||
from neutron_fwaas.extensions import firewall_v2 as fw_ext
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
@ -113,7 +112,7 @@ class FirewallCallbacks(object):
|
||||
{'fwg': fwg_id, 'status': fwg_db.status})
|
||||
fwg_db.update({"status": nl_constants.ERROR})
|
||||
return False
|
||||
except exceptions.FirewallGroupNotFound:
|
||||
except fw_ext.FirewallGroupNotFound:
|
||||
LOG.info(_LI('Firewall group %s already deleted'), fwg_id)
|
||||
return True
|
||||
|
||||
@ -155,7 +154,7 @@ class FirewallPluginV2(
|
||||
firewall_db_v2.Firewall_db_mixin_v2.
|
||||
"""
|
||||
supported_extension_aliases = ["fwaas_v2"]
|
||||
path_prefix = fw_ext.API_PREFIX
|
||||
path_prefix = fw_ext.FIREWALL_PREFIX
|
||||
|
||||
def __init__(self):
|
||||
"""Do the initialization for the firewall service plugin here."""
|
||||
@ -208,7 +207,7 @@ class FirewallPluginV2(
|
||||
if fwg['status'] in [nl_constants.PENDING_CREATE,
|
||||
nl_constants.PENDING_UPDATE,
|
||||
nl_constants.PENDING_DELETE]:
|
||||
raise exceptions.FirewallGroupInPendingState(firewall_id=fwg_id,
|
||||
raise fw_ext.FirewallGroupInPendingState(firewall_id=fwg_id,
|
||||
pending_state=fwg['status'])
|
||||
|
||||
def _ensure_update_firewall_policy(self, context, firewall_policy_id):
|
||||
@ -230,9 +229,9 @@ class FirewallPluginV2(
|
||||
for port_id in fwg_ports:
|
||||
port_db = self._core_plugin._get_port(context, port_id)
|
||||
if port_db['device_owner'] != "network:router_interface":
|
||||
raise exceptions.FirewallGroupPortInvalid(port_id=port_id)
|
||||
raise fw_ext.FirewallGroupPortInvalid(port_id=port_id)
|
||||
if port_db['tenant_id'] != tenant_id:
|
||||
raise exceptions.FirewallGroupPortInvalidProject(
|
||||
raise fw_ext.FirewallGroupPortInvalidProject(
|
||||
port_id=port_id, tenant_id=port_db['tenant_id'])
|
||||
return
|
||||
|
||||
|
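Review bot: In the port-validation hunk the device-owner guard compares against the literal `"network:router_interface"` even though the module imports `nl_constants`; `if port_db['device_owner'] != nl_constants.DEVICE_OWNER_ROUTER_INTF:` ties the check to neutron's own definition and makes it read as the router-interface filter it is. Because that guard runs first, a port owned by a different project that is not a router interface is reported as `FirewallGroupPortInvalid` rather than `FirewallGroupPortInvalidProject`; that is acceptable but deserves a comment such as `# non-router ports are rejected before the project check, so the error names the first failed condition`. The bare `return` after the loop is redundant. The enclosing function, and where `tenant_id` comes from, are outside the hunk.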
@ -328,7 +328,6 @@ class FWaaSExtensionTestJSON(base.BaseFWaaSTest):
|
||||
self.assertNotIn(router1['id'], updated_firewall['router_ids'])
|
||||
self.assertEqual(1, len(updated_firewall['router_ids']))
|
||||
|
||||
@decorators.skip_because(bug="1694363")
|
||||
@decorators.idempotent_id('c60ceff5-d51f-451d-b6e6-cb983d16ab6b')
|
||||
def test_firewall_insertion_mode_one_firewall_per_router(self):
|
||||
# Create router required for an ACTIVE firewall
|
||||
|
@ -154,7 +154,7 @@ class TestFWaaS(base.FWaaSScenarioTest):
|
||||
def _allow_ssh_and_icmp(self, ctx):
|
||||
fw_ssh_rule = self.create_firewall_rule(
|
||||
protocol="tcp",
|
||||
destination_port='22',
|
||||
destination_port=22,
|
||||
action="allow")
|
||||
fw_icmp_rule = self.create_firewall_rule(
|
||||
protocol="icmp",
|
||||
|
@ -24,13 +24,11 @@ from oslo_utils import uuidutils
|
||||
import six
|
||||
import webob.exc
|
||||
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas.common import fwaas_constants as fw_const
|
||||
from neutron_fwaas.db.firewall import firewall_db as fdb
|
||||
from neutron_fwaas import extensions
|
||||
from neutron_fwaas.extensions import firewall
|
||||
from neutron_fwaas.services.firewall import fwaas_plugin
|
||||
from neutron_fwaas.tests import base
|
||||
from neutron_lib.api.definitions import firewall as nl_firewall
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
from neutron_lib.exceptions import l3
|
||||
@ -69,14 +67,14 @@ class FakeAgentApi(fwaas_plugin.FirewallCallbacks):
|
||||
pass
|
||||
|
||||
def delete_firewall(self, context, firewall, **kwargs):
|
||||
self.plugin = directory.get_plugin(fw_const.FIREWALL)
|
||||
self.plugin = directory.get_plugin('FIREWALL')
|
||||
self.firewall_deleted(context, firewall['id'], **kwargs)
|
||||
|
||||
|
||||
class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase):
|
||||
resource_prefix_map = dict(
|
||||
(k, nl_firewall.API_PREFIX)
|
||||
for k in nl_firewall.RESOURCE_ATTRIBUTE_MAP.keys()
|
||||
(k, firewall.FIREWALL_PREFIX)
|
||||
for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys()
|
||||
)
|
||||
|
||||
def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None):
|
||||
@ -88,7 +86,7 @@ class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase):
|
||||
service_plugins = {'fw_plugin_name': fw_plugin}
|
||||
|
||||
fdb.Firewall_db_mixin.supported_extension_aliases = ["fwaas"]
|
||||
fdb.Firewall_db_mixin.path_prefix = nl_firewall.API_PREFIX
|
||||
fdb.Firewall_db_mixin.path_prefix = firewall.FIREWALL_PREFIX
|
||||
super(FirewallPluginDbTestCase, self).setUp(
|
||||
ext_mgr=ext_mgr,
|
||||
service_plugins=service_plugins
|
||||
@ -629,7 +627,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
req = self.new_delete_request('firewall_policies', fwp_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallPolicyNotFound,
|
||||
self.assertRaises(firewall.FirewallPolicyNotFound,
|
||||
self.plugin.get_firewall_policy,
|
||||
ctx, fwp_id)
|
||||
|
||||
@ -652,7 +650,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
req = self.new_delete_request('firewall_policies', fwp_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallPolicyNotFound,
|
||||
self.assertRaises(firewall.FirewallPolicyNotFound,
|
||||
self.plugin.get_firewall_policy,
|
||||
ctx, fwp_id)
|
||||
fw_rule = self.plugin.get_firewall_rule(ctx, fr_id)
|
||||
@ -686,8 +684,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
|
||||
attrs['source_port'] = '10000'
|
||||
attrs['destination_port'] = '80'
|
||||
with self.firewall_rule(source_port='10000',
|
||||
destination_port='80') as firewall_rule:
|
||||
with self.firewall_rule(source_port=10000,
|
||||
destination_port=80) as firewall_rule:
|
||||
for k, v in six.iteritems(attrs):
|
||||
self.assertEqual(v, firewall_rule['firewall_rule'][k])
|
||||
|
||||
@ -839,8 +837,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
with self.firewall_rule() as fwr:
|
||||
data = {'firewall_rule': {'name': name,
|
||||
'protocol': PROTOCOL,
|
||||
'source_port': '10000',
|
||||
'destination_port': '80'}}
|
||||
'source_port': 10000,
|
||||
'destination_port': 80}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
res = self.deserialize(self.fmt,
|
||||
@ -916,7 +914,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
with self.firewall_rule(source_port=None,
|
||||
destination_port=None,
|
||||
protocol=None) as fwr:
|
||||
data = {'firewall_rule': {'destination_port': '80',
|
||||
data = {'firewall_rule': {'destination_port': 80,
|
||||
'protocol': 'tcp'}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
@ -927,7 +925,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
with self.firewall_rule(source_port=None,
|
||||
destination_port=None,
|
||||
protocol=None) as fwr:
|
||||
data = {'firewall_rule': {'destination_port': '80',
|
||||
data = {'firewall_rule': {'destination_port': 80,
|
||||
'protocol': 'icmp'}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
@ -982,7 +980,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
req = self.new_delete_request('firewall_rules', fwr_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallRuleNotFound,
|
||||
self.assertRaises(firewall.FirewallRuleNotFound,
|
||||
self.plugin.get_firewall_rule,
|
||||
ctx, fwr_id)
|
||||
|
||||
@ -1198,7 +1196,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
req = self.new_delete_request('firewalls', fw_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallNotFound,
|
||||
self.assertRaises(firewall.FirewallNotFound,
|
||||
self.plugin.get_firewall,
|
||||
ctx, fw_id)
|
||||
|
||||
@ -1483,7 +1481,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
|
||||
|
||||
def test_check_router_has_no_firewall_raises(self):
|
||||
fw_plugin = mock.Mock()
|
||||
directory.add_plugin(fw_const.FIREWALL, fw_plugin)
|
||||
directory.add_plugin('FIREWALL', fw_plugin)
|
||||
fw_plugin.get_firewalls.return_value = [mock.ANY]
|
||||
kwargs = {
|
||||
'context': mock.ANY,
|
||||
|
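Review bot: `directory.get_plugin('FIREWALL')` in `FakeAgentApi.delete_firewall` and `directory.add_plugin('FIREWALL', fw_plugin)` in `test_check_router_has_no_firewall_raises` spell the plugin registry key as a bare string where the old side used `fw_const.FIREWALL`, whose import this section appears to drop; keeping the import and the constant stops the tests from silently diverging from the key the plugin registers under if it is ever renamed. The same applies to `directory.get_plugin('FIREWALL_V2')` in the v2 test section below.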
@ -26,12 +26,12 @@ import six
|
||||
import testtools
|
||||
import webob.exc
|
||||
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas._i18n import _
|
||||
from neutron_fwaas.db.firewall.v2 import firewall_db_v2 as fdb
|
||||
from neutron_fwaas import extensions
|
||||
from neutron_fwaas.extensions import firewall_v2 as firewall
|
||||
from neutron_fwaas.services.firewall import fwaas_plugin_v2
|
||||
from neutron_fwaas.tests import base
|
||||
from neutron_lib.api.definitions import firewall_v2 as nl_firewall
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
from neutron_lib.plugins import directory
|
||||
@ -69,14 +69,14 @@ class FakeAgentApi(fwaas_plugin_v2.FirewallCallbacks):
|
||||
pass
|
||||
|
||||
def delete_firewall_group(self, context, firewall_group, **kwargs):
|
||||
self.plugin = directory.get_plugin('fwaas_v2')
|
||||
self.plugin = directory.get_plugin('FIREWALL_V2')
|
||||
self.firewall_group_deleted(context, firewall_group['id'], **kwargs)
|
||||
|
||||
|
||||
class FirewallPluginV2DbTestCase(base.NeutronDbPluginV2TestCase):
|
||||
resource_prefix_map = dict(
|
||||
(k, nl_firewall.API_PREFIX)
|
||||
for k in nl_firewall.RESOURCE_ATTRIBUTE_MAP.keys()
|
||||
(k, firewall.FIREWALL_PREFIX)
|
||||
for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys()
|
||||
)
|
||||
|
||||
def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None):
|
||||
@ -89,7 +89,7 @@ class FirewallPluginV2DbTestCase(base.NeutronDbPluginV2TestCase):
|
||||
service_plugins = {'fw_plugin_name': fw_plugin}
|
||||
|
||||
fdb.Firewall_db_mixin_v2.supported_extension_aliases = ["fwaas_v2"]
|
||||
fdb.Firewall_db_mixin_v2.path_prefix = nl_firewall.API_PREFIX
|
||||
fdb.Firewall_db_mixin_v2.path_prefix = firewall.FIREWALL_PREFIX
|
||||
super(FirewallPluginV2DbTestCase, self).setUp(
|
||||
ext_mgr=ext_mgr,
|
||||
service_plugins=service_plugins
|
||||
@ -664,7 +664,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
req = self.new_delete_request('firewall_policies', fwp_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallPolicyNotFound,
|
||||
self.assertRaises(firewall.FirewallPolicyNotFound,
|
||||
self.plugin.get_firewall_policy,
|
||||
ctx, fwp_id)
|
||||
|
||||
@ -688,7 +688,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
req = self.new_delete_request('firewall_policies', fwp_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallPolicyNotFound,
|
||||
self.assertRaises(firewall.FirewallPolicyNotFound,
|
||||
self.plugin.get_firewall_policy,
|
||||
ctx, fwp_id)
|
||||
fw_rule = self.plugin.get_firewall_rule(ctx, fr_id)
|
||||
@ -722,8 +722,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
|
||||
attrs['source_port'] = '10000'
|
||||
attrs['destination_port'] = '80'
|
||||
with self.firewall_rule(source_port='10000',
|
||||
destination_port='80') as firewall_rule:
|
||||
with self.firewall_rule(source_port=10000,
|
||||
destination_port=80) as firewall_rule:
|
||||
for k, v in six.iteritems(attrs):
|
||||
self.assertEqual(v, firewall_rule['firewall_rule'][k])
|
||||
|
||||
@ -876,8 +876,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
with self.firewall_rule() as fwr:
|
||||
data = {'firewall_rule': {'name': name,
|
||||
'protocol': PROTOCOL,
|
||||
'source_port': '10000',
|
||||
'destination_port': '80'}}
|
||||
'source_port': 10000,
|
||||
'destination_port': 80}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
res = self.deserialize(self.fmt,
|
||||
@ -915,7 +915,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
def test_update_firewall_rule_with_port_and_no_proto(self):
|
||||
with self.firewall_rule() as fwr:
|
||||
data = {'firewall_rule': {'protocol': None,
|
||||
'destination_port': '80'}}
|
||||
'destination_port': 80}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
res = req.get_response(self.ext_api)
|
||||
@ -935,7 +935,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
with self.firewall_rule(source_port=None,
|
||||
destination_port=None,
|
||||
protocol=None) as fwr:
|
||||
data = {'firewall_rule': {'destination_port': '80'}}
|
||||
data = {'firewall_rule': {'destination_port': 80}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
res = req.get_response(self.ext_api)
|
||||
@ -953,7 +953,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
with self.firewall_rule(source_port=None,
|
||||
destination_port=None,
|
||||
protocol=None) as fwr:
|
||||
data = {'firewall_rule': {'destination_port': '80',
|
||||
data = {'firewall_rule': {'destination_port': 80,
|
||||
'protocol': 'tcp'}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
@ -964,7 +964,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
with self.firewall_rule(source_port=None,
|
||||
destination_port=None,
|
||||
protocol=None) as fwr:
|
||||
data = {'firewall_rule': {'destination_port': '80',
|
||||
data = {'firewall_rule': {'destination_port': 80,
|
||||
'protocol': 'icmp'}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
@ -974,7 +974,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
with self.firewall_rule(source_port=None,
|
||||
destination_port=None,
|
||||
protocol='icmp') as fwr:
|
||||
data = {'firewall_rule': {'destination_port': '80'}}
|
||||
data = {'firewall_rule': {'destination_port': 80}}
|
||||
req = self.new_update_request('firewall_rules', data,
|
||||
fwr['firewall_rule']['id'])
|
||||
res = req.get_response(self.ext_api)
|
||||
@ -1036,7 +1036,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
req = self.new_delete_request('firewall_rules', fwr_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallRuleNotFound,
|
||||
self.assertRaises(firewall.FirewallRuleNotFound,
|
||||
self.plugin.get_firewall_rule,
|
||||
ctx, fwr_id)
|
||||
|
||||
@ -1202,10 +1202,10 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
fwp_id = fwp['firewall_policy']['id']
|
||||
with self.firewall_group(
|
||||
ingress_firewall_policy_id=fwp_id,
|
||||
admin_state_up=ADMIN_STATE_UP) as tfirewall:
|
||||
admin_state_up=ADMIN_STATE_UP) as firewall:
|
||||
data = {'firewall_group': {'name': name}}
|
||||
req = self.new_update_request(
|
||||
'firewall_groups', data, tfirewall['firewall_group']['id'])
|
||||
req = self.new_update_request('firewall_groups', data,
|
||||
firewall['firewall_group']['id'])
|
||||
res = self.deserialize(self.fmt,
|
||||
req.get_response(self.ext_api))
|
||||
for k, v in six.iteritems(attrs):
|
||||
@ -1277,8 +1277,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
fwp2_id = fwps[1]['firewall_policy']['id']
|
||||
ctx = context.Context('not_admin', 'tenant1')
|
||||
with self.firewall_group(ingress_firewall_policy_id=fwp1_id,
|
||||
context=ctx) as tfirewall:
|
||||
fw_id = tfirewall['firewall_group']['id']
|
||||
context=ctx) as firewall:
|
||||
fw_id = firewall['firewall_group']['id']
|
||||
fw_db = self.plugin._get_firewall_group(ctx, fw_id)
|
||||
fw_db['status'] = nl_constants.ACTIVE
|
||||
# update firewall from fwp1 to fwp2(different tenant)
|
||||
@ -1299,7 +1299,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
|
||||
req = self.new_delete_request('firewall_groups', fw_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(204, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallGroupNotFound,
|
||||
self.assertRaises(firewall.FirewallGroupNotFound,
|
||||
self.plugin.get_firewall_group,
|
||||
ctx, fw_id)
|
||||
|
||||
|
0
neutron_fwaas/tests/unit/extensions/__init__.py
Normal file
0
neutron_fwaas/tests/unit/extensions/__init__.py
Normal file
419
neutron_fwaas/tests/unit/extensions/test_firewall_v2.py
Normal file
419
neutron_fwaas/tests/unit/extensions/test_firewall_v2.py
Normal file
@ -0,0 +1,419 @@
|
||||
# Copyright 2013 Big Switch Networks, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import copy
|
||||
|
||||
import mock
|
||||
from neutron.tests.unit.api.v2 import test_base as test_api_v2
|
||||
from neutron.tests.unit.extensions import base as test_api_v2_extension
|
||||
from neutron_lib.db import constants as db_const
|
||||
from oslo_utils import uuidutils
|
||||
from webob import exc
|
||||
import webtest
|
||||
|
||||
from neutron_fwaas.extensions import firewall_v2
|
||||
|
||||
_uuid = uuidutils.generate_uuid
|
||||
_get_path = test_api_v2._get_path
|
||||
_long_name = 'x' * (db_const.NAME_FIELD_SIZE + 1)
|
||||
_long_description = 'y' * (db_const.DESCRIPTION_FIELD_SIZE + 1)
|
||||
_long_tenant = 'z' * (db_const.PROJECT_ID_FIELD_SIZE + 1)
|
||||
|
||||
FIREWALL_CONST = 'FIREWALL_V2'
|
||||
|
||||
|
||||
class FirewallExtensionTestCase(test_api_v2_extension.ExtensionTestCase):
|
||||
fmt = 'json'
|
||||
|
||||
def setUp(self):
|
||||
super(FirewallExtensionTestCase, self).setUp()
|
||||
plural_mappings = {'firewall_policy': 'firewall_policies'}
|
||||
self._setUpExtension(
|
||||
'neutron_fwaas.extensions.firewall_v2.Firewallv2PluginBase',
|
||||
FIREWALL_CONST, firewall_v2.RESOURCE_ATTRIBUTE_MAP,
|
||||
firewall_v2.Firewall_v2, 'fwaas', plural_mappings=plural_mappings)
|
||||
|
||||
def _test_create_firewall_rule(self, src_port, dst_port):
|
||||
rule_id = _uuid()
|
||||
project_id = _uuid()
|
||||
data = {'firewall_rule': {'description': 'descr_firewall_rule1',
|
||||
'name': 'rule1',
|
||||
'protocol': 'tcp',
|
||||
'ip_version': 4,
|
||||
'source_ip_address': '192.168.0.1',
|
||||
'destination_ip_address': '127.0.0.1',
|
||||
'source_port': src_port,
|
||||
'destination_port': dst_port,
|
||||
'action': 'allow',
|
||||
'enabled': True,
|
||||
'tenant_id': project_id,
|
||||
'shared': False}}
|
||||
expected_ret_val = copy.copy(data['firewall_rule'])
|
||||
expected_ret_val['source_port'] = str(src_port)
|
||||
expected_ret_val['destination_port'] = str(dst_port)
|
||||
expected_ret_val['id'] = rule_id
|
||||
instance = self.plugin.return_value
|
||||
instance.create_firewall_rule.return_value = expected_ret_val
|
||||
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt)
|
||||
data['firewall_rule'].update({'project_id': project_id})
|
||||
self.assertEqual(exc.HTTPCreated.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('firewall_rule', res)
|
||||
self.assertEqual(expected_ret_val, res['firewall_rule'])
|
||||
|
||||
def test_create_firewall_rule_with_integer_ports(self):
|
||||
self._test_create_firewall_rule(1, 10)
|
||||
|
||||
def test_create_firewall_rule_with_string_ports(self):
|
||||
self._test_create_firewall_rule('1', '10')
|
||||
|
||||
def test_create_firewall_rule_with_port_range(self):
|
||||
self._test_create_firewall_rule('1:20', '30:40')
|
||||
|
||||
def test_create_firewall_rule_invalid_long_name(self):
|
||||
data = {'firewall_rule': {'description': 'descr_firewall_rule1',
|
||||
'name': _long_name,
|
||||
'protocol': 'tcp',
|
||||
'ip_version': 4,
|
||||
'source_ip_address': '192.168.0.1',
|
||||
'destination_ip_address': '127.0.0.1',
|
||||
'source_port': 1,
|
||||
'destination_port': 1,
|
||||
'action': 'allow',
|
||||
'enabled': True,
|
||||
'tenant_id': _uuid(),
|
||||
'shared': False}}
|
||||
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
self.assertIn('Invalid input for name', res.body.decode('utf-8'))
|
||||
|
||||
def test_create_firewall_rule_invalid_long_description(self):
|
||||
data = {'firewall_rule': {'description': _long_description,
|
||||
'name': 'rule1',
|
||||
'protocol': 'tcp',
|
||||
'ip_version': 4,
|
||||
'source_ip_address': '192.168.0.1',
|
||||
'destination_ip_address': '127.0.0.1',
|
||||
'source_port': 1,
|
||||
'destination_port': 1,
|
||||
'action': 'allow',
|
||||
'enabled': True,
|
||||
'tenant_id': _uuid(),
|
||||
'shared': False}}
|
||||
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
self.assertIn('Invalid input for description',
|
||||
res.body.decode('utf-8'))
|
||||
|
||||
def test_create_firewall_rule_invalid_long_tenant_id(self):
|
||||
data = {'firewall_rule': {'description': 'desc',
|
||||
'name': 'rule1',
|
||||
'protocol': 'tcp',
|
||||
'ip_version': 4,
|
||||
'source_ip_address': '192.168.0.1',
|
||||
'destination_ip_address': '127.0.0.1',
|
||||
'source_port': 1,
|
||||
'destination_port': 1,
|
||||
'action': 'allow',
|
||||
'enabled': True,
|
||||
'tenant_id': _long_tenant,
|
||||
'shared': False}}
|
||||
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
self.assertIn('Invalid input for ', res.body.decode('utf-8'))
|
||||
|
||||
def test_firewall_rule_list(self):
|
||||
rule_id = _uuid()
|
||||
return_value = [{'tenant_id': _uuid(),
|
||||
'id': rule_id}]
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.get_firewall_rules.return_value = return_value
|
||||
|
||||
res = self.api.get(_get_path('fwaas/firewall_rules', fmt=self.fmt))
|
||||
|
||||
instance.get_firewall_rules.assert_called_with(mock.ANY,
|
||||
fields=mock.ANY,
|
||||
filters=mock.ANY)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
|
||||
def test_firewall_rule_get(self):
|
||||
rule_id = _uuid()
|
||||
return_value = {'tenant_id': _uuid(),
|
||||
'id': rule_id}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.get_firewall_rule.return_value = return_value
|
||||
|
||||
res = self.api.get(_get_path('fwaas/firewall_rules',
|
||||
id=rule_id, fmt=self.fmt))
|
||||
|
||||
instance.get_firewall_rule.assert_called_with(mock.ANY,
|
||||
rule_id,
|
||||
fields=mock.ANY)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('firewall_rule', res)
|
||||
self.assertEqual(return_value, res['firewall_rule'])
|
||||
|
||||
def test_firewall_rule_update(self):
|
||||
rule_id = _uuid()
|
||||
update_data = {'firewall_rule': {'action': 'deny'}}
|
||||
return_value = {'tenant_id': _uuid(),
|
||||
'id': rule_id}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.update_firewall_rule.return_value = return_value
|
||||
|
||||
res = self.api.put(_get_path('fwaas/firewall_rules', id=rule_id,
|
||||
fmt=self.fmt),
|
||||
self.serialize(update_data))
|
||||
|
||||
instance.update_firewall_rule.assert_called_with(
|
||||
mock.ANY,
|
||||
rule_id,
|
||||
firewall_rule=update_data)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('firewall_rule', res)
|
||||
self.assertEqual(return_value, res['firewall_rule'])
|
||||
|
||||
def test_firewall_rule_delete(self):
|
||||
self._test_entity_delete('firewall_rule')
|
||||
|
||||
def test_create_firewall_policy(self):
|
||||
policy_id = _uuid()
|
||||
project_id = _uuid()
|
||||
data = {'firewall_policy': {'description': 'descr_firewall_policy1',
|
||||
'name': 'new_fw_policy1',
|
||||
'firewall_rules': [_uuid(), _uuid()],
|
||||
'audited': False,
|
||||
'tenant_id': project_id,
|
||||
'shared': False}}
|
||||
return_value = copy.copy(data['firewall_policy'])
|
||||
return_value.update({'id': policy_id})
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.create_firewall_policy.return_value = return_value
|
||||
res = self.api.post(_get_path('fwaas/firewall_policies',
|
||||
fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt)
|
||||
data['firewall_policy'].update({'project_id': project_id})
|
||||
self.assertEqual(exc.HTTPCreated.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('firewall_policy', res)
|
||||
self.assertEqual(return_value, res['firewall_policy'])
|
||||
|
||||
def test_create_firewall_policy_invalid_long_name(self):
|
||||
data = {'firewall_policy': {'description': 'descr_firewall_policy1',
|
||||
'name': _long_name,
|
||||
'firewall_rules': [_uuid(), _uuid()],
|
||||
'audited': False,
|
||||
'tenant_id': _uuid(),
|
||||
'shared': False}}
|
||||
res = self.api.post(_get_path('fwaas/firewall_policies',
|
||||
fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
self.assertIn('Invalid input for name', res.body.decode('utf-8'))
|
||||
|
||||
def test_create_firewall_policy_invalid_long_description(self):
|
||||
data = {'firewall_policy': {'description': _long_description,
|
||||
'name': 'new_fw_policy1',
|
||||
'firewall_rules': [_uuid(), _uuid()],
|
||||
'audited': False,
|
||||
'tenant_id': _uuid(),
|
||||
'shared': False}}
|
||||
res = self.api.post(_get_path('fwaas/firewall_policies',
|
||||
fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
self.assertIn('Invalid input for description',
|
||||
res.body.decode('utf-8'))
|
||||
|
||||
def test_create_firewall_policy_invalid_long_tenant_id(self):
|
||||
data = {'firewall_policy': {'description': 'desc',
|
||||
'name': 'new_fw_policy1',
|
||||
'firewall_rules': [_uuid(), _uuid()],
|
||||
'audited': False,
|
||||
'tenant_id': _long_tenant,
|
||||
'shared': False}}
|
||||
res = self.api.post(_get_path('fwaas/firewall_policies',
|
||||
fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
self.assertIn('Invalid input for ', res.body.decode('utf-8'))
|
||||
|
||||
def test_firewall_policy_list(self):
|
||||
policy_id = _uuid()
|
||||
return_value = [{'tenant_id': _uuid(),
|
||||
'id': policy_id}]
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.get_firewall_policies.return_value = return_value
|
||||
|
||||
res = self.api.get(_get_path('fwaas/firewall_policies',
|
||||
fmt=self.fmt))
|
||||
|
||||
instance.get_firewall_policies.assert_called_with(mock.ANY,
|
||||
fields=mock.ANY,
|
||||
filters=mock.ANY)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
|
||||
def test_firewall_policy_get(self):
|
||||
policy_id = _uuid()
|
||||
return_value = {'tenant_id': _uuid(),
|
||||
'id': policy_id}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.get_firewall_policy.return_value = return_value
|
||||
|
||||
res = self.api.get(_get_path('fwaas/firewall_policies',
|
||||
id=policy_id, fmt=self.fmt))
|
||||
|
||||
instance.get_firewall_policy.assert_called_with(mock.ANY,
|
||||
policy_id,
|
||||
fields=mock.ANY)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('firewall_policy', res)
|
||||
self.assertEqual(return_value, res['firewall_policy'])
|
||||
|
||||
def test_firewall_policy_update(self):
|
||||
policy_id = _uuid()
|
||||
update_data = {'firewall_policy': {'audited': True}}
|
||||
return_value = {'tenant_id': _uuid(),
|
||||
'id': policy_id}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.update_firewall_policy.return_value = return_value
|
||||
|
||||
res = self.api.put(_get_path('fwaas/firewall_policies',
|
||||
id=policy_id,
|
||||
fmt=self.fmt),
|
||||
self.serialize(update_data))
|
||||
|
||||
instance.update_firewall_policy.assert_called_with(
|
||||
mock.ANY,
|
||||
policy_id,
|
||||
firewall_policy=update_data)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('firewall_policy', res)
|
||||
self.assertEqual(return_value, res['firewall_policy'])
|
||||
|
||||
def test_firewall_policy_update_malformed_rules(self):
|
||||
# emulating client request when no rule uuids are provided for
|
||||
# --firewall_rules parameter
|
||||
update_data = {'firewall_policy': {'firewall_rules': True}}
|
||||
# have to check for generic AppError
|
||||
self.assertRaises(
|
||||
webtest.AppError,
|
||||
self.api.put,
|
||||
_get_path('fwaas/firewall_policies', id=_uuid(), fmt=self.fmt),
|
||||
self.serialize(update_data))
|
||||
|
||||
def test_firewall_policy_delete(self):
|
||||
self._test_entity_delete('firewall_policy')
|
||||
|
||||
def test_firewall_policy_insert_rule(self):
|
||||
firewall_policy_id = _uuid()
|
||||
firewall_rule_id = _uuid()
|
||||
ref_firewall_rule_id = _uuid()
|
||||
|
||||
insert_data = {'firewall_rule_id': firewall_rule_id,
|
||||
'insert_before': ref_firewall_rule_id,
|
||||
'insert_after': None}
|
||||
return_value = {'firewall_policy':
|
||||
{'tenant_id': _uuid(),
|
||||
'id': firewall_policy_id,
|
||||
'firewall_rules': [ref_firewall_rule_id,
|
||||
firewall_rule_id]}}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.insert_rule.return_value = return_value
|
||||
|
||||
path = _get_path('fwaas/firewall_policies', id=firewall_policy_id,
|
||||
action="insert_rule",
|
||||
fmt=self.fmt)
|
||||
res = self.api.put(path, self.serialize(insert_data))
|
||||
instance.insert_rule.assert_called_with(mock.ANY, firewall_policy_id,
|
||||
insert_data)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertEqual(return_value, res)
|
||||
|
||||
def test_firewall_policy_remove_rule(self):
|
||||
firewall_policy_id = _uuid()
|
||||
firewall_rule_id = _uuid()
|
||||
|
||||
remove_data = {'firewall_rule_id': firewall_rule_id}
|
||||
return_value = {'firewall_policy':
|
||||
{'tenant_id': _uuid(),
|
||||
'id': firewall_policy_id,
|
||||
'firewall_rules': []}}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.remove_rule.return_value = return_value
|
||||
|
||||
path = _get_path('fwaas/firewall_policies', id=firewall_policy_id,
|
||||
action="remove_rule",
|
||||
fmt=self.fmt)
|
||||
res = self.api.put(path, self.serialize(remove_data))
|
||||
instance.remove_rule.assert_called_with(mock.ANY, firewall_policy_id,
|
||||
remove_data)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertEqual(return_value, res)
|
||||
|
||||
def test_create_firewall_group_invalid_long_attributes(self):
|
||||
long_targets = [{'name': _long_name},
|
||||
{'description': _long_description},
|
||||
{'tenant_id': _long_tenant}]
|
||||
|
||||
for target in long_targets:
|
||||
data = {'firewall_group': {'description': 'fake_description',
|
||||
'name': 'fake_name',
|
||||
'tenant_id': 'fake-tenant_id',
|
||||
'ingress_firewall_policy_id': None,
|
||||
'egress_firewall_policy_id': None,
|
||||
'admin_state_up': True,
|
||||
'ports': [],
|
||||
'shared': False}}
|
||||
data['firewall_group'].update(target)
|
||||
res = self.api.post(_get_path('fwaas/firewall_groups',
|
||||
fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt,
|
||||
status=exc.HTTPBadRequest.code)
|
||||
#TODO(njohnston): Remove this when neutron starts returning
|
||||
# project_id in a dependable fashion, as opposed to tenant_id.
|
||||
target_attr_name = list(target)[0]
|
||||
if target_attr_name == 'tenant_id':
|
||||
target_attr_name = ''
|
||||
self.assertIn('Invalid input for %s' % target_attr_name,
|
||||
res.body.decode('utf-8'))
|
@ -27,25 +27,21 @@ import six
|
||||
import uuid
|
||||
from webob import exc
|
||||
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas.common import fwaas_constants as fw_const
|
||||
from neutron_fwaas.db.firewall import firewall_db as fdb
|
||||
import neutron_fwaas.extensions
|
||||
from neutron_fwaas.extensions import firewall
|
||||
from neutron_fwaas.extensions import firewallrouterinsertion
|
||||
from neutron_fwaas.services.firewall import fwaas_plugin
|
||||
from neutron_fwaas.tests import base
|
||||
from neutron_fwaas.tests.unit.db.firewall import (
|
||||
test_firewall_db as test_db_firewall)
|
||||
|
||||
from neutron_lib.api import attributes as attr
|
||||
import neutron_lib.api.definitions
|
||||
from neutron_lib.api.definitions import firewall as fw
|
||||
from neutron_lib.api.definitions import firewall_v2
|
||||
from neutron_lib.api.definitions import firewallrouterinsertion
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
from neutron_lib.plugins import directory
|
||||
|
||||
extensions_path = neutron_lib.api.definitions.__path__[0]
|
||||
extensions_path = neutron_fwaas.extensions.__path__[0]
|
||||
|
||||
FW_PLUGIN_KLASS = (
|
||||
"neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin"
|
||||
@ -56,8 +52,8 @@ class FirewallTestExtensionManager(test_l3_plugin.L3TestExtensionManager):
|
||||
|
||||
def get_resources(self):
|
||||
res = super(FirewallTestExtensionManager, self).get_resources()
|
||||
fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].update(
|
||||
firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP['firewalls'])
|
||||
firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].update(
|
||||
firewallrouterinsertion.EXTENDED_ATTRIBUTES_2_0['firewalls'])
|
||||
return res + firewall.Firewall.get_resources()
|
||||
|
||||
def get_actions(self):
|
||||
@ -99,12 +95,12 @@ class TestFirewallRouterInsertionBase(
|
||||
self.setup_notification_driver()
|
||||
|
||||
self.l3_plugin = directory.get_plugin(nl_constants.L3)
|
||||
self.plugin = directory.get_plugin(fw_const.FIREWALL)
|
||||
self.plugin = directory.get_plugin('FIREWALL')
|
||||
self.callbacks = self.plugin.endpoints[0]
|
||||
|
||||
def restore_attribute_map(self):
|
||||
# Remove the fwaasrouterinsertion extension
|
||||
fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids')
|
||||
firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids')
|
||||
# Restore the original RESOURCE_ATTRIBUTE_MAP
|
||||
attr.RESOURCES = self.saved_attr_map
|
||||
|
||||
@ -189,7 +185,7 @@ class TestFirewallCallbacks(TestFirewallRouterInsertionBase):
|
||||
ctx.session.flush()
|
||||
res = self.callbacks.firewall_deleted(ctx, fw_id)
|
||||
self.assertTrue(res)
|
||||
self.assertRaises(exceptions.FirewallNotFound,
|
||||
self.assertRaises(firewall.FirewallNotFound,
|
||||
self.plugin.get_firewall,
|
||||
ctx, fw_id)
|
||||
|
||||
@ -224,7 +220,7 @@ class TestFirewallCallbacks(TestFirewallRouterInsertionBase):
|
||||
observed = self.callbacks.firewall_deleted(ctx, fw_id)
|
||||
self.assertTrue(observed)
|
||||
|
||||
self.assertRaises(exceptions.FirewallNotFound,
|
||||
self.assertRaises(firewall.FirewallNotFound,
|
||||
self.plugin.get_firewall,
|
||||
ctx, fw_id)
|
||||
|
||||
@ -539,7 +535,7 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
|
||||
req = self.new_delete_request('firewalls', fw_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(exc.HTTPNoContent.code, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallNotFound,
|
||||
self.assertRaises(firewall.FirewallNotFound,
|
||||
self.plugin.get_firewall,
|
||||
ctx, fw_id)
|
||||
|
||||
@ -553,7 +549,7 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
|
||||
req = self.new_delete_request('firewalls', fw_id)
|
||||
res = req.get_response(self.ext_api)
|
||||
self.assertEqual(exc.HTTPNoContent.code, res.status_int)
|
||||
self.assertRaises(exceptions.FirewallNotFound,
|
||||
self.assertRaises(firewall.FirewallNotFound,
|
||||
self.plugin.get_firewall,
|
||||
ctx, fw_id)
|
||||
|
||||
@ -740,7 +736,7 @@ class TestFirewallRouterPluginBase(test_db_firewall.FirewallPluginDbTestCase,
|
||||
fdb.Firewall_db_mixin.\
|
||||
supported_extension_aliases = ["fwaas",
|
||||
"fwaasrouterinsertion"]
|
||||
fdb.Firewall_db_mixin.path_prefix = firewall_v2.API_PREFIX
|
||||
fdb.Firewall_db_mixin.path_prefix = firewall.FIREWALL_PREFIX
|
||||
|
||||
super(test_db_firewall.FirewallPluginDbTestCase, self).setUp(
|
||||
ext_mgr=ext_mgr,
|
||||
@ -753,7 +749,7 @@ class TestFirewallRouterPluginBase(test_db_firewall.FirewallPluginDbTestCase,
|
||||
self.ext_api = api_ext.ExtensionMiddleware(app, ext_mgr=ext_mgr)
|
||||
|
||||
self.l3_plugin = directory.get_plugin(nl_constants.L3)
|
||||
self.plugin = directory.get_plugin(fw_const.FIREWALL)
|
||||
self.plugin = directory.get_plugin('FIREWALL')
|
||||
|
||||
def test_get_firewall_tenant_ids_on_host_with_associated_router(self):
|
||||
agent = helpers.register_l3_agent("host1")
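Review bot: `restore_attribute_map` pops `router_ids` from `firewall.RESOURCE_ATTRIBUTE_MAP['firewalls']` unconditionally, so if a test's setUp fails before `get_resources` has merged `firewallrouterinsertion.EXTENDED_ATTRIBUTES_2_0` into that shared map, the cleanup itself raises KeyError and masks the original failure; `firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids', None)` keeps the cleanup idempotent. Both `get_resources` and `restore_attribute_map` mutate a module-level extension map in place, so a comment on the `update(...)` call such as `# mutates the shared extension map in place; undone in restore_attribute_map` would make the pairing explicit. The plugin key also becomes the bare literal `'FIREWALL'` in two setUp methods; a single module-level constant would keep the two lookups from drifting apart. The rendered page lost its +/- markers, so which lines are the new side is inferred from the revert's direction (the `neutron_fwaas.extensions`-qualified lines) — please confirm. The enclosing classes and setUp methods start and end outside these hunks.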
|
||||
|
@ -19,20 +19,17 @@ from neutron.tests.unit.extensions import test_l3 as test_l3_plugin
|
||||
from oslo_config import cfg
|
||||
import six
|
||||
|
||||
|
||||
from neutron_fwaas.common import exceptions
|
||||
import neutron_fwaas.extensions
|
||||
from neutron_fwaas.extensions import firewall_v2
|
||||
from neutron_fwaas.services.firewall import fwaas_plugin_v2
|
||||
from neutron_fwaas.tests import base
|
||||
from neutron_fwaas.tests.unit.db.firewall.v2 import (
|
||||
test_firewall_db_v2 as test_db_firewall)
|
||||
|
||||
import neutron_lib.api.definitions
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
from neutron_lib.plugins import directory
|
||||
|
||||
extensions_path = neutron_lib.api.definitions.__path__[0]
|
||||
extensions_path = neutron_fwaas.extensions.__path__[0]
|
||||
|
||||
FW_PLUGIN_KLASS = (
|
||||
"neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2"
|
||||
@ -114,7 +111,7 @@ class TestFirewallRouterPortBase(
|
||||
self.setup_notification_driver()
|
||||
|
||||
self.l3_plugin = directory.get_plugin(nl_constants.L3)
|
||||
self.plugin = directory.get_plugin('fwaas_v2')
|
||||
self.plugin = directory.get_plugin('FIREWALL_V2')
|
||||
self.callbacks = self.plugin.endpoints[0]
|
||||
|
||||
|
||||
@ -162,7 +159,7 @@ class TestFirewallCallbacks(TestFirewallRouterPortBase):
|
||||
observed = self.callbacks.firewall_group_deleted(ctx, fwg_id)
|
||||
self.assertTrue(observed)
|
||||
|
||||
self.assertRaises(exceptions.FirewallGroupNotFound,
|
||||
self.assertRaises(firewall_v2.FirewallGroupNotFound,
|
||||
self.plugin.get_firewall_group,
|
||||
ctx, fwg_id)
|
||||
|
||||
@ -198,7 +195,7 @@ class TestFirewallCallbacks(TestFirewallRouterPortBase):
|
||||
ctx, fwg_id)
|
||||
self.assertTrue(observed)
|
||||
|
||||
self.assertRaises(exceptions.FirewallGroupNotFound,
|
||||
self.assertRaises(firewall_v2.FirewallGroupNotFound,
|
||||
self.plugin.get_firewall_group,
|
||||
ctx, fwg_id)
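Review bot: `self.plugin = directory.get_plugin('FIREWALL_V2')` depends on a bare string matching whatever key `FirewallPluginV2` registers itself under, which is not visible here; if the key is wrong `get_plugin` returns None and the next line, `self.callbacks = self.plugin.endpoints[0]`, fails with an AttributeError that says nothing about the plugin lookup. A guard such as `self.assertIsNotNone(self.plugin, 'FIREWALL_V2 plugin not registered')`, or reusing the constant the plugin registers with, would make that failure diagnosable. Which of `'fwaas_v2'` / `'FIREWALL_V2'` is the new side is inferred from the revert direction because the rendered page dropped its +/- markers — please confirm. The setUp this line belongs to starts outside the hunk.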
|
||||
|
||||
|