Merge "Disallow setting /0 for network other than 0.0.0.0"

2013-02-12 13:45:43 +00:00
parent 31f08a3869 a92445e33d
commit b64c53e036
2 changed files with 39 additions and 0 deletions
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
@@ -30,6 +30,7 @@ from nova.compute import api as compute_api
 from nova import db
 from nova import exception
 from nova.openstack.common import log as logging
+from nova.virt import netutils

 LOG = logging.getLogger(__name__)
 authorize = extensions.extension_authorizer('compute', 'security_groups')
@@ -332,6 +333,12 @@ class SecurityGroupRulesController(SecurityGroupControllerBase):

        values['parent_group_id'] = security_group.id

+        if 'cidr' in values:
+            net, prefixlen = netutils.get_net_and_prefixlen(values['cidr'])
+            if net != '0.0.0.0' and prefixlen == '0':
+                msg = _("Bad prefix for network in cidr %s") % values['cidr']
+                raise exc.HTTPBadRequest(explanation=msg)
+
        if self.security_group_api.rule_exists(security_group, values):
            msg = _('This rule already exists in group %s') % parent_group_id
            raise exc.HTTPBadRequest(explanation=msg)
--- a/nova/tests/api/openstack/compute/contrib/test_security_groups.py
+++ b/nova/tests/api/openstack/compute/contrib/test_security_groups.py
@@ -1011,6 +1011,38 @@ class TestSecurityGroupRules(test.TestCase):
                          self.controller.create,
                          req, {'security_group_rule': rule})

+    def test_create_rule_cidr_allow_all(self):
+        rule = security_group_rule_template(cidr='0.0.0.0/0')
+
+        req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
+        res_dict = self.controller.create(req, {'security_group_rule': rule})
+
+        security_group_rule = res_dict['security_group_rule']
+        self.assertNotEquals(security_group_rule['id'], 0)
+        self.assertEquals(security_group_rule['parent_group_id'],
+                          self.parent_security_group['id'])
+        self.assertEquals(security_group_rule['ip_range']['cidr'],
+                          "0.0.0.0/0")
+
+    def test_create_rule_cidr_allow_some(self):
+        rule = security_group_rule_template(cidr='15.0.0.0/8')
+
+        req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
+        res_dict = self.controller.create(req, {'security_group_rule': rule})
+
+        security_group_rule = res_dict['security_group_rule']
+        self.assertNotEquals(security_group_rule['id'], 0)
+        self.assertEquals(security_group_rule['parent_group_id'],
+                          self.parent_security_group['id'])
+        self.assertEquals(security_group_rule['ip_range']['cidr'],
+                          "15.0.0.0/8")
+
+    def test_create_rule_cidr_bad_netmask(self):
+        rule = security_group_rule_template(cidr='15.0.0.0/0')
+        req = fakes.HTTPRequest.blank('/v2/fake/os-security-group-rules')
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+                          req, {'security_group_rule': rule})
+

 class TestSecurityGroupRulesXMLDeserializer(test.TestCase):