AuthorizeSecurityGroupIngress now works.

2010-09-09 15:13:04 +02:00
parent bd07d6b3b3
commit bd7ac72b97
5 changed files with 162 additions and 14 deletions
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -461,6 +461,19 @@ def security_group_get_by_user(context, user_id):
    return IMPL.security_group_get_by_user(context, user_id)


+def security_group_get_by_user_and_name(context, user_id, name):
+    """Get user's named security group"""
+    return IMPL.security_group_get_by_user_and_name(context, user_id, name)
+
+
 def security_group_destroy(context, security_group_id):
    """Deletes a security group"""
    return IMPL.security_group_destroy(context, security_group_id)
+
+
+####################
+
+
+def security_group_rule_create(context, values):
+    """Create a new security group"""
+    return IMPL.security_group_rule_create(context, values)
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -609,6 +609,14 @@ def security_group_get_by_user(_context, user_id):
                             .filter_by(deleted=False) \
                             .all()

+def security_group_get_by_user_and_name(_context, user_id, name):
+    with managed_session() as session:
+        return session.query(models.SecurityGroup) \
+                             .filter_by(user_id=user_id) \
+                             .filter_by(name=name) \
+                             .filter_by(deleted=False) \
+                             .one()
+
 def security_group_destroy(_context, security_group_id):
    with managed_session() as session:
        security_group = session.query(models.SecurityGroup) \
@@ -619,3 +627,14 @@ def security_group_get_all(_context):
    return models.SecurityGroup.all()


+
+
+###################
+
+
+def security_group_rule_create(_context, values):
+    security_group_rule_ref = models.SecurityGroupIngressRule()
+    for (key, value) in values.iteritems():
+        security_group_rule_ref[key] = value
+    security_group_rule_ref.save()
+    return security_group_rule_ref
--- a/nova/db/sqlalchemy/models.py
+++ b/nova/db/sqlalchemy/models.py
@@ -330,12 +330,11 @@ class SecurityGroupIngressRule(BASE, NovaBase):

    parent_security_group = Column(Integer, ForeignKey('security_group.id'))
    protocol = Column(String(5)) # "tcp", "udp", or "icmp"
-    fromport = Column(Integer)
-    toport = Column(Integer)
+    from_port = Column(Integer)
+    to_port = Column(Integer)

-    # Note: This is not the parent SecurityGroup's owner. It's the owner of
-    # the SecurityGroup we're granting access.
-    user_id = Column(String(255))
+    # Note: This is not the parent SecurityGroup. It's SecurityGroup we're
+    # granting access for.
    group_id = Column(Integer, ForeignKey('security_group.id'))

    @property
--- a/nova/endpoint/cloud.py
+++ b/nova/endpoint/cloud.py
@@ -214,14 +214,54 @@ class CloudController(object):
    @rbac.allow('all')
    def describe_security_groups(self, context, **kwargs):
        groups = {'securityGroupSet': 
-                    [{ 'groupDescription': group.description,
-                       'groupName' : group.name,
-                       'ownerId': context.user.id } for group in db.security_group_get_by_user(context, context.user.id) ] }
+                  [{ 'groupDescription': group.description,
+                     'groupName' : group.name,
+                     'ownerId': context.user.id } for group in \
+                         db.security_group_get_by_user(context,
+                                                       context.user.id) ] }

        return groups

    @rbac.allow('netadmin')
-    def authorize_security_group_ingress(self, context, group_name, **kwargs):
+    def authorize_security_group_ingress(self, context, group_name,
+                                         to_port=None, from_port=None,
+                                         ip_protocol=None, cidr_ip=None,
+                                         user_id=None,
+                                         source_security_group_name=None,
+                                         source_security_group_owner_id=None):
+        security_group = db.security_group_get_by_user_and_name(context,
+                                                                context.user.id,
+                                                                group_name)
+        values = { 'parent_security_group' : security_group.id }
+
+        # Aw, crap.
+        if source_security_group_name:
+            if source_security_group_owner_id:
+                other_user_id = source_security_group_owner_id
+            else: 
+                other_user_id = context.user.id
+
+            foreign_security_group = \
+                    db.security_group_get_by_user_and_name(context,
+                                                other_user_id,
+                                                source_security_group_name)
+            values['group_id'] = foreign_security_group.id
+        elif cidr_ip:
+            values['cidr'] = cidr_ip
+        else:
+            return { 'return': False }
+
+        if ip_protocol and from_port and to_port:
+            values['protocol'] = ip_protocol
+            values['from_port'] = from_port
+            values['to_port'] = to_port
+        else:
+            # If cidr based filtering, protocol and ports are mandatory
+            if 'cidr' in values:
+                print values
+                return None
+
+        security_group_rule = db.security_group_rule_create(context, values)
        return True

    @rbac.allow('netadmin')
@@ -234,6 +274,8 @@ class CloudController(object):

    @rbac.allow('netadmin')
    def delete_security_group(self, context, group_name, **kwargs):
+        security_group = db.security_group_get_by_user_and_name(context, context.user.id, group_name)
+        security_group.delete()
        return True

    @rbac.allow('projectmanager', 'sysadmin')
--- a/nova/tests/api_unittest.py
+++ b/nova/tests/api_unittest.py
@@ -233,20 +233,29 @@ class ApiEc2TestCase(test.BaseTestCase):
        self.manager.delete_user(user)

    def test_get_all_security_groups(self):
-        """Test that operations on security groups stick"""
+        """Test that we can retrieve security groups"""
        self.expect_http()
        self.mox.ReplayAll()
-        security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
-                                      for x in range(random.randint(4, 8)))
        user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
        project = self.manager.create_project('fake', 'fake', 'fake')

        rv = self.ec2.get_all_security_groups()
-        self.assertEquals(len(rv), 1)
-        self.assertEquals(rv[0].name,  'default')

+        self.assertEquals(len(rv), 1)
+        self.assertEquals(rv[0].name, 'default')
+
+        self.manager.delete_project(project)
+        self.manager.delete_user(user)
+
+    def test_create_delete_security_group(self):
+        """Test that we can create a security group"""
        self.expect_http()
        self.mox.ReplayAll()
+        user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
+        project = self.manager.create_project('fake', 'fake', 'fake')
+
+        security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
+                                      for x in range(random.randint(4, 8)))

        self.ec2.create_security_group(security_group_name, 'test group')

@@ -257,5 +266,71 @@ class ApiEc2TestCase(test.BaseTestCase):
        self.assertEquals(len(rv), 2)
        self.assertTrue(security_group_name in [group.name for group in rv])

+        self.expect_http()
+        self.mox.ReplayAll()
+
+        self.ec2.delete_security_group(security_group_name)
+
        self.manager.delete_project(project)
        self.manager.delete_user(user)
+
+    def test_authorize_security_group_cidr(self):
+        """Test that we can add rules to a security group"""
+        self.expect_http()
+        self.mox.ReplayAll()
+        user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
+        project = self.manager.create_project('fake', 'fake', 'fake')
+
+        security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
+                                      for x in range(random.randint(4, 8)))
+
+        group = self.ec2.create_security_group(security_group_name, 'test group')
+
+        self.expect_http()
+        self.mox.ReplayAll()
+        group.connection = self.ec2
+
+        group.authorize('tcp', 80, 80, '0.0.0.0/0')
+
+        self.expect_http()
+        self.mox.ReplayAll()
+
+        self.ec2.delete_security_group(security_group_name)
+
+        self.manager.delete_project(project)
+        self.manager.delete_user(user)
+
+        return
+
+    def test_authorize_security_group_foreign_group(self):
+        """Test that we can grant another security group access to a security group"""
+        self.expect_http()
+        self.mox.ReplayAll()
+        user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
+        project = self.manager.create_project('fake', 'fake', 'fake')
+
+        security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
+                                      for x in range(random.randint(4, 8)))
+
+        group = self.ec2.create_security_group(security_group_name, 'test group')
+
+        self.expect_http()
+        self.mox.ReplayAll()
+
+        other_group = self.ec2.create_security_group('appserver', 'The application tier')
+
+        self.expect_http()
+        self.mox.ReplayAll()
+        group.connection = self.ec2
+
+        group.authorize(src_group=other_group)
+
+        self.expect_http()
+        self.mox.ReplayAll()
+
+        self.ec2.delete_security_group(security_group_name)
+
+        self.manager.delete_project(project)
+        self.manager.delete_user(user)
+
+        return