From 6611297f72a975d07c9f42f6a189525bde19497e Mon Sep 17 00:00:00 2001
From: Soren Hansen <soren.hansen@rackspace.com>
Date: Mon, 6 Dec 2010 22:19:29 +0100
Subject: [PATCH 1/4] Add iptables based security groups implementation.

---
 nova/db/sqlalchemy/api.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index afa55fc03..21b991548 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -574,12 +574,14 @@ def instance_get(context, instance_id, session=None):
     if is_admin_context(context):
         result = session.query(models.Instance).\
                          options(joinedload('security_groups')).\
+                         options(joinedload_all('security_groups.rules')).\
                          filter_by(id=instance_id).\
                          filter_by(deleted=can_read_deleted(context)).\
                          first()
     elif is_user_context(context):
         result = session.query(models.Instance).\
                          options(joinedload('security_groups')).\
+                         options(joinedload_all('security_groups.rules')).\
                          filter_by(project_id=context.project_id).\
                          filter_by(id=instance_id).\
                          filter_by(deleted=False).\
@@ -1505,6 +1507,24 @@ def security_group_rule_get(context, security_group_rule_id, session=None):
     return result
 
 
+@require_context
+def security_group_rule_get_by_security_group(context, security_group_id, session=None):
+    if not session:
+        session = get_session()
+    if is_admin_context(context):
+        result = session.query(models.SecurityGroupIngressRule).\
+                         filter_by(deleted=can_read_deleted(context)).\
+                         filter_by(parent_group_id=security_group_id).\
+                         all()
+    else:
+        # TODO(vish): Join to group and check for project_id
+        result = session.query(models.SecurityGroupIngressRule).\
+                         filter_by(deleted=False).\
+                         filter_by(parent_group_id=security_group_id).\
+                         all()
+    return result
+
+
 @require_context
 def security_group_rule_create(context, values):
     security_group_rule_ref = models.SecurityGroupIngressRule()

From 03d46d013811a6e2921b66e2b3937703c2f5bb89 Mon Sep 17 00:00:00 2001
From: Soren Hansen <soren.hansen@rackspace.com>
Date: Mon, 13 Dec 2010 16:42:35 +0100
Subject: [PATCH 2/4] Move security group refresh logic into ComputeAPI.

Add a trigger_security_group_members_refresh to ComputeAPI which
finds the hosts that have instances that have security groups that
reference a security group in which a new instance has just been placed,
and sends a refresh_security_group_members to each of them.
---
 nova/db/api.py            |  7 +++++++
 nova/db/sqlalchemy/api.py | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/nova/db/api.py b/nova/db/api.py
index 8f9dc2443..6fa80c247 100644
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -711,6 +711,13 @@ def security_group_rule_get_by_security_group(context, security_group_id):
                                                           security_group_id)
 
 
+def security_group_rule_get_by_security_group_grantee(context,
+                                                      security_group_id):
+    """Get all rules that grant access to the given security group."""
+    return IMPL.security_group_rule_get_by_security_group_grantee(context,
+                                                              security_group_id)
+
+
 def security_group_rule_destroy(context, security_group_rule_id):
     """Deletes a security group rule."""
     return IMPL.security_group_rule_destroy(context, security_group_rule_id)
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 5214dd62b..deb248f82 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -1532,6 +1532,25 @@ def security_group_rule_get_by_security_group(context, security_group_id, sessio
     return result
 
 
+@require_context
+def security_group_rule_get_by_security_group_grantee(context,
+                                                      security_group_id,
+                                                      session=None):
+    if not session:
+        session = get_session()
+    if is_admin_context(context):
+        result = session.query(models.SecurityGroupIngressRule).\
+                         filter_by(deleted=can_read_deleted(context)).\
+                         filter_by(group_id=security_group_id).\
+                         all()
+    else:
+        result = session.query(models.SecurityGroupIngressRule).\
+                         filter_by(deleted=False).\
+                         filter_by(group_id=security_group_id).\
+                         all()
+    return result
+
+
 @require_context
 def security_group_rule_create(context, values):
     security_group_rule_ref = models.SecurityGroupIngressRule()

From af5b2cbb929b94582f5887db69c56e05d79eec63 Mon Sep 17 00:00:00 2001
From: Soren Hansen <soren.hansen@rackspace.com>
Date: Wed, 15 Dec 2010 14:04:06 +0100
Subject: [PATCH 3/4] Lots of PEP-8 work.

---
 nova/db/api.py            | 2 +-
 nova/db/sqlalchemy/api.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/nova/db/api.py b/nova/db/api.py
index 6fa80c247..67796c246 100644
--- a/nova/db/api.py
+++ b/nova/db/api.py
@@ -715,7 +715,7 @@ def security_group_rule_get_by_security_group_grantee(context,
                                                       security_group_id):
     """Get all rules that grant access to the given security group."""
     return IMPL.security_group_rule_get_by_security_group_grantee(context,
-                                                              security_group_id)
+                                                             security_group_id)
 
 
 def security_group_rule_destroy(context, security_group_rule_id):
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index deb248f82..4e3ef5771 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -1515,7 +1515,8 @@ def security_group_rule_get(context, security_group_rule_id, session=None):
 
 
 @require_context
-def security_group_rule_get_by_security_group(context, security_group_id, session=None):
+def security_group_rule_get_by_security_group(context, security_group_id,
+                                              session=None):
     if not session:
         session = get_session()
     if is_admin_context(context):

From c4604b17112ffb1c8cccacfd9ab0a3e73b2fccb2 Mon Sep 17 00:00:00 2001
From: Soren Hansen <soren@linux2go.dk>
Date: Fri, 7 Jan 2011 12:08:22 +0100
Subject: [PATCH 4/4] Remove redundant import of nova.context. Use db instance
 attribute rather than module directly.

---
 nova/db/sqlalchemy/api.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 14ccc989f..eb87355b6 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -650,7 +650,6 @@ def instance_get(context, instance_id, session=None):
     if is_admin_context(context):
         result = session.query(models.Instance).\
                          options(joinedload_all('fixed_ip.floating_ips')).\
-                         options(joinedload('security_groups')).\
                          options(joinedload_all('security_groups.rules')).\
                          options(joinedload('volumes')).\
                          filter_by(id=instance_id).\
@@ -659,7 +658,6 @@ def instance_get(context, instance_id, session=None):
     elif is_user_context(context):
         result = session.query(models.Instance).\
                          options(joinedload_all('fixed_ip.floating_ips')).\
-                         options(joinedload('security_groups')).\
                          options(joinedload_all('security_groups.rules')).\
                          options(joinedload('volumes')).\
                          filter_by(project_id=context.project_id).\