Merge "extend security_group and _rule with project id"

2017-05-08 11:57:46 +00:00 · 2017-05-08 11:57:46 +00:00 · 88ac7b484e
commit 88ac7b484e
parent 8848a6b6bf 2f8285db72
3 changed files with 115 additions and 21 deletions
--- a/shade/openstackcloud.py
+++ b/shade/openstackcloud.py
@ -6753,11 +6753,14 @@ class OpenStackCloud(_normalize.Normalizer):
            error_message="Error deleting port {0}".format(name_or_id))
        return True

-    def create_security_group(self, name, description):
+    def create_security_group(self, name, description, project_id=None):
        """Create a new security group

        :param string name: A name for the security group.
        :param string description: Describes the security group.
+        :param string project_id: 
+            Specify the project ID this security group will be created
+            on (admin-only).

        :returns: A ``munch.Munch`` representing the new security group.

@ -6773,19 +6776,17 @@ class OpenStackCloud(_normalize.Normalizer):
            )

        group = None
+        security_group_json = {'security_group': {'name': name, 'description': description}}
+        if project_id is not None:
+            security_group_json['security_group']['tenant_id'] = project_id
        if self._use_neutron_secgroups():
            group = self._network_client.post(
                '/security-groups.json',
-                json={'security_group': 
-                    {'name': name, 'description': description}},
+                json=security_group_json,
                error_message="Error creating security group {0}".format(name))
-
        else:
            group = self._compute_client.post(
-                '/os-security-groups', json={
-                    'security_group': {
-                        'name': name, 'description': description}
-                })
+                '/os-security-groups', json=security_group_json)
        return self._normalize_secgroup(group)

    def delete_security_group(self, name_or_id):
@ -6872,7 +6873,8 @@ class OpenStackCloud(_normalize.Normalizer):
                                   remote_ip_prefix=None,
                                   remote_group_id=None,
                                   direction='ingress',
-                                   ethertype='IPv4'):
+                                   ethertype='IPv4',
+                                   project_id=None):
        """Create a new security group rule

        :param string secgroup_name_or_id:
@ -6910,6 +6912,9 @@ class OpenStackCloud(_normalize.Normalizer):
        :param string ethertype:
            Must be IPv4 or IPv6, and addresses represented in CIDR must
            match the ingress or egress rules.
+        :param string project_id:
+            Specify the project ID this security group will be created
+            on (admin-only).

        :returns: A ``munch.Munch`` representing the new security group rule.

@ -6941,6 +6946,8 @@ class OpenStackCloud(_normalize.Normalizer):
                'direction': direction,
                'ethertype': ethertype
            }
+            if project_id is not None:
+                rule_def['tenant_id'] = project_id

            rule = self._network_client.post(
                '/security-group-rules.json',
@ -6977,15 +6984,18 @@ class OpenStackCloud(_normalize.Normalizer):
                    port_range_min = 1
                    port_range_max = 65535

+            security_group_rule_dict = dict(security_group_rule = dict(
+                parent_group_id=secgroup['id'],
+                ip_protocol=protocol,
+                from_port=port_range_min,
+                to_port=port_range_max,
+                cidr=remote_ip_prefix,
+                group_id=remote_group_id
+            ))
+            if project_id is not None:
+                security_group_rule_dict['security_group_rule']['tenant_id'] = project_id
            rule = self._compute_client.post(
-                '/os-security-group-rules', json=dict(security_group_rule=dict(
-                    parent_group_id=secgroup['id'],
-                    ip_protocol=protocol,
-                    from_port=port_range_min,
-                    to_port=port_range_max,
-                    cidr=remote_ip_prefix,
-                    group_id=remote_group_id
-                ))
+                '/os-security-group-rules', json=security_group_rule_dict
            )
            return self._normalize_secgroup_rule(rule)

--- a/shade/tests/fakes.py
+++ b/shade/tests/fakes.py
@ -311,10 +311,11 @@ class FakeMachinePort(object):


 class FakeSecgroup(object):
-    def __init__(self, id, name, description='', rules=None):
+    def __init__(self, id, name, description='', project_id=None, rules=None):
        self.id = id
        self.name = name
        self.description = description
+        self.project_id = project_id
        self.rules = rules


--- a/shade/tests/unit/test_security_groups.py
+++ b/shade/tests/unit/test_security_groups.py
@ -188,6 +188,44 @@ class TestSecurityGroups(base.RequestsMockTestCase):

        self.assert_calls()

+    def test_create_security_group_neutron_specific_tenant(self):
+        self.cloud.secgroup_source = 'neutron'
+        project_id = "861808a93da0484ea1767967c4df8a23"
+        group_name = self.getUniqueString()
+        group_desc = 'security group from' \
+                     ' test_create_security_group_neutron_specific_tenant'
+        new_group = meta.obj_to_dict(
+            fakes.FakeSecgroup(
+                id='2',
+                name=group_name,
+                description=group_desc,
+                project_id=project_id,
+                rules=[]))
+        self.register_uris([
+            dict(method='POST',
+                 uri=self.get_mock_url(
+                     'network', 'public',
+                     append=['v2.0', 'security-groups.json']),
+                 json={'security_group': new_group},
+                 validate=dict(
+                     json={'security_group': {
+                         'name': group_name,
+                         'description': group_desc,
+                         'tenant_id': project_id
+                     }}))
+        ])
+
+        r = self.cloud.create_security_group(
+            group_name,
+            group_desc,
+            project_id
+        )
+        self.assertEqual(group_name, r['name'])
+        self.assertEqual(group_desc, r['description'])
+        self.assertEqual(project_id, r['tenant_id'])
+
+        self.assert_calls()
+
    def test_create_security_group_nova(self):
        group_name = self.getUniqueString()
        self.has_neutron = False
@ -206,7 +244,7 @@ class TestSecurityGroups(base.RequestsMockTestCase):
                 validate=dict(json={
                     'security_group': {
                         'name': group_name,
-                         'description': group_desc,
+                         'description': group_desc
                     }})),
        ])

@ -294,8 +332,8 @@ class TestSecurityGroups(base.RequestsMockTestCase):

        expected_new_rule = copy.copy(expected_args)
        expected_new_rule['id'] = '1234'
-        expected_new_rule['project_id'] = ''
-        expected_new_rule['tenant_id'] = expected_new_rule['project_id']
+        expected_new_rule['tenant_id'] = ''
+        expected_new_rule['project_id'] = expected_new_rule['tenant_id']

        self.register_uris([
            dict(method='GET',
@ -319,6 +357,51 @@ class TestSecurityGroups(base.RequestsMockTestCase):
        self.assertEqual(expected_new_rule, new_rule)
        self.assert_calls()

+    def test_create_security_group_rule_neutron_specific_tenant(self):
+        self.cloud.secgroup_source = 'neutron'
+        args = dict(
+            port_range_min=-1,
+            port_range_max=40000,
+            protocol='tcp',
+            remote_ip_prefix='0.0.0.0/0',
+            remote_group_id='456',
+            direction='egress',
+            ethertype='IPv6',
+            project_id='861808a93da0484ea1767967c4df8a23'
+        )
+        expected_args = copy.copy(args)
+        # For neutron, -1 port should be converted to None
+        expected_args['port_range_min'] = None
+        expected_args['security_group_id'] = neutron_grp_dict['id']
+        expected_args['tenant_id'] = expected_args['project_id']
+        expected_args.pop('project_id')
+
+        expected_new_rule = copy.copy(expected_args)
+        expected_new_rule['id'] = '1234'
+        expected_new_rule['project_id'] = expected_new_rule['tenant_id']
+
+        self.register_uris([
+            dict(method='GET',
+                 uri=self.get_mock_url(
+                     'network', 'public',
+                     append=['v2.0', 'security-groups.json']),
+                 json={'security_groups': [neutron_grp_dict]}),
+            dict(method='POST',
+                 uri=self.get_mock_url(
+                     'network', 'public',
+                     append=['v2.0', 'security-group-rules.json']),
+                 json={'security_group_rule': expected_new_rule},
+                 validate=dict(json={
+                     'security_group_rule': expected_args}))
+        ])
+        new_rule = self.cloud.create_security_group_rule(
+            secgroup_name_or_id=neutron_grp_dict['id'], ** args)
+        # NOTE(slaweq): don't check location and properties in new rule
+        new_rule.pop("location")
+        new_rule.pop("properties")
+        self.assertEqual(expected_new_rule, new_rule)
+        self.assert_calls()
+
    def test_create_security_group_rule_nova(self):
        self.has_neutron = False
        self.cloud.secgroup_source = 'nova'