gce-api/gceapi/tests/unit/api/test_firewalls.py

# Copyright 2014
# The Cloudscaling Group, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import copy

import gceapi.context
from gceapi.tests.unit.api import common


DEFAULT_FIREWALL = {
    "kind": "compute#firewall",
    "name": "default",
    "creationTimestamp": "",
    "sourceRanges": [
        "0.0.0.0/0",
    ],
    "allowed": [],
    "id": "1000226411104458008",
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/default"),
    "description": "[+]default",
}
FAKE_FIREWALL_1 = {
    "kind": "compute#firewall",
    "name": "fake-firewall-1",
    "creationTimestamp": "2013-12-25T09:01:00.396957Z",
    "sourceRanges": [
        "55.0.0.0/24",
        "44.0.0.0/24",
    ],
    "allowed": [
        {
            "IPProtocol": "udp",
            "ports": [
                "223-322",
            ],
        },
        {
            "IPProtocol": "icmp",
        },
        {
            "IPProtocol": "tcp",
            "ports": [
                "1234",
            ],
        },
    ],
    "id": "5486539087303205175",
    "network": ("http://localhost/compute/v1beta15/projects"
                "/fake_project/global/networks/private"),
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/fake-firewall-1"),
    "description": "simple firewall",
}
FAKE_FIREWALL_2 = {
    "kind": "compute#firewall",
    "name": "fake-firewall-2",
    "creationTimestamp": "",
    "sourceRanges": [
        "0.0.0.0/0",
    ],
    "allowed": [],
    "id": "5486539087303205174",
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/fake-firewall-2"),
    "description": "openstack sg w/o rules",
}
FAKE_FIREWALL_3 = {
    "kind": "compute#firewall",
    "name": "fake-firewall-3",
    "creationTimestamp": "2013-12-25T09:02:00.396957Z",
    "sourceRanges": [
        "77.0.0.0/24",
        "78.0.0.0/24",
    ],
    "allowed": [
        {
            "IPProtocol": "tcp",
            "ports": [
                "1000-2000",
            ],
        },
    ],
    "id": "5486539087303205173",
    "network": ("http://localhost/compute/v1beta15/projects/"
                "fake_project/global/networks/private"),
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/fake-firewall-3"),
    "description": "[+]openstack sg with cidr & secgroup rules",
}
FAKE_FIREWALL_4 = {
    "kind": "compute#firewall",
    "name": "fake-firewall-4",
    "creationTimestamp": "",
    "sourceRanges": [],
    "allowed": [],
    "id": "5486539087303205172",
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/fake-firewall-4"),
    "description": "[*]openstack sg too complex to translate into gce rules",
}
FAKE_FIREWALL_5 = {
    "kind": "compute#firewall",
    "name": "fake-firewall-5",
    "creationTimestamp": "",
    "sourceRanges": [],
    "allowed": [],
    "id": "5486539087303205171",
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/fake-firewall-5"),
    "description": "[*][+]openstack sg with combined & too complex rules",
}
FAKE_FIREWALL_6 = {
    "kind": "compute#firewall",
    "name": "fake-firewall-6",
    "creationTimestamp": "",
    "sourceRanges": [],
    "allowed": [],
    "id": "5486539087303205170",
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/fake-firewall-6"),
    "description": "[*]openstack sg with too complex icmp rule",
}
NEW_FIREWALL = {
    "kind": "compute#firewall",
    "name": "new-firewall",
    "creationTimestamp": "2013-12-25T09:03:00.396957Z",
    "sourceRanges": [
        "42.0.0.0/24",
        "41.0.0.0/24",
    ],
    "allowed": [
        {
            "IPProtocol": "udp",
            "ports": [
                "5000-6000", "6666",
            ],
        },
        {
            "IPProtocol": "icmp",
        },
        {
            "IPProtocol": "tcp",
            "ports": [
                "80", "8080",
            ],
        },
    ],
    "id": "8518771050733866051",
    "network": ("http://localhost/compute/v1beta15/projects"
                "/fake_project/global/networks/private"),
    "selfLink": ("http://localhost/compute/v1beta15/projects"
                 "/fake_project/global/firewalls/new-firewall"),
    "description": "new fake firewall",
}


class FirewallsControllerTest(common.GCEControllerTest):

    def setUp(self):
        super(FirewallsControllerTest, self).setUp()

    def test_list_firewalls_filtered(self):
        response = self.request_gce("/fake_project/global/firewalls"
                                    "?filter=name+eq+fake-firewall-5")
        self.assertEqual(200, response.status_int)
        response_body = copy.deepcopy(response.json_body)
        self.assertIn("items", response_body)
        expected_common = {
            "kind": "compute#firewallList",
            "id": "projects/fake_project/global/firewalls",
            "selfLink": ("http://localhost/compute/v1beta15/projects/"
                         "fake_project/global/firewalls")
        }
        response_firewalls = response_body.pop("items")
        self.assertDictEqual(expected_common, response_body)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_5, response_firewalls)

    def test_list_firewalls(self):
        response = self.request_gce("/fake_project/global/firewalls")
        self.assertEqual(200, response.status_int)
        response_body = copy.deepcopy(response.json_body)
        self.assertIn("items", response_body)
        expected_common = {
            "kind": "compute#firewallList",
            "id": "projects/fake_project/global/firewalls",
            "selfLink": ("http://localhost/compute/v1beta15/projects/"
                         "fake_project/global/firewalls")
        }
        response_firewalls = response_body.pop("items")
        self.assertDictEqual(expected_common, response_body)
        self.assertDictInListBySelfLink(DEFAULT_FIREWALL, response_firewalls)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_1, response_firewalls)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_2, response_firewalls)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_3, response_firewalls)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_4, response_firewalls)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_5, response_firewalls)
        self.assertDictInListBySelfLink(FAKE_FIREWALL_6, response_firewalls)

    def test_get_firewall(self):
        response = self.request_gce(
                "/fake_project/global/firewalls/fake-firewall-1")
        self.assertEqual(200, response.status_int)
        self.assertDictEqual(FAKE_FIREWALL_1, response.json_body)

    def test_create_firewall(self):
        self.add_to_instance_was_called = False

        def add_to_instance(dummy, context, instance, sg_id):
            self.assertIsInstance(context, gceapi.context.RequestContext)
            self.assertEqual("6472359b-d46b-4629-83a9-d2ec8d99468c",
                             instance["uuid"])
            self.assertEqual("5707a6f0-799d-4739-8740-3efc73f122aa", sg_id)
            self.add_to_instance_was_called = True

        request_body = {
            "network": ("http://localhost/compute/v1beta15/projects"
                        "/fake_project/global/networks/private"),
            "rules": [],
            "description": "new fake firewall",
            "sourceRanges": ["41.0.0.0/24", "42.0.0.0/24"],
            "allowed": [
                {"IPProtocol": "icmp"},
                {"IPProtocol": "tcp", "ports": ["80", "8080"]},
                {"IPProtocol": "udp", "ports": ["5000-6000", "6666"]},
            ],
            "name": "new-firewall",
        }
        response = self.request_gce("/fake_project/global/firewalls",
                                    method="POST",
                                    body=request_body)
        self.assertEqual(200, response.status_int)
        expected = {
            "operationType": "insert",
            "targetId": "8518771050733866051",
            "targetLink": "http://localhost/compute/v1beta15/projects/"
                          "fake_project/global/firewalls/new-firewall",
        }
        expected.update(common.COMMON_FINISHED_OPERATION)
        self.assertDictEqual(expected, response.json_body)
        # TODO(apavlov): reanimate this
        #self.assertTrue(self.add_to_instance_was_called)
        #response = self.request_gce(
        #        "/fake_project/global/firewalls/new-firewall")
        #self.assertEqual(200, response.status_int)
        #self.assertDictEqual(NEW_FIREWALL, response.json_body)

    def test_delete_firewall(self):
        self.remove_from_instance_was_called = False

        def remove_from_instance(dummy, context, instance, sg_name):
            self.assertIsInstance(context, gceapi.context.RequestContext)
            self.assertEqual("6472359b-d46b-4629-83a9-d2ec8d99468c",
                             instance["uuid"])
            self.assertEqual("1aaa637b-87f4-4e27-bc86-ff63d30264b2", sg_name)
            self.remove_from_instance_was_called = True

        response = self.request_gce(
                "/fake_project/global/firewalls/to-delete-firewall",
                method="DELETE")
        self.assertEqual(200, response.status_int)
        expected = {
            "operationType": "delete",
            "targetId": "7536069615864894672",
            "targetLink": "http://localhost/compute/v1beta15/projects/"
                          "fake_project/global/firewalls/to-delete-firewall",
        }
        expected.update(common.COMMON_FINISHED_OPERATION)
        self.assertDictEqual(expected, response.json_body)
        # TODO(apavlov): reanimate this
        #self.assertTrue(self.remove_from_instance_was_called)
        #response = self.request_gce(
        #        "/fake_project/global/firewalls/to-delete-firewall")
        #self.assertEqual(404, response.status_int)

    def test_delete_firewall_nonexistent(self):
        response = self.request_gce(
                "/fake_project/global/firewalls/fake-firewall",
                method="DELETE")
        self.assertEqual(404, response.status_int)