From 1a63a1e958385810eabe01b0b395aea66f9632dc Mon Sep 17 00:00:00 2001
From: Ahmad Hassan
Date: Fri, 30 Sep 2011 15:10:33 +0100
Subject: [PATCH] Verify security group parameters Introduced various sanity checks before adding security group rule into the database. The checks have been implemented both in EC2 and openstack extension code. Implemented the suggestions made in first patch by Brian Fixed the unit tests in security groups Fixed pep8 issues in security group unit tests Fixes bug 869979. Change-Id: I2ac28666e90e7bdeacb7b1c2676c0719cfb9e441
---
 nova/tests/test_api.py | 48 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/nova/tests/test_api.py b/nova/tests/test_api.py
index e9f1145d..2d3d4b60 100644
--- a/nova/tests/test_api.py
+++ b/nova/tests/test_api.py
@@ -386,6 +386,50 @@ class ApiEc2TestCase(test.TestCase):
 group.connection = self.ec2
 group.authorize('tcp', 80, 81, '0.0.0.0/0')
+ group.authorize('icmp', -1, -1, '0.0.0.0/0')
+ group.authorize('udp', 80, 81, '0.0.0.0/0')
+ # Invalid CIDR address
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', 80, 81, '0.0.0.0/0444')
+ # Missing ports
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', '0.0.0.0/0')
+ # from port cannot be greater than to port
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', 100, 1, '0.0.0.0/0')
+ # For tcp, negative values are not allowed
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', -1, 1, '0.0.0.0/0')
+ # For tcp, valid port range 1-65535
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', 1, 65599, '0.0.0.0/0')
+ # For icmp, only -1:-1 is allowed for type:code
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, 0, '0.0.0.0/0')
+ # Non valid type:code
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', 0, 3, '0.0.0.0/0')
+ # Invalid Cidr for ICMP type
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, -1, '0.0.444.0/4')
+ # Invalid protocol
+ self.assertRaises(Exception,
+ group.authorize, 'xyz', 1, 14, '0.0.0.0/0')
+ # Invalid port
+ self.assertRaises(Exception,
+ group.authorize, 'tcp', " ", "81", '0.0.0.0/0')
+ # Invalid icmp port
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', " ", "81", '0.0.0.0/0')
+ # Invalid CIDR Address
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, -1, '0.0.0.0')
+ # Invalid CIDR Address
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', -1, -1, '0.0.0.0/')
+ # Invalid Cidr ports
+ self.assertRaises(Exception,
+ group.authorize, 'icmp', 1, 256, '0.0.0.0/0')
 self.expect_http()
 self.mox.ReplayAll()
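Review bot: Every negative case added here asserts `self.assertRaises(Exception, ...)`, which is satisfied by any failure at all, so these checks do not show that the new security-group validation is what rejected the rule. Some of the calls may never reach the API: `group.authorize, 'tcp', '0.0.0.0/0'` under `# Missing ports` passes the CIDR in the from-port position, and the `" ", "81"` cases could fail in the client or in the mocked HTTP layer instead. Assert the specific error the EC2 layer returns for a rejected rule (with boto that is presumably `EC2ResponseError`, to be confirmed against this file's imports) and, where possible, its status or message. The comment `# For tcp, valid port range 1-65535` is only exercised with 65599; adding cases for `0` and `65536` would pin both boundaries. The test method starts and ends outside this hunk.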
@@ -394,7 +438,7 @@ class ApiEc2TestCase(test.TestCase):
 group = [grp for grp in rv if grp.name == security_group_name][0]
- self.assertEquals(len(group.rules), 1)
+ self.assertEquals(len(group.rules), 3)
 self.assertEquals(int(group.rules[0].from_port), 80)
 self.assertEquals(int(group.rules[0].to_port), 81)
 self.assertEquals(len(group.rules[0].grants), 1)
@@ -405,6 +449,8 @@ class ApiEc2TestCase(test.TestCase):
 group.connection = self.ec2
 group.revoke('tcp', 80, 81, '0.0.0.0/0')
+ group.revoke('icmp', -1, -1, '0.0.0.0/0')
+ group.revoke('udp', 80, 81, '0.0.0.0/0')
 self.expect_http()
 self.mox.ReplayAll()
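Review bot: The expected count is raised to 3, but the assertions that follow still inspect only `group.rules[0]`, so the new icmp and udp rules are never checked and the test depends on the tcp rule being returned first. Checking the stored protocols, for example `self.assertEquals(sorted(r.ip_protocol for r in group.rules), ['icmp', 'tcp', 'udp'])` (assuming the rule objects expose `ip_protocol`), together with the -1/-1 values of the icmp rule, would confirm what was actually written for each rule. The surrounding test method starts before and continues after this hunk.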