AuthorizeSecurityGroupIngress now works.
This commit is contained in:
Soren Hansen
@@ -214,14 +214,54 @@ class CloudController(object):
|
|||||||
@rbac.allow('all')
|
@rbac.allow('all')
|
||||||
def describe_security_groups(self, context, **kwargs):
|
def describe_security_groups(self, context, **kwargs):
|
||||||
groups = {'securityGroupSet':
|
groups = {'securityGroupSet':
|
||||||
[{ 'groupDescription': group.description,
|
[{ 'groupDescription': group.description,
|
||||||
'groupName' : group.name,
|
'groupName' : group.name,
|
||||||
'ownerId': context.user.id } for group in db.security_group_get_by_user(context, context.user.id) ] }
|
'ownerId': context.user.id } for group in \
|
||||||
|
db.security_group_get_by_user(context,
|
||||||
|
context.user.id) ] }
|
||||||
|
|
||||||
return groups
|
return groups
|
||||||
|
|
||||||
@rbac.allow('netadmin')
|
@rbac.allow('netadmin')
|
||||||
def authorize_security_group_ingress(self, context, group_name, **kwargs):
|
def authorize_security_group_ingress(self, context, group_name,
|
||||||
|
to_port=None, from_port=None,
|
||||||
|
ip_protocol=None, cidr_ip=None,
|
||||||
|
user_id=None,
|
||||||
|
source_security_group_name=None,
|
||||||
|
source_security_group_owner_id=None):
|
||||||
|
security_group = db.security_group_get_by_user_and_name(context,
|
||||||
|
context.user.id,
|
||||||
|
group_name)
|
||||||
|
values = { 'parent_security_group' : security_group.id }
|
||||||
|
|
||||||
|
# Aw, crap.
|
||||||
|
if source_security_group_name:
|
||||||
|
if source_security_group_owner_id:
|
||||||
|
other_user_id = source_security_group_owner_id
|
||||||
|
else:
|
||||||
|
other_user_id = context.user.id
|
||||||
|
|
||||||
|
foreign_security_group = \
|
||||||
|
db.security_group_get_by_user_and_name(context,
|
||||||
|
other_user_id,
|
||||||
|
source_security_group_name)
|
||||||
|
values['group_id'] = foreign_security_group.id
|
||||||
|
elif cidr_ip:
|
||||||
|
values['cidr'] = cidr_ip
|
||||||
|
else:
|
||||||
|
return { 'return': False }
|
||||||
|
|
||||||
|
if ip_protocol and from_port and to_port:
|
||||||
|
values['protocol'] = ip_protocol
|
||||||
|
values['from_port'] = from_port
|
||||||
|
values['to_port'] = to_port
|
||||||
|
else:
|
||||||
|
# If cidr based filtering, protocol and ports are mandatory
|
||||||
|
if 'cidr' in values:
|
||||||
|
print values
|
||||||
|
return None
|
||||||
|
|
||||||
|
security_group_rule = db.security_group_rule_create(context, values)
|
||||||
return True
|
return True
|
||||||
|
|
||||||
@rbac.allow('netadmin')
|
@rbac.allow('netadmin')
|
||||||
@@ -234,6 +274,8 @@ class CloudController(object):
|
|||||||
|
|
||||||
@rbac.allow('netadmin')
|
@rbac.allow('netadmin')
|
||||||
def delete_security_group(self, context, group_name, **kwargs):
|
def delete_security_group(self, context, group_name, **kwargs):
|
||||||
|
security_group = db.security_group_get_by_user_and_name(context, context.user.id, group_name)
|
||||||
|
security_group.delete()
|
||||||
return True
|
return True
|
||||||
|
|
||||||
@rbac.allow('projectmanager', 'sysadmin')
|
@rbac.allow('projectmanager', 'sysadmin')
|
||||||
|
|||||||
@@ -233,20 +233,29 @@ class ApiEc2TestCase(test.BaseTestCase):
|
|||||||
self.manager.delete_user(user)
|
self.manager.delete_user(user)
|
||||||
|
|
||||||
def test_get_all_security_groups(self):
|
def test_get_all_security_groups(self):
|
||||||
"""Test that operations on security groups stick"""
|
"""Test that we can retrieve security groups"""
|
||||||
self.expect_http()
|
self.expect_http()
|
||||||
self.mox.ReplayAll()
|
self.mox.ReplayAll()
|
||||||
security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
|
|
||||||
for x in range(random.randint(4, 8)))
|
|
||||||
user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
|
user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
|
||||||
project = self.manager.create_project('fake', 'fake', 'fake')
|
project = self.manager.create_project('fake', 'fake', 'fake')
|
||||||
|
|
||||||
rv = self.ec2.get_all_security_groups()
|
rv = self.ec2.get_all_security_groups()
|
||||||
self.assertEquals(len(rv), 1)
|
|
||||||
self.assertEquals(rv[0].name, 'default')
|
|
||||||
|
|
||||||
|
self.assertEquals(len(rv), 1)
|
||||||
|
self.assertEquals(rv[0].name, 'default')
|
||||||
|
|
||||||
|
self.manager.delete_project(project)
|
||||||
|
self.manager.delete_user(user)
|
||||||
|
|
||||||
|
def test_create_delete_security_group(self):
|
||||||
|
"""Test that we can create a security group"""
|
||||||
self.expect_http()
|
self.expect_http()
|
||||||
self.mox.ReplayAll()
|
self.mox.ReplayAll()
|
||||||
|
user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
|
||||||
|
project = self.manager.create_project('fake', 'fake', 'fake')
|
||||||
|
|
||||||
|
security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
|
||||||
|
for x in range(random.randint(4, 8)))
|
||||||
|
|
||||||
self.ec2.create_security_group(security_group_name, 'test group')
|
self.ec2.create_security_group(security_group_name, 'test group')
|
||||||
|
|
||||||
@@ -257,5 +266,71 @@ class ApiEc2TestCase(test.BaseTestCase):
|
|||||||
self.assertEquals(len(rv), 2)
|
self.assertEquals(len(rv), 2)
|
||||||
self.assertTrue(security_group_name in [group.name for group in rv])
|
self.assertTrue(security_group_name in [group.name for group in rv])
|
||||||
|
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
|
||||||
|
self.ec2.delete_security_group(security_group_name)
|
||||||
|
|
||||||
self.manager.delete_project(project)
|
self.manager.delete_project(project)
|
||||||
self.manager.delete_user(user)
|
self.manager.delete_user(user)
|
||||||
|
|
||||||
|
def test_authorize_security_group_cidr(self):
|
||||||
|
"""Test that we can add rules to a security group"""
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
|
||||||
|
project = self.manager.create_project('fake', 'fake', 'fake')
|
||||||
|
|
||||||
|
security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
|
||||||
|
for x in range(random.randint(4, 8)))
|
||||||
|
|
||||||
|
group = self.ec2.create_security_group(security_group_name, 'test group')
|
||||||
|
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
group.connection = self.ec2
|
||||||
|
|
||||||
|
group.authorize('tcp', 80, 80, '0.0.0.0/0')
|
||||||
|
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
|
||||||
|
self.ec2.delete_security_group(security_group_name)
|
||||||
|
|
||||||
|
self.manager.delete_project(project)
|
||||||
|
self.manager.delete_user(user)
|
||||||
|
|
||||||
|
return
|
||||||
|
|
||||||
|
def test_authorize_security_group_foreign_group(self):
|
||||||
|
"""Test that we can grant another security group access to a security group"""
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
user = self.manager.create_user('fake', 'fake', 'fake', admin=True)
|
||||||
|
project = self.manager.create_project('fake', 'fake', 'fake')
|
||||||
|
|
||||||
|
security_group_name = "".join(random.choice("sdiuisudfsdcnpaqwertasd") \
|
||||||
|
for x in range(random.randint(4, 8)))
|
||||||
|
|
||||||
|
group = self.ec2.create_security_group(security_group_name, 'test group')
|
||||||
|
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
|
||||||
|
other_group = self.ec2.create_security_group('appserver', 'The application tier')
|
||||||
|
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
group.connection = self.ec2
|
||||||
|
|
||||||
|
group.authorize(src_group=other_group)
|
||||||
|
|
||||||
|
self.expect_http()
|
||||||
|
self.mox.ReplayAll()
|
||||||
|
|
||||||
|
self.ec2.delete_security_group(security_group_name)
|
||||||
|
|
||||||
|
self.manager.delete_project(project)
|
||||||
|
self.manager.delete_user(user)
|
||||||
|
|
||||||
|
return
|
||||||
|
|||||||
Reference in New Issue
Block a user