Merge lp:~tpatil/nova/os-security-groups into lp:~hudson-openstack/nova/trunk
- os-security-groups
- Merge into trunk
Status: | Merged |
---|---|
Approved by: | Jesse Andrews |
Approved revision: | 1369 |
Merged at revision: | 1417 |
Proposed branch: | lp:~tpatil/nova/os-security-groups |
Merge into: | lp:~hudson-openstack/nova/trunk |
Diff against target: |
1337 lines (+1249/-5) 6 files modified
nova/api/openstack/contrib/security_groups.py (+466/-0) nova/api/openstack/extensions.py (+9/-2) nova/db/api.py (+5/-0) nova/exception.py (+4/-0) nova/tests/api/openstack/contrib/test_security_groups.py (+761/-0) nova/tests/api/openstack/test_extensions.py (+4/-3) |
To merge this branch: | bzr merge lp:~tpatil/nova/os-security-groups |
Related bugs: | |
Related blueprints: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Jesse Andrews (community) | Approve | ||
Tushar Patil (community) | Needs Fixing | ||
Ed Leafe (community) | Approve | ||
Review via email: mp+70375@code.launchpad.net |
Commit message
Description of the change
Support for management of security groups in OS API as a new extension.
Tushar Patil (tpatil) wrote : | # |
Along with the review comments, I am also going to add code in the Create Server API to take security group as an additional parameter to launch the server with the specified security group.
Vish Ishaya (vishvananda) wrote : | # |
it should be 1+ security groups. You can also do that in another patch. No need to make the first one more complicated.
On Aug 5, 2011, at 10:22 AM, Tushar Patil wrote:
> Along with the review comments, I am also going to add code in the Create Server API to take security group as an additional parameter to launch the server with the specified security group.
> --
> https:/
> You are subscribed to branch lp:nova.
Vish Ishaya (vishvananda) wrote : | # |
Bonus points in the other patch for add_security_group to instance and delete_
Tushar Patil (tpatil) wrote : | # |
> it should be 1+ security groups. You can also do that in another patch. No
> need to make the first one more complicated.
>
> On Aug 5, 2011, at 10:22 AM, Tushar Patil wrote:
>
> > Along with the review comments, I am also going to add code in the Create
> Server API to take security group as an additional parameter to launch the
> server with the specified security group.
Ok, I will add this code in another patch.
Tushar Patil (tpatil) wrote : | # |
> I'm concerned about the security of some of the methods. You check for
> context.is_admin in the index() method to limit the returned values, but it
> looks like destructive methods like 'delete()' can be invoked on any ID
> whether one is an admin or not, with no restriction on project. Can you
> explain where the ability to interact with a security group you do not have
> rights to is enforced?
>
Before calling security_
For admin users, project id check is not required.
You can check the implementation of "security_
I have fixed all your review comments.
Ed Leafe (ed-leafe) wrote : | # |
The changes look good; thanks for pointing me to the filtering in sqlalchemy/api.py - that's what I was looking for.
One minor problem: lines 210 and 337 still have the localization function call around 'msg'; it's not needed, and should be removed. Only literal strings ever need to be localized.
Tushar Patil (tpatil) wrote : | # |
> The changes look good; thanks for pointing me to the filtering in
> sqlalchemy/api.py - that's what I was looking for.
>
> One minor problem: lines 210 and 337 still have the localization function call
> around 'msg'; it's not needed, and should be removed. Only literal strings
> ever need to be localized.
I should have noticed this before. Anyway I have fixed it now.
Tushar Patil (tpatil) wrote : | # |
> Bonus points in the other patch for add_security_group to instance and
> delete_
Seems like a good idea. Also I think it will be good to add one more method to list instances using a specified security group.
Anthony Young (sleepsonthefloor) wrote : | # |
I see that this convention from the ec2 code made it to this branch.
if context.is_admin:
groups = db.security_
My preference would be to not list everything for admin users by default, as that makes it hard to use admin accounts as users. I'd rather use a separate parameter to specify that you in fact want a complete list, or have a separate admin api call. That said, I think that servers api behaves like this right now (I don't like that either :)
Tushar Patil (tpatil) wrote : | # |
> I see that this convention from the ec2 code made it to this branch.
>
> if context.is_admin:
> groups = db.security_
>
> My preference would be to not list everything for admin users by default, as
> that makes it hard to use admin accounts as users. I'd rather use a separate
> parameter to specify that you in fact want a complete list, or have a separate
> admin api call. That said, I think that servers api behaves like this right
> now (I don't like that either :)
You are right, I have copied this code from Openstack EC2 API and I also agree with you that there should be separate admin API to fetch all security groups.
For now, I will simply remove this code and will add admin API to fetch all security groups sometime later after diablo timeframe.
Vish Ishaya (vishvananda) wrote : | # |
> For now, I will simply remove this code and will add admin API to fetch all security groups sometime later after diablo timeframe.
This is looking good. I will fire this off once you have made this change.
Tushar Patil (tpatil) wrote : | # |
> Bonus points in the other patch for add_security_group to instance and
> delete_
I have already implemented both these methods but until this branch doesn't get merged into trunk I cannot create another branch because of dependency.
Vish Ishaya (vishvananda) wrote : | # |
> I have already implemented both these methods but until this branch doesn't
> get merged into trunk I cannot create another branch because of dependency.
Sure, just add the is_admin change and we'll get this one in. Then you can propose your other branches.
Tushar Patil (tpatil) wrote : | # |
os-keypairs branch is merged into trunk and this is implemented as an extension, so this has impact on my branch as it will break test_extensions unit testcases. I will again merge trunk changes into my branch and make sure all unit testcases are executed properly.
Tushar Patil (tpatil) wrote : | # |
I have fixed broken unit test-cases and is_admin change.
Please review my branch.
Jesse Andrews (anotherjesse) wrote : | # |
Added support to python-novaclient here:
https:/
LGTM
Jesse Andrews (anotherjesse) wrote : | # |
perhaps the ResourceExtension should be:
os-security-
os-security-
the keypairs, quotas, floating ips, ... have had dashes instead of underscores and prefixed with os-
Tushar Patil (tpatil) wrote : | # |
> perhaps the ResourceExtension should be:
>
> os-security-groups
> os-security-
>
> the keypairs, quotas, floating ips, ... have had dashes instead of underscores
> and prefixed with os-
OK, I will prefix os- to the newly added extensions and make changes at the relevant places.
Tushar Patil (tpatil) wrote : | # |
Prefixed with os- for the newly added extensions. Please review.
Jesse Andrews (anotherjesse) wrote : | # |
lgtm - with ed's prior approve I think we have a merge! checking with vish
Preview Diff
1 | === added file 'nova/api/openstack/contrib/security_groups.py' |
2 | --- nova/api/openstack/contrib/security_groups.py 1970-01-01 00:00:00 +0000 |
3 | +++ nova/api/openstack/contrib/security_groups.py 2011-08-12 00:06:25 +0000 |
4 | @@ -0,0 +1,466 @@ |
5 | +# Copyright 2011 OpenStack LLC. |
6 | +# All Rights Reserved. |
7 | +# |
8 | +# Licensed under the Apache License, Version 2.0 (the "License"); you may |
9 | +# not use this file except in compliance with the License. You may obtain |
10 | +# a copy of the License at |
11 | +# |
12 | +# http://www.apache.org/licenses/LICENSE-2.0 |
13 | +# |
14 | +# Unless required by applicable law or agreed to in writing, software |
15 | +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
16 | +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
17 | +# License for the specific language governing permissions and limitations |
18 | +# under the License. |
19 | + |
20 | +"""The security groups extension.""" |
21 | + |
22 | +import netaddr |
23 | +import urllib |
24 | +from webob import exc |
25 | +import webob |
26 | + |
27 | +from nova import compute |
28 | +from nova import db |
29 | +from nova import exception |
30 | +from nova import flags |
31 | +from nova import log as logging |
32 | +from nova.api.openstack import common |
33 | +from nova.api.openstack import extensions |
34 | +from nova.api.openstack import wsgi |
35 | + |
36 | + |
37 | +from xml.dom import minidom |
38 | + |
39 | + |
40 | +LOG = logging.getLogger("nova.api.contrib.security_groups") |
41 | +FLAGS = flags.FLAGS |
42 | + |
43 | + |
44 | +class SecurityGroupController(object): |
45 | + """The Security group API controller for the OpenStack API.""" |
46 | + |
47 | + def __init__(self): |
48 | + self.compute_api = compute.API() |
49 | + super(SecurityGroupController, self).__init__() |
50 | + |
51 | + def _format_security_group_rule(self, context, rule): |
52 | + sg_rule = {} |
53 | + sg_rule['id'] = rule.id |
54 | + sg_rule['parent_group_id'] = rule.parent_group_id |
55 | + sg_rule['ip_protocol'] = rule.protocol |
56 | + sg_rule['from_port'] = rule.from_port |
57 | + sg_rule['to_port'] = rule.to_port |
58 | + sg_rule['group'] = {} |
59 | + sg_rule['ip_range'] = {} |
60 | + if rule.group_id: |
61 | + source_group = db.security_group_get(context, rule.group_id) |
62 | + sg_rule['group'] = {'name': source_group.name, |
63 | + 'tenant_id': source_group.project_id} |
64 | + else: |
65 | + sg_rule['ip_range'] = {'cidr': rule.cidr} |
66 | + return sg_rule |
67 | + |
68 | + def _format_security_group(self, context, group): |
69 | + security_group = {} |
70 | + security_group['id'] = group.id |
71 | + security_group['description'] = group.description |
72 | + security_group['name'] = group.name |
73 | + security_group['tenant_id'] = group.project_id |
74 | + security_group['rules'] = [] |
75 | + for rule in group.rules: |
76 | + security_group['rules'] += [self._format_security_group_rule( |
77 | + context, rule)] |
78 | + return security_group |
79 | + |
80 | + def show(self, req, id): |
81 | + """Return data about the given security group.""" |
82 | + context = req.environ['nova.context'] |
83 | + try: |
84 | + id = int(id) |
85 | + security_group = db.security_group_get(context, id) |
86 | + except ValueError: |
87 | + msg = _("Security group id is not integer") |
88 | + return exc.HTTPBadRequest(explanation=msg) |
89 | + except exception.NotFound as exp: |
90 | + return exc.HTTPNotFound(explanation=unicode(exp)) |
91 | + |
92 | + return {'security_group': self._format_security_group(context, |
93 | + security_group)} |
94 | + |
95 | + def delete(self, req, id): |
96 | + """Delete a security group.""" |
97 | + context = req.environ['nova.context'] |
98 | + try: |
99 | + id = int(id) |
100 | + security_group = db.security_group_get(context, id) |
101 | + except ValueError: |
102 | + msg = _("Security group id is not integer") |
103 | + return exc.HTTPBadRequest(explanation=msg) |
104 | + except exception.SecurityGroupNotFound as exp: |
105 | + return exc.HTTPNotFound(explanation=unicode(exp)) |
106 | + |
107 | + LOG.audit(_("Delete security group %s"), id, context=context) |
108 | + db.security_group_destroy(context, security_group.id) |
109 | + |
110 | + return exc.HTTPAccepted() |
111 | + |
112 | + def index(self, req): |
113 | + """Returns a list of security groups""" |
114 | + context = req.environ['nova.context'] |
115 | + |
116 | + self.compute_api.ensure_default_security_group(context) |
117 | + groups = db.security_group_get_by_project(context, |
118 | + context.project_id) |
119 | + limited_list = common.limited(groups, req) |
120 | + result = [self._format_security_group(context, group) |
121 | + for group in limited_list] |
122 | + |
123 | + return {'security_groups': |
124 | + list(sorted(result, |
125 | + key=lambda k: (k['tenant_id'], k['name'])))} |
126 | + |
127 | + def create(self, req, body): |
128 | + """Creates a new security group.""" |
129 | + context = req.environ['nova.context'] |
130 | + if not body: |
131 | + return exc.HTTPUnprocessableEntity() |
132 | + |
133 | + security_group = body.get('security_group', None) |
134 | + |
135 | + if security_group is None: |
136 | + return exc.HTTPUnprocessableEntity() |
137 | + |
138 | + group_name = security_group.get('name', None) |
139 | + group_description = security_group.get('description', None) |
140 | + |
141 | + self._validate_security_group_property(group_name, "name") |
142 | + self._validate_security_group_property(group_description, |
143 | + "description") |
144 | + group_name = group_name.strip() |
145 | + group_description = group_description.strip() |
146 | + |
147 | + LOG.audit(_("Create Security Group %s"), group_name, context=context) |
148 | + self.compute_api.ensure_default_security_group(context) |
149 | + if db.security_group_exists(context, context.project_id, group_name): |
150 | + msg = _('Security group %s already exists') % group_name |
151 | + raise exc.HTTPBadRequest(explanation=msg) |
152 | + |
153 | + group = {'user_id': context.user_id, |
154 | + 'project_id': context.project_id, |
155 | + 'name': group_name, |
156 | + 'description': group_description} |
157 | + group_ref = db.security_group_create(context, group) |
158 | + |
159 | + return {'security_group': self._format_security_group(context, |
160 | + group_ref)} |
161 | + |
162 | + def _validate_security_group_property(self, value, typ): |
163 | + """ typ will be either 'name' or 'description', |
164 | + depending on the caller |
165 | + """ |
166 | + try: |
167 | + val = value.strip() |
168 | + except AttributeError: |
169 | + msg = _("Security group %s is not a string or unicode") % typ |
170 | + raise exc.HTTPBadRequest(explanation=msg) |
171 | + if not val: |
172 | + msg = _("Security group %s cannot be empty.") % typ |
173 | + raise exc.HTTPBadRequest(explanation=msg) |
174 | + if len(val) > 255: |
175 | + msg = _("Security group %s should not be greater " |
176 | + "than 255 characters.") % typ |
177 | + raise exc.HTTPBadRequest(explanation=msg) |
178 | + |
179 | + |
180 | +class SecurityGroupRulesController(SecurityGroupController): |
181 | + |
182 | + def create(self, req, body): |
183 | + context = req.environ['nova.context'] |
184 | + |
185 | + if not body: |
186 | + raise exc.HTTPUnprocessableEntity() |
187 | + |
188 | + if not 'security_group_rule' in body: |
189 | + raise exc.HTTPUnprocessableEntity() |
190 | + |
191 | + self.compute_api.ensure_default_security_group(context) |
192 | + |
193 | + sg_rule = body['security_group_rule'] |
194 | + parent_group_id = sg_rule.get('parent_group_id', None) |
195 | + try: |
196 | + parent_group_id = int(parent_group_id) |
197 | + security_group = db.security_group_get(context, parent_group_id) |
198 | + except ValueError: |
199 | + msg = _("Parent group id is not integer") |
200 | + return exc.HTTPBadRequest(explanation=msg) |
201 | + except exception.NotFound as exp: |
202 | + msg = _("Security group (%s) not found") % parent_group_id |
203 | + return exc.HTTPNotFound(explanation=msg) |
204 | + |
205 | + msg = _("Authorize security group ingress %s") |
206 | + LOG.audit(msg, security_group['name'], context=context) |
207 | + |
208 | + try: |
209 | + values = self._rule_args_to_dict(context, |
210 | + to_port=sg_rule.get('to_port'), |
211 | + from_port=sg_rule.get('from_port'), |
212 | + parent_group_id=sg_rule.get('parent_group_id'), |
213 | + ip_protocol=sg_rule.get('ip_protocol'), |
214 | + cidr=sg_rule.get('cidr'), |
215 | + group_id=sg_rule.get('group_id')) |
216 | + except Exception as exp: |
217 | + raise exc.HTTPBadRequest(explanation=unicode(exp)) |
218 | + |
219 | + if values is None: |
220 | + msg = _("Not enough parameters to build a " |
221 | + "valid rule.") |
222 | + raise exc.HTTPBadRequest(explanation=msg) |
223 | + |
224 | + values['parent_group_id'] = security_group.id |
225 | + |
226 | + if self._security_group_rule_exists(security_group, values): |
227 | + msg = _('This rule already exists in group %s') % parent_group_id |
228 | + raise exc.HTTPBadRequest(explanation=msg) |
229 | + |
230 | + security_group_rule = db.security_group_rule_create(context, values) |
231 | + |
232 | + self.compute_api.trigger_security_group_rules_refresh(context, |
233 | + security_group_id=security_group['id']) |
234 | + |
235 | + return {'security_group_rule': self._format_security_group_rule( |
236 | + context, |
237 | + security_group_rule)} |
238 | + |
239 | + def _security_group_rule_exists(self, security_group, values): |
240 | + """Indicates whether the specified rule values are already |
241 | + defined in the given security group. |
242 | + """ |
243 | + for rule in security_group.rules: |
244 | + if 'group_id' in values: |
245 | + if rule['group_id'] == values['group_id']: |
246 | + return True |
247 | + else: |
248 | + is_duplicate = True |
249 | + for key in ('cidr', 'from_port', 'to_port', 'protocol'): |
250 | + if rule[key] != values[key]: |
251 | + is_duplicate = False |
252 | + break |
253 | + if is_duplicate: |
254 | + return True |
255 | + return False |
256 | + |
257 | + def _rule_args_to_dict(self, context, to_port=None, from_port=None, |
258 | + parent_group_id=None, ip_protocol=None, |
259 | + cidr=None, group_id=None): |
260 | + values = {} |
261 | + |
262 | + if group_id: |
263 | + try: |
264 | + parent_group_id = int(parent_group_id) |
265 | + group_id = int(group_id) |
266 | + except ValueError: |
267 | + msg = _("Parent or group id is not integer") |
268 | + raise exception.InvalidInput(reason=msg) |
269 | + |
270 | + if parent_group_id == group_id: |
271 | + msg = _("Parent group id and group id cannot be same") |
272 | + raise exception.InvalidInput(reason=msg) |
273 | + |
274 | + values['group_id'] = group_id |
275 | + #check if groupId exists |
276 | + db.security_group_get(context, group_id) |
277 | + elif cidr: |
278 | + # If this fails, it throws an exception. This is what we want. |
279 | + try: |
280 | + cidr = urllib.unquote(cidr).decode() |
281 | + netaddr.IPNetwork(cidr) |
282 | + except Exception: |
283 | + raise exception.InvalidCidr(cidr=cidr) |
284 | + values['cidr'] = cidr |
285 | + else: |
286 | + values['cidr'] = '0.0.0.0/0' |
287 | + |
288 | + if ip_protocol and from_port and to_port: |
289 | + |
290 | + try: |
291 | + from_port = int(from_port) |
292 | + to_port = int(to_port) |
293 | + except ValueError: |
294 | + raise exception.InvalidPortRange(from_port=from_port, |
295 | + to_port=to_port) |
296 | + ip_protocol = str(ip_protocol) |
297 | + if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']: |
298 | + raise exception.InvalidIpProtocol(protocol=ip_protocol) |
299 | + if ((min(from_port, to_port) < -1) or |
300 | + (max(from_port, to_port) > 65535)): |
301 | + raise exception.InvalidPortRange(from_port=from_port, |
302 | + to_port=to_port) |
303 | + |
304 | + values['protocol'] = ip_protocol |
305 | + values['from_port'] = from_port |
306 | + values['to_port'] = to_port |
307 | + else: |
308 | + # If cidr based filtering, protocol and ports are mandatory |
309 | + if 'cidr' in values: |
310 | + return None |
311 | + |
312 | + return values |
313 | + |
314 | + def delete(self, req, id): |
315 | + context = req.environ['nova.context'] |
316 | + |
317 | + self.compute_api.ensure_default_security_group(context) |
318 | + try: |
319 | + id = int(id) |
320 | + rule = db.security_group_rule_get(context, id) |
321 | + except ValueError: |
322 | + msg = _("Rule id is not integer") |
323 | + return exc.HTTPBadRequest(explanation=msg) |
324 | + except exception.NotFound as exp: |
325 | + msg = _("Rule (%s) not found") % id |
326 | + return exc.HTTPNotFound(explanation=msg) |
327 | + |
328 | + group_id = rule.parent_group_id |
329 | + self.compute_api.ensure_default_security_group(context) |
330 | + security_group = db.security_group_get(context, group_id) |
331 | + |
332 | + msg = _("Revoke security group ingress %s") |
333 | + LOG.audit(msg, security_group['name'], context=context) |
334 | + |
335 | + db.security_group_rule_destroy(context, rule['id']) |
336 | + self.compute_api.trigger_security_group_rules_refresh(context, |
337 | + security_group_id=security_group['id']) |
338 | + |
339 | + return exc.HTTPAccepted() |
340 | + |
341 | + |
342 | +class Security_groups(extensions.ExtensionDescriptor): |
343 | + def get_name(self): |
344 | + return "SecurityGroups" |
345 | + |
346 | + def get_alias(self): |
347 | + return "security_groups" |
348 | + |
349 | + def get_description(self): |
350 | + return "Security group support" |
351 | + |
352 | + def get_namespace(self): |
353 | + return "http://docs.openstack.org/ext/securitygroups/api/v1.1" |
354 | + |
355 | + def get_updated(self): |
356 | + return "2011-07-21T00:00:00+00:00" |
357 | + |
358 | + def get_resources(self): |
359 | + resources = [] |
360 | + |
361 | + metadata = _get_metadata() |
362 | + body_serializers = { |
363 | + 'application/xml': wsgi.XMLDictSerializer(metadata=metadata, |
364 | + xmlns=wsgi.XMLNS_V11), |
365 | + } |
366 | + serializer = wsgi.ResponseSerializer(body_serializers, None) |
367 | + |
368 | + body_deserializers = { |
369 | + 'application/xml': SecurityGroupXMLDeserializer(), |
370 | + } |
371 | + deserializer = wsgi.RequestDeserializer(body_deserializers) |
372 | + |
373 | + res = extensions.ResourceExtension('os-security-groups', |
374 | + controller=SecurityGroupController(), |
375 | + deserializer=deserializer, |
376 | + serializer=serializer) |
377 | + |
378 | + resources.append(res) |
379 | + |
380 | + body_deserializers = { |
381 | + 'application/xml': SecurityGroupRulesXMLDeserializer(), |
382 | + } |
383 | + deserializer = wsgi.RequestDeserializer(body_deserializers) |
384 | + |
385 | + res = extensions.ResourceExtension('os-security-group-rules', |
386 | + controller=SecurityGroupRulesController(), |
387 | + deserializer=deserializer, |
388 | + serializer=serializer) |
389 | + resources.append(res) |
390 | + return resources |
391 | + |
392 | + |
393 | +class SecurityGroupXMLDeserializer(wsgi.MetadataXMLDeserializer): |
394 | + """ |
395 | + Deserializer to handle xml-formatted security group requests. |
396 | + """ |
397 | + def create(self, string): |
398 | + """Deserialize an xml-formatted security group create request""" |
399 | + dom = minidom.parseString(string) |
400 | + security_group = {} |
401 | + sg_node = self.find_first_child_named(dom, |
402 | + 'security_group') |
403 | + if sg_node is not None: |
404 | + if sg_node.hasAttribute('name'): |
405 | + security_group['name'] = sg_node.getAttribute('name') |
406 | + desc_node = self.find_first_child_named(sg_node, |
407 | + "description") |
408 | + if desc_node: |
409 | + security_group['description'] = self.extract_text(desc_node) |
410 | + return {'body': {'security_group': security_group}} |
411 | + |
412 | + |
413 | +class SecurityGroupRulesXMLDeserializer(wsgi.MetadataXMLDeserializer): |
414 | + """ |
415 | + Deserializer to handle xml-formatted security group requests. |
416 | + """ |
417 | + |
418 | + def create(self, string): |
419 | + """Deserialize an xml-formatted security group create request""" |
420 | + dom = minidom.parseString(string) |
421 | + security_group_rule = self._extract_security_group_rule(dom) |
422 | + return {'body': {'security_group_rule': security_group_rule}} |
423 | + |
424 | + def _extract_security_group_rule(self, node): |
425 | + """Marshal the security group rule attribute of a parsed request""" |
426 | + sg_rule = {} |
427 | + sg_rule_node = self.find_first_child_named(node, |
428 | + 'security_group_rule') |
429 | + if sg_rule_node is not None: |
430 | + ip_protocol_node = self.find_first_child_named(sg_rule_node, |
431 | + "ip_protocol") |
432 | + if ip_protocol_node is not None: |
433 | + sg_rule['ip_protocol'] = self.extract_text(ip_protocol_node) |
434 | + |
435 | + from_port_node = self.find_first_child_named(sg_rule_node, |
436 | + "from_port") |
437 | + if from_port_node is not None: |
438 | + sg_rule['from_port'] = self.extract_text(from_port_node) |
439 | + |
440 | + to_port_node = self.find_first_child_named(sg_rule_node, "to_port") |
441 | + if to_port_node is not None: |
442 | + sg_rule['to_port'] = self.extract_text(to_port_node) |
443 | + |
444 | + parent_group_id_node = self.find_first_child_named(sg_rule_node, |
445 | + "parent_group_id") |
446 | + if parent_group_id_node is not None: |
447 | + sg_rule['parent_group_id'] = self.extract_text( |
448 | + parent_group_id_node) |
449 | + |
450 | + group_id_node = self.find_first_child_named(sg_rule_node, |
451 | + "group_id") |
452 | + if group_id_node is not None: |
453 | + sg_rule['group_id'] = self.extract_text(group_id_node) |
454 | + |
455 | + cidr_node = self.find_first_child_named(sg_rule_node, "cidr") |
456 | + if cidr_node is not None: |
457 | + sg_rule['cidr'] = self.extract_text(cidr_node) |
458 | + |
459 | + return sg_rule |
460 | + |
461 | + |
462 | +def _get_metadata(): |
463 | + metadata = { |
464 | + "attributes": { |
465 | + "security_group": ["id", "tenant_id", "name"], |
466 | + "rule": ["id", "parent_group_id"], |
467 | + "security_group_rule": ["id", "parent_group_id"], |
468 | + } |
469 | + } |
470 | + return metadata |
471 | |
472 | === modified file 'nova/api/openstack/extensions.py' |
473 | --- nova/api/openstack/extensions.py 2011-08-09 22:46:57 +0000 |
474 | +++ nova/api/openstack/extensions.py 2011-08-12 00:06:25 +0000 |
475 | @@ -266,9 +266,13 @@ |
476 | for resource in ext_mgr.get_resources(): |
477 | LOG.debug(_('Extended resource: %s'), |
478 | resource.collection) |
479 | + if resource.serializer is None: |
480 | + resource.serializer = serializer |
481 | + |
482 | mapper.resource(resource.collection, resource.collection, |
483 | controller=wsgi.Resource( |
484 | - resource.controller, serializer=serializer), |
485 | + resource.controller, resource.deserializer, |
486 | + resource.serializer), |
487 | collection=resource.collection_actions, |
488 | member=resource.member_actions, |
489 | parent_resource=resource.parent) |
490 | @@ -461,7 +465,8 @@ |
491 | """Add top level resources to the OpenStack API in nova.""" |
492 | |
493 | def __init__(self, collection, controller, parent=None, |
494 | - collection_actions=None, member_actions=None): |
495 | + collection_actions=None, member_actions=None, |
496 | + deserializer=None, serializer=None): |
497 | if not collection_actions: |
498 | collection_actions = {} |
499 | if not member_actions: |
500 | @@ -471,6 +476,8 @@ |
501 | self.parent = parent |
502 | self.collection_actions = collection_actions |
503 | self.member_actions = member_actions |
504 | + self.deserializer = deserializer |
505 | + self.serializer = serializer |
506 | |
507 | |
508 | class ExtensionsXMLSerializer(wsgi.XMLDictSerializer): |
509 | |
510 | === modified file 'nova/db/api.py' |
511 | --- nova/db/api.py 2011-07-07 12:56:15 +0000 |
512 | +++ nova/db/api.py 2011-08-12 00:06:25 +0000 |
513 | @@ -1102,6 +1102,11 @@ |
514 | return IMPL.security_group_rule_destroy(context, security_group_rule_id) |
515 | |
516 | |
517 | +def security_group_rule_get(context, security_group_rule_id): |
518 | + """Gets a security group rule.""" |
519 | + return IMPL.security_group_rule_get(context, security_group_rule_id) |
520 | + |
521 | + |
522 | ################### |
523 | |
524 | |
525 | |
526 | === modified file 'nova/exception.py' |
527 | --- nova/exception.py 2011-08-09 12:47:47 +0000 |
528 | +++ nova/exception.py 2011-08-12 00:06:25 +0000 |
529 | @@ -209,6 +209,10 @@ |
530 | message = _("Invalid content type %(content_type)s.") |
531 | |
532 | |
533 | +class InvalidCidr(Invalid): |
534 | + message = _("Invalid cidr %(cidr)s.") |
535 | + |
536 | + |
537 | # Cannot be templated as the error syntax varies. |
538 | # msg needs to be constructed when raised. |
539 | class InvalidParameterValue(Invalid): |
540 | |
541 | === added file 'nova/tests/api/openstack/contrib/test_security_groups.py' |
542 | --- nova/tests/api/openstack/contrib/test_security_groups.py 1970-01-01 00:00:00 +0000 |
543 | +++ nova/tests/api/openstack/contrib/test_security_groups.py 2011-08-12 00:06:25 +0000 |
544 | @@ -0,0 +1,761 @@ |
545 | +# vim: tabstop=4 shiftwidth=4 softtabstop=4 |
546 | + |
547 | +# Copyright 2011 OpenStack LLC |
548 | +# |
549 | +# Licensed under the Apache License, Version 2.0 (the "License"); you may |
550 | +# not use this file except in compliance with the License. You may obtain |
551 | +# a copy of the License at |
552 | +# |
553 | +# http://www.apache.org/licenses/LICENSE-2.0 |
554 | +# |
555 | +# Unless required by applicable law or agreed to in writing, software |
556 | +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
557 | +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
558 | +# License for the specific language governing permissions and limitations |
559 | +# under the License. |
560 | + |
561 | +import json |
562 | +import unittest |
563 | +import webob |
564 | +from xml.dom import minidom |
565 | + |
566 | +from nova import test |
567 | +from nova.api.openstack.contrib import security_groups |
568 | +from nova.tests.api.openstack import fakes |
569 | + |
570 | + |
571 | +def _get_create_request_json(body_dict): |
572 | + req = webob.Request.blank('/v1.1/os-security-groups') |
573 | + req.headers['Content-Type'] = 'application/json' |
574 | + req.method = 'POST' |
575 | + req.body = json.dumps(body_dict) |
576 | + return req |
577 | + |
578 | + |
579 | +def _create_security_group_json(security_group): |
580 | + body_dict = _create_security_group_request_dict(security_group) |
581 | + request = _get_create_request_json(body_dict) |
582 | + response = request.get_response(fakes.wsgi_app()) |
583 | + return response |
584 | + |
585 | + |
586 | +def _create_security_group_request_dict(security_group): |
587 | + sg = {} |
588 | + if security_group is not None: |
589 | + name = security_group.get('name', None) |
590 | + description = security_group.get('description', None) |
591 | + if name: |
592 | + sg['name'] = security_group['name'] |
593 | + if description: |
594 | + sg['description'] = security_group['description'] |
595 | + return {'security_group': sg} |
596 | + |
597 | + |
598 | +class TestSecurityGroups(test.TestCase): |
599 | + def setUp(self): |
600 | + super(TestSecurityGroups, self).setUp() |
601 | + |
602 | + def tearDown(self): |
603 | + super(TestSecurityGroups, self).tearDown() |
604 | + |
605 | + def _create_security_group_request_dict(self, security_group): |
606 | + sg = {} |
607 | + if security_group is not None: |
608 | + name = security_group.get('name', None) |
609 | + description = security_group.get('description', None) |
610 | + if name: |
611 | + sg['name'] = security_group['name'] |
612 | + if description: |
613 | + sg['description'] = security_group['description'] |
614 | + return {'security_group': sg} |
615 | + |
616 | + def _format_create_xml_request_body(self, body_dict): |
617 | + sg = body_dict['security_group'] |
618 | + body_parts = [] |
619 | + body_parts.extend([ |
620 | + '<?xml version="1.0" encoding="UTF-8"?>', |
621 | + '<security_group xmlns="http://docs.openstack.org/ext/' |
622 | + 'securitygroups/api/v1.1"', |
623 | + ' name="%s">' % (sg['name'])]) |
624 | + if 'description' in sg: |
625 | + body_parts.append('<description>%s</description>' |
626 | + % sg['description']) |
627 | + body_parts.append('</security_group>') |
628 | + return ''.join(body_parts) |
629 | + |
630 | + def _get_create_request_xml(self, body_dict): |
631 | + req = webob.Request.blank('/v1.1/os-security-groups') |
632 | + req.headers['Content-Type'] = 'application/xml' |
633 | + req.content_type = 'application/xml' |
634 | + req.accept = 'application/xml' |
635 | + req.method = 'POST' |
636 | + req.body = self._format_create_xml_request_body(body_dict) |
637 | + return req |
638 | + |
639 | + def _create_security_group_xml(self, security_group): |
640 | + body_dict = self._create_security_group_request_dict(security_group) |
641 | + request = self._get_create_request_xml(body_dict) |
642 | + response = request.get_response(fakes.wsgi_app()) |
643 | + return response |
644 | + |
645 | + def _delete_security_group(self, id): |
646 | + request = webob.Request.blank('/v1.1/os-security-groups/%s' |
647 | + % id) |
648 | + request.method = 'DELETE' |
649 | + response = request.get_response(fakes.wsgi_app()) |
650 | + return response |
651 | + |
652 | + def test_create_security_group_json(self): |
653 | + security_group = {} |
654 | + security_group['name'] = "test" |
655 | + security_group['description'] = "group-description" |
656 | + response = _create_security_group_json(security_group) |
657 | + res_dict = json.loads(response.body) |
658 | + self.assertEqual(res_dict['security_group']['name'], "test") |
659 | + self.assertEqual(res_dict['security_group']['description'], |
660 | + "group-description") |
661 | + self.assertEquals(response.status_int, 200) |
662 | + |
663 | + def test_create_security_group_xml(self): |
664 | + security_group = {} |
665 | + security_group['name'] = "test" |
666 | + security_group['description'] = "group-description" |
667 | + response = \ |
668 | + self._create_security_group_xml(security_group) |
669 | + |
670 | + self.assertEquals(response.status_int, 200) |
671 | + dom = minidom.parseString(response.body) |
672 | + sg = dom.childNodes[0] |
673 | + self.assertEquals(sg.nodeName, 'security_group') |
674 | + self.assertEqual(security_group['name'], sg.getAttribute('name')) |
675 | + |
676 | + def test_create_security_group_with_no_name_json(self): |
677 | + security_group = {} |
678 | + security_group['description'] = "group-description" |
679 | + response = _create_security_group_json(security_group) |
680 | + self.assertEquals(response.status_int, 400) |
681 | + |
682 | + def test_create_security_group_with_no_description_json(self): |
683 | + security_group = {} |
684 | + security_group['name'] = "test" |
685 | + response = _create_security_group_json(security_group) |
686 | + self.assertEquals(response.status_int, 400) |
687 | + |
688 | + def test_create_security_group_with_blank_name_json(self): |
689 | + security_group = {} |
690 | + security_group['name'] = "" |
691 | + security_group['description'] = "group-description" |
692 | + response = _create_security_group_json(security_group) |
693 | + self.assertEquals(response.status_int, 400) |
694 | + |
695 | + def test_create_security_group_with_whitespace_name_json(self): |
696 | + security_group = {} |
697 | + security_group['name'] = " " |
698 | + security_group['description'] = "group-description" |
699 | + response = _create_security_group_json(security_group) |
700 | + self.assertEquals(response.status_int, 400) |
701 | + |
702 | + def test_create_security_group_with_blank_description_json(self): |
703 | + security_group = {} |
704 | + security_group['name'] = "test" |
705 | + security_group['description'] = "" |
706 | + response = _create_security_group_json(security_group) |
707 | + self.assertEquals(response.status_int, 400) |
708 | + |
709 | + def test_create_security_group_with_whitespace_description_json(self): |
710 | + security_group = {} |
711 | + security_group['name'] = "name" |
712 | + security_group['description'] = " " |
713 | + response = _create_security_group_json(security_group) |
714 | + self.assertEquals(response.status_int, 400) |
715 | + |
716 | + def test_create_security_group_with_duplicate_name_json(self): |
717 | + security_group = {} |
718 | + security_group['name'] = "test" |
719 | + security_group['description'] = "group-description" |
720 | + response = _create_security_group_json(security_group) |
721 | + |
722 | + self.assertEquals(response.status_int, 200) |
723 | + response = _create_security_group_json(security_group) |
724 | + self.assertEquals(response.status_int, 400) |
725 | + |
726 | + def test_create_security_group_with_no_body_json(self): |
727 | + request = _get_create_request_json(body_dict=None) |
728 | + response = request.get_response(fakes.wsgi_app()) |
729 | + self.assertEquals(response.status_int, 422) |
730 | + |
731 | + def test_create_security_group_with_no_security_group(self): |
732 | + body_dict = {} |
733 | + body_dict['no-securityGroup'] = None |
734 | + request = _get_create_request_json(body_dict) |
735 | + response = request.get_response(fakes.wsgi_app()) |
736 | + self.assertEquals(response.status_int, 422) |
737 | + |
738 | + def test_create_security_group_above_255_characters_name_json(self): |
739 | + security_group = {} |
740 | + security_group['name'] = ("1234567890123456" |
741 | + "1234567890123456789012345678901234567890" |
742 | + "1234567890123456789012345678901234567890" |
743 | + "1234567890123456789012345678901234567890" |
744 | + "1234567890123456789012345678901234567890" |
745 | + "1234567890123456789012345678901234567890" |
746 | + "1234567890123456789012345678901234567890") |
747 | + security_group['description'] = "group-description" |
748 | + response = _create_security_group_json(security_group) |
749 | + |
750 | + self.assertEquals(response.status_int, 400) |
751 | + |
752 | + def test_create_security_group_above_255_characters_description_json(self): |
753 | + security_group = {} |
754 | + security_group['name'] = "test" |
755 | + security_group['description'] = ("1234567890123456" |
756 | + "1234567890123456789012345678901234567890" |
757 | + "1234567890123456789012345678901234567890" |
758 | + "1234567890123456789012345678901234567890" |
759 | + "1234567890123456789012345678901234567890" |
760 | + "1234567890123456789012345678901234567890" |
761 | + "1234567890123456789012345678901234567890") |
762 | + response = _create_security_group_json(security_group) |
763 | + self.assertEquals(response.status_int, 400) |
764 | + |
765 | + def test_create_security_group_non_string_name_json(self): |
766 | + security_group = {} |
767 | + security_group['name'] = 12 |
768 | + security_group['description'] = "group-description" |
769 | + response = _create_security_group_json(security_group) |
770 | + self.assertEquals(response.status_int, 400) |
771 | + |
772 | + def test_create_security_group_non_string_description_json(self): |
773 | + security_group = {} |
774 | + security_group['name'] = "test" |
775 | + security_group['description'] = 12 |
776 | + response = _create_security_group_json(security_group) |
777 | + self.assertEquals(response.status_int, 400) |
778 | + |
779 | + def test_get_security_group_list(self): |
780 | + security_group = {} |
781 | + security_group['name'] = "test" |
782 | + security_group['description'] = "group-description" |
783 | + response = _create_security_group_json(security_group) |
784 | + |
785 | + req = webob.Request.blank('/v1.1/os-security-groups') |
786 | + req.headers['Content-Type'] = 'application/json' |
787 | + req.method = 'GET' |
788 | + response = req.get_response(fakes.wsgi_app()) |
789 | + res_dict = json.loads(response.body) |
790 | + |
791 | + expected = {'security_groups': [ |
792 | + {'id': 1, |
793 | + 'name':"default", |
794 | + 'tenant_id': "fake", |
795 | + "description":"default", |
796 | + "rules": [] |
797 | + }, |
798 | + ] |
799 | + } |
800 | + expected['security_groups'].append( |
801 | + { |
802 | + 'id': 2, |
803 | + 'name': "test", |
804 | + 'tenant_id': "fake", |
805 | + "description": "group-description", |
806 | + "rules": [] |
807 | + } |
808 | + ) |
809 | + self.assertEquals(response.status_int, 200) |
810 | + self.assertEquals(res_dict, expected) |
811 | + |
812 | + def test_get_security_group_by_id(self): |
813 | + security_group = {} |
814 | + security_group['name'] = "test" |
815 | + security_group['description'] = "group-description" |
816 | + response = _create_security_group_json(security_group) |
817 | + |
818 | + res_dict = json.loads(response.body) |
819 | + req = webob.Request.blank('/v1.1/os-security-groups/%s' % |
820 | + res_dict['security_group']['id']) |
821 | + req.headers['Content-Type'] = 'application/json' |
822 | + req.method = 'GET' |
823 | + response = req.get_response(fakes.wsgi_app()) |
824 | + res_dict = json.loads(response.body) |
825 | + |
826 | + expected = { |
827 | + 'security_group': { |
828 | + 'id': 2, |
829 | + 'name': "test", |
830 | + 'tenant_id': "fake", |
831 | + 'description': "group-description", |
832 | + 'rules': [] |
833 | + } |
834 | + } |
835 | + self.assertEquals(response.status_int, 200) |
836 | + self.assertEquals(res_dict, expected) |
837 | + |
838 | + def test_get_security_group_by_invalid_id(self): |
839 | + req = webob.Request.blank('/v1.1/os-security-groups/invalid') |
840 | + req.headers['Content-Type'] = 'application/json' |
841 | + req.method = 'GET' |
842 | + response = req.get_response(fakes.wsgi_app()) |
843 | + self.assertEquals(response.status_int, 400) |
844 | + |
845 | + def test_get_security_group_by_non_existing_id(self): |
846 | + req = webob.Request.blank('/v1.1/os-security-groups/111111111') |
847 | + req.headers['Content-Type'] = 'application/json' |
848 | + req.method = 'GET' |
849 | + response = req.get_response(fakes.wsgi_app()) |
850 | + self.assertEquals(response.status_int, 404) |
851 | + |
852 | + def test_delete_security_group_by_id(self): |
853 | + security_group = {} |
854 | + security_group['name'] = "test" |
855 | + security_group['description'] = "group-description" |
856 | + response = _create_security_group_json(security_group) |
857 | + security_group = json.loads(response.body)['security_group'] |
858 | + response = self._delete_security_group(security_group['id']) |
859 | + self.assertEquals(response.status_int, 202) |
860 | + |
861 | + response = self._delete_security_group(security_group['id']) |
862 | + self.assertEquals(response.status_int, 404) |
863 | + |
864 | + def test_delete_security_group_by_invalid_id(self): |
865 | + response = self._delete_security_group('invalid') |
866 | + self.assertEquals(response.status_int, 400) |
867 | + |
868 | + def test_delete_security_group_by_non_existing_id(self): |
869 | + response = self._delete_security_group(11111111) |
870 | + self.assertEquals(response.status_int, 404) |
871 | + |
872 | + |
873 | +class TestSecurityGroupRules(test.TestCase): |
874 | + def setUp(self): |
875 | + super(TestSecurityGroupRules, self).setUp() |
876 | + security_group = {} |
877 | + security_group['name'] = "authorize-revoke" |
878 | + security_group['description'] = ("Security group created for " |
879 | + " authorize-revoke testing") |
880 | + response = _create_security_group_json(security_group) |
881 | + security_group = json.loads(response.body) |
882 | + self.parent_security_group = security_group['security_group'] |
883 | + |
884 | + rules = { |
885 | + "security_group_rule": { |
886 | + "ip_protocol": "tcp", |
887 | + "from_port": "22", |
888 | + "to_port": "22", |
889 | + "parent_group_id": self.parent_security_group['id'], |
890 | + "cidr": "10.0.0.0/24" |
891 | + } |
892 | + } |
893 | + res = self._create_security_group_rule_json(rules) |
894 | + self.assertEquals(res.status_int, 200) |
895 | + self.security_group_rule = json.loads(res.body)['security_group_rule'] |
896 | + |
897 | + def tearDown(self): |
898 | + super(TestSecurityGroupRules, self).tearDown() |
899 | + |
900 | + def _create_security_group_rule_json(self, rules): |
901 | + request = webob.Request.blank('/v1.1/os-security-group-rules') |
902 | + request.headers['Content-Type'] = 'application/json' |
903 | + request.method = 'POST' |
904 | + request.body = json.dumps(rules) |
905 | + response = request.get_response(fakes.wsgi_app()) |
906 | + return response |
907 | + |
908 | + def _delete_security_group_rule(self, id): |
909 | + request = webob.Request.blank('/v1.1/os-security-group-rules/%s' |
910 | + % id) |
911 | + request.method = 'DELETE' |
912 | + response = request.get_response(fakes.wsgi_app()) |
913 | + return response |
914 | + |
915 | + def test_create_by_cidr_json(self): |
916 | + rules = { |
917 | + "security_group_rule": { |
918 | + "ip_protocol": "tcp", |
919 | + "from_port": "22", |
920 | + "to_port": "22", |
921 | + "parent_group_id": 2, |
922 | + "cidr": "10.2.3.124/24" |
923 | + } |
924 | + } |
925 | + |
926 | + response = self._create_security_group_rule_json(rules) |
927 | + security_group_rule = json.loads(response.body)['security_group_rule'] |
928 | + self.assertEquals(response.status_int, 200) |
929 | + self.assertNotEquals(security_group_rule['id'], 0) |
930 | + self.assertEquals(security_group_rule['parent_group_id'], 2) |
931 | + self.assertEquals(security_group_rule['ip_range']['cidr'], |
932 | + "10.2.3.124/24") |
933 | + |
934 | + def test_create_by_group_id_json(self): |
935 | + rules = { |
936 | + "security_group_rule": { |
937 | + "ip_protocol": "tcp", |
938 | + "from_port": "22", |
939 | + "to_port": "22", |
940 | + "group_id": "1", |
941 | + "parent_group_id": "%s" |
942 | + % self.parent_security_group['id'], |
943 | + } |
944 | + } |
945 | + |
946 | + response = self._create_security_group_rule_json(rules) |
947 | + self.assertEquals(response.status_int, 200) |
948 | + security_group_rule = json.loads(response.body)['security_group_rule'] |
949 | + self.assertNotEquals(security_group_rule['id'], 0) |
950 | + self.assertEquals(security_group_rule['parent_group_id'], 2) |
951 | + |
952 | + def test_create_add_existing_rules_json(self): |
953 | + rules = { |
954 | + "security_group_rule": { |
955 | + "ip_protocol": "tcp", |
956 | + "from_port": "22", |
957 | + "to_port": "22", |
958 | + "cidr": "10.0.0.0/24", |
959 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
960 | + } |
961 | + } |
962 | + |
963 | + response = self._create_security_group_rule_json(rules) |
964 | + self.assertEquals(response.status_int, 400) |
965 | + |
966 | + def test_create_with_no_body_json(self): |
967 | + request = webob.Request.blank('/v1.1/os-security-group-rules') |
968 | + request.headers['Content-Type'] = 'application/json' |
969 | + request.method = 'POST' |
970 | + request.body = json.dumps(None) |
971 | + response = request.get_response(fakes.wsgi_app()) |
972 | + self.assertEquals(response.status_int, 422) |
973 | + |
974 | + def test_create_with_no_security_group_rule_in_body_json(self): |
975 | + request = webob.Request.blank('/v1.1/os-security-group-rules') |
976 | + request.headers['Content-Type'] = 'application/json' |
977 | + request.method = 'POST' |
978 | + body_dict = {'test': "test"} |
979 | + request.body = json.dumps(body_dict) |
980 | + response = request.get_response(fakes.wsgi_app()) |
981 | + self.assertEquals(response.status_int, 422) |
982 | + |
983 | + def test_create_with_invalid_parent_group_id_json(self): |
984 | + rules = { |
985 | + "security_group_rule": { |
986 | + "ip_protocol": "tcp", |
987 | + "from_port": "22", |
988 | + "to_port": "22", |
989 | + "parent_group_id": "invalid" |
990 | + } |
991 | + } |
992 | + |
993 | + response = self._create_security_group_rule_json(rules) |
994 | + self.assertEquals(response.status_int, 400) |
995 | + |
996 | + def test_create_with_non_existing_parent_group_id_json(self): |
997 | + rules = { |
998 | + "security_group_rule": { |
999 | + "ip_protocol": "tcp", |
1000 | + "from_port": "22", |
1001 | + "to_port": "22", |
1002 | + "group_id": "invalid", |
1003 | + "parent_group_id": "1111111111111" |
1004 | + } |
1005 | + } |
1006 | + |
1007 | + response = self._create_security_group_rule_json(rules) |
1008 | + self.assertEquals(response.status_int, 404) |
1009 | + |
1010 | + def test_create_with_invalid_protocol_json(self): |
1011 | + rules = { |
1012 | + "security_group_rule": { |
1013 | + "ip_protocol": "invalid-protocol", |
1014 | + "from_port": "22", |
1015 | + "to_port": "22", |
1016 | + "cidr": "10.2.2.0/24", |
1017 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1018 | + } |
1019 | + } |
1020 | + |
1021 | + response = self._create_security_group_rule_json(rules) |
1022 | + self.assertEquals(response.status_int, 400) |
1023 | + |
1024 | + def test_create_with_no_protocol_json(self): |
1025 | + rules = { |
1026 | + "security_group_rule": { |
1027 | + "from_port": "22", |
1028 | + "to_port": "22", |
1029 | + "cidr": "10.2.2.0/24", |
1030 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1031 | + } |
1032 | + } |
1033 | + |
1034 | + response = self._create_security_group_rule_json(rules) |
1035 | + self.assertEquals(response.status_int, 400) |
1036 | + |
1037 | + def test_create_with_invalid_from_port_json(self): |
1038 | + rules = { |
1039 | + "security_group_rule": { |
1040 | + "ip_protocol": "tcp", |
1041 | + "from_port": "666666", |
1042 | + "to_port": "22", |
1043 | + "cidr": "10.2.2.0/24", |
1044 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1045 | + } |
1046 | + } |
1047 | + |
1048 | + response = self._create_security_group_rule_json(rules) |
1049 | + self.assertEquals(response.status_int, 400) |
1050 | + |
1051 | + def test_create_with_invalid_to_port_json(self): |
1052 | + rules = { |
1053 | + "security_group_rule": { |
1054 | + "ip_protocol": "tcp", |
1055 | + "from_port": "22", |
1056 | + "to_port": "666666", |
1057 | + "cidr": "10.2.2.0/24", |
1058 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1059 | + } |
1060 | + } |
1061 | + |
1062 | + response = self._create_security_group_rule_json(rules) |
1063 | + self.assertEquals(response.status_int, 400) |
1064 | + |
1065 | + def test_create_with_non_numerical_from_port_json(self): |
1066 | + rules = { |
1067 | + "security_group_rule": { |
1068 | + "ip_protocol": "tcp", |
1069 | + "from_port": "invalid", |
1070 | + "to_port": "22", |
1071 | + "cidr": "10.2.2.0/24", |
1072 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1073 | + } |
1074 | + } |
1075 | + |
1076 | + response = self._create_security_group_rule_json(rules) |
1077 | + self.assertEquals(response.status_int, 400) |
1078 | + |
1079 | + def test_create_with_non_numerical_to_port_json(self): |
1080 | + rules = { |
1081 | + "security_group_rule": { |
1082 | + "ip_protocol": "tcp", |
1083 | + "from_port": "22", |
1084 | + "to_port": "invalid", |
1085 | + "cidr": "10.2.2.0/24", |
1086 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1087 | + } |
1088 | + } |
1089 | + |
1090 | + response = self._create_security_group_rule_json(rules) |
1091 | + self.assertEquals(response.status_int, 400) |
1092 | + |
1093 | + def test_create_with_no_to_port_json(self): |
1094 | + rules = { |
1095 | + "security_group_rule": { |
1096 | + "ip_protocol": "tcp", |
1097 | + "from_port": "22", |
1098 | + "cidr": "10.2.2.0/24", |
1099 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1100 | + } |
1101 | + } |
1102 | + |
1103 | + response = self._create_security_group_rule_json(rules) |
1104 | + self.assertEquals(response.status_int, 400) |
1105 | + |
1106 | + def test_create_with_invalid_cidr_json(self): |
1107 | + rules = { |
1108 | + "security_group_rule": { |
1109 | + "ip_protocol": "tcp", |
1110 | + "from_port": "22", |
1111 | + "to_port": "22", |
1112 | + "cidr": "10.2.22222.0/24", |
1113 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1114 | + } |
1115 | + } |
1116 | + |
1117 | + response = self._create_security_group_rule_json(rules) |
1118 | + self.assertEquals(response.status_int, 400) |
1119 | + |
1120 | + def test_create_with_no_cidr_group_json(self): |
1121 | + rules = { |
1122 | + "security_group_rule": { |
1123 | + "ip_protocol": "tcp", |
1124 | + "from_port": "22", |
1125 | + "to_port": "22", |
1126 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1127 | + } |
1128 | + } |
1129 | + |
1130 | + response = self._create_security_group_rule_json(rules) |
1131 | + security_group_rule = json.loads(response.body)['security_group_rule'] |
1132 | + self.assertEquals(response.status_int, 200) |
1133 | + self.assertNotEquals(security_group_rule['id'], 0) |
1134 | + self.assertEquals(security_group_rule['parent_group_id'], |
1135 | + self.parent_security_group['id']) |
1136 | + self.assertEquals(security_group_rule['ip_range']['cidr'], |
1137 | + "0.0.0.0/0") |
1138 | + |
1139 | + def test_create_with_invalid_group_id_json(self): |
1140 | + rules = { |
1141 | + "security_group_rule": { |
1142 | + "ip_protocol": "tcp", |
1143 | + "from_port": "22", |
1144 | + "to_port": "22", |
1145 | + "group_id": "invalid", |
1146 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1147 | + } |
1148 | + } |
1149 | + |
1150 | + response = self._create_security_group_rule_json(rules) |
1151 | + self.assertEquals(response.status_int, 400) |
1152 | + |
1153 | + def test_create_with_empty_group_id_json(self): |
1154 | + rules = { |
1155 | + "security_group_rule": { |
1156 | + "ip_protocol": "tcp", |
1157 | + "from_port": "22", |
1158 | + "to_port": "22", |
1159 | + "group_id": "invalid", |
1160 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1161 | + } |
1162 | + } |
1163 | + |
1164 | + response = self._create_security_group_rule_json(rules) |
1165 | + self.assertEquals(response.status_int, 400) |
1166 | + |
1167 | + def test_create_with_invalid_group_id_json(self): |
1168 | + rules = { |
1169 | + "security_group_rule": { |
1170 | + "ip_protocol": "tcp", |
1171 | + "from_port": "22", |
1172 | + "to_port": "22", |
1173 | + "group_id": "222222", |
1174 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1175 | + } |
1176 | + } |
1177 | + |
1178 | + response = self._create_security_group_rule_json(rules) |
1179 | + self.assertEquals(response.status_int, 400) |
1180 | + |
1181 | + def test_create_rule_with_same_group_parent_id_json(self): |
1182 | + rules = { |
1183 | + "security_group_rule": { |
1184 | + "ip_protocol": "tcp", |
1185 | + "from_port": "22", |
1186 | + "to_port": "22", |
1187 | + "group_id": "%s" % self.parent_security_group['id'], |
1188 | + "parent_group_id": "%s" % self.parent_security_group['id'], |
1189 | + } |
1190 | + } |
1191 | + |
1192 | + response = self._create_security_group_rule_json(rules) |
1193 | + self.assertEquals(response.status_int, 400) |
1194 | + |
1195 | + def test_delete(self): |
1196 | + response = self._delete_security_group_rule( |
1197 | + self.security_group_rule['id']) |
1198 | + self.assertEquals(response.status_int, 202) |
1199 | + |
1200 | + response = self._delete_security_group_rule( |
1201 | + self.security_group_rule['id']) |
1202 | + self.assertEquals(response.status_int, 404) |
1203 | + |
1204 | + def test_delete_invalid_rule_id(self): |
1205 | + response = self._delete_security_group_rule('invalid') |
1206 | + self.assertEquals(response.status_int, 400) |
1207 | + |
1208 | + def test_delete_non_existing_rule_id(self): |
1209 | + response = self._delete_security_group_rule(22222222222222) |
1210 | + self.assertEquals(response.status_int, 404) |
1211 | + |
1212 | + |
1213 | +class TestSecurityGroupRulesXMLDeserializer(unittest.TestCase): |
1214 | + |
1215 | + def setUp(self): |
1216 | + self.deserializer = security_groups.SecurityGroupRulesXMLDeserializer() |
1217 | + |
1218 | + def test_create_request(self): |
1219 | + serial_request = """ |
1220 | +<security_group_rule> |
1221 | + <parent_group_id>12</parent_group_id> |
1222 | + <from_port>22</from_port> |
1223 | + <to_port>22</to_port> |
1224 | + <group_id></group_id> |
1225 | + <ip_protocol>tcp</ip_protocol> |
1226 | + <cidr>10.0.0.0/24</cidr> |
1227 | +</security_group_rule>""" |
1228 | + request = self.deserializer.deserialize(serial_request, 'create') |
1229 | + expected = { |
1230 | + "security_group_rule": { |
1231 | + "parent_group_id": "12", |
1232 | + "from_port": "22", |
1233 | + "to_port": "22", |
1234 | + "ip_protocol": "tcp", |
1235 | + "group_id": "", |
1236 | + "cidr": "10.0.0.0/24", |
1237 | + }, |
1238 | + } |
1239 | + self.assertEquals(request['body'], expected) |
1240 | + |
1241 | + def test_create_no_protocol_request(self): |
1242 | + serial_request = """ |
1243 | +<security_group_rule> |
1244 | + <parent_group_id>12</parent_group_id> |
1245 | + <from_port>22</from_port> |
1246 | + <to_port>22</to_port> |
1247 | + <group_id></group_id> |
1248 | + <cidr>10.0.0.0/24</cidr> |
1249 | +</security_group_rule>""" |
1250 | + request = self.deserializer.deserialize(serial_request, 'create') |
1251 | + expected = { |
1252 | + "security_group_rule": { |
1253 | + "parent_group_id": "12", |
1254 | + "from_port": "22", |
1255 | + "to_port": "22", |
1256 | + "group_id": "", |
1257 | + "cidr": "10.0.0.0/24", |
1258 | + }, |
1259 | + } |
1260 | + self.assertEquals(request['body'], expected) |
1261 | + |
1262 | + |
1263 | +class TestSecurityGroupXMLDeserializer(unittest.TestCase): |
1264 | + |
1265 | + def setUp(self): |
1266 | + self.deserializer = security_groups.SecurityGroupXMLDeserializer() |
1267 | + |
1268 | + def test_create_request(self): |
1269 | + serial_request = """ |
1270 | +<security_group name="test"> |
1271 | + <description>test</description> |
1272 | +</security_group>""" |
1273 | + request = self.deserializer.deserialize(serial_request, 'create') |
1274 | + expected = { |
1275 | + "security_group": { |
1276 | + "name": "test", |
1277 | + "description": "test", |
1278 | + }, |
1279 | + } |
1280 | + self.assertEquals(request['body'], expected) |
1281 | + |
1282 | + def test_create_no_description_request(self): |
1283 | + serial_request = """ |
1284 | +<security_group name="test"> |
1285 | +</security_group>""" |
1286 | + request = self.deserializer.deserialize(serial_request, 'create') |
1287 | + expected = { |
1288 | + "security_group": { |
1289 | + "name": "test", |
1290 | + }, |
1291 | + } |
1292 | + self.assertEquals(request['body'], expected) |
1293 | + |
1294 | + def test_create_no_name_request(self): |
1295 | + serial_request = """ |
1296 | +<security_group> |
1297 | +<description>test</description> |
1298 | +</security_group>""" |
1299 | + request = self.deserializer.deserialize(serial_request, 'create') |
1300 | + expected = { |
1301 | + "security_group": { |
1302 | + "description": "test", |
1303 | + }, |
1304 | + } |
1305 | + self.assertEquals(request['body'], expected) |
1306 | |
1307 | === modified file 'nova/tests/api/openstack/test_extensions.py' |
1308 | --- nova/tests/api/openstack/test_extensions.py 2011-08-10 19:08:35 +0000 |
1309 | +++ nova/tests/api/openstack/test_extensions.py 2011-08-12 00:06:25 +0000 |
1310 | @@ -97,7 +97,8 @@ |
1311 | names = [x['name'] for x in data['extensions']] |
1312 | names.sort() |
1313 | self.assertEqual(names, ["FlavorExtraSpecs", "Floating_ips", |
1314 | - "Fox In Socks", "Hosts", "Keypairs", "Multinic", "Volumes"]) |
1315 | + "Fox In Socks", "Hosts", "Keypairs", "Multinic", "SecurityGroups", |
1316 | + "Volumes"]) |
1317 | |
1318 | # Make sure that at least Fox in Sox is correct. |
1319 | (fox_ext,) = [ |
1320 | @@ -108,7 +109,7 @@ |
1321 | 'updated': '2011-01-22T13:25:27-06:00', |
1322 | 'description': 'The Fox In Socks Extension', |
1323 | 'alias': 'FOXNSOX', |
1324 | - 'links': [], |
1325 | + 'links': [] |
1326 | }, |
1327 | ) |
1328 | |
1329 | @@ -144,7 +145,7 @@ |
1330 | |
1331 | # Make sure we have all the extensions. |
1332 | exts = root.findall('{0}extension'.format(NS)) |
1333 | - self.assertEqual(len(exts), 7) |
1334 | + self.assertEqual(len(exts), 8) |
1335 | |
1336 | # Make sure that at least Fox in Sox is correct. |
1337 | (fox_ext,) = [x for x in exts if x.get('alias') == 'FOXNSOX'] |
In '_format_ security_ group_rule( )' and '_format_ security_ group() ', you should avoid the use of single-character variable names. I can sort of guess what they represent, but it's better to use descriptive names.
There are several 'standards' for the indentation of continued lines, but right-alignment is not one of them. It does nothing for either consistency of indentation or readability. The preferred method is to indent two level (i.e., 8 spaces) on a continued line; you can also indent more than that if you wish to align the text with something on the line above.
One specific case is line 322: it's a continuation line, but is only indented one level, making it the same indentation level as the block that follows. While the Python interpreter can make sense of this, it is visually inaccurate to humans reading the code.
Lines 642-6 actually outdent continued lines. That should never happen.
I'm concerned about the security of some of the methods. You check for context.is_admin in the index() method to limit the returned values, but it looks like destructive methods like 'delete()' can be invoked on any ID whether one is an admin or not, with no restriction on project. Can you explain where the ability to interact with a security group you do not have rights to is enforced?
The two methods '_validate_ security_ group_name( )' and '_validate_ security_ group_descripti on()' use the same logic and is essentially duplicated code. That logic should be refactored out into a single method that checks the value that is called by those methods. It could also be greatly simplified:
def validate_name(self, value, typ): est(explanation =msg) est(explanation =msg) est(explanation =msg)
# NOTE: 'typ' will be either 'name' or 'description', depending on the caller.
try:
val = value.strip()
except AttributeError:
msg = _("Security group %s is not a string or unicode") % typ
raise exc.HTTPBadRequ
if not val:
msg = _("Security group %s cannot be empty.") % typ
raise exc.HTTPBadRequ
if len(val) > 255:
msg = _("Security group %s should not be greater than 255 characters.") % typ
raise exc.HTTPBadRequ
The localization is incorrect in lines 227-8. Since localized strings are extracted from the script file, not during runtime, the text to be localized will never be included. The lines should be re-written as: group[' name'], context=context)
msg = _("Authorize security group ingress %s")
LOG.audit(msg, security_