Use neutron-lib definition of neutron-fwaas API

As a part of the neutron stadium, the neutron-fwaas project should shift
to use the neutron-fwaas API definitions in neutron-lib.  This makes
that change happen.

Co-Authored-By: Reedip <reedip14@gmail.com>
Change-Id: I6faf26d263788d21da078e570487ee4876d04efd
Nate Johnston 2017-01-17 19:49:29 +00:00 committed by reedip
parent e73b214d73
commit e085237297
21 changed files with 389 additions and 1242 deletions


@ -0,0 +1,181 @@
# Copyright 2017 NEC Technologies India Pvt. Ltd.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_fwaas._i18n import _
from neutron_lib import exceptions
# Firewall Exceptions
class FirewallNotFound(exceptions.NotFound):
message = _("Firewall %(firewall_id)s could not be found.")
class FirewallInUse(exceptions.InUse):
message = _("Firewall %(firewall_id)s is still active.")
class FirewallInPendingState(exceptions.Conflict):
message = _("Operation cannot be performed since associated Firewall "
"%(firewall_id)s is in %(pending_state)s.")
class FirewallPolicyNotFound(exceptions.NotFound):
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
class FirewallPolicyInUse(exceptions.InUse):
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
class FirewallPolicyConflict(exceptions.Conflict):
"""FWaaS exception for firewall policy.
Occurs when admin policy tries to use another tenant's unshared
policy.
"""
message = _("Operation cannot be performed since Firewall Policy "
"%(firewall_policy_id)s is not shared and does not belong to "
"your tenant.")
class FirewallRuleSharingConflict(exceptions.Conflict):
"""FWaaS exception for firewall rules.
When a shared policy is created or updated with unshared rules,
this exception will be raised.
"""
message = _("Operation cannot be performed since Firewall Policy "
"%(firewall_policy_id)s is shared but Firewall Rule "
"%(firewall_rule_id)s is not shared.")
class FirewallPolicySharingConflict(exceptions.Conflict):
"""FWaaS exception for firewall policy.
When a policy is shared without sharing its associated rules,
this exception will be raised.
"""
message = _("Operation cannot be performed. Before sharing Firewall "
"Policy %(firewall_policy_id)s, share associated Firewall "
"Rule %(firewall_rule_id)s.")
class FirewallRuleNotFound(exceptions.NotFound):
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
class FirewallRuleInUse(exceptions.InUse):
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
class FirewallRuleNotAssociatedWithPolicy(exceptions.InvalidInput):
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
"with Firewall Policy %(firewall_policy_id)s.")
class FirewallRuleInvalidProtocol(exceptions.InvalidInput):
message = _("Firewall Rule protocol %(protocol)s is not supported. "
"Only protocol values %(values)s and their integer "
"representation (0 to 255) are supported.")
class FirewallRuleInvalidAction(exceptions.InvalidInput):
message = _("Firewall rule action %(action)s is not supported. "
"Only action values %(values)s are supported.")
class FirewallRuleInvalidICMPParameter(exceptions.InvalidInput):
message = _("%(param)s are not allowed when protocol "
"is set to ICMP.")
class FirewallRuleWithPortWithoutProtocolInvalid(exceptions.InvalidInput):
message = _("Source/destination port requires a protocol.")
class FirewallRuleInvalidPortValue(exceptions.InvalidInput):
message = _("Invalid value for port %(port)s.")
class FirewallRuleInfoMissing(exceptions.InvalidInput):
message = _("Missing rule info argument for insert/remove "
"rule operation.")
class FirewallIpAddressConflict(exceptions.InvalidInput):
message = _("Invalid input - IP addresses do not agree with IP Version.")
class FirewallInternalDriverError(exceptions.NeutronException):
"""FWaas exception for all driver errors.
On any failure or exception in the driver, driver should log it and
raise this exception to the agent
"""
message = _("%(driver)s: Internal driver error.")
class FirewallRuleConflict(exceptions.Conflict):
"""Firewall rule conflict exception.
Occurs when admin policy tries to use another tenant's unshared
rule.
"""
message = _("Operation cannot be performed since Firewall Rule "
"%(firewall_rule_id)s is not shared and belongs to "
"another tenant %(tenant_id)s.")
class FirewallRouterInUse(exceptions.InUse):
message = _("Router(s) %(router_ids)s provided already associated with "
"other Firewall(s).")
class FirewallGroupNotFound(exceptions.NotFound):
message = _("Firewall Group %(firewall_id)s could not be found.")
class FirewallGroupInUse(exceptions.InUse):
message = _("Firewall %(firewall_id)s is still active.")
class FirewallGroupInPendingState(exceptions.Conflict):
message = _("Operation cannot be performed since associated Firewall "
"%(firewall_id)s is in %(pending_state)s.")
class FirewallGroupPortInvalid(exceptions.Conflict):
message = _("Firewall Group Port %(port_id)s is invalid.")
class FirewallGroupPortInvalidProject(exceptions.Conflict):
message = _("Operation cannot be performed as port %(port_id)s "
"is in an invalid project %(tenant_id)s.")
class FirewallGroupPortInUse(exceptions.InUse):
message = _("Port(s) %(port_ids)s provided already associated with "
"other Firewall Group(s).")
class FirewallRuleAlreadyAssociated(exceptions.Conflict):
"""Firewall rule conflict exception.
Occurs when there is an attempt to assign a rule to a policy that
the rule is already associated with.
"""
message = _("Operation cannot be performed since Firewall Rule "
"%(firewall_rule_id)s is already associated with Firewall"
"Policy %(firewall_policy_id)s.")
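Review bot: The message of FirewallRuleAlreadyAssociated concatenates `"... already associated with Firewall"` and `"Policy %(firewall_policy_id)s."` with no separating space, so the text returned to the client reads "FirewallPolicy"; the first fragment should end with a space, `"%(firewall_rule_id)s is already associated with Firewall "`. The three FirewallGroup* exceptions reuse the v1 wording ("Firewall %(firewall_id)s is still active.", "associated Firewall %(firewall_id)s") although they are raised for firewall groups, so the error a client sees does not name the resource it is about. FirewallRuleConflict and FirewallGroupPortInvalidProject embed another project's tenant id in a client-facing error; whether a non-admin caller can reach those raise sites is not visible here, but if it can, the foreign id is an unnecessary disclosure and could be kept in the log rather than the response. The FirewallInternalDriverError docstring spells the project as "FWaas" where the other docstrings use "FWaaS".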


@ -13,7 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
FIREWALL = 'FIREWALL'
FIREWALL = 'fwaas'
FIREWALL_V2 = 'fwaas_v2'
# Constants for "topics"
FIREWALL_PLUGIN = 'q-firewall-plugin'
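Review bot: FIREWALL changes value from 'FIREWALL' to 'fwaas' and FIREWALL_V2 is added, but nothing records where these strings must agree; the commit message suggests they now mirror the neutron-lib API definition aliases (the `ALIAS` values of the `firewall` and `firewall_v2` definitions), and that coupling is invisible from this hunk. A comment above FIREWALL such as `# Service type names; keep in sync with the ALIAS of the neutron-lib firewall / firewall_v2 API definitions` would stop a later edit from changing one side only. Any code outside this hunk that compared against the old literal 'FIREWALL' would silently stop matching after this change, which is worth a grep before merging.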


@ -35,6 +35,7 @@ from sqlalchemy.orm import exc
import netaddr
from neutron_fwaas.common import exceptions
from neutron_fwaas.common import fwaas_constants
from neutron_fwaas.db.firewall import firewall_router_insertion_db \
as fw_r_ins_db
@ -110,19 +111,19 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
try:
return self._get_by_id(context, Firewall, id)
except exc.NoResultFound:
raise fw_ext.FirewallNotFound(firewall_id=id)
raise exceptions.FirewallNotFound(firewall_id=id)
def _get_firewall_policy(self, context, id):
try:
return self._get_by_id(context, FirewallPolicy, id)
except exc.NoResultFound:
raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)
raise exceptions.FirewallPolicyNotFound(firewall_policy_id=id)
def _get_firewall_rule(self, context, id):
try:
return self._get_by_id(context, FirewallRule, id)
except exc.NoResultFound:
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=id)
raise exceptions.FirewallRuleNotFound(firewall_rule_id=id)
def _make_firewall_dict(self, fw, fields=None):
res = {'id': fw['id'],
@ -197,7 +198,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
def _check_firewall_rule_conflict(self, fwr_db, fwp_db):
if not fwr_db['shared']:
if fwr_db['tenant_id'] != fwp_db['tenant_id']:
raise fw_ext.FirewallRuleConflict(
raise exceptions.FirewallRuleConflict(
firewall_rule_id=fwr_db['id'],
tenant_id=fwr_db['tenant_id'])
@ -219,20 +220,20 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
# If we find an invalid rule in the list we
# do not perform the update since this breaks
# the integrity of this list.
raise fw_ext.FirewallRuleNotFound(
raise exceptions.FirewallRuleNotFound(
firewall_rule_id=fwrule_id)
elif rules_dict[fwrule_id]['firewall_policy_id']:
if (rules_dict[fwrule_id]['firewall_policy_id'] !=
fwp_db['id']):
raise fw_ext.FirewallRuleInUse(
raise exceptions.FirewallRuleInUse(
firewall_rule_id=fwrule_id)
if 'shared' in fwp:
if fwp['shared'] and not rules_dict[fwrule_id]['shared']:
raise fw_ext.FirewallRuleSharingConflict(
raise exceptions.FirewallRuleSharingConflict(
firewall_rule_id=fwrule_id,
firewall_policy_id=fwp_db['id'])
elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']:
raise fw_ext.FirewallRuleSharingConflict(
raise exceptions.FirewallRuleSharingConflict(
firewall_rule_id=fwrule_id,
firewall_policy_id=fwp_db['id'])
for fwr_db in rules_in_db:
@ -252,7 +253,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
rules_in_db = fwp_db['firewall_rules']
for fwr_db in rules_in_db:
if not fwr_db['shared']:
raise fw_ext.FirewallPolicySharingConflict(
raise exceptions.FirewallPolicySharingConflict(
firewall_rule_id=fwr_db['id'],
firewall_policy_id=fwp_db['id'])
@ -295,7 +296,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
fwp_id = fw['firewall_policy_id']
fwp = self._get_firewall_policy(context, fwp_id)
if fw_tenant_id != fwp['tenant_id'] and not fwp['shared']:
raise fw_ext.FirewallPolicyConflict(firewall_policy_id=fwp_id)
raise exceptions.FirewallPolicyConflict(firewall_policy_id=fwp_id)
def _validate_fwr_src_dst_ip_version(self, fwr):
src_version = dst_version = None
@ -307,12 +308,12 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
rule_ip_version = fwr.get('ip_version', None)
if ((src_version and src_version != rule_ip_version) or
(dst_version and dst_version != rule_ip_version)):
raise fw_ext.FirewallIpAddressConflict()
raise exceptions.FirewallIpAddressConflict()
def _validate_fwr_port_range(self, min_port, max_port):
if int(min_port) > int(max_port):
port_range = '%s:%s' % (min_port, max_port)
raise fw_ext.FirewallRuleInvalidPortValue(port=port_range)
raise exceptions.FirewallRuleInvalidPortValue(port=port_range)
def _validate_fwr_protocol_parameters(self, fwr):
protocol = fwr.get('protocol', None)
@ -320,7 +321,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
nl_constants.PROTO_NAME_UDP):
if (fwr.get('source_port', None) or
fwr.get('destination_port', None)):
raise fw_ext.FirewallRuleInvalidICMPParameter(
raise exceptions.FirewallRuleInvalidICMPParameter(
param="Source, destination port")
def create_firewall(self, context, firewall, status=None):
@ -354,7 +355,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
self._validate_fw_parameters(context, fw, fw_db['tenant_id'])
count = context.session.query(Firewall).filter_by(id=id).update(fw)
if not count:
raise fw_ext.FirewallNotFound(firewall_id=id)
raise exceptions.FirewallNotFound(firewall_id=id)
return self.get_firewall(context, id)
def update_firewall_status(self, context, id, status, not_in=None):
@ -378,7 +379,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
# firewall is active
count = context.session.query(Firewall).filter_by(id=id).delete()
if not count:
raise fw_ext.FirewallNotFound(firewall_id=id)
raise exceptions.FirewallNotFound(firewall_id=id)
def get_firewall(self, context, id, fields=None):
LOG.debug("get_firewall() called")
@ -419,7 +420,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
if not fwp.get('shared', True) and fwp_db.firewalls:
for fw in fwp_db['firewalls']:
if fwp_db['tenant_id'] != fw['tenant_id']:
raise fw_ext.FirewallPolicyInUse(
raise exceptions.FirewallPolicyInUse(
firewall_policy_id=id)
# check any existing rules are not shared
if 'shared' in fwp and 'firewall_rules' not in fwp:
@ -440,7 +441,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
# being used
qry = context.session.query(Firewall)
if qry.filter_by(firewall_policy_id=id).first():
raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id)
raise exceptions.FirewallPolicyInUse(firewall_policy_id=id)
else:
context.session.delete(fwp)
@ -467,7 +468,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
self._validate_fwr_src_dst_ip_version(fwr)
if not fwr['protocol'] and (fwr['source_port'] or
fwr['destination_port']):
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
raise exceptions.FirewallRuleWithPortWithoutProtocolInvalid()
src_port_min, src_port_max = self._get_min_max_ports_from_range(
fwr['source_port'])
dst_port_min, dst_port_max = self._get_min_max_ports_from_range(
@ -503,7 +504,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
fwr_db.firewall_policy_id)
if 'shared' in fwr and not fwr['shared']:
if fwr_db['tenant_id'] != fwp_db['tenant_id']:
raise fw_ext.FirewallRuleInUse(firewall_rule_id=id)
raise exceptions.FirewallRuleInUse(firewall_rule_id=id)
if 'source_port' in fwr:
src_port_min, src_port_max = self._get_min_max_ports_from_range(
fwr['source_port'])
@ -524,7 +525,8 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
dport = fwr.get('destination_port_range_min',
fwr_db['destination_port_range_min'])
if sport or dport:
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
raise exceptions.\
FirewallRuleWithPortWithoutProtocolInvalid()
fwr_db.update(fwr)
if fwr_db.firewall_policy_id:
fwp_db.audited = False
@ -535,7 +537,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
with context.session.begin(subtransactions=True):
fwr = self._get_firewall_rule(context, id)
if fwr.firewall_policy_id:
raise fw_ext.FirewallRuleInUse(firewall_rule_id=id)
raise exceptions.FirewallRuleInUse(firewall_rule_id=id)
context.session.delete(fwr)
def get_firewall_rule(self, context, id, fields=None):
@ -556,7 +558,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
def _validate_insert_remove_rule_request(self, id, rule_info):
if not rule_info or 'firewall_rule_id' not in rule_info:
raise fw_ext.FirewallRuleInfoMissing()
raise exceptions.FirewallRuleInfoMissing()
def insert_rule(self, context, id, rule_info):
LOG.debug("insert_rule() called")
@ -565,7 +567,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
insert_before = True
ref_firewall_rule_id = None
if not firewall_rule_id:
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
raise exceptions.FirewallRuleNotFound(firewall_rule_id=None)
if 'insert_before' in rule_info:
ref_firewall_rule_id = rule_info['insert_before']
if not ref_firewall_rule_id and 'insert_after' in rule_info:
@ -576,7 +578,8 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
fwr_db = self._get_firewall_rule(context, firewall_rule_id)
fwp_db = self._get_firewall_policy(context, id)
if fwr_db.firewall_policy_id:
raise fw_ext.FirewallRuleInUse(firewall_rule_id=fwr_db['id'])
raise exceptions.FirewallRuleInUse(
firewall_rule_id=fwr_db['id'])
self._check_firewall_rule_conflict(fwr_db, fwp_db)
if ref_firewall_rule_id:
# If reference_firewall_rule_id is set, the new rule
@ -587,7 +590,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
ref_fwr_db = self._get_firewall_rule(
context, ref_firewall_rule_id)
if ref_fwr_db.firewall_policy_id != id:
raise fw_ext.FirewallRuleNotAssociatedWithPolicy(
raise exceptions.FirewallRuleNotAssociatedWithPolicy(
firewall_rule_id=ref_fwr_db['id'],
firewall_policy_id=id)
if insert_before:
@ -609,11 +612,11 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin):
self._validate_insert_remove_rule_request(id, rule_info)
firewall_rule_id = rule_info['firewall_rule_id']
if not firewall_rule_id:
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
raise exceptions.FirewallRuleNotFound(firewall_rule_id=None)
with context.session.begin(subtransactions=True):
fwr_db = self._get_firewall_rule(context, firewall_rule_id)
if fwr_db.firewall_policy_id != id:
raise fw_ext.FirewallRuleNotAssociatedWithPolicy(
raise exceptions.FirewallRuleNotAssociatedWithPolicy(
firewall_rule_id=fwr_db['id'],
firewall_policy_id=id)
return self._process_rule_for_policy(context, id, fwr_db, None)
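Review bot: The first hunk imports the new module as the bare name `exceptions`, which is long enough that the hunk at `@ -524,7 +525,8 @@` needs a backslash continuation (`raise exceptions.\` followed by `FirewallRuleWithPortWithoutProtocolInvalid()`), and it differs from the `f_exc` alias this same commit uses for the identical module in the v2 DB mixin. Importing it as `from neutron_fwaas.common import exceptions as f_exc` would keep every raise on one line and make the two mixins read alike. The method holding that continuation starts outside the hunk. `fw_ext` remains the base class of Firewall_db_mixin in the hunk headers, so that import still has to stay.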


@ -13,13 +13,12 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib.api.definitions import firewallrouterinsertion as fwrtrins
from neutron_lib.db import model_base
from oslo_log import helpers as log_helpers
from oslo_log import log as logging
import sqlalchemy as sa
from neutron_fwaas.extensions import firewallrouterinsertion as fwrtrins
LOG = logging.getLogger(__name__)
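Review bot: The `fwrtrins` alias now resolves to neutron_lib.api.definitions.firewallrouterinsertion instead of the in-tree extension module, and the hunk shows none of the call sites; every `fwrtrins.<name>` reference later in this file (outside the hunk) has to exist in the neutron-lib definition, which presumably exposes the attribute constants but not the extension class the old module also carried. A missing attribute would only surface at runtime, so a grep for `fwrtrins.` in this file against the neutron-lib module is worth doing before merging.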


@ -14,6 +14,8 @@
# under the License.
from neutron.db import common_db_mixin as base_db
from neutron_fwaas.common import exceptions as f_exc
from neutron_fwaas.extensions import firewall_v2 as fw_v2_ext
from neutron_lib import constants as nl_constants
from neutron_lib.db import model_base
from oslo_config import cfg
@ -26,8 +28,6 @@ from sqlalchemy.orm import exc
import netaddr
from neutron_fwaas.extensions import firewall_v2 as fw_ext
LOG = logging.getLogger(__name__)
@ -119,25 +119,26 @@ class FirewallPolicy(model_base.BASEV2, model_base.HasId, HasName,
shared = sa.Column(sa.Boolean)
class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase,
base_db.CommonDbMixin):
def _get_firewall_group(self, context, id):
try:
return self._get_by_id(context, FirewallGroup, id)
except exc.NoResultFound:
raise fw_ext.FirewallGroupNotFound(firewall_id=id)
raise f_exc.FirewallGroupNotFound(firewall_id=id)
def _get_firewall_policy(self, context, id):
try:
return self._get_by_id(context, FirewallPolicy, id)
except exc.NoResultFound:
raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)
raise f_exc.FirewallPolicyNotFound(firewall_policy_id=id)
def _get_firewall_rule(self, context, id):
try:
return self._get_by_id(context, FirewallRuleV2, id)
except exc.NoResultFound:
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=id)
raise f_exc.FirewallRuleNotFound(firewall_rule_id=id)
def _validate_fwr_protocol_parameters(self, fwr, fwr_db=None):
protocol = fwr.get('protocol', None)
@ -147,7 +148,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
nl_constants.PROTO_NAME_UDP):
if (fwr.get('source_port', None) or
fwr.get('destination_port', None)):
raise fw_ext.FirewallRuleInvalidICMPParameter(
raise f_exc.FirewallRuleInvalidICMPParameter(
param="Source, destination port")
def _validate_fwr_src_dst_ip_version(self, fwr, fwr_db=None):
@ -162,12 +163,12 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
rule_ip_version = fwr_db.ip_version
if ((src_version and src_version != rule_ip_version) or
(dst_version and dst_version != rule_ip_version)):
raise fw_ext.FirewallIpAddressConflict()
raise f_exc.FirewallIpAddressConflict()
def _validate_fwr_port_range(self, min_port, max_port):
if int(min_port) > int(max_port):
port_range = '%s:%s' % (min_port, max_port)
raise fw_ext.FirewallRuleInvalidPortValue(port=port_range)
raise f_exc.FirewallRuleInvalidPortValue(port=port_range)
def _get_min_max_ports_from_range(self, port_range):
if not port_range:
@ -267,7 +268,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
def _check_firewall_rule_conflict(self, fwr_db, fwp_db):
if not fwr_db['shared']:
if fwr_db['tenant_id'] != fwp_db['tenant_id']:
raise fw_ext.FirewallRuleConflict(
raise f_exc.FirewallRuleConflict(
firewall_rule_id=fwr_db['id'],
tenant_id=fwr_db['tenant_id'])
@ -305,7 +306,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
try:
self._get_policy_rule_association_query(
context, firewall_policy_id, firewall_rule_id).one()
raise fw_ext.FirewallRuleAlreadyAssociated(
raise f_exc.FirewallRuleAlreadyAssociated(
firewall_rule_id=firewall_rule_id,
firewall_policy_id=firewall_policy_id)
except exc.NoResultFound:
@ -320,7 +321,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
return self._get_policy_rule_association_query(
context, firewall_policy_id, firewall_rule_id).one()
except exc.NoResultFound:
raise fw_ext.FirewallRuleNotAssociatedWithPolicy(
raise f_exc.FirewallRuleNotAssociatedWithPolicy(
firewall_rule_id=firewall_rule_id,
firewall_policy_id=firewall_policy_id)
@ -331,7 +332,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
self._validate_fwr_src_dst_ip_version(fwr)
if not fwr['protocol'] and (fwr['source_port'] or
fwr['destination_port']):
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
raise f_exc.FirewallRuleWithPortWithoutProtocolInvalid()
src_port_min, src_port_max = self._get_min_max_ports_from_range(
fwr['source_port'])
dst_port_min, dst_port_max = self._get_min_max_ports_from_range(
@ -382,7 +383,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
dport = fwr.get('destination_port_range_min',
fwr_db['destination_port_range_min'])
if sport or dport:
raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid()
raise f_exc.FirewallRuleWithPortWithoutProtocolInvalid()
fwr_db.update(fwr)
# if the rule on a policy, fix audited flag
fwp_ids = self._get_policies_with_rule(context, id)
@ -397,7 +398,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
fwr = self._get_firewall_rule(context, id)
# make sure rule is not associated with any policy
if self._get_policies_with_rule(context, id):
raise fw_ext.FirewallRuleInUse(firewall_rule_id=id)
raise f_exc.FirewallRuleInUse(firewall_rule_id=id)
context.session.delete(fwr)
def insert_rule(self, context, id, rule_info):
@ -409,7 +410,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
insert_before = True
ref_firewall_rule_id = None
if not firewall_rule_id:
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
raise f_exc.FirewallRuleNotFound(firewall_rule_id=None)
if 'insert_before' in rule_info:
ref_firewall_rule_id = rule_info['insert_before']
if not ref_firewall_rule_id and 'insert_after' in rule_info:
@ -447,7 +448,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
self._validate_insert_remove_rule_request(id, rule_info)
firewall_rule_id = rule_info['firewall_rule_id']
if not firewall_rule_id:
raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None)
raise f_exc.FirewallRuleNotFound(firewall_rule_id=None)
with context.session.begin(subtransactions=True):
self._get_firewall_rule(context, firewall_rule_id)
fwpra_db = self._get_policy_rule_association(context, id,
@ -468,7 +469,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
def _validate_insert_remove_rule_request(self, id, rule_info):
if not rule_info or 'firewall_rule_id' not in rule_info:
raise fw_ext.FirewallRuleInfoMissing()
raise f_exc.FirewallRuleInfoMissing()
def _delete_rules_in_policy(self, context, firewall_policy_id):
"""Delete the rules in the firewall policy."""
@ -522,15 +523,15 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
for fwrule_id in rule_id_list:
if fwrule_id not in rules_dict:
# Bail as soon as we find an invalid rule.
raise fw_ext.FirewallRuleNotFound(
raise f_exc.FirewallRuleNotFound(
firewall_rule_id=fwrule_id)
if 'shared' in fwp:
if fwp['shared'] and not rules_dict[fwrule_id]['shared']:
raise fw_ext.FirewallRuleSharingConflict(
raise f_exc.FirewallRuleSharingConflict(
firewall_rule_id=fwrule_id,
firewall_policy_id=fwp_db['id'])
elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']:
raise fw_ext.FirewallRuleSharingConflict(
raise f_exc.FirewallRuleSharingConflict(
firewall_rule_id=fwrule_id,
firewall_policy_id=fwp_db['id'])
else:
@ -539,7 +540,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
if not rules_dict[fwrule_id]['shared']:
if (rules_dict[fwrule_id]['tenant_id'] != fwp_db[
'tenant_id']):
raise fw_ext.FirewallRuleConflict(
raise f_exc.FirewallRuleConflict(
firewall_rule_id=fwrule_id,
tenant_id=rules_dict[fwrule_id]['tenant_id'])
@ -550,7 +551,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
fwr_db = self._get_firewall_rule(context,
entry.firewall_rule_id)
if not fwp_db['shared']:
raise fw_ext.FirewallPolicySharingConflict(
raise f_exc.FirewallPolicySharingConflict(
firewall_rule_id=fwr_db['id'],
firewall_policy_id=fwp_db['id'])
@ -578,7 +579,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
filters=filters)
for entry in fwg_with_fwp_id_db:
if entry.tenant_id != fwp_tenant_id:
raise fw_ext.FirewallPolicyInUse(
raise f_exc.FirewallPolicyInUse(
firewall_policy_id=fwp_id)
def _set_rules_for_policy(self, context, firewall_policy_db, fwp):
@ -660,9 +661,9 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
# check if policy in use
qry = context.session.query(FirewallGroup)
if qry.filter_by(ingress_firewall_policy_id=id).first():
raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id)
raise f_exc.FirewallPolicyInUse(firewall_policy_id=id)
elif qry.filter_by(egress_firewall_policy_id=id).first():
raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id)
raise f_exc.FirewallPolicyInUse(firewall_policy_id=id)
else:
# Policy is not being used, delete.
self._delete_rules_in_policy(context, id)
@ -686,7 +687,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
if fwp_id is not None:
fwp = self._get_firewall_policy(context, fwp_id)
if fwg_tenant_id != fwp['tenant_id'] and not fwp['shared']:
raise fw_ext.FirewallPolicyConflict(
raise f_exc.FirewallPolicyConflict(
firewall_policy_id=fwp_id)
if 'egress_firewall_policy_id' in fwg:
@ -694,7 +695,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
if fwp_id is not None:
fwp = self._get_firewall_policy(context, fwp_id)
if fwg_tenant_id != fwp['tenant_id'] and not fwp['shared']:
raise fw_ext.FirewallPolicyConflict(
raise f_exc.FirewallPolicyConflict(
firewall_policy_id=fwp_id)
return
@ -741,7 +742,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
FirewallGroupPortAssociation.firewall_group_id != fwg_id).all()
if fwg_ports:
port_ids = [entry.port_id for entry in fwg_ports]
raise fw_ext.FirewallGroupPortInUse(port_ids=port_ids)
raise f_exc.FirewallGroupPortInUse(port_ids=port_ids)
def create_firewall_group(self, context, firewall_group, status=None):
fwg = firewall_group['firewall_group']
@ -777,7 +778,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
count = context.session.query(
FirewallGroup).filter_by(id=id).update(fwg)
if not count:
raise fw_ext.FirewallGroupNotFound(firewall_id=id)
raise f_exc.FirewallGroupNotFound(firewall_id=id)
return self.get_firewall_group(context, id)
def update_firewall_group_status(self, context, id, status, not_in=None):
@ -801,7 +802,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin):
count = context.session.query(
FirewallGroup).filter_by(id=id).delete()
if not count:
raise fw_ext.FirewallGroupNotFound(firewall_id=id)
raise f_exc.FirewallGroupNotFound(firewall_id=id)
def get_firewall_group(self, context, id, fields=None):
LOG.debug("get_firewall_group() called")
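Review bot: In the hunk at `@ -447,7 +448,7 @@` (likely remove_rule; its def is outside the hunk) the call `self._get_firewall_rule(context, firewall_rule_id)` discards its result, so it reads like a leftover; its only effect is to raise f_exc.FirewallRuleNotFound for an unknown id, per `_get_firewall_rule` in the first hunk. A comment on the line above, `# Existence check only: raises FirewallRuleNotFound for an unknown rule id.`, would keep a later cleanup from removing it. The enclosing method starts and ends outside the hunk.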


@ -16,12 +16,8 @@
import abc
from neutron.api.v2 import resource_helper
from neutron_lib.api import converters
from neutron_lib.api.definitions import firewall
from neutron_lib.api import extensions
from neutron_lib.api import validators
from neutron_lib import constants
from neutron_lib.db import constants as db_const
from neutron_lib import exceptions as nexception
from neutron_lib.services import base as service_base
from oslo_config import cfg
from oslo_log import log as logging
@ -33,327 +29,6 @@ from neutron_fwaas.common import fwaas_constants
LOG = logging.getLogger(__name__)
# Firewall rule action
FWAAS_ALLOW = "allow"
FWAAS_DENY = "deny"
FWAAS_REJECT = "reject"
# Firewall resource path prefix
FIREWALL_PREFIX = "/fw"
# Firewall Exceptions
class FirewallNotFound(nexception.NotFound):
message = _("Firewall %(firewall_id)s could not be found.")
class FirewallInUse(nexception.InUse):
message = _("Firewall %(firewall_id)s is still active.")
class FirewallInPendingState(nexception.Conflict):
message = _("Operation cannot be performed since associated Firewall "
"%(firewall_id)s is in %(pending_state)s.")
class FirewallPolicyNotFound(nexception.NotFound):
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
class FirewallPolicyInUse(nexception.InUse):
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
class FirewallPolicyConflict(nexception.Conflict):
"""FWaaS exception for firewall policy
Occurs when admin policy tries to use another tenant's unshared
policy.
"""
message = _("Operation cannot be performed since Firewall Policy "
"%(firewall_policy_id)s is not shared and does not belong to "
"your tenant.")
class FirewallRuleSharingConflict(nexception.Conflict):
"""FWaaS exception for firewall rules
When a shared policy is created or updated with unshared rules,
this exception will be raised.
"""
message = _("Operation cannot be performed since Firewall Policy "
"%(firewall_policy_id)s is shared but Firewall Rule "
"%(firewall_rule_id)s is not shared")
class FirewallPolicySharingConflict(nexception.Conflict):
"""FWaaS exception for firewall policy
When a policy is shared without sharing its associated rules,
this exception will be raised.
"""
message = _("Operation cannot be performed. Before sharing Firewall "
"Policy %(firewall_policy_id)s, share associated Firewall "
"Rule %(firewall_rule_id)s")
class FirewallRuleNotFound(nexception.NotFound):
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
class FirewallRuleInUse(nexception.InUse):
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
class FirewallRuleNotAssociatedWithPolicy(nexception.InvalidInput):
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
"with Firewall Policy %(firewall_policy_id)s.")
class FirewallRuleInvalidProtocol(nexception.InvalidInput):
message = _("Firewall Rule protocol %(protocol)s is not supported. "
"Only protocol values %(values)s and their integer "
"representation (0 to 255) are supported.")
class FirewallRuleInvalidAction(nexception.InvalidInput):
message = _("Firewall rule action %(action)s is not supported. "
"Only action values %(values)s are supported.")
class FirewallRuleInvalidICMPParameter(nexception.InvalidInput):
message = _("%(param)s are not allowed when protocol "
"is set to ICMP.")
class FirewallRuleWithPortWithoutProtocolInvalid(nexception.InvalidInput):
message = _("Source/destination port requires a protocol")
class FirewallRuleInvalidPortValue(nexception.InvalidInput):
message = _("Invalid value for port %(port)s.")
class FirewallRuleInfoMissing(nexception.InvalidInput):
message = _("Missing rule info argument for insert/remove "
"rule operation.")
class FirewallIpAddressConflict(nexception.InvalidInput):
message = _("Invalid input - IP addresses do not agree with IP Version")
class FirewallInternalDriverError(nexception.NeutronException):
"""Fwaas exception for all driver errors.
On any failure or exception in the driver, driver should log it and
raise this exception to the agent
"""
message = _("%(driver)s: Internal driver error.")
class FirewallRuleConflict(nexception.Conflict):
"""Firewall rule conflict exception.
Occurs when admin policy tries to use another tenant's unshared
rule.
"""
message = _("Operation cannot be performed since Firewall Rule "
"%(firewall_rule_id)s is not shared and belongs to "
"another tenant %(tenant_id)s")
fw_valid_protocol_values = [None, constants.PROTO_NAME_TCP,
constants.PROTO_NAME_UDP,
constants.PROTO_NAME_ICMP]
fw_valid_action_values = [FWAAS_ALLOW, FWAAS_DENY, FWAAS_REJECT]
def convert_protocol(value):
if value is None:
return
if (isinstance(value, six.integer_types) or
(isinstance(value, six.string_types) and value.isdigit())):
val = int(value)
if 0 <= val <= 255:
return val
else:
raise FirewallRuleInvalidProtocol(
protocol=value, values=fw_valid_protocol_values)
elif isinstance(value, six.string_types):
if value.lower() in fw_valid_protocol_values:
return value.lower()
raise FirewallRuleInvalidProtocol(
protocol=value, values=fw_valid_protocol_values)
def convert_action_to_case_insensitive(value):
if value is None:
return
else:
return value.lower()
def convert_port_to_string(value):
if value is None:
return
else:
return str(value)
def _validate_port_range(data, key_specs=None):
if data is None:
return
data = str(data)
ports = data.split(':')
for p in ports:
try:
val = int(p)
except (ValueError, TypeError):
msg = _("Port '%s' is not a valid number") % p
LOG.debug(msg)
return msg
if val <= 0 or val > 65535:
msg = _("Invalid port '%s'") % p
LOG.debug(msg)
return msg
def _validate_ip_or_subnet_or_none(data, valid_values=None):
if data is None:
return None
msg_ip = validators.validate_ip_address(data, valid_values)
if not msg_ip:
return
msg_subnet = validators.validate_subnet(data, valid_values)
if not msg_subnet:
return
return _("%(msg_ip)s and %(msg_subnet)s") % {'msg_ip': msg_ip,
'msg_subnet': msg_subnet}
validators.validators['type:port_range'] = _validate_port_range
validators.validators['type:ip_or_subnet_or_none'] = \
_validate_ip_or_subnet_or_none
RESOURCE_ATTRIBUTE_MAP = {
'firewall_rules': {
'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
'is_visible': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': db_const.NAME_FIELD_SIZE},
'is_visible': True, 'default': ''},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string':
db_const.DESCRIPTION_FIELD_SIZE},
'is_visible': True, 'default': ''},
'firewall_policy_id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_or_none': None},
'is_visible': True},
'shared': {'allow_post': True, 'allow_put': True,
'default': False,
'convert_to': converters.convert_to_boolean,
'is_visible': True, 'required_by_policy': True,
'enforce_policy': True},
'protocol': {'allow_post': True, 'allow_put': True,
'is_visible': True, 'default': None,
'convert_to': convert_protocol,
'validate': {'type:values': fw_valid_protocol_values}},
'ip_version': {'allow_post': True, 'allow_put': True,
'default': 4, 'convert_to': converters.convert_to_int,
'validate': {'type:values': [4, 6]},
'is_visible': True},
'source_ip_address': {'allow_post': True, 'allow_put': True,
'validate': {'type:ip_or_subnet_or_none': None},
'is_visible': True, 'default': None},
'destination_ip_address': {'allow_post': True, 'allow_put': True,
'validate': {'type:ip_or_subnet_or_none':
None},
'is_visible': True, 'default': None},
'source_port': {'allow_post': True, 'allow_put': True,
'validate': {'type:port_range': None},
'convert_to': convert_port_to_string,
'default': None, 'is_visible': True},
'destination_port': {'allow_post': True, 'allow_put': True,
'validate': {'type:port_range': None},
'convert_to': convert_port_to_string,
'default': None, 'is_visible': True},
'position': {'allow_post': False, 'allow_put': False,
'default': None, 'is_visible': True},
'action': {'allow_post': True, 'allow_put': True,
'convert_to': convert_action_to_case_insensitive,
'validate': {'type:values': fw_valid_action_values},
'is_visible': True, 'default': 'deny'},
'enabled': {'allow_post': True, 'allow_put': True,
'default': True, 'is_visible': True,
'convert_to': converters.convert_to_boolean},
},
'firewall_policies': {
'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
'is_visible': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': db_const.NAME_FIELD_SIZE},
'is_visible': True, 'default': ''},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string':
db_const.DESCRIPTION_FIELD_SIZE},
'is_visible': True, 'default': ''},
'shared': {'allow_post': True, 'allow_put': True,
'default': False, 'enforce_policy': True,
'convert_to': converters.convert_to_boolean,
'is_visible': True, 'required_by_policy': True},
'firewall_rules': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to': converters.convert_none_to_empty_list,
'default': None, 'is_visible': True},
'audited': {'allow_post': True, 'allow_put': True,
'default': False, 'is_visible': True,
'convert_to': converters.convert_to_boolean},
},
'firewalls': {
'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
'is_visible': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': db_const.NAME_FIELD_SIZE},
'is_visible': True, 'default': ''},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string':
db_const.DESCRIPTION_FIELD_SIZE},
'is_visible': True, 'default': ''},
'admin_state_up': {'allow_post': True, 'allow_put': True,
'default': True, 'is_visible': True,
'convert_to': converters.convert_to_boolean},
'status': {'allow_post': False, 'allow_put': False,
'is_visible': True},
'shared': {'allow_post': True, 'allow_put': True,
'default': False, 'enforce_policy': True,
'convert_to': converters.convert_to_boolean,
'is_visible': False, 'required_by_policy': True},
'firewall_policy_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'is_visible': True},
},
}
# A tenant may have a unique firewall and policy for each router
# when router insertion is used.
# Set default quotas to align with default l3 quota_router of 10
@ -380,32 +55,32 @@ class Firewall(extensions.ExtensionDescriptor):
@classmethod
def get_name(cls):
return "Firewall service"
return firewall.NAME
@classmethod
def get_alias(cls):
return "fwaas"
return firewall.ALIAS
@classmethod
def get_description(cls):
return "Extension for Firewall service"
return firewall.DESCRIPTION
@classmethod
def get_updated(cls):
return "2013-02-25T10:00:00-00:00"
return firewall.UPDATED_TIMESTAMP
@classmethod
def get_resources(cls):
"""Returns Ext Resources."""
special_mappings = {'firewall_policies': 'firewall_policy'}
plural_mappings = resource_helper.build_plural_mappings(
special_mappings, RESOURCE_ATTRIBUTE_MAP)
action_map = {'firewall_policy': {'insert_rule': 'PUT',
'remove_rule': 'PUT'}}
return resource_helper.build_resource_info(plural_mappings,
RESOURCE_ATTRIBUTE_MAP,
fwaas_constants.FIREWALL,
action_map=action_map,
register_quota=True)
special_mappings, firewall.RESOURCE_ATTRIBUTE_MAP)
return resource_helper.build_resource_info(
plural_mappings,
firewall.RESOURCE_ATTRIBUTE_MAP,
firewall.ALIAS,
action_map=firewall.ACTION_MAP,
register_quota=True)
@classmethod
def get_plugin_interface(cls):
@ -413,11 +88,11 @@ class Firewall(extensions.ExtensionDescriptor):
def update_attributes_map(self, attributes):
super(Firewall, self).update_attributes_map(
attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP)
attributes, extension_attrs_map=firewall.RESOURCE_ATTRIBUTE_MAP)
def get_extended_resources(self, version):
if version == "2.0":
return RESOURCE_ATTRIBUTE_MAP
return firewall.RESOURCE_ATTRIBUTE_MAP
else:
return {}


@ -13,339 +13,48 @@
# under the License.
import abc
from neutron.api.v2 import resource_helper
from neutron_lib.api import converters
from neutron_fwaas.common import fwaas_constants
from neutron_lib.api.definitions import firewall_v2
from neutron_lib.api import extensions
from neutron_lib.db import constants as nl_db_constants
from neutron_lib import exceptions as nexception
from neutron_lib.services import base as service_base
import six
from neutron_fwaas._i18n import _
# Import firewall v1 API to get the validators
# TODO(shpadubi): pull the validators out of fwaas v1 into a separate file
from neutron_fwaas.extensions import firewall as fwaas_v1
FIREWALL_PREFIX = '/fwaas'
FIREWALL_CONST = 'FIREWALL_V2'
# Firewall Exceptions
class FirewallGroupNotFound(nexception.NotFound):
message = _("Firewall Group %(firewall_id)s could not be found.")
class FirewallGroupInUse(nexception.InUse):
message = _("Firewall %(firewall_id)s is still active.")
class FirewallGroupInPendingState(nexception.Conflict):
message = _("Operation cannot be performed since associated Firewall "
"%(firewall_id)s is in %(pending_state)s.")
class FirewallGroupPortInvalid(nexception.Conflict):
message = _("Firewall Group Port %(port_id)s is invalid")
class FirewallGroupPortInvalidProject(nexception.Conflict):
message = _("Operation cannot be performed as port %(port_id)s "
"is in an invalid project %(tenant_id)s.")
class FirewallGroupPortInUse(nexception.InUse):
message = _("Port(s) %(port_ids)s provided already associated with "
"other Firewall Group(s). ")
class FirewallPolicyNotFound(nexception.NotFound):
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
class FirewallPolicyInUse(nexception.InUse):
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
class FirewallPolicyConflict(nexception.Conflict):
"""FWaaS exception for firewall policy
Occurs when admin policy tries to use another tenant's policy that
is not shared.
"""
message = _("Operation cannot be performed since Firewall Policy "
"%(firewall_policy_id)s is not shared and does not belong to "
"your tenant.")
class FirewallRuleSharingConflict(nexception.Conflict):
"""FWaaS exception for firewall rules
This exception will be raised when a shared policy is created or
updated with rules that are not shared.
"""
message = _("Operation cannot be performed since Firewall Policy "
"%(firewall_policy_id)s is shared but Firewall Rule "
"%(firewall_rule_id)s is not shared.")
class FirewallPolicySharingConflict(nexception.Conflict):
"""FWaaS exception for firewall policy
When a policy is 'shared' without sharing its associated rules,
this exception will be raised.
"""
message = _("Operation cannot be performed. Before sharing Firewall "
"Policy %(firewall_policy_id)s, share associated Firewall "
"Rule %(firewall_rule_id)s.")
class FirewallRuleNotFound(nexception.NotFound):
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
class FirewallRuleInUse(nexception.InUse):
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
class FirewallRuleNotAssociatedWithPolicy(nexception.InvalidInput):
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
"with Firewall Policy %(firewall_policy_id)s.")
class FirewallRuleInvalidProtocol(nexception.InvalidInput):
message = _("Firewall Rule protocol %(protocol)s is not supported. "
"Only protocol values %(values)s and their integer "
"representation (0 to 255) are supported.")
class FirewallRuleInvalidAction(nexception.InvalidInput):
message = _("Firewall rule action %(action)s is not supported. "
"Only action values %(values)s are supported.")
class FirewallRuleInvalidICMPParameter(nexception.InvalidInput):
message = _("%(param)s are not allowed when protocol "
"is set to ICMP.")
class FirewallRuleWithPortWithoutProtocolInvalid(nexception.InvalidInput):
message = _("Source/destination port requires a protocol")
class FirewallRuleInvalidPortValue(nexception.InvalidInput):
message = _("Invalid value for port %(port)s.")
class FirewallRuleInfoMissing(nexception.InvalidInput):
message = _("Missing rule info argument for insert/remove "
"rule operation.")
class FirewallIpAddressConflict(nexception.InvalidInput):
message = _("Invalid input - IP addresses do not agree with IP Version.")
class FirewallInternalDriverError(nexception.NeutronException):
"""Fwaas exception for all driver errors.
On any failure or exception in the driver, driver should log it and
raise this exception to the agent
"""
message = _("%(driver)s: Internal driver error.")
class FirewallRuleConflict(nexception.Conflict):
"""Firewall rule conflict exception.
Occurs when admin policy tries to use another tenant's rule that is
not shared
"""
message = _("Operation cannot be performed since Firewall Rule "
"%(firewall_rule_id)s is not shared and belongs to "
"another tenant %(tenant_id)s.")
class FirewallRuleAlreadyAssociated(nexception.Conflict):
"""Firewall rule conflict exception.
Occurs when there is an attempt to assign a rule to a policy that
the rule is already associated with.
"""
message = _("Operation cannot be performed since Firewall Rule "
"%(firewall_rule_id)s is already associated with Firewall"
"Policy %(firewall_policy_id)s.")
RESOURCE_ATTRIBUTE_MAP = {
'firewall_rules': {
'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True, 'primary_key': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
'validate': {'type:string':
nl_db_constants.UUID_FIELD_SIZE},
'is_visible': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE},
'is_visible': True, 'default': ''},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string':
nl_db_constants.DESCRIPTION_FIELD_SIZE},
'is_visible': True, 'default': ''},
'firewall_policy_id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid_or_none': None},
'is_visible': True},
'shared': {'allow_post': True, 'allow_put': True,
'default': False, 'is_visible': True,
'convert_to': converters.convert_to_boolean,
'required_by_policy': True, 'enforce_policy': True},
'protocol': {'allow_post': True, 'allow_put': True,
'is_visible': True, 'default': None,
'convert_to': fwaas_v1.convert_protocol,
'validate': {'type:values':
fwaas_v1.fw_valid_protocol_values}},
'ip_version': {'allow_post': True, 'allow_put': True,
'default': 4, 'convert_to': converters.convert_to_int,
'validate': {'type:values': [4, 6]},
'is_visible': True},
'source_ip_address': {'allow_post': True, 'allow_put': True,
'validate': {'type:ip_or_subnet_or_none': None},
'is_visible': True, 'default': None},
'destination_ip_address': {'allow_post': True, 'allow_put': True,
'validate': {'type:ip_or_subnet_or_none':
None},
'is_visible': True, 'default': None},
'source_port': {'allow_post': True, 'allow_put': True,
'validate': {'type:port_range': None},
'convert_to': fwaas_v1.convert_port_to_string,
'default': None, 'is_visible': True},
'destination_port': {'allow_post': True, 'allow_put': True,
'validate': {'type:port_range': None},
'convert_to': fwaas_v1.convert_port_to_string,
'default': None, 'is_visible': True},
'position': {'allow_post': False, 'allow_put': False,
'default': None, 'is_visible': True},
'action': {'allow_post': True, 'allow_put': True,
'convert_to': fwaas_v1.convert_action_to_case_insensitive,
'validate': {'type:values':
fwaas_v1.fw_valid_action_values},
'is_visible': True, 'default': 'deny'},
'enabled': {'allow_post': True, 'allow_put': True,
'convert_to': converters.convert_to_boolean,
'default': True, 'is_visible': True},
},
'firewall_groups': {
'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE},
'is_visible': True, 'default': ''},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string':
nl_db_constants.DESCRIPTION_FIELD_SIZE},
'is_visible': True, 'default': ''},
'admin_state_up': {'allow_post': True, 'allow_put': True,
'default': True, 'is_visible': True,
'convert_to': converters.convert_to_boolean},
'status': {'allow_post': False, 'allow_put': False,
'is_visible': True},
'shared': {'allow_post': True, 'allow_put': True, 'default': False,
'convert_to': converters.convert_to_boolean,
'is_visible': True, 'required_by_policy': True,
'enforce_policy': True},
'ports': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to': converters.convert_none_to_empty_list,
'default': None, 'is_visible': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
'validate': {'type:string':
nl_db_constants.UUID_FIELD_SIZE},
'is_visible': True},
'ingress_firewall_policy_id': {'allow_post': True,
'allow_put': True,
'validate': {'type:uuid_or_none':
None},
'default': None, 'is_visible': True},
'egress_firewall_policy_id': {'allow_post': True,
'allow_put': True,
'validate': {'type:uuid_or_none':
None},
'default': None, 'is_visible': True},
},
'firewall_policies': {
'id': {'allow_post': False, 'allow_put': False,
'validate': {'type:uuid': None},
'is_visible': True,
'primary_key': True},
'tenant_id': {'allow_post': True, 'allow_put': False,
'required_by_policy': True,
'validate': {'type:string':
nl_db_constants.UUID_FIELD_SIZE},
'is_visible': True},
'name': {'allow_post': True, 'allow_put': True,
'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE},
'is_visible': True, 'default': ''},
'description': {'allow_post': True, 'allow_put': True,
'validate': {'type:string':
nl_db_constants.DESCRIPTION_FIELD_SIZE},
'is_visible': True, 'default': ''},
'shared': {'allow_post': True, 'allow_put': True, 'default': False,
'convert_to': converters.convert_to_boolean,
'is_visible': True, 'required_by_policy': True,
'enforce_policy': True},
'firewall_rules': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'convert_to': converters.convert_none_to_empty_list,
'default': None, 'is_visible': True},
'audited': {'allow_post': True, 'allow_put': True, 'default': False,
'convert_to': converters.convert_to_boolean,
'is_visible': True},
},
}
class Firewall_v2(extensions.ExtensionDescriptor):
api_definition = firewall_v2
@classmethod
def get_name(cls):
return "Firewall service v2"
return firewall_v2.NAME
@classmethod
def get_alias(cls):
return "fwaas_v2"
return firewall_v2.ALIAS
@classmethod
def get_description(cls):
return "Extension for Firewall service v2"
return firewall_v2.DESCRIPTION
@classmethod
def get_updated(cls):
return "2016-08-16T00:00:00-00:00"
return firewall_v2.UPDATED_TIMESTAMP
@classmethod
def get_resources(cls):
special_mappings = {'firewall_policies': 'firewall_policy'}
"""Returns Ext Resources."""
plural_mappings = resource_helper.build_plural_mappings(
special_mappings, RESOURCE_ATTRIBUTE_MAP)
action_map = {'firewall_policy': {'insert_rule': 'PUT',
'remove_rule': 'PUT'}}
return resource_helper.build_resource_info(plural_mappings,
RESOURCE_ATTRIBUTE_MAP,
FIREWALL_CONST,
action_map=action_map)
{}, firewall_v2.RESOURCE_ATTRIBUTE_MAP)
return resource_helper.build_resource_info(
plural_mappings,
firewall_v2.RESOURCE_ATTRIBUTE_MAP,
firewall_v2.ALIAS,
action_map=firewall_v2.ACTION_MAP,
register_quota=True)
@classmethod
def get_plugin_interface(cls):
@ -353,11 +62,11 @@ class Firewall_v2(extensions.ExtensionDescriptor):
def update_attributes_map(self, attributes):
super(Firewall_v2, self).update_attributes_map(
attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP)
attributes, extension_attrs_map=firewall_v2.RESOURCE_ATTRIBUTE_MAP)
def get_extended_resources(self, version):
if version == "2.0":
return RESOURCE_ATTRIBUTE_MAP
return firewall_v2.RESOURCE_ATTRIBUTE_MAP
else:
return {}
@ -366,10 +75,10 @@ class Firewall_v2(extensions.ExtensionDescriptor):
class Firewallv2PluginBase(service_base.ServicePluginBase):
def get_plugin_name(self):
return FIREWALL_CONST
return fwaas_constants.FIREWALL_V2
def get_plugin_type(self):
return FIREWALL_CONST
return fwaas_constants.FIREWALL_V2
def get_plugin_description(self):
return 'Firewall Service v2 Plugin'
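Review bot: The rewritten Firewall_v2.get_resources passes `{}` as the special mappings to build_plural_mappings, dropping the `{'firewall_policies': 'firewall_policy'}` entry that the removed code had and that the v1 Firewall.get_resources in this same commit still passes; if the helper derives the singular by trimming a trailing 's' when no special mapping is given, the v2 policy resource becomes 'firewall_policie' and the insert_rule/remove_rule member actions keyed on 'firewall_policy' in ACTION_MAP no longer attach. The third positional argument also changed from FIREWALL_CONST ('FIREWALL_V2') to `firewall_v2.ALIAS` (the alias was "fwaas_v2"), while Firewallv2PluginBase.get_plugin_type() still returns fwaas_constants.FIREWALL_V2 — if build_resource_info resolves the service plugin by that name, the alias will not find it. Suggested: `special_mappings = {'firewall_policies': 'firewall_policy'}`, `plural_mappings = resource_helper.build_plural_mappings(special_mappings, firewall_v2.RESOURCE_ATTRIBUTE_MAP)` and `fwaas_constants.FIREWALL_V2,` as the service argument. The tail of Firewall_v2 (get_plugin_interface) lies outside the visible hunks.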


@ -13,25 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib.api.definitions import firewallrouterinsertion
from neutron_lib.api import extensions
from neutron_lib import constants
from neutron_lib import exceptions as nexception
from neutron_fwaas._i18n import _
class FirewallRouterInUse(nexception.InUse):
message = _("Router(s) %(router_ids)s provided already associated with "
"other Firewall(s). ")
EXTENDED_ATTRIBUTES_2_0 = {
'firewalls': {
'router_ids': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_list': None},
'is_visible': True, 'default': constants.ATTR_NOT_SPECIFIED},
}
}
class Firewallrouterinsertion(extensions.ExtensionDescriptor):
@ -55,22 +38,22 @@ class Firewallrouterinsertion(extensions.ExtensionDescriptor):
"""
@classmethod
def get_name(cls):
return "Firewall Router insertion"
return firewallrouterinsertion.NAME
@classmethod
def get_alias(cls):
return "fwaasrouterinsertion"
return firewallrouterinsertion.ALIAS
@classmethod
def get_description(cls):
return "Firewall Router insertion on specified set of routers"
return firewallrouterinsertion.DESCRIPTION
@classmethod
def get_updated(cls):
return "2015-01-27T10:00:00-00:00"
return firewallrouterinsertion.UPDATED_TIMESTAMP
def get_extended_resources(self, version):
if version == "2.0":
return EXTENDED_ATTRIBUTES_2_0
return firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP
else:
return {}


@ -21,10 +21,10 @@ from oslo_log import log as logging
from neutron_fwaas._i18n import _, _LE
from neutron_fwaas.common import fwaas_constants
from neutron_fwaas.common import resources as f_resources
from neutron_fwaas.extensions import firewall as fw_ext
from neutron_fwaas.services.firewall.agents import firewall_agent_api as api
from neutron_fwaas.services.firewall.agents import firewall_service
from neutron_lib.agent import l3_extension
from neutron_lib.api.definitions import firewall as fw_ext
from neutron_lib import constants as nl_constants
from neutron_lib import context
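Review bot: `fw_ext` is rebound from neutron_fwaas.extensions.firewall to neutron_lib.api.definitions.firewall, but nothing else in the agent changes in this hunk; the old module carried the FWaaS exception classes and converters, and the other files in this commit had to move their `fw_ext.Firewall*` references to neutron_fwaas.common.exceptions. Any such reference left in firewall_l3_agent outside this hunk would now fail with AttributeError at the point of use rather than at import, so please grep the module for `fw_ext.` and confirm only definition constants (API_PREFIX, ALIAS and the like) remain, or add `from neutron_fwaas.common import exceptions` for the rest. The module body is outside the visible hunk.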


@ -20,8 +20,8 @@ from oslo_utils import excutils
from neutron.agent.linux import iptables_manager
from neutron.common import utils
from neutron_fwaas._i18n import _LE
from neutron_fwaas.common import exceptions as exc
from neutron_fwaas.common import fwaas_constants as f_const
from neutron_fwaas.extensions import firewall as fw_ext
from neutron_fwaas.services.firewall.drivers import fwaas_base
LOG = logging.getLogger(__name__)
@ -92,9 +92,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
else:
self.apply_default_policy(agent_mode, apply_list, firewall)
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
# catch known library exc and raise Fwaas generic exception
LOG.exception(_LE("Failed to create firewall: %s"), firewall['id'])
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def _get_ipt_mgrs_with_if_prefix(self, agent_mode, router_info):
"""Gets the iptables manager along with the if prefix to apply rules.
@ -137,9 +137,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
ipt_mgr.defer_apply_off()
self.pre_firewall = None
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
# catch known library exc and raise Fwaas generic exception
LOG.exception(_LE("Failed to delete firewall: %s"), fwid)
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def update_firewall(self, agent_mode, apply_list, firewall):
LOG.debug('Updating firewall %(fw_id)s for tenant %(tid)s',
@ -157,9 +157,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
self.apply_default_policy(agent_mode, apply_list, firewall)
self.pre_firewall = dict(firewall)
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
# catch known library exc and raise Fwaas generic exception
LOG.exception(_LE("Failed to update firewall: %s"), firewall['id'])
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def apply_default_policy(self, agent_mode, apply_list, firewall):
LOG.debug('Applying firewall %(fw_id)s for tenant %(tid)s',
@ -182,10 +182,10 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
# apply the changes immediately (no defer in firewall path)
ipt_mgr.defer_apply_off()
except (LookupError, RuntimeError):
# catch known library exceptions and raise Fwaas generic exception
# catch known library exc and raise Fwaas generic exception
LOG.exception(
_LE("Failed to apply default policy on firewall: %s"), fwid)
raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def _setup_firewall(self, agent_mode, apply_list, firewall):
fwid = firewall['id']
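Review bot: The comment edits at the top of each except block turned "catch known library exceptions and raise Fwaas generic exception" into "catch known library exc and raise Fwaas generic exception", which reads like the module-alias search-and-replace leaked into prose; restore `# catch known library exceptions and raise Fwaas generic exception` in all four places. The code change itself, `raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)`, is fine. Each of these methods starts before its hunk, so the try bodies are not visible here.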


@ -15,14 +15,14 @@
from neutron.agent.linux import iptables_manager
from neutron.agent.linux import utils as linux_utils
from neutron_lib.api.definitions import firewall as fw_ext
from oslo_log import log as logging
from neutron_fwaas._i18n import _LE
from neutron_fwaas.extensions import firewall as fw_ext
from neutron_fwaas.services.firewall.drivers import fwaas_base_v2
LOG = logging.getLogger(__name__)
FWAAS_DRIVER_NAME = 'Fwaas iptables driver'
FWAAS_DRIVER_NAME = 'FWaaS iptables driver'
FWAAS_DEFAULT_CHAIN = 'fwaas-default-policy'
FWAAS_TO_IPTABLE_ACTION_MAP = {'allow': 'ACCEPT',
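Review bot: This v2 driver receives only the import swap to neutron_lib.api.definitions.firewall, whereas the v1 driver in the same commit also had to rewrite every `raise fw_ext.FirewallInternalDriverError(...)` to the neutron_fwaas.common.exceptions alias, which implies the neutron-lib definition module does not define that exception. If iptables_fwaas_v2 raises `fw_ext.FirewallInternalDriverError` anywhere below this hunk, the failure path will now die with AttributeError instead of reporting the driver error to the agent; please check the rest of the module and add `from neutron_fwaas.common import exceptions as exc` where needed. Note also that renaming FWAAS_DRIVER_NAME to 'FWaaS iptables driver' changes the text of those driver-error messages and of any log filter keyed on the old name, which the commit message does not mention.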


@ -12,6 +12,7 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from neutron_lib import constants as nl_constants
from neutron_lib import context as neutron_context
from neutron_lib.plugins import directory
@ -19,15 +20,16 @@ from neutron_lib.plugins import directory
from neutron.common import rpc as n_rpc
from neutron.common import utils as n_utils
from neutron_lib.api.definitions import firewall as fw_ext
from oslo_config import cfg
from oslo_log import log as logging
import oslo_messaging
from neutron_fwaas._i18n import _LI, _LW
from neutron_fwaas._i18n import _
from neutron_fwaas.common import exceptions
from neutron_fwaas.common import fwaas_constants as f_const
from neutron_fwaas.db.firewall import firewall_db
from neutron_fwaas.db.firewall import firewall_router_insertion_db
from neutron_fwaas.extensions import firewall as fw_ext
LOG = logging.getLogger(__name__)
@ -72,13 +74,13 @@ class FirewallCallbacks(object):
self.plugin.delete_db_firewall_object(context, firewall_id)
return True
else:
LOG.warning(_LW('Firewall %(fw)s unexpectedly deleted by '
'agent, status was %(status)s'),
LOG.warning(_('Firewall %(fw)s unexpectedly deleted by '
'agent, status was %(status)s'),
{'fw': firewall_id, 'status': fw_db.status})
fw_db.update({"status": nl_constants.ERROR})
return False
except fw_ext.FirewallNotFound:
LOG.info(_LI('Firewall %s already deleted'), firewall_id)
except exceptions.FirewallNotFound:
LOG.info(_('Firewall %s already deleted'), firewall_id)
return True
def get_firewalls_for_tenant(self, context, **kwargs):
@ -151,7 +153,7 @@ class FirewallPlugin(
firewall_db.Firewall_db_mixin.
"""
supported_extension_aliases = ["fwaas", "fwaasrouterinsertion"]
path_prefix = fw_ext.FIREWALL_PREFIX
path_prefix = fw_ext.API_PREFIX
def __init__(self):
"""Do the initialization for the firewall service plugin here."""
@ -214,7 +216,7 @@ class FirewallPlugin(
if fwall['status'] in [nl_constants.PENDING_CREATE,
nl_constants.PENDING_UPDATE,
nl_constants.PENDING_DELETE]:
raise fw_ext.FirewallInPendingState(firewall_id=firewall_id,
raise exceptions.FirewallInPendingState(firewall_id=firewall_id,
pending_state=fwall['status'])
def _ensure_update_firewall_policy(self, context, firewall_policy_id):
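Review bot: The two log calls in firewall_deleted now wrap their message in `_()` after the `_LI`/`_LW` markers were dropped, which still marks the log text for runtime translation; if the intent was to stop translating logs (which removing the log-level markers suggests), use plain strings, e.g. `LOG.warning('Firewall %(fw)s unexpectedly deleted by agent, status was %(status)s', {'fw': firewall_id, 'status': fw_db.status})` and `LOG.info('Firewall %s already deleted', firewall_id)`, which also keeps log lines locale-independent for anyone matching on them. The continuation line of `raise exceptions.FirewallInPendingState(firewall_id=firewall_id,` is now misaligned with the opening parenthesis. `supported_extension_aliases` still hard-codes "fwaas" while the definition module now provides it; `fw_ext.ALIAS` would keep the two in step. firewall_deleted starts before its hunk.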


@ -16,15 +16,16 @@ from neutron_lib import context as neutron_context
from neutron_lib.plugins import directory
from neutron.common import rpc as n_rpc
from neutron_lib.api.definitions import firewall_v2 as fw_ext
from neutron_lib import constants as nl_constants
from oslo_config import cfg
from oslo_log import log as logging
import oslo_messaging
from neutron_fwaas._i18n import _LI
from neutron_fwaas.common import exceptions
from neutron_fwaas.common import fwaas_constants
from neutron_fwaas.db.firewall.v2 import firewall_db_v2
from neutron_fwaas.extensions import firewall_v2 as fw_ext
LOG = logging.getLogger(__name__)
@ -102,7 +103,7 @@ class FirewallCallbacks(object):
{'fwg': fwg_id, 'status': fwg_db.status})
fwg_db.update({"status": nl_constants.ERROR})
return False
except fw_ext.FirewallGroupNotFound:
except exceptions.FirewallGroupNotFound:
LOG.info(_LI('Firewall group %s already deleted'), fwg_id)
return True
@ -144,7 +145,7 @@ class FirewallPluginV2(
firewall_db_v2.Firewall_db_mixin_v2.
"""
supported_extension_aliases = ["fwaas_v2"]
path_prefix = fw_ext.FIREWALL_PREFIX
path_prefix = fw_ext.API_PREFIX
def __init__(self):
"""Do the initialization for the firewall service plugin here."""
@ -194,7 +195,7 @@ class FirewallPluginV2(
if fwg['status'] in [nl_constants.PENDING_CREATE,
nl_constants.PENDING_UPDATE,
nl_constants.PENDING_DELETE]:
raise fw_ext.FirewallGroupInPendingState(firewall_id=fwg_id,
raise exceptions.FirewallGroupInPendingState(firewall_id=fwg_id,
pending_state=fwg['status'])
def _ensure_update_firewall_policy(self, context, firewall_policy_id):
@ -216,9 +217,9 @@ class FirewallPluginV2(
for port_id in fwg_ports:
port_db = self._core_plugin._get_port(context, port_id)
if port_db['device_owner'] != "network:router_interface":
raise fw_ext.FirewallGroupPortInvalid(port_id=port_id)
raise exceptions.FirewallGroupPortInvalid(port_id=port_id)
if port_db['tenant_id'] != tenant_id:
raise fw_ext.FirewallGroupPortInvalidProject(
raise exceptions.FirewallGroupPortInvalidProject(
port_id=port_id, tenant_id=port_db['tenant_id'])
return
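Review bot: The re-homed `raise exceptions.FirewallGroupPortInvalidProject(port_id=port_id, tenant_id=port_db['tenant_id'])` still returns the owning project's tenant_id to the caller, so a tenant who learns or guesses another project's router-port UUID is told which project owns it; unless this path is admin-only, report the requesting tenant instead (`tenant_id=tenant_id`) and reword the message in common/exceptions to "port %(port_id)s does not belong to project %(tenant_id)s". The preceding check compares device_owner against the literal "network:router_interface" although nl_constants is now imported on the new side; `nl_constants.DEVICE_OWNER_ROUTER_INTF` would avoid drift if that constant is defined there. This file also keeps `_LI` for its log calls while fwaas_plugin.py in the same commit drops it. The enclosing method starts before the hunk.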


@ -328,6 +328,7 @@ class FWaaSExtensionTestJSON(base.BaseFWaaSTest):
self.assertNotIn(router1['id'], updated_firewall['router_ids'])
self.assertEqual(1, len(updated_firewall['router_ids']))
@decorators.skip_because(bug="1694363")
@decorators.idempotent_id('c60ceff5-d51f-451d-b6e6-cb983d16ab6b')
def test_firewall_insertion_mode_one_firewall_per_router(self):
# Create router required for an ACTIVE firewall
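Review bot: The new `@decorators.skip_because(bug="1694363")` disables test_firewall_insertion_mode_one_firewall_per_router, a check of the one-firewall-per-router invariant, and the commit message does not mention it; a skip added inside an API-definition refactor hides whether the neutron-lib definition preserved that behaviour. If the skip is unavoidable, say why in place, e.g. `# Skipped until bug 1694363 is resolved; the one-firewall-per-router invariant is not otherwise covered by tempest`, and note when it is expected to come back. The test body continues outside the hunk.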


@ -154,7 +154,7 @@ class TestFWaaS(base.FWaaSScenarioTest):
def _allow_ssh_and_icmp(self, ctx):
fw_ssh_rule = self.create_firewall_rule(
protocol="tcp",
destination_port=22,
destination_port='22',
action="allow")
fw_icmp_rule = self.create_firewall_rule(
protocol="icmp",
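Review bot: Changing `destination_port=22` to `destination_port='22'` here (and the matching int-to-str edits in the plugin unit tests) suggests the API no longer coerces integer port values the way the removed `convert_port_to_string` converter did, so clients that send `22` as a JSON number would now be rejected by the port_range validator; that is a client-visible API change the commit message does not mention. If neutron-lib's definition still attaches `convert_port_to_string` as `convert_to`, this test edit is unnecessary and the integer form should keep working — either way please confirm against the definition and call the outcome out in the message. _allow_ssh_and_icmp continues outside the hunk.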


@ -24,11 +24,13 @@ from oslo_utils import uuidutils
import six
import webob.exc
from neutron_fwaas.common import exceptions
from neutron_fwaas.common import fwaas_constants as fw_const
from neutron_fwaas.db.firewall import firewall_db as fdb
from neutron_fwaas import extensions
from neutron_fwaas.extensions import firewall
from neutron_fwaas.services.firewall import fwaas_plugin
from neutron_fwaas.tests import base
from neutron_lib.api.definitions import firewall as nl_firewall
from neutron_lib import constants as nl_constants
from neutron_lib import context
from neutron_lib.exceptions import l3
@ -67,14 +69,14 @@ class FakeAgentApi(fwaas_plugin.FirewallCallbacks):
pass
def delete_firewall(self, context, firewall, **kwargs):
self.plugin = directory.get_plugin('FIREWALL')
self.plugin = directory.get_plugin(fw_const.FIREWALL)
self.firewall_deleted(context, firewall['id'], **kwargs)
class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase):
resource_prefix_map = dict(
(k, firewall.FIREWALL_PREFIX)
for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys()
(k, nl_firewall.API_PREFIX)
for k in nl_firewall.RESOURCE_ATTRIBUTE_MAP.keys()
)
def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None):
@ -86,7 +88,7 @@ class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase):
service_plugins = {'fw_plugin_name': fw_plugin}
fdb.Firewall_db_mixin.supported_extension_aliases = ["fwaas"]
fdb.Firewall_db_mixin.path_prefix = firewall.FIREWALL_PREFIX
fdb.Firewall_db_mixin.path_prefix = nl_firewall.API_PREFIX
super(FirewallPluginDbTestCase, self).setUp(
ext_mgr=ext_mgr,
service_plugins=service_plugins
@ -627,7 +629,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
req = self.new_delete_request('firewall_policies', fwp_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallPolicyNotFound,
self.assertRaises(exceptions.FirewallPolicyNotFound,
self.plugin.get_firewall_policy,
ctx, fwp_id)
@ -650,7 +652,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
req = self.new_delete_request('firewall_policies', fwp_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallPolicyNotFound,
self.assertRaises(exceptions.FirewallPolicyNotFound,
self.plugin.get_firewall_policy,
ctx, fwp_id)
fw_rule = self.plugin.get_firewall_rule(ctx, fr_id)
@ -684,8 +686,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
attrs['source_port'] = '10000'
attrs['destination_port'] = '80'
with self.firewall_rule(source_port=10000,
destination_port=80) as firewall_rule:
with self.firewall_rule(source_port='10000',
destination_port='80') as firewall_rule:
for k, v in six.iteritems(attrs):
self.assertEqual(v, firewall_rule['firewall_rule'][k])
@ -837,8 +839,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
with self.firewall_rule() as fwr:
data = {'firewall_rule': {'name': name,
'protocol': PROTOCOL,
'source_port': 10000,
'destination_port': 80}}
'source_port': '10000',
'destination_port': '80'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
res = self.deserialize(self.fmt,
@ -914,7 +916,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
with self.firewall_rule(source_port=None,
destination_port=None,
protocol=None) as fwr:
data = {'firewall_rule': {'destination_port': 80,
data = {'firewall_rule': {'destination_port': '80',
'protocol': 'tcp'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
@ -925,7 +927,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
with self.firewall_rule(source_port=None,
destination_port=None,
protocol=None) as fwr:
data = {'firewall_rule': {'destination_port': 80,
data = {'firewall_rule': {'destination_port': '80',
'protocol': 'icmp'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
@ -980,7 +982,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
req = self.new_delete_request('firewall_rules', fwr_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallRuleNotFound,
self.assertRaises(exceptions.FirewallRuleNotFound,
self.plugin.get_firewall_rule,
ctx, fwr_id)
@ -1196,7 +1198,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
req = self.new_delete_request('firewalls', fw_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallNotFound,
self.assertRaises(exceptions.FirewallNotFound,
self.plugin.get_firewall,
ctx, fw_id)
@ -1481,7 +1483,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase):
def test_check_router_has_no_firewall_raises(self):
fw_plugin = mock.Mock()
directory.add_plugin('FIREWALL', fw_plugin)
directory.add_plugin(fw_const.FIREWALL, fw_plugin)
fw_plugin.get_firewalls.return_value = [mock.ANY]
kwargs = {
'context': mock.ANY,
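Review bot: The hunks at L1561-1564 and L1571-1574 convert every port argument from an int to a string, so this module no longer exercises integer port input at all, and the deleted `test_create_firewall_rule_with_integer_ports` that covered that path elsewhere is not replaced. If the neutron-lib definition coerces ints to strings on the way in, that coercion now has no test; if it rejects ints, that is a client-visible API tightening that should be stated in the commit message. Keeping one case with integer input, `with self.firewall_rule(source_port=10000, destination_port=80) as firewall_rule:` and asserting the stored values are `'10000'` and `'80'`, would pin whichever behaviour is intended. The switch to `directory.get_plugin(fw_const.FIREWALL)` at L1523 and L1616 is the right direction and should be applied to the v2 tests as well.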


@ -26,12 +26,12 @@ import six
import testtools
import webob.exc
from neutron_fwaas._i18n import _
from neutron_fwaas.common import exceptions
from neutron_fwaas.db.firewall.v2 import firewall_db_v2 as fdb
from neutron_fwaas import extensions
from neutron_fwaas.extensions import firewall_v2 as firewall
from neutron_fwaas.services.firewall import fwaas_plugin_v2
from neutron_fwaas.tests import base
from neutron_lib.api.definitions import firewall_v2 as nl_firewall
from neutron_lib import constants as nl_constants
from neutron_lib import context
from neutron_lib.plugins import directory
@ -69,14 +69,14 @@ class FakeAgentApi(fwaas_plugin_v2.FirewallCallbacks):
pass
def delete_firewall_group(self, context, firewall_group, **kwargs):
self.plugin = directory.get_plugin('FIREWALL_V2')
self.plugin = directory.get_plugin('fwaas_v2')
self.firewall_group_deleted(context, firewall_group['id'], **kwargs)
class FirewallPluginV2DbTestCase(base.NeutronDbPluginV2TestCase):
resource_prefix_map = dict(
(k, firewall.FIREWALL_PREFIX)
for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys()
(k, nl_firewall.API_PREFIX)
for k in nl_firewall.RESOURCE_ATTRIBUTE_MAP.keys()
)
def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None):
@ -89,7 +89,7 @@ class FirewallPluginV2DbTestCase(base.NeutronDbPluginV2TestCase):
service_plugins = {'fw_plugin_name': fw_plugin}
fdb.Firewall_db_mixin_v2.supported_extension_aliases = ["fwaas_v2"]
fdb.Firewall_db_mixin_v2.path_prefix = firewall.FIREWALL_PREFIX
fdb.Firewall_db_mixin_v2.path_prefix = nl_firewall.API_PREFIX
super(FirewallPluginV2DbTestCase, self).setUp(
ext_mgr=ext_mgr,
service_plugins=service_plugins
@ -664,7 +664,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
req = self.new_delete_request('firewall_policies', fwp_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallPolicyNotFound,
self.assertRaises(exceptions.FirewallPolicyNotFound,
self.plugin.get_firewall_policy,
ctx, fwp_id)
@ -688,7 +688,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
req = self.new_delete_request('firewall_policies', fwp_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallPolicyNotFound,
self.assertRaises(exceptions.FirewallPolicyNotFound,
self.plugin.get_firewall_policy,
ctx, fwp_id)
fw_rule = self.plugin.get_firewall_rule(ctx, fr_id)
@ -722,8 +722,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
attrs['source_port'] = '10000'
attrs['destination_port'] = '80'
with self.firewall_rule(source_port=10000,
destination_port=80) as firewall_rule:
with self.firewall_rule(source_port='10000',
destination_port='80') as firewall_rule:
for k, v in six.iteritems(attrs):
self.assertEqual(v, firewall_rule['firewall_rule'][k])
@ -876,8 +876,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
with self.firewall_rule() as fwr:
data = {'firewall_rule': {'name': name,
'protocol': PROTOCOL,
'source_port': 10000,
'destination_port': 80}}
'source_port': '10000',
'destination_port': '80'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
res = self.deserialize(self.fmt,
@ -915,7 +915,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
def test_update_firewall_rule_with_port_and_no_proto(self):
with self.firewall_rule() as fwr:
data = {'firewall_rule': {'protocol': None,
'destination_port': 80}}
'destination_port': '80'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
res = req.get_response(self.ext_api)
@ -935,7 +935,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
with self.firewall_rule(source_port=None,
destination_port=None,
protocol=None) as fwr:
data = {'firewall_rule': {'destination_port': 80}}
data = {'firewall_rule': {'destination_port': '80'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
res = req.get_response(self.ext_api)
@ -953,7 +953,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
with self.firewall_rule(source_port=None,
destination_port=None,
protocol=None) as fwr:
data = {'firewall_rule': {'destination_port': 80,
data = {'firewall_rule': {'destination_port': '80',
'protocol': 'tcp'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
@ -964,7 +964,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
with self.firewall_rule(source_port=None,
destination_port=None,
protocol=None) as fwr:
data = {'firewall_rule': {'destination_port': 80,
data = {'firewall_rule': {'destination_port': '80',
'protocol': 'icmp'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
@ -974,7 +974,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
with self.firewall_rule(source_port=None,
destination_port=None,
protocol='icmp') as fwr:
data = {'firewall_rule': {'destination_port': 80}}
data = {'firewall_rule': {'destination_port': '80'}}
req = self.new_update_request('firewall_rules', data,
fwr['firewall_rule']['id'])
res = req.get_response(self.ext_api)
@ -1036,7 +1036,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
req = self.new_delete_request('firewall_rules', fwr_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallRuleNotFound,
self.assertRaises(exceptions.FirewallRuleNotFound,
self.plugin.get_firewall_rule,
ctx, fwr_id)
@ -1202,10 +1202,10 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
fwp_id = fwp['firewall_policy']['id']
with self.firewall_group(
ingress_firewall_policy_id=fwp_id,
admin_state_up=ADMIN_STATE_UP) as firewall:
admin_state_up=ADMIN_STATE_UP) as tfirewall:
data = {'firewall_group': {'name': name}}
req = self.new_update_request('firewall_groups', data,
firewall['firewall_group']['id'])
req = self.new_update_request(
'firewall_groups', data, tfirewall['firewall_group']['id'])
res = self.deserialize(self.fmt,
req.get_response(self.ext_api))
for k, v in six.iteritems(attrs):
@ -1277,8 +1277,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
fwp2_id = fwps[1]['firewall_policy']['id']
ctx = context.Context('not_admin', 'tenant1')
with self.firewall_group(ingress_firewall_policy_id=fwp1_id,
context=ctx) as firewall:
fw_id = firewall['firewall_group']['id']
context=ctx) as tfirewall:
fw_id = tfirewall['firewall_group']['id']
fw_db = self.plugin._get_firewall_group(ctx, fw_id)
fw_db['status'] = nl_constants.ACTIVE
# update firewall from fwp1 to fwp2(different tenant)
@ -1299,7 +1299,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase):
req = self.new_delete_request('firewall_groups', fw_id)
res = req.get_response(self.ext_api)
self.assertEqual(204, res.status_int)
self.assertRaises(firewall.FirewallGroupNotFound,
self.assertRaises(exceptions.FirewallGroupNotFound,
self.plugin.get_firewall_group,
ctx, fw_id)
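Review bot: `directory.get_plugin('fwaas_v2')` at L1641 replaces one bare string with another, whereas the v1 test in this same change moves to `fw_const.FIREWALL`; the key the v2 plugin registers under is now spelled as a literal here and must silently match whatever `FirewallPluginV2` uses, with a mismatch surfacing only as a `None` plugin deep inside `delete_firewall_group`. If `fwaas_constants` defines (or can define) a v2 key, `self.plugin = directory.get_plugin(fw_const.FIREWALL_V2)` would make a rename of the registration key fail at import time instead; I cannot see from the hunk whether that constant exists. The same literal is also used for `supported_extension_aliases` at L1653, so it is worth confirming the directory key and the extension alias are deliberately the same value.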


@ -1,419 +0,0 @@
# Copyright 2013 Big Switch Networks, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import copy
import mock
from neutron.tests.unit.api.v2 import test_base as test_api_v2
from neutron.tests.unit.extensions import base as test_api_v2_extension
from neutron_lib.db import constants as db_const
from oslo_utils import uuidutils
from webob import exc
import webtest
from neutron_fwaas.extensions import firewall_v2
_uuid = uuidutils.generate_uuid
_get_path = test_api_v2._get_path
_long_name = 'x' * (db_const.NAME_FIELD_SIZE + 1)
_long_description = 'y' * (db_const.DESCRIPTION_FIELD_SIZE + 1)
_long_tenant = 'z' * (db_const.PROJECT_ID_FIELD_SIZE + 1)
FIREWALL_CONST = 'FIREWALL_V2'
class FirewallExtensionTestCase(test_api_v2_extension.ExtensionTestCase):
fmt = 'json'
def setUp(self):
super(FirewallExtensionTestCase, self).setUp()
plural_mappings = {'firewall_policy': 'firewall_policies'}
self._setUpExtension(
'neutron_fwaas.extensions.firewall_v2.Firewallv2PluginBase',
FIREWALL_CONST, firewall_v2.RESOURCE_ATTRIBUTE_MAP,
firewall_v2.Firewall_v2, 'fwaas', plural_mappings=plural_mappings)
def _test_create_firewall_rule(self, src_port, dst_port):
rule_id = _uuid()
project_id = _uuid()
data = {'firewall_rule': {'description': 'descr_firewall_rule1',
'name': 'rule1',
'protocol': 'tcp',
'ip_version': 4,
'source_ip_address': '192.168.0.1',
'destination_ip_address': '127.0.0.1',
'source_port': src_port,
'destination_port': dst_port,
'action': 'allow',
'enabled': True,
'tenant_id': project_id,
'shared': False}}
expected_ret_val = copy.copy(data['firewall_rule'])
expected_ret_val['source_port'] = str(src_port)
expected_ret_val['destination_port'] = str(dst_port)
expected_ret_val['id'] = rule_id
instance = self.plugin.return_value
instance.create_firewall_rule.return_value = expected_ret_val
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt)
data['firewall_rule'].update({'project_id': project_id})
self.assertEqual(exc.HTTPCreated.code, res.status_int)
res = self.deserialize(res)
self.assertIn('firewall_rule', res)
self.assertEqual(expected_ret_val, res['firewall_rule'])
def test_create_firewall_rule_with_integer_ports(self):
self._test_create_firewall_rule(1, 10)
def test_create_firewall_rule_with_string_ports(self):
self._test_create_firewall_rule('1', '10')
def test_create_firewall_rule_with_port_range(self):
self._test_create_firewall_rule('1:20', '30:40')
def test_create_firewall_rule_invalid_long_name(self):
data = {'firewall_rule': {'description': 'descr_firewall_rule1',
'name': _long_name,
'protocol': 'tcp',
'ip_version': 4,
'source_ip_address': '192.168.0.1',
'destination_ip_address': '127.0.0.1',
'source_port': 1,
'destination_port': 1,
'action': 'allow',
'enabled': True,
'tenant_id': _uuid(),
'shared': False}}
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
self.assertIn('Invalid input for name', res.body.decode('utf-8'))
def test_create_firewall_rule_invalid_long_description(self):
data = {'firewall_rule': {'description': _long_description,
'name': 'rule1',
'protocol': 'tcp',
'ip_version': 4,
'source_ip_address': '192.168.0.1',
'destination_ip_address': '127.0.0.1',
'source_port': 1,
'destination_port': 1,
'action': 'allow',
'enabled': True,
'tenant_id': _uuid(),
'shared': False}}
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
self.assertIn('Invalid input for description',
res.body.decode('utf-8'))
def test_create_firewall_rule_invalid_long_tenant_id(self):
data = {'firewall_rule': {'description': 'desc',
'name': 'rule1',
'protocol': 'tcp',
'ip_version': 4,
'source_ip_address': '192.168.0.1',
'destination_ip_address': '127.0.0.1',
'source_port': 1,
'destination_port': 1,
'action': 'allow',
'enabled': True,
'tenant_id': _long_tenant,
'shared': False}}
res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
self.assertIn('Invalid input for ', res.body.decode('utf-8'))
def test_firewall_rule_list(self):
rule_id = _uuid()
return_value = [{'tenant_id': _uuid(),
'id': rule_id}]
instance = self.plugin.return_value
instance.get_firewall_rules.return_value = return_value
res = self.api.get(_get_path('fwaas/firewall_rules', fmt=self.fmt))
instance.get_firewall_rules.assert_called_with(mock.ANY,
fields=mock.ANY,
filters=mock.ANY)
self.assertEqual(exc.HTTPOk.code, res.status_int)
def test_firewall_rule_get(self):
rule_id = _uuid()
return_value = {'tenant_id': _uuid(),
'id': rule_id}
instance = self.plugin.return_value
instance.get_firewall_rule.return_value = return_value
res = self.api.get(_get_path('fwaas/firewall_rules',
id=rule_id, fmt=self.fmt))
instance.get_firewall_rule.assert_called_with(mock.ANY,
rule_id,
fields=mock.ANY)
self.assertEqual(exc.HTTPOk.code, res.status_int)
res = self.deserialize(res)
self.assertIn('firewall_rule', res)
self.assertEqual(return_value, res['firewall_rule'])
def test_firewall_rule_update(self):
rule_id = _uuid()
update_data = {'firewall_rule': {'action': 'deny'}}
return_value = {'tenant_id': _uuid(),
'id': rule_id}
instance = self.plugin.return_value
instance.update_firewall_rule.return_value = return_value
res = self.api.put(_get_path('fwaas/firewall_rules', id=rule_id,
fmt=self.fmt),
self.serialize(update_data))
instance.update_firewall_rule.assert_called_with(
mock.ANY,
rule_id,
firewall_rule=update_data)
self.assertEqual(exc.HTTPOk.code, res.status_int)
res = self.deserialize(res)
self.assertIn('firewall_rule', res)
self.assertEqual(return_value, res['firewall_rule'])
def test_firewall_rule_delete(self):
self._test_entity_delete('firewall_rule')
def test_create_firewall_policy(self):
policy_id = _uuid()
project_id = _uuid()
data = {'firewall_policy': {'description': 'descr_firewall_policy1',
'name': 'new_fw_policy1',
'firewall_rules': [_uuid(), _uuid()],
'audited': False,
'tenant_id': project_id,
'shared': False}}
return_value = copy.copy(data['firewall_policy'])
return_value.update({'id': policy_id})
instance = self.plugin.return_value
instance.create_firewall_policy.return_value = return_value
res = self.api.post(_get_path('fwaas/firewall_policies',
fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt)
data['firewall_policy'].update({'project_id': project_id})
self.assertEqual(exc.HTTPCreated.code, res.status_int)
res = self.deserialize(res)
self.assertIn('firewall_policy', res)
self.assertEqual(return_value, res['firewall_policy'])
def test_create_firewall_policy_invalid_long_name(self):
data = {'firewall_policy': {'description': 'descr_firewall_policy1',
'name': _long_name,
'firewall_rules': [_uuid(), _uuid()],
'audited': False,
'tenant_id': _uuid(),
'shared': False}}
res = self.api.post(_get_path('fwaas/firewall_policies',
fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
self.assertIn('Invalid input for name', res.body.decode('utf-8'))
def test_create_firewall_policy_invalid_long_description(self):
data = {'firewall_policy': {'description': _long_description,
'name': 'new_fw_policy1',
'firewall_rules': [_uuid(), _uuid()],
'audited': False,
'tenant_id': _uuid(),
'shared': False}}
res = self.api.post(_get_path('fwaas/firewall_policies',
fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
self.assertIn('Invalid input for description',
res.body.decode('utf-8'))
def test_create_firewall_policy_invalid_long_tenant_id(self):
data = {'firewall_policy': {'description': 'desc',
'name': 'new_fw_policy1',
'firewall_rules': [_uuid(), _uuid()],
'audited': False,
'tenant_id': _long_tenant,
'shared': False}}
res = self.api.post(_get_path('fwaas/firewall_policies',
fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
self.assertIn('Invalid input for ', res.body.decode('utf-8'))
def test_firewall_policy_list(self):
policy_id = _uuid()
return_value = [{'tenant_id': _uuid(),
'id': policy_id}]
instance = self.plugin.return_value
instance.get_firewall_policies.return_value = return_value
res = self.api.get(_get_path('fwaas/firewall_policies',
fmt=self.fmt))
instance.get_firewall_policies.assert_called_with(mock.ANY,
fields=mock.ANY,
filters=mock.ANY)
self.assertEqual(exc.HTTPOk.code, res.status_int)
def test_firewall_policy_get(self):
policy_id = _uuid()
return_value = {'tenant_id': _uuid(),
'id': policy_id}
instance = self.plugin.return_value
instance.get_firewall_policy.return_value = return_value
res = self.api.get(_get_path('fwaas/firewall_policies',
id=policy_id, fmt=self.fmt))
instance.get_firewall_policy.assert_called_with(mock.ANY,
policy_id,
fields=mock.ANY)
self.assertEqual(exc.HTTPOk.code, res.status_int)
res = self.deserialize(res)
self.assertIn('firewall_policy', res)
self.assertEqual(return_value, res['firewall_policy'])
def test_firewall_policy_update(self):
policy_id = _uuid()
update_data = {'firewall_policy': {'audited': True}}
return_value = {'tenant_id': _uuid(),
'id': policy_id}
instance = self.plugin.return_value
instance.update_firewall_policy.return_value = return_value
res = self.api.put(_get_path('fwaas/firewall_policies',
id=policy_id,
fmt=self.fmt),
self.serialize(update_data))
instance.update_firewall_policy.assert_called_with(
mock.ANY,
policy_id,
firewall_policy=update_data)
self.assertEqual(exc.HTTPOk.code, res.status_int)
res = self.deserialize(res)
self.assertIn('firewall_policy', res)
self.assertEqual(return_value, res['firewall_policy'])
def test_firewall_policy_update_malformed_rules(self):
# emulating client request when no rule uuids are provided for
# --firewall_rules parameter
update_data = {'firewall_policy': {'firewall_rules': True}}
# have to check for generic AppError
self.assertRaises(
webtest.AppError,
self.api.put,
_get_path('fwaas/firewall_policies', id=_uuid(), fmt=self.fmt),
self.serialize(update_data))
def test_firewall_policy_delete(self):
self._test_entity_delete('firewall_policy')
def test_firewall_policy_insert_rule(self):
firewall_policy_id = _uuid()
firewall_rule_id = _uuid()
ref_firewall_rule_id = _uuid()
insert_data = {'firewall_rule_id': firewall_rule_id,
'insert_before': ref_firewall_rule_id,
'insert_after': None}
return_value = {'firewall_policy':
{'tenant_id': _uuid(),
'id': firewall_policy_id,
'firewall_rules': [ref_firewall_rule_id,
firewall_rule_id]}}
instance = self.plugin.return_value
instance.insert_rule.return_value = return_value
path = _get_path('fwaas/firewall_policies', id=firewall_policy_id,
action="insert_rule",
fmt=self.fmt)
res = self.api.put(path, self.serialize(insert_data))
instance.insert_rule.assert_called_with(mock.ANY, firewall_policy_id,
insert_data)
self.assertEqual(exc.HTTPOk.code, res.status_int)
res = self.deserialize(res)
self.assertEqual(return_value, res)
def test_firewall_policy_remove_rule(self):
firewall_policy_id = _uuid()
firewall_rule_id = _uuid()
remove_data = {'firewall_rule_id': firewall_rule_id}
return_value = {'firewall_policy':
{'tenant_id': _uuid(),
'id': firewall_policy_id,
'firewall_rules': []}}
instance = self.plugin.return_value
instance.remove_rule.return_value = return_value
path = _get_path('fwaas/firewall_policies', id=firewall_policy_id,
action="remove_rule",
fmt=self.fmt)
res = self.api.put(path, self.serialize(remove_data))
instance.remove_rule.assert_called_with(mock.ANY, firewall_policy_id,
remove_data)
self.assertEqual(exc.HTTPOk.code, res.status_int)
res = self.deserialize(res)
self.assertEqual(return_value, res)
def test_create_firewall_group_invalid_long_attributes(self):
long_targets = [{'name': _long_name},
{'description': _long_description},
{'tenant_id': _long_tenant}]
for target in long_targets:
data = {'firewall_group': {'description': 'fake_description',
'name': 'fake_name',
'tenant_id': 'fake-tenant_id',
'ingress_firewall_policy_id': None,
'egress_firewall_policy_id': None,
'admin_state_up': True,
'ports': [],
'shared': False}}
data['firewall_group'].update(target)
res = self.api.post(_get_path('fwaas/firewall_groups',
fmt=self.fmt),
self.serialize(data),
content_type='application/%s' % self.fmt,
status=exc.HTTPBadRequest.code)
#TODO(njohnston): Remove this when neutron starts returning
# project_id in a dependable fashion, as opposed to tenant_id.
target_attr_name = list(target)[0]
if target_attr_name == 'tenant_id':
target_attr_name = ''
self.assertIn('Invalid input for %s' % target_attr_name,
res.body.decode('utf-8'))


@ -28,19 +28,24 @@ import six
import uuid
from webob import exc
from neutron_fwaas.common import exceptions
from neutron_fwaas.common import fwaas_constants as fw_const
from neutron_fwaas.db.firewall import firewall_db as fdb
import neutron_fwaas.extensions
from neutron_fwaas.extensions import firewall
from neutron_fwaas.extensions import firewallrouterinsertion
from neutron_fwaas.services.firewall import fwaas_plugin
from neutron_fwaas.tests import base
from neutron_fwaas.tests.unit.db.firewall import (
test_firewall_db as test_db_firewall)
import neutron_lib.api.definitions
from neutron_lib.api.definitions import firewall as fw
from neutron_lib.api.definitions import firewall_v2
from neutron_lib.api.definitions import firewallrouterinsertion
from neutron_lib import constants as nl_constants
from neutron_lib import context
from neutron_lib.plugins import directory
extensions_path = neutron_fwaas.extensions.__path__[0]
extensions_path = neutron_lib.api.definitions.__path__[0]
FW_PLUGIN_KLASS = (
"neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin"
@ -51,8 +56,8 @@ class FirewallTestExtensionManager(test_l3_plugin.L3TestExtensionManager):
def get_resources(self):
res = super(FirewallTestExtensionManager, self).get_resources()
firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].update(
firewallrouterinsertion.EXTENDED_ATTRIBUTES_2_0['firewalls'])
fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].update(
firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP['firewalls'])
return res + firewall.Firewall.get_resources()
def get_actions(self):
@ -94,12 +99,12 @@ class TestFirewallRouterInsertionBase(
self.setup_notification_driver()
self.l3_plugin = directory.get_plugin(nl_constants.L3)
self.plugin = directory.get_plugin('FIREWALL')
self.plugin = directory.get_plugin(fw_const.FIREWALL)
self.callbacks = self.plugin.endpoints[0]
def restore_attribute_map(self):
# Remove the fwaasrouterinsertion extension
firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids')
fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids')
# Restore the original RESOURCE_ATTRIBUTE_MAP
attr.RESOURCE_ATTRIBUTE_MAP = self.saved_attr_map
@ -184,7 +189,7 @@ class TestFirewallCallbacks(TestFirewallRouterInsertionBase):
ctx.session.flush()
res = self.callbacks.firewall_deleted(ctx, fw_id)
self.assertTrue(res)
self.assertRaises(firewall.FirewallNotFound,
self.assertRaises(exceptions.FirewallNotFound,
self.plugin.get_firewall,
ctx, fw_id)
@ -219,7 +224,7 @@ class TestFirewallCallbacks(TestFirewallRouterInsertionBase):
observed = self.callbacks.firewall_deleted(ctx, fw_id)
self.assertTrue(observed)
self.assertRaises(firewall.FirewallNotFound,
self.assertRaises(exceptions.FirewallNotFound,
self.plugin.get_firewall,
ctx, fw_id)
@ -534,7 +539,7 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
req = self.new_delete_request('firewalls', fw_id)
res = req.get_response(self.ext_api)
self.assertEqual(exc.HTTPNoContent.code, res.status_int)
self.assertRaises(firewall.FirewallNotFound,
self.assertRaises(exceptions.FirewallNotFound,
self.plugin.get_firewall,
ctx, fw_id)
@ -548,7 +553,7 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
req = self.new_delete_request('firewalls', fw_id)
res = req.get_response(self.ext_api)
self.assertEqual(exc.HTTPNoContent.code, res.status_int)
self.assertRaises(firewall.FirewallNotFound,
self.assertRaises(exceptions.FirewallNotFound,
self.plugin.get_firewall,
ctx, fw_id)
@ -735,7 +740,7 @@ class TestFirewallRouterPluginBase(test_db_firewall.FirewallPluginDbTestCase,
fdb.Firewall_db_mixin.\
supported_extension_aliases = ["fwaas",
"fwaasrouterinsertion"]
fdb.Firewall_db_mixin.path_prefix = firewall.FIREWALL_PREFIX
fdb.Firewall_db_mixin.path_prefix = firewall_v2.API_PREFIX
super(test_db_firewall.FirewallPluginDbTestCase, self).setUp(
ext_mgr=ext_mgr,
@ -748,7 +753,7 @@ class TestFirewallRouterPluginBase(test_db_firewall.FirewallPluginDbTestCase,
self.ext_api = api_ext.ExtensionMiddleware(app, ext_mgr=ext_mgr)
self.l3_plugin = directory.get_plugin(nl_constants.L3)
self.plugin = directory.get_plugin('FIREWALL')
self.plugin = directory.get_plugin(fw_const.FIREWALL)
def test_get_firewall_tenant_ids_on_host_with_associated_router(self):
agent = helpers.register_l3_agent("host1")
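Review bot: `fdb.Firewall_db_mixin.path_prefix = firewall_v2.API_PREFIX` at L2232 sets the v1 mixin's prefix from the v2 API definition, while the rest of this file and `test_firewall_db.py` take the same attribute from the v1 definition (imported here as `fw` at L2165). If the two prefixes differ in neutron-lib, `TestFirewallRouterPluginBase` would issue its requests under the wrong URL prefix and pass or fail for the wrong reason; the line should read `fdb.Firewall_db_mixin.path_prefix = fw.API_PREFIX`, after which the `firewall_v2` import at L2166 looks unused. Separately, `get_resources` at L2180-2181 now mutates neutron-lib's module-level `RESOURCE_ATTRIBUTE_MAP` in place and relies on `restore_attribute_map` at L2193 to pop the key back out, which is worth a one-line comment since that dict is shared across every test that imports the definition. `setUp` continues outside the hunk.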


@ -19,17 +19,20 @@ from neutron.tests.unit.extensions import test_l3 as test_l3_plugin
from oslo_config import cfg
import six
import neutron_fwaas.extensions
from neutron_fwaas.common import exceptions
from neutron_fwaas.extensions import firewall_v2
from neutron_fwaas.services.firewall import fwaas_plugin_v2
from neutron_fwaas.tests import base
from neutron_fwaas.tests.unit.db.firewall.v2 import (
test_firewall_db_v2 as test_db_firewall)
import neutron_lib.api.definitions
from neutron_lib import constants as nl_constants
from neutron_lib import context
from neutron_lib.plugins import directory
extensions_path = neutron_fwaas.extensions.__path__[0]
extensions_path = neutron_lib.api.definitions.__path__[0]
FW_PLUGIN_KLASS = (
"neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2"
@ -111,7 +114,7 @@ class TestFirewallRouterPortBase(
self.setup_notification_driver()
self.l3_plugin = directory.get_plugin(nl_constants.L3)
self.plugin = directory.get_plugin('FIREWALL_V2')
self.plugin = directory.get_plugin('fwaas_v2')
self.callbacks = self.plugin.endpoints[0]
@ -159,7 +162,7 @@ class TestFirewallCallbacks(TestFirewallRouterPortBase):
observed = self.callbacks.firewall_group_deleted(ctx, fwg_id)
self.assertTrue(observed)
self.assertRaises(firewall_v2.FirewallGroupNotFound,
self.assertRaises(exceptions.FirewallGroupNotFound,
self.plugin.get_firewall_group,
ctx, fwg_id)
@ -195,7 +198,7 @@ class TestFirewallCallbacks(TestFirewallRouterPortBase):
ctx, fwg_id)
self.assertTrue(observed)
self.assertRaises(firewall_v2.FirewallGroupNotFound,
self.assertRaises(exceptions.FirewallGroupNotFound,
self.plugin.get_firewall_group,
ctx, fwg_id)
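Review bot: `extensions_path = neutron_lib.api.definitions.__path__[0]` at L2260 points the extension loader at neutron-lib's API definitions package, which holds attribute-map modules rather than extension descriptor classes; if that value feeds `api_extensions_path` (set outside the hunk), the loader scans a directory with nothing to load and the fwaas_v2 resources reach the API only through the test extension manager. That may be intended, but the previous value pointed at `neutron_fwaas.extensions`, which this file still imports `firewall_v2` from at L2250, so a comment such as `# neutron-lib holds only definitions; resources come from the test ExtensionManager` would record the reasoning. The literal `'fwaas_v2'` at L2267 duplicates the plugin-directory key used in test_firewall_db_v2.py; a shared constant in `fwaas_constants` would keep the two in lockstep, as the v1 tests now do with `fw_const.FIREWALL`.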