diff --git a/neutron_fwaas/common/exceptions.py b/neutron_fwaas/common/exceptions.py
new file mode 100644
index 000000000..71bf081b6
--- /dev/null
+++ b/neutron_fwaas/common/exceptions.py
@@ -0,0 +1,181 @@
+# Copyright 2017 NEC Technologies India Pvt. Ltd.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_fwaas._i18n import _
+from neutron_lib import exceptions
+
+
+# Firewall Exceptions
+class FirewallNotFound(exceptions.NotFound):
+ message = _("Firewall %(firewall_id)s could not be found.")
+
+
+class FirewallInUse(exceptions.InUse):
+ message = _("Firewall %(firewall_id)s is still active.")
+
+
+class FirewallInPendingState(exceptions.Conflict):
+ message = _("Operation cannot be performed since associated Firewall "
+ "%(firewall_id)s is in %(pending_state)s.")
+
+
+class FirewallPolicyNotFound(exceptions.NotFound):
+ message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
+
+
+class FirewallPolicyInUse(exceptions.InUse):
+ message = _("Firewall Policy %(firewall_policy_id)s is being used.")
+
+
+class FirewallPolicyConflict(exceptions.Conflict):
+ """FWaaS exception for firewall policy.
+
+ Occurs when admin policy tries to use another tenant's unshared
+ policy.
+ """
+ message = _("Operation cannot be performed since Firewall Policy "
+ "%(firewall_policy_id)s is not shared and does not belong to "
+ "your tenant.")
+
+
+class FirewallRuleSharingConflict(exceptions.Conflict):
+ """FWaaS exception for firewall rules.
+
+ When a shared policy is created or updated with unshared rules,
+ this exception will be raised.
+ """
+ message = _("Operation cannot be performed since Firewall Policy "
+ "%(firewall_policy_id)s is shared but Firewall Rule "
+ "%(firewall_rule_id)s is not shared.")
+
+
+class FirewallPolicySharingConflict(exceptions.Conflict):
+ """FWaaS exception for firewall policy.
+
+ When a policy is shared without sharing its associated rules,
+ this exception will be raised.
+ """
+ message = _("Operation cannot be performed. Before sharing Firewall "
+ "Policy %(firewall_policy_id)s, share associated Firewall "
+ "Rule %(firewall_rule_id)s.")
+
+
+class FirewallRuleNotFound(exceptions.NotFound):
+ message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
+
+
+class FirewallRuleInUse(exceptions.InUse):
+ message = _("Firewall Rule %(firewall_rule_id)s is being used.")
+
+
+class FirewallRuleNotAssociatedWithPolicy(exceptions.InvalidInput):
+ message = _("Firewall Rule %(firewall_rule_id)s is not associated "
+ "with Firewall Policy %(firewall_policy_id)s.")
+
+
+class FirewallRuleInvalidProtocol(exceptions.InvalidInput):
+ message = _("Firewall Rule protocol %(protocol)s is not supported. "
+ "Only protocol values %(values)s and their integer "
+ "representation (0 to 255) are supported.")
+
+
+class FirewallRuleInvalidAction(exceptions.InvalidInput):
+ message = _("Firewall rule action %(action)s is not supported. "
+ "Only action values %(values)s are supported.")
+
+
+class FirewallRuleInvalidICMPParameter(exceptions.InvalidInput):
+ message = _("%(param)s are not allowed when protocol "
+ "is set to ICMP.")
+
+
+class FirewallRuleWithPortWithoutProtocolInvalid(exceptions.InvalidInput):
+ message = _("Source/destination port requires a protocol.")
+
+
+class FirewallRuleInvalidPortValue(exceptions.InvalidInput):
+ message = _("Invalid value for port %(port)s.")
+
+
+class FirewallRuleInfoMissing(exceptions.InvalidInput):
+ message = _("Missing rule info argument for insert/remove "
+ "rule operation.")
+
+
+class FirewallIpAddressConflict(exceptions.InvalidInput):
+ message = _("Invalid input - IP addresses do not agree with IP Version.")
+
+
+class FirewallInternalDriverError(exceptions.NeutronException):
+ """FWaas exception for all driver errors.
+
+ On any failure or exception in the driver, driver should log it and
+ raise this exception to the agent
+ """
+ message = _("%(driver)s: Internal driver error.")
+
+
+class FirewallRuleConflict(exceptions.Conflict):
+ """Firewall rule conflict exception.
+
+ Occurs when admin policy tries to use another tenant's unshared
+ rule.
+ """
+ message = _("Operation cannot be performed since Firewall Rule "
+ "%(firewall_rule_id)s is not shared and belongs to "
+ "another tenant %(tenant_id)s.")
+
+
+class FirewallRouterInUse(exceptions.InUse):
+ message = _("Router(s) %(router_ids)s provided already associated with "
+ "other Firewall(s).")
+
+
+class FirewallGroupNotFound(exceptions.NotFound):
+ message = _("Firewall Group %(firewall_id)s could not be found.")
+
+
+class FirewallGroupInUse(exceptions.InUse):
+ message = _("Firewall %(firewall_id)s is still active.")
+
+
+class FirewallGroupInPendingState(exceptions.Conflict):
+ message = _("Operation cannot be performed since associated Firewall "
+ "%(firewall_id)s is in %(pending_state)s.")
+
+
+class FirewallGroupPortInvalid(exceptions.Conflict):
+ message = _("Firewall Group Port %(port_id)s is invalid.")
+
+
+class FirewallGroupPortInvalidProject(exceptions.Conflict):
+ message = _("Operation cannot be performed as port %(port_id)s "
+ "is in an invalid project %(tenant_id)s.")
+
+
+class FirewallGroupPortInUse(exceptions.InUse):
+ message = _("Port(s) %(port_ids)s provided already associated with "
+ "other Firewall Group(s).")
+
+
+class FirewallRuleAlreadyAssociated(exceptions.Conflict):
+ """Firewall rule conflict exception.
+
+ Occurs when there is an attempt to assign a rule to a policy that
+ the rule is already associated with.
+ """
+ message = _("Operation cannot be performed since Firewall Rule "
+ "%(firewall_rule_id)s is already associated with Firewall"
+ "Policy %(firewall_policy_id)s.")
diff --git a/neutron_fwaas/common/fwaas_constants.py b/neutron_fwaas/common/fwaas_constants.py
index 45e3a65ae..81ffb1613 100644
--- a/neutron_fwaas/common/fwaas_constants.py
+++ b/neutron_fwaas/common/fwaas_constants.py
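Review bot: `FirewallRuleConflict` puts the owning project's id into the user-facing message (`"another tenant %(tenant_id)s."`), so a request that trips this conflict learns a foreign tenant identifier it had no other way to obtain; the message is just as actionable as `message = _("Operation cannot be performed since Firewall Rule " "%(firewall_rule_id)s is not shared and belongs to another tenant.")`, and the `tenant_id=` keyword the callers in firewall_db.py and firewall_db_v2.py pass can stay, because dict-style `%` formatting ignores unused keys. Two copy-and-paste slips in the same file are worth fixing while it is being moved: `FirewallRuleAlreadyAssociated` joins `"... with Firewall"` and `"Policy ..."` with no separating space, so the rendered text reads `FirewallPolicy`, and `FirewallGroupInUse` / `FirewallGroupInPendingState` still say `Firewall %(firewall_id)s` although they report on a firewall group. `FirewallGroupPortInvalidProject` likewise echoes a `%(tenant_id)s` back to the caller; the same trimming applies if that id can belong to another project.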
@@ -13,7 +13,8 @@ # License for the specific language governing permissions and limitations # under the License. -FIREWALL = 'FIREWALL' +FIREWALL = 'fwaas' +FIREWALL_V2 = 'fwaas_v2' # Constants for "topics" FIREWALL_PLUGIN = 'q-firewall-plugin' diff --git a/neutron_fwaas/db/firewall/firewall_db.py b/neutron_fwaas/db/firewall/firewall_db.py index 5265e576c..c8e68ae52 100644 --- a/neutron_fwaas/db/firewall/firewall_db.py +++ b/neutron_fwaas/db/firewall/firewall_db.py @@ -35,6 +35,7 @@ from sqlalchemy.orm import exc import netaddr +from neutron_fwaas.common import exceptions from neutron_fwaas.common import fwaas_constants from neutron_fwaas.db.firewall import firewall_router_insertion_db \ as fw_r_ins_db @@ -110,19 +111,19 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): try: return self._get_by_id(context, Firewall, id) except exc.NoResultFound: - raise fw_ext.FirewallNotFound(firewall_id=id) + raise exceptions.FirewallNotFound(firewall_id=id) def _get_firewall_policy(self, context, id): try: return self._get_by_id(context, FirewallPolicy, id) except exc.NoResultFound: - raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id) + raise exceptions.FirewallPolicyNotFound(firewall_policy_id=id) def _get_firewall_rule(self, context, id): try: return self._get_by_id(context, FirewallRule, id) except exc.NoResultFound: - raise fw_ext.FirewallRuleNotFound(firewall_rule_id=id) + raise exceptions.FirewallRuleNotFound(firewall_rule_id=id) def _make_firewall_dict(self, fw, fields=None): res = {'id': fw['id'], @@ -197,7 +198,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): def _check_firewall_rule_conflict(self, fwr_db, fwp_db): if not fwr_db['shared']: if fwr_db['tenant_id'] != fwp_db['tenant_id']: - raise fw_ext.FirewallRuleConflict( + raise exceptions.FirewallRuleConflict( firewall_rule_id=fwr_db['id'], tenant_id=fwr_db['tenant_id']) 
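Review bot: The value of `FIREWALL` changes from `'FIREWALL'` to `'fwaas'` while the name is kept, so every importer keeps working but now compares or registers against a different string; if this constant is used as a service-type key against provider configuration or anything persisted, deployments carrying the old value would stop matching silently. If the new value is intentional, a comment on the line such as `# Service type names; 'fwaas' supersedes the former 'FIREWALL' value` records the break for whoever hits it, and a release note would be the place to say what operators must update; otherwise the compatible form is to leave `FIREWALL = 'FIREWALL'` and add the new names beside it.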
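Review bot: The new module is imported under the bare name `exceptions` in firewall_db.py, whereas firewall_db_v2.py in this same change aliases it as `f_exc`; the bare name reads like `neutron_lib.exceptions`, and it is long enough that the `@@ -524,7 +525,8 @@` hunk has to break a dotted name with a backslash (`raise exceptions.\` / `FirewallRuleWithPortWithoutProtocolInvalid()`), which is the one place in this diff a raise no longer fits on a line. Importing it as `from neutron_fwaas.common import exceptions as f_exc` and using `f_exc.` throughout the mixin would make the two db modules consistent and keep that raise on a single line.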
@@ -219,20 +220,20 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): # If we find an invalid rule in the list we # do not perform the update since this breaks # the integrity of this list. - raise fw_ext.FirewallRuleNotFound( + raise exceptions.FirewallRuleNotFound( firewall_rule_id=fwrule_id) elif rules_dict[fwrule_id]['firewall_policy_id']: if (rules_dict[fwrule_id]['firewall_policy_id'] != fwp_db['id']): - raise fw_ext.FirewallRuleInUse( + raise exceptions.FirewallRuleInUse( firewall_rule_id=fwrule_id) if 'shared' in fwp: if fwp['shared'] and not rules_dict[fwrule_id]['shared']: - raise fw_ext.FirewallRuleSharingConflict( + raise exceptions.FirewallRuleSharingConflict( firewall_rule_id=fwrule_id, firewall_policy_id=fwp_db['id']) elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']: - raise fw_ext.FirewallRuleSharingConflict( + raise exceptions.FirewallRuleSharingConflict( firewall_rule_id=fwrule_id, firewall_policy_id=fwp_db['id']) for fwr_db in rules_in_db: @@ -252,7 +253,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): rules_in_db = fwp_db['firewall_rules'] for fwr_db in rules_in_db: if not fwr_db['shared']: - raise fw_ext.FirewallPolicySharingConflict( + raise exceptions.FirewallPolicySharingConflict( firewall_rule_id=fwr_db['id'], firewall_policy_id=fwp_db['id']) @@ -295,7 +296,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): fwp_id = fw['firewall_policy_id'] fwp = self._get_firewall_policy(context, fwp_id) if fw_tenant_id != fwp['tenant_id'] and not fwp['shared']: - raise fw_ext.FirewallPolicyConflict(firewall_policy_id=fwp_id) + raise exceptions.FirewallPolicyConflict(firewall_policy_id=fwp_id) def _validate_fwr_src_dst_ip_version(self, fwr): src_version = dst_version = None 
@@ -307,12 +308,12 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): rule_ip_version = fwr.get('ip_version', None) if ((src_version and src_version != rule_ip_version) or (dst_version and dst_version != rule_ip_version)): - raise fw_ext.FirewallIpAddressConflict() + raise exceptions.FirewallIpAddressConflict() def _validate_fwr_port_range(self, min_port, max_port): if int(min_port) > int(max_port): port_range = '%s:%s' % (min_port, max_port) - raise fw_ext.FirewallRuleInvalidPortValue(port=port_range) + raise exceptions.FirewallRuleInvalidPortValue(port=port_range) def _validate_fwr_protocol_parameters(self, fwr): protocol = fwr.get('protocol', None) @@ -320,7 +321,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): nl_constants.PROTO_NAME_UDP): if (fwr.get('source_port', None) or fwr.get('destination_port', None)): - raise fw_ext.FirewallRuleInvalidICMPParameter( + raise exceptions.FirewallRuleInvalidICMPParameter( param="Source, destination port") def create_firewall(self, context, firewall, status=None): @@ -354,7 +355,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): self._validate_fw_parameters(context, fw, fw_db['tenant_id']) count = context.session.query(Firewall).filter_by(id=id).update(fw) if not count: - raise fw_ext.FirewallNotFound(firewall_id=id) + raise exceptions.FirewallNotFound(firewall_id=id) return self.get_firewall(context, id) def update_firewall_status(self, context, id, status, not_in=None): @@ -378,7 +379,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): # firewall is active count = context.session.query(Firewall).filter_by(id=id).delete() if not count: - raise fw_ext.FirewallNotFound(firewall_id=id) + raise exceptions.FirewallNotFound(firewall_id=id) def get_firewall(self, context, id, fields=None): LOG.debug("get_firewall() called") 
@@ -419,7 +420,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): if not fwp.get('shared', True) and fwp_db.firewalls: for fw in fwp_db['firewalls']: if fwp_db['tenant_id'] != fw['tenant_id']: - raise fw_ext.FirewallPolicyInUse( + raise exceptions.FirewallPolicyInUse( firewall_policy_id=id) # check any existing rules are not shared if 'shared' in fwp and 'firewall_rules' not in fwp: @@ -440,7 +441,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): # being used qry = context.session.query(Firewall) if qry.filter_by(firewall_policy_id=id).first(): - raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id) + raise exceptions.FirewallPolicyInUse(firewall_policy_id=id) else: context.session.delete(fwp) @@ -467,7 +468,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): self._validate_fwr_src_dst_ip_version(fwr) if not fwr['protocol'] and (fwr['source_port'] or fwr['destination_port']): - raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid() + raise exceptions.FirewallRuleWithPortWithoutProtocolInvalid() src_port_min, src_port_max = self._get_min_max_ports_from_range( fwr['source_port']) dst_port_min, dst_port_max = self._get_min_max_ports_from_range( @@ -503,7 +504,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): fwr_db.firewall_policy_id) if 'shared' in fwr and not fwr['shared']: if fwr_db['tenant_id'] != fwp_db['tenant_id']: - raise fw_ext.FirewallRuleInUse(firewall_rule_id=id) + raise exceptions.FirewallRuleInUse(firewall_rule_id=id) if 'source_port' in fwr: src_port_min, src_port_max = self._get_min_max_ports_from_range( fwr['source_port']) 
@@ -524,7 +525,8 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): dport = fwr.get('destination_port_range_min', fwr_db['destination_port_range_min']) if sport or dport: - raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid() + raise exceptions.\ + FirewallRuleWithPortWithoutProtocolInvalid() fwr_db.update(fwr) if fwr_db.firewall_policy_id: fwp_db.audited = False @@ -535,7 +537,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): with context.session.begin(subtransactions=True): fwr = self._get_firewall_rule(context, id) if fwr.firewall_policy_id: - raise fw_ext.FirewallRuleInUse(firewall_rule_id=id) + raise exceptions.FirewallRuleInUse(firewall_rule_id=id) context.session.delete(fwr) def get_firewall_rule(self, context, id, fields=None): @@ -556,7 +558,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): def _validate_insert_remove_rule_request(self, id, rule_info): if not rule_info or 'firewall_rule_id' not in rule_info: - raise fw_ext.FirewallRuleInfoMissing() + raise exceptions.FirewallRuleInfoMissing() def insert_rule(self, context, id, rule_info): LOG.debug("insert_rule() called") @@ -565,7 +567,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): insert_before = True ref_firewall_rule_id = None if not firewall_rule_id: - raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None) + raise exceptions.FirewallRuleNotFound(firewall_rule_id=None) if 'insert_before' in rule_info: ref_firewall_rule_id = rule_info['insert_before'] if not ref_firewall_rule_id and 'insert_after' in rule_info: 
@@ -576,7 +578,8 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): fwr_db = self._get_firewall_rule(context, firewall_rule_id) fwp_db = self._get_firewall_policy(context, id) if fwr_db.firewall_policy_id: - raise fw_ext.FirewallRuleInUse(firewall_rule_id=fwr_db['id']) + raise exceptions.FirewallRuleInUse( + firewall_rule_id=fwr_db['id']) self._check_firewall_rule_conflict(fwr_db, fwp_db) if ref_firewall_rule_id: # If reference_firewall_rule_id is set, the new rule @@ -587,7 +590,7 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): ref_fwr_db = self._get_firewall_rule( context, ref_firewall_rule_id) if ref_fwr_db.firewall_policy_id != id: - raise fw_ext.FirewallRuleNotAssociatedWithPolicy( + raise exceptions.FirewallRuleNotAssociatedWithPolicy( firewall_rule_id=ref_fwr_db['id'], firewall_policy_id=id) if insert_before: @@ -609,11 +612,11 @@ class Firewall_db_mixin(fw_ext.FirewallPluginBase, base_db.CommonDbMixin): self._validate_insert_remove_rule_request(id, rule_info) firewall_rule_id = rule_info['firewall_rule_id'] if not firewall_rule_id: - raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None) + raise exceptions.FirewallRuleNotFound(firewall_rule_id=None) with context.session.begin(subtransactions=True): fwr_db = self._get_firewall_rule(context, firewall_rule_id) if fwr_db.firewall_policy_id != id: - raise fw_ext.FirewallRuleNotAssociatedWithPolicy( + raise exceptions.FirewallRuleNotAssociatedWithPolicy( firewall_rule_id=fwr_db['id'], firewall_policy_id=id) return self._process_rule_for_policy(context, id, fwr_db, None) diff --git a/neutron_fwaas/db/firewall/firewall_router_insertion_db.py b/neutron_fwaas/db/firewall/firewall_router_insertion_db.py index 76f1503b0..2229b4df0 100644 --- a/neutron_fwaas/db/firewall/firewall_router_insertion_db.py +++ b/neutron_fwaas/db/firewall/firewall_router_insertion_db.py 
@@ -13,13 +13,12 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron_lib.api.definitions import firewallrouterinsertion as fwrtrins from neutron_lib.db import model_base from oslo_log import helpers as log_helpers from oslo_log import log as logging import sqlalchemy as sa -from neutron_fwaas.extensions import firewallrouterinsertion as fwrtrins - LOG = logging.getLogger(__name__) diff --git a/neutron_fwaas/db/firewall/v2/firewall_db_v2.py b/neutron_fwaas/db/firewall/v2/firewall_db_v2.py index ae72744e7..8492efb85 100644 --- a/neutron_fwaas/db/firewall/v2/firewall_db_v2.py +++ b/neutron_fwaas/db/firewall/v2/firewall_db_v2.py @@ -14,6 +14,8 @@ # under the License. from neutron.db import common_db_mixin as base_db +from neutron_fwaas.common import exceptions as f_exc +from neutron_fwaas.extensions import firewall_v2 as fw_v2_ext from neutron_lib import constants as nl_constants from neutron_lib.db import model_base from oslo_config import cfg @@ -26,8 +28,6 @@ from sqlalchemy.orm import exc import netaddr -from neutron_fwaas.extensions import firewall_v2 as fw_ext - LOG = logging.getLogger(__name__) 
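Review bot: The two added project imports in firewall_db_v2.py (`from neutron_fwaas.common import exceptions as f_exc` and `from neutron_fwaas.extensions import firewall_v2 as fw_v2_ext`) are slotted into the third-party group between `neutron.db` and `neutron_lib`, while the removed `fw_ext` import shows this file kept project-local imports in their own group after `import netaddr`, and firewall_db.py in this same change still adds its `neutron_fwaas.common` import to that separate group. Keeping the local group here, with the two new lines in place of the removed one, would preserve the stdlib / third-party / local layout the sibling module follows rather than leaving the two db mixins laid out differently.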
@@ -119,25 +119,26 @@ class FirewallPolicy(model_base.BASEV2, model_base.HasId, HasName, shared = sa.Column(sa.Boolean) -class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): +class Firewall_db_mixin_v2(fw_v2_ext.Firewallv2PluginBase, + base_db.CommonDbMixin): def _get_firewall_group(self, context, id): try: return self._get_by_id(context, FirewallGroup, id) except exc.NoResultFound: - raise fw_ext.FirewallGroupNotFound(firewall_id=id) + raise f_exc.FirewallGroupNotFound(firewall_id=id) def _get_firewall_policy(self, context, id): try: return self._get_by_id(context, FirewallPolicy, id) except exc.NoResultFound: - raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id) + raise f_exc.FirewallPolicyNotFound(firewall_policy_id=id) def _get_firewall_rule(self, context, id): try: return self._get_by_id(context, FirewallRuleV2, id) except exc.NoResultFound: - raise fw_ext.FirewallRuleNotFound(firewall_rule_id=id) + raise f_exc.FirewallRuleNotFound(firewall_rule_id=id) def _validate_fwr_protocol_parameters(self, fwr, fwr_db=None): protocol = fwr.get('protocol', None) @@ -147,7 +148,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): nl_constants.PROTO_NAME_UDP): if (fwr.get('source_port', None) or fwr.get('destination_port', None)): - raise fw_ext.FirewallRuleInvalidICMPParameter( + raise f_exc.FirewallRuleInvalidICMPParameter( param="Source, destination port") def _validate_fwr_src_dst_ip_version(self, fwr, fwr_db=None): 
@@ -162,12 +163,12 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): rule_ip_version = fwr_db.ip_version if ((src_version and src_version != rule_ip_version) or (dst_version and dst_version != rule_ip_version)): - raise fw_ext.FirewallIpAddressConflict() + raise f_exc.FirewallIpAddressConflict() def _validate_fwr_port_range(self, min_port, max_port): if int(min_port) > int(max_port): port_range = '%s:%s' % (min_port, max_port) - raise fw_ext.FirewallRuleInvalidPortValue(port=port_range) + raise f_exc.FirewallRuleInvalidPortValue(port=port_range) def _get_min_max_ports_from_range(self, port_range): if not port_range: @@ -267,7 +268,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): def _check_firewall_rule_conflict(self, fwr_db, fwp_db): if not fwr_db['shared']: if fwr_db['tenant_id'] != fwp_db['tenant_id']: - raise fw_ext.FirewallRuleConflict( + raise f_exc.FirewallRuleConflict( firewall_rule_id=fwr_db['id'], tenant_id=fwr_db['tenant_id']) @@ -305,7 +306,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): try: self._get_policy_rule_association_query( context, firewall_policy_id, firewall_rule_id).one() - raise fw_ext.FirewallRuleAlreadyAssociated( + raise f_exc.FirewallRuleAlreadyAssociated( firewall_rule_id=firewall_rule_id, firewall_policy_id=firewall_policy_id) except exc.NoResultFound: @@ -320,7 +321,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): return self._get_policy_rule_association_query( context, firewall_policy_id, firewall_rule_id).one() except exc.NoResultFound: - raise fw_ext.FirewallRuleNotAssociatedWithPolicy( + raise f_exc.FirewallRuleNotAssociatedWithPolicy( firewall_rule_id=firewall_rule_id, firewall_policy_id=firewall_policy_id) 
@@ -331,7 +332,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): self._validate_fwr_src_dst_ip_version(fwr) if not fwr['protocol'] and (fwr['source_port'] or fwr['destination_port']): - raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid() + raise f_exc.FirewallRuleWithPortWithoutProtocolInvalid() src_port_min, src_port_max = self._get_min_max_ports_from_range( fwr['source_port']) dst_port_min, dst_port_max = self._get_min_max_ports_from_range( @@ -382,7 +383,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): dport = fwr.get('destination_port_range_min', fwr_db['destination_port_range_min']) if sport or dport: - raise fw_ext.FirewallRuleWithPortWithoutProtocolInvalid() + raise f_exc.FirewallRuleWithPortWithoutProtocolInvalid() fwr_db.update(fwr) # if the rule on a policy, fix audited flag fwp_ids = self._get_policies_with_rule(context, id) @@ -397,7 +398,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): fwr = self._get_firewall_rule(context, id) # make sure rule is not associated with any policy if self._get_policies_with_rule(context, id): - raise fw_ext.FirewallRuleInUse(firewall_rule_id=id) + raise f_exc.FirewallRuleInUse(firewall_rule_id=id) context.session.delete(fwr) def insert_rule(self, context, id, rule_info): @@ -409,7 +410,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): insert_before = True ref_firewall_rule_id = None if not firewall_rule_id: - raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None) + raise f_exc.FirewallRuleNotFound(firewall_rule_id=None) if 'insert_before' in rule_info: ref_firewall_rule_id = rule_info['insert_before'] if not ref_firewall_rule_id and 'insert_after' in rule_info: 
@@ -447,7 +448,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): self._validate_insert_remove_rule_request(id, rule_info) firewall_rule_id = rule_info['firewall_rule_id'] if not firewall_rule_id: - raise fw_ext.FirewallRuleNotFound(firewall_rule_id=None) + raise f_exc.FirewallRuleNotFound(firewall_rule_id=None) with context.session.begin(subtransactions=True): self._get_firewall_rule(context, firewall_rule_id) fwpra_db = self._get_policy_rule_association(context, id, @@ -468,7 +469,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): def _validate_insert_remove_rule_request(self, id, rule_info): if not rule_info or 'firewall_rule_id' not in rule_info: - raise fw_ext.FirewallRuleInfoMissing() + raise f_exc.FirewallRuleInfoMissing() def _delete_rules_in_policy(self, context, firewall_policy_id): """Delete the rules in the firewall policy.""" @@ -522,15 +523,15 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): for fwrule_id in rule_id_list: if fwrule_id not in rules_dict: # Bail as soon as we find an invalid rule. - raise fw_ext.FirewallRuleNotFound( + raise f_exc.FirewallRuleNotFound( firewall_rule_id=fwrule_id) if 'shared' in fwp: if fwp['shared'] and not rules_dict[fwrule_id]['shared']: - raise fw_ext.FirewallRuleSharingConflict( + raise f_exc.FirewallRuleSharingConflict( firewall_rule_id=fwrule_id, firewall_policy_id=fwp_db['id']) elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']: - raise fw_ext.FirewallRuleSharingConflict( + raise f_exc.FirewallRuleSharingConflict( firewall_rule_id=fwrule_id, firewall_policy_id=fwp_db['id']) else: 
@@ -539,7 +540,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): if not rules_dict[fwrule_id]['shared']: if (rules_dict[fwrule_id]['tenant_id'] != fwp_db[ 'tenant_id']): - raise fw_ext.FirewallRuleConflict( + raise f_exc.FirewallRuleConflict( firewall_rule_id=fwrule_id, tenant_id=rules_dict[fwrule_id]['tenant_id']) @@ -550,7 +551,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): fwr_db = self._get_firewall_rule(context, entry.firewall_rule_id) if not fwp_db['shared']: - raise fw_ext.FirewallPolicySharingConflict( + raise f_exc.FirewallPolicySharingConflict( firewall_rule_id=fwr_db['id'], firewall_policy_id=fwp_db['id']) @@ -578,7 +579,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): filters=filters) for entry in fwg_with_fwp_id_db: if entry.tenant_id != fwp_tenant_id: - raise fw_ext.FirewallPolicyInUse( + raise f_exc.FirewallPolicyInUse( firewall_policy_id=fwp_id) def _set_rules_for_policy(self, context, firewall_policy_db, fwp): @@ -660,9 +661,9 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): # check if policy in use qry = context.session.query(FirewallGroup) if qry.filter_by(ingress_firewall_policy_id=id).first(): - raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id) + raise f_exc.FirewallPolicyInUse(firewall_policy_id=id) elif qry.filter_by(egress_firewall_policy_id=id).first(): - raise fw_ext.FirewallPolicyInUse(firewall_policy_id=id) + raise f_exc.FirewallPolicyInUse(firewall_policy_id=id) else: # Policy is not being used, delete. self._delete_rules_in_policy(context, id) 
@@ -686,7 +687,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): if fwp_id is not None: fwp = self._get_firewall_policy(context, fwp_id) if fwg_tenant_id != fwp['tenant_id'] and not fwp['shared']: - raise fw_ext.FirewallPolicyConflict( + raise f_exc.FirewallPolicyConflict( firewall_policy_id=fwp_id) if 'egress_firewall_policy_id' in fwg: @@ -694,7 +695,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): if fwp_id is not None: fwp = self._get_firewall_policy(context, fwp_id) if fwg_tenant_id != fwp['tenant_id'] and not fwp['shared']: - raise fw_ext.FirewallPolicyConflict( + raise f_exc.FirewallPolicyConflict( firewall_policy_id=fwp_id) return @@ -741,7 +742,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): FirewallGroupPortAssociation.firewall_group_id != fwg_id).all() if fwg_ports: port_ids = [entry.port_id for entry in fwg_ports] - raise fw_ext.FirewallGroupPortInUse(port_ids=port_ids) + raise f_exc.FirewallGroupPortInUse(port_ids=port_ids) def create_firewall_group(self, context, firewall_group, status=None): fwg = firewall_group['firewall_group'] @@ -777,7 +778,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): count = context.session.query( FirewallGroup).filter_by(id=id).update(fwg) if not count: - raise fw_ext.FirewallGroupNotFound(firewall_id=id) + raise f_exc.FirewallGroupNotFound(firewall_id=id) return self.get_firewall_group(context, id) def update_firewall_group_status(self, context, id, status, not_in=None): @@ -801,7 +802,7 @@ class Firewall_db_mixin_v2(fw_ext.Firewallv2PluginBase, base_db.CommonDbMixin): count = context.session.query( FirewallGroup).filter_by(id=id).delete() if not count: - raise fw_ext.FirewallGroupNotFound(firewall_id=id) + raise f_exc.FirewallGroupNotFound(firewall_id=id) def get_firewall_group(self, context, id, fields=None): LOG.debug("get_firewall_group() called") 
diff --git a/neutron_fwaas/extensions/firewall.py b/neutron_fwaas/extensions/firewall.py index ca0c35c26..e67b3945f 100644 --- a/neutron_fwaas/extensions/firewall.py +++ b/neutron_fwaas/extensions/firewall.py @@ -16,12 +16,8 @@ import abc from neutron.api.v2 import resource_helper -from neutron_lib.api import converters +from neutron_lib.api.definitions import firewall from neutron_lib.api import extensions -from neutron_lib.api import validators -from neutron_lib import constants -from neutron_lib.db import constants as db_const -from neutron_lib import exceptions as nexception from neutron_lib.services import base as service_base from oslo_config import cfg from oslo_log import log as logging 
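Review bot: `from neutron_lib.api.definitions import firewall` binds the module-level name `firewall`, which is also the name the firewall plugin API uses for its request-body argument (firewall_db.py's `create_firewall(self, context, firewall, status=None)` is visible in this diff); if the abstract methods of the plugin base in this file take the same parameter, the imported definition is shadowed inside each of them and any later reference there would silently resolve to the request dict. An alias such as `from neutron_lib.api.definitions import firewall as fw_apidef` avoids the collision at no cost. Dropping `converters`, `validators`, `constants`, `db_const` and `nexception` is fine only if nothing outside the shown hunks still refers to them; the large removal hunk that follows is cut off in this view, so that cannot be confirmed here.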
@@ -33,327 +29,6 @@ from neutron_fwaas.common import fwaas_constants LOG = logging.getLogger(__name__) -# Firewall rule action -FWAAS_ALLOW = "allow" -FWAAS_DENY = "deny" -FWAAS_REJECT = "reject" - -# Firewall resource path prefix -FIREWALL_PREFIX = "/fw" - - -# Firewall Exceptions -class FirewallNotFound(nexception.NotFound): - message = _("Firewall %(firewall_id)s could not be found.") - - -class FirewallInUse(nexception.InUse): - message = _("Firewall %(firewall_id)s is still active.") - - -class FirewallInPendingState(nexception.Conflict): - message = _("Operation cannot be performed since associated Firewall " - "%(firewall_id)s is in %(pending_state)s.") - - -class FirewallPolicyNotFound(nexception.NotFound): - message = _("Firewall Policy %(firewall_policy_id)s could not be found.") - - -class FirewallPolicyInUse(nexception.InUse): - message = _("Firewall Policy %(firewall_policy_id)s is being used.") - - -class FirewallPolicyConflict(nexception.Conflict): - """FWaaS exception for firewall policy - - Occurs when admin policy tries to use another tenant's unshared - policy. - """ - message = _("Operation cannot be performed since Firewall Policy " - "%(firewall_policy_id)s is not shared and does not belong to " - "your tenant.") - - -class FirewallRuleSharingConflict(nexception.Conflict): - - """FWaaS exception for firewall rules - - When a shared policy is created or updated with unshared rules, - this exception will be raised. - """ - message = _("Operation cannot be performed since Firewall Policy " - "%(firewall_policy_id)s is shared but Firewall Rule " - "%(firewall_rule_id)s is not shared") - - -class FirewallPolicySharingConflict(nexception.Conflict): - - """FWaaS exception for firewall policy - - When a policy is shared without sharing its associated rules, - this exception will be raised. - """ - message = _("Operation cannot be performed. 
Before sharing Firewall " - "Policy %(firewall_policy_id)s, share associated Firewall " - "Rule %(firewall_rule_id)s") - - -class FirewallRuleNotFound(nexception.NotFound): - message = _("Firewall Rule %(firewall_rule_id)s could not be found.") - - -class FirewallRuleInUse(nexception.InUse): - message = _("Firewall Rule %(firewall_rule_id)s is being used.") - - -class FirewallRuleNotAssociatedWithPolicy(nexception.InvalidInput): - message = _("Firewall Rule %(firewall_rule_id)s is not associated " - "with Firewall Policy %(firewall_policy_id)s.") - - -class FirewallRuleInvalidProtocol(nexception.InvalidInput): - message = _("Firewall Rule protocol %(protocol)s is not supported. " - "Only protocol values %(values)s and their integer " - "representation (0 to 255) are supported.") - - -class FirewallRuleInvalidAction(nexception.InvalidInput): - message = _("Firewall rule action %(action)s is not supported. " - "Only action values %(values)s are supported.") - - -class FirewallRuleInvalidICMPParameter(nexception.InvalidInput): - message = _("%(param)s are not allowed when protocol " - "is set to ICMP.") - - -class FirewallRuleWithPortWithoutProtocolInvalid(nexception.InvalidInput): - message = _("Source/destination port requires a protocol") - - -class FirewallRuleInvalidPortValue(nexception.InvalidInput): - message = _("Invalid value for port %(port)s.") - - -class FirewallRuleInfoMissing(nexception.InvalidInput): - message = _("Missing rule info argument for insert/remove " - "rule operation.") - - -class FirewallIpAddressConflict(nexception.InvalidInput): - message = _("Invalid input - IP addresses do not agree with IP Version") - - -class FirewallInternalDriverError(nexception.NeutronException): - """Fwaas exception for all driver errors. 
- - On any failure or exception in the driver, driver should log it and - raise this exception to the agent - """ - message = _("%(driver)s: Internal driver error.") - - -class FirewallRuleConflict(nexception.Conflict): - - """Firewall rule conflict exception. - - Occurs when admin policy tries to use another tenant's unshared - rule. - """ - - message = _("Operation cannot be performed since Firewall Rule " - "%(firewall_rule_id)s is not shared and belongs to " - "another tenant %(tenant_id)s") - - -fw_valid_protocol_values = [None, constants.PROTO_NAME_TCP, - constants.PROTO_NAME_UDP, - constants.PROTO_NAME_ICMP] -fw_valid_action_values = [FWAAS_ALLOW, FWAAS_DENY, FWAAS_REJECT] - - -def convert_protocol(value): - if value is None: - return - if (isinstance(value, six.integer_types) or - (isinstance(value, six.string_types) and value.isdigit())): - val = int(value) - if 0 <= val <= 255: - return val - else: - raise FirewallRuleInvalidProtocol( - protocol=value, values=fw_valid_protocol_values) - elif isinstance(value, six.string_types): - if value.lower() in fw_valid_protocol_values: - return value.lower() - raise FirewallRuleInvalidProtocol( - protocol=value, values=fw_valid_protocol_values) - - -def convert_action_to_case_insensitive(value): - if value is None: - return - else: - return value.lower() - - -def convert_port_to_string(value): - if value is None: - return - else: - return str(value) - - -def _validate_port_range(data, key_specs=None): - if data is None: - return - data = str(data) - ports = data.split(':') - for p in ports: - try: - val = int(p) - except (ValueError, TypeError): - msg = _("Port '%s' is not a valid number") % p - LOG.debug(msg) - return msg - if val <= 0 or val > 65535: - msg = _("Invalid port '%s'") % p - LOG.debug(msg) - return msg - - -def _validate_ip_or_subnet_or_none(data, valid_values=None): - if data is None: - return None - msg_ip = validators.validate_ip_address(data, valid_values) - if not msg_ip: - return - msg_subnet = 
validators.validate_subnet(data, valid_values) - if not msg_subnet: - return - return _("%(msg_ip)s and %(msg_subnet)s") % {'msg_ip': msg_ip, - 'msg_subnet': msg_subnet} - - -validators.validators['type:port_range'] = _validate_port_range -validators.validators['type:ip_or_subnet_or_none'] = \ - _validate_ip_or_subnet_or_none - - -RESOURCE_ATTRIBUTE_MAP = { - 'firewall_rules': { - 'id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid': None}, - 'is_visible': True, 'primary_key': True}, - 'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'is_visible': True}, - 'name': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': db_const.NAME_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'description': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': - db_const.DESCRIPTION_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'firewall_policy_id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid_or_none': None}, - 'is_visible': True}, - 'shared': {'allow_post': True, 'allow_put': True, - 'default': False, - 'convert_to': converters.convert_to_boolean, - 'is_visible': True, 'required_by_policy': True, - 'enforce_policy': True}, - 'protocol': {'allow_post': True, 'allow_put': True, - 'is_visible': True, 'default': None, - 'convert_to': convert_protocol, - 'validate': {'type:values': fw_valid_protocol_values}}, - 'ip_version': {'allow_post': True, 'allow_put': True, - 'default': 4, 'convert_to': converters.convert_to_int, - 'validate': {'type:values': [4, 6]}, - 'is_visible': True}, - 'source_ip_address': {'allow_post': True, 'allow_put': True, - 'validate': {'type:ip_or_subnet_or_none': None}, - 'is_visible': True, 'default': None}, - 'destination_ip_address': {'allow_post': True, 'allow_put': True, - 'validate': {'type:ip_or_subnet_or_none': - None}, - 'is_visible': True, 'default': None}, - 'source_port': {'allow_post': True, 'allow_put': True, - 'validate': 
{'type:port_range': None}, - 'convert_to': convert_port_to_string, - 'default': None, 'is_visible': True}, - 'destination_port': {'allow_post': True, 'allow_put': True, - 'validate': {'type:port_range': None}, - 'convert_to': convert_port_to_string, - 'default': None, 'is_visible': True}, - 'position': {'allow_post': False, 'allow_put': False, - 'default': None, 'is_visible': True}, - 'action': {'allow_post': True, 'allow_put': True, - 'convert_to': convert_action_to_case_insensitive, - 'validate': {'type:values': fw_valid_action_values}, - 'is_visible': True, 'default': 'deny'}, - 'enabled': {'allow_post': True, 'allow_put': True, - 'default': True, 'is_visible': True, - 'convert_to': converters.convert_to_boolean}, - }, - 'firewall_policies': { - 'id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid': None}, - 'is_visible': True, - 'primary_key': True}, - 'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'is_visible': True}, - 'name': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': db_const.NAME_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'description': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': - db_const.DESCRIPTION_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'shared': {'allow_post': True, 'allow_put': True, - 'default': False, 'enforce_policy': True, - 'convert_to': converters.convert_to_boolean, - 'is_visible': True, 'required_by_policy': True}, - 'firewall_rules': {'allow_post': True, 'allow_put': True, - 'validate': {'type:uuid_list': None}, - 'convert_to': converters.convert_none_to_empty_list, - 'default': None, 'is_visible': True}, - 'audited': {'allow_post': True, 'allow_put': True, - 'default': False, 'is_visible': True, - 'convert_to': converters.convert_to_boolean}, - }, - 'firewalls': { - 'id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid': None}, - 'is_visible': True, - 'primary_key': True}, - 
'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'is_visible': True}, - 'name': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': db_const.NAME_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'description': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': - db_const.DESCRIPTION_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'admin_state_up': {'allow_post': True, 'allow_put': True, - 'default': True, 'is_visible': True, - 'convert_to': converters.convert_to_boolean}, - 'status': {'allow_post': False, 'allow_put': False, - 'is_visible': True}, - 'shared': {'allow_post': True, 'allow_put': True, - 'default': False, 'enforce_policy': True, - 'convert_to': converters.convert_to_boolean, - 'is_visible': False, 'required_by_policy': True}, - 'firewall_policy_id': {'allow_post': True, 'allow_put': True, - 'validate': {'type:uuid_or_none': None}, - 'is_visible': True}, - }, -} - # A tenant may have a unique firewall and policy for each router # when router insertion is used. # Set default quotas to align with default l3 quota_router of 10 
@@ -380,32 +55,32 @@ class Firewall(extensions.ExtensionDescriptor): @classmethod def get_name(cls): - return "Firewall service" + return firewall.NAME @classmethod def get_alias(cls): - return "fwaas" + return firewall.ALIAS @classmethod def get_description(cls): - return "Extension for Firewall service" + return firewall.DESCRIPTION @classmethod def get_updated(cls): - return "2013-02-25T10:00:00-00:00" + return firewall.UPDATED_TIMESTAMP @classmethod def get_resources(cls): + """Returns Ext Resources.""" special_mappings = {'firewall_policies': 'firewall_policy'} plural_mappings = resource_helper.build_plural_mappings( - special_mappings, RESOURCE_ATTRIBUTE_MAP) - action_map = {'firewall_policy': {'insert_rule': 'PUT', - 'remove_rule': 'PUT'}} - return resource_helper.build_resource_info(plural_mappings, - RESOURCE_ATTRIBUTE_MAP, - fwaas_constants.FIREWALL, - action_map=action_map, - register_quota=True) + special_mappings, firewall.RESOURCE_ATTRIBUTE_MAP) + return resource_helper.build_resource_info( + plural_mappings, + firewall.RESOURCE_ATTRIBUTE_MAP, + firewall.ALIAS, + action_map=firewall.ACTION_MAP, + register_quota=True) @classmethod def get_plugin_interface(cls): @@ -413,11 +88,11 @@ class Firewall(extensions.ExtensionDescriptor): def update_attributes_map(self, attributes): super(Firewall, self).update_attributes_map( - attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP) + attributes, extension_attrs_map=firewall.RESOURCE_ATTRIBUTE_MAP) def get_extended_resources(self, version): if version == "2.0": - return RESOURCE_ATTRIBUTE_MAP + return firewall.RESOURCE_ATTRIBUTE_MAP else: return {} diff --git a/neutron_fwaas/extensions/firewall_v2.py b/neutron_fwaas/extensions/firewall_v2.py index 1adf10cff..348c8f504 100644 --- a/neutron_fwaas/extensions/firewall_v2.py +++ b/neutron_fwaas/extensions/firewall_v2.py 
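Review bot: `get_resources` now hands `firewall.ALIAS` to `resource_helper.build_resource_info` as the third argument, where the old code passed `fwaas_constants.FIREWALL`, the service-type string the v1 plugin is presumably registered under (its `get_plugin_type` is outside this hunk). If the helper uses that argument to fetch the service plugin from the plugin directory, as the neutron versions I know do, the lookup will now miss and the firewall/policy/rule controllers will be built with no plugin behind them, breaking the whole v1 API at request time rather than at import time. Unless ALIAS and the plugin type are deliberately the same string, keep `fwaas_constants.FIREWALL,` here; the `fwaas_constants` import is still present in this file per the context of the previous hunk.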
@@ -13,339 +13,48 @@ # under the License. import abc + from neutron.api.v2 import resource_helper -from neutron_lib.api import converters + +from neutron_fwaas.common import fwaas_constants +from neutron_lib.api.definitions import firewall_v2 from neutron_lib.api import extensions -from neutron_lib.db import constants as nl_db_constants -from neutron_lib import exceptions as nexception from neutron_lib.services import base as service_base + import six -from neutron_fwaas._i18n import _ - -# Import firewall v1 API to get the validators -# TODO(shpadubi): pull the validators out of fwaas v1 into a separate file -from neutron_fwaas.extensions import firewall as fwaas_v1 - -FIREWALL_PREFIX = '/fwaas' - -FIREWALL_CONST = 'FIREWALL_V2' - - -# Firewall Exceptions -class FirewallGroupNotFound(nexception.NotFound): - message = _("Firewall Group %(firewall_id)s could not be found.") - - -class FirewallGroupInUse(nexception.InUse): - message = _("Firewall %(firewall_id)s is still active.") - - -class FirewallGroupInPendingState(nexception.Conflict): - message = _("Operation cannot be performed since associated Firewall " - "%(firewall_id)s is in %(pending_state)s.") - - -class FirewallGroupPortInvalid(nexception.Conflict): - message = _("Firewall Group Port %(port_id)s is invalid") - - -class FirewallGroupPortInvalidProject(nexception.Conflict): - message = _("Operation cannot be performed as port %(port_id)s " - "is in an invalid project %(tenant_id)s.") - - -class FirewallGroupPortInUse(nexception.InUse): - message = _("Port(s) %(port_ids)s provided already associated with " - "other Firewall Group(s). 
") - - -class FirewallPolicyNotFound(nexception.NotFound): - message = _("Firewall Policy %(firewall_policy_id)s could not be found.") - - -class FirewallPolicyInUse(nexception.InUse): - message = _("Firewall Policy %(firewall_policy_id)s is being used.") - - -class FirewallPolicyConflict(nexception.Conflict): - """FWaaS exception for firewall policy - - Occurs when admin policy tries to use another tenant's policy that - is not shared. - """ - - message = _("Operation cannot be performed since Firewall Policy " - "%(firewall_policy_id)s is not shared and does not belong to " - "your tenant.") - - -class FirewallRuleSharingConflict(nexception.Conflict): - """FWaaS exception for firewall rules - - This exception will be raised when a shared policy is created or - updated with rules that are not shared. - """ - - message = _("Operation cannot be performed since Firewall Policy " - "%(firewall_policy_id)s is shared but Firewall Rule " - "%(firewall_rule_id)s is not shared.") - - -class FirewallPolicySharingConflict(nexception.Conflict): - """FWaaS exception for firewall policy - - When a policy is 'shared' without sharing its associated rules, - this exception will be raised. - """ - - message = _("Operation cannot be performed. Before sharing Firewall " - "Policy %(firewall_policy_id)s, share associated Firewall " - "Rule %(firewall_rule_id)s.") - - -class FirewallRuleNotFound(nexception.NotFound): - message = _("Firewall Rule %(firewall_rule_id)s could not be found.") - - -class FirewallRuleInUse(nexception.InUse): - message = _("Firewall Rule %(firewall_rule_id)s is being used.") - - -class FirewallRuleNotAssociatedWithPolicy(nexception.InvalidInput): - message = _("Firewall Rule %(firewall_rule_id)s is not associated " - "with Firewall Policy %(firewall_policy_id)s.") - - -class FirewallRuleInvalidProtocol(nexception.InvalidInput): - message = _("Firewall Rule protocol %(protocol)s is not supported. 
" - "Only protocol values %(values)s and their integer " - "representation (0 to 255) are supported.") - - -class FirewallRuleInvalidAction(nexception.InvalidInput): - message = _("Firewall rule action %(action)s is not supported. " - "Only action values %(values)s are supported.") - - -class FirewallRuleInvalidICMPParameter(nexception.InvalidInput): - message = _("%(param)s are not allowed when protocol " - "is set to ICMP.") - - -class FirewallRuleWithPortWithoutProtocolInvalid(nexception.InvalidInput): - message = _("Source/destination port requires a protocol") - - -class FirewallRuleInvalidPortValue(nexception.InvalidInput): - message = _("Invalid value for port %(port)s.") - - -class FirewallRuleInfoMissing(nexception.InvalidInput): - message = _("Missing rule info argument for insert/remove " - "rule operation.") - - -class FirewallIpAddressConflict(nexception.InvalidInput): - message = _("Invalid input - IP addresses do not agree with IP Version.") - - -class FirewallInternalDriverError(nexception.NeutronException): - """Fwaas exception for all driver errors. - - On any failure or exception in the driver, driver should log it and - raise this exception to the agent - """ - - message = _("%(driver)s: Internal driver error.") - - -class FirewallRuleConflict(nexception.Conflict): - """Firewall rule conflict exception. - - Occurs when admin policy tries to use another tenant's rule that is - not shared - """ - - message = _("Operation cannot be performed since Firewall Rule " - "%(firewall_rule_id)s is not shared and belongs to " - "another tenant %(tenant_id)s.") - - -class FirewallRuleAlreadyAssociated(nexception.Conflict): - """Firewall rule conflict exception. - - Occurs when there is an attempt to assign a rule to a policy that - the rule is already associated with. 
- """ - - message = _("Operation cannot be performed since Firewall Rule " - "%(firewall_rule_id)s is already associated with Firewall" - "Policy %(firewall_policy_id)s.") - - -RESOURCE_ATTRIBUTE_MAP = { - 'firewall_rules': { - 'id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid': None}, - 'is_visible': True, 'primary_key': True}, - 'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'validate': {'type:string': - nl_db_constants.UUID_FIELD_SIZE}, - 'is_visible': True}, - 'name': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'description': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': - nl_db_constants.DESCRIPTION_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'firewall_policy_id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid_or_none': None}, - 'is_visible': True}, - 'shared': {'allow_post': True, 'allow_put': True, - 'default': False, 'is_visible': True, - 'convert_to': converters.convert_to_boolean, - 'required_by_policy': True, 'enforce_policy': True}, - 'protocol': {'allow_post': True, 'allow_put': True, - 'is_visible': True, 'default': None, - 'convert_to': fwaas_v1.convert_protocol, - 'validate': {'type:values': - fwaas_v1.fw_valid_protocol_values}}, - 'ip_version': {'allow_post': True, 'allow_put': True, - 'default': 4, 'convert_to': converters.convert_to_int, - 'validate': {'type:values': [4, 6]}, - 'is_visible': True}, - 'source_ip_address': {'allow_post': True, 'allow_put': True, - 'validate': {'type:ip_or_subnet_or_none': None}, - 'is_visible': True, 'default': None}, - 'destination_ip_address': {'allow_post': True, 'allow_put': True, - 'validate': {'type:ip_or_subnet_or_none': - None}, - 'is_visible': True, 'default': None}, - 'source_port': {'allow_post': True, 'allow_put': True, - 'validate': {'type:port_range': None}, - 'convert_to': 
fwaas_v1.convert_port_to_string, - 'default': None, 'is_visible': True}, - 'destination_port': {'allow_post': True, 'allow_put': True, - 'validate': {'type:port_range': None}, - 'convert_to': fwaas_v1.convert_port_to_string, - 'default': None, 'is_visible': True}, - 'position': {'allow_post': False, 'allow_put': False, - 'default': None, 'is_visible': True}, - 'action': {'allow_post': True, 'allow_put': True, - 'convert_to': fwaas_v1.convert_action_to_case_insensitive, - 'validate': {'type:values': - fwaas_v1.fw_valid_action_values}, - 'is_visible': True, 'default': 'deny'}, - 'enabled': {'allow_post': True, 'allow_put': True, - 'convert_to': converters.convert_to_boolean, - 'default': True, 'is_visible': True}, - }, - 'firewall_groups': { - 'id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid': None}, - 'is_visible': True, - 'primary_key': True}, - 'name': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'description': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': - nl_db_constants.DESCRIPTION_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'admin_state_up': {'allow_post': True, 'allow_put': True, - 'default': True, 'is_visible': True, - 'convert_to': converters.convert_to_boolean}, - 'status': {'allow_post': False, 'allow_put': False, - 'is_visible': True}, - 'shared': {'allow_post': True, 'allow_put': True, 'default': False, - 'convert_to': converters.convert_to_boolean, - 'is_visible': True, 'required_by_policy': True, - 'enforce_policy': True}, - 'ports': {'allow_post': True, 'allow_put': True, - 'validate': {'type:uuid_list': None}, - 'convert_to': converters.convert_none_to_empty_list, - 'default': None, 'is_visible': True}, - 'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'validate': {'type:string': - nl_db_constants.UUID_FIELD_SIZE}, - 'is_visible': True}, - 
'ingress_firewall_policy_id': {'allow_post': True, - 'allow_put': True, - 'validate': {'type:uuid_or_none': - None}, - 'default': None, 'is_visible': True}, - 'egress_firewall_policy_id': {'allow_post': True, - 'allow_put': True, - 'validate': {'type:uuid_or_none': - None}, - 'default': None, 'is_visible': True}, - }, - 'firewall_policies': { - 'id': {'allow_post': False, 'allow_put': False, - 'validate': {'type:uuid': None}, - 'is_visible': True, - 'primary_key': True}, - 'tenant_id': {'allow_post': True, 'allow_put': False, - 'required_by_policy': True, - 'validate': {'type:string': - nl_db_constants.UUID_FIELD_SIZE}, - 'is_visible': True}, - 'name': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': nl_db_constants.NAME_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'description': {'allow_post': True, 'allow_put': True, - 'validate': {'type:string': - nl_db_constants.DESCRIPTION_FIELD_SIZE}, - 'is_visible': True, 'default': ''}, - 'shared': {'allow_post': True, 'allow_put': True, 'default': False, - 'convert_to': converters.convert_to_boolean, - 'is_visible': True, 'required_by_policy': True, - 'enforce_policy': True}, - 'firewall_rules': {'allow_post': True, 'allow_put': True, - 'validate': {'type:uuid_list': None}, - 'convert_to': converters.convert_none_to_empty_list, - 'default': None, 'is_visible': True}, - 'audited': {'allow_post': True, 'allow_put': True, 'default': False, - 'convert_to': converters.convert_to_boolean, - 'is_visible': True}, - - }, -} - class Firewall_v2(extensions.ExtensionDescriptor): + api_definition = firewall_v2 + @classmethod def get_name(cls): - return "Firewall service v2" + return firewall_v2.NAME @classmethod def get_alias(cls): - return "fwaas_v2" + return firewall_v2.ALIAS @classmethod def get_description(cls): - return "Extension for Firewall service v2" + return firewall_v2.DESCRIPTION @classmethod def get_updated(cls): - return "2016-08-16T00:00:00-00:00" + return firewall_v2.UPDATED_TIMESTAMP 
@classmethod def get_resources(cls): - special_mappings = {'firewall_policies': 'firewall_policy'} + """Returns Ext Resources.""" plural_mappings = resource_helper.build_plural_mappings( - special_mappings, RESOURCE_ATTRIBUTE_MAP) - action_map = {'firewall_policy': {'insert_rule': 'PUT', - 'remove_rule': 'PUT'}} - return resource_helper.build_resource_info(plural_mappings, - RESOURCE_ATTRIBUTE_MAP, - FIREWALL_CONST, - action_map=action_map) + {}, firewall_v2.RESOURCE_ATTRIBUTE_MAP) + return resource_helper.build_resource_info( + plural_mappings, + firewall_v2.RESOURCE_ATTRIBUTE_MAP, + firewall_v2.ALIAS, + action_map=firewall_v2.ACTION_MAP, + register_quota=True) @classmethod def get_plugin_interface(cls): @@ -353,11 +62,11 @@ class Firewall_v2(extensions.ExtensionDescriptor): def update_attributes_map(self, attributes): super(Firewall_v2, self).update_attributes_map( - attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP) + attributes, extension_attrs_map=firewall_v2.RESOURCE_ATTRIBUTE_MAP) def get_extended_resources(self, version): if version == "2.0": - return RESOURCE_ATTRIBUTE_MAP + return firewall_v2.RESOURCE_ATTRIBUTE_MAP else: return {} @@ -366,10 +75,10 @@ class Firewall_v2(extensions.ExtensionDescriptor): class Firewallv2PluginBase(service_base.ServicePluginBase): def get_plugin_name(self): - return FIREWALL_CONST + return fwaas_constants.FIREWALL_V2 def get_plugin_type(self): - return FIREWALL_CONST + return fwaas_constants.FIREWALL_V2 def get_plugin_description(self): return 'Firewall Service v2 Plugin' diff --git a/neutron_fwaas/extensions/firewallrouterinsertion.py b/neutron_fwaas/extensions/firewallrouterinsertion.py index 8c2a88600..60cc4b3b7 100644 --- a/neutron_fwaas/extensions/firewallrouterinsertion.py +++ b/neutron_fwaas/extensions/firewallrouterinsertion.py 
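Review bot: The same mismatch as in the v1 extension: `get_resources` passes `firewall_v2.ALIAS` as the service type to `build_resource_info`, while `Firewallv2PluginBase.get_plugin_type()` in the `@@ -366` hunk of this file returns `fwaas_constants.FIREWALL_V2` (the old code used `FIREWALL_CONST` for both). If the helper resolves the plugin from the directory by that string, the v2 controllers end up wired to no plugin; passing `fwaas_constants.FIREWALL_V2,` keeps the two in step, and this hunk already adds the `fwaas_constants` import. Separately, `register_quota=True` is new for v2 (the old call did not set it); enabling quotas on firewall groups, policies and rules is a welcome resource-exhaustion control, but it is a behaviour change worth calling out in the commit message, together with a check that default quotas exist for the v2 resource names.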
@@ -13,25 +13,8 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron_lib.api.definitions import firewallrouterinsertion from neutron_lib.api import extensions -from neutron_lib import constants -from neutron_lib import exceptions as nexception - -from neutron_fwaas._i18n import _ - - -class FirewallRouterInUse(nexception.InUse): - message = _("Router(s) %(router_ids)s provided already associated with " - "other Firewall(s). ") - - -EXTENDED_ATTRIBUTES_2_0 = { - 'firewalls': { - 'router_ids': {'allow_post': True, 'allow_put': True, - 'validate': {'type:uuid_list': None}, - 'is_visible': True, 'default': constants.ATTR_NOT_SPECIFIED}, - } -} class Firewallrouterinsertion(extensions.ExtensionDescriptor): @@ -55,22 +38,22 @@ class Firewallrouterinsertion(extensions.ExtensionDescriptor): """ @classmethod def get_name(cls): - return "Firewall Router insertion" + return firewallrouterinsertion.NAME @classmethod def get_alias(cls): - return "fwaasrouterinsertion" + return firewallrouterinsertion.ALIAS @classmethod def get_description(cls): - return "Firewall Router insertion on specified set of routers" + return firewallrouterinsertion.DESCRIPTION @classmethod def get_updated(cls): - return "2015-01-27T10:00:00-00:00" + return firewallrouterinsertion.UPDATED_TIMESTAMP def get_extended_resources(self, version): if version == "2.0": - return EXTENDED_ATTRIBUTES_2_0 + return firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP else: return {} diff --git a/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent.py b/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent.py index 25d4149ff..04a6ce9c3 100644 --- a/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent.py +++ b/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent.py 
@@ -21,10 +21,10 @@ from oslo_log import log as logging from neutron_fwaas._i18n import _, _LE from neutron_fwaas.common import fwaas_constants from neutron_fwaas.common import resources as f_resources -from neutron_fwaas.extensions import firewall as fw_ext from neutron_fwaas.services.firewall.agents import firewall_agent_api as api from neutron_fwaas.services.firewall.agents import firewall_service from neutron_lib.agent import l3_extension +from neutron_lib.api.definitions import firewall as fw_ext from neutron_lib import constants as nl_constants from neutron_lib import context diff --git a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py index 16cb5f333..067d39801 100644 --- a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py +++ b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py @@ -20,8 +20,8 @@ from oslo_utils import excutils from neutron.agent.linux import iptables_manager from neutron.common import utils from neutron_fwaas._i18n import _LE +from neutron_fwaas.common import exceptions as exc from neutron_fwaas.common import fwaas_constants as f_const -from neutron_fwaas.extensions import firewall as fw_ext from neutron_fwaas.services.firewall.drivers import fwaas_base LOG = logging.getLogger(__name__) @@ -92,9 +92,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase): else: self.apply_default_policy(agent_mode, apply_list, firewall) except (LookupError, RuntimeError): - # catch known library exceptions and raise Fwaas generic exception + # catch known library exc and raise Fwaas generic exception LOG.exception(_LE("Failed to create firewall: %s"), firewall['id']) - raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) + raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) def _get_ipt_mgrs_with_if_prefix(self, agent_mode, router_info): """Gets the iptables manager along with the if prefix to apply rules. 
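Review bot: In firewall_l3_agent.py the `fw_ext` alias is rebound from `neutron_fwaas.extensions.firewall` to `neutron_lib.api.definitions.firewall`, but only the import line changes in this hunk. The old module carried the FWaaS exception classes alongside the constants; the neutron-lib definitions module evidently does not, since the v1 iptables driver in this same commit had to move its raises to `neutron_fwaas.common.exceptions`. If anything in the agent body (outside this hunk) still references `fw_ext.FirewallInternalDriverError` or another exception through `fw_ext`, it will now fail with AttributeError exactly on the error path where the agent should be marking the firewall ERROR, so please grep this file for `fw_ext.` and re-home any exception references to `neutron_fwaas.common.exceptions`.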
@@ -137,9 +137,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase): ipt_mgr.defer_apply_off() self.pre_firewall = None except (LookupError, RuntimeError): - # catch known library exceptions and raise Fwaas generic exception + # catch known library exc and raise Fwaas generic exception LOG.exception(_LE("Failed to delete firewall: %s"), fwid) - raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) + raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) def update_firewall(self, agent_mode, apply_list, firewall): LOG.debug('Updating firewall %(fw_id)s for tenant %(tid)s', @@ -157,9 +157,9 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase): self.apply_default_policy(agent_mode, apply_list, firewall) self.pre_firewall = dict(firewall) except (LookupError, RuntimeError): - # catch known library exceptions and raise Fwaas generic exception + # catch known library exc and raise Fwaas generic exception LOG.exception(_LE("Failed to update firewall: %s"), firewall['id']) - raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) + raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) def apply_default_policy(self, agent_mode, apply_list, firewall): LOG.debug('Applying firewall %(fw_id)s for tenant %(tid)s', @@ -182,10 +182,10 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase): # apply the changes immediately (no defer in firewall path) ipt_mgr.defer_apply_off() except (LookupError, RuntimeError): - # catch known library exceptions and raise Fwaas generic exception + # catch known library exc and raise Fwaas generic exception LOG.exception( _LE("Failed to apply default policy on firewall: %s"), fwid) - raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) + raise exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME) def _setup_firewall(self, agent_mode, apply_list, firewall): fwid = firewall['id'] 
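Review bot: The comments on the `except (LookupError, RuntimeError)` handlers were rewritten from `# catch known library exceptions and raise Fwaas generic exception` to `# catch known library exc and raise Fwaas generic exception`, which reads like collateral damage from a search-and-replace of `exceptions` to `exc` rather than an intended edit; it appears in all four handlers of iptables_fwaas.py across this hunk and the previous one. Please restore the word `exceptions` in those comments; the `exc.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)` raises themselves look right.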
diff --git a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py index 906eb7fd4..d31db23e8 100644 --- a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py +++ b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py @@ -15,14 +15,14 @@ from neutron.agent.linux import iptables_manager from neutron.agent.linux import utils as linux_utils +from neutron_lib.api.definitions import firewall as fw_ext from oslo_log import log as logging from neutron_fwaas._i18n import _LE -from neutron_fwaas.extensions import firewall as fw_ext from neutron_fwaas.services.firewall.drivers import fwaas_base_v2 LOG = logging.getLogger(__name__) -FWAAS_DRIVER_NAME = 'Fwaas iptables driver' +FWAAS_DRIVER_NAME = 'FWaaS iptables driver' FWAAS_DEFAULT_CHAIN = 'fwaas-default-policy' FWAAS_TO_IPTABLE_ACTION_MAP = {'allow': 'ACCEPT', diff --git a/neutron_fwaas/services/firewall/fwaas_plugin.py b/neutron_fwaas/services/firewall/fwaas_plugin.py index cc86ae6c1..cd4842586 100644 --- a/neutron_fwaas/services/firewall/fwaas_plugin.py +++ b/neutron_fwaas/services/firewall/fwaas_plugin.py @@ -12,6 +12,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. + from neutron_lib import constants as nl_constants from neutron_lib import context as neutron_context from neutron_lib.plugins import directory 
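Review bot: iptables_fwaas_v2.py rebinds `fw_ext` to `neutron_lib.api.definitions.firewall`, but unlike the v1 driver hunks just above, no raise site in this file is touched. If the v2 driver's `except (LookupError, RuntimeError)` handlers raise `fw_ext.FirewallInternalDriverError` the way the v1 driver did, that attribute does not exist on the neutron-lib definitions module and the handler will die with AttributeError instead of reporting a driver error to the agent; the rest of the file is outside this hunk, so please verify and, if needed, add `from neutron_fwaas.common import exceptions as exc` as the v1 driver now does. Note also that `FWAAS_DRIVER_NAME` is interpolated into the `FirewallInternalDriverError` message (`%(driver)s: Internal driver error.`), so the `Fwaas` to `FWaaS` respelling changes a user-visible error string; harmless unless something downstream matches on it.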
@@ -19,15 +20,16 @@ from neutron_lib.plugins import directory from neutron.common import rpc as n_rpc from neutron.common import utils as n_utils +from neutron_lib.api.definitions import firewall as fw_ext from oslo_config import cfg from oslo_log import log as logging import oslo_messaging -from neutron_fwaas._i18n import _LI, _LW +from neutron_fwaas._i18n import _ +from neutron_fwaas.common import exceptions from neutron_fwaas.common import fwaas_constants as f_const from neutron_fwaas.db.firewall import firewall_db from neutron_fwaas.db.firewall import firewall_router_insertion_db -from neutron_fwaas.extensions import firewall as fw_ext LOG = logging.getLogger(__name__) @@ -72,13 +74,13 @@ class FirewallCallbacks(object): self.plugin.delete_db_firewall_object(context, firewall_id) return True else: - LOG.warning(_LW('Firewall %(fw)s unexpectedly deleted by ' - 'agent, status was %(status)s'), + LOG.warning(_('Firewall %(fw)s unexpectedly deleted by ' + 'agent, status was %(status)s'), {'fw': firewall_id, 'status': fw_db.status}) fw_db.update({"status": nl_constants.ERROR}) return False - except fw_ext.FirewallNotFound: - LOG.info(_LI('Firewall %s already deleted'), firewall_id) + except exceptions.FirewallNotFound: + LOG.info(_('Firewall %s already deleted'), firewall_id) return True def get_firewalls_for_tenant(self, context, **kwargs): @@ -151,7 +153,7 @@ class FirewallPlugin( firewall_db.Firewall_db_mixin. """ supported_extension_aliases = ["fwaas", "fwaasrouterinsertion"] - path_prefix = fw_ext.FIREWALL_PREFIX + path_prefix = fw_ext.API_PREFIX def __init__(self): """Do the initialization for the firewall service plugin here.""" 
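Review bot: The two log calls in firewall_deleted replace `_LW`/`_LI` with `_()`, which is the marker for user-facing translatable strings; the reason the `_LW`/`_LI` helpers are being retired is that log messages are no longer translated at all, so the replacement should be the bare string: `LOG.warning('Firewall %(fw)s unexpectedly deleted by agent, status was %(status)s', {...})` and `LOG.info('Firewall %s already deleted', firewall_id)`. If no other message in fwaas_plugin.py needs `_`, the `from neutron_fwaas._i18n import _` added in the @@ -19 hunk then becomes an unused import. firewall_deleted begins outside the hunk.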
@@ -214,7 +216,7 @@ class FirewallPlugin( if fwall['status'] in [nl_constants.PENDING_CREATE, nl_constants.PENDING_UPDATE, nl_constants.PENDING_DELETE]: - raise fw_ext.FirewallInPendingState(firewall_id=firewall_id, + raise exceptions.FirewallInPendingState(firewall_id=firewall_id, pending_state=fwall['status']) def _ensure_update_firewall_policy(self, context, firewall_policy_id): diff --git a/neutron_fwaas/services/firewall/fwaas_plugin_v2.py b/neutron_fwaas/services/firewall/fwaas_plugin_v2.py index 9fc7bc089..cb578d785 100644 --- a/neutron_fwaas/services/firewall/fwaas_plugin_v2.py +++ b/neutron_fwaas/services/firewall/fwaas_plugin_v2.py @@ -16,15 +16,16 @@ from neutron_lib import context as neutron_context from neutron_lib.plugins import directory from neutron.common import rpc as n_rpc +from neutron_lib.api.definitions import firewall_v2 as fw_ext from neutron_lib import constants as nl_constants from oslo_config import cfg from oslo_log import log as logging import oslo_messaging from neutron_fwaas._i18n import _LI +from neutron_fwaas.common import exceptions from neutron_fwaas.common import fwaas_constants from neutron_fwaas.db.firewall.v2 import firewall_db_v2 -from neutron_fwaas.extensions import firewall_v2 as fw_ext LOG = logging.getLogger(__name__) @@ -102,7 +103,7 @@ class FirewallCallbacks(object): {'fwg': fwg_id, 'status': fwg_db.status}) fwg_db.update({"status": nl_constants.ERROR}) return False - except fw_ext.FirewallGroupNotFound: + except exceptions.FirewallGroupNotFound: LOG.info(_LI('Firewall group %s already deleted'), fwg_id) return True @@ -144,7 +145,7 @@ class FirewallPluginV2( firewall_db_v2.Firewall_db_mixin_v2. """ supported_extension_aliases = ["fwaas_v2"] - path_prefix = fw_ext.FIREWALL_PREFIX + path_prefix = fw_ext.API_PREFIX def __init__(self): """Do the initialization for the firewall service plugin here.""" 
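Review bot: In the @@ -214 hunk the continuation line `pending_state=fwall['status'])` was aligned to the opening parenthesis of `fw_ext.FirewallInPendingState(`, and swapping `fw_ext` for the longer `exceptions` without re-indenting it leaves the argument misaligned (pep8 E128); indentation is not preserved in this view, so confirm in the file. A layout that survives future renames is `raise exceptions.FirewallInPendingState(` / `    firewall_id=firewall_id, pending_state=fwall['status'])`. The same applies to `FirewallGroupInPendingState(firewall_id=fwg_id,` in the @@ -194 hunk of fwaas_plugin_v2.py below. The enclosing method begins outside the hunk.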
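Review bot: fwaas_plugin_v2.py keeps `from neutron_fwaas._i18n import _LI` and still wraps `LOG.info(_LI('Firewall group %s already deleted'), fwg_id)` in the @@ -102 hunk, while fwaas_plugin.py in this same commit removes its `_LI`/`_LW` imports; the two plugins should follow one convention. Since log messages are no longer translated, the v2 call can become `LOG.info('Firewall group %s already deleted', fwg_id)` with the `_LI` import dropped. The rest of the module is outside these hunks.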
@@ -194,7 +195,7 @@ class FirewallPluginV2( if fwg['status'] in [nl_constants.PENDING_CREATE, nl_constants.PENDING_UPDATE, nl_constants.PENDING_DELETE]: - raise fw_ext.FirewallGroupInPendingState(firewall_id=fwg_id, + raise exceptions.FirewallGroupInPendingState(firewall_id=fwg_id, pending_state=fwg['status']) def _ensure_update_firewall_policy(self, context, firewall_policy_id): @@ -216,9 +217,9 @@ class FirewallPluginV2( for port_id in fwg_ports: port_db = self._core_plugin._get_port(context, port_id) if port_db['device_owner'] != "network:router_interface": - raise fw_ext.FirewallGroupPortInvalid(port_id=port_id) + raise exceptions.FirewallGroupPortInvalid(port_id=port_id) if port_db['tenant_id'] != tenant_id: - raise fw_ext.FirewallGroupPortInvalidProject( + raise exceptions.FirewallGroupPortInvalidProject( port_id=port_id, tenant_id=port_db['tenant_id']) return diff --git a/neutron_fwaas/tests/tempest_plugin/tests/api/test_fwaas_extensions.py b/neutron_fwaas/tests/tempest_plugin/tests/api/test_fwaas_extensions.py index f10cf5b3d..ee84adf4c 100644 --- a/neutron_fwaas/tests/tempest_plugin/tests/api/test_fwaas_extensions.py +++ b/neutron_fwaas/tests/tempest_plugin/tests/api/test_fwaas_extensions.py @@ -328,6 +328,7 @@ class FWaaSExtensionTestJSON(base.BaseFWaaSTest): self.assertNotIn(router1['id'], updated_firewall['router_ids']) self.assertEqual(1, len(updated_firewall['router_ids'])) + @decorators.skip_because(bug="1694363") @decorators.idempotent_id('c60ceff5-d51f-451d-b6e6-cb983d16ab6b') def test_firewall_insertion_mode_one_firewall_per_router(self): # Create router required for an ACTIVE firewall diff --git a/neutron_fwaas/tests/tempest_plugin/tests/scenario/test_fwaas.py b/neutron_fwaas/tests/tempest_plugin/tests/scenario/test_fwaas.py index a1a80d717..f911fc3c6 100644 --- a/neutron_fwaas/tests/tempest_plugin/tests/scenario/test_fwaas.py +++ b/neutron_fwaas/tests/tempest_plugin/tests/scenario/test_fwaas.py 
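Review bot: The port check in the @@ -216 hunk compares `port_db['device_owner']` against the literal `"network:router_interface"` although the file imports `neutron_lib.constants as nl_constants` (visible in the @@ -16 hunk above), so it should read `if port_db['device_owner'] != nl_constants.DEVICE_OWNER_ROUTER_INTF:`; as written it also rejects other router-owned ports such as the distributed-router interface, which may or may not be intended. The following check raises `FirewallGroupPortInvalidProject(port_id=port_id, tenant_id=port_db['tenant_id'])`, echoing the owning project of a port the caller does not own into the error message; whether a non-admin can reach this depends on `_core_plugin._get_port` filtering by the request context's project, which is not visible here, so either confirm that or report only the port id. The enclosing method starts outside the hunk.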
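Review bot: `@decorators.skip_because(bug="1694363")` disables test_firewall_insertion_mode_one_firewall_per_router with nothing but a bug number, and judging by its name this is the one check in this API suite that a router already carrying a firewall rejects a second one. A one-line comment above the decorator stating what currently fails and what unskipping depends on, e.g. `# Skipped until bug 1694363 (<short symptom>) is fixed; re-enable when resolved.`, keeps the skip from outliving the bug. The test body is outside the hunk.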
@@ -154,7 +154,7 @@ class TestFWaaS(base.FWaaSScenarioTest): def _allow_ssh_and_icmp(self, ctx): fw_ssh_rule = self.create_firewall_rule( protocol="tcp", - destination_port=22, + destination_port='22', action="allow") fw_icmp_rule = self.create_firewall_rule( protocol="icmp", diff --git a/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py b/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py index 5f08c02da..8206d91d5 100644 --- a/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py +++ b/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py @@ -24,11 +24,13 @@ from oslo_utils import uuidutils import six import webob.exc +from neutron_fwaas.common import exceptions +from neutron_fwaas.common import fwaas_constants as fw_const from neutron_fwaas.db.firewall import firewall_db as fdb from neutron_fwaas import extensions -from neutron_fwaas.extensions import firewall from neutron_fwaas.services.firewall import fwaas_plugin from neutron_fwaas.tests import base +from neutron_lib.api.definitions import firewall as nl_firewall from neutron_lib import constants as nl_constants from neutron_lib import context from neutron_lib.exceptions import l3 @@ -67,14 +69,14 @@ class FakeAgentApi(fwaas_plugin.FirewallCallbacks): pass def delete_firewall(self, context, firewall, **kwargs): - self.plugin = directory.get_plugin('FIREWALL') + self.plugin = directory.get_plugin(fw_const.FIREWALL) self.firewall_deleted(context, firewall['id'], **kwargs) class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase): resource_prefix_map = dict( - (k, firewall.FIREWALL_PREFIX) - for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys() + (k, nl_firewall.API_PREFIX) + for k in nl_firewall.RESOURCE_ATTRIBUTE_MAP.keys() ) def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None): 
@@ -86,7 +88,7 @@ class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase): service_plugins = {'fw_plugin_name': fw_plugin} fdb.Firewall_db_mixin.supported_extension_aliases = ["fwaas"] - fdb.Firewall_db_mixin.path_prefix = firewall.FIREWALL_PREFIX + fdb.Firewall_db_mixin.path_prefix = nl_firewall.API_PREFIX super(FirewallPluginDbTestCase, self).setUp( ext_mgr=ext_mgr, service_plugins=service_plugins @@ -627,7 +629,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): req = self.new_delete_request('firewall_policies', fwp_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallPolicyNotFound, + self.assertRaises(exceptions.FirewallPolicyNotFound, self.plugin.get_firewall_policy, ctx, fwp_id) @@ -650,7 +652,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): req = self.new_delete_request('firewall_policies', fwp_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallPolicyNotFound, + self.assertRaises(exceptions.FirewallPolicyNotFound, self.plugin.get_firewall_policy, ctx, fwp_id) fw_rule = self.plugin.get_firewall_rule(ctx, fr_id) @@ -684,8 +686,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): attrs['source_port'] = '10000' attrs['destination_port'] = '80' - with self.firewall_rule(source_port=10000, - destination_port=80) as firewall_rule: + with self.firewall_rule(source_port='10000', + destination_port='80') as firewall_rule: for k, v in six.iteritems(attrs): self.assertEqual(v, firewall_rule['firewall_rule'][k]) @@ -837,8 +839,8 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): with self.firewall_rule() as fwr: data = {'firewall_rule': {'name': name, 'protocol': PROTOCOL, - 'source_port': 10000, - 'destination_port': 80}} + 'source_port': '10000', + 'destination_port': '80'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) res = self.deserialize(self.fmt, 
@@ -914,7 +916,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): with self.firewall_rule(source_port=None, destination_port=None, protocol=None) as fwr: - data = {'firewall_rule': {'destination_port': 80, + data = {'firewall_rule': {'destination_port': '80', 'protocol': 'tcp'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) @@ -925,7 +927,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): with self.firewall_rule(source_port=None, destination_port=None, protocol=None) as fwr: - data = {'firewall_rule': {'destination_port': 80, + data = {'firewall_rule': {'destination_port': '80', 'protocol': 'icmp'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) @@ -980,7 +982,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): req = self.new_delete_request('firewall_rules', fwr_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallRuleNotFound, + self.assertRaises(exceptions.FirewallRuleNotFound, self.plugin.get_firewall_rule, ctx, fwr_id) @@ -1196,7 +1198,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): req = self.new_delete_request('firewalls', fw_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallNotFound, + self.assertRaises(exceptions.FirewallNotFound, self.plugin.get_firewall, ctx, fw_id) @@ -1481,7 +1483,7 @@ class TestFirewallDBPlugin(FirewallPluginDbTestCase): def test_check_router_has_no_firewall_raises(self): fw_plugin = mock.Mock() - directory.add_plugin('FIREWALL', fw_plugin) + directory.add_plugin(fw_const.FIREWALL, fw_plugin) fw_plugin.get_firewalls.return_value = [mock.ANY] kwargs = { 'context': mock.ANY, diff --git a/neutron_fwaas/tests/unit/db/firewall/v2/test_firewall_db_v2.py b/neutron_fwaas/tests/unit/db/firewall/v2/test_firewall_db_v2.py index 082dcbb97..5b0dc7904 100644 
--- a/neutron_fwaas/tests/unit/db/firewall/v2/test_firewall_db_v2.py +++ b/neutron_fwaas/tests/unit/db/firewall/v2/test_firewall_db_v2.py @@ -26,12 +26,12 @@ import six import testtools import webob.exc -from neutron_fwaas._i18n import _ +from neutron_fwaas.common import exceptions from neutron_fwaas.db.firewall.v2 import firewall_db_v2 as fdb from neutron_fwaas import extensions -from neutron_fwaas.extensions import firewall_v2 as firewall from neutron_fwaas.services.firewall import fwaas_plugin_v2 from neutron_fwaas.tests import base +from neutron_lib.api.definitions import firewall_v2 as nl_firewall from neutron_lib import constants as nl_constants from neutron_lib import context from neutron_lib.plugins import directory @@ -69,14 +69,14 @@ class FakeAgentApi(fwaas_plugin_v2.FirewallCallbacks): pass def delete_firewall_group(self, context, firewall_group, **kwargs): - self.plugin = directory.get_plugin('FIREWALL_V2') + self.plugin = directory.get_plugin('fwaas_v2') self.firewall_group_deleted(context, firewall_group['id'], **kwargs) class FirewallPluginV2DbTestCase(base.NeutronDbPluginV2TestCase): resource_prefix_map = dict( - (k, firewall.FIREWALL_PREFIX) - for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys() + (k, nl_firewall.API_PREFIX) + for k in nl_firewall.RESOURCE_ATTRIBUTE_MAP.keys() ) def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None): @@ -89,7 +89,7 @@ class FirewallPluginV2DbTestCase(base.NeutronDbPluginV2TestCase): service_plugins = {'fw_plugin_name': fw_plugin} fdb.Firewall_db_mixin_v2.supported_extension_aliases = ["fwaas_v2"] - fdb.Firewall_db_mixin_v2.path_prefix = firewall.FIREWALL_PREFIX + fdb.Firewall_db_mixin_v2.path_prefix = nl_firewall.API_PREFIX super(FirewallPluginV2DbTestCase, self).setUp( ext_mgr=ext_mgr, service_plugins=service_plugins 
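Review bot: `directory.get_plugin('fwaas_v2')` in FakeAgentApi.delete_firewall_group swaps one string literal for another, while the v1 test in this same commit switches to `directory.get_plugin(fw_const.FIREWALL)`. If neutron_fwaas.common.fwaas_constants (which fwaas_plugin_v2.py imports) defines the v2 service-type constant, the test should use it, so that a rename of the plugin alias cannot silently leave this fake looking up a plugin that no longer exists and returning None. Whether such a constant exists is not visible here.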
@@ -664,7 +664,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): req = self.new_delete_request('firewall_policies', fwp_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallPolicyNotFound, + self.assertRaises(exceptions.FirewallPolicyNotFound, self.plugin.get_firewall_policy, ctx, fwp_id) @@ -688,7 +688,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): req = self.new_delete_request('firewall_policies', fwp_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallPolicyNotFound, + self.assertRaises(exceptions.FirewallPolicyNotFound, self.plugin.get_firewall_policy, ctx, fwp_id) fw_rule = self.plugin.get_firewall_rule(ctx, fr_id) @@ -722,8 +722,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): attrs['source_port'] = '10000' attrs['destination_port'] = '80' - with self.firewall_rule(source_port=10000, - destination_port=80) as firewall_rule: + with self.firewall_rule(source_port='10000', + destination_port='80') as firewall_rule: for k, v in six.iteritems(attrs): self.assertEqual(v, firewall_rule['firewall_rule'][k]) @@ -876,8 +876,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): with self.firewall_rule() as fwr: data = {'firewall_rule': {'name': name, 'protocol': PROTOCOL, - 'source_port': 10000, - 'destination_port': 80}} + 'source_port': '10000', + 'destination_port': '80'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) res = self.deserialize(self.fmt, @@ -915,7 +915,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): def test_update_firewall_rule_with_port_and_no_proto(self): with self.firewall_rule() as fwr: data = {'firewall_rule': {'protocol': None, - 'destination_port': 80}} + 'destination_port': '80'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) res = req.get_response(self.ext_api) 
@@ -935,7 +935,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): with self.firewall_rule(source_port=None, destination_port=None, protocol=None) as fwr: - data = {'firewall_rule': {'destination_port': 80}} + data = {'firewall_rule': {'destination_port': '80'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) res = req.get_response(self.ext_api) @@ -953,7 +953,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): with self.firewall_rule(source_port=None, destination_port=None, protocol=None) as fwr: - data = {'firewall_rule': {'destination_port': 80, + data = {'firewall_rule': {'destination_port': '80', 'protocol': 'tcp'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) @@ -964,7 +964,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): with self.firewall_rule(source_port=None, destination_port=None, protocol=None) as fwr: - data = {'firewall_rule': {'destination_port': 80, + data = {'firewall_rule': {'destination_port': '80', 'protocol': 'icmp'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) @@ -974,7 +974,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): with self.firewall_rule(source_port=None, destination_port=None, protocol='icmp') as fwr: - data = {'firewall_rule': {'destination_port': 80}} + data = {'firewall_rule': {'destination_port': '80'}} req = self.new_update_request('firewall_rules', data, fwr['firewall_rule']['id']) res = req.get_response(self.ext_api) @@ -1036,7 +1036,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): req = self.new_delete_request('firewall_rules', fwr_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallRuleNotFound, + self.assertRaises(exceptions.FirewallRuleNotFound, self.plugin.get_firewall_rule, ctx, fwr_id) 
@@ -1202,10 +1202,10 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): fwp_id = fwp['firewall_policy']['id'] with self.firewall_group( ingress_firewall_policy_id=fwp_id, - admin_state_up=ADMIN_STATE_UP) as firewall: + admin_state_up=ADMIN_STATE_UP) as tfirewall: data = {'firewall_group': {'name': name}} - req = self.new_update_request('firewall_groups', data, - firewall['firewall_group']['id']) + req = self.new_update_request( + 'firewall_groups', data, tfirewall['firewall_group']['id']) res = self.deserialize(self.fmt, req.get_response(self.ext_api)) for k, v in six.iteritems(attrs): @@ -1277,8 +1277,8 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): fwp2_id = fwps[1]['firewall_policy']['id'] ctx = context.Context('not_admin', 'tenant1') with self.firewall_group(ingress_firewall_policy_id=fwp1_id, - context=ctx) as firewall: - fw_id = firewall['firewall_group']['id'] + context=ctx) as tfirewall: + fw_id = tfirewall['firewall_group']['id'] fw_db = self.plugin._get_firewall_group(ctx, fw_id) fw_db['status'] = nl_constants.ACTIVE # update firewall from fwp1 to fwp2(different tenant) @@ -1299,7 +1299,7 @@ class TestFirewallDBPluginV2(FirewallPluginV2DbTestCase): req = self.new_delete_request('firewall_groups', fw_id) res = req.get_response(self.ext_api) self.assertEqual(204, res.status_int) - self.assertRaises(firewall.FirewallGroupNotFound, + self.assertRaises(exceptions.FirewallGroupNotFound, self.plugin.get_firewall_group, ctx, fw_id) diff --git a/neutron_fwaas/tests/unit/extensions/__init__.py b/neutron_fwaas/tests/unit/extensions/__init__.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/neutron_fwaas/tests/unit/extensions/test_firewall_v2.py b/neutron_fwaas/tests/unit/extensions/test_firewall_v2.py deleted file mode 100644 index f2ccfd621..000000000 --- a/neutron_fwaas/tests/unit/extensions/test_firewall_v2.py +++ /dev/null 
@@ -1,419 +0,0 @@ -# Copyright 2013 Big Switch Networks, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import copy - -import mock -from neutron.tests.unit.api.v2 import test_base as test_api_v2 -from neutron.tests.unit.extensions import base as test_api_v2_extension -from neutron_lib.db import constants as db_const -from oslo_utils import uuidutils -from webob import exc -import webtest - -from neutron_fwaas.extensions import firewall_v2 - -_uuid = uuidutils.generate_uuid -_get_path = test_api_v2._get_path -_long_name = 'x' * (db_const.NAME_FIELD_SIZE + 1) -_long_description = 'y' * (db_const.DESCRIPTION_FIELD_SIZE + 1) -_long_tenant = 'z' * (db_const.PROJECT_ID_FIELD_SIZE + 1) - -FIREWALL_CONST = 'FIREWALL_V2' - - -class FirewallExtensionTestCase(test_api_v2_extension.ExtensionTestCase): - fmt = 'json' - - def setUp(self): - super(FirewallExtensionTestCase, self).setUp() - plural_mappings = {'firewall_policy': 'firewall_policies'} - self._setUpExtension( - 'neutron_fwaas.extensions.firewall_v2.Firewallv2PluginBase', - FIREWALL_CONST, firewall_v2.RESOURCE_ATTRIBUTE_MAP, - firewall_v2.Firewall_v2, 'fwaas', plural_mappings=plural_mappings) - - def _test_create_firewall_rule(self, src_port, dst_port): - rule_id = _uuid() - project_id = _uuid() - data = {'firewall_rule': {'description': 'descr_firewall_rule1', - 'name': 'rule1', - 'protocol': 'tcp', - 'ip_version': 4, - 'source_ip_address': '192.168.0.1', - 'destination_ip_address': 
'127.0.0.1', - 'source_port': src_port, - 'destination_port': dst_port, - 'action': 'allow', - 'enabled': True, - 'tenant_id': project_id, - 'shared': False}} - expected_ret_val = copy.copy(data['firewall_rule']) - expected_ret_val['source_port'] = str(src_port) - expected_ret_val['destination_port'] = str(dst_port) - expected_ret_val['id'] = rule_id - instance = self.plugin.return_value - instance.create_firewall_rule.return_value = expected_ret_val - res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt) - data['firewall_rule'].update({'project_id': project_id}) - self.assertEqual(exc.HTTPCreated.code, res.status_int) - res = self.deserialize(res) - self.assertIn('firewall_rule', res) - self.assertEqual(expected_ret_val, res['firewall_rule']) - - def test_create_firewall_rule_with_integer_ports(self): - self._test_create_firewall_rule(1, 10) - - def test_create_firewall_rule_with_string_ports(self): - self._test_create_firewall_rule('1', '10') - - def test_create_firewall_rule_with_port_range(self): - self._test_create_firewall_rule('1:20', '30:40') - - def test_create_firewall_rule_invalid_long_name(self): - data = {'firewall_rule': {'description': 'descr_firewall_rule1', - 'name': _long_name, - 'protocol': 'tcp', - 'ip_version': 4, - 'source_ip_address': '192.168.0.1', - 'destination_ip_address': '127.0.0.1', - 'source_port': 1, - 'destination_port': 1, - 'action': 'allow', - 'enabled': True, - 'tenant_id': _uuid(), - 'shared': False}} - res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - self.assertIn('Invalid input for name', res.body.decode('utf-8')) - - def test_create_firewall_rule_invalid_long_description(self): - data = {'firewall_rule': {'description': _long_description, - 'name': 'rule1', - 'protocol': 'tcp', - 'ip_version': 4, - 'source_ip_address': 
'192.168.0.1', - 'destination_ip_address': '127.0.0.1', - 'source_port': 1, - 'destination_port': 1, - 'action': 'allow', - 'enabled': True, - 'tenant_id': _uuid(), - 'shared': False}} - res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - self.assertIn('Invalid input for description', - res.body.decode('utf-8')) - - def test_create_firewall_rule_invalid_long_tenant_id(self): - data = {'firewall_rule': {'description': 'desc', - 'name': 'rule1', - 'protocol': 'tcp', - 'ip_version': 4, - 'source_ip_address': '192.168.0.1', - 'destination_ip_address': '127.0.0.1', - 'source_port': 1, - 'destination_port': 1, - 'action': 'allow', - 'enabled': True, - 'tenant_id': _long_tenant, - 'shared': False}} - res = self.api.post(_get_path('fwaas/firewall_rules', fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - self.assertIn('Invalid input for ', res.body.decode('utf-8')) - - def test_firewall_rule_list(self): - rule_id = _uuid() - return_value = [{'tenant_id': _uuid(), - 'id': rule_id}] - - instance = self.plugin.return_value - instance.get_firewall_rules.return_value = return_value - - res = self.api.get(_get_path('fwaas/firewall_rules', fmt=self.fmt)) - - instance.get_firewall_rules.assert_called_with(mock.ANY, - fields=mock.ANY, - filters=mock.ANY) - self.assertEqual(exc.HTTPOk.code, res.status_int) - - def test_firewall_rule_get(self): - rule_id = _uuid() - return_value = {'tenant_id': _uuid(), - 'id': rule_id} - - instance = self.plugin.return_value - instance.get_firewall_rule.return_value = return_value - - res = self.api.get(_get_path('fwaas/firewall_rules', - id=rule_id, fmt=self.fmt)) - - instance.get_firewall_rule.assert_called_with(mock.ANY, - rule_id, - fields=mock.ANY) - self.assertEqual(exc.HTTPOk.code, res.status_int) - res = self.deserialize(res) - 
self.assertIn('firewall_rule', res) - self.assertEqual(return_value, res['firewall_rule']) - - def test_firewall_rule_update(self): - rule_id = _uuid() - update_data = {'firewall_rule': {'action': 'deny'}} - return_value = {'tenant_id': _uuid(), - 'id': rule_id} - - instance = self.plugin.return_value - instance.update_firewall_rule.return_value = return_value - - res = self.api.put(_get_path('fwaas/firewall_rules', id=rule_id, - fmt=self.fmt), - self.serialize(update_data)) - - instance.update_firewall_rule.assert_called_with( - mock.ANY, - rule_id, - firewall_rule=update_data) - self.assertEqual(exc.HTTPOk.code, res.status_int) - res = self.deserialize(res) - self.assertIn('firewall_rule', res) - self.assertEqual(return_value, res['firewall_rule']) - - def test_firewall_rule_delete(self): - self._test_entity_delete('firewall_rule') - - def test_create_firewall_policy(self): - policy_id = _uuid() - project_id = _uuid() - data = {'firewall_policy': {'description': 'descr_firewall_policy1', - 'name': 'new_fw_policy1', - 'firewall_rules': [_uuid(), _uuid()], - 'audited': False, - 'tenant_id': project_id, - 'shared': False}} - return_value = copy.copy(data['firewall_policy']) - return_value.update({'id': policy_id}) - - instance = self.plugin.return_value - instance.create_firewall_policy.return_value = return_value - res = self.api.post(_get_path('fwaas/firewall_policies', - fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt) - data['firewall_policy'].update({'project_id': project_id}) - self.assertEqual(exc.HTTPCreated.code, res.status_int) - res = self.deserialize(res) - self.assertIn('firewall_policy', res) - self.assertEqual(return_value, res['firewall_policy']) - - def test_create_firewall_policy_invalid_long_name(self): - data = {'firewall_policy': {'description': 'descr_firewall_policy1', - 'name': _long_name, - 'firewall_rules': [_uuid(), _uuid()], - 'audited': False, - 'tenant_id': _uuid(), - 'shared': False}} - res = 
self.api.post(_get_path('fwaas/firewall_policies', - fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - self.assertIn('Invalid input for name', res.body.decode('utf-8')) - - def test_create_firewall_policy_invalid_long_description(self): - data = {'firewall_policy': {'description': _long_description, - 'name': 'new_fw_policy1', - 'firewall_rules': [_uuid(), _uuid()], - 'audited': False, - 'tenant_id': _uuid(), - 'shared': False}} - res = self.api.post(_get_path('fwaas/firewall_policies', - fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - self.assertIn('Invalid input for description', - res.body.decode('utf-8')) - - def test_create_firewall_policy_invalid_long_tenant_id(self): - data = {'firewall_policy': {'description': 'desc', - 'name': 'new_fw_policy1', - 'firewall_rules': [_uuid(), _uuid()], - 'audited': False, - 'tenant_id': _long_tenant, - 'shared': False}} - res = self.api.post(_get_path('fwaas/firewall_policies', - fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - self.assertIn('Invalid input for ', res.body.decode('utf-8')) - - def test_firewall_policy_list(self): - policy_id = _uuid() - return_value = [{'tenant_id': _uuid(), - 'id': policy_id}] - - instance = self.plugin.return_value - instance.get_firewall_policies.return_value = return_value - - res = self.api.get(_get_path('fwaas/firewall_policies', - fmt=self.fmt)) - - instance.get_firewall_policies.assert_called_with(mock.ANY, - fields=mock.ANY, - filters=mock.ANY) - self.assertEqual(exc.HTTPOk.code, res.status_int) - - def test_firewall_policy_get(self): - policy_id = _uuid() - return_value = {'tenant_id': _uuid(), - 'id': policy_id} - - instance = self.plugin.return_value - instance.get_firewall_policy.return_value = return_value - - res = self.api.get(_get_path('fwaas/firewall_policies', - 
id=policy_id, fmt=self.fmt)) - - instance.get_firewall_policy.assert_called_with(mock.ANY, - policy_id, - fields=mock.ANY) - self.assertEqual(exc.HTTPOk.code, res.status_int) - res = self.deserialize(res) - self.assertIn('firewall_policy', res) - self.assertEqual(return_value, res['firewall_policy']) - - def test_firewall_policy_update(self): - policy_id = _uuid() - update_data = {'firewall_policy': {'audited': True}} - return_value = {'tenant_id': _uuid(), - 'id': policy_id} - - instance = self.plugin.return_value - instance.update_firewall_policy.return_value = return_value - - res = self.api.put(_get_path('fwaas/firewall_policies', - id=policy_id, - fmt=self.fmt), - self.serialize(update_data)) - - instance.update_firewall_policy.assert_called_with( - mock.ANY, - policy_id, - firewall_policy=update_data) - self.assertEqual(exc.HTTPOk.code, res.status_int) - res = self.deserialize(res) - self.assertIn('firewall_policy', res) - self.assertEqual(return_value, res['firewall_policy']) - - def test_firewall_policy_update_malformed_rules(self): - # emulating client request when no rule uuids are provided for - # --firewall_rules parameter - update_data = {'firewall_policy': {'firewall_rules': True}} - # have to check for generic AppError - self.assertRaises( - webtest.AppError, - self.api.put, - _get_path('fwaas/firewall_policies', id=_uuid(), fmt=self.fmt), - self.serialize(update_data)) - - def test_firewall_policy_delete(self): - self._test_entity_delete('firewall_policy') - - def test_firewall_policy_insert_rule(self): - firewall_policy_id = _uuid() - firewall_rule_id = _uuid() - ref_firewall_rule_id = _uuid() - - insert_data = {'firewall_rule_id': firewall_rule_id, - 'insert_before': ref_firewall_rule_id, - 'insert_after': None} - return_value = {'firewall_policy': - {'tenant_id': _uuid(), - 'id': firewall_policy_id, - 'firewall_rules': [ref_firewall_rule_id, - firewall_rule_id]}} - - instance = self.plugin.return_value - instance.insert_rule.return_value = 
return_value - - path = _get_path('fwaas/firewall_policies', id=firewall_policy_id, - action="insert_rule", - fmt=self.fmt) - res = self.api.put(path, self.serialize(insert_data)) - instance.insert_rule.assert_called_with(mock.ANY, firewall_policy_id, - insert_data) - self.assertEqual(exc.HTTPOk.code, res.status_int) - res = self.deserialize(res) - self.assertEqual(return_value, res) - - def test_firewall_policy_remove_rule(self): - firewall_policy_id = _uuid() - firewall_rule_id = _uuid() - - remove_data = {'firewall_rule_id': firewall_rule_id} - return_value = {'firewall_policy': - {'tenant_id': _uuid(), - 'id': firewall_policy_id, - 'firewall_rules': []}} - - instance = self.plugin.return_value - instance.remove_rule.return_value = return_value - - path = _get_path('fwaas/firewall_policies', id=firewall_policy_id, - action="remove_rule", - fmt=self.fmt) - res = self.api.put(path, self.serialize(remove_data)) - instance.remove_rule.assert_called_with(mock.ANY, firewall_policy_id, - remove_data) - self.assertEqual(exc.HTTPOk.code, res.status_int) - res = self.deserialize(res) - self.assertEqual(return_value, res) - - def test_create_firewall_group_invalid_long_attributes(self): - long_targets = [{'name': _long_name}, - {'description': _long_description}, - {'tenant_id': _long_tenant}] - - for target in long_targets: - data = {'firewall_group': {'description': 'fake_description', - 'name': 'fake_name', - 'tenant_id': 'fake-tenant_id', - 'ingress_firewall_policy_id': None, - 'egress_firewall_policy_id': None, - 'admin_state_up': True, - 'ports': [], - 'shared': False}} - data['firewall_group'].update(target) - res = self.api.post(_get_path('fwaas/firewall_groups', - fmt=self.fmt), - self.serialize(data), - content_type='application/%s' % self.fmt, - status=exc.HTTPBadRequest.code) - #TODO(njohnston): Remove this when neutron starts returning - # project_id in a dependable fashion, as opposed to tenant_id. 
- target_attr_name = list(target)[0] - if target_attr_name == 'tenant_id': - target_attr_name = '' - self.assertIn('Invalid input for %s' % target_attr_name, - res.body.decode('utf-8')) diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py index 03be98687..d825f0b60 100644 --- a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py +++ b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py @@ -28,19 +28,24 @@ import six import uuid from webob import exc +from neutron_fwaas.common import exceptions +from neutron_fwaas.common import fwaas_constants as fw_const from neutron_fwaas.db.firewall import firewall_db as fdb -import neutron_fwaas.extensions from neutron_fwaas.extensions import firewall -from neutron_fwaas.extensions import firewallrouterinsertion from neutron_fwaas.services.firewall import fwaas_plugin from neutron_fwaas.tests import base from neutron_fwaas.tests.unit.db.firewall import ( test_firewall_db as test_db_firewall) + +import neutron_lib.api.definitions +from neutron_lib.api.definitions import firewall as fw +from neutron_lib.api.definitions import firewall_v2 +from neutron_lib.api.definitions import firewallrouterinsertion from neutron_lib import constants as nl_constants from neutron_lib import context from neutron_lib.plugins import directory -extensions_path = neutron_fwaas.extensions.__path__[0] +extensions_path = neutron_lib.api.definitions.__path__[0] FW_PLUGIN_KLASS = ( "neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin" 
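Review bot: `extensions_path = neutron_lib.api.definitions.__path__[0]` in the @@ -28 hunk repoints the extension search path from neutron_fwaas/extensions to neutron-lib's api.definitions package, which holds attribute maps rather than extension classes; if this value is still handed to the test extension manager as a directory to scan, nothing loadable will be found there, whereas the in-tree `neutron_fwaas.extensions.firewall` this file still imports is what supplies `Firewall.get_resources()` in the hunk below. The hunk also leaves two near-identical names in scope, `firewall` (the in-tree extension) and `fw` (the neutron-lib definition); an alias such as `nl_firewall`, matching test_firewall_db.py in this commit, would make the two uses distinguishable at a glance. How extensions_path is consumed is outside the hunk.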
@@ -51,8 +56,8 @@ class FirewallTestExtensionManager(test_l3_plugin.L3TestExtensionManager):
 def get_resources(self):
 res = super(FirewallTestExtensionManager, self).get_resources()
- firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].update(
- firewallrouterinsertion.EXTENDED_ATTRIBUTES_2_0['firewalls'])
+ fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].update(
+ firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP['firewalls'])
 return res + firewall.Firewall.get_resources()
 def get_actions(self):
@@ -94,12 +99,12 @@ class TestFirewallRouterInsertionBase(
 self.setup_notification_driver()
 self.l3_plugin = directory.get_plugin(nl_constants.L3)
- self.plugin = directory.get_plugin('FIREWALL')
+ self.plugin = directory.get_plugin(fw_const.FIREWALL)
 self.callbacks = self.plugin.endpoints[0]
 def restore_attribute_map(self):
 # Remove the fwaasrouterinsertion extension
- firewall.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids')
+ fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop('router_ids')
 # Restore the original RESOURCE_ATTRIBUTE_MAP
 attr.RESOURCE_ATTRIBUTE_MAP = self.saved_attr_map
@@ -184,7 +189,7 @@ class TestFirewallCallbacks(TestFirewallRouterInsertionBase):
 ctx.session.flush()
 res = self.callbacks.firewall_deleted(ctx, fw_id)
 self.assertTrue(res)
- self.assertRaises(firewall.FirewallNotFound,
+ self.assertRaises(exceptions.FirewallNotFound,
 self.plugin.get_firewall,
 ctx, fw_id)
@@ -219,7 +224,7 @@ class TestFirewallCallbacks(TestFirewallRouterInsertionBase):
 observed = self.callbacks.firewall_deleted(ctx, fw_id)
 self.assertTrue(observed)
- self.assertRaises(firewall.FirewallNotFound,
+ self.assertRaises(exceptions.FirewallNotFound,
 self.plugin.get_firewall,
 ctx, fw_id)
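Review bot: In the `@@ -51,8` hunk, `get_resources` now merges `firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP['firewalls']` into `fw.RESOURCE_ATTRIBUTE_MAP['firewalls']`, a module-level map owned by neutron_lib and presumably shared by every test in the process, while `restore_attribute_map` in the `@@ -94,12` hunk undoes that by popping only the single key `'router_ids'`. If the router-insertion map carries, or later grows, any other attribute, it stays merged into the library map and leaks into subsequent test cases. Removing exactly the keys that were merged keeps setup and teardown symmetric: `for key in firewallrouterinsertion.RESOURCE_ATTRIBUTE_MAP['firewalls']:` / `    fw.RESOURCE_ATTRIBUTE_MAP['firewalls'].pop(key, None)`. Both enclosing classes continue outside these hunks.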
@@ -534,7 +539,7 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
 req = self.new_delete_request('firewalls', fw_id)
 res = req.get_response(self.ext_api)
 self.assertEqual(exc.HTTPNoContent.code, res.status_int)
- self.assertRaises(firewall.FirewallNotFound,
+ self.assertRaises(exceptions.FirewallNotFound,
 self.plugin.get_firewall,
 ctx, fw_id)
@@ -548,7 +553,7 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
 req = self.new_delete_request('firewalls', fw_id)
 res = req.get_response(self.ext_api)
 self.assertEqual(exc.HTTPNoContent.code, res.status_int)
- self.assertRaises(firewall.FirewallNotFound,
+ self.assertRaises(exceptions.FirewallNotFound,
 self.plugin.get_firewall,
 ctx, fw_id)
@@ -735,7 +740,7 @@ class TestFirewallRouterPluginBase(test_db_firewall.FirewallPluginDbTestCase,
 fdb.Firewall_db_mixin.\
 supported_extension_aliases = ["fwaas", "fwaasrouterinsertion"]
- fdb.Firewall_db_mixin.path_prefix = firewall.FIREWALL_PREFIX
+ fdb.Firewall_db_mixin.path_prefix = firewall_v2.API_PREFIX
 super(test_db_firewall.FirewallPluginDbTestCase, self).setUp(
 ext_mgr=ext_mgr,
@@ -748,7 +753,7 @@ class TestFirewallRouterPluginBase(test_db_firewall.FirewallPluginDbTestCase,
 self.ext_api = api_ext.ExtensionMiddleware(app, ext_mgr=ext_mgr)
 self.l3_plugin = directory.get_plugin(nl_constants.L3)
- self.plugin = directory.get_plugin('FIREWALL')
+ self.plugin = directory.get_plugin(fw_const.FIREWALL)
 def test_get_firewall_tenant_ids_on_host_with_associated_router(self):
 agent = helpers.register_l3_agent("host1")
diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py
index 13a9d9112..6e00b057c 100644
--- a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py
+++ b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py
@@ -19,17 +19,20 @@ from neutron.tests.unit.extensions import test_l3 as test_l3_plugin
 from oslo_config import cfg
 import six
-import neutron_fwaas.extensions
+
+from neutron_fwaas.common import exceptions
 from neutron_fwaas.extensions import firewall_v2
 from neutron_fwaas.services.firewall import fwaas_plugin_v2
 from neutron_fwaas.tests import base
 from neutron_fwaas.tests.unit.db.firewall.v2 import (
 test_firewall_db_v2 as test_db_firewall)
+
+import neutron_lib.api.definitions
 from neutron_lib import constants as nl_constants
 from neutron_lib import context
 from neutron_lib.plugins import directory
-extensions_path = neutron_fwaas.extensions.__path__[0]
+extensions_path = neutron_lib.api.definitions.__path__[0]
 FW_PLUGIN_KLASS = (
 "neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2"
@@ -111,7 +114,7 @@ class TestFirewallRouterPortBase(
 self.setup_notification_driver()
 self.l3_plugin = directory.get_plugin(nl_constants.L3)
- self.plugin = directory.get_plugin('FIREWALL_V2')
+ self.plugin = directory.get_plugin('fwaas_v2')
 self.callbacks = self.plugin.endpoints[0]
@@ -159,7 +162,7 @@ class TestFirewallCallbacks(TestFirewallRouterPortBase):
 observed = self.callbacks.firewall_group_deleted(ctx, fwg_id)
 self.assertTrue(observed)
- self.assertRaises(firewall_v2.FirewallGroupNotFound,
+ self.assertRaises(exceptions.FirewallGroupNotFound,
 self.plugin.get_firewall_group,
 ctx, fwg_id)
@@ -195,7 +198,7 @@ class TestFirewallCallbacks(TestFirewallRouterPortBase):
 ctx, fwg_id)
 self.assertTrue(observed)
- self.assertRaises(firewall_v2.FirewallGroupNotFound,
+ self.assertRaises(exceptions.FirewallGroupNotFound,
 self.plugin.get_firewall_group,
 ctx, fwg_id)
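Review bot: In the `@@ -111,7` hunk, `directory.get_plugin('fwaas_v2')` hard-codes the plugin-type string, whereas the v1 test file in this same change switches the equivalent lookups to `fw_const.FIREWALL` (the `@@ -94,12` and `@@ -748,7` hunks of test_fwaas_plugin.py). A bare literal here will drift silently from whatever the v2 plugin registers itself under, and a mismatch most likely surfaces only as a missing plugin later in setUp rather than at the point of the typo. Import `fwaas_constants as fw_const` in this file as well and use the constant that holds the v2 plugin type if one is defined there; failing that, reference the alias exported by the v2 definition module rather than a string. The enclosing setUp continues outside the hunk.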