Adds the destination and source fwg to fwr
This adds the source and destination firewall group IDs to firewall rules. Change-Id: If69b87fc58d36aa7d879ace8e73bc0f7534a1ef4
parent
86a67409e6
commit
a385656802
|
@ -47,6 +47,10 @@ _attr_map = (
|
||||||
('destination_port', 'Destination Port', column_util.LIST_LONG_ONLY),
|
('destination_port', 'Destination Port', column_util.LIST_LONG_ONLY),
|
||||||
('shared', 'Shared', column_util.LIST_LONG_ONLY),
|
('shared', 'Shared', column_util.LIST_LONG_ONLY),
|
||||||
('tenant_id', 'Project', column_util.LIST_LONG_ONLY),
|
('tenant_id', 'Project', column_util.LIST_LONG_ONLY),
|
||||||
|
('source_firewall_group_id', 'Source Firewall Group ID',
|
||||||
|
column_util.LIST_LONG_ONLY),
|
||||||
|
('destination_firewall_group_id', 'Destination Firewall Group ID',
|
||||||
|
column_util.LIST_LONG_ONLY),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -145,11 +149,30 @@ def _get_common_parser(parser):
|
||||||
'--disable-rule',
|
'--disable-rule',
|
||||||
action='store_true',
|
action='store_true',
|
||||||
help=_('Disable this rule'))
|
help=_('Disable this rule'))
|
||||||
|
src_fwg_group = parser.add_mutually_exclusive_group()
|
||||||
|
src_fwg_group.add_argument(
|
||||||
|
'--source-firewall-group',
|
||||||
|
metavar='<source-firewall-group>',
|
||||||
|
help=_('Source firewall group (name or ID)'))
|
||||||
|
src_fwg_group.add_argument(
|
||||||
|
'--no-source-firewall-group',
|
||||||
|
action='store_true',
|
||||||
|
help=_('No associated destination firewall group'))
|
||||||
|
dst_fwg_group = parser.add_mutually_exclusive_group()
|
||||||
|
dst_fwg_group.add_argument(
|
||||||
|
'--destination-firewall-group',
|
||||||
|
metavar='<destination-firewall-group>',
|
||||||
|
help=_('Destination firewall group (name or ID)'))
|
||||||
|
dst_fwg_group.add_argument(
|
||||||
|
'--no-destination-firewall-group',
|
||||||
|
action='store_true',
|
||||||
|
help=_('No associated destination firewall group'))
|
||||||
return parser
|
return parser
|
||||||
|
|
||||||
|
|
||||||
def _get_common_attrs(client_manager, parsed_args, is_create=True):
|
def _get_common_attrs(client_manager, parsed_args, is_create=True):
|
||||||
attrs = {}
|
attrs = {}
|
||||||
|
client = client_manager.neutronclient
|
||||||
if is_create:
|
if is_create:
|
||||||
if 'project' in parsed_args and parsed_args.project is not None:
|
if 'project' in parsed_args and parsed_args.project is not None:
|
||||||
attrs['tenant_id'] = osc_utils.find_project(
|
attrs['tenant_id'] = osc_utils.find_project(
|
||||||
|
@ -193,6 +216,18 @@ def _get_common_attrs(client_manager, parsed_args, is_create=True):
|
||||||
attrs['shared'] = True
|
attrs['shared'] = True
|
||||||
if parsed_args.no_share or parsed_args.private:
|
if parsed_args.no_share or parsed_args.private:
|
||||||
attrs['shared'] = False
|
attrs['shared'] = False
|
||||||
|
if parsed_args.source_firewall_group:
|
||||||
|
attrs['source_firewall_group_id'] = client.find_resource(
|
||||||
|
const.FWG, parsed_args.source_firewall_group,
|
||||||
|
cmd_resource=const.CMD_FWG)['id']
|
||||||
|
if parsed_args.no_source_firewall_group:
|
||||||
|
attrs['source_firewall_group_id'] = None
|
||||||
|
if parsed_args.destination_firewall_group:
|
||||||
|
attrs['destination_firewall_group_id'] = client.find_resource(
|
||||||
|
const.FWG, parsed_args.destination_firewall_group,
|
||||||
|
cmd_resource=const.CMD_FWG)['id']
|
||||||
|
if parsed_args.no_destination_firewall_group:
|
||||||
|
attrs['destination_firewall_group_id'] = None
|
||||||
return attrs
|
return attrs
|
||||||
|
|
||||||
|
|
||||||
|
@ -391,6 +426,16 @@ class UnsetFirewallRule(command.Command):
|
||||||
'--enable-rule',
|
'--enable-rule',
|
||||||
action='store_true',
|
action='store_true',
|
||||||
help=_('Disable this rule'))
|
help=_('Disable this rule'))
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
'--source-firewall-group',
|
||||||
|
action='store_true',
|
||||||
|
help=_('Source firewall group (name or ID)'))
|
||||||
|
|
||||||
|
parser.add_argument(
|
||||||
|
'--destination-firewall-group',
|
||||||
|
action='store_true',
|
||||||
|
help=_('Destination firewall group (name or ID)'))
|
||||||
return parser
|
return parser
|
||||||
|
|
||||||
def _get_attrs(self, client_manager, parsed_args):
|
def _get_attrs(self, client_manager, parsed_args):
|
||||||
|
@ -407,6 +452,10 @@ class UnsetFirewallRule(command.Command):
|
||||||
attrs['shared'] = False
|
attrs['shared'] = False
|
||||||
if parsed_args.enable_rule:
|
if parsed_args.enable_rule:
|
||||||
attrs['enabled'] = False
|
attrs['enabled'] = False
|
||||||
|
if parsed_args.source_firewall_group:
|
||||||
|
attrs['source_firewall_group_id'] = None
|
||||||
|
if parsed_args.source_firewall_group:
|
||||||
|
attrs['destination_firewall_group_id'] = None
|
||||||
return attrs
|
return attrs
|
||||||
|
|
||||||
def take_action(self, parsed_args):
|
def take_action(self, parsed_args):
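Review bot: In UnsetFirewallRule._get_attrs the second new branch repeats `if parsed_args.source_firewall_group:` before setting `attrs['destination_firewall_group_id'] = None`, so `--source-firewall-group` clears both group IDs and `--destination-firewall-group` on its own changes nothing. These fields decide which traffic a firewall rule matches, so the guard should read `if parsed_args.destination_firewall_group:`. In _get_common_parser the help for `--no-source-firewall-group` says 'No associated destination firewall group' and should be `help=_('No associated source firewall group'))`; the two unset flags are `store_true`, yet their help still reads '(name or ID)'. The body of _get_attrs starts outside the hunk.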
|
||||||
|
|
|
@ -127,4 +127,8 @@ class FirewallRule(FakeFWaaS):
|
||||||
('shared', False),
|
('shared', False),
|
||||||
('tenant_id', 'tenant-id-' +
|
('tenant_id', 'tenant-id-' +
|
||||||
uuidutils.generate_uuid(dashed=False)),
|
uuidutils.generate_uuid(dashed=False)),
|
||||||
|
('source_firewall_group_id', 'firewall-group-id-' +
|
||||||
|
uuidutils.generate_uuid(dashed=False)),
|
||||||
|
('destination_firewall_group_id', 'firewall-group-id-' +
|
||||||
|
uuidutils.generate_uuid(dashed=False)),
|
||||||
))
|
))
|
||||||
|
|
|
@ -37,6 +37,10 @@ CONVERT_MAP = {
|
||||||
'disable_rule': 'enabled',
|
'disable_rule': 'enabled',
|
||||||
'share': 'shared',
|
'share': 'shared',
|
||||||
'no_share': 'shared',
|
'no_share': 'shared',
|
||||||
|
'source_firewall_group': 'source_firewall_group_id',
|
||||||
|
'destination_firewall_group': 'destination_firewall_group_id',
|
||||||
|
'no_source_firewall_group': 'source_firewall_group_id',
|
||||||
|
'no_destination_firewall_group': 'destination_firewall_group_id',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -114,11 +118,14 @@ class TestFirewallRule(test_fakes.TestNeutronClientOSCV2):
|
||||||
'Destination Port',
|
'Destination Port',
|
||||||
'Shared',
|
'Shared',
|
||||||
'Project',
|
'Project',
|
||||||
|
'Source Firewall Group ID',
|
||||||
|
'Destination Firewall Group ID',
|
||||||
)
|
)
|
||||||
self.data = _generate_data()
|
self.data = _generate_data()
|
||||||
self.ordered_headers = (
|
self.ordered_headers = (
|
||||||
'Action',
|
'Action',
|
||||||
'Description',
|
'Description',
|
||||||
|
'Destination Firewall Group ID',
|
||||||
'Destination IP Address',
|
'Destination IP Address',
|
||||||
'Destination Port',
|
'Destination Port',
|
||||||
'Enabled',
|
'Enabled',
|
||||||
|
@ -128,12 +135,14 @@ class TestFirewallRule(test_fakes.TestNeutronClientOSCV2):
|
||||||
'Project',
|
'Project',
|
||||||
'Protocol',
|
'Protocol',
|
||||||
'Shared',
|
'Shared',
|
||||||
|
'Source Firewall Group ID',
|
||||||
'Source IP Address',
|
'Source IP Address',
|
||||||
'Source Port',
|
'Source Port',
|
||||||
)
|
)
|
||||||
self.ordered_data = (
|
self.ordered_data = (
|
||||||
_fwr['action'],
|
_fwr['action'],
|
||||||
_fwr['description'],
|
_fwr['description'],
|
||||||
|
_fwr['destination_firewall_group_id'],
|
||||||
_fwr['destination_ip_address'],
|
_fwr['destination_ip_address'],
|
||||||
_fwr['destination_port'],
|
_fwr['destination_port'],
|
||||||
_fwr['enabled'],
|
_fwr['enabled'],
|
||||||
|
@ -143,12 +152,14 @@ class TestFirewallRule(test_fakes.TestNeutronClientOSCV2):
|
||||||
_fwr['tenant_id'],
|
_fwr['tenant_id'],
|
||||||
_replace_display_columns('protocol', _fwr['protocol']),
|
_replace_display_columns('protocol', _fwr['protocol']),
|
||||||
_fwr['shared'],
|
_fwr['shared'],
|
||||||
|
_fwr['source_firewall_group_id'],
|
||||||
_fwr['source_ip_address'],
|
_fwr['source_ip_address'],
|
||||||
_fwr['source_port'],
|
_fwr['source_port'],
|
||||||
)
|
)
|
||||||
self.ordered_columns = (
|
self.ordered_columns = (
|
||||||
'action',
|
'action',
|
||||||
'description',
|
'description',
|
||||||
|
'destination_firewall_group_id',
|
||||||
'destination_ip_address',
|
'destination_ip_address',
|
||||||
'destination_port',
|
'destination_port',
|
||||||
'enabled',
|
'enabled',
|
||||||
|
@ -158,6 +169,7 @@ class TestFirewallRule(test_fakes.TestNeutronClientOSCV2):
|
||||||
'tenant_id',
|
'tenant_id',
|
||||||
'protocol',
|
'protocol',
|
||||||
'shared',
|
'shared',
|
||||||
|
'source_firewall_group_id',
|
||||||
'source_ip_address',
|
'source_ip_address',
|
||||||
'source_port',
|
'source_port',
|
||||||
)
|
)
|
||||||
|
@ -201,6 +213,10 @@ class TestCreateFirewallRule(TestFirewallRule, common.TestCreateFWaaS):
|
||||||
action = args.get('action') or 'deny'
|
action = args.get('action') or 'deny'
|
||||||
ip_version = args.get('ip_version') or '4'
|
ip_version = args.get('ip_version') or '4'
|
||||||
destination_port = args.get('destination_port') or '0:65535'
|
destination_port = args.get('destination_port') or '0:65535'
|
||||||
|
destination_firewall_group = args.get(
|
||||||
|
'destination_firewall_group') or 'my-dst-fwg'
|
||||||
|
source_firewall_group = args.get(
|
||||||
|
'source_firewall_group') or 'my-src-fwg'
|
||||||
tenant_id = args.get('tenant_id') or 'my-tenant'
|
tenant_id = args.get('tenant_id') or 'my-tenant'
|
||||||
arglist = [
|
arglist = [
|
||||||
'--description', description,
|
'--description', description,
|
||||||
|
@ -215,7 +231,10 @@ class TestCreateFirewallRule(TestFirewallRule, common.TestCreateFWaaS):
|
||||||
'--project', tenant_id,
|
'--project', tenant_id,
|
||||||
'--disable-rule',
|
'--disable-rule',
|
||||||
'--share',
|
'--share',
|
||||||
|
'--source-firewall-group', source_firewall_group,
|
||||||
|
'--destination-firewall-group', destination_firewall_group
|
||||||
]
|
]
|
||||||
|
|
||||||
verifylist = [
|
verifylist = [
|
||||||
('name', name),
|
('name', name),
|
||||||
('description', description),
|
('description', description),
|
||||||
|
@ -229,10 +248,23 @@ class TestCreateFirewallRule(TestFirewallRule, common.TestCreateFWaaS):
|
||||||
('action', action),
|
('action', action),
|
||||||
('disable_rule', True),
|
('disable_rule', True),
|
||||||
('project', tenant_id),
|
('project', tenant_id),
|
||||||
|
('source_firewall_group', source_firewall_group),
|
||||||
|
('destination_firewall_group', destination_firewall_group)
|
||||||
]
|
]
|
||||||
return arglist, verifylist
|
return arglist, verifylist
|
||||||
|
|
||||||
def _test_create_with_all_params(self, args={}):
|
def _test_create_with_all_params(self, args={}):
|
||||||
|
def _mock_fwr(*args, **kwargs):
|
||||||
|
if self.neutronclient.find_resource.call_count == 1:
|
||||||
|
self.neutronclient.find_resource.assert_called_once_with(
|
||||||
|
const.FWG, 'my-src-fwg', cmd_resource=const.CMD_FWG)
|
||||||
|
if self.neutronclient.find_resource.call_count == 2:
|
||||||
|
self.neutronclient.find_resource.assert_called_with(
|
||||||
|
const.FWG, 'my-dst-fwg', cmd_resource=const.CMD_FWG)
|
||||||
|
return {'id': args[1]}
|
||||||
|
|
||||||
|
self.neutronclient.find_resource.side_effect = mock.Mock(
|
||||||
|
side_effect=_mock_fwr)
|
||||||
arglist, verifylist = self._set_all_params(args)
|
arglist, verifylist = self._set_all_params(args)
|
||||||
request, response = _generate_req_and_res(verifylist)
|
request, response = _generate_req_and_res(verifylist)
|
||||||
self._update_expect_response(request, response)
|
self._update_expect_response(request, response)
|
||||||
|
@ -278,6 +310,34 @@ class TestCreateFirewallRule(TestFirewallRule, common.TestCreateFWaaS):
|
||||||
testtools.matchers._impl.MismatchError,
|
testtools.matchers._impl.MismatchError,
|
||||||
self.check_parser, self.cmd, arglist, verifylist)
|
self.check_parser, self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
def test_create_with_src_fwg_and_no(self):
|
||||||
|
fwg = 'my-fwg'
|
||||||
|
arglist = [
|
||||||
|
'--source-firewall-group', fwg,
|
||||||
|
'--no-source-firewall-group',
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
('source_firewall_group', fwg),
|
||||||
|
('no_source_firewall_group', True),
|
||||||
|
]
|
||||||
|
self.assertRaises(
|
||||||
|
utils.ParserException,
|
||||||
|
self.check_parser, self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
def test_create_with_dst_fwg_and_no(self):
|
||||||
|
fwg = 'my-fwg'
|
||||||
|
arglist = [
|
||||||
|
'--destination-firewall-group', fwg,
|
||||||
|
'--no-destination-firewall-group',
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
('destination_firewall_group', fwg),
|
||||||
|
('no_destination_firewall_group', True),
|
||||||
|
]
|
||||||
|
self.assertRaises(
|
||||||
|
utils.ParserException,
|
||||||
|
self.check_parser, self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
|
||||||
class TestListFirewallRule(TestFirewallRule):
|
class TestListFirewallRule(TestFirewallRule):
|
||||||
|
|
||||||
|
@ -326,7 +386,8 @@ class TestListFirewallRule(TestFirewallRule):
|
||||||
|
|
||||||
self.mocked.assert_called_once_with()
|
self.mocked.assert_called_once_with()
|
||||||
self.assertEqual(list(self.headers), headers)
|
self.assertEqual(list(self.headers), headers)
|
||||||
self.assertListItemEqual([self.data], list(data))
|
m = list(data)
|
||||||
|
self.assertListItemEqual([self.data], m)
|
||||||
|
|
||||||
def test_list_with_no_option(self):
|
def test_list_with_no_option(self):
|
||||||
arglist = []
|
arglist = []
|
||||||
|
@ -646,6 +707,74 @@ class TestSetFirewallRule(TestFirewallRule, common.TestSetFWaaS):
|
||||||
self.assertRaises(
|
self.assertRaises(
|
||||||
exceptions.CommandError, self.cmd.take_action, parsed_args)
|
exceptions.CommandError, self.cmd.take_action, parsed_args)
|
||||||
|
|
||||||
|
def test_set_no_destination_fwg(self):
|
||||||
|
target = self.resource['id']
|
||||||
|
arglist = [
|
||||||
|
target,
|
||||||
|
'--no-destination-firewall-group',
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
(self.res, target),
|
||||||
|
('no_destination_firewall_group', True),
|
||||||
|
]
|
||||||
|
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
|
||||||
|
result = self.cmd.take_action(parsed_args)
|
||||||
|
|
||||||
|
self.mocked.assert_called_once_with(
|
||||||
|
target, {self.res: {'destination_firewall_group_id': None}})
|
||||||
|
self.assertIsNone(result)
|
||||||
|
|
||||||
|
def test_set_no_source_fwg(self):
|
||||||
|
target = self.resource['id']
|
||||||
|
arglist = [
|
||||||
|
target,
|
||||||
|
'--no-source-firewall-group',
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
(self.res, target),
|
||||||
|
('no_source_firewall_group', True),
|
||||||
|
]
|
||||||
|
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
|
||||||
|
result = self.cmd.take_action(parsed_args)
|
||||||
|
|
||||||
|
self.mocked.assert_called_once_with(
|
||||||
|
target, {self.res: {'source_firewall_group_id': None}})
|
||||||
|
self.assertIsNone(result)
|
||||||
|
|
||||||
|
def test_create_with_src_fwg_and_no(self):
|
||||||
|
target = self.resource['id']
|
||||||
|
fwg = 'my-fwg'
|
||||||
|
arglist = [
|
||||||
|
target,
|
||||||
|
'--source-firewall-group', fwg,
|
||||||
|
'--no-source-firewall-group',
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
(self.res, target),
|
||||||
|
('source_firewall_group', fwg),
|
||||||
|
('no_source_firewall_group', True),
|
||||||
|
]
|
||||||
|
self.assertRaises(
|
||||||
|
utils.ParserException,
|
||||||
|
self.check_parser, self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
def test_create_with_dst_fwg_and_no(self):
|
||||||
|
target = self.resource['id']
|
||||||
|
fwg = 'my-fwg'
|
||||||
|
arglist = [
|
||||||
|
target,
|
||||||
|
'--destination-firewall-group', fwg,
|
||||||
|
'--no-destination-firewall-group',
|
||||||
|
]
|
||||||
|
verifylist = [
|
||||||
|
(self.res, target),
|
||||||
|
('destination_firewall_group', fwg),
|
||||||
|
('no_destination_firewall_group', True),
|
||||||
|
]
|
||||||
|
self.assertRaises(
|
||||||
|
utils.ParserException,
|
||||||
|
self.check_parser, self.cmd, arglist, verifylist)
|
||||||
|
|
||||||
|
|
||||||
class TestUnsetFirewallRule(TestFirewallRule, common.TestUnsetFWaaS):
|
class TestUnsetFirewallRule(TestFirewallRule, common.TestUnsetFWaaS):
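Review bot: None of the hunks in this test section adds a case for the unset command, so the new `--source-firewall-group` and `--destination-firewall-group` unset flags are untested; a test asserting that each flag clears only its own `*_firewall_group_id` would pin the intended behaviour. The sketch below assumes TestUnsetFirewallRule exposes the same `self.resource`, `self.res` and `self.mocked` fixtures the set tests use, which is not visible here. Separately, the two parser-conflict tests added to TestSetFirewallRule are named `test_create_with_src_fwg_and_no` and `test_create_with_dst_fwg_and_no`; a `test_set_...` prefix would match what they exercise.

```python
    def test_unset_destination_fwg(self):
        target = self.resource['id']
        arglist = [
            target,
            '--destination-firewall-group',
        ]
        verifylist = [
            (self.res, target),
            ('destination_firewall_group', True),
        ]
        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
        result = self.cmd.take_action(parsed_args)

        # Only the destination field may be cleared; the source must be untouched.
        self.mocked.assert_called_once_with(
            target, {self.res: {'destination_firewall_group_id': None}})
        self.assertIsNone(result)

    # ... mirror case for '--source-firewall-group' ...
```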
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds the remote source firewall group and the remote destination
|
||||||
|
firewall group field to the firewall rules.
|