Apply SSH security settings from UI

This commit change restriction for SSH access only from networks
provided on UI instead of all local networks by default.

DocImpact
Depends-On: I34c9907d781b81253ed6942c67b16f8480de3bb5
Change-Id: Ifca70a377c74d233fbca50de7245bce01079ad56
Closes-Bug: #1419657
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>

deployment/puppet/osnailyfacter/manifests/firewall/firewall.pp

@@ -5,6 +5,7 @@ class osnailyfacter::firewall::firewall {
   $network_scheme   = hiera_hash('network_scheme', {})
   $network_metadata = hiera_hash('network_metadata')
   $ironic_hash      = hiera_hash('ironic', {})
+  $ssh_hash         = hiera_hash('ssh', {})
   $roles            = hiera('roles')
   $storage_hash     = hiera('storage', {})
 
@@ -108,11 +109,19 @@ class osnailyfacter::firewall::firewall {
     action => 'accept',
   }
 
+  $all_networks = concat($admin_nets, $management_nets, $storage_nets)
+
+  if $ssh_hash['security_enabled'] {
+    $ssh_networks = pick($ssh_hash['security_networks'], $all_networks)
+  } else {
+    $ssh_networks = $all_networks
+  }
+
   openstack::firewall::multi_net {'020 ssh':
     port        => $ssh_port,
     proto       => 'tcp',
     action      => 'accept',
-    source_nets => concat($admin_nets, $management_nets, $storage_nets),
+    source_nets => $ssh_networks,
   }
 
   openstack::firewall::multi_net {'109 iscsi':
@@ -488,10 +497,10 @@ class osnailyfacter::firewall::firewall {
     if $storage_hash['objects_ceph'] {
       if member($roles, 'primary-controller') or member($roles, 'controller') {
         firewall {'012 RadosGW allow':
-          chain   => 'INPUT',
-          dport   => [ $radosgw_port, $swift_proxy_port ],
-          proto   => 'tcp',
-          action  => accept,
+          chain  => 'INPUT',
+          dport  => [ $radosgw_port, $swift_proxy_port ],
+          proto  => 'tcp',
+          action => accept,
         }
       }
     }

tests/noop/spec/hosts/firewall/firewall_spec.rb

@@ -23,6 +23,10 @@ describe manifest do
       Noop.puppet_function 'prepare_network_config', network_scheme
     end
 
+    let(:admin_nets) do
+      Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'fw-admin'
+    end
+
     let(:management_nets) do
       Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'management'
     end
@@ -55,6 +59,24 @@ describe manifest do
     roles = network_metadata['nodes'][node_name]['node_roles']
     mongodb_port = Noop.hiera('mongodb_port', '27017')
 
+    ssh_hash = Noop.hiera_hash 'ssh', {}
+
+    it 'should accept connections to the SSH service only from specified networks' do
+
+      if ssh_hash['security_enabled']
+        ssh_networks = Noop.puppet_function 'pick', ssh_hash['security_networks'], Noop.puppet_function, 'concat', admin_nets, management_nets, storage_nets
+      else
+        ssh_networks = Noop.puppet_function 'concat', admin_nets, management_nets, storage_nets
+      end
+
+      should contain_openstack__firewall__multi_net('020 ssh').with(
+        'port'        => [ 22 ],
+        'proto'       => 'tcp',
+        'action'      => 'accept',
+        'source_nets' => ssh_networks,
+      )
+    end
+
     if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
       it 'should properly restrict rabbitmq admin traffic' do
         should contain_firewall('005 local rabbitmq admin').with(