@Test public void testAddPermissionsToNode() { IpPermission ssh = newPermission(22); IpPermission jmx = newPermission(31001); SecurityGroup sharedGroup = newGroup(customizer.getNameForSharedSecurityGroup()); SecurityGroup group = newGroup("id"); when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(sharedGroup, group)); SecurityGroup updatedSecurityGroup = newGroup("id", ImmutableSet.of(ssh, jmx)); when(securityApi.addIpPermission(ssh, group)).thenReturn(updatedSecurityGroup); when(securityApi.addIpPermission(jmx, group)).thenReturn(updatedSecurityGroup); when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2"); customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(ssh, jmx)); verify(securityApi, never()).createSecurityGroup(anyString(), any(Location.class)); verify(securityApi, times(1)).addIpPermission(ssh, group); verify(securityApi, times(1)).addIpPermission(jmx, group); }
@Override public void provisionNetwork(VirtualNetwork network) { String name = network.config().get(VirtualNetwork.NETWORK_ID); SecurityGroupExtension extension = location.getComputeService().getSecurityGroupExtension().get(); Set<SecurityGroup> groups = extension.listSecurityGroups(); String id = null; // Look for existing security group with the desired name for (SecurityGroup each : groups) { if (each.getName().equalsIgnoreCase(name)) { id = each.getId(); break; } } // If not found then create a new group if (id == null) { Location region = location.getComputeService().listAssignableLocations().iterator().next(); SecurityGroup added = extension.createSecurityGroup(name, region); id = added.getId(); IpPermission rules = IpPermission.builder() .cidrBlock(network.config().get(VirtualNetwork.NETWORK_CIDR).toString()) .ipProtocol(IpProtocol.TCP) .fromPort(1) .toPort(65535) .build(); extension.addIpPermission(rules, added); LOG.info("Added new security group {} with ID {}: {}", new Object[] { added.getName(), id, rules.toString() }); } // Use the OpenStack UUID as the virtual network id network.sensors().set(VirtualNetwork.NETWORK_ID, id); }
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionsFromSpec") public void testAddIpPermissionForAnyProtocol() { ComputeService computeService = view.getComputeService(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security group extension was not present"); SecurityGroup group = securityGroupExtension.get().getSecurityGroupById(groupId); assertNotNull(group, "No security group was found with id: " + groupId); IpPermission openAll = IpPermissions.permitAnyProtocol(); SecurityGroup allOpenSecurityGroup = securityGroupExtension.get().addIpPermission(openAll, group); assertTrue(allOpenSecurityGroup.getIpPermissions().contains(openAll)); }
@Test public void testSharedGroupLoadedWhenItExistsButIsNotCached() { Template template = mock(Template.class); TemplateOptions templateOptions = mock(TemplateOptions.class); when(template.getLocation()).thenReturn(location); when(template.getOptions()).thenReturn(templateOptions); JcloudsLocation jcloudsLocation = new JcloudsLocation(MutableMap.of("deferConstruction", true)); SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup()); SecurityGroup irrelevant = newGroup("irrelevant"); when(securityApi.createSecurityGroup(shared.getName(), location)).thenReturn(shared); when(securityApi.createSecurityGroup(irrelevant.getName(), location)).thenReturn(irrelevant); when(securityApi.listSecurityGroupsInLocation(location)).thenReturn(ImmutableSet.of(irrelevant, shared)); when(securityApi.addIpPermission(any(IpPermission.class), eq(shared))).thenReturn(shared); when(securityApi.addIpPermission(any(IpPermission.class), eq(irrelevant))).thenReturn(irrelevant); customizer.customize(jcloudsLocation, computeService, template); verify(securityApi).listSecurityGroupsInLocation(location); verify(securityApi, never()).createSecurityGroup(anyString(), any(Location.class)); }
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testGetSecurityGroupById") public void testAddIpPermission() { skipIfSecurityGroupsNotSupported(); ComputeService computeService = view.getComputeService(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security group extension was not present"); Optional<SecurityGroup> optGroup = getGroup(securityGroupExtension.get()); assertTrue(optGroup.isPresent()); SecurityGroup group = optGroup.get(); IpPermission portRangeIpPermission = createPortRangePermission(); IpPermission singlePortIpPermission = createSinglePortPermission(); Set<IpPermission> expectedPermissions = ImmutableSet.of(portRangeIpPermission, singlePortIpPermission); SecurityGroup onePermissionAdded = securityGroupExtension.get().addIpPermission(portRangeIpPermission, group); SecurityGroup twoPermissionsAdded = securityGroupExtension.get().addIpPermission(singlePortIpPermission, onePermissionAdded); assertEquals(twoPermissionsAdded.getIpPermissions(), expectedPermissions); }
@Test(groups = {"integration", "live"}, singleThreaded = true) public void testSecurityGroupCacheInvalidated() throws Exception { ComputeService computeService = view.getComputeService(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security extension was not present"); final SecurityGroupExtension security = securityGroupExtension.get(); final SecurityGroup seedGroup = security.createSecurityGroup(secGroupNameToDelete, getNodeTemplate().getLocation()); boolean deleted = security.removeSecurityGroup(seedGroup.getId()); assertTrue(deleted, "just created security group failed deletion"); final SecurityGroup recreatedGroup = security.createSecurityGroup(secGroupNameToDelete, getNodeTemplate().getLocation()); // Makes sure the security group exists and is re-created and is not just returned from cache security.addIpPermission(IpPermission.builder() .fromPort(1000) .toPort(1000) .cidrBlock("1.1.1.1/32") .ipProtocol(IpProtocol.TCP) .build(), recreatedGroup); boolean deleted2 = security.removeSecurityGroup(recreatedGroup.getId()); assertTrue(deleted2, "just created security group failed deletion"); }
@Test public void testRemoveMultiplePermissionsFromNode() { IpPermission ssh = newPermission(22); IpPermission jmx = newPermission(31001); SecurityGroup sharedGroup = newGroup(customizer.getNameForSharedSecurityGroup()); SecurityGroup group = newGroup("id"); when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(sharedGroup, group)); SecurityGroup updatedSecurityGroup = newGroup("id", ImmutableSet.of(ssh, jmx)); when(securityApi.addIpPermission(ssh, group)).thenReturn(updatedSecurityGroup); when(securityApi.addIpPermission(jmx, group)).thenReturn(updatedSecurityGroup); when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2"); customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(ssh, jmx)); when(securityApi.removeIpPermission(ssh, group)).thenReturn(updatedSecurityGroup); when(securityApi.removeIpPermission(jmx, group)).thenReturn(updatedSecurityGroup); customizer.removePermissionsFromLocation(jcloudsMachineLocation, ImmutableList.of(ssh, jmx)); verify(securityApi, times(1)).removeIpPermission(ssh, group); verify(securityApi, times(1)).removeIpPermission(jmx, group); }
@Test public void testSecurityGroupAddedWhenJcloudsLocationCustomised() { Template template = mock(Template.class); TemplateOptions templateOptions = mock(TemplateOptions.class); when(template.getLocation()).thenReturn(location); when(template.getOptions()).thenReturn(templateOptions); SecurityGroup group = newGroup("id"); when(securityApi.createSecurityGroup(anyString(), eq(location))).thenReturn(group); when(securityApi.addIpPermission(any(IpPermission.class), eq(group))).thenReturn(group); // Two Brooklyn.JcloudsLocations added to same Jclouds.Location JcloudsLocation jcloudsLocationA = new JcloudsLocation(MutableMap.of("deferConstruction", true)); JcloudsLocation jcloudsLocationB = new JcloudsLocation(MutableMap.of("deferConstruction", true)); customizer.customize(jcloudsLocationA, computeService, template); customizer.customize(jcloudsLocationB, computeService, template); // One group with three permissions shared by both locations. // Expect TCP, UDP and ICMP between members of group and SSH to Brooklyn verify(securityApi).createSecurityGroup(anyString(), eq(location)); verify(securityApi, times(4)).addIpPermission(any(IpPermission.class), eq(group)); // New groups set on options verify(templateOptions, times(2)).securityGroups(anyString()); }
private Optional<SecurityGroup> getGroup(SecurityGroupExtension ext) { return Iterables.tryFind(ext.listSecurityGroups(), new Predicate<SecurityGroup>() { @Override public boolean apply(SecurityGroup input) { return input.getId().equals(groupId); } }); }
@Test public void testSecurityGroupsLoadedWhenAddingPermissionsToUncachedNode() { IpPermission ssh = newPermission(22); SecurityGroup sharedGroup = newGroup(customizer.getNameForSharedSecurityGroup()); SecurityGroup uniqueGroup = newGroup("unique"); when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(sharedGroup, uniqueGroup)); when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2"); SecurityGroup updatedSecurityGroup = newGroup(uniqueGroup.getId(), ImmutableSet.of(ssh)); when(securityApi.addIpPermission(ssh, sharedGroup)).thenReturn(updatedSecurityGroup); SecurityGroup updatedUniqueSecurityGroup = newGroup(uniqueGroup.getId(), ImmutableSet.of(ssh)); when(securityApi.addIpPermission(ssh, updatedUniqueSecurityGroup)).thenReturn(updatedUniqueSecurityGroup); // Expect first call to list security groups on nodeId, second to use cached version customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableSet.of(ssh)); customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableSet.of(ssh)); verify(securityApi, times(1)).listSecurityGroupsForNode(NODE_ID); verify(securityApi, times(2)).addIpPermission(ssh, uniqueGroup); verify(securityApi, never()).addIpPermission(any(IpPermission.class), eq(sharedGroup)); }
@Test(groups = {"integration", "live"}, singleThreaded = true) public void testListSecurityGroups() throws Exception { skipIfSecurityGroupsNotSupported(); final long begin = new Date().getTime(); ComputeService computeService = view.getComputeService(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security extension was not present"); logger.info("Loading security groups"); final SecurityGroupExtension security = securityGroupExtension.get(); Set<SecurityGroup> beforeAdd = security.listSecurityGroups(); int countBeforeAdd = beforeAdd.size(); logger.info("Found %d security groups", countBeforeAdd); String someUnlikelyName = String.valueOf(new Random().nextInt(1000000) + 1000000); logger.info("Adding security group %s", someUnlikelyName); final SecurityGroup testGroup = security.createSecurityGroup(someUnlikelyName, getNodeTemplate().getLocation()); try { verifyAndDeleteSecurityGroup(security, countBeforeAdd, testGroup); } catch (Exception e) { logger.error(e, "Exception caught, live test leaking security group %s", testGroup.getName()); throw e; } final long end = new Date().getTime(); assertTrue(end - begin < TimeUnit.MINUTES.toMillis(5)); // see https://issues.apache.org/jira/browse/JCLOUDS-1235 }
@Test public void testAddPermissionWhenNoExtension() { IpPermission ssh = newPermission(22); IpPermission jmx = newPermission(31001); when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(Collections.<SecurityGroup>emptySet()); RuntimeException exception = null; try { customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(ssh, jmx)); } catch(RuntimeException e){ exception = e; } assertNotNull(exception); }
@Test(groups = { "integration", "live" }, singleThreaded = true) public void testCreateSecurityGroup() throws RunNodesException, InterruptedException, ExecutionException { skipIfSecurityGroupsNotSupported(); ComputeService computeService = view.getComputeService(); Location location = getNodeTemplate().getLocation(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security extension was not present"); SecurityGroup group = securityGroupExtension.get().createSecurityGroup(secGroupName, location); logger.info("Group created: %s", group); assertTrue(group.getName().contains(secGroupName)); groupId = group.getId(); }
private void verifyAndDeleteSecurityGroup(SecurityGroupExtension security, int countBeforeAdd, final SecurityGroup testGroup) { logger.info("Loading security groups"); Set<SecurityGroup> afterAdd = security.listSecurityGroups(); final int countAfterAdd = afterAdd.size(); logger.info("Found %d security groups", countAfterAdd); assertEquals(countAfterAdd, countBeforeAdd + 1); final Predicate<SecurityGroup> findTestGroup = new Predicate<SecurityGroup>() { @Override public boolean apply(SecurityGroup input) { return input.getName().equals(testGroup.getName()); } }; final SecurityGroup created = Iterables.find(afterAdd, findTestGroup); assertNotNull(created, "Did not find security group created as expected"); logger.info("Removing %s", testGroup.getName()); security.removeSecurityGroup(testGroup.getId()); logger.info("Loading security groups"); Set<SecurityGroup> afterRemove = security.listSecurityGroups(); final int sizeAfterRemove = afterRemove.size(); logger.info("Found %d security groups", sizeAfterRemove); assertEquals(sizeAfterRemove, countBeforeAdd); final Optional<SecurityGroup> removed = Iterables.tryFind(afterRemove, findTestGroup); assertTrue(!removed.isPresent(), "Did not remove test security group as expected"); } }
Iterable<String> securityGroupNames = Iterables.transform(securityGroupExtension.listSecurityGroups(), new Function<org.jclouds.compute.domain.SecurityGroup, String>() { @Override public String apply(@Nullable org.jclouds.compute.domain.SecurityGroup input) { for (SecurityGroup existingSecurityGroup : securityGroupExtension.listSecurityGroupsInLocation(template.getLocation())) { securityGroupCache.put(new RegionSecurityGroupNameAndPorts(region, existingSecurityGroup.getName(), inboundPorts), existingSecurityGroup);
SecurityGroup newGroup = securityGroupExtension.get().addIpPermission(IpProtocol.TCP, 50, 60, if (securityGroupExtension.get().supportsGroupIds()) { IpPermission.Builder secondBuilder = IpPermission.builder(); if (securityGroupExtension.get().supportsPortRangesForGroups()) { fromPort = 70; toPort = 80; SecurityGroup secondNewGroup = securityGroupExtension.get().addIpPermission(IpProtocol.TCP, fromPort, toPort, if (securityGroupExtension.get().supportsTenantIdGroupNamePairs() || securityGroupExtension.get().supportsTenantIdGroupIdPairs()) { IpPermission.Builder thirdBuilder = IpPermission.builder(); if (securityGroupExtension.get().supportsPortRangesForGroups()) { fromPort = 90; toPort = 100; thirdBuilder.fromPort(fromPort); thirdBuilder.toPort(toPort); if (securityGroupExtension.get().supportsTenantIdGroupIdPairs()) { thirdBuilder.tenantIdGroupNamePair(group.getOwnerId(), group.getProviderId()); } else if (securityGroupExtension.get().supportsTenantIdGroupNamePairs()) { thirdBuilder.tenantIdGroupNamePair(group.getOwnerId(), group.getName());
public boolean removeSecurityGroupCreatedByJcloudsAndInvalidateCache(Set<String> tags) { String securityGroupIdCreatedByJclouds = getSecurityGroupIdCreatedByJclouds(tags); if (securityGroupIdCreatedByJclouds == null) return true; return securityGroupExtension.removeSecurityGroup(securityGroupIdCreatedByJclouds); }
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionsFromSpec") public void testAddIpPermissionWithCidrExclusionGroup() { skipIfSecurityGroupsNotSupported(); ComputeService computeService = view.getComputeService(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security group extension was not present"); if (!securityGroupExtension.get().supportsExclusionCidrBlocks()) { throw new SkipException("Test cannot run without CIDR exclusion groups available."); } Optional<SecurityGroup> optGroup = getGroup(securityGroupExtension.get()); assertTrue(optGroup.isPresent()); SecurityGroup group = optGroup.get(); IpPermission cidrExclusionPermission = createCidrExclusionPermission(); Set<IpPermission> expectedPermissions = ImmutableSet.of(cidrExclusionPermission); SecurityGroup securityGroupWithExclusion = securityGroupExtension.get().addIpPermission(cidrExclusionPermission, group); assertTrue(securityGroupWithExclusion.getIpPermissions().containsAll(expectedPermissions)); }
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testCreateSecurityGroup") public void testGetSecurityGroupById() throws RunNodesException, InterruptedException, ExecutionException { skipIfSecurityGroupsNotSupported(); ComputeService computeService = view.getComputeService(); Location location = getNodeTemplate().getLocation(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security extension was not present"); SecurityGroup group = securityGroupExtension.get().getSecurityGroupById(groupId); logger.info("Group found: %s", group); assertTrue(group.getName().contains(secGroupName)); }
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermission") public void testRemoveIpPermission() { skipIfSecurityGroupsNotSupported(); ComputeService computeService = view.getComputeService(); Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension(); assertTrue(securityGroupExtension.isPresent(), "security group extension was not present"); Optional<SecurityGroup> optGroup = getGroup(securityGroupExtension.get()); assertTrue(optGroup.isPresent()); SecurityGroup group = optGroup.get(); IpPermission portRangeIpPermission = createPortRangePermission(); IpPermission singlePortIpPermission = createSinglePortPermission(); SecurityGroup newGroup = securityGroupExtension.get().removeIpPermission(portRangeIpPermission, group); SecurityGroup emptyGroup = securityGroupExtension.get().removeIpPermission(singlePortIpPermission, newGroup); assertEquals(Iterables.size(emptyGroup.getIpPermissions()), 0, "Group should have no permissions, but has " + Iterables.size(emptyGroup.getIpPermissions())); }