@Override public SecurityGroup removeIpPermission(IpPermission ipPermission, SecurityGroup group) { String region = group.getLocation().getId(); RegionAndId groupRegionAndId = RegionAndId.fromSlashEncoded(group.getId()); String id = groupRegionAndId.getId(); if (!sgApi.isPresent()) { return null; org.jclouds.openstack.nova.v2_0.domain.SecurityGroup securityGroup = sgApi.get().get(id); if (!ipPermission.getCidrBlocks().isEmpty()) { for (String cidr : ipPermission.getCidrBlocks()) { for (SecurityGroupRule rule : filter(securityGroup.getRules(), and(ruleCidr(cidr), ruleProtocol(ipPermission.getIpProtocol()), ruleStartPort(ipPermission.getFromPort()), ruleEndPort(ipPermission.getToPort())))) { sgApi.get().deleteRule(rule.getId()); if (!ipPermission.getGroupIds().isEmpty()) { for (String groupId : ipPermission.getGroupIds()) { for (SecurityGroupRule rule : filter(securityGroup.getRules(), and(ruleGroup(groupId), ruleProtocol(ipPermission.getIpProtocol()), ruleStartPort(ipPermission.getFromPort()), ruleEndPort(ipPermission.getToPort())))) { sgApi.get().deleteRule(rule.getId());
/**
 * Authorizes ingress on an EC2 security group from the sources listed in {@code ipPermission}.
 *
 * <p>Each CIDR block becomes one {@code authorizeSecurityGroupIngressInRegion} call carrying the
 * permission's protocol and port range. Each (userId, groupName) pair becomes one call granting
 * ingress from that foreign group. {@code ipPermission.getGroupIds()} is not consulted by this
 * method — only CIDR blocks and tenant/group-name pairs are applied, so a caller that populates
 * groupIds alone gets no rule added.
 *
 * @param ipPermission protocol, port range and sources to allow
 * @param group        group to modify; its name and location select the EC2 group and region
 * @return the group re-read by its region-qualified id after the authorizations were issued
 */
@Override
public SecurityGroup addIpPermission(IpPermission ipPermission, SecurityGroup group) {
   String region = AWSUtils.getRegionFromLocationOrNull(group.getLocation());
   String groupName = group.getName();

   // One authorize call per CIDR source (an empty set simply adds nothing).
   for (String cidr : ipPermission.getCidrBlocks()) {
      client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(region, groupName,
            ipPermission.getIpProtocol(), ipPermission.getFromPort(), ipPermission.getToPort(), cidr);
   }

   // One authorize call per (owner account, foreign group name) pair.
   for (String ownerId : ipPermission.getTenantIdGroupNamePairs().keySet()) {
      for (String foreignGroup : ipPermission.getTenantIdGroupNamePairs().get(ownerId)) {
         client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(region, groupName,
               new UserIdGroupPair(ownerId, foreignGroup));
      }
   }

   String qualifiedId = new RegionAndName(region, groupName).slashEncode();
   return getSecurityGroupById(qualifiedId);
}
/**
 * Convenience overload: unpacks {@code ipPermission} into its protocol, port range, tenant/group
 * pairs, CIDR blocks and group ids and forwards to the field-wise {@code addIpPermission} overload.
 *
 * @param ipPermission the permission whose fields are forwarded
 * @param group        the group to modify
 * @return whatever the field-wise overload returns
 */
@Override
public SecurityGroup addIpPermission(IpPermission ipPermission, SecurityGroup group) {
   int startPort = ipPermission.getFromPort();
   int endPort = ipPermission.getToPort();
   return addIpPermission(ipPermission.getIpProtocol(), startPort, endPort,
         ipPermission.getTenantIdGroupNamePairs(), ipPermission.getCidrBlocks(),
         ipPermission.getGroupIds(), group);
}
/**
 * Authorizes ingress on a CloudStack security group, blocking on each async job via {@code jobComplete}.
 *
 * <p>CIDR sources go through {@code authorizeIngressPortsToCIDRs}; (account, groupName) pairs go
 * through {@code authorizeIngressPortsToSecurityGroups}. Each call is skipped when its source set is
 * empty. {@code ipPermission.getGroupIds()} is not applied by this method.
 *
 * <p>NOTE(review): the protocol is rendered with {@code toString().toUpperCase()} using the JVM
 * default locale; if that string ever contains a lowercase {@code i}, a Turkish default locale would
 * produce a dotted capital and a value CloudStack does not recognise. Unchanged here.
 *
 * @param ipPermission protocol, port range and sources to allow; must not be null
 * @param group        group whose id is used; neither it nor its id may be null
 * @return the group re-read by id after both jobs completed
 */
@Override
public SecurityGroup addIpPermission(IpPermission ipPermission, SecurityGroup group) {
   checkNotNull(group, "group");
   checkNotNull(ipPermission, "ipPermission");
   String groupId = checkNotNull(group.getId(), "group.getId()");
   int fromPort = ipPermission.getFromPort();
   int toPort = ipPermission.getToPort();

   if (!ipPermission.getCidrBlocks().isEmpty()) {
      String protocol = ipPermission.getIpProtocol().toString().toUpperCase();
      jobComplete.apply(api.getSecurityGroupApi().authorizeIngressPortsToCIDRs(
            groupId, protocol, fromPort, toPort, ipPermission.getCidrBlocks()));
   }

   if (!ipPermission.getTenantIdGroupNamePairs().isEmpty()) {
      String protocol = ipPermission.getIpProtocol().toString().toUpperCase();
      jobComplete.apply(api.getSecurityGroupApi().authorizeIngressPortsToSecurityGroups(
            groupId, protocol, fromPort, toPort, ipPermission.getTenantIdGroupNamePairs()));
   }

   return getSecurityGroupById(groupId);
}
/**
 * Returns true when {@code scipPermission} holds at least one permission whose from-port, to-port
 * and protocol all equal this predicate's captured {@code fromPort}, {@code toPort} and
 * {@code ipProtocol}. CIDR blocks and source groups are not compared.
 */
@Override
public boolean apply(SecurityGroup scipPermission) {
   for (IpPermission candidate : scipPermission.getIpPermissions()) {
      boolean samePorts = candidate.getFromPort() == fromPort && candidate.getToPort() == toPort;
      // Reference comparison is intended: IpProtocol values are compared by identity here, as the original did.
      if (samePorts && candidate.getIpProtocol() == ipProtocol) {
         return true;
      }
   }
   return false;
}
};
ImmutableList.of(addRule, queryAsyncJobResultAuthorizeIngress, getWithRule), ImmutableList.of(addRuleResponse, queryAsyncJobResultAuthorizeIngressResponse, getWithRuleResponse) ).getSecurityGroupExtension().get(); ImmutableSet.of("1.1.1.1/24"), emptyStringSet(), origGroup); assertEquals(1, newGroup.getIpPermissions().size()); IpPermission newPerm = Iterables.getOnlyElement(newGroup.getIpPermissions()); assertNotNull(newPerm); assertEquals(newPerm.getIpProtocol(), IpProtocol.UDP); assertEquals(newPerm.getFromPort(), 11); assertEquals(newPerm.getToPort(), 11); assertEquals(newPerm.getCidrBlocks().size(), 1); assertTrue(newPerm.getCidrBlocks().contains("1.1.1.1/24"));
/**
 * Live check that a deleted-then-recreated security group is really re-created rather than served
 * from a stale cache: after recreation a rule (TCP 1000 from 1.1.1.1/32) is added to the new group,
 * which can only succeed if the group exists on the provider, and the group is removed again.
 */
@Test(groups = {"integration", "live"}, singleThreaded = true)
public void testSecurityGroupCacheInvalidated() throws Exception {
   Optional<SecurityGroupExtension> maybeSecurity = view.getComputeService().getSecurityGroupExtension();
   assertTrue(maybeSecurity.isPresent(), "security extension was not present");
   SecurityGroupExtension security = maybeSecurity.get();

   SecurityGroup seedGroup = security.createSecurityGroup(secGroupNameToDelete, getNodeTemplate().getLocation());
   assertTrue(security.removeSecurityGroup(seedGroup.getId()), "just created security group failed deletion");

   SecurityGroup recreatedGroup = security.createSecurityGroup(secGroupNameToDelete, getNodeTemplate().getLocation());
   // Makes sure the security group exists and is re-created and is not just returned from cache
   IpPermission probeRule = IpPermission.builder()
         .fromPort(1000)
         .toPort(1000)
         .cidrBlock("1.1.1.1/32")
         .ipProtocol(IpProtocol.TCP)
         .build();
   security.addIpPermission(probeRule, recreatedGroup);

   assertTrue(security.removeSecurityGroup(recreatedGroup.getId()), "just created security group failed deletion");
}
/**
 * A CIDR set mixing a malformed block ("a.0.0.0/0") with a valid one must cause an
 * IllegalArgumentException — the bad entry is expected to be rejected rather than silently dropped.
 * The assertEquals is never reached when the test passes.
 */
@Test(expectedExceptions = IllegalArgumentException.class)
public void testAllProtocolInvalidCidrMultiple() {
   IpPermissions anyProtocol = IpPermissions.permitAnyProtocol();
   IpPermission built = IpPermission.builder()
         .ipProtocol(IpProtocol.ALL)
         .fromPort(1)
         .toPort(65535)
         .cidrBlocks(ImmutableSet.of("a.0.0.0/0", "0.0.0.0/0"))
         .build();
   assertEquals(anyProtocol, built);
}
/**
 * Authorizes one ingress permission on an EC2 security group addressed by its provider id.
 *
 * <p>The permission is assembled from the scalar arguments: protocol and port range, every CIDR in
 * {@code ipRanges}, and for each (userId, handle) in {@code tenantIdGroupNamePairs} the group id
 * taken from {@code AWSUtils.parseHandle(handle)[1]}. A single authorize call then sends it.
 * {@code groupIds} is accepted for interface compatibility but is not used here.
 *
 * @return the group re-read via {@code getSecurityGroupById(group.getId())}
 */
@Override
public SecurityGroup addIpPermission(IpProtocol protocol, int startPort, int endPort,
      Multimap<String, String> tenantIdGroupNamePairs, Iterable<String> ipRanges,
      Iterable<String> groupIds, SecurityGroup group) {
   String region = AWSUtils.getRegionFromLocationOrNull(group.getLocation());
   String providerId = group.getProviderId();

   IpPermission.Builder permission = IpPermission.builder()
         .ipProtocol(protocol)
         .fromPort(startPort)
         .toPort(endPort);

   for (String cidr : ipRanges) {
      permission.cidrBlock(cidr);
   }

   for (String ownerId : tenantIdGroupNamePairs.keySet()) {
      for (String handle : tenantIdGroupNamePairs.get(ownerId)) {
         // Handles are "region/id"; only the id part is sent to EC2.
         String foreignGroupId = AWSUtils.parseHandle(handle)[1];
         permission.tenantIdGroupNamePair(ownerId, foreignGroupId);
      }
   }

   client.getSecurityGroupApi().get()
         .authorizeSecurityGroupIngressInRegion(region, providerId, permission.build());
   return getSecurityGroupById(group.getId());
}
/**
 * Removing a group-sourced permission (TCP 22 from adrian/adriancole) issues a
 * revokeSecurityGroupIngress for rule id 5 and leaves the group with no permissions.
 * The queued exchange is: fetch group with rule, revoke, poll the async job, fetch group again
 * (empty). The apiKey and signature values are replay fixtures, not live credentials.
 */
public void testRemoveIpPermissionGroupFromIpPermission() {
   HttpRequest revokeRule = HttpRequest.builder()
         .method("GET")
         .endpoint("http://localhost:8080/client/api")
         .addQueryParam("response", "json")
         .addQueryParam("command", "revokeSecurityGroupIngress")
         .addQueryParam("id", "5")
         .addQueryParam("apiKey", "APIKEY")
         .addQueryParam("signature", "bEzvrLtO7aEWkIqJgUeTnd+0XbY=")
         .addHeader("Accept", "application/json")
         .build();

   HttpResponse getWithRuleResponse = HttpResponse.builder()
         .statusCode(200)
         .payload(payloadFromResource("/getsecuritygroupresponse_extension_byid_with_group.json"))
         .build();

   SecurityGroupExtension extension = orderedRequestsSendResponses(
         ImmutableList.of(getWithRule, revokeRule, queryAsyncJobResultAuthorizeIngress, getWithRule),
         ImmutableList.of(getWithRuleResponse, revokeRuleResponse, queryAsyncJobResultAuthorizeIngressResponse, getEmptyResponse)
   ).getSecurityGroupExtension().get();

   IpPermission.Builder sshFromGroup = IpPermission.builder()
         .ipProtocol(IpProtocol.TCP)
         .fromPort(22)
         .toPort(22);
   sshFromGroup.tenantIdGroupNamePair("adrian", "adriancole");

   SecurityGroup before = new SecurityGroupBuilder().id("13").build();
   SecurityGroup after = extension.removeIpPermission(sshFromGroup.build(), before);
   assertEquals(after.getIpPermissions().size(), 0);
}
/**
 * Converting a Nova group that carries one CIDR rule yields a SecurityGroup whose id is
 * "region/novaId", whose provider id, name and owner (tenant) are copied through, whose single
 * permission spans ports 10-20 from IP_RANGE with no source groups, and whose location is the region.
 */
@Test
public void testApplyWithCidr() {
   NovaSecurityGroupInRegionToSecurityGroup parser = createGroupParser();
   SecurityGroupInRegion source = new SecurityGroupInRegion(securityGroupWithCidr(), region.getId(), allGroups);

   SecurityGroup converted = parser.apply(source);

   String expectedId = source.getRegion() + "/" + source.getSecurityGroup().getId();
   assertEquals(converted.getId(), expectedId);
   assertEquals(converted.getProviderId(), source.getSecurityGroup().getId());
   assertEquals(converted.getName(), source.getSecurityGroup().getName());
   assertEquals(converted.getOwnerId(), source.getSecurityGroup().getTenantId());

   IpPermission onlyRule = Iterables.getOnlyElement(converted.getIpPermissions());
   assertEquals(onlyRule.getFromPort(), 10);
   assertEquals(onlyRule.getToPort(), 20);
   assertEquals(Iterables.getOnlyElement(onlyRule.getCidrBlocks()), IP_RANGE);
   assertTrue(onlyRule.getGroupIds().isEmpty());

   assertEquals(converted.getLocation().getId(), source.getRegion());
}
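/**
 * Authorizes one ingress permission on an EC2 security group addressed by its provider id.
 *
 * <p>The permission is assembled from the scalar arguments: protocol and port range, every CIDR in
 * {@code ipRanges}, and for each (userId, handle) in {@code tenantIdGroupNamePairs} the group id
 * taken from {@code AWSUtils.parseHandle(handle)[1]}. A single authorize call then sends it.
 * {@code groupIds} is accepted for interface compatibility but is not used here — callers that
 * need group-sourced access must pass it through {@code tenantIdGroupNamePairs}.
 *
 * <p>Emptiness is tested with {@code Iterables.isEmpty} / {@code Multimap.isEmpty} rather than
 * {@code size() > 0}: {@code Iterables.size} walks the whole iterable just to compare with zero.
 *
 * @param protocol               protocol of the rule
 * @param startPort              first port of the range
 * @param endPort                last port of the range
 * @param tenantIdGroupNamePairs owner account id → "region/groupId" handles of source groups
 * @param ipRanges               CIDR sources
 * @param groupIds               unused
 * @param group                  target group; its location gives the region, its provider id the EC2 group
 * @return the group re-read via {@code getSecurityGroupById(group.getId())}
 */
@Override
public SecurityGroup addIpPermission(IpProtocol protocol, int startPort, int endPort,
      Multimap<String, String> tenantIdGroupNamePairs, Iterable<String> ipRanges,
      Iterable<String> groupIds, SecurityGroup group) {
   String region = AWSUtils.getRegionFromLocationOrNull(group.getLocation());
   String id = group.getProviderId();

   IpPermission.Builder builder = IpPermission.builder();
   builder.ipProtocol(protocol);
   builder.fromPort(startPort);
   builder.toPort(endPort);

   if (!Iterables.isEmpty(ipRanges)) {
      for (String cidr : ipRanges) {
         builder.cidrBlock(cidr);
      }
   }

   if (!tenantIdGroupNamePairs.isEmpty()) {
      for (String userId : tenantIdGroupNamePairs.keySet()) {
         for (String groupString : tenantIdGroupNamePairs.get(userId)) {
            // Handles are "region/id"; only the id part is sent to EC2.
            String[] parts = AWSUtils.parseHandle(groupString);
            String groupId = parts[1];
            builder.tenantIdGroupNamePair(userId, groupId);
         }
      }
   }

   client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(region, id, builder.build());
   return getSecurityGroupById(group.getId());
}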
/**
 * Adding a CIDR permission through the field-wise overload posts exactly one
 * AuthorizeSecurityGroupIngress for sg-3c6ef654 (tcp 22-40 from 0.0.0.0/0), re-describes the group,
 * and the re-read group carries back a permission equal to {@code permByCidrBlock}.
 */
public void addIpPermissionCidrFromParams() throws Exception {
   enqueueRegions(DEFAULT_REGION);
   enqueueXml(DEFAULT_REGION, "/authorize_securitygroup_ingress_response.xml");
   enqueueXml(DEFAULT_REGION, "/describe_securitygroups_extension_cidr.xml");
   enqueueXml(DEFAULT_REGION, "/availabilityZones.xml");

   SecurityGroup updated = extension().addIpPermission(
         permByCidrBlock.getIpProtocol(),
         permByCidrBlock.getFromPort(),
         permByCidrBlock.getToPort(),
         permByCidrBlock.getTenantIdGroupNamePairs(),
         permByCidrBlock.getCidrBlocks(),
         permByCidrBlock.getGroupIds(),
         group);

   IpPermission added = Iterables.getOnlyElement(updated.getIpPermissions());
   assertEquals(added, permByCidrBlock);

   assertPosted(DEFAULT_REGION, "Action=DescribeRegions");
   assertPosted(DEFAULT_REGION, "Action=AuthorizeSecurityGroupIngress&GroupId=sg-3c6ef654&IpPermissions.0.IpProtocol=tcp&IpPermissions.0.FromPort=22&IpPermissions.0.ToPort=40&IpPermissions.0.IpRanges.0.CidrIp=0.0.0.0/0");
   assertPosted(DEFAULT_REGION, "Action=DescribeSecurityGroups&GroupId.1=sg-3c6ef654");
   assertPosted(DEFAULT_REGION, "Action=DescribeAvailabilityZones");
}
checkNotNull(ipPermission, "ipPermission"); checkNotNull(api.getNetworkApiForProject(userProject.get()).get(group.getId()) == null, "network for group is null"); ListOptions options = new ListOptions.Builder().filter("network eq .*/" + group.getName()); String uniqueFwName = namingConvention.createWithoutPrefix().uniqueNameForGroup(group.getName()); fwOptions.name(uniqueFwName); fwOptions.network(group.getUri()); if (!ipPermission.getGroupIds().isEmpty()) { fwOptions.sourceTags(ipPermission.getGroupIds()); if (!ipPermission.getCidrBlocks().isEmpty()) { fwOptions.sourceRanges(ipPermission.getCidrBlocks()); ruleBuilder.IpProtocol(ipPermission.getIpProtocol()); if (ipPermission.getToPort() > 0) { ruleBuilder.addPortRange(ipPermission.getFromPort(), ipPermission.getToPort()); MILLISECONDS).apply(operation); checkState(!operation.get().getHttpError().isPresent(), "Could not create firewall, operation failed" + operation); return getSecurityGroupById(group.getId());
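/**
 * Removes every CIDR-sourced ingress rule from the node's jclouds security group, then re-opens
 * SSH (TCP 22) from anywhere.
 *
 * <p>The group is found by the naming convention {@code jclouds#<nodeGroup>#<region>}. For each
 * matched group, every CIDR of every permission is revoked using that permission's own protocol
 * and port range, so UDP and ICMP rules are removed as well as TCP ones. (Revoking with a fixed
 * {@code IpProtocol.TCP} would not match non-TCP rules and would leave them in place.)
 *
 * <p>Not revoked: permissions whose source is another security group rather than a CIDR — only
 * {@code getCidrBlocks()} is iterated, so group-to-group grants survive a flush.
 *
 * <p>Security note: the final {@code authorize(service, node, "0.0.0.0/0", 22)} exposes SSH to
 * the whole internet. Callers that need SSH restricted to a bastion or office range must tighten
 * the rule after this method returns.
 *
 * @param service compute service whose context is unwrapped to an {@link EC2Api}
 * @param node    node whose group's rules are flushed; its id carries the region
 */
@Override
public void flush(ComputeService service, NodeMetadata node) {
   String region = AWSUtils.parseHandle(node.getId())[0];
   EC2Api ec2Api = service.getContext().unwrapApi(EC2Api.class);
   String groupName = "jclouds#" + node.getGroup() + "#" + region;

   Set<SecurityGroup> matchedSecurityGroups =
         ec2Api.getSecurityGroupApi().get().describeSecurityGroupsInRegion(region, groupName);

   for (SecurityGroup securityGroup : matchedSecurityGroups) {
      for (IpPermission ipPermission : securityGroup) {
         for (String cidr : ipPermission.getCidrBlocks()) {
            // Revoke with the rule's actual protocol so the revoke matches the rule that exists.
            ec2Api.getSecurityGroupApi().get().revokeSecurityGroupIngressInRegion(
                  region,
                  groupName,
                  ipPermission.getIpProtocol(),
                  ipPermission.getFromPort(),
                  ipPermission.getToPort(),
                  cidr);
         }
      }
   }

   // We want at least ssh access from everywhere.
   authorize(service, node, "0.0.0.0/0", 22);
}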
/**
 * Ensures a security group named after the network exists and stores its id in the network's
 * NETWORK_ID sensor.
 *
 * <p>Existing groups are matched by name, case-insensitively. When none matches, a group is created
 * in the first assignable location of the compute service and given one rule: TCP on every port
 * (1-65535) from the network's own CIDR (NETWORK_CIDR). The source is the network CIDR, not
 * 0.0.0.0/0 — keep it that way if the port range stays this wide.
 *
 * <p>Unhandled cases visible in the code: {@code getSecurityGroupExtension().get()} is called
 * without a presence check, and {@code listAssignableLocations().iterator().next()} throws when the
 * service reports no locations.
 *
 * @param network network whose NETWORK_ID config names the group and whose NETWORK_CIDR scopes the rule
 */
@Override
public void provisionNetwork(VirtualNetwork network) {
   String wantedName = network.config().get(VirtualNetwork.NETWORK_ID);
   SecurityGroupExtension securityGroups = location.getComputeService().getSecurityGroupExtension().get();

   // Look for existing security group with the desired name
   String groupId = null;
   for (SecurityGroup candidate : securityGroups.listSecurityGroups()) {
      if (candidate.getName().equalsIgnoreCase(wantedName)) {
         groupId = candidate.getId();
         break;
      }
   }

   // If not found then create a new group
   if (groupId == null) {
      Location region = location.getComputeService().listAssignableLocations().iterator().next();
      SecurityGroup created = securityGroups.createSecurityGroup(wantedName, region);
      groupId = created.getId();

      IpPermission allTcpFromNetwork = IpPermission.builder()
            .cidrBlock(network.config().get(VirtualNetwork.NETWORK_CIDR).toString())
            .ipProtocol(IpProtocol.TCP)
            .fromPort(1)
            .toPort(65535)
            .build();
      securityGroups.addIpPermission(allTcpFromNetwork, created);

      LOG.info("Added new security group {} with ID {}: {}", new Object[] { created.getName(), groupId, allTcpFromNetwork.toString() });
   }

   // Use the OpenStack UUID as the virtual network id
   network.sensors().set(VirtualNetwork.NETWORK_ID, groupId);
}
/**
 * In-memory removal of one ingress permission: rebuilds {@code group} without every permission
 * that {@code equals} the one described by the arguments, and stores the result in {@code groups}
 * under the group's id (replacing any previous entry).
 *
 * <p>Because matching is by {@code equals} on the whole permission, the arguments must reproduce the
 * stored permission exactly (protocol, ports and every source set); a partial match removes nothing.
 */
@Override
public SecurityGroup removeIpPermission(IpProtocol protocol, int startPort, int endPort,
      Multimap<String, String> tenantIdGroupNamePairs, Iterable<String> ipRanges,
      Iterable<String> groupIds, SecurityGroup group) {
   IpPermission.Builder toRemove = IpPermission.builder()
         .ipProtocol(protocol)
         .fromPort(startPort)
         .toPort(endPort);
   if (!tenantIdGroupNamePairs.isEmpty()) {
      toRemove.tenantIdGroupNamePairs(tenantIdGroupNamePairs);
   }
   if (!Iterables.isEmpty(ipRanges)) {
      toRemove.cidrBlocks(ipRanges);
   }
   if (!Iterables.isEmpty(groupIds)) {
      toRemove.groupIds(groupIds);
   }
   IpPermission target = toRemove.build();

   SecurityGroupBuilder rebuilt = SecurityGroupBuilder.fromSecurityGroup(checkNotNull(group, "group"));
   // No-arg call kept from the original; presumably resets the copied permissions before filtering.
   rebuilt.ipPermissions();
   rebuilt.ipPermissions(filter(group.getIpPermissions(), not(equalTo(target))));
   SecurityGroup updated = rebuilt.build();

   String key = updated.getId();
   if (groups.containsKey(key)) {
      groups.remove(key);
   }
   groups.put(key, updated);
   return updated;
}
/**
 * Converts a Nova {@code SecurityGroupRule} into a provider-neutral {@code IpPermission}.
 *
 * <p>Protocol and port range are copied directly. A source group is resolved by name: the first
 * region in {@code locationIndex} that holds a group of that name is picked, the group is looked up
 * in {@code groupMap}, and "region/novaGroupId" is recorded as the group id; when no region holds
 * the name, no group id is added. A CIDR source is copied when present.
 *
 * <p>NOTE(review): the by-name lookup takes the first region with a matching name, so identically
 * named groups in several regions may resolve to the wrong one — confirm against the caller.
 */
@Override
public IpPermission apply(SecurityGroupRule rule) {
   IpPermission.Builder permission = IpPermission.builder()
         .ipProtocol(rule.getIpProtocol())
         .fromPort(rule.getFromPort())
         .toPort(rule.getToPort());

   if (rule.getGroup() != null) {
      String sourceGroupName = rule.getGroup().getName();
      Iterable<String> regionsWithGroup = filter(locationIndex.get().keySet(), isSecurityGroupInRegion(sourceGroupName));
      String region = getFirst(regionsWithGroup, null);
      if (region != null) {
         SecurityGroupInRegion sourceGroup = groupMap.getUnchecked(RegionAndName.fromRegionAndName(region, sourceGroupName));
         permission.groupId(region + "/" + sourceGroup.getSecurityGroup().getId());
      }
   }

   if (rule.getIpRange() != null) {
      permission.cidrBlock(rule.getIpRange());
   }

   return permission.build();
}
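/**
 * In-memory removal of one ingress permission: rebuilds {@code group} without every permission
 * that {@code equals} the one described by the arguments, and stores the result in {@code groups}
 * under the group's id (replacing any previous entry).
 *
 * <p>Matching is by {@code equals} on the whole permission, so the arguments must reproduce the
 * stored permission exactly (protocol, ports and every source set); a partial match removes nothing.
 *
 * <p>Emptiness is tested with {@code Multimap.isEmpty} / {@code Iterables.isEmpty} rather than
 * {@code size() > 0}: {@code Iterables.size} walks the whole iterable just to compare with zero.
 *
 * @param protocol               protocol of the permission to remove
 * @param startPort              first port of the range
 * @param endPort                last port of the range
 * @param tenantIdGroupNamePairs tenant → group-name sources; applied only when non-empty
 * @param ipRanges               CIDR sources; applied only when non-empty
 * @param groupIds               source group ids; applied only when non-empty
 * @param group                  group to copy from; must not be null
 * @return the rebuilt group, also stored in {@code groups}
 */
@Override
public SecurityGroup removeIpPermission(IpProtocol protocol, int startPort, int endPort,
      Multimap<String, String> tenantIdGroupNamePairs, Iterable<String> ipRanges,
      Iterable<String> groupIds, SecurityGroup group) {
   IpPermission.Builder ipBuilder = IpPermission.builder();
   ipBuilder.ipProtocol(protocol);
   ipBuilder.fromPort(startPort);
   ipBuilder.toPort(endPort);
   if (!tenantIdGroupNamePairs.isEmpty()) {
      ipBuilder.tenantIdGroupNamePairs(tenantIdGroupNamePairs);
   }
   if (!Iterables.isEmpty(ipRanges)) {
      ipBuilder.cidrBlocks(ipRanges);
   }
   if (!Iterables.isEmpty(groupIds)) {
      ipBuilder.groupIds(groupIds);
   }
   IpPermission perm = ipBuilder.build();

   SecurityGroupBuilder builder = SecurityGroupBuilder.fromSecurityGroup(checkNotNull(group, "group"));
   // No-arg call kept from the original; presumably resets the copied permissions before filtering.
   builder.ipPermissions();
   builder.ipPermissions(filter(group.getIpPermissions(), not(equalTo(perm))));
   SecurityGroup newGroup = builder.build();

   if (groups.containsKey(newGroup.getId())) {
      groups.remove(newGroup.getId());
   }
   groups.put(newGroup.getId(), newGroup);
   return newGroup;
}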