/**
 * Live check that the "permit any protocol" rule can be added to the pre-existing group
 * and is then reported back among the group's permissions.
 */
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionsFromSpec")
public void testAddIpPermissionForAnyProtocol() {
    Optional<SecurityGroupExtension> maybeExtension = view.getComputeService().getSecurityGroupExtension();
    assertTrue(maybeExtension.isPresent(), "security group extension was not present");
    SecurityGroupExtension extension = maybeExtension.get();

    SecurityGroup existing = extension.getSecurityGroupById(groupId);
    assertNotNull(existing, "No security group was found with id: " + groupId);

    // permitAnyProtocol() is the widest rule the API offers; the live group is widened with it
    IpPermission permitAll = IpPermissions.permitAnyProtocol();
    SecurityGroup widened = extension.addIpPermission(permitAll, existing);
    assertTrue(widened.getIpPermissions().contains(permitAll));
}
/**
 * Rules requested for a node are applied to the node's own group; no new group is created
 * and the shared group is left untouched.
 */
@Test
public void testAddPermissionsToNode() {
    IpPermission sshRule = newPermission(22);
    IpPermission jmxRule = newPermission(31001);
    SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup nodeGroup = newGroup("id");
    SecurityGroup nodeGroupWithBoth = newGroup("id", ImmutableSet.of(sshRule, jmxRule));

    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(shared, nodeGroup));
    when(securityApi.addIpPermission(sshRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(securityApi.addIpPermission(jmxRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");

    customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(sshRule, jmxRule));

    verify(securityApi, never()).createSecurityGroup(anyString(), any(Location.class));
    // verify(mock) defaults to exactly one invocation
    verify(securityApi).addIpPermission(sshRule, nodeGroup);
    verify(securityApi).addIpPermission(jmxRule, nodeGroup);
}
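/**
 * With the default (no-retry) predicate a provider failure on {@code addIpPermission} must
 * surface to the caller after a single attempt.
 *
 * <p>The stub always throws, so the call inside the {@code try} is required to fail; a
 * silent return would previously have passed this test unnoticed.
 */
@Test
public void testAddRuleNotRetriedByDefault() {
    IpPermission ssh = newPermission(22);
    SecurityGroup sharedGroup = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup uniqueGroup = newGroup("unique");
    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(sharedGroup, uniqueGroup));
    when(securityApi.addIpPermission(eq(ssh), eq(uniqueGroup)))
            .thenThrow(new RuntimeException("exception creating " + ssh));
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");

    try {
        customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(ssh));
        // AssertionError is not an Exception, so the catch below cannot mask this failure.
        throw new AssertionError("expected addPermissionsToLocation to propagate the provider error");
    } catch (Exception e) {
        assertTrue(e.getMessage().contains("repeated errors from provider"), "message=" + e.getMessage());
    }

    // Not retried: exactly one attempt against the provider, and no fallback group created
    verify(securityApi, never()).createSecurityGroup(anyString(), any(Location.class));
    verify(securityApi, times(1)).addIpPermission(ssh, uniqueGroup);
}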
/**
 * The first request for a node fetches its groups from the provider; the second must reuse
 * the cached set, so {@code listSecurityGroupsForNode} is invoked exactly once.
 */
@Test
public void testSecurityGroupsLoadedWhenAddingPermissionsToUncachedNode() {
    IpPermission sshRule = newPermission(22);
    SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup perNode = newGroup("unique");
    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(shared, perNode));
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");

    SecurityGroup perNodeWithSsh = newGroup(perNode.getId(), ImmutableSet.of(sshRule));
    // Stubbed for completeness; the final verify expects this path never to be taken
    when(securityApi.addIpPermission(sshRule, shared)).thenReturn(perNodeWithSsh);
    SecurityGroup perNodeWithSshAgain = newGroup(perNode.getId(), ImmutableSet.of(sshRule));
    when(securityApi.addIpPermission(sshRule, perNodeWithSshAgain)).thenReturn(perNodeWithSshAgain);

    // First call lists the node's groups; second call must hit the cache
    customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableSet.of(sshRule));
    customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableSet.of(sshRule));

    verify(securityApi).listSecurityGroupsForNode(NODE_ID);
    verify(securityApi, times(2)).addIpPermission(sshRule, perNode);
    verify(securityApi, never()).addIpPermission(any(IpPermission.class), eq(shared));
}
/**
 * Live check that two rules added in sequence both end up on the group, the second call
 * being fed the group returned by the first.
 */
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testGetSecurityGroupById")
public void testAddIpPermission() {
    skipIfSecurityGroupsNotSupported();
    Optional<SecurityGroupExtension> maybeExtension = view.getComputeService().getSecurityGroupExtension();
    assertTrue(maybeExtension.isPresent(), "security group extension was not present");
    SecurityGroupExtension extension = maybeExtension.get();

    Optional<SecurityGroup> maybeGroup = getGroup(extension);
    assertTrue(maybeGroup.isPresent());
    SecurityGroup target = maybeGroup.get();

    IpPermission rangeRule = createPortRangePermission();
    IpPermission singleRule = createSinglePortPermission();

    // Each call returns the updated group, which is passed on to the next call
    SecurityGroup afterFirst = extension.addIpPermission(rangeRule, target);
    SecurityGroup afterSecond = extension.addIpPermission(singleRule, afterFirst);

    Set<IpPermission> expected = ImmutableSet.of(rangeRule, singleRule);
    assertEquals(afterSecond.getIpPermissions(), expected);
}
/**
 * Two Brooklyn JcloudsLocations customised against the same jclouds Location share one
 * provider group: it is created and populated once, and set on both templates' options.
 */
@Test
public void testSecurityGroupAddedWhenJcloudsLocationCustomised() {
    Template template = mock(Template.class);
    TemplateOptions options = mock(TemplateOptions.class);
    when(template.getLocation()).thenReturn(location);
    when(template.getOptions()).thenReturn(options);

    SecurityGroup sharedGroup = newGroup("id");
    when(securityApi.createSecurityGroup(anyString(), eq(location))).thenReturn(sharedGroup);
    when(securityApi.addIpPermission(any(IpPermission.class), eq(sharedGroup))).thenReturn(sharedGroup);

    JcloudsLocation first = new JcloudsLocation(MutableMap.of("deferConstruction", true));
    JcloudsLocation second = new JcloudsLocation(MutableMap.of("deferConstruction", true));
    customizer.customize(first, computeService, template);
    customizer.customize(second, computeService, template);

    // One group, populated once: four rules are expected (the original note lists TCP, UDP
    // and ICMP between group members plus SSH from Brooklyn)
    verify(securityApi).createSecurityGroup(anyString(), eq(location));
    verify(securityApi, times(4)).addIpPermission(any(IpPermission.class), eq(sharedGroup));
    // The group name is set on the options of each customised location
    verify(options, times(2)).securityGroups(anyString());
}
/**
 * When the shared group already exists at the provider but is not yet cached, it is found
 * by listing the location's groups rather than created a second time.
 */
@Test
public void testSharedGroupLoadedWhenItExistsButIsNotCached() {
    Template template = mock(Template.class);
    TemplateOptions options = mock(TemplateOptions.class);
    when(template.getLocation()).thenReturn(location);
    when(template.getOptions()).thenReturn(options);
    JcloudsLocation jcloudsLocation = new JcloudsLocation(MutableMap.of("deferConstruction", true));

    SecurityGroup existingShared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup unrelated = newGroup("irrelevant");
    when(securityApi.createSecurityGroup(existingShared.getName(), location)).thenReturn(existingShared);
    when(securityApi.createSecurityGroup(unrelated.getName(), location)).thenReturn(unrelated);
    // The provider already holds the shared group next to an unrelated one
    when(securityApi.listSecurityGroupsInLocation(location)).thenReturn(ImmutableSet.of(unrelated, existingShared));
    when(securityApi.addIpPermission(any(IpPermission.class), eq(existingShared))).thenReturn(existingShared);
    when(securityApi.addIpPermission(any(IpPermission.class), eq(unrelated))).thenReturn(unrelated);

    customizer.customize(jcloudsLocation, computeService, template);

    verify(securityApi).listSecurityGroupsInLocation(location);
    verify(securityApi, never()).createSecurityGroup(anyString(), any(Location.class));
}
/**
 * After {@code customize} has cached the shared group, adding rules for a machine must still
 * target the machine's own (uncached) group and leave the shared group alone.
 */
@Test
public void testAddPermissionsToNodeUsesUncachedSecurityGroup() {
    JcloudsLocation jcloudsLocation = new JcloudsLocation(MutableMap.of("deferConstruction", true));
    SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup perNode = newGroup("unique");
    Template template = mock(Template.class);
    TemplateOptions options = mock(TemplateOptions.class);
    when(template.getLocation()).thenReturn(location);
    when(template.getOptions()).thenReturn(options);
    when(securityApi.createSecurityGroup(anyString(), eq(location))).thenReturn(shared);
    when(securityApi.addIpPermission(any(IpPermission.class), eq(perNode))).thenReturn(perNode);
    when(securityApi.addIpPermission(any(IpPermission.class), eq(shared))).thenReturn(shared);
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");

    // Populates the customizer's cache with the shared group
    customizer.customize(jcloudsLocation, computeService, template);

    // Clear stubs and recorded interactions so the verifications below only see the
    // addPermissionsToLocation call
    reset(securityApi);
    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(perNode, shared));
    IpPermission sshRule = newPermission(22);
    // Responses are named after the group the stubbed call targets; nothing inspects their contents
    SecurityGroup responseForPerNode = newGroup(shared.getId(), ImmutableSet.of(sshRule));
    when(securityApi.addIpPermission(sshRule, perNode)).thenReturn(responseForPerNode);
    SecurityGroup responseForShared = newGroup("unique", ImmutableSet.of(sshRule));
    when(securityApi.addIpPermission(sshRule, shared)).thenReturn(responseForShared);

    customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableSet.of(sshRule));

    // The per-machine group is altered, never the shared group
    verify(securityApi).addIpPermission(sshRule, perNode);
    verify(securityApi, never()).addIpPermission(any(IpPermission.class), eq(shared));
}
/**
 * Removing one of two previously added rules removes only that rule from the node's group.
 */
@Test
public void testRemovePermissionsFromNode() {
    IpPermission sshRule = newPermission(22);
    IpPermission jmxRule = newPermission(31001);
    SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup nodeGroup = newGroup("id");
    SecurityGroup nodeGroupWithBoth = newGroup("id", ImmutableSet.of(sshRule, jmxRule));

    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(shared, nodeGroup));
    when(securityApi.addIpPermission(sshRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(securityApi.addIpPermission(jmxRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");

    customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(sshRule, jmxRule));
    customizer.removePermissionsFromLocation(jcloudsMachineLocation, ImmutableList.of(jmxRule));

    // Only the requested rule goes; ssh stays
    verify(securityApi).removeIpPermission(jmxRule, nodeGroup);
    verify(securityApi, never()).removeIpPermission(sshRule, nodeGroup);
}
/**
 * Live check that a CIDR-exclusion rule can be added where the provider supports exclusion
 * CIDR blocks; skipped otherwise.
 */
@Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionsFromSpec")
public void testAddIpPermissionWithCidrExclusionGroup() {
    skipIfSecurityGroupsNotSupported();
    Optional<SecurityGroupExtension> maybeExtension = view.getComputeService().getSecurityGroupExtension();
    assertTrue(maybeExtension.isPresent(), "security group extension was not present");
    SecurityGroupExtension extension = maybeExtension.get();
    if (!extension.supportsExclusionCidrBlocks()) {
        throw new SkipException("Test cannot run without CIDR exclusion groups available.");
    }

    Optional<SecurityGroup> maybeGroup = getGroup(extension);
    assertTrue(maybeGroup.isPresent());
    SecurityGroup target = maybeGroup.get();

    IpPermission exclusionRule = createCidrExclusionPermission();
    SecurityGroup updated = extension.addIpPermission(exclusionRule, target);

    // containsAll rather than equals, so rules already present on the group do not fail the check
    Set<IpPermission> expected = ImmutableSet.of(exclusionRule);
    assertTrue(updated.getIpPermissions().containsAll(expected));
}
/**
 * Removing several rules at once issues one {@code removeIpPermission} call per rule against
 * the node's group.
 */
@Test
public void testRemoveMultiplePermissionsFromNode() {
    IpPermission sshRule = newPermission(22);
    IpPermission jmxRule = newPermission(31001);
    SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup nodeGroup = newGroup("id");
    SecurityGroup nodeGroupWithBoth = newGroup("id", ImmutableSet.of(sshRule, jmxRule));

    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(shared, nodeGroup));
    when(securityApi.addIpPermission(sshRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(securityApi.addIpPermission(jmxRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");
    customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(sshRule, jmxRule));

    when(securityApi.removeIpPermission(sshRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    when(securityApi.removeIpPermission(jmxRule, nodeGroup)).thenReturn(nodeGroupWithBoth);
    customizer.removePermissionsFromLocation(jcloudsMachineLocation, ImmutableList.of(sshRule, jmxRule));

    verify(securityApi).removeIpPermission(sshRule, nodeGroup);
    verify(securityApi).removeIpPermission(jmxRule, nodeGroup);
}
SecurityGroup uniqueGroup = newGroup("unique"); when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(sharedGroup, uniqueGroup)); when(securityApi.addIpPermission(eq(ssh), eq(uniqueGroup))) .thenThrow(new RuntimeException(new Exception(message))) .thenThrow(new RuntimeException(new Exception(message))) verify(securityApi, times(3)).addIpPermission(ssh, uniqueGroup);
/**
 * With the AWS retry predicate installed, AWS error responses on {@code addIpPermission}
 * lead to repeated attempts; the test counts the attempts made against the per-node group.
 */
@Test
public void testAddRuleRetriedOnAwsFailure() {
    IpPermission sshRule = newPermission(22);
    SecurityGroup shared = newGroup(customizer.getNameForSharedSecurityGroup());
    SecurityGroup perNode = newGroup("unique");
    customizer.setRetryExceptionPredicate(JcloudsLocationSecurityGroupCustomizer.newAwsExceptionRetryPredicate());
    when(securityApi.listSecurityGroupsForNode(NODE_ID)).thenReturn(ImmutableSet.of(shared, perNode));
    // Four AWS failures in a row; a fifth attempt, if made, would succeed
    when(securityApi.addIpPermission(any(IpPermission.class), eq(perNode)))
            .thenThrow(newAwsResponseExceptionWithCode("InvalidGroup.InUse"))
            .thenThrow(newAwsResponseExceptionWithCode("DependencyViolation"))
            .thenThrow(newAwsResponseExceptionWithCode("RequestLimitExceeded"))
            .thenThrow(newAwsResponseExceptionWithCode("Blocked"))
            .thenReturn(shared);
    when(computeService.getContext().unwrap().getId()).thenReturn("aws-ec2");

    try {
        customizer.addPermissionsToLocation(jcloudsMachineLocation, ImmutableList.of(sshRule));
    } catch (Exception e) {
        // NOTE(review): the test passes whether or not this exception is raised; only its
        // message is checked when it is.
        String expected = "repeated errors from provider";
        assertTrue(e.getMessage().contains(expected), "expected exception message to contain " + expected + ", was: " + e.getMessage());
    }

    verify(securityApi, never()).createSecurityGroup(anyString(), any(Location.class));
    // Exactly four attempts reached the provider
    verify(securityApi, times(4)).addIpPermission(sshRule, perNode);
}
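/**
 * Ensures a provider security group named after the network exists and publishes its id as
 * the network's {@code NETWORK_ID} sensor.
 *
 * <p>An existing group whose name matches case-insensitively is reused unchanged. Otherwise
 * a group is created in the first assignable location and given a single ingress rule:
 * TCP, every port (1-65535), from the network's own CIDR only.
 *
 * @param network the network to provision; its {@code NETWORK_ID} config supplies the group
 *        name and its {@code NETWORK_CIDR} config the source range of the ingress rule
 * @throws IllegalStateException if the compute service has no security-group extension, has
 *         no assignable location to create the group in, or the network has no CIDR configured
 */
@Override
public void provisionNetwork(VirtualNetwork network) {
    String name = network.config().get(VirtualNetwork.NETWORK_ID);
    if (!location.getComputeService().getSecurityGroupExtension().isPresent()) {
        throw new IllegalStateException("Compute service for " + location + " has no security group extension");
    }
    SecurityGroupExtension extension = location.getComputeService().getSecurityGroupExtension().get();

    // Reuse an existing group with the desired name, if any
    String id = findGroupIdByName(extension.listSecurityGroups(), name);

    if (id == null) {
        Set<? extends Location> regions = location.getComputeService().listAssignableLocations();
        if (regions.isEmpty()) {
            throw new IllegalStateException("No assignable location available to create security group " + name);
        }
        Object cidr = network.config().get(VirtualNetwork.NETWORK_CIDR);
        if (cidr == null) {
            throw new IllegalStateException("No " + VirtualNetwork.NETWORK_CIDR + " configured for network " + name);
        }
        Location region = regions.iterator().next();
        SecurityGroup added = extension.createSecurityGroup(name, region);
        id = added.getId();
        // One ingress rule: all TCP ports, but only from the network's own CIDR
        IpPermission rules = IpPermission.builder()
                .cidrBlock(cidr.toString())
                .ipProtocol(IpProtocol.TCP)
                .fromPort(1)
                .toPort(65535)
                .build();
        extension.addIpPermission(rules, added);
        LOG.info("Added new security group {} with ID {}: {}", new Object[] { added.getName(), id, rules.toString() });
    }

    // Use the OpenStack UUID as the virtual network id
    network.sensors().set(VirtualNetwork.NETWORK_ID, id);
}

/**
 * Returns the id of the first group in {@code groups} whose name equals {@code name}
 * ignoring case, or {@code null} when there is none.
 */
private static String findGroupIdByName(Set<SecurityGroup> groups, String name) {
    for (SecurityGroup each : groups) {
        if (each.getName().equalsIgnoreCase(name)) {
            return each.getId();
        }
    }
    return null;
}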
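/**
 * Adding a CIDR-based rule must post AuthorizeSecurityGroupIngress carrying the rule's
 * protocol, port range and IpRanges, then re-describe the group; the returned group holds
 * exactly that one rule.
 *
 * <p>Responses are replayed in the order enqueued: regions, authorize, describe, zones.
 */
public void addIpPermissionCidrFromIpPermission() throws Exception {
    enqueueRegions(DEFAULT_REGION);
    enqueueXml(DEFAULT_REGION, "/authorize_securitygroup_ingress_response.xml");
    enqueueXml(DEFAULT_REGION, "/describe_securitygroups_extension_cidr.xml");
    enqueueXml(DEFAULT_REGION, "/availabilityZones.xml");

    SecurityGroup updated = extension().addIpPermission(permByCidrBlock, group);

    // TestNG assertEquals is (actual, expected); keeping that order makes failure messages read correctly
    assertEquals(updated.getIpPermissions().size(), 1);
    IpPermission added = Iterables.getOnlyElement(updated.getIpPermissions());
    assertEquals(added, permByCidrBlock);

    assertPosted(DEFAULT_REGION, "Action=DescribeRegions");
    assertPosted(DEFAULT_REGION, "Action=AuthorizeSecurityGroupIngress&GroupId=sg-3c6ef654&IpPermissions.0.IpProtocol=tcp&IpPermissions.0.FromPort=22&IpPermissions.0.ToPort=40&IpPermissions.0.IpRanges.0.CidrIp=0.0.0.0/0");
    assertPosted(DEFAULT_REGION, "Action=DescribeSecurityGroups&GroupId.1=sg-3c6ef654");
    assertPosted(DEFAULT_REGION, "Action=DescribeAvailabilityZones");
}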
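/**
 * Adding a group-sourced rule must post AuthorizeSecurityGroupIngress carrying the rule's
 * protocol, port range and the source group's UserId/GroupId pair, then re-describe the
 * group; the returned group holds exactly that one rule.
 *
 * <p>Responses are replayed in the order enqueued: regions, authorize, describe, zones.
 */
public void addIpPermissionGroupFromIpPermission() throws Exception {
    enqueueRegions(DEFAULT_REGION);
    enqueueXml(DEFAULT_REGION, "/authorize_securitygroup_ingress_response.xml");
    enqueueXml(DEFAULT_REGION, "/describe_securitygroups_extension_group.xml");
    enqueueXml(DEFAULT_REGION, "/availabilityZones.xml");

    SecurityGroup updated = extension().addIpPermission(permByGroup, group);

    // TestNG assertEquals is (actual, expected); keeping that order makes failure messages read correctly
    assertEquals(updated.getIpPermissions().size(), 1);
    IpPermission added = Iterables.getOnlyElement(updated.getIpPermissions());
    assertEquals(added, permByGroup);

    assertPosted(DEFAULT_REGION, "Action=DescribeRegions");
    assertPosted(DEFAULT_REGION, "Action=AuthorizeSecurityGroupIngress&GroupId=sg-3c6ef654&IpPermissions.0.IpProtocol=tcp&IpPermissions.0.FromPort=22&IpPermissions.0.ToPort=40&IpPermissions.0.Groups.0.UserId=993194456877&IpPermissions.0.Groups.0.GroupId=sg-3c6ef654");
    assertPosted(DEFAULT_REGION, "Action=DescribeSecurityGroups&GroupId.1=sg-3c6ef654");
    assertPosted(DEFAULT_REGION, "Action=DescribeAvailabilityZones");
}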
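/**
 * Live check that deleting a group through the extension invalidates its cache entry: a
 * group re-created under the same name must be a real provider group, not a stale cached one.
 *
 * <p>The re-created group is always removed in a {@code finally} block so that a failure
 * while adding the rule does not leave a group behind in the account.
 */
@Test(groups = {"integration", "live"}, singleThreaded = true)
public void testSecurityGroupCacheInvalidated() throws Exception {
    Optional<SecurityGroupExtension> maybeSecurity = view.getComputeService().getSecurityGroupExtension();
    assertTrue(maybeSecurity.isPresent(), "security extension was not present");
    final SecurityGroupExtension security = maybeSecurity.get();

    // Create and immediately delete a group under the test name
    final SecurityGroup seedGroup = security.createSecurityGroup(secGroupNameToDelete, getNodeTemplate().getLocation());
    boolean deleted = security.removeSecurityGroup(seedGroup.getId());
    assertTrue(deleted, "just created security group failed deletion");

    final SecurityGroup recreatedGroup = security.createSecurityGroup(secGroupNameToDelete, getNodeTemplate().getLocation());
    boolean recreatedDeleted;
    try {
        // Adding a rule proves the group genuinely exists at the provider and was not just
        // returned from cache
        security.addIpPermission(IpPermission.builder()
                .fromPort(1000)
                .toPort(1000)
                .cidrBlock("1.1.1.1/32")
                .ipProtocol(IpProtocol.TCP)
                .build(), recreatedGroup);
    } finally {
        // Cleanup runs even if the rule could not be added
        recreatedDeleted = security.removeSecurityGroup(recreatedGroup.getId());
    }
    assertTrue(recreatedDeleted, "just created security group failed deletion");
}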
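/**
 * Live check that a group deleted outside this view (via another context) is not served from
 * cache: removing it through this view reports {@code false}, and a group re-created under the
 * same name is a real provider group.
 *
 * <p>The re-created group is always removed in a {@code finally} block so that a failure
 * while adding the rule does not leave a group behind in the account.
 */
@Test(groups = {"integration", "live"}, singleThreaded = true)
public void testSecurityGroupCacheInvalidatedWhenDeletedExternally() throws Exception {
    String testSecurityGroupName = secGroupNameToDelete + "-externally";
    Optional<SecurityGroupExtension> maybeSecurity = view.getComputeService().getSecurityGroupExtension();
    assertTrue(maybeSecurity.isPresent(), "security extension was not present");
    final SecurityGroupExtension security = maybeSecurity.get();

    final SecurityGroup seedGroup = security.createSecurityGroup(testSecurityGroupName, getNodeTemplate().getLocation());
    // Delete behind this view's back; the removal below must then fail rather than hit a cached entry
    deleteSecurityGroupFromAnotherView(seedGroup);
    boolean deleted = security.removeSecurityGroup(seedGroup.getId());
    assertFalse(deleted, "SG deleted externally so should've failed deletion");

    final SecurityGroup recreatedGroup = security.createSecurityGroup(testSecurityGroupName, getNodeTemplate().getLocation());
    boolean recreatedDeleted;
    try {
        // Adding a rule proves the group genuinely exists at the provider and was not just
        // returned from cache
        security.addIpPermission(IpPermission.builder()
                .fromPort(1000)
                .toPort(1000)
                .cidrBlock("1.1.1.1/32")
                .ipProtocol(IpProtocol.TCP)
                .build(), recreatedGroup);
    } finally {
        // Cleanup runs even if the rule could not be added
        recreatedDeleted = security.removeSecurityGroup(recreatedGroup.getId());
    }
    assertTrue(recreatedDeleted, "just created security group failed deletion");
}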
/**
 * The field-by-field {@code addIpPermission} overload, fed the components of
 * {@code permByGroup}, must post the same AuthorizeSecurityGroupIngress request as the
 * {@code IpPermission} overload and yield a group holding exactly that rule.
 */
public void addIpPermissionGroupFromParams() throws Exception {
    enqueueRegions(DEFAULT_REGION);
    enqueueXml(DEFAULT_REGION, "/authorize_securitygroup_ingress_response.xml");
    enqueueXml(DEFAULT_REGION, "/describe_securitygroups_extension_group.xml");
    enqueueXml(DEFAULT_REGION, "/availabilityZones.xml");

    // Same rule as permByGroup, supplied as individual parameters
    SecurityGroup updated = extension().addIpPermission(
            permByGroup.getIpProtocol(),
            permByGroup.getFromPort(),
            permByGroup.getToPort(),
            permByGroup.getTenantIdGroupNamePairs(),
            permByGroup.getCidrBlocks(),
            permByGroup.getGroupIds(),
            group);
    // getOnlyElement fails unless exactly one rule is present
    IpPermission added = Iterables.getOnlyElement(updated.getIpPermissions());
    assertEquals(added, permByGroup);

    assertPosted(DEFAULT_REGION, "Action=DescribeRegions");
    assertPosted(DEFAULT_REGION, "Action=AuthorizeSecurityGroupIngress&GroupId=sg-3c6ef654&IpPermissions.0.IpProtocol=tcp&IpPermissions.0.FromPort=22&IpPermissions.0.ToPort=40&IpPermissions.0.Groups.0.UserId=993194456877&IpPermissions.0.Groups.0.GroupId=sg-3c6ef654");
    assertPosted(DEFAULT_REGION, "Action=DescribeSecurityGroups&GroupId.1=sg-3c6ef654");
    assertPosted(DEFAULT_REGION, "Action=DescribeAvailabilityZones");
}
/**
 * The field-by-field {@code addIpPermission} overload, fed the components of
 * {@code permByCidrBlock}, must post the same AuthorizeSecurityGroupIngress request as the
 * {@code IpPermission} overload and yield a group holding exactly that rule.
 */
public void addIpPermissionCidrFromParams() throws Exception {
    enqueueRegions(DEFAULT_REGION);
    enqueueXml(DEFAULT_REGION, "/authorize_securitygroup_ingress_response.xml");
    enqueueXml(DEFAULT_REGION, "/describe_securitygroups_extension_cidr.xml");
    enqueueXml(DEFAULT_REGION, "/availabilityZones.xml");

    // Same rule as permByCidrBlock, supplied as individual parameters
    SecurityGroup updated = extension().addIpPermission(
            permByCidrBlock.getIpProtocol(),
            permByCidrBlock.getFromPort(),
            permByCidrBlock.getToPort(),
            permByCidrBlock.getTenantIdGroupNamePairs(),
            permByCidrBlock.getCidrBlocks(),
            permByCidrBlock.getGroupIds(),
            group);
    // getOnlyElement fails unless exactly one rule is present
    IpPermission added = Iterables.getOnlyElement(updated.getIpPermissions());
    assertEquals(added, permByCidrBlock);

    assertPosted(DEFAULT_REGION, "Action=DescribeRegions");
    assertPosted(DEFAULT_REGION, "Action=AuthorizeSecurityGroupIngress&GroupId=sg-3c6ef654&IpPermissions.0.IpProtocol=tcp&IpPermissions.0.FromPort=22&IpPermissions.0.ToPort=40&IpPermissions.0.IpRanges.0.CidrIp=0.0.0.0/0");
    assertPosted(DEFAULT_REGION, "Action=DescribeSecurityGroups&GroupId.1=sg-3c6ef654");
    assertPosted(DEFAULT_REGION, "Action=DescribeAvailabilityZones");
}