/**
 * Creates security group {@code name} in {@code region} and opens the requested TCP ports on it.
 * <p>
 * After the create call, {@code securityGroupEventualConsistencyDelay} is asked whether the group is
 * visible yet; if it reports {@code false} a {@link RuntimeException} is thrown (deliberately not an
 * {@link IllegalStateException}, so it escapes the catch below). Each entry of {@code ports} is then
 * authorized through {@link #createIngressRuleForTCPPort}, and when at least one port was requested the
 * group is additionally authorized to itself via {@link #authorizeGroupToItself}.
 * <p>
 * An {@link IllegalStateException} raised anywhere inside the try block is logged as a reuse of an
 * existing group and otherwise dropped. Note that the catch also spans the ingress-authorization calls,
 * so such a failure while adding rules is reported as "reused" too.
 *
 * @param region region the group lives in; must not be null
 * @param name   group name, also used as its description; must not be null
 * @param ports  TCP ports to open for ingress; may be empty
 * @throws RuntimeException if the group is still not visible after creation
 */
private void createSecurityGroupInRegion(String region, String name, int... ports) {
   checkNotNull(region, "region");
   checkNotNull(name, "name");
   logger.debug(">> creating securityGroup region(%s) name(%s)", region, name);
   try {
      securityClient.createSecurityGroupInRegion(region, name, name);
      RegionAndName key = new RegionAndName(region, name);
      if (!securityGroupEventualConsistencyDelay.apply(key)) {
         // not an IllegalStateException on purpose: this must propagate past the catch below
         throw new RuntimeException(
               String.format("security group %s/%s is not available after creating", region, name));
      }
      logger.debug("<< created securityGroup(%s)", name);
      for (int i = 0; i < ports.length; i++) {
         createIngressRuleForTCPPort(region, name, ports[i]);
      }
      if (ports.length != 0) {
         authorizeGroupToItself(region, name);
      }
   } catch (IllegalStateException alreadyExists) {
      // the group (or a rule on it) was already there; treat as reuse
      logger.debug("<< reused securityGroup(%s)", name);
   }
}
/**
 * Creates security group {@code name} in {@code region} and opens the requested TCP ports on it.
 * <p>
 * After the create call, {@code securityGroupEventualConsistencyDelay} is asked whether the group is
 * visible yet; if it reports {@code false} a {@link RuntimeException} is thrown (deliberately not an
 * {@link IllegalStateException}, so it escapes the catch below). Each entry of {@code ports} is then
 * authorized through {@link #createIngressRuleForTCPPort}, and when at least one port was requested the
 * group is additionally authorized to itself via {@link #authorizeGroupToItself}.
 * <p>
 * An {@link IllegalStateException} raised anywhere inside the try block is logged as a reuse of an
 * existing group and otherwise dropped. Note that the catch also spans the ingress-authorization calls,
 * so such a failure while adding rules is reported as "reused" too.
 *
 * @param region region the group lives in; must not be null
 * @param name   group name, also used as its description; must not be null
 * @param ports  TCP ports to open for ingress; may be empty
 * @throws RuntimeException if the group is still not visible after creation
 */
private void createSecurityGroupInRegion(String region, String name, int... ports) {
   checkNotNull(region, "region");
   checkNotNull(name, "name");
   logger.debug(">> creating securityGroup region(%s) name(%s)", region, name);
   try {
      securityClient.createSecurityGroupInRegion(region, name, name);
      RegionAndName key = new RegionAndName(region, name);
      if (!securityGroupEventualConsistencyDelay.apply(key)) {
         // not an IllegalStateException on purpose: this must propagate past the catch below
         throw new RuntimeException(
               String.format("security group %s/%s is not available after creating", region, name));
      }
      logger.debug("<< created securityGroup(%s)", name);
      for (int i = 0; i < ports.length; i++) {
         createIngressRuleForTCPPort(region, name, ports[i]);
      }
      if (ports.length != 0) {
         authorizeGroupToItself(region, name);
      }
   } catch (IllegalStateException alreadyExists) {
      // the group (or a rule on it) was already there; treat as reuse
      logger.debug("<< reused securityGroup(%s)", name);
   }
}
/**
 * Ensures the security group named {@code securityGroup} exists, creating it when running against EC2.
 * <p>
 * Does nothing unless {@code isEC2} is set. The region comes from {@code spec.getLocationId()} and
 * falls back to {@code us-east-1} when that is null. If {@code describeSecurityGroupsInRegion} already
 * reports the group only an info line is logged; otherwise the group is created (its name doubles as
 * the description) and one TCP ingress rule per entry of {@code portRangeMap} (start port -> end port)
 * is authorized from {@code CIDR_RANGE}.
 * <p>
 * NOTE(review): the describe-then-create sequence is not atomic, and nothing here waits for the new
 * group to become visible before the ingress rules are authorized; confirm this is acceptable for the
 * callers of this method.
 *
 * @param spec          template spec whose location id selects the region; its location may be null
 * @param securityGroup name of the group to look up or create
 */
private void initSecurityGroup(TemplateBuilderSpec spec, String securityGroup) {
   if (!isEC2) {
      return;
   }
   // only AWS needs this: the group is created on the fly when it is missing
   AWSEC2Api ec2Api = compute.getContext().unwrapApi(AWSEC2Api.class);
   SecurityGroupApi groupApi = ec2Api.getSecurityGroupApi().get();
   String location = spec.getLocationId();
   String region = location == null ? "us-east-1" : location;
   Set<SecurityGroup> existing = groupApi.describeSecurityGroupsInRegion(region, securityGroup);
   if (existing.isEmpty()) {
      LOGGER.info("Security group: '" + securityGroup + "' is not found in region '" + region
            + "', creating it on the fly");
      groupApi.createSecurityGroupInRegion(region, securityGroup, securityGroup);
      for (Map.Entry<Integer, Integer> range : portRangeMap.entrySet()) {
         int from = range.getKey();
         int to = range.getValue();
         groupApi.authorizeSecurityGroupIngressInRegion(region, securityGroup, TCP, from, to, CIDR_RANGE);
      }
   } else {
      LOGGER.info("Security group: '" + securityGroup + "' is found in region '" + region + '\'');
   }
}
/**
 * Creates security group {@code name} in {@code region} and opens the requested TCP ports on it.
 * <p>
 * After the create call, {@code securityGroupEventualConsistencyDelay} is asked whether the group is
 * visible yet; if it reports {@code false} a {@link RuntimeException} is thrown (deliberately not an
 * {@link IllegalStateException}, so it escapes the catch below). Each entry of {@code ports} is then
 * authorized through {@link #createIngressRuleForTCPPort}, and when at least one port was requested the
 * group is additionally authorized to itself via {@link #authorizeGroupToItself}.
 * <p>
 * An {@link IllegalStateException} raised anywhere inside the try block is logged as a reuse of an
 * existing group and otherwise dropped. Note that the catch also spans the ingress-authorization calls,
 * so such a failure while adding rules is reported as "reused" too.
 *
 * @param region region the group lives in; must not be null
 * @param name   group name, also used as its description; must not be null
 * @param ports  TCP ports to open for ingress; may be empty
 * @throws RuntimeException if the group is still not visible after creation
 */
private void createSecurityGroupInRegion(String region, String name, int... ports) {
   checkNotNull(region, "region");
   checkNotNull(name, "name");
   logger.debug(">> creating securityGroup region(%s) name(%s)", region, name);
   try {
      securityClient.createSecurityGroupInRegion(region, name, name);
      RegionAndName key = new RegionAndName(region, name);
      if (!securityGroupEventualConsistencyDelay.apply(key)) {
         // not an IllegalStateException on purpose: this must propagate past the catch below
         throw new RuntimeException(
               String.format("security group %s/%s is not available after creating", region, name));
      }
      logger.debug("<< created securityGroup(%s)", name);
      for (int i = 0; i < ports.length; i++) {
         createIngressRuleForTCPPort(region, name, ports[i]);
      }
      if (ports.length != 0) {
         authorizeGroupToItself(region, name);
      }
   } catch (IllegalStateException alreadyExists) {
      // the group (or a rule on it) was already there; treat as reuse
      logger.debug("<< reused securityGroup(%s)", name);
   }
}
/**
 * When the create call reports that the group already exists ({@link IllegalStateException}),
 * {@code load} still returns the group name; the mock expects no further calls, so no ingress
 * rules may be authorized on the reused group.
 *
 * @throws ExecutionException declared by the {@code load} contract
 */
@Test
public void testIllegalStateExceptionCreatingGroupJustReturns() throws ExecutionException {
   SecurityGroupApi api = createMock(SecurityGroupApi.class);
   Predicate<RegionAndName> groupVisible = Predicates.alwaysTrue();
   // the only expected interaction: the create call, which signals "already exists"
   api.createSecurityGroupInRegion("region", "group", "group");
   expectLastCall().andThrow(new IllegalStateException());
   replay(api);
   RegionNameAndIngressRules input = new RegionNameAndIngressRules("region", "group", new int[] { 22 }, true, null);
   CreateSecurityGroupIfNeeded function = new CreateSecurityGroupIfNeeded(api, groupVisible);
   assertEquals("group", function.load(input));
   verify(api);
}
/**
 * When the eventual-consistency predicate never reports the group ({@code alwaysFalse}), {@code load}
 * must fail with a {@link RuntimeException} instead of returning a group that may not exist yet.
 *
 * @throws ExecutionException declared by the {@code load} contract
 */
@Test(expectedExceptions = RuntimeException.class)
public void testWhenEventualConsistencyExpiresIllegalStateException() throws ExecutionException {
   SecurityGroupApi api = createMock(SecurityGroupApi.class);
   Predicate<RegionAndName> neverVisible = Predicates.alwaysFalse();
   api.createSecurityGroupInRegion("region", "group", "group");
   replay(api);
   RegionNameAndIngressRules input = new RegionNameAndIngressRules("region", "group", new int[] { 22 }, true, null);
   // expected to throw: the group never becomes visible
   new CreateSecurityGroupIfNeeded(api, neverVisible).load(input);
}
}
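/**
 * Live test (currently disabled): creates the {@code <instancePrefix>ingress} group and opens TCP 80,
 * 443 and 22 on it from {@code 0.0.0.0/0}, i.e. from every IPv4 source — acceptable only for a
 * throwaway test group.
 * <p>
 * A stale group of the same name is deleted first on a best-effort basis; any failure of that delete
 * (typically: no such group) is intentionally ignored.
 *
 * @throws InterruptedException declared by the test signature
 * @throws ExecutionException   declared by the test signature
 * @throws TimeoutException     declared by the test signature
 */
@Test(enabled = false)
void testCreateSecurityGroupIngressCidr() throws InterruptedException, ExecutionException, TimeoutException {
   securityGroupName = instancePrefix + "ingress";
   try {
      client.getSecurityGroupApi().get().deleteSecurityGroupInRegion(null, securityGroupName);
   } catch (Exception ignored) {
      // best-effort cleanup of a leftover group; a missing group is the normal case here
   }
   client.getSecurityGroupApi().get().createSecurityGroupInRegion(null, securityGroupName, securityGroupName);
   for (int port : new int[] { 80, 443, 22 }) {
      client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(null, securityGroupName,
            IpProtocol.TCP, port, port, "0.0.0.0/0");
   }
}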
/**
 * With port 22 requested and the to-itself flag set, the group must receive two authorizations:
 * the TCP/22 CIDR rule from {@code 0.0.0.0/0}, and a self-referencing {@link UserIdGroupPair} rule
 * built from the owner id that {@code describeSecurityGroupsInRegion} reports for the group.
 *
 * @throws ExecutionException declared by the {@code load} contract
 */
@SuppressWarnings("unchecked")
@Test
public void testWhenPort22AndToItselfAuthorizesIngressTwice() throws ExecutionException {
   SecurityGroupApi api = createMock(SecurityGroupApi.class);
   SecurityGroup described = createNiceMock(SecurityGroup.class);
   Predicate<RegionAndName> groupVisible = Predicates.alwaysTrue();
   Set<SecurityGroup> describeResult = ImmutableSet.<SecurityGroup> of(described);
   // expected interaction sequence on the api mock
   api.createSecurityGroupInRegion("region", "group", "group");
   api.authorizeSecurityGroupIngressInRegion("region", "group", IpProtocol.TCP, 22, 22, "0.0.0.0/0");
   expect(api.describeSecurityGroupsInRegion("region", "group")).andReturn(Set.class.cast(describeResult));
   expect(described.getOwnerId()).andReturn("ownerId");
   api.authorizeSecurityGroupIngressInRegion("region", "group", new UserIdGroupPair("ownerId", "group"));
   replay(api);
   replay(described);
   RegionNameAndIngressRules input = new RegionNameAndIngressRules("region", "group", new int[] { 22 }, true, null);
   CreateSecurityGroupIfNeeded function = new CreateSecurityGroupIfNeeded(api, groupVisible);
   assertEquals("group", function.load(input));
   verify(api);
   verify(described);
}
securityGroupApi.createSecurityGroupInRegion(region, securityGroup, securityGroup);
/**
 * Live test: creating group {@code PREFIX + "1"} with description {@code PREFIX + "1 description"}
 * must produce a group that {@link #verifySecurityGroup} accepts. The group is deleted again in
 * {@code finally} so the account is left clean even when verification fails.
 */
@Test
void testCreateSecurityGroup() {
   final String name = PREFIX + "1";
   final String description = PREFIX + "1 description";
   cleanupAndSleep(name);
   try {
      client.deleteSecurityGroupInRegion(null, name);
      client.createSecurityGroupInRegion(null, name, description);
      verifySecurityGroup(name, description);
   } finally {
      client.deleteSecurityGroupInRegion(null, name);
   }
}
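/**
 * Live test (currently disabled): creates the {@code <INSTANCE_PREFIX>ingress} group and opens TCP 80,
 * 443 and 22 on it from {@code 0.0.0.0/0}, i.e. from every IPv4 source — acceptable only for a
 * throwaway test group.
 * <p>
 * A stale group of the same name is deleted first on a best-effort basis; any failure of that delete
 * (typically: no such group) is intentionally ignored. The three per-port calls are folded into one
 * loop, in the original order.
 *
 * @throws InterruptedException declared by the test signature
 * @throws ExecutionException   declared by the test signature
 * @throws TimeoutException     declared by the test signature
 */
@Test(enabled = false)
void testCreateSecurityGroupIngressCidr() throws InterruptedException, ExecutionException, TimeoutException {
   securityGroupName = INSTANCE_PREFIX + "ingress";
   try {
      client.getSecurityGroupApi().get().deleteSecurityGroupInRegion(null, securityGroupName);
   } catch (Exception ignored) {
      // best-effort cleanup of a leftover group; a missing group is the normal case here
   }
   client.getSecurityGroupApi().get().createSecurityGroupInRegion(null, securityGroupName, securityGroupName);
   for (int port : new int[] { 80, 443, 22 }) {
      client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(null, securityGroupName,
            IpProtocol.TCP, port, port, "0.0.0.0/0");
   }
}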
for (String sg : config.getSecurityGroups()) { try { client.getSecurityGroupApi().get().createSecurityGroupInRegion(config.getRegion(), sg, sg); client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(config.getRegion(), sg, IpProtocol.TCP, config.getInboundPorts()[0],
cleanupAndSleep(group1Name); try { client.createSecurityGroupInRegion(null, group1Name, group1Name); client.createSecurityGroupInRegion(null, group2Name, group2Name); ensureGroupsExist(group1Name, group2Name); client.authorizeSecurityGroupIngressInRegion(null, group1Name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
/**
 * Live test: on a fresh group named {@code PREFIX + "ingress"}, a TCP/80 ingress rule from
 * {@code 0.0.0.0/0} must become visible after authorization and disappear again after revocation
 * (both checked via {@code assertEventually}). The group is deleted in {@code finally}.
 */
@Test
void testAuthorizeSecurityGroupIngressCidr() {
   final String name = PREFIX + "ingress";
   cleanupAndSleep(name);
   try {
      client.createSecurityGroupInRegion(null, name, name);
      // open TCP/80 to all IPv4 sources, confirm it shows up, then revoke and confirm it is gone
      client.authorizeSecurityGroupIngressInRegion(null, name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
      assertEventually(new GroupHasPermission(client, name, new TCPPort80AllIPs()));
      client.revokeSecurityGroupIngressInRegion(null, name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
      assertEventually(new GroupHasNoPermissions(client, name));
   } finally {
      client.deleteSecurityGroupInRegion(null, name);
   }
}
/**
 * Live test: on a fresh group named {@code PREFIX + "ingress"}, a TCP/80 ingress rule from
 * {@code 0.0.0.0/0} must become visible after authorization and disappear again after revocation
 * (both checked via {@code assertEventually}). The group is deleted in {@code finally}.
 * <p>
 * NOTE(review): despite the name, the body exercises a CIDR rule rather than a source-port rule —
 * confirm whether a distinct scenario was intended.
 */
@Test
void testAuthorizeSecurityGroupIngressSourcePort() {
   final String name = PREFIX + "ingress";
   cleanupAndSleep(name);
   try {
      client.createSecurityGroupInRegion(null, name, name);
      // open TCP/80 to all IPv4 sources, confirm it shows up, then revoke and confirm it is gone
      client.authorizeSecurityGroupIngressInRegion(null, name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
      assertEventually(new GroupHasPermission(client, name, new TCPPort80AllIPs()));
      client.revokeSecurityGroupIngressInRegion(null, name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
      assertEventually(new GroupHasNoPermissions(client, name));
   } finally {
      client.deleteSecurityGroupInRegion(null, name);
   }
}
/**
 * EC2-only live test: adding the same firewall rule twice must not throw, and authorizing all rules
 * afterwards must succeed. A group named {@code jclouds#<clusterName>} is created up front and removed
 * in {@code finally}. When the compute service is not an {@link EC2ComputeService} the body is skipped.
 *
 * @throws IOException declared by the test signature
 */
@Test(timeout = TestConstants.ITEST_TIMEOUT)
public void testFirewallAuthorizationIsIdempotent() throws IOException {
   if (!(context.getComputeService() instanceof EC2ComputeService)) {
      return;
   }
   EC2Api api = context.unwrapApi(EC2Api.class);
   String groupName = "jclouds#" + clusterSpec.getClusterName();
   api.getSecurityGroupApi().get().createSecurityGroupInRegion(region, groupName, "group description");
   try {
      manager.addRule(Rule.create().destination(instances).port(23344));
      // adding an identical rule a second time must be a no-op, not an error
      manager.addRule(Rule.create().destination(instances).port(23344));
      manager.authorizeAllRules();
   } finally {
      api.getSecurityGroupApi().get().deleteSecurityGroupInRegion(region, groupName);
   }
}
securityGroupClient.createSecurityGroupInRegion(null, group, group); securityGroupClient.authorizeSecurityGroupIngressInRegion(null, group, IpProtocol.TCP, 22, 22, "0.0.0.0/0");