
Merge pull request #578 from dpiddy/aws-security-groups-update

[aws|compute] Update security group operations.
This commit is contained in:
Dan Peterson 2011-10-28 11:55:53 -07:00
commit eb282c4fb6
6 changed files with 476 additions and 106 deletions


@ -13,11 +13,23 @@ module Fog
# * 'SourceSecurityGroupName'<~String> - Name of security group to authorize
# * 'SourceSecurityGroupOwnerId'<~String> - Name of owner to authorize
# or
# * 'CidrIp' - CIDR range
# * 'FromPort' - Start of port range (or -1 for ICMP wildcard)
# * 'GroupName' - Name of group to modify
# * 'IpProtocol' - Ip protocol, must be in ['tcp', 'udp', 'icmp']
# * 'ToPort' - End of port range (or -1 for ICMP wildcard)
# * 'CidrIp'<~String> - CIDR range
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
# or
# * 'IpPermissions'<~Array>:
# * permission<~Hash>:
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
# * 'Groups'<~Array>:
# * group<~Hash>:
# * 'GroupName'<~String> - Name of security group to authorize
# * 'UserId'<~String> - Name of owner to authorize
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
# * 'IpRanges'<~Array>:
# * ip_range<~Hash>:
# * 'CidrIp'<~String> - CIDR range
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
#
# === Returns
# * response<~Excon::Response>:
@ -30,8 +42,13 @@ module Fog
if group_name.is_a?(Hash)
Fog::Logger.deprecation("Fog::AWS::Compute#authorize_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
options = group_name
group_name = options['GroupName']
group_name = options.delete('GroupName')
end
if ip_permissions = options.delete('IpPermissions')
options.merge!(indexed_ip_permissions_params(ip_permissions))
end
request({
'Action' => 'AuthorizeSecurityGroupIngress',
'GroupName' => group_name,
@ -40,6 +57,29 @@ module Fog
}.merge!(options))
end
private
def indexed_ip_permissions_params(ip_permissions)
params = {}
ip_permissions.each_with_index do |permission, key_index|
key_index += 1
params[format('IpPermissions.%d.IpProtocol', key_index)] = permission['IpProtocol']
params[format('IpPermissions.%d.FromPort', key_index)] = permission['FromPort']
params[format('IpPermissions.%d.ToPort', key_index)] = permission['ToPort']
(permission['Groups'] || []).each_with_index do |group, group_index|
group_index += 1
params[format('IpPermissions.%d.Groups.%d.UserId', key_index, group_index)] = group['UserId']
params[format('IpPermissions.%d.Groups.%d.GroupName', key_index, group_index)] = group['GroupName']
params[format('IpPermissions.%d.Groups.%d.GroupId', key_index, group_index)] = group['GroupId']
end
(permission['IpRanges'] || []).each_with_index do |ip_range, range_index|
range_index += 1
params[format('IpPermissions.%d.IpRanges.%d.CidrIp', key_index, range_index)] = ip_range['CidrIp']
end
end
params.reject {|k, v| v.nil? }
end
end
class Mock
@ -48,43 +88,38 @@ module Fog
if group_name.is_a?(Hash)
Fog::Logger.deprecation("Fog::AWS::Compute#authorize_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
options = group_name
group_name = options['GroupName']
group_name = options.delete('GroupName')
end
verify_permission_options(options)
response = Excon::Response.new
group = self.data[:security_groups][group_name]
if group
group['ipPermissions'] ||= []
if group_name && source_group_name = options['SourceSecurityGroupName']
['tcp', 'udp'].each do |protocol|
group['ipPermissions'] << {
'groups' => [{'groupName' => source_group_name, 'userId' => (options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]) }],
'fromPort' => 1,
'ipRanges' => [],
'ipProtocol' => protocol,
'toPort' => 65535
}
end
group['ipPermissions'] << {
'groups' => [{'groupName' => source_group_name, 'userId' => (options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]) }],
'fromPort' => -1,
'ipRanges' => [],
'ipProtocol' => 'icmp',
'toPort' => -1
}
else
group['ipPermissions'] << {
'groups' => [],
'fromPort' => options['FromPort'],
'ipRanges' => [],
'ipProtocol' => options['IpProtocol'],
'toPort' => options['ToPort']
}
if options['CidrIp']
group['ipPermissions'].last['ipRanges'] << { 'cidrIp' => options['CidrIp'] }
normalized_permissions = normalize_permissions(options)
normalized_permissions.each do |permission|
if matching_group_permission = find_matching_permission(group, permission)
if permission['groups'].any? {|pg| matching_group_permission['groups'].include?(pg) }
raise Fog::Compute::AWS::Error, "InvalidPermission.Duplicate => The permission '123' has already been authorized in the specified group"
end
if permission['ipRanges'].any? {|pr| matching_group_permission['ipRanges'].include?(pr) }
raise Fog::Compute::AWS::Error, "InvalidPermission.Duplicate => The permission '123' has already been authorized in the specified group"
end
end
end
normalized_permissions.each do |permission|
if matching_group_permission = find_matching_permission(group, permission)
matching_group_permission['groups'] += permission['groups']
matching_group_permission['ipRanges'] += permission['ipRanges']
else
group['ipPermissions'] << permission
end
end
response.status = 200
response.body = {
'requestId' => Fog::AWS::Mock.request_id,
@ -96,6 +131,76 @@ module Fog
end
end
private
def verify_permission_options(options)
if options.empty?
raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
end
if options['IpProtocol'] && !['tcp', 'udp', 'icmp'].include?(options['IpProtocol'])
raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => Unsupported IP protocol \"#{options['IpProtocol']}\" - supported: [tcp, udp, icmp]")
end
if options['IpProtocol'] && (!options['FromPort'] || !options['ToPort'])
raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => TCP/UDP port (-1) out of range")
end
if options.has_key?('IpPermissions')
if !options['IpPermissions'].is_a?(Array) || options['IpPermissions'].empty?
raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
end
options['IpPermissions'].each {|p| verify_permission_options(p) }
end
end
def normalize_permissions(options)
normalized_permissions = []
if options['SourceSecurityGroupName']
['tcp', 'udp'].each do |protocol|
normalized_permissions << {
'ipProtocol' => protocol,
'fromPort' => 1,
'toPort' => 65535,
'groups' => [{'groupName' => options['SourceSecurityGroupName'], 'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]}],
'ipRanges' => []
}
end
normalized_permissions << {
'ipProtocol' => 'icmp',
'fromPort' => -1,
'toPort' => -1,
'groups' => [{'groupName' => options['SourceSecurityGroupName'], 'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]}],
'ipRanges' => []
}
elsif options['CidrIp']
normalized_permissions << {
'ipProtocol' => options['IpProtocol'],
'fromPort' => Integer(options['FromPort']),
'toPort' => Integer(options['ToPort']),
'groups' => [],
'ipRanges' => [{'cidrIp' => options['CidrIp']}]
}
elsif options['IpPermissions']
options['IpPermissions'].each do |permission|
normalized_permissions << {
'ipProtocol' => permission['IpProtocol'],
'fromPort' => Integer(permission['FromPort']),
'toPort' => Integer(permission['ToPort']),
'groups' => (permission['Groups'] || []).map {|g| {'groupName' => g['GroupName'], 'userId' => g['UserId'] || self.data[:owner_id]} },
'ipRanges' => (permission['IpRanges'] || []).map {|r| { 'cidrIp' => r['CidrIp'] } }
}
end
end
normalized_permissions
end
def find_matching_permission(group, permission)
group['ipPermissions'].detect {|group_permission|
permission['ipProtocol'] == group_permission['ipProtocol'] &&
permission['fromPort'] == group_permission['fromPort'] &&
permission['toPort'] == group_permission['toPort'] }
end
end
end
end
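Review bot: `verify_permission_options` in the Mock lets malformed port values and a missing protocol through, so `normalize_permissions` later fails with a bare `ArgumentError`/`TypeError` from `Integer(...)` (or stores a rule with `ipProtocol => nil`) instead of the `Fog::Compute::AWS::Error` callers are expected to rescue — e.g. `{'IpProtocol' => 'tcp', 'FromPort' => 'abc', 'ToPort' => 'abc', 'CidrIp' => '10.0.0.0/8'}`, or a nested permission carrying `IpRanges` but no `IpProtocol`. Since this mock is what tests of firewall-rule provisioning run against, I would make the check fail loudly, the way the real API presumably does: whenever a permission carries `IpProtocol`, `CidrIp`, `IpRanges` or `Groups`, require a supported protocol and integer-coercible ports, with `FromPort <= ToPort` for tcp/udp (icmp uses type/code, where `8`/`-1` is legitimate). The existing `broken_params` cases keep raising the same Fog error under this version. The `Mock` class itself closes outside this view; the three private helpers are complete within the hunk.
```ruby
def verify_permission_options(options)
  if options.empty?
    raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
  end
  if options['IpProtocol'] || options['CidrIp'] || options['IpRanges'] || options['Groups']
    unless ['tcp', 'udp', 'icmp'].include?(options['IpProtocol'])
      raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => Unsupported IP protocol \"#{options['IpProtocol']}\" - supported: [tcp, udp, icmp]")
    end
    from_port, to_port = ['FromPort', 'ToPort'].map do |key|
      begin
        Integer(options[key])
      rescue ArgumentError, TypeError
        raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => TCP/UDP port (#{options[key].inspect}) out of range")
      end
    end
    if options['IpProtocol'] != 'icmp' && from_port > to_port
      raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => TCP/UDP port (#{from_port}) out of range")
    end
  end
  # … unchanged: IpPermissions array-shape check and per-permission recursion …
end
```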


@ -30,8 +30,33 @@ module Fog
class Mock
def delete_security_group(name)
if name == 'default'
raise Fog::Compute::AWS::Error.new("InvalidGroup.Reserved => The security group 'default' is reserved")
end
response = Excon::Response.new
if self.data[:security_groups][name]
used_by_groups = []
self.region_data.each do |access_key, key_data|
key_data[:security_groups].each do |group_name, group|
next if group == self.data[:security_groups][name]
group['ipPermissions'].each do |group_ip_permission|
group_ip_permission['groups'].each do |group_group_permission|
if group_group_permission['groupName'] == name &&
group_group_permission['userId'] == self.data[:owner_id]
used_by_groups << "#{key_data[:owner_id]}:#{group_name}"
end
end
end
end
end
unless used_by_groups.empty?
raise Fog::Compute::AWS::Error.new("InvalidGroup.InUse => Group #{self.data[:owner_id]}:#{name} is used by groups: #{used_by_groups.uniq.join(" ")}")
end
self.data[:security_groups].delete(name)
response.status = 200
response.body = {
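Review bot: The new in-use guard in `delete_security_group` only catches references from other groups' ingress rules, not a group still attached to an instance, so if the mock tracks instance membership elsewhere (not visible here) it will delete a group instances depend on; a one-line comment would keep a reader from assuming the guard mirrors every `InvalidGroup.InUse`/`DependencyViolation` case: `# Only group-to-group ingress references are checked; instance membership is not.`. Separately, the scan across `self.region_data` assumes every stored group has an `ipPermissions` array, so `group['ipPermissions'].each` raises `NoMethodError` if any path stores a group without it — the `||= []` guard visible in the authorize diff suggests that can happen, so `(group['ipPermissions'] || []).each` would be safer. The method body continues past the end of this hunk.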


@ -8,15 +8,28 @@ module Fog
# Remove permissions from a security group
#
# ==== Parameters
# * 'GroupName'<~String> - Name of group
# * group_name<~String> - Name of group
# * options<~Hash>:
# * 'SourceSecurityGroupName'<~String> - Name of security group to authorize
# * 'SourceSecurityGroupOwnerId'<~String> - Name of owner to authorize
# or
# * 'CidrIp' - CIDR range
# * 'FromPort' - Start of port range (or -1 for ICMP wildcard)
# * 'IpProtocol' - Ip protocol, must be in ['tcp', 'udp', 'icmp']
# * 'ToPort' - End of port range (or -1 for ICMP wildcard)
# * 'CidrIp'<~String> - CIDR range
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
# or
# * 'IpPermissions'<~Array>:
# * permission<~Hash>:
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
# * 'Groups'<~Array>:
# * group<~Hash>:
# * 'GroupName'<~String> - Name of security group to authorize
# * 'UserId'<~String> - Name of owner to authorize
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
# * 'IpRanges'<~Array>:
# * ip_range<~Hash>:
# * 'CidrIp'<~String> - CIDR range
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
#
# === Returns
# * response<~Excon::Response>:
@ -29,8 +42,13 @@ module Fog
if group_name.is_a?(Hash)
Fog::Logger.deprecation("Fog::AWS::Compute#revoke_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
options = group_name
group_name = options['GroupName']
group_name = options.delete('GroupName')
end
if ip_permissions = options.delete('IpPermissions')
options.merge!(indexed_ip_permissions_params(ip_permissions))
end
request({
'Action' => 'RevokeSecurityGroupIngress',
'GroupName' => group_name,
@ -47,34 +65,28 @@ module Fog
if group_name.is_a?(Hash)
Fog::Logger.deprecation("Fog::AWS::Compute#revoke_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
options = group_name
group_name = options['GroupName']
group_name = options.delete('GroupName')
end
verify_permission_options(options)
response = Excon::Response.new
group = self.data[:security_groups][group_name]
if group
if source_group_name = options['SourceSecurityGroupName']
group['ipPermissions'].delete_if do |permission|
if source_owner_id = options['SourceSecurityGroupOwnerId']
permission['groups'].first['groupName'] == source_group_name && permission['groups'].first['userId'] == source_owner_id
else
permission['groups'].first['groupName'] == source_group_name
normalized_permissions = normalize_permissions(options)
normalized_permissions.each do |permission|
if matching_permission = find_matching_permission(group, permission)
matching_permission['ipRanges'] -= permission['ipRanges']
matching_permission['groups'] -= permission['groups']
if matching_permission['ipRanges'].empty? && matching_permission['groups'].empty?
group['ipPermissions'].delete(matching_permission)
end
end
else
ingress = group['ipPermissions'].select {|permission|
permission['fromPort'] == options['FromPort'] &&
permission['ipProtocol'] == options['IpProtocol'] &&
permission['toPort'] == options['ToPort'] &&
(
permission['ipRanges'].empty? ||
(
permission['ipRanges'].first &&
permission['ipRanges'].first['cidrIp'] == options['CidrIp']
)
)
}.first
group['ipPermissions'].delete(ingress)
end
response.status = 200
response.body = {
'requestId' => Fog::AWS::Mock.request_id,
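Review bot: Both `revoke_security_group_ingress` paths mutate the caller's hash: the deprecated branch calls `options.delete('GroupName')` on the hash the caller passed as `group_name`, and the real path does `options.delete('IpPermissions')` followed by `options.merge!(...)`, leaving the caller holding flattened `IpPermissions.N.*` keys instead of the nested array it built. A caller that reuses the hash — which this commit's own request tests do by pushing `permission` onto `to_be_revoked` — only keeps working because the flattened keys happen to be merged back in on the next call, which is fragile for a request that changes firewall state. Dup before mutating: `options = group_name.dup` in the deprecated branch and `options = options.dup` ahead of the `IpPermissions` delete. For the Mock, note that revoking a rule that was never granted still returns 200 silently, and `SourceSecurityGroupName` without an owner id now matches only `self.data[:owner_id]` where the removed code matched any owner by name — both worth confirming against the real API. The method signatures sit above these hunks.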


@ -2,17 +2,10 @@ Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do
model_tests(Fog::Compute[:aws].security_groups, {:description => 'foggroupdescription', :name => 'foggroupname'}, true)
tests("a group with trailing whitespace") do
@group = Fog::Compute[:aws].security_groups.create(:name => "foggroup with spaces ", :description => " fog group desc ")
test("name is correct") do
@group.name == "foggroup with spaces "
end
tests("authorize and revoke helpers") do
@group = Fog::Compute[:aws].security_groups.create(:name => "foggroup", :description => "fog group desc")
test("description is correct") do
@group.description == " fog group desc "
end
@other_group = Fog::Compute[:aws].security_groups.create(:name => 'other group', :description => 'another group')
@other_group = Fog::Compute[:aws].security_groups.create(:name => 'fog other group', :description => 'another fog group')
test("authorize access by another security group") do
@group.authorize_group_and_owner(@other_group.name)
@ -26,6 +19,18 @@ Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do
@group.ip_permissions.empty?
end
test("authorize access to a port range") do
@group.authorize_port_range(5000..6000)
@group.reload
@group.ip_permissions.size == 1
end
test("revoke access to a port range") do
@group.revoke_port_range(5000..6000)
@group.reload
@group.ip_permissions.empty?
end
@other_group.destroy
@group.destroy
end
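Review bot: The new port-range tests only assert on `ip_permissions.size`, so they cannot tell whether `authorize_port_range(5000..6000)` opened 5000–6000 to the intended source or something wider; if that helper defaults to `0.0.0.0/0` (not visible here), a regression that widened the ports or the CIDR would still pass. Assuming `ip_permissions` exposes the same hashes `describe_security_groups` returns, asserting on the stored rule pins it down: `perm = @group.ip_permissions.first` / `perm['fromPort'] == 5000 && perm['toPort'] == 6000 && perm['ipProtocol'] == 'tcp'`, with the `ipRanges` entry added once the default CIDR is confirmed. The `authorize_group_and_owner` test just above has the same weakness, but its assertion lies outside this hunk.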


@ -25,25 +25,207 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
Fog::Compute[:aws].create_security_group('fog_security_group', 'tests group').body
end
tests("#authorize_security_group_ingress('fog_security_group', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress(
'fog_security_group',
{
'FromPort' => 80,
'IpProtocol' => 'tcp',
'ToPort' => 80,
}
).body
tests("#create_security_group('fog_security_group_two', 'tests group')").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].create_security_group('fog_security_group_two', 'tests group').body
end
tests("#authorize_security_group_ingress('fog_security_group', {'SourceSecurityGroupName' => 'fog_security_group', 'SourceSecurityGroupOwnerId' => '#{@owner_id}'})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress(
'fog_security_group',
to_be_revoked = []
expected_permissions = []
permission = { 'SourceSecurityGroupName' => 'default' }
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
end
to_be_revoked.push([permission, expected_permissions.dup])
expected_permissions = [
{"groups"=>[{"groupName"=>"default", "userId"=>@owner_id}],
"fromPort"=>1,
"ipRanges"=>[],
"ipProtocol"=>"tcp",
"toPort"=>65535},
{"groups"=>[{"groupName"=>"default", "userId"=>@owner_id}],
"fromPort"=>1,
"ipRanges"=>[],
"ipProtocol"=>"udp",
"toPort"=>65535},
{"groups"=>[{"groupName"=>"default", "userId"=>@owner_id}],
"fromPort"=>-1,
"ipRanges"=>[],
"ipProtocol"=>"icmp",
"toPort"=>-1}
]
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
permission = { 'SourceSecurityGroupName' => 'fog_security_group_two', 'SourceSecurityGroupOwnerId' => @owner_id }
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
end
to_be_revoked.push([permission, expected_permissions.dup])
expected_permissions = [
{"groups"=>
[{"userId"=>@owner_id, "groupName"=>"default"},
{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
"ipRanges"=>[],
"ipProtocol"=>"tcp",
"fromPort"=>1,
"toPort"=>65535},
{"groups"=>
[{"userId"=>@owner_id, "groupName"=>"default"},
{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
"ipRanges"=>[],
"ipProtocol"=>"udp",
"fromPort"=>1,
"toPort"=>65535},
{"groups"=>
[{"userId"=>@owner_id, "groupName"=>"default"},
{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
"ipRanges"=>[],
"ipProtocol"=>"icmp",
"fromPort"=>-1,
"toPort"=>-1}
]
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
permission = { 'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22' }
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
end
to_be_revoked.push([permission, expected_permissions.dup])
# previous did nothing
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
permission = { 'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22', 'CidrIp' => '10.0.0.0/8' }
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
end
to_be_revoked.push([permission, expected_permissions.dup])
expected_permissions += [
{"groups"=>[],
"ipRanges"=>[{"cidrIp"=>"10.0.0.0/8"}],
"ipProtocol"=>"tcp",
"fromPort"=>22,
"toPort"=>22}
]
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
# authorize with nested IpProtocol without IpRanges or Groups does nothing
permissions = {
'IpPermissions' => [
{ 'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22' }
]
}
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
end
to_be_revoked.push([permissions, expected_permissions.dup])
# previous did nothing
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
# authorize with nested IpProtocol with IpRanges
permissions = {
'IpPermissions' => [
{
'SourceSecurityGroupName' => 'fog_security_group',
'SourceSecurityGroupOwnerId' => @owner_id
'IpProtocol' => 'tcp', 'FromPort' => '80', 'ToPort' => '80',
'IpRanges' => [{ 'CidrIp' => '192.168.0.0/24' }]
}
).body
]
}
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
end
to_be_revoked.push([permissions, expected_permissions.dup])
expected_permissions += [
{"groups"=>[],
"ipRanges"=>[{"cidrIp"=>"192.168.0.0/24"}],
"ipProtocol"=>"tcp",
"fromPort"=>80,
"toPort"=>80}
]
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
# authorize with nested IpProtocol with Groups
permissions = {
'IpPermissions' => [
{
'IpProtocol' => 'tcp', 'FromPort' => '8000', 'ToPort' => '8000',
'Groups' => [{ 'GroupName' => 'fog_security_group_two' }]
}
]
}
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
end
to_be_revoked.push([permissions, expected_permissions.dup])
expected_permissions += [
{"groups"=>[{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
"ipRanges"=>[],
"ipProtocol"=>"tcp",
"fromPort"=>8000,
"toPort"=>8000}
]
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
# authorize with nested IpProtocol with IpRanges and Groups
# try integers on this one instead of strings
permissions = {
'IpPermissions' => [
{
'IpProtocol' => 'tcp', 'FromPort' => 9000, 'ToPort' => 9000,
'IpRanges' => [{ 'CidrIp' => '172.16.0.0/24' }],
'Groups' => [{ 'GroupName' => 'fog_security_group_two' }]
}
]
}
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
end
to_be_revoked.push([permissions, expected_permissions.dup])
expected_permissions += [
{"groups"=>
[{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
"ipRanges"=>[{"cidrIp"=>"172.16.0.0/24"}],
"ipProtocol"=>"tcp",
"fromPort"=>9000,
"toPort"=>9000}
]
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
tests("#describe_security_groups").formats(@security_groups_format) do
@ -54,36 +236,29 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body
end
tests("#revoke_security_group_ingress('fog_security_group', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].revoke_security_group_ingress(
'fog_security_group',
{
'FromPort' => 80,
'IpProtocol' => 'tcp',
'ToPort' => 80,
}
).body
end
to_be_revoked.reverse.each do |permission, expected_permissions_after|
tests("#revoke_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].revoke_security_group_ingress('fog_security_group', permission).body
end
tests("#revoke_security_group_ingress('fog_security_group', {'SourceSecurityGroupName' => 'fog_security_group', 'SourceSecurityGroupOwnerId' => '#{@owner_id}'})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].revoke_security_group_ingress(
'fog_security_group',
{
'GroupName' => 'fog_security_group',
'SourceSecurityGroupName' => 'fog_security_group',
'SourceSecurityGroupOwnerId' => @owner_id
}
).body
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
array_differences(expected_permissions_after, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
end
end
tests("#delete_security_group('fog_security_group')").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].delete_security_group('fog_security_group').body
end
tests("#delete_security_group('fog_security_group_two')").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].delete_security_group('fog_security_group_two').body
end
end
tests('failure') do
@security_group = Fog::Compute[:aws].security_groups.create(:description => 'tests group', :name => 'fog_security_group')
@other_security_group = Fog::Compute[:aws].security_groups.create(:description => 'tests group', :name => 'fog_other_security_group')
tests("duplicate #create_security_group(#{@security_group.name}, #{@security_group.description})").raises(Fog::Compute::AWS::Error) do
Fog::Compute[:aws].create_security_group(@security_group.name, @security_group.description)
@ -110,6 +285,46 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
)
end
tests("#authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]}).body
end
tests("#authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]})").raises(Fog::Compute::AWS::Error) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]})
end
tests("#authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'Groups' => [{'GroupName' => '#{@other_security_group.name}'}], 'FromPort' => 80, 'ToPort' => 80, 'IpProtocol' => 'tcp'}]})").formats(AWS::Compute::Formats::BASIC) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'Groups' => [{'GroupName' => @other_security_group.name}], 'FromPort' => 80, 'ToPort' => 80, 'IpProtocol' => 'tcp'}]}).body
end
tests("#delete_security_group('#{@other_security_group.name}')").raises(Fog::Compute::AWS::Error) do
Fog::Compute[:aws].delete_security_group(@other_security_group.name)
end
broken_params = [
{},
{ "IpProtocol" => "what" },
{ "IpProtocol" => "tcp" },
{ "IpProtocol" => "what", "FromPort" => 1, "ToPort" => 1 },
]
broken_params += broken_params.map do |broken_params_item|
{ "IpPermissions" => [broken_params_item] }
end
broken_params += [
{ "IpPermissions" => [] },
{ "IpPermissions" => nil }
]
broken_params.each do |broken_params_item|
tests("#authorize_security_group_ingress('fog_security_group', #{broken_params_item.inspect})").raises(Fog::Compute::AWS::Error) do
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', broken_params_item)
end
tests("#revoke_security_group_ingress('fog_security_group', #{broken_params_item.inspect})").raises(Fog::Compute::AWS::Error) do
Fog::Compute[:aws].revoke_security_group_ingress('fog_security_group', broken_params_item)
end
end
tests("#revoke_security_group_ingress('not_a_group_name', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").raises(Fog::Compute::AWS::NotFound) do
Fog::Compute[:aws].revoke_security_group_ingress(
'not_a_group_name',
@ -136,7 +351,11 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
end
@security_group.destroy
@other_security_group.destroy
tests("#delete_security_group('default')").raises(Fog::Compute::AWS::Error) do
Fog::Compute[:aws].delete_security_group('default')
end
end
end
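Review bot: The `broken_params` list in the failure block never exercises ports that are present but non-numeric, nor a nested permission without `IpProtocol`, and adding either would expose a gap in the mock: `{ "IpProtocol" => "tcp", "FromPort" => "abc", "ToPort" => "abc", "CidrIp" => "10.0.0.0/8" }` makes the mock raise `ArgumentError` from `Integer`, not `Fog::Compute::AWS::Error`, so the `raises(...)` assertion would fail. Relatedly, the success block codifies that `{'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22'}` with no `CidrIp` or source group is accepted and "did nothing"; a security-group call that silently grants nothing is exactly how a misconfigured firewall rule goes unnoticed, so it is worth checking whether the real API rejects that request before the test locks in the no-op. Every expected permission also uses `@owner_id` as `userId`, so revoking a cross-account source group by name alone has no coverage. The `tests('failure')` block spans several hunks and starts outside the last one.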


@ -7,6 +7,10 @@ def lorem_file
File.open(File.dirname(__FILE__) + '/lorem.txt', 'r')
end
def array_differences(array_a, array_b)
(array_a - array_b) | (array_b - array_a)
end
# check to see which credentials are available and add others to the skipped tags list
all_providers = ['aws', 'bluebox', 'brightbox', 'dnsimple', 'dnsmadeeasy', 'dynect', 'ecloud', 'glesys', 'gogrid', 'google', 'linode', 'local', 'ninefold', 'newservers', 'openstack', 'rackspace', 'slicehost', 'stormondemand', 'voxel', 'zerigo']
available_providers = Fog.available_providers.map {|provider| provider.downcase}