Merge pull request #578 from dpiddy/aws-security-groups-update
[aws|compute] Update security group operations.
commit
eb282c4fb6
6 changed files with 476 additions and 106 deletions
|
@ -13,11 +13,23 @@ module Fog
|
|||
# * 'SourceSecurityGroupName'<~String> - Name of security group to authorize
|
||||
# * 'SourceSecurityGroupOwnerId'<~String> - Name of owner to authorize
|
||||
# or
|
||||
# * 'CidrIp' - CIDR range
|
||||
# * 'FromPort' - Start of port range (or -1 for ICMP wildcard)
|
||||
# * 'GroupName' - Name of group to modify
|
||||
# * 'IpProtocol' - Ip protocol, must be in ['tcp', 'udp', 'icmp']
|
||||
# * 'ToPort' - End of port range (or -1 for ICMP wildcard)
|
||||
# * 'CidrIp'<~String> - CIDR range
|
||||
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
|
||||
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
|
||||
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
|
||||
# or
|
||||
# * 'IpPermissions'<~Array>:
|
||||
# * permission<~Hash>:
|
||||
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
|
||||
# * 'Groups'<~Array>:
|
||||
# * group<~Hash>:
|
||||
# * 'GroupName'<~String> - Name of security group to authorize
|
||||
# * 'UserId'<~String> - Name of owner to authorize
|
||||
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
|
||||
# * 'IpRanges'<~Array>:
|
||||
# * ip_range<~Hash>:
|
||||
# * 'CidrIp'<~String> - CIDR range
|
||||
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
|
||||
#
|
||||
# === Returns
|
||||
# * response<~Excon::Response>:
|
||||
|
@ -30,8 +42,13 @@ module Fog
|
|||
if group_name.is_a?(Hash)
|
||||
Fog::Logger.deprecation("Fog::AWS::Compute#authorize_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
|
||||
options = group_name
|
||||
group_name = options['GroupName']
|
||||
group_name = options.delete('GroupName')
|
||||
end
|
||||
|
||||
if ip_permissions = options.delete('IpPermissions')
|
||||
options.merge!(indexed_ip_permissions_params(ip_permissions))
|
||||
end
|
||||
|
||||
request({
|
||||
'Action' => 'AuthorizeSecurityGroupIngress',
|
||||
'GroupName' => group_name,
|
||||
|
@ -40,6 +57,29 @@ module Fog
|
|||
}.merge!(options))
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def indexed_ip_permissions_params(ip_permissions)
|
||||
params = {}
|
||||
ip_permissions.each_with_index do |permission, key_index|
|
||||
key_index += 1
|
||||
params[format('IpPermissions.%d.IpProtocol', key_index)] = permission['IpProtocol']
|
||||
params[format('IpPermissions.%d.FromPort', key_index)] = permission['FromPort']
|
||||
params[format('IpPermissions.%d.ToPort', key_index)] = permission['ToPort']
|
||||
(permission['Groups'] || []).each_with_index do |group, group_index|
|
||||
group_index += 1
|
||||
params[format('IpPermissions.%d.Groups.%d.UserId', key_index, group_index)] = group['UserId']
|
||||
params[format('IpPermissions.%d.Groups.%d.GroupName', key_index, group_index)] = group['GroupName']
|
||||
params[format('IpPermissions.%d.Groups.%d.GroupId', key_index, group_index)] = group['GroupId']
|
||||
end
|
||||
(permission['IpRanges'] || []).each_with_index do |ip_range, range_index|
|
||||
range_index += 1
|
||||
params[format('IpPermissions.%d.IpRanges.%d.CidrIp', key_index, range_index)] = ip_range['CidrIp']
|
||||
end
|
||||
end
|
||||
params.reject {|k, v| v.nil? }
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
class Mock
|
||||
|
@ -48,43 +88,38 @@ module Fog
|
|||
if group_name.is_a?(Hash)
|
||||
Fog::Logger.deprecation("Fog::AWS::Compute#authorize_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
|
||||
options = group_name
|
||||
group_name = options['GroupName']
|
||||
group_name = options.delete('GroupName')
|
||||
end
|
||||
|
||||
verify_permission_options(options)
|
||||
|
||||
response = Excon::Response.new
|
||||
group = self.data[:security_groups][group_name]
|
||||
|
||||
if group
|
||||
group['ipPermissions'] ||= []
|
||||
if group_name && source_group_name = options['SourceSecurityGroupName']
|
||||
['tcp', 'udp'].each do |protocol|
|
||||
group['ipPermissions'] << {
|
||||
'groups' => [{'groupName' => source_group_name, 'userId' => (options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]) }],
|
||||
'fromPort' => 1,
|
||||
'ipRanges' => [],
|
||||
'ipProtocol' => protocol,
|
||||
'toPort' => 65535
|
||||
}
|
||||
normalized_permissions = normalize_permissions(options)
|
||||
|
||||
normalized_permissions.each do |permission|
|
||||
if matching_group_permission = find_matching_permission(group, permission)
|
||||
if permission['groups'].any? {|pg| matching_group_permission['groups'].include?(pg) }
|
||||
raise Fog::Compute::AWS::Error, "InvalidPermission.Duplicate => The permission '123' has already been authorized in the specified group"
|
||||
end
|
||||
group['ipPermissions'] << {
|
||||
'groups' => [{'groupName' => source_group_name, 'userId' => (options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]) }],
|
||||
'fromPort' => -1,
|
||||
'ipRanges' => [],
|
||||
'ipProtocol' => 'icmp',
|
||||
'toPort' => -1
|
||||
}
|
||||
|
||||
if permission['ipRanges'].any? {|pr| matching_group_permission['ipRanges'].include?(pr) }
|
||||
raise Fog::Compute::AWS::Error, "InvalidPermission.Duplicate => The permission '123' has already been authorized in the specified group"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
normalized_permissions.each do |permission|
|
||||
if matching_group_permission = find_matching_permission(group, permission)
|
||||
matching_group_permission['groups'] += permission['groups']
|
||||
matching_group_permission['ipRanges'] += permission['ipRanges']
|
||||
else
|
||||
group['ipPermissions'] << {
|
||||
'groups' => [],
|
||||
'fromPort' => options['FromPort'],
|
||||
'ipRanges' => [],
|
||||
'ipProtocol' => options['IpProtocol'],
|
||||
'toPort' => options['ToPort']
|
||||
}
|
||||
if options['CidrIp']
|
||||
group['ipPermissions'].last['ipRanges'] << { 'cidrIp' => options['CidrIp'] }
|
||||
group['ipPermissions'] << permission
|
||||
end
|
||||
end
|
||||
|
||||
response.status = 200
|
||||
response.body = {
|
||||
'requestId' => Fog::AWS::Mock.request_id,
|
||||
|
@ -96,6 +131,76 @@ module Fog
|
|||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def verify_permission_options(options)
|
||||
if options.empty?
|
||||
raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
|
||||
end
|
||||
if options['IpProtocol'] && !['tcp', 'udp', 'icmp'].include?(options['IpProtocol'])
|
||||
raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => Unsupported IP protocol \"#{options['IpProtocol']}\" - supported: [tcp, udp, icmp]")
|
||||
end
|
||||
if options['IpProtocol'] && (!options['FromPort'] || !options['ToPort'])
|
||||
raise Fog::Compute::AWS::Error.new("InvalidPermission.Malformed => TCP/UDP port (-1) out of range")
|
||||
end
|
||||
if options.has_key?('IpPermissions')
|
||||
if !options['IpPermissions'].is_a?(Array) || options['IpPermissions'].empty?
|
||||
raise Fog::Compute::AWS::Error.new("InvalidRequest => The request received was invalid.")
|
||||
end
|
||||
options['IpPermissions'].each {|p| verify_permission_options(p) }
|
||||
end
|
||||
end
|
||||
|
||||
def normalize_permissions(options)
|
||||
normalized_permissions = []
|
||||
|
||||
if options['SourceSecurityGroupName']
|
||||
['tcp', 'udp'].each do |protocol|
|
||||
normalized_permissions << {
|
||||
'ipProtocol' => protocol,
|
||||
'fromPort' => 1,
|
||||
'toPort' => 65535,
|
||||
'groups' => [{'groupName' => options['SourceSecurityGroupName'], 'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]}],
|
||||
'ipRanges' => []
|
||||
}
|
||||
end
|
||||
normalized_permissions << {
|
||||
'ipProtocol' => 'icmp',
|
||||
'fromPort' => -1,
|
||||
'toPort' => -1,
|
||||
'groups' => [{'groupName' => options['SourceSecurityGroupName'], 'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id]}],
|
||||
'ipRanges' => []
|
||||
}
|
||||
elsif options['CidrIp']
|
||||
normalized_permissions << {
|
||||
'ipProtocol' => options['IpProtocol'],
|
||||
'fromPort' => Integer(options['FromPort']),
|
||||
'toPort' => Integer(options['ToPort']),
|
||||
'groups' => [],
|
||||
'ipRanges' => [{'cidrIp' => options['CidrIp']}]
|
||||
}
|
||||
elsif options['IpPermissions']
|
||||
options['IpPermissions'].each do |permission|
|
||||
normalized_permissions << {
|
||||
'ipProtocol' => permission['IpProtocol'],
|
||||
'fromPort' => Integer(permission['FromPort']),
|
||||
'toPort' => Integer(permission['ToPort']),
|
||||
'groups' => (permission['Groups'] || []).map {|g| {'groupName' => g['GroupName'], 'userId' => g['UserId'] || self.data[:owner_id]} },
|
||||
'ipRanges' => (permission['IpRanges'] || []).map {|r| { 'cidrIp' => r['CidrIp'] } }
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
normalized_permissions
|
||||
end
|
||||
|
||||
def find_matching_permission(group, permission)
|
||||
group['ipPermissions'].detect {|group_permission|
|
||||
permission['ipProtocol'] == group_permission['ipProtocol'] &&
|
||||
permission['fromPort'] == group_permission['fromPort'] &&
|
||||
permission['toPort'] == group_permission['toPort'] }
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
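Review bot: `verify_permission_options` in the Mock lets a request through that carries `CidrIp` but no `IpProtocol`, and `normalize_permissions` then evaluates `Integer(options['FromPort'])` on `nil`, so the caller sees a `TypeError` instead of the `InvalidPermission.Malformed` error the other malformed shapes raise; the port checks likewise only test presence, so a non-numeric `FromPort`/`ToPort` surfaces as an `ArgumentError` from `Integer()`. I would add `if options['CidrIp'] && !options['IpProtocol']` raising the same `InvalidPermission.Malformed` error beside the existing protocol check, and do the `Integer(...)` coercion inside that method so a bad port is reported the same way; nested `IpPermissions` entries go through the same method recursively, so they pick the fix up too. Separately, the parameter docs in the first hunk list only `GroupName` and `UserId` under `Groups`, while `indexed_ip_permissions_params` also forwards `GroupId`; a line `# * 'GroupId'<~String> - Id of security group to authorize` would keep the two in step.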
|
|
|
@ -30,8 +30,33 @@ module Fog
|
|||
|
||||
class Mock
|
||||
def delete_security_group(name)
|
||||
if name == 'default'
|
||||
raise Fog::Compute::AWS::Error.new("InvalidGroup.Reserved => The security group 'default' is reserved")
|
||||
end
|
||||
|
||||
response = Excon::Response.new
|
||||
if self.data[:security_groups][name]
|
||||
|
||||
used_by_groups = []
|
||||
self.region_data.each do |access_key, key_data|
|
||||
key_data[:security_groups].each do |group_name, group|
|
||||
next if group == self.data[:security_groups][name]
|
||||
|
||||
group['ipPermissions'].each do |group_ip_permission|
|
||||
group_ip_permission['groups'].each do |group_group_permission|
|
||||
if group_group_permission['groupName'] == name &&
|
||||
group_group_permission['userId'] == self.data[:owner_id]
|
||||
used_by_groups << "#{key_data[:owner_id]}:#{group_name}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
unless used_by_groups.empty?
|
||||
raise Fog::Compute::AWS::Error.new("InvalidGroup.InUse => Group #{self.data[:owner_id]}:#{name} is used by groups: #{used_by_groups.uniq.join(" ")}")
|
||||
end
|
||||
|
||||
self.data[:security_groups].delete(name)
|
||||
response.status = 200
|
||||
response.body = {
|
||||
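Review bot: The new in-use scan calls `group['ipPermissions'].each` on every stored group, while the authorize mock in this same PR guards with `group['ipPermissions'] ||= []`, which suggests the key can be nil for a group that never received a rule; such a group would make delete raise `NoMethodError` rather than complete. Writing it as `(group['ipPermissions'] || []).each do |group_ip_permission|` keeps the scan total. `next if group == self.data[:security_groups][name]` also compares by structural Hash equality, so an identically-shaped group under another access key would be skipped as well; `equal?` states the identity intent precisely. The enclosing method continues past the end of the hunk.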
|
|
|
@ -8,15 +8,28 @@ module Fog
|
|||
# Remove permissions from a security group
|
||||
#
|
||||
# ==== Parameters
|
||||
# * 'GroupName'<~String> - Name of group
|
||||
# * group_name<~String> - Name of group
|
||||
# * options<~Hash>:
|
||||
# * 'SourceSecurityGroupName'<~String> - Name of security group to authorize
|
||||
# * 'SourceSecurityGroupOwnerId'<~String> - Name of owner to authorize
|
||||
# or
|
||||
# * 'CidrIp' - CIDR range
|
||||
# * 'FromPort' - Start of port range (or -1 for ICMP wildcard)
|
||||
# * 'IpProtocol' - Ip protocol, must be in ['tcp', 'udp', 'icmp']
|
||||
# * 'ToPort' - End of port range (or -1 for ICMP wildcard)
|
||||
# * 'CidrIp'<~String> - CIDR range
|
||||
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
|
||||
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
|
||||
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
|
||||
# or
|
||||
# * 'IpPermissions'<~Array>:
|
||||
# * permission<~Hash>:
|
||||
# * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
|
||||
# * 'Groups'<~Array>:
|
||||
# * group<~Hash>:
|
||||
# * 'GroupName'<~String> - Name of security group to authorize
|
||||
# * 'UserId'<~String> - Name of owner to authorize
|
||||
# * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
|
||||
# * 'IpRanges'<~Array>:
|
||||
# * ip_range<~Hash>:
|
||||
# * 'CidrIp'<~String> - CIDR range
|
||||
# * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
|
||||
#
|
||||
# === Returns
|
||||
# * response<~Excon::Response>:
|
||||
|
@ -29,8 +42,13 @@ module Fog
|
|||
if group_name.is_a?(Hash)
|
||||
Fog::Logger.deprecation("Fog::AWS::Compute#revoke_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
|
||||
options = group_name
|
||||
group_name = options['GroupName']
|
||||
group_name = options.delete('GroupName')
|
||||
end
|
||||
|
||||
if ip_permissions = options.delete('IpPermissions')
|
||||
options.merge!(indexed_ip_permissions_params(ip_permissions))
|
||||
end
|
||||
|
||||
request({
|
||||
'Action' => 'RevokeSecurityGroupIngress',
|
||||
'GroupName' => group_name,
|
||||
|
@ -47,34 +65,28 @@ module Fog
|
|||
if group_name.is_a?(Hash)
|
||||
Fog::Logger.deprecation("Fog::AWS::Compute#revoke_security_group_ingress now requires the 'group_name' parameter. Only specifying an options hash is now deprecated [light_black](#{caller.first})[/]")
|
||||
options = group_name
|
||||
group_name = options['GroupName']
|
||||
group_name = options.delete('GroupName')
|
||||
end
|
||||
|
||||
verify_permission_options(options)
|
||||
|
||||
response = Excon::Response.new
|
||||
group = self.data[:security_groups][group_name]
|
||||
|
||||
if group
|
||||
if source_group_name = options['SourceSecurityGroupName']
|
||||
group['ipPermissions'].delete_if do |permission|
|
||||
if source_owner_id = options['SourceSecurityGroupOwnerId']
|
||||
permission['groups'].first['groupName'] == source_group_name && permission['groups'].first['userId'] == source_owner_id
|
||||
else
|
||||
permission['groups'].first['groupName'] == source_group_name
|
||||
normalized_permissions = normalize_permissions(options)
|
||||
|
||||
normalized_permissions.each do |permission|
|
||||
if matching_permission = find_matching_permission(group, permission)
|
||||
matching_permission['ipRanges'] -= permission['ipRanges']
|
||||
matching_permission['groups'] -= permission['groups']
|
||||
|
||||
if matching_permission['ipRanges'].empty? && matching_permission['groups'].empty?
|
||||
group['ipPermissions'].delete(matching_permission)
|
||||
end
|
||||
end
|
||||
else
|
||||
ingress = group['ipPermissions'].select {|permission|
|
||||
permission['fromPort'] == options['FromPort'] &&
|
||||
permission['ipProtocol'] == options['IpProtocol'] &&
|
||||
permission['toPort'] == options['ToPort'] &&
|
||||
(
|
||||
permission['ipRanges'].empty? ||
|
||||
(
|
||||
permission['ipRanges'].first &&
|
||||
permission['ipRanges'].first['cidrIp'] == options['CidrIp']
|
||||
)
|
||||
)
|
||||
}.first
|
||||
group['ipPermissions'].delete(ingress)
|
||||
end
|
||||
|
||||
response.status = 200
|
||||
response.body = {
|
||||
'requestId' => Fog::AWS::Mock.request_id,
|
||||
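Review bot: `Real#revoke_security_group_ingress` now writes into the hash the caller passed in — `options.delete('GroupName')`, `options.delete('IpPermissions')` and `options.merge!(indexed_ip_permissions_params(...))` all mutate it — and `Real#authorize_security_group_ingress` in this PR does the same. The request tests in this PR keep the very hash they pass to authorize and hand it to revoke later (`to_be_revoked.push([permissions, expected_permissions.dup])`), so against the real service the second call would receive the already-flattened indexed keys rather than the documented `IpPermissions` form. Copying once before the first `delete`, `options = options.dup` (and `options = group_name.dup` in the deprecation branch), keeps the public argument untouched in both methods. In the Mock, `group['ipPermissions']` is read without the `||= []` guard the authorize mock adds, so a group whose permissions were never initialised would raise inside `find_matching_permission`; the same guard belongs here. The method body continues outside the hunk.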
|
|
|
@ -2,17 +2,10 @@ Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do
|
|||
|
||||
model_tests(Fog::Compute[:aws].security_groups, {:description => 'foggroupdescription', :name => 'foggroupname'}, true)
|
||||
|
||||
tests("a group with trailing whitespace") do
|
||||
@group = Fog::Compute[:aws].security_groups.create(:name => "foggroup with spaces ", :description => " fog group desc ")
|
||||
test("name is correct") do
|
||||
@group.name == "foggroup with spaces "
|
||||
end
|
||||
tests("authorize and revoke helpers") do
|
||||
@group = Fog::Compute[:aws].security_groups.create(:name => "foggroup", :description => "fog group desc")
|
||||
|
||||
test("description is correct") do
|
||||
@group.description == " fog group desc "
|
||||
end
|
||||
|
||||
@other_group = Fog::Compute[:aws].security_groups.create(:name => 'other group', :description => 'another group')
|
||||
@other_group = Fog::Compute[:aws].security_groups.create(:name => 'fog other group', :description => 'another fog group')
|
||||
|
||||
test("authorize access by another security group") do
|
||||
@group.authorize_group_and_owner(@other_group.name)
|
||||
|
@ -26,6 +19,18 @@ Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do
|
|||
@group.ip_permissions.empty?
|
||||
end
|
||||
|
||||
test("authorize access to a port range") do
|
||||
@group.authorize_port_range(5000..6000)
|
||||
@group.reload
|
||||
@group.ip_permissions.size == 1
|
||||
end
|
||||
|
||||
test("revoke access to a port range") do
|
||||
@group.revoke_port_range(5000..6000)
|
||||
@group.reload
|
||||
@group.ip_permissions.empty?
|
||||
end
|
||||
|
||||
@other_group.destroy
|
||||
@group.destroy
|
||||
end
|
||||
|
|
|
@ -25,25 +25,207 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
|
|||
Fog::Compute[:aws].create_security_group('fog_security_group', 'tests group').body
|
||||
end
|
||||
|
||||
tests("#authorize_security_group_ingress('fog_security_group', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress(
|
||||
'fog_security_group',
|
||||
{
|
||||
'FromPort' => 80,
|
||||
'IpProtocol' => 'tcp',
|
||||
'ToPort' => 80,
|
||||
}
|
||||
).body
|
||||
tests("#create_security_group('fog_security_group_two', 'tests group')").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].create_security_group('fog_security_group_two', 'tests group').body
|
||||
end
|
||||
|
||||
tests("#authorize_security_group_ingress('fog_security_group', {'SourceSecurityGroupName' => 'fog_security_group', 'SourceSecurityGroupOwnerId' => '#{@owner_id}'})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress(
|
||||
'fog_security_group',
|
||||
{
|
||||
'SourceSecurityGroupName' => 'fog_security_group',
|
||||
'SourceSecurityGroupOwnerId' => @owner_id
|
||||
to_be_revoked = []
|
||||
expected_permissions = []
|
||||
|
||||
permission = { 'SourceSecurityGroupName' => 'default' }
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permission, expected_permissions.dup])
|
||||
|
||||
expected_permissions = [
|
||||
{"groups"=>[{"groupName"=>"default", "userId"=>@owner_id}],
|
||||
"fromPort"=>1,
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"tcp",
|
||||
"toPort"=>65535},
|
||||
{"groups"=>[{"groupName"=>"default", "userId"=>@owner_id}],
|
||||
"fromPort"=>1,
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"udp",
|
||||
"toPort"=>65535},
|
||||
{"groups"=>[{"groupName"=>"default", "userId"=>@owner_id}],
|
||||
"fromPort"=>-1,
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"icmp",
|
||||
"toPort"=>-1}
|
||||
]
|
||||
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
permission = { 'SourceSecurityGroupName' => 'fog_security_group_two', 'SourceSecurityGroupOwnerId' => @owner_id }
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permission, expected_permissions.dup])
|
||||
|
||||
expected_permissions = [
|
||||
{"groups"=>
|
||||
[{"userId"=>@owner_id, "groupName"=>"default"},
|
||||
{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"tcp",
|
||||
"fromPort"=>1,
|
||||
"toPort"=>65535},
|
||||
{"groups"=>
|
||||
[{"userId"=>@owner_id, "groupName"=>"default"},
|
||||
{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"udp",
|
||||
"fromPort"=>1,
|
||||
"toPort"=>65535},
|
||||
{"groups"=>
|
||||
[{"userId"=>@owner_id, "groupName"=>"default"},
|
||||
{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"icmp",
|
||||
"fromPort"=>-1,
|
||||
"toPort"=>-1}
|
||||
]
|
||||
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
permission = { 'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22' }
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permission, expected_permissions.dup])
|
||||
|
||||
# previous did nothing
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
permission = { 'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22', 'CidrIp' => '10.0.0.0/8' }
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permission).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permission, expected_permissions.dup])
|
||||
|
||||
expected_permissions += [
|
||||
{"groups"=>[],
|
||||
"ipRanges"=>[{"cidrIp"=>"10.0.0.0/8"}],
|
||||
"ipProtocol"=>"tcp",
|
||||
"fromPort"=>22,
|
||||
"toPort"=>22}
|
||||
]
|
||||
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
# authorize with nested IpProtocol without IpRanges or Groups does nothing
|
||||
permissions = {
|
||||
'IpPermissions' => [
|
||||
{ 'IpProtocol' => 'tcp', 'FromPort' => '22', 'ToPort' => '22' }
|
||||
]
|
||||
}
|
||||
).body
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permissions, expected_permissions.dup])
|
||||
|
||||
# previous did nothing
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
# authorize with nested IpProtocol with IpRanges
|
||||
permissions = {
|
||||
'IpPermissions' => [
|
||||
{
|
||||
'IpProtocol' => 'tcp', 'FromPort' => '80', 'ToPort' => '80',
|
||||
'IpRanges' => [{ 'CidrIp' => '192.168.0.0/24' }]
|
||||
}
|
||||
]
|
||||
}
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permissions, expected_permissions.dup])
|
||||
|
||||
expected_permissions += [
|
||||
{"groups"=>[],
|
||||
"ipRanges"=>[{"cidrIp"=>"192.168.0.0/24"}],
|
||||
"ipProtocol"=>"tcp",
|
||||
"fromPort"=>80,
|
||||
"toPort"=>80}
|
||||
]
|
||||
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
# authorize with nested IpProtocol with Groups
|
||||
permissions = {
|
||||
'IpPermissions' => [
|
||||
{
|
||||
'IpProtocol' => 'tcp', 'FromPort' => '8000', 'ToPort' => '8000',
|
||||
'Groups' => [{ 'GroupName' => 'fog_security_group_two' }]
|
||||
}
|
||||
]
|
||||
}
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permissions, expected_permissions.dup])
|
||||
|
||||
expected_permissions += [
|
||||
{"groups"=>[{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
|
||||
"ipRanges"=>[],
|
||||
"ipProtocol"=>"tcp",
|
||||
"fromPort"=>8000,
|
||||
"toPort"=>8000}
|
||||
]
|
||||
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
# authorize with nested IpProtocol with IpRanges and Groups
|
||||
# try integers on this one instead of strings
|
||||
permissions = {
|
||||
'IpPermissions' => [
|
||||
{
|
||||
'IpProtocol' => 'tcp', 'FromPort' => 9000, 'ToPort' => 9000,
|
||||
'IpRanges' => [{ 'CidrIp' => '172.16.0.0/24' }],
|
||||
'Groups' => [{ 'GroupName' => 'fog_security_group_two' }]
|
||||
}
|
||||
]
|
||||
}
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{permissions.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', permissions).body
|
||||
end
|
||||
|
||||
to_be_revoked.push([permissions, expected_permissions.dup])
|
||||
|
||||
expected_permissions += [
|
||||
{"groups"=>
|
||||
[{"userId"=>@owner_id, "groupName"=>"fog_security_group_two"}],
|
||||
"ipRanges"=>[{"cidrIp"=>"172.16.0.0/24"}],
|
||||
"ipProtocol"=>"tcp",
|
||||
"fromPort"=>9000,
|
||||
"toPort"=>9000}
|
||||
]
|
||||
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
|
||||
tests("#describe_security_groups").formats(@security_groups_format) do
|
||||
|
@ -54,36 +236,29 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
|
|||
Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body
|
||||
end
|
||||
|
||||
tests("#revoke_security_group_ingress('fog_security_group', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].revoke_security_group_ingress(
|
||||
'fog_security_group',
|
||||
{
|
||||
'FromPort' => 80,
|
||||
'IpProtocol' => 'tcp',
|
||||
'ToPort' => 80,
|
||||
}
|
||||
).body
|
||||
to_be_revoked.reverse.each do |permission, expected_permissions_after|
|
||||
tests("#revoke_security_group_ingress('fog_security_group', #{permission.inspect})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].revoke_security_group_ingress('fog_security_group', permission).body
|
||||
end
|
||||
|
||||
tests("#revoke_security_group_ingress('fog_security_group', {'SourceSecurityGroupName' => 'fog_security_group', 'SourceSecurityGroupOwnerId' => '#{@owner_id}'})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].revoke_security_group_ingress(
|
||||
'fog_security_group',
|
||||
{
|
||||
'GroupName' => 'fog_security_group',
|
||||
'SourceSecurityGroupName' => 'fog_security_group',
|
||||
'SourceSecurityGroupOwnerId' => @owner_id
|
||||
}
|
||||
).body
|
||||
tests("#describe_security_groups('group-name' => 'fog_security_group')").returns([]) do
|
||||
array_differences(expected_permissions_after, Fog::Compute[:aws].describe_security_groups('group-name' => 'fog_security_group').body['securityGroupInfo'].first['ipPermissions'])
|
||||
end
|
||||
end
|
||||
|
||||
tests("#delete_security_group('fog_security_group')").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].delete_security_group('fog_security_group').body
|
||||
end
|
||||
|
||||
tests("#delete_security_group('fog_security_group_two')").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].delete_security_group('fog_security_group_two').body
|
||||
end
|
||||
|
||||
end
|
||||
tests('failure') do
|
||||
|
||||
@security_group = Fog::Compute[:aws].security_groups.create(:description => 'tests group', :name => 'fog_security_group')
|
||||
@other_security_group = Fog::Compute[:aws].security_groups.create(:description => 'tests group', :name => 'fog_other_security_group')
|
||||
|
||||
tests("duplicate #create_security_group(#{@security_group.name}, #{@security_group.description})").raises(Fog::Compute::AWS::Error) do
|
||||
Fog::Compute[:aws].create_security_group(@security_group.name, @security_group.description)
|
||||
|
@ -110,6 +285,46 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
|
|||
)
|
||||
end
|
||||
|
||||
tests("#authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]}).body
|
||||
end
|
||||
|
||||
tests("#authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]})").raises(Fog::Compute::AWS::Error) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'IpProtocol' => 'tcp', 'FromPort' => 80, 'ToPort' => 80, 'IpRanges' => [{'CidrIp' => '10.0.0.0/8'}]}]})
|
||||
end
|
||||
|
||||
tests("#authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'Groups' => [{'GroupName' => '#{@other_security_group.name}'}], 'FromPort' => 80, 'ToPort' => 80, 'IpProtocol' => 'tcp'}]})").formats(AWS::Compute::Formats::BASIC) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', {'IpPermissions' => [{'Groups' => [{'GroupName' => @other_security_group.name}], 'FromPort' => 80, 'ToPort' => 80, 'IpProtocol' => 'tcp'}]}).body
|
||||
end
|
||||
|
||||
tests("#delete_security_group('#{@other_security_group.name}')").raises(Fog::Compute::AWS::Error) do
|
||||
Fog::Compute[:aws].delete_security_group(@other_security_group.name)
|
||||
end
|
||||
|
||||
broken_params = [
|
||||
{},
|
||||
{ "IpProtocol" => "what" },
|
||||
{ "IpProtocol" => "tcp" },
|
||||
{ "IpProtocol" => "what", "FromPort" => 1, "ToPort" => 1 },
|
||||
]
|
||||
broken_params += broken_params.map do |broken_params_item|
|
||||
{ "IpPermissions" => [broken_params_item] }
|
||||
end
|
||||
broken_params += [
|
||||
{ "IpPermissions" => [] },
|
||||
{ "IpPermissions" => nil }
|
||||
]
|
||||
|
||||
broken_params.each do |broken_params_item|
|
||||
tests("#authorize_security_group_ingress('fog_security_group', #{broken_params_item.inspect})").raises(Fog::Compute::AWS::Error) do
|
||||
Fog::Compute[:aws].authorize_security_group_ingress('fog_security_group', broken_params_item)
|
||||
end
|
||||
|
||||
tests("#revoke_security_group_ingress('fog_security_group', #{broken_params_item.inspect})").raises(Fog::Compute::AWS::Error) do
|
||||
Fog::Compute[:aws].revoke_security_group_ingress('fog_security_group', broken_params_item)
|
||||
end
|
||||
end
|
||||
|
||||
tests("#revoke_security_group_ingress('not_a_group_name', {'FromPort' => 80, 'IpProtocol' => 'tcp', 'toPort' => 80})").raises(Fog::Compute::AWS::NotFound) do
|
||||
Fog::Compute[:aws].revoke_security_group_ingress(
|
||||
'not_a_group_name',
|
||||
|
@ -136,7 +351,11 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
|
|||
end
|
||||
|
||||
@security_group.destroy
|
||||
@other_security_group.destroy
|
||||
|
||||
tests("#delete_security_group('default')").raises(Fog::Compute::AWS::Error) do
|
||||
Fog::Compute[:aws].delete_security_group('default')
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
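Review bot: The `broken_params` list in the failure tests does not cover a permission that names a `CidrIp` without an `IpProtocol`, e.g. `{ "CidrIp" => "10.0.0.0/8" }`, which is one malformed shape the Mock's `verify_permission_options` does not reject; adding that entry would make the `.raises(Fog::Compute::AWS::Error)` loop pin the behaviour instead of leaving it to `Integer(nil)` inside `normalize_permissions`. The two `# previous did nothing` cases assert that a permission with protocol and ports but neither `CidrIp` nor `Groups` returns 200 with no effect; that is what the mock does, but nothing here establishes that EC2 answers the same way, so a comment stating that this documents mock behaviour would help the next reader. Several `tests(...)` blocks also share one `permission`/`permissions` hash object between the authorize call and the later revoke loop, which only holds as long as neither request mutates its argument; `permission.dup` at the `to_be_revoked.push` sites would decouple the test from that.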
|
|
|
@ -7,6 +7,10 @@ def lorem_file
|
|||
File.open(File.dirname(__FILE__) + '/lorem.txt', 'r')
|
||||
end
|
||||
|
||||
def array_differences(array_a, array_b)
|
||||
(array_a - array_b) | (array_b - array_a)
|
||||
end
|
||||
|
||||
# check to see which credentials are available and add others to the skipped tags list
|
||||
all_providers = ['aws', 'bluebox', 'brightbox', 'dnsimple', 'dnsmadeeasy', 'dynect', 'ecloud', 'glesys', 'gogrid', 'google', 'linode', 'local', 'ninefold', 'newservers', 'openstack', 'rackspace', 'slicehost', 'stormondemand', 'voxel', 'zerigo']
|
||||
available_providers = Fog.available_providers.map {|provider| provider.downcase}
|
||||
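Review bot: `array_differences` returns the symmetric difference through `Array#-` and `|`, both of which discard multiplicity, so `array_differences([x], [x, x])` is `[]`; the request tests call it with `.returns([])` on `ipPermissions`, and a permission appended twice — the duplicate scenario those tests exercise — would still pass. A note above the method, `# Symmetric difference; repeated elements on either side are collapsed, so a duplicated entry is not reported.`, makes the limitation visible, and callers that care about duplicates should compare sizes as well.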
|
|