1 # Copyright (c) 2017 Cable Television Laboratories, Inc. ("CableLabs")
2 # and others. All rights reserved.
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at:
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 from neutronclient.common.exceptions import NotFound, Conflict
20 from snaps.config.security_group import (
21 SecurityGroupConfig, SecurityGroupRuleConfig)
22 from snaps.openstack.openstack_creator import OpenStackNetworkObject
23 from snaps.openstack.utils import keystone_utils
24 from snaps.openstack.utils import neutron_utils
26 __author__ = 'spisarski'
28 logger = logging.getLogger('OpenStackSecurityGroup')
31 class OpenStackSecurityGroup(OpenStackNetworkObject):
33 Class responsible for managing a Security Group in OpenStack
36 def __init__(self, os_creds, sec_grp_settings):
38 Constructor - all parameters are required
39 :param os_creds: The credentials to connect with OpenStack
40 :param sec_grp_settings: The settings used to create a security group
42 super(self.__class__, self).__init__(os_creds)
44 self.sec_grp_settings = sec_grp_settings
46 # Attributes instantiated on create()
47 self.__security_group = None
49 # dict where the rule settings object is the key
54 Loads existing security group.
55 :return: the security group domain object
57 super(self.__class__, self).initialize()
59 self.__security_group = neutron_utils.get_security_group(
60 self._neutron, sec_grp_settings=self.sec_grp_settings,
61 project_id=self.project_id)
62 if self.__security_group:
64 existing_rules = neutron_utils.get_rules_by_security_group(
65 self._neutron, self.__security_group)
67 for existing_rule in existing_rules:
69 rule_setting = self.__get_setting_from_rule(existing_rule)
70 self.__rules[rule_setting] = existing_rule
72 self.__security_group = neutron_utils.get_security_group_by_id(
73 self._neutron, self.__security_group.id)
75 return self.__security_group
79 Responsible for creating the security group.
80 :return: the security group domain object
84 if not self.__security_group:
86 'Creating security group %s...' % self.sec_grp_settings.name)
88 keystone = keystone_utils.keystone_client(self._os_creds)
89 self.__security_group = neutron_utils.create_security_group(
90 self._neutron, keystone, self.sec_grp_settings,
91 project_id=self.project_id)
93 # Get the rules added for free
94 auto_rules = neutron_utils.get_rules_by_security_group(
95 self._neutron, self.__security_group)
98 for auto_rule in auto_rules:
99 auto_rule_setting = self.__generate_rule_setting(auto_rule)
100 self.__rules[auto_rule_setting] = auto_rule
103 # Create the custom rules
104 for sec_grp_rule_setting in self.sec_grp_settings.rule_settings:
106 custom_rule = neutron_utils.create_security_group_rule(
107 self._neutron, sec_grp_rule_setting, self.project_id)
108 self.__rules[sec_grp_rule_setting] = custom_rule
109 except Conflict as e:
110 logger.warn('Unable to create rule due to conflict - %s',
113 # Refresh security group object to reflect the new rules added
114 self.__security_group = neutron_utils.get_security_group_by_id(
115 self._neutron, self.__security_group.id)
117 return self.__security_group
119 def __generate_rule_setting(self, rule):
121 Creates a SecurityGroupRuleConfig object for a given rule
122 :param rule: the rule from which to create the
123 SecurityGroupRuleConfig object
124 :return: the newly instantiated SecurityGroupRuleConfig object
126 sec_grp = neutron_utils.get_security_group_by_id(
127 self._neutron, rule.security_group_id)
129 setting = SecurityGroupRuleConfig(
130 description=rule.description,
131 direction=rule.direction,
132 ethertype=rule.ethertype,
133 port_range_min=rule.port_range_min,
134 port_range_max=rule.port_range_max,
135 protocol=rule.protocol,
136 remote_group_id=rule.remote_group_id,
137 remote_ip_prefix=rule.remote_ip_prefix,
138 sec_grp_name=sec_grp.name)
143 Removes and deletes the rules then the security group.
145 for setting, rule in self.__rules.items():
147 neutron_utils.delete_security_group_rule(self._neutron, rule)
148 except NotFound as e:
149 logger.warning('Rule not found, cannot delete - ' + str(e))
151 self.__rules = dict()
153 if self.__security_group:
155 neutron_utils.delete_security_group(self._neutron,
156 self.__security_group)
157 except NotFound as e:
159 'Security Group not found, cannot delete - ' + str(e))
161 self.__security_group = None
163 def get_security_group(self):
165 Returns the OpenStack security group object
168 return self.__security_group
172 Returns the associated rules
177 def add_rule(self, rule_setting):
179 Adds a rule to this security group
180 :param rule_setting: the rule configuration
182 rule_setting.sec_grp_name = self.sec_grp_settings.name
183 new_rule = neutron_utils.create_security_group_rule(
184 self._neutron, rule_setting, self.project_id)
185 self.__rules[rule_setting] = new_rule
186 self.sec_grp_settings.rule_settings.append(rule_setting)
188 def remove_rule(self, rule_id=None, rule_setting=None):
190 Removes a rule to this security group by id, name, or rule_setting
192 :param rule_id: the rule's id
193 :param rule_setting: the rule's setting object
195 rule_to_remove = None
196 if rule_id or rule_setting:
198 rule_to_remove = neutron_utils.get_rule_by_id(
199 self._neutron, self.__security_group, rule_id)
201 rule_to_remove = self.__rules.get(rule_setting)
204 neutron_utils.delete_security_group_rule(self._neutron,
206 rule_setting = self.__get_setting_from_rule(rule_to_remove)
208 self.__rules.pop(rule_setting)
210 logger.warning('Rule setting is None, cannot remove rule')
212 def __get_setting_from_rule(self, rule):
214 Returns the associated RuleSetting object for a given rule
215 :param rule: the Rule object
216 :return: the associated RuleSetting object or None
218 for rule_setting in self.sec_grp_settings.rule_settings:
219 if rule_setting.rule_eq(rule):
224 class SecurityGroupSettings(SecurityGroupConfig):
226 Class to hold the configuration settings required for creating OpenStack
227 SecurityGroup objects
228 deprecated - use snaps.config.security_group.SecurityGroupConfig instead
231 def __init__(self, **kwargs):
232 from warnings import warn
233 warn('Use snaps.config.security_group.SecurityGroupConfig instead',
235 super(self.__class__, self).__init__(**kwargs)
238 class Direction(enum.Enum):
241 deprecated - use snaps.config.security_group.Direction
247 class Protocol(enum.Enum):
250 deprecated - use snaps.config.security_group.Protocol
278 class Ethertype(enum.Enum):
281 deprecated - use snaps.config.security_group.Ethertype
287 class SecurityGroupRuleSettings(SecurityGroupRuleConfig):
289 Class to hold the configuration settings required for creating OpenStack
290 SecurityGroupRule objects
291 deprecated - use snaps.config.security_group.SecurityGroupRuleConfig
295 def __init__(self, **kwargs):
296 from warnings import warn
297 warn('Use snaps.config.security_group.SecurityGroupRuleConfig instead',
299 super(self.__class__, self).__init__(**kwargs)