1 # Copyright (c) 2017 Cable Television Laboratories, Inc. ("CableLabs")
2 # and others. All rights reserved.
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at:
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 from neutronclient.common.exceptions import NotFound, Conflict
20 from snaps.config.security_group import (
21 SecurityGroupConfig, SecurityGroupRuleConfig)
22 from snaps.openstack.openstack_creator import OpenStackNetworkObject
23 from snaps.openstack.utils import keystone_utils
24 from snaps.openstack.utils import neutron_utils
26 __author__ = 'spisarski'
28 logger = logging.getLogger('OpenStackSecurityGroup')
31 class OpenStackSecurityGroup(OpenStackNetworkObject):
33 Class responsible for managing a Security Group in OpenStack
36 def __init__(self, os_creds, sec_grp_settings):
38 Constructor - all parameters are required
39 :param os_creds: The credentials to connect with OpenStack
40 :param sec_grp_settings: The settings used to create a security group
42 super(self.__class__, self).__init__(os_creds)
44 self.sec_grp_settings = sec_grp_settings
46 # Attributes instantiated on create()
47 self.__security_group = None
49 # dict where the rule settings object is the key
54 Loads existing security group.
55 :return: the security group domain object
57 super(self.__class__, self).initialize()
59 self.__security_group = neutron_utils.get_security_group(
60 self._neutron, sec_grp_settings=self.sec_grp_settings)
61 if self.__security_group:
63 existing_rules = neutron_utils.get_rules_by_security_group(
64 self._neutron, self.__security_group)
66 for existing_rule in existing_rules:
68 rule_setting = self.__get_setting_from_rule(existing_rule)
69 self.__rules[rule_setting] = existing_rule
71 self.__security_group = neutron_utils.get_security_group_by_id(
72 self._neutron, self.__security_group.id)
74 return self.__security_group
78 Responsible for creating the security group.
79 :return: the security group domain object
83 if not self.__security_group:
85 'Creating security group %s...' % self.sec_grp_settings.name)
87 keystone = keystone_utils.keystone_client(self._os_creds)
88 self.__security_group = neutron_utils.create_security_group(
89 self._neutron, keystone,
90 self.sec_grp_settings)
92 # Get the rules added for free
93 auto_rules = neutron_utils.get_rules_by_security_group(
94 self._neutron, self.__security_group)
97 for auto_rule in auto_rules:
98 auto_rule_setting = self.__generate_rule_setting(auto_rule)
99 self.__rules[auto_rule_setting] = auto_rule
102 # Create the custom rules
103 for sec_grp_rule_setting in self.sec_grp_settings.rule_settings:
105 custom_rule = neutron_utils.create_security_group_rule(
106 self._neutron, sec_grp_rule_setting)
107 self.__rules[sec_grp_rule_setting] = custom_rule
108 except Conflict as e:
109 logger.warn('Unable to create rule due to conflict - %s',
112 # Refresh security group object to reflect the new rules added
113 self.__security_group = neutron_utils.get_security_group(
114 self._neutron, sec_grp_settings=self.sec_grp_settings)
116 return self.__security_group
118 def __generate_rule_setting(self, rule):
120 Creates a SecurityGroupRuleConfig object for a given rule
121 :param rule: the rule from which to create the
122 SecurityGroupRuleConfig object
123 :return: the newly instantiated SecurityGroupRuleConfig object
125 sec_grp = neutron_utils.get_security_group_by_id(
126 self._neutron, rule.security_group_id)
128 setting = SecurityGroupRuleConfig(
129 description=rule.description,
130 direction=rule.direction,
131 ethertype=rule.ethertype,
132 port_range_min=rule.port_range_min,
133 port_range_max=rule.port_range_max,
134 protocol=rule.protocol,
135 remote_group_id=rule.remote_group_id,
136 remote_ip_prefix=rule.remote_ip_prefix,
137 sec_grp_name=sec_grp.name)
142 Removes and deletes the rules then the security group.
144 for setting, rule in self.__rules.items():
146 neutron_utils.delete_security_group_rule(self._neutron, rule)
147 except NotFound as e:
148 logger.warning('Rule not found, cannot delete - ' + str(e))
150 self.__rules = dict()
152 if self.__security_group:
154 neutron_utils.delete_security_group(self._neutron,
155 self.__security_group)
156 except NotFound as e:
158 'Security Group not found, cannot delete - ' + str(e))
160 self.__security_group = None
162 def get_security_group(self):
164 Returns the OpenStack security group object
167 return self.__security_group
171 Returns the associated rules
176 def add_rule(self, rule_setting):
178 Adds a rule to this security group
179 :param rule_setting: the rule configuration
181 rule_setting.sec_grp_name = self.sec_grp_settings.name
182 new_rule = neutron_utils.create_security_group_rule(self._neutron,
184 self.__rules[rule_setting] = new_rule
185 self.sec_grp_settings.rule_settings.append(rule_setting)
187 def remove_rule(self, rule_id=None, rule_setting=None):
189 Removes a rule to this security group by id, name, or rule_setting
191 :param rule_id: the rule's id
192 :param rule_setting: the rule's setting object
194 rule_to_remove = None
195 if rule_id or rule_setting:
197 rule_to_remove = neutron_utils.get_rule_by_id(
198 self._neutron, self.__security_group, rule_id)
200 rule_to_remove = self.__rules.get(rule_setting)
203 neutron_utils.delete_security_group_rule(self._neutron,
205 rule_setting = self.__get_setting_from_rule(rule_to_remove)
207 self.__rules.pop(rule_setting)
209 logger.warning('Rule setting is None, cannot remove rule')
211 def __get_setting_from_rule(self, rule):
213 Returns the associated RuleSetting object for a given rule
214 :param rule: the Rule object
215 :return: the associated RuleSetting object or None
217 for rule_setting in self.sec_grp_settings.rule_settings:
218 if rule_setting.rule_eq(rule):
223 class SecurityGroupSettings(SecurityGroupConfig):
225 Class to hold the configuration settings required for creating OpenStack
226 SecurityGroup objects
227 deprecated - use snaps.config.security_group.SecurityGroupConfig instead
230 def __init__(self, **kwargs):
231 from warnings import warn
232 warn('Use snaps.config.security_group.SecurityGroupConfig instead',
234 super(self.__class__, self).__init__(**kwargs)
237 class Direction(enum.Enum):
240 deprecated - use snaps.config.security_group.Direction
246 class Protocol(enum.Enum):
249 deprecated - use snaps.config.security_group.Protocol
277 class Ethertype(enum.Enum):
280 deprecated - use snaps.config.security_group.Ethertype
286 class SecurityGroupRuleSettings(SecurityGroupRuleConfig):
288 Class to hold the configuration settings required for creating OpenStack
289 SecurityGroupRule objects
290 deprecated - use snaps.config.security_group.SecurityGroupRuleConfig
294 def __init__(self, **kwargs):
295 from warnings import warn
296 warn('Use snaps.config.security_group.SecurityGroupRuleConfig instead',
298 super(self.__class__, self).__init__(**kwargs)