9c41d7c392
If the firewall rules are not shared and if they belong to different tenants, then admin should not be able to create a policy using these rules and he should not be able to insert such rules into policies. An exception should be raised in such case. Added new exception “FirewallRuleConflict” to handle such conditions. Co-Authored-By: Koteswara Rao Kelam<koteswara.kelam@hp.com> Change-Id: I984eb76069bd1493a77bf523bec2bd81abb14abb Closes-bug: 1327057
471 lines
17 KiB
Python
471 lines
17 KiB
Python
# Copyright 2013 Big Switch Networks, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import abc
|
|
|
|
from oslo.config import cfg
|
|
import six
|
|
|
|
from neutron.api import extensions
|
|
from neutron.api.v2 import attributes as attr
|
|
from neutron.api.v2 import resource_helper
|
|
from neutron.common import exceptions as qexception
|
|
from neutron.openstack.common import log as logging
|
|
from neutron.plugins.common import constants
|
|
from neutron.services import service_base
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
# Firewall Exceptions
|
|
class FirewallNotFound(qexception.NotFound):
|
|
message = _("Firewall %(firewall_id)s could not be found.")
|
|
|
|
|
|
class FirewallInUse(qexception.InUse):
|
|
message = _("Firewall %(firewall_id)s is still active.")
|
|
|
|
|
|
class FirewallInPendingState(qexception.Conflict):
|
|
message = _("Operation cannot be performed since associated Firewall "
|
|
"%(firewall_id)s is in %(pending_state)s.")
|
|
|
|
|
|
class FirewallPolicyNotFound(qexception.NotFound):
|
|
message = _("Firewall Policy %(firewall_policy_id)s could not be found.")
|
|
|
|
|
|
class FirewallPolicyInUse(qexception.InUse):
|
|
message = _("Firewall Policy %(firewall_policy_id)s is being used.")
|
|
|
|
|
|
class FirewallRuleSharingConflict(qexception.Conflict):
|
|
|
|
"""FWaaS exception for firewall rules
|
|
|
|
When a shared policy is created or updated with unshared rules,
|
|
this exception will be raised.
|
|
"""
|
|
message = _("Operation cannot be performed since Firewall Policy "
|
|
"%(firewall_policy_id)s is shared but Firewall Rule "
|
|
"%(firewall_rule_id)s is not shared")
|
|
|
|
|
|
class FirewallPolicySharingConflict(qexception.Conflict):
|
|
|
|
"""FWaaS exception for firewall policy
|
|
|
|
When a policy is shared without sharing its associated rules,
|
|
this exception will be raised.
|
|
"""
|
|
message = _("Operation cannot be performed. Before sharing Firewall "
|
|
"Policy %(firewall_policy_id)s, share associated Firewall "
|
|
"Rule %(firewall_rule_id)s")
|
|
|
|
|
|
class FirewallRuleNotFound(qexception.NotFound):
|
|
message = _("Firewall Rule %(firewall_rule_id)s could not be found.")
|
|
|
|
|
|
class FirewallRuleInUse(qexception.InUse):
|
|
message = _("Firewall Rule %(firewall_rule_id)s is being used.")
|
|
|
|
|
|
class FirewallRuleNotAssociatedWithPolicy(qexception.InvalidInput):
|
|
message = _("Firewall Rule %(firewall_rule_id)s is not associated "
|
|
" with Firewall Policy %(firewall_policy_id)s.")
|
|
|
|
|
|
class FirewallRuleInvalidProtocol(qexception.InvalidInput):
|
|
message = _("Firewall Rule protocol %(protocol)s is not supported. "
|
|
"Only protocol values %(values)s and their integer "
|
|
"representation (0 to 255) are supported.")
|
|
|
|
|
|
class FirewallRuleInvalidAction(qexception.InvalidInput):
|
|
message = _("Firewall rule action %(action)s is not supported. "
|
|
"Only action values %(values)s are supported.")
|
|
|
|
|
|
class FirewallRuleInvalidICMPParameter(qexception.InvalidInput):
|
|
message = _("%(param)s are not allowed when protocol "
|
|
"is set to ICMP.")
|
|
|
|
|
|
class FirewallRuleWithPortWithoutProtocolInvalid(qexception.InvalidInput):
|
|
message = _("Source/destination port requires a protocol")
|
|
|
|
|
|
class FirewallInvalidPortValue(qexception.InvalidInput):
|
|
message = _("Invalid value for port %(port)s.")
|
|
|
|
|
|
class FirewallRuleInfoMissing(qexception.InvalidInput):
|
|
message = _("Missing rule info argument for insert/remove "
|
|
"rule operation.")
|
|
|
|
|
|
class FirewallInternalDriverError(qexception.NeutronException):
|
|
"""Fwaas exception for all driver errors.
|
|
|
|
On any failure or exception in the driver, driver should log it and
|
|
raise this exception to the agent
|
|
"""
|
|
message = _("%(driver)s: Internal driver error.")
|
|
|
|
|
|
class FirewallRuleConflict(qexception.Conflict):
|
|
|
|
"""Firewall rule conflict exception.
|
|
|
|
Occurs when admin policy tries to use another tenant's unshared
|
|
rule.
|
|
"""
|
|
|
|
message = _("Operation cannot be performed since Firewall Rule "
|
|
"%(firewall_rule_id)s is not shared and belongs to "
|
|
"another tenant %(tenant_id)s")
|
|
|
|
|
|
fw_valid_protocol_values = [None, constants.TCP, constants.UDP, constants.ICMP]
|
|
fw_valid_action_values = [constants.FWAAS_ALLOW, constants.FWAAS_DENY]
|
|
|
|
|
|
def convert_protocol(value):
|
|
if value is None:
|
|
return
|
|
if value.isdigit():
|
|
val = int(value)
|
|
if 0 <= val <= 255:
|
|
return val
|
|
else:
|
|
raise FirewallRuleInvalidProtocol(protocol=value,
|
|
values=
|
|
fw_valid_protocol_values)
|
|
elif value.lower() in fw_valid_protocol_values:
|
|
return value.lower()
|
|
else:
|
|
raise FirewallRuleInvalidProtocol(protocol=value,
|
|
values=
|
|
fw_valid_protocol_values)
|
|
|
|
|
|
def convert_action_to_case_insensitive(value):
|
|
if value is None:
|
|
return
|
|
else:
|
|
return value.lower()
|
|
|
|
|
|
def convert_port_to_string(value):
|
|
if value is None:
|
|
return
|
|
else:
|
|
return str(value)
|
|
|
|
|
|
def _validate_port_range(data, key_specs=None):
|
|
if data is None:
|
|
return
|
|
data = str(data)
|
|
ports = data.split(':')
|
|
for p in ports:
|
|
try:
|
|
val = int(p)
|
|
except (ValueError, TypeError):
|
|
msg = _("Port '%s' is not a valid number") % p
|
|
LOG.debug(msg)
|
|
return msg
|
|
if val <= 0 or val > 65535:
|
|
msg = _("Invalid port '%s'") % p
|
|
LOG.debug(msg)
|
|
return msg
|
|
|
|
|
|
def _validate_ip_or_subnet_or_none(data, valid_values=None):
|
|
if data is None:
|
|
return None
|
|
msg_ip = attr._validate_ip_address(data, valid_values)
|
|
if not msg_ip:
|
|
return
|
|
msg_subnet = attr._validate_subnet(data, valid_values)
|
|
if not msg_subnet:
|
|
return
|
|
return _("%(msg_ip)s and %(msg_subnet)s") % {'msg_ip': msg_ip,
|
|
'msg_subnet': msg_subnet}
|
|
|
|
|
|
attr.validators['type:port_range'] = _validate_port_range
|
|
attr.validators['type:ip_or_subnet_or_none'] = _validate_ip_or_subnet_or_none
|
|
|
|
|
|
RESOURCE_ATTRIBUTE_MAP = {
|
|
'firewall_rules': {
|
|
'id': {'allow_post': False, 'allow_put': False,
|
|
'validate': {'type:uuid': None},
|
|
'is_visible': True, 'primary_key': True},
|
|
'tenant_id': {'allow_post': True, 'allow_put': False,
|
|
'required_by_policy': True,
|
|
'is_visible': True},
|
|
'name': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:string': None},
|
|
'is_visible': True, 'default': ''},
|
|
'description': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:string': None},
|
|
'is_visible': True, 'default': ''},
|
|
'firewall_policy_id': {'allow_post': False, 'allow_put': False,
|
|
'validate': {'type:uuid_or_none': None},
|
|
'is_visible': True},
|
|
'shared': {'allow_post': True, 'allow_put': True,
|
|
'default': False, 'convert_to': attr.convert_to_boolean,
|
|
'is_visible': True, 'required_by_policy': True,
|
|
'enforce_policy': True},
|
|
'protocol': {'allow_post': True, 'allow_put': True,
|
|
'is_visible': True, 'default': None,
|
|
'convert_to': convert_protocol,
|
|
'validate': {'type:values': fw_valid_protocol_values}},
|
|
'ip_version': {'allow_post': True, 'allow_put': True,
|
|
'default': 4, 'convert_to': attr.convert_to_int,
|
|
'validate': {'type:values': [4, 6]},
|
|
'is_visible': True},
|
|
'source_ip_address': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:ip_or_subnet_or_none': None},
|
|
'is_visible': True, 'default': None},
|
|
'destination_ip_address': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:ip_or_subnet_or_none':
|
|
None},
|
|
'is_visible': True, 'default': None},
|
|
'source_port': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:port_range': None},
|
|
'convert_to': convert_port_to_string,
|
|
'default': None, 'is_visible': True},
|
|
'destination_port': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:port_range': None},
|
|
'convert_to': convert_port_to_string,
|
|
'default': None, 'is_visible': True},
|
|
'position': {'allow_post': False, 'allow_put': False,
|
|
'default': None, 'is_visible': True},
|
|
'action': {'allow_post': True, 'allow_put': True,
|
|
'convert_to': convert_action_to_case_insensitive,
|
|
'validate': {'type:values': fw_valid_action_values},
|
|
'is_visible': True, 'default': 'deny'},
|
|
'enabled': {'allow_post': True, 'allow_put': True,
|
|
'default': True, 'convert_to': attr.convert_to_boolean,
|
|
'is_visible': True},
|
|
},
|
|
'firewall_policies': {
|
|
'id': {'allow_post': False, 'allow_put': False,
|
|
'validate': {'type:uuid': None},
|
|
'is_visible': True,
|
|
'primary_key': True},
|
|
'tenant_id': {'allow_post': True, 'allow_put': False,
|
|
'required_by_policy': True,
|
|
'is_visible': True},
|
|
'name': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:string': None},
|
|
'is_visible': True, 'default': ''},
|
|
'description': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:string': None},
|
|
'is_visible': True, 'default': ''},
|
|
'shared': {'allow_post': True, 'allow_put': True,
|
|
'default': False, 'convert_to': attr.convert_to_boolean,
|
|
'is_visible': True, 'required_by_policy': True,
|
|
'enforce_policy': True},
|
|
'firewall_rules': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:uuid_list': None},
|
|
'convert_to': attr.convert_none_to_empty_list,
|
|
'default': None, 'is_visible': True},
|
|
'audited': {'allow_post': True, 'allow_put': True,
|
|
'default': False, 'convert_to': attr.convert_to_boolean,
|
|
'is_visible': True},
|
|
},
|
|
'firewalls': {
|
|
'id': {'allow_post': False, 'allow_put': False,
|
|
'validate': {'type:uuid': None},
|
|
'is_visible': True,
|
|
'primary_key': True},
|
|
'tenant_id': {'allow_post': True, 'allow_put': False,
|
|
'required_by_policy': True,
|
|
'is_visible': True},
|
|
'name': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:string': None},
|
|
'is_visible': True, 'default': ''},
|
|
'description': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:string': None},
|
|
'is_visible': True, 'default': ''},
|
|
'admin_state_up': {'allow_post': True, 'allow_put': True,
|
|
'default': True,
|
|
'convert_to': attr.convert_to_boolean,
|
|
'is_visible': True},
|
|
'status': {'allow_post': False, 'allow_put': False,
|
|
'is_visible': True},
|
|
'shared': {'allow_post': True, 'allow_put': True,
|
|
'default': False, 'convert_to': attr.convert_to_boolean,
|
|
'is_visible': False, 'required_by_policy': True,
|
|
'enforce_policy': True},
|
|
'firewall_policy_id': {'allow_post': True, 'allow_put': True,
|
|
'validate': {'type:uuid_or_none': None},
|
|
'is_visible': True},
|
|
},
|
|
}
|
|
|
|
firewall_quota_opts = [
|
|
cfg.IntOpt('quota_firewall',
|
|
default=1,
|
|
help=_('Number of firewalls allowed per tenant. '
|
|
'A negative value means unlimited.')),
|
|
cfg.IntOpt('quota_firewall_policy',
|
|
default=1,
|
|
help=_('Number of firewall policies allowed per tenant. '
|
|
'A negative value means unlimited.')),
|
|
cfg.IntOpt('quota_firewall_rule',
|
|
default=100,
|
|
help=_('Number of firewall rules allowed per tenant. '
|
|
'A negative value means unlimited.')),
|
|
]
|
|
cfg.CONF.register_opts(firewall_quota_opts, 'QUOTAS')
|
|
|
|
|
|
class Firewall(extensions.ExtensionDescriptor):
|
|
|
|
@classmethod
|
|
def get_name(cls):
|
|
return "Firewall service"
|
|
|
|
@classmethod
|
|
def get_alias(cls):
|
|
return "fwaas"
|
|
|
|
@classmethod
|
|
def get_description(cls):
|
|
return "Extension for Firewall service"
|
|
|
|
@classmethod
|
|
def get_namespace(cls):
|
|
return "http://wiki.openstack.org/Neutron/FWaaS/API_1.0"
|
|
|
|
@classmethod
|
|
def get_updated(cls):
|
|
return "2013-02-25T10:00:00-00:00"
|
|
|
|
@classmethod
|
|
def get_resources(cls):
|
|
special_mappings = {'firewall_policies': 'firewall_policy'}
|
|
plural_mappings = resource_helper.build_plural_mappings(
|
|
special_mappings, RESOURCE_ATTRIBUTE_MAP)
|
|
attr.PLURALS.update(plural_mappings)
|
|
action_map = {'firewall_policy': {'insert_rule': 'PUT',
|
|
'remove_rule': 'PUT'}}
|
|
return resource_helper.build_resource_info(plural_mappings,
|
|
RESOURCE_ATTRIBUTE_MAP,
|
|
constants.FIREWALL,
|
|
action_map=action_map)
|
|
|
|
@classmethod
|
|
def get_plugin_interface(cls):
|
|
return FirewallPluginBase
|
|
|
|
def update_attributes_map(self, attributes):
|
|
super(Firewall, self).update_attributes_map(
|
|
attributes, extension_attrs_map=RESOURCE_ATTRIBUTE_MAP)
|
|
|
|
def get_extended_resources(self, version):
|
|
if version == "2.0":
|
|
return RESOURCE_ATTRIBUTE_MAP
|
|
else:
|
|
return {}
|
|
|
|
|
|
@six.add_metaclass(abc.ABCMeta)
|
|
class FirewallPluginBase(service_base.ServicePluginBase):
|
|
|
|
def get_plugin_name(self):
|
|
return constants.FIREWALL
|
|
|
|
def get_plugin_type(self):
|
|
return constants.FIREWALL
|
|
|
|
def get_plugin_description(self):
|
|
return 'Firewall service plugin'
|
|
|
|
@abc.abstractmethod
|
|
def get_firewalls(self, context, filters=None, fields=None):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def get_firewall(self, context, id, fields=None):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def create_firewall(self, context, firewall):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def update_firewall(self, context, id, firewall):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def delete_firewall(self, context, id):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def get_firewall_rules(self, context, filters=None, fields=None):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def get_firewall_rule(self, context, id, fields=None):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def create_firewall_rule(self, context, firewall_rule):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def update_firewall_rule(self, context, id, firewall_rule):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def delete_firewall_rule(self, context, id):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def get_firewall_policy(self, context, id, fields=None):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def get_firewall_policies(self, context, filters=None, fields=None):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def create_firewall_policy(self, context, firewall_policy):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def update_firewall_policy(self, context, id, firewall_policy):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def delete_firewall_policy(self, context, id):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def insert_rule(self, context, id, rule_info):
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def remove_rule(self, context, id, rule_info):
|
|
pass
|