vmware-nsx/neutron/plugins/nec/drivers/pfc.py
Daniel Gollub 9cff9c3aa0 Replace HTTPSConnection in NEC plugin
Replace HTTPSConnection in NEC plugin PFC driver with Requests.

SSL Verification is from now on enabled by default.

This changes the default behaviour and is the primary intention of this
change: verify SSL certificates.

This might break existing configuration/setups where the SSL certificate
used by the NEC PFC driver would not pass the verification.

SecurityImpact
DocImpact
Partial-Bug: 1188189

Change-Id: I1e5fdc9c2ed5b812aa6509d1639bd499acc5c337
2014-04-03 23:28:19 +09:00

375 lines
14 KiB
Python

# vim: tabstop=4 shiftwidth=4 softtabstop=4
#
# Copyright 2012 NEC Corporation. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# @author: Ryota MIBU
# @author: Akihiro MOTOKI
import re
import uuid
import netaddr
from neutron.api.v2 import attributes
from neutron.common import constants
from neutron.common import exceptions as qexc
from neutron.common import log as call_log
from neutron import manager
from neutron.plugins.nec.common import ofc_client
from neutron.plugins.nec.extensions import packetfilter as ext_pf
from neutron.plugins.nec import ofc_driver_base
class InvalidOFCIdFormat(qexc.NeutronException):
message = _("OFC %(resource)s ID has an invalid format: %(ofc_id)s")
class PFCDriverBase(ofc_driver_base.OFCDriverBase):
"""Base Class for PDC Drivers.
PFCDriverBase provides methods to handle PFC resources through REST API.
This uses ofc resource path instead of ofc resource ID.
The class implements the API for PFC V4.0 or later.
"""
router_supported = False
match_ofc_network_id = re.compile(
"^/tenants/(?P<tenant_id>[^/]+)/networks/(?P<network_id>[^/]+)$")
match_ofc_port_id = re.compile(
"^/tenants/(?P<tenant_id>[^/]+)/networks/(?P<network_id>[^/]+)"
"/ports/(?P<port_id>[^/]+)$")
def __init__(self, conf_ofc):
self.client = ofc_client.OFCClient(host=conf_ofc.host,
port=conf_ofc.port,
use_ssl=conf_ofc.use_ssl,
key_file=conf_ofc.key_file,
cert_file=conf_ofc.cert_file,
insecure_ssl=conf_ofc.insecure_ssl)
@classmethod
def filter_supported(cls):
return False
def _generate_pfc_str(self, raw_str):
"""Generate PFC acceptable String."""
return re.sub(r'[^0-9a-zA-Z]', '_', raw_str)
def _generate_pfc_id(self, id_str):
"""Generate ID on PFC.
Currently, PFC ID must be less than 32.
Shorten UUID string length from 36 to 31 by follows:
* delete UUID Version and hyphen (see RFC4122)
* ensure str length
"""
try:
# openstack.common.uuidutils.is_uuid_like() returns
# False for KeyStone tenant_id, so uuid.UUID is used
# directly here to accept tenant_id as UUID string
uuid_str = str(uuid.UUID(id_str)).replace('-', '')
uuid_no_version = uuid_str[:12] + uuid_str[13:]
return uuid_no_version[:31]
except Exception:
return self._generate_pfc_str(id_str)[:31]
def _generate_pfc_description(self, desc):
"""Generate Description on PFC.
Currently, PFC Description must be less than 128.
"""
return self._generate_pfc_str(desc)[:127]
def _extract_ofc_network_id(self, ofc_network_id):
match = self.match_ofc_network_id.match(ofc_network_id)
if match:
return match.group('network_id')
raise InvalidOFCIdFormat(resource='network', ofc_id=ofc_network_id)
def _extract_ofc_port_id(self, ofc_port_id):
match = self.match_ofc_port_id.match(ofc_port_id)
if match:
return {'tenant': match.group('tenant_id'),
'network': match.group('network_id'),
'port': match.group('port_id')}
raise InvalidOFCIdFormat(resource='port', ofc_id=ofc_port_id)
def create_tenant(self, description, tenant_id=None):
ofc_tenant_id = self._generate_pfc_id(tenant_id)
body = {'id': ofc_tenant_id}
self.client.post('/tenants', body=body)
return '/tenants/' + ofc_tenant_id
def delete_tenant(self, ofc_tenant_id):
return self.client.delete(ofc_tenant_id)
def create_network(self, ofc_tenant_id, description, network_id=None):
path = "%s/networks" % ofc_tenant_id
pfc_desc = self._generate_pfc_description(description)
body = {'description': pfc_desc}
res = self.client.post(path, body=body)
ofc_network_id = res['id']
return path + '/' + ofc_network_id
def delete_network(self, ofc_network_id):
return self.client.delete(ofc_network_id)
def create_port(self, ofc_network_id, portinfo,
port_id=None, filters=None):
path = "%s/ports" % ofc_network_id
body = {'datapath_id': portinfo.datapath_id,
'port': str(portinfo.port_no),
'vid': str(portinfo.vlan_id)}
if self.filter_supported() and filters:
body['filters'] = [self._extract_ofc_filter_id(pf[1])
for pf in filters]
res = self.client.post(path, body=body)
ofc_port_id = res['id']
return path + '/' + ofc_port_id
def delete_port(self, ofc_port_id):
return self.client.delete(ofc_port_id)
class PFCFilterDriverMixin(object):
"""PFC PacketFilter Driver Mixin."""
filters_path = "/filters"
filter_path = "/filters/%s"
# PFC specific constants
MIN_PRIORITY = 1
MAX_PRIORITY = 32766
CREATE_ONLY_FIELDS = ['action', 'priority']
PFC_ALLOW_ACTION = "pass"
PFC_DROP_ACTION = "drop"
match_ofc_filter_id = re.compile("^/filters/(?P<filter_id>[^/]+)$")
@classmethod
def filter_supported(cls):
return True
def _set_param(self, filter_dict, body, key, create, convert_to=None):
if key in filter_dict:
if filter_dict[key]:
if convert_to:
body[key] = convert_to(filter_dict[key])
else:
body[key] = filter_dict[key]
elif not create:
body[key] = ""
def _generate_body(self, filter_dict, apply_ports=None, create=True):
body = {}
if create:
# action : pass, drop (mandatory)
if filter_dict['action'].lower() in ext_pf.ALLOW_ACTIONS:
body['action'] = self.PFC_ALLOW_ACTION
else:
body['action'] = self.PFC_DROP_ACTION
# priority : mandatory
body['priority'] = filter_dict['priority']
for key in ['src_mac', 'dst_mac', 'src_port', 'dst_port']:
self._set_param(filter_dict, body, key, create)
for key in ['src_cidr', 'dst_cidr']:
# CIDR must contain netmask even if it is an address.
convert_to = lambda x: str(netaddr.IPNetwork(x))
self._set_param(filter_dict, body, key, create, convert_to)
# protocol : decimal (0-255)
if 'protocol' in filter_dict:
if (not filter_dict['protocol'] or
# In the case of ARP, ip_proto should be set to wildcard.
# eth_type is set during adding an entry to DB layer.
filter_dict['protocol'].lower() == ext_pf.PROTO_NAME_ARP):
if not create:
body['protocol'] = ""
elif filter_dict['protocol'].lower() == constants.PROTO_NAME_ICMP:
body['protocol'] = constants.PROTO_NUM_ICMP
elif filter_dict['protocol'].lower() == constants.PROTO_NAME_TCP:
body['protocol'] = constants.PROTO_NUM_TCP
elif filter_dict['protocol'].lower() == constants.PROTO_NAME_UDP:
body['protocol'] = constants.PROTO_NUM_UDP
else:
body['protocol'] = int(filter_dict['protocol'], 0)
# eth_type : hex (0x0-0xFFFF)
self._set_param(filter_dict, body, 'eth_type', create, hex)
# apply_ports
if apply_ports:
# each element of apply_ports is a tuple of (neutron_id, ofc_id),
body['apply_ports'] = []
for p in apply_ports:
try:
body['apply_ports'].append(self._extract_ofc_port_id(p[1]))
except InvalidOFCIdFormat:
pass
return body
def _validate_filter_common(self, filter_dict):
# Currently PFC support only IPv4 CIDR.
for field in ['src_cidr', 'dst_cidr']:
if (not filter_dict.get(field) or
filter_dict[field] == attributes.ATTR_NOT_SPECIFIED):
continue
net = netaddr.IPNetwork(filter_dict[field])
if net.version != 4:
raise ext_pf.PacketFilterIpVersionNonSupported(
version=net.version, field=field, value=filter_dict[field])
if ('priority' in filter_dict and
not (self.MIN_PRIORITY <= filter_dict['priority']
<= self.MAX_PRIORITY)):
raise ext_pf.PacketFilterInvalidPriority(
min=self.MIN_PRIORITY, max=self.MAX_PRIORITY)
def _validate_duplicate_priority(self, context, filter_dict):
plugin = manager.NeutronManager.get_plugin()
filters = {'network_id': [filter_dict['network_id']],
'priority': [filter_dict['priority']]}
ret = plugin.get_packet_filters(context, filters=filters,
fields=['id'])
if ret:
raise ext_pf.PacketFilterDuplicatedPriority(
priority=filter_dict['priority'])
def validate_filter_create(self, context, filter_dict):
self._validate_filter_common(filter_dict)
self._validate_duplicate_priority(context, filter_dict)
def validate_filter_update(self, context, filter_dict):
for field in self.CREATE_ONLY_FIELDS:
if field in filter_dict:
raise ext_pf.PacketFilterUpdateNotSupported(field=field)
self._validate_filter_common(filter_dict)
@call_log.log
def create_filter(self, ofc_network_id, filter_dict,
portinfo=None, filter_id=None, apply_ports=None):
body = self._generate_body(filter_dict, apply_ports, create=True)
res = self.client.post(self.filters_path, body=body)
# filter_id passed from a caller is not used.
# ofc_filter_id is generated by PFC because the prefix of
# filter_id has special meaning and it is internally used.
ofc_filter_id = res['id']
return self.filter_path % ofc_filter_id
@call_log.log
def update_filter(self, ofc_filter_id, filter_dict):
body = self._generate_body(filter_dict, create=False)
self.client.put(ofc_filter_id, body)
@call_log.log
def delete_filter(self, ofc_filter_id):
return self.client.delete(ofc_filter_id)
def _extract_ofc_filter_id(self, ofc_filter_id):
match = self.match_ofc_filter_id.match(ofc_filter_id)
if match:
return match.group('filter_id')
raise InvalidOFCIdFormat(resource='filter', ofc_id=ofc_filter_id)
def convert_ofc_filter_id(self, context, ofc_filter_id):
# PFC Packet Filter is supported after the format of mapping tables
# are changed, so it is enough just to return ofc_filter_id
return ofc_filter_id
class PFCRouterDriverMixin(object):
router_supported = True
router_nat_supported = False
def create_router(self, ofc_tenant_id, router_id, description):
path = '%s/routers' % ofc_tenant_id
res = self.client.post(path, body=None)
ofc_router_id = res['id']
return path + '/' + ofc_router_id
def delete_router(self, ofc_router_id):
return self.client.delete(ofc_router_id)
def add_router_interface(self, ofc_router_id, ofc_net_id,
ip_address=None, mac_address=None):
# ip_address : <ip_address>/<netmask> (e.g., 10.0.0.0/24)
path = '%s/interfaces' % ofc_router_id
body = {'net_id': self._extract_ofc_network_id(ofc_net_id)}
if ip_address:
body['ip_address'] = ip_address
if mac_address:
body['mac_address'] = mac_address
res = self.client.post(path, body=body)
return path + '/' + res['id']
def update_router_interface(self, ofc_router_inf_id,
ip_address=None, mac_address=None):
# ip_address : <ip_address>/<netmask> (e.g., 10.0.0.0/24)
if not ip_address and not mac_address:
return
body = {}
if ip_address:
body['ip_address'] = ip_address
if mac_address:
body['mac_address'] = mac_address
return self.client.put(ofc_router_inf_id, body=body)
def delete_router_interface(self, ofc_router_inf_id):
return self.client.delete(ofc_router_inf_id)
def list_router_routes(self, ofc_router_id):
path = '%s/routes' % ofc_router_id
ret = self.client.get(path)
# Prepend ofc_router_id to route_id
for r in ret['routes']:
r['id'] = ofc_router_id + '/routes/' + r['id']
return ret['routes']
def add_router_route(self, ofc_router_id, destination, nexthop):
path = '%s/routes' % ofc_router_id
body = {'destination': destination,
'nexthop': nexthop}
ret = self.client.post(path, body=body)
return path + '/' + ret['id']
def delete_router_route(self, ofc_router_route_id):
return self.client.delete(ofc_router_route_id)
class PFCV3Driver(PFCDriverBase):
def create_tenant(self, description, tenant_id):
ofc_tenant_id = self._generate_pfc_id(tenant_id)
return "/tenants/" + ofc_tenant_id
def delete_tenant(self, ofc_tenant_id):
pass
class PFCV4Driver(PFCDriverBase):
pass
class PFCV5Driver(PFCRouterDriverMixin, PFCDriverBase):
pass
class PFCV51Driver(PFCFilterDriverMixin, PFCV5Driver):
pass