api: fix ipv6 firewall apis default role permissions (#6579)

Fixes #6575

* fixes ipv6 firewall apis default role permissions
* test: use user apiclient for ipv6 firewall apis

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
This commit is contained in:
Abhishek Kumar 2022-07-31 16:49:29 +05:30 committed by GitHub
parent b62f59ac95
commit 9a264c1369
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 49 additions and 30 deletions


@ -43,7 +43,12 @@ import com.cloud.network.rules.FirewallRule;
import com.cloud.user.Account; import com.cloud.user.Account;
import com.cloud.utils.net.NetUtils; import com.cloud.utils.net.NetUtils;
@APICommand(name = CreateIpv6FirewallRuleCmd.APINAME, description = "Creates an Ipv6 firewall rule in the given network (the network has to belong to VPC)", responseObject = FirewallRuleResponse.class, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) @APICommand(name = CreateIpv6FirewallRuleCmd.APINAME,
description = "Creates an Ipv6 firewall rule in the given network (the network has to belong to VPC)",
responseObject = FirewallRuleResponse.class,
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false,
authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
public class CreateIpv6FirewallRuleCmd extends BaseAsyncCreateCmd { public class CreateIpv6FirewallRuleCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateIpv6FirewallRuleCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(CreateIpv6FirewallRuleCmd.class.getName());
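Review bot: Adding `RoleType.User` to `authorized` on CreateIpv6FirewallRuleCmd (and likewise on the Delete, List and Update commands in the next three sections) opens these APIs from admin roles to every tenant user, so the per-request ownership checks now carry the whole isolation burden; those checks (`getEntityOwnerId` and the network/rule access validation in the command bodies) are outside these hunks and should be confirmed to reject networks and rule ids the caller's account does not own, and for the List command to scope its results to the caller. The `authorized` array itself is consistent: the same four-role set is used on all four commands and the annotation is now laid out one attribute per line in each file. Only the Delete section adds `import org.apache.cloudstack.acl.RoleType;`; the Create, List and Update hunks begin below the import block, so the import is presumably already present there, but that is worth confirming rather than assuming. A one-line comment above each annotation, `// Tenant-facing API: network/rule ownership is enforced by the command's entity checks, not by the role list`, would make the intent visible to the next reader.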


@ -16,6 +16,7 @@
// under the License. // under the License.
package org.apache.cloudstack.api.command.user.ipv6; package org.apache.cloudstack.api.command.user.ipv6;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandResourceType; import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiConstants;
@ -33,8 +34,12 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.FirewallRule;
import com.cloud.user.Account; import com.cloud.user.Account;
@APICommand(name = DeleteIpv6FirewallRuleCmd.APINAME, description = "Deletes a IPv6 firewall rule", responseObject = SuccessResponse.class, @APICommand(name = DeleteIpv6FirewallRuleCmd.APINAME,
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) description = "Deletes a IPv6 firewall rule",
responseObject = SuccessResponse.class,
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false,
authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
public class DeleteIpv6FirewallRuleCmd extends BaseAsyncCmd { public class DeleteIpv6FirewallRuleCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteIpv6FirewallRuleCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(DeleteIpv6FirewallRuleCmd.class.getName());
public static final String APINAME = "deleteIpv6FirewallRule"; public static final String APINAME = "deleteIpv6FirewallRule";


@ -34,8 +34,12 @@ import org.apache.log4j.Logger;
import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.FirewallRule;
import com.cloud.utils.Pair; import com.cloud.utils.Pair;
@APICommand(name = ListIpv6FirewallRulesCmd.APINAME, description = "Lists all IPv6 firewall rules", responseObject = FirewallRuleResponse.class, @APICommand(name = ListIpv6FirewallRulesCmd.APINAME,
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) description = "Lists all IPv6 firewall rules",
responseObject = FirewallRuleResponse.class,
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false,
authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
public class ListIpv6FirewallRulesCmd extends BaseListTaggedResourcesCmd implements IListFirewallRulesCmd { public class ListIpv6FirewallRulesCmd extends BaseListTaggedResourcesCmd implements IListFirewallRulesCmd {
public static final Logger s_logger = Logger.getLogger(ListIpv6FirewallRulesCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(ListIpv6FirewallRulesCmd.class.getName());


@ -34,7 +34,12 @@ import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.FirewallRule;
import com.cloud.user.Account; import com.cloud.user.Account;
@APICommand(name = UpdateIpv6FirewallRuleCmd.APINAME, description = "Updates Ipv6 firewall rule with specified ID", responseObject = FirewallRuleResponse.class, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) @APICommand(name = UpdateIpv6FirewallRuleCmd.APINAME,
description = "Updates Ipv6 firewall rule with specified ID",
responseObject = FirewallRuleResponse.class,
requestHasSensitiveInfo = false,
responseHasSensitiveInfo = false,
authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
public class UpdateIpv6FirewallRuleCmd extends BaseAsyncCustomIdCmd { public class UpdateIpv6FirewallRuleCmd extends BaseAsyncCustomIdCmd {
public static final Logger s_logger = Logger.getLogger(UpdateIpv6FirewallRuleCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(UpdateIpv6FirewallRuleCmd.class.getName());


@ -209,6 +209,10 @@ class TestIpv6Network(cloudstackTestCase):
def setUp(self): def setUp(self):
self.services = self.testClient.getParsedTestDataConfig() self.services = self.testClient.getParsedTestDataConfig()
self.apiclient = self.testClient.getApiClient() self.apiclient = self.testClient.getApiClient()
self.userapiclient = self.testClient.getUserApiClient(
UserName=self.account.name,
DomainName=self.account.domain
)
self.dbclient = self.testClient.getDbConnection() self.dbclient = self.testClient.getDbConnection()
self.thread = None self.thread = None
self.cleanup = [] self.cleanup = []
@ -266,10 +270,8 @@ class TestIpv6Network(cloudstackTestCase):
def deployNetwork(self): def deployNetwork(self):
self.services["network"]["networkoffering"] = self.network_offering.id self.services["network"]["networkoffering"] = self.network_offering.id
self.network = Network.create( self.network = Network.create(
self.apiclient, self.userapiclient,
self.services["network"], self.services["network"],
self.account.name,
self.account.domainid,
zoneid=self.zone.id zoneid=self.zone.id
) )
self.cleanup.append(self.network) self.cleanup.append(self.network)
@ -279,11 +281,9 @@ class TestIpv6Network(cloudstackTestCase):
assert False, "get_test_template() failed to return template" assert False, "get_test_template() failed to return template"
self.services["virtual_machine"]["zoneid"] = self.zone.id self.services["virtual_machine"]["zoneid"] = self.zone.id
self.virtual_machine = VirtualMachine.create( self.virtual_machine = VirtualMachine.create(
self.apiclient, self.userapiclient,
self.services["virtual_machine"], self.services["virtual_machine"],
templateid=self.template.id, templateid=self.template.id,
accountid=self.account.name,
domainid=self.account.domainid,
networkids=self.network.id, networkids=self.network.id,
serviceofferingid=self.service_offering.id serviceofferingid=self.service_offering.id
) )
@ -541,11 +541,11 @@ class TestIpv6Network(cloudstackTestCase):
"IPv6 gateway for VM %s NIC is empty" % nic.traffictype) "IPv6 gateway for VM %s NIC is empty" % nic.traffictype)
def restartNetworkWithCleanup(self): def restartNetworkWithCleanup(self):
self.network.restart(self.apiclient, cleanup=True) self.network.restart(self.userapiclient, cleanup=True)
time.sleep(SLEEP_BEFORE_VR_CHANGES) time.sleep(SLEEP_BEFORE_VR_CHANGES)
def updateNetworkWithOffering(self): def updateNetworkWithOffering(self):
self.network.update(self.apiclient, networkofferingid=self.network_offering_update.id) self.network.update(self.userapiclient, networkofferingid=self.network_offering_update.id)
time.sleep(SLEEP_BEFORE_VR_CHANGES) time.sleep(SLEEP_BEFORE_VR_CHANGES)
def createIpv6FirewallRuleInNetwork(self, network_id, traffic_type, source_cidr, dest_cidr, protocol, def createIpv6FirewallRuleInNetwork(self, network_id, traffic_type, source_cidr, dest_cidr, protocol,
@ -567,7 +567,7 @@ class TestIpv6Network(cloudstackTestCase):
cmd.icmptype = icmp_type cmd.icmptype = icmp_type
if icmp_code is not None: if icmp_code is not None:
cmd.icmpcode = icmp_code cmd.icmpcode = icmp_code
fw_rule = self.apiclient.createIpv6FirewallRule(cmd) fw_rule = self.userapiclient.createIpv6FirewallRule(cmd)
return fw_rule return fw_rule
def deployRoutingTestResources(self): def deployRoutingTestResources(self):
@ -655,7 +655,7 @@ class TestIpv6Network(cloudstackTestCase):
cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd() cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd()
cmd.id = fw2.id cmd.id = fw2.id
self.apiclient.deleteIpv6FirewallRule(cmd) self.userapiclient.deleteIpv6FirewallRule(cmd)
def createAndVerifyIpv6FirewallRule(self, traffic_type, source_cidr, dest_cidr, protocol, def createAndVerifyIpv6FirewallRule(self, traffic_type, source_cidr, dest_cidr, protocol,
start_port, end_port, icmp_type, icmp_code, parsed_rule, delete=False): start_port, end_port, icmp_type, icmp_code, parsed_rule, delete=False):
@ -664,7 +664,7 @@ class TestIpv6Network(cloudstackTestCase):
start_port, end_port, icmp_type, icmp_code) start_port, end_port, icmp_type, icmp_code)
cmd = listIpv6FirewallRules.listIpv6FirewallRulesCmd() cmd = listIpv6FirewallRules.listIpv6FirewallRulesCmd()
cmd.id = fw_rule.id cmd.id = fw_rule.id
rules = self.apiclient.listIpv6FirewallRules(cmd) rules = self.userapiclient.listIpv6FirewallRules(cmd)
self.assertTrue( self.assertTrue(
isinstance(rules, list), isinstance(rules, list),
"Check listIpv6FirewallRules response returns a valid list" "Check listIpv6FirewallRules response returns a valid list"
@ -702,7 +702,7 @@ class TestIpv6Network(cloudstackTestCase):
if delete == True: if delete == True:
cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd() cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd()
cmd.id = fw_rule.id cmd.id = fw_rule.id
self.apiclient.deleteIpv6FirewallRule(cmd) self.userapiclient.deleteIpv6FirewallRule(cmd)
res = self.getRouterProcessStatus(self.getNetworkRouter(self.network), routerCmd) res = self.getRouterProcessStatus(self.getNetworkRouter(self.network), routerCmd)
self.assertFalse(parsed_rule in res, self.assertFalse(parsed_rule in res,
"Firewall rule present in nft list chain failure despite delete for rule: %s" % parsed_rule) "Firewall rule present in nft list chain failure despite delete for rule: %s" % parsed_rule)
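Review bot: The new `self.userapiclient` at the top of setUp is built from `self.account.name` and `self.account.domain`, which requires `self.account` to already exist at that point; where it is created is not in the hunk, so if it is set up per-class this is fine, but if it is created later in setUp the client would be built against a missing attribute. Moving the network, VM and firewall-rule create/list/delete calls to `self.userapiclient` exercises the positive path for the User role, but nothing here asserts the negative path — a user client for a different account should be unable to list or delete these rules — which is the check that shows the widened `authorized` set does not leak rules across tenants. Dropping the explicit `self.account.name`/`self.account.domainid` arguments from `Network.create` and `VirtualMachine.create` presumably relies on the user client carrying the account context; worth confirming the resources still land in the intended account so cleanup works. The same hunks appear again in the second test file section below and the same points apply there.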


@ -209,6 +209,10 @@ class TestIpv6Network(cloudstackTestCase):
def setUp(self): def setUp(self):
self.services = self.testClient.getParsedTestDataConfig() self.services = self.testClient.getParsedTestDataConfig()
self.apiclient = self.testClient.getApiClient() self.apiclient = self.testClient.getApiClient()
self.userapiclient = self.testClient.getUserApiClient(
UserName=self.account.name,
DomainName=self.account.domain
)
self.dbclient = self.testClient.getDbConnection() self.dbclient = self.testClient.getDbConnection()
self.thread = None self.thread = None
self.cleanup = [] self.cleanup = []
@ -266,10 +270,8 @@ class TestIpv6Network(cloudstackTestCase):
def deployNetwork(self): def deployNetwork(self):
self.services["network"]["networkoffering"] = self.network_offering.id self.services["network"]["networkoffering"] = self.network_offering.id
self.network = Network.create( self.network = Network.create(
self.apiclient, self.userapiclient,
self.services["network"], self.services["network"],
self.account.name,
self.account.domainid,
zoneid=self.zone.id zoneid=self.zone.id
) )
self.cleanup.append(self.network) self.cleanup.append(self.network)
@ -279,11 +281,9 @@ class TestIpv6Network(cloudstackTestCase):
assert False, "get_test_template() failed to return template" assert False, "get_test_template() failed to return template"
self.services["virtual_machine"]["zoneid"] = self.zone.id self.services["virtual_machine"]["zoneid"] = self.zone.id
self.virtual_machine = VirtualMachine.create( self.virtual_machine = VirtualMachine.create(
self.apiclient, self.userapiclient,
self.services["virtual_machine"], self.services["virtual_machine"],
templateid=self.template.id, templateid=self.template.id,
accountid=self.account.name,
domainid=self.account.domainid,
networkids=self.network.id, networkids=self.network.id,
serviceofferingid=self.service_offering.id serviceofferingid=self.service_offering.id
) )
@ -541,11 +541,11 @@ class TestIpv6Network(cloudstackTestCase):
"IPv6 gateway for VM %s NIC is empty" % nic.traffictype) "IPv6 gateway for VM %s NIC is empty" % nic.traffictype)
def restartNetworkWithCleanup(self): def restartNetworkWithCleanup(self):
self.network.restart(self.apiclient, cleanup=True) self.network.restart(self.userapiclient, cleanup=True)
time.sleep(SLEEP_BEFORE_VR_CHANGES) time.sleep(SLEEP_BEFORE_VR_CHANGES)
def updateNetworkWithOffering(self): def updateNetworkWithOffering(self):
self.network.update(self.apiclient, networkofferingid=self.network_offering_update.id) self.network.update(self.userapiclient, networkofferingid=self.network_offering_update.id)
time.sleep(SLEEP_BEFORE_VR_CHANGES) time.sleep(SLEEP_BEFORE_VR_CHANGES)
def createIpv6FirewallRuleInNetwork(self, network_id, traffic_type, source_cidr, dest_cidr, protocol, def createIpv6FirewallRuleInNetwork(self, network_id, traffic_type, source_cidr, dest_cidr, protocol,
@ -567,7 +567,7 @@ class TestIpv6Network(cloudstackTestCase):
cmd.icmptype = icmp_type cmd.icmptype = icmp_type
if icmp_code is not None: if icmp_code is not None:
cmd.icmpcode = icmp_code cmd.icmpcode = icmp_code
fw_rule = self.apiclient.createIpv6FirewallRule(cmd) fw_rule = self.userapiclient.createIpv6FirewallRule(cmd)
return fw_rule return fw_rule
def deployRoutingTestResources(self): def deployRoutingTestResources(self):
@ -655,7 +655,7 @@ class TestIpv6Network(cloudstackTestCase):
cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd() cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd()
cmd.id = fw2.id cmd.id = fw2.id
self.apiclient.deleteIpv6FirewallRule(cmd) self.userapiclient.deleteIpv6FirewallRule(cmd)
def createAndVerifyIpv6FirewallRule(self, traffic_type, source_cidr, dest_cidr, protocol, def createAndVerifyIpv6FirewallRule(self, traffic_type, source_cidr, dest_cidr, protocol,
start_port, end_port, icmp_type, icmp_code, parsed_rule, delete=False): start_port, end_port, icmp_type, icmp_code, parsed_rule, delete=False):
@ -664,7 +664,7 @@ class TestIpv6Network(cloudstackTestCase):
start_port, end_port, icmp_type, icmp_code) start_port, end_port, icmp_type, icmp_code)
cmd = listIpv6FirewallRules.listIpv6FirewallRulesCmd() cmd = listIpv6FirewallRules.listIpv6FirewallRulesCmd()
cmd.id = fw_rule.id cmd.id = fw_rule.id
rules = self.apiclient.listIpv6FirewallRules(cmd) rules = self.userapiclient.listIpv6FirewallRules(cmd)
self.assertTrue( self.assertTrue(
isinstance(rules, list), isinstance(rules, list),
"Check listIpv6FirewallRules response returns a valid list" "Check listIpv6FirewallRules response returns a valid list"
@ -702,7 +702,7 @@ class TestIpv6Network(cloudstackTestCase):
if delete == True: if delete == True:
cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd() cmd = deleteIpv6FirewallRule.deleteIpv6FirewallRuleCmd()
cmd.id = fw_rule.id cmd.id = fw_rule.id
self.apiclient.deleteIpv6FirewallRule(cmd) self.userapiclient.deleteIpv6FirewallRule(cmd)
res = self.getRouterProcessStatus(self.getNetworkRouter(self.network), routerCmd) res = self.getRouterProcessStatus(self.getNetworkRouter(self.network), routerCmd)
self.assertFalse(parsed_rule in res, self.assertFalse(parsed_rule in res,
"Firewall rule present in nft list chain failure despite delete for rule: %s" % parsed_rule) "Firewall rule present in nft list chain failure despite delete for rule: %s" % parsed_rule)