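Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do

  # Shared model lifecycle checks from the fog test harness (presumably
  # create/get/destroy on the collection) — see the harness for what the
  # trailing `true` toggles.
  model_tests(Fog::Compute[:aws].security_groups, {:description => 'foggroupdescription', :name => 'foggroupname'}, true)

  tests("authorize and revoke helpers") do
    @group = Fog::Compute[:aws].security_groups.create(:name => "foggroup", :description => "fog group desc")

    @other_group = Fog::Compute[:aws].security_groups.create(:name => 'fog other group', :description => 'another fog group')
    @other_group.reload

    # An owner id / group id pair from the mock that does not belong to any
    # group created here; used below to check that a reference to a group the
    # caller cannot see is rejected rather than silently authorized.
    @other_user_id = Fog::AWS::Mock.owner_id
    @other_users_group_id = Fog::AWS::Mock.security_group_id

    # Looks up the egress rule the port-range helpers are expected to create
    # or remove: tcp from_port-to_port open to 0.0.0.0/0. No :cidr is passed
    # to authorize_port_range in the egress tests, and this matcher pins the
    # resulting default as world-open.
    egress_rule_for = lambda do |group, from_port, to_port|
      group.ip_permissions_egress.find do |permission|
        permission['fromPort'] == from_port &&
          permission['toPort'] == to_port &&
          permission['ipProtocol'] == 'tcp' &&
          permission['ipRanges'] == [{ 'cidrIp' => '0.0.0.0/0' }]
      end
    end

    test("authorize access by another security group") do
      @group.authorize_group_and_owner(@other_group.name)
      @group.reload
      # Three entries are expected — presumably one per protocol; confirm
      # against authorize_group_and_owner if this count changes.
      @group.ip_permissions.size == 3
    end

    test("revoke access from another security group") do
      @group.revoke_group_and_owner(@other_group.name)
      @group.reload
      @group.ip_permissions.empty?
    end

    test("authorize access to a port range") do
      @group.authorize_port_range(5000..6000)
      @group.reload
      @group.ip_permissions.size == 1
    end

    test("revoke access to a port range") do
      @group.revoke_port_range(5000..6000)
      @group.reload
      @group.ip_permissions.empty?
    end

    test("authorize access at a port range (egress rule)") do
      @group.authorize_port_range(5000..6000, :direction => 'egress')
      @group.reload
      !egress_rule_for.call(@group, 5000, 6000).nil?
    end

    test("revoke access at a port range (egress rule)") do
      @group.revoke_port_range(5000..6000, :direction => 'egress')
      @group.reload
      egress_rule_for.call(@group, 5000, 6000).nil?
    end

    # Every accepted way of naming another group as the source of a rule.
    group_forms = [
      "#{@other_group.owner_id}:#{@other_group.group_id}", # deprecated form
      @other_group.group_id,
      {@other_group.owner_id => @other_group.group_id},
    ]

    group_forms.each do |group_arg|
      test("authorize port range access by another security group #{group_arg.inspect}") do
        @other_group.reload
        @group.authorize_port_range(5000..6000, {:group => group_arg})
        @group.reload
        @group.ip_permissions.size == 1
      end

      # The form is interpolated here too so each iteration's result is
      # distinguishable in the test output.
      test("revoke port range access by another security group #{group_arg.inspect}") do
        @other_group.reload
        @group.revoke_port_range(5000..6000, {:group => group_arg})
        @group.reload
        @group.ip_permissions.empty?
      end
    end

    # A group id the caller does not own must raise NotFound (carrying the
    # offending id) instead of creating a rule pointing at an unknown group.
    [
      { @other_user_id => @other_users_group_id }
    ].each do |group_arg|
      test("does not authorize port range access by an invalid security group #{group_arg.inspect}") do
        raises(Fog::AWS::Compute::NotFound, "The security group '#{@other_users_group_id}' does not exist") {
          @other_group.reload
          @group.authorize_port_range(5000..6000, {:group => group_arg})
        }
      end
    end

    @other_group.destroy
    @group.destroy
  end
end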