Merge "Support remote-address-group in SG rules"

Zuul · openstack-gerrit · commit bfa032cb1885 · 2021-01-20T17:03:39.000Z
diff --git a/openstackclient/network/v2/security_group_rule.py b/openstackclient/network/v2/security_group_rule.py
@@ -126,6 +126,12 @@ def update_parser_common(self, parser):
             metavar="<group>",
             help=_("Remote security group (name or ID)"),
         )
+        if self.is_neutron:
+            remote_group.add_argument(
+                "--remote-address-group",
+                metavar="<group>",
+                help=_("Remote address group (name or ID)"),
+            )
 
         # NOTE(efried): The --dst-port, --protocol, and --proto options exist
         # for both nova-network and neutron, but differ slightly. For the sake
@@ -328,6 +334,11 @@ def take_action_network(self, client, parsed_args):
                 parsed_args.remote_group,
                 ignore_missing=False
             ).id
+        elif parsed_args.remote_address_group is not None:
+            attrs['remote_address_group_id'] = client.find_address_group(
+                parsed_args.remote_address_group,
+                ignore_missing=False
+            ).id
         elif parsed_args.remote_ip is not None:
             attrs['remote_ip_prefix'] = parsed_args.remote_ip
         elif attrs['ethertype'] == 'IPv4':
@@ -507,6 +518,8 @@ def _get_column_headers(self, parsed_args):
             'Direction',
             'Remote Security Group',
         )
+        if self.is_neutron:
+            column_headers = column_headers + ('Remote Address Group',)
         if parsed_args.group is None:
             column_headers = column_headers + ('Security Group',)
         return column_headers
@@ -526,6 +539,7 @@ def take_action_network(self, client, parsed_args):
             'port_range',
             'direction',
             'remote_group_id',
+            'remote_address_group_id',
         )
 
         # Get the security group rules using the requested query.
diff --git a/openstackclient/tests/unit/network/v2/fakes.py b/openstackclient/tests/unit/network/v2/fakes.py
@@ -1382,6 +1382,7 @@ def create_one_security_group_rule(attrs=None):
             'port_range_min': None,
             'protocol': None,
             'remote_group_id': None,
+            'remote_address_group_id': None,
             'remote_ip_prefix': '0.0.0.0/0',
             'security_group_id': 'security-group-id-' + uuid.uuid4().hex,
             'tenant_id': 'project-id-' + uuid.uuid4().hex,
diff --git a/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py b/openstackclient/tests/unit/network/v2/test_security_group_rule_network.py
@@ -46,6 +46,9 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
     _security_group = \
         network_fakes.FakeSecurityGroup.create_one_security_group()
 
+    # The address group to be used in security group rules
+    _address_group = network_fakes.FakeAddressGroup.create_one_address_group()
+
     expected_columns = (
         'description',
         'direction',
@@ -55,6 +58,7 @@ class TestCreateSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
         'port_range_min',
         'project_id',
         'protocol',
+        'remote_address_group_id',
         'remote_group_id',
         'remote_ip_prefix',
         'security_group_id',
@@ -77,6 +81,7 @@ def _setup_security_group_rule(self, attrs=None):
             self._security_group_rule.port_range_min,
             self._security_group_rule.project_id,
             self._security_group_rule.protocol,
+            self._security_group_rule.remote_address_group_id,
             self._security_group_rule.remote_group_id,
             self._security_group_rule.remote_ip_prefix,
             self._security_group_rule.security_group_id,
@@ -88,6 +93,9 @@ def setUp(self):
         self.network.find_security_group = mock.Mock(
             return_value=self._security_group)
 
+        self.network.find_address_group = mock.Mock(
+            return_value=self._address_group)
+
         self.projects_mock.get.return_value = self.project
         self.domains_mock.get.return_value = self.domain
 
@@ -103,6 +111,7 @@ def test_create_all_remote_options(self):
         arglist = [
             '--remote-ip', '10.10.0.0/24',
             '--remote-group', self._security_group.id,
+            '--remote-address-group', self._address_group.id,
             self._security_group.id,
         ]
         self.assertRaises(tests_utils.ParserException,
@@ -258,6 +267,34 @@ def test_create_protocol_any(self):
         self.assertEqual(self.expected_columns, columns)
         self.assertEqual(self.expected_data, data)
 
+    def test_create_remote_address_group(self):
+        self._setup_security_group_rule({
+            'protocol': 'icmp',
+            'remote_address_group_id': self._address_group.id,
+        })
+        arglist = [
+            '--protocol', 'icmp',
+            '--remote-address-group', self._address_group.name,
+            self._security_group.id,
+        ]
+        verifylist = [
+            ('remote_address_group', self._address_group.name),
+            ('group', self._security_group.id),
+        ]
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        columns, data = self.cmd.take_action(parsed_args)
+
+        self.network.create_security_group_rule.assert_called_once_with(**{
+            'direction': self._security_group_rule.direction,
+            'ethertype': self._security_group_rule.ether_type,
+            'protocol': self._security_group_rule.protocol,
+            'remote_address_group_id': self._address_group.id,
+            'security_group_id': self._security_group.id,
+        })
+        self.assertEqual(self.expected_columns, columns)
+        self.assertEqual(self.expected_data, data)
+
     def test_create_remote_group(self):
         self._setup_security_group_rule({
             'protocol': 'tcp',
@@ -878,6 +915,7 @@ class TestListSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
         'Port Range',
         'Direction',
         'Remote Security Group',
+        'Remote Address Group',
     )
     expected_columns_no_group = (
         'ID',
@@ -887,6 +925,7 @@ class TestListSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
         'Port Range',
         'Direction',
         'Remote Security Group',
+        'Remote Address Group',
         'Security Group',
     )
 
@@ -902,6 +941,7 @@ class TestListSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
                 _security_group_rule),
             _security_group_rule.direction,
             _security_group_rule.remote_group_id,
+            _security_group_rule.remote_address_group_id,
         ))
         expected_data_no_group.append((
             _security_group_rule.id,
@@ -912,6 +952,7 @@ class TestListSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
                 _security_group_rule),
             _security_group_rule.direction,
             _security_group_rule.remote_group_id,
+            _security_group_rule.remote_address_group_id,
             _security_group_rule.security_group_id,
         ))
 
@@ -1041,6 +1082,7 @@ class TestShowSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
         'port_range_min',
         'project_id',
         'protocol',
+        'remote_address_group_id',
         'remote_group_id',
         'remote_ip_prefix',
         'security_group_id',
@@ -1055,6 +1097,7 @@ class TestShowSecurityGroupRuleNetwork(TestSecurityGroupRuleNetwork):
         _security_group_rule.port_range_min,
         _security_group_rule.project_id,
         _security_group_rule.protocol,
+        _security_group_rule.remote_address_group_id,
         _security_group_rule.remote_group_id,
         _security_group_rule.remote_ip_prefix,
         _security_group_rule.security_group_id,
diff --git a/releasenotes/notes/bp-address-groups-in-sg-rules-b3b7742e4e6f5745.yaml b/releasenotes/notes/bp-address-groups-in-sg-rules-b3b7742e4e6f5745.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Add ``--remote-address-group`` option to ``security group rule create``
+    command for using an address group as the source/destination in security
+    group rules. Also add field ``remote_address_group_id`` to the output of
+    ``security group rule show`` and add column ``Remote Address Group`` to
+    the output of ``security group rule list``.
+    [Blueprint `address-groups-in-sg-rules <https://blueprints.launchpad.net/neutron/+spec/address-groups-in-sg-rules>`_]
