mirror of
https://github.com/yunionio/cloudpods.git
synced 2026-05-07 22:24:32 +08:00
265 lines
7.2 KiB
Go
265 lines
7.2 KiB
Go
// Copyright 2019 Yunion
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package zstack
|
|
|
|
import (
|
|
"fmt"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"yunion.io/x/jsonutils"
|
|
"yunion.io/x/pkg/errors"
|
|
"yunion.io/x/pkg/util/secrules"
|
|
|
|
api "yunion.io/x/onecloud/pkg/apis/compute"
|
|
"yunion.io/x/onecloud/pkg/cloudprovider"
|
|
"yunion.io/x/onecloud/pkg/multicloud"
|
|
)
|
|
|
|
type SSecurityGroupRule struct {
|
|
ZStackBasic
|
|
SecurityGroupUUID string `json:"securityGroupUuid"`
|
|
Type string `json:"type"`
|
|
IPVersion int `json:"ipVersion"`
|
|
StartPort int `json:"startPort"`
|
|
EndPort int `json:"endPort"`
|
|
Protocol string `json:"protocol"`
|
|
State string `json:"state"`
|
|
AllowedCIDR string `json:"allowedCidr"`
|
|
RemoteSecurityGroupUUID string `json:"remoteSecurityGroupUuid"`
|
|
ZStackTime
|
|
}
|
|
|
|
type SSecurityGroup struct {
|
|
multicloud.SSecurityGroup
|
|
multicloud.ZStackTags
|
|
region *SRegion
|
|
|
|
ZStackBasic
|
|
State string `json:"state"`
|
|
IPVersion int `json:"ipVersion"`
|
|
ZStackTime
|
|
InternalID int `json:"internalId"`
|
|
Rules []SSecurityGroupRule `json:"rules"`
|
|
AttachedL3NetworkUUIDs []string `json:"attachedL3NetworkUuids"`
|
|
}
|
|
|
|
func (region *SRegion) GetSecurityGroup(secgroupId string) (*SSecurityGroup, error) {
|
|
secgroup := &SSecurityGroup{region: region}
|
|
return secgroup, region.client.getResource("security-groups", secgroupId, secgroup)
|
|
}
|
|
|
|
func (region *SRegion) GetSecurityGroups(secgroupId string, instanceId string, name string) ([]SSecurityGroup, error) {
|
|
secgroups := []SSecurityGroup{}
|
|
params := url.Values{}
|
|
if len(secgroupId) > 0 {
|
|
params.Add("q", "uuid="+secgroupId)
|
|
}
|
|
if len(instanceId) > 0 {
|
|
params.Add("q", "vmNic.vmInstanceUuid="+instanceId)
|
|
}
|
|
if len(name) > 0 {
|
|
params.Add("q", "name="+name)
|
|
}
|
|
err := region.client.listAll("security-groups", params, &secgroups)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for i := 0; i < len(secgroups); i++ {
|
|
secgroups[i].region = region
|
|
}
|
|
return secgroups, nil
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetVpcId() string {
|
|
return api.NORMAL_VPC_ID
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetId() string {
|
|
return self.UUID
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetGlobalId() string {
|
|
return self.UUID
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetDescription() string {
|
|
return self.Description
|
|
}
|
|
|
|
func (rule *SSecurityGroupRule) toRule() (cloudprovider.SecurityRule, error) {
|
|
r := cloudprovider.SecurityRule{
|
|
ExternalId: rule.UUID,
|
|
SecurityRule: secrules.SecurityRule{
|
|
Direction: secrules.DIR_IN,
|
|
Action: secrules.SecurityRuleAllow,
|
|
Priority: 1,
|
|
Protocol: secrules.PROTO_ANY,
|
|
PortStart: rule.StartPort,
|
|
PortEnd: rule.EndPort,
|
|
},
|
|
}
|
|
r.ParseCIDR(rule.AllowedCIDR)
|
|
if rule.Type == "Egress" {
|
|
r.Direction = secrules.DIR_OUT
|
|
}
|
|
if rule.Protocol != "ALL" {
|
|
r.Protocol = strings.ToLower(rule.Protocol)
|
|
}
|
|
err := r.ValidateRule()
|
|
if err != nil {
|
|
return r, errors.Wrap(err, "invalid rule")
|
|
}
|
|
return r, nil
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetRules() ([]cloudprovider.SecurityRule, error) {
|
|
rules := []cloudprovider.SecurityRule{}
|
|
for i := 0; i < len(self.Rules); i++ {
|
|
if self.Rules[i].IPVersion == 4 {
|
|
rule, err := self.Rules[i].toRule()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
rules = append(rules, rule)
|
|
}
|
|
}
|
|
return rules, nil
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetName() string {
|
|
return self.Name
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetStatus() string {
|
|
return ""
|
|
}
|
|
|
|
func (self *SSecurityGroup) IsEmulated() bool {
|
|
return false
|
|
}
|
|
|
|
func (self *SSecurityGroup) Refresh() error {
|
|
new, err := self.region.GetSecurityGroup(self.UUID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return jsonutils.Update(self, new)
|
|
}
|
|
|
|
func (self *SSecurityGroup) GetProjectId() string {
|
|
return ""
|
|
}
|
|
|
|
func (region *SRegion) AddSecurityGroupRule(secgroupId string, rules []cloudprovider.SecurityRule) error {
|
|
ruleParam := []map[string]interface{}{}
|
|
for _, rule := range rules {
|
|
Type := "Ingress"
|
|
if rule.Direction == secrules.DIR_OUT {
|
|
Type = "Egress"
|
|
}
|
|
protocol := "ALL"
|
|
if rule.Protocol != secrules.PROTO_ANY {
|
|
protocol = strings.ToUpper(rule.Protocol)
|
|
}
|
|
if rule.Protocol == secrules.PROTO_ICMP || rule.Protocol == secrules.PROTO_ANY {
|
|
rule.PortStart = -1
|
|
rule.PortEnd = -1
|
|
rule.Ports = []int{}
|
|
}
|
|
if len(rule.Ports) > 0 {
|
|
for _, port := range rule.Ports {
|
|
ruleParam = append(ruleParam, map[string]interface{}{
|
|
"type": Type,
|
|
"startPort": port,
|
|
"endPort": port,
|
|
"protocol": protocol,
|
|
"allowedCidr": rule.IPNet.String(),
|
|
})
|
|
}
|
|
} else {
|
|
if protocol != "ALL" {
|
|
// TCP UDP端口不能为-1
|
|
if (rule.Protocol == secrules.PROTO_TCP || rule.Protocol == secrules.PROTO_UDP) &&
|
|
(rule.PortStart <= 0 && rule.PortEnd <= 0) {
|
|
rule.PortStart = 0
|
|
rule.PortEnd = 65535
|
|
}
|
|
ruleParam = append(ruleParam, map[string]interface{}{
|
|
"type": Type,
|
|
"startPort": rule.PortStart,
|
|
"endPort": rule.PortEnd,
|
|
"protocol": protocol,
|
|
"allowedCidr": rule.IPNet.String(),
|
|
})
|
|
} else {
|
|
ruleParam = append(ruleParam, map[string]interface{}{
|
|
"type": Type,
|
|
"protocol": protocol,
|
|
"allowedCidr": rule.IPNet.String(),
|
|
})
|
|
}
|
|
}
|
|
}
|
|
if len(ruleParam) > 0 {
|
|
params := map[string]interface{}{
|
|
"params": map[string]interface{}{
|
|
"rules": ruleParam,
|
|
},
|
|
}
|
|
return region.client.create(fmt.Sprintf("security-groups/%s/rules", secgroupId), jsonutils.Marshal(params), nil)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (region *SRegion) DeleteSecurityGroupRules(ruleIds []string) error {
|
|
if len(ruleIds) > 0 {
|
|
ids := []string{}
|
|
for _, ruleId := range ruleIds {
|
|
ids = append(ids, fmt.Sprintf("ruleUuids=%s", ruleId))
|
|
}
|
|
resource := fmt.Sprintf("security-groups/rules?%s", strings.Join(ids, "&"))
|
|
return region.client.delete(resource, "", "")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (region *SRegion) CreateSecurityGroup(name, desc string) (*SSecurityGroup, error) {
|
|
secgroup := &SSecurityGroup{region: region}
|
|
params := map[string]map[string]string{
|
|
"params": {
|
|
"name": name,
|
|
"description": desc,
|
|
},
|
|
}
|
|
return secgroup, region.client.create("security-groups", jsonutils.Marshal(params), secgroup)
|
|
}
|
|
|
|
func (self *SSecurityGroup) SyncRules(common, inAdds, outAdds, inDels, outDels []cloudprovider.SecurityRule) error {
|
|
deleteIds := []string{}
|
|
for _, r := range append(inDels, outDels...) {
|
|
deleteIds = append(deleteIds, r.ExternalId)
|
|
}
|
|
err := self.region.DeleteSecurityGroupRules(deleteIds)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "DeleteSecurityGroupRules(%s)", deleteIds)
|
|
}
|
|
return self.region.AddSecurityGroupRule(self.UUID, append(inAdds, outAdds...))
|
|
}
|
|
|
|
func (self *SSecurityGroup) Delete() error {
|
|
return self.region.client.delete("security-groups", self.UUID, "Permissive")
|
|
}
|