From e5fb0b607d763530647a1f97848f95158cb88ffb Mon Sep 17 00:00:00 2001 From: Ignasi Barrera Date: Fri, 10 Oct 2014 00:47:53 +0200 Subject: [PATCH] Allow to configure CIDR exclusion blocks --- .../CloudStackSecurityGroupExtension.java | 5 ++ .../extensions/EC2SecurityGroupExtension.java | 5 ++ .../org/jclouds/ec2/util/IpPermissions.java | 2 +- ...ribeSecurityGroupsResponseHandlerTest.java | 8 +- .../NovaSecurityGroupExtension.java | 6 ++ .../extensions/SecurityGroupExtension.java | 7 ++ .../StubSecurityGroupExtension.java | 5 ++ .../org/jclouds/net/domain/IpPermission.java | 76 ++++++++++++++----- .../org/jclouds/net/util/IpPermissions.java | 25 ++++-- .../BaseSecurityGroupExtensionLiveTest.java | 64 +++++++++++++++- .../jclouds/net/util/IpPermissionsTest.java | 39 ++++++++++ 11 files changed, 209 insertions(+), 33 deletions(-) diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/extensions/CloudStackSecurityGroupExtension.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/extensions/CloudStackSecurityGroupExtension.java index 70f7728cab..da1ab8492a 100644 --- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/extensions/CloudStackSecurityGroupExtension.java +++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/extensions/CloudStackSecurityGroupExtension.java @@ -279,4 +279,9 @@ public class CloudStackSecurityGroupExtension implements SecurityGroupExtension return false; } + @Override + public boolean supportsExclusionCidrBlocks() { + return false; + } + } diff --git a/apis/ec2/src/main/java/org/jclouds/ec2/compute/extensions/EC2SecurityGroupExtension.java b/apis/ec2/src/main/java/org/jclouds/ec2/compute/extensions/EC2SecurityGroupExtension.java index 612b52913c..6160fe684c 100644 --- a/apis/ec2/src/main/java/org/jclouds/ec2/compute/extensions/EC2SecurityGroupExtension.java +++ b/apis/ec2/src/main/java/org/jclouds/ec2/compute/extensions/EC2SecurityGroupExtension.java 
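Review bot: Returning `false` from `supportsExclusionCidrBlocks()` is not paired with any rejection of permissions that actually carry exclusion blocks, so unless `addIpPermission` (outside this hunk) inspects `getExclusionCidrBlocks()`, a permission built with `exceptOriginatingFromCidrBlocks` would have its carve-out silently ignored — yielding either a rule with no source at all or, when `cidrBlocks` is also set, a rule wider than the caller asked for. A guard at the top of `addIpPermission` such as `checkArgument(ipPermission.getExclusionCidrBlocks().isEmpty(), "exclusion CIDR blocks are not supported by this provider");` keeps the capability flag honest and fails closed. The same applies to the EC2 and Nova implementations in the following hunks, which also return `false` without a corresponding check.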
@@ -333,6 +333,11 @@ public class EC2SecurityGroupExtension implements SecurityGroupExtension { return false; } + @Override + public boolean supportsExclusionCidrBlocks() { + return false; + } + protected Iterable pollSecurityGroups() { Iterable> groups = transform(regions.get(), allSecurityGroupsInRegion()); diff --git a/apis/ec2/src/main/java/org/jclouds/ec2/util/IpPermissions.java b/apis/ec2/src/main/java/org/jclouds/ec2/util/IpPermissions.java index 5b26f4800a..36fe18e209 100644 --- a/apis/ec2/src/main/java/org/jclouds/ec2/util/IpPermissions.java +++ b/apis/ec2/src/main/java/org/jclouds/ec2/util/IpPermissions.java @@ -42,7 +42,7 @@ public class IpPermissions extends IpPermission { protected IpPermissions(IpProtocol ipProtocol, int fromPort, int toPort, Multimap userIdGroupPairs, Iterable groupIds, Iterable ipRanges) { super(ipProtocol, fromPort, toPort, userIdGroupPairs, groupIds, userIdGroupPairs.isEmpty() ? ipRanges - : ImmutableSet. of()); + : ImmutableSet. of(), ImmutableSet. of()); } /** diff --git a/apis/ec2/src/test/java/org/jclouds/ec2/xml/DescribeSecurityGroupsResponseHandlerTest.java b/apis/ec2/src/test/java/org/jclouds/ec2/xml/DescribeSecurityGroupsResponseHandlerTest.java index d534b01501..6e81bd19b9 100644 --- a/apis/ec2/src/test/java/org/jclouds/ec2/xml/DescribeSecurityGroupsResponseHandlerTest.java +++ b/apis/ec2/src/test/java/org/jclouds/ec2/xml/DescribeSecurityGroupsResponseHandlerTest.java 
@@ -46,10 +46,10 @@ public class DescribeSecurityGroupsResponseHandlerTest extends BaseEC2HandlerTes Set expected = ImmutableSet.of( new SecurityGroup(defaultRegion, "sg-3c6ef654", "WebServers", "UYY3TLBUXIEON5NQVUUX6OMPWBZIQNFM", "Web Servers", ImmutableSet.of(new IpPermission(IpProtocol.TCP, 80, 80, ImmutableMultimap. of(), - ImmutableSet. of(), ImmutableSet.of("0.0.0.0/0")))), + ImmutableSet. of(), ImmutableSet.of("0.0.0.0/0"), ImmutableSet. of()))), new SecurityGroup(defaultRegion, "sg-867309ab", "RangedPortsBySource", "UYY3TLBUXIEON5NQVUUX6OMPWBZIQNFM", "Group A", ImmutableSet.of(new IpPermission(IpProtocol.TCP, 6000, 7000, ImmutableMultimap - . of(), ImmutableSet. of(), ImmutableSet. of())))); + . of(), ImmutableSet. of(), ImmutableSet. of(), ImmutableSet. of())))); DescribeSecurityGroupsResponseHandler handler = injector.getInstance(DescribeSecurityGroupsResponseHandler.class); addDefaultRegionToHandler(handler); @@ -70,9 +70,9 @@ public class DescribeSecurityGroupsResponseHandlerTest extends BaseEC2HandlerTes new SecurityGroup(defaultRegion, "sg-3c6ef654", "jclouds#cluster#world", "UYY3TLBUXIEON5NQVUUX6OMPWBZIQNFM", "Cluster", ImmutableSet.of( new IpPermission(IpProtocol.TCP, 22, 22, ImmutableMultimap. of(), - ImmutableSet. of(), ImmutableSet.of("0.0.0.0/0")), + ImmutableSet. of(), ImmutableSet.of("0.0.0.0/0"), ImmutableSet. of()), new IpPermission(IpProtocol.ALL, -1, -1, userIdGroupPairs, - ImmutableSet. of(), ImmutableSet. of())))); + ImmutableSet. of(), ImmutableSet. of(), ImmutableSet. of())))); DescribeSecurityGroupsResponseHandler handler = injector.getInstance(DescribeSecurityGroupsResponseHandler.class); addDefaultRegionToHandler(handler); diff --git a/apis/openstack-nova/src/main/java/org/jclouds/openstack/nova/v2_0/compute/extensions/NovaSecurityGroupExtension.java b/apis/openstack-nova/src/main/java/org/jclouds/openstack/nova/v2_0/compute/extensions/NovaSecurityGroupExtension.java index c6f78b445e..1a5c4fe689 100644 
--- a/apis/openstack-nova/src/main/java/org/jclouds/openstack/nova/v2_0/compute/extensions/NovaSecurityGroupExtension.java +++ b/apis/openstack-nova/src/main/java/org/jclouds/openstack/nova/v2_0/compute/extensions/NovaSecurityGroupExtension.java @@ -330,6 +330,11 @@ public class NovaSecurityGroupExtension implements SecurityGroupExtension { return false; } + @Override + public boolean supportsExclusionCidrBlocks() { + return false; + } + protected Iterable pollSecurityGroups() { Iterable> groups = transform(regionIds.get(), allSecurityGroupsInRegion()); @@ -368,4 +373,5 @@ public class NovaSecurityGroupExtension implements SecurityGroupExtension { } }; } + } diff --git a/compute/src/main/java/org/jclouds/compute/extensions/SecurityGroupExtension.java b/compute/src/main/java/org/jclouds/compute/extensions/SecurityGroupExtension.java index d165deccea..26a3a67aed 100644 --- a/compute/src/main/java/org/jclouds/compute/extensions/SecurityGroupExtension.java +++ b/compute/src/main/java/org/jclouds/compute/extensions/SecurityGroupExtension.java @@ -23,6 +23,7 @@ import org.jclouds.domain.Location; import org.jclouds.net.domain.IpPermission; import org.jclouds.net.domain.IpProtocol; +import com.google.common.annotations.Beta; import com.google.common.collect.Multimap; /** @@ -180,4 +181,10 @@ public interface SecurityGroupExtension { */ boolean supportsPortRangesForGroups(); + /** + * Returns true if this SecurityGroupExtension supports exclusion CIDR groups. + */ + @Beta + boolean supportsExclusionCidrBlocks(); + } diff --git a/compute/src/main/java/org/jclouds/compute/stub/extensions/StubSecurityGroupExtension.java b/compute/src/main/java/org/jclouds/compute/stub/extensions/StubSecurityGroupExtension.java index 4a57d73c8e..f0f219f6dd 100644 --- a/compute/src/main/java/org/jclouds/compute/stub/extensions/StubSecurityGroupExtension.java +++ b/compute/src/main/java/org/jclouds/compute/stub/extensions/StubSecurityGroupExtension.java 
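Review bot: The Javadoc on the new interface method says "exclusion CIDR groups" while the method, the `IpPermission` accessor and the builder all say "blocks", and it does not state what a `false` answer means for callers. Suggest: `Returns true if this SecurityGroupExtension supports exclusion CIDR blocks (see IpPermission#getExclusionCidrBlocks()); when false, IpPermissions with a non-empty exclusion set must not be passed to addIpPermission.` Whether implementations enforce that contract cannot be seen from this hunk, so the interface doc is the right place to pin it down.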
@@ -245,4 +245,9 @@ public class StubSecurityGroupExtension implements SecurityGroupExtension { public boolean supportsPortRangesForGroups() { return true; } + + @Override + public boolean supportsExclusionCidrBlocks() { + return true; + } } diff --git a/compute/src/main/java/org/jclouds/net/domain/IpPermission.java b/compute/src/main/java/org/jclouds/net/domain/IpPermission.java index 6ae7209451..522acd8ce3 100644 --- a/compute/src/main/java/org/jclouds/net/domain/IpPermission.java +++ b/compute/src/main/java/org/jclouds/net/domain/IpPermission.java @@ -56,6 +56,7 @@ public class IpPermission implements Comparable { private Multimap tenantIdGroupNamePairs = LinkedHashMultimap.create(); private Set groupIds = Sets.newLinkedHashSet(); private Set cidrBlocks = Sets.newLinkedHashSet(); + private Set exclusionCidrBlocks = Sets.newLinkedHashSet(); /** * 
@@ -113,16 +114,39 @@ public class IpPermission implements Comparable { * @see IpPermission#getCidrBlocks() */ public Builder cidrBlocks(Iterable cidrBlocks) { - Iterables.addAll(this.cidrBlocks, transform(cidrBlocks, - new Function() { - @Override - public String apply(String input) { - checkArgument(isCidrFormat(input), - "input %s is not a valid CIDR", - input); - return input; - } - })); + Iterables.addAll(this.cidrBlocks, transform(cidrBlocks, new Function() { + @Override + public String apply(String input) { + checkArgument(isCidrFormat(input), "input %s is not a valid CIDR", input); + return input; + } + })); + return this; + } + + /** + * @see IpPermission#getExclusionCidrBlocks() + */ + @Beta + public Builder exclusionCidrBlock(String exclusionCidrBlock) { + checkArgument(isCidrFormat(exclusionCidrBlock), "exclusionCidrBlock %s is not a valid CIDR", + exclusionCidrBlock); + this.exclusionCidrBlocks.add(exclusionCidrBlock); + return this; + } + + /** + * @see IpPermission#getExclusionCidrBlocks() + */ + @Beta + public Builder exclusionCidrBlocks(Iterable exclusionCidrBlocks) { + Iterables.addAll(this.exclusionCidrBlocks, transform(exclusionCidrBlocks, new Function() { + @Override + public String apply(String input) { + checkArgument(isCidrFormat(input), "input %s is not a valid CIDR", input); + return input; + } + })); return this; } @@ -143,7 +167,8 @@ public class IpPermission implements Comparable { } public IpPermission build() { - return new IpPermission(ipProtocol, fromPort, toPort, tenantIdGroupNamePairs, groupIds, cidrBlocks); + return new IpPermission(ipProtocol, fromPort, toPort, tenantIdGroupNamePairs, groupIds, cidrBlocks, + exclusionCidrBlocks); } } 
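Review bot: `exclusionCidrBlocks(Iterable)` copies the anonymous CIDR-validating `Function` from `cidrBlocks(Iterable)` verbatim, so the two validators can now drift apart (different message, different check). Hoisting it into one `private static final Function<String, String>` on the builder (or on `IpPermission`, if `Builder` is not static) and passing it to both `transform` calls removes the duplication. The single-value `exclusionCidrBlock(String)` could reuse the same function too, e.g. `this.exclusionCidrBlocks.add(CHECK_CIDR.apply(exclusionCidrBlock));`. The builder also accepts both `cidrBlocks` and `exclusionCidrBlocks` on one permission without saying how they combine; that belongs in the accessor's Javadoc.

```java
private static final Function<String, String> CHECK_CIDR = new Function<String, String>() {
   @Override
   public String apply(String input) {
      checkArgument(isCidrFormat(input), "input %s is not a valid CIDR", input);
      return input;
   }
};

public Builder cidrBlocks(Iterable<String> cidrBlocks) {
   Iterables.addAll(this.cidrBlocks, transform(cidrBlocks, CHECK_CIDR));
   return this;
}

// … unchanged: exclusionCidrBlock(String) …

@Beta
public Builder exclusionCidrBlocks(Iterable<String> exclusionCidrBlocks) {
   Iterables.addAll(this.exclusionCidrBlocks, transform(exclusionCidrBlocks, CHECK_CIDR));
   return this;
}
```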
@@ -153,16 +178,19 @@ public class IpPermission implements Comparable { private final Set groupIds; private final IpProtocol ipProtocol; private final Set cidrBlocks; + private final Set exclusionCidrBlocks; public IpPermission(IpProtocol ipProtocol, int fromPort, int toPort, - Multimap tenantIdGroupNamePairs, Iterable groupIds, Iterable cidrBlocks) { + Multimap tenantIdGroupNamePairs, Iterable groupIds, Iterable cidrBlocks, + Iterable exclusionCidrBlocks) { this.fromPort = fromPort; this.toPort = toPort; this.tenantIdGroupNamePairs = ImmutableMultimap.copyOf(checkNotNull(tenantIdGroupNamePairs, - "tenantIdGroupNamePairs")); + "tenantIdGroupNamePairs")); this.ipProtocol = checkNotNull(ipProtocol, "ipProtocol"); this.groupIds = ImmutableSet.copyOf(checkNotNull(groupIds, "groupIds")); this.cidrBlocks = ImmutableSet.copyOf(checkNotNull(cidrBlocks, "cidrBlocks")); + this.exclusionCidrBlocks = ImmutableSet.copyOf(checkNotNull(exclusionCidrBlocks, "exclusionCidrBlocks")); } /** @@ -217,6 +245,14 @@ public class IpPermission implements Comparable { return cidrBlocks; } + /** + * source of traffic is a all but this exclusionCidrBlocks + */ + @Beta + public Set getExclusionCidrBlocks() { + return exclusionCidrBlocks; + } + @Override public boolean equals(Object o) { if (this == o) 
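Review bot: Adding a seventh parameter to the only public `IpPermission` constructor is a source-incompatible change for every external caller, even though the in-tree callers are updated in this patch; the new feature is marked `@Beta`, so the old arity should keep working. A delegating overload keeps compatibility: `public IpPermission(IpProtocol ipProtocol, int fromPort, int toPort, Multimap<String, String> tenantIdGroupNamePairs, Iterable<String> groupIds, Iterable<String> cidrBlocks) { this(ipProtocol, fromPort, toPort, tenantIdGroupNamePairs, groupIds, cidrBlocks, ImmutableSet.<String>of()); }`. Note also that, like `cidrBlocks`, the constructor does not validate CIDR syntax — only the builder does — so a comment such as `// CIDR format is validated by Builder, not here` would save the next reader a search.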
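Review bot: The Javadoc on `getExclusionCidrBlocks()` reads "source of traffic is a all but this exclusionCidrBlocks", which is garbled and does not say how the set relates to `getCidrBlocks()` — the one question a provider implementing it must answer. Suggest: `CIDR blocks that are excluded from the permitted sources: traffic originating from these blocks is denied even if it falls within getCidrBlocks(), or within any source when getCidrBlocks() is empty. Only honoured by extensions whose supportsExclusionCidrBlocks() returns true.` The second sentence is my reading of `exceptOriginatingFromCidrBlocks`, which passes an empty `cidrBlocks`; confirm it matches the intended semantics before committing the wording.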
@@ -226,13 +262,15 @@ public class IpPermission implements Comparable { return false; IpPermission that = IpPermission.class.cast(o); return equal(this.ipProtocol, that.ipProtocol) && equal(this.fromPort, that.fromPort) - && equal(this.toPort, that.toPort) && equal(this.tenantIdGroupNamePairs, that.tenantIdGroupNamePairs) - && equal(this.groupIds, that.groupIds) && equal(this.cidrBlocks, that.cidrBlocks); + && equal(this.toPort, that.toPort) && equal(this.tenantIdGroupNamePairs, that.tenantIdGroupNamePairs) + && equal(this.groupIds, that.groupIds) && equal(this.cidrBlocks, that.cidrBlocks) + && equal(this.exclusionCidrBlocks, that.exclusionCidrBlocks); } @Override public int hashCode() { - return Objects.hashCode(ipProtocol, fromPort, toPort, tenantIdGroupNamePairs, groupIds, cidrBlocks); + return Objects.hashCode(ipProtocol, fromPort, toPort, tenantIdGroupNamePairs, groupIds, cidrBlocks, + exclusionCidrBlocks); } @Override @@ -241,9 +279,9 @@ public class IpPermission implements Comparable { } protected ToStringHelper string() { - return MoreObjects.toStringHelper("").add("ipProtocol", ipProtocol).add("fromPort", fromPort).add("toPort", toPort) - .add("tenantIdGroupNamePairs", tenantIdGroupNamePairs).add("groupIds", groupIds).add("cidrBlocks", - cidrBlocks); + return MoreObjects.toStringHelper("").add("ipProtocol", ipProtocol).add("fromPort", fromPort) + .add("toPort", toPort).add("tenantIdGroupNamePairs", tenantIdGroupNamePairs).add("groupIds", groupIds) + .add("cidrBlocks", cidrBlocks).add("exclusionCidrBlocks", exclusionCidrBlocks); } } diff --git a/compute/src/main/java/org/jclouds/net/util/IpPermissions.java b/compute/src/main/java/org/jclouds/net/util/IpPermissions.java index ff3602a36e..cc922916c5 100644 --- a/compute/src/main/java/org/jclouds/net/util/IpPermissions.java +++ b/compute/src/main/java/org/jclouds/net/util/IpPermissions.java 
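Review bot: `equals`, `hashCode` and `string()` now include `exclusionCidrBlocks`, but `compareTo` — `IpPermission` implements `Comparable` and the method is outside this hunk — is not touched. If it orders on the individual fields rather than on `toString()`, two permissions that differ only in their exclusion set would compare as equal while `equals` says otherwise, so one of them silently disappears from any sorted set or `TreeMap`. Either extend the comparison chain with the new field or add a comment stating why it is intentionally excluded.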
@@ -32,9 +32,11 @@ import com.google.common.collect.Multimap; public class IpPermissions extends IpPermission { protected IpPermissions(IpProtocol ipProtocol, int fromPort, int toPort, - Multimap tenantIdGroupPairs, Iterable groupIds, Iterable cidrBlocks) { + Multimap tenantIdGroupPairs, Iterable groupIds, Iterable cidrBlocks, + Iterable exclusionCidrBlocks) { super(ipProtocol, fromPort, toPort, tenantIdGroupPairs, groupIds, tenantIdGroupPairs.size() == 0 ? cidrBlocks - : ImmutableSet. of()); + : ImmutableSet. of(), tenantIdGroupPairs.size() == 0 ? exclusionCidrBlocks : ImmutableSet + . of()); } public static ICMPTypeSelection permitICMP() { @@ -105,7 +107,7 @@ public class IpPermissions extends IpPermission { protected ToGroupSourceSelection(IpProtocol ipProtocol, int fromPort, int toPort) { super(ipProtocol, fromPort, toPort, ImmutableMultimap. of(), ImmutableSet. of(), - ImmutableSet.of("0.0.0.0/0")); + ImmutableSet.of("0.0.0.0/0"), ImmutableSet. of()); } public IpPermissions originatingFromSecurityGroupId(String groupId) { @@ -114,7 +116,7 @@ public class IpPermissions extends IpPermission { public IpPermissions originatingFromSecurityGroupIds(Iterable groupIds) { return new IpPermissions(getIpProtocol(), getFromPort(), getToPort(), getTenantIdGroupNamePairs(), groupIds, - ImmutableSet. of()); + ImmutableSet. of(), ImmutableSet. of()); } } 
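Review bot: The new ternary in the `IpPermissions` constructor silently discards `exclusionCidrBlocks` whenever `tenantIdGroupPairs` is non-empty, mirroring what was already done for `cidrBlocks`, but nothing on the line says so. A why-comment above the `super(...)` call, e.g. `// a permission sourced from tenant/group pairs carries no CIDR sources, so both CIDR sets are cleared`, documents the rule; the odd `ImmutableSet` / `. of()` split across two lines would also be easier to read as a local `Set<String> none = ImmutableSet.of();` used in both branches.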
@@ -128,8 +130,17 @@ public class IpPermissions extends IpPermission { } public IpPermissions originatingFromCidrBlocks(Iterable cidrIps) { - return new IpPermissions(getIpProtocol(), getFromPort(), getToPort(), - ImmutableMultimap. of(), ImmutableSet. of(), cidrIps); + return new IpPermissions(getIpProtocol(), getFromPort(), getToPort(), ImmutableMultimap. of(), + ImmutableSet. of(), cidrIps, ImmutableSet. of()); + } + + public IpPermissions exceptOriginatingFromCidrBlock(String excludedCidrIp) { + return exceptOriginatingFromCidrBlocks(ImmutableSet.of(checkNotNull(excludedCidrIp, "excludedCidrIp"))); + } + + public IpPermissions exceptOriginatingFromCidrBlocks(Iterable excludedCidrIps) { + return new IpPermissions(getIpProtocol(), getFromPort(), getToPort(), ImmutableMultimap. of(), + ImmutableSet. of(), ImmutableSet. of(), excludedCidrIps); } public IpPermissions originatingFromTenantAndSecurityGroup(String tenantId, String groupName) { @@ -139,7 +150,7 @@ public class IpPermissions extends IpPermission { public IpPermissions toTenantsGroupsNamed(Multimap tenantIdGroupNamePairs) { return new IpPermissions(getIpProtocol(), getFromPort(), getToPort(), tenantIdGroupNamePairs, getGroupIds(), - ImmutableSet. of()); + ImmutableSet. of(), ImmutableSet. of()); } } } diff --git a/compute/src/test/java/org/jclouds/compute/extensions/internal/BaseSecurityGroupExtensionLiveTest.java b/compute/src/test/java/org/jclouds/compute/extensions/internal/BaseSecurityGroupExtensionLiveTest.java index 258b8cbd67..06bd18b4ba 100644 --- a/compute/src/test/java/org/jclouds/compute/extensions/internal/BaseSecurityGroupExtensionLiveTest.java +++ b/compute/src/test/java/org/jclouds/compute/extensions/internal/BaseSecurityGroupExtensionLiveTest.java @@ -17,6 +17,7 @@ package org.jclouds.compute.extensions.internal; import static org.testng.Assert.assertEquals; +import static org.testng.Assert.assertFalse; import static org.testng.Assert.assertTrue; import java.util.Set; 
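Review bot: `exceptOriginatingFromCidrBlock` and `exceptOriginatingFromCidrBlocks` have no Javadoc, and neither mentions that the resulting permission is only meaningful on extensions whose `supportsExclusionCidrBlocks()` returns true — every provider implementation in this patch returns false. Suggest on the plural form: `Permits traffic from any source except the given CIDR blocks; the returned permission is only honoured by extensions that support exclusion CIDR blocks.` The plural form relies on the `IpPermission` constructor's `checkNotNull` for `excludedCidrIps`, while the singular form checks its argument itself; either is fine, but the two should be consistent with `originatingFromCidrBlocks` directly above.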
@@ -311,9 +312,57 @@ public abstract class BaseSecurityGroupExtensionLiveTest extends BaseComputeServ } */ + + @Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionsFromSpec") + public void testAddIpPermissionWithCidrExclusionGroup() { + skipIfSecurityGroupsNotSupported(); + + ComputeService computeService = view.getComputeService(); + + Optional securityGroupExtension = computeService.getSecurityGroupExtension(); + assertTrue(securityGroupExtension.isPresent(), "security group extension was not present"); + if (!securityGroupExtension.get().supportsExclusionCidrBlocks()) { + throw new SkipException("Test cannot run without CIDR exclusion groups available."); + } + + Optional optGroup = getGroup(securityGroupExtension.get()); + assertTrue(optGroup.isPresent()); + SecurityGroup group = optGroup.get(); + + IpPermission cidrExclusionPermission = createCidrExclusionPermission(); + Set expectedPermissions = ImmutableSet.of(cidrExclusionPermission); + + SecurityGroup securityGriupWithExclusion = securityGroupExtension.get().addIpPermission(cidrExclusionPermission, group); + + assertTrue(securityGriupWithExclusion.getIpPermissions().containsAll(expectedPermissions)); + } + + @Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionWithCidrExclusionGroup") + public void testRemoveIpPermissionWithCidrExclusionGroup() { + skipIfSecurityGroupsNotSupported(); + + ComputeService computeService = view.getComputeService(); + + Optional securityGroupExtension = computeService.getSecurityGroupExtension(); + assertTrue(securityGroupExtension.isPresent(), "security group extension was not present"); + if (!securityGroupExtension.get().supportsExclusionCidrBlocks()) { + throw new SkipException("Test cannot run without CIDR exclusion groups available."); + } + + Optional optGroup = getGroup(securityGroupExtension.get()); + assertTrue(optGroup.isPresent()); + SecurityGroup group = 
optGroup.get(); + + IpPermission cidrExclusionPermission = createCidrExclusionPermission(); + + SecurityGroup emptyGroup = securityGroupExtension.get().removeIpPermission(cidrExclusionPermission, group); + + assertFalse(emptyGroup.getIpPermissions().contains(cidrExclusionPermission)); + } + // testDeleteSecurityGroup currently disabled until I can find a way to get it to delete the security group while a terminated // instance is still floating around in EC2. - abayer, 6/14/13 - @Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testAddIpPermissionsFromSpec") + @Test(groups = { "integration", "live" }, singleThreaded = true, dependsOnMethods = "testRemoveIpPermissionWithCidrExclusionGroup", alwaysRun = true) public void testDeleteSecurityGroup() { skipIfSecurityGroupsNotSupported(); @@ -329,7 +378,7 @@ public abstract class BaseSecurityGroupExtensionLiveTest extends BaseComputeServ SecurityGroup group = optGroup.get(); assertTrue(securityGroupExtension.get().removeSecurityGroup(group.getId())); } - + private Multimap emptyMultimap() { return LinkedHashMultimap.create(); } @@ -358,6 +407,17 @@ public abstract class BaseSecurityGroupExtensionLiveTest extends BaseComputeServ return builder.build(); } + private IpPermission createCidrExclusionPermission() { + IpPermission.Builder builder = IpPermission.builder(); + + builder.ipProtocol(IpProtocol.TCP); + builder.fromPort(10); + builder.toPort(20); + builder.exclusionCidrBlock("10.0.0.0/8"); + + return builder.build(); + } + private IpPermission createSinglePortPermission() { IpPermission.Builder builder = IpPermission.builder(); diff --git a/compute/src/test/java/org/jclouds/net/util/IpPermissionsTest.java b/compute/src/test/java/org/jclouds/net/util/IpPermissionsTest.java index 5d05a2891e..4c6ad3d4be 100644 --- a/compute/src/test/java/org/jclouds/net/util/IpPermissionsTest.java +++ b/compute/src/test/java/org/jclouds/net/util/IpPermissionsTest.java 
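Review bot: The local `securityGriupWithExclusion` in `testAddIpPermissionWithCidrExclusionGroup` is misspelled; `securityGroupWithExclusion` reads better and matches the naming used elsewhere in the class. Otherwise the pair of add/remove tests and the `alwaysRun = true` on `testDeleteSecurityGroup` look correct; since no shipped provider reports support, these live tests will only ever run against the stub until one does, which is worth noting in a comment above `createCidrExclusionPermission`. The enclosing class continues outside the hunk.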
@@ -42,6 +42,13 @@ public class IpPermissionsTest { .cidrBlock("a.0.0.0/0").build()); } + @Test(expectedExceptions = IllegalArgumentException.class) + public void testAllProtocolInvalidExclusionCidr() { + IpPermissions authorization = IpPermissions.permitAnyProtocol(); + assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.ALL).fromPort(1).toPort(65535) + .exclusionCidrBlock("a.0.0.0/0").build()); + } + @Test(expectedExceptions = IllegalArgumentException.class) public void testAllProtocolInvalidCidrMultiple() { IpPermissions authorization = IpPermissions.permitAnyProtocol(); 
@@ -49,24 +56,49 @@ public class IpPermissionsTest { .cidrBlocks(ImmutableSet.of("a.0.0.0/0", "0.0.0.0/0")).build()); } + @Test(expectedExceptions = IllegalArgumentException.class) + public void testAllProtocolInvalidExclusionCidrMultiple() { + IpPermissions authorization = IpPermissions.permitAnyProtocol(); + assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.ALL).fromPort(1).toPort(65535) + .exclusionCidrBlocks(ImmutableSet.of("a.0.0.0/0", "0.0.0.0/0")).build()); + } + public void testAllProtocolCidrBound() { IpPermissions authorization = IpPermissions.permit(IpProtocol.ALL).originatingFromCidrBlock("1.1.1.1/32"); assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.ALL).fromPort(1).toPort(65535) .cidrBlock("1.1.1.1/32").build()); } + public void testAllProtocolExclusionCidrBound() { + IpPermissions authorization = IpPermissions.permit(IpProtocol.ALL).exceptOriginatingFromCidrBlock("1.1.1.1/32"); + assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.ALL).fromPort(1).toPort(65535) + .exclusionCidrBlock("1.1.1.1/32").build()); + } + public void testJustProtocolAndCidr() { IpPermissions authorization = IpPermissions.permit(IpProtocol.TCP).originatingFromCidrBlock("1.1.1.1/32"); assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.TCP).fromPort(1).toPort(65535) .cidrBlock("1.1.1.1/32").build()); } + public void testJustProtocolAndExcludedCidr() { + IpPermissions authorization = IpPermissions.permit(IpProtocol.TCP).exceptOriginatingFromCidrBlock("1.1.1.1/32"); + assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.TCP).fromPort(1).toPort(65535) + .exclusionCidrBlock("1.1.1.1/32").build()); + } + public void testAnyProtocol() { IpPermissions authorization = IpPermissions.permitAnyProtocol().originatingFromCidrBlock("1.1.1.1/32"); assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.ALL).fromPort(1).toPort(65535) .cidrBlock("1.1.1.1/32").build()); } 
+ public void testAnyProtocolWithExcludedCidr() { + IpPermissions authorization = IpPermissions.permitAnyProtocol().exceptOriginatingFromCidrBlock("1.1.1.1/32"); + assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.ALL).fromPort(1).toPort(65535) + .exclusionCidrBlock("1.1.1.1/32").build()); + } + public void testMultipleCidrs() { IpPermissions authorization = IpPermissions.permit(IpProtocol.TCP).originatingFromCidrBlocks( ImmutableSet.of("1.1.1.1/32", "1.1.1.2/32")); @@ -74,6 +106,13 @@ public class IpPermissionsTest { .cidrBlocks(ImmutableSet.of("1.1.1.1/32", "1.1.1.2/32")).build()); } + public void testMultipleCidrsExclusions() { + IpPermissions authorization = IpPermissions.permit(IpProtocol.TCP).exceptOriginatingFromCidrBlocks( + ImmutableSet.of("1.1.1.1/32", "1.1.1.2/32")); + assertEquals(authorization, IpPermission.builder().ipProtocol(IpProtocol.TCP).fromPort(1).toPort(65535) + .exclusionCidrBlocks(ImmutableSet.of("1.1.1.1/32", "1.1.1.2/32")).build()); + } + public void testProtocolFromAndToPortAndGroupIds() { IpPermissions authorization = IpPermissions.permit(IpProtocol.UDP).fromPort(11).to(53) .originatingFromSecurityGroupId("groupId");
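Review bot: The new tests only exercise exclusions on permissions with no positive CIDR source, so the two behaviours most likely to surprise a caller are untested: a builder permission that sets both `cidrBlocks` and `exclusionCidrBlocks` (no test pins what `equals` or the accessors return), and the `IpPermissions` constructor dropping the exclusion set when tenant/group pairs are present. One case such as `assertTrue(IpPermissions.permit(IpProtocol.TCP).exceptOriginatingFromCidrBlock("1.1.1.1/32").toTenantsGroupsNamed(pairs).getExclusionCidrBlocks().isEmpty());` would lock the second behaviour down. The `assertEquals` calls inside the two `expectedExceptions` tests are unreachable once the builder throws; a bare `IpPermission.builder()...build();` statement would make the intent clearer.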