moto/tests/test_ec2/test_security_groups.py

import boto
from boto.exception import EC2ResponseError
import sure  # noqa
from nose.tools import assert_raises

from moto import mock_ec2


@mock_ec2
def test_create_and_describe_security_group():
    conn = boto.connect_ec2('the_key', 'the_secret')
    security_group = conn.create_security_group('test security group', 'this is a test security group')

    security_group.name.should.equal('test security group')
    security_group.description.should.equal('this is a test security group')

    # Trying to create another group with the same name should throw an error
    with assert_raises(EC2ResponseError) as cm:
        conn.create_security_group('test security group', 'this is a test security group')
    cm.exception.code.should.equal('InvalidGroup.Duplicate')
    cm.exception.status.should.equal(400)
    cm.exception.request_id.should_not.be.none

    all_groups = conn.get_all_security_groups()
    all_groups.should.have.length_of(1)
    all_groups[0].name.should.equal('test security group')


@mock_ec2
def test_create_security_group_without_description_raises_error():
    conn = boto.connect_ec2('the_key', 'the_secret')

    with assert_raises(EC2ResponseError) as cm:
        conn.create_security_group('test security group', '')
    cm.exception.code.should.equal('MissingParameter')
    cm.exception.status.should.equal(400)
    cm.exception.request_id.should_not.be.none


@mock_ec2
def test_create_and_describe_vpc_security_group():
    conn = boto.connect_ec2('the_key', 'the_secret')
    vpc_id = 'vpc-5300000c'
    security_group = conn.create_security_group('test security group', 'this is a test security group', vpc_id=vpc_id)

    security_group.vpc_id.should.equal(vpc_id)

    security_group.name.should.equal('test security group')
    security_group.description.should.equal('this is a test security group')

    # Trying to create another group with the same name in the same VPC should throw an error
    with assert_raises(EC2ResponseError) as cm:
        conn.create_security_group('test security group', 'this is a test security group', vpc_id)
    cm.exception.code.should.equal('InvalidGroup.Duplicate')
    cm.exception.status.should.equal(400)
    cm.exception.request_id.should_not.be.none

    all_groups = conn.get_all_security_groups()

    all_groups[0].vpc_id.should.equal(vpc_id)

    all_groups.should.have.length_of(1)
    all_groups[0].name.should.equal('test security group')


@mock_ec2
def test_create_two_security_groups_with_same_name_in_different_vpc():
    conn = boto.connect_ec2('the_key', 'the_secret')
    vpc_id = 'vpc-5300000c'
    vpc_id2 = 'vpc-5300000d'

    conn.create_security_group('test security group', 'this is a test security group', vpc_id)
    conn.create_security_group('test security group', 'this is a test security group', vpc_id2)

    all_groups = conn.get_all_security_groups()

    all_groups.should.have.length_of(2)
    all_groups[0].name.should.equal('test security group')
    all_groups[1].name.should.equal('test security group')


@mock_ec2
def test_deleting_security_groups():
    conn = boto.connect_ec2('the_key', 'the_secret')
    security_group1 = conn.create_security_group('test1', 'test1')
    conn.create_security_group('test2', 'test2')

    conn.get_all_security_groups().should.have.length_of(2)

    # Deleting a group that doesn't exist should throw an error
    with assert_raises(EC2ResponseError) as cm:
        conn.delete_security_group('foobar')
    cm.exception.code.should.equal('InvalidGroup.NotFound')
    cm.exception.status.should.equal(400)
    cm.exception.request_id.should_not.be.none

    # Delete by name
    conn.delete_security_group('test2')
    conn.get_all_security_groups().should.have.length_of(1)

    # Delete by group id
    conn.delete_security_group(group_id=security_group1.id)
    conn.get_all_security_groups().should.have.length_of(0)


@mock_ec2
def test_delete_security_group_in_vpc():
    conn = boto.connect_ec2('the_key', 'the_secret')
    vpc_id = "vpc-12345"
    security_group1 = conn.create_security_group('test1', 'test1', vpc_id)

    # this should not throw an exception
    conn.delete_security_group(group_id=security_group1.id)


@mock_ec2
def test_authorize_ip_range_and_revoke():
    conn = boto.connect_ec2('the_key', 'the_secret')
    security_group = conn.create_security_group('test', 'test')

    success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32")
    assert success.should.be.true

    security_group = conn.get_all_security_groups()[0]
    int(security_group.rules[0].to_port).should.equal(2222)
    security_group.rules[0].grants[0].cidr_ip.should.equal("123.123.123.123/32")

    # Wrong Cidr should throw error
    with assert_raises(EC2ResponseError) as cm:
        security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.122/32")
    cm.exception.code.should.equal('InvalidPermission.NotFound')
    cm.exception.status.should.equal(400)
    cm.exception.request_id.should_not.be.none

    # Actually revoke
    security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32")

    security_group = conn.get_all_security_groups()[0]
    security_group.rules.should.have.length_of(0)


@mock_ec2
def test_authorize_other_group_and_revoke():
    conn = boto.connect_ec2('the_key', 'the_secret')
    security_group = conn.create_security_group('test', 'test')
    other_security_group = conn.create_security_group('other', 'other')
    wrong_group = conn.create_security_group('wrong', 'wrong')

    success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)
    assert success.should.be.true

    security_group = [group for group in conn.get_all_security_groups() if group.name == 'test'][0]
    int(security_group.rules[0].to_port).should.equal(2222)
    security_group.rules[0].grants[0].group_id.should.equal(other_security_group.id)

    # Wrong source group should throw error
    with assert_raises(EC2ResponseError) as cm:
        security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", src_group=wrong_group)
    cm.exception.code.should.equal('InvalidPermission.NotFound')
    cm.exception.status.should.equal(400)
    cm.exception.request_id.should_not.be.none

    # Actually revoke
    security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)

    security_group = [group for group in conn.get_all_security_groups() if group.name == 'test'][0]
    security_group.rules.should.have.length_of(0)


@mock_ec2
def test_authorize_group_in_vpc():
    conn = boto.connect_ec2('the_key', 'the_secret')
    vpc_id = "vpc-12345"

    # create 2 groups in a vpc
    security_group = conn.create_security_group('test1', 'test1', vpc_id)
    other_security_group = conn.create_security_group('test2', 'test2', vpc_id)

    success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)
    success.should.be.true

    # Check that the rule is accurate
    security_group = [group for group in conn.get_all_security_groups() if group.name == 'test1'][0]
    int(security_group.rules[0].to_port).should.equal(2222)
    security_group.rules[0].grants[0].group_id.should.equal(other_security_group.id)

    # Now revome the rule
    success = security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)
    success.should.be.true

    # And check that it gets revoked
    security_group = [group for group in conn.get_all_security_groups() if group.name == 'test1'][0]
    security_group.rules.should.have.length_of(0)
adding ec2 stubs 2013-02-22 04:13:01 +00:00			`import boto`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00			`from boto.exception import EC2ResponseError`
Cleanup flake8 2013-08-03 21:21:25 +00:00			`import sure # noqa`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00			`from nose.tools import assert_raises`
adding ec2 stubs 2013-02-22 04:13:01 +00:00
			`from moto import mock_ec2`


			`@mock_ec2`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00			`def test_create_and_describe_security_group():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`security_group = conn.create_security_group('test security group', 'this is a test security group')`

pep8 2013-03-05 13:35:18 +00:00			`security_group.name.should.equal('test security group')`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00			`security_group.description.should.equal('this is a test security group')`

			`# Trying to create another group with the same name should throw an error`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00			`with assert_raises(EC2ResponseError) as cm:`
			`conn.create_security_group('test security group', 'this is a test security group')`
			`cm.exception.code.should.equal('InvalidGroup.Duplicate')`
			`cm.exception.status.should.equal(400)`
			`cm.exception.request_id.should_not.be.none`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00
			`all_groups = conn.get_all_security_groups()`
			`all_groups.should.have.length_of(1)`
			`all_groups[0].name.should.equal('test security group')`

test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00
Require a GroupDescription for security group creation. Closes #112. 2014-05-11 21:37:00 +00:00			`@mock_ec2`
			`def test_create_security_group_without_description_raises_error():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00
			`with assert_raises(EC2ResponseError) as cm:`
			`conn.create_security_group('test security group', '')`
			`cm.exception.code.should.equal('MissingParameter')`
			`cm.exception.status.should.equal(400)`
			`cm.exception.request_id.should_not.be.none`
Require a GroupDescription for security group creation. Closes #112. 2014-05-11 21:37:00 +00:00

added new vpc security group test. failing 2013-10-31 00:55:13 +00:00			`@mock_ec2`
			`def test_create_and_describe_vpc_security_group():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`vpc_id = 'vpc-5300000c'`
missed a commit 2013-12-06 01:56:46 +00:00			`security_group = conn.create_security_group('test security group', 'this is a test security group', vpc_id=vpc_id)`
added new vpc security group test. failing 2013-10-31 00:55:13 +00:00
			`security_group.vpc_id.should.equal(vpc_id)`

			`security_group.name.should.equal('test security group')`
			`security_group.description.should.equal('this is a test security group')`

reworked internals, groups is now a dict of dicts. need to fix errors coming back from revoking and deleting groups 2013-10-31 03:11:15 +00:00			`# Trying to create another group with the same name in the same VPC should throw an error`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00			`with assert_raises(EC2ResponseError) as cm:`
			`conn.create_security_group('test security group', 'this is a test security group', vpc_id)`
			`cm.exception.code.should.equal('InvalidGroup.Duplicate')`
			`cm.exception.status.should.equal(400)`
			`cm.exception.request_id.should_not.be.none`
added new vpc security group test. failing 2013-10-31 00:55:13 +00:00
			`all_groups = conn.get_all_security_groups()`

			`all_groups[0].vpc_id.should.equal(vpc_id)`

			`all_groups.should.have.length_of(1)`
			`all_groups[0].name.should.equal('test security group')`

Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00
reworked internals, groups is now a dict of dicts. need to fix errors coming back from revoking and deleting groups 2013-10-31 03:11:15 +00:00			`@mock_ec2`
			`def test_create_two_security_groups_with_same_name_in_different_vpc():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`vpc_id = 'vpc-5300000c'`
			`vpc_id2 = 'vpc-5300000d'`

Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00			`conn.create_security_group('test security group', 'this is a test security group', vpc_id)`
			`conn.create_security_group('test security group', 'this is a test security group', vpc_id2)`
reworked internals, groups is now a dict of dicts. need to fix errors coming back from revoking and deleting groups 2013-10-31 03:11:15 +00:00
			`all_groups = conn.get_all_security_groups()`

			`all_groups.should.have.length_of(2)`
			`all_groups[0].name.should.equal('test security group')`
			`all_groups[1].name.should.equal('test security group')`

add, delete, describe security groups 2013-02-23 20:26:54 +00:00
			`@mock_ec2`
			`def test_deleting_security_groups():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`security_group1 = conn.create_security_group('test1', 'test1')`
pep8 2013-02-26 05:31:01 +00:00			`conn.create_security_group('test2', 'test2')`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00
			`conn.get_all_security_groups().should.have.length_of(2)`

			`# Deleting a group that doesn't exist should throw an error`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00			`with assert_raises(EC2ResponseError) as cm:`
			`conn.delete_security_group('foobar')`
			`cm.exception.code.should.equal('InvalidGroup.NotFound')`
			`cm.exception.status.should.equal(400)`
			`cm.exception.request_id.should_not.be.none`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00
			`# Delete by name`
			`conn.delete_security_group('test2')`
			`conn.get_all_security_groups().should.have.length_of(1)`

			`# Delete by group id`
updated SC methods to work with a group_id, which must be used if it's a group in a VPC 2013-12-06 22:34:13 +00:00			`conn.delete_security_group(group_id=security_group1.id)`
add, delete, describe security groups 2013-02-23 20:26:54 +00:00			`conn.get_all_security_groups().should.have.length_of(0)`
add security group ingress rules 2013-02-23 21:27:43 +00:00
Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00
security group deletion 2013-12-06 01:00:35 +00:00			`@mock_ec2`
			`def test_delete_security_group_in_vpc():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`vpc_id = "vpc-12345"`
			`security_group1 = conn.create_security_group('test1', 'test1', vpc_id)`

missed a commit 2013-12-06 01:56:46 +00:00			`# this should not throw an exception`
updated SC methods to work with a group_id, which must be used if it's a group in a VPC 2013-12-06 22:34:13 +00:00			`conn.delete_security_group(group_id=security_group1.id)`
security group deletion 2013-12-06 01:00:35 +00:00
add security group ingress rules 2013-02-23 21:27:43 +00:00
			`@mock_ec2`
			`def test_authorize_ip_range_and_revoke():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`security_group = conn.create_security_group('test', 'test')`

			`success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32")`
			`assert success.should.be.true`

			`security_group = conn.get_all_security_groups()[0]`
			`int(security_group.rules[0].to_port).should.equal(2222)`
			`security_group.rules[0].grants[0].cidr_ip.should.equal("123.123.123.123/32")`

			`# Wrong Cidr should throw error`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00			`with assert_raises(EC2ResponseError) as cm:`
			`security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.122/32")`
			`cm.exception.code.should.equal('InvalidPermission.NotFound')`
			`cm.exception.status.should.equal(400)`
			`cm.exception.request_id.should_not.be.none`
add security group ingress rules 2013-02-23 21:27:43 +00:00
			`# Actually revoke`
			`security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", cidr_ip="123.123.123.123/32")`

			`security_group = conn.get_all_security_groups()[0]`
			`security_group.rules.should.have.length_of(0)`

pep8 2013-02-26 05:31:01 +00:00
add security group ingress rules 2013-02-23 21:27:43 +00:00			`@mock_ec2`
			`def test_authorize_other_group_and_revoke():`
			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`security_group = conn.create_security_group('test', 'test')`
			`other_security_group = conn.create_security_group('other', 'other')`
			`wrong_group = conn.create_security_group('wrong', 'wrong')`

			`success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)`
			`assert success.should.be.true`

			`security_group = [group for group in conn.get_all_security_groups() if group.name == 'test'][0]`
			`int(security_group.rules[0].to_port).should.equal(2222)`
			`security_group.rules[0].grants[0].group_id.should.equal(other_security_group.id)`

			`# Wrong source group should throw error`
Error handling: Model-level validations, proper error responses. 2014-08-25 17:54:47 +00:00			`with assert_raises(EC2ResponseError) as cm:`
			`security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", src_group=wrong_group)`
			`cm.exception.code.should.equal('InvalidPermission.NotFound')`
			`cm.exception.status.should.equal(400)`
			`cm.exception.request_id.should_not.be.none`
add security group ingress rules 2013-02-23 21:27:43 +00:00
			`# Actually revoke`
			`security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)`

			`security_group = [group for group in conn.get_all_security_groups() if group.name == 'test'][0]`
			`security_group.rules.should.have.length_of(0)`
test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00
Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00
test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00			`@mock_ec2`
We're getting back the correct group from get_security_group_from_id, but hitting another issue with the source_group_name also using an id rather than a name 2014-03-21 00:26:08 +00:00			`def test_authorize_group_in_vpc():`
test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00			`conn = boto.connect_ec2('the_key', 'the_secret')`
			`vpc_id = "vpc-12345"`

			`# create 2 groups in a vpc`
Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00			`security_group = conn.create_security_group('test1', 'test1', vpc_id)`
			`other_security_group = conn.create_security_group('test2', 'test2', vpc_id)`
test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00
Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00			`success = security_group.authorize(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)`
removed unnecessary itertools chain. added success test case around authorize & revoke 2014-03-21 20:31:00 +00:00			`success.should.be.true`
test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00
Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00			`# Check that the rule is accurate`
			`security_group = [group for group in conn.get_all_security_groups() if group.name == 'test1'][0]`
			`int(security_group.rules[0].to_port).should.equal(2222)`
			`security_group.rules[0].grants[0].group_id.should.equal(other_security_group.id)`
test which verifies authorizing rules within a VPC is broken see issue #108 2014-03-20 23:22:37 +00:00
Extend security group testing for VPC. 2014-05-11 21:13:48 +00:00			`# Now revome the rule`
			`success = security_group.revoke(ip_protocol="tcp", from_port="22", to_port="2222", src_group=other_security_group)`
			`success.should.be.true`

			`# And check that it gets revoked`
			`security_group = [group for group in conn.get_all_security_groups() if group.name == 'test1'][0]`
			`security_group.rules.should.have.length_of(0)`