/**
 * Collects the ids of every VM that belongs to a security group owning one of the
 * given ingress rules. Groups are deduplicated first so each group's membership is
 * queried once; the returned list may still hold the same VM id more than once when
 * that VM is a member of several of the affected groups.
 *
 * @param allowingRules ingress rules whose owning groups are to be resolved to VM ids
 * @return VM ids of all members of the groups owning {@code allowingRules}; empty when
 *         there are no rules or no members
 */
protected List<Long> getAffectedVmsForIngressRules(List<IngressRuleVO> allowingRules) {
    // Distinct owning groups of the supplied rules.
    Set<Long> owningGroupIds = new HashSet<Long>();
    for (IngressRuleVO rule : allowingRules) {
        owningGroupIds.add(rule.getSecurityGroupId());
    }
    // Expand each group into its member VM ids.
    List<Long> memberVmIds = new ArrayList<Long>();
    for (Long groupId : owningGroupIds) {
        List<Long> members = _securityGroupVMMapDao.listVmIdsBySecurityGroup(groupId);
        memberVmIds.addAll(members);
    }
    return memberVmIds;
}
/**
 * Revokes (deletes) the single ingress rule identified by {@code cmd.getId()} and
 * schedules a ruleset refresh for every VM in the security group that owns the rule.
 *
 * The caller's access to the owning security group is checked before any state is
 * changed; the group row is then held in the lock table while the rule is removed.
 *
 * @param cmd command carrying the id of the ingress rule to revoke
 * @return {@code true} when the rule was removed and the host update scheduled;
 *         {@code false} when the lock on the owning security group could not be acquired
 * @throws InvalidParameterValueException if no ingress rule exists with the given id
 * @throws CloudRuntimeException wrapping any exception raised while removing the rule
 */
@Override
@DB
public boolean revokeSecurityGroupIngress(RevokeSecurityGroupIngressCmd cmd) {
    // input validation
    Account caller = UserContext.current().getCaller();
    Long id = cmd.getId();
    IngressRuleVO rule = _ingressRuleDao.findById(id);
    if (rule == null) {
        s_logger.debug("Unable to find ingress rule with id " + id);
        throw new InvalidParameterValueException("Unable to find ingress rule with id " + id);
    }
    // Check permissions: the caller must be entitled to act on the group owning this rule.
    // This runs before the transaction starts, so an unauthorized caller changes nothing.
    SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId());
    _accountMgr.checkAccess(caller, null, securityGroup);
    SecurityGroupVO groupHandle = null;
    final Transaction txn = Transaction.currentTxn();
    try {
        txn.start();
        // acquire lock on parent group (preserving this logic)
        groupHandle = _securityGroupDao.acquireInLockTable(rule.getSecurityGroupId());
        if (groupHandle == null) {
            // Lock contention is reported, not treated as an error; the finally block still commits.
            s_logger.warn("Could not acquire lock on security group id: " + rule.getSecurityGroupId());
            return false;
        }
        _ingressRuleDao.remove(id);
        s_logger.debug("revokeSecurityGroupIngress succeeded for ingress rule id: " + id);
        // Only the members of the rule's own group carried this rule in their ruleset,
        // so they are the VMs whose hosts need the refreshed rules.
        final ArrayList<Long> affectedVms = new ArrayList<Long>();
        affectedVms.addAll(_securityGroupVMMapDao.listVmIdsBySecurityGroup(groupHandle.getId()));
        scheduleRulesetUpdateToHosts(affectedVms, true, null);
        return true;
    } catch (Exception e) {
        s_logger.warn("Exception caught when deleting ingress rules ", e);
        throw new CloudRuntimeException("Exception caught when deleting ingress rules", e);
    } finally {
        // Release the group lock before committing so other callers are not blocked
        // on the commit.
        if (groupHandle != null) {
            _securityGroupDao.releaseFromLockTable(groupHandle.getId());
        }
        // NOTE(review): commit() runs on every path, including after the catch above
        // rethrows; whether Transaction.commit() rolls back a unit of work that failed
        // is not visible from this method — confirm, otherwise a partially applied
        // delete could be committed.
        txn.commit();
    }
}
/**
 * Builds the effective ingress ruleset for one VM: for every security group the VM
 * belongs to, each ingress rule contributes either the /32 addresses of the running
 * members of its allowed group or its literal source CIDR, keyed by protocol and port
 * range. Entries whose source set would be empty are omitted.
 *
 * @param userVmId id of the VM whose ruleset is being generated
 * @return map from port/protocol key to the sorted set of allowed source CIDRs; empty
 *         when the VM has no groups or no rule yields a source
 */
protected Map<PortAndProto, Set<String>> generateRulesForVM(Long userVmId) {
    Map<PortAndProto, Set<String>> allowed = new TreeMap<PortAndProto, Set<String>>();
    List<SecurityGroupVMMapVO> memberships = _securityGroupVMMapDao.listByInstanceId(userVmId);
    for (SecurityGroupVMMapVO membership : memberships) {
        List<IngressRuleVO> groupRules = _ingressRuleDao.listBySecurityGroupId(membership.getSecurityGroupId());
        for (IngressRuleVO rule : groupRules) {
            PortAndProto key = new PortAndProto(rule.getProtocol(), rule.getStartPort(), rule.getEndPort());
            // Reuse the set already collected for this key, if any, so rules from several
            // groups that share a port/protocol merge into one entry.
            Set<String> sources = allowed.get(key);
            if (sources == null) {
                sources = new TreeSet<String>(new CidrComparator());
            }
            if (rule.getAllowedNetworkId() != null) {
                // Group-to-group rule: allow the default-NIC address of every running member
                // of the referenced group. Appending "/32" assumes an IPv4 address here.
                List<SecurityGroupVMMapVO> allowedMembers =
                        _securityGroupVMMapDao.listBySecurityGroup(rule.getAllowedNetworkId(), State.Running);
                for (SecurityGroupVMMapVO allowedMember : allowedMembers) {
                    Nic nic = _networkMgr.getDefaultNic(allowedMember.getInstanceId());
                    if (nic == null) {
                        continue;
                    }
                    sources.add(nic.getIp4Address() + "/32");
                }
            } else if (rule.getAllowedSourceIpCidr() != null) {
                // CIDR rule: the literal source network is allowed.
                sources.add(rule.getAllowedSourceIpCidr());
            }
            // A rule that produced no sources leaves no entry behind.
            if (!sources.isEmpty()) {
                allowed.put(key, sources);
            }
        }
    }
    return allowed;
}