from ansible.modules.cloud.amazon import ec2_group as group_module


def test_from_permission():
    """Check that rule_from_group_permission expands an EC2 IpPermission into Rule objects.

    Three shapes of the AWS ``IpPermissions`` structure are exercised: a
    TCP/80 rule with one described IPv4 range and one IPv6 range, a
    protocol ``-1`` rule with no port keys at all, and a rule whose only
    target is a prefix list.
    """
    # One IPv4 range plus one IPv6 range -> two Rule objects, IPv4 first.
    ipv4_and_ipv6 = {
        u'FromPort': 80,
        u'IpProtocol': 'tcp',
        u'IpRanges': [
            {
                u'CidrIp': '10.0.0.0/8',
                u'Description': 'Foo Bar Baz'
            },
        ],
        u'Ipv6Ranges': [
            {u'CidrIpv6': 'fe80::94cc:8aff:fef6:9cc/64'},
        ],
        u'PrefixListIds': [],
        u'ToPort': 80,
        u'UserIdGroupPairs': [],
    }
    rules = list(group_module.rule_from_group_permission(ipv4_and_ipv6))
    assert len(rules) == 2
    v4_rule, v6_rule = rules
    assert (v4_rule.target, v4_rule.target_type) == ('10.0.0.0/8', 'ipv4')
    # The per-range Description travels with the rule it belongs to.
    assert v4_rule.description == 'Foo Bar Baz'
    assert v6_rule.target == 'fe80::94cc:8aff:fef6:9cc/64'

    # Protocol -1 carries no FromPort/ToPort keys; the Rule reports (None, None).
    any_protocol_egress = {
        'IpProtocol': '-1',
        'IpRanges': [{'CidrIp': '0.0.0.0/0'}],
        'Ipv6Ranges': [],
        'PrefixListIds': [],
        'UserIdGroupPairs': []
    }
    rules = list(group_module.rule_from_group_permission(any_protocol_egress))
    assert len(rules) == 1
    only_rule = rules[0]
    assert only_rule.target == '0.0.0.0/0'
    assert only_rule.port_range == (None, None)

    # A permission with only PrefixListIds (no IpRanges/Ipv6Ranges keys at all).
    prefix_list_only = {
        u'FromPort': 80,
        u'IpProtocol': 'tcp',
        u'PrefixListIds': [
            {'PrefixListId': 'p-1234'}
        ],
        u'ToPort': 80,
        u'UserIdGroupPairs': [],
    }
    rules = list(group_module.rule_from_group_permission(prefix_list_only))
    assert len(rules) == 1
    assert rules[0].target == 'p-1234'


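def test_rule_to_permission():
    """Check that to_permission maps a Rule's port range and protocol onto the AWS dict.

    One Rule per target type (group, ipv4, ip_prefix, ipv6) is converted and
    the resulting permission's ``FromPort``/``ToPort`` pair and ``IpProtocol``
    are compared against the Rule they came from.
    """
    rules = [
        group_module.Rule((22, 22), 'udp', 'sg-1234567890', 'group', None),
        group_module.Rule((1, 65535), 'tcp', '0.0.0.0/0', 'ipv4', "All TCP from everywhere"),
        group_module.Rule((443, 443), 'tcp', 'ip-123456', 'ip_prefix', "Traffic to privatelink IPs"),
        # NOTE(review): 'feed:dead:::beef/64' is not a syntactically valid IPv6
        # CIDR (three consecutive colons); nothing here asserts that
        # to_permission validates the target, only that ports/protocol round-trip.
        group_module.Rule((443, 443), 'tcp', 'feed:dead:::beef/64', 'ipv6', None),
    ]
    for rule in rules:
        perm = group_module.to_permission(rule)
        # The tuple must be parenthesised. Written as ``assert a, b == c`` the
        # statement parses as ``assert a, (b == c)``: the comparison becomes the
        # failure message and only FromPort's truthiness is ever checked, so a
        # wrong ToPort in a generated security-group rule would pass unnoticed.
        assert (perm['FromPort'], perm['ToPort']) == rule.port_range
        assert perm['IpProtocol'] == rule.protocol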


def test_validate_ip():
    """Check that validate_ip normalises IPv4 CIDRs and leaves IPv6 CIDRs unchanged.

    IPv4 host addresses with a prefix length are rewritten to the network
    address of that prefix; an IPv6 /128 is returned verbatim.
    """
    class _SilentWarner(object):
        # validate_ip is handed an object exposing warn(msg); this stand-in
        # simply discards whatever it is told.
        def warn(self, msg):
            return

    expected_by_input = {
        '1.1.1.1/24': '1.1.1.0/24',
        '192.168.56.101/16': '192.168.0.0/16',
        # Don't modify IPv6 CIDRs, AWS supports /128 and device ranges
        '1203:8fe0:fe80:b897:8990:8a7c:99bf:323d/128': '1203:8fe0:fe80:b897:8990:8a7c:99bf:323d/128',
    }

    warner = _SilentWarner()
    for cidr, normalised in expected_by_input.items():
        assert group_module.validate_ip(warner, cidr) == normalised