// ClosePorts sends a request to the GCE API to close the provided port
// ranges on the named firewall. If the firewall does not exist nothing
// happens. If the firewall is left with no ports then it is removed.
// Otherwise it will be left with just the open ports it has that do not
// match the provided port ranges. The call blocks until the ports are
// closed or the request fails.
func (gce Connection) ClosePorts(fwname string, ports ...network.PortRange) error {
// Compose the full set of open ports.
currentPorts, err := gce.Ports(fwname)
if err != nil {
return errors.Trace(err)
}
inputPortsSet := network.NewPortSet(ports...)
if inputPortsSet.IsEmpty() {
return nil
}
currentPortsSet := network.NewPortSet(currentPorts...)
newPortsSet := currentPortsSet.Difference(inputPortsSet)
// Send the request, depending on the current ports.
if newPortsSet.IsEmpty() {
// Delete a firewall.
// TODO(ericsnow) Handle case where firewall does not exist.
if err := gce.raw.RemoveFirewall(gce.projectID, fwname); err != nil {
return errors.Annotatef(err, "closing port(s) %+v", ports)
}
return nil
}
// Update an existing firewall.
firewall := firewallSpec(fwname, newPortsSet)
if err := gce.raw.UpdateFirewall(gce.projectID, fwname, firewall); err != nil {
return errors.Annotatef(err, "closing port(s) %+v", ports)
}
return nil
}
// OpenPorts sends a request to the GCE API to open the provided port
// ranges on the named firewall. If the firewall does not exist yet it
// is created, with the provided port ranges opened. Otherwise the
// existing firewall is updated to add the provided port ranges to the
// ports it already has open. The call blocks until the ports are
// opened or the request fails.
func (gce Connection) OpenPorts(fwname string, ports ...network.PortRange) error {
// TODO(ericsnow) Short-circuit if ports is empty.
// Compose the full set of open ports.
currentPorts, err := gce.Ports(fwname)
if err != nil {
return errors.Trace(err)
}
inputPortsSet := network.NewPortSet(ports...)
if inputPortsSet.IsEmpty() {
return nil
}
currentPortsSet := network.NewPortSet(currentPorts...)
// Send the request, depending on the current ports.
if currentPortsSet.IsEmpty() {
// Create a new firewall.
firewall := firewallSpec(fwname, inputPortsSet)
if err := gce.raw.AddFirewall(gce.projectID, firewall); err != nil {
return errors.Annotatef(err, "opening port(s) %+v", ports)
}
return nil
}
// Update an existing firewall.
newPortsSet := currentPortsSet.Union(inputPortsSet)
firewall := firewallSpec(fwname, newPortsSet)
if err := gce.raw.UpdateFirewall(gce.projectID, fwname, firewall); err != nil {
return errors.Annotatef(err, "opening port(s) %+v", ports)
}
return nil
}
func (s *PortSetSuite) TestPortSetUnion(c *gc.C) {
portSet1 := network.NewPortSet(s.portRange2)
portSet2 := network.NewPortSet(s.portRange3)
result := portSet1.Union(portSet2)
s.checkPortSetTCP(c, result, 79, 80, 81)
}
func (s *PortSetSuite) TestPortSetIntersection(c *gc.C) {
s.portRange2.ToPort = 83
portSet1 := network.NewPortSet(s.portRange2)
portSet2 := network.NewPortSet(s.portRange3)
result := portSet1.Intersection(portSet2)
s.checkPortSetTCP(c, result, 80, 81)
}
func (s *PortSetSuite) TestPortSetDifference(c *gc.C) {
s.portRange2.ToPort = 83
portSet1 := network.NewPortSet(s.portRange2)
portSet2 := network.NewPortSet(s.portRange3)
result := portSet1.Difference(portSet2)
s.checkPortSetTCP(c, result, 82, 83)
}
func (s *PortSetSuite) TestPortSetIntersectionEmpty(c *gc.C) {
portSet1 := network.NewPortSet(s.portRange1)
portSet2 := network.NewPortSet(s.portRange2)
result := portSet1.Intersection(portSet2)
isEmpty := result.IsEmpty()
c.Check(isEmpty, jc.IsTrue)
}
func (s *PortSetSuite) TestPortSetDifferenceEmpty(c *gc.C) {
portSet1 := network.NewPortSet(s.portRange2)
result := portSet1.Difference(portSet1)
isEmpty := result.IsEmpty()
c.Check(isEmpty, jc.IsTrue)
}
func (s *PortSetSuite) TestPortSetAdd(c *gc.C) {
portSet := network.NewPortSet(s.portRange2)
c.Check(portSet.IsEmpty(), jc.IsFalse)
portSet.Add("tcp", 81)
s.checkPortSetTCP(c, portSet, 80, 81)
}
func (s *networkSuite) TestFirewallSpec(c *gc.C) {
ports := network.NewPortSet(
network.MustParsePortRange("80-81/tcp"),
network.MustParsePortRange("8888/tcp"),
network.MustParsePortRange("1234/udp"),
)
fw := google.FirewallSpec("spam", ports)
allowed := []*compute.FirewallAllowed{{
IPProtocol: "tcp",
Ports: []string{"80", "81", "8888"},
}, {
IPProtocol: "udp",
Ports: []string{"1234"},
}}
sort.Sort(ByIPProtocol(fw.Allowed))
for i := range fw.Allowed {
sort.Strings(fw.Allowed[i].Ports)
}
c.Check(fw, jc.DeepEquals, &compute.Firewall{
Name: "spam",
TargetTags: []string{"spam"},
SourceRanges: []string{"0.0.0.0/0"},
Allowed: allowed,
})
}
func (s *PortSetSuite) TestPortSetAddRanges(c *gc.C) {
s.portRange2.ToPort = 83
portSet := network.NewPortSet(s.portRange2)
c.Check(portSet.IsEmpty(), jc.IsFalse)
portSet.AddRanges(s.portRange3)
s.checkPortSetTCP(c, portSet, s.getPorts(79, 83)...)
}
func (s *PortSetSuite) TestPortSetRemoveRanges(c *gc.C) {
portSet := network.NewPortSet(s.portRange1)
portSet.RemoveRanges(
s.portRange2,
network.PortRange{7000, 8049, "tcp"},
network.PortRange{8051, 8074, "tcp"},
network.PortRange{8080, 9000, "tcp"},
)
s.checkPortSetTCP(c, portSet, 8050, 8075, 8076, 8077, 8078, 8079)
}
func (s *PortSetSuite) TestPortSetContainsNotFound(c *gc.C) {
portSet := network.NewPortSet(s.portRange2)
isfound := portSet.Contains("tcp", 81)
c.Assert(isfound, jc.IsFalse)
}
func (s *PortSetSuite) TestPortSetSize(c *gc.C) {
portSet := network.NewPortSet(s.portRange1)
c.Assert(portSet.Size(), gc.Equals, 100)
}
func (s *PortSetSuite) TestPortSetIsEmpty(c *gc.C) {
portSet := network.NewPortSet()
c.Assert(portSet.IsEmpty(), jc.IsTrue)
}
func (s *PortSetSuite) TestNewPortSet(c *gc.C) {
portSet := network.NewPortSet(s.portRange1)
c.Assert(portSet.IsEmpty(), jc.IsFalse)
s.checkPortSetTCP(c, portSet, s.getPorts(8000, 8099)...)
}
func (s *PortSetSuite) TestPortSetPortStrings(c *gc.C) {
portSet := network.NewPortSet(s.portRange3)
ports := portSet.PortStrings("tcp")
c.Check(ports, jc.SameContents, []string{"79", "80", "81"})
}
func (s *PortSetSuite) TestPortSetPortNumbers(c *gc.C) {
portSet := network.NewPortSet(s.portRange3)
ports := portSet.PortNumbers("tcp")
c.Check(ports, jc.SameContents, []int{79, 80, 81})
}
func (s *PortSetSuite) TestPortSetPorts(c *gc.C) {
portSet := network.NewPortSet(s.portRange3)
ports := portSet.Ports()
s.checkPorts(c, ports, "tcp", 79, 80, 81)
}
func (s *PortSetSuite) TestPortSetProtocols(c *gc.C) {
portSet := network.NewPortSet(s.portRange2, s.portRange4)
protocols := portSet.Protocols()
c.Check(protocols, jc.SameContents, []string{"tcp", "udp"})
}
func (s *PortSetSuite) TestPortSetContainsRangesOverlapping(c *gc.C) {
portSet := network.NewPortSet(s.portRange1)
isfound := portSet.ContainsRanges(network.PortRange{7000, 8049, "tcp"})
c.Assert(isfound, jc.IsFalse)
}
func (s *PortSetSuite) TestPortSetContainsRangesSingleNoMatch(c *gc.C) {
portSet := network.NewPortSet(s.portRange1)
isfound := portSet.ContainsRanges(s.portRange2)
c.Assert(isfound, jc.IsFalse)
}
func (s *PortSetSuite) TestPortSetContainsRangesSingleMatch(c *gc.C) {
portSet := network.NewPortSet(s.portRange1)
isfound := portSet.ContainsRanges(network.PortRange{8080, 8080, "tcp"})
c.Assert(isfound, jc.IsTrue)
}
func (s *PortSetSuite) TestPortSetIsNotEmpty(c *gc.C) {
portSet := network.NewPortSet(s.portRange2)
c.Assert(portSet.IsEmpty(), jc.IsFalse)
}
func (s *PortSetSuite) TestPortSetRemove(c *gc.C) {
portSet := network.NewPortSet(s.portRange2)
portSet.Remove("tcp", 80)
c.Assert(portSet.Ports(), gc.HasLen, 0)
}