Added routines to bypass and route around firewalls. Added unit tests to ensure those routines must be used carefully

Author: SLsthompson

lib/softlayer/BareMetalServer.rb

@@ -60,15 +60,7 @@ def cancel!(reason = :unneeded, comment = '')
     # you may have to use +SoftLayer_Hardware_Server+ as a type or service.  That
     # service object is available thorugh the hardware_server_service method
     def service
-      return softlayer_client[:Hardware].object_with_id(self.id)
-    end
-
-    ##
-    # Returns the SoftLayer_Hardware_Server service for this bare metal server
-    # This service is used less often than SoftLayer_Hardware, but may be required
-    # for some operations
-    def hardware_server_service
-      self.softlayer_client[:Hardware_Server].object_with_id(self.id)
+      return softlayer_client[:Hardware_Server].object_with_id(self.id)
     end
 
     ##
@@ -145,27 +137,6 @@ def firewall_port_speed
       return [max_group_speed, max_ungrouped_speed].max
     end
 
-    ##
-    # Change the current port speed of the server
-    #
-    # +new_speed+ is expressed Mbps and should be 0, 10, 100, or 1000.
-    # Ports have a maximum speed that will limit the actual speed set
-    # on the port.
-    #
-    # Set +public+ to +false+ in order to change the speed of the
-    # primary private network interface.
-    #
-    def change_port_speed(new_speed, public = true)
-      if public
-        self.hardware_server_service.setPublicNetworkInterfaceSpeed(new_speed)
-      else
-        self.hardware_server_service.setPrivateNetworkInterfaceSpeed(new_speed)
-      end
-
-      self.refresh_details()
-      self
-    end
-
     ##
     # Retrive the bare metal server with the given server ID from the
     # SoftLayer API
@@ -180,7 +151,7 @@ def self.server_with_id(server_id, options = {})
       softlayer_client = options[:client] || Client.default_client
       raise "#{__method__} requires a client but none was given and Client::default_client is not set" if !softlayer_client
 
-      hardware_service = softlayer_client[:Hardware]
+      hardware_service = softlayer_client[:Hardware_Server]
       hardware_service = hardware_service.object_mask(default_object_mask.to_sl_object_mask)
 
       if options.has_key?(:object_mask)

lib/softlayer/Config.rb

@@ -72,8 +72,8 @@ def Config.globals_settings
 
 		def Config.environment_settings
 			result = {}
-			result[:username] =  ENV["SL_USERNAME"] if ENV["SL_USERNAME"]
-			result[:api_key] = ENV["SL_API_KEY"] if ENV["SL_API_KEY"]
+			result[:username] =  ENV['SL_USERNAME'] if ENV['SL_USERNAME']
+			result[:api_key] = ENV['SL_API_KEY'] if ENV['SL_API_KEY']
 			result
 		end
 

lib/softlayer/Server.rb

@@ -94,7 +94,7 @@ def reboot!(reboot_technique = :default_reboot)
       when :power_cycle
         self.service.rebootHard
       else
-        raise RuntimeError, "Unrecognized reboot technique in SoftLayer::Server#reboot!}"
+        raise ArgumentError, "Unrecognized reboot technique in SoftLayer::Server#reboot!}"
       end
     end
 
@@ -117,7 +117,7 @@ def softlayer_properties(object_mask = nil)
     # Change the notes of the server
     # raises ArgumentError if you pass nil as the notes
     def notes=(new_notes)
-      raise ArgumentError.new("The new notes cannot be nil") unless new_notes
+      raise ArgumentError, "The new notes cannot be nil" unless new_notes
 
       edit_template = {
         "notes" => new_notes
@@ -131,7 +131,7 @@ def notes=(new_notes)
     # Change the user metadata for the server.
     #
     def user_metadata=(new_metadata)
-      raise ArgumentError.new("Cannot set user metadata to nil") unless new_metadata
+      raise ArgumentError, "Cannot set user metadata to nil" unless new_metadata
       self.service.setUserMetadata([new_metadata])
       self.refresh_details()
     end
@@ -141,8 +141,8 @@ def user_metadata=(new_metadata)
     # Raises an ArgumentError if the new hostname is nil or empty
     #
     def set_hostname!(new_hostname)
-      raise ArgumentError.new("The new hostname cannot be nil") unless new_hostname
-      raise ArgumentError.new("The new hostname cannot be empty") if new_hostname.empty?
+      raise ArgumentError, "The new hostname cannot be nil" unless new_hostname
+      raise ArgumentError, "The new hostname cannot be empty" if new_hostname.empty?
 
       edit_template = {
         "hostname" => new_hostname
@@ -159,8 +159,8 @@ def set_hostname!(new_hostname)
     # no further validation is done on the domain name
     #
     def set_domain!(new_domain)
-      raise ArgumentError.new("The new hostname cannot be nil") unless new_domain
-      raise ArgumentError.new("The new hostname cannot be empty") if new_domain.empty?
+      raise ArgumentError, "The new hostname cannot be nil" unless new_domain
+      raise ArgumentError, "The new hostname cannot be empty" if new_domain.empty?
 
       edit_template = {
         "domain" => new_domain
@@ -188,11 +188,16 @@ def firewall_port_speed
     # on the port.
     #
     # Set +public+ to +false+ in order to change the speed of the
-    # primary private network interface.
-    #
-    # This is an abstract method implemented by subclasses
+    # private network interface.
     def change_port_speed(new_speed, public = true)
-      raise "The abstract change_port_speed method of SoftLayer::Server was called. Subclasses should implement the method for their particular service"
+      if public
+        self.service.setPublicNetworkInterfaceSpeed(new_speed)
+      else
+        self.service.setPrivateNetworkInterfaceSpeed(new_speed)
+      end
+
+      self.refresh_details()
+      self
     end
 
     ##

lib/softlayer/ServerFirewall.rb

@@ -112,6 +112,40 @@ def change_rules!(rules_data)
       self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
     end
 
+    ##
+    # This method asks the firewall to ignore its rule set and pass all traffic
+    # through the firewall. Compare the behavior of this routine with
+    # change_routing_bypass!
+    #
+    # It is important to note that changing the bypass to :bypass_firewall_rules 
+    # removes ALL the protection offered by the firewall. This routine should be 
+    # used with extreme discretion.
+    #
+    # Note that this routine queues a rule change and rule changes may take
+    # time to process. The change will probably not take effect immediately
+    #
+    # The two symbols accepted as arguments by this routine are:
+    # :apply_firewall_rules - The rules of the firewall are applied to traffic. This is the default operating mode of the firewall
+    # :bypass_firewall_rules - The rules of the firewall are ignored. In this configuration the firewall provides no protection.
+    #
+    def change_rules_bypass!(bypass_symbol)
+      change_object = {
+        "networkComponentFirewallId" => self.id,
+        "rules" => self.rules
+      }
+
+      case bypass_symbol
+      when :apply_firewall_rules
+        change_object['bypassFlag'] = false
+        self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
+      when :bypass_firewall_rules
+        change_object['bypassFlag'] = true
+        self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
+      else
+        raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :apply_firewall_rules and :bypass_firewall_rules"
+      end
+    end
+
     ##
     # Locate and return all the server firewalls in the environment.
     #
@@ -128,7 +162,7 @@ def change_rules!(rules_data)
     # The collection of all those VLANs becomes the set of firewalls
     # for the account.
     #
-    def self.find_firewalls(client)
+    def self.find_firewalls(client = nil)
       softlayer_client = client || Client.default_client
       raise "#{__method__} requires a client but none was given and Client::default_client is not set" if !softlayer_client
 

lib/softlayer/ServerFirewallOrder.rb

@@ -17,7 +17,7 @@ class ServerFirewallOrder
     def initialize (server)
       @server = server
 
-      raise ArgumentError.new("Server does not have an active Public interface") if server.firewall_port_speed == 0
+      raise ArgumentError, "Server does not have an active Public interface" if server.firewall_port_speed == 0
     end
 
     ##

lib/softlayer/VLANFirewall.rb

@@ -70,13 +70,78 @@ class VLANFirewall < SoftLayer::ModelBase
     # depending on the system load and other circumstances.
     def change_rules!(rules_data)
       change_object = {
-        "firewallContextAccessControlListId" => self.id,
+        "firewallContextAccessControlListId" => rules_ACL_id(),
         "rules" => rules_data
       }
 
       self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
     end
 
+    ##
+    # This method asks the firewall to ignore its rule set and pass all traffic
+    # through the firewall. Compare the behavior of this routine with
+    # change_routing_bypass!
+    #
+    # It is important to note that changing the bypass to :bypass_firewall_rules 
+    # removes ALL the protection offered by the firewall. This routine should be 
+    # used with extreme discretion.
+    #
+    # Note that this routine queues a rule change and rule changes may take
+    # time to process. The change will probably not take effect immediately
+    #
+    # The two symbols accepted as arguments by this routine are:
+    # :apply_firewall_rules - The rules of the firewall are applied to traffic. This is the default operating mode of the firewall
+    # :bypass_firewall_rules - The rules of the firewall are ignored. In this configuration the firewall provides no protection.
+    #
+    def change_rules_bypass!(bypass_symbol)
+      change_object = {
+        "firewallContextAccessControlListId" => rules_ACL_id(),
+        "rules" => self.rules
+      }
+
+      case bypass_symbol
+      when :apply_firewall_rules
+        change_object['bypassFlag'] = false
+        self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
+      when :bypass_firewall_rules
+        change_object['bypassFlag'] = true
+        self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
+      else
+        raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :apply_firewall_rules and :bypass_firewall_rules"
+      end
+    end
+
+    ##
+    # This method allows you to route traffic around the firewall
+    # and directly to the servers it protects. Compare the behavior of this routine with
+    # change_rules_bypass!
+    #
+    # It is important to note that changing the routing to :route_around_firewall
+    # removes ALL the protection offered by the firewall. This routine should be 
+    # used with extreme discretion.
+    #
+    # Note that this routine constructs a transaction. The Routing change
+    # may not happen immediately.
+    #
+    # The two symbols accepted as arguments by the routine are:
+    # :route_through_firewall - Network traffic is sent through the firewall to the servers in the VLAN segment it protects.  This is the usual operating mode of the firewall.
+    # :route_around_firewall - Network traffic will be sent directly to the servers in the VLAN segment protected by this firewall.  This means that the firewall will *NOT* be protecting those servers.
+    #
+    def change_routing_bypass!(routing_symbol)
+      vlan_firewall_id = self['networkVlanFirewall']['id']
+
+      raise "Could not identify the device for a VLAN firewall" if !vlan_firewall_id
+
+      case routing_symbol
+      when :route_through_firewall
+        self.softlayer_client[:Network_Vlan_Firewall].object_with_id(vlan_firewall_id).updateRouteBypass(false)
+      when :route_around_firewall
+        self.softlayer_client[:Network_Vlan_Firewall].object_with_id(vlan_firewall_id).updateRouteBypass(true)
+      else
+        raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :route_through_firewall and :route_around_firewall"
+      end
+    end
+
     ##
     # Returns the name of the primary router the firewall is attached to.
     # This is often a "customer router" in one of the datacenters.
@@ -108,7 +173,7 @@ def high_availability?
     #
     # This list is obtained by asking the account for all the VLANs
     # it has that also have a networkVlanFirewall component.
-    def self.find_firewalls(client)
+    def self.find_firewalls(client = nil)
       softlayer_client = client || Client.default_client
       raise "#{__method__} requires a client but none was given and Client::default_client is not set" if !softlayer_client
 
@@ -117,8 +182,8 @@ def self.find_firewalls(client)
         filter.accept("networkVlans.networkVlanFirewall").when_it is_not_null
       }
 
-      vlan_firewalls = client[:Account].object_mask(vlan_firewall_mask).object_filter(vlan_firewall_filter).getNetworkVlans
-      vlan_firewalls.collect { |firewall_data| SoftLayer::VLANFirewall.new(client, firewall_data)}
+      vlan_firewalls = softlayer_client[:Account].object_mask(vlan_firewall_mask).object_filter(vlan_firewall_filter).getNetworkVlans
+      vlan_firewalls.collect { |firewall_data| SoftLayer::VLANFirewall.new(softlayer_client, firewall_data)}
     end
 
 
@@ -157,7 +222,7 @@ def rules_ACL_id
     end
 
     def self.vlan_firewall_mask
-      return "mask[primaryRouter,highAvailabilityFirewallFlag,"+
+      return "mask[primaryRouter,highAvailabilityFirewallFlag," +
         "firewallInterfaces.firewallContextAccessControlLists," +
         "networkVlanFirewall[id, datacenter, primaryIpAddress, firewallType, fullyQualifiedDomainName]]"
     end
@@ -167,7 +232,16 @@ def self.default_rules_mask
     end
 
     def self.default_rules_mask_keys
-      ['orderValue','action','destinationIpAddress','destinationIpSubnetMask',"protocol","destinationPortRangeStart","destinationPortRangeEnd",'sourceIpAddress',"sourceIpSubnetMask","version"]
+      ['orderValue',
+       'action',
+       'destinationIpAddress',
+       'destinationIpSubnetMask',
+       'protocol',
+       'destinationPortRangeStart',
+       'destinationPortRangeEnd',
+       'sourceIpAddress',
+       'sourceIpSubnetMask',
+       'version']
     end
   end # class Firewall
 end # module SoftLayer

lib/softlayer/VirtualServer.rb

@@ -65,27 +65,6 @@ class VirtualServer < Server
       end
     end
 
-    ##
-    # Change the current port speed of the server
-    #
-    # +new_speed+ is expressed Mbps and should be 0, 10, 100, or 1000.
-    # Ports have a maximum speed that will limit the actual speed set
-    # on the port.
-    #
-    # Set +public+ to +false+ in order to change the speed of the
-    # primary private network interface.
-    #
-    def change_port_speed(new_speed, public = true)
-      if public
-        self.service.setPublicNetworkInterfaceSpeed(new_speed)
-      else
-        self.service.setPrivateNetworkInterfaceSpeed(new_speed)
-      end
-
-      self.refresh_details()
-      self
-    end
-
     ##
     # IMMEDIATELY cancel this virtual server
     #

spec/BareMetalServer_spec.rb

@@ -26,16 +26,20 @@
 		SoftLayer::BareMetalServer.new(mock_client, { "id" => 12345 })
 	end
 
-  it "identifies itself with the SoftLayer_Hardware service" do
+  it "identifies itself with the SoftLayer_Hardware_Server service" do
     service = sample_server.service
     expect(service.server_object_id).to eq(12345)
-    expect(service.target.service_name).to eq "SoftLayer_Hardware"
+    expect(service.target.service_name).to eq "SoftLayer_Hardware_Server"
   end
 
 	it_behaves_like "server with port speed" do
 		let (:server) { sample_server }
 	end
 
+  it_behaves_like "server with mutable hostname" do
+		let (:server) { sample_server }
+  end
+  
 	it "can be cancelled" do
 		mock_client = SoftLayer::Client.new(:username => "fakeuser", :api_key => "DEADBEEFBADF00D")
 		allow(mock_client).to receive(:[]) do |service_name|