private function GetServerSecurityGroupsList(DBServer $DBServer, OpenStack $osClient, \Scalr_Governance $governance = null)
{
$retval = $sgroups = $sgroupIds = $checkGroups = [];
$sgGovernance = false;
$allowAdditionalSgs = true;
if ($governance) {
$sgs = $governance->getValue($DBServer->platform, \Scalr_Governance::OPENSTACK_SECURITY_GROUPS);
if ($sgs !== null) {
$governanceSecurityGroups = @explode(",", $sgs);
if (!empty($governanceSecurityGroups)) {
foreach ($governanceSecurityGroups as $sg) {
if ($sg != '') {
array_push($checkGroups, trim($sg));
}
}
}
if (!empty($checkGroups)) {
$sgGovernance = true;
}
$allowAdditionalSgs = $governance->getValue($DBServer->platform, \Scalr_Governance::OPENSTACK_SECURITY_GROUPS, 'allow_additional_sec_groups');
}
}
if (!$sgGovernance || $allowAdditionalSgs) {
if ($DBServer->farmRoleId != 0) {
$dbFarmRole = $DBServer->GetFarmRoleObject();
if ($dbFarmRole->GetSetting(Entity\FarmRoleSetting::OPENSTACK_SECURITY_GROUPS_LIST) !== null) {
// New SG management
$sgs = @json_decode($dbFarmRole->GetSetting(Entity\FarmRoleSetting::OPENSTACK_SECURITY_GROUPS_LIST));
if (!empty($sgs)) {
foreach ($sgs as $sg) {
array_push($checkGroups, $sg);
}
}
} else {
// Old SG management
array_push($checkGroups, 'default');
array_push($checkGroups, \Scalr::config('scalr.aws.security_group_name'));
}
} else {
array_push($checkGroups, 'scalr-rb-system');
}
}
try {
$list = $osClient->listSecurityGroups();
do {
foreach ($list as $sg) {
$sgroups[strtolower($sg->name)] = $sg;
$sgroupIds[strtolower($sg->id)] = $sg;
}
if ($list instanceof PaginationInterface) {
$list = $list->getNextPage();
} else {
$list = false;
}
} while ($list !== false);
unset($list);
} catch (\Exception $e) {
throw new \Exception("GetServerSecurityGroupsList failed: {$e->getMessage()}");
}
foreach ($checkGroups as $groupName) {
if (preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $groupName)) {
if (isset($sgroupIds[strtolower($groupName)])) {
$groupName = $sgroupIds[$groupName]->name;
} else {
throw new \Exception(sprintf(_("Security group '%s' is not found (1)"), $groupName));
}
} elseif (preg_match('/^\\d+$/', $groupName)) {
// In openstack IceHouse, SG ID is integer and not UUID
if (isset($sgroupIds[strtolower($groupName)])) {
$groupName = $sgroupIds[$groupName]->name;
} else {
throw new \Exception(sprintf(_("Security group '%s' is not found (1)"), $groupName));
}
}
if ($groupName == 'default') {
// Check default SG
array_push($retval, $groupName);
} elseif ($groupName == 'scalr-rb-system' || $groupName == \Scalr::config('scalr.aws.security_group_name')) {
// Check Roles builder SG
if (!isset($sgroups[strtolower($groupName)])) {
try {
$group = $osClient->createSecurityGroup($groupName, _("Scalr system security group"));
$groupId = $group->id;
} catch (\Exception $e) {
throw new \Exception("GetServerSecurityGroupsList failed on scalr.ip-pool: {$e->getMessage()}");
}
$r = new CreateSecurityGroupRule($groupId);
$r->direction = 'ingress';
$r->protocol = 'tcp';
$r->port_range_min = 1;
$r->port_range_max = 65535;
$r->remote_ip_prefix = "0.0.0.0/0";
$res = $osClient->createSecurityGroupRule($r);
$r = new CreateSecurityGroupRule($groupId);
$r->direction = 'ingress';
$r->protocol = 'udp';
$r->port_range_min = 1;
$r->port_range_max = 65535;
$r->remote_ip_prefix = "0.0.0.0/0";
$res = $osClient->createSecurityGroupRule($r);
}
array_push($retval, $groupName);
} else {
if (!isset($sgroups[strtolower($groupName)])) {
throw new \Exception(sprintf(_("Security group '%s' is not found (2)"), $groupName));
} else {
array_push($retval, $groupName);
}
}
}
return $retval;
}