made the Security Group backend throw the same error as AWS if the nb of sec groups limit is hit (#742)

* made the Security Group backend throw the same error as AWS if the security group limit is hit * included in the security group limit the count of grants to other security groups & updated the unit tests to cover these * refactored a few things about the sec group rule count limit
2017-01-19 02:37:55 +00:00 · 2017-01-19 02:37:55 +00:00 · a967ec0d39
commit a967ec0d39
parent d42432bfef
3 changed files with 171 additions and 0 deletions
--- a/moto/ec2/exceptions.py
+++ b/moto/ec2/exceptions.py
@ -318,3 +318,11 @@ class InvalidCIDRSubnetError(EC2ClientError):
            "InvalidParameterValue",
            "invalid CIDR subnet specification: {0}"
            .format(cidr))
+
+
+class RulesPerSecurityGroupLimitExceededError(EC2ClientError):
+    def __init__(self):
+        super(RulesPerSecurityGroupLimitExceededError, self).__init__(
+            "RulesPerSecurityGroupLimitExceeded",
+            'The maximum number of rules per security group '
+            'has been reached.')
--- a/moto/ec2/models.py
+++ b/moto/ec2/models.py
@ -58,6 +58,7 @@ from .exceptions import (
    InvalidVpnGatewayIdError,
    InvalidVpnConnectionIdError,
    InvalidCustomerGatewayIdError,
+    RulesPerSecurityGroupLimitExceededError,
 )
 from .utils import (
    EC2_RESOURCE_TO_PREFIX,
@ -1264,6 +1265,16 @@ class SecurityGroup(TaggedEC2Resource):
    def add_egress_rule(self, rule):
        self.egress_rules.append(rule)

+    def get_number_of_ingress_rules(self):
+        return sum(
+            len(rule.ip_ranges) + len(rule.source_groups)
+            for rule in self.ingress_rules)
+
+    def get_number_of_egress_rules(self):
+        return sum(
+            len(rule.ip_ranges) + len(rule.source_groups)
+            for rule in self.egress_rules)
+

 class SecurityGroupBackend(object):

@ -1360,6 +1371,10 @@ class SecurityGroupBackend(object):
                if not is_valid_cidr(cidr):
                    raise InvalidCIDRSubnetError(cidr=cidr)

+        self._verify_group_will_respect_rule_count_limit(
+            group, group.get_number_of_ingress_rules(),
+            ip_ranges, source_group_names, source_group_ids)
+
        source_group_names = source_group_names if source_group_names else []
        source_group_ids = source_group_ids if source_group_ids else []

@ -1425,6 +1440,10 @@ class SecurityGroupBackend(object):
                if not is_valid_cidr(cidr):
                    raise InvalidCIDRSubnetError(cidr=cidr)

+        self._verify_group_will_respect_rule_count_limit(
+            group, group.get_number_of_egress_rules(),
+            ip_ranges, source_group_names, source_group_ids)
+
        source_group_names = source_group_names if source_group_names else []
        source_group_ids = source_group_ids if source_group_ids else []

@ -1472,6 +1491,20 @@ class SecurityGroupBackend(object):
            return security_rule
        raise InvalidPermissionNotFoundError()

+    def _verify_group_will_respect_rule_count_limit(
+            self, group, current_rule_nb,
+            ip_ranges, source_group_names=None, source_group_ids=None):
+        max_nb_rules = 50 if group.vpc_id else 100
+        future_group_nb_rules = current_rule_nb
+        if ip_ranges:
+            future_group_nb_rules += len(ip_ranges)
+        if source_group_ids:
+            future_group_nb_rules += len(source_group_ids)
+        if source_group_names:
+            future_group_nb_rules += len(source_group_names)
+        if future_group_nb_rules > max_nb_rules:
+            raise RulesPerSecurityGroupLimitExceededError
+

 class SecurityGroupIngress(object):