EC2 verify security group consistency for ENI creation - EUCA-10300

clc/modules/cluster-manager/src/main/java/com/eucalyptus/compute/vpc/VpcManager.java

@@ -518,14 +518,18 @@ public NetworkInterface get( ) {
         try {
           final Subnet subnet = subnets.lookupByName( accountFullName, subnetId, Functions.<Subnet>identity() );
           final Vpc vpc = subnet.getVpc( );
-          final Set<NetworkGroup> groups = request.getGroupSet( )==null ?
+          final Set<NetworkGroup> groups = request.getGroupSet( )==null || request.getGroupSet( ).groupIds( ).isEmpty( ) ?
               Sets.newHashSet( securityGroups.lookupDefault( vpc.getDisplayName( ), Functions.<NetworkGroup>identity( ) ) ) :
               Sets.newHashSet( Iterables.transform(
                   request.getGroupSet( ).groupIds( ),
                   RestrictedTypes.resolver( NetworkGroup.class ) ) );
           if ( groups.size( ) > VpcConfiguration.getSecurityGroupsPerNetworkInterface( ) ) {
             throw new ClientComputeException( "SecurityGroupsPerInterfaceLimitExceeded", "Security group limit exceeded" );
           }
+          if ( !Collections.singleton( vpc.getDisplayName( ) ).equals(
+              Sets.newHashSet( Iterables.transform( groups, NetworkGroups.vpcId( ) ) ) ) ) {
+            throw Exceptions.toUndeclared( new ClientComputeException( "InvalidParameterValue", "Invalid security groups (inconsistent VPC)" ) );
+          }
           final String identifier = Identifier.eni.generate();
           if ( privateIp != null ) {
             final Cidr cidr = Cidr.parse( subnet.getCidr( ) );