def test_acl_hash_entries(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1_obj = self.create_virtual_network(vn1_name, "10.2.1.0/24") vn2_obj = self.create_virtual_network(vn2_name, "20.2.1.0/24") np = self.create_network_policy(vn1_obj, vn2_obj) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np, vnp) vn2_obj.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) gevent.sleep(5) acl = self._vnc_lib.access_control_list_read( fq_name=self.get_ri_name(vn1_obj)) acl2 = self._vnc_lib.access_control_list_read( fq_name=self.get_ri_name(vn2_obj)) acl_hash = acl.access_control_list_hash acl_hash2 = acl2.access_control_list_hash self.assertEqual(acl_hash, hash(acl.access_control_list_entries)) self.assertEqual(acl_hash2, hash(acl2.access_control_list_entries)) self.schema_transformer_restart() vn1_obj.del_network_policy(np) vn2_obj.del_network_policy(np) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.delete_network_policy(np) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
def _attach_policy(self, vn_obj, *policies): for policy in policies or []: vn_obj.add_network_policy(policy, \ VirtualNetworkPolicyType(sequence=SequenceType(0, 0))) self._vnc_lib.virtual_network_update(vn_obj) for policy in policies or []: self._vnc_lib.ref_relax_for_delete(vn_obj.uuid, policy.uuid)
def test_policy_with_cidr_and_vn(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") vn2 = self.create_virtual_network(vn2_name, ["10.2.1.0/24", "10.2.2.0/24"]) rules = [] rule1 = { "protocol": "icmp", "direction": "<>", "src-port": "any", "src": { "type": "vn", "value": vn1 }, "dst": [{ "type": "cidr_list", "value": ["10.2.1.0/24"] }, { "type": "vn", "value": vn2 }], "dst-port": "any", "action": "pass" } rules.append(rule1) np = self.create_network_policy_with_multiple_rules(rules) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) for obj in [vn1]: ident_name = self.get_obj_imid(obj) gevent.sleep(2) self.assertThat(FakeIfmapClient._graph, Contains(ident_name)) self.check_vn_ri_state(fq_name=self.get_ri_name(vn1)) self.check_acl_match_dst_cidr(fq_name=self.get_ri_name(vn1), ip_prefix="10.2.1.0", ip_len=24) self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1), src_vn=':'.join(vn1.get_fq_name()), dst_vn=':'.join(vn2.get_fq_name())) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid) self.check_vn_is_deleted(uuid=vn2.uuid)
def test_basic_policy(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1_obj = VirtualNetwork(vn1_name) vn2_obj = VirtualNetwork(vn2_name) np = self.create_network_policy(vn1_obj, vn2_obj) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np, vnp) vn2_obj.set_network_policy(np, vnp) self._vnc_lib.virtual_network_create(vn1_obj) self._vnc_lib.virtual_network_create(vn2_obj) for obj in [vn1_obj, vn2_obj]: self.assertTill(self.vnc_db_has_ident, obj=obj) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj)) vn1_obj.del_network_policy(np) vn2_obj.del_network_policy(np) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj)) self.delete_network_policy(np) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name()) self.check_vn_is_deleted(uuid=vn1_obj.uuid) self.check_ri_is_deleted(fq_name=self.get_ri_name(vn2_obj))
def test_policy_with_cidr(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24") rules = [] rule1 = { "protocol": "icmp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.1/32" }, "action": "deny" } rule2 = { "protocol": "icmp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.2/32" }, "action": "deny" } rules.append(rule1) rules.append(rule2) np = self.create_network_policy_with_multiple_rules(rules) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) self.assertTill(self.vnc_db_has_ident, obj=vn1) self.check_vn_ri_state(fq_name=self.get_ri_name(vn1)) self.check_acl_match_dst_cidr(fq_name=self.get_ri_name(vn1), ip_prefix="10.2.1.1", ip_len=32) self.check_acl_match_dst_cidr(fq_name=self.get_ri_name(vn1), ip_prefix="10.2.1.2", ip_len=32) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def test_multiple_policy(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1_obj = VirtualNetwork(vn1_name) vn2_obj = VirtualNetwork(vn2_name) np1 = self.create_network_policy(vn1_obj, vn2_obj) np2 = self.create_network_policy(vn2_obj, vn1_obj) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np1, vnp) vn2_obj.set_network_policy(np2, vnp) self._vnc_lib.virtual_network_create(vn1_obj) self._vnc_lib.virtual_network_create(vn2_obj) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj)) np1.network_policy_entries.policy_rule[ 0].action_list.simple_action = 'deny' np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) expr = ( "('contrail:connection contrail:routing-instance:%s' in FakeIfmapClient._graph['8443']['contrail:routing-instance:%s']['links'])" % (':'.join(self.get_ri_name(vn2_obj)), ':'.join( self.get_ri_name(vn1_obj)))) self.assertTill(expr) np1.network_policy_entries.policy_rule[ 0].action_list.simple_action = 'pass' np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) np2.network_policy_entries.policy_rule[ 0].action_list.simple_action = 'deny' np2.set_network_policy_entries(np2.network_policy_entries) self._vnc_lib.network_policy_update(np2) expr = ( "('contrail:connection contrail:routing-instance:%s' in FakeIfmapClient._graph['8443']['contrail:routing-instance:%s']['links'])" % (':'.join(self.get_ri_name(vn1_obj)), ':'.join( self.get_ri_name(vn2_obj)))) self.assertTill(expr) vn1_obj.del_network_policy(np1) vn2_obj.del_network_policy(np2) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj)) self.delete_network_policy(np1) self.delete_network_policy(np2) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name()) self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_multiple_policy(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1_obj = VirtualNetwork(vn1_name) vn2_obj = VirtualNetwork(vn2_name) np1 = self.create_network_policy(vn1_obj, vn2_obj) np2 = self.create_network_policy(vn2_obj, vn1_obj) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np1, vnp) vn2_obj.set_network_policy(np2, vnp) self._vnc_lib.virtual_network_create(vn1_obj) self._vnc_lib.virtual_network_create(vn2_obj) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj)) np1.network_policy_entries.policy_rule[ 0].action_list.simple_action = 'deny' np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) self.assertTill( self.ifmap_ident_has_link, type_fq_name=('routing-instance', self.get_ri_name(vn1_obj)), link_name='contrail:connection contrail:routing-instance:%s' % ':'.join(self.get_ri_name(vn2_obj))) np1.network_policy_entries.policy_rule[ 0].action_list.simple_action = 'pass' np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) np2.network_policy_entries.policy_rule[ 0].action_list.simple_action = 'deny' np2.set_network_policy_entries(np2.network_policy_entries) self._vnc_lib.network_policy_update(np2) self.assertTill( self.ifmap_ident_has_link, type_fq_name=('routing-instance', self.get_ri_name(vn2_obj)), link_name='contrail:connection contrail:routing-instance:%s' % ':'.join(self.get_ri_name(vn1_obj))) vn1_obj.del_network_policy(np1) vn2_obj.del_network_policy(np2) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj)) self.delete_network_policy(np1) self.delete_network_policy(np2) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name()) self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_policy_processing_time_optimization_acl_with_vn(self): # Create VNs vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24") # Create policy rules = [] rule1 = {"protocol": "icmp", "direction": "<>", "src": {"type": "vn", "value": vn1}, "dst": {"type": "cidr", "value": "10.2.1.2/32"}, "action": "deny" } rules.append(rule1) np = self.create_network_policy_with_multiple_rules(rules) self._vnc_lib.network_policy_update(np) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) # Attach policy to vn1 vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) orignal_vn_eval = VirtualNetworkST.evaluate # if we dont sleep now for some time than following mock function gets # picked for the above vn update vn1.vn_evaluate_hit = False def mock_vn_evaluate(vn_obj): if vn1.get_fq_name_str() == vn_obj.name: vn1.vn_evaluate_hit = True orignal_vn_eval(vn_obj) # end evaluate gevent.sleep(3) VirtualNetworkST.evaluate = mock_vn_evaluate vn2.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn2) # if we dont sleep now for some time than for the # above code original vn # evaluate gets picked up due to the next line gevent.sleep(3) if not vn1.vn_evaluate_hit: self.assertTrue(False, 'Error: Did not execute evaluate of vn1') VirtualNetworkST.evaluate = orignal_vn_eval # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid) self.check_vn_is_deleted(uuid=vn2.uuid)
def test_multiple_policy(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1_obj = VirtualNetwork(vn1_name) vn2_obj = VirtualNetwork(vn2_name) np1 = self.create_network_policy(vn1_obj, vn2_obj) np2 = self.create_network_policy(vn2_obj, vn1_obj) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np1, vnp) vn2_obj.set_network_policy(np2, vnp) self._vnc_lib.virtual_network_create(vn1_obj) self._vnc_lib.virtual_network_create(vn2_obj) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj)) np1.network_policy_entries.policy_rule[0].action_list.simple_action = \ 'deny' np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj)) np1.network_policy_entries.policy_rule[0].action_list.simple_action = \ 'pass' np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) np2.network_policy_entries.policy_rule[0].action_list.simple_action = \ 'deny' np2.set_network_policy_entries(np2.network_policy_entries) self._vnc_lib.network_policy_update(np2) self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj)) vn1_obj.del_network_policy(np1) vn2_obj.del_network_policy(np2) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.delete_network_policy(np1) self.delete_network_policy(np2) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name()) self.check_vn_is_deleted(uuid=vn1_obj.uuid) self.check_vn_is_deleted(uuid=vn2_obj.uuid)
def test_compressed_policy_with_cidr(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24") rules = [] rule = { "protocol": "any", "direction": "<>", "src": { "type": "cidr", "value": "10.1.1.1/32" }, "dst": { "type": "cidr", "value": "10.2.1.1/32" }, "action": "deny" } rules.append(rule) np = self.create_network_policy_with_multiple_rules(rules) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) vn2.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) self._vnc_lib.virtual_network_update(vn2) self.assertTill(self.vnc_db_has_ident, obj=vn1) self.assertTill(self.vnc_db_has_ident, obj=vn2) self.check_vn_ri_state(fq_name=self.get_ri_name(vn1)) self.check_vn_ri_state(fq_name=self.get_ri_name(vn2)) self.check_compress_acl_match_condition( np._network_policy_entries.policy_rule[0].dst_addresses, fq_name=self.get_ri_name(vn1)) self.check_compress_acl_match_condition( np._network_policy_entries.policy_rule[0].src_addresses, fq_name=self.get_ri_name(vn2)) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid) self.check_vn_is_deleted(uuid=vn2.uuid)
def bind_policies(self, policy_fq_names): if self._api == 'contrail': self.vnc_obj.set_network_policy_list([], True) self.vnc_api.virtual_network_update(self.vnc_obj) for seq, policy in enumerate(policy_fq_names): policy_obj = self._vnc.get_network_policy(policy) seq_obj = SequenceType(major=seq, minor=0) self.vnc_obj.add_network_policy( policy_obj, VirtualNetworkPolicyType(sequence=seq_obj)) self.vnc_api.virtual_network_update(self.vnc_obj) else: net_req = {'policys': policy_fq_names} self._qh.update_network(self.uuid, {'network': net_req}) self.update() self._policies = policy_fq_names
def test_basic_policy(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1_obj = VirtualNetwork(vn1_name) vn2_obj = VirtualNetwork(vn2_name) np = self.create_network_policy(vn1_obj, vn2_obj) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np, vnp) vn2_obj.set_network_policy(np, vnp) self._vnc_lib.virtual_network_create(vn1_obj) self._vnc_lib.virtual_network_create(vn2_obj) for obj in [vn1_obj, vn2_obj]: ident_name = self.get_obj_imid(obj) gevent.sleep(2) self.assertThat(FakeIfmapClient._graph['8443'], Contains(ident_name)) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj)) vn1_obj.del_network_policy(np) vn2_obj.del_network_policy(np) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj)) self.delete_network_policy(np) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name()) self.check_vn_is_deleted(uuid=vn1_obj.uuid) self.check_ri_is_deleted(fq_name=self.get_ri_name(vn2_obj))
def test_provider_network(self): """ Test description. Verify: 1. Check creating a non-provider VNs with non-provider VNs connected to it is not allowed 2. Check a non provider-VN can not be created with is_provider_network property set to True 3. Check is_provider_network property of a provider-VN is True by default 4. Check is_provider_network property of a provider-VN can be set as True 5. Check is_provider_network property of provider-VN can not be set as False 6. Check is_provider_network property of non provider-VN can not be set as True 7. Check is_provider_network property of non provider-VN can be set as False 8. Check setting other parameters of a non provider-VN is not affected 9. Check db_resync sets is_provider_network property of provider-VN as True (simulating upgrade case) 10. Check non provider VNs can be added to provider VN 11. Check the provider-VN can be added to a VN 12. Check non provider-VN can not be added to a VN 13. Check many VNs can be linked to the provider-VN 14. Check (provider-vn -> any-VN),DENY acl rule is added to the provider-VN 15. Check (VN -> provider-VN),DENY acl rule is added to the VN 16. Adding a (VN -> provider-VN),PASS acl rule at VN removes (VN -> provider-VN),DENY acl rule Assumption: ip-fabric VN is the provider-VN """ # create two VNs - vn1, vn2 vn1_name = self.id() + '_vn1' vn2_name = self.id() + '_vn2' vn3_name = self.id() + '_vn3' vn4_name = self.id() + '_vn4' vn1_obj1 = VirtualNetwork(vn1_name) vn2_obj1 = VirtualNetwork(vn2_name) vn3_obj1 = VirtualNetwork(vn3_name) vn4_obj1 = VirtualNetwork(vn4_name) self._vnc_lib.virtual_network_create(vn1_obj1) self._vnc_lib.virtual_network_create(vn2_obj1) self._vnc_lib.virtual_network_create(vn3_obj1) # try creating non provider_vn with linked # non provider_vn (linked before creating) vn4_obj1.add_virtual_network(vn3_obj1) self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create, vn4_obj1) vn4_obj1.add_virtual_network(vn2_obj1) self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create, vn4_obj1) # remove vn3_obj1 and vn2_obj1 # as its not allowed vn4_obj1.del_virtual_network(vn3_obj1) vn4_obj1.del_virtual_network(vn2_obj1) # set is_provider_network on a non provider-vn # and try creating it vn4_obj1.set_is_provider_network(True) self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create, vn4_obj1) # set it as False and retry creating it vn4_obj1.set_is_provider_network(False) self._vnc_lib.virtual_network_create(vn4_obj1) # Check updating other parameters of a non provider VN # when no provider VN is not connected vn4_obj1.set_mac_aging_time(400) self._vnc_lib.virtual_network_update(vn4_obj1) # retrieve provider network, assuming ip-fabric for now provider_fq_name = ['default-domain', 'default-project', 'ip-fabric'] provider_vn = self._vnc_lib.virtual_network_read( fq_name=provider_fq_name) self.assertEqual(provider_vn.get_is_provider_network(), True) # check is_provider_network of provider_vn # can be set to True (ie only as its default) provider_vn.set_is_provider_network(True) self._vnc_lib.virtual_network_update(provider_vn) # check is_provider_network of provider_vn # can not be set to False provider_vn.set_is_provider_network(False) self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update, provider_vn) # check is_provider_network of non provider_vn # can be set to False vn4_obj1.set_is_provider_network(False) self._vnc_lib.virtual_network_update(vn4_obj1) # check is_provider_network of non provider_vn # can not be set to True vn4_obj1.set_is_provider_network(True) self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update, vn4_obj1) # check db_resync sets is_provider_network property # as True in provider-vn self._api_server._db_conn.db_resync() provider_vn = self._vnc_lib.virtual_network_read( fq_name=provider_fq_name) self.assertEqual(provider_vn.get_is_provider_network(), True) # check adding vn3 and vn2 to provider vn provider_vn.add_virtual_network(vn2_obj1) provider_vn.add_virtual_network(vn3_obj1) self._vnc_lib.virtual_network_update(provider_vn) gevent.sleep(5) provider_vn = self._vnc_lib.virtual_network_read( fq_name=provider_vn.get_fq_name()) self.assertEqual(len(provider_vn.virtual_network_refs), 2) linked_uuids = [ ref['uuid'] for ref in provider_vn.virtual_network_refs ] self.assertIn(vn3_obj1.uuid, linked_uuids) self.assertIn(vn2_obj1.uuid, linked_uuids) VirtualNetworkST._dict = {} VirtualNetworkST.reinit() provider_vn = self._vnc_lib.virtual_network_read( fq_name=provider_vn.get_fq_name()) vn3_obj1 = self._vnc_lib.virtual_network_read( fq_name=vn3_obj1.get_fq_name()) vn2_obj1 = self._vnc_lib.virtual_network_read( fq_name=vn2_obj1.get_fq_name()) self.assertEqual(len(provider_vn.virtual_network_refs), 2) linked_uuids = [ ref['uuid'] for ref in provider_vn.virtual_network_refs ] self.assertIn(vn3_obj1.uuid, linked_uuids) self.assertIn(vn2_obj1.uuid, linked_uuids) self.check_acl_implicit_deny_rule( fq_name=self.get_ri_name(provider_vn), src_vn=':'.join(provider_fq_name), dst_vn='any') self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn2_obj1), src_vn=vn2_obj1.get_fq_name_str(), dst_vn=':'.join(provider_fq_name)) self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn3_obj1), src_vn=vn3_obj1.get_fq_name_str(), dst_vn=':'.join(provider_fq_name)) # check adding provider vn to vn1 works vn1_obj1.add_virtual_network(provider_vn) self._vnc_lib.virtual_network_update(vn1_obj1) gevent.sleep(2) vn1_obj2 = self._vnc_lib.virtual_network_read( fq_name=vn1_obj1.get_fq_name()) self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'], provider_fq_name) self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj2), src_vn=vn1_obj2.get_fq_name_str(), dst_vn=':'.join(provider_fq_name)) # Check updating other parameters of a non provider VN # when a provider VN is connected vn1_obj2.set_mac_aging_time(400) self._vnc_lib.virtual_network_update(vn1_obj2) # create a policy to allow icp between vn1 <> vn2 # and update vn1 vn1_to_vn2_rule = { "protocol": "icmp", "direction": "<>", "src": { "type": "vn", "value": vn1_obj2 }, "dst": [{ "type": "vn", "value": vn2_obj1 }], "action": "pass" } np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj2.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1_obj2) vn1_obj3 = self._vnc_lib.virtual_network_read( fq_name=vn1_obj2.get_fq_name()) # check linking a non provider network is not allowed vn1_obj3.add_virtual_network(vn2_obj1) self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update, vn1_obj3) vn1_obj4 = self._vnc_lib.virtual_network_read( fq_name=vn1_obj3.get_fq_name()) self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'], provider_fq_name) self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'], vn2_obj1.get_fq_name()) # check the provider-network got a deny rule to any VN provider_to_vn1_rule = { "protocol": "icmp", "direction": ">", "src": { "type": "vn", "value": provider_vn }, "dst": [{ "type": "vn", "value": vn1_obj4 }], "action": "pass" } np = self.create_network_policy_with_multiple_rules( [provider_to_vn1_rule]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) provider_vn.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(provider_vn) self.check_acl_implicit_deny_rule( fq_name=self.get_ri_name(provider_vn), src_vn=':'.join(provider_fq_name), dst_vn='any') # check the network connected to provider-network # got a deny rule to provider-network self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj4), src_vn=':'.join( vn1_obj4.get_fq_name()), dst_vn=':'.join(provider_fq_name)) # add an explicit policy to allow traffic to provider network # and the implicit deny is removed vn1_to_provider_rule = { "protocol": "any", "direction": ">", "src": { "type": "vn", "value": vn1_obj4 }, "dst": [{ "type": "vn", "value": provider_vn }], "action": "pass" } np = self.create_network_policy_with_multiple_rules( [vn1_to_provider_rule]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj4.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1_obj4) vn1_obj5 = self._vnc_lib.virtual_network_read( fq_name=vn1_obj4.get_fq_name()) self.check_acl_no_implicit_deny_rule( fq_name=self.get_ri_name(vn1_obj5), src_vn=':'.join(vn1_obj5.get_fq_name()), dst_vn=':'.join(provider_fq_name)) self.check_acl_allow_rule(fq_name=self.get_ri_name(vn1_obj5), src_vn=':'.join(vn1_obj5.get_fq_name()), dst_vn=':'.join(provider_fq_name)) # adding explicit policy to allow traffic to provider network # do not change deny rule in provider network self.check_acl_implicit_deny_rule( fq_name=self.get_ri_name(provider_vn), src_vn=':'.join(provider_fq_name), dst_vn='any')
def test_security_logging_object_with_policy_and_security_group(self): # Add a Network Policy Rule and a Security Group Rule to a # SLO vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") rule1 = { "protocol": "udp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.1/32" }, "action": "deny" } np = self.create_network_policy_with_multiple_rules([rule1]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) sg_obj = SecurityGroup(name=self.id() + '_sg1') self._vnc_lib.security_group_create(sg_obj) sgr_uuid = str(uuid.uuid4()) sg_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='tcp', src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(security_group='local')], dst_ports=[PortType(0, 65535)], ether_type='IPv4') sg_policy_rules = PolicyEntriesType([sg_rule]) sg_obj.set_security_group_entries(sg_policy_rules) self._vnc_lib.security_group_update(sg_obj) project = self._vnc_lib.project_read( fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(SecurityLoggingObjectST, slo_obj.get_fq_name_str()) np_rule1 = np.get_network_policy_entries().get_policy_rule()[0] np_fqdn = np.get_fq_name_str() np_rule1_uuid = np_rule1.get_rule_uuid() slo_rule_entries = [] slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300)) slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300)) slo_obj = self._vnc_lib.security_logging_object_read( fq_name=slo_obj.get_fq_name()) slo_obj.add_network_policy(np, None) sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid()) slo_obj.add_security_group(sg_obj, None) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries) slo_obj.del_network_policy(np) slo_obj.del_security_group(sg_obj) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete( fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_network_policy_update(self): vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") np = self.create_network_policy_with_multiple_rules([]) np_fqdn = np.get_fq_name_str() seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) project = self._vnc_lib.project_read( fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(SecurityLoggingObjectST, slo_obj.get_fq_name_str()) slo_obj.add_network_policy(np, None) self._vnc_lib.security_logging_object_update(slo_obj) npr_uuid = str(uuid.uuid4()) action_list = ActionListType() action_list.simple_action = 'pass' np_rule = PolicyRuleType( rule_uuid=npr_uuid, direction='>', protocol='tcp', src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))], dst_ports=[PortType(0, 65535)], ether_type='IPv4', action_list=action_list) np.set_network_policy_entries(PolicyEntriesType([np_rule])) self._vnc_lib.network_policy_update(np) slo_obj = self._vnc_lib.security_logging_object_read( fq_name=slo_obj.get_fq_name()) expected_rule_list = [ SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300) ] st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, expected_rule_list) slo_obj.del_network_policy(np) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete( fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_wildcard_rules(self): vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") rules = [] rule1 = { "protocol": "udp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.1/32" }, "action": "deny" } rule2 = { "protocol": "icmp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.2/32" }, "action": "deny" } rules.append(rule1) rules.append(rule2) np = self.create_network_policy_with_multiple_rules(rules) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) project = self._vnc_lib.project_read( fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(SecurityLoggingObjectST, slo_obj.get_fq_name_str()) np_rule1 = np.get_network_policy_entries().get_policy_rule()[0] np_rule2 = np.get_network_policy_entries().get_policy_rule()[1] np_fqdn = np.get_fq_name_str() np_rule1_uuid = np_rule1.get_rule_uuid() np_rule2_uuid = np_rule2.get_rule_uuid() slo_rule_entries = [] slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300)) slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(np_rule2_uuid, rate=300)) slo_obj = self._vnc_lib.security_logging_object_read( fq_name=slo_obj.get_fq_name()) slo_obj.add_network_policy(np, None) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries) slo_obj.del_network_policy(np) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete( fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def test_policy_in_policy(self): vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn3_name = self.id() + 'vn3' vn1_obj = VirtualNetwork(vn1_name) vn2_obj = VirtualNetwork(vn2_name) np1 = self.create_network_policy(vn1_obj, vn2_obj) np2 = self.create_network_policy(vn2_obj, vn1_obj) np1.network_policy_entries.policy_rule[0].dst_addresses[ 0].virtual_network = None np1.network_policy_entries.policy_rule[0].dst_addresses[ 0].network_policy = np2.get_fq_name_str() np1.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np1) np2.network_policy_entries.policy_rule[0].src_addresses[ 0].virtual_network = 'local' np2.set_network_policy_entries(np1.network_policy_entries) self._vnc_lib.network_policy_update(np2) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1_obj.set_network_policy(np1, vnp) vn2_obj.set_network_policy(np2, vnp) self._vnc_lib.virtual_network_create(vn1_obj) self._vnc_lib.virtual_network_create(vn2_obj) self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj)) self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj)) vn3_obj = VirtualNetwork(vn3_name) vn3_obj.set_network_policy(np2, vnp) self._vnc_lib.virtual_network_create(vn3_obj) self.check_ri_ref_present(self.get_ri_name(vn3_obj), self.get_ri_name(vn1_obj)) vn3_obj.del_network_policy(np2) self._vnc_lib.virtual_network_update(vn3_obj) @retries(5) def _match_acl_rule(): acl = self._vnc_lib.access_control_list_read( fq_name=self.get_ri_name(vn1_obj)) for rule in acl.get_access_control_list_entries().get_acl_rule(): if (rule.match_condition.dst_address.virtual_network == vn3_obj.get_fq_name_str()): raise Exception("ACL rule still present") _match_acl_rule() vn1_obj.del_network_policy(np1) vn2_obj.del_network_policy(np2) self._vnc_lib.virtual_network_update(vn1_obj) self._vnc_lib.virtual_network_update(vn2_obj) self.delete_network_policy(np1) self.delete_network_policy(np2) self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn3_obj.get_fq_name()) self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_policy_processing_time_optimization_subnet_only(self): # Create VNs vn1_name = self.id() + 'vn1' vn2_name = self.id() + 'vn2' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24") # Create policy rules = [] rule1 = { "protocol": "icmp", "direction": "<>", "src": { "type": "cidr", "value": "20.2.1.2/32" }, "dst": { "type": "cidr", "value": "10.2.1.2/32" }, "action": "deny" } rules.append(rule1) np = self.create_network_policy_with_multiple_rules(rules) self._vnc_lib.network_policy_update(np) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) # Attach policy to vn1 vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) orignal_vn_eval = config_db.VirtualNetworkST.evaluate # if we dont sleep now for some time than following mock function gets picked # for the above vn update gevent.sleep(3) # Mock the VirtualNetworkST evaluate function and attach the policy to vn2 # Test fails if vn1 evaluate funcation is hit. def mock_vn_evaluate(self): if vn1.get_fq_name_str() == self.name: self.assertTrue(False, 'Error: Should not have run evaluate of vn1') orignal_vn_eval() #end evaluate config_db.VirtualNetworkST.evaluate = mock_vn_evaluate vn2.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn2) # if we dont sleep now for some time than for the above code original vn evaluate gets # picked up due to the next line gevent.sleep(3) config_db.VirtualNetworkST.evaluate = orignal_vn_eval # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid) self.check_vn_is_deleted(uuid=vn2.uuid)
def _attach_policy(self, policy, *vn_objects): for vn_obj in vn_objects: vn_obj.add_network_policy(policy, \ VirtualNetworkPolicyType(sequence=SequenceType(0, 0))) self._vnc_lib.virtual_network_update(vn_obj) self._vnc_lib.ref_relax_for_delete(vn_obj.uuid, policy.uuid)