def _set_features(self):
if Topology.nuage_release.major_release == '4.0':
self.full_external_id_support = Topology.from_nuage('4.0R5')
self.vsd_managed_dualstack_subnets = Topology.from_nuage('4.0VZ')
else:
self.full_external_id_support = True
self.ml2_limited_exceptions = False
self.full_os_networking = True
self.vsd_managed_dualstack_subnets = Topology.is_ml2
self.os_managed_dualstack_subnets = (Topology.from_nuage('5.1')
and self.ipv6_enabled)
self.project_name_in_vsd = Topology.from_nuage('5.1')
self.stateless_security_groups = Topology.from_nuage('5.2')
self.route_to_underlay = Topology.from_nuage('5.2')
self.switchdev_offload = Topology.from_nuage('6.0')
def test_create_update_delete_sg(self):
sg = self.create_security_group()
sg2 = self.create_security_group()
# Create for ipversions:
# - normal rule, for all applicable protocols
# - normal rule, TCP protocol, port 80
# - normal rule, UDP protocol, port 80, egress
# - networkmacro rule for 90.0.0.0/24
# - remote group id rule for SG2
for ip_version in self.ip_versions:
ethertype = 'IPv' + str(ip_version)
# - normal rule, for all applicable protocols
if ip_version == 6:
if Topology.up_to_openstack('stein'):
protocols = (n_constants.IPV6_PROTO_NAME +
[n_constants.IPV6_PROTO_NAME_LEGACY])
else:
# Train onwards, legacy is canonicalized
# https://review.opendev.org/#/c/453346/14
protocols = n_constants.IPV6_PROTO_NAME
else:
protocols = n_constants.IPV4_PROTO_NAME
for protocol in protocols:
self.create_security_group_rule_with_manager(
sg,
protocol=protocol,
direction='ingress',
ethertype=ethertype)
# - normal rule, TCP protocol, port 80
self.create_security_group_rule_with_manager(sg,
protocol='tcp',
direction='ingress',
ethertype=ethertype,
port_range_min=80,
port_range_max=80)
# - normal rule, UDP protocol, port 80, egress
self.create_security_group_rule_with_manager(sg,
protocol='udp',
direction='egress',
ethertype=ethertype,
port_range_min=80,
port_range_max=80)
# - networkmacro rule for 90.0.0.0/24 or cafe:babe::/64
remote_ip_prefix = ('90.0.0.0/24'
if ip_version == 4 else 'cafe:babe::/64')
self.create_security_group_rule_with_manager(
sg,
direction='egress',
ethertype=ethertype,
remote_ip_prefix=remote_ip_prefix)
# - remote group id rule for SG2
self.create_security_group_rule_with_manager(
sg,
direction='egress',
ethertype=ethertype,
remote_group_id=sg2['id'])
port = self.create_port(self.network, security_groups=[sg['id']])
# Verify VSD
# Get updated SG with SGRules
sg = self.get_security_group(sg['id'])
self._verify_sg(sg, ports=[port])
# Update Security group name
name = "updated SG name"
sg = self.update_security_group(sg, name=name)
self._verify_sg(sg, ports=[port])
# Delete port from SG
self.delete_port(port)
# cleanup happens before 20.10, not after.
pg_expected = Topology.from_nuage('20.10')
self._verify_sg(sg, ports=[], pg_expected_without_port=pg_expected)
def _verify_sg_rule(self,
pg,
sg,
sg_rule,
is_reverse_rule=False,
domain=None):
"""_verify_sg_rule
:param pg: Policygroup
:param sg: Securitygroup
:param sg_rule: security group rule to check
:param is_reverse_rule: True if the rule is a reverse rule of an actual
sg_rule. Used for not checking the reverse of a
reverse rule.
:param domain: VSD domain where ACL is located
"""
domain = domain or self.domain
is_ipv4 = sg_rule['ethertype'] == 'IPv4'
stateful_icmp_types = (n_constants.STATEFUL_ICMP_V4_TYPES if is_ipv4
else n_constants.STATEFUL_ICMP_V6_TYPES)
ext_id_filter = self.vsd.get_external_id_filter(sg_rule['id'])
if sg_rule['direction'] == 'ingress':
acl_entry = domain.egress_acl_entry_templates.get_first(
filter=ext_id_filter)
else:
acl_entry = domain.ingress_acl_entry_templates.get_first(
filter=ext_id_filter)
self.assertIsNotNone(
acl_entry, "aclEntryTemplate not found for "
"SG Rule: {}".format(sg_rule))
# Remote group id refers to another Policy Group
remote_pg = None
if sg_rule.get('remote_group_id'):
ext_id_filter = self.vsd.get_external_id_filter(
sg_rule['remote_group_id'])
remote_pgs = domain.policy_groups.get(ext_id_filter)
self.assertNotEmpty(remote_pgs, "Remote PG not found")
remote_pg = remote_pgs[0]
# Remote ip prefix refers to enterprise network / network macro
enterprise_network = None
if sg_rule.get('remote_ip_prefix'):
ip_network = netaddr.IPNetwork(sg_rule['remote_ip_prefix'])
enterprise_network = self._get_enterprise_network(ip_network)
# Ethertype
self.assertEqual(n_constants.PROTO_NAME_TO_NUM[sg_rule['ethertype']],
acl_entry.ether_type)
# Protocol
os_protocol = sg_rule['protocol']
try:
expected_protocol = int(os_protocol)
except (ValueError, TypeError):
if not os_protocol:
expected_protocol = 'ANY'
elif os_protocol == 'icmp' and sg_rule['ethertype'] == 'IPv6':
expected_protocol = n_constants.PROTO_NAME_TO_NUM['icmpv6']
else:
expected_protocol = n_constants.PROTO_NAME_TO_NUM[os_protocol]
self.assertEqual(expected_protocol, acl_entry.protocol)
# Stateful
if not sg['stateful']:
expected_stateful = False
elif str(os_protocol) in ['icmp', 'icmpv6', 'ipv6-icmp', 1, 58]:
if Topology.up_to_nuage('5.4') and not is_ipv4:
# no support for icmp v6 in 5.4
expected_stateful = True
else:
# ICMP rules are not stateful unless special cases
if (not sg_rule['port_range_min']
and not sg_rule['port_range_max']):
expected_stateful = False
elif (sg_rule['port_range_min'] not in stateful_icmp_types):
expected_stateful = False
else:
expected_stateful = True
else:
expected_stateful = True
self.assertEqual(expected_stateful, acl_entry.stateful)
# Network Type
if (sg_rule.get('remote_group_id')
or sg_rule.get('remote_external_group_id')):
expected_network_type = 'POLICYGROUP'
elif sg_rule.get('remote_ip_prefix'):
expected_network_type = 'ENTERPRISE_NETWORK'
else:
if Topology.from_nuage('20.10'):
expected_network_type = 'ANY'
else:
# Legacy usage of ANY network macro / enterprise network
expected_network_type = 'ENTERPRISE_NETWORK'
self.assertEqual(expected_network_type, acl_entry.network_type)
# Network ID
if sg_rule.get('remote_external_group_id'):
expected_network_id = sg_rule['remote_external_group_id']
elif sg_rule.get('remote_ip_prefix'):
expected_network_id = enterprise_network.id
elif sg_rule.get('remote_group_id'):
expected_network_id = remote_pg.id
else:
if Topology.from_nuage('20.10'):
# No network id, as ANY type is used
expected_network_id = None
else:
# Legacy usage of ANY network macro / enterprise network
address = '0.0.0.0/0' if is_ipv4 else '::/0'
ip_network = netaddr.IPNetwork(address)
enterprise_network = self._get_enterprise_network(ip_network)
expected_network_id = enterprise_network.id
self.assertEqual(expected_network_id, acl_entry.network_id)
# Location type
self.assertEqual('POLICYGROUP', acl_entry.location_type)
# Location ID
self.assertEqual(pg.id, acl_entry.location_id)
# Action
self.assertEqual('FORWARD', acl_entry.action)
# DSCP
self.assertEqual('*', acl_entry.dscp)
# TCP/UDP specific attributes
if sg_rule['protocol'] in ['tcp', 'udp']:
# Source port
self.assertEqual('*', acl_entry.source_port)
# Destination port
if (not sg_rule['port_range_min']
and not sg_rule['port_range_max']):
expected_dest_port = '*'
elif sg_rule['port_range_min'] == sg_rule['port_range_max']:
expected_dest_port = str(sg_rule['port_range_min'])
else:
expected_dest_port = '{}-{}'.format(sg_rule['port_range_min'],
sg_rule['port_range_max'])
self.assertEqual(expected_dest_port, acl_entry.destination_port)
# ICMP specific attributes
elif sg_rule['protocol'] in ['icmp', 'icmpv6', 'ipv6-icmp', 1, 58]:
if sg_rule['port_range_min']:
self.assertEqual(str(sg_rule['port_range_min']),
acl_entry.icmp_type)
if sg_rule['port_range_max']:
self.assertEqual(str(sg_rule['port_range_max']),
acl_entry.icmp_code)
# check reverse ICMP rule if needed
if Topology.up_to_nuage('5.4') and not is_ipv4:
# no support for icmpv6 reverse rules
return
else:
acl_icmp_type = (int(acl_entry.icmp_type)
if acl_entry.icmp_type != '*' else '*')
if (acl_icmp_type not in stateful_icmp_types
and not is_reverse_rule):
sg_rule['direction'] = ('ingress' if sg_rule['direction']
== 'egress' else 'egress')
self._verify_sg_rule(pg,
sg,
sg_rule,
is_reverse_rule=True,
domain=domain)
class AllowedAddressPairTest(base.BaseNetworkTest):
_interface = 'json'
_address_in_vsd = 'address'
@classmethod
def setup_clients(cls):
super(AllowedAddressPairTest, cls).setup_clients()
cls.nuage_client = NuageRestClient()
@classmethod
def resource_setup(cls):
super(AllowedAddressPairTest, cls).resource_setup()
if not utils.is_extension_enabled('allowed-address-pairs', 'network'):
msg = "Allowed Address Pairs extension not enabled."
raise cls.skipException(msg)
cls.network = cls.create_network()
cls.subnet = cls.create_subnet(cls.network)
cls.ext_net_id = CONF.network.public_network_id
cls.l3network = cls.create_network()
cls.l3subnet = cls.create_subnet(cls.l3network)
cls.router = cls.create_router(data_utils.rand_name('router-'),
external_network_id=cls.ext_net_id)
cls.create_router_interface(cls.router['id'], cls.l3subnet['id'])
def _verify_port_by_id(self, port_id):
body = self.ports_client.list_ports()
ports = body['ports']
port = [p for p in ports if p['id'] == port_id]
msg = 'Created port not found in list of ports returned by Neutron'
self.assertTrue(port, msg)
def _verify_port_allowed_address_fields(self, port, addrpair_ip,
addrpair_mac):
ip_address = port['allowed_address_pairs'][0]['ip_address']
mac_address = port['allowed_address_pairs'][0]['mac_address']
self.assertEqual(addrpair_ip, ip_address)
self.assertEqual(addrpair_mac, mac_address)
def create_port(self, network, cleanup=True, **kwargs):
if CONF.network.port_vnic_type and 'binding:vnic_type' not in kwargs:
kwargs['binding:vnic_type'] = CONF.network.port_vnic_type
if CONF.network.port_profile and 'binding:profile' not in kwargs:
kwargs['binding:profile'] = CONF.network.port_profile
port = super(AllowedAddressPairTest,
self).create_port(network, **kwargs)
if cleanup:
self.addCleanup(self.ports_client.delete_port, port['id'])
return port
def test_create_address_pair_on_l2domain_with_no_mac(self):
# Create port with allowed address pair attribute
# For /32 cidr
addrpair_port = self.create_port(self.network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address']
}]
port = self.create_port(network=self.network,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
new_router = self.create_router('r')
self.create_router_interface(new_router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
port['mac_address'])
self.routers_client.remove_router_interface(
new_router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
port['mac_address'])
# Check address spoofing is disabled on vport in VSD
nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
@testtools.skipIf(CONF.nuage_sut.ipam_driver == 'nuage_vsd_managed',
'This scenario cannot be reproduced with vsd ipam. '
'Extra validation for vsd ipam prevents it.')
def test_create_address_pair_on_l2domain_update_fixed_ip(self):
# Create port with allowed address pair attribute
# For /32 cidr
port = self.create_port(self.network)
allowed_address_pairs = [{
'ip_address':
port['fixed_ips'][0]['ip_address'],
'mac_address':
port['mac_address']
}]
port = self.update_port(port,
allowed_address_pairs=allowed_address_pairs)
# Check address spoofing is disabled on vport in VSD
nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
# Update fixed ip
# Get free IP in subnet
addrpair_port = self.create_port(self.network, cleanup=False)
ip = addrpair_port['fixed_ips'][0]['ip_address']
self.ports_client.delete_port(addrpair_port['id'])
subnet_id = port['fixed_ips'][0]['subnet_id']
self.update_port(port,
fixed_ips=[{
'subnet_id': subnet_id,
'ip_address': ip
}])
nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
@decorators.attr(type='smoke')
def test_create_address_pair_on_l2domain_with_mac_routersubnetbind(self):
# Create port with allowed address pair attribute
# For /32 cidr
addrpair_port = self.create_port(self.network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port['mac_address']
}]
port = self.create_port(network=self.network,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
new_router = self.create_router('r')
self.create_router_interface(new_router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
self.routers_client.remove_router_interface(
new_router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
# Check address spoofing is disabled on vport in VSD
nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
def test_create_address_pair_on_l2domain_with_cidr(self):
# Create port with AAP for non /32 cidr
ip_address = '30.30.0.0/24'
mac_address = 'fe:a0:36:4b:c8:70'
allowed_address_pairs = [{
'ip_address': ip_address,
'mac_address': mac_address
}]
port = self.create_port(network=self.network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
# Check address spoofing is disabled on vport in VSD
nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
def test_create_address_pair_on_l2domain_with_cidr_routersubnetbind(self):
# Create port with AAP for non /32 cidr
ip_address = '30.30.0.0/24'
mac_address = 'fe:a0:36:4b:c8:70'
allowed_address_pairs = [{
'ip_address': ip_address,
'mac_address': mac_address
}]
port = self.create_port(network=self.network,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
new_router = self.create_router('r')
self.create_router_interface(new_router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
self.routers_client.remove_router_interface(
new_router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
# Check address spoofing is disabled on vport in VSD
nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
@decorators.attr(type='smoke')
def test_create_address_pair_on_l3subnet_with_mac(self):
# Create port with allowed address pair attribute
addrpair_port = self.create_port(self.l3network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port['mac_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
self.routers_client.remove_router_interface(
self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
self.create_router_interface(self.router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
@decorators.attr(type='smoke')
def test_create_address_pair_on_l3subnet_with_mac_routersubnetbind(self):
# Create port with allowed address pair attribute
addrpair_port = self.create_port(self.l3network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port['mac_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
self.routers_client.remove_router_interface(
self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
self.create_router_interface(self.router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
def test_create_address_pair_on_l3subnet_with_no_mac(self):
# Create port with allowed address pair attribute
addrpair_port = self.create_port(self.l3network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_by_id(port['id'])
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
port['mac_address'])
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port['fixed_ips'][0]['ip_address']))
self.assertEqual(port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
def test_create_address_pair_on_l3subnet_with_cidr(self):
# Create port with allowed address pair attribute
ip_address = '30.30.0.0/24'
mac_address = 'fe:a0:36:4b:c8:70'
allowed_address_pairs = [{
'ip_address': ip_address,
'mac_address': mac_address
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
def test_create_address_pair_on_l3subnet_with_cidr_routersubnetbind(self):
# Create port with allowed address pair attribute
ip_address = '30.30.0.0/24'
mac_address = 'fe:a0:36:4b:c8:70'
allowed_address_pairs = [{
'ip_address': ip_address,
'mac_address': mac_address
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
self.routers_client.remove_router_interface(
self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
self.create_router_interface(self.router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing'])
@decorators.attr(type='smoke')
def test_update_address_pair_on_l3subnet(self):
addrpair_port_1 = self.create_port(self.l3network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port_1['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port_1['mac_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, allowed_address_pairs[0]['ip_address'],
allowed_address_pairs[0]['mac_address'])
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port_1['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Update the address pairs
# Create port with allowed address pair attribute
addrpair_port_2 = self.create_port(self.l3network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port_2['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port_2['mac_address']
}]
port = self.update_port(port,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port_2['fixed_ips'][0]['ip_address'],
addrpair_port_2['mac_address'])
# Verify new VIP is created
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port_2['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port_2['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Verify old VIP is deleted
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address']))
self.assertEmpty(nuage_vip)
# Subnet attach/detach are not fully synchronous
@decorators.attr(type='smoke')
def test_update_address_pair_on_l3subnet_routersubnetbind(self):
# Test now uses fixed ips, so random error when a port is created
# with the ip of the dhcp port in L2 is prevented.
ip = IPAddress(self.l3subnet['allocation_pools'][0]['start'])
ip += 2 # first ip or second ip is external dhcp port
addrpair_port_1 = self.create_port(self.l3network,
fixed_ips=[{
'subnet_id':
self.l3subnet['id'],
'ip_address':
str(ip)
}],
device_owner='nuage:vip')
ip += 1
allowed_address_pairs = [{
'ip_address':
addrpair_port_1['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port_1['mac_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs,
fixed_ips=[{
'subnet_id': self.l3subnet['id'],
'ip_address': str(ip)
}])
ip += 1
# routersubnetbind
self.routers_client.remove_router_interface(
self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, allowed_address_pairs[0]['ip_address'],
allowed_address_pairs[0]['mac_address'])
self.create_router_interface(self.router['id'],
port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, allowed_address_pairs[0]['ip_address'],
allowed_address_pairs[0]['mac_address'])
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port_1['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Update the address pairs
# Create port with allowed address pair attribute
addrpair_port_2 = self.create_port(self.l3network,
fixed_ips=[{
'subnet_id':
self.l3subnet['id'],
'ip_address':
str(ip)
}],
device_owner='nuage:vip')
ip += 1
allowed_address_pairs = [{
'ip_address':
addrpair_port_2['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port_2['mac_address']
}]
port = self.update_port(port,
allowed_address_pairs=allowed_address_pairs)
# routersubnetbind
self.routers_client.remove_router_interface(
self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id'])
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port_2['fixed_ips'][0]['ip_address'],
addrpair_port_2['mac_address'])
self.create_router_interface(self.router['id'],
port['fixed_ips'][0]['subnet_id'])
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port_2['fixed_ips'][0]['ip_address'],
addrpair_port_2['mac_address'])
# Verify new VIP is created
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port_2['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port_2['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Verify old VIP is deleted
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address']))
self.assertEmpty(nuage_vip)
def test_fip_allowed_address_pairs_assoc(self):
if self._ip_version == 6:
self.skipTest('Skipping FIP to VIP in IPV6')
post_body = {"device_owner": 'nuage:vip'}
addrpair_port = self.create_port(self.l3network, **post_body)
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port['mac_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, allowed_address_pairs[0]['ip_address'],
allowed_address_pairs[0]['mac_address'])
body = self.floating_ips_client.create_floatingip(
floating_network_id=self.ext_net_id, port_id=addrpair_port['id'])
created_floating_ip = body['floatingip']
self.assertIsNotNone(created_floating_ip['id'])
self.assertEqual(created_floating_ip['fixed_ip_address'],
addrpair_port['fixed_ips'][0]['ip_address'])
# VSD validation of VIP to FIP association
l3dom_ext_id = self.nuage_client.get_vsd_external_id(self.router['id'])
nuage_domain = self.nuage_client.get_l3domain(
filters='externalID', filter_values=l3dom_ext_id)
nuage_domain_fip = self.nuage_client.get_floatingip(
n_constants.DOMAIN, nuage_domain[0]['ID'])
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port['fixed_ips'][0]['ip_address']))
self.assertEqual(nuage_domain_fip[0]['ID'],
nuage_vip[0]['associatedFloatingIPID'])
self.assertEqual(nuage_domain_fip[0]['assignedToObjectType'],
'virtualip')
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
self.floating_ips_client.delete_floatingip(created_floating_ip['id'])
def test_allowed_address_pair_extraroute(self):
addrpair_port = self.create_port(self.l3network,
device_owner='nuage:vip')
allowed_address_pairs = [{
'ip_address':
addrpair_port['fixed_ips'][0]['ip_address'],
'mac_address':
addrpair_port['mac_address']
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_by_id(port['id'])
# Confirm port was created with allowed address pair attribute
self._verify_port_allowed_address_fields(
port, addrpair_port['fixed_ips'][0]['ip_address'],
addrpair_port['mac_address'])
# update the extra route
next_hop = addrpair_port['fixed_ips'][0]['ip_address']
destination = ('2003:a:b::5/128'
if self._ip_version == 6 else '201.1.1.5/32')
test_routes = [{'nexthop': next_hop, 'destination': destination}]
extra_route = self.routers_client.update_router(self.router['id'],
routes=test_routes)
self.addCleanup(self.routers_client.update_router,
self.router['id'],
routes=None)
self.assertEqual(1, len(extra_route['router']['routes']))
self.assertEqual(destination,
extra_route['router']['routes'][0]['destination'])
self.assertEqual(next_hop,
extra_route['router']['routes'][0]['nexthop'])
show_body = self.routers_client.show_router(self.router['id'])
self.assertEqual(destination,
show_body['router']['routes'][0]['destination'])
self.assertEqual(next_hop, show_body['router']['routes'][0]['nexthop'])
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=str(addrpair_port['fixed_ips'][0]['ip_address']))
self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Check static roues on VSD
nuage_static_route = self.nuage_client.get_staticroute(
parent=n_constants.DOMAIN, parent_id=nuage_domain[0]['ID'])
self.assertEqual(nuage_static_route[0]['nextHopIp'], next_hop,
"wrong nexthop")
@testtools.skipUnless(
Topology.from_nuage('20.10R2')
or Topology.from_nuage('6.0.12', within_stream='6.0')
or Topology.from_nuage('5.4.1.U16', within_stream='5.4'),
"Single IP VIP CIDR not allowed on older releases.")
def test_allowed_address_pair_single_ip_cidr(self):
"""test_allowed_address_pair_single_ip_cidr
Test that using CIDR notation with an address range of only one ip
is allowed.
"""
addrpair_port = self.create_port(self.l3network,
device_owner='nuage:vip')
cidr_suffix = '/32' if self._ip_version == 4 else '/128'
ip_address = addrpair_port['fixed_ips'][0]['ip_address'] + cidr_suffix
mac_address = addrpair_port['mac_address']
allowed_address_pairs = [{
'ip_address': ip_address,
'mac_address': mac_address
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
# Check VIP is created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=addrpair_port['fixed_ips'][0]['ip_address'])
self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Verify clearing
self.update_port(port=port, allowed_address_pairs=[])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=addrpair_port['fixed_ips'][0]['ip_address'])
self.assertIsNot(nuage_vip, "Found VIP after deleting address pair")
@testtools.skipUnless(
Topology.from_nuage('20.10R2')
or Topology.from_nuage('6.0.12', within_stream='6.0')
or Topology.from_nuage('5.4.1.U16', within_stream='5.4'),
"Single IP VIP CIDR not allowed on older releases.")
def test_allowed_address_pair_single_ip_cidr_delete_other_aap(self):
"""test_allowed_address_pair_single_ip_cidr_delete_other_aap
Test that using CIDR notation with an address range of only one ip
is allowed, a second AAP does not interfere and deleting that second
AAP does not delete the original /32 CIDR AAP. This tests the deletion
of AAP flow.
"""
addrpair_port = self.create_port(self.l3network,
device_owner='nuage:vip')
addrpair_port2 = self.create_port(self.l3network,
device_owner='nuage:vip')
cidr_suffix = '/32' if self._ip_version == 4 else '/128'
ip_address = addrpair_port['fixed_ips'][0]['ip_address'] + cidr_suffix
mac_address = addrpair_port['mac_address']
allowed_address_pairs = [{
'ip_address': ip_address,
'mac_address': mac_address
}]
port = self.create_port(network=self.l3network,
allowed_address_pairs=allowed_address_pairs)
self._verify_port_allowed_address_fields(port, ip_address, mac_address)
# Update port with second ip
ip_address2 = addrpair_port2['fixed_ips'][0]['ip_address']
mac_address2 = addrpair_port2['mac_address']
allowed_address_pairs_update = [
{
'ip_address': ip_address,
'mac_address': mac_address
},
{
'ip_address': ip_address2,
'mac_address': mac_address2
},
]
self.update_port(port,
allowed_address_pairs=allowed_address_pairs_update)
# Check VIPs are created in VSD
l3domain_ext_id = self.nuage_client.get_vsd_external_id(
self.router['id'])
nuage_domain = self.nuage_client.get_resource(
n_constants.DOMAIN,
filters='externalID',
filter_values=l3domain_ext_id)
nuage_subnet = self.nuage_client.get_domain_subnet(
n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet)
port_ext_id = self.nuage_client.get_vsd_external_id(port['id'])
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
# First VIP
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=addrpair_port['fixed_ips'][0]['ip_address'])
self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Second vip
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=addrpair_port2['fixed_ips'][0]['ip_address'])
self.assertEqual(addrpair_port2['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
# Verify clearing to only first address pair
self.update_port(port, allowed_address_pairs=allowed_address_pairs)
nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK,
nuage_subnet[0]['ID'],
filters='externalID',
filter_values=port_ext_id)
self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing'])
nuage_vip = self.nuage_client.get_virtual_ip(
n_constants.VPORT,
nuage_vport[0]['ID'],
filters='virtualIP',
filter_values=addrpair_port['fixed_ips'][0]['ip_address'])
self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC'])
self.assertEqual(nuage_vip[0]['externalID'],
self.nuage_client.get_vsd_external_id(port['id']))
def _verify_fip_vsd(self,
subnet,
port,
created_floating_ip,
ingress_rate_limit=None,
egress_rate_limit=None):
# verifying on Domain level that the floating ip is added
external_id = self.nuage_client.get_vsd_external_id(
created_floating_ip['router_id'])
nuage_domain = self.nuage_client.get_l3domain(
filters='externalID', filter_values=external_id)
nuage_domain_fips = self.nuage_client.get_floatingip(
constants.DOMAIN, nuage_domain[0]['ID'])
# The VSD FIP has same IP address than OpenStack FIP
self.assertIn(
created_floating_ip['floating_ip_address'],
[nuage_fip['address'] for nuage_fip in nuage_domain_fips])
# The VSD externalID for FIP matches the OpenStack ID
external_id = self.nuage_client.get_vsd_external_id(
created_floating_ip['id'])
self.assertIn(
external_id,
[nuage_fip['externalID'] for nuage_fip in nuage_domain_fips])
# Check vsd
vsd_subnets = self.nuage_client.get_domain_subnet(None,
None,
by_subnet=subnet)
self.assertEqual(1, len(vsd_subnets))
vports = self.nuage_client.get_vport(
constants.SUBNETWORK, vsd_subnets[0]['ID'], 'externalID',
self.nuage_client.get_vsd_external_id(port['id']))
self.assertEqual(1, len(vports))
qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID'])
if Topology.from_nuage('20.10'):
self.assertEqual(0, len(qos))
nuage_fip = [
fip for fip in nuage_domain_fips
if fip['externalID'] == external_id
][0]
associated_ingress_rate_limit = nuage_fip.get(
'ingressRateLimiterID')
associated_egress_rate_limit = nuage_fip.get('egressRateLimiterID')
if ingress_rate_limit is not None:
# Get Ratelimiter
external_id = 'egress_{}'.format(created_floating_ip['id'])
ratelimiter = self.nuage_client.get_ratelimiter(external_id)
if ingress_rate_limit == constants.UNLIMITED:
self.assertIsNone(ratelimiter)
self.assertIsNone(associated_egress_rate_limit)
else:
self.assertEqualFiprate(
ingress_rate_limit,
self.convert_mbps_to_kbps(
ratelimiter['peakInformationRate']))
self.assertEqual(associated_egress_rate_limit,
ratelimiter['ID'])
if egress_rate_limit is not None:
external_id = 'ingress_{}'.format(created_floating_ip['id'])
ratelimiter = self.nuage_client.get_ratelimiter(external_id)
if egress_rate_limit == constants.UNLIMITED:
self.assertIsNone(ratelimiter)
self.assertIsNone(associated_ingress_rate_limit)
else:
self.assertEqualFiprate(
egress_rate_limit,
self.convert_mbps_to_kbps(
ratelimiter['peakInformationRate']))
self.assertEqual(associated_ingress_rate_limit,
ratelimiter['ID'])
else:
self.assertEqual(1, len(qos))
self.assertEqual(True, qos[0]['FIPRateLimitingActive'])
if ingress_rate_limit is not None:
self.assertEqualFiprate(
ingress_rate_limit,
self.convert_mbps_to_kbps(
qos[0]['EgressFIPPeakInformationRate']))
if egress_rate_limit is not None:
self.assertEqualFiprate(
egress_rate_limit,
self.convert_mbps_to_kbps(
qos[0]['FIPPeakInformationRate']))
self.assertEqual(
self.nuage_client.get_vsd_external_id(
created_floating_ip['id']), qos[0]['externalID'])
# Copyright 2020 NOKIA
# All Rights Reserved.
import getpass
import inspect
from nuage_tempest_plugin.lib.topology import Topology
if Topology.up_to_nuage('20.10'):
from vspk import v5_0 as vspk5
else:
vspk5 = None
if Topology.from_nuage('6.0'):
from vspk import v6 as vspk6
else:
vspk6 = None
CONF = Topology.get_conf()
LOG = Topology.get_logger(__name__)
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# CAUTION : THIS SUITE IS HIGHLY INTRUSIVE
# - it relies heavily on devstack env
# - it installs new packages in the tox env (like neutron)
# - it changes the neutron branch out of which neutron runs
# - it restarts neutron
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
def test_create_floatingip_without_rate_limiting(self):
# Create port
port = self.create_port(network=self.network)
# Associate a fip to the port
body = self.floating_ips_client.create_floatingip(
floating_network_id=self.ext_net_id,
port_id=port['id'],
fixed_ip_address=port['fixed_ips'][0]['ip_address'])
created_floating_ip = body['floatingip']
self.addCleanup(self.floating_ips_client.delete_floatingip,
created_floating_ip['id'])
self.assertIsNotNone(created_floating_ip['id'])
fip_id = created_floating_ip['id']
body = self.floating_ips_client.show_floatingip(fip_id)
fip = body['floatingip']
self.assertIsNotNone(fip.get('nuage_ingress_fip_rate_kbps'))
self.assertIsNotNone(fip.get('nuage_egress_fip_rate_kbps'))
# Check vsd
vsd_subnets = self.nuage_client.get_domain_subnet(
None, None, by_subnet=self.subnet)
self.assertEqual(1, len(vsd_subnets))
vports = self.nuage_client.get_vport(constants.SUBNETWORK,
vsd_subnets[0]['ID'],
'externalID', port['id'])
self.assertEqual(1, len(vports))
qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID'])
if Topology.from_nuage('20.10'):
self.assertEqual(0, len(qos))
external_id_domain = self.nuage_client.get_vsd_external_id(
created_floating_ip['router_id'])
nuage_domain = self.nuage_client.get_l3domain(
filters='externalID', filter_values=external_id_domain)
nuage_domain_fips = self.nuage_client.get_floatingip(
constants.DOMAIN, nuage_domain[0]['ID'])
nuage_fip = [
nuage_fip for nuage_fip in nuage_domain_fips
if nuage_fip['externalID'].startswith(fip_id)
][0]
associated_ingress_rate_limit = nuage_fip['ingressRateLimiterID']
associated_egress_rate_limit = nuage_fip['egressRateLimiterID']
# Infinity for egress expected
self.assertIsNone(associated_egress_rate_limit)
# Infinity for ingress expected
self.assertIsNone(associated_ingress_rate_limit)
else:
self.assertEqual(1, len(vports))
qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID'])
self.assertEqual(1, len(qos))
self.assertEqual(self.nuage_client.get_vsd_external_id(fip_id),
qos[0]['externalID'])
self.assertEqual(True, qos[0]['FIPRateLimitingActive'])
self.assertEqual('INFINITY', qos[0]['FIPPeakInformationRate'])
self.assertEqual('INFINITY',
qos[0]['EgressFIPPeakInformationRate'])
def test_create_floatingip_with_rate_limiting(self):
rate_limit = 10000
# Create port
port = self.create_port(network=self.network)
# Associate a fip to the port
body = self.floating_ips_client.create_floatingip(
floating_network_id=self.ext_net_id,
port_id=port['id'],
fixed_ip_address=port['fixed_ips'][0]['ip_address'],
nuage_egress_fip_rate_kbps=rate_limit)
created_floating_ip = body['floatingip']
self.addCleanup(self.floating_ips_client.delete_floatingip,
created_floating_ip['id'])
self.assertIsNotNone(created_floating_ip['id'])
fip_id = created_floating_ip['id']
body = self.floating_ips_client.show_floatingip(fip_id)
fip = body['floatingip']
# rate_limit is in kbps now!
self.assertThat(
fip, ContainsDict({'nuage_ingress_fip_rate_kbps': Equals(-1)}))
self.assertThat(
fip,
ContainsDict({'nuage_egress_fip_rate_kbps': Equals(rate_limit)}))
# attribute 'nuage_fip_rate' is no longer in response
self.assertIsNone(fip.get('nuage_fip_rate'))
# Check vsd
vsd_subnets = self.nuage_client.get_domain_subnet(
None, None, by_subnet=self.subnet)
self.assertEqual(1, len(vsd_subnets))
vports = self.nuage_client.get_vport(constants.SUBNETWORK,
vsd_subnets[0]['ID'],
'externalID', port['id'])
self.assertEqual(1, len(vports))
qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID'])
if Topology.from_nuage('20.10'):
self.assertEqual(0, len(qos))
external_id_domain = self.nuage_client.get_vsd_external_id(
created_floating_ip['router_id'])
nuage_domain = self.nuage_client.get_l3domain(
filters='externalID', filter_values=external_id_domain)
nuage_domain_fips = self.nuage_client.get_floatingip(
constants.DOMAIN, nuage_domain[0]['ID'])
nuage_fip = [
nuage_fip for nuage_fip in nuage_domain_fips
if nuage_fip['externalID'].startswith(fip_id)
][0]
associated_ingress_rate_limit = nuage_fip['ingressRateLimiterID']
associated_egress_rate_limit = nuage_fip['egressRateLimiterID']
# Infinity for egress expected
self.assertIsNone(associated_egress_rate_limit)
# Ingress:
external_id = 'ingress_{}'.format(created_floating_ip['id'])
ratelimiter = self.nuage_client.get_ratelimiter(external_id)
self.assertEqual(str(float(rate_limit / 1000)),
ratelimiter['peakInformationRate'])
self.assertEqual(associated_ingress_rate_limit, ratelimiter['ID'])
else:
self.assertEqual(1, len(qos))
self.assertThat(
qos[0],
ContainsDict({
'externalID':
Equals(self.nuage_client.get_vsd_external_id(fip_id))
}))
self.assertThat(
qos[0], ContainsDict({'FIPRateLimitingActive': Equals(True)}))
self.assertThat(
qos[0],
ContainsDict({
'FIPPeakInformationRate':
Equals(str(float(rate_limit / 1000)))
}))
self.assertThat(
qos[0], ContainsDict({'FIPPeakBurstSize': Equals(str(100))}))
self.assertThat(
qos[0],
ContainsDict(
{'EgressFIPPeakInformationRate': Equals('INFINITY')}))
self.assertThat(
qos[0],
ContainsDict({'EgressFIPPeakBurstSize': Equals(str(100))}))
# Copyright 2015 Alcatel-Lucent
# All Rights Reserved.
from tempest.lib import exceptions as lib_exc
from tempest.test import decorators
from nuage_tempest_plugin.lib.topology import Topology
from nuage_tempest_plugin.tests.api.floating_ip import \
base_nuage_bidirectional_fip_rate_limit
if Topology.from_nuage('20.5'):
MSG_INVALID_INPUT_IN = ("Bad request: 'nuage_ingress_fip_rate_kbps' "
"should be an integer number between 0 and "
"2147483647, -1 for unlimited or 'default' "
"for the configured default value.")
MSG_INVALID_INPUT_EG = ("Bad request: 'nuage_egress_fip_rate_kbps' "
"should be an integer number between 0 and "
"2147483647, -1 for unlimited or 'default' for "
"the configured default value.")
else:
MSG_INVALID_INPUT_IN = ("'nuage_ingress_fip_rate_kbps' should be a "
"number higher than 0, -1 for unlimited or "
"'default' for the configured default value.")
MSG_INVALID_INPUT_EG = ("'nuage_egress_fip_rate_kbps' should be a number "
"higher than 0, -1 for unlimited or 'default' "
"for the configured default value.")
MSG_INVALID_INPUT_FOR_OPERATION = "Invalid input for operation: " + \
"'nuage_fip_rate' should be a number " \
"higher than 0, -1 for unlimited " + \
class NuageExtSecGroup(test_security_groups_nuage.SecGroupTestNuageBase):
if Topology.from_nuage('20.5'):
expected_exception_from_topology = exceptions.BadRequest
else:
expected_exception_from_topology = exceptions.ServerFault
@classmethod
def setup_clients(cls):
super(NuageExtSecGroup, cls).setup_clients()
cls.nuageclient = nuage_client.NuageRestClient()
cls.client = NuageNetworkClientJSON(
cls.os_primary.auth_provider,
**cls.os_primary.default_params)
@classmethod
def resource_setup(cls):
super(NuageExtSecGroup, cls).resource_setup()
cls.external_secgroups = []
@classmethod
def resource_cleanup(cls):
super(NuageExtSecGroup, cls).resource_cleanup()
@classmethod
def _create_external_security_group(cls, **kwargs):
body = cls.client.create_nuage_external_security_group(**kwargs)
ext_sg = body['nuage_external_security_group']
cls.external_secgroups.append(ext_sg)
return ext_sg
@classmethod
def _delete_external_security_group(cls, esg_id):
try:
cls.client.delete_nuage_external_security_group(esg_id)
except Exception as exc:
LOG.exception(exc)
@classmethod
def _create_external_security_group_rule(cls, **kwargs):
body = cls.client.create_nuage_external_security_group_rule(**kwargs)
ext_sg_rule = body['nuage_external_security_group_rule']
cls.external_secgroups.append(ext_sg_rule)
return ext_sg_rule
def _verify_external_secgroup_properties(self, actual_esg,
expected_esg):
self.assertEqual(actual_esg['name'], expected_esg['name'])
self.assertEqual(actual_esg['extended_community_id'],
expected_esg['EVPNCommunityTag'])
self.assertEqual(actual_esg['id'],
expected_esg['ID'])
def _verify_external_secgroup_rule_properties(self, actual_esgr,
expected_esgr, origin_sg):
self.assertEqual(actual_esgr['id'], expected_esgr['ID'])
self.assertEqual(actual_esgr['protocol'], expected_esgr['protocol'])
self.assertEqual(actual_esgr['origin_group_id'], origin_sg['id'])
def _get_nuage_external_acl(self, esg_router, ext_sg_rule, isList=False):
l3domain_ext_id = self.nuageclient.get_vsd_external_id(
esg_router['id'])
l3domain = self.nuageclient.get_l3domain(
filters='externalID',
filter_values=l3domain_ext_id)
if ext_sg_rule['direction'] == 'egress':
nuage_eacl_template = self.nuageclient.\
get_egressacl_template(constants.DOMAIN,
l3domain[0]['ID'])
if not isList:
nuage_entrytemplate = self.nuageclient.\
get_egressacl_entrytemplate(
constants.EGRESS_ACL_TEMPLATE,
nuage_eacl_template[0]['ID'],
filters='ID',
filter_values=ext_sg_rule['id'])
else:
nuage_entrytemplate = self.nuageclient.\
get_egressacl_entrytemplate(
constants.EGRESS_ACL_TEMPLATE,
nuage_eacl_template[0]['ID'])
else:
nuage_iacl_template = self.nuageclient.\
get_ingressacl_template(
constants.DOMAIN,
l3domain[0]['ID'])
if not isList:
nuage_entrytemplate = self.nuageclient.\
get_ingressacl_entrytemplate(
constants.INGRESS_ACL_TEMPLATE,
nuage_iacl_template[0]['ID'],
filters='ID',
filter_values=ext_sg_rule['id'])
else:
nuage_entrytemplate = self.nuageclient. \
get_ingressacl_entrytemplate(
constants.INGRESS_ACL_TEMPLATE,
nuage_iacl_template[0]['ID'])
return nuage_entrytemplate
def test_create_show_list_delete_ext_secgroup(self, *args):
router_name = data_utils.rand_name('router-')
body = self.routers_client.create_router(name=router_name)
esg_router = body['router']
self.addCleanup(self.routers_client.delete_router, esg_router['id'])
name = data_utils.rand_name('esg-')
kwargs = {'name': name,
'router_id': esg_router['id'],
'extended_community_id': "1:1"}
ext_sg = self._create_external_security_group(**kwargs)
self.addCleanup(self._delete_external_security_group, ext_sg['id'])
self.assertEqual(ext_sg['name'], name)
self.assertEqual(ext_sg['extended_community_id'],
"1:1")
# VSD verification of external security group
res_path = self.nuageclient.build_resource_path(
constants.POLICYGROUP,
resource_id=ext_sg['id'])
show_vsd_resp = self.nuageclient.get(res_path)
show_resp = self.client.show_nuage_external_security_group(
ext_sg['id'])
self._verify_external_secgroup_properties(
show_resp['nuage_external_security_group'],
show_vsd_resp[0])
self.assertEqual(self.nuage_client.get_vsd_external_id(
esg_router['id']), show_vsd_resp[0]['externalID'])
# list_external_security_group
res_path = self.nuageclient.build_resource_path(
constants.POLICYGROUP,
resource_id=ext_sg['id'])
list_vsd_resp = self.nuageclient.get(res_path)
list_resp = self.client.list_nuage_external_security_group(
esg_router['id'])
self._verify_external_secgroup_properties(
list_resp['nuage_external_security_groups'][0],
list_vsd_resp[0])
def test_create_show_list_delete_ext_secgroup_rule(self):
router_name = data_utils.rand_name('router-')
body = self.routers_client.create_router(name=router_name)
esg_router = body['router']
self.addCleanup(self.routers_client.delete_router, esg_router['id'])
body, name = self._create_security_group()
sec_group = body['security_group']
name = data_utils.rand_name('esg-')
kwargs = {'name': name,
'router_id': esg_router['id'],
'extended_community_id': "1:1"}
ext_sg = self._create_external_security_group(**kwargs)
self.addCleanup(self._delete_external_security_group, ext_sg['id'])
kwargs = {'protocol': 'tcp',
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id': ext_sg['id']}
ext_sg_rule = self._create_external_security_group_rule(**kwargs)
# Show operation and VSD verification of external security group
show_resp = self.client.show_nuage_external_security_group_rule(
ext_sg_rule['id'])
show_vsd_resp = self._get_nuage_external_acl(esg_router, ext_sg_rule)
self._verify_external_secgroup_rule_properties(
show_resp['nuage_external_security_group_rule'],
show_vsd_resp[0], sec_group)
# Create second rule
kwargs = {'protocol': 'udp',
'port_range_min': 300,
'port_range_max': 500,
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id': ext_sg['id']}
self._create_external_security_group_rule(**kwargs)
# Create third rule
kwargs = {'protocol': 'vrrp',
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id': ext_sg['id']}
self._create_external_security_group_rule(**kwargs)
# List Operation on secgroup rules
list_resp = self.client.list_nuage_external_security_group_rule(
ext_sg['id'])['nuage_external_security_group_rules']
list_vsd_resp = self._get_nuage_external_acl(
esg_router, ext_sg_rule, True)
for resp, vsd_resp in zip(list_resp, list_vsd_resp):
self._verify_external_secgroup_rule_properties(
resp, vsd_resp, sec_group)
for vsd_resp in list_vsd_resp:
self.assertEqual(self.nuage_client.get_vsd_external_id(
esg_router['id']), vsd_resp['externalID'])
def test_create_show_list_delete_ext_secgroup_l2domain(self):
net_name = data_utils.rand_name('network-')
network = self.create_network(net_name)
esg_subnet = self.create_subnet(network)
name = data_utils.rand_name('esg-')
kwargs = {'name': name,
'subnet_id': esg_subnet['id'],
'extended_community_id': "4:4"}
ext_sg = self._create_external_security_group(**kwargs)
self.addCleanup(self._delete_external_security_group, ext_sg['id'])
self.assertEqual(ext_sg['name'], name)
self.assertEqual(ext_sg['extended_community_id'],
"4:4")
# VSD verification of external security group
res_path = self.nuageclient.build_resource_path(
constants.POLICYGROUP,
resource_id=ext_sg['id'])
show_vsd_resp = self.nuageclient.get(res_path)
show_resp = self.client.show_nuage_external_security_group(
ext_sg['id'])
self._verify_external_secgroup_properties(
show_resp['nuage_external_security_group'],
show_vsd_resp[0])
self.assertEqual(self.nuage_client.get_vsd_external_id(
esg_subnet['id']), show_vsd_resp[0]['externalID'])
# list_external_security_group
res_path = self.nuageclient.build_resource_path(
constants.POLICYGROUP,
resource_id=ext_sg['id'])
list_vsd_resp = self.nuageclient.get(res_path)
list_resp = self.client.list_nuage_external_security_group_l2domain(
esg_subnet['id'])
self._verify_external_secgroup_properties(
list_resp['nuage_external_security_groups'][0],
list_vsd_resp[0])
def test_create_delete_invalid_ext_secgroup(self):
router_name = data_utils.rand_name('router-')
body = self.routers_client.create_router(name=router_name)
esg_router = body['router']
self.addCleanup(self.routers_client.delete_router, esg_router['id'])
self._create_security_group()
name = data_utils.rand_name('esg-')
# Missing pararmeter: external_communtiy_tag in input
kwargs = {'name': name,
'router_id': esg_router['id']}
self.assertRaises(
exceptions.BadRequest,
self.client.create_nuage_external_security_group,
**kwargs)
# Invalid external_communtiy_tag_value
kwargs = {'name': name,
'router_id': esg_router['id'],
'extended_community_id': "4"}
self.assertRaises(
self.expected_exception_from_topology,
self.client.create_nuage_external_security_group,
**kwargs)
# Missing pararmeter: router/subnet ID in input
kwargs = {'name': name,
'router_id': '11111111-1111-1111-1111111111111111',
'extended_community_id': "2:2"}
self.assertRaises(
exceptions.BadRequest,
self.client.create_nuage_external_security_group,
**kwargs)
# Try deleting invalid external_secgroup
self.assertRaises(
exceptions.NotFound,
self.client.delete_nuage_external_security_group,
'11111111-1111-1111-1111111111111111')
def test_create_delete_invalid_ext_secgroup_rule(self):
router_name = data_utils.rand_name('router-')
body = self.routers_client.create_router(name=router_name)
esg_router = body['router']
self.addCleanup(self.routers_client.delete_router, esg_router['id'])
body, name = self._create_security_group()
sec_group = body['security_group']
name = data_utils.rand_name('esg-')
kwargs = {'name': name,
'router_id': esg_router['id'],
'extended_community_id': "1:1"}
ext_sg = self._create_external_security_group(**kwargs)
# Missing mandatory parameter: origin_group_id in input
kwargs = {'protocol': 'tcp',
'direction': 'egress',
'remote_external_group_id': ext_sg['id']}
self.assertRaises(
self.expected_exception_from_topology,
self.client.create_nuage_external_security_group_rule,
**kwargs)
# Invalid remote_group_id value
kwargs = {'protocol': 'tcp',
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id':
'11111111-1111-1111-1111111111111111'}
self.assertRaises(
self.expected_exception_from_topology,
self.client.create_nuage_external_security_group_rule,
**kwargs)
# Try deleting invalid external_secgroup_rule
self.assertRaises(
exceptions.NotFound,
self.client.delete_nuage_external_security_group_rule,
'11111111-1111-1111-1111111111111111')
def test_neutron_nuage_commands_help(self):
help_text = self.cli.neutron('help')
lines = help_text.split('\n')
self.assertFirstLineStartsWith(lines, 'usage: neutron')
commands = []
cmds_start = lines.index('Commands for API v2.0:')
command_pattern = re.compile('^ {2}([a-z0-9\-_]+)')
for line in lines[cmds_start:]:
match = command_pattern.match(line)
if match:
commands.append(match.group(1))
commands = set(commands)
wanted_commands = {'nuage-netpartition-create'}
if utils.is_extension_enabled('net-partition', 'network'):
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-netpartition', update=False))
if utils.is_extension_enabled('appdesigner', 'network'):
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-appdport'))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-service'))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-tier'))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-application'))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-applicationdomain'))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-flow'))
if utils.is_extension_enabled('nuage-redirect-target', 'network'):
wanted_commands.add('nuage-redirect-target-vip-create')
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-redirect-target', update=False))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-redirect-target-rule', update=False))
if Topology.from_nuage('4.0'):
wanted_commands.add('nuage-policy-group-list')
wanted_commands.add('nuage-policy-group-show')
wanted_commands.add('nuage-floatingip-list')
wanted_commands.add('nuage-floatingip-show')
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-external-security-group', update=False))
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-external-security-group-rule', update=False))
if utils.is_extension_enabled('nuage-gateway', 'network'):
wanted_commands.add('nuage-gateway-list')
wanted_commands.add('nuage-gateway-show')
wanted_commands.add('nuage-gateway-port-list')
wanted_commands.add('nuage-gateway-port-show')
wanted_commands.add('nuage-gateway-vlan-assign')
wanted_commands.add('nuage-gateway-vlan-create')
wanted_commands.add('nuage-gateway-vlan-list')
wanted_commands.add('nuage-gateway-vlan-delete')
wanted_commands.add('nuage-gateway-vlan-show')
wanted_commands.add('nuage-gateway-vlan-unassign')
wanted_commands = wanted_commands.union(self._crud_command_list(
'nuage-gateway-vport', update=False))
self.assertFalse(wanted_commands - commands)
class NuageExtSecGroup(nuage_test.NuageBaseTest):
if Topology.from_nuage('20.5'):
expected_exception_from_topology = exceptions.BadRequest
else:
expected_exception_from_topology = exceptions.ServerFault
@classmethod
def resource_setup(cls):
super(NuageExtSecGroup, cls).resource_setup()
cls.network = cls.create_cls_network()
cls.subnet4 = cls.create_cls_subnet(cls.network, ip_version=4)
cls.subnet6 = cls.create_cls_subnet(cls.network, ip_version=6)
cls.router = cls.create_cls_router()
cls.router_cls_attach(cls.router, cls.subnet4)
cls.router_cls_attach(cls.router, cls.subnet6)
cls.domain = cls.vsd.get_l3_domain_by_subnet(cls.subnet4)
def _create_external_security_group(self, cleanup=True, **kwargs):
body = self.plugin_network_client.create_nuage_external_security_group(
**kwargs)
ext_sg = body['nuage_external_security_group']
if cleanup:
self.addCleanup(self._delete_external_security_group,
ext_sg['id'])
return ext_sg
def _delete_external_security_group(self, esg_id):
self.plugin_network_client.delete_nuage_external_security_group(esg_id)
def _create_external_security_group_rule(self, **kwargs):
body = (self.plugin_network_client.
create_nuage_external_security_group_rule(**kwargs))
ext_sg_rule = body['nuage_external_security_group_rule']
return ext_sg_rule
def _verify_external_secgroup_properties(self, actual_esg,
vsd_pg):
self.assertEqual(actual_esg['name'], vsd_pg.name)
self.assertEqual(actual_esg['extended_community_id'],
vsd_pg.evpn_community_tag)
self.assertEqual(actual_esg['id'], vsd_pg.id)
def _verify_external_secgroup_rule_properties(self, actual_esgr,
vsd_pg, origin_sg):
self.assertEqual(actual_esgr['id'], vsd_pg.id)
self.assertEqual(actual_esgr['protocol'], vsd_pg.protocol)
self.assertEqual(actual_esgr['origin_group_id'], origin_sg['id'])
def _get_nuage_external_acl(self, ext_sg_rule=None):
if ext_sg_rule:
template = self.vsd.vspk.NUEgressACLEntryTemplate(
id=ext_sg_rule['id'])
template.fetch()
return template
else:
return self.domain.egress_acl_entry_templates.get()
def test_create_show_list_delete_ext_secgroup(self):
name = self.get_randomized_name()
kwargs = {'name': name,
'router_id': self.router['id'],
'extended_community_id': "1:1"}
ext_sg = self._create_external_security_group(**kwargs)
self.assertEqual(ext_sg['name'], name)
self.assertEqual(ext_sg['extended_community_id'],
"1:1")
# VSD verification of external security group
ext_pg = self.vsd.vspk.NUPolicyGroup(id=ext_sg['id'])
ext_pg.fetch()
show_resp = (self.plugin_network_client.
show_nuage_external_security_group(ext_sg['id']))
self._verify_external_secgroup_properties(
show_resp['nuage_external_security_group'],
ext_pg)
router_ext_id = self.vsd.external_id(self.router['id'])
self.assertEqual(router_ext_id, ext_pg.external_id)
# list_external_security_group
list_resp = (self.plugin_network_client.
list_nuage_external_security_group(self.router['id']))
self._verify_external_secgroup_properties(
list_resp['nuage_external_security_groups'][0],
ext_pg)
def test_create_show_list_delete_ext_secgroup_rule(self):
sec_group = self.create_security_group()
name = self.get_randomized_name()
kwargs = {'name': name,
'router_id': self.router['id'],
'extended_community_id': "1:1"}
ext_sg = self._create_external_security_group(**kwargs)
kwargs = {'protocol': 'tcp',
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id': ext_sg['id']}
ext_sg_rule = self._create_external_security_group_rule(**kwargs)
# Show operation and VSD verification of external security group
show_resp = (
self.plugin_network_client.
show_nuage_external_security_group_rule(ext_sg_rule['id']))
show_vsd_resp = self._get_nuage_external_acl(ext_sg_rule)
self._verify_external_secgroup_rule_properties(
show_resp['nuage_external_security_group_rule'],
show_vsd_resp, sec_group)
# Create second rule
kwargs = {'protocol': 'udp',
'port_range_min': 300,
'port_range_max': 500,
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id': ext_sg['id']}
self._create_external_security_group_rule(**kwargs)
# Create third rule
kwargs = {'protocol': 'vrrp',
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id': ext_sg['id']}
self._create_external_security_group_rule(**kwargs)
# List Operation on secgroup rules
list_resp = (self.plugin_network_client.
list_nuage_external_security_group_rule(
ext_sg['id'])['nuage_external_security_group_rules'])
list_vsd_resp = self._get_nuage_external_acl()
for resp, vsd_resp in zip(list_resp, list_vsd_resp):
self._verify_external_secgroup_rule_properties(
resp, vsd_resp, sec_group)
router_ext_id = self.vsd.external_id(self.router['id'])
for vsd_resp in list_vsd_resp:
self.assertEqual(router_ext_id, vsd_resp.external_id)
def test_create_show_list_delete_ext_secgroup_l2domain(self):
network = self.create_network()
esg_subnet = self.create_subnet(network)
name = self.get_randomized_name()
kwargs = {'name': name,
'subnet_id': esg_subnet['id'],
'extended_community_id': "4:4"}
ext_sg = self._create_external_security_group(**kwargs)
self.assertEqual(ext_sg['name'], name)
self.assertEqual(ext_sg['extended_community_id'],
"4:4")
# VSD verification of external security group
ext_pg = self.vsd.vspk.NUPolicyGroup(id=ext_sg['id'])
ext_pg.fetch()
show_resp = (self.plugin_network_client.
show_nuage_external_security_group(ext_sg['id']))
self._verify_external_secgroup_properties(
show_resp['nuage_external_security_group'],
ext_pg)
subnet_ext_id = self.vsd.external_id(esg_subnet['id'])
self.assertEqual(subnet_ext_id, ext_pg.external_id)
# list_external_security_group
list_resp = (
self.plugin_network_client.
list_nuage_external_security_group_l2domain(esg_subnet['id']))
self._verify_external_secgroup_properties(
list_resp['nuage_external_security_groups'][0],
ext_pg)
def test_create_delete_invalid_ext_secgroup(self):
name = self.get_randomized_name()
# Missing pararmeter: external_communtiy_tag in input
kwargs = {'name': name,
'router_id': self.router['id']}
self.assertRaises(
exceptions.BadRequest,
self.plugin_network_client.create_nuage_external_security_group,
**kwargs)
# Invalid external_communtiy_tag_value
kwargs = {'name': name,
'router_id': self.router['id'],
'extended_community_id': "4"}
self.assertRaises(
self.expected_exception_from_topology,
self.plugin_network_client.create_nuage_external_security_group,
**kwargs)
# Missing pararmeter: router/subnet ID in input
kwargs = {'name': name,
'router_id': '11111111-1111-1111-1111111111111111',
'extended_community_id': "2:2"}
self.assertRaises(
exceptions.BadRequest,
self.plugin_network_client.create_nuage_external_security_group,
**kwargs)
# Try deleting invalid external_secgroup
self.assertRaises(
exceptions.NotFound,
self.plugin_network_client.delete_nuage_external_security_group,
'11111111-1111-1111-1111111111111111')
def test_create_delete_invalid_ext_secgroup_rule(self):
sec_group = self.create_security_group()
name = self.get_randomized_name()
kwargs = {'name': name,
'router_id': self.router['id'],
'extended_community_id': "1:1"}
ext_sg = self._create_external_security_group(**kwargs)
# Missing mandatory parameter: origin_group_id in input
kwargs = {'protocol': 'tcp',
'direction': 'egress',
'remote_external_group_id': ext_sg['id']}
self.assertRaises(
self.expected_exception_from_topology,
self.plugin_network_client.
create_nuage_external_security_group_rule,
**kwargs)
# Invalid remote_group_id value
kwargs = {'protocol': 'tcp',
'direction': 'egress',
'origin_group_id': sec_group['id'],
'remote_external_group_id':
'11111111-1111-1111-1111111111111111'}
self.assertRaises(
self.expected_exception_from_topology,
self.plugin_network_client.
create_nuage_external_security_group_rule,
**kwargs)
# Try deleting invalid external_secgroup_rule
self.assertRaises(
exceptions.NotFound,
self.plugin_network_client.
delete_nuage_external_security_group_rule,
'11111111-1111-1111-1111111111111111')
