def test_repeated_policy_modify(self):
     """ Configure policies based on topology; Replace VN's existing policy [same policy name but with different rule set] multiple times and verify.
     """
     ###
     # Get config for test from topology
     # very simple topo will do, one vn, one vm, multiple policies with n
     # rules
     topology_class_name = sdn_single_vm_multiple_policy_topology.sdn_single_vm_multiple_policy_config
     self.logger.info("Scenario for the test used is: %s" %
                      (topology_class_name))
     # set project name
     try:
         # provided by wrapper module if run in parallel test env
         topo = topology_class_name(project=self.project.project_name,
                                    username=self.project.username,
                                    password=self.project.password)
     except NameError:
         topo = topology_class_name()
     ###
     # Test setup: Configure policy, VN, & VM
     # return {'result':result, 'msg': err_msg, 'data': [self.topo, config_topo]}
     # Returned topo is of following format:
     # config_topo= {'policy': policy_fixt, 'vn': vn_fixture, 'vm': vm_fixture}
     setup_obj = self.useFixture(sdnTopoSetupFixture(
         self.connections, topo))
     out = setup_obj.topo_setup()
     assertEqual(out['result'], True, out['msg'])
     if out['result']:
         topo, config_topo = out['data']
     ###
     # Verify [and assert on fail] after setup
     # Calling system policy verification, pick any policy fixture to
     # access fixture verification
     policy_name = topo.policy_list[0]
     system_vna_verify_policy(self, config_topo['policy'][policy_name],
                              topo, 'setup')
     ###
     # Test procedure:
     # Test repeated update of a policy attached to a VM
     test_vm = topo.vmc_list[0]
     test_vn = topo.vn_of_vm[test_vm]
     test_vn_fix = config_topo['vn'][test_vn]
     test_vn_id = test_vn_fix.vn_id
     for policy in topo.policy_list:
         # set new policy for test_vn to policy
         test_policy_fq_names = []
         name = config_topo['policy'][policy].policy_fq_name
         test_policy_fq_names.append(name)
         state = "policy for %s updated to %s" % (test_vn, policy)
         test_vn_fix.bind_policies(test_policy_fq_names, test_vn_id)
         # wait for tables update before checking after making changes to
         # system
         time.sleep(5)
         self.logger.info("new policy list of vn %s is %s" %
                          (test_vn, policy))
         # update expected topology with this new info for verification
         updated_topo = policy_test_utils.update_topo(topo, test_vn, policy)
         system_vna_verify_policy(self, config_topo['policy'][policy],
                                  updated_topo, state)
     return True
 def test_repeated_policy_modify(self):
     """ Configure policies based on topology; Replace VN's existing policy [same policy name but with different rule set] multiple times and verify.
     """
     ###
     # Get config for test from topology
     # very simple topo will do, one vn, one vm, multiple policies with n
     # rules
     topology_class_name = sdn_single_vm_multiple_policy_topology.sdn_single_vm_multiple_policy_config
     self.logger.info("Scenario for the test used is: %s" % (topology_class_name))
     # set project name
     try:
         # provided by wrapper module if run in parallel test env
         topo = topology_class_name(
             project=self.project.project_name, username=self.project.username, password=self.project.password
         )
     except NameError:
         topo = topology_class_name()
     ###
     # Test setup: Configure policy, VN, & VM
     # return {'result':result, 'msg': err_msg, 'data': [self.topo, config_topo]}
     # Returned topo is of following format:
     # config_topo= {'policy': policy_fixt, 'vn': vn_fixture, 'vm': vm_fixture}
     setup_obj = self.useFixture(sdnTopoSetupFixture(self.connections, topo))
     out = setup_obj.topo_setup()
     assertEqual(out["result"], True, out["msg"])
     if out["result"]:
         topo, config_topo = out["data"]
     ###
     # Verify [and assert on fail] after setup
     # Calling system policy verification, pick any policy fixture to
     # access fixture verification
     policy_name = topo.policy_list[0]
     system_vna_verify_policy(self, config_topo["policy"][policy_name], topo, "setup")
     ###
     # Test procedure:
     # Test repeated update of a policy attached to a VM
     test_vm = topo.vmc_list[0]
     test_vn = topo.vn_of_vm[test_vm]
     test_vn_fix = config_topo["vn"][test_vn]
     test_vn_id = test_vn_fix.vn_id
     for policy in topo.policy_list:
         # set new policy for test_vn to policy
         test_policy_fq_names = []
         name = config_topo["policy"][policy].policy_fq_name
         test_policy_fq_names.append(name)
         state = "policy for %s updated to %s" % (test_vn, policy)
         test_vn_fix.bind_policies(test_policy_fq_names, test_vn_id)
         # wait for tables update before checking after making changes to
         # system
         time.sleep(5)
         self.logger.info("new policy list of vn %s is %s" % (test_vn, policy))
         # update expected topology with this new info for verification
         updated_topo = policy_test_utils.update_topo(topo, test_vn, policy)
         system_vna_verify_policy(self, config_topo["policy"][policy], updated_topo, state)
     return True
    def test_policy_modify_vn_policy(self):
        """ Configure policies based on topology;
        """
        ###
        # Get config for test from topology
        # very simple topo will do, one vn, one vm, one policy, 3 rules
        topology_class_name = sdn_single_vm_policy_topology.sdn_single_vm_policy_config

        self.logger.info("Scenario for the test used is: %s" %
                         (topology_class_name))
        # set project name
        try:
            # provided by wrapper module if run in parallel test env
            topo = topology_class_name(project=self.project.project_name,
                                       username=self.project.username,
                                       password=self.project.password)
        except NameError:
            topo = topology_class_name()
        ###
        # Test setup: Configure policy, VN, & VM
        # return {'result':result, 'msg': err_msg, 'data': [self.topo, config_topo]}
        # Returned topo is of following format:
        # config_topo= {'policy': policy_fixt, 'vn': vn_fixture, 'vm': vm_fixture}
        setup_obj = self.useFixture(sdnTopoSetupFixture(
            self.connections, topo))
        out = setup_obj.topo_setup()
        assertEqual(out['result'], True, out['msg'])
        if out['result']:
            topo, config_topo = out['data']
        ###
        # Verify [and assert on fail] after setup
        # Calling system policy verification, pick any policy fixture to
        # access fixture verification
        policy_name = topo.policy_list[0]
        system_vna_verify_policy(self, config_topo['policy'][policy_name],
                                 topo, 'setup')
        ###
        # Test procedure:
        # Test adding new policy to VN's exiting policy list
        state = "add policy: "
        test_vm = topo.vmc_list[0]
        test_vn = topo.vn_of_vm[test_vm]
        # Init test data, take backup of current topology
        initial_vn_policy_list = copy.copy(topo.vn_policy[test_vn])
        new_policy_to_add = policy_test_utils.get_policy_not_in_vn(
            initial_vn_policy_list, topo.policy_list)
        if not new_policy_to_add:
            result = 'False'
            msg = "test %s cannot be run as required config not available in topology; aborting test"
            self.logger.info(msg)
            assertEqual(result, True, msg)
        initial_policy_vn_list = copy.copy(topo.policy_vn[new_policy_to_add])
        new_vn_policy_list = copy.copy(initial_vn_policy_list)
        new_policy_vn_list = copy.copy(initial_policy_vn_list)
        new_vn_policy_list.append(new_policy_to_add)
        new_policy_vn_list.append(test_vn)
        test_vn_fix = config_topo['vn'][test_vn]
        test_vn_id = test_vn_fix.vn_id
        # configure new policy
        config_topo['policy'][new_policy_to_add] = self.useFixture(
            PolicyFixture(policy_name=new_policy_to_add,
                          rules_list=topo.rules[new_policy_to_add],
                          inputs=self.inputs,
                          connections=self.connections))
        # get new policy_set to be pushed for the vn
        test_policy_fq_names = []
        for policy in new_vn_policy_list:
            name = config_topo['policy'][policy].policy_fq_name
            test_policy_fq_names.append(name)
        self.logger.info("adding policy %s to vn %s" %
                         (new_policy_to_add, test_vn))
        test_vn_fix.bind_policies(test_policy_fq_names, test_vn_id)
        # wait for tables update before checking after making changes to system
        time.sleep(5)
        self.logger.info("New policy list of VN %s is %s" %
                         (test_vn, new_vn_policy_list))
        # update expected topology with this new info for verification
        topo.vn_policy[test_vn] = new_vn_policy_list
        topo.policy_vn[new_policy_to_add] = new_policy_vn_list
        system_vna_verify_policy(self,
                                 config_topo['policy'][new_policy_to_add],
                                 topo, state)
        # Test unbinding all policies from VN
        state = "unbinding all policies"
        test_vn_fix.unbind_policies(test_vn_id)
        # wait for tables update before checking after making changes to system
        time.sleep(5)
        current_vn_policy_list = new_vn_policy_list
        new_vn_policy_list = []
        self.logger.info("New policy list of VN %s is %s" %
                         (test_vn, new_vn_policy_list))
        # update expected topology with this new info for verification
        topo.vn_policy[test_vn] = new_vn_policy_list
        for policy in current_vn_policy_list:
            topo.policy_vn[policy].remove(test_vn)
        system_vna_verify_policy(self,
                                 config_topo['policy'][new_policy_to_add],
                                 topo, state)
        return True
Exemple #4
0
    def test_policy_RT_import_export(self):
        ''' Test to validate RT imported/exported in control node.
        Verification is implemented in vn_fixture to compare fixture route data with the data in control node..
        Verification expects test code to compile policy allowed VN info, which is used to validate data in CN.
        Test calls get_policy_peer_vns [internally call get_allowed_peer_vns_by_policy for each VN]. This data is
        fed to verify_vn_route_target, which internally calls get_rt_info to build expected list. This is compared
        against actual by calling cn_ref.get_cn_routing_instance and getting rt info.  '''

        vn1_name = 'vn40'
        vn1_subnets = ['40.1.1.0/24']
        vn2_name = 'vn41'
        vn2_subnets = ['41.1.1.0/24']
        vn3_name = 'vn42'
        vn3_subnets = ['42.1.1.0/24']
        policy1_name = 'policy1'
        policy2_name = 'policy2'
        policy3_name = 'policy3'
        policy4_name = 'policy4'
        # cover all combinations of rules for this test
        # 1. both vn's allow each other 2. one vn allows peer, while other denies 3. policy rule doesnt list local vn
        # 4. allow or deny any vn is not handled now..
        rules = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn2_name
            },
            {
                'direction': '<>',
                'simple_action': 'deny',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn3_name
            },
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn2_name,
                'dest_network': vn3_name
            },
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': 'any',
                'dest_network': vn3_name
            },
        ]
        rev_rules2 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn3_name,
            },
        ]

        rev_rules1 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn2_name,
                'dest_network': vn1_name,
            },
        ]
        rules2 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn3_name,
                'dest_network': vn1_name,
            },
        ]

        policy1_fixture = self.useFixture(
            PolicyFixture(policy_name=policy1_name,
                          rules_list=rules,
                          inputs=self.inputs,
                          connections=self.connections))
        policy2_fixture = self.useFixture(
            PolicyFixture(policy_name=policy2_name,
                          rules_list=rev_rules1,
                          inputs=self.inputs,
                          connections=self.connections))
        policy3_fixture = self.useFixture(
            PolicyFixture(policy_name=policy3_name,
                          rules_list=rules2,
                          inputs=self.inputs,
                          connections=self.connections))
        policy4_fixture = self.useFixture(
            PolicyFixture(policy_name=policy4_name,
                          rules_list=rev_rules2,
                          inputs=self.inputs,
                          connections=self.connections))
        vn1_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn1_name,
                      inputs=self.inputs,
                      subnets=vn1_subnets))
        assert vn1_fixture.verify_on_setup()
        vn2_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn2_name,
                      inputs=self.inputs,
                      subnets=vn2_subnets))
        assert vn2_fixture.verify_on_setup()
        vn3_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn3_name,
                      inputs=self.inputs,
                      subnets=vn3_subnets))
        assert vn3_fixture.verify_on_setup()

        self.logger.info("TEST STEP: End of setup")
        vn_fixture = {
            vn1_name: vn1_fixture,
            vn2_name: vn2_fixture,
            vn3_name: vn3_fixture
        }
        vnet_list = [vn1_name, vn2_name, vn3_name]

        self.logger.info("TEST STEP: Route verification for VN after setup")
        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self, vnet_list, vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            assert (vn_fixture[vn].verify_vn_route_target(
                policy_peer_vns=actual_peer_vns_by_policy[vn])
                    ), err_msg_on_fail

        self.logger.info(
            "TEST STEP: Bind policys to VN and verify import and export RT values"
        )
        policy_fq_name1 = [policy1_fixture.policy_fq_name]
        policy_fq_name2 = [policy2_fixture.policy_fq_name]
        vn1_fixture.bind_policies(policy_fq_name1, vn1_fixture.vn_id)
        vn1_pol = vn1_fixture.get_policy_attached_to_vn()
        vn2_fixture.bind_policies(policy_fq_name2, vn2_fixture.vn_id)
        vn2_pol = vn2_fixture.get_policy_attached_to_vn()
        vn3_fixture.bind_policies([policy3_fixture.policy_fq_name],
                                  vn3_fixture.vn_id)
        vn3_pol = vn3_fixture.get_policy_attached_to_vn()
        self.logger.info("vn: %s policys: %s" % (vn1_name, vn1_pol))
        self.logger.info("vn: %s policys: %s" % (vn2_name, vn2_pol))
        self.logger.info("vn: %s policys: %s" % (vn3_name, vn3_pol))

        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self, vnet_list, vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            out = vn_fixture[vn].verify_vn_route_target(
                policy_peer_vns=actual_peer_vns_by_policy[vn])
            # control node may not be updated of the config changes right away, as it depends on system load ..
            # one scenario being when multiple tests are run in parallel..
            # wait & retry one more time if result is not as expected..
            if not out:
                self.logger.info("wait and verify VN RT again...")
                time.sleep(5)
                out = vn_fixture[vn].verify_vn_route_target(
                    policy_peer_vns=actual_peer_vns_by_policy[vn])
            assert (out), err_msg_on_fail

        self.logger.info(
            "TEST STEP: Bind one more policy to VN and verify RT import values updated"
        )
        vn1_fixture.bind_policies(
            [policy1_fixture.policy_fq_name, policy4_fixture.policy_fq_name],
            vn1_fixture.vn_id)

        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self, vnet_list, vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            assert (vn_fixture[vn].verify_vn_route_target(
                policy_peer_vns=actual_peer_vns_by_policy[vn])
                    ), err_msg_on_fail

        self.logger.info(
            "TEST STEP: Unbind policy which was added earlier and verify RT import/export values are updated accordingly"
        )
        vn1_fixture.unbind_policies(vn1_fixture.vn_id,
                                    [policy4_fixture.policy_fq_name])
        vn3_fixture.unbind_policies(vn3_fixture.vn_id,
                                    [policy3_fixture.policy_fq_name])

        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self, vnet_list, vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            assert (vn_fixture[vn].verify_vn_route_target(
                policy_peer_vns=actual_peer_vns_by_policy[vn])
                    ), err_msg_on_fail
        return True
    def test_policy_modify_vn_policy(self):
        """ Configure policies based on topology;
        """
        ###
        # Get config for test from topology
        # very simple topo will do, one vn, one vm, one policy, 3 rules
        topology_class_name = sdn_single_vm_policy_topology.sdn_single_vm_policy_config

        self.logger.info("Scenario for the test used is: %s" % (topology_class_name))
        # set project name
        try:
            # provided by wrapper module if run in parallel test env
            topo = topology_class_name(
                project=self.project.project_name, username=self.project.username, password=self.project.password
            )
        except NameError:
            topo = topology_class_name()
        ###
        # Test setup: Configure policy, VN, & VM
        # return {'result':result, 'msg': err_msg, 'data': [self.topo, config_topo]}
        # Returned topo is of following format:
        # config_topo= {'policy': policy_fixt, 'vn': vn_fixture, 'vm': vm_fixture}
        setup_obj = self.useFixture(sdnTopoSetupFixture(self.connections, topo))
        out = setup_obj.topo_setup()
        assertEqual(out["result"], True, out["msg"])
        if out["result"]:
            topo, config_topo = out["data"]
        ###
        # Verify [and assert on fail] after setup
        # Calling system policy verification, pick any policy fixture to
        # access fixture verification
        policy_name = topo.policy_list[0]
        system_vna_verify_policy(self, config_topo["policy"][policy_name], topo, "setup")
        ###
        # Test procedure:
        # Test adding new policy to VN's exiting policy list
        state = "add policy: "
        test_vm = topo.vmc_list[0]
        test_vn = topo.vn_of_vm[test_vm]
        # Init test data, take backup of current topology
        initial_vn_policy_list = copy.copy(topo.vn_policy[test_vn])
        new_policy_to_add = policy_test_utils.get_policy_not_in_vn(initial_vn_policy_list, topo.policy_list)
        if not new_policy_to_add:
            result = "False"
            msg = "test %s cannot be run as required config not available in topology; aborting test"
            self.logger.info(msg)
            assertEqual(result, True, msg)
        initial_policy_vn_list = copy.copy(topo.policy_vn[new_policy_to_add])
        new_vn_policy_list = copy.copy(initial_vn_policy_list)
        new_policy_vn_list = copy.copy(initial_policy_vn_list)
        new_vn_policy_list.append(new_policy_to_add)
        new_policy_vn_list.append(test_vn)
        test_vn_fix = config_topo["vn"][test_vn]
        test_vn_id = test_vn_fix.vn_id
        # configure new policy
        config_topo["policy"][new_policy_to_add] = self.useFixture(
            PolicyFixture(
                policy_name=new_policy_to_add,
                rules_list=topo.rules[new_policy_to_add],
                inputs=self.inputs,
                connections=self.connections,
            )
        )
        # get new policy_set to be pushed for the vn
        test_policy_fq_names = []
        for policy in new_vn_policy_list:
            name = config_topo["policy"][policy].policy_fq_name
            test_policy_fq_names.append(name)
        self.logger.info("adding policy %s to vn %s" % (new_policy_to_add, test_vn))
        test_vn_fix.bind_policies(test_policy_fq_names, test_vn_id)
        # wait for tables update before checking after making changes to system
        time.sleep(5)
        self.logger.info("New policy list of VN %s is %s" % (test_vn, new_vn_policy_list))
        # update expected topology with this new info for verification
        topo.vn_policy[test_vn] = new_vn_policy_list
        topo.policy_vn[new_policy_to_add] = new_policy_vn_list
        system_vna_verify_policy(self, config_topo["policy"][new_policy_to_add], topo, state)
        # Test unbinding all policies from VN
        state = "unbinding all policies"
        test_vn_fix.unbind_policies(test_vn_id)
        # wait for tables update before checking after making changes to system
        time.sleep(5)
        current_vn_policy_list = new_vn_policy_list
        new_vn_policy_list = []
        self.logger.info("New policy list of VN %s is %s" % (test_vn, new_vn_policy_list))
        # update expected topology with this new info for verification
        topo.vn_policy[test_vn] = new_vn_policy_list
        for policy in current_vn_policy_list:
            topo.policy_vn[policy].remove(test_vn)
        system_vna_verify_policy(self, config_topo["policy"][new_policy_to_add], topo, state)
        return True
    def test_policy_RT_import_export(self):
        ''' Test to validate RT imported/exported in control node.
        Verification is implemented in vn_fixture to compare fixture route data with the data in control node..
        Verification expects test code to compile policy allowed VN info, which is used to validate data in CN.
        Test calls get_policy_peer_vns [internally call get_allowed_peer_vns_by_policy for each VN]. This data is
        fed to verify_vn_route_target, which internally calls get_rt_info to build expected list. This is compared
        against actual by calling cn_ref.get_cn_routing_instance and getting rt info.  '''

        vn1_name = 'vn40'
        vn1_subnets = ['40.1.1.0/24']
        vn2_name = 'vn41'
        vn2_subnets = ['41.1.1.0/24']
        vn3_name = 'vn42'
        vn3_subnets = ['42.1.1.0/24']
        policy1_name = 'policy1'
        policy2_name = 'policy2'
        policy3_name = 'policy3'
        policy4_name = 'policy4'
        # cover all combinations of rules for this test
        # 1. both vn's allow each other 2. one vn allows peer, while other denies 3. policy rule doesnt list local vn
        # 4. allow or deny any vn is not handled now..
        rules = [{'direction': '<>',
                  'simple_action': 'pass',
                  'protocol': 'icmp',
                  'source_network': vn1_name,
                  'dest_network': vn2_name},
                 {'direction': '<>',
                  'simple_action': 'deny',
                  'protocol': 'icmp',
                  'source_network': vn1_name,
                  'dest_network': vn3_name},
                 {'direction': '<>',
                  'simple_action': 'pass',
                  'protocol': 'icmp',
                  'source_network': vn2_name,
                  'dest_network': vn3_name},
                 {'direction': '<>',
                  'simple_action': 'pass',
                  'protocol': 'icmp',
                  'source_network': 'any',
                  'dest_network': vn3_name},
                 ]
        rev_rules2 = [{'direction': '<>',
                       'simple_action': 'pass',
                       'protocol': 'icmp',
                       'source_network': vn1_name,
                       'dest_network': vn3_name,
                       },
                      ]

        rev_rules1 = [{'direction': '<>',
                       'simple_action': 'pass',
                       'protocol': 'icmp',
                       'source_network': vn2_name,
                       'dest_network': vn1_name,
                       },
                      ]
        rules2 = [{'direction': '<>',
                   'simple_action': 'pass',
                   'protocol': 'icmp',
                   'source_network': vn3_name,
                   'dest_network': vn1_name,
                   },
                  ]

        policy1_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy1_name,
                rules_list=rules,
                inputs=self.inputs,
                connections=self.connections))
        policy2_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy2_name,
                rules_list=rev_rules1,
                inputs=self.inputs,
                connections=self.connections))
        policy3_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy3_name,
                rules_list=rules2,
                inputs=self.inputs,
                connections=self.connections))
        policy4_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy4_name,
                rules_list=rev_rules2,
                inputs=self.inputs,
                connections=self.connections))
        vn1_fixture = self.useFixture(
            VNFixture(
                project_name=self.inputs.project_name,
                connections=self.connections,
                vn_name=vn1_name,
                inputs=self.inputs,
                subnets=vn1_subnets))
        assert vn1_fixture.verify_on_setup()
        vn2_fixture = self.useFixture(
            VNFixture(
                project_name=self.inputs.project_name,
                connections=self.connections,
                vn_name=vn2_name,
                inputs=self.inputs,
                subnets=vn2_subnets))
        assert vn2_fixture.verify_on_setup()
        vn3_fixture = self.useFixture(
            VNFixture(
                project_name=self.inputs.project_name,
                connections=self.connections,
                vn_name=vn3_name,
                inputs=self.inputs,
                subnets=vn3_subnets))
        assert vn3_fixture.verify_on_setup()

        self.logger.info("TEST STEP: End of setup")
        vn_fixture = {
            vn1_name: vn1_fixture,
            vn2_name: vn2_fixture,
            vn3_name: vn3_fixture}
        vnet_list = [vn1_name, vn2_name, vn3_name]

        self.logger.info("TEST STEP: Route verification for VN after setup")
        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self,
            vnet_list,
            vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            assert (
                vn_fixture[vn].verify_vn_route_target(
                    policy_peer_vns=actual_peer_vns_by_policy[vn])), err_msg_on_fail

        self.logger.info(
            "TEST STEP: Bind policys to VN and verify import and export RT values")
        policy_fq_name1 = [policy1_fixture.policy_fq_name]
        policy_fq_name2 = [policy2_fixture.policy_fq_name]
        vn1_fixture.bind_policies(policy_fq_name1, vn1_fixture.vn_id)
        vn1_pol = vn1_fixture.get_policy_attached_to_vn()
        vn2_fixture.bind_policies(policy_fq_name2, vn2_fixture.vn_id)
        vn2_pol = vn2_fixture.get_policy_attached_to_vn()
        vn3_fixture.bind_policies(
            [policy3_fixture.policy_fq_name], vn3_fixture.vn_id)
        vn3_pol = vn3_fixture.get_policy_attached_to_vn()
        self.logger.info("vn: %s policys: %s" % (vn1_name, vn1_pol))
        self.logger.info("vn: %s policys: %s" % (vn2_name, vn2_pol))
        self.logger.info("vn: %s policys: %s" % (vn3_name, vn3_pol))

        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self,
            vnet_list,
            vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            out = vn_fixture[vn].verify_vn_route_target(
                policy_peer_vns=actual_peer_vns_by_policy[vn])
            # control node may not be updated of the config changes right away, as it depends on system load ..
            # one scenario being when multiple tests are run in parallel..
            # wait & retry one more time if result is not as expected..
            if not out:
                self.logger.info("wait and verify VN RT again...")
                time.sleep(5)
                out = vn_fixture[vn].verify_vn_route_target(
                    policy_peer_vns=actual_peer_vns_by_policy[vn])
            assert (out), err_msg_on_fail

        self.logger.info(
            "TEST STEP: Bind one more policy to VN and verify RT import values updated")
        vn1_fixture.bind_policies(
            [policy1_fixture.policy_fq_name, policy4_fixture.policy_fq_name], vn1_fixture.vn_id)

        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self,
            vnet_list,
            vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            assert (
                vn_fixture[vn].verify_vn_route_target(
                    policy_peer_vns=actual_peer_vns_by_policy[vn])), err_msg_on_fail

        self.logger.info(
            "TEST STEP: Unbind policy which was added earlier and verify RT import/export values are updated accordingly")
        vn1_fixture.unbind_policies(
            vn1_fixture.vn_id, [
                policy4_fixture.policy_fq_name])
        vn3_fixture.unbind_policies(
            vn3_fixture.vn_id, [
                policy3_fixture.policy_fq_name])

        actual_peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
            self,
            vnet_list,
            vn_fixture)
        for vn in vnet_list:
            err_msg_on_fail = "route verification failed for vn %s" % (vn)
            assert (
                vn_fixture[vn].verify_vn_route_target(
                    policy_peer_vns=actual_peer_vns_by_policy[vn])), err_msg_on_fail
        return True
    def test_remove_policy_with_ref(self):
        ''' This tests the following scenarios.
           1. Test to validate that policy removal will fail when it referenced with VN.
           2. validate vn_policy data in api-s against quantum-vn data, when created and unbind policy from VN thru quantum APIs.
           3. validate policy data in api-s against quantum-policy data, when created and deleted thru quantum APIs.
        '''
        vn1_name = 'vn4'
        vn1_subnets = ['10.1.1.0/24']
        policy_name = 'policy1'
        rules = [
            {
                'direction': '<>', 'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
        ]
        policy_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy_name,
                rules_list=rules,
                inputs=self.inputs,
                connections=self.connections))
        vn1_fixture = self.useFixture(
            VNFixture(
                project_name=self.inputs.project_name,
                connections=self.connections,
                vn_name=vn1_name,
                inputs=self.inputs,
                subnets=vn1_subnets,
                policy_objs=[
                    policy_fixture.policy_obj]))
        assert vn1_fixture.verify_on_setup()
        ret = policy_fixture.verify_on_setup()
        if ret['result'] == False:
            self.logger.error(
                "Policy %s verification failed after setup" % policy_name)
            assert ret['result'], ret['msg']

        self.logger.info(
            "Done with setup and verification, moving onto test ..")
        # try to remove policy which  was referenced with VN.
        policy_removal = True
        pol_list = self.quantum_fixture.list_policys()
        self.logger.info("policy list for project %s is %s" %
                         (self.project.project_name, pol_list))
        pol_id = None
        for policy in pol_list['policys']:
            if policy['name'] == policy_name:
                pol_id = policy['id']
                policy_removal = self.quantum_fixture.delete_policy(
                    policy['id'])
                break
        self.assertFalse(
            policy_removal,
            'Policy removal succeed as not expected since policy is referenced with VN')
        #assert vn1_fixture.verify_on_setup()
        # policy_fixture.verify_policy_in_api_server()

        self.logger.info("Done with test, moving onto cleanup ..")
        if vn1_fixture.policy_objs:
            policy_fq_names = [
                self.quantum_fixture.get_policy_fq_name(x) for x in vn1_fixture.policy_objs]

        # self.assertTrue(
        #    vn1_fixture.verify_vn_policy_in_vn_uve(),
        #    "Policy information is not found in VN UVE Analytics after binding policy to VN")
        # unbind the policy from VN
        vn1_fixture.unbind_policies(vn1_fixture.vn_id, policy_fq_names)
        self.assertTrue(
            vn1_fixture.verify_vn_policy_not_in_vn_uve(),
            "Policy information is not removed from VN UVE Analytics after policy un binded from VN")
        # Verify policy ref is removed from VN
        vn_pol_found = vn1_fixture.verify_vn_policy_not_in_api_server(
            policy_name)
        self.assertFalse(
            vn_pol_found,
            'policy not removed from VN after policy unbind from VN')
        # Wait for 1 secs for db update after unbind operation..
        time.sleep(1)
        # remove the policy using quantum API
        policy_removal = self.quantum_fixture.delete_policy(pol_id)
        if not policy_removal:
            self.logger.info("policy delete failed, retry again...")
            policy_removal = self.quantum_fixture.delete_policy(pol_id)
        self.assertTrue(
            policy_removal,
            'Policy removal failure not expected since policy is dereferenced with VN')
        pol_found = policy_fixture.verify_policy_not_in_api_server()
        self.assertFalse(
            pol_found,
            'policy not removed from API server when policy removed from Quantum')
        return True