def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(security_group=proj_obj.get_fq_name_str() +
':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
def test_get_floating_ip_project_ref(self):
# create project
project = Project(name='project-{}'.format(self.id()))
p_uuid = self._vnc_lib.project_create(project)
project.set_uuid(p_uuid)
# create virtual network
vn = VirtualNetwork(name='vn-{}'.format(self.id()),
parent_obj=project)
vn.add_network_ipam(NetworkIpam(), VnSubnetsType([
IpamSubnetType(SubnetType('1.1.1.0', 28)),
]))
vn_uuid = self._vnc_lib.virtual_network_create(vn)
vn.set_uuid(vn_uuid)
# create floating IP pool
fip_pool = FloatingIpPool(name='fip_p-{}'.format(self.id()),
parent_obj=vn)
fip_p_uuid = self._vnc_lib.floating_ip_pool_create(fip_pool)
fip_pool.set_uuid(fip_p_uuid)
# finally, create floating IP
fip = FloatingIp(name='fip-{}'.format(self.id()),
parent_obj=fip_pool)
fip_uuid = self._vnc_lib.floating_ip_create(fip)
# get floating IPs
fip_list = self._vnc_lib.floating_ips_list(obj_uuids=[fip_uuid],
fields=['project_refs'],
detail=True)
self.assertEqual(len(fip_list), 1)
project_refs = fip_list[0].get_project_refs()
self.assertEqual(len(project_refs), 1)
self.assertEqual(project_refs[0]['uuid'], p_uuid)
self.assertEqual(project_refs[0]['to'], project.fq_name)
def test_security_logging_object_with_policy_and_security_group(self):
# Add a Network Policy Rule and a Security Group Rule to a
# SLO
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
rule1 = {
"protocol": "udp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
np = self.create_network_policy_with_multiple_rules([rule1])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
sg_obj = SecurityGroup(name=self.id() + '_sg1')
self._vnc_lib.security_group_create(sg_obj)
sgr_uuid = str(uuid.uuid4())
sg_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4')
sg_policy_rules = PolicyEntriesType([sg_rule])
sg_obj.set_security_group_entries(sg_policy_rules)
self._vnc_lib.security_group_update(sg_obj)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
np_fqdn = np.get_fq_name_str()
np_rule1_uuid = np_rule1.get_rule_uuid()
slo_rule_entries = []
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300))
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300))
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
slo_obj.add_network_policy(np, None)
sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid())
slo_obj.add_security_group(sg_obj, None)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries)
slo_obj.del_network_policy(np)
slo_obj.del_security_group(sg_obj)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_network_policy_update(self):
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
np = self.create_network_policy_with_multiple_rules([])
np_fqdn = np.get_fq_name_str()
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
slo_obj.add_network_policy(np, None)
self._vnc_lib.security_logging_object_update(slo_obj)
npr_uuid = str(uuid.uuid4())
action_list = ActionListType()
action_list.simple_action = 'pass'
np_rule = PolicyRuleType(
rule_uuid=npr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4',
action_list=action_list)
np.set_network_policy_entries(PolicyEntriesType([np_rule]))
self._vnc_lib.network_policy_update(np)
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
expected_rule_list = [
SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300)
]
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, expected_rule_list)
slo_obj.del_network_policy(np)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_public_snat_routes(self):
# create private vn
vn_private_name = self.id() + 'vn1'
vn_private = self.create_virtual_network(vn_private_name, "1.0.0.0/24")
# create virtual machine interface
vmi_name = self.id() + 'vmi1'
vmi = VirtualMachineInterface(
vmi_name,
parent_type='project',
fq_name=['default-domain', 'default-project', vmi_name])
vmi.add_virtual_network(vn_private)
self._vnc_lib.virtual_machine_interface_create(vmi)
# create public vn
vn_public_name = 'vn-public'
vn_public = VirtualNetwork(vn_public_name)
vn_public.set_router_external(True)
ipam_obj = NetworkIpam('ipam')
self._vnc_lib.network_ipam_create(ipam_obj)
vn_public.add_network_ipam(
ipam_obj,
VnSubnetsType([IpamSubnetType(SubnetType("192.168.7.0", 24))]))
self._vnc_lib.virtual_network_create(vn_public)
# create logical router, set route targets,
# add private network and extend lr to public network
lr_name = self.id() + 'lr1'
lr = LogicalRouter(lr_name)
rtgt_list = RouteTargetList(route_target=['target:1:1'])
lr.set_configured_route_target_list(rtgt_list)
lr.add_virtual_machine_interface(vmi)
lr.add_virtual_network(vn_public)
self._vnc_lib.logical_router_create(lr)
@retries(5)
def _match_route_table(rtgt_list, ri_name):
lri = self._vnc_lib.routing_instance_read(fq_name_str=ri_name)
sr = lri.get_static_route_entries()
if sr is None:
raise Exception("sr is None")
route = sr.route[0]
self.assertEqual(route.prefix, "0.0.0.0/0")
self.assertEqual(route.next_hop, "100.64.0.4")
for rtgt in rtgt_list:
self.assertIn(rtgt, route.route_target)
@retries(5)
def _wait_to_get_si():
si_list = self._vnc_lib.service_instances_list()
si = si_list.get("service-instances")[0]
si = self._vnc_lib.service_instance_read(id=si.get("uuid"))
return si
@retries(5)
def _wait_to_delete_si():
si_list = self._vnc_lib.service_instances_list()
try:
si = si_list.get("service-instances")[0]
si = self._vnc_lib.service_instance_read(id=si.get("uuid"))
raise
except Exception:
pass
@retries(5)
def _wait_to_delete_ip(vn_fq_name):
vn = self._vnc_lib.virtual_network_read(fq_name=vn_fq_name)
ip_refs = vn.get_instance_ip_back_refs()
if ip_refs:
raise
return
# end
si = _wait_to_get_si()
si_props = si.get_service_instance_properties().get_interface_list()[1]
ri_name = si_props.virtual_network + ":" + \
si_props.virtual_network.split(':')[-1]
lr_rtgt = self._vnc_lib.logical_router_read(
id=lr.uuid).route_target_refs[0]['to'][0]
_match_route_table(['target:1:1', lr_rtgt], ri_name)
rtgt_list = RouteTargetList(route_target=['target:2:2'])
lr.set_configured_route_target_list(rtgt_list)
self._vnc_lib.logical_router_update(lr)
_match_route_table(['target:2:2', lr_rtgt], ri_name)
lr.del_virtual_network(vn_public)
self._vnc_lib.logical_router_update(lr)
_wait_to_delete_si()
# cleanup
self._vnc_lib.logical_router_delete(fq_name=lr.get_fq_name())
self._vnc_lib.virtual_machine_interface_delete(
fq_name=vmi.get_fq_name())
_wait_to_delete_ip(vn_private.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn_private.get_fq_name())
_wait_to_delete_ip(vn_public.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn_public.get_fq_name())
def test_subnet_type_validation(self):
test_suite = [
(SubnetType('0', 0), ('0.0.0.0', 0)),
(SubnetType('1.1.1.1'), BadRequest),
(SubnetType('1.1.1.1', 24), ('1.1.1.0', 24)),
(SubnetType('1.1.1.1', '24'), ('1.1.1.0', 24)),
(SubnetType('1.1.1.1', 32), ('1.1.1.1', 32)),
(SubnetType('1.1.1.e', 32), BadRequest),
(SubnetType('1.1.1.1', '32e'), BadRequest),
(SubnetType('1.1.1.0,2.2.2.0', 24), BadRequest),
(SubnetType(''), BadRequest),
(SubnetType('', 30), BadRequest),
(SubnetType('::', 0), ('::', 0)),
(SubnetType('::'), BadRequest),
(SubnetType('dead::beef', 128), ('dead::beef', 128)),
(SubnetType('dead::beef', '128'), ('dead::beef', 128)),
(SubnetType('dead::beef', 96), ('dead::', 96)),
(SubnetType('dead::beez', 96), BadRequest),
(SubnetType('dead::beef', '96e'), BadRequest),
(SubnetType('dead::,beef::', 64), BadRequest),
]
project = Project('%s-project' % self.id())
self.api.project_create(project)
vn = VirtualNetwork('vn-%s' % self.id(), parent_obj=project)
self.api.virtual_network_create(vn)
vmi = VirtualMachineInterface('vmi-%s' % self.id(), parent_obj=project)
vmi.set_virtual_network(vn)
self.api.virtual_machine_interface_create(vmi)
for subnet, expected_result in test_suite:
aaps = AllowedAddressPairs(
allowed_address_pair=[AllowedAddressPair(ip=subnet)])
vmi.set_virtual_machine_interface_allowed_address_pairs(aaps)
if (type(expected_result) == type and
issubclass(expected_result, Exception)):
self.assertRaises(
expected_result,
self.api.virtual_machine_interface_update,
vmi)
else:
self.api.virtual_machine_interface_update(vmi)
vmi = self.api.virtual_machine_interface_read(id=vmi.uuid)
returned_apps = vmi.\
get_virtual_machine_interface_allowed_address_pairs().\
get_allowed_address_pair()
self.assertEqual(len(returned_apps), 1)
returned_subnet = returned_apps[0].get_ip()
self.assertEqual(returned_subnet.ip_prefix,
expected_result[0])
self.assertEqual(returned_subnet.ip_prefix_len,
expected_result[1])
def test_network_create(self):
subnet = '192.168.1.0'
prefix = 24
subnet_1 = '10.1.1.0'
vn_name = 'my-fe'
vn = VirtualNetwork(vn_name, self._proj_obj)
ipam_sn_1 = IpamSubnetType(subnet=SubnetType(subnet, prefix))
ipam_sn_2 = IpamSubnetType(subnet=SubnetType(subnet_1, prefix))
vn.add_network_ipam(
self._ipam_obj, VnSubnetsType([ipam_sn_1, ipam_sn_2]))
self._vnc_lib.virtual_network_create(vn)
net_obj = self._vnc_lib.virtual_network_read(id=vn.uuid)
# Ensure entries present in KV
kvp = self._vnc_lib.kv_retrieve()
self.assertIn(
'%s 192.168.1.0/24' %
(vn.uuid), [
p['value'] for p in kvp])
self.assertIn('%s 10.1.1.0/24' % (vn.uuid), [p['value'] for p in kvp])
# Ensure entry present in KV
key = net_obj.uuid + " " + subnet + '/' + str(prefix)
subnet_uuid = net_obj.network_ipam_refs[0]['attr'].ipam_subnets[
0].subnet_uuid
key_tmp = self._vnc_lib.kv_retrieve(subnet_uuid)
self.assertEqual(key, key_tmp)
key = net_obj.uuid + " " + subnet_1 + '/' + str(prefix)
subnet_uuid = net_obj.network_ipam_refs[0]['attr'].ipam_subnets[
1].subnet_uuid
key_tmp = self._vnc_lib.kv_retrieve(subnet_uuid)
self.assertEqual(key, key_tmp)
# Test delete
self._vnc_lib.virtual_network_delete(id=vn.uuid)
# Ensure all entries are gone
kvp = self._vnc_lib.kv_retrieve()
self.assertNotIn(
'%s 192.168.1.0/24' %
(vn.uuid), [
p['value'] for p in kvp])
self.assertNotIn(
'%s 10.1.1.0/24' %
(vn.uuid), [
p['value'] for p in kvp])
# Test update
vn_name = 'my-be'
subnet_2 = '9.1.1.0'
vn = VirtualNetwork(vn_name, self._proj_obj)
ipam_sn_1 = IpamSubnetType(subnet=SubnetType(subnet_2, prefix))
vn.add_network_ipam(self._ipam_obj, VnSubnetsType([ipam_sn_1]))
self._vnc_lib.virtual_network_create(vn)
net_obj = self._vnc_lib.virtual_network_read(id=vn.uuid)
# Ensure entry in KV
kvp = self._vnc_lib.kv_retrieve()
self.assertIn('%s 9.1.1.0/24' % (vn.uuid), [p['value'] for p in kvp])
key = net_obj.uuid + " " + subnet_2 + '/' + str(prefix)
subnet_uuid = net_obj.network_ipam_refs[0]['attr'].ipam_subnets[
0].subnet_uuid
key_tmp = self._vnc_lib.kv_retrieve(subnet_uuid)
self.assertEqual(key, key_tmp)
subnet_3 = '8.1.1.0'
ipam_sn_2 = IpamSubnetType(subnet=SubnetType(subnet_3, prefix))
ipam_refs = net_obj.get_network_ipam_refs()
if ipam_refs:
for ipam_ref in ipam_refs:
ipam_ref['attr'].set_ipam_subnets([ipam_sn_2])
net_obj._pending_field_updates.add('network_ipam_refs')
self._vnc_lib.virtual_network_update(net_obj)
# Ensure entry in KV
kvp = self._vnc_lib.kv_retrieve()
self.assertIn('%s 8.1.1.0/24' % (vn.uuid), [p['value'] for p in kvp])
key = net_obj.uuid + " " + subnet_3 + '/' + str(prefix)
net_obj = self._vnc_lib.virtual_network_read(id=net_obj.uuid)
subnet_uuid = net_obj.network_ipam_refs[0]['attr'].ipam_subnets[
0].subnet_uuid
key_tmp = self._vnc_lib.kv_retrieve(subnet_uuid)
self.assertEqual(key, key_tmp)
# Test delete
self._vnc_lib.virtual_network_delete(id=vn.uuid)
kvp = self._vnc_lib.kv_retrieve()
self.assertNotIn(
'%s 9.1.1.0/24' %
(vn.uuid), [
p['value'] for p in kvp])
self.assertNotIn(
'%s 8.1.1.0/24' %
(vn.uuid), [
p['value'] for p in kvp])
# Test ref_update
vn_name = 'my-ref'
vn = VirtualNetwork(vn_name, self._proj_obj)
self._vnc_lib.virtual_network_create(vn)
net_obj = self._vnc_lib.virtual_network_read(id=vn.uuid)
subnet_3 = '99.1.1.0'
ipam_sn_3 = IpamSubnetType(subnet=SubnetType(subnet_3, prefix))
self._vnc_lib.ref_update(
'virtual-network',
net_obj.uuid,
'network-ipam-refs',
None,
self._ipam_obj.get_fq_name(),
'ADD',
VnSubnetsType(
[ipam_sn_3]))
# Ensure entries in KV
kvp = self._vnc_lib.kv_retrieve()
self.assertIn('%s 99.1.1.0/24' % (vn.uuid), [p['value'] for p in kvp])
key = net_obj.uuid + " " + subnet_3 + '/' + str(prefix)
net_obj = self._vnc_lib.virtual_network_read(id=net_obj.uuid)
subnet_uuid = net_obj.network_ipam_refs[0]['attr'].ipam_subnets[
0].subnet_uuid
key_tmp = self._vnc_lib.kv_retrieve(subnet_uuid)
self.assertEqual(key, key_tmp)
self._vnc_lib.ref_update(
'virtual-network',
net_obj.uuid,
'network-ipam-refs',
None,
self._ipam_obj.get_fq_name(),
'DELETE')
kvp = self._vnc_lib.kv_retrieve()
self.assertNotIn(
'%s 99.1.1.0/24' %
(vn.uuid), [
p['value'] for p in kvp])
# Test delete
self._vnc_lib.virtual_network_delete(id=vn.uuid)