def test_multi_set(self):
'''Test lifecycle of set with 3 rules having different dirs'''
# Create rule set with 3 rules
with self._mock_profile_create() as profile_create:
rule1 = self._create_simple_policy_rule('in', 'tcp', '7887')
rule2 = self._create_simple_policy_rule('out', 'udp', '8778')
rule3 = self._create_simple_policy_rule('bi', 'tcp', '5060')
rule_set = self.create_policy_rule_set(
name='test',
policy_rules=[rule1['id'], rule2['id'],
rule3['id']])['policy_rule_set']
self.assertEqual(2, profile_create.call_count)
profile_create._assert_profile_call(
driver.append_in_dir('test'),
driver.append_in_dir(rule_set['id']),
[rule1['policy_classifier_id'], rule3['policy_classifier_id']])
profile_create._assert_profile_call(
driver.append_out_dir('test'),
driver.append_out_dir(rule_set['id']),
[rule2['policy_classifier_id'], rule3['policy_classifier_id']])
# Replace rule3 with rule4
with self._mock_profile_create() as profile_update:
rule4 = self._create_simple_policy_rule('out', 'tcp', '555:777')
rule_set1 = self.update_policy_rule_set(
rule_set['id'],
policy_rules=[rule1['id'], rule2['id'],
rule4['id']])['policy_rule_set']
self.assertEqual(rule_set['id'], rule_set1['id'])
self.assertEqual(2, profile_create.call_count)
profile_update._assert_profile_call(
driver.append_in_dir('test'),
driver.append_in_dir(rule_set['id']),
[rule1['policy_classifier_id']])
profile_update._assert_profile_call(
driver.append_out_dir('test'),
driver.append_out_dir(rule_set['id']),
[rule2['policy_classifier_id'], rule4['policy_classifier_id']])
# Delete rule1 from the rule set and verify ingress profile is
# is deleted on backend
with self._mock_profile_delete() as profile_delete:
self.update_policy_rule_set(
rule_set['id'], policy_rules=[rule2['id'], rule4['id']])
profile_delete.assert_called_once_with(
driver.append_in_dir(rule_set['id']))
# Delete the rule set and verify egress profile is deleted
with self._mock_profile_delete() as profile_delete:
self.delete_policy_rule_set(rule_set['id'])
profile_delete.assert_called_once_with(
driver.append_out_dir(rule_set['id']))
def test_bidirectional(self):
''' Create and delete bidirectional rule set'''
with self._mock_profile_create() as profile_create,\
self._mock_profile_delete() as profile_delete:
rule = self._create_simple_policy_rule()
rule_set = self.create_policy_rule_set(
name='test', policy_rules=[rule['id']])['policy_rule_set']
calls = [
call(name=mock.ANY,
description=mock.ANY,
profile_id=driver.append_in_dir(rule_set['id']),
services=[rule['policy_classifier_id']]),
call(name=mock.ANY,
description=mock.ANY,
profile_id=driver.append_out_dir(rule_set['id']),
services=[rule['policy_classifier_id']])
]
profile_create.assert_has_calls(calls)
self.delete_policy_rule_set(rule_set['id'])
calls = [
call(driver.append_in_dir(rule_set['id'])),
call(driver.append_out_dir(rule_set['id']))
]
profile_delete.assert_has_calls(calls)
def ingress_map_call(self, prs_id, provider_ids, consumer_ids):
return call(domain_id=TEST_PROJECT,
profile_id=driver.append_in_dir(prs_id),
map_id=mock.ANY,
name=driver.append_in_dir(prs_id),
description=mock.ANY,
source_groups=consumer_ids,
dest_groups=provider_ids)
def test_create_fail_connected(self):
'''Verify integrity when backend fails on connectivity map creation
This test creates a pair of groups. First group creation succeeds,
while second fails on connectivity enforcement.
Verify backend receives a group delete call for second group.
Verify spawned neutron resources are cleaned up for second group.
'''
policy_rule_set = self._prepare_rule_set()
profile_ids = [
driver.append_in_dir(policy_rule_set['id']),
driver.append_out_dir(policy_rule_set['id'])
]
with self._mock_group_create(),\
self._mock_profile_list(profile_ids),\
self._mock_map_create_fails(),\
self._mock_group_delete() as group_delete:
self.assertRaises(webob.exc.HTTPClientError,
self._create_provider_consumer_ptgs,
policy_rule_set['id'])
group_delete.assert_called_with(self._tenant_id, mock.ANY)
self.assert_neutron_resources(1, 1, 1)
def test_create_ptg_pair_multi_rule_set(self):
'''Create ptg pair based on 3 rule sets
First rule set is simulated to have only ingress connectivity,
second - only egress connectivity, and third - both
'''
prs1 = self._prepare_rule_set()['id']
prs2 = self._prepare_rule_set()['id']
prs3 = self._prepare_rule_set()['id']
profile_ids = [
driver.append_in_dir(prs1),
driver.append_out_dir(prs2),
driver.append_in_dir(prs3),
driver.append_out_dir(prs3)
]
with self._mock_domain_create(),\
self._mock_group_create() as group_create,\
self._mock_profile_list(profile_ids),\
self._mock_map_create() as map_create:
rule_set_dict = {prs1: None, prs2: None, prs3: None}
provider_ptg = self.create_policy_target_group(
name='ptg1', provided_policy_rule_sets=rule_set_dict)
provider_id = provider_ptg['policy_target_group']['id']
consumer_ptg = self.create_policy_target_group(
name='ptg2', consumed_policy_rule_sets=rule_set_dict)
consumer_id = consumer_ptg['policy_target_group']['id']
group_create.assert_has_calls([
self.group_call('ptg1', provider_id),
self.group_call('ptg2', consumer_id)
])
map_calls = [
self.ingress_map_call(prs1, [provider_id], [consumer_id]),
self.egress_map_call(prs2, [provider_id], [consumer_id]),
self.ingress_map_call(prs3, [provider_id], [consumer_id]),
self.egress_map_call(prs3, [provider_id], [consumer_id])
]
map_create.assert_has_calls(map_calls, any_order=True)
def test_update_rule_set(self):
'''Under consumer and producer group pair with single rule lifecycle,
Update rule set and verify backend gets updated
'''
rule_set = self._prepare_rule_set(direction='in')
# Create group pair
with self._mock_group_create(), \
self._mock_map_create(), \
self._mock_domain_create():
provider_ptg, consumer_ptg = self._create_provider_consumer_ptgs(
rule_set['id'])
# Add another rule to the rule set
with self._mock_service_create(),\
self._mock_map_create() as map_update:
rule = self._create_simple_policy_rule(direction='in')
self.rules.append(rule)
rules = [rule['id'] for rule in self.rules]
self.update_policy_rule_set(rule_set['id'], policy_rules=rules)
classifier_ids = sorted(
[rule['policy_classifier_id'] for rule in self.rules])
map_update.assert_has_calls([
self.ingress_map_call(rule_set['id'], [provider_ptg],
[consumer_ptg], classifier_ids)
])
# Delete all rules from rule set, leaving the rule set
with self._mock_map_delete() as map_delete:
self.update_policy_rule_set(rule_set['id'], policy_rules=[])
# verify communication map delete on backend
map_delete.assert_any_call(TEST_PROJECT,
driver.append_in_dir(rule_set['id']))
def test_create_ptg_star(self):
'''Star-like topology (single producer and N consumers) lifecycle'''
star_size = 10
policy_rule_set = self._prepare_rule_set()
prs_id = policy_rule_set['id']
profile_ids = [driver.append_in_dir(prs_id)]
# Create topology
with self._mock_domain_create(),\
self._mock_profile_list(profile_ids),\
self._mock_group_create() as group_create,\
self._mock_map_create() as map_create:
policy_rule_set_dict = {prs_id: None}
provider_ptg = self.create_policy_target_group(
name='producer',
provided_policy_rule_sets=policy_rule_set_dict)
provider_id = provider_ptg['policy_target_group']['id']
group_calls = [self.group_call('producer', provider_id)]
map_calls = []
consumer_ids = []
for i in range(0, star_size):
name = 'consumer_%d' % i
consumer_ptg = self.create_policy_target_group(
name=name, consumed_policy_rule_sets=policy_rule_set_dict)
consumer_id = consumer_ptg['policy_target_group']['id']
consumer_ids.append(consumer_id)
group_calls.append(self.group_call(name, consumer_id))
map_calls.append(
self.ingress_map_call(prs_id, [provider_id],
consumer_ids[:]))
group_create.assert_has_calls(group_calls)
map_create.assert_has_calls(map_calls)
star_size += 1
self.assert_neutron_resources(star_size, star_size, star_size)
# Delete one consumer group
with self._mock_map_delete() as map_delete,\
self._mock_map_create() as map_create,\
self._mock_profile_list(profile_ids),\
self._mock_group_delete() as group_delete:
consumer_id = consumer_ids.pop(0)
self.delete_policy_target_group(consumer_id)
map_create.assert_has_calls(
[self.ingress_map_call(prs_id, [provider_id], consumer_ids)])
map_delete.assert_not_called()
group_delete.assert_called_with(TEST_PROJECT, consumer_id)
star_size -= 1
self.assert_neutron_resources(star_size, star_size, star_size)
# Delete provider group
with self._mock_map_delete() as map_delete,\
self._mock_map_create() as map_create,\
self._mock_profile_list(profile_ids),\
self._mock_group_delete() as group_delete:
self.delete_policy_target_group(provider_id)
map_create.assert_not_called()
map_delete.assert_called_with(TEST_PROJECT,
driver.append_in_dir(prs_id))
star_size -= 1
group_delete.assert_called_with(TEST_PROJECT, provider_id)
def test_create_ptg_ring(self):
ring_size = 10
prs_ids = []
for i in range(0, ring_size):
prs_ids.append(self._prepare_rule_set()['id'])
profile_ids = [driver.append_in_dir(prs_id) for prs_id in prs_ids]
# Create ring topology
with self._mock_domain_create(),\
self._mock_profile_list(profile_ids),\
self._mock_group_create() as group_create,\
self._mock_map_create() as map_create:
group_calls = []
map_calls = []
ptg_ids = []
for i in range(0, ring_size):
provided_rule_set_dict = {prs_ids[i]: None}
next_i = (i + 1) % ring_size
consumed_rule_set_dict = {prs_ids[next_i]: None}
name = 'ptg_%d' % i
ptg = self.create_policy_target_group(
name=name,
provided_policy_rule_sets=provided_rule_set_dict,
consumed_policy_rule_sets=consumed_rule_set_dict)
ptg_id = ptg['policy_target_group']['id']
ptg_ids.append(ptg_id)
group_calls.append(self.group_call(name, ptg_id))
if i > 0:
map_calls.append(
self.ingress_map_call(prs_ids[i], [ptg_id],
[ptg_ids[i - 1]]))
map_calls.append(
self.ingress_map_call(prs_ids[0], [ptg_ids[0]], [ptg_id]))
group_create.assert_has_calls(group_calls)
map_create.assert_has_calls(map_calls, any_order=True)
self.assert_neutron_resources(ring_size, ring_size, ring_size)
# Delete single group and verify connectors are deleted
with self._mock_map_delete() as map_delete,\
self._mock_map_create() as map_create,\
self._mock_profile_list(profile_ids),\
self._mock_group_delete() as group_delete:
ptg_id = ptg_ids[2]
self.delete_policy_target_group(ptg_id)
map_calls = [
call(TEST_PROJECT, driver.append_in_dir(prs_ids[2])),
call(TEST_PROJECT, driver.append_in_dir(prs_ids[3]))
]
map_delete.assert_has_calls(map_calls)
map_create.assert_not_called()
group_delete.assert_called_with(TEST_PROJECT, ptg_id)
# Remove connectors from single group
with self._mock_map_delete() as map_delete,\
self._mock_map_create() as map_create,\
self._mock_profile_list(profile_ids),\
self._mock_group_delete() as group_delete:
ptg_id = ptg_ids[5]
self.update_policy_target_group(ptg_id,
provided_policy_rule_sets={})
map_calls = [call(TEST_PROJECT, driver.append_in_dir(prs_ids[5]))]
map_delete.assert_has_calls(map_calls)
map_create.assert_not_called()
group_delete.assert_not_called()
def test_create_fail_multi_connected(self):
'''Verify integrity when backend fails on connectivity map creation
This test creates three groups a<-->b<==>c
B is created last, and creation fails on its last connectivity
enforcement.
Verify all maps are deleted in cleanup.
Verify spawned neutron resources are cleaned up for third group.
'''
prs1 = self._prepare_rule_set()['id']
prs2 = self._prepare_rule_set()['id']
prs3 = self._prepare_rule_set()['id']
profile_ids = [
driver.append_in_dir(prs1),
driver.append_out_dir(prs1),
driver.append_in_dir(prs2),
driver.append_out_dir(prs2),
driver.append_in_dir(prs3),
driver.append_out_dir(prs3)
]
# Create a and c
with self._mock_group_create(),\
self._mock_profile_list(profile_ids),\
self._mock_map_create():
ab_dict = {prs1: None}
bc_dict = {prs2: None, prs3: None}
a = self.create_policy_target_group(
name='a',
provided_policy_rule_sets=ab_dict)['policy_target_group']['id']
c = self.create_policy_target_group(
name='c',
consumed_policy_rule_sets=bc_dict)['policy_target_group']['id']
with self._mock_group_create(),\
self._mock_profile_list(profile_ids),\
self._mock_nth_map_create_fails(n=6) as map_create,\
self._mock_map_delete() as map_delete,\
self._mock_group_delete() as group_delete:
self.assertRaises(webob.exc.HTTPClientError,
self.create_policy_target_group,
name='c',
consumed_policy_rule_sets=ab_dict,
provided_policy_rule_sets=bc_dict)
b = mock.ANY
map_create_calls = [
self.ingress_map_call(prs1, [a], [b]),
self.egress_map_call(prs1, [a], [b]),
self.ingress_map_call(prs2, [b], [c]),
self.egress_map_call(prs2, [b], [c]),
self.ingress_map_call(prs3, [b], [c]),
self.egress_map_call(prs3, [b], [c])
]
map_create.assert_has_calls(map_create_calls, any_order=True)
map_delete_calls = [
call(TEST_PROJECT, driver.append_in_dir(prs1)),
call(TEST_PROJECT, driver.append_out_dir(prs1)),
call(TEST_PROJECT, driver.append_in_dir(prs2)),
call(TEST_PROJECT, driver.append_out_dir(prs2)),
call(TEST_PROJECT, driver.append_in_dir(prs3))
]
map_delete.assert_has_calls(map_delete_calls, any_order=True)
group_delete.assert_called_with(TEST_PROJECT, mock.ANY)
self.assert_neutron_resources(2, 2, 2)
def _test_ptg_pair_with_single_rule(self,
direction_in=True,
direction_out=True):
'''Test consumer and producer group pair with single rule lifecycle.
Verify backend group and rule creation calls.
Verify spawned neutron resources.
'''
policy_rule_set = self._prepare_rule_set()
profile_in = driver.append_in_dir(policy_rule_set['id'])
profile_out = driver.append_out_dir(policy_rule_set['id'])
profile_ids = []
if direction_in:
profile_ids.append(profile_in)
if direction_out:
profile_ids.append(profile_out)
# Create group pair
with self._mock_group_create() as group_create,\
self._mock_profile_list(profile_ids),\
self._mock_map_create() as map_create,\
self._mock_domain_create():
provider_ptg, consumer_ptg = self._create_provider_consumer_ptgs(
policy_rule_set['id'])
# validate group creation on backend
calls = [
self.group_call('ptg1', provider_ptg),
self.group_call('ptg2', consumer_ptg)
]
group_create.assert_has_calls(calls)
# validate communication map creation on backend
calls = []
if direction_in:
calls.append(
self.ingress_map_call(policy_rule_set['id'],
[provider_ptg], [consumer_ptg]))
if direction_out:
calls.append(
self.egress_map_call(policy_rule_set['id'], [provider_ptg],
[consumer_ptg]))
map_create.assert_has_calls(calls)
# validate neutron resources
self.assert_neutron_resources(2, 2, 2)
# Delete producer
with self._mock_map_delete() as map_delete,\
self._mock_profile_list(profile_ids),\
self._mock_group_delete() as group_delete,\
self._mock_domain_delete() as domain_delete:
self.delete_policy_target_group(provider_ptg)
# verify communication map delete on backend
calls = []
if direction_in:
calls.append(
call(TEST_PROJECT,
driver.append_in_dir(policy_rule_set['id'])))
if direction_out:
calls.append(
call(TEST_PROJECT,
driver.append_out_dir(policy_rule_set['id'])))
map_delete.assert_has_calls(calls)
# verify group delete call
group_delete.assert_called_with(TEST_PROJECT, provider_ptg)
# verify domain not deleted yet
domain_delete.assert_not_called()
# Delete consumer
with self._mock_map_delete() as map_delete,\
self._mock_profile_list(profile_ids),\
self._mock_group_delete() as group_delete,\
self._mock_domain_delete() as domain_delete:
self.delete_policy_target_group(consumer_ptg)
# no deletions on communication map are expected
map_delete.assert_not_called()
# verify group delete call
group_delete.assert_called_with(TEST_PROJECT, consumer_ptg)
# last group is deleted, domain should go as well
domain_delete.assert_called_with(TEST_PROJECT)
