def test_connect(client_library: ClientLibrary):
lab = client_library.create_lab("my lab name")
lab = client_library.join_existing_lab(lab.id)
lab.auto_sync = False
s1 = lab.create_node("s1", "server", 50, 100)
s2 = lab.create_node("s2", "server", 50, 200)
print(s1, s2)
# create a link between s1 and s2
s1_i1 = s1.create_interface()
s2_i1 = s2.create_interface()
lab.create_link(s1_i1, s2_i1)
# this must remove the link between s1 and s2
lab.remove_node(s2)
lab.sync_states()
for node in lab.nodes():
print(node, node.state)
for iface in node.interfaces():
print(iface, iface.state)
assert [link for link in lab.links() if link.state is not None] == []
def get_testbed(lab, host, user, passwd):
client_library = ClientLibrary("https://" + host,
user,
passwd,
ssl_verify=False)
lab = client_library.join_existing_lab(args.lab)
return lab.get_pyats_testbed()
def stop_wipe_and_remove_all_labs(client_library: ClientLibrary):
lab_list = client_library.get_lab_list()
for lab_id in lab_list:
lab = client_library.join_existing_lab(lab_id)
lab.stop()
lab.wipe()
client_library.remove_lab(lab_id)
def __init__(self, cml_controller, base_config_dir):
self.__base_config_dir = base_config_dir
ssl_cert = False
if "CA_BUNDLE" in os.environ:
ssl_cert = os.environ["CA_BUNDLE"]
# Create a client and use the environment to provide the username, password, and CA bundle
self.__client = ClientLibrary(cml_controller, ssl_verify=ssl_cert)
def test_sending_requests_without_auth_token(controller_url: str):
client_library = ClientLibrary(controller_url,
username="******",
password="******",
ssl_verify=False,
allow_http=True)
# it probably won't be a common case to override `auth` by ClientLibrary users
# but missing auth token may happen when using API directly via HTTP:
client_library.session.auth = None
with pytest.raises(requests.exceptions.HTTPError) as exc:
client_library.create_lab()
exc.match('401 Client Error: Unauthorized for url')
def test_lab_details(client_library: ClientLibrary):
lab = client_library.create_lab("lab_1")
s1 = lab.create_node("s1", "server", 5, 100)
s2 = lab.create_node("s2", "server", 102, 201)
s1_iface = lab.create_interface(s1, 2)
s2_iface = lab.create_interface(s2, 2)
lab.create_link(s1_iface, s2_iface)
expected_keys = (
"state",
"created",
"lab_title",
"lab_description",
"node_count",
"link_count",
"id",
)
details = lab.details()
assert all(k in details.keys() for k in expected_keys)
assert details["node_count"] == 2
assert details["link_count"] == 1
assert details["state"] == "DEFINED_ON_CORE"
def test_lab_state(client_library: ClientLibrary):
lab = client_library.create_lab("lab_1")
s1 = lab.create_node("s1", "server", 5, 100)
s2 = lab.create_node("s2", "server", 102, 201)
s1_iface = lab.create_interface(s1, 2)
s2_iface = lab.create_interface(s2, 2)
lab.create_link(s1_iface, s2_iface)
state = lab.state()
assert state == "DEFINED_ON_CORE"
lab.start()
state = lab.state()
assert state == "STARTED"
assert lab.is_active()
lab.stop()
state = lab.state()
assert state == "STOPPED"
lab.wipe()
state = lab.state()
assert state == "DEFINED_ON_CORE"
def get_cml_client(server, ignore=False):
"""
Helper function to get a consistent CML client library object
"""
ssl_verify = not ignore
# The virl2_client library warns about some stuff which can be confusing.
# This eliminates the warnings, but the level is reset back to the current level
# Before returning.
logger = logging.getLogger("virl2_client.virl2_client")
level = logger.getEffectiveLevel()
logger.setLevel(logging.ERROR)
if not ignore and "CML_VERIFY_CERT" in server.config:
if server.config["CML_VERIFY_CERT"].lower() == "false":
ssl_verify = False
else:
ssl_verify = server.config["CML_VERIFY_CERT"]
# Remove VIRL2 envvars if they exist. These would conflict with the virlutils config.
os.environ.pop("VIRL2_USER", None)
os.environ.pop("VIRL2_PASS", None)
os.environ.pop("VIRL2_URL", None)
client = ClientLibrary(server.host,
server.user,
server.passwd,
raise_for_auth_failure=True,
ssl_verify=ssl_verify)
logger.setLevel(level)
return client
def test_server_node_deletion(client_library: ClientLibrary):
lab = client_library.create_lab("lab_1")
lab.auto_sync = False
s1 = lab.create_node("s1", "server", 5, 100)
s2 = lab.create_node("s2", "server", 102, 201)
s1_iface = lab.create_interface(s1, 2)
s2_iface = lab.create_interface(s2, 2)
lab.create_link(s1_iface, s2_iface)
lab.start()
s3 = lab.create_node("s3", "server", 200, 400)
s3_iface = lab.create_interface(s3)
s2.stop()
lab.create_link(s2.interfaces()[0], s3_iface)
lab.start()
# can't remove node while running
with pytest.raises(requests.exceptions.HTTPError) as exc:
lab.remove_node(s3)
assert exc.value.response.status_code == 403
# need to stop and wipe to be able to remove node.
s3.stop()
s3.wipe()
lab.remove_node(s3)
def print_labs(self):
"""
Get list of labs from CML2 server and print it formatted on console.
:raises requests.exceptions.HTTPError: if there was a transport error
"""
cl = ClientLibrary(url="https://" + self._cmlnetkitconfig.host,
username=self._cmlnetkitconfig.username,
password=self._cmlnetkitconfig.password,
ssl_verify=self._cmlnetkitconfig.ssl_verify)
cl.wait_for_lld_connected()
labs = cl.all_labs()
print('\nLab ID\tLab Title')
for lab in labs:
print(lab.id + '\t' + lab.title)
def test_node_with_unavailable_vnc(client_library: ClientLibrary):
lab = client_library.create_lab("lab_111")
node = lab.create_node("s1", "unmanaged_switch", 5, 100)
lab.start()
assert lab.state() == "STARTED"
with pytest.raises(requests.exceptions.HTTPError) as err:
node.vnc_key()
assert err.value.response.status_code == 404
def lab_upload(self):
"""
Upload topology from the self.lab_conf class variable to CML2 server as a new lab, except if
'dry run' mode is active.
:raises requests.exceptions.HTTPError: if there was a transport error
"""
if self._cmlnetkitconfig.dry_run is True:
print("Dry Run mode: No changes applied to CML2 server")
return
cl = ClientLibrary(url="https://" + self._cmlnetkitconfig.host,
username=self._cmlnetkitconfig.username,
password=self._cmlnetkitconfig.password,
ssl_verify=self._cmlnetkitconfig.ssl_verify)
cl.wait_for_lld_connected()
self.lab_conf = cl.import_lab(topology=yaml.dump(self.lab_conf),
title=self.lab_conf["lab"]["title"])
def test_sync_lab(register_licensing, client_library: ClientLibrary):
lab = client_library.create_lab("my test lab name")
lab = client_library.join_existing_lab(lab.id)
r1 = lab.create_node("r1", "server", 5, 100)
r2 = lab.create_node("r2", "server", 102, 201)
r3 = lab.create_node("r3", "server", 200, 400)
# print(r1, r2, r3)
r1.x = 400
r1.label = "abc"
r1_i1 = r1.create_interface()
r1_i2 = r1.create_interface()
r2_i1 = r2.create_interface()
r2_i2 = r2.create_interface()
r3_i1 = r3.create_interface()
r3_i2 = r3.create_interface()
#
lab.create_link(r1_i1, r2_i1)
lab.create_link(r2_i2, r3_i1)
lab.create_link(r3_i2, r1_i2)
r1.start()
r2.start()
r3.start()
# lab.stop()
r1.stop()
r2.stop()
r3.stop()
# lab.remove_link(link_1)
# lab.remove_link(link_2)
# lab.remove_link(link_3)
# lab.remove_node(r1)
# lab.remove_node(r2)
# lab.remove_node(r3)
# TODO: wait for convergence here
lab.stop()
def test_link_conditioning(register_licensing,
client_library_keep_labs: ClientLibrary):
lab = client_library_keep_labs.create_lab()
alpine = lab.create_node("alpine-0", "alpine", 0, 0)
ums = lab.create_node("unmanaged-switch-0", "unmanaged_switch", 100, 0)
ext = lab.create_node("ext", "external_connector", 200, 0)
lab.connect_two_nodes(alpine, ums)
lab.connect_two_nodes(ums, ext)
lab.start(wait=True)
alpine = lab.get_node_by_label("alpine-0")
ums = lab.get_node_by_label("unmanaged-switch-0")
link = lab.get_link_by_nodes(alpine, ums)
pylab = ClPyats(lab)
pylab.sync_testbed("cml2", "cml2cml2")
# ensure there's no link condition
result = link.get_condition()
assert result is None
# remove, just to be sure
link.remove_condition()
result = pylab.run_command("alpine-0", "time ping -Aqc100 192.168.255.1")
check_result(result, False, 0.0, 10.0)
# link.set_condition_by_name("dsl1")
# 2mbps, 50ms delay, 0ms jitter, 5.1% loss)
# 5.1 to ensure that the float is understood and returned
link.set_condition(2000, 50, 0, 5.1)
result = link.get_condition()
assert result == {
"bandwidth": 2000,
"latency": 50,
"loss": 5.1,
"jitter": 0
}
result = pylab.run_command("alpine-0", "time ping -Aqc100 192.168.255.1")
check_result(result, True, 90.0, 110.0)
link.remove_condition()
result = pylab.run_command("alpine-0", "time ping -Aqc100 192.168.255.1")
check_result(result, False, 0.0, 10.0)
lab.stop()
lab.wipe()
lab.remove()
def client_library_keep_labs_base(url,
usr="******",
pwd="cml2cml2",
ssl_verify=False,
allow_http=True):
clientlibrary = ClientLibrary(
url,
username=usr,
password=pwd,
ssl_verify=ssl_verify,
allow_http=allow_http,
)
for _ in range(5):
try:
clientlibrary.is_system_ready()
except HTTPError as err:
if err.errno == 504:
# system still initialising, wait longer
time.sleep(2)
return clientlibrary
def lab_download(self):
"""
Imports an existing topology from a CML2 server. Downloaded configuration is stored in self.lab_conf class
variable and parsed as YAML object
:raises TypeError: if no lab_id is provided
:raises requests.exceptions.HTTPError: if there was a transport error
"""
cl = ClientLibrary(url="https://" + self._cmlnetkitconfig.host,
username=self._cmlnetkitconfig.username,
password=self._cmlnetkitconfig.password,
ssl_verify=self._cmlnetkitconfig.ssl_verify)
cl.wait_for_lld_connected()
try:
self.lab_handler = cl.join_existing_lab(
self._cmlnetkitconfig.lab_id)
self.lab_conf = yaml.safe_load(self.lab_handler.download())
except TypeError:
print(
"TypeError: No lab_id provided. Use the -l option to provide the lab_id"
)
def __init__(self, host, username, password):
logger = logging.getLogger("virl2_client.virl2_client")
level = logger.getEffectiveLevel()
logger.setLevel(logging.ERROR)
# Remove VIRL2 envvars if they exist. These would conflict with the virlutils config.
os.environ.pop("VIRL2_USER", None)
os.environ.pop("VIRL2_PASS", None)
os.environ.pop("VIRL2_URL", None)
self._host = host
self._username = username
self._password = password
self._consoles = {}
self._student = None
self._student_password = None
self._student_name = None
self._client = ClientLibrary(host,
username,
password,
raise_for_auth_failure=True,
ssl_verify=False)
logger.setLevel(level)
def test_labels_and_tags(client_library: ClientLibrary):
lab = client_library.import_sample_lab("server-triangle.yaml")
lab.sync(topology_only=True)
node_1 = lab.get_node_by_label("server-0")
assert node_1.label == "server-0"
assert len(node_1.tags()) == 2
node_2 = lab.get_node_by_label("server-1")
assert node_2.label == "server-1"
assert len(node_2.tags()) == 2
node_3 = lab.get_node_by_label("server-2")
assert node_3.label == "server-2"
assert len(node_3.tags()) == 5
def test_start_stop_start_stop_cycle(client_library: ClientLibrary):
"""we need to test if the entire lifecycle works... e.g.
- define
- start
- queued
- booted
- stopped
- queued
- start
- stopped
- ...
"""
lab = client_library.import_sample_lab("server-triangle.ng")
lab.start()
lab.stop()
lab.start()
lab.stop()
lab.wipe()
def test_node_console_logs(client_library_session: ClientLibrary):
lab = client_library_session.create_lab("lab_space")
ext_conn = lab.create_node("ec", "external_connector", 100, 50, wait=False)
server = lab.create_node("s1", "server", 100, 100)
iosv = lab.create_node("n", "iosv", 50, 0)
lab.start()
assert lab.state() == "STARTED"
# server has one serial console on id 0
logs = server.console_logs(console_id=0)
assert type(logs) == str
# external connector - no serial console
with pytest.raises(requests.exceptions.HTTPError) as err:
ext_conn.console_logs(console_id=0)
assert err.value.response.status_code == 400
assert "Serial port does not exist on node" in err.value.response.text
# test limited number of lines
num_lines = 5
logs = server.console_logs(console_id=0, lines=num_lines)
assert type(logs) == str
assert len(logs.split("\n")) == num_lines
# assert 400 for non existent console id for server >0
with pytest.raises(requests.exceptions.HTTPError) as err:
server.console_logs(console_id=55)
assert err.value.response.status_code == 400
assert "Serial port does not exist on node" in err.value.response.text
# iosv has 2 serial consoles
logs = iosv.console_logs(console_id=0)
assert type(logs) == str
logs = iosv.console_logs(console_id=1)
assert type(logs) == str
with pytest.raises(requests.exceptions.HTTPError) as err:
iosv.console_logs(console_id=2)
assert err.value.response.status_code == 400
assert "Serial port does not exist on node" in err.value.response.text
lab.stop()
lab.wipe()
lab.remove()
def test_import(client_library: ClientLibrary):
lab = client_library.import_sample_lab("server-triangle.ng")
s0 = lab.get_node_by_id("n0")
assert lab.get_node_by_id("n1") is not None
assert lab.get_node_by_id("n2") is not None
lab.start()
s0.stop()
s0.wipe()
i1 = s0.create_interface()
s3 = lab.create_node("s3", "server", 100, 200)
i2 = s3.create_interface()
lab.create_link(i1, i2)
lab.start()
lab.stop()
#
import getpass
import re
from requests.exceptions import HTTPError
from virl2_client import ClientLibrary
VIRL_CONTROLLER = "virl2-controller"
VIRL_USERNAME = input("username: "******"password: "******"enter lab name: ")
client = ClientLibrary(VIRL_CONTROLLER,
VIRL_USERNAME,
VIRL_PASSWORD,
ssl_verify=False)
# Find the lab by title and join it as long as it's the only
# lab with that title.
labs = client.find_labs_by_title(LAB_NAME)
if not labs or len(labs) != 1:
print("ERROR: Unable to find a unique lab named {}".format(LAB_NAME))
exit(1)
lobj = client.join_existing_lab(labs[0].id)
if not lobj:
print("ERROR: Failed to join lab {}".format(LAB_NAME))
exit(1)
def create_client_connection(virl_host, virl_username, virl_password):
client = ClientLibrary(virl_host,
virl_username,
virl_password,
ssl_verify=False)
return client
import re
import sys
import urllib3
from braceexpand import braceexpand
from virl2_client import ClientLibrary
from pprint import pprint
# Get login credentials
username = input("Enter CML username: "******"Enter CML password: "******"https://192.168.137.252",
username,
password,
ssl_verify=False)
client.is_system_ready()
except:
print(
f"\nUnable to contact CML2.x server, please check server connectivity."
)
# get list of labs
all_labs = client.all_labs()
# check if programmatic_network_build exists
if 'programmatic_network_build' in [lab.title for lab in all_labs]:
print(f"\nprogrammatic_network_build exists, deleting lab..")
lab = client.find_labs_by_title(title='programmatic_network_build')[0]
try:
headers = {
'Authorization': f'Bearer {webex_token}',
}
response = requests.request("POST",
url,
headers=headers,
data=payload,
files=files)
response.raise_for_status()
if __name__ == "__main__":
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
client = ClientLibrary(cml_server_url,
cml_username,
cml_password,
ssl_verify=False,
raise_for_auth_failure=True,
allow_http=True)
#get lab
lab = client.find_labs_by_title("Jupyter Lab")[0]
#get lab testbed
pyats_testbed = lab.get_pyats_testbed()
#add credentials to testbed
add_cml_credentials(pyats_testbed, "lab_testbed.yaml", cml_username,
cml_password)
#create directories if doesn't exist
if not os.path.exists("./learn_results"):
def parse(self, inventory, loader, path, cache=True):
# call base method to ensure properties are available for use with other helper methods
super(InventoryModule, self).parse(inventory, loader, path, cache)
# this method will parse 'common format' inventory sources and
# update any options declared in DOCUMENTATION as needed
# config = self._read_config_data(self, path)
self._read_config_data(path)
# if NOT using _read_config_data you should call set_options directly,
# to process any defined configuration for this plugin,
# if you dont define any options you can skip
# self.set_options()
if 'VIRL_HOST' in os.environ and len(os.environ['VIRL_HOST']):
self.host = os.environ['VIRL_HOST']
else:
self.host = self.get_option('host')
self.display.vvv("virl2.py - VIRL_HOST: {0}".format(self.host))
if 'VIRL_USERNAME' in os.environ and len(os.environ['VIRL_USERNAME']):
self.username = os.environ['VIRL_USERNAME']
else:
self.username = self.get_option('username')
self.display.vvv("virl2.py - VIRL_USERNAME: {0}".format(self.username))
if 'VIRL_PASSWORD' in os.environ and len(os.environ['VIRL_PASSWORD']):
self.password = os.environ['VIRL_PASSWORD']
else:
self.password = self.get_option('password')
if 'VIRL_LAB' in os.environ and len(os.environ['VIRL_LAB']):
self.lab = os.environ['VIRL_LAB']
else:
self.lab = self.get_option('lab')
self.display.vvv("virl2.py - VIRL_LAB: {0}".format(self.lab))
if not self.lab:
self.display.vvv("No lab defined. Nothing to do.")
return
self.group = self.get_option('group')
if self.group is None:
self.group = 'virl_hosts'
self.display.vvv("virl2.py - Group: {0}".format(self.group))
self.inventory.set_variable('all', 'virl_host', self.host)
self.inventory.set_variable('all', 'virl_username', self.username)
self.inventory.set_variable('all', 'virl_password', self.password)
self.inventory.set_variable('all', 'virl_lab', self.lab)
url = 'https://{0}'.format(self.host)
try:
client = ClientLibrary(url, username=self.username, password=self.password, ssl_verify=False)
except:
raise AnsibleParserError('Unable to log into {0}'.format(url))
labs = (client.find_labs_by_title(self.lab))
if not labs:
return
try:
group = self.inventory.add_group(self.group)
except AnsibleError as e:
raise AnsibleParserError("Unable to add group %s: %s" % (group, to_text(e)))
group_dict = {}
lab = labs[0]
lab.sync()
for node in lab.nodes():
self.inventory.add_host(node.label, group=self.group)
virl = {
'state': node.state,
'image_definition': node.image_definition,
'node_definition': node.node_definition,
'cpus': node.cpus,
'ram': node.ram,
'config': node.config,
'data_volume': node.data_volume,
}
interface_list = []
ansible_host = None
for interface in node.interfaces():
if interface.discovered_ipv4 and not ansible_host:
ansible_host = interface.discovered_ipv4[0]
interface_dict = {
'name': interface.label,
'state': interface.state,
'ipv4_addresses': interface.discovered_ipv4,
'ipv6_addresses': interface.discovered_ipv6,
'mac_address': interface.discovered_mac_address
}
interface_list.append(interface_dict)
virl.update({'interfaces': interface_list})
if ansible_host:
self.inventory.set_variable(node.label, 'ansible_host', ansible_host)
self.inventory.set_variable(node.label, 'virl_facts', virl)
self.display.vvv("Adding {0}({1}) to group {2}, state: {3}, ansible_host: {4}".format(
node.label, node.node_definition, self.group, node.state, ansible_host))
# Group by node_definition
if node.node_definition not in group_dict:
try:
group_dict[node.node_definition] = self.inventory.add_group(node.node_definition)
except AnsibleError as e:
raise AnsibleParserError("Unable to add group %s: %s" % (group, to_text(e)))
self.inventory.add_host(node.label, group=node.node_definition)
def test_import_virl(client_library: ClientLibrary):
lab = client_library.import_sample_lab("dual-server.virl")
assert lab is not None
def test_topology_owner(client_library_keep_labs: ClientLibrary):
lab = client_library_keep_labs.create_lab("owned_by_cml2")
lab.sync(topology_only=True)
assert lab.owner == "cml2"
class DSTTopology(object):
__client = None
__lab = None
__started = False
__wiped = True
__base_config_dir = None
__nodes = {
"Internet Router": {
"type": "iosv",
"node": None,
"config": "internet_router.txt"
},
"HQ Firewall": {
"type": "asav",
"node": None,
"config": "hq_firewall.txt"
},
"HQ Switch": {
"type": "unmanaged_switch",
"node": None
},
"HQ Server": {
"type": "ubuntu",
"node": None,
"config": "hq_server.txt"
},
"Internet": {
"type": "external_connector",
"node": None
},
"OOB Management": {
"type": "external_connector",
"node": None,
"config": "oob_management.txt"
},
}
def __init__(self, cml_controller, base_config_dir):
self.__base_config_dir = base_config_dir
ssl_cert = False
if "CA_BUNDLE" in os.environ:
ssl_cert = os.environ["CA_BUNDLE"]
# Create a client and use the environment to provide the username, password, and CA bundle
self.__client = ClientLibrary(cml_controller, ssl_verify=ssl_cert)
@staticmethod
def __get_lab_suffix():
return "".join(
random.choice(string.ascii_lowercase + string.digits)
for i in range(8))
def __create_lab(self):
# Wait for the low-level drive to connect
self.__client.wait_for_lld_connected()
lab_prefix = "Dynamic Split Tunnel Test-"
lab_suffix = DSTTopology.__get_lab_suffix()
# Find a unique name for this lab
while True:
labs = self.__client.find_labs_by_title(lab_prefix + lab_suffix)
if labs is not None and len(labs) > 0:
lab_suffix = DSTTopology.__get_lab_suffix()
else:
break
self.__lab = self.__client.create_lab(title=lab_prefix + lab_suffix)
self.__lab.description = "This lab is for testing a Dynamic Split Tunnel config change (created at: {ctime})".format(
ctime=time.ctime())
self.__lab.wait_for_convergence = False
def __add_nodes(self):
# Create each node
for node in list(self.__nodes.keys()):
self.__nodes[node]["node"] = self.__lab.create_node(
node, self.__nodes[node]["type"], populate_interfaces=True)
def __connect_nodes(self):
"""
Connect all nodes in the test topology is a known, static way.
"""
# First connect Gi0/0 of the Internet Router to the Internet
igi0 = self.__nodes["Internet Router"]["node"].get_interface_by_label(
"GigabitEthernet0/0")
iport = self.__nodes["Internet"]["node"].get_interface_by_label("port")
self.__lab.create_link(igi0, iport)
# Next connect Gi0/1 of the Internet Router to Gi0/0 of the HQ Firewall
igi1 = self.__nodes["Internet Router"]["node"].get_interface_by_label(
"GigabitEthernet0/1")
fgi0 = self.__nodes["HQ Firewall"]["node"].get_interface_by_label(
"GigabitEthernet0/0")
self.__lab.create_link(igi1, fgi0)
# Next connect Gi0/1 of the HQ Firewall to port0 of the HQ Switch
# ...But before we can do that, we need to add a new interface.
self.__nodes["HQ Firewall"]["node"].create_interface()
fgi1 = self.__nodes["HQ Firewall"]["node"].get_interface_by_label(
"GigabitEthernet0/1")
sport0 = self.__nodes["HQ Switch"]["node"].get_interface_by_label(
"port0")
self.__lab.create_link(fgi1, sport0)
# Next connect Management0/0 of HQ Firewall to the OOB Management network
fm0 = self.__nodes["HQ Firewall"]["node"].get_interface_by_label(
"Management0/0")
oport = self.__nodes["OOB Management"]["node"].get_interface_by_label(
"port")
self.__lab.create_link(fm0, oport)
# Next connect port1 of HQ Switch to port enp0s2 of the HQ Server
sport1 = self.__nodes["HQ Switch"]["node"].get_interface_by_label(
"port1")
seth = self.__nodes["HQ Server"]["node"].get_interface_by_label(
"enp0s2")
self.__lab.create_link(sport1, seth)
def __configure_nodes(self):
for node, properties in list(self.__nodes.items()):
if "config" in properties:
config = self.__base_config_dir + "/" + properties["config"]
if not os.path.exists(config):
raise FileNotFoundError(config)
with open(config, "r") as fd:
conf_contents = fd.read()
properties["node"].config = conf_contents
def create_topology(self):
"""
Create a DST test topology and configure it.
"""
self.__create_lab()
self.__add_nodes()
self.__connect_nodes()
self.__configure_nodes()
def start(self):
"""
Start the DST test lab.
"""
if self.__started:
return
self.__lab.start()
self.__started = True
self.__wiped = False
def stop(self):
"""
Stop the DST test lab.
"""
if not self.__started:
return
self.__lab.stop(wait=True)
self.__started = False
def is_ready(self):
"""
Check if the overall lab is ready.
Returns:
Boolean: True if all nodes have converged, False otherwise.
"""
if not self.__started:
raise Exception("Lab has not been started yet.")
ready = True
for node, properties in list(self.__nodes.items()):
if not properties["node"].has_converged(
) or properties["node"].has_converged(
) == 0 or not properties["node"].is_booted():
ready = False
break
return ready
def get_fw_ip(self, wait=False):
"""
Return the IP address of the OOB Management interface on the firewall node.
Parameters:
wait (Boolean): Whether or not to wait for the firewall node to converge (default: False)
Returns:
string: The first IP address on Management0/0 if found, else None
"""
if not self.__started:
raise Exception("Lab has not been started yet.")
if not wait and not self.__nodes["HQ Firewall"]["node"].has_converged(
):
raise Exception("Firewall node has not yet converged.")
elif not self.__nodes["HQ Firewall"]["node"].has_converged():
while not self.__nodes["HQ Firewall"]["node"].has_converged():
time.sleep(1)
fm0 = self.__nodes["HQ Firewall"]["node"].get_interface_by_label(
"Management0/0")
ip4_addr = fm0.discovered_ipv4
if len(ip4_addr) > 0:
return ip4_addr[0]
return None
def wipe(self):
"""
Wipe the DST test lab
"""
if self.__started:
raise Exception("Lab must be stopped first.")
self.__lab.wipe(wait=True)
self.__wiped = True
def remove(self):
"""
Remove the lab from the CML controller.
"""
if not self.__wiped:
raise Exception("Lab must be wiped before it can be removed.")
self.__lab.remove()
def test_group_api_permissions(controller_url,
client_library_session: ClientLibrary):
cl_admin = client_library_session
# create non-admin user
username = "******"
satoshi_pwd = "super-secret-pwd"
satoshi = cl_admin.user_management.create_user(username=username,
pwd=satoshi_pwd)
halfinn = cl_admin.user_management.create_user(username="******",
pwd=satoshi_pwd)
satoshi_uid = satoshi["id"]
cml2_uid = client_library_session.user_management.user_id(username="******")
halfinn_uid = client_library_session.user_management.user_id(
username="******")
# assert there is no lab
assert cl_admin.all_labs(show_all=True) == []
# create lab
lab0 = cl_admin.create_lab(title="lab0")
lab1 = cl_admin.create_lab(title="lab1")
# create students group
lab0_ro = [{"id": lab0.id, "permission": "read_only"}]
lab0_1_rw = [
{
"id": lab0.id,
"permission": "read_write"
},
{
"id": lab1.id,
"permission": "read_write"
},
]
students_group = cl_admin.group_management.create_group(
name="students",
description="students group",
members=[satoshi_uid],
labs=lab0_ro,
)
teachers_group = cl_admin.group_management.create_group(
name="teachers",
description="teachers group",
members=[],
labs=lab0_1_rw)
all_groups = cl_admin.group_management.groups()
assert len(all_groups) == 2
all_groups_names = [group["id"] for group in all_groups]
assert students_group["id"] in all_groups_names
assert teachers_group["id"] in all_groups_names
# log in as non-admin satoshi user
cl_satoshi = ClientLibrary(
controller_url,
username=username,
password=satoshi_pwd,
ssl_verify=False,
allow_http=True,
)
# satoshi must only see groups that he is part of
satoshi_groups = cl_satoshi.group_management.groups()
assert len(satoshi_groups) == 1
assert satoshi_groups[0]["name"] == "students"
assert cl_satoshi.user_management.user_groups(user_id=satoshi_uid) == [
students_group["id"]
]
# cannot check other user info
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.user_management.user_groups(user_id=cml2_uid)
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# user cannot see groups he is not part of
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.group_management.get_group(group_id=teachers_group["id"])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# can see those where he is member
students_group = cl_satoshi.group_management.get_group(
group_id=students_group["id"])
assert students_group["members"] == [satoshi_uid]
# only admin can create, delete and modify group
# create
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.group_management.create_group(name="xxx")
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# update
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.group_management.update_group(group_id=teachers_group["id"],
description="new")
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# delete
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.group_management.delete_group(group_id=teachers_group["id"])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# user cannot see members of group that he is not part of
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.group_management.group_members(
group_id=teachers_group["id"])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# can see those where he is member
students_group_members = cl_satoshi.group_management.group_members(
group_id=students_group["id"])
assert students_group_members == [satoshi_uid]
# user cannot see labs of group that he is not part of
with pytest.raises(requests.exceptions.HTTPError) as err:
cl_satoshi.group_management.group_labs(group_id=teachers_group["id"])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# can see those where he is member
students_group_labs = cl_satoshi.group_management.group_labs(
group_id=students_group["id"])
assert students_group_labs == [lab0.id]
# we need to get lab objects again so that they are bound to satoshi user
lab0 = cl_satoshi.find_labs_by_title(title="lab0")[0]
# satishi can only see groups where he is a member - in this case students
assert lab0.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
]
# we cannot modify groups associations as satoshi is not owner or admin
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.update_lab_groups(group_list=[])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# we cannot modify notes
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.notes = "new note"
assert err.value.response.status_code == 403
assert "User does not have write permission to lab" in err.value.response.text
# we cannot modify description
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.description = "new description"
assert err.value.response.status_code == 403
assert "User does not have write permission to lab" in err.value.response.text
# change students association to lab0 to read_write
assert cl_admin.group_management.update_group(
group_id=students_group["id"],
labs=[{
"id": lab0.id,
"permission": "read_write"
}],
)
# now user can perform writes to associated lab
lab0.notes = "new note"
assert lab0.notes == "new note"
lab0.description = "new description"
assert lab0.description == "new description"
# get students groups association to lab0 back to read only
# satoshi cannot - he is not admin or owner
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.update_lab_groups(group_list=[
{
"id": students_group["id"],
"permission": "read_only"
},
])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# admin can
lab0 = cl_admin.find_labs_by_title(title="lab0")[0]
lab0.update_lab_groups(group_list=[
{
"id": students_group["id"],
"permission": "read_only"
},
])
lab0 = cl_satoshi.find_labs_by_title(title="lab0")[0]
assert lab0.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
]
# add teachers group rw association to lab0 (admin action)
teachers_group = cl_admin.group_management.update_group(
group_id=teachers_group["id"], labs=lab0_1_rw)
# we cannot modify groups associations as satoshi is not admin or owner
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.update_lab_groups(group_list=[])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# we cannot modify notes
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.notes = "new note"
assert err.value.response.status_code == 403
assert "User does not have write permission to lab" in err.value.response.text
# we cannot modify description
with pytest.raises(requests.exceptions.HTTPError) as err:
lab0.description = "new description"
assert err.value.response.status_code == 403
assert "User does not have write permission to lab" in err.value.response.text
# as satoshi has no access to lab1 - below list is empty
assert cl_satoshi.find_labs_by_title(title="lab1") == []
# add satoshi to teachers group - by doing this now he gains read write
# access to both ;ab0 and lab1
cl_admin.group_management.update_group(group_id=teachers_group["id"],
members=[satoshi_uid])
# now we can access teachers group and related data
assert cl_satoshi.group_management.get_group(group_id=teachers_group["id"])
assert cl_satoshi.group_management.group_members(
group_id=teachers_group["id"]) == [satoshi_uid]
assert (len(
cl_satoshi.group_management.group_labs(
group_id=teachers_group["id"])) == 2)
user_groups = cl_satoshi.user_management.user_groups(user_id=satoshi_uid)
assert students_group["id"] in user_groups and teachers_group[
"id"] in user_groups
associated_groups_names = [
group["name"] for group in cl_satoshi.group_management.groups()
]
assert ("students" in associated_groups_names
and "teachers" in associated_groups_names)
# test adjusting lab groups (only owner and admin can change lab group associations)
# admin must see all associations
# owner and non-admin users can only see those associations where they are members of group
# log in as non-admin satoshi user
cl_halfinn = ClientLibrary(
controller_url,
username="******",
password=satoshi_pwd,
ssl_verify=False,
allow_http=True,
)
# create lab owned by halfin
lab2 = cl_halfinn.create_lab(title="lab2")
# only satoshi in students group + add lab2 association
cl_admin.group_management.update_group(
group_id=students_group["id"],
members=[satoshi_uid],
labs=[{
"id": lab2.id,
"permission": "read_only"
}],
)
# only halfinney in teachers group + add lab2 association
cl_admin.group_management.update_group(
group_id=teachers_group["id"],
members=[halfinn_uid],
labs=[{
"id": lab2.id,
"permission": "read_only"
}],
)
halfinn_lab2 = cl_halfinn.find_labs_by_title(title="lab2")[0]
# get lab owned by halfinney with satoshi (who is not owner)
satoshi_lab2 = cl_satoshi.find_labs_by_title(title="lab2")[0]
# get lab owned by halfinney with admin
admin_lab2 = cl_admin.find_labs_by_title(title="lab2")[0]
# admin must see both groups associated with lab2
assert admin_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
# halfinney only sees group that he is member of (teachers)
assert halfinn_lab2.groups == [
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
# satoshi only sees group that he is member of (students)
assert satoshi_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
]
# satoshi cannot update lab groups associations for lab2 -> 403 (not owner or admin)
with pytest.raises(requests.exceptions.HTTPError) as err:
satoshi_lab2.update_lab_groups(group_list=[])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# associations mus still be present after above failure
assert admin_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
# halfinney cannot add/remove students association to lab2 as he is not member of students
halfinn_lab2.update_lab_groups(group_list=[])
# above only removed the group teachers as halfinn is owner and also member of teachers
assert halfinn_lab2.groups == [] # sees nothing
assert satoshi_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
] # sees students
assert admin_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
] # admin too sees only students as that is now only associtation
# halfinney cannot add students group as he is not member
with pytest.raises(requests.exceptions.HTTPError) as err:
halfinn_lab2.update_lab_groups(group_list=[{
"id": students_group["id"],
"permission": "read_only"
}])
assert err.value.response.status_code == 403
assert "User does not have required access" in err.value.response.text
# halfinney can add teachers as he is a member
halfinn_lab2.update_lab_groups(group_list=[{
"id": teachers_group["id"],
"permission": "read_only"
}])
# halfinney only sees group that he is member of (teachers)
assert halfinn_lab2.groups == [
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
# add halfinney to students group
cl_admin.group_management.update_group(
group_id=students_group["id"],
members=[satoshi_uid, halfinn_uid],
)
# halfinney now sees both students and teachers
# associations mus still be present after above failure
assert halfinn_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
# he can now also remove both associations
halfinn_lab2.update_lab_groups(group_list=[])
assert admin_lab2.groups == []
assert halfinn_lab2.groups == []
# satoshi lost access --> 404
with pytest.raises(requests.exceptions.HTTPError) as err:
assert satoshi_lab2.groups == []
assert err.value.response.status_code == 404
assert "Lab not found" in err.value.response.text
# add also possible
halfinn_lab2.update_lab_groups(group_list=[
{
"id": students_group["id"],
"permission": "read_only"
},
{
"id": teachers_group["id"],
"permission": "read_only"
},
])
assert halfinn_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
assert satoshi_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
] # sees students as he is only part of students not teachers
assert admin_lab2.groups == [
{
"id": students_group["id"],
"permission": "read_only"
},
{
"id": teachers_group["id"],
"permission": "read_only"
},
]
# admin can do whatever he pleases
admin_lab2.update_lab_groups(group_list=[])
assert admin_lab2.groups == []
assert halfinn_lab2.groups == []
# satoshi lost access --> 404
with pytest.raises(requests.exceptions.HTTPError) as err:
assert satoshi_lab2.groups == []
assert err.value.response.status_code == 404
assert "Lab not found" in err.value.response.text
# CLEAN UP
# again need to get lab0 from admin account
lab0 = cl_admin.find_labs_by_title(title="lab0")[0]
lab0.remove()
lab1.remove()
lab2.remove()
cl_admin.user_management.delete_user(user_id=satoshi_uid)
cl_admin.user_management.delete_user(user_id=halfinn_uid)
assert cl_admin.group_management.delete_group(
group_id=students_group["id"]) is None
assert cl_admin.group_management.delete_group(
group_id=teachers_group["id"]) is None
assert cl_admin.group_management.groups() == []
assert cl_admin.all_labs(show_all=True) == []