def setUp(self): super(TestSGApp, self).setUp() self.topology = None self.policy = None self.security_group = objects.SecGroupTestObj(self.neutron, self.nb_api) self.addCleanup(self.security_group.close) security_group_id = self.security_group.create() self.assertTrue(self.security_group.exists()) self.security_group2 = objects.SecGroupTestObj(self.neutron, self.nb_api) self.addCleanup(self.security_group2.close) security_group_id2 = self.security_group2.create() self.assertTrue(self.security_group2.exists()) self.security_group3 = objects.SecGroupTestObj(self.neutron, self.nb_api) self.addCleanup(self.security_group3.close) security_group_id3 = self.security_group3.create() self.assertTrue(self.security_group3.exists()) self.topology = app_testing_objects.Topology(self.neutron, self.nb_api) self.addCleanup(self.topology.close) self.active_security_group_id = security_group_id self.inactive_security_group_id = security_group_id2 self.allowed_address_pairs_security_group_id = security_group_id3 self.permit_icmp_request = self._get_icmp_request1 self.no_permit_icmp_request = self._get_icmp_request2
def _init_topology(self): network = netaddr.IPNetwork(self.cidr) security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) egress_rule_info = { 'ethertype': self.ethertype, 'direction': 'egress', 'protocol': self.icmp_proto } egress_rule_id = security_group.rule_create(secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) ingress_rule_info = { 'ethertype': self.ethertype, 'direction': 'ingress', 'protocol': self.icmp_proto, 'remote_ip_prefix': self.cidr } ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) self.topology = self.store( app_testing_objects.Topology(self.neutron, self.nb_api)) self.subnet = self.topology.create_subnet(cidr=self.cidr) self.port1 = self.subnet.create_port() self.port1.update({ "allowed_address_pairs": [{ "ip_address": network[100], "mac_address": "10:20:99:99:99:99" }] }) self.port2 = self.subnet.create_port([security_group_id])
def test_create_delete_security_group(self): secgroup = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) secgroup.create() self.assertTrue(secgroup.exists()) secgroup.close() self.assertFalse(secgroup.exists())
def test_create_delete_security_group_rule(self): secgroup = objects.SecGroupTestObj(self.neutron, self.nb_api) self.addCleanup(secgroup.close) secgroup.create() self.assertTrue(secgroup.exists()) secrule_id = secgroup.rule_create() self.assertTrue(secgroup.rule_exists(secrule_id)) secgroup.rule_delete(secrule_id) self.assertFalse(secgroup.rule_exists(secrule_id)) secgroup.close() self.assertFalse(secgroup.exists())
def _create_fake_default_security_group(self): security_group = objects.SecGroupTestObj(self.neutron, self.nb_api) security_group_id = security_group.create( secgroup={'name': 'fakedefault'}) ingress_rule_info = {'ethertype': 'IPv4', 'direction': 'ingress', 'remote_group_id': security_group_id} security_group.rule_create(secrule=ingress_rule_info) return security_group
def test_create_delete_security_group(self): secgroup = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) sg_id = secgroup.create() self.assertTrue(secgroup.exists()) version1 = self.nb_api.get_security_group(sg_id).get_version() secgroup.update() self.assertTrue(secgroup.exists()) version2 = self.nb_api.get_security_group(sg_id).get_version() self.assertNotEqual(version1, version2) secgroup.close() self.assertFalse(secgroup.exists())
def test_create_delete_security_group(self): secgroup = objects.SecGroupTestObj(self.neutron, self.nb_api) self.addCleanup(secgroup.close) sg_id = secgroup.create() self.assertTrue(secgroup.exists()) secgroup_obj = secgroups.SecurityGroup(id=sg_id) version1 = self.nb_api.get(secgroup_obj).version secgroup.update() self.assertTrue(secgroup.exists()) secgroup_obj = secgroups.SecurityGroup(id=sg_id) version2 = self.nb_api.get(secgroup_obj).version self.assertNotEqual(version1, version2) secgroup.close() self.assertFalse(secgroup.exists())
def test_sg_version(self): secgroup = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) sg_id = secgroup.create() self.assertTrue(secgroup.exists()) version = self.nb_api.get_security_group(sg_id).get_version() secrule_id = secgroup.rule_create() self.assertTrue(secgroup.rule_exists(secrule_id)) new_version = self.nb_api.get_security_group(sg_id).get_version() self.assertGreater(new_version, version) secgroup.rule_delete(secrule_id) self.assertFalse(secgroup.rule_exists(secrule_id)) version = new_version new_version = self.nb_api.get_security_group(sg_id).get_version() self.assertGreater(new_version, version) secgroup.close() self.assertFalse(secgroup.exists())
def test_sg_version(self): secgroup = objects.SecGroupTestObj(self.neutron, self.nb_api) self.addCleanup(secgroup.close) sg_id = secgroup.create() self.assertTrue(secgroup.exists()) sg_obj = secgroups.SecurityGroup(id=sg_id) version = self.nb_api.get(sg_obj).version secrule_id = secgroup.rule_create() self.assertTrue(secgroup.rule_exists(secrule_id)) sg_obj = secgroups.SecurityGroup(id=sg_id) new_version = self.nb_api.get(sg_obj).version self.assertGreater(new_version, version) secgroup.rule_delete(secrule_id) self.assertFalse(secgroup.rule_exists(secrule_id)) version = new_version sg_obj = secgroups.SecurityGroup(id=sg_id) new_version = self.nb_api.get(sg_obj).version self.assertGreater(new_version, version) secgroup.close() self.assertFalse(secgroup.exists())
def _test_associating_flows(self, subnet_info): network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api)) network_id = network.create() self.assertTrue(network.exists()) subnet_info['network_id'] = network_id subnet = self.store( objects.SubnetTestObj(self.neutron, self.nb_api, network_id=network_id)) subnet.create(subnet_info) self.assertTrue(subnet.exists()) security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) vm = self.store(objects.VMTestObj(self, self.neutron)) vm.create(network=network, security_groups=[security_group_id]) addresses = vm.server.addresses['mynetwork'] self.assertIsNotNone(addresses) ip = addresses[0]['addr'] self.assertIsNotNone(ip) mac = addresses[0]['OS-EXT-IPS-MAC:mac_addr'] self.assertIsNotNone(mac) port = utils.wait_until_is_and_return( lambda: utils.get_vm_port(self.nb_api, ip, mac), exception=Exception('No port assigned to VM')) tunnel_key = port.unique_key tunnel_key_hex = hex(tunnel_key) of_port = self.vswitch_api.get_port_ofport_by_id(port.id) self.assertIsNotNone(of_port) ovs = utils.OvsFlowsParser() flows_after_change = ovs.dump(self.integration_bridge) # Check if the associating flows were installed. ingress_associating_flow, egress_associating_flow = \ self._find_associating_flows(flows_after_change, tunnel_key_hex) LOG.info( "flows after associating a port and a security group" " are: %s", ovs.get_ovs_flows(self.integration_bridge)) self.assertIsNotNone(ingress_associating_flow) self.assertIsNotNone(egress_associating_flow) vm.close() time.sleep(test_const.DEFAULT_RESOURCE_READY_TIMEOUT) flows_after_update = ovs.dump(self.integration_bridge) # Check if the associating flows were removed. ingress_associating_flow, egress_associating_flow = \ self._find_associating_flows(flows_after_update, tunnel_key_hex) self.assertIsNone(ingress_associating_flow) self.assertIsNone(egress_associating_flow)
def setUp(self): super(TestSGApp, self).setUp() self.topology = None self.policy = None try: security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) security_group2 = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id2 = security_group2.create() self.assertTrue(security_group2.exists()) self.topology = self.store( app_testing_objects.Topology(self.neutron, self.nb_api)) self.subnet = self.topology.create_subnet(cidr='192.168.14.0/24') self.port1 = self.subnet.create_port() self.port2 = self.subnet.create_port() self.port3 = self.subnet.create_port([security_group_id]) port1_lport = self.port1.port.get_logical_port() self.assertIsNotNone(port1_lport) port1_fixed_ip = port1_lport.get_ip() port2_lport = self.port2.port.get_logical_port() self.assertIsNotNone(port2_lport) port2_fixed_ip = port2_lport.get_ip() egress_rule_info = { 'ethertype': 'IPv4', 'direction': 'egress', 'protocol': 'icmp' } egress_rule_id = security_group.rule_create( secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) egress_rule_id2 = security_group2.rule_create( secrule=egress_rule_info) self.assertTrue(security_group2.rule_exists(egress_rule_id2)) ingress_rule_info = { 'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'icmp', 'remote_ip_prefix': port1_fixed_ip + "/32" } ingress_rule_id = security_group.rule_create( secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) ingress_rule_info2 = { 'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'icmp', 'remote_ip_prefix': port2_fixed_ip + "/32" } ingress_rule_id2 = security_group2.rule_create( secrule=ingress_rule_info2) self.assertTrue(security_group2.rule_exists(ingress_rule_id2)) self.active_security_group_id = security_group_id self.inactive_security_group_id = security_group_id2 self.permit_port_id = self.port1.port_id self.no_permit_port_id = self.port2.port_id self.permit_icmp_request = self._get_icmp_request1 self.no_permit_icmp_request = self._get_icmp_request2 time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) self._update_policy() except Exception: if self.topology: self.topology.close() raise
def setUp(self): super(SfcTestsCommonBase, self).setUp() self.security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = self.security_group.create() self.assertTrue(self.security_group.exists()) for direction, ethertype, protocol in itertools.product( ('ingress', 'egress'), (constants.IPv4, constants.IPv6), (constants.PROTO_NAME_TCP, constants.PROTO_NAME_UDP), ): rule = { 'direction': direction, 'ethertype': ethertype, 'protocol': protocol, 'port_range_min': 1, 'port_range_max': 65535, } rule_id = self.security_group.rule_create(secrule=rule) self.assertTrue(self.security_group.rule_exists(rule_id)) self.topology = self.store( app_testing_objects.Topology( self.neutron, self.nb_api, ), ) self.subnet = self.topology.create_subnet( cidr=IPV4_CIDR, enable_dhcp=True, allocation_pool=IPV4_ALLOCATION_POOL, ) self.subnet_ipv6 = self.topology.create_subnet( cidr=IPV6_CIDR, enable_dhcp=True, allocation_pool=IPV6_ALLOCATION_POOL, ) self.src_port = self.subnet.create_port([security_group_id]) self.dst_port = self.subnet.create_port([security_group_id]) self.src_port.update({ 'name': 'src_port', 'admin_state_up': True, 'fixed_ips': [ { 'ip_address': SRC_IPV4_1 }, { 'ip_address': SRC_IPV4_2 }, { 'ip_address': SRC_IPV6_1 }, { 'ip_address': SRC_IPV6_2 }, ], }) self.dst_port.update({ 'name': 'dst_port', 'admin_state_up': True, 'fixed_ips': [ { 'ip_address': DST_IPV4_1 }, { 'ip_address': DST_IPV4_2 }, { 'ip_address': DST_IPV6_1 }, { 'ip_address': DST_IPV6_2 }, ], }) self.src_lport = self.nb_api.get( l2.LogicalPort(id=self.src_port.port.port_id), ) self.dst_lport = self.nb_api.get( l2.LogicalPort(id=self.dst_port.port.port_id), )
def setUp(self): super(TestPortSecApp, self).setUp() self.topology = None self.policy = None self._ping = None self.icmp_id_cursor = int(time.mktime(time.gmtime())) & 0xffff try: security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) egress_rule_info = { 'ethertype': 'IPv4', 'direction': 'egress', 'protocol': 'icmp' } egress_rule_id = security_group.rule_create( secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) ingress_rule_info = { 'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'icmp', 'remote_ip_prefix': "192.168.196.0/24" } ingress_rule_id = security_group.rule_create( secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) self.topology = self.store( app_testing_objects.Topology(self.neutron, self.nb_api)) self.subnet = self.topology.create_subnet(cidr='192.168.196.0/24') self.port1 = self.subnet.create_port() self.port1.update({ "allowed_address_pairs": [{ "ip_address": "192.168.196.100", "mac_address": "10:20:99:99:99:99" }] }) self.port2 = self.subnet.create_port([security_group_id]) time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) port_policies = self._create_port_policies() self.policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_fake_ip), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_fake_mac), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_vm_ip_mac), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_allowed_address_pair), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) except Exception: if self.topology: self.topology.close() raise
def test_rule_flows(self): network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api)) network_id = network.create(network={'name': 'test_network2'}) self.assertTrue(network.exists()) subnet_info = { 'network_id': network_id, 'cidr': '192.168.124.0/24', 'gateway_ip': '192.168.124.1', 'ip_version': 4, 'name': 'test_subnet4', 'enable_dhcp': True } subnet = self.store( objects.SubnetTestObj(self.neutron, self.nb_api, network_id=network_id)) subnet.create(subnet_info) security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) ingress_rule_info = { 'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'tcp', 'port_range_min': '80', 'port_range_max': '81', 'remote_ip_prefix': '192.168.124.0/24' } ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) egress_rule_info = { 'ethertype': 'IPv4', 'direction': 'egress', 'protocol': '17', 'port_range_min': '53', 'port_range_max': '53', 'remote_group_id': security_group_id } egress_rule_id = security_group.rule_create(secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) vm1 = self.store(objects.VMTestObj(self, self.neutron)) vm1.create(network=network, security_groups=[security_group_id], net_address='192.168.124.8') vm2 = self.store(objects.VMTestObj(self, self.neutron)) vm2.create(network=network, security_groups=[security_group_id], net_address='192.168.124.9') time.sleep(test_const.DEFAULT_RESOURCE_READY_TIMEOUT) ovs = utils.OvsFlowsParser() flows = ovs.dump(self.integration_bridge) LOG.info(_LI("flows after adding rules are: %s"), ovs.get_ovs_flows(self.integration_bridge)) # Check if the rule flows were installed. expected_ingress_rule_match = \ "tcp,nw_src=192.168.124.0/24,tp_dst=0x50/0xfffe" expected_egress_rule_match = \ "udp,nw_dst=192.168.124.8/31,tp_dst=53" self._check_rule_flows(flows, expected_ingress_rule_match, expected_egress_rule_match, True) vm1.close() vm2.close()
def test_rule_flows(self): network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api)) network_id = network.create(network={'name': 'test_network2'}) self.assertTrue(network.exists()) subnet_info = { 'network_id': network_id, 'cidr': '192.168.124.0/24', 'gateway_ip': '192.168.124.1', 'ip_version': 4, 'name': 'test_subnet4', 'enable_dhcp': True } subnet = self.store( objects.SubnetTestObj(self.neutron, self.nb_api, network_id=network_id)) subnet.create(subnet_info) security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) ingress_rule_info = { 'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'tcp', 'port_range_min': '8000', 'port_range_max': '8100', 'remote_ip_prefix': '192.168.124.0/24' } ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) egress_rule_info = { 'ethertype': 'IPv4', 'direction': 'egress', 'protocol': '17', 'port_range_min': '53', 'port_range_max': '53', 'remote_group_id': security_group_id } egress_rule_id = security_group.rule_create(secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) vm = self.store(objects.VMTestObj(self, self.neutron)) vm.create(network=network, security_groups=[security_group_id]) time.sleep(utils.DEFAULT_CMD_TIMEOUT) ovs = utils.OvsFlowsParser() flows_after_change = ovs.dump() LOG.info(_LI("flows after adding rules are: %s"), ovs.get_ovs_flows()) # Check if the rule flows were installed. self._check_rule_flows(flows_after_change, True) vm.server.stop() vm.close()
def test_associating_flows(self): network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api)) network_id = network.create(network={'name': 'test_network1'}) self.assertTrue(network.exists()) subnet_info = { 'network_id': network_id, 'cidr': '192.168.123.0/24', 'gateway_ip': '192.168.123.1', 'ip_version': 4, 'name': 'test_subnet1', 'enable_dhcp': True } subnet = self.store( objects.SubnetTestObj(self.neutron, self.nb_api, network_id=network_id)) subnet.create(subnet_info) self.assertTrue(subnet.exists()) security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) vm = self.store(objects.VMTestObj(self, self.neutron)) vm.create(network=network, security_groups=[security_group_id]) addresses = vm.server.addresses['test_network1'] self.assertIsNotNone(addresses) ip = addresses[0]['addr'] self.assertIsNotNone(ip) mac = addresses[0]['OS-EXT-IPS-MAC:mac_addr'] self.assertIsNotNone(mac) port = utils.wait_until_is_and_return( lambda: self._get_vm_port(ip, mac), exception=Exception('No port assigned to VM')) tunnel_key = port.get_tunnel_key() tunnel_key_hex = hex(tunnel_key) of_port = self._get_of_port(port.get_id()) self.assertIsNotNone(of_port) ovs = utils.OvsFlowsParser() flows_after_change = ovs.dump() # Check if the associating flows were installed. ingress_associating_flow, egress_associating_flow = \ self._find_associating_flows(flows_after_change, of_port, tunnel_key_hex) LOG.info( _LI("flows after associating a port and a security group" " are: %s"), ovs.get_ovs_flows()) self.assertIsNotNone(ingress_associating_flow) self.assertIsNotNone(egress_associating_flow) vm.server.stop() vm.close() time.sleep(utils.DEFAULT_CMD_TIMEOUT) flows_after_update = ovs.dump() # Check if the associating flows were removed. ingress_associating_flow, egress_associating_flow = \ self._find_associating_flows(flows_after_update, of_port, tunnel_key_hex) self.assertIsNone(ingress_associating_flow) self.assertIsNone(egress_associating_flow)
def _test_rule_flows(self, subnet_info): network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api)) network_id = network.create() self.assertTrue(network.exists()) cidr = subnet_info['cidr'] network_obj = netaddr.IPNetwork(cidr) ethertype = utils.ip_version_to_ethertype(subnet_info['ip_version']) gateway_ip = network_obj[1] subnet_info['gateway_ip'] = gateway_ip subnet_info['network_id'] = network_id subnet = self.store( objects.SubnetTestObj(self.neutron, self.nb_api, network_id=network_id)) subnet.create(subnet_info) security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) ingress_rule_info = { 'ethertype': ethertype, 'direction': 'ingress', 'protocol': 'tcp', 'port_range_min': '80', 'port_range_max': '81', 'remote_ip_prefix': cidr } ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) egress_rule_info = { 'ethertype': ethertype, 'direction': 'egress', 'protocol': 'udp', 'port_range_min': '53', 'port_range_max': '53', 'remote_group_id': security_group_id } egress_rule_id = security_group.rule_create(secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) # Get addresses for VMs vm1_ip = network_obj[4] vm2_ip = network_obj[5] vm1 = self.store(objects.VMTestObj(self, self.neutron)) vm1.create(network=network, security_groups=[security_group_id], net_address=vm1_ip) vm2 = self.store(objects.VMTestObj(self, self.neutron)) vm2.create(network=network, security_groups=[security_group_id], net_address=vm2_ip) time.sleep(test_const.DEFAULT_RESOURCE_READY_TIMEOUT) ovs = utils.OvsFlowsParser() flows = ovs.dump(self.integration_bridge) LOG.info("flows after adding rules are: %s", ovs.get_ovs_flows(self.integration_bridge)) # Check if the rule flows were installed. if ethertype == n_const.IPv4: expected_ingress_match = "tcp,nw_src={}".format(network_obj) elif ethertype == n_const.IPv6: expected_ingress_match = "tcp6,ipv6_src={}".format(network_obj) expected_ingress_match += ",tp_dst=0x50/0xfffe" # Calculate vm1, vm2 network vms_ip_set = netaddr.IPSet([vm1_ip, vm2_ip]) vms_ip_set.compact() if ethertype == n_const.IPv4: expected_egress_match = "udp,nw_dst={}".format(vms_ip_set.pop()) elif ethertype == n_const.IPv6: expected_egress_match = "udp6,ipv6_dst={}".format(vms_ip_set.pop()) expected_egress_match += ",tp_dst=53" self._check_rule_flows(flows, expected_ingress_match, expected_egress_match, True) vm1.close() vm2.close()