def _set_features(self): if Topology.nuage_release.major_release == '4.0': self.full_external_id_support = Topology.from_nuage('4.0R5') self.vsd_managed_dualstack_subnets = Topology.from_nuage('4.0VZ') else: self.full_external_id_support = True self.ml2_limited_exceptions = False self.full_os_networking = True self.vsd_managed_dualstack_subnets = Topology.is_ml2 self.os_managed_dualstack_subnets = (Topology.from_nuage('5.1') and self.ipv6_enabled) self.project_name_in_vsd = Topology.from_nuage('5.1') self.stateless_security_groups = Topology.from_nuage('5.2') self.route_to_underlay = Topology.from_nuage('5.2') self.switchdev_offload = Topology.from_nuage('6.0')
def test_create_update_delete_sg(self): sg = self.create_security_group() sg2 = self.create_security_group() # Create for ipversions: # - normal rule, for all applicable protocols # - normal rule, TCP protocol, port 80 # - normal rule, UDP protocol, port 80, egress # - networkmacro rule for 90.0.0.0/24 # - remote group id rule for SG2 for ip_version in self.ip_versions: ethertype = 'IPv' + str(ip_version) # - normal rule, for all applicable protocols if ip_version == 6: if Topology.up_to_openstack('stein'): protocols = (n_constants.IPV6_PROTO_NAME + [n_constants.IPV6_PROTO_NAME_LEGACY]) else: # Train onwards, legacy is canonicalized # https://review.opendev.org/#/c/453346/14 protocols = n_constants.IPV6_PROTO_NAME else: protocols = n_constants.IPV4_PROTO_NAME for protocol in protocols: self.create_security_group_rule_with_manager( sg, protocol=protocol, direction='ingress', ethertype=ethertype) # - normal rule, TCP protocol, port 80 self.create_security_group_rule_with_manager(sg, protocol='tcp', direction='ingress', ethertype=ethertype, port_range_min=80, port_range_max=80) # - normal rule, UDP protocol, port 80, egress self.create_security_group_rule_with_manager(sg, protocol='udp', direction='egress', ethertype=ethertype, port_range_min=80, port_range_max=80) # - networkmacro rule for 90.0.0.0/24 or cafe:babe::/64 remote_ip_prefix = ('90.0.0.0/24' if ip_version == 4 else 'cafe:babe::/64') self.create_security_group_rule_with_manager( sg, direction='egress', ethertype=ethertype, remote_ip_prefix=remote_ip_prefix) # - remote group id rule for SG2 self.create_security_group_rule_with_manager( sg, direction='egress', ethertype=ethertype, remote_group_id=sg2['id']) port = self.create_port(self.network, security_groups=[sg['id']]) # Verify VSD # Get updated SG with SGRules sg = self.get_security_group(sg['id']) self._verify_sg(sg, ports=[port]) # Update Security group name name = "updated SG name" sg = self.update_security_group(sg, name=name) self._verify_sg(sg, ports=[port]) # Delete port from SG self.delete_port(port) # cleanup happens before 20.10, not after. pg_expected = Topology.from_nuage('20.10') self._verify_sg(sg, ports=[], pg_expected_without_port=pg_expected)
def _verify_sg_rule(self, pg, sg, sg_rule, is_reverse_rule=False, domain=None): """_verify_sg_rule :param pg: Policygroup :param sg: Securitygroup :param sg_rule: security group rule to check :param is_reverse_rule: True if the rule is a reverse rule of an actual sg_rule. Used for not checking the reverse of a reverse rule. :param domain: VSD domain where ACL is located """ domain = domain or self.domain is_ipv4 = sg_rule['ethertype'] == 'IPv4' stateful_icmp_types = (n_constants.STATEFUL_ICMP_V4_TYPES if is_ipv4 else n_constants.STATEFUL_ICMP_V6_TYPES) ext_id_filter = self.vsd.get_external_id_filter(sg_rule['id']) if sg_rule['direction'] == 'ingress': acl_entry = domain.egress_acl_entry_templates.get_first( filter=ext_id_filter) else: acl_entry = domain.ingress_acl_entry_templates.get_first( filter=ext_id_filter) self.assertIsNotNone( acl_entry, "aclEntryTemplate not found for " "SG Rule: {}".format(sg_rule)) # Remote group id refers to another Policy Group remote_pg = None if sg_rule.get('remote_group_id'): ext_id_filter = self.vsd.get_external_id_filter( sg_rule['remote_group_id']) remote_pgs = domain.policy_groups.get(ext_id_filter) self.assertNotEmpty(remote_pgs, "Remote PG not found") remote_pg = remote_pgs[0] # Remote ip prefix refers to enterprise network / network macro enterprise_network = None if sg_rule.get('remote_ip_prefix'): ip_network = netaddr.IPNetwork(sg_rule['remote_ip_prefix']) enterprise_network = self._get_enterprise_network(ip_network) # Ethertype self.assertEqual(n_constants.PROTO_NAME_TO_NUM[sg_rule['ethertype']], acl_entry.ether_type) # Protocol os_protocol = sg_rule['protocol'] try: expected_protocol = int(os_protocol) except (ValueError, TypeError): if not os_protocol: expected_protocol = 'ANY' elif os_protocol == 'icmp' and sg_rule['ethertype'] == 'IPv6': expected_protocol = n_constants.PROTO_NAME_TO_NUM['icmpv6'] else: expected_protocol = n_constants.PROTO_NAME_TO_NUM[os_protocol] self.assertEqual(expected_protocol, acl_entry.protocol) # Stateful if not sg['stateful']: expected_stateful = False elif str(os_protocol) in ['icmp', 'icmpv6', 'ipv6-icmp', 1, 58]: if Topology.up_to_nuage('5.4') and not is_ipv4: # no support for icmp v6 in 5.4 expected_stateful = True else: # ICMP rules are not stateful unless special cases if (not sg_rule['port_range_min'] and not sg_rule['port_range_max']): expected_stateful = False elif (sg_rule['port_range_min'] not in stateful_icmp_types): expected_stateful = False else: expected_stateful = True else: expected_stateful = True self.assertEqual(expected_stateful, acl_entry.stateful) # Network Type if (sg_rule.get('remote_group_id') or sg_rule.get('remote_external_group_id')): expected_network_type = 'POLICYGROUP' elif sg_rule.get('remote_ip_prefix'): expected_network_type = 'ENTERPRISE_NETWORK' else: if Topology.from_nuage('20.10'): expected_network_type = 'ANY' else: # Legacy usage of ANY network macro / enterprise network expected_network_type = 'ENTERPRISE_NETWORK' self.assertEqual(expected_network_type, acl_entry.network_type) # Network ID if sg_rule.get('remote_external_group_id'): expected_network_id = sg_rule['remote_external_group_id'] elif sg_rule.get('remote_ip_prefix'): expected_network_id = enterprise_network.id elif sg_rule.get('remote_group_id'): expected_network_id = remote_pg.id else: if Topology.from_nuage('20.10'): # No network id, as ANY type is used expected_network_id = None else: # Legacy usage of ANY network macro / enterprise network address = '0.0.0.0/0' if is_ipv4 else '::/0' ip_network = netaddr.IPNetwork(address) enterprise_network = self._get_enterprise_network(ip_network) expected_network_id = enterprise_network.id self.assertEqual(expected_network_id, acl_entry.network_id) # Location type self.assertEqual('POLICYGROUP', acl_entry.location_type) # Location ID self.assertEqual(pg.id, acl_entry.location_id) # Action self.assertEqual('FORWARD', acl_entry.action) # DSCP self.assertEqual('*', acl_entry.dscp) # TCP/UDP specific attributes if sg_rule['protocol'] in ['tcp', 'udp']: # Source port self.assertEqual('*', acl_entry.source_port) # Destination port if (not sg_rule['port_range_min'] and not sg_rule['port_range_max']): expected_dest_port = '*' elif sg_rule['port_range_min'] == sg_rule['port_range_max']: expected_dest_port = str(sg_rule['port_range_min']) else: expected_dest_port = '{}-{}'.format(sg_rule['port_range_min'], sg_rule['port_range_max']) self.assertEqual(expected_dest_port, acl_entry.destination_port) # ICMP specific attributes elif sg_rule['protocol'] in ['icmp', 'icmpv6', 'ipv6-icmp', 1, 58]: if sg_rule['port_range_min']: self.assertEqual(str(sg_rule['port_range_min']), acl_entry.icmp_type) if sg_rule['port_range_max']: self.assertEqual(str(sg_rule['port_range_max']), acl_entry.icmp_code) # check reverse ICMP rule if needed if Topology.up_to_nuage('5.4') and not is_ipv4: # no support for icmpv6 reverse rules return else: acl_icmp_type = (int(acl_entry.icmp_type) if acl_entry.icmp_type != '*' else '*') if (acl_icmp_type not in stateful_icmp_types and not is_reverse_rule): sg_rule['direction'] = ('ingress' if sg_rule['direction'] == 'egress' else 'egress') self._verify_sg_rule(pg, sg, sg_rule, is_reverse_rule=True, domain=domain)
class AllowedAddressPairTest(base.BaseNetworkTest): _interface = 'json' _address_in_vsd = 'address' @classmethod def setup_clients(cls): super(AllowedAddressPairTest, cls).setup_clients() cls.nuage_client = NuageRestClient() @classmethod def resource_setup(cls): super(AllowedAddressPairTest, cls).resource_setup() if not utils.is_extension_enabled('allowed-address-pairs', 'network'): msg = "Allowed Address Pairs extension not enabled." raise cls.skipException(msg) cls.network = cls.create_network() cls.subnet = cls.create_subnet(cls.network) cls.ext_net_id = CONF.network.public_network_id cls.l3network = cls.create_network() cls.l3subnet = cls.create_subnet(cls.l3network) cls.router = cls.create_router(data_utils.rand_name('router-'), external_network_id=cls.ext_net_id) cls.create_router_interface(cls.router['id'], cls.l3subnet['id']) def _verify_port_by_id(self, port_id): body = self.ports_client.list_ports() ports = body['ports'] port = [p for p in ports if p['id'] == port_id] msg = 'Created port not found in list of ports returned by Neutron' self.assertTrue(port, msg) def _verify_port_allowed_address_fields(self, port, addrpair_ip, addrpair_mac): ip_address = port['allowed_address_pairs'][0]['ip_address'] mac_address = port['allowed_address_pairs'][0]['mac_address'] self.assertEqual(addrpair_ip, ip_address) self.assertEqual(addrpair_mac, mac_address) def create_port(self, network, cleanup=True, **kwargs): if CONF.network.port_vnic_type and 'binding:vnic_type' not in kwargs: kwargs['binding:vnic_type'] = CONF.network.port_vnic_type if CONF.network.port_profile and 'binding:profile' not in kwargs: kwargs['binding:profile'] = CONF.network.port_profile port = super(AllowedAddressPairTest, self).create_port(network, **kwargs) if cleanup: self.addCleanup(self.ports_client.delete_port, port['id']) return port def test_create_address_pair_on_l2domain_with_no_mac(self): # Create port with allowed address pair attribute # For /32 cidr addrpair_port = self.create_port(self.network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'] }] port = self.create_port(network=self.network, allowed_address_pairs=allowed_address_pairs) # routersubnetbind new_router = self.create_router('r') self.create_router_interface(new_router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], port['mac_address']) self.routers_client.remove_router_interface( new_router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], port['mac_address']) # Check address spoofing is disabled on vport in VSD nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) @testtools.skipIf(CONF.nuage_sut.ipam_driver == 'nuage_vsd_managed', 'This scenario cannot be reproduced with vsd ipam. ' 'Extra validation for vsd ipam prevents it.') def test_create_address_pair_on_l2domain_update_fixed_ip(self): # Create port with allowed address pair attribute # For /32 cidr port = self.create_port(self.network) allowed_address_pairs = [{ 'ip_address': port['fixed_ips'][0]['ip_address'], 'mac_address': port['mac_address'] }] port = self.update_port(port, allowed_address_pairs=allowed_address_pairs) # Check address spoofing is disabled on vport in VSD nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) # Update fixed ip # Get free IP in subnet addrpair_port = self.create_port(self.network, cleanup=False) ip = addrpair_port['fixed_ips'][0]['ip_address'] self.ports_client.delete_port(addrpair_port['id']) subnet_id = port['fixed_ips'][0]['subnet_id'] self.update_port(port, fixed_ips=[{ 'subnet_id': subnet_id, 'ip_address': ip }]) nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) @decorators.attr(type='smoke') def test_create_address_pair_on_l2domain_with_mac_routersubnetbind(self): # Create port with allowed address pair attribute # For /32 cidr addrpair_port = self.create_port(self.network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port['mac_address'] }] port = self.create_port(network=self.network, allowed_address_pairs=allowed_address_pairs) # routersubnetbind new_router = self.create_router('r') self.create_router_interface(new_router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) self.routers_client.remove_router_interface( new_router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) # Check address spoofing is disabled on vport in VSD nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) def test_create_address_pair_on_l2domain_with_cidr(self): # Create port with AAP for non /32 cidr ip_address = '30.30.0.0/24' mac_address = 'fe:a0:36:4b:c8:70' allowed_address_pairs = [{ 'ip_address': ip_address, 'mac_address': mac_address }] port = self.create_port(network=self.network, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields(port, ip_address, mac_address) # Check address spoofing is disabled on vport in VSD nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) def test_create_address_pair_on_l2domain_with_cidr_routersubnetbind(self): # Create port with AAP for non /32 cidr ip_address = '30.30.0.0/24' mac_address = 'fe:a0:36:4b:c8:70' allowed_address_pairs = [{ 'ip_address': ip_address, 'mac_address': mac_address }] port = self.create_port(network=self.network, allowed_address_pairs=allowed_address_pairs) # routersubnetbind new_router = self.create_router('r') self.create_router_interface(new_router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields(port, ip_address, mac_address) self.routers_client.remove_router_interface( new_router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields(port, ip_address, mac_address) # Check address spoofing is disabled on vport in VSD nuage_subnet = self.nuage_client.get_l2domain(by_subnet=self.subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.L2_DOMAIN, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) @decorators.attr(type='smoke') def test_create_address_pair_on_l3subnet_with_mac(self): # Create port with allowed address pair attribute addrpair_port = self.create_port(self.l3network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port['mac_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) # routersubnetbind self.routers_client.remove_router_interface( self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) self.create_router_interface(self.router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) @decorators.attr(type='smoke') def test_create_address_pair_on_l3subnet_with_mac_routersubnetbind(self): # Create port with allowed address pair attribute addrpair_port = self.create_port(self.l3network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port['mac_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) # routersubnetbind self.routers_client.remove_router_interface( self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) self.create_router_interface(self.router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) def test_create_address_pair_on_l3subnet_with_no_mac(self): # Create port with allowed address pair attribute addrpair_port = self.create_port(self.l3network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_by_id(port['id']) self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], port['mac_address']) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port['fixed_ips'][0]['ip_address'])) self.assertEqual(port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) def test_create_address_pair_on_l3subnet_with_cidr(self): # Create port with allowed address pair attribute ip_address = '30.30.0.0/24' mac_address = 'fe:a0:36:4b:c8:70' allowed_address_pairs = [{ 'ip_address': ip_address, 'mac_address': mac_address }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields(port, ip_address, mac_address) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) def test_create_address_pair_on_l3subnet_with_cidr_routersubnetbind(self): # Create port with allowed address pair attribute ip_address = '30.30.0.0/24' mac_address = 'fe:a0:36:4b:c8:70' allowed_address_pairs = [{ 'ip_address': ip_address, 'mac_address': mac_address }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) # routersubnetbind self.routers_client.remove_router_interface( self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields(port, ip_address, mac_address) self.create_router_interface(self.router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields(port, ip_address, mac_address) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_ENABLED, nuage_vport[0]['addressSpoofing']) @decorators.attr(type='smoke') def test_update_address_pair_on_l3subnet(self): addrpair_port_1 = self.create_port(self.l3network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port_1['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port_1['mac_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, allowed_address_pairs[0]['ip_address'], allowed_address_pairs[0]['mac_address']) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port_1['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Update the address pairs # Create port with allowed address pair attribute addrpair_port_2 = self.create_port(self.l3network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port_2['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port_2['mac_address'] }] port = self.update_port(port, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port_2['fixed_ips'][0]['ip_address'], addrpair_port_2['mac_address']) # Verify new VIP is created port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port_2['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port_2['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Verify old VIP is deleted nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address'])) self.assertEmpty(nuage_vip) # Subnet attach/detach are not fully synchronous @decorators.attr(type='smoke') def test_update_address_pair_on_l3subnet_routersubnetbind(self): # Test now uses fixed ips, so random error when a port is created # with the ip of the dhcp port in L2 is prevented. ip = IPAddress(self.l3subnet['allocation_pools'][0]['start']) ip += 2 # first ip or second ip is external dhcp port addrpair_port_1 = self.create_port(self.l3network, fixed_ips=[{ 'subnet_id': self.l3subnet['id'], 'ip_address': str(ip) }], device_owner='nuage:vip') ip += 1 allowed_address_pairs = [{ 'ip_address': addrpair_port_1['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port_1['mac_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs, fixed_ips=[{ 'subnet_id': self.l3subnet['id'], 'ip_address': str(ip) }]) ip += 1 # routersubnetbind self.routers_client.remove_router_interface( self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, allowed_address_pairs[0]['ip_address'], allowed_address_pairs[0]['mac_address']) self.create_router_interface(self.router['id'], port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, allowed_address_pairs[0]['ip_address'], allowed_address_pairs[0]['mac_address']) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port_1['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Update the address pairs # Create port with allowed address pair attribute addrpair_port_2 = self.create_port(self.l3network, fixed_ips=[{ 'subnet_id': self.l3subnet['id'], 'ip_address': str(ip) }], device_owner='nuage:vip') ip += 1 allowed_address_pairs = [{ 'ip_address': addrpair_port_2['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port_2['mac_address'] }] port = self.update_port(port, allowed_address_pairs=allowed_address_pairs) # routersubnetbind self.routers_client.remove_router_interface( self.router['id'], subnet_id=port['fixed_ips'][0]['subnet_id']) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port_2['fixed_ips'][0]['ip_address'], addrpair_port_2['mac_address']) self.create_router_interface(self.router['id'], port['fixed_ips'][0]['subnet_id']) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port_2['fixed_ips'][0]['ip_address'], addrpair_port_2['mac_address']) # Verify new VIP is created port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port_2['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port_2['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Verify old VIP is deleted nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port_1['fixed_ips'][0]['ip_address'])) self.assertEmpty(nuage_vip) def test_fip_allowed_address_pairs_assoc(self): if self._ip_version == 6: self.skipTest('Skipping FIP to VIP in IPV6') post_body = {"device_owner": 'nuage:vip'} addrpair_port = self.create_port(self.l3network, **post_body) allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port['mac_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, allowed_address_pairs[0]['ip_address'], allowed_address_pairs[0]['mac_address']) body = self.floating_ips_client.create_floatingip( floating_network_id=self.ext_net_id, port_id=addrpair_port['id']) created_floating_ip = body['floatingip'] self.assertIsNotNone(created_floating_ip['id']) self.assertEqual(created_floating_ip['fixed_ip_address'], addrpair_port['fixed_ips'][0]['ip_address']) # VSD validation of VIP to FIP association l3dom_ext_id = self.nuage_client.get_vsd_external_id(self.router['id']) nuage_domain = self.nuage_client.get_l3domain( filters='externalID', filter_values=l3dom_ext_id) nuage_domain_fip = self.nuage_client.get_floatingip( n_constants.DOMAIN, nuage_domain[0]['ID']) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port['fixed_ips'][0]['ip_address'])) self.assertEqual(nuage_domain_fip[0]['ID'], nuage_vip[0]['associatedFloatingIPID']) self.assertEqual(nuage_domain_fip[0]['assignedToObjectType'], 'virtualip') self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) self.floating_ips_client.delete_floatingip(created_floating_ip['id']) def test_allowed_address_pair_extraroute(self): addrpair_port = self.create_port(self.l3network, device_owner='nuage:vip') allowed_address_pairs = [{ 'ip_address': addrpair_port['fixed_ips'][0]['ip_address'], 'mac_address': addrpair_port['mac_address'] }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_by_id(port['id']) # Confirm port was created with allowed address pair attribute self._verify_port_allowed_address_fields( port, addrpair_port['fixed_ips'][0]['ip_address'], addrpair_port['mac_address']) # update the extra route next_hop = addrpair_port['fixed_ips'][0]['ip_address'] destination = ('2003:a:b::5/128' if self._ip_version == 6 else '201.1.1.5/32') test_routes = [{'nexthop': next_hop, 'destination': destination}] extra_route = self.routers_client.update_router(self.router['id'], routes=test_routes) self.addCleanup(self.routers_client.update_router, self.router['id'], routes=None) self.assertEqual(1, len(extra_route['router']['routes'])) self.assertEqual(destination, extra_route['router']['routes'][0]['destination']) self.assertEqual(next_hop, extra_route['router']['routes'][0]['nexthop']) show_body = self.routers_client.show_router(self.router['id']) self.assertEqual(destination, show_body['router']['routes'][0]['destination']) self.assertEqual(next_hop, show_body['router']['routes'][0]['nexthop']) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=str(addrpair_port['fixed_ips'][0]['ip_address'])) self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Check static roues on VSD nuage_static_route = self.nuage_client.get_staticroute( parent=n_constants.DOMAIN, parent_id=nuage_domain[0]['ID']) self.assertEqual(nuage_static_route[0]['nextHopIp'], next_hop, "wrong nexthop") @testtools.skipUnless( Topology.from_nuage('20.10R2') or Topology.from_nuage('6.0.12', within_stream='6.0') or Topology.from_nuage('5.4.1.U16', within_stream='5.4'), "Single IP VIP CIDR not allowed on older releases.") def test_allowed_address_pair_single_ip_cidr(self): """test_allowed_address_pair_single_ip_cidr Test that using CIDR notation with an address range of only one ip is allowed. """ addrpair_port = self.create_port(self.l3network, device_owner='nuage:vip') cidr_suffix = '/32' if self._ip_version == 4 else '/128' ip_address = addrpair_port['fixed_ips'][0]['ip_address'] + cidr_suffix mac_address = addrpair_port['mac_address'] allowed_address_pairs = [{ 'ip_address': ip_address, 'mac_address': mac_address }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_allowed_address_fields(port, ip_address, mac_address) # Check VIP is created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=addrpair_port['fixed_ips'][0]['ip_address']) self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Verify clearing self.update_port(port=port, allowed_address_pairs=[]) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=addrpair_port['fixed_ips'][0]['ip_address']) self.assertIsNot(nuage_vip, "Found VIP after deleting address pair") @testtools.skipUnless( Topology.from_nuage('20.10R2') or Topology.from_nuage('6.0.12', within_stream='6.0') or Topology.from_nuage('5.4.1.U16', within_stream='5.4'), "Single IP VIP CIDR not allowed on older releases.") def test_allowed_address_pair_single_ip_cidr_delete_other_aap(self): """test_allowed_address_pair_single_ip_cidr_delete_other_aap Test that using CIDR notation with an address range of only one ip is allowed, a second AAP does not interfere and deleting that second AAP does not delete the original /32 CIDR AAP. This tests the deletion of AAP flow. """ addrpair_port = self.create_port(self.l3network, device_owner='nuage:vip') addrpair_port2 = self.create_port(self.l3network, device_owner='nuage:vip') cidr_suffix = '/32' if self._ip_version == 4 else '/128' ip_address = addrpair_port['fixed_ips'][0]['ip_address'] + cidr_suffix mac_address = addrpair_port['mac_address'] allowed_address_pairs = [{ 'ip_address': ip_address, 'mac_address': mac_address }] port = self.create_port(network=self.l3network, allowed_address_pairs=allowed_address_pairs) self._verify_port_allowed_address_fields(port, ip_address, mac_address) # Update port with second ip ip_address2 = addrpair_port2['fixed_ips'][0]['ip_address'] mac_address2 = addrpair_port2['mac_address'] allowed_address_pairs_update = [ { 'ip_address': ip_address, 'mac_address': mac_address }, { 'ip_address': ip_address2, 'mac_address': mac_address2 }, ] self.update_port(port, allowed_address_pairs=allowed_address_pairs_update) # Check VIPs are created in VSD l3domain_ext_id = self.nuage_client.get_vsd_external_id( self.router['id']) nuage_domain = self.nuage_client.get_resource( n_constants.DOMAIN, filters='externalID', filter_values=l3domain_ext_id) nuage_subnet = self.nuage_client.get_domain_subnet( n_constants.DOMAIN, nuage_domain[0]['ID'], by_subnet=self.l3subnet) port_ext_id = self.nuage_client.get_vsd_external_id(port['id']) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) # First VIP nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=addrpair_port['fixed_ips'][0]['ip_address']) self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Second vip nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=addrpair_port2['fixed_ips'][0]['ip_address']) self.assertEqual(addrpair_port2['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id'])) # Verify clearing to only first address pair self.update_port(port, allowed_address_pairs=allowed_address_pairs) nuage_vport = self.nuage_client.get_vport(n_constants.SUBNETWORK, nuage_subnet[0]['ID'], filters='externalID', filter_values=port_ext_id) self.assertEqual(SPOOFING_DISABLED, nuage_vport[0]['addressSpoofing']) nuage_vip = self.nuage_client.get_virtual_ip( n_constants.VPORT, nuage_vport[0]['ID'], filters='virtualIP', filter_values=addrpair_port['fixed_ips'][0]['ip_address']) self.assertEqual(addrpair_port['mac_address'], nuage_vip[0]['MAC']) self.assertEqual(nuage_vip[0]['externalID'], self.nuage_client.get_vsd_external_id(port['id']))
def _verify_fip_vsd(self, subnet, port, created_floating_ip, ingress_rate_limit=None, egress_rate_limit=None): # verifying on Domain level that the floating ip is added external_id = self.nuage_client.get_vsd_external_id( created_floating_ip['router_id']) nuage_domain = self.nuage_client.get_l3domain( filters='externalID', filter_values=external_id) nuage_domain_fips = self.nuage_client.get_floatingip( constants.DOMAIN, nuage_domain[0]['ID']) # The VSD FIP has same IP address than OpenStack FIP self.assertIn( created_floating_ip['floating_ip_address'], [nuage_fip['address'] for nuage_fip in nuage_domain_fips]) # The VSD externalID for FIP matches the OpenStack ID external_id = self.nuage_client.get_vsd_external_id( created_floating_ip['id']) self.assertIn( external_id, [nuage_fip['externalID'] for nuage_fip in nuage_domain_fips]) # Check vsd vsd_subnets = self.nuage_client.get_domain_subnet(None, None, by_subnet=subnet) self.assertEqual(1, len(vsd_subnets)) vports = self.nuage_client.get_vport( constants.SUBNETWORK, vsd_subnets[0]['ID'], 'externalID', self.nuage_client.get_vsd_external_id(port['id'])) self.assertEqual(1, len(vports)) qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID']) if Topology.from_nuage('20.10'): self.assertEqual(0, len(qos)) nuage_fip = [ fip for fip in nuage_domain_fips if fip['externalID'] == external_id ][0] associated_ingress_rate_limit = nuage_fip.get( 'ingressRateLimiterID') associated_egress_rate_limit = nuage_fip.get('egressRateLimiterID') if ingress_rate_limit is not None: # Get Ratelimiter external_id = 'egress_{}'.format(created_floating_ip['id']) ratelimiter = self.nuage_client.get_ratelimiter(external_id) if ingress_rate_limit == constants.UNLIMITED: self.assertIsNone(ratelimiter) self.assertIsNone(associated_egress_rate_limit) else: self.assertEqualFiprate( ingress_rate_limit, self.convert_mbps_to_kbps( ratelimiter['peakInformationRate'])) self.assertEqual(associated_egress_rate_limit, ratelimiter['ID']) if egress_rate_limit is not None: external_id = 'ingress_{}'.format(created_floating_ip['id']) ratelimiter = self.nuage_client.get_ratelimiter(external_id) if egress_rate_limit == constants.UNLIMITED: self.assertIsNone(ratelimiter) self.assertIsNone(associated_ingress_rate_limit) else: self.assertEqualFiprate( egress_rate_limit, self.convert_mbps_to_kbps( ratelimiter['peakInformationRate'])) self.assertEqual(associated_ingress_rate_limit, ratelimiter['ID']) else: self.assertEqual(1, len(qos)) self.assertEqual(True, qos[0]['FIPRateLimitingActive']) if ingress_rate_limit is not None: self.assertEqualFiprate( ingress_rate_limit, self.convert_mbps_to_kbps( qos[0]['EgressFIPPeakInformationRate'])) if egress_rate_limit is not None: self.assertEqualFiprate( egress_rate_limit, self.convert_mbps_to_kbps( qos[0]['FIPPeakInformationRate'])) self.assertEqual( self.nuage_client.get_vsd_external_id( created_floating_ip['id']), qos[0]['externalID'])
# Copyright 2020 NOKIA # All Rights Reserved. import getpass import inspect from nuage_tempest_plugin.lib.topology import Topology if Topology.up_to_nuage('20.10'): from vspk import v5_0 as vspk5 else: vspk5 = None if Topology.from_nuage('6.0'): from vspk import v6 as vspk6 else: vspk6 = None CONF = Topology.get_conf() LOG = Topology.get_logger(__name__) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # CAUTION : THIS SUITE IS HIGHLY INTRUSIVE # - it relies heavily on devstack env # - it installs new packages in the tox env (like neutron) # - it changes the neutron branch out of which neutron runs # - it restarts neutron # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
def test_create_floatingip_without_rate_limiting(self): # Create port port = self.create_port(network=self.network) # Associate a fip to the port body = self.floating_ips_client.create_floatingip( floating_network_id=self.ext_net_id, port_id=port['id'], fixed_ip_address=port['fixed_ips'][0]['ip_address']) created_floating_ip = body['floatingip'] self.addCleanup(self.floating_ips_client.delete_floatingip, created_floating_ip['id']) self.assertIsNotNone(created_floating_ip['id']) fip_id = created_floating_ip['id'] body = self.floating_ips_client.show_floatingip(fip_id) fip = body['floatingip'] self.assertIsNotNone(fip.get('nuage_ingress_fip_rate_kbps')) self.assertIsNotNone(fip.get('nuage_egress_fip_rate_kbps')) # Check vsd vsd_subnets = self.nuage_client.get_domain_subnet( None, None, by_subnet=self.subnet) self.assertEqual(1, len(vsd_subnets)) vports = self.nuage_client.get_vport(constants.SUBNETWORK, vsd_subnets[0]['ID'], 'externalID', port['id']) self.assertEqual(1, len(vports)) qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID']) if Topology.from_nuage('20.10'): self.assertEqual(0, len(qos)) external_id_domain = self.nuage_client.get_vsd_external_id( created_floating_ip['router_id']) nuage_domain = self.nuage_client.get_l3domain( filters='externalID', filter_values=external_id_domain) nuage_domain_fips = self.nuage_client.get_floatingip( constants.DOMAIN, nuage_domain[0]['ID']) nuage_fip = [ nuage_fip for nuage_fip in nuage_domain_fips if nuage_fip['externalID'].startswith(fip_id) ][0] associated_ingress_rate_limit = nuage_fip['ingressRateLimiterID'] associated_egress_rate_limit = nuage_fip['egressRateLimiterID'] # Infinity for egress expected self.assertIsNone(associated_egress_rate_limit) # Infinity for ingress expected self.assertIsNone(associated_ingress_rate_limit) else: self.assertEqual(1, len(vports)) qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID']) self.assertEqual(1, len(qos)) self.assertEqual(self.nuage_client.get_vsd_external_id(fip_id), qos[0]['externalID']) self.assertEqual(True, qos[0]['FIPRateLimitingActive']) self.assertEqual('INFINITY', qos[0]['FIPPeakInformationRate']) self.assertEqual('INFINITY', qos[0]['EgressFIPPeakInformationRate'])
def test_create_floatingip_with_rate_limiting(self): rate_limit = 10000 # Create port port = self.create_port(network=self.network) # Associate a fip to the port body = self.floating_ips_client.create_floatingip( floating_network_id=self.ext_net_id, port_id=port['id'], fixed_ip_address=port['fixed_ips'][0]['ip_address'], nuage_egress_fip_rate_kbps=rate_limit) created_floating_ip = body['floatingip'] self.addCleanup(self.floating_ips_client.delete_floatingip, created_floating_ip['id']) self.assertIsNotNone(created_floating_ip['id']) fip_id = created_floating_ip['id'] body = self.floating_ips_client.show_floatingip(fip_id) fip = body['floatingip'] # rate_limit is in kbps now! self.assertThat( fip, ContainsDict({'nuage_ingress_fip_rate_kbps': Equals(-1)})) self.assertThat( fip, ContainsDict({'nuage_egress_fip_rate_kbps': Equals(rate_limit)})) # attribute 'nuage_fip_rate' is no longer in response self.assertIsNone(fip.get('nuage_fip_rate')) # Check vsd vsd_subnets = self.nuage_client.get_domain_subnet( None, None, by_subnet=self.subnet) self.assertEqual(1, len(vsd_subnets)) vports = self.nuage_client.get_vport(constants.SUBNETWORK, vsd_subnets[0]['ID'], 'externalID', port['id']) self.assertEqual(1, len(vports)) qos = self.nuage_client.get_qos(constants.VPORT, vports[0]['ID']) if Topology.from_nuage('20.10'): self.assertEqual(0, len(qos)) external_id_domain = self.nuage_client.get_vsd_external_id( created_floating_ip['router_id']) nuage_domain = self.nuage_client.get_l3domain( filters='externalID', filter_values=external_id_domain) nuage_domain_fips = self.nuage_client.get_floatingip( constants.DOMAIN, nuage_domain[0]['ID']) nuage_fip = [ nuage_fip for nuage_fip in nuage_domain_fips if nuage_fip['externalID'].startswith(fip_id) ][0] associated_ingress_rate_limit = nuage_fip['ingressRateLimiterID'] associated_egress_rate_limit = nuage_fip['egressRateLimiterID'] # Infinity for egress expected self.assertIsNone(associated_egress_rate_limit) # Ingress: external_id = 'ingress_{}'.format(created_floating_ip['id']) ratelimiter = self.nuage_client.get_ratelimiter(external_id) self.assertEqual(str(float(rate_limit / 1000)), ratelimiter['peakInformationRate']) self.assertEqual(associated_ingress_rate_limit, ratelimiter['ID']) else: self.assertEqual(1, len(qos)) self.assertThat( qos[0], ContainsDict({ 'externalID': Equals(self.nuage_client.get_vsd_external_id(fip_id)) })) self.assertThat( qos[0], ContainsDict({'FIPRateLimitingActive': Equals(True)})) self.assertThat( qos[0], ContainsDict({ 'FIPPeakInformationRate': Equals(str(float(rate_limit / 1000))) })) self.assertThat( qos[0], ContainsDict({'FIPPeakBurstSize': Equals(str(100))})) self.assertThat( qos[0], ContainsDict( {'EgressFIPPeakInformationRate': Equals('INFINITY')})) self.assertThat( qos[0], ContainsDict({'EgressFIPPeakBurstSize': Equals(str(100))}))
# Copyright 2015 Alcatel-Lucent # All Rights Reserved. from tempest.lib import exceptions as lib_exc from tempest.test import decorators from nuage_tempest_plugin.lib.topology import Topology from nuage_tempest_plugin.tests.api.floating_ip import \ base_nuage_bidirectional_fip_rate_limit if Topology.from_nuage('20.5'): MSG_INVALID_INPUT_IN = ("Bad request: 'nuage_ingress_fip_rate_kbps' " "should be an integer number between 0 and " "2147483647, -1 for unlimited or 'default' " "for the configured default value.") MSG_INVALID_INPUT_EG = ("Bad request: 'nuage_egress_fip_rate_kbps' " "should be an integer number between 0 and " "2147483647, -1 for unlimited or 'default' for " "the configured default value.") else: MSG_INVALID_INPUT_IN = ("'nuage_ingress_fip_rate_kbps' should be a " "number higher than 0, -1 for unlimited or " "'default' for the configured default value.") MSG_INVALID_INPUT_EG = ("'nuage_egress_fip_rate_kbps' should be a number " "higher than 0, -1 for unlimited or 'default' " "for the configured default value.") MSG_INVALID_INPUT_FOR_OPERATION = "Invalid input for operation: " + \ "'nuage_fip_rate' should be a number " \ "higher than 0, -1 for unlimited " + \
class NuageExtSecGroup(test_security_groups_nuage.SecGroupTestNuageBase): if Topology.from_nuage('20.5'): expected_exception_from_topology = exceptions.BadRequest else: expected_exception_from_topology = exceptions.ServerFault @classmethod def setup_clients(cls): super(NuageExtSecGroup, cls).setup_clients() cls.nuageclient = nuage_client.NuageRestClient() cls.client = NuageNetworkClientJSON( cls.os_primary.auth_provider, **cls.os_primary.default_params) @classmethod def resource_setup(cls): super(NuageExtSecGroup, cls).resource_setup() cls.external_secgroups = [] @classmethod def resource_cleanup(cls): super(NuageExtSecGroup, cls).resource_cleanup() @classmethod def _create_external_security_group(cls, **kwargs): body = cls.client.create_nuage_external_security_group(**kwargs) ext_sg = body['nuage_external_security_group'] cls.external_secgroups.append(ext_sg) return ext_sg @classmethod def _delete_external_security_group(cls, esg_id): try: cls.client.delete_nuage_external_security_group(esg_id) except Exception as exc: LOG.exception(exc) @classmethod def _create_external_security_group_rule(cls, **kwargs): body = cls.client.create_nuage_external_security_group_rule(**kwargs) ext_sg_rule = body['nuage_external_security_group_rule'] cls.external_secgroups.append(ext_sg_rule) return ext_sg_rule def _verify_external_secgroup_properties(self, actual_esg, expected_esg): self.assertEqual(actual_esg['name'], expected_esg['name']) self.assertEqual(actual_esg['extended_community_id'], expected_esg['EVPNCommunityTag']) self.assertEqual(actual_esg['id'], expected_esg['ID']) def _verify_external_secgroup_rule_properties(self, actual_esgr, expected_esgr, origin_sg): self.assertEqual(actual_esgr['id'], expected_esgr['ID']) self.assertEqual(actual_esgr['protocol'], expected_esgr['protocol']) self.assertEqual(actual_esgr['origin_group_id'], origin_sg['id']) def _get_nuage_external_acl(self, esg_router, ext_sg_rule, isList=False): l3domain_ext_id = self.nuageclient.get_vsd_external_id( esg_router['id']) l3domain = self.nuageclient.get_l3domain( filters='externalID', filter_values=l3domain_ext_id) if ext_sg_rule['direction'] == 'egress': nuage_eacl_template = self.nuageclient.\ get_egressacl_template(constants.DOMAIN, l3domain[0]['ID']) if not isList: nuage_entrytemplate = self.nuageclient.\ get_egressacl_entrytemplate( constants.EGRESS_ACL_TEMPLATE, nuage_eacl_template[0]['ID'], filters='ID', filter_values=ext_sg_rule['id']) else: nuage_entrytemplate = self.nuageclient.\ get_egressacl_entrytemplate( constants.EGRESS_ACL_TEMPLATE, nuage_eacl_template[0]['ID']) else: nuage_iacl_template = self.nuageclient.\ get_ingressacl_template( constants.DOMAIN, l3domain[0]['ID']) if not isList: nuage_entrytemplate = self.nuageclient.\ get_ingressacl_entrytemplate( constants.INGRESS_ACL_TEMPLATE, nuage_iacl_template[0]['ID'], filters='ID', filter_values=ext_sg_rule['id']) else: nuage_entrytemplate = self.nuageclient. \ get_ingressacl_entrytemplate( constants.INGRESS_ACL_TEMPLATE, nuage_iacl_template[0]['ID']) return nuage_entrytemplate def test_create_show_list_delete_ext_secgroup(self, *args): router_name = data_utils.rand_name('router-') body = self.routers_client.create_router(name=router_name) esg_router = body['router'] self.addCleanup(self.routers_client.delete_router, esg_router['id']) name = data_utils.rand_name('esg-') kwargs = {'name': name, 'router_id': esg_router['id'], 'extended_community_id': "1:1"} ext_sg = self._create_external_security_group(**kwargs) self.addCleanup(self._delete_external_security_group, ext_sg['id']) self.assertEqual(ext_sg['name'], name) self.assertEqual(ext_sg['extended_community_id'], "1:1") # VSD verification of external security group res_path = self.nuageclient.build_resource_path( constants.POLICYGROUP, resource_id=ext_sg['id']) show_vsd_resp = self.nuageclient.get(res_path) show_resp = self.client.show_nuage_external_security_group( ext_sg['id']) self._verify_external_secgroup_properties( show_resp['nuage_external_security_group'], show_vsd_resp[0]) self.assertEqual(self.nuage_client.get_vsd_external_id( esg_router['id']), show_vsd_resp[0]['externalID']) # list_external_security_group res_path = self.nuageclient.build_resource_path( constants.POLICYGROUP, resource_id=ext_sg['id']) list_vsd_resp = self.nuageclient.get(res_path) list_resp = self.client.list_nuage_external_security_group( esg_router['id']) self._verify_external_secgroup_properties( list_resp['nuage_external_security_groups'][0], list_vsd_resp[0]) def test_create_show_list_delete_ext_secgroup_rule(self): router_name = data_utils.rand_name('router-') body = self.routers_client.create_router(name=router_name) esg_router = body['router'] self.addCleanup(self.routers_client.delete_router, esg_router['id']) body, name = self._create_security_group() sec_group = body['security_group'] name = data_utils.rand_name('esg-') kwargs = {'name': name, 'router_id': esg_router['id'], 'extended_community_id': "1:1"} ext_sg = self._create_external_security_group(**kwargs) self.addCleanup(self._delete_external_security_group, ext_sg['id']) kwargs = {'protocol': 'tcp', 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': ext_sg['id']} ext_sg_rule = self._create_external_security_group_rule(**kwargs) # Show operation and VSD verification of external security group show_resp = self.client.show_nuage_external_security_group_rule( ext_sg_rule['id']) show_vsd_resp = self._get_nuage_external_acl(esg_router, ext_sg_rule) self._verify_external_secgroup_rule_properties( show_resp['nuage_external_security_group_rule'], show_vsd_resp[0], sec_group) # Create second rule kwargs = {'protocol': 'udp', 'port_range_min': 300, 'port_range_max': 500, 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': ext_sg['id']} self._create_external_security_group_rule(**kwargs) # Create third rule kwargs = {'protocol': 'vrrp', 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': ext_sg['id']} self._create_external_security_group_rule(**kwargs) # List Operation on secgroup rules list_resp = self.client.list_nuage_external_security_group_rule( ext_sg['id'])['nuage_external_security_group_rules'] list_vsd_resp = self._get_nuage_external_acl( esg_router, ext_sg_rule, True) for resp, vsd_resp in zip(list_resp, list_vsd_resp): self._verify_external_secgroup_rule_properties( resp, vsd_resp, sec_group) for vsd_resp in list_vsd_resp: self.assertEqual(self.nuage_client.get_vsd_external_id( esg_router['id']), vsd_resp['externalID']) def test_create_show_list_delete_ext_secgroup_l2domain(self): net_name = data_utils.rand_name('network-') network = self.create_network(net_name) esg_subnet = self.create_subnet(network) name = data_utils.rand_name('esg-') kwargs = {'name': name, 'subnet_id': esg_subnet['id'], 'extended_community_id': "4:4"} ext_sg = self._create_external_security_group(**kwargs) self.addCleanup(self._delete_external_security_group, ext_sg['id']) self.assertEqual(ext_sg['name'], name) self.assertEqual(ext_sg['extended_community_id'], "4:4") # VSD verification of external security group res_path = self.nuageclient.build_resource_path( constants.POLICYGROUP, resource_id=ext_sg['id']) show_vsd_resp = self.nuageclient.get(res_path) show_resp = self.client.show_nuage_external_security_group( ext_sg['id']) self._verify_external_secgroup_properties( show_resp['nuage_external_security_group'], show_vsd_resp[0]) self.assertEqual(self.nuage_client.get_vsd_external_id( esg_subnet['id']), show_vsd_resp[0]['externalID']) # list_external_security_group res_path = self.nuageclient.build_resource_path( constants.POLICYGROUP, resource_id=ext_sg['id']) list_vsd_resp = self.nuageclient.get(res_path) list_resp = self.client.list_nuage_external_security_group_l2domain( esg_subnet['id']) self._verify_external_secgroup_properties( list_resp['nuage_external_security_groups'][0], list_vsd_resp[0]) def test_create_delete_invalid_ext_secgroup(self): router_name = data_utils.rand_name('router-') body = self.routers_client.create_router(name=router_name) esg_router = body['router'] self.addCleanup(self.routers_client.delete_router, esg_router['id']) self._create_security_group() name = data_utils.rand_name('esg-') # Missing pararmeter: external_communtiy_tag in input kwargs = {'name': name, 'router_id': esg_router['id']} self.assertRaises( exceptions.BadRequest, self.client.create_nuage_external_security_group, **kwargs) # Invalid external_communtiy_tag_value kwargs = {'name': name, 'router_id': esg_router['id'], 'extended_community_id': "4"} self.assertRaises( self.expected_exception_from_topology, self.client.create_nuage_external_security_group, **kwargs) # Missing pararmeter: router/subnet ID in input kwargs = {'name': name, 'router_id': '11111111-1111-1111-1111111111111111', 'extended_community_id': "2:2"} self.assertRaises( exceptions.BadRequest, self.client.create_nuage_external_security_group, **kwargs) # Try deleting invalid external_secgroup self.assertRaises( exceptions.NotFound, self.client.delete_nuage_external_security_group, '11111111-1111-1111-1111111111111111') def test_create_delete_invalid_ext_secgroup_rule(self): router_name = data_utils.rand_name('router-') body = self.routers_client.create_router(name=router_name) esg_router = body['router'] self.addCleanup(self.routers_client.delete_router, esg_router['id']) body, name = self._create_security_group() sec_group = body['security_group'] name = data_utils.rand_name('esg-') kwargs = {'name': name, 'router_id': esg_router['id'], 'extended_community_id': "1:1"} ext_sg = self._create_external_security_group(**kwargs) # Missing mandatory parameter: origin_group_id in input kwargs = {'protocol': 'tcp', 'direction': 'egress', 'remote_external_group_id': ext_sg['id']} self.assertRaises( self.expected_exception_from_topology, self.client.create_nuage_external_security_group_rule, **kwargs) # Invalid remote_group_id value kwargs = {'protocol': 'tcp', 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': '11111111-1111-1111-1111111111111111'} self.assertRaises( self.expected_exception_from_topology, self.client.create_nuage_external_security_group_rule, **kwargs) # Try deleting invalid external_secgroup_rule self.assertRaises( exceptions.NotFound, self.client.delete_nuage_external_security_group_rule, '11111111-1111-1111-1111111111111111')
def test_neutron_nuage_commands_help(self): help_text = self.cli.neutron('help') lines = help_text.split('\n') self.assertFirstLineStartsWith(lines, 'usage: neutron') commands = [] cmds_start = lines.index('Commands for API v2.0:') command_pattern = re.compile('^ {2}([a-z0-9\-_]+)') for line in lines[cmds_start:]: match = command_pattern.match(line) if match: commands.append(match.group(1)) commands = set(commands) wanted_commands = {'nuage-netpartition-create'} if utils.is_extension_enabled('net-partition', 'network'): wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-netpartition', update=False)) if utils.is_extension_enabled('appdesigner', 'network'): wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-appdport')) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-service')) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-tier')) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-application')) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-applicationdomain')) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-flow')) if utils.is_extension_enabled('nuage-redirect-target', 'network'): wanted_commands.add('nuage-redirect-target-vip-create') wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-redirect-target', update=False)) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-redirect-target-rule', update=False)) if Topology.from_nuage('4.0'): wanted_commands.add('nuage-policy-group-list') wanted_commands.add('nuage-policy-group-show') wanted_commands.add('nuage-floatingip-list') wanted_commands.add('nuage-floatingip-show') wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-external-security-group', update=False)) wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-external-security-group-rule', update=False)) if utils.is_extension_enabled('nuage-gateway', 'network'): wanted_commands.add('nuage-gateway-list') wanted_commands.add('nuage-gateway-show') wanted_commands.add('nuage-gateway-port-list') wanted_commands.add('nuage-gateway-port-show') wanted_commands.add('nuage-gateway-vlan-assign') wanted_commands.add('nuage-gateway-vlan-create') wanted_commands.add('nuage-gateway-vlan-list') wanted_commands.add('nuage-gateway-vlan-delete') wanted_commands.add('nuage-gateway-vlan-show') wanted_commands.add('nuage-gateway-vlan-unassign') wanted_commands = wanted_commands.union(self._crud_command_list( 'nuage-gateway-vport', update=False)) self.assertFalse(wanted_commands - commands)
class NuageExtSecGroup(nuage_test.NuageBaseTest): if Topology.from_nuage('20.5'): expected_exception_from_topology = exceptions.BadRequest else: expected_exception_from_topology = exceptions.ServerFault @classmethod def resource_setup(cls): super(NuageExtSecGroup, cls).resource_setup() cls.network = cls.create_cls_network() cls.subnet4 = cls.create_cls_subnet(cls.network, ip_version=4) cls.subnet6 = cls.create_cls_subnet(cls.network, ip_version=6) cls.router = cls.create_cls_router() cls.router_cls_attach(cls.router, cls.subnet4) cls.router_cls_attach(cls.router, cls.subnet6) cls.domain = cls.vsd.get_l3_domain_by_subnet(cls.subnet4) def _create_external_security_group(self, cleanup=True, **kwargs): body = self.plugin_network_client.create_nuage_external_security_group( **kwargs) ext_sg = body['nuage_external_security_group'] if cleanup: self.addCleanup(self._delete_external_security_group, ext_sg['id']) return ext_sg def _delete_external_security_group(self, esg_id): self.plugin_network_client.delete_nuage_external_security_group(esg_id) def _create_external_security_group_rule(self, **kwargs): body = (self.plugin_network_client. create_nuage_external_security_group_rule(**kwargs)) ext_sg_rule = body['nuage_external_security_group_rule'] return ext_sg_rule def _verify_external_secgroup_properties(self, actual_esg, vsd_pg): self.assertEqual(actual_esg['name'], vsd_pg.name) self.assertEqual(actual_esg['extended_community_id'], vsd_pg.evpn_community_tag) self.assertEqual(actual_esg['id'], vsd_pg.id) def _verify_external_secgroup_rule_properties(self, actual_esgr, vsd_pg, origin_sg): self.assertEqual(actual_esgr['id'], vsd_pg.id) self.assertEqual(actual_esgr['protocol'], vsd_pg.protocol) self.assertEqual(actual_esgr['origin_group_id'], origin_sg['id']) def _get_nuage_external_acl(self, ext_sg_rule=None): if ext_sg_rule: template = self.vsd.vspk.NUEgressACLEntryTemplate( id=ext_sg_rule['id']) template.fetch() return template else: return self.domain.egress_acl_entry_templates.get() def test_create_show_list_delete_ext_secgroup(self): name = self.get_randomized_name() kwargs = {'name': name, 'router_id': self.router['id'], 'extended_community_id': "1:1"} ext_sg = self._create_external_security_group(**kwargs) self.assertEqual(ext_sg['name'], name) self.assertEqual(ext_sg['extended_community_id'], "1:1") # VSD verification of external security group ext_pg = self.vsd.vspk.NUPolicyGroup(id=ext_sg['id']) ext_pg.fetch() show_resp = (self.plugin_network_client. show_nuage_external_security_group(ext_sg['id'])) self._verify_external_secgroup_properties( show_resp['nuage_external_security_group'], ext_pg) router_ext_id = self.vsd.external_id(self.router['id']) self.assertEqual(router_ext_id, ext_pg.external_id) # list_external_security_group list_resp = (self.plugin_network_client. list_nuage_external_security_group(self.router['id'])) self._verify_external_secgroup_properties( list_resp['nuage_external_security_groups'][0], ext_pg) def test_create_show_list_delete_ext_secgroup_rule(self): sec_group = self.create_security_group() name = self.get_randomized_name() kwargs = {'name': name, 'router_id': self.router['id'], 'extended_community_id': "1:1"} ext_sg = self._create_external_security_group(**kwargs) kwargs = {'protocol': 'tcp', 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': ext_sg['id']} ext_sg_rule = self._create_external_security_group_rule(**kwargs) # Show operation and VSD verification of external security group show_resp = ( self.plugin_network_client. show_nuage_external_security_group_rule(ext_sg_rule['id'])) show_vsd_resp = self._get_nuage_external_acl(ext_sg_rule) self._verify_external_secgroup_rule_properties( show_resp['nuage_external_security_group_rule'], show_vsd_resp, sec_group) # Create second rule kwargs = {'protocol': 'udp', 'port_range_min': 300, 'port_range_max': 500, 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': ext_sg['id']} self._create_external_security_group_rule(**kwargs) # Create third rule kwargs = {'protocol': 'vrrp', 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': ext_sg['id']} self._create_external_security_group_rule(**kwargs) # List Operation on secgroup rules list_resp = (self.plugin_network_client. list_nuage_external_security_group_rule( ext_sg['id'])['nuage_external_security_group_rules']) list_vsd_resp = self._get_nuage_external_acl() for resp, vsd_resp in zip(list_resp, list_vsd_resp): self._verify_external_secgroup_rule_properties( resp, vsd_resp, sec_group) router_ext_id = self.vsd.external_id(self.router['id']) for vsd_resp in list_vsd_resp: self.assertEqual(router_ext_id, vsd_resp.external_id) def test_create_show_list_delete_ext_secgroup_l2domain(self): network = self.create_network() esg_subnet = self.create_subnet(network) name = self.get_randomized_name() kwargs = {'name': name, 'subnet_id': esg_subnet['id'], 'extended_community_id': "4:4"} ext_sg = self._create_external_security_group(**kwargs) self.assertEqual(ext_sg['name'], name) self.assertEqual(ext_sg['extended_community_id'], "4:4") # VSD verification of external security group ext_pg = self.vsd.vspk.NUPolicyGroup(id=ext_sg['id']) ext_pg.fetch() show_resp = (self.plugin_network_client. show_nuage_external_security_group(ext_sg['id'])) self._verify_external_secgroup_properties( show_resp['nuage_external_security_group'], ext_pg) subnet_ext_id = self.vsd.external_id(esg_subnet['id']) self.assertEqual(subnet_ext_id, ext_pg.external_id) # list_external_security_group list_resp = ( self.plugin_network_client. list_nuage_external_security_group_l2domain(esg_subnet['id'])) self._verify_external_secgroup_properties( list_resp['nuage_external_security_groups'][0], ext_pg) def test_create_delete_invalid_ext_secgroup(self): name = self.get_randomized_name() # Missing pararmeter: external_communtiy_tag in input kwargs = {'name': name, 'router_id': self.router['id']} self.assertRaises( exceptions.BadRequest, self.plugin_network_client.create_nuage_external_security_group, **kwargs) # Invalid external_communtiy_tag_value kwargs = {'name': name, 'router_id': self.router['id'], 'extended_community_id': "4"} self.assertRaises( self.expected_exception_from_topology, self.plugin_network_client.create_nuage_external_security_group, **kwargs) # Missing pararmeter: router/subnet ID in input kwargs = {'name': name, 'router_id': '11111111-1111-1111-1111111111111111', 'extended_community_id': "2:2"} self.assertRaises( exceptions.BadRequest, self.plugin_network_client.create_nuage_external_security_group, **kwargs) # Try deleting invalid external_secgroup self.assertRaises( exceptions.NotFound, self.plugin_network_client.delete_nuage_external_security_group, '11111111-1111-1111-1111111111111111') def test_create_delete_invalid_ext_secgroup_rule(self): sec_group = self.create_security_group() name = self.get_randomized_name() kwargs = {'name': name, 'router_id': self.router['id'], 'extended_community_id': "1:1"} ext_sg = self._create_external_security_group(**kwargs) # Missing mandatory parameter: origin_group_id in input kwargs = {'protocol': 'tcp', 'direction': 'egress', 'remote_external_group_id': ext_sg['id']} self.assertRaises( self.expected_exception_from_topology, self.plugin_network_client. create_nuage_external_security_group_rule, **kwargs) # Invalid remote_group_id value kwargs = {'protocol': 'tcp', 'direction': 'egress', 'origin_group_id': sec_group['id'], 'remote_external_group_id': '11111111-1111-1111-1111111111111111'} self.assertRaises( self.expected_exception_from_topology, self.plugin_network_client. create_nuage_external_security_group_rule, **kwargs) # Try deleting invalid external_secgroup_rule self.assertRaises( exceptions.NotFound, self.plugin_network_client. delete_nuage_external_security_group_rule, '11111111-1111-1111-1111111111111111')