def test_cannot_set_different_egress_and_ingress_policies(self):
    """Reject a firewall group whose ingress and egress policies differ.

    Two distinct firewall policies are created in the test project, then a
    firewall group referencing one as ingress and the other as egress is
    requested with ``status="400 Bad Request"``.
    """
    ingress_policy = FirewallPolicy('%s-fp1' % self.id(),
                                    parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(ingress_policy)
    egress_policy = FirewallPolicy('%s-fp2' % self.id(),
                                   parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(egress_policy)

    # The two directions point at different policies on purpose: this is
    # the combination the API is expected to refuse.
    mismatched_fields = {
        'ingress_firewall_policy_id': ingress_policy.uuid,
        'egress_firewall_policy_id': egress_policy.uuid,
    }
    # NOTE(review): `status` is presumably the HTTP status the helper
    # asserts on the response -- confirm against create_resource().
    self.create_resource(
        'firewall_group',
        self.project_id,
        extra_res_fields=mismatched_fields,
        status="400 Bad Request",
    )
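def test_remove_extra_fp_refs(self):
    """Reading a firewall group prunes surplus firewall policy refs.

    The application policy set (APS) sharing the firewall group's id is
    given two firewall policy references directly through the VNC API,
    i.e. without going through the firewall group resource. After the
    group is read back, both directions must report the first policy and
    the APS must be left with that single reference.
    """
    neutron_fg = self.create_resource('firewall_group', self.project_id)
    aps = self._vnc_lib.application_policy_set_read(id=neutron_fg['id'])

    fp1 = FirewallPolicy('%s-fp1' % self.id(), parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(fp1)
    fp2 = FirewallPolicy('%s-fp2' % self.id(), parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(fp2)

    # Attach both policies out of band; fp1 carries the lower sequence.
    aps.add_firewall_policy(fp1, FirewallSequence(sequence='0.0'))
    aps.add_firewall_policy(fp2, FirewallSequence(sequence='1.0'))
    self._vnc_lib.application_policy_set_update(aps)

    # The read is what triggers the clean-up checked below.
    neutron_fg = self.read_resource('firewall_group', neutron_fg['id'])
    # assertEqual replaces the deprecated assertEquals alias, which was
    # removed from unittest in Python 3.12.
    self.assertEqual(neutron_fg['ingress_firewall_policy_id'], fp1.uuid)
    self.assertEqual(neutron_fg['egress_firewall_policy_id'], fp1.uuid)

    # Re-read the APS: the extra fp2 reference must be gone from the
    # stored object, not merely hidden from the firewall group view.
    aps = self._vnc_lib.application_policy_set_read(id=neutron_fg['id'])
    fp_refs = aps.get_firewall_policy_refs() or []
    self.assertEqual(len(fp_refs), 1)
    self.assertEqual(fp_refs[0]['uuid'], fp1.uuid)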
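def test_firewall_group_status(self):
    """Check the firewall group status through its configuration states.

    Expected status per step:

    * ``admin_state_up`` False               -> ``constants.DOWN``
    * ``admin_state_up`` True, nothing bound -> ``constants.INACTIVE``
    * a port bound, no policy                -> ``constants.INACTIVE``
    * a port and an egress policy            -> ``constants.ACTIVE``
    * ports emptied again                    -> ``constants.INACTIVE``
    """
    # assertEqual is used throughout: the assertEquals alias is
    # deprecated and was removed from unittest in Python 3.12.
    neutron_fg = self.create_resource(
        'firewall_group',
        self.project_id,
        extra_res_fields={
            'admin_state_up': False,
        },
    )
    self.assertEqual(neutron_fg['status'], constants.DOWN)

    neutron_fg = self.update_resource(
        'firewall_group',
        neutron_fg['id'],
        self.project_id,
        extra_res_fields={
            'admin_state_up': True,
        },
    )
    self.assertEqual(neutron_fg['status'], constants.INACTIVE)

    # Binding a port alone is not enough to make the group active.
    vn = VirtualNetwork('%s-vn' % self.id(), parent_obj=self.project)
    self._vnc_lib.virtual_network_create(vn)
    vmi = VirtualMachineInterface('%s-vmi' % self.id(),
                                  parent_obj=self.project)
    vmi.add_virtual_network(vn)
    self._vnc_lib.virtual_machine_interface_create(vmi)
    neutron_fg = self.update_resource(
        'firewall_group',
        neutron_fg['id'],
        self.project_id,
        extra_res_fields={
            'ports': [vmi.uuid],
        },
    )
    self.assertEqual(neutron_fg['status'], constants.INACTIVE)

    # With a port and a policy both present the group becomes active.
    fp = FirewallPolicy('%s-fp' % self.id(), parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(fp)
    neutron_fg = self.update_resource(
        'firewall_group',
        neutron_fg['id'],
        self.project_id,
        extra_res_fields={
            'egress_firewall_policy_id': fp.uuid,
        },
    )
    self.assertEqual(neutron_fg['status'], constants.ACTIVE)

    # Removing every port drops the group back to inactive even though
    # the policy is still attached.
    neutron_fg = self.update_resource(
        'firewall_group',
        neutron_fg['id'],
        self.project_id,
        extra_res_fields={
            'ports': [],
        },
    )
    self.assertEqual(neutron_fg['status'], constants.INACTIVE)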
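def test_cannot_update_default_firewall_group(self):
    """Restrict who may change the default firewall group, and what.

    The default group is looked up by its well-known name. Each attribute
    in ``attrs`` is then updated on its own:

    * without ``is_admin`` every update must fail with
      ``400 Bad Request`` / ``FirewallGroupCannotUpdateDefault``;
    * with ``is_admin=True`` every attribute except ``name`` is accepted;
    * renaming is refused even with ``is_admin=True``.
    """
    neutron_default_fg = self.list_resource(
        'firewall_group',
        self.project_id,
        req_filters={
            'name': _NEUTRON_FIREWALL_DEFAULT_GROUP_POLICY_NAME,
        },
    )[0]
    fp_uuid = self._vnc_lib.firewall_policy_create(
        FirewallPolicy('%s-fp' % self.id(), parent_obj=self.project))
    attrs = {
        'name': 'fake name',
        'description': 'fake description',
        'admin_state_up': False,
        'ingress_firewall_policy_id': fp_uuid,
        'egress_firewall_policy_id': fp_uuid,
    }

    # One attribute per request, so that a single unguarded field cannot
    # hide behind the rejection of another one.
    # NOTE(review): these calls omit is_admin; presumably the helper then
    # issues a non-admin request -- confirm against update_resource().
    for attr, value in attrs.items():
        resp = self.update_resource(
            'firewall_group',
            neutron_default_fg['id'],
            self.project_id,
            extra_res_fields={
                attr: value,
            },
            status="400 Bad Request",
        )
        # assertEqual replaces the deprecated assertEquals alias, which
        # was removed from unittest in Python 3.12.
        self.assertEqual(resp['exception'],
                         'FirewallGroupCannotUpdateDefault')

    # admin can update default firewall group but not the name
    attrs.pop('name')
    # NOTE(review): the responses of the accepted updates are not
    # inspected, and the group is not re-read after the refused ones, so
    # this test does not show that the stored values changed (or stayed
    # untouched) as expected.
    for attr, value in attrs.items():
        self.update_resource(
            'firewall_group',
            neutron_default_fg['id'],
            self.project_id,
            extra_res_fields={
                attr: value,
            },
            is_admin=True,
        )

    resp = self.update_resource(
        'firewall_group',
        neutron_default_fg['id'],
        self.project_id,
        extra_res_fields={
            'name': 'fake name',
        },
        is_admin=True,
        status="400 Bad Request",
    )
    self.assertEqual(resp['exception'],
                     'FirewallGroupCannotUpdateDefault')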
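def test_egress_policy_set_to_ingress(self):
    """An egress-only policy is reported for the ingress direction too.

    The firewall group is created with only
    ``egress_firewall_policy_id`` set; the returned resource must carry
    the same policy uuid under both the ingress and the egress key.
    """
    fp = FirewallPolicy('%s-fp' % self.id(), parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(fp)

    neutron_fg = self.create_resource(
        'firewall_group',
        self.project_id,
        extra_res_fields={
            'egress_firewall_policy_id': fp.uuid,
        },
    )

    # assertEqual replaces the deprecated assertEquals alias, which was
    # removed from unittest in Python 3.12.
    self.assertEqual(neutron_fg['ingress_firewall_policy_id'], fp.uuid)
    self.assertEqual(neutron_fg['egress_firewall_policy_id'], fp.uuid)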
def test_egress_and_ingress_policies_remove_if_egress_deleted(self):
    """Clearing the egress policy removes the policy in both directions.

    A firewall group is created with an egress policy only, then updated
    with ``egress_firewall_policy_id`` set to ``None``. Neither policy
    key may be present in the resource returned by the update.
    """
    policy = FirewallPolicy('%s-fp' % self.id(), parent_obj=self.project)
    self._vnc_lib.firewall_policy_create(policy)

    created_fg = self.create_resource(
        'firewall_group',
        self.project_id,
        extra_res_fields={'egress_firewall_policy_id': policy.uuid},
    )
    updated_fg = self.update_resource(
        'firewall_group',
        created_fg['id'],
        self.project_id,
        extra_res_fields={'egress_firewall_policy_id': None},
    )

    # Only the egress side was cleared explicitly; the ingress key must
    # disappear along with it.
    for policy_key in ('ingress_firewall_policy_id',
                       'egress_firewall_policy_id'):
        self.assertNotIn(policy_key, updated_fg)
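def test_list_firewall_group(self):
    """List firewall groups filtered by policy ids and by ports.

    Two firewall groups are created, each with its own ingress policy and
    its own port. Listing is then checked with filters that match both
    groups and with filters that match exactly one of them.
    """
    vn = VirtualNetwork('%s-vn' % self.id(), parent_obj=self.project)
    self._vnc_lib.virtual_network_create(vn)

    neutron_fgs = []
    fp_ids = []
    vmi_ids = []
    for i in range(2):
        fp = FirewallPolicy('%s-fp%d' % (self.id(), i),
                            parent_obj=self.project)
        fp_ids.append(self._vnc_lib.firewall_policy_create(fp))
        vmi = VirtualMachineInterface('%s-vmi%d' % (self.id(), i),
                                      parent_obj=self.project)
        vmi.add_virtual_network(vn)
        vmi_ids.append(
            self._vnc_lib.virtual_machine_interface_create(vmi))
        neutron_fgs.append(
            self.create_resource(
                'firewall_group',
                self.project_id,
                extra_res_fields={
                    'name': '%s-fg%d' % (self.id(), i),
                    'ingress_firewall_policy_id': fp.uuid,
                    'ports': [vmi.uuid],
                },
            ),
        )

    # assertEqual is used throughout: the assertEquals alias is
    # deprecated and was removed from unittest in Python 3.12.

    # Filters listing every created id must return both groups. The
    # egress filter is expected to match although only the ingress policy
    # was given at creation time.
    expected_ids = {fg['id'] for fg in neutron_fgs}
    for filter_name, filter_values in (
            ('ingress_firewall_policy_id', fp_ids),
            ('egress_firewall_policy_id', fp_ids),
            ('ports', vmi_ids)):
        list_result = self.list_resource(
            'firewall_group',
            self.project_id,
            req_filters={
                filter_name: filter_values,
            },
        )
        self.assertEqual(len(list_result), len(neutron_fgs))
        self.assertEqual({r['id'] for r in list_result}, expected_ids)

    # Filters naming a single id must return exactly the matching group.
    # NOTE(review): a filter value matching no group is not exercised
    # here, so an over-broad filter would only be caught by the
    # single-id cases below.
    for filter_name, filter_value, expected_fg in (
            ('ingress_firewall_policy_id', fp_ids[0], neutron_fgs[0]),
            ('egress_firewall_policy_id', fp_ids[1], neutron_fgs[1]),
            ('ports', vmi_ids[0], neutron_fgs[0])):
        list_result = self.list_resource(
            'firewall_group',
            self.project_id,
            req_filters={
                filter_name: [filter_value],
            },
        )
        self.assertEqual(len(list_result), 1)
        self.assertEqual(list_result[0], expected_fg)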