def check(self): super(zstack_kvm_sg_tcp_ingress_checker, self).check() all_ports = port_header.all_ports test_result = True test_util.test_dsc('Check TCP ingress rules') nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid) return self.judge(self.exp_result) stub_vm = self.test_obj.get_stub_vm(l3_uuid) if not stub_vm: test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid) return self.judge(self.exp_result) stub_vm = stub_vm.vm stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip target_addr = '%s/32' % stub_vm_ip rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr) allowed_ports = [] for rule in rules: rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort)) test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid)) for port in rule_allowed_ports: if not port in allowed_ports: allowed_ports.append(port) if not allowed_ports: #If no allowed port, it means all denied. denied_ports = list(all_ports) else: denied_ports = list_ops.list_minus(all_ports, allowed_ports) test_vm = test_lib.lib_get_vm_by_nic(nic.uuid) if test_vm.state == inventory.RUNNING: try: test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid) test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports) except: traceback.print_exc(file=sys.stdout) test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid)) test_result = False else: test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid) test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid) print_iptables(test_vm) return self.judge(test_result)
def check(self): super(zstack_vcenter_sg_tcp_ingress_checker, self).check() all_ports = port_header.all_ports test_result = True test_util.test_dsc('Check TCP ingress rules') nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid) return self.judge(self.exp_result) stub_vm = self.test_obj.get_stub_vm(l3_uuid) if not stub_vm: test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid) return self.judge(self.exp_result) stub_vm = stub_vm.vm stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip target_addr = '%s/32' % stub_vm_ip rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr) allowed_ports = [] for rule in rules: rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort)) test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid)) for port in rule_allowed_ports: if not port in allowed_ports: allowed_ports.append(port) if not allowed_ports: #If no allowed port, it means all denied. denied_ports = list(all_ports) else: denied_ports = list_ops.list_minus(all_ports, allowed_ports) test_vm = test_lib.lib_get_vm_by_nic(nic.uuid) if test_vm.state == inventory.RUNNING: try: test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid) test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports) except: traceback.print_exc(file=sys.stdout) test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid)) test_result = False else: test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid) test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid) print_iptables(test_vm) return self.judge(test_result)
def test(): ''' Test image requirements: 1. have nc to check the network port 2. have "nc" to open any port 3. it doesn't include a default firewall VR image is a good candiate to be the guest image. ''' test_util.test_dsc( "Create 3 VMs with vlan VR L3 network and using VR image.") vm1 = test_stub.create_sg_vm() test_obj_dict.add_vm(vm1) vm1_ip = vm1.vm.vmNics[0].ip vm2 = test_stub.create_sg_vm() test_obj_dict.add_vm(vm2) vm2_ip = vm2.vm.vmNics[0].ip vm1.check() vm2.check() test_util.test_dsc("Create security groups.") sg1 = test_stub.create_sg() test_obj_dict.add_sg(sg1.security_group.uuid) sg2 = test_stub.create_sg() test_obj_dict.add_sg(sg2.security_group.uuid) sg_vm = test_sg_vm_header.ZstackTestSgVm() sg_vm.check() l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid vm1_nic_uuid = vm1.vm.vmNics[0].uuid vm2_nic_uuid = vm2.vm.vmNics[0].uuid #Attach security group to l3 network net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid) net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid) #Add vm1 nic to security group sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)]) sg_vm.check() sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)]) sg_vm.check() rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ip) rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ip) rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm2_ip) sg1.add_rule([rule1_1, rule1_2, rule1_3], [sg2.security_group.uuid]) sg_vm.check() sg_vm.add_stub_vm(l3_uuid, vm2) sg_vm.check() sg_vm.delete_stub_vm(l3_uuid) rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm1_ip) rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm1_ip) rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm1_ip) sg2.add_rule([rule2_1, rule2_2, rule2_3], [sg1.security_group.uuid]) sg_vm.check() sg_vm.add_stub_vm(l3_uuid, vm1) #sg_vm.check() try: test_lib.lib_open_vm_listen_ports(vm1.vm, Port.ports_range_dict['rule1_ports'], l3_uuid) test_lib.lib_open_vm_listen_ports(vm2.vm, Port.ports_range_dict['rule1_ports'], l3_uuid) test_lib.lib_check_vm_ports_in_a_command( vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], []) except: test_util.test_fail( 'Security Group Meets Failure When Checking Ingress Rule. ') #Cleanup sg_vm.delete_sg(sg2) test_obj_dict.rm_sg(sg2.security_group.uuid) sg_vm.delete_sg(sg1) test_obj_dict.rm_sg(sg1.security_group.uuid) sg_vm.check() vm1.destroy() test_obj_dict.rm_vm(vm1) vm2.destroy() test_obj_dict.rm_vm(vm2) test_util.test_pass( 'Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test(): ''' Test image requirements: 1. have nc to check the network port 2. have "nc" to open any port 3. it doesn't include a default firewall VR image is a good candiate to be the guest image. ''' test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.") image_name = os.environ.get('ipv6ImageName') ipv4_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3PublicNetworkName')).uuid ipv6_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3PublicNetworkName1')).uuid print "ipv4_net_uuid is : %s , ipv6_net_uuid is : %s" %(ipv4_net_uuid, ipv6_net_uuid) vm1 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName'), vm_name = 'vm_1 IPv6 2 stack test', system_tags = ["dualStackNic::%s::%s" %(ipv4_net_uuid, ipv6_net_uuid)], image_name = image_name) test_obj_dict.add_vm(vm1) vm2 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName'), vm_name = 'vm_2 IPv6 2 stack test', system_tags = ["dualStackNic::%s::%s" %(ipv4_net_uuid, ipv6_net_uuid)], image_name = image_name) test_obj_dict.add_vm(vm2) time.sleep(120) #waiting for vm bootup vm1_ip1 = vm1.get_vm().vmNics[0].usedIps[0].ip vm1_ip2 = vm1.get_vm().vmNics[0].usedIps[1].ip vm2_ip1 = vm2.get_vm().vmNics[0].usedIps[0].ip vm2_ip2 = vm2.get_vm().vmNics[0].usedIps[1].ip if "172.20" in vm1_ip1: vm1_ipv4 = vm1_ip1 vm1_ipv6 = vm1_ip2 else: vm1_ipv4 = vm1_ip2 vm1_ipv6 = vm1_ip1 if "172.20" in vm2_ip1: vm2_ipv4 = vm2_ip1 vm2_ipv6 = vm2_ip2 else: vm2_ipv4 = vm2_ip2 vm2_ipv6 = vm2_ip1 print "vm1_ipv6 : %s, vm1_ipv4: %s, vm2_ipv6 :%s,vm2_ipv4 :%s, ipv4 :%s, ipv6 :%s." %(vm1_ipv6, vm1_ipv4, vm2_ipv6, vm2_ipv4, vm2_ipv4, vm2_ipv6) cmd = "ping6 -c 4 %s" %(vm2_ipv6) (retcode, output, erroutput) = ssh.execute(cmd, vm1_ipv4, "root", "password", True, 22) cmd1 = "ping -c 4 %s" %(vm2_ipv4) (retcode1, output1, erroutput1) = ssh.execute(cmd1, vm1_ipv4, "root", "password", True, 22) print "retcode is: %s; output is : %s.; erroutput is: %s" %(retcode, output , erroutput) print "retcode1 is: %s; output1 is : %s.; erroutput1 is: %s" %(retcode1, output1 , erroutput1) test_util.test_dsc("Create security groups.") sg1 = test_stub.create_sg(ipVersion = 6) test_obj_dict.add_sg(sg1.security_group.uuid) sg2 = test_stub.create_sg(ipVersion = 6) test_obj_dict.add_sg(sg2.security_group.uuid) sg_vm = test_sg_vm_header.ZstackTestSgVm() l3_uuid = ipv6_net_uuid vm1_nic_uuid = vm1.get_vm().vmNics[0].uuid vm2_nic_uuid = vm2.get_vm().vmNics[0].uuid print "vm1_nic_uuid :%s, vm2_nic_uuid :%s ."%(vm1_nic_uuid, vm2_nic_uuid) #Attach security group to l3 network net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid) net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid) #Add vm1 nic to security group sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)], ipv6 = "ipv6") sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)], ipv6 = "ipv6") rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ipv6, ipVersion = 6) rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ipv6, ipVersion = 6) rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm2_ipv6, ipVersion = 6) sg1.add_rule([rule1_1,rule1_2,rule1_3], [sg2.security_group.uuid]) sg_vm.add_stub_vm(l3_uuid, vm2) sg_vm.delete_stub_vm(l3_uuid) rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm1_ipv6, ipVersion = 6) rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm1_ipv6, ipVersion = 6) rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm1_ipv6, ipVersion = 6) sg2.add_rule([rule2_1,rule2_2,rule2_3], [sg1.security_group.uuid]) sg_vm.add_stub_vm(l3_uuid, vm1) try: test_lib.lib_open_vm_listen_ports(vm1.vm, Port.ports_range_dict['rule1_ports'], l3_uuid, target_ip = vm1_ipv4, target_ipv6 = vm1_ipv6) test_lib.lib_open_vm_listen_ports(vm2.vm, Port.ports_range_dict['rule1_ports'], l3_uuid, target_ip = vm2_ipv4, target_ipv6 = vm2_ipv6) test_lib.lib_check_vm_ports_in_a_command(vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], [], target_ipv6 = vm2_ipv6) except: test_util.test_fail('Security Group Meets Failure When Checking Ingress Rule. ') #Cleanup sg_vm.delete_sg(sg2) test_obj_dict.rm_sg(sg2.security_group.uuid) sg_vm.delete_sg(sg1) test_obj_dict.rm_sg(sg1.security_group.uuid) sg_vm.check() vm1.destroy() test_obj_dict.rm_vm(vm1) vm2.destroy() test_obj_dict.rm_vm(vm2) test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')