def test_security_group_rules_create(self):
sg = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": [],
}
provider_nsx_policy.Provider().sg_rules_realize(sg)
inv = self.inventory.inv
policy = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
LOG.info(json.dumps(policy, indent=4))
tags = {t["scope"]: t["tag"] for t in policy.get("tags")}
self.assertEquals(policy.get("display_name"), sg.get("id"))
self.assertEquals(tags["revision_number"], sg.get("revision_number"))
self.assertNotEqual(tags.get("age"), None)
self.assertEquals(
policy.get("scope"),
["/infra/domains/default/groups/{}".format(sg["id"])])
self.assertEquals(policy.get("rules"), [])
def test_security_group_members_update(self):
sg = {
"id":
"53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"cidrs":
["172.16.1.1/32", "172.16.1.2", "172.16.2.0/24", "172.16.0.0/16"],
"revision_number":
0,
}
sgu = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"cidrs": ["172.16.1.2/16"],
"revision_number": 3
}
provider = provider_nsx_policy.Provider()
provider.sg_members_realize(sg)
provider.sg_members_realize(sgu)
inv = self.inventory.inv
sg_group = self.get_by_name(inv[Inventory.GROUPS], sg["id"])
ip_addresses = []
for e in sg_group.get("expression"):
if e.get("ip_addresses"):
ip_addresses = e.get("ip_addresses")
break
self.assertEquals(ip_addresses, ["172.16.1.2/16"])
def test_security_group_rules_service_ip_protocol(self):
sg = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": [],
}
rule_hopopt = {
"id": "1",
"ethertype": "",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "",
"port_range_max": "",
"protocol": "hopopt",
}
rule_0 = {
"id": "2",
"ethertype": "",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "",
"port_range_max": "",
"protocol": "0",
}
sg["rules"].append(rule_hopopt)
sg["rules"].append(rule_0)
provider_nsx_policy.Provider().sg_rules_realize(sg)
inv = self.inventory.inv
policy = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
rules = {r.get("id"): r for r in policy.get("rules")}
self.assertEquals(rules[rule_hopopt["id"]].get("service_entries")[0], {
"resource_type": "IPProtocolServiceEntry",
"protocol_number": 0
})
self.assertEquals(rules[rule_0["id"]].get("service_entries")[0], {
"resource_type": "IPProtocolServiceEntry",
"protocol_number": 0
})
self.assertEquals(
rules[rule_0["id"]].get("service_entries")[0],
{
"resource_type": "IPProtocolServiceEntry",
"protocol_number": 0
},
)
def test_remote_prefix_orphan_cleanup(self):
sg = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": []
}
rule = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "0.0.0.0/16",
"security_group_id": sg.get("id"),
"port_range_min": "443",
"port_range_max": "443",
"protocol": "tcp",
}
sg["rules"].append(rule)
p = provider_nsx_policy.Provider()
inv = self.inventory.inv
for i in range(1, 10):
cidr = f"192.168.{i}.0/24"
id = re.sub(r"\.|:|\/", "-", cidr)
data = {
"display_name":
cidr,
"expression": [{
"resource_type": "IPAddressExpression",
"ip_addresses": [cidr]
}],
"tags": []
}
p.client.put(path=provider_nsx_policy.API.GROUP.format(id),
data=data)
p.sg_rules_realize(sg)
self.assertEquals(len(inv[self.inventory.GROUPS]), 10)
self.assertEquals(
inv[self.inventory.GROUPS].get("192-168-1-0-24",
{}).get("display_name"),
"192.168.1.0/24")
for id, cleanup in p.sanitize(100):
cleanup(id)
self.assertEquals(len(inv[self.inventory.GROUPS]), 1)
self.assertEquals(
inv[self.inventory.GROUPS].get("0-0-0-0-16",
{}).get("display_name"),
"0.0.0.0/16")
def test_bulk_migration(self):
_, _, _, os_qos, os_port_parent, _ = self.port_fixture()
migr_provider = mp_to_policy_migration.Provider()
mngr_provider = provider_nsx_mgmt.Provider()
plcy_provider = provider_nsx_policy.Provider()
mngr_provider.qos_realize(os_qos)
mngr_net_meta = mngr_provider.network_realize(3200)
os_port_parent["vif_details"]["nsx-logical-switch-id"] = mngr_net_meta.id
mngr_port_meta = mngr_provider.port_realize(os_port_parent)
mngr_port_inv = self.inventory.inv[Inventory.PROFILES]
mngr_qos: dict = self.get_by_name(mngr_port_inv, os_qos.get("id"))
pb = mp_to_policy_migration.PayloadBuilder()
payload = pb\
.sw_profiles([(mngr_qos.get("id"), "QosSwitchingProfile")])\
.switch(mngr_net_meta.id)\
.ports([mngr_port_meta.id])\
.build()
migr_provider.migrate_bulk(payload)
plcy_provider.metadata_refresh(plcy_provider.SEGMENT)
plcy_net_meta = plcy_provider.network_realize(3200)
mngr_net_inv = self.inventory.inv[Inventory.SWITCHES]
plcy_net_inv = self.inventory.inv[Inventory.SEGMENTS]
mngr_port_inv = self.inventory.inv[Inventory.PORTS]
mngr_net: dict = mngr_net_inv.get(mngr_net_meta.id)
plcy_net: dict = plcy_net_inv.get(plcy_net_meta.id)
prfls = plcy_provider.get_non_default_switching_profiles()
mngr_port: dict = self.get_by_name(mngr_port_inv, os_port_parent.get("id"))
plcy_port = plcy_provider.get_port(os_port_parent.get("id"))[1]
policy_qos_profile = prfls[0]
self.assertEqual(os_qos.get("id"), policy_qos_profile.get("display_name"))
self.assertEqual("QoSProfile", policy_qos_profile.get("resource_type"))
self.assertEqual(mngr_qos.get("id"), policy_qos_profile.get("id"))
self.assertEqual("nsx_policy", mngr_qos.get("_create_user"))
self.assertEqual(mngr_qos.get("tags"), policy_qos_profile.get("tags"))
self.assertEqual(os_port_parent.get("id"), plcy_port.get("display_name"))
self.assertEqual("SegmentPort", plcy_port.get("resource_type"))
self.assertEqual(mngr_port.get("id"), plcy_port.get("id"))
self.assertEqual("nsx_policy", mngr_port.get("_create_user"))
self.assertEqual(mngr_port.get("tags"), plcy_port.get("tags"))
self.assertEqual(mngr_net_meta.id, plcy_net_meta.id)
self.assertEqual(mngr_net.get("id"), plcy_net.get("id"))
self.assertEqual(mngr_net.get("display_name"), plcy_net.get("display_name"))
self.assertEqual(True, str(mngr_net.get("vlan")) in plcy_net.get("vlan_ids"))
self.assertEqual("Segment", plcy_net.get("resource_type"))
self.assertEqual("LogicalSwitch", mngr_net.get("resource_type"))
self.assertEqual("nsx_policy", mngr_net.get("_create_user"))
def test_security_group_stateful(self):
sg1 = {"id": "1", "revision_number": 2, "rules": []}
sg2 = dict(sg1, **{'id': '2', 'stateful': False})
provider = provider_nsx_policy.Provider()
provider.sg_rules_realize(sg1)
provider.sg_rules_realize(sg2)
inv = self.inventory.inv
self.assertTrue(
self.get_by_name(inv[Inventory.POLICIES],
sg1["id"]).get("stateful"))
self.assertFalse(
self.get_by_name(inv[Inventory.POLICIES],
sg2["id"]).get("stateful"))
def test_security_group_revision_retry(self):
sg1 = {
"id": "1904e541-7fa0-475a-99dc-00ff03c7489f",
"revision_number": 2,
"rules": []
}
provider = provider_nsx_policy.Provider()
provider.sg_rules_realize(sg1)
inv = self.inventory.inv
inv[Inventory.POLICIES]["1904e541-7fa0-475a-99dc-00ff03c7489f"][
"_revision"] = 100
provider.sg_rules_realize(sg1)
self.assertEqual(
101, inv[Inventory.POLICIES].get(
"1904e541-7fa0-475a-99dc-00ff03c7489f").get("_revision"))
def test_outdated(self):
sg = [
{
"id": str(uuid.uuid4()),
"revision_number": 1,
"tags": [],
"rules": []
},
{
"id": str(uuid.uuid4()),
"revision_number": 2,
"tags": [],
"rules": []
},
{
"id": str(uuid.uuid4()),
"revision_number": 3,
"tags": [],
"rules": []
},
{
"id": str(uuid.uuid4()),
"revision_number": 4,
"tags": [],
"rules": []
},
]
meta = {
sg[0]['id']: "1", # same
sg[1]['id']: "3", # updated
sg[2]['id']: "8" # updated
# 4 was removed => orphaned
}
provider = provider_nsx_policy.Provider()
provider.sg_rules_realize(sg[0])
provider.sg_rules_realize(sg[1])
provider.sg_rules_realize(sg[2])
provider.sg_rules_realize(sg[3])
LOG.info(json.dumps(self.inventory.inv, indent=4))
outdated, current = provider.outdated(provider.SG_RULES, meta)
self.assertItemsEqual(outdated,
[sg[1]['id'], sg[2]['id'], sg[3]['id']])
self.assertItemsEqual(current, [sg[0]['id']])
def test_double_creation_of_default_group(self):
r = responses
r.reset()
# Simulate default group exists response
r.add(
r.PUT,
re.compile("(.*)" +
provider_nsx_policy.API.GROUP.format("0-0-0-0-0")),
status=400,
json={
"httpStatus":
"BAD_REQUEST",
"error_code":
500127,
"module_name":
"Policy",
"error_message":
"Cannot create an object with path=[/infra/domains/default/groups/0-0-0-0-0] as it already exists.",
},
)
# Add the rest of the callbacks
for m in [r.GET, r.POST, r.DELETE, r.PATCH]:
r.add_callback(m, re.compile(r".*"), callback=self.inventory.api)
provider = provider_nsx_policy.Provider()
o = provider._create_sg_provider_rule_remote_prefix("0.0.0.0/0")
expected = {
"display_name":
"0.0.0.0/0",
"expression": [{
"resource_type": "IPAddressExpression",
"ip_addresses": ["0.0.0.0/0"]
}],
"tags": [{
"scope": "agent_id",
"tag": "nsxm-l-01a.corp.local"
}, {
"scope": "age",
"tag": 1637251144
}],
}
self.assertEqual(o["display_name"], expected["display_name"])
self.assertEqual(o["expression"][0]["ip_addresses"][0],
expected["expression"][0]["ip_addresses"][0])
def test_security_group_rules_skip_ipv4_mapped_ipv6s(self):
sg = {
"id": "53C33143-3607-4CB2-B6E4-FA5F5C9E3C21",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": []
}
rule_valid = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "65535",
"port_range_max": "1",
"protocol": "tcp",
}
rule_invalid = {
"id": "2",
"ethertype": "IPv6",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "::ffff:10.180.0.0/112",
"security_group_id": "",
"port_range_min": "1",
"port_range_max": "65535",
"protocol": "tcp",
}
sg["rules"].append(rule_valid)
sg["rules"].append(rule_invalid)
provider_nsx_policy.Provider().sg_rules_realize(sg)
inv = self.inventory.inv
policy = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
rules = {r.get("id"): r for r in policy.get("rules")}
self.assertEquals(len(rules), 1)
self.assertEquals(rules[rule_valid["id"]].get("source_groups"),
['192.168.10.0/24'])
def test_port_migration(self):
_, _, _, _, os_port_parent, _ = self.port_fixture()
migr_provider = mp_to_policy_migration.Provider()
mngr_provider = provider_nsx_mgmt.Provider()
plcy_provider = provider_nsx_policy.Provider()
mngr_provider.port_realize(os_port_parent)
inv = self.inventory.inv[Inventory.PORTS]
mngr_port: dict = self.get_by_name(inv, os_port_parent.get("id"))
migr_provider.migrate_ports([mngr_port.get("id")])
plcy_port = plcy_provider.get_port(os_port_parent.get("id"))[1]
self.assertEqual(os_port_parent.get("id"), plcy_port.get("display_name"))
self.assertEqual("SegmentPort", plcy_port.get("resource_type"))
self.assertEqual(mngr_port.get("id"), plcy_port.get("id"))
self.assertEqual("nsx_policy", mngr_port.get("_create_user"))
self.assertEqual(mngr_port.get("tags"), plcy_port.get("tags"))
def test_security_group_rules_service_l4(self):
sg = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": [],
}
rule = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "443",
"port_range_max": "443",
"protocol": "tcp",
}
sg["rules"].append(rule)
provider_nsx_policy.Provider().sg_rules_realize(sg)
inv = self.inventory.inv
policy = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
rules = {r.get("id"): r for r in policy.get("rules")}
self.assertEquals(
rules[rule["id"]].get("service_entries")[0], {
"resource_type": "L4PortSetServiceEntry",
"l4_protocol": "TCP",
"source_ports": ["1-65535"],
"destination_ports": ["443"]
})
self.assertEquals(rules[rule["id"]].get("action"), "ALLOW")
self.assertEquals(rules[rule["id"]].get("ip_protocol"), "IPV4")
self.assertEquals(rules[rule["id"]].get("direction"), "IN")
self.assertEquals(rules[rule["id"]].get("destination_groups"), ["ANY"])
self.assertEquals(rules[rule["id"]].get("disabled"), False)
def test_security_group_rules_remote_group(self):
sg_remote = {
"id": "36BC1A8F-C62C-4327-9FD5-AEC49E941467",
"cidrs": [],
"revision_number": 0
}
sg = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": [],
}
rule = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": sg_remote.get("id"),
"remote_ip_prefix": "",
"security_group_id": sg.get("id"),
"port_range_min": "443",
"port_range_max": "443",
"protocol": "tcp",
}
sg["rules"].append(rule)
provider = provider_nsx_policy.Provider()
provider.sg_members_realize(sg_remote)
provider.sg_rules_realize(sg)
inv = self.inventory.inv
LOG.info(json.dumps(inv, indent=4))
policy = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
group = self.get_by_name(inv[Inventory.GROUPS], sg["id"])
rules = {r.get("id"): r for r in policy.get("rules")}
self.assertEquals(
rules[rule["id"]].get("source_groups"),
["/infra/domains/default/groups/{}".format(sg_remote["id"])])
def test_security_group_members_creation_compact_ipv6_cidrs(self):
sg = {
"id": "53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"cidrs": ["fd2e:faa4:fe14:e370:fd2e:faa4:fe14:e370/128"],
"revision_number": 0,
}
provider_nsx_policy.Provider().sg_members_realize(sg)
inv = self.inventory.inv
sg_group = self.get_by_name(inv[Inventory.GROUPS], sg["id"])
ip_addresses = []
for e in sg_group.get("expression"):
if e.get("ip_addresses"):
ip_addresses = e.get("ip_addresses")
break
self.assertEquals(ip_addresses,
["fd2e:faa4:fe14:e370:fd2e:faa4:fe14:e370"])
def test_security_group_members_delete(self):
sg = {
"id":
"53C33142-3607-4CB2-B6E4-FA5F5C9E3C19",
"cidrs":
["172.16.1.1/32", "172.16.1.2", "172.16.2.0/24", "172.16.0.0/16"],
"revision_number":
0,
}
inv = self.inventory.inv
provider = provider_nsx_policy.Provider()
provider.sg_members_realize(sg)
sg_group = self.get_by_name(inv[Inventory.GROUPS], sg["id"])
self.assertNotEqual(sg_group, None)
provider.sg_members_realize(sg, delete=True)
sg_group = self.get_by_name(inv[Inventory.GROUPS], sg["id"])
self.assertEquals(sg_group, None)
def test_migrate_sw_profiles_supported_type(self):
_, _, _, os_qos, _, _ = self.port_fixture()
migr_provider = mp_to_policy_migration.Provider()
mngr_provider = provider_nsx_mgmt.Provider()
plcy_provider = provider_nsx_policy.Provider()
mngr_provider.qos_realize(os_qos)
inv = self.inventory.inv[Inventory.PROFILES]
mngr_qos: dict = self.get_by_name(inv, os_qos.get("id"))
migr_provider.migrate_sw_profiles(
not_migrated=[(mngr_qos.get("id"), "QosSwitchingProfile")])
prfls = plcy_provider.get_non_default_switching_profiles()
policy_qos_profile = prfls[0]
self.assertEqual(os_qos.get("id"), policy_qos_profile.get("display_name"))
self.assertEqual("QoSProfile", policy_qos_profile.get("resource_type"))
self.assertEqual(mngr_qos.get("id"), policy_qos_profile.get("id"))
self.assertEqual("nsx_policy", mngr_qos.get("_create_user"))
self.assertEqual(mngr_qos.get("tags"), policy_qos_profile.get("tags"))
def test_port_already_migrated(self):
_, _, _, _, os_port_parent, _ = self.port_fixture()
migr_provider = mp_to_policy_migration.Provider()
mngr_provider = provider_nsx_mgmt.Provider()
plcy_provider = provider_nsx_policy.Provider()
mngr_provider.port_realize(os_port_parent)
inv = self.inventory.inv[Inventory.PORTS]
mngr_port: dict = self.get_by_name(inv, os_port_parent.get("id"))
migr_provider.migrate_ports([mngr_port.get("id")])
plcy_port = plcy_provider.get_port(os_port_parent.get("id"))[1]
self.assertEqual(os_port_parent.get("id"), plcy_port.get("display_name"))
try:
migr_provider.migrate_ports([mngr_port.get("id")])
except RuntimeError as e:
self.assertEqual(True, "Policy Resource already exists" in str(e))
return
assert False
def test_switch_migration(self):
migr_provider = mp_to_policy_migration.Provider()
mngr_provider = provider_nsx_mgmt.Provider()
plcy_provider = provider_nsx_policy.Provider()
mngr_meta = mngr_provider.network_realize(10)
migr_provider.migrate_switch(mngr_meta.id)
plcy_provider.metadata_refresh(plcy_provider.SEGMENT)
plcy_meta = plcy_provider.network_realize(10)
mngr_inv = self.inventory.inv[Inventory.SWITCHES]
plcy_inv = self.inventory.inv[Inventory.SEGMENTS]
mngr_net: dict = mngr_inv.get(mngr_meta.id)
plcy_net: dict = plcy_inv.get(plcy_meta.id)
self.assertEqual(mngr_meta.id, plcy_meta.id)
self.assertEqual(mngr_net.get("id"), plcy_net.get("id"))
self.assertEqual(mngr_net.get("display_name"), plcy_net.get("display_name"))
self.assertEqual(True, str(mngr_net.get("vlan")) in plcy_net.get("vlan_ids"))
self.assertEqual("Segment", plcy_net.get("resource_type"))
self.assertEqual("LogicalSwitch", mngr_net.get("resource_type"))
self.assertEqual("nsx_policy", mngr_net.get("_create_user"))
def test_security_group_rules_update(self):
sg = {
"id": "7FBE1798-65F6-43E9-A7BB-3DFA63450818",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": [],
}
rule1 = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "5",
"port_range_max": "1",
"protocol": "icmp",
}
rule2 = {
"id": "2",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "0.0.0.0/16",
"security_group_id": "",
"port_range_min": "",
"port_range_max": "",
"protocol": "hopopt",
}
rule1_u = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "5",
"port_range_max": "2",
"protocol": "icmp",
}
rule3 = {
"id": "3",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "",
"port_range_max": "",
"protocol": "1",
}
# Add two new rules
sg1 = copy.deepcopy(sg)
sg1["rules"].append(copy.deepcopy(rule1))
sg1["rules"].append(copy.deepcopy(rule2))
# Add new, update existing, delete existing
sg2 = copy.deepcopy(sg)
sg2["rules"].append(copy.deepcopy(rule1_u))
sg2["rules"].append(copy.deepcopy(rule3))
sg3 = copy.deepcopy(sg)
inv = self.inventory.inv
provider = provider_nsx_policy.Provider()
provider.sg_rules_realize(sg1)
LOG.info(json.dumps(inv, indent=4))
policy1 = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
rules = {r.get("id"): r for r in policy1.get("rules")}
self.assertEquals(len(policy1.get("rules")), 2)
self.assertEquals(rules[rule1["id"]].get("source_groups"),
[rule1.get("remote_ip_prefix")])
self.assertEquals(
rules[rule1["id"]].get("service_entries")[0].get("icmp_type"), "5")
self.assertEquals(
rules[rule1["id"]].get("service_entries")[0].get("icmp_code"), "1")
self.assertEquals(
rules[rule2["id"]].get("service_entries")[0].get(
"protocol_number"), 0)
provider.sg_rules_realize(sg2)
LOG.info(json.dumps(inv, indent=4))
policy2 = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
rules = {r.get("id"): r for r in policy2.get("rules")}
self.assertEquals(len(policy2.get("rules")), 2)
self.assertEquals(rules.get(rule2["id"]), None)
self.assertEquals(
rules[rule1["id"]].get("service_entries")[0].get("icmp_code"), "2")
self.assertEquals(
rules[rule3["id"]].get("service_entries")[0].get(
"protocol_number"), 1)
provider.sg_rules_realize(sg3)
LOG.info(json.dumps(inv, indent=4))
policy3 = self.get_by_name(inv[Inventory.POLICIES], sg["id"])
rules = {r.get("id"): r for r in policy3.get("rules")}
self.assertEquals(len(policy3.get("rules")), 0)
def test_security_group_logging(self):
sg = {
"id": "7FBE1798-65F6-43E9-A7BB-3DFA63450818",
"revision_number": 2,
"tags": ["capability_tcp_strict"],
"rules": [],
}
rule1 = {
"id": "1",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "192.168.10.0/24",
"security_group_id": "",
"port_range_min": "5",
"port_range_max": "1",
"protocol": "icmp",
}
rule2 = {
"id": "2",
"ethertype": "IPv4",
"direction": "ingress",
"remote_group_id": "",
"remote_ip_prefix": "0.0.0.0/16",
"security_group_id": "",
"port_range_min": "",
"port_range_max": "",
"protocol": "hopopt",
}
# Add two new rules
sg1 = copy.deepcopy(sg)
sg1["rules"].append(copy.deepcopy(rule1))
sg1["rules"].append(copy.deepcopy(rule2))
inv = self.inventory.inv
provider = provider_nsx_policy.Provider()
provider.sg_rules_realize(sg1, logged=True)
rules_logged = [
r["logged"] for r in self.get_by_name(inv[Inventory.POLICIES],
sg["id"])["rules"]
]
self.assertEquals(all(rules_logged), True)
provider.sg_rules_realize(sg1, logged=False)
rules_logged = [
r["logged"] for r in self.get_by_name(inv[Inventory.POLICIES],
sg["id"])["rules"]
]
self.assertEquals(any(rules_logged), False)
provider.sg_rules_realize(sg1, logged=True)
rules_logged = [
r["logged"] for r in self.get_by_name(inv[Inventory.POLICIES],
sg["id"])["rules"]
]
self.assertEquals(all(rules_logged), True)
log_obj = {"resource_type": "security_group", "resource_id": sg["id"]}
provider.disable_policy_logging(log_obj)
rules_logged = [
r["logged"] for r in inv[Inventory.POLICIES][sg["id"]]["rules"]
]
self.assertEquals(any(rules_logged), False)
provider.enable_policy_logging(log_obj)
rules_logged = [
r["logged"] for r in inv[Inventory.POLICIES][sg["id"]]["rules"]
]
self.assertEquals(all(rules_logged), True)
provider.disable_policy_logging(log_obj)
rules_logged = [
r["logged"] for r in inv[Inventory.POLICIES][sg["id"]]["rules"]
]
self.assertEquals(any(rules_logged), False)
log_obj["enabled"] = True
provider.update_policy_logging(log_obj)
rules_logged = [
r["logged"] for r in inv[Inventory.POLICIES][sg["id"]]["rules"]
]
self.assertEquals(all(rules_logged), True)
log_obj["enabled"] = False
provider.update_policy_logging(log_obj)
rules_logged = [
r["logged"] for r in inv[Inventory.POLICIES][sg["id"]]["rules"]
]
self.assertEquals(any(rules_logged), False)
log_obj["enabled"] = True
provider.update_policy_logging(log_obj)
rules_logged = [
r["logged"] for r in inv[Inventory.POLICIES][sg["id"]]["rules"]
]
self.assertEquals(all(rules_logged), True)
LOG.info("FINISHED: test_security_group_logging")