def test_create_group_with_one_simple_rule(self):
"""
Tests the creation of an OpenStack Security Group with one simple
custom rule.
"""
# Create Security Group
sec_grp_rule_settings = list()
sec_grp_rule_settings.append(
SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name,
direction=Direction.ingress,
description='test_rule_1'))
sec_grp_settings = SecurityGroupConfig(
name=self.sec_grp_name,
description='hello group',
rule_settings=sec_grp_rule_settings)
self.sec_grp_creator = create_security_group.OpenStackSecurityGroup(
self.os_creds, sec_grp_settings)
self.sec_grp_creator.create()
sec_grp = neutron_utils.get_security_group(
self.neutron, self.keystone, sec_grp_settings=sec_grp_settings)
validation_utils.objects_equivalent(
self.sec_grp_creator.get_security_group(), sec_grp)
rules = neutron_utils.get_rules_by_security_group(
self.neutron, self.sec_grp_creator.get_security_group())
self.assertEqual(len(self.sec_grp_creator.get_rules()), len(rules))
validation_utils.objects_equivalent(self.sec_grp_creator.get_rules(),
rules)
self.assertTrue(
validate_sec_grp(self.neutron, self.keystone,
self.sec_grp_creator.sec_grp_settings,
self.sec_grp_creator.get_security_group(), rules))
def test_create_delete_group(self):
"""
Tests the creation of an OpenStack Security Group without custom rules.
"""
# Create Security Group
sec_grp_settings = SecurityGroupConfig(name=self.sec_grp_name,
description='hello group')
self.sec_grp_creator = create_security_group.OpenStackSecurityGroup(
self.os_creds, sec_grp_settings)
created_sec_grp = self.sec_grp_creator.create()
self.assertIsNotNone(created_sec_grp)
self.assertTrue(
validate_sec_grp(self.neutron, self.keystone,
self.sec_grp_creator.sec_grp_settings,
self.sec_grp_creator.get_security_group()))
neutron_utils.delete_security_group(self.neutron, created_sec_grp)
self.assertIsNone(
neutron_utils.get_security_group(
self.neutron,
self.keystone,
sec_grp_settings=self.sec_grp_creator.sec_grp_settings))
self.sec_grp_creator.clean()
def test_create_group_new_user_to_admin_project(self):
"""
Tests the creation of an OpenStack Security Group without custom rules.
"""
# Create Security Group
sec_grp_settings = SecurityGroupConfig(
name=self.sec_grp_name,
description='hello group',
project_name=self.os_creds.project_name)
self.sec_grp_creator = create_security_group.OpenStackSecurityGroup(
self.admin_os_creds, sec_grp_settings)
self.sec_grp_creator.create()
sec_grp = neutron_utils.get_security_group(
self.neutron, self.keystone, sec_grp_settings=sec_grp_settings)
self.assertIsNotNone(sec_grp)
validation_utils.objects_equivalent(
self.sec_grp_creator.get_security_group(), sec_grp)
rules = neutron_utils.get_rules_by_security_group(
self.neutron, self.sec_grp_creator.get_security_group())
self.assertEqual(len(self.sec_grp_creator.get_rules()), len(rules))
validation_utils.objects_equivalent(self.sec_grp_creator.get_rules(),
rules)
self.assertTrue(
validate_sec_grp(self.neutron, self.keystone,
self.sec_grp_creator.sec_grp_settings,
self.sec_grp_creator.get_security_group(), rules))
def tearDown(self):
"""
Cleans the remote OpenStack objects
"""
if self.project:
neutron = neutron_utils.neutron_client(self.os_creds,
self.os_session)
default_sec_grp = neutron_utils.get_security_group(
neutron,
self.keystone,
sec_grp_name='default',
project_name=self.os_creds.project_name)
if default_sec_grp:
try:
neutron_utils.delete_security_group(
neutron, default_sec_grp)
except:
pass
keystone_utils.delete_project(self.keystone, self.project)
if self.user:
keystone_utils.delete_user(self.keystone, self.user)
if self.role:
keystone_utils.delete_role(self.keystone, self.role)
super(self.__class__, self).__clean__()
def initialize(self):
"""
Loads existing security group.
:return: the security group domain object
"""
super(self.__class__, self).initialize()
self.__security_group = neutron_utils.get_security_group(
self._neutron, self._keystone,
sec_grp_settings=self.sec_grp_settings,
project_name=self._os_creds.project_name)
if self.__security_group:
# Populate rules
existing_rules = neutron_utils.get_rules_by_security_group(
self._neutron, self.__security_group)
for existing_rule in existing_rules:
# For Custom Rules
rule_setting = self.__get_setting_from_rule(existing_rule)
self.__rules[rule_setting] = existing_rule
self.__security_group = neutron_utils.get_security_group_by_id(
self._neutron, self.__security_group.id)
return self.__security_group
def test_remove_rule_by_setting(self):
"""
Tests the creation of an OpenStack Security Group with two simple
custom rules then removes one by the rule setting object
"""
# Create Security Group
sec_grp_rule_settings = list()
sec_grp_rule_settings.append(
SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name,
direction=Direction.ingress,
description='test_rule_1'))
sec_grp_rule_settings.append(
SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name,
direction=Direction.egress,
protocol=Protocol.udp,
ethertype=Ethertype.IPv6,
description='test_rule_2'))
sec_grp_rule_settings.append(
SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name,
direction=Direction.egress,
protocol=Protocol.udp,
ethertype=Ethertype.IPv4,
port_range_min=10,
port_range_max=20,
description='test_rule_3'))
sec_grp_settings = SecurityGroupConfig(
name=self.sec_grp_name,
description='hello group',
rule_settings=sec_grp_rule_settings)
self.sec_grp_creator = create_security_group.OpenStackSecurityGroup(
self.os_creds, sec_grp_settings)
self.sec_grp_creator.create()
sec_grp = neutron_utils.get_security_group(
self.neutron, self.keystone, sec_grp_settings=sec_grp_settings)
validation_utils.objects_equivalent(
self.sec_grp_creator.get_security_group(), sec_grp)
rules = neutron_utils.get_rules_by_security_group(
self.neutron, self.sec_grp_creator.get_security_group())
self.assertEqual(len(self.sec_grp_creator.get_rules()), len(rules))
validation_utils.objects_equivalent(self.sec_grp_creator.get_rules(),
rules)
self.assertTrue(
validate_sec_grp(self.neutron, self.keystone,
self.sec_grp_creator.sec_grp_settings,
self.sec_grp_creator.get_security_group(), rules))
self.sec_grp_creator.remove_rule(rule_setting=sec_grp_rule_settings[0])
rules_after_del = neutron_utils.get_rules_by_security_group(
self.neutron, self.sec_grp_creator.get_security_group())
self.assertEqual(len(rules) - 1, len(rules_after_del))
def validate_sec_grp_rules(neutron, keystone, rule_settings, rules):
"""
Returns True is the settings on a security group rule are properly
contained on the SNAPS SecurityGroupRule domain object.
This function will only operate on rules that contain a description as
this is the only means to tell if the rule is custom or defaulted by
OpenStack
:param neutron: the neutron client
:param keystone: the keystone client
:param rule_settings: collection of SecurityGroupRuleConfig objects
:param rules: a collection of SecurityGroupRule domain objects
:return: T/F
"""
for rule_setting in rule_settings:
if rule_setting.description:
match = False
for rule in rules:
sec_grp = neutron_utils.get_security_group(
neutron, keystone, sec_grp_name=rule_setting.sec_grp_name)
setting_eth_type = create_security_group.Ethertype.IPv4
if rule_setting.ethertype:
setting_eth_type = rule_setting.ethertype
if not sec_grp:
return False
proto_str = 'null'
if rule.protocol:
proto_str = rule.protocol
if (rule.description == rule_setting.description
and rule.direction == rule_setting.direction.name
and rule.ethertype == setting_eth_type.name
and rule.port_range_max == rule_setting.port_range_max
and rule.port_range_min == rule_setting.port_range_min
and proto_str == str(rule_setting.protocol.value) and
rule.remote_group_id == rule_setting.remote_group_id
and rule.remote_ip_prefix
== rule_setting.remote_ip_prefix
and rule.security_group_id == sec_grp.id):
match = True
break
if not match:
return False
return True
def clean(self):
"""
Cleanse environment of all artifacts
:return: void
"""
if self.__project:
# Delete security group 'default' if exists
neutron = neutron_utils.neutron_client(self._os_creds,
self._os_session)
try:
default_sec_grp = neutron_utils.get_security_group(
neutron,
self._keystone,
sec_grp_name='default',
project_name=self.__project.name)
if default_sec_grp:
try:
neutron_utils.delete_security_group(
neutron, default_sec_grp)
except:
pass
finally:
neutron.httpclient.session.session.close()
# Delete Project
try:
keystone_utils.delete_project(self._keystone, self.__project)
except NotFound:
pass
self.__project = None
if self.__role:
try:
keystone_utils.delete_role(self._keystone, self.__role)
except NotFound:
pass
self.__project = None
# Final role check in case init was done from an existing instance
role = keystone_utils.get_role_by_name(self._keystone,
self.__role_name)
if role:
keystone_utils.delete_role(self._keystone, role)
super(self.__class__, self).clean()
def dict_for_neutron(self, neutron, keystone, project_name):
"""
Returns a dictionary object representing this object.
This is meant to be converted into JSON designed for use by the Neutron
API
:param neutron: the neutron client for performing lookups
:param keystone: the keystone client for performing lookups
:param project_name: the name of the project associated with the group
:return: the dictionary object
"""
out = dict()
if self.description:
out['description'] = self.description
if self.direction:
out['direction'] = self.direction.name
if self.port_range_min:
out['port_range_min'] = self.port_range_min
if self.port_range_max:
out['port_range_max'] = self.port_range_max
if self.ethertype:
out['ethertype'] = self.ethertype.name
if self.protocol and self.protocol.value != 'null':
out['protocol'] = self.protocol.value
if self.sec_grp_name:
sec_grp = neutron_utils.get_security_group(
neutron, keystone, sec_grp_name=self.sec_grp_name,
project_name=project_name)
if sec_grp:
out['security_group_id'] = sec_grp.id
else:
raise SecurityGroupRuleConfigError(
'Cannot locate security group with name - ' +
self.sec_grp_name)
if self.remote_group_id:
out['remote_group_id'] = self.remote_group_id
if self.remote_ip_prefix:
out['remote_ip_prefix'] = self.remote_ip_prefix
return {'security_group_rule': out}
def dict_for_neutron(self, neutron, os_creds):
"""
Returns a dictionary object representing this object.
This is meant to be converted into JSON designed for use by the Neutron
API
TODO - expand automated testing to exercise all parameters
:param neutron: the Neutron client
:param os_creds: the OpenStack credentials
:return: the dictionary object
"""
out = dict()
session = keystone_utils.keystone_session(os_creds)
keystone = keystone_utils.keystone_client(os_creds, session)
project_name = os_creds.project_name
if self.project_name:
project_name = project_name
try:
network = neutron_utils.get_network(neutron,
keystone,
network_name=self.network_name)
if network and not (network.shared or network.external):
network = neutron_utils.get_network(
neutron,
keystone,
network_name=self.network_name,
project_name=project_name)
finally:
if session:
keystone_utils.close_session(session)
if not network:
raise PortConfigError('Cannot locate network with name - ' +
self.network_name + ' in project - ' +
str(project_name))
out['network_id'] = network.id
if self.admin_state_up is not None:
out['admin_state_up'] = self.admin_state_up
if self.name:
out['name'] = self.name
if self.project_name:
project = keystone_utils.get_project(
keystone=keystone, project_name=self.project_name)
project_id = None
if project:
project_id = project.id
if project_id:
out['tenant_id'] = project_id
else:
raise PortConfigError(
'Could not find project ID for project named - ' +
self.project_name)
if self.mac_address:
out['mac_address'] = self.mac_address
fixed_ips = self.__get_fixed_ips(neutron, network)
if fixed_ips and len(fixed_ips) > 0:
out['fixed_ips'] = fixed_ips
if self.security_groups:
sec_grp_ids = list()
for sec_grp_name in self.security_groups:
sec_grp = neutron_utils.get_security_group(
neutron,
keystone,
sec_grp_name=sec_grp_name,
project_name=self.project_name)
if sec_grp:
sec_grp_ids.append(sec_grp.id)
out['security_groups'] = sec_grp_ids
if self.port_security_enabled is not None:
out['port_security_enabled'] = self.port_security_enabled
if self.allowed_address_pairs and len(self.allowed_address_pairs) > 0:
out['allowed_address_pairs'] = self.allowed_address_pairs
if self.opt_value:
out['opt_value'] = self.opt_value
if self.opt_name:
out['opt_name'] = self.opt_name
if self.device_owner:
out['device_owner'] = self.device_owner
if self.device_id:
out['device_id'] = self.device_id
if self.extra_dhcp_opts:
out['extra_dhcp_opts'] = self.extra_dhcp_opts
return {'port': out}