def test_acl_hash_entries(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1_obj = self.create_virtual_network(vn1_name, "10.2.1.0/24")
vn2_obj = self.create_virtual_network(vn2_name, "20.2.1.0/24")
np = self.create_network_policy(vn1_obj, vn2_obj)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np, vnp)
vn2_obj.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
gevent.sleep(5)
acl = self._vnc_lib.access_control_list_read(
fq_name=self.get_ri_name(vn1_obj))
acl2 = self._vnc_lib.access_control_list_read(
fq_name=self.get_ri_name(vn2_obj))
acl_hash = acl.access_control_list_hash
acl_hash2 = acl2.access_control_list_hash
self.assertEqual(acl_hash, hash(acl.access_control_list_entries))
self.assertEqual(acl_hash2, hash(acl2.access_control_list_entries))
self.schema_transformer_restart()
vn1_obj.del_network_policy(np)
vn2_obj.del_network_policy(np)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.delete_network_policy(np)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
def _attach_policy(self, vn_obj, *policies):
for policy in policies or []:
vn_obj.add_network_policy(policy, \
VirtualNetworkPolicyType(sequence=SequenceType(0, 0)))
self._vnc_lib.virtual_network_update(vn_obj)
for policy in policies or []:
self._vnc_lib.ref_relax_for_delete(vn_obj.uuid, policy.uuid)
def test_policy_with_cidr_and_vn(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
vn2 = self.create_virtual_network(vn2_name,
["10.2.1.0/24", "10.2.2.0/24"])
rules = []
rule1 = {
"protocol":
"icmp",
"direction":
"<>",
"src-port":
"any",
"src": {
"type": "vn",
"value": vn1
},
"dst": [{
"type": "cidr_list",
"value": ["10.2.1.0/24"]
}, {
"type": "vn",
"value": vn2
}],
"dst-port":
"any",
"action":
"pass"
}
rules.append(rule1)
np = self.create_network_policy_with_multiple_rules(rules)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
for obj in [vn1]:
ident_name = self.get_obj_imid(obj)
gevent.sleep(2)
self.assertThat(FakeIfmapClient._graph, Contains(ident_name))
self.check_vn_ri_state(fq_name=self.get_ri_name(vn1))
self.check_acl_match_dst_cidr(fq_name=self.get_ri_name(vn1),
ip_prefix="10.2.1.0",
ip_len=24)
self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1),
src_vn=':'.join(vn1.get_fq_name()),
dst_vn=':'.join(vn2.get_fq_name()))
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
self.check_vn_is_deleted(uuid=vn2.uuid)
def test_basic_policy(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1_obj = VirtualNetwork(vn1_name)
vn2_obj = VirtualNetwork(vn2_name)
np = self.create_network_policy(vn1_obj, vn2_obj)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np, vnp)
vn2_obj.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_create(vn1_obj)
self._vnc_lib.virtual_network_create(vn2_obj)
for obj in [vn1_obj, vn2_obj]:
self.assertTill(self.vnc_db_has_ident, obj=obj)
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
self.check_ri_ref_present(self.get_ri_name(vn2_obj),
self.get_ri_name(vn1_obj))
vn1_obj.del_network_policy(np)
vn2_obj.del_network_policy(np)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj))
self.delete_network_policy(np)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
self.check_vn_is_deleted(uuid=vn1_obj.uuid)
self.check_ri_is_deleted(fq_name=self.get_ri_name(vn2_obj))
def test_policy_with_cidr(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24")
rules = []
rule1 = {
"protocol": "icmp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
rule2 = {
"protocol": "icmp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.2/32"
},
"action": "deny"
}
rules.append(rule1)
rules.append(rule2)
np = self.create_network_policy_with_multiple_rules(rules)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
self.assertTill(self.vnc_db_has_ident, obj=vn1)
self.check_vn_ri_state(fq_name=self.get_ri_name(vn1))
self.check_acl_match_dst_cidr(fq_name=self.get_ri_name(vn1),
ip_prefix="10.2.1.1",
ip_len=32)
self.check_acl_match_dst_cidr(fq_name=self.get_ri_name(vn1),
ip_prefix="10.2.1.2",
ip_len=32)
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_multiple_policy(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1_obj = VirtualNetwork(vn1_name)
vn2_obj = VirtualNetwork(vn2_name)
np1 = self.create_network_policy(vn1_obj, vn2_obj)
np2 = self.create_network_policy(vn2_obj, vn1_obj)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np1, vnp)
vn2_obj.set_network_policy(np2, vnp)
self._vnc_lib.virtual_network_create(vn1_obj)
self._vnc_lib.virtual_network_create(vn2_obj)
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
self.check_ri_ref_present(self.get_ri_name(vn2_obj),
self.get_ri_name(vn1_obj))
np1.network_policy_entries.policy_rule[
0].action_list.simple_action = 'deny'
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
expr = (
"('contrail:connection contrail:routing-instance:%s' in FakeIfmapClient._graph['8443']['contrail:routing-instance:%s']['links'])"
% (':'.join(self.get_ri_name(vn2_obj)), ':'.join(
self.get_ri_name(vn1_obj))))
self.assertTill(expr)
np1.network_policy_entries.policy_rule[
0].action_list.simple_action = 'pass'
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
np2.network_policy_entries.policy_rule[
0].action_list.simple_action = 'deny'
np2.set_network_policy_entries(np2.network_policy_entries)
self._vnc_lib.network_policy_update(np2)
expr = (
"('contrail:connection contrail:routing-instance:%s' in FakeIfmapClient._graph['8443']['contrail:routing-instance:%s']['links'])"
% (':'.join(self.get_ri_name(vn1_obj)), ':'.join(
self.get_ri_name(vn2_obj))))
self.assertTill(expr)
vn1_obj.del_network_policy(np1)
vn2_obj.del_network_policy(np2)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj))
self.delete_network_policy(np1)
self.delete_network_policy(np2)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_multiple_policy(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1_obj = VirtualNetwork(vn1_name)
vn2_obj = VirtualNetwork(vn2_name)
np1 = self.create_network_policy(vn1_obj, vn2_obj)
np2 = self.create_network_policy(vn2_obj, vn1_obj)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np1, vnp)
vn2_obj.set_network_policy(np2, vnp)
self._vnc_lib.virtual_network_create(vn1_obj)
self._vnc_lib.virtual_network_create(vn2_obj)
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
self.check_ri_ref_present(self.get_ri_name(vn2_obj),
self.get_ri_name(vn1_obj))
np1.network_policy_entries.policy_rule[
0].action_list.simple_action = 'deny'
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
self.assertTill(
self.ifmap_ident_has_link,
type_fq_name=('routing-instance', self.get_ri_name(vn1_obj)),
link_name='contrail:connection contrail:routing-instance:%s' %
':'.join(self.get_ri_name(vn2_obj)))
np1.network_policy_entries.policy_rule[
0].action_list.simple_action = 'pass'
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
np2.network_policy_entries.policy_rule[
0].action_list.simple_action = 'deny'
np2.set_network_policy_entries(np2.network_policy_entries)
self._vnc_lib.network_policy_update(np2)
self.assertTill(
self.ifmap_ident_has_link,
type_fq_name=('routing-instance', self.get_ri_name(vn2_obj)),
link_name='contrail:connection contrail:routing-instance:%s' %
':'.join(self.get_ri_name(vn1_obj)))
vn1_obj.del_network_policy(np1)
vn2_obj.del_network_policy(np2)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj))
self.delete_network_policy(np1)
self.delete_network_policy(np2)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_policy_processing_time_optimization_acl_with_vn(self):
# Create VNs
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24")
# Create policy
rules = []
rule1 = {"protocol": "icmp",
"direction": "<>",
"src": {"type": "vn", "value": vn1},
"dst": {"type": "cidr", "value": "10.2.1.2/32"},
"action": "deny"
}
rules.append(rule1)
np = self.create_network_policy_with_multiple_rules(rules)
self._vnc_lib.network_policy_update(np)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
# Attach policy to vn1
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
orignal_vn_eval = VirtualNetworkST.evaluate
# if we dont sleep now for some time than following mock function gets
# picked for the above vn update
vn1.vn_evaluate_hit = False
def mock_vn_evaluate(vn_obj):
if vn1.get_fq_name_str() == vn_obj.name:
vn1.vn_evaluate_hit = True
orignal_vn_eval(vn_obj)
# end evaluate
gevent.sleep(3)
VirtualNetworkST.evaluate = mock_vn_evaluate
vn2.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn2)
# if we dont sleep now for some time than for the
# above code original vn
# evaluate gets picked up due to the next line
gevent.sleep(3)
if not vn1.vn_evaluate_hit:
self.assertTrue(False, 'Error: Did not execute evaluate of vn1')
VirtualNetworkST.evaluate = orignal_vn_eval
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
self.check_vn_is_deleted(uuid=vn2.uuid)
def test_multiple_policy(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1_obj = VirtualNetwork(vn1_name)
vn2_obj = VirtualNetwork(vn2_name)
np1 = self.create_network_policy(vn1_obj, vn2_obj)
np2 = self.create_network_policy(vn2_obj, vn1_obj)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np1, vnp)
vn2_obj.set_network_policy(np2, vnp)
self._vnc_lib.virtual_network_create(vn1_obj)
self._vnc_lib.virtual_network_create(vn2_obj)
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
self.check_ri_ref_present(self.get_ri_name(vn2_obj),
self.get_ri_name(vn1_obj))
np1.network_policy_entries.policy_rule[0].action_list.simple_action = \
'deny'
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj))
np1.network_policy_entries.policy_rule[0].action_list.simple_action = \
'pass'
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
np2.network_policy_entries.policy_rule[0].action_list.simple_action = \
'deny'
np2.set_network_policy_entries(np2.network_policy_entries)
self._vnc_lib.network_policy_update(np2)
self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj))
vn1_obj.del_network_policy(np1)
vn2_obj.del_network_policy(np2)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.delete_network_policy(np1)
self.delete_network_policy(np2)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
self.check_vn_is_deleted(uuid=vn1_obj.uuid)
self.check_vn_is_deleted(uuid=vn2_obj.uuid)
def test_compressed_policy_with_cidr(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24")
rules = []
rule = {
"protocol": "any",
"direction": "<>",
"src": {
"type": "cidr",
"value": "10.1.1.1/32"
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
rules.append(rule)
np = self.create_network_policy_with_multiple_rules(rules)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
vn2.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
self._vnc_lib.virtual_network_update(vn2)
self.assertTill(self.vnc_db_has_ident, obj=vn1)
self.assertTill(self.vnc_db_has_ident, obj=vn2)
self.check_vn_ri_state(fq_name=self.get_ri_name(vn1))
self.check_vn_ri_state(fq_name=self.get_ri_name(vn2))
self.check_compress_acl_match_condition(
np._network_policy_entries.policy_rule[0].dst_addresses,
fq_name=self.get_ri_name(vn1))
self.check_compress_acl_match_condition(
np._network_policy_entries.policy_rule[0].src_addresses,
fq_name=self.get_ri_name(vn2))
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
self.check_vn_is_deleted(uuid=vn2.uuid)
def bind_policies(self, policy_fq_names):
if self._api == 'contrail':
self.vnc_obj.set_network_policy_list([], True)
self.vnc_api.virtual_network_update(self.vnc_obj)
for seq, policy in enumerate(policy_fq_names):
policy_obj = self._vnc.get_network_policy(policy)
seq_obj = SequenceType(major=seq, minor=0)
self.vnc_obj.add_network_policy(
policy_obj, VirtualNetworkPolicyType(sequence=seq_obj))
self.vnc_api.virtual_network_update(self.vnc_obj)
else:
net_req = {'policys': policy_fq_names}
self._qh.update_network(self.uuid, {'network': net_req})
self.update()
self._policies = policy_fq_names
def test_basic_policy(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1_obj = VirtualNetwork(vn1_name)
vn2_obj = VirtualNetwork(vn2_name)
np = self.create_network_policy(vn1_obj, vn2_obj)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np, vnp)
vn2_obj.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_create(vn1_obj)
self._vnc_lib.virtual_network_create(vn2_obj)
for obj in [vn1_obj, vn2_obj]:
ident_name = self.get_obj_imid(obj)
gevent.sleep(2)
self.assertThat(FakeIfmapClient._graph['8443'],
Contains(ident_name))
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
self.check_ri_ref_present(self.get_ri_name(vn2_obj),
self.get_ri_name(vn1_obj))
vn1_obj.del_network_policy(np)
vn2_obj.del_network_policy(np)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.check_ri_refs_are_deleted(fq_name=self.get_ri_name(vn2_obj))
self.delete_network_policy(np)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
self.check_vn_is_deleted(uuid=vn1_obj.uuid)
self.check_ri_is_deleted(fq_name=self.get_ri_name(vn2_obj))
def test_provider_network(self):
"""
Test description.
Verify:
1. Check creating a non-provider VNs with
non-provider VNs connected to it is not allowed
2. Check a non provider-VN can not be created
with is_provider_network property set to True
3. Check is_provider_network property of a
provider-VN is True by default
4. Check is_provider_network property of a
provider-VN can be set as True
5. Check is_provider_network property of provider-VN
can not be set as False
6. Check is_provider_network property of non provider-VN
can not be set as True
7. Check is_provider_network property of non provider-VN
can be set as False
8. Check setting other parameters of a non provider-VN
is not affected
9. Check db_resync sets is_provider_network property
of provider-VN as True (simulating upgrade case)
10. Check non provider VNs can be added to
provider VN
11. Check the provider-VN can be added to a VN
12. Check non provider-VN can not be added to a VN
13. Check many VNs can be linked to the provider-VN
14. Check (provider-vn -> any-VN),DENY acl rule is added to
the provider-VN
15. Check (VN -> provider-VN),DENY acl rule is added to
the VN
16. Adding a (VN -> provider-VN),PASS acl rule at VN removes
(VN -> provider-VN),DENY acl rule
Assumption: ip-fabric VN is the provider-VN
"""
# create two VNs - vn1, vn2
vn1_name = self.id() + '_vn1'
vn2_name = self.id() + '_vn2'
vn3_name = self.id() + '_vn3'
vn4_name = self.id() + '_vn4'
vn1_obj1 = VirtualNetwork(vn1_name)
vn2_obj1 = VirtualNetwork(vn2_name)
vn3_obj1 = VirtualNetwork(vn3_name)
vn4_obj1 = VirtualNetwork(vn4_name)
self._vnc_lib.virtual_network_create(vn1_obj1)
self._vnc_lib.virtual_network_create(vn2_obj1)
self._vnc_lib.virtual_network_create(vn3_obj1)
# try creating non provider_vn with linked
# non provider_vn (linked before creating)
vn4_obj1.add_virtual_network(vn3_obj1)
self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create,
vn4_obj1)
vn4_obj1.add_virtual_network(vn2_obj1)
self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create,
vn4_obj1)
# remove vn3_obj1 and vn2_obj1
# as its not allowed
vn4_obj1.del_virtual_network(vn3_obj1)
vn4_obj1.del_virtual_network(vn2_obj1)
# set is_provider_network on a non provider-vn
# and try creating it
vn4_obj1.set_is_provider_network(True)
self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create,
vn4_obj1)
# set it as False and retry creating it
vn4_obj1.set_is_provider_network(False)
self._vnc_lib.virtual_network_create(vn4_obj1)
# Check updating other parameters of a non provider VN
# when no provider VN is not connected
vn4_obj1.set_mac_aging_time(400)
self._vnc_lib.virtual_network_update(vn4_obj1)
# retrieve provider network, assuming ip-fabric for now
provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
provider_vn = self._vnc_lib.virtual_network_read(
fq_name=provider_fq_name)
self.assertEqual(provider_vn.get_is_provider_network(), True)
# check is_provider_network of provider_vn
# can be set to True (ie only as its default)
provider_vn.set_is_provider_network(True)
self._vnc_lib.virtual_network_update(provider_vn)
# check is_provider_network of provider_vn
# can not be set to False
provider_vn.set_is_provider_network(False)
self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update,
provider_vn)
# check is_provider_network of non provider_vn
# can be set to False
vn4_obj1.set_is_provider_network(False)
self._vnc_lib.virtual_network_update(vn4_obj1)
# check is_provider_network of non provider_vn
# can not be set to True
vn4_obj1.set_is_provider_network(True)
self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update,
vn4_obj1)
# check db_resync sets is_provider_network property
# as True in provider-vn
self._api_server._db_conn.db_resync()
provider_vn = self._vnc_lib.virtual_network_read(
fq_name=provider_fq_name)
self.assertEqual(provider_vn.get_is_provider_network(), True)
# check adding vn3 and vn2 to provider vn
provider_vn.add_virtual_network(vn2_obj1)
provider_vn.add_virtual_network(vn3_obj1)
self._vnc_lib.virtual_network_update(provider_vn)
gevent.sleep(5)
provider_vn = self._vnc_lib.virtual_network_read(
fq_name=provider_vn.get_fq_name())
self.assertEqual(len(provider_vn.virtual_network_refs), 2)
linked_uuids = [
ref['uuid'] for ref in provider_vn.virtual_network_refs
]
self.assertIn(vn3_obj1.uuid, linked_uuids)
self.assertIn(vn2_obj1.uuid, linked_uuids)
VirtualNetworkST._dict = {}
VirtualNetworkST.reinit()
provider_vn = self._vnc_lib.virtual_network_read(
fq_name=provider_vn.get_fq_name())
vn3_obj1 = self._vnc_lib.virtual_network_read(
fq_name=vn3_obj1.get_fq_name())
vn2_obj1 = self._vnc_lib.virtual_network_read(
fq_name=vn2_obj1.get_fq_name())
self.assertEqual(len(provider_vn.virtual_network_refs), 2)
linked_uuids = [
ref['uuid'] for ref in provider_vn.virtual_network_refs
]
self.assertIn(vn3_obj1.uuid, linked_uuids)
self.assertIn(vn2_obj1.uuid, linked_uuids)
self.check_acl_implicit_deny_rule(
fq_name=self.get_ri_name(provider_vn),
src_vn=':'.join(provider_fq_name),
dst_vn='any')
self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn2_obj1),
src_vn=vn2_obj1.get_fq_name_str(),
dst_vn=':'.join(provider_fq_name))
self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn3_obj1),
src_vn=vn3_obj1.get_fq_name_str(),
dst_vn=':'.join(provider_fq_name))
# check adding provider vn to vn1 works
vn1_obj1.add_virtual_network(provider_vn)
self._vnc_lib.virtual_network_update(vn1_obj1)
gevent.sleep(2)
vn1_obj2 = self._vnc_lib.virtual_network_read(
fq_name=vn1_obj1.get_fq_name())
self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
provider_fq_name)
self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj2),
src_vn=vn1_obj2.get_fq_name_str(),
dst_vn=':'.join(provider_fq_name))
# Check updating other parameters of a non provider VN
# when a provider VN is connected
vn1_obj2.set_mac_aging_time(400)
self._vnc_lib.virtual_network_update(vn1_obj2)
# create a policy to allow icp between vn1 <> vn2
# and update vn1
vn1_to_vn2_rule = {
"protocol": "icmp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1_obj2
},
"dst": [{
"type": "vn",
"value": vn2_obj1
}],
"action": "pass"
}
np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj2.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1_obj2)
vn1_obj3 = self._vnc_lib.virtual_network_read(
fq_name=vn1_obj2.get_fq_name())
# check linking a non provider network is not allowed
vn1_obj3.add_virtual_network(vn2_obj1)
self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update,
vn1_obj3)
vn1_obj4 = self._vnc_lib.virtual_network_read(
fq_name=vn1_obj3.get_fq_name())
self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
provider_fq_name)
self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
vn2_obj1.get_fq_name())
# check the provider-network got a deny rule to any VN
provider_to_vn1_rule = {
"protocol": "icmp",
"direction": ">",
"src": {
"type": "vn",
"value": provider_vn
},
"dst": [{
"type": "vn",
"value": vn1_obj4
}],
"action": "pass"
}
np = self.create_network_policy_with_multiple_rules(
[provider_to_vn1_rule])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
provider_vn.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(provider_vn)
self.check_acl_implicit_deny_rule(
fq_name=self.get_ri_name(provider_vn),
src_vn=':'.join(provider_fq_name),
dst_vn='any')
# check the network connected to provider-network
# got a deny rule to provider-network
self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj4),
src_vn=':'.join(
vn1_obj4.get_fq_name()),
dst_vn=':'.join(provider_fq_name))
# add an explicit policy to allow traffic to provider network
# and the implicit deny is removed
vn1_to_provider_rule = {
"protocol": "any",
"direction": ">",
"src": {
"type": "vn",
"value": vn1_obj4
},
"dst": [{
"type": "vn",
"value": provider_vn
}],
"action": "pass"
}
np = self.create_network_policy_with_multiple_rules(
[vn1_to_provider_rule])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj4.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1_obj4)
vn1_obj5 = self._vnc_lib.virtual_network_read(
fq_name=vn1_obj4.get_fq_name())
self.check_acl_no_implicit_deny_rule(
fq_name=self.get_ri_name(vn1_obj5),
src_vn=':'.join(vn1_obj5.get_fq_name()),
dst_vn=':'.join(provider_fq_name))
self.check_acl_allow_rule(fq_name=self.get_ri_name(vn1_obj5),
src_vn=':'.join(vn1_obj5.get_fq_name()),
dst_vn=':'.join(provider_fq_name))
# adding explicit policy to allow traffic to provider network
# do not change deny rule in provider network
self.check_acl_implicit_deny_rule(
fq_name=self.get_ri_name(provider_vn),
src_vn=':'.join(provider_fq_name),
dst_vn='any')
def test_security_logging_object_with_policy_and_security_group(self):
# Add a Network Policy Rule and a Security Group Rule to a
# SLO
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
rule1 = {
"protocol": "udp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
np = self.create_network_policy_with_multiple_rules([rule1])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
sg_obj = SecurityGroup(name=self.id() + '_sg1')
self._vnc_lib.security_group_create(sg_obj)
sgr_uuid = str(uuid.uuid4())
sg_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4')
sg_policy_rules = PolicyEntriesType([sg_rule])
sg_obj.set_security_group_entries(sg_policy_rules)
self._vnc_lib.security_group_update(sg_obj)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
np_fqdn = np.get_fq_name_str()
np_rule1_uuid = np_rule1.get_rule_uuid()
slo_rule_entries = []
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300))
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300))
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
slo_obj.add_network_policy(np, None)
sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid())
slo_obj.add_security_group(sg_obj, None)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries)
slo_obj.del_network_policy(np)
slo_obj.del_security_group(sg_obj)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_network_policy_update(self):
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
np = self.create_network_policy_with_multiple_rules([])
np_fqdn = np.get_fq_name_str()
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
slo_obj.add_network_policy(np, None)
self._vnc_lib.security_logging_object_update(slo_obj)
npr_uuid = str(uuid.uuid4())
action_list = ActionListType()
action_list.simple_action = 'pass'
np_rule = PolicyRuleType(
rule_uuid=npr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4',
action_list=action_list)
np.set_network_policy_entries(PolicyEntriesType([np_rule]))
self._vnc_lib.network_policy_update(np)
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
expected_rule_list = [
SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300)
]
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, expected_rule_list)
slo_obj.del_network_policy(np)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_wildcard_rules(self):
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
rules = []
rule1 = {
"protocol": "udp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
rule2 = {
"protocol": "icmp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.2/32"
},
"action": "deny"
}
rules.append(rule1)
rules.append(rule2)
np = self.create_network_policy_with_multiple_rules(rules)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
np_rule2 = np.get_network_policy_entries().get_policy_rule()[1]
np_fqdn = np.get_fq_name_str()
np_rule1_uuid = np_rule1.get_rule_uuid()
np_rule2_uuid = np_rule2.get_rule_uuid()
slo_rule_entries = []
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300))
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(np_rule2_uuid, rate=300))
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
slo_obj.add_network_policy(np, None)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries)
slo_obj.del_network_policy(np)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_policy_in_policy(self):
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn3_name = self.id() + 'vn3'
vn1_obj = VirtualNetwork(vn1_name)
vn2_obj = VirtualNetwork(vn2_name)
np1 = self.create_network_policy(vn1_obj, vn2_obj)
np2 = self.create_network_policy(vn2_obj, vn1_obj)
np1.network_policy_entries.policy_rule[0].dst_addresses[
0].virtual_network = None
np1.network_policy_entries.policy_rule[0].dst_addresses[
0].network_policy = np2.get_fq_name_str()
np1.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np1)
np2.network_policy_entries.policy_rule[0].src_addresses[
0].virtual_network = 'local'
np2.set_network_policy_entries(np1.network_policy_entries)
self._vnc_lib.network_policy_update(np2)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1_obj.set_network_policy(np1, vnp)
vn2_obj.set_network_policy(np2, vnp)
self._vnc_lib.virtual_network_create(vn1_obj)
self._vnc_lib.virtual_network_create(vn2_obj)
self.check_ri_ref_present(self.get_ri_name(vn1_obj),
self.get_ri_name(vn2_obj))
self.check_ri_ref_present(self.get_ri_name(vn2_obj),
self.get_ri_name(vn1_obj))
vn3_obj = VirtualNetwork(vn3_name)
vn3_obj.set_network_policy(np2, vnp)
self._vnc_lib.virtual_network_create(vn3_obj)
self.check_ri_ref_present(self.get_ri_name(vn3_obj),
self.get_ri_name(vn1_obj))
vn3_obj.del_network_policy(np2)
self._vnc_lib.virtual_network_update(vn3_obj)
@retries(5)
def _match_acl_rule():
acl = self._vnc_lib.access_control_list_read(
fq_name=self.get_ri_name(vn1_obj))
for rule in acl.get_access_control_list_entries().get_acl_rule():
if (rule.match_condition.dst_address.virtual_network ==
vn3_obj.get_fq_name_str()):
raise Exception("ACL rule still present")
_match_acl_rule()
vn1_obj.del_network_policy(np1)
vn2_obj.del_network_policy(np2)
self._vnc_lib.virtual_network_update(vn1_obj)
self._vnc_lib.virtual_network_update(vn2_obj)
self.delete_network_policy(np1)
self.delete_network_policy(np2)
self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn3_obj.get_fq_name())
self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_policy_processing_time_optimization_subnet_only(self):
# Create VNs
vn1_name = self.id() + 'vn1'
vn2_name = self.id() + 'vn2'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
vn2 = self.create_virtual_network(vn2_name, "10.2.1.0/24")
# Create policy
rules = []
rule1 = {
"protocol": "icmp",
"direction": "<>",
"src": {
"type": "cidr",
"value": "20.2.1.2/32"
},
"dst": {
"type": "cidr",
"value": "10.2.1.2/32"
},
"action": "deny"
}
rules.append(rule1)
np = self.create_network_policy_with_multiple_rules(rules)
self._vnc_lib.network_policy_update(np)
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
# Attach policy to vn1
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
orignal_vn_eval = config_db.VirtualNetworkST.evaluate
# if we dont sleep now for some time than following mock function gets picked
# for the above vn update
gevent.sleep(3)
# Mock the VirtualNetworkST evaluate function and attach the policy to vn2
# Test fails if vn1 evaluate funcation is hit.
def mock_vn_evaluate(self):
if vn1.get_fq_name_str() == self.name:
self.assertTrue(False,
'Error: Should not have run evaluate of vn1')
orignal_vn_eval()
#end evaluate
config_db.VirtualNetworkST.evaluate = mock_vn_evaluate
vn2.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn2)
# if we dont sleep now for some time than for the above code original vn evaluate gets
# picked up due to the next line
gevent.sleep(3)
config_db.VirtualNetworkST.evaluate = orignal_vn_eval
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.virtual_network_delete(fq_name=vn2.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
self.check_vn_is_deleted(uuid=vn2.uuid)
def _attach_policy(self, policy, *vn_objects):
for vn_obj in vn_objects:
vn_obj.add_network_policy(policy, \
VirtualNetworkPolicyType(sequence=SequenceType(0, 0)))
self._vnc_lib.virtual_network_update(vn_obj)
self._vnc_lib.ref_relax_for_delete(vn_obj.uuid, policy.uuid)
