Пример #1
    def verify_policy_in_api_quantum_server(
            self,
            api_policy_obj,
            quantum_policy_obj):
        '''Cross-check a policy between the API server and quantum data.

        The policy is re-read from the API server (refresh=True) and three
        items are compared, one message being collected per mismatch:
          1> fq_name: api_policy_obj.fq_name vs quantum ['policy']['fq_name']
          2> uuid:    api_policy_obj.uuid vs quantum ['policy']['id']
          3> rules:   the re-read 'network_policy_entries'/'policy_rule'
                      vs quantum ['policy']['entries']['policy_rule']

        Returns {'result': bool, 'msg': list}. On any mismatch 'result' is
        False and 'msg' starts with "<method name>:<policy name>".
        '''
        # Name of this method; used to tag the log line and the error list.
        me = inspect.getframeinfo(inspect.currentframe())[2]
        err_msg = []

        def _record(outcome):
            # compare_args hands back something truthy only when it has a
            # mismatch to report; keep those, drop the rest.
            if outcome:
                err_msg.append(outcome)

        self.logger.info(
            "====Verifying data for %s in API_Server ======" %
            api_policy_obj.fq_name[2])
        self.api_s_policy_obj = self.api_s_inspect.get_cs_policy(
            domain=api_policy_obj.fq_name[0],
            project=api_policy_obj.fq_name[1],
            policy=api_policy_obj.fq_name[2],
            refresh=True)
        self.api_s_policy_obj_x = self.api_s_policy_obj['network-policy']

        # NOTE(review): fq_name and uuid are taken from the caller-supplied
        # api_policy_obj; only the rules come from the refreshed read above.
        _record(policy_test_utils.compare_args(
            'policy_fq_name',
            api_policy_obj.fq_name,
            quantum_policy_obj['policy']['fq_name']))
        _record(policy_test_utils.compare_args(
            'policy_uuid',
            api_policy_obj.uuid,
            quantum_policy_obj['policy']['id']))
        _record(policy_test_utils.compare_args(
            'policy_rules',
            self.api_s_policy_obj_x['network_policy_entries']['policy_rule'],
            quantum_policy_obj['policy']['entries']['policy_rule']))

        result = not err_msg
        if not result:
            # Prefix the mismatch list with where it came from.
            err_msg.insert(0, me + ":" + api_policy_obj.fq_name[2])
        self.logger.info(
            "verification: %s, status: %s message: %s" %
            (me, result, err_msg))
        return {'result': result, 'msg': err_msg}
Пример #2
    def verify_policy_in_control_nodes(self):
        """Compare each control node's view of this policy with quantum.

        For every address in self.inputs.bgp_ips the policy is looked up on
        that control node, its node name is checked for this policy's
        fq_name, and its rules (translated by xlate_cn_rules) are compared
        with the quantum rules in self.policy_obj.

        Returns {'result': bool, 'msg': list}. If a control node has no entry
        for the policy the method returns at once with result False; the
        list returned on that path does not get the
        "<method name>:<policy name>" prefix that the normal path adds.
        """
        # Refresh quantum policy object - self.policy_obj
        self.refresh_quantum_policy_obj()
        me = inspect.getframeinfo(inspect.currentframe())[2]
        err_msg = []
        for cn in self.inputs.bgp_ips:
            # The policy has to exist on this node before anything else.
            cn_policy = self.cn_inspect[cn].get_cn_config_policy(
                domain=self.project_fq_name[0],
                project=self.project_fq_name[1],
                policy=self.policy_name)
            if not cn_policy:
                missing = "IFMAP View of Control-node %s is missing policy %s" % (
                    cn, self.policy_fq_name)
                err_msg.append(missing)
                self.logger.info(missing)
                return {'result': False, 'msg': err_msg}

            self.logger.debug(
                "Control-node %s : Policy object is : %s" % (cn, cn_policy))

            # NOTE(review): this is a containment test. If node_name is a
            # string, any longer name that contains this fq_name also
            # satisfies it - confirm that is acceptable.
            policy_fqn = ':'.join(self.policy_fq_name)
            if policy_fqn not in cn_policy['node_name']:
                err_msg.append(
                    "IFMAP View of Control-node %s is not having the policy detail of %s" % (
                        cn, self.policy_fq_name))

            # An empty obj_info means the policy is not attached to any
            # network, so there are no rules to read.
            if cn_policy['obj_info']:
                raw_rules = cn_policy['obj_info'][0]['data'][
                    'network-policy-entries']
            else:
                raw_rules = []
            # Translate control data into quantum data format for comparison.
            if raw_rules:
                cn_rules = policy_test_utils.xlate_cn_rules(raw_rules)
            else:
                cn_rules = []
            self.logger.info("policy info in control node: %s" % cn_rules)

            qntm_policy_info = self.policy_obj['policy']['entries']['policy_rule']
            self.logger.info("policy info in quantum: %s" % qntm_policy_info)

            diff = policy_test_utils.compare_args(
                'policy_rules', cn_rules, qntm_policy_info,
                exp_name='cn_rules', act_name='quantum_rules')
            if diff:
                err_msg.append(
                    "Rules view in control-node %s is not matching, detailed msg follows %s" % (
                        cn, diff))

        result = not err_msg
        if not result:
            err_msg.insert(0, me + ":" + self.policy_name)
        self.logger.info("verification: %s, status: %s" % (me, result))
        return {'result': result, 'msg': err_msg}
Пример #3
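    def test_policy_protocol_summary(self):
        '''Check that binding a policy with a redundant rule leaves the ACL unchanged.

        policy1 holds one 'any'-protocol pass rule for vn40 <> vn40 and is
        attached when the VN is created. policy2 repeats that rule and adds
        an 'icmp' pass rule for the same networks. The agent ACL of the VN is
        read before and after policy2 is bound next to policy1, and
        compare_args is expected to report no difference between the two
        entry lists.

        Returns True when no difference is reported; otherwise the test
        fails through assertIsNone.
        '''
        proj_name = self.inputs.project_name
        vn1_name = 'vn40'
        vn1_subnets = ['10.1.1.0/24']
        policy1_name = 'policy1'
        policy2_name = 'policy2'

        rules2 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'any',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
        ]
        rules1 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'any',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
        ]
        policy1_fixture = self.useFixture(
            PolicyFixture(policy_name=policy1_name,
                          rules_list=rules1,
                          inputs=self.inputs,
                          connections=self.connections))
        policy2_fixture = self.useFixture(
            PolicyFixture(policy_name=policy2_name,
                          rules_list=rules2,
                          inputs=self.inputs,
                          connections=self.connections))

        vn1_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn1_name,
                      inputs=self.inputs,
                      subnets=vn1_subnets,
                      policy_objs=[policy1_fixture.policy_obj]))
        # assertTrue instead of a bare assert: a bare assert is stripped
        # under "python -O", which would skip the setup check entirely.
        self.assertTrue(vn1_fixture.verify_on_setup(),
                        "VN %s failed verification on setup" % vn1_name)

        vn1_vm1_name = 'vm1'
        vm1_fixture = self.useFixture(
            VMFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_obj=vn1_fixture.obj,
                      vm_name=vn1_vm1_name))
        self.assertTrue(vm1_fixture.verify_on_setup(),
                        "VM %s failed verification on setup" % vn1_vm1_name)

        inspect_h = self.agent_inspect[vm1_fixture.vm_node_ip]
        vn_fq_name = inspect_h.get_vna_vn(domain='default-domain',
                                          project=proj_name,
                                          vn_name=vn1_name)['name']

        # Baseline: ACL with only policy1 attached.
        vna_acl1 = inspect_h.get_vna_acl_by_vn(vn_fq_name)

        # NOTE(review): the return value is discarded. If this helper reports
        # a mismatch through its return value rather than by raising, a
        # failed check goes unnoticed here - confirm and assert on it.
        policy1_fixture.verify_policy_in_api_server()

        # Built unconditionally: the original assigned this list only inside
        # "if vn1_fixture.policy_objs:", so the append below raised NameError
        # whenever the VN reported no policies.
        policy_fq_names = [
            self.quantum_h.get_policy_fq_name(x)
            for x in (vn1_fixture.policy_objs or [])
        ]

        policy_fq_name2 = self.quantum_h.get_policy_fq_name(
            policy2_fixture.policy_obj)
        policy_fq_names.append(policy_fq_name2)
        vn1_fixture.bind_policies(policy_fq_names, vn1_fixture.vn_id)

        # ACL after policy2 (any + icmp) is bound as well.
        vna_acl2 = inspect_h.get_vna_acl_by_vn(vn_fq_name)
        out = policy_test_utils.compare_args('policy_rules',
                                             vna_acl1['entries'],
                                             vna_acl2['entries'])

        if out:
            self.logger.info(
                "policy rules are not matching with expected %s  and actual %s"
                % (vna_acl1['entries'], vna_acl2['entries']))
            # out is truthy here, so this always fails the test.
            self.assertIsNone(out, "policy compare failed")

        return True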
Пример #4
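    def test_policy_protocol_summary(self):
        '''Check that rules already covered by an 'any' rule add no ACL entries.

        policy1 (one 'any'-protocol pass rule, vn40 <> vn40) is attached to
        the VN at creation. policy2 carries the same 'any' rule plus an
        'icmp' pass rule for the same networks. The VN's agent ACL is read
        once with policy1 alone and once after policy2 is bound too, and
        compare_args is expected to report no difference between the two
        entry lists.

        Returns True when no difference is reported; otherwise the test
        fails through assertIsNone.
        '''
        proj_name = self.inputs.project_name
        vn1_name = 'vn40'
        vn1_subnets = ['10.1.1.0/24']
        policy1_name = 'policy1'
        policy2_name = 'policy2'

        rules2 = [
            {
                'direction': '<>', 'simple_action': 'pass',
                'protocol': 'any',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
            {
                'direction': '<>', 'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
        ]
        rules1 = [
            {
                'direction': '<>', 'simple_action': 'pass',
                'protocol': 'any',
                'source_network': vn1_name,
                'dest_network': vn1_name,
            },
        ]
        policy1_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy1_name,
                rules_list=rules1,
                inputs=self.inputs,
                connections=self.connections))
        policy2_fixture = self.useFixture(
            PolicyFixture(
                policy_name=policy2_name,
                rules_list=rules2,
                inputs=self.inputs,
                connections=self.connections))

        vn1_fixture = self.useFixture(
            VNFixture(
                project_name=self.inputs.project_name,
                connections=self.connections,
                vn_name=vn1_name,
                inputs=self.inputs,
                subnets=vn1_subnets,
                policy_objs=[
                    policy1_fixture.policy_obj]))
        # A bare assert is removed under "python -O", which would silently
        # skip the setup check; assertTrue always runs it.
        self.assertTrue(
            vn1_fixture.verify_on_setup(),
            "VN %s failed verification on setup" % vn1_name)

        vn1_vm1_name = 'vm1'
        vm1_fixture = self.useFixture(
            VMFixture(
                project_name=self.inputs.project_name,
                connections=self.connections,
                vn_obj=vn1_fixture.obj,
                vm_name=vn1_vm1_name))
        self.assertTrue(
            vm1_fixture.verify_on_setup(),
            "VM %s failed verification on setup" % vn1_vm1_name)

        inspect_h = self.agent_inspect[vm1_fixture.vm_node_ip]
        vn_fq_name = inspect_h.get_vna_vn(
            domain='default-domain',
            project=proj_name,
            vn_name=vn1_name)['name']

        # ACL as programmed with policy1 only.
        vna_acl1 = inspect_h.get_vna_acl_by_vn(vn_fq_name)

        # NOTE(review): the result of this call is not checked. If the helper
        # signals a mismatch via its return value instead of raising, the
        # failure is lost - confirm and assert on it.
        policy1_fixture.verify_policy_in_api_server()

        # Always bind the name: the original created this list only when
        # vn1_fixture.policy_objs was truthy, leaving the append below to
        # raise NameError otherwise.
        policy_fq_names = [
            self.quantum_h.get_policy_fq_name(x)
            for x in (vn1_fixture.policy_objs or [])]

        policy_fq_name2 = self.quantum_h.get_policy_fq_name(
            policy2_fixture.policy_obj)
        policy_fq_names.append(policy_fq_name2)
        vn1_fixture.bind_policies(policy_fq_names, vn1_fixture.vn_id)

        # ACL after policy2 has been bound in addition to policy1.
        vna_acl2 = inspect_h.get_vna_acl_by_vn(vn_fq_name)
        out = policy_test_utils.compare_args(
            'policy_rules',
            vna_acl1['entries'],
            vna_acl2['entries'])

        if out:
            self.logger.info(
                "policy rules are not matching with expected %s  and actual %s" %
                (vna_acl1['entries'], vna_acl2['entries']))
            # out is truthy on this path, so the assertion always fails.
            self.assertIsNone(out, "policy compare failed")

        return True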