def test_add_and_remove_metering_label_rule_src_and_dest_ip_only(self):
second_uuid = 'e27fe2df-376e-4ac7-ae13-92f050a21f84'
expected_add = [{'status': 'ACTIVE',
'name': 'router1',
'gw_port_id': None,
'admin_state_up': True,
'distributed': False,
'tenant_id': self.tenant_id,
'_metering_labels': [
{'rule': {
'destination_ip_prefix':
net_utils.AuthenticIPNetwork('0.0.0.0/0'),
'source_ip_prefix':
net_utils.AuthenticIPNetwork(
'10.0.0.0/24'),
'remote_ip_prefix': None,
'direction': 'ingress',
'metering_label_id': self.uuid,
'excluded': False,
'id': second_uuid},
'id': self.uuid}],
'id': self.uuid}]
expected_del = [{'status': 'ACTIVE',
'name': 'router1',
'gw_port_id': None,
'admin_state_up': True,
'distributed': False,
'tenant_id': self.tenant_id,
'_metering_labels': [
{'rule': {
'destination_ip_prefix':
net_utils.AuthenticIPNetwork('0.0.0.0/0'),
'source_ip_prefix':
net_utils.AuthenticIPNetwork(
'10.0.0.0/24'),
'remote_ip_prefix': None,
'direction': 'ingress',
'metering_label_id': self.uuid,
'excluded': False,
'id': second_uuid},
'id': self.uuid}],
'id': self.uuid}]
ip_prefixes = {'source_ip_prefix': '10.0.0.0/24',
'destination_ip_prefix': '0.0.0.0/0'}
with self.router(tenant_id=self.tenant_id, set_context=True):
with self.metering_label(tenant_id=self.tenant_id,
set_context=True) as label:
la = label['metering_label']
self.mock_uuid.return_value = second_uuid
with self.metering_label_rule(la['id'],
**ip_prefixes):
self.mock_add_rule.assert_called_with(self.ctx,
expected_add)
self._delete('metering-label-rules', second_uuid)
self.mock_remove_rule.assert_called_with(self.ctx,
expected_del)
def _get_normalized_cidr_from_rule(rule):
normalized_cidr = None
remote_ip_prefix = rule.get('remote_ip_prefix')
if remote_ip_prefix:
normalized_cidr = str(
net.AuthenticIPNetwork(remote_ip_prefix).cidr)
return normalized_cidr
def _save_subnet(self, context, network, subnet_args, dns_nameservers,
host_routes, subnet_request):
network_scope = addr_scope_obj.AddressScope.get_network_address_scope(
context, network.id, subnet_args['ip_version'])
# 'subnetpool' is not necessarily an object
subnetpool = subnet_args.get('subnetpool_id')
if subnetpool and subnetpool != const.IPV6_PD_POOL_ID:
subnetpool = self._get_subnetpool(context, subnetpool)
self._validate_subnet_cidr(context, network, subnet_args['cidr'])
self._validate_network_subnetpools(network, subnet_args['ip_version'],
subnetpool, network_scope)
service_types = subnet_args.pop('service_types', [])
segment_id = subnet_args.get('segment_id')
if segment_id:
# TODO(slaweq): integrate check if segment exists in
# self._validate_segment() method
if not network_obj.NetworkSegment.get_object(context,
id=segment_id):
raise segment_exc.SegmentNotFound(segment_id=segment_id)
subnet = subnet_obj.Subnet(context, **subnet_args)
subnet.create()
# TODO(slaweq): when check is segment exists will be integrated in
# self._validate_segment() method, it should be moved to be done before
# subnet object is created
self._validate_segment(context, network['id'], segment_id)
# NOTE(changzhi) Store DNS nameservers with order into DB one
# by one when create subnet with DNS nameservers
if validators.is_attr_set(dns_nameservers):
for order, server in enumerate(dns_nameservers):
dns = subnet_obj.DNSNameServer(context,
address=server,
order=order,
subnet_id=subnet.id)
dns.create()
if validators.is_attr_set(host_routes):
for rt in host_routes:
route = subnet_obj.Route(
context,
subnet_id=subnet.id,
destination=net_utils.AuthenticIPNetwork(
rt['destination']),
nexthop=netaddr.IPAddress(rt['nexthop']))
route.create()
if validators.is_attr_set(service_types):
for service_type in service_types:
service_type_obj = subnet_obj.SubnetServiceType(
context, subnet_id=subnet.id, service_type=service_type)
service_type_obj.create()
self.save_allocation_pools(context, subnet,
subnet_request.allocation_pools)
return subnet_obj.Subnet.get_object(context, id=subnet.id)
def _create_security_group_rule(self,
context,
security_group_rule,
validate=True):
if validate:
sg_id = self._validate_security_group_rule(context,
security_group_rule)
rule_dict = security_group_rule['security_group_rule']
remote_ip_prefix = rule_dict.get('remote_ip_prefix')
if remote_ip_prefix:
remote_ip_prefix = net.AuthenticIPNetwork(remote_ip_prefix)
protocol = rule_dict.get('protocol')
if protocol:
# object expects strings only
protocol = six.text_type(protocol)
args = {
'id': (rule_dict.get('id') or uuidutils.generate_uuid()),
'project_id': rule_dict['tenant_id'],
'security_group_id': rule_dict['security_group_id'],
'direction': rule_dict['direction'],
'remote_group_id': rule_dict.get('remote_group_id'),
'ethertype': rule_dict['ethertype'],
'protocol': protocol,
'remote_ip_prefix': remote_ip_prefix,
'description': rule_dict.get('description'),
}
port_range_min = self._safe_int(rule_dict['port_range_min'])
if port_range_min is not None:
args['port_range_min'] = port_range_min
port_range_max = self._safe_int(rule_dict['port_range_max'])
if port_range_max is not None:
args['port_range_max'] = port_range_max
kwargs = {'context': context, 'security_group_rule': args}
self._registry_notify(resources.SECURITY_GROUP_RULE,
events.BEFORE_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
**kwargs)
with db_api.CONTEXT_WRITER.using(context):
if validate:
self._check_for_duplicate_rules(context, sg_id,
[security_group_rule])
sg_rule = sg_obj.SecurityGroupRule(context, **args)
sg_rule.create()
# fetch sg_rule from db to load the sg rules with sg model
# otherwise a DetachedInstanceError can occur for model extensions
sg_rule = sg_obj.SecurityGroupRule.get_object(context,
id=sg_rule.id)
res_rule_dict = self._make_security_group_rule_dict(sg_rule.db_obj)
kwargs['security_group_rule'] = res_rule_dict
self._registry_notify(resources.SECURITY_GROUP_RULE,
events.PRECOMMIT_CREATE,
exc_cls=ext_sg.SecurityGroupConflict,
**kwargs)
return res_rule_dict
def modify_fields_from_db(cls, db_obj):
fields = super(BGPVPNPortAssociationRoute,
cls).modify_fields_from_db(db_obj)
if 'prefix' in fields and fields['prefix'] is not None:
fields['prefix'] = net_utils.AuthenticIPNetwork(fields['prefix'])
return fields
def _update_subnet_host_routes(self, context, id, s):
def _combine(ht):
return "{}_{}".format(ht['destination'], ht['nexthop'])
old_route_list = self._get_route_by_subnet(context, id)
new_route_set = set([_combine(route) for route in s['host_routes']])
old_route_set = set([_combine(route) for route in old_route_list])
for route_str in old_route_set - new_route_set:
for route in old_route_list:
if _combine(route) == route_str:
route.delete()
for route_str in new_route_set - old_route_set:
route = subnet_obj.Route(context,
destination=net_utils.AuthenticIPNetwork(
route_str.partition("_")[0]),
nexthop=netaddr.IPAddress(
route_str.partition("_")[2]),
subnet_id=id)
route.create()
# Gather host routes for result
new_routes = []
for route_str in new_route_set:
new_routes.append({
'destination': route_str.partition("_")[0],
'nexthop': route_str.partition("_")[2]
})
del s["host_routes"]
return new_routes
def _process_create_allowed_address_pairs(self, context, port,
allowed_address_pairs):
if not validators.is_attr_set(allowed_address_pairs):
return []
try:
with db_api.CONTEXT_WRITER.using(context):
for address_pair in allowed_address_pairs:
# use port.mac_address if no mac address in address pair
if 'mac_address' not in address_pair:
address_pair['mac_address'] = port['mac_address']
# retain string format as passed through API
mac_address = net_utils.AuthenticEUI(
address_pair['mac_address'])
ip_address = net_utils.AuthenticIPNetwork(
address_pair['ip_address'])
pair_obj = obj_addr_pair.AllowedAddressPair(
context,
port_id=port['id'],
mac_address=mac_address,
ip_address=ip_address)
pair_obj.create()
except exceptions.NeutronDbObjectDuplicateEntry:
raise addr_exc.DuplicateAddressPairInRequest(
mac_address=address_pair['mac_address'],
ip_address=address_pair['ip_address'])
return allowed_address_pairs
def modify_fields_from_db(cls, db_obj):
# TODO(korzen) remove this method when IP and CIDR decorator ready
result = super(Subnet, cls).modify_fields_from_db(db_obj)
if 'cidr' in result:
result['cidr'] = net_utils.AuthenticIPNetwork(result['cidr'])
if 'gateway_ip' in result and result['gateway_ip'] is not None:
result['gateway_ip'] = netaddr.IPAddress(result['gateway_ip'])
return result
def _subnet_dict(gw_mac=None):
return {
'id': mock.ANY,
'ip_version': 4,
'gateway_mac': gw_mac,
'cidr': net_utils.AuthenticIPNetwork(CIDR),
'gateway_ip': netaddr.IPAddress(GW_IP)
}
def modify_fields_from_db(cls, db_obj):
result = super(RouterRoute, cls).modify_fields_from_db(db_obj)
if 'destination' in result:
result['destination'] = net_utils.AuthenticIPNetwork(
result['destination'])
if 'nexthop' in result:
result['nexthop'] = netaddr.IPAddress(result['nexthop'])
return result
def modify_fields_from_db(cls, db_obj):
# TODO(korzen) remove this method when IP and CIDR decorator ready
result = super(Route, cls).modify_fields_from_db(db_obj)
if 'destination' in result:
result['destination'] = net_utils.AuthenticIPNetwork(
result['destination'])
if 'nexthop' in result:
result['nexthop'] = netaddr.IPAddress(result['nexthop'])
return result
def modify_fields_from_db(cls, db_obj):
fields = super(AllowedAddressPair, cls).modify_fields_from_db(db_obj)
if 'ip_address' in fields:
# retain string format as stored in the database
fields['ip_address'] = net_utils.AuthenticIPNetwork(
fields['ip_address'])
if 'mac_address' in fields:
# retain string format as stored in the database
fields['mac_address'] = net_utils.AuthenticEUI(
fields['mac_address'])
return fields
def _load_normalized_cidr(self, db_obj=None):
db_obj = db_obj or SecurityGroupRule.get_object(self.obj_context,
id=self.id)
if not db_obj:
return
cidr = None
if db_obj.remote_ip_prefix:
cidr = net_utils.AuthenticIPNetwork(db_obj.remote_ip_prefix).cidr
setattr(self, 'normalized_cidr', cidr)
self.obj_reset_changes(['normalized_cidr'])
def _update_extra_routes(self, context, router, routes):
self._validate_routes(context, router['id'], routes)
old_routes = self._get_extra_routes_by_router_id(context, router['id'])
added, removed = helpers.diff_list_of_dict(old_routes, routes)
LOG.debug('Added routes are %s', added)
for route in added:
l3_obj.RouterRoute(
context,
router_id=router['id'],
destination=net_utils.AuthenticIPNetwork(route['destination']),
nexthop=netaddr.IPAddress(route['nexthop'])).create()
LOG.debug('Removed routes are %s', removed)
for route in removed:
l3_obj.RouterRoute.get_object(context,
router_id=router['id'],
destination=route['destination'],
nexthop=route['nexthop']).delete()
return added, removed
def create_one_security_group_rule(attrs=None):
"""Create a fake security group rule.
:param Dictionary attrs:
A dictionary with all attributes
:return:
A FakeResource object faking the security group rule
"""
attrs = attrs or {}
# Set default attributes.
fake_uuid = uuidutils.generate_uuid()
security_group_rule_attrs = {
'direction': 'ingress',
'ethertype': 'IPv4',
'id': 'security-group-rule-id-' + fake_uuid,
'port_range_max': 22,
'port_range_min': 22,
'protocol': 'tcp',
'remote_group_id': None,
'remote_ip_prefix': '0.0.0.0/0',
'normalized_cidr': '0.0.0.0/0',
'security_group_id': 'security-group-id-' + fake_uuid,
'tenant_id': 'project-id-' + fake_uuid,
}
# Overwrite default attributes.
security_group_rule_attrs.update(attrs)
if ('remote_ip_prefix' in attrs and 'normalized_cidr' not in attrs):
if attrs['remote_ip_prefix'] is None:
security_group_rule_attrs['normalized_cidr'] = None
else:
security_group_rule_attrs['normalized_cidr'] = (
net.AuthenticIPNetwork(attrs['remote_ip_prefix']))
return FakeResource(info=copy.deepcopy(security_group_rule_attrs),
loaded=True)
def setUp(self):
super(TestL3GwModeMixin, self).setUp()
plugin = __name__ + '.' + TestDbIntPlugin.__name__
self.setup_coreplugin(plugin)
self.target_object = TestDbIntPlugin()
# Patch the context
ctx_patcher = mock.patch('neutron_lib.context', autospec=True)
mock_context = ctx_patcher.start()
self.context = mock_context.get_admin_context()
# This ensure also calls to elevated work in unit tests
self.context.elevated.return_value = self.context
self.context.session = db_api.get_writer_session()
# Create sample data for tests
self.ext_net_id = _uuid()
self.int_net_id = _uuid()
self.int_sub_id = _uuid()
self.tenant_id = 'the_tenant'
self.network = net_obj.Network(
self.context,
id=self.ext_net_id,
project_id=self.tenant_id,
admin_state_up=True,
status=constants.NET_STATUS_ACTIVE)
self.net_ext = net_obj.ExternalNetwork(
self.context, network_id=self.ext_net_id)
self.network.create()
self.net_ext.create()
self.router = l3_models.Router(
id=_uuid(),
name=None,
tenant_id=self.tenant_id,
admin_state_up=True,
status=constants.NET_STATUS_ACTIVE,
enable_snat=True,
gw_port_id=None)
self.context.session.add(self.router)
self.context.session.flush()
self.router_gw_port = port_obj.Port(
self.context,
id=FAKE_GW_PORT_ID,
project_id=self.tenant_id,
device_id=self.router.id,
device_owner=l3_db.DEVICE_OWNER_ROUTER_GW,
admin_state_up=True,
status=constants.PORT_STATUS_ACTIVE,
mac_address=netaddr.EUI(FAKE_GW_PORT_MAC),
network_id=self.ext_net_id)
self.router_gw_port.create()
self.router.gw_port_id = self.router_gw_port.id
self.context.session.add(self.router)
self.context.session.flush()
self.fip_ext_port = port_obj.Port(
self.context,
id=FAKE_FIP_EXT_PORT_ID,
project_id=self.tenant_id,
admin_state_up=True,
device_id=self.router.id,
device_owner=l3_db.DEVICE_OWNER_FLOATINGIP,
status=constants.PORT_STATUS_ACTIVE,
mac_address=netaddr.EUI(FAKE_FIP_EXT_PORT_MAC),
network_id=self.ext_net_id)
self.fip_ext_port.create()
self.context.session.flush()
self.int_net = net_obj.Network(
self.context,
id=self.int_net_id,
project_id=self.tenant_id,
admin_state_up=True,
status=constants.NET_STATUS_ACTIVE)
self.int_sub = subnet_obj.Subnet(self.context,
id=self.int_sub_id,
project_id=self.tenant_id,
ip_version=constants.IP_VERSION_4,
cidr=net_utils.AuthenticIPNetwork('3.3.3.0/24'),
gateway_ip=netaddr.IPAddress('3.3.3.1'),
network_id=self.int_net_id)
self.router_port = port_obj.Port(
self.context,
id=FAKE_ROUTER_PORT_ID,
project_id=self.tenant_id,
admin_state_up=True,
device_id=self.router.id,
device_owner=l3_db.DEVICE_OWNER_ROUTER_INTF,
status=constants.PORT_STATUS_ACTIVE,
mac_address=netaddr.EUI(FAKE_ROUTER_PORT_MAC),
network_id=self.int_net_id)
self.router_port_ip_info = port_obj.IPAllocation(self.context,
port_id=self.router_port.id,
network_id=self.int_net.id,
subnet_id=self.int_sub_id,
ip_address='3.3.3.1')
self.int_net.create()
self.int_sub.create()
self.router_port.create()
self.router_port_ip_info.create()
self.context.session.flush()
self.fip_int_port = port_obj.Port(
self.context,
id=FAKE_FIP_INT_PORT_ID,
project_id=self.tenant_id,
admin_state_up=True,
device_id='something',
device_owner=constants.DEVICE_OWNER_COMPUTE_PREFIX + 'nova',
status=constants.PORT_STATUS_ACTIVE,
mac_address=netaddr.EUI(FAKE_FIP_INT_PORT_MAC),
network_id=self.int_net_id)
self.fip_int_ip_info = port_obj.IPAllocation(self.context,
port_id=self.fip_int_port.id,
network_id=self.int_net.id,
subnet_id=self.int_sub_id,
ip_address='3.3.3.3')
self.fip = l3_obj.FloatingIP(
self.context,
id=_uuid(),
floating_ip_address=netaddr.IPAddress('1.1.1.2'),
floating_network_id=self.ext_net_id,
floating_port_id=FAKE_FIP_EXT_PORT_ID,
fixed_port_id=None,
fixed_ip_address=None,
router_id=None)
self.fip_int_port.create()
self.fip_int_ip_info.create()
self.fip.create()
self.context.session.flush()
self.context.session.expire_all()
self.fip_request = {'port_id': FAKE_FIP_INT_PORT_ID,
'tenant_id': self.tenant_id}
subnet_id='daed3c3d-d95a-48a8-a8b1-17d408cd760f')
],
'subnet_id':
'daed3c3d-d95a-48a8-a8b1-17d408cd760f',
'dns_nameservers': [
subnet_obj.DNSNameServer(
address='8.8.8.8',
order=0,
subnet_id='daed3c3d-d95a-48a8-a8b1-17d408cd760f'),
subnet_obj.DNSNameServer(
address='8.8.4.4',
order=1,
subnet_id='daed3c3d-d95a-48a8-a8b1-17d408cd760f')
],
'cidr':
net_utils.AuthenticIPNetwork('192.168.111.0/24'),
'ip_address':
'192.168.111.45',
'gateway_ip':
netaddr.IPAddress('192.168.111.1')
}, {
'version': 6,
'host_routes': [],
'subnet_id': 'bd013460-b05f-4927-a4c6-5127584b2487',
'dns_nameservers': [],
'cidr': net_utils.AuthenticIPNetwork('fda7:a5cc:3460:1::/64'),
'ip_address': 'fda7:a5cc:3460:1::bf',
'gateway_ip': netaddr.IPAddress('fda7:a5cc:3460:1::1')
}],
'mac_address':
'00:01:02:03:04:05',
def modify_fields_from_db(cls, db_obj):
fields = super(SecurityGroupRule, cls).modify_fields_from_db(db_obj)
if 'remote_ip_prefix' in fields:
fields['remote_ip_prefix'] = (net_utils.AuthenticIPNetwork(
fields['remote_ip_prefix']))
return fields
def modify_fields_from_db(cls, db_obj):
result = super(MeteringLabelRule, cls).modify_fields_from_db(db_obj)
if 'remote_ip_prefix' in result:
result['remote_ip_prefix'] = net_utils.AuthenticIPNetwork(
result['remote_ip_prefix'])
return result
def ip_field_from_db(cls, result, attribute_name):
if attribute_name in result:
result[attribute_name] = net_utils.AuthenticIPNetwork(
result[attribute_name])
def from_primitive(obj, attr, value):
try:
return net_utils.AuthenticIPNetwork(value)
except Exception:
msg = _("Field value %s is not a netaddr.IPNetwork") % value
raise ValueError(msg)
def test_get_sg_log_info_for_port_added_event(self):
with self.network() as network, \
self.subnet(network), \
self.security_group() as sg:
sg_id = sg['security_group']['id']
tenant_id = sg['security_group']['tenant_id']
rule1 = self._build_security_group_rule(
sg_id,
'ingress', const.PROTO_NAME_TCP, '11', '13',
remote_ip_prefix='10.0.0.1',
)
rule2 = self._build_security_group_rule(
sg_id,
'egress', const.PROTO_NAME_ICMP,
)
rules = {
'security_group_rules': [rule1['security_group_rule'],
rule2['security_group_rule']]}
self._create_security_group_rule(self.fmt, rules)
res = self._create_port(
self.fmt, network['network']['id'],
security_groups=[sg_id],
tenant_id=tenant_id
)
ports_rest = self.deserialize(self.fmt, res)
port_id = ports_rest['port']['id']
log = _create_log(tenant_id=tenant_id)
with mock.patch.object(
log_object.Log, 'get_objects', return_value=[log]):
with mock.patch.object(
server_rpc,
'get_rpc_method',
return_value=server_rpc.get_sg_log_info_for_port
):
with mock.patch.object(
validators,
'validate_log_type_for_port',
return_value=True):
ports_log = (
self.rpc_callback.get_sg_log_info_for_port(
self.context,
resource_type=log_const.SECURITY_GROUP,
port_id=port_id)
)
expected = [{
'event': log.event,
'id': log.id,
'ports_log': [{
'port_id': port_id,
'security_group_rules': [
{'direction': 'egress',
'ethertype': u'IPv4',
'security_group_id': sg_id},
{'direction': 'egress',
'ethertype': u'IPv6',
'security_group_id': sg_id},
{'direction': 'ingress',
'ethertype': u'IPv4',
'port_range_max': 13,
'port_range_min': 11,
'protocol': u'tcp',
'source_ip_prefix':
net_utils.AuthenticIPNetwork(
'10.0.0.1/32'),
'security_group_id': sg_id},
{'direction': 'egress',
'ethertype': u'IPv4',
'protocol': u'icmp',
'security_group_id': sg_id}]
}],
'project_id': tenant_id
}]
self.assertEqual(expected, ports_log)
self._delete('ports', port_id)