def _associate_security_groups(vmi_obj, proj_obj, ns): sg_name = "-".join([vnc_kube_config.cluster_name(), ns, 'default']) sg_obj = SecurityGroup(sg_name, proj_obj) vmi_obj.add_security_group(sg_obj) ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns, 'sg']) sg_obj = SecurityGroup(ns_sg_name, proj_obj) vmi_obj.add_security_group(sg_obj) return
def _update_security_groups(self, ns_name, proj_obj): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: if ':' not in sg: sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg else: sg_fq_name = sg addr = AddressType(security_group=sg_fq_name) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule # create default security group sg_name = vnc_kube_config.get_default_sg_name(ns_name) DEFAULT_SECGROUP_DESCRIPTION = "Default security group" id_perms = IdPermsType(enable=True, description=DEFAULT_SECGROUP_DESCRIPTION) rules = [] ingress = True egress = True if ingress: rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4')) rules.append(_get_rule(True, None, '::', 'IPv6')) if egress: rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4')) rules.append(_get_rule(False, None, '::', 'IPv6')) sg_rules = PolicyEntriesType(rules) sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj, id_perms=id_perms, security_group_entries=sg_rules) SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name, name=sg_obj.name, k8s_type=self._k8s_event_type) try: self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) except RefsExistError: self._vnc_lib.security_group_update(sg_obj) sg = SecurityGroupKM.locate(sg_obj.get_uuid()) return sg
def test_create_sg_with_configured_id_is_limited(self): sg_obj = SecurityGroup('%s-sg' % self.id()) sg_obj.set_configured_security_group_id(8000000) with ExpectedException(BadRequest): self.api.security_group_create(sg_obj) sg_obj.set_configured_security_group_id(-1) with ExpectedException(BadRequest): self.api.security_group_create(sg_obj)
def test_update_sg_with_configured_id(self): mock_zk = self._api_server._db_conn._zk_db sg_obj = SecurityGroup('%s-sg' % self.id()) self.api.security_group_create(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) allocated_sg_id = sg_obj.security_group_id configured_sg_id = sg_obj.configured_security_group_id self.assertEqual(sg_obj.get_fq_name_str(), mock_zk.get_sg_from_id(allocated_sg_id)) self.assertEqual(configured_sg_id, 0) sg_obj.set_configured_security_group_id(42) self.api.security_group_update(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_id = sg_obj.security_group_id configured_sg_id = sg_obj.configured_security_group_id self.assertEqual(sg_id, 42) self.assertEqual(configured_sg_id, 42) self.assertNotEqual(mock_zk.get_sg_from_id(sg_id), sg_obj.get_fq_name_str()) sg_obj.set_configured_security_group_id(0) self.api.security_group_update(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) allocated_sg_id = sg_obj.security_group_id configured_sg_id = sg_obj.configured_security_group_id self.assertEqual(sg_obj.get_fq_name_str(), mock_zk.get_sg_from_id(allocated_sg_id)) self.assertEqual(configured_sg_id, 0)
def test_deallocate_sg_id(self): mock_zk = self._api_server._db_conn._zk_db sg_obj = SecurityGroup('%s-sg' % self.id()) self.api.security_group_create(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_id = sg_obj.security_group_id self.api.security_group_delete(id=sg_obj.uuid) self.assertNotEqual(mock_zk.get_sg_from_id(sg_id), sg_obj.get_fq_name_str())
def test_allocate_sg_id(self): mock_zk = self._api_server._db_conn._zk_db sg_obj = SecurityGroup('%s-sg' % self.id()) self.api.security_group_create(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_id = sg_obj.security_group_id self.assertEqual(sg_obj.get_fq_name_str(), mock_zk.get_sg_from_id(sg_id)) self.assertGreaterEqual(sg_id, SGID_MIN_ALLOC)
def test_cannot_update_sg_id(self): sg_obj = SecurityGroup('%s-sg' % self.id()) self.api.security_group_create(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_obj.set_security_group_id(8000042) with ExpectedException(PermissionDenied): self.api.security_group_update(sg_obj) # test can update with same value, needed internally # TODO(ethuleau): not sure why it's needed sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_obj.set_security_group_id(sg_obj.security_group_id) self.api.security_group_update(sg_obj)
def test_create_sg_with_configured_id(self): mock_zk = self._api_server._db_conn._zk_db sg_obj = SecurityGroup('%s-sg' % self.id()) sg_obj.set_configured_security_group_id(42) self.api.security_group_create(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_id = sg_obj.security_group_id configured_sg_id = sg_obj.configured_security_group_id self.assertEqual(sg_id, 42) self.assertEqual(configured_sg_id, 42) self.assertNotEqual(mock_zk.get_sg_from_id(sg_id), sg_obj.get_fq_name_str())
def _create_virtual_interface(self, project, lb_id, subnet_id, network_id, ip_address): iip_obj = InstanceIp(name=lb_id) if subnet_id and subnet_id != ATTR_NOT_SPECIFIED: network_id = utils.get_subnet_network_id(self._api, subnet_id) vnet = utils.get_vnet_obj(self._api, network_id) iip_obj.set_subnet_uuid(subnet_id) elif network_id and network_id != ATTR_NOT_SPECIFIED: vnet = utils.get_vnet_obj(self._api, network_id) else: msg = 'vip-network-id or vip-subnet-id should be specified' raise BadRequest(resource='loadbalancer', msg=msg) vmi = VirtualMachineInterface(lb_id, project) vmi.set_virtual_network(vnet) vmi.set_virtual_machine_interface_device_owner( DEVICE_OWNER_LOADBALANCER) sg_obj = SecurityGroup("default", project) vmi.add_security_group(sg_obj) self._api.virtual_machine_interface_create(vmi) iip_obj.set_virtual_network(vnet) iip_obj.set_virtual_machine_interface(vmi) if ip_address and ip_address != ATTR_NOT_SPECIFIED: iip_obj.set_instance_ip_address(ip_address) self._api.instance_ip_create(iip_obj) iip = self._api.instance_ip_read(id=iip_obj.uuid) vip_address = iip.get_instance_ip_address() vip_subnet_id = iip.get_subnet_uuid() return vmi, vip_address, vip_subnet_id
def _create_virtual_interface(self, project, vip_id, subnet_id, ip_address): network_id = utils.get_subnet_network_id(self._api, subnet_id) try: vnet = self._api.virtual_network_read(id=network_id) except NoIdError: raise n_exc.NetworkNotFound(net_id=network_id) vmi = VirtualMachineInterface(vip_id, project) vmi.set_virtual_network(vnet) sg_obj = SecurityGroup("default", project) vmi.add_security_group(sg_obj) self._api.virtual_machine_interface_create(vmi) fq_name = list(project.get_fq_name()) fq_name.append(vip_id) iip_obj = InstanceIp(fq_name=fq_name) iip_obj.set_virtual_network(vnet) iip_obj.set_virtual_machine_interface(vmi) if ip_address and ip_address != attributes.ATTR_NOT_SPECIFIED: iip_obj.set_instance_ip_address(ip_address) self._api.instance_ip_create(fq_name) return vmi
def _create_virtual_interface(self, project, lb_id, subnet_id, ip_address): network_id = utils.get_subnet_network_id(self._api, subnet_id) try: vnet = self._api.virtual_network_read(id=network_id) except NoIdError: raise n_exc.NetworkNotFound(net_id=network_id) vmi = VirtualMachineInterface(lb_id, project) vmi.set_virtual_network(vnet) vmi.set_virtual_machine_interface_device_owner(n_constants.DEVICE_OWNER_LOADBALANCER) sg_obj = SecurityGroup("default", project) vmi.add_security_group(sg_obj) self._api.virtual_machine_interface_create(vmi) iip_obj = InstanceIp(name=lb_id) iip_obj.set_virtual_network(vnet) iip_obj.set_virtual_machine_interface(vmi) if ip_address and ip_address != attributes.ATTR_NOT_SPECIFIED: iip_obj.set_instance_ip_address(ip_address) self._api.instance_ip_create(iip_obj) iip = self._api.instance_ip_read(id=iip_obj.uuid) vip_address = iip.get_instance_ip_address() return vmi, vip_address
def create_security_group(self, proj_obj): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: addr = AddressType(security_group=proj_obj.get_fq_name_str() + ':' + sg) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule rules = [] rules.append(_get_rule(True, 'default', None, 'IPv4')) rules.append(_get_rule(True, 'default', None, 'IPv6')) sg_rules = PolicyEntriesType(rules) # create security group id_perms = IdPermsType( enable=True, description=KMTestCase.DEFAULT_SECGROUP_DESCRIPTION) sg_obj = SecurityGroup(name='default', parent_obj=proj_obj, id_perms=id_perms, security_group_entries=sg_rules) self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) return sg_obj
def create_security_group(self, proj_obj): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: addr = AddressType( security_group=proj_obj.get_fq_name_str() + ':' + sg) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule rules = [] rules.append(_get_rule(True, 'default', None, 'IPv4')) rules.append(_get_rule(True, 'default', None, 'IPv6')) sg_rules = PolicyEntriesType(rules) # create security group id_perms = IdPermsType( enable=True, description=KMTestCase.DEFAULT_SECGROUP_DESCRIPTION) sg_obj = SecurityGroup(name='default', parent_obj=proj_obj, id_perms=id_perms, security_group_entries=sg_rules) self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) return sg_obj
def test_security_group_rule_list_per_security_group(self): sg1 = SecurityGroup('sg1-%s' % self.id(), parent_obj=self.project) sgr1_id = str(uuid.uuid4()) rule = PolicyRuleType( rule_uuid=sgr1_id, protocol='any', src_addresses=[AddressType(security_group='local')], dst_addresses=[AddressType(security_group='local')], ) sg1.set_security_group_entries(PolicyEntriesType([rule])) self._vnc_lib.security_group_create(sg1) sg2 = SecurityGroup('sg2-%s' % self.id(), parent_obj=self.project) sgr2_id = str(uuid.uuid4()) rule = PolicyRuleType( rule_uuid=sgr2_id, protocol='any', src_addresses=[AddressType(security_group='local')], dst_addresses=[AddressType(security_group='local')], ) sg2.set_security_group_entries(PolicyEntriesType([rule])) self._vnc_lib.security_group_create(sg2) list_result = self.list_resource( 'security_group_rule', self.project_id, req_filters={ 'security_group_id': [sg1.uuid], }, ) self.assertEqual(set([sgr1_id]), {sgr['id'] for sgr in list_result}) list_result = self.list_resource( 'security_group_rule', self.project_id, req_filters={ 'security_group_id': [sg1.uuid, sg2.uuid], }, ) self.assertEqual(set([sgr1_id, sgr2_id]), {sgr['id'] for sgr in list_result}) list_result = self.list_resource('security_group_rule', self.project_id) self.assertTrue( set([sgr1_id, sgr2_id]).issubset({sgr['id'] for sgr in list_result}))
def test_not_deallocate_sg_id_if_fq_name_does_not_correspond(self): mock_zk = self._api_server._db_conn._zk_db sg_obj = SecurityGroup('%s-sg' % self.id()) self.api.security_group_create(sg_obj) sg_obj = self.api.security_group_read(id=sg_obj.uuid) sg_id = sg_obj.security_group_id fake_fq_name = "fake fq_name" mock_zk._sg_id_allocator.delete(sg_id - SGID_MIN_ALLOC) mock_zk._sg_id_allocator.reserve(sg_id - SGID_MIN_ALLOC, fake_fq_name) self.api.security_group_delete(id=sg_obj.uuid) self.assertIsNotNone(mock_zk.get_sg_from_id(sg_id)) self.assertEqual(fake_fq_name, mock_zk.get_sg_from_id(sg_id))
def test_singleton_no_rule_sg(self): try: no_rule_sg = self.api.security_group_read(SG_NO_RULE_FQ_NAME) except NoIdError: self.fail("Cannot read singleton security '%s' for OpenStack" % ':'.join(SG_NO_RULE_FQ_NAME)) sg_obj = SecurityGroup(name=SG_NO_RULE_FQ_NAME[-1]) self._api_server.create_singleton_entry(sg_obj) try: no_rule_sg_2 = self.api.security_group_read(SG_NO_RULE_FQ_NAME) except NoIdError: self.fail("Cannot read singleton security '%s' for OpenStack" % ':'.join(SG_NO_RULE_FQ_NAME)) self.assertEqual(no_rule_sg.security_group_id, no_rule_sg_2.security_group_id)
def test_security_group_rule_list_per_security_group(self): sg1 = SecurityGroup('sg1-%s' % self.id(), parent_obj=self.project) sgr1_id = str(uuid.uuid4()) rule = PolicyRuleType( rule_uuid=sgr1_id, protocol='any', src_addresses=[AddressType(security_group='local')], dst_addresses=[AddressType(security_group='local')], ) sg1.set_security_group_entries(PolicyEntriesType([rule])) self._vnc_lib.security_group_create(sg1) sg2 = SecurityGroup('sg2-%s' % self.id(), parent_obj=self.project) sgr2_id = str(uuid.uuid4()) rule = PolicyRuleType( rule_uuid=sgr2_id, protocol='any', src_addresses=[AddressType(security_group='local')], dst_addresses=[AddressType(security_group='local')], ) sg2.set_security_group_entries(PolicyEntriesType([rule])) self._vnc_lib.security_group_create(sg2) list_result = self.list_resource( 'security_group_rule', self.project_id, req_filters={ 'security_group_id': [sg1.uuid], }, ) self.assertEqual(set([sgr1_id]), {sgr['id'] for sgr in list_result}) list_result = self.list_resource( 'security_group_rule', self.project_id, req_filters={ 'security_group_id': [sg1.uuid, sg2.uuid], }, ) self.assertEqual(set([sgr1_id, sgr2_id]), {sgr['id'] for sgr in list_result}) list_result = self.list_resource('security_group_rule', self.project_id) self.assertTrue(set([sgr1_id, sgr2_id]).issubset( {sgr['id'] for sgr in list_result}))
def test_cannot_set_sg_id(self): sg_obj = SecurityGroup('%s-sg' % self.id()) sg_obj.set_security_group_id(8000042) with ExpectedException(PermissionDenied): self.api.security_group_create(sg_obj)
def _update_security_groups(self, ns_name, proj_obj, network_policy): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: addr = AddressType( security_group=proj_obj.get_fq_name_str() + ':' + sg) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule sg_dict = {} # create default security group sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'default']) DEFAULT_SECGROUP_DESCRIPTION = "Default security group" id_perms = IdPermsType(enable=True, description=DEFAULT_SECGROUP_DESCRIPTION) rules = [] ingress = True egress = True if network_policy and 'ingress' in network_policy: ingress_policy = network_policy['ingress'] if ingress_policy and 'isolation' in ingress_policy: isolation = ingress_policy['isolation'] if isolation == 'DefaultDeny': ingress = False if ingress: if self._is_service_isolated(ns_name): rules.append(_get_rule(True, sg_name, None, 'IPv4')) rules.append(_get_rule(True, sg_name, None, 'IPv6')) else: rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4')) rules.append(_get_rule(True, None, '::', 'IPv6')) if egress: rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4')) rules.append(_get_rule(False, None, '::', 'IPv6')) sg_rules = PolicyEntriesType(rules) sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj, id_perms=id_perms, security_group_entries=sg_rules) SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name, name=sg_obj.name, k8s_type=self._k8s_event_type) try: self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) except RefsExistError: self._vnc_lib.security_group_update(sg_obj) sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name) sg_uuid = sg_obj.get_uuid() SecurityGroupKM.locate(sg_uuid) sg_dict[sg_name] = sg_uuid # create namespace security group ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg']) NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group" id_perms = IdPermsType(enable=True, description=NAMESPACE_SECGROUP_DESCRIPTION) sg_obj = SecurityGroup(name=ns_sg_name, parent_obj=proj_obj, id_perms=id_perms, security_group_entries=None) SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name, name=sg_obj.name, k8s_type=self._k8s_event_type) try: self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) except RefsExistError: pass sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name) sg_uuid = sg_obj.get_uuid() SecurityGroupKM.locate(sg_uuid) sg_dict[ns_sg_name] = sg_uuid return sg_dict
def _update_security_groups(self, ns_name, proj_obj, network_policy): def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: if ':' not in sg: sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg else: sg_fq_name = sg addr = AddressType(security_group=sg_fq_name) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule sg_dict = {} # create default security group sg_name = "-".join( [vnc_kube_config.cluster_name(), ns_name, 'default']) DEFAULT_SECGROUP_DESCRIPTION = "Default security group" id_perms = IdPermsType(enable=True, description=DEFAULT_SECGROUP_DESCRIPTION) rules = [] ingress = True egress = True if network_policy and 'ingress' in network_policy: ingress_policy = network_policy['ingress'] if ingress_policy and 'isolation' in ingress_policy: isolation = ingress_policy['isolation'] if isolation == 'DefaultDeny': ingress = False if ingress: rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4')) rules.append(_get_rule(True, None, '::', 'IPv6')) if egress: rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4')) rules.append(_get_rule(False, None, '::', 'IPv6')) sg_rules = PolicyEntriesType(rules) sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj, id_perms=id_perms, security_group_entries=sg_rules) SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name, name=sg_obj.name, k8s_type=self._k8s_event_type) try: self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) except RefsExistError: self._vnc_lib.security_group_update(sg_obj) sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name) sg_uuid = sg_obj.get_uuid() SecurityGroupKM.locate(sg_uuid) sg_dict[sg_name] = sg_uuid # create namespace security group ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg']) NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group" id_perms = IdPermsType(enable=True, description=NAMESPACE_SECGROUP_DESCRIPTION) sg_obj = SecurityGroup(name=ns_sg_name, parent_obj=proj_obj, id_perms=id_perms, security_group_entries=None) SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name, name=sg_obj.name, k8s_type=self._k8s_event_type) try: self._vnc_lib.security_group_create(sg_obj) self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid()) except RefsExistError: pass sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name) sg_uuid = sg_obj.get_uuid() SecurityGroupKM.locate(sg_uuid) sg_dict[ns_sg_name] = sg_uuid return sg_dict
def test_security_logging_object_with_policy_and_security_group(self): # Add a Network Policy Rule and a Security Group Rule to a # SLO vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") rule1 = { "protocol": "udp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.1/32" }, "action": "deny" } np = self.create_network_policy_with_multiple_rules([rule1]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) sg_obj = SecurityGroup(name=self.id() + '_sg1') self._vnc_lib.security_group_create(sg_obj) sgr_uuid = str(uuid.uuid4()) sg_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='tcp', src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(security_group='local')], dst_ports=[PortType(0, 65535)], ether_type='IPv4') sg_policy_rules = PolicyEntriesType([sg_rule]) sg_obj.set_security_group_entries(sg_policy_rules) self._vnc_lib.security_group_update(sg_obj) project = self._vnc_lib.project_read( fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(SecurityLoggingObjectST, slo_obj.get_fq_name_str()) np_rule1 = np.get_network_policy_entries().get_policy_rule()[0] np_fqdn = np.get_fq_name_str() np_rule1_uuid = np_rule1.get_rule_uuid() slo_rule_entries = [] slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300)) slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300)) slo_obj = self._vnc_lib.security_logging_object_read( fq_name=slo_obj.get_fq_name()) slo_obj.add_network_policy(np, None) sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid()) slo_obj.add_security_group(sg_obj, None) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries) slo_obj.del_network_policy(np) slo_obj.del_security_group(sg_obj) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete( fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_policy_and_security_group(self): # Add a Network Policy Rule and a Security Group Rule to a # SLO vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") rule1 = {"protocol": "udp", "direction": "<>", "src": {"type": "vn", "value": vn1}, "dst": {"type": "cidr", "value": "10.2.1.1/32"}, "action": "deny" } np = self.create_network_policy_with_multiple_rules([rule1]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) sg_obj = SecurityGroup(name=self.id() + '_sg1') self._vnc_lib.security_group_create(sg_obj) sgr_uuid = str(uuid.uuid4()) sg_rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='tcp', src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(security_group='local')], dst_ports=[PortType(0, 65535)], ether_type='IPv4') sg_policy_rules = PolicyEntriesType([sg_rule]) sg_obj.set_security_group_entries(sg_policy_rules) self._vnc_lib.security_group_update(sg_obj) project = self._vnc_lib.project_read(fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(config_db.SecurityLoggingObjectST, slo_obj.get_fq_name_str()) np_rule1 = np.get_network_policy_entries().get_policy_rule()[0] np_fqdn = np.get_fq_name_str() np_rule1_uuid = np_rule1.get_rule_uuid() slo_rule_entries = [] slo_rule_entries.append(SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300)) slo_rule_entries.append(SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300)) slo_obj = self._vnc_lib.security_logging_object_read(fq_name=slo_obj.get_fq_name()) slo_obj.add_network_policy(np, None) sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid()) slo_obj.add_security_group(sg_obj, None) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = to_bgp.SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries) slo_obj.del_network_policy(np) slo_obj.del_security_group(sg_obj) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = to_bgp.SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete(fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def security_group_create(self, sg_name, project_fq_name): project_obj = self._vnc_lib.project_read(project_fq_name) sg_obj = SecurityGroup(name=sg_name, parent_obj=project_obj) self._vnc_lib.security_group_create(sg_obj) return sg_obj