def verify_policy_in_api_quantum_server( self, api_policy_obj, quantum_policy_obj): '''Validate policy information in API-Server. Compare data with quantum based policy fixture data. Check specifically for following: api_server_keys: 1> fq_name, 2> uuid, 3> rules quantum_h_keys: 1> policy_fq_name, 2> id in policy_obj, 3> policy_obj [for rules] ''' me = inspect.getframeinfo(inspect.currentframe())[2] result = True err_msg = [] out = None self.logger.info("====Verifying data for %s in API_Server ======" % (api_policy_obj.fq_name[2])) self.api_s_policy_obj = self.api_s_inspect.get_cs_policy( domain=api_policy_obj.fq_name[0], project=api_policy_obj.fq_name[1], policy=api_policy_obj.fq_name[2], refresh=True) self.api_s_policy_obj_x = self.api_s_policy_obj['network-policy'] # compare policy_fq_name out = policy_test_utils.compare_args( 'policy_fq_name', api_policy_obj.fq_name, quantum_policy_obj['policy']['fq_name']) if out: err_msg.append(out) # compare policy_uuid out = policy_test_utils.compare_args( 'policy_uuid', api_policy_obj.uuid, quantum_policy_obj['policy']['id']) if out: err_msg.append(out) # compare policy_rules out = policy_test_utils.compare_args( 'policy_rules', self.api_s_policy_obj_x[ 'network_policy_entries']['policy_rule'], quantum_policy_obj['policy']['entries']['policy_rule']) if out: err_msg.append(out) if err_msg != []: result = False err_msg.insert( 0, me + ":" + api_policy_obj.fq_name[2]) self.logger.info("verification: %s, status: %s message: %s" % (me, result, err_msg)) return {'result': result, 'msg': err_msg}
def verify_policy_in_control_nodes(self): """ Checks for policy details in Control-nodes. Validate control-node data against quantum and return False if any mismatch is found. """ # Refresh quantum policy object - self.policy_obj self.refresh_quantum_policy_obj() me = inspect.getframeinfo(inspect.currentframe())[2] result = True err_msg = [] out = None for cn in self.inputs.bgp_ips: # check if policy exists: cn_config_policy_obj = self.cn_inspect[cn].get_cn_config_policy( domain=self.project_fq_name[0], project=self.project_fq_name[1], policy=self.policy_name) if not cn_config_policy_obj: msg = "IFMAP View of Control-node %s is missing policy %s" % (cn, self.policy_fq_name) err_msg.append(msg) self.logger.info(msg) return {'result': False, 'msg': err_msg} # compare policy_fq_name self.logger.debug("Control-node %s : Policy object is : %s" % (cn, cn_config_policy_obj)) policy_fqn = ':'.join(self.policy_fq_name) if policy_fqn not in cn_config_policy_obj['node_name']: msg = "IFMAP View of Control-node %s is not having the policy detail of %s" % ( cn, self.policy_fq_name) err_msg.append(msg) # compare policy_rules if cn_config_policy_obj['obj_info']: cn_rules = cn_config_policy_obj['obj_info'][ 0]['data']['network-policy-entries'] else: # policy not attached to any network cn_rules = [] # translate control data in quantum data format for verification: if cn_rules: cn_rules = policy_test_utils.xlate_cn_rules(cn_rules) else: cn_rules = [] self.logger.info("policy info in control node: %s" % cn_rules) qntm_policy_info = self.policy_obj['policy']['entries']['policy_rule'] self.logger.info("policy info in quantum: %s" % qntm_policy_info) out = policy_test_utils.compare_args('policy_rules', cn_rules, qntm_policy_info, exp_name='cn_rules', act_name='quantum_rules') if out: msg = "Rules view in control-node %s is not matching, detailed msg follows %s" % ( cn, out) err_msg.append(msg) if err_msg != []: result = False err_msg.insert(0, me + ":" + self.policy_name) self.logger.info("verification: %s, status: %s" % (me, result)) return {'result': result, 'msg': err_msg}
def test_policy_protocol_summary(self): ''' Test to validate that when policy is created with multiple rules that can be summarized by protocol ''' proj_name = self.inputs.project_name vn1_name = 'vn40' vn1_subnets = ['10.1.1.0/24'] policy1_name = 'policy1' policy2_name = 'policy2' rules2 = [ { 'direction': '<>', 'simple_action': 'pass', 'protocol': 'any', 'source_network': vn1_name, 'dest_network': vn1_name, }, { 'direction': '<>', 'simple_action': 'pass', 'protocol': 'icmp', 'source_network': vn1_name, 'dest_network': vn1_name, }, ] rules1 = [ { 'direction': '<>', 'simple_action': 'pass', 'protocol': 'any', 'source_network': vn1_name, 'dest_network': vn1_name, }, ] policy1_fixture = self.useFixture( PolicyFixture(policy_name=policy1_name, rules_list=rules1, inputs=self.inputs, connections=self.connections)) policy2_fixture = self.useFixture( PolicyFixture(policy_name=policy2_name, rules_list=rules2, inputs=self.inputs, connections=self.connections)) vn1_fixture = self.useFixture( VNFixture(project_name=self.inputs.project_name, connections=self.connections, vn_name=vn1_name, inputs=self.inputs, subnets=vn1_subnets, policy_objs=[policy1_fixture.policy_obj])) assert vn1_fixture.verify_on_setup() vn1_vm1_name = 'vm1' vm1_fixture = self.useFixture( VMFixture(project_name=self.inputs.project_name, connections=self.connections, vn_obj=vn1_fixture.obj, vm_name=vn1_vm1_name)) assert vm1_fixture.verify_on_setup() inspect_h = self.agent_inspect[vm1_fixture.vm_node_ip] vn_fq_name = inspect_h.get_vna_vn(domain='default-domain', project=proj_name, vn_name=vn1_name)['name'] vna_acl1 = inspect_h.get_vna_acl_by_vn(vn_fq_name) policy1_fixture.verify_policy_in_api_server() if vn1_fixture.policy_objs: policy_fq_names = [ self.quantum_h.get_policy_fq_name(x) for x in vn1_fixture.policy_objs ] policy_fq_name2 = self.quantum_h.get_policy_fq_name( policy2_fixture.policy_obj) policy_fq_names.append(policy_fq_name2) vn1_fixture.bind_policies(policy_fq_names, vn1_fixture.vn_id) vna_acl2 = inspect_h.get_vna_acl_by_vn(vn_fq_name) out = policy_test_utils.compare_args('policy_rules', vna_acl1['entries'], vna_acl2['entries']) if out: self.logger.info( "policy rules are not matching with expected %s and actual %s" % (vna_acl1['entries'], vna_acl2['entries'])) self.assertIsNone(out, "policy compare failed") return True
def test_policy_protocol_summary(self): ''' Test to validate that when policy is created with multiple rules that can be summarized by protocol ''' proj_name = self.inputs.project_name vn1_name = 'vn40' vn1_subnets = ['10.1.1.0/24'] policy1_name = 'policy1' policy2_name = 'policy2' rules2 = [ { 'direction': '<>', 'simple_action': 'pass', 'protocol': 'any', 'source_network': vn1_name, 'dest_network': vn1_name, }, { 'direction': '<>', 'simple_action': 'pass', 'protocol': 'icmp', 'source_network': vn1_name, 'dest_network': vn1_name, }, ] rules1 = [ { 'direction': '<>', 'simple_action': 'pass', 'protocol': 'any', 'source_network': vn1_name, 'dest_network': vn1_name, }, ] policy1_fixture = self.useFixture( PolicyFixture( policy_name=policy1_name, rules_list=rules1, inputs=self.inputs, connections=self.connections)) policy2_fixture = self.useFixture( PolicyFixture( policy_name=policy2_name, rules_list=rules2, inputs=self.inputs, connections=self.connections)) vn1_fixture = self.useFixture( VNFixture( project_name=self.inputs.project_name, connections=self.connections, vn_name=vn1_name, inputs=self.inputs, subnets=vn1_subnets, policy_objs=[ policy1_fixture.policy_obj])) assert vn1_fixture.verify_on_setup() vn1_vm1_name = 'vm1' vm1_fixture = self.useFixture( VMFixture( project_name=self.inputs.project_name, connections=self.connections, vn_obj=vn1_fixture.obj, vm_name=vn1_vm1_name)) assert vm1_fixture.verify_on_setup() inspect_h = self.agent_inspect[vm1_fixture.vm_node_ip] vn_fq_name = inspect_h.get_vna_vn( domain='default-domain', project=proj_name, vn_name=vn1_name)['name'] vna_acl1 = inspect_h.get_vna_acl_by_vn(vn_fq_name) policy1_fixture.verify_policy_in_api_server() if vn1_fixture.policy_objs: policy_fq_names = [ self.quantum_h.get_policy_fq_name(x) for x in vn1_fixture.policy_objs] policy_fq_name2 = self.quantum_h.get_policy_fq_name( policy2_fixture.policy_obj) policy_fq_names.append(policy_fq_name2) vn1_fixture.bind_policies(policy_fq_names, vn1_fixture.vn_id) vna_acl2 = inspect_h.get_vna_acl_by_vn(vn_fq_name) out = policy_test_utils.compare_args( 'policy_rules', vna_acl1['entries'], vna_acl2['entries']) if out: self.logger.info( "policy rules are not matching with expected %s and actual %s" % (vna_acl1['entries'], vna_acl2['entries'])) self.assertIsNone(out, "policy compare failed") return True