示例#1
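    def test_policy_RT_import_export(self):
        """Validate the route targets (RT) imported/exported in the control node.

        Three virtual networks and four policies are created, then policies
        are bound and unbound step by step. After every step the expected
        peer VNs are recomputed with policy_test_utils.get_policy_peer_vns
        and handed to VNFixture.verify_vn_route_target for each VN.

        Per the original author's notes: get_policy_peer_vns internally calls
        get_allowed_peer_vns_by_policy for each VN; verify_vn_route_target
        builds the expected list through get_rt_info and compares it with the
        RT info read via cn_ref.get_cn_routing_instance. None of those
        helpers are visible here.

        Returns:
            True when every verification step passes; any failed step raises
            AssertionError naming the VN.
        """

        vn1_name = 'vn40'
        vn1_subnets = ['40.1.1.0/24']
        vn2_name = 'vn41'
        vn2_subnets = ['41.1.1.0/24']
        vn3_name = 'vn42'
        vn3_subnets = ['42.1.1.0/24']
        policy1_name = 'policy1'
        policy2_name = 'policy2'
        policy3_name = 'policy3'
        policy4_name = 'policy4'
        # Rule combinations this test is meant to cover:
        #   1. both VNs allow each other
        #   2. one VN allows the peer while the other denies it
        #   3. a policy rule that does not list the local VN
        #   4. allow/deny for 'any' VN -- noted by the author as not handled yet
        # NOTE(review): the last rule below does use source_network 'any';
        # confirm how get_policy_peer_vns treats it, since an 'any' pass rule
        # is the widest grant in this rule set.
        rules = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn2_name
            },
            {
                'direction': '<>',
                'simple_action': 'deny',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn3_name
            },
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn2_name,
                'dest_network': vn3_name
            },
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': 'any',
                'dest_network': vn3_name
            },
        ]
        # policy4: vn1 -> vn3 pass, added to vn1 later next to policy1's deny.
        rev_rules2 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn1_name,
                'dest_network': vn3_name,
            },
        ]

        # policy2: vn2 -> vn1 pass, the reverse of policy1's first rule.
        rev_rules1 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn2_name,
                'dest_network': vn1_name,
            },
        ]
        # policy3: vn3 -> vn1 pass, while policy1 on vn1 denies vn1 <> vn3.
        rules2 = [
            {
                'direction': '<>',
                'simple_action': 'pass',
                'protocol': 'icmp',
                'source_network': vn3_name,
                'dest_network': vn1_name,
            },
        ]

        policy1_fixture = self.useFixture(
            PolicyFixture(policy_name=policy1_name,
                          rules_list=rules,
                          inputs=self.inputs,
                          connections=self.connections))
        policy2_fixture = self.useFixture(
            PolicyFixture(policy_name=policy2_name,
                          rules_list=rev_rules1,
                          inputs=self.inputs,
                          connections=self.connections))
        policy3_fixture = self.useFixture(
            PolicyFixture(policy_name=policy3_name,
                          rules_list=rules2,
                          inputs=self.inputs,
                          connections=self.connections))
        policy4_fixture = self.useFixture(
            PolicyFixture(policy_name=policy4_name,
                          rules_list=rev_rules2,
                          inputs=self.inputs,
                          connections=self.connections))
        vn1_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn1_name,
                      inputs=self.inputs,
                      subnets=vn1_subnets))
        assert vn1_fixture.verify_on_setup()
        vn2_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn2_name,
                      inputs=self.inputs,
                      subnets=vn2_subnets))
        assert vn2_fixture.verify_on_setup()
        vn3_fixture = self.useFixture(
            VNFixture(project_name=self.inputs.project_name,
                      connections=self.connections,
                      vn_name=vn3_name,
                      inputs=self.inputs,
                      subnets=vn3_subnets))
        assert vn3_fixture.verify_on_setup()

        self.logger.info("TEST STEP: End of setup")
        vn_fixture = {
            vn1_name: vn1_fixture,
            vn2_name: vn2_fixture,
            vn3_name: vn3_fixture
        }
        vnet_list = [vn1_name, vn2_name, vn3_name]

        def verify_route_targets(retry_once):
            """Recompute the policy peer VNs and check every VN's route targets.

            With retry_once set, a failed check is repeated once after a
            5 second wait, because the control node may lag behind a config
            change under load (e.g. tests running in parallel).
            """
            peer_vns_by_policy = policy_test_utils.get_policy_peer_vns(
                self, vnet_list, vn_fixture)
            for vn in vnet_list:
                err_msg_on_fail = "route verification failed for vn %s" % (vn)
                out = vn_fixture[vn].verify_vn_route_target(
                    policy_peer_vns=peer_vns_by_policy[vn])
                if not out and retry_once:
                    self.logger.info("wait and verify VN RT again...")
                    time.sleep(5)
                    out = vn_fixture[vn].verify_vn_route_target(
                        policy_peer_vns=peer_vns_by_policy[vn])
                assert out, err_msg_on_fail

        self.logger.info("TEST STEP: Route verification for VN after setup")
        # No policy change has happened yet, so this baseline stays strict.
        verify_route_targets(retry_once=False)

        self.logger.info(
            "TEST STEP: Bind policys to VN and verify import and export RT values"
        )
        policy_fq_name1 = [policy1_fixture.policy_fq_name]
        policy_fq_name2 = [policy2_fixture.policy_fq_name]
        vn1_fixture.bind_policies(policy_fq_name1, vn1_fixture.vn_id)
        vn1_pol = vn1_fixture.get_policy_attached_to_vn()
        vn2_fixture.bind_policies(policy_fq_name2, vn2_fixture.vn_id)
        vn2_pol = vn2_fixture.get_policy_attached_to_vn()
        vn3_fixture.bind_policies([policy3_fixture.policy_fq_name],
                                  vn3_fixture.vn_id)
        vn3_pol = vn3_fixture.get_policy_attached_to_vn()
        self.logger.info("vn: %s policys: %s" % (vn1_name, vn1_pol))
        self.logger.info("vn: %s policys: %s" % (vn2_name, vn2_pol))
        self.logger.info("vn: %s policys: %s" % (vn3_name, vn3_pol))

        verify_route_targets(retry_once=True)

        self.logger.info(
            "TEST STEP: Bind one more policy to VN and verify RT import values updated"
        )
        vn1_fixture.bind_policies(
            [policy1_fixture.policy_fq_name, policy4_fixture.policy_fq_name],
            vn1_fixture.vn_id)

        # Every step after a bind/unbind is subject to the same control-node
        # propagation delay, so the single bounded retry is applied to all of
        # them rather than to the first bind step only.
        verify_route_targets(retry_once=True)

        self.logger.info(
            "TEST STEP: Unbind policy which was added earlier and verify RT import/export values are updated accordingly"
        )
        vn1_fixture.unbind_policies(vn1_fixture.vn_id,
                                    [policy4_fixture.policy_fq_name])
        vn3_fixture.unbind_policies(vn3_fixture.vn_id,
                                    [policy3_fixture.policy_fq_name])

        # This is the check that runs after policies are withdrawn; a failure
        # that survives the retry means the control-node RT info still differs
        # from what the remaining policies allow.
        verify_route_targets(retry_once=True)
        return True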
示例#2
    def test_policy_RT_import_export(self):
        """Check route-target (RT) import/export in the control node as policies change.

        The comparison lives in the VN fixture: the test gathers the VNs each
        policy allows via policy_test_utils.get_policy_peer_vns and passes the
        result to verify_vn_route_target on every VN fixture. According to the
        original author's notes, get_policy_peer_vns calls
        get_allowed_peer_vns_by_policy per VN, and verify_vn_route_target
        builds its expected list with get_rt_info before comparing it with
        the RT info from cn_ref.get_cn_routing_instance.

        Returns True when all steps pass; a failing step raises AssertionError.
        """

        def icmp_rule(action, src, dst):
            # Every rule in this test is bidirectional ICMP; only the action
            # and the two endpoints vary.
            return {'direction': '<>',
                    'simple_action': action,
                    'protocol': 'icmp',
                    'source_network': src,
                    'dest_network': dst}

        def new_policy(name, rule_set):
            # Register a policy fixture so it is cleaned up with the test.
            return self.useFixture(
                PolicyFixture(
                    policy_name=name,
                    rules_list=rule_set,
                    inputs=self.inputs,
                    connections=self.connections))

        def new_vn(name, subnets):
            # Create a VN fixture and require its own setup verification.
            created = self.useFixture(
                VNFixture(
                    project_name=self.inputs.project_name,
                    connections=self.connections,
                    vn_name=name,
                    inputs=self.inputs,
                    subnets=subnets))
            assert created.verify_on_setup()
            return created

        def bind_and_fetch(fixture, fq_names):
            # Bind the policies, then read back what is attached to the VN.
            fixture.bind_policies(fq_names, fixture.vn_id)
            return fixture.get_policy_attached_to_vn()

        def check_route_targets(retry=False):
            # Recompute the allowed peers, then verify each VN in turn.
            allowed_peers = policy_test_utils.get_policy_peer_vns(
                self, vnets, fixtures)
            for net in vnets:
                failure_text = "route verification failed for vn %s" % (net)
                verified = fixtures[net].verify_vn_route_target(
                    policy_peer_vns=allowed_peers[net])
                # The control node may lag behind a config change, depending
                # on system load (e.g. several tests running in parallel), so
                # the retrying variant waits and checks one more time.
                if retry and not verified:
                    self.logger.info("wait and verify VN RT again...")
                    time.sleep(5)
                    verified = fixtures[net].verify_vn_route_target(
                        policy_peer_vns=allowed_peers[net])
                assert verified, failure_text

        net1, net2, net3 = 'vn40', 'vn41', 'vn42'

        # Rule combinations under test:
        #   1. both VNs allow each other
        #   2. one VN allows its peer while the other denies it
        #   3. a policy rule that does not list the local VN
        #   4. allow/deny for any VN is not handled for now
        pol1 = new_policy('policy1', [
            icmp_rule('pass', net1, net2),
            icmp_rule('deny', net1, net3),
            icmp_rule('pass', net2, net3),
            icmp_rule('pass', 'any', net3),
        ])
        pol2 = new_policy('policy2', [icmp_rule('pass', net2, net1)])
        pol3 = new_policy('policy3', [icmp_rule('pass', net3, net1)])
        pol4 = new_policy('policy4', [icmp_rule('pass', net1, net3)])

        vn_a = new_vn(net1, ['40.1.1.0/24'])
        vn_b = new_vn(net2, ['41.1.1.0/24'])
        vn_c = new_vn(net3, ['42.1.1.0/24'])

        self.logger.info("TEST STEP: End of setup")
        fixtures = {net1: vn_a, net2: vn_b, net3: vn_c}
        vnets = [net1, net2, net3]

        self.logger.info("TEST STEP: Route verification for VN after setup")
        check_route_targets()

        self.logger.info(
            "TEST STEP: Bind policys to VN and verify import and export RT values")
        fq_for_vn1 = [pol1.policy_fq_name]
        fq_for_vn2 = [pol2.policy_fq_name]
        attached = [
            (net1, bind_and_fetch(vn_a, fq_for_vn1)),
            (net2, bind_and_fetch(vn_b, fq_for_vn2)),
            (net3, bind_and_fetch(vn_c, [pol3.policy_fq_name])),
        ]
        for net, bound in attached:
            self.logger.info("vn: %s policys: %s" % (net, bound))

        check_route_targets(retry=True)

        self.logger.info(
            "TEST STEP: Bind one more policy to VN and verify RT import values updated")
        vn_a.bind_policies(
            [pol1.policy_fq_name, pol4.policy_fq_name],
            vn_a.vn_id)
        check_route_targets()

        self.logger.info(
            "TEST STEP: Unbind policy which was added earlier and verify RT import/export values are updated accordingly")
        vn_a.unbind_policies(vn_a.vn_id, [pol4.policy_fq_name])
        vn_c.unbind_policies(vn_c.vn_id, [pol3.policy_fq_name])
        check_route_targets()

        return True