def test_add_acls_with_sec_group(self): expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port( self.fake_port_sg) expected_acls += ovn_acl.add_acl_dhcp( self.fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( self.fake_port_sg, self.fake_sg_rule, 'outport == "' + self.fake_port_sg['id'] + '" ' + '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22') expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), self.fake_port_sg, self.sg_cache, self.sg_ports_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch('neutron.db.db_base_plugin_v2.' 'NeutronDbPluginV2.get_subnet', return_value=self.fake_subnet), \ mock.patch('neutron.db.securitygroups_db.' 'SecurityGroupDbMixin.get_security_group', return_value=self.fake_sg): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), self.fake_port_sg, {}, {}, {}) self.assertEqual(expected_acls, acls)
def _add_sg_rule_acl_for_port(self, admin_context, port, r, sg_ports_cache, subnet_cache): # Update the match based on which direction this rule is for (ingress # or egress). match, remote_portdir = ovn_acl.acl_direction(r, port) # Update the match for IPv4 vs IPv6. ip_match, ip_version, icmp = ovn_acl.acl_ethertype(r) match += ip_match # Update the match if an IPv4 or IPv6 prefix was specified. match += ovn_acl.acl_remote_ip_prefix(r, ip_version) group_match, empty_match = self._acl_remote_group_id( admin_context, r, sg_ports_cache, subnet_cache, port, remote_portdir, ip_version) if empty_match: # If there are no other ports on this security group, then this # rule can never match, so no ACL row will be created for this # rule. return None match += group_match # Update the match for the protocol (tcp, udp, icmp) and port/type # range if specified. match += ovn_acl.acl_protocol_and_ports(r, icmp) # Finally, create the ACL entry for the direction specified. return ovn_acl.add_sg_rule_acl_for_port(port, r, match)
def _add_sg_rule_acl_for_port(self, admin_context, port, r, sg_ports_cache, subnet_cache): # Update the match based on which direction this rule is for (ingress # or egress). match, remote_portdir = ovn_acl.acl_direction(r, port) # Update the match for IPv4 vs IPv6. ip_match, ip_version, icmp = ovn_acl.acl_ethertype(r) match += ip_match # Update the match if an IPv4 or IPv6 prefix was specified. match += ovn_acl.acl_remote_ip_prefix(r, ip_version) group_match, empty_match = self._acl_remote_group_id(admin_context, r, sg_ports_cache, subnet_cache, port, remote_portdir, ip_version) if empty_match: # If there are no other ports on this security group, then this # rule can never match, so no ACL row will be created for this # rule. return None match += group_match # Update the match for the protocol (tcp, udp, icmp) and port/type # range if specified. match += ovn_acl.acl_protocol_and_ports(r, icmp) # Finally, create the ACL entry for the direction specified. return ovn_acl.add_sg_rule_acl_for_port(port, r, match)
def test_acl_update_compare_acls(self): fake_sg_rule = \ fakes.FakeSecurityGroupRule.create_one_security_group_rule().info() fake_port = fakes.FakePort.create_one_port().info() fake_add_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( attrs={'match': 'add_acl'}) fake_del_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( attrs={'match': 'del_acl'}) fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row( attrs={'name': ovn_utils.ovn_name(fake_port['network_id']), 'acls': []}) add_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port, fake_sg_rule, 'add_acl') self.ovn_api.get_acls_for_lswitches.return_value = ( {fake_port['id']: [fake_del_acl.match]}, {fake_del_acl.match: fake_del_acl}, {fake_lswitch.name.replace('neutron-', ''): fake_lswitch}) cmd = commands.UpdateACLsCommand( self.ovn_api, [fake_port['network_id']], [fake_port], {fake_port['id']: [add_acl]}, need_compare=True) self.transaction.insert.return_value = fake_add_acl cmd.run_idl(self.transaction) self.transaction.insert.assert_called_once_with( self.ovn_api.acl_table) fake_lswitch.verify.assert_called_with('acls') self.assertEqual([fake_add_acl.uuid], fake_lswitch.acls)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True): fake_port_sg = fakes.FakePort.create_one_port( attrs={ 'security_groups': [self.fake_sg['id']], 'fixed_ips': [{ 'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.20' }] }).info() expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg) if not native_dhcp: expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port_sg, self.fake_sg_rule, 'outport == "' + fake_port_sg['id'] + '" ' + '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22') expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch('neutron.db.db_base_plugin_v2.' 'NeutronDbPluginV2.get_subnet', return_value=self.fake_subnet), \ mock.patch('neutron.db.securitygroups_db.' 'SecurityGroupDbMixin.get_security_group', return_value=self.fake_sg): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {}) self.assertEqual(expected_acls, acls) # Test with security groups disabled with mock.patch('networking_ovn.common.acl.is_sg_enabled', return_value=False): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual([], acls) # Test with multiple fixed IPs on the same subnet. fake_port_sg['fixed_ips'].append({ 'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.21' }) acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls)
def _test_add_sg_rule_acl_for_port(self, sg_rule, direction, match): port = {'id': 'port-id', 'network_id': 'network-id'} acl = ovn_acl.add_sg_rule_acl_for_port(port, sg_rule, match) self.assertEqual(acl, {'lswitch': 'neutron-network-id', 'lport': 'port-id', 'priority': ovn_const.ACL_PRIORITY_ALLOW, 'action': ovn_const.ACL_ACTION_ALLOW_RELATED, 'log': False, 'direction': direction, 'match': match, 'external_ids': {'neutron:lport': 'port-id'}})
def _test_add_sg_rule_acl_for_port(self, sg_rule, direction, match): port = {'id': 'port-id', 'network_id': 'network-id'} acl = ovn_acl.add_sg_rule_acl_for_port(port, sg_rule, match) self.assertEqual({'lswitch': 'neutron-network-id', 'lport': 'port-id', 'priority': ovn_const.ACL_PRIORITY_ALLOW, 'action': ovn_const.ACL_ACTION_ALLOW_RELATED, 'log': False, 'direction': direction, 'match': match, 'external_ids': {'neutron:lport': 'port-id'}}, acl)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True): fake_port_sg = fakes.FakePort.create_one_port( attrs={ "security_groups": [self.fake_sg["id"]], "fixed_ips": [{"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.20"}], } ).info() expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg) if not native_dhcp: expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port_sg, self.fake_sg_rule, 'outport == "' + fake_port_sg["id"] + '" ' + "&& ip4 && ip4.src == 0.0.0.0/0 " + "&& tcp && tcp.dst == 22", ) expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch( "neutron.db.db_base_plugin_v2." "NeutronDbPluginV2.get_subnet", return_value=self.fake_subnet ), mock.patch( "neutron.db.securitygroups_db." "SecurityGroupDbMixin.get_security_group", return_value=self.fake_sg ): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {}) self.assertEqual(expected_acls, acls) # Test with security groups disabled with mock.patch("networking_ovn.common.acl.is_sg_enabled", return_value=False): acls = ovn_acl.add_acls( self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache ) self.assertEqual([], acls) # Test with multiple fixed IPs on the same subnet. fake_port_sg["fixed_ips"].append({"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.21"}) acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls)
def test_acl_update_no_compare_del_acls(self): fake_sg_rule = \ fakes.FakeSecurityGroupRule.create_one_security_group_rule().info() fake_port = fakes.FakePort.create_one_port().info() fake_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row( attrs={'match': '*'}) fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row( attrs={'name': ovn_utils.ovn_name(fake_port['network_id']), 'acls': [fake_acl]}) del_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port, fake_sg_rule, '*') with mock.patch.object(idlutils, 'row_by_value', return_value=fake_lswitch): cmd = commands.UpdateACLsCommand( self.ovn_api, [fake_port['network_id']], [fake_port], {fake_port['id']: del_acl}, need_compare=False, is_add_acl=False) cmd.run_idl(self.transaction) self.transaction.insert.assert_not_called() fake_lswitch.verify.assert_called_with('acls') self.assertEqual([], fake_lswitch.acls)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True): fake_port_sg = fakes.FakePort.create_one_port( attrs={'security_groups': [self.fake_sg['id']], 'fixed_ips': [{'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.20'}]} ).info() expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port( fake_port_sg) if not native_dhcp: expected_acls += ovn_acl.add_acl_dhcp( fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port_sg, self.fake_sg_rule, 'outport == "' + fake_port_sg['id'] + '" ' + '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22') expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch('neutron.db.db_base_plugin_v2.' 'NeutronDbPluginV2.get_subnet', return_value=self.fake_subnet), \ mock.patch('neutron.db.securitygroups_db.' 'SecurityGroupDbMixin.get_security_group', return_value=self.fake_sg): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {}) self.assertEqual(expected_acls, acls) # Test with security groups disabled with mock.patch('networking_ovn.common.acl.is_sg_enabled', return_value=False): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual([], acls) # Test with multiple fixed IPs on the same subnet. fake_port_sg['fixed_ips'].append({'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.21'}) acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls)