def test_create_group_with_one_simple_rule(self): """ Tests the creation of an OpenStack Security Group with one simple custom rule. """ # Create Security Group sec_grp_rule_settings = list() sec_grp_rule_settings.append( SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name, direction=Direction.ingress, description='test_rule_1')) sec_grp_settings = SecurityGroupConfig( name=self.sec_grp_name, description='hello group', rule_settings=sec_grp_rule_settings) self.sec_grp_creator = create_security_group.OpenStackSecurityGroup( self.os_creds, sec_grp_settings) self.sec_grp_creator.create() sec_grp = neutron_utils.get_security_group( self.neutron, self.keystone, sec_grp_settings=sec_grp_settings) validation_utils.objects_equivalent( self.sec_grp_creator.get_security_group(), sec_grp) rules = neutron_utils.get_rules_by_security_group( self.neutron, self.sec_grp_creator.get_security_group()) self.assertEqual(len(self.sec_grp_creator.get_rules()), len(rules)) validation_utils.objects_equivalent(self.sec_grp_creator.get_rules(), rules) self.assertTrue( validate_sec_grp(self.neutron, self.keystone, self.sec_grp_creator.sec_grp_settings, self.sec_grp_creator.get_security_group(), rules))
def test_create_delete_group(self): """ Tests the creation of an OpenStack Security Group without custom rules. """ # Create Security Group sec_grp_settings = SecurityGroupConfig(name=self.sec_grp_name, description='hello group') self.sec_grp_creator = create_security_group.OpenStackSecurityGroup( self.os_creds, sec_grp_settings) created_sec_grp = self.sec_grp_creator.create() self.assertIsNotNone(created_sec_grp) self.assertTrue( validate_sec_grp(self.neutron, self.keystone, self.sec_grp_creator.sec_grp_settings, self.sec_grp_creator.get_security_group())) neutron_utils.delete_security_group(self.neutron, created_sec_grp) self.assertIsNone( neutron_utils.get_security_group( self.neutron, self.keystone, sec_grp_settings=self.sec_grp_creator.sec_grp_settings)) self.sec_grp_creator.clean()
def test_create_group_new_user_to_admin_project(self): """ Tests the creation of an OpenStack Security Group without custom rules. """ # Create Security Group sec_grp_settings = SecurityGroupConfig( name=self.sec_grp_name, description='hello group', project_name=self.os_creds.project_name) self.sec_grp_creator = create_security_group.OpenStackSecurityGroup( self.admin_os_creds, sec_grp_settings) self.sec_grp_creator.create() sec_grp = neutron_utils.get_security_group( self.neutron, self.keystone, sec_grp_settings=sec_grp_settings) self.assertIsNotNone(sec_grp) validation_utils.objects_equivalent( self.sec_grp_creator.get_security_group(), sec_grp) rules = neutron_utils.get_rules_by_security_group( self.neutron, self.sec_grp_creator.get_security_group()) self.assertEqual(len(self.sec_grp_creator.get_rules()), len(rules)) validation_utils.objects_equivalent(self.sec_grp_creator.get_rules(), rules) self.assertTrue( validate_sec_grp(self.neutron, self.keystone, self.sec_grp_creator.sec_grp_settings, self.sec_grp_creator.get_security_group(), rules))
def tearDown(self): """ Cleans the remote OpenStack objects """ if self.project: neutron = neutron_utils.neutron_client(self.os_creds, self.os_session) default_sec_grp = neutron_utils.get_security_group( neutron, self.keystone, sec_grp_name='default', project_name=self.os_creds.project_name) if default_sec_grp: try: neutron_utils.delete_security_group( neutron, default_sec_grp) except: pass keystone_utils.delete_project(self.keystone, self.project) if self.user: keystone_utils.delete_user(self.keystone, self.user) if self.role: keystone_utils.delete_role(self.keystone, self.role) super(self.__class__, self).__clean__()
def initialize(self): """ Loads existing security group. :return: the security group domain object """ super(self.__class__, self).initialize() self.__security_group = neutron_utils.get_security_group( self._neutron, self._keystone, sec_grp_settings=self.sec_grp_settings, project_name=self._os_creds.project_name) if self.__security_group: # Populate rules existing_rules = neutron_utils.get_rules_by_security_group( self._neutron, self.__security_group) for existing_rule in existing_rules: # For Custom Rules rule_setting = self.__get_setting_from_rule(existing_rule) self.__rules[rule_setting] = existing_rule self.__security_group = neutron_utils.get_security_group_by_id( self._neutron, self.__security_group.id) return self.__security_group
def test_remove_rule_by_setting(self): """ Tests the creation of an OpenStack Security Group with two simple custom rules then removes one by the rule setting object """ # Create Security Group sec_grp_rule_settings = list() sec_grp_rule_settings.append( SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name, direction=Direction.ingress, description='test_rule_1')) sec_grp_rule_settings.append( SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name, direction=Direction.egress, protocol=Protocol.udp, ethertype=Ethertype.IPv6, description='test_rule_2')) sec_grp_rule_settings.append( SecurityGroupRuleConfig(sec_grp_name=self.sec_grp_name, direction=Direction.egress, protocol=Protocol.udp, ethertype=Ethertype.IPv4, port_range_min=10, port_range_max=20, description='test_rule_3')) sec_grp_settings = SecurityGroupConfig( name=self.sec_grp_name, description='hello group', rule_settings=sec_grp_rule_settings) self.sec_grp_creator = create_security_group.OpenStackSecurityGroup( self.os_creds, sec_grp_settings) self.sec_grp_creator.create() sec_grp = neutron_utils.get_security_group( self.neutron, self.keystone, sec_grp_settings=sec_grp_settings) validation_utils.objects_equivalent( self.sec_grp_creator.get_security_group(), sec_grp) rules = neutron_utils.get_rules_by_security_group( self.neutron, self.sec_grp_creator.get_security_group()) self.assertEqual(len(self.sec_grp_creator.get_rules()), len(rules)) validation_utils.objects_equivalent(self.sec_grp_creator.get_rules(), rules) self.assertTrue( validate_sec_grp(self.neutron, self.keystone, self.sec_grp_creator.sec_grp_settings, self.sec_grp_creator.get_security_group(), rules)) self.sec_grp_creator.remove_rule(rule_setting=sec_grp_rule_settings[0]) rules_after_del = neutron_utils.get_rules_by_security_group( self.neutron, self.sec_grp_creator.get_security_group()) self.assertEqual(len(rules) - 1, len(rules_after_del))
def validate_sec_grp_rules(neutron, keystone, rule_settings, rules): """ Returns True is the settings on a security group rule are properly contained on the SNAPS SecurityGroupRule domain object. This function will only operate on rules that contain a description as this is the only means to tell if the rule is custom or defaulted by OpenStack :param neutron: the neutron client :param keystone: the keystone client :param rule_settings: collection of SecurityGroupRuleConfig objects :param rules: a collection of SecurityGroupRule domain objects :return: T/F """ for rule_setting in rule_settings: if rule_setting.description: match = False for rule in rules: sec_grp = neutron_utils.get_security_group( neutron, keystone, sec_grp_name=rule_setting.sec_grp_name) setting_eth_type = create_security_group.Ethertype.IPv4 if rule_setting.ethertype: setting_eth_type = rule_setting.ethertype if not sec_grp: return False proto_str = 'null' if rule.protocol: proto_str = rule.protocol if (rule.description == rule_setting.description and rule.direction == rule_setting.direction.name and rule.ethertype == setting_eth_type.name and rule.port_range_max == rule_setting.port_range_max and rule.port_range_min == rule_setting.port_range_min and proto_str == str(rule_setting.protocol.value) and rule.remote_group_id == rule_setting.remote_group_id and rule.remote_ip_prefix == rule_setting.remote_ip_prefix and rule.security_group_id == sec_grp.id): match = True break if not match: return False return True
def clean(self): """ Cleanse environment of all artifacts :return: void """ if self.__project: # Delete security group 'default' if exists neutron = neutron_utils.neutron_client(self._os_creds, self._os_session) try: default_sec_grp = neutron_utils.get_security_group( neutron, self._keystone, sec_grp_name='default', project_name=self.__project.name) if default_sec_grp: try: neutron_utils.delete_security_group( neutron, default_sec_grp) except: pass finally: neutron.httpclient.session.session.close() # Delete Project try: keystone_utils.delete_project(self._keystone, self.__project) except NotFound: pass self.__project = None if self.__role: try: keystone_utils.delete_role(self._keystone, self.__role) except NotFound: pass self.__project = None # Final role check in case init was done from an existing instance role = keystone_utils.get_role_by_name(self._keystone, self.__role_name) if role: keystone_utils.delete_role(self._keystone, role) super(self.__class__, self).clean()
def dict_for_neutron(self, neutron, keystone, project_name): """ Returns a dictionary object representing this object. This is meant to be converted into JSON designed for use by the Neutron API :param neutron: the neutron client for performing lookups :param keystone: the keystone client for performing lookups :param project_name: the name of the project associated with the group :return: the dictionary object """ out = dict() if self.description: out['description'] = self.description if self.direction: out['direction'] = self.direction.name if self.port_range_min: out['port_range_min'] = self.port_range_min if self.port_range_max: out['port_range_max'] = self.port_range_max if self.ethertype: out['ethertype'] = self.ethertype.name if self.protocol and self.protocol.value != 'null': out['protocol'] = self.protocol.value if self.sec_grp_name: sec_grp = neutron_utils.get_security_group( neutron, keystone, sec_grp_name=self.sec_grp_name, project_name=project_name) if sec_grp: out['security_group_id'] = sec_grp.id else: raise SecurityGroupRuleConfigError( 'Cannot locate security group with name - ' + self.sec_grp_name) if self.remote_group_id: out['remote_group_id'] = self.remote_group_id if self.remote_ip_prefix: out['remote_ip_prefix'] = self.remote_ip_prefix return {'security_group_rule': out}
def dict_for_neutron(self, neutron, os_creds): """ Returns a dictionary object representing this object. This is meant to be converted into JSON designed for use by the Neutron API TODO - expand automated testing to exercise all parameters :param neutron: the Neutron client :param os_creds: the OpenStack credentials :return: the dictionary object """ out = dict() session = keystone_utils.keystone_session(os_creds) keystone = keystone_utils.keystone_client(os_creds, session) project_name = os_creds.project_name if self.project_name: project_name = project_name try: network = neutron_utils.get_network(neutron, keystone, network_name=self.network_name) if network and not (network.shared or network.external): network = neutron_utils.get_network( neutron, keystone, network_name=self.network_name, project_name=project_name) finally: if session: keystone_utils.close_session(session) if not network: raise PortConfigError('Cannot locate network with name - ' + self.network_name + ' in project - ' + str(project_name)) out['network_id'] = network.id if self.admin_state_up is not None: out['admin_state_up'] = self.admin_state_up if self.name: out['name'] = self.name if self.project_name: project = keystone_utils.get_project( keystone=keystone, project_name=self.project_name) project_id = None if project: project_id = project.id if project_id: out['tenant_id'] = project_id else: raise PortConfigError( 'Could not find project ID for project named - ' + self.project_name) if self.mac_address: out['mac_address'] = self.mac_address fixed_ips = self.__get_fixed_ips(neutron, network) if fixed_ips and len(fixed_ips) > 0: out['fixed_ips'] = fixed_ips if self.security_groups: sec_grp_ids = list() for sec_grp_name in self.security_groups: sec_grp = neutron_utils.get_security_group( neutron, keystone, sec_grp_name=sec_grp_name, project_name=self.project_name) if sec_grp: sec_grp_ids.append(sec_grp.id) out['security_groups'] = sec_grp_ids if self.port_security_enabled is not None: out['port_security_enabled'] = self.port_security_enabled if self.allowed_address_pairs and len(self.allowed_address_pairs) > 0: out['allowed_address_pairs'] = self.allowed_address_pairs if self.opt_value: out['opt_value'] = self.opt_value if self.opt_name: out['opt_name'] = self.opt_name if self.device_owner: out['device_owner'] = self.device_owner if self.device_id: out['device_id'] = self.device_id if self.extra_dhcp_opts: out['extra_dhcp_opts'] = self.extra_dhcp_opts return {'port': out}