def select(self):
     priority_actions = self.priority_actions.get_priority_action_list()
     pri_action_list = list_ops.unique_list(priority_actions)
     pre_action_dict = self.parse_pre_actions()
     pre_action_list = pre_action_dict.keys()
 
     #not executed action is always higher priority in this pickup strategy
     not_executed_actions = list_ops.list_minus(self.action_list, \
             pre_action_list)
     #test_util.test_logger('Not executed actions: %s ' % not_executed_actions)
     print('Not executed actions: %s ' % not_executed_actions)
 
     #test_util.test_logger('Priority Action List: %s ' % pri_action_list)
     print('Priority Action List: %s ' % pri_action_list)
 
     if not_executed_actions:
         if pri_action_list:
             pri_not_executed_actions = list_ops.list_and(not_executed_actions, pri_action_list)
             if pri_not_executed_actions:
                 return random.choice(pri_not_executed_actions)
         return random.choice(not_executed_actions)
     else:
         least_actions = self.cal_least_execute_action(pre_action_dict)
         pri_least_actions = list_ops.list_and(least_actions, pri_action_list)
         if pri_least_actions:
             return random.choice(pri_least_actions)
         else:
             return random.choice(least_actions)
 def select(self):
     priority_actions = self.priority_actions.get_priority_action_list()
     pri_action_list = list_ops.unique_list(priority_actions)
     pre_action_dict = self.parse_pre_actions()
     pre_action_list = pre_action_dict.keys()
 
     #not executed action is always higher priority in this pickup strategy
     not_executed_actions = list_ops.list_minus(self.action_list, \
             pre_action_list)
     #test_util.test_logger('Not executed actions: %s ' % not_executed_actions)
     print('Not executed actions: %s ' % not_executed_actions)
 
     #test_util.test_logger('Priority Action List: %s ' % pri_action_list)
     print('Priority Action List: %s ' % pri_action_list)
 
     if not_executed_actions:
         if pri_action_list:
             pri_not_executed_actions = list_ops.list_and(not_executed_actions, pri_action_list)
             if pri_not_executed_actions:
                 return random.choice(pri_not_executed_actions)
         return random.choice(not_executed_actions)
     else:
         least_actions = self.cal_least_execute_action(pre_action_dict)
         pri_least_actions = list_ops.list_and(least_actions, pri_action_list)
         if pri_least_actions:
             return random.choice(pri_least_actions)
         else:
             return random.choice(least_actions)
    def calc_sg_tcp_ports(self, sg_invs):
        '''
        calculate and setup allowed/denied vr and ip address for later testing.
        '''
        all_ports = port_header.all_ports
        allowed_ports = []
        denied_ports = all_ports

        #default all ingress ports are denied, unless we found vr ip is in 
        #allowed SG ingress rule. 
        self.allowed_vr = None
        self.allowed_vr_ip = None
        self.set_random_denied_vr()
        self.allowed_ports = []
        self.denied_ports = list(all_ports)

        #{vr_ip:{'allowed_ports': [], 'denied_ports': []}, }
        vr_port_map = {}

        for sg in sg_invs:
            if not sg.rules:
                continue 

            for rule in sg.rules:
                if rule.protocol == inventory.TCP \
                        and rule.type == inventory.INGRESS:

                    allowed_cidr = rule.allowedCidr
                    allowed_vr_ip = allowed_cidr.split('/')[0]
                    start_port = rule.startPort
                    end_port = rule.endPort
                    if allowed_vr_ip in self.available_vr_dict.keys():
                        rule_port_key = \
                                port_header.get_port_rule(start_port, end_port)
                        allowed_ports = port_header.get_ports(rule_port_key)
                        if not vr_port_map.has_key(allowed_vr_ip):
                            vr_port_map[allowed_vr_ip] = \
                                    {'allowed_ports': allowed_ports, \
                                    'denied_ports': []}
                        else:
                            for port in allowed_ports:
                                if not port in vr_port_map[allowed_vr_ip]['allowed_ports']:
                                    vr_port_map[allowed_vr_ip]['allowed_ports'].append(port)

        if not vr_port_map:
            #not find available vr ip is in allowed ingress rule. So all denied.
            return

        #pick one vr_ip as test target
        allowed_vr_ips = vr_port_map.keys()
        self.allowed_vr_ip = random.choice(allowed_vr_ips)
        self.allowed_vr = self.available_vr_dict[self.allowed_vr_ip]
        self.allowed_ports = vr_port_map[self.allowed_vr_ip]['allowed_ports']
        self.denied_ports = list_ops.list_minus(all_ports, self.allowed_ports)

        for vr_ip in self.available_vr_dict.keys():
            if not vr_ip in allowed_vr_ips:
                self.denied_vr_ip = vr_ip
                self.denied_vr = self.available_vr_dict[vr_ip]
    def calc_sg_tcp_ports(self, sg_invs):
        '''
        calculate and setup allowed/denied vr and ip address for later testing.
        '''
        all_ports = port_header.all_ports
        allowed_ports = []
        denied_ports = all_ports

        #default all ingress ports are denied, unless we found vr ip is in 
        #allowed SG ingress rule. 
        self.allowed_vr = None
        self.allowed_vr_ip = None
        self.set_random_denied_vr()
        self.allowed_ports = []
        self.denied_ports = list(all_ports)

        #{vr_ip:{'allowed_ports': [], 'denied_ports': []}, }
        vr_port_map = {}

        for sg in sg_invs:
            if not sg.rules:
                continue 

            for rule in sg.rules:
                if rule.protocol == inventory.TCP \
                        and rule.type == inventory.INGRESS:

                    allowed_cidr = rule.allowedCidr
                    allowed_vr_ip = allowed_cidr.split('/')[0]
                    start_port = rule.startPort
                    end_port = rule.endPort
                    if allowed_vr_ip in self.available_vr_dict.keys():
                        rule_port_key = \
                                port_header.get_port_rule(start_port, end_port)
                        allowed_ports = port_header.get_ports(rule_port_key)
                        if not vr_port_map.has_key(allowed_vr_ip):
                            vr_port_map[allowed_vr_ip] = \
                                    {'allowed_ports': allowed_ports, \
                                    'denied_ports': []}
                        else:
                            for port in allowed_ports:
                                if not port in vr_port_map[allowed_vr_ip]['allowed_ports']:
                                    vr_port_map[allowed_vr_ip]['allowed_ports'].append(port)

        if not vr_port_map:
            #not find available vr ip is in allowed ingress rule. So all denied.
            return

        #pick one vr_ip as test target
        allowed_vr_ips = vr_port_map.keys()
        self.allowed_vr_ip = random.choice(allowed_vr_ips)
        self.allowed_vr = self.available_vr_dict[self.allowed_vr_ip]
        self.allowed_ports = vr_port_map[self.allowed_vr_ip]['allowed_ports']
        self.denied_ports = list_ops.list_minus(all_ports, self.allowed_ports)

        for vr_ip in self.available_vr_dict.keys():
            if not vr_ip in allowed_vr_ips:
                self.denied_vr_ip = vr_ip
                self.denied_vr = self.available_vr_dict[vr_ip]
    def check(self):
        super(zstack_kvm_sg_tcp_ingress_checker, self).check()
        all_ports = port_header.all_ports
        test_result = True

        test_util.test_dsc('Check TCP ingress rules')
        nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
        l3_uuid = nic.l3NetworkUuid
        if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
            test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid)
            return self.judge(self.exp_result)

        stub_vm = self.test_obj.get_stub_vm(l3_uuid)
        if not stub_vm:
            test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid)
            return self.judge(self.exp_result)
        stub_vm = stub_vm.vm

        stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip
        target_addr = '%s/32' % stub_vm_ip

        rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr)
        allowed_ports = []

        for rule in rules:
            rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort))
            test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid))
            for port in rule_allowed_ports:
                if not port in allowed_ports:
                    allowed_ports.append(port)

        if not allowed_ports:
            #If no allowed port, it means all denied. 
            denied_ports = list(all_ports)
        else:
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)

        test_vm = test_lib.lib_get_vm_by_nic(nic.uuid)
        if test_vm.state == inventory.RUNNING:
            try:
                test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid)
                test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid))
                test_result = False
        else:
            test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid)

        test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid)
        print_iptables(test_vm)
        return self.judge(test_result)
    def check(self):
        super(zstack_vcenter_sg_tcp_ingress_checker, self).check()
        all_ports = port_header.all_ports
        test_result = True

        test_util.test_dsc('Check TCP ingress rules')
        nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
        l3_uuid = nic.l3NetworkUuid
        if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
            test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid)
            return self.judge(self.exp_result)

        stub_vm = self.test_obj.get_stub_vm(l3_uuid)
        if not stub_vm:
            test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid)
            return self.judge(self.exp_result)
        stub_vm = stub_vm.vm

        stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip
        target_addr = '%s/32' % stub_vm_ip

        rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr)
        allowed_ports = []

        for rule in rules:
            rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort))
            test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid))
            for port in rule_allowed_ports:
                if not port in allowed_ports:
                    allowed_ports.append(port)

        if not allowed_ports:
            #If no allowed port, it means all denied. 
            denied_ports = list(all_ports)
        else:
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)

        test_vm = test_lib.lib_get_vm_by_nic(nic.uuid)
        if test_vm.state == inventory.RUNNING:
            try:
                test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid)
                test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid))
                test_result = False
        else:
            test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid)

        test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid)
        print_iptables(test_vm)
        return self.judge(test_result)
    def calc_pf_sg_allowed_denied_ports(self, pf_rule):
        vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
        target_vm = test_lib.lib_get_vm_by_nic(vm_nic.uuid)
        all_ports = port_header.all_ports
        #consolidate rules for TCP/UDP/ICMP with different AllowedCidr
        rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd)

        #If there is ingress controlled by SG rule and the PF rule is not in the
        # allowed SG rule's range, the ingress PF connection will be blocked.
        sg_tcp_ingress_flag = _sg_rule_exist_for_pf(vm_nic, pf_rule)

        if sg_tcp_ingress_flag:
            test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid)
            return [], all_ports
        else:
            allowed_ports = port_header.get_ports(rule_port)
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)
            return allowed_ports, denied_ports
    def calc_pf_sg_allowed_denied_ports(self, pf_rule):
        vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
        target_vm = test_lib.lib_get_vm_by_nic(vm_nic.uuid)
        all_ports = port_header.all_ports
        #consolidate rules for TCP/UDP/ICMP with different AllowedCidr
        rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd)

        #If there is ingress controlled by SG rule and the PF rule is not in the
        # allowed SG rule's range, the ingress PF connection will be blocked.
        sg_tcp_ingress_flag = _sg_rule_exist_for_pf(vm_nic, pf_rule)

        if sg_tcp_ingress_flag:
            test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid)
            return [], all_ports
        else:
            allowed_ports = port_header.get_ports(rule_port)
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)
            return allowed_ports, denied_ports
    def check(self):
        '''
            check will assume target vm only have 1 port forwarding VR. 
            So all vms PF rules are assigned to 1 VM nic.
        '''
        super(zstack_vcenter_pf_tcp_checker, self).check()
        test_result = True
        target_vm = self.test_obj.get_target_vm().vm
        pf_rule = self.test_obj.get_port_forwarding()
        vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
        all_ports = port_header.all_ports
        #only open ports when VM is running.
        if self.test_obj.get_target_vm().state == vm_header.RUNNING:
            test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid)
        #consolidate rules for TCP/UDP/ICMP with different AllowedCidr
        rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd)

        #check SG ingress limitation. Since SG rule will not consider vip as 
        #allowedCidr, if there is ingress limitation, the ingress PF connection
        #will be blocked.
        sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)

        allowedCidr = pf_rule.allowedCidr
        allowed_vr_ip = allowedCidr.split('/')[0]
        allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
        vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
        l3_uuid = vr_nic.l3NetworkUuid

        allowed_vr_uuid_list = [allowed_vr_vm.uuid]
        #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly.
        pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm)
        for pf_vr in pf_vm_vrs:
            allowed_vr_uuid_list.append(pf_vr.uuid)

        denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list)
        denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)

        vip_uuid = pf_rule.vipUuid
        cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
        vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip
        if sg_tcp_ingress_flag:
            test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid)
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm)
            except:
                test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
        else:
            allowed_ports = port_header.get_ports(rule_port)
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))

            try:
                test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid))

        test_util.test_logger('Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid))
        return self.judge(test_result)
    def check(self):
        '''
            check will assume target vm only have 1 port forwarding VR. 
            So all vms PF rules are assigned to 1 VM nic.
        '''
        super(zstack_kvm_pf_tcp_checker, self).check()
        test_result = True
        target_vm = self.test_obj.get_target_vm().vm
        pf_rule = self.test_obj.get_port_forwarding()
        vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
        all_ports = port_header.all_ports
        #only open ports when VM is running.
        if self.test_obj.get_target_vm().state == vm_header.RUNNING:
            test_lib.lib_open_vm_listen_ports(target_vm, all_ports,
                                              vm_nic.l3NetworkUuid)
        #consolidate rules for TCP/UDP/ICMP with different AllowedCidr
        rule_port = port_header.get_port_rule(pf_rule.vipPortStart,
                                              pf_rule.vipPortEnd)

        #check SG ingress limitation. Since SG rule will not consider vip as
        #allowedCidr, if there is ingress limitation, the ingress PF connection
        #will be blocked.
        sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)

        allowedCidr = pf_rule.allowedCidr
        allowed_vr_ip = allowedCidr.split('/')[0]
        allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
        vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
        l3_uuid = vr_nic.l3NetworkUuid

        allowed_vr_uuid_list = [allowed_vr_vm.uuid]
        #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly.
        pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm)
        for pf_vr in pf_vm_vrs:
            allowed_vr_uuid_list.append(pf_vr.uuid)

        denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid,
                                       allowed_vr_uuid_list)
        denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)

        vip_uuid = pf_rule.vipUuid
        cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
        vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip
        if sg_tcp_ingress_flag:
            test_util.test_logger(
                'SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s'
                % target_vm.uuid)
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
                                                      allowed_vr_ip, vipIp, [],
                                                      all_ports, target_vm)
            except:
                test_util.test_logger(
                    "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. "
                    % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
        else:
            allowed_ports = port_header.get_ports(rule_port)
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
                                                      allowed_vr_ip, vipIp,
                                                      allowed_ports,
                                                      denied_ports, target_vm)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger(
                    "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
                    % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger(
                    "Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
                    % (pf_rule.uuid, target_vm.uuid))

            try:
                test_lib.lib_check_ports_in_a_command(denied_vr_vm,
                                                      denied_vr_ip, vipIp, [],
                                                      all_ports, target_vm)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger(
                    "Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s"
                    % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger(
                    "Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. "
                    % (pf_rule.uuid, target_vm.uuid))

        test_util.test_logger(
            'Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s'
            % (target_vm.uuid, vm_nic.uuid))
        return self.judge(test_result)
    def check(self):
        super(zstack_kvm_sg_icmp_internal_vms_checker, self).check()
        #only check ingress icmp.
        if not self.test_obj.get_nic_icmp_ingress_rules(self.nic_uuid):
            test_util.test_logger("Skip SG internal ICMP test, since there isn't icmp ingress rules for nic: %s" % self.nic_uuid)
            return self.judge(self.exp_result)

        test_result = True

        test_util.test_dsc('Check ICMP rules between attached VMs')
        nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid)
        nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
        dst_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid)
        l3_uuid = nic.l3NetworkUuid
        if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
            test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, test vm's IP address is not stable." % l3_uuid)
            return self.judge(self.exp_result)

        target_ip = nic.ip
        allowed_src_nic_list = []
        temp_allowed_src_nic_list = []
        denied_nic_list = []
        for sg in nic_sg_list:
            same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid))
            if len(same_l3_nic_list) < 2 :
                test_util.test_logger("Skip [l3:] %s ICMP internal VMs checking, since there is less 2 SG VMs in this l3." % l3_uuid)
                continue

            #if source vm's udp and tcp engress rules exist, while icmp ingress
            # rule does not exist, the src vm egress icmp should be denied.
            #minus current nic.
            nic_list_temp = list_ops.list_minus(list(same_l3_nic_list), [nic.uuid])
            for nic_uuid in nic_list_temp:
                source_nic_egress_icmp_rules = \
                        self.test_obj.get_nic_icmp_egress_rules(nic_uuid)
                if not source_nic_egress_icmp_rules:
                    if self.test_obj.get_nic_tcp_egress_rules(nic_uuid) or \
                            self.test_obj.get_nic_udp_egress_rules(nic_uuid):
                        if not nic_uuid in denied_nic_list:
                            denied_nic_list.append(nic_uuid)
                    else:
                        if not nic_uuid in temp_allowed_src_nic_list:
                            temp_allowed_src_nic_list.append(nic_uuid)
                else:
                    for rule in source_nic_egress_icmp_rules:
                        if target_ip in rule.allowedCidr:
                            if not nic_uuid in allowed_src_nic_list:
                                allowed_src_nic_list.append(nic_uuid)
                            break
                    else:
                        if not nic_uuid in denied_nic_list:
                            denied_nic_list.append(nic_uuid)

        for nic_uuid in list(denied_nic_list):
            if nic_uuid in allowed_src_nic_list:
                denied_nic_list.remove(nic_uuid)

        for nic_uuid in temp_allowed_src_nic_list:
            if not nic_uuid in denied_nic_list and \
                    not nic_uuid in allowed_src_nic_list:
                allowed_src_nic_list.append(nic_uuid)


        allowed_vm_list = get_all_running_vms_by_nics(allowed_src_nic_list)
        denied_vm_list = get_all_running_vms_by_nics(denied_nic_list)

        for src_vm in allowed_vm_list:
            if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True):
                test_util.test_logger('Check result: [Security Group] pass ICMP rule checking to ping [vm:] %s from [vm:] %s' % (src_vm.uuid, dst_vm.uuid))
            else:
                test_util.test_logger('Check result: [Security Group] is FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid))
                test_result = False

        for src_vm in denied_vm_list:
            if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True):
                test_util.test_logger('Unexpected Result: [Security Group] ICMP ping [vm:] %s from [vm:] %s successfully' % (src_vm.uuid, dst_vm.uuid))
                test_result = False
            else:
                test_util.test_logger('Expected Result: [Security Group] FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid))

        test_util.test_logger('Check result: [Security Group] finishes ICMP connection testing from other attached VMs to target [vm:] %s in same SG.' % dst_vm.uuid)
        print_iptables(dst_vm)
        return self.judge(test_result)
    def check(self):
        test_util.test_dsc('Check TCP access between SG VMs.')
        super(zstack_kvm_sg_tcp_internal_vms_checker, self).check()
        nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
        l3_uuid = nic.l3NetworkUuid
        if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
            test_util.test_logger("Skip SG test for [l3:] %s, since it doesn't provide DHCP service" % l3_uuid)
            return self.judge(self.exp_result)

        test_result = True
        all_ports = port_header.all_ports

        tcp_egress_rules = self.test_obj.get_nic_tcp_egress_rules(self.nic_uuid)
        src_all_allowed_egress_ports = get_all_ports(tcp_egress_rules)
        if not src_all_allowed_egress_ports:
            src_all_allowed_egress_ports = list(all_ports)
        #src_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(self.nic_uuid))
        #if not src_all_allowed_ingress_ports:
        #    src_all_allowed_ingress_ports = list(all_ports)

        nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid)
        src_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid)

        #save all shared sg for self.nic_uuid, the key was the other nic_uuid, who shared sg with self.nic_uuid
        nic_shared_sg_dict = {}

        #find all other nic shared with same sg.
        for sg in nic_sg_list:
            same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid))
            if len(same_l3_nic_list) == 1:
                test_util.test_logger("Skip [SG:] %s, since there is not 2nd VM is attached in this SG." % sg.security_group.uuid)
                continue

            if self.nic_uuid in same_l3_nic_list:
                same_l3_nic_list.remove(self.nic_uuid)

            for nic_uuid in same_l3_nic_list:
                if not nic_shared_sg_dict.has_key(nic_uuid):
                    nic_shared_sg_dict[nic_uuid] = [sg]
                elif not sg in nic_shared_sg_dict[nic_uuid]:
                    nic_shared_sg_dict[nic_uuid].append(sg)

        #for each shared sg nic to test.
        for nic_uuid in nic_shared_sg_dict.keys():
            dst_vm = test_lib.lib_get_vm_by_nic(nic_uuid)

            if dst_vm.state != inventory.RUNNING:
                test_util.test_logger("Skip [vm:] %s, since it is not running." % dst_vm.uuid)
                continue

            allowed_ingress_ports = []
            allowed_egress_ports = []

            #find out all shared SG ingress ports and egress ports
            for sg in nic_shared_sg_dict[nic_uuid]:
                sg_allowed_ingress_ports = \
                        get_all_ports(sg.get_tcp_ingress_all_rule())

                for port in sg_allowed_ingress_ports:
                    if not port in allowed_ingress_ports:
                        allowed_ingress_ports.append(port)

                sg_allowed_egress_ports = \
                        get_all_ports(sg.get_tcp_egress_all_rule())

                if not sg_allowed_egress_ports:
                    sg_allowed_egress_ports = list(all_ports)

                for port in sg_allowed_egress_ports:
                    if not port in allowed_egress_ports:
                        allowed_egress_ports.append(port)

            #find out all not shared SG ingress and egress ports for target 
            src_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(self.nic_uuid).ip
            dst_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(nic_uuid).ip

            #query all other left SG rules, which might not shard between src_vm
            #and dst_vm, but setting specifically for these two vms. 
            for in_port in get_all_ports(self.test_obj.get_nic_tcp_ingress_rule_by_addr(nic_uuid, src_vm_allowedCidr)):
                if not in_port in allowed_ingress_ports:
                    allowed_ingress_ports.append(in_port)

            for out_port in get_all_ports(self.test_obj.get_nic_tcp_egress_rule_by_addr(self.nic_uuid, dst_vm_allowedCidr)):
                if not out_port in allowed_egress_ports:
                    allowed_egress_ports.append(out_port)

            dst_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(nic_uuid))

            if not dst_all_allowed_ingress_ports:
                test_util.test_logger('Destinated VM nic: %s does not allow any ingress rule, since it does not set any ingress rule' % nic_uuid)
                continue
            #if (not allowed_ingress_ports) \
            #    and (not dst_all_allowed_ingress_ports) \
            #    and (not self.test_obj.get_nic_udp_ingress_rules(nic_uuid)) \
            #    and (not self.test_obj.get_nic_icmp_ingress_rules(nic_uuid)):
            #        
            #    allowed_ingress_ports = list(all_ports)

            #if not find suitable port, means all egress opened. 
            if (not src_all_allowed_egress_ports) \
                and (not self.test_obj.get_nic_udp_egress_rules(nic_uuid)) \
                and (not self.test_obj.get_nic_icmp_egress_rules(nic_uuid)):

                allowed_egress_ports = list(all_ports)

            if internal_sg_allow_all(self.nic_uuid, nic_uuid, 'Ingress'):
                allowed_ingress_ports = all_ports

            if internal_sg_allow_all(self.nic_uuid, nic_uuid, 'Egress'):
                allowed_egress_ports = all_ports

            shared_ports = get_shared_ports(allowed_egress_ports, \
                    allowed_ingress_ports)

            not_shared_ports = list_ops.list_minus(all_ports, shared_ports)

            test_lib.lib_open_vm_listen_ports(dst_vm, all_ports, l3_uuid)
            try:
                test_lib.lib_check_vm_ports(src_vm, dst_vm, shared_ports, \
                        not_shared_ports)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger('Check result: [Security Group] meets failure when checking TCP Egress rule between [src_vm:] %s and [dst_vm:] %s. ' % (src_vm.uuid, dst_vm.uuid))
                test_result = False
                break

        test_util.test_logger('Check result: [Security Group] finishes TCP connection testing from [vm:] %s to other VMs in same SG.' % src_vm.uuid)
        print_iptables(src_vm)
        return self.judge(test_result)
    def check(self):
        super(zstack_vcenter_sg_icmp_internal_vms_checker, self).check()
        #only check ingress icmp.
        if not self.test_obj.get_nic_icmp_ingress_rules(self.nic_uuid):
            test_util.test_logger("Skip SG internal ICMP test, since there isn't icmp ingress rules for nic: %s" % self.nic_uuid)
            return self.judge(self.exp_result)

        test_result = True

        test_util.test_dsc('Check ICMP rules between attached VMs')
        nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid)
        nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
        dst_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid)
        l3_uuid = nic.l3NetworkUuid
        if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
            test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, test vm's IP address is not stable." % l3_uuid)
            return self.judge(self.exp_result)

        target_ip = nic.ip
        allowed_src_nic_list = []
        temp_allowed_src_nic_list = []
        denied_nic_list = []
        for sg in nic_sg_list:
            same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid))
            if len(same_l3_nic_list) < 2 :
                test_util.test_logger("Skip [l3:] %s ICMP internal VMs checking, since there is less 2 SG VMs in this l3." % l3_uuid)
                continue

            #if source vm's udp and tcp engress rules exist, while icmp ingress
            # rule does not exist, the src vm egress icmp should be denied.
            #minus current nic.
            nic_list_temp = list_ops.list_minus(list(same_l3_nic_list), [nic.uuid])
            for nic_uuid in nic_list_temp:
                source_nic_egress_icmp_rules = \
                        self.test_obj.get_nic_icmp_egress_rules(nic_uuid)
                if not source_nic_egress_icmp_rules:
                    if self.test_obj.get_nic_tcp_egress_rules(nic_uuid) or \
                            self.test_obj.get_nic_udp_egress_rules(nic_uuid):
                        if not nic_uuid in denied_nic_list:
                            denied_nic_list.append(nic_uuid)
                    else:
                        if not nic_uuid in temp_allowed_src_nic_list:
                            temp_allowed_src_nic_list.append(nic_uuid)
                else:
                    for rule in source_nic_egress_icmp_rules:
                        if target_ip in rule.allowedCidr:
                            if not nic_uuid in allowed_src_nic_list:
                                allowed_src_nic_list.append(nic_uuid)
                            break
                    else:
                        if not nic_uuid in denied_nic_list:
                            denied_nic_list.append(nic_uuid)

        for nic_uuid in list(denied_nic_list):
            if nic_uuid in allowed_src_nic_list:
                denied_nic_list.remove(nic_uuid)

        for nic_uuid in temp_allowed_src_nic_list:
            if not nic_uuid in denied_nic_list and \
                    not nic_uuid in allowed_src_nic_list:
                allowed_src_nic_list.append(nic_uuid)


        allowed_vm_list = get_all_running_vms_by_nics(allowed_src_nic_list)
        denied_vm_list = get_all_running_vms_by_nics(denied_nic_list)

        for src_vm in allowed_vm_list:
            if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True):
                test_util.test_logger('Check result: [Security Group] pass ICMP rule checking to ping [vm:] %s from [vm:] %s' % (src_vm.uuid, dst_vm.uuid))
            else:
                test_util.test_logger('Check result: [Security Group] is FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid))
                test_result = False

        for src_vm in denied_vm_list:
            if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True):
                test_util.test_logger('Unexpected Result: [Security Group] ICMP ping [vm:] %s from [vm:] %s successfully' % (src_vm.uuid, dst_vm.uuid))
                test_result = False
            else:
                test_util.test_logger('Expected Result: [Security Group] FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid))

        test_util.test_logger('Check result: [Security Group] finishes ICMP connection testing from other attached VMs to target [vm:] %s in same SG.' % dst_vm.uuid)
        print_iptables(dst_vm)
        return self.judge(test_result)
    def check(self):
        test_util.test_dsc('Check TCP access between SG VMs.')
        super(zstack_vcenter_sg_tcp_internal_vms_checker, self).check()
        nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
        l3_uuid = nic.l3NetworkUuid
        if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
            test_util.test_logger("Skip SG test for [l3:] %s, since it doesn't provide DHCP service" % l3_uuid)
            return self.judge(self.exp_result)

        test_result = True
        all_ports = port_header.all_ports

        tcp_egress_rules = self.test_obj.get_nic_tcp_egress_rules(self.nic_uuid)
        src_all_allowed_egress_ports = get_all_ports(tcp_egress_rules)
        if not src_all_allowed_egress_ports:
            src_all_allowed_egress_ports = list(all_ports)
        #src_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(self.nic_uuid))
        #if not src_all_allowed_ingress_ports:
        #    src_all_allowed_ingress_ports = list(all_ports)

        nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid)
        src_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid)

        #save all shared sg for self.nic_uuid, the key was the other nic_uuid, who shared sg with self.nic_uuid
        nic_shared_sg_dict = {}

        #find all other nic shared with same sg.
        for sg in nic_sg_list:
            same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid))
            if len(same_l3_nic_list) == 1:
                test_util.test_logger("Skip [SG:] %s, since there is not 2nd VM is attached in this SG." % sg.security_group.uuid)
                continue

            if self.nic_uuid in same_l3_nic_list:
                same_l3_nic_list.remove(self.nic_uuid)

            for nic_uuid in same_l3_nic_list:
                if not nic_shared_sg_dict.has_key(nic_uuid):
                    nic_shared_sg_dict[nic_uuid] = [sg]
                elif not sg in nic_shared_sg_dict[nic_uuid]:
                    nic_shared_sg_dict[nic_uuid].append(sg)

        #for each shared sg nic to test.
        for nic_uuid in nic_shared_sg_dict.keys():
            dst_vm = test_lib.lib_get_vm_by_nic(nic_uuid)

            if dst_vm.state != inventory.RUNNING:
                test_util.test_logger("Skip [vm:] %s, since it is not running." % dst_vm.uuid)
                continue

            allowed_ingress_ports = []
            allowed_egress_ports = []

            #find out all shared SG ingress ports and egress ports
            for sg in nic_shared_sg_dict[nic_uuid]:
                sg_allowed_ingress_ports = \
                        get_all_ports(sg.get_tcp_ingress_all_rule())

                for port in sg_allowed_ingress_ports:
                    if not port in allowed_ingress_ports:
                        allowed_ingress_ports.append(port)

                sg_allowed_egress_ports = \
                        get_all_ports(sg.get_tcp_egress_all_rule())

                if not sg_allowed_egress_ports:
                    sg_allowed_egress_ports = list(all_ports)

                for port in sg_allowed_egress_ports:
                    if not port in allowed_egress_ports:
                        allowed_egress_ports.append(port)

            #find out all not shared SG ingress and egress ports for target 
            src_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(self.nic_uuid).ip
            dst_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(nic_uuid).ip

            #query all other left SG rules, which might not shard between src_vm
            #and dst_vm, but setting specifically for these two vms. 
            for in_port in get_all_ports(self.test_obj.get_nic_tcp_ingress_rule_by_addr(nic_uuid, src_vm_allowedCidr)):
                if not in_port in allowed_ingress_ports:
                    allowed_ingress_ports.append(in_port)

            for out_port in get_all_ports(self.test_obj.get_nic_tcp_egress_rule_by_addr(self.nic_uuid, dst_vm_allowedCidr)):
                if not out_port in allowed_egress_ports:
                    allowed_egress_ports.append(out_port)

            dst_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(nic_uuid))

            if not dst_all_allowed_ingress_ports:
                test_util.test_logger('Destinated VM nic: %s does not allow any ingress rule, since it does not set any ingress rule' % nic_uuid)
                continue
            #if (not allowed_ingress_ports) \
            #    and (not dst_all_allowed_ingress_ports) \
            #    and (not self.test_obj.get_nic_udp_ingress_rules(nic_uuid)) \
            #    and (not self.test_obj.get_nic_icmp_ingress_rules(nic_uuid)):
            #        
            #    allowed_ingress_ports = list(all_ports)

            #if not find suitable port, means all egress opened. 
            if (not src_all_allowed_egress_ports) \
                and (not self.test_obj.get_nic_udp_egress_rules(nic_uuid)) \
                and (not self.test_obj.get_nic_icmp_egress_rules(nic_uuid)):

                allowed_egress_ports = list(all_ports)

            shared_ports = get_shared_ports(allowed_egress_ports, \
                    allowed_ingress_ports)

            not_shared_ports = list_ops.list_minus(all_ports, shared_ports)

            test_lib.lib_open_vm_listen_ports(dst_vm, all_ports, l3_uuid)
            try:
                test_lib.lib_check_vm_ports(src_vm, dst_vm, shared_ports, \
                        not_shared_ports)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger('Check result: [Security Group] meets failure when checking TCP Egress rule between [src_vm:] %s and [dst_vm:] %s. ' % (src_vm.uuid, dst_vm.uuid))
                test_result = False
                break

        test_util.test_logger('Check result: [Security Group] finishes TCP connection testing from [vm:] %s to other VMs in same SG.' % src_vm.uuid)
        print_iptables(src_vm)
        return self.judge(test_result)