Merge "Fix AH-ESP transform protocol in IPSec Policy"

neutron_vpnaas/db/vpn/vpn_db.py

@@ -357,12 +357,14 @@ class VPNPluginDb(vpnaas.VPNPluginBase, base_db.CommonDbMixin):
 
     def create_ipsecpolicy(self, context, ipsecpolicy):
         ipsecp = ipsecpolicy['ipsecpolicy']
+        validator = self._get_validator()
         tenant_id = self._get_tenant_id_for_create(context, ipsecp)
         lifetime_info = ipsecp['lifetime']
         lifetime_units = lifetime_info.get('units', 'seconds')
         lifetime_value = lifetime_info.get('value', 3600)
 
         with context.session.begin(subtransactions=True):
+            validator.validate_ipsec_policy(context, ipsecp)
             ipsecp_db = vpn_models.IPsecPolicy(
                 id=uuidutils.generate_uuid(),
                 tenant_id=tenant_id,
@@ -380,7 +382,9 @@ class VPNPluginDb(vpnaas.VPNPluginBase, base_db.CommonDbMixin):
 
     def update_ipsecpolicy(self, context, ipsecpolicy_id, ipsecpolicy):
         ipsecp = ipsecpolicy['ipsecpolicy']
+        validator = self._get_validator()
         with context.session.begin(subtransactions=True):
+            validator.validate_ipsec_policy(context, ipsecp)
             if context.session.query(vpn_models.IPsecSiteConnection).filter_by(
                     ipsecpolicy_id=ipsecpolicy_id).first():
                 raise vpnaas.IPsecPolicyInUse(ipsecpolicy_id=ipsecpolicy_id)

neutron_vpnaas/db/vpn/vpn_validator.py

@@ -135,3 +135,11 @@ class VpnReferenceValidator(object):
         self._check_router(context, vpnservice['router_id'])
         self._check_subnet_id(context, vpnservice['router_id'],
                               vpnservice['subnet_id'])
+
+    def validate_ipsec_policy(self, context, ipsec_policy):
+        """Reference implementation of validation for IPSec Policy.
+
+        Service driver can override and implement specific logic
+        for IPSec Policy validation.
+        """
+        pass

neutron_vpnaas/services/vpn/service_drivers/ipsec.py

@@ -18,6 +18,7 @@ from oslo_log import log as logging
 
 from neutron_vpnaas.services.vpn.common import topics
 from neutron_vpnaas.services.vpn.service_drivers import base_ipsec
+from neutron_vpnaas.services.vpn.service_drivers import ipsec_validator
 
 
 LOG = logging.getLogger(__name__)
@@ -30,7 +31,9 @@ class IPsecVPNDriver(base_ipsec.BaseIPsecVPNDriver):
     """VPN Service Driver class for IPsec."""
 
     def __init__(self, service_plugin):
-        super(IPsecVPNDriver, self).__init__(service_plugin)
+        super(IPsecVPNDriver, self).__init__(
+            service_plugin,
+            ipsec_validator.IpsecVpnValidator(service_plugin))
 
     def create_rpc_conn(self):
         self.endpoints = [base_ipsec.IPsecVpnDriverCallBack(self)]

neutron_vpnaas/services/vpn/service_drivers/ipsec_validator.py

@@ -0,0 +1,48 @@
+# Copyright 2015 Awcloud Inc.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron.common import exceptions
+from oslo_log import log as logging
+
+from neutron_vpnaas.db.vpn import vpn_validator
+
+
+LOG = logging.getLogger(__name__)
+
+
+class IpsecValidationFailure(exceptions.BadRequest):
+    message = _("IPSec does not support %(resource)s attribute %(key)s "
+                "with value '%(value)s'")
+
+
+class IpsecVpnValidator(vpn_validator.VpnReferenceValidator):
+
+    """Validator methods for the Openswan, Strongswan and Libreswan."""
+
+    def __init__(self, service_plugin):
+        self.service_plugin = service_plugin
+        super(IpsecVpnValidator, self).__init__()
+
+    def validate_ipsec_policy(self, context, ipsec_policy):
+        """Restrict selecting ah-esp as IPSec Policy transform protocol.
+
+        For those *Swan implementations, the 'ah-esp' transform protocol
+        is not supported and therefore the request should be rejected.
+        """
+        transform_protocol = ipsec_policy.get('transform_protocol')
+        if transform_protocol == "ah-esp":
+            raise IpsecValidationFailure(
+                resource='IPsec Policy',
+                key='transform_protocol',
+                value=transform_protocol)

neutron_vpnaas/tests/unit/services/vpn/service_drivers/test_ipsec.py

@@ -23,10 +23,11 @@ from neutron.plugins.common import constants
 from oslo_config import cfg
 from oslo_utils import uuidutils
 
-from neutron_vpnaas.db.vpn import vpn_validator
 from neutron_vpnaas.extensions import vpnaas
 from neutron_vpnaas.services.vpn import plugin as vpn_plugin
 from neutron_vpnaas.services.vpn.service_drivers import ipsec as ipsec_driver
+from neutron_vpnaas.services.vpn.service_drivers \
+    import ipsec_validator as vpn_validator
 from neutron_vpnaas.tests import base
 
 _uuid = uuidutils.generate_uuid
@@ -81,7 +82,7 @@ class TestValidatorSelection(base.BaseTestCase):
 
     def test_reference_driver_used(self):
         self.assertIsInstance(self.vpn_plugin._get_validator(),
-                              vpn_validator.VpnReferenceValidator)
+                              vpn_validator.IpsecVpnValidator)
 
 
 class TestIPsecDriverValidation(base.BaseTestCase):
@@ -96,7 +97,8 @@ class TestIPsecDriverValidation(base.BaseTestCase):
         mock.patch('neutron.manager.NeutronManager.get_plugin',
                    return_value=self.core_plugin).start()
         self.context = n_ctx.Context('some_user', 'some_tenant')
-        self.validator = vpn_validator.VpnReferenceValidator()
+        self.service_plugin = mock.Mock()
+        self.validator = vpn_validator.IpsecVpnValidator(self.service_plugin)
         self.router = mock.Mock()
         self.router.gw_port = {'fixed_ips': [{'ip_address': '10.0.0.99'}]}
 
@@ -212,6 +214,12 @@ class TestIPsecDriverValidation(base.BaseTestCase):
         fixed_ips = [{'ip_address': '10.0.0.99'}]
         self._validate_peer_address(fixed_ips, IPV6, expected_exception=True)
 
+    def test_validate_ipsec_policy(self):
+        ipsec_policy = {'transform_protocol': 'ah-esp'}
+        self.assertRaises(vpn_validator.IpsecValidationFailure,
+                          self.validator.validate_ipsec_policy,
+                          self.context, ipsec_policy)
+
     def test_defaults_for_ipsec_site_connections_on_update(self):
         """Check that defaults are used for any values not specified."""
         ipsec_sitecon = {}
@@ -287,7 +295,7 @@ class TestIPsecDriverValidation(base.BaseTestCase):
 
     def test_bad_mtu_for_ipsec_connection(self):
         """Failure test of invalid MTU values for IPSec conn create/update."""
-        ip_version_limits = vpn_validator.VpnReferenceValidator.IP_MIN_MTU
+        ip_version_limits = vpn_validator.IpsecVpnValidator.IP_MIN_MTU
         for version, limit in ip_version_limits.items():
             ipsec_sitecon = {'mtu': limit - 1,
                              'dpd_action': 'hold',