diff --git a/neutron/tests/api/admin/test_extension_driver_port_security_admin.py b/neutron/tests/api/admin/test_extension_driver_port_security_admin.py
new file mode 100644
index 00000000000..2e28371d2ff
--- /dev/null
+++ b/neutron/tests/api/admin/test_extension_driver_port_security_admin.py
@@ -0,0 +1,32 @@
+# Copyright 2015 Cisco Systems, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron.tests.api import base
+from neutron.tests.api import base_security_groups as base_security
+from neutron.tests.tempest import test
+from tempest_lib import exceptions as lib_exc
+
+
+class PortSecurityAdminTests(base_security.BaseSecGroupTest,
+ base.BaseAdminNetworkTest):
+
+ @test.attr(type=['negative', 'smoke'])
+ @test.idempotent_id('d39a96e2-2dea-4feb-8093-e7ac991ce6f8')
+ def test_create_port_security_false_on_shared_network(self):
+ network = self.create_shared_network()
+ self.assertTrue(network['shared'])
+ self.create_subnet(network, client=self.admin_client)
+ self.assertRaises(lib_exc.Forbidden, self.create_port,
+ network, port_security_enabled=False)
diff --git a/neutron/tests/api/base.py b/neutron/tests/api/base.py
index e0c7386611b..25ae565e580 100644
--- a/neutron/tests/api/base.py
+++ b/neutron/tests/api/base.py
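Review bot: test_create_port_security_false_on_shared_network has no `@test.requires_ext(extension='port-security', service='network')` guard, although the port-security tests in test_extension_driver_port_security.py carry it; test_allow_address_pairs, added in the last hunk of that file, shows the same gap in its visible decorators. Where the extension is not loaded the request would presumably be rejected for a reason other than policy, so the test would fail instead of being skipped. A short comment above the assertRaises call would also help, e.g. `# Port is created with the tenant client: disabling port security on a shared network must be refused by policy`, assuming self.create_port uses the non-admin client (not visible in this diff).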
@@ -188,11 +188,11 @@ class BaseNetworkTest(neutron.tests.tempest.test.BaseTestCase): pass @classmethod - def create_network(cls, network_name=None): + def create_network(cls, network_name=None, **kwargs): """Wrapper utility that returns a test network.""" network_name = network_name or data_utils.rand_name('test-network-') - body = cls.client.create_network(name=network_name) + body = cls.client.create_network(name=network_name, **kwargs) network = body['network'] cls.networks.append(network) return network diff --git a/neutron/tests/api/test_extension_driver_port_security.py b/neutron/tests/api/test_extension_driver_port_security.py index 10ccb224dbb..6e5d32eb593 100644 --- a/neutron/tests/api/test_extension_driver_port_security.py +++ b/neutron/tests/api/test_extension_driver_port_security.py 
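Review bot: The docstring of create_network still reads `"""Wrapper utility that returns a test network."""` and does not mention the new `**kwargs`, which are forwarded unchanged to `cls.client.create_network`. I would extend it to say that extra keyword arguments are sent as network attributes in the create request (this commit passes `port_security_enabled`), and that `name` must not be supplied there because it is already passed explicitly and a duplicate would raise a TypeError.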
@@ -13,34 +13,22 @@ # License for the specific language governing permissions and limitations # under the License. -from tempest_lib.common.utils import data_utils -from tempest_lib import exceptions as lib_exc +import ddt -from neutron.tests.api import base_security_groups as base +from neutron.tests.api import base +from neutron.tests.api import base_security_groups as base_security from neutron.tests.tempest import config from neutron.tests.tempest import test - +from tempest_lib import exceptions as lib_exc CONF = config.CONF FAKE_IP = '10.0.0.1' FAKE_MAC = '00:25:64:e8:19:dd' -class PortSecTest(base.BaseSecGroupTest): - - @classmethod - def resource_setup(cls): - super(PortSecTest, cls).resource_setup() - - def _create_network(self, network_name=None, port_security_enabled=True): - """Wrapper utility that returns a test network.""" - network_name = network_name or data_utils.rand_name('test-network') - - body = self.client.create_network( - name=network_name, port_security_enabled=port_security_enabled) - network = body['network'] - self.networks.append(network) - return network +@ddt.ddt +class PortSecTest(base_security.BaseSecGroupTest, + base.BaseNetworkTest): @test.attr(type='smoke') @test.idempotent_id('7c338ddf-e64e-4118-bd33-e49a1f2f1495') 
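Review bot: `from tempest_lib import exceptions as lib_exc` now sits at the end of the neutron import group, while `import ddt` gets its own third-party group above; the removed lines had the tempest_lib imports in the third-party group. Moving it next to `import ddt` keeps the grouping consistent: `import ddt`, then `from tempest_lib import exceptions as lib_exc`, then a blank line and the neutron imports. The new admin test module in this commit has the same ordering and could be adjusted with it.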
@@ -49,29 +37,41 @@ class PortSecTest(base.BaseSecGroupTest): # Default port-sec value is True, and the attr of the port will inherit # from the port-sec of the network when it not be specified in API network = self.create_network() - self.create_subnet(network) self.assertTrue(network['port_security_enabled']) + self.create_subnet(network) port = self.create_port(network) self.assertTrue(port['port_security_enabled']) @test.attr(type='smoke') @test.idempotent_id('e60eafd2-31de-4c38-8106-55447d033b57') @test.requires_ext(extension='port-security', service='network') - def test_port_sec_specific_value(self): - network = self.create_network() - - self.assertTrue(network['port_security_enabled']) + @ddt.unpack + @ddt.data({'port_sec_net': False, 'port_sec_port': True, 'expected': True}, + {'port_sec_net': True, 'port_sec_port': False, + 'expected': False}) + def test_port_sec_specific_value(self, port_sec_net, port_sec_port, + expected): + network = self.create_network(port_security_enabled=port_sec_net) self.create_subnet(network) - port = self.create_port(network, port_security_enabled=False) - self.assertFalse(port['port_security_enabled']) + port = self.create_port(network, port_security_enabled=port_sec_port) + self.assertEqual(network['port_security_enabled'], port_sec_net) + self.assertEqual(port['port_security_enabled'], expected) - # Create a network with port-sec set to False - network = self._create_network(port_security_enabled=False) - - self.assertFalse(network['port_security_enabled']) + @test.attr(type=['smoke']) + @test.idempotent_id('05642059-1bfc-4581-9bc9-aaa5db08dd60') + @test.requires_ext(extension='port-security', service='network') + def test_create_port_sec_with_security_group(self): + network = self.create_network(port_security_enabled=True) self.create_subnet(network) - port = self.create_port(network, port_security_enabled=True) + + port = self.create_port(network, security_groups=[]) self.assertTrue(port['port_security_enabled']) + 
self.client.delete_port(port['id']) + + port = self.create_port(network, security_groups=[], + port_security_enabled=False) + self.assertFalse(port['port_security_enabled']) + self.assertEmpty(port['security_groups']) @test.attr(type=['negative', 'smoke']) @test.idempotent_id('05642059-1bfc-4581-9bc9-aaa5db08dd60') 
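Review bot: test_create_port_sec_with_security_group is given `@test.idempotent_id('05642059-1bfc-4581-9bc9-aaa5db08dd60')`, the same id that the trailing context lines show on the existing test_port_sec_update_port_failed, and the next hunk uses it a third time on test_port_sec_update_pass. An idempotent id is meant to identify exactly one test, so both new tests need a freshly generated UUID, e.g. `@test.idempotent_id('<new-uuid4>')` (placeholder, to be generated). Any tooling that tracks or de-duplicates tests by this id would otherwise presumably conflate the three.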
@@ -79,16 +79,72 @@ class PortSecTest(base.BaseSecGroupTest): def test_port_sec_update_port_failed(self): network = self.create_network() self.create_subnet(network) + + sec_group_body, sec_group_name = self._create_security_group() port = self.create_port(network) # Exception when set port-sec to False with sec-group defined - self.assertRaises(lib_exc.Conflict, - self.update_port, port, port_security_enabled=False) + self.assertRaises(lib_exc.Conflict, self.update_port, port, + port_security_enabled=False) - updated_port = self.update_port( - port, security_groups=[], port_security_enabled=False) - self.assertFalse(updated_port['port_security_enabled']) + port = self.update_port(port, security_groups=[], + port_security_enabled=False) + self.assertEmpty(port['security_groups']) + self.assertFalse(port['port_security_enabled']) + port = self.update_port( + port, security_groups=[sec_group_body['security_group']['id']], + port_security_enabled=True) + self.assertNotEmpty(port['security_groups']) + self.assertTrue(port['port_security_enabled']) + + # Remove security group from port before deletion on resource_cleanup + self.update_port(port, security_groups=[]) + + @test.attr(type=['smoke']) + @test.idempotent_id('05642059-1bfc-4581-9bc9-aaa5db08dd60') + @test.requires_ext(extension='port-security', service='network') + def test_port_sec_update_pass(self): + network = self.create_network() + self.create_subnet(network) + sec_group, _ = self._create_security_group() + sec_group_id = sec_group['security_group']['id'] + port = self.create_port(network, security_groups=[sec_group_id], + port_security_enabled=True) + + self.assertNotEmpty(port['security_groups']) + self.assertTrue(port['port_security_enabled']) + + port = self.update_port(port, security_groups=[]) + self.assertEmpty(port['security_groups']) + self.assertTrue(port['port_security_enabled']) + + port = self.update_port(port, security_groups=[sec_group_id]) + self.assertNotEmpty(port['security_groups']) + 
port = self.update_port(port, security_groups=[], + port_security_enabled=False) + self.assertEmpty(port['security_groups']) + self.assertFalse(port['port_security_enabled']) + + @test.attr(type=['smoke']) + @test.idempotent_id('2df6114b-b8c3-48a1-96e8-47f08159d35c') + @test.requires_ext(extension='port-security', service='network') + def test_delete_with_port_sec(self): + network = self.create_network(port_security_enabled=True) + port = self.create_port(network=network, + port_security_enabled=True) + self.client.delete_port(port['id']) + self.assertTrue(self.client.is_resource_deleted('port', port['id'])) + self.client.delete_network(network['id']) + self.assertTrue( + self.client.is_resource_deleted('network', network['id'])) + + @test.attr(type=['negative', 'smoke']) + @test.idempotent_id('ed93e453-3f8d-495e-8e7e-b0e268c2ebd9') + def test_allow_address_pairs(self): + network = self.create_network() + self.create_subnet(network) + port = self.create_port(network=network, port_security_enabled=False) allowed_address_pairs = [{'ip_address': FAKE_IP, 'mac_address': FAKE_MAC}] diff --git a/test-requirements.txt b/test-requirements.txt index be4bd087cbc..5648e677f75 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -17,3 +17,4 @@ testscenarios>=0.4 WebTest>=2.0 oslotest>=1.5.1 # Apache-2.0 tempest-lib>=0.5.0 +ddt>=0.7.0
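Review bot: In test_port_sec_update_port_failed the Conflict check depends on the port already carrying a security group, but the port is created with `self.create_port(network)` and the group from `_create_security_group()` is attached only in a later update, so the precondition rests on an implicit default group. Adding `self.assertNotEmpty(port['security_groups'])` before the `assertRaises(lib_exc.Conflict, ...)` call would make the test fail clearly if that assumption stops holding, rather than reporting a missing Conflict. The function's decorators lie above the hunk, so this is based on the body shown here.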