Switch to neutron for security groups
Change-Id: Ic7f5f2d9d01c2de07555da3a7ccfb3bf535e9f59
parent
5fd737959b
commit
bce05180a8
|
@ -25,7 +25,8 @@ else:
|
|||
class ResourceManager(object):
|
||||
def __init__(self, stack, base_name, get_network_steps, get_subnet_steps,
|
||||
port_steps, get_floating_ip_steps, get_server_steps,
|
||||
get_security_group_steps, public_network):
|
||||
get_neutron_security_group_steps,
|
||||
get_neutron_security_group_rule_steps, public_network):
|
||||
self.stack = stack
|
||||
self.base_name = base_name
|
||||
self.get_network_steps = get_network_steps
|
||||
|
@ -33,7 +34,10 @@ class ResourceManager(object):
|
|||
self.port_steps = port_steps
|
||||
self.get_floating_ip_steps = get_floating_ip_steps
|
||||
self.get_server_steps = get_server_steps
|
||||
self.get_security_group_steps = get_security_group_steps
|
||||
self.get_neutron_security_group_steps = (
|
||||
get_neutron_security_group_steps)
|
||||
self.get_neutron_security_group_rule_steps = (
|
||||
get_neutron_security_group_rule_steps)
|
||||
self.public_network = public_network
|
||||
|
||||
def _add_fin(self, steps_getter, fn_name, *args, **kwargs):
|
||||
|
@ -59,12 +63,12 @@ class ResourceManager(object):
|
|||
|
||||
def _create_security_group(self):
|
||||
# Create security groups
|
||||
security_group_steps = self.get_security_group_steps()
|
||||
security_group = security_group_steps.create_group(self.base_name)
|
||||
self._add_fin(self.get_security_group_steps, 'delete_group',
|
||||
security_group_steps = self.get_neutron_security_group_steps()
|
||||
security_group = security_group_steps.create(self.base_name)
|
||||
self._add_fin(self.get_neutron_security_group_steps, 'delete',
|
||||
security_group)
|
||||
security_group_steps.add_group_rules(
|
||||
security_group, stepler_config.SECURITY_GROUP_SSH_PING_RULES)
|
||||
self.get_neutron_security_group_rule_steps().add_rules_to_group(
|
||||
security_group['id'], stepler_config.SECURITY_GROUP_SSH_PING_RULES)
|
||||
return security_group
|
||||
|
||||
def _create_server(self, image, flavor, nova_host, network, ip,
|
||||
|
@ -135,12 +139,12 @@ def project_2(create_user_with_project):
|
|||
|
||||
|
||||
@pytest.fixture
|
||||
def different_tenants_resources(request,
|
||||
project_2, credentials, create_user_with_project, cirros_image,
|
||||
sorted_hypervisors, get_network_steps, get_subnet_steps,
|
||||
def different_tenants_resources(
|
||||
request, project_2, credentials, create_user_with_project,
|
||||
cirros_image, sorted_hypervisors, get_network_steps, get_subnet_steps,
|
||||
get_server_steps, port_steps, get_floating_ip_steps, public_flavor,
|
||||
public_network, get_security_group_steps,
|
||||
nova_availability_zone_hosts):
|
||||
public_network, get_neutron_security_group_steps,
|
||||
get_neutron_security_group_rule_steps, nova_availability_zone_hosts):
|
||||
"""Fixture to create network, subnet and server on each of 2 projects.
|
||||
|
||||
Created subnets has same CIDR.
|
||||
|
@ -152,7 +156,9 @@ def different_tenants_resources(request,
|
|||
default_params = {
|
||||
'subnet_cidr': '10.0.0.0/24',
|
||||
'base_name': next(utils.generate_ids()),
|
||||
'ips': ('10.0.0.11', '10.0.0.21',)
|
||||
'ips': (
|
||||
'10.0.0.11',
|
||||
'10.0.0.21', )
|
||||
}
|
||||
default_params.update(getattr(request, 'param', {}))
|
||||
|
||||
|
@ -168,10 +174,11 @@ def different_tenants_resources(request,
|
|||
|
||||
with contextlib.ExitStack() as stack:
|
||||
|
||||
mrg = ResourceManager(stack, base_name, get_network_steps,
|
||||
get_subnet_steps, port_steps,
|
||||
get_floating_ip_steps, get_server_steps,
|
||||
get_security_group_steps, public_network)
|
||||
mrg = ResourceManager(
|
||||
stack, base_name, get_network_steps, get_subnet_steps, port_steps,
|
||||
get_floating_ip_steps, get_server_steps,
|
||||
get_neutron_security_group_steps,
|
||||
get_neutron_security_group_rule_steps, public_network)
|
||||
|
||||
projects_resources = []
|
||||
|
||||
|
@ -182,8 +189,7 @@ def different_tenants_resources(request,
|
|||
|
||||
with credentials.change(project_2):
|
||||
|
||||
project_resources = mrg.create(subnet_cidr, ips[1],
|
||||
cirros_image, public_flavor,
|
||||
host)
|
||||
project_resources = mrg.create(subnet_cidr, ips[1], cirros_image,
|
||||
public_flavor, host)
|
||||
projects_resources.append(project_resources)
|
||||
yield projects_resources
|
||||
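Review bot: The `ResourceManager(...)` call inside `different_tenants_resources` now passes ten arguments positionally, and the two new ones, `get_neutron_security_group_steps` and `get_neutron_security_group_rule_steps`, differ by a single word. A swapped order would only surface at runtime, when `_create_security_group` calls `create` or `add_rules_to_group` on the wrong steps object. Passing the two by keyword, `get_neutron_security_group_steps=get_neutron_security_group_steps, get_neutron_security_group_rule_steps=get_neutron_security_group_rule_steps,` (with `public_network=public_network` after them), keeps the call self-checking. `__init__` also has no docstring; one sentence noting that the `get_*` parameters are callables returning step objects, as the calls in `_create_security_group` show, would help, since `port_steps` does not follow that naming. The bodies of `__init__` and the fixture continue outside the hunks shown here.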
|
|
|
@ -71,7 +71,6 @@ class ClientContrailVRouterAgentBase(object):
|
|||
data = data[key[0]]
|
||||
return_data = self.get_data(data)
|
||||
elif data['@type'] == 'struct':
|
||||
return_list = []
|
||||
data = self.del_unused_key(data)
|
||||
if len(data) == 0:
|
||||
return ''
|
||||
|
@ -141,7 +140,7 @@ class ClientContrailVRouterAgentBase(object):
|
|||
old_data = data.copy()
|
||||
path1 = data[keys[0]]['next_batch']['@link']
|
||||
path2 = data[keys[0]]['next_batch']['#text']
|
||||
path = 'Snh_%s?x=%s' % (path1,path2)
|
||||
path = 'Snh_%s?x=%s' % (path1, path2)
|
||||
data = self.get_resource(path)
|
||||
old_list = self.find_ifmap_list(old_data)
|
||||
self.merge_ifmap_list(data, old_list)
|
||||
|
@ -165,6 +164,3 @@ class ContrailVRouterAgentClient(ClientContrailVRouterAgentBase):
|
|||
def get_itf_by_name(self, interface_name):
|
||||
data = self.get_path_to_dict('Snh_ItfReq?x={}'.format(interface_name))
|
||||
return data
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
from . import base
|
||||
import urllib
|
||||
|
||||
|
||||
class ContrailClient(base.ContrailBaseClient):
|
||||
|
|
|
@ -26,7 +26,6 @@ from vapor.helpers import agent_steps
|
|||
from vapor.helpers import asserts
|
||||
from vapor.helpers import contrail_status, policy, connectivity
|
||||
from vapor import settings
|
||||
from vapor.helpers import contrail_status, nodes_steps
|
||||
from vapor.settings import logger
|
||||
|
||||
|
||||
|
@ -501,7 +500,7 @@ def test_policy_between_vns_diff_proj(different_tenants_resources,
|
|||
"""
|
||||
project1, project2 = different_tenants_resources
|
||||
|
||||
client, server = project1.server, project2.server
|
||||
client = project1.server
|
||||
client_floating_ip = project1.floating_ip
|
||||
server_floating_ip = project2.floating_ip
|
||||
|
||||
|
@ -529,7 +528,8 @@ def test_policy_between_vns_diff_proj(different_tenants_resources,
|
|||
timeout=settings.SECURITY_GROUP_APPLY_TIMEOUT)
|
||||
|
||||
server_sg_entries.add_policy_rule(policy.POLICY_RULE_ALLOW_EGRESS_ICMP)
|
||||
server_sg_entries.add_policy_rule(policy.POLICY_RULE_ALLOW_INGRESS_ICMP)
|
||||
server_sg_entries.add_policy_rule(
|
||||
policy.POLICY_RULE_ALLOW_INGRESS_ICMP)
|
||||
prj2_conrail_sg.security_group_entries = server_sg_entries
|
||||
contrail_api_client.security_group_update(prj2_conrail_sg)
|
||||
|
||||
|
@ -627,4 +627,3 @@ def test_diff_proj_same_vn_vm_add_delete(different_tenants_resources,
|
|||
s2_net_label))
|
||||
|
||||
assert_that(s1_net_label, is_not(equal_to(s2_net_label)))
|
||||
|
||||
|
|
|
@ -23,28 +23,32 @@ from vapor import settings
|
|||
|
||||
SG_RULES = {
|
||||
'tcp_all': [{
|
||||
'ip_protocol': 'tcp',
|
||||
'from_port': 1,
|
||||
'to_port': 65535,
|
||||
'cidr': '0.0.0.0/0',
|
||||
'direction': stepler_config.INGRESS,
|
||||
'protocol': 'tcp',
|
||||
'port_range_min': 1,
|
||||
'port_range_max': 65535,
|
||||
'remote_ip_prefix': '0.0.0.0/0',
|
||||
}],
|
||||
'tcp_ssh': [{
|
||||
'ip_protocol': 'tcp',
|
||||
'from_port': 22,
|
||||
'to_port': 22,
|
||||
'cidr': '0.0.0.0/0',
|
||||
'direction': stepler_config.INGRESS,
|
||||
'protocol': 'tcp',
|
||||
'port_range_min': 22,
|
||||
'port_range_max': 22,
|
||||
'remote_ip_prefix': '0.0.0.0/0',
|
||||
}],
|
||||
'udp_all': [{
|
||||
'ip_protocol': 'udp',
|
||||
'from_port': 1,
|
||||
'to_port': 65535,
|
||||
'cidr': '0.0.0.0/0',
|
||||
'direction': stepler_config.INGRESS,
|
||||
'protocol': 'udp',
|
||||
'port_range_min': 1,
|
||||
'port_range_max': 65535,
|
||||
'remote_ip_prefix': '0.0.0.0/0',
|
||||
}],
|
||||
'icmp_all': [{
|
||||
'ip_protocol': 'icmp',
|
||||
'from_port': -1,
|
||||
'to_port': -1,
|
||||
'cidr': '0.0.0.0/0',
|
||||
'direction': stepler_config.INGRESS,
|
||||
'protocol': 'icmp',
|
||||
'port_range_min': None,
|
||||
'port_range_max': None,
|
||||
'remote_ip_prefix': '0.0.0.0/0',
|
||||
}]
|
||||
}
|
||||
|
||||
|
@ -67,12 +71,15 @@ tcp_ssh_policy = policy.make_policy_entry(
|
|||
|
||||
|
||||
@pytest.fixture
|
||||
def security_group(create_security_group, security_group_steps):
|
||||
def security_group(neutron_create_security_group,
|
||||
neutron_security_group_rule_steps):
|
||||
"""Fixture that returns security group with SSH allow rules."""
|
||||
group_name = next(utils.generate_ids('security-group'))
|
||||
group = create_security_group(group_name)
|
||||
group = neutron_create_security_group(group_name)
|
||||
|
||||
neutron_security_group_rule_steps.add_rules_to_group(group['id'],
|
||||
SG_RULES['tcp_ssh'])
|
||||
|
||||
security_group_steps.add_group_rules(group, SG_RULES['tcp_ssh'])
|
||||
return group
|
||||
|
||||
|
||||
|
@ -163,8 +170,8 @@ def connectivity_test_resources(
|
|||
ids=['tcp_ssh', 'tcp_all', 'tcp_udp_all'])
|
||||
def test_security_group_and_allow_all_policy(
|
||||
security_group, connectivity_test_resources, contrail_network_policy,
|
||||
security_group_steps, server_steps, contrail_api_client, sg_rules,
|
||||
checks):
|
||||
neutron_security_group_rule_steps, server_steps, contrail_api_client,
|
||||
sg_rules, checks):
|
||||
"""Verify traffic restrictions by security group with policy.
|
||||
|
||||
Steps:
|
||||
|
@ -183,7 +190,8 @@ def test_security_group_and_allow_all_policy(
|
|||
contrail_api_client.network_policy_update(contrail_network_policy)
|
||||
|
||||
# Update security group
|
||||
security_group_steps.add_group_rules(security_group, sg_rules)
|
||||
neutron_security_group_rule_steps.add_rules_to_group(security_group['id'],
|
||||
sg_rules)
|
||||
|
||||
server1_ip = server_steps.get_fixed_ip(connectivity_test_resources.server)
|
||||
|
||||
|
@ -214,9 +222,9 @@ def test_security_group_and_allow_all_policy(
|
|||
],
|
||||
ids=['tcp_all', 'tcp_port'])
|
||||
def test_allow_all_security_group_and_policies(
|
||||
contrail_network_policy, security_group, security_group_steps,
|
||||
connectivity_test_resources, server_steps, contrail_api_client,
|
||||
policy_entries, checks):
|
||||
contrail_network_policy, security_group,
|
||||
neutron_security_group_rule_steps, connectivity_test_resources,
|
||||
server_steps, contrail_api_client, policy_entries, checks):
|
||||
"""Verify traffic restrictions by policy with security group.
|
||||
|
||||
Steps:
|
||||
|
@ -233,8 +241,8 @@ def test_allow_all_security_group_and_policies(
|
|||
contrail_api_client.network_policy_update(contrail_network_policy)
|
||||
|
||||
# Update security group
|
||||
security_group_steps.add_group_rules(
|
||||
security_group,
|
||||
neutron_security_group_rule_steps.add_rules_to_group(
|
||||
security_group['id'],
|
||||
SG_RULES['tcp_all'] + SG_RULES['udp_all'] + SG_RULES['icmp_all'])
|
||||
|
||||
server1_ip = server_steps.get_fixed_ip(connectivity_test_resources.server)
|
||||
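Review bot: The rewritten `SG_RULES` entries set `direction`, `protocol`, the port range and `remote_ip_prefix` but no `ethertype`, so the address family is left to the Neutron default. Every prefix is `0.0.0.0/0`, so adding `'ethertype': 'IPv4'` to each rule would make the intent explicit, assuming `add_rules_to_group` forwards the rule dict unchanged (its body is not visible here). The `tcp_all` and `udp_all` rules admit ingress on ports 1-65535 from any source, which these tests apply on purpose. A comment above the dict such as `# Test-only: wide-open ingress rules for disposable security groups created by fixtures` would keep them from being reused elsewhere. Teardown of the groups is not shown in this section, so it is worth confirming that `neutron_create_security_group` deletes the group, and its added rules with it, after each test.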
|
|
|
@ -15,7 +15,8 @@ import pytest
|
|||
|
||||
from vapor.helpers import heat_utils
|
||||
|
||||
@pytest.mark.xfail(run=False) #Remove when contrail-heat wil be added
|
||||
|
||||
@pytest.mark.xfail(run=False) # Remove when contrail-heat wil be added
|
||||
@pytest.mark.parametrize('template_file', heat_utils.list_templates())
|
||||
def test_heat_templates(create_stack, template_file, contrail_current_project,
|
||||
contrail_api_client):
|
||||
|
|