Switch to neutron for security groups

Change-Id: Ic7f5f2d9d01c2de07555da3a7ccfb3bf535e9f59
Georgy Dyuldin 2017-03-27 11:48:02 +03:00
parent 5fd737959b
commit bce05180a8
6 changed files with 67 additions and 58 deletions


@ -25,7 +25,8 @@ else:
class ResourceManager(object):
def __init__(self, stack, base_name, get_network_steps, get_subnet_steps,
port_steps, get_floating_ip_steps, get_server_steps,
get_security_group_steps, public_network):
get_neutron_security_group_steps,
get_neutron_security_group_rule_steps, public_network):
self.stack = stack
self.base_name = base_name
self.get_network_steps = get_network_steps
@ -33,7 +34,10 @@ class ResourceManager(object):
self.port_steps = port_steps
self.get_floating_ip_steps = get_floating_ip_steps
self.get_server_steps = get_server_steps
self.get_security_group_steps = get_security_group_steps
self.get_neutron_security_group_steps = (
get_neutron_security_group_steps)
self.get_neutron_security_group_rule_steps = (
get_neutron_security_group_rule_steps)
self.public_network = public_network
def _add_fin(self, steps_getter, fn_name, *args, **kwargs):
@ -59,12 +63,12 @@ class ResourceManager(object):
def _create_security_group(self):
# Create security groups
security_group_steps = self.get_security_group_steps()
security_group = security_group_steps.create_group(self.base_name)
self._add_fin(self.get_security_group_steps, 'delete_group',
security_group_steps = self.get_neutron_security_group_steps()
security_group = security_group_steps.create(self.base_name)
self._add_fin(self.get_neutron_security_group_steps, 'delete',
security_group)
security_group_steps.add_group_rules(
security_group, stepler_config.SECURITY_GROUP_SSH_PING_RULES)
self.get_neutron_security_group_rule_steps().add_rules_to_group(
security_group['id'], stepler_config.SECURITY_GROUP_SSH_PING_RULES)
return security_group
def _create_server(self, image, flavor, nova_host, network, ip,
@ -135,12 +139,12 @@ def project_2(create_user_with_project):
@pytest.fixture
def different_tenants_resources(request,
project_2, credentials, create_user_with_project, cirros_image,
sorted_hypervisors, get_network_steps, get_subnet_steps,
def different_tenants_resources(
request, project_2, credentials, create_user_with_project,
cirros_image, sorted_hypervisors, get_network_steps, get_subnet_steps,
get_server_steps, port_steps, get_floating_ip_steps, public_flavor,
public_network, get_security_group_steps,
nova_availability_zone_hosts):
public_network, get_neutron_security_group_steps,
get_neutron_security_group_rule_steps, nova_availability_zone_hosts):
"""Fixture to create network, subnet and server on each of 2 projects.
Created subnets has same CIDR.
@ -152,7 +156,9 @@ def different_tenants_resources(request,
default_params = {
'subnet_cidr': '10.0.0.0/24',
'base_name': next(utils.generate_ids()),
'ips': ('10.0.0.11', '10.0.0.21',)
'ips': (
'10.0.0.11',
'10.0.0.21', )
}
default_params.update(getattr(request, 'param', {}))
@ -168,10 +174,11 @@ def different_tenants_resources(request,
with contextlib.ExitStack() as stack:
mrg = ResourceManager(stack, base_name, get_network_steps,
get_subnet_steps, port_steps,
get_floating_ip_steps, get_server_steps,
get_security_group_steps, public_network)
mrg = ResourceManager(
stack, base_name, get_network_steps, get_subnet_steps, port_steps,
get_floating_ip_steps, get_server_steps,
get_neutron_security_group_steps,
get_neutron_security_group_rule_steps, public_network)
projects_resources = []
@ -182,8 +189,7 @@ def different_tenants_resources(request,
with credentials.change(project_2):
project_resources = mrg.create(subnet_cidr, ips[1],
cirros_image, public_flavor,
host)
project_resources = mrg.create(subnet_cidr, ips[1], cirros_image,
public_flavor, host)
projects_resources.append(project_resources)
yield projects_resources
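Review bot: `ResourceManager.__init__` now takes nine positional arguments, and the two new ones, `get_neutron_security_group_steps` and `get_neutron_security_group_rule_steps`, differ by one word and sit next to each other, so a swap at the positional call in `different_tenants_resources` would only surface at runtime when `_create_security_group` calls `.create` on the wrong steps object. Passing at least these two by keyword at the call site, e.g. `get_neutron_security_group_rule_steps=get_neutron_security_group_rule_steps`, would make the wiring checkable by reading. `_create_security_group` now returns what appears to be a neutron dict (it is indexed with `['id']`) rather than the previous group object, so `_create_server`, whose body is outside these hunks, should be checked for attribute access on it. A one-line docstring such as `"""Create a security group with SSH and ping rules and register its deletion."""` would also record what the method guarantees.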


@ -71,7 +71,6 @@ class ClientContrailVRouterAgentBase(object):
data = data[key[0]]
return_data = self.get_data(data)
elif data['@type'] == 'struct':
return_list = []
data = self.del_unused_key(data)
if len(data) == 0:
return ''
@ -141,7 +140,7 @@ class ClientContrailVRouterAgentBase(object):
old_data = data.copy()
path1 = data[keys[0]]['next_batch']['@link']
path2 = data[keys[0]]['next_batch']['#text']
path = 'Snh_%s?x=%s' % (path1,path2)
path = 'Snh_%s?x=%s' % (path1, path2)
data = self.get_resource(path)
old_list = self.find_ifmap_list(old_data)
self.merge_ifmap_list(data, old_list)
@ -165,6 +164,3 @@ class ContrailVRouterAgentClient(ClientContrailVRouterAgentBase):
def get_itf_by_name(self, interface_name):
data = self.get_path_to_dict('Snh_ItfReq?x={}'.format(interface_name))
return data


@ -1,5 +1,4 @@
from . import base
import urllib
class ContrailClient(base.ContrailBaseClient):


@ -26,7 +26,6 @@ from vapor.helpers import agent_steps
from vapor.helpers import asserts
from vapor.helpers import contrail_status, policy, connectivity
from vapor import settings
from vapor.helpers import contrail_status, nodes_steps
from vapor.settings import logger
@ -501,7 +500,7 @@ def test_policy_between_vns_diff_proj(different_tenants_resources,
"""
project1, project2 = different_tenants_resources
client, server = project1.server, project2.server
client = project1.server
client_floating_ip = project1.floating_ip
server_floating_ip = project2.floating_ip
@ -529,7 +528,8 @@ def test_policy_between_vns_diff_proj(different_tenants_resources,
timeout=settings.SECURITY_GROUP_APPLY_TIMEOUT)
server_sg_entries.add_policy_rule(policy.POLICY_RULE_ALLOW_EGRESS_ICMP)
server_sg_entries.add_policy_rule(policy.POLICY_RULE_ALLOW_INGRESS_ICMP)
server_sg_entries.add_policy_rule(
policy.POLICY_RULE_ALLOW_INGRESS_ICMP)
prj2_conrail_sg.security_group_entries = server_sg_entries
contrail_api_client.security_group_update(prj2_conrail_sg)
@ -627,4 +627,3 @@ def test_diff_proj_same_vn_vm_add_delete(different_tenants_resources,
s2_net_label))
assert_that(s1_net_label, is_not(equal_to(s2_net_label)))


@ -23,28 +23,32 @@ from vapor import settings
SG_RULES = {
'tcp_all': [{
'ip_protocol': 'tcp',
'from_port': 1,
'to_port': 65535,
'cidr': '0.0.0.0/0',
'direction': stepler_config.INGRESS,
'protocol': 'tcp',
'port_range_min': 1,
'port_range_max': 65535,
'remote_ip_prefix': '0.0.0.0/0',
}],
'tcp_ssh': [{
'ip_protocol': 'tcp',
'from_port': 22,
'to_port': 22,
'cidr': '0.0.0.0/0',
'direction': stepler_config.INGRESS,
'protocol': 'tcp',
'port_range_min': 22,
'port_range_max': 22,
'remote_ip_prefix': '0.0.0.0/0',
}],
'udp_all': [{
'ip_protocol': 'udp',
'from_port': 1,
'to_port': 65535,
'cidr': '0.0.0.0/0',
'direction': stepler_config.INGRESS,
'protocol': 'udp',
'port_range_min': 1,
'port_range_max': 65535,
'remote_ip_prefix': '0.0.0.0/0',
}],
'icmp_all': [{
'ip_protocol': 'icmp',
'from_port': -1,
'to_port': -1,
'cidr': '0.0.0.0/0',
'direction': stepler_config.INGRESS,
'protocol': 'icmp',
'port_range_min': None,
'port_range_max': None,
'remote_ip_prefix': '0.0.0.0/0',
}]
}
@ -67,12 +71,15 @@ tcp_ssh_policy = policy.make_policy_entry(
@pytest.fixture
def security_group(create_security_group, security_group_steps):
def security_group(neutron_create_security_group,
neutron_security_group_rule_steps):
"""Fixture that returns security group with SSH allow rules."""
group_name = next(utils.generate_ids('security-group'))
group = create_security_group(group_name)
group = neutron_create_security_group(group_name)
neutron_security_group_rule_steps.add_rules_to_group(group['id'],
SG_RULES['tcp_ssh'])
security_group_steps.add_group_rules(group, SG_RULES['tcp_ssh'])
return group
@ -163,8 +170,8 @@ def connectivity_test_resources(
ids=['tcp_ssh', 'tcp_all', 'tcp_udp_all'])
def test_security_group_and_allow_all_policy(
security_group, connectivity_test_resources, contrail_network_policy,
security_group_steps, server_steps, contrail_api_client, sg_rules,
checks):
neutron_security_group_rule_steps, server_steps, contrail_api_client,
sg_rules, checks):
"""Verify traffic restrictions by security group with policy.
Steps:
@ -183,7 +190,8 @@ def test_security_group_and_allow_all_policy(
contrail_api_client.network_policy_update(contrail_network_policy)
# Update security group
security_group_steps.add_group_rules(security_group, sg_rules)
neutron_security_group_rule_steps.add_rules_to_group(security_group['id'],
sg_rules)
server1_ip = server_steps.get_fixed_ip(connectivity_test_resources.server)
@ -214,9 +222,9 @@ def test_security_group_and_allow_all_policy(
],
ids=['tcp_all', 'tcp_port'])
def test_allow_all_security_group_and_policies(
contrail_network_policy, security_group, security_group_steps,
connectivity_test_resources, server_steps, contrail_api_client,
policy_entries, checks):
contrail_network_policy, security_group,
neutron_security_group_rule_steps, connectivity_test_resources,
server_steps, contrail_api_client, policy_entries, checks):
"""Verify traffic restrictions by policy with security group.
Steps:
@ -233,8 +241,8 @@ def test_allow_all_security_group_and_policies(
contrail_api_client.network_policy_update(contrail_network_policy)
# Update security group
security_group_steps.add_group_rules(
security_group,
neutron_security_group_rule_steps.add_rules_to_group(
security_group['id'],
SG_RULES['tcp_all'] + SG_RULES['udp_all'] + SG_RULES['icmp_all'])
server1_ip = server_steps.get_fixed_ip(connectivity_test_resources.server)
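Review bot: The converted `SG_RULES` entries set `direction`, `protocol`, the port range and `remote_ip_prefix` but no `ethertype`, so they depend on neutron's default of IPv4; adding `'ethertype': 'IPv4'` to each rule would make that explicit. Every rule is ingress from `0.0.0.0/0`, and a group created through neutron normally carries default allow-all egress rules, so the restriction tests here exercise ingress filtering only; a comment above the dict, for example `# Neutron rule bodies: ingress-only, open to any source, for test networks only`, would state this. The `security_group` fixture adds `SG_RULES['tcp_ssh']` and `test_security_group_and_allow_all_policy` then adds `sg_rules` to the same group; if the `tcp_ssh` parametrization passes the same rule, neutron would presumably reject it as a duplicate, which is worth confirming since the parametrize values are outside the hunk.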


@ -15,7 +15,8 @@ import pytest
from vapor.helpers import heat_utils
@pytest.mark.xfail(run=False) #Remove when contrail-heat wil be added
@pytest.mark.xfail(run=False) # Remove when contrail-heat wil be added
@pytest.mark.parametrize('template_file', heat_utils.list_templates())
def test_heat_templates(create_stack, template_file, contrail_current_project,
contrail_api_client):