x
/
fuel-plugin-contrail
Code Issues Proposed changes
fuel-plugin-contrail/plugin_test/vapor/vapor/tests/test_policy.py

178 lines
6.5 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from hamcrest import assert_that, calling, raises
from pycontrail import exceptions
from pycontrail import types
from stepler import config as stepler_config
from stepler.third_party import utils
from vapor import settings
from vapor.helpers import connectivity
def test_delete_policy_associated_with_network(
contrail_network, contrail_network_policy, set_network_policy,
contrail_api_client):
"""Associate/Disassociate/Delete with reference policy using API.
Steps:
#. Create network
#. Create policy
#. Associate policy with network
#. Check that deleting network with policy raises an Exception
"""
set_network_policy(contrail_network, contrail_network_policy)
assert_that(
calling(contrail_api_client.network_policy_delete).with_args(
id=contrail_network_policy.uuid),
raises(exceptions.RefsExistError))
def test_policy_with_local_source(
contrail_default_ipam,
public_network,
flavor,
cirros_image,
security_group,
contrail_network_policy,
create_contrail_network,
create_floating_ip,
contrail_create_subnet,
set_network_policy,
server_steps,
port_steps,
contrail_api_client, ):
"""Test policy with local source port and attached to multiple VN.
Steps:
#. Create policy with allow ICMP rule for `local` source network
#. Create 3 networks with subnets
#. Boot nova server on each network
#. Check ping from all of servers to first
"""
rule = types.PolicyRuleType(
action_list=types.ActionListType(simple_action='pass'),
direction='<>',
protocol='icmp',
src_addresses=[types.AddressType(virtual_network='local')],
src_ports=[types.PortType()],
dst_addresses=[types.AddressType(virtual_network='any')],
dst_ports=[types.PortType()])
contrail_network_policy.set_network_policy_entries(
types.PolicyEntriesType(policy_rule=[rule]))
contrail_api_client.network_policy_update(contrail_network_policy)
servers = []
for i, name in enumerate(utils.generate_ids(count=3)):
network = create_contrail_network(name)
contrail_create_subnet(
network,
ipam=contrail_default_ipam,
ip_prefix="10.{}.0.0".format(i))
set_network_policy(network, contrail_network_policy)
server = server_steps.create_servers(
flavor=flavor,
image=cirros_image,
networks=[{
'id': network.uuid
}],
security_groups=[security_group],
username=stepler_config.CIRROS_USERNAME,
password=stepler_config.CIRROS_PASSWORD)[0]
servers.append(server)
# Add floating IP addresses
port = port_steps.get_port(
device_owner=stepler_config.PORT_DEVICE_OWNER_SERVER,
device_id=server.id)
floating_ip = create_floating_ip(public_network, port=port)
server_steps.check_server_ip(
server,
floating_ip['floating_ip_address'],
timeout=settings.FLOATING_IP_BIND_TIMEOUT)
# Check pings
ip = server_steps.get_fixed_ip(servers[0])
for server in servers[1:]:
with server_steps.get_server_ssh(server) as server_ssh:
connectivity.check_icmp_connection_status(ip, remote=server_ssh)
def test_cidr_for_source_and_destination(
public_network, cirros_image, flavor, security_group, network, subnet,
contrail_network_policy, set_network_policy, create_floating_ip,
server_steps, port_steps, contrail_api_client):
"""Test CIDR as match criteria for source and destination.
Steps:
#. Create network
#. Create 3 servers
#. Create policy with deny ICMP traffic from server1 ip to server2 ip
(with /32 CIDR)
#. Ping between vm1 and vm2. Ping should fail
#. Ping between vm1 and vm3. Ping should pass
"""
# Boot servers
server1, server2, server3 = server_steps.create_servers(
count=3,
image=cirros_image,
flavor=flavor,
networks=[network],
security_groups=[security_group],
username=stepler_config.CIRROS_USERNAME,
password=stepler_config.CIRROS_PASSWORD)
# Add floating IP to server1
port = port_steps.get_port(
device_owner=stepler_config.PORT_DEVICE_OWNER_SERVER,
device_id=server1.id)
floating_ip = create_floating_ip(public_network, port=port)
server_steps.check_server_ip(
server1,
floating_ip['floating_ip_address'],
timeout=settings.FLOATING_IP_BIND_TIMEOUT)
# Block ICMP traffic from server1 to server2
ip1 = server_steps.get_fixed_ip(server1)
ip2 = server_steps.get_fixed_ip(server2)
ip3 = server_steps.get_fixed_ip(server3)
rule = types.PolicyRuleType(
protocol='icmp',
direction='<>',
src_addresses=[
types.AddressType(subnet=types.SubnetType(
ip_prefix=ip1, ip_prefix_len=32))
],
src_ports=[types.PortType()],
dst_addresses=[
types.AddressType(subnet=types.SubnetType(
ip_prefix=ip2, ip_prefix_len=32))
],
dst_ports=[types.PortType()],
action_list=types.ActionListType(simple_action='deny'))
contrail_network_policy.set_network_policy_entries(
types.PolicyEntriesType(policy_rule=[rule]))
contrail_api_client.network_policy_update(contrail_network_policy)
# Bind policy to network
contrail_network = contrail_api_client.virtual_network_read(
id=network['id'])
set_network_policy(contrail_network, contrail_network_policy)
# Check pings
with server_steps.get_server_ssh(
server1, floating_ip['floating_ip_address']) as server_ssh:
connectivity.check_icmp_connection_status(
ip2, remote=server_ssh, must_available=False)
connectivity.check_icmp_connection_status(ip3, remote=server_ssh)
View Git Blame Copy Permalink