# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from hamcrest import assert_that, calling, raises
from pycontrail import exceptions
from pycontrail import types
from stepler import config as stepler_config
from stepler.third_party import utils
from vapor import settings
from vapor.helpers import connectivity
def test_delete_policy_associated_with_network(
        contrail_network, contrail_network_policy, set_network_policy,
        contrail_api_client):
    """Deleting a policy that a network still references must be refused.

    Steps:
        #. Create network
        #. Create policy
        #. Associate policy with network
        #. Check that deleting the referenced policy raises RefsExistError
    """
    # Bind the policy to the network so the policy now carries a
    # back-reference from the network.
    set_network_policy(contrail_network, contrail_network_policy)

    # The API must refuse to delete an object that is still referenced.
    # Only the specific RefsExistError satisfies the check: a silent
    # success here would leave the network pointing at a deleted policy.
    delete_policy = calling(
        contrail_api_client.network_policy_delete).with_args(
            id=contrail_network_policy.uuid)
    assert_that(delete_policy, raises(exceptions.RefsExistError))
def test_policy_with_local_source(
        contrail_default_ipam,
        public_network,
        flavor,
        cirros_image,
        security_group,
        contrail_network_policy,
        create_contrail_network,
        create_floating_ip,
        contrail_create_subnet,
        set_network_policy,
        server_steps,
        port_steps,
        contrail_api_client, ):
    """Policy with `local` source network attached to several networks.

    Steps:
        #. Create policy with allow ICMP rule for `local` source network
        #. Create 3 networks with subnets
        #. Boot nova server on each network
        #. Check ping from all of servers to first
    """
    # Bidirectional ('<>') ICMP allow rule: source is the network the policy
    # is attached to ('local'), destination is 'any'. PortType() is given
    # without arguments -- presumably a wildcard; confirm against pycontrail.
    allow_icmp = types.PolicyRuleType(
        action_list=types.ActionListType(simple_action='pass'),
        direction='<>',
        protocol='icmp',
        src_addresses=[types.AddressType(virtual_network='local')],
        src_ports=[types.PortType()],
        dst_addresses=[types.AddressType(virtual_network='any')],
        dst_ports=[types.PortType()])
    policy_entries = types.PolicyEntriesType(policy_rule=[allow_icmp])
    contrail_network_policy.set_network_policy_entries(policy_entries)
    contrail_api_client.network_policy_update(contrail_network_policy)

    servers = []
    for index, net_name in enumerate(utils.generate_ids(count=3)):
        # Each network gets its own 10.<index>.0.0 prefix so the three
        # subnets do not overlap; the same policy is attached to all of them.
        network = create_contrail_network(net_name)
        contrail_create_subnet(
            network,
            ipam=contrail_default_ipam,
            ip_prefix="10.%d.0.0" % index)
        set_network_policy(network, contrail_network_policy)

        # One server per network, on that network only.
        server = server_steps.create_servers(
            flavor=flavor,
            image=cirros_image,
            networks=[{'id': network.uuid}],
            security_groups=[security_group],
            username=stepler_config.CIRROS_USERNAME,
            password=stepler_config.CIRROS_PASSWORD)[0]
        servers.append(server)

        # Attach a floating IP to the server's port and wait until the
        # server reports it (presumably what get_server_ssh below relies on).
        server_port = port_steps.get_port(
            device_owner=stepler_config.PORT_DEVICE_OWNER_SERVER,
            device_id=server.id)
        floating_ip = create_floating_ip(public_network, port=server_port)
        server_steps.check_server_ip(
            server,
            floating_ip['floating_ip_address'],
            timeout=settings.FLOATING_IP_BIND_TIMEOUT)

    # Every other server must be able to reach the first one over ICMP,
    # i.e. the 'local' source matches whichever network the policy is on.
    target_ip = server_steps.get_fixed_ip(servers[0])
    for remote_server in servers[1:]:
        with server_steps.get_server_ssh(remote_server) as remote_ssh:
            connectivity.check_icmp_connection_status(
                target_ip, remote=remote_ssh)
def test_cidr_for_source_and_destination(
        public_network, cirros_image, flavor, security_group, network, subnet,
        contrail_network_policy, set_network_policy, create_floating_ip,
        server_steps, port_steps, contrail_api_client):
    """CIDR (/32 host prefixes) as match criteria for source and destination.

    Steps:
        #. Create network
        #. Create 3 servers
        #. Create policy with deny ICMP traffic from server1 ip to server2 ip
           (with /32 CIDR)
        #. Ping between vm1 and vm2. Ping should fail
        #. Ping between vm1 and vm3. Ping should pass
    """
    def host_address(ip):
        # A /32 prefix matches exactly one host address.
        return types.AddressType(subnet=types.SubnetType(
            ip_prefix=ip, ip_prefix_len=32))

    # Three servers on the same network; only server1 is reached from
    # outside, the other two are ping targets.
    server1, server2, server3 = server_steps.create_servers(
        count=3,
        image=cirros_image,
        flavor=flavor,
        networks=[network],
        security_groups=[security_group],
        username=stepler_config.CIRROS_USERNAME,
        password=stepler_config.CIRROS_PASSWORD)

    # Floating IP on server1's port, used for the SSH session below.
    server1_port = port_steps.get_port(
        device_owner=stepler_config.PORT_DEVICE_OWNER_SERVER,
        device_id=server1.id)
    floating_ip = create_floating_ip(public_network, port=server1_port)
    public_address = floating_ip['floating_ip_address']
    server_steps.check_server_ip(
        server1,
        public_address,
        timeout=settings.FLOATING_IP_BIND_TIMEOUT)

    # Deny rule scoped to exactly one source host and one destination host.
    # server3 is deliberately outside the rule and serves as the positive
    # control: a deny that also blocked it would be over-matching.
    ip1 = server_steps.get_fixed_ip(server1)
    ip2 = server_steps.get_fixed_ip(server2)
    ip3 = server_steps.get_fixed_ip(server3)
    deny_icmp = types.PolicyRuleType(
        protocol='icmp',
        direction='<>',
        src_addresses=[host_address(ip1)],
        src_ports=[types.PortType()],
        dst_addresses=[host_address(ip2)],
        dst_ports=[types.PortType()],
        action_list=types.ActionListType(simple_action='deny'))
    policy_entries = types.PolicyEntriesType(policy_rule=[deny_icmp])
    contrail_network_policy.set_network_policy_entries(policy_entries)
    contrail_api_client.network_policy_update(contrail_network_policy)

    # The policy only takes effect once it is bound to the network; the
    # Contrail object is re-read by the neutron network id.
    contrail_network = contrail_api_client.virtual_network_read(
        id=network['id'])
    set_network_policy(contrail_network, contrail_network_policy)

    # Negative check first (server2 must be unreachable), then the positive
    # control (server3 still reachable) from the same session.
    with server_steps.get_server_ssh(server1, public_address) as server_ssh:
        connectivity.check_icmp_connection_status(
            ip2, remote=server_ssh, must_available=False)
        connectivity.check_icmp_connection_status(ip3, remote=server_ssh)