From 8ca91f4344c6541879e4fe12a6b3d34b82f574d8 Mon Sep 17 00:00:00 2001 From: Roey Chen Date: Sun, 8 Nov 2015 05:29:59 -0800 Subject: [PATCH] Adding unittests for security-group implementation Change-Id: I960ca78ea2ff68fb0d16ee735dc678a4d2571bb8 --- vmware_nsx/nsxlib/v3/security.py | 7 +- vmware_nsx/plugins/nsx_v3/plugin.py | 2 - .../unit/extensions/test_securitygroup.py | 95 +++++++++++++++++++ vmware_nsx/tests/unit/nsx_v3/test_plugin.py | 5 - 4 files changed, 98 insertions(+), 11 deletions(-) create mode 100644 vmware_nsx/tests/unit/extensions/test_securitygroup.py diff --git a/vmware_nsx/nsxlib/v3/security.py b/vmware_nsx/nsxlib/v3/security.py index e7f5f38491..54e7b5727d 100644 --- a/vmware_nsx/nsxlib/v3/security.py +++ b/vmware_nsx/nsxlib/v3/security.py @@ -231,16 +231,15 @@ def _init_default_section(name, description, nsgroup_id): else: section = firewall.create_empty_section( name, description, [nsgroup_id], []) - # TODO(roeyc): Add aditional rules to allow IPV6 NDP. block_rule = firewall.get_firewall_rule_dict( 'Block All', action=firewall.DROP) - + # TODO(roeyc): Add additional rules to allow IPV6 NDP. dhcp_client = firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE, l4_protocol=firewall.UDP, source_ports=[67], destination_ports=[68]) dhcp_client_rule_in = firewall.get_firewall_rule_dict( - 'DHCP-Client-IN', direction=firewall.IN, service=dhcp_client) + 'DHCP Reply', direction=firewall.IN, service=dhcp_client) dhcp_server = ( firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE, @@ -248,7 +247,7 @@ def _init_default_section(name, description, nsgroup_id): source_ports=[68], destination_ports=[67])) dhcp_client_rule_out = firewall.get_firewall_rule_dict( - 'DHCP-Client-OUT', direction=firewall.OUT, service=dhcp_server) + 'DHCP Request', direction=firewall.OUT, service=dhcp_server) firewall.add_rules_in_section([dhcp_client_rule_out, dhcp_client_rule_in, 
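Review bot: The two allow rules touched here ('DHCP Reply' in the first security.py hunk, 'DHCP Request' in the hunk at -248,7) are, as far as the visible lines show, matched only on direction and UDP ports 67/68, and nothing in the code documents that. Because they sit in the default section next to 'Block All', a comment above `dhcp_client_rule_in` would make the admitted traffic explicit, e.g. `# Inbound UDP 67->68 is allowed from any source; this rule does not restrict which server may answer.` That reading is an assumption to confirm, since the defaults of `get_firewall_rule_dict` and the parts of `_init_default_section` before and after these hunks are not shown. The locals `dhcp_client`/`dhcp_server` could also be renamed to match the new display names, because `dhcp_client` (source port 67, destination port 68) describes the server-to-client reply.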
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index d8ddb2f640..ce396d7adc 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py @@ -836,8 +836,6 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin, context, id, {'port': original_port}, updated_port, original_port) - #TODO(roeyc): add port to nsgroups - return updated_port def _extract_external_gw(self, context, router, is_extract=True): diff --git a/vmware_nsx/tests/unit/extensions/test_securitygroup.py b/vmware_nsx/tests/unit/extensions/test_securitygroup.py new file mode 100644 index 0000000000..cb391950a2 --- /dev/null +++ b/vmware_nsx/tests/unit/extensions/test_securitygroup.py 
@@ -0,0 +1,95 @@
+# Copyright (c) 2015 VMware, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+import mock
+
+from neutron.tests.unit.extensions import test_securitygroup as ext_sg
+
+from vmware_nsx.plugins.nsx_v3 import plugin as nsx_plugin
+from vmware_nsx.tests.unit.nsx_v3 import test_plugin as test_nsxv3
+
+
+class TestSecurityGroups(test_nsxv3.NsxV3PluginTestCaseMixin,
+ ext_sg.TestSecurityGroups):
+
+ @mock.patch.object(nsx_plugin.security.firewall, 'remove_nsgroup_member')
+ @mock.patch.object(nsx_plugin.security.firewall, 'add_nsgroup_member')
+ @mock.patch.object(nsx_plugin.security.firewall, 'create_nsgroup')
+ def test_create_port_with_multiple_security_groups(self,
+ create_nsgroup_mock,
+ add_member_mock,
+ remove_member_mock):
+ NSG_IDS = ['11111111-1111-1111-1111-111111111111',
+ '22222222-2222-2222-2222-222222222222',
+ '33333333-3333-3333-3333-333333333333']
+ count = [-1]
+
+ def _create_nsgroup_mock(x, y, z):
+ count[0] += 1
+ return {'id': NSG_IDS[count[0]]}
+
+ create_nsgroup_mock.side_effect = _create_nsgroup_mock
+
+ super(TestSecurityGroups,
+ self).test_create_port_with_multiple_security_groups()
+
+ # The first nsgroup is associated with the default secgroup, which is
+ # not added to this port.
+ calls = [mock.call(NSG_IDS[1], mock.ANY, mock.ANY),
+ mock.call(NSG_IDS[2], mock.ANY, mock.ANY)]
+ add_member_mock.assert_has_calls(calls, any_order=True)
+
+ @mock.patch.object(nsx_plugin.security.firewall, 'remove_nsgroup_member')
+ @mock.patch.object(nsx_plugin.security.firewall, 'add_nsgroup_member')
+ @mock.patch.object(nsx_plugin.security.firewall, 'create_nsgroup')
+ def test_update_port_with_multiple_security_groups(self,
+ create_nsgroup_mock,
+ add_member_mock,
+ remove_member_mock):
+ NSG_IDS = ['11111111-1111-1111-1111-111111111111',
+ '22222222-2222-2222-2222-222222222222',
+ '33333333-3333-3333-3333-333333333333']
+ count = [-1]
+
+ def _create_nsgroup_mock(x, y, z):
+ count[0] += 1
+ return {'id': NSG_IDS[count[0]]}
+
+ create_nsgroup_mock.side_effect = _create_nsgroup_mock
+
+ super(TestSecurityGroups,
+ self).test_update_port_with_multiple_security_groups()
+
+ calls = [mock.call(NSG_IDS[0], mock.ANY, mock.ANY),
+ mock.call(NSG_IDS[1], mock.ANY, mock.ANY),
+ mock.call(NSG_IDS[2], mock.ANY, mock.ANY)]
+ add_member_mock.assert_has_calls(calls, any_order=True)
+
+ remove_member_mock.assert_called_with(NSG_IDS[0], mock.ANY)
+
+ @mock.patch.object(nsx_plugin.security.firewall, 'remove_nsgroup_member')
+ @mock.patch.object(nsx_plugin.security.firewall, 'add_nsgroup_member')
+ @mock.patch.object(nsx_plugin.security.firewall, 'create_nsgroup')
+ def test_update_port_remove_security_group_empty_list(self,
+ create_nsgroup_mock,
+ add_member_mock,
+ remove_member_mock):
+ NSG_ID = '11111111-1111-1111-1111-111111111111'
+ create_nsgroup_mock.side_effect = lambda x, y, z: {'id': NSG_ID}
+
+ super(TestSecurityGroups,
+ self).test_update_port_remove_security_group_empty_list()
+
+ add_member_mock.assert_called_with(NSG_ID, mock.ANY, mock.ANY)
+ remove_member_mock.assert_called_with(NSG_ID, mock.ANY)
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
index fb652870fa..93742ef13e 100644
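Review bot: `test_create_port_with_multiple_security_groups` never asserts that the default group's nsgroup was left untouched, even though its comment says the first nsgroup is not added to the port; `assert_has_calls(calls, any_order=True)` still passes when extra `add_nsgroup_member` calls were made. A regression that places a port in an unintended NSGroup would therefore go unnoticed, and adding `self.assertNotIn(mock.call(NSG_IDS[0], mock.ANY, mock.ANY), add_member_mock.call_args_list)` after the existing assertion would pin it. In the two update tests, `remove_member_mock.assert_called_with(...)` checks only the most recent call, so `assert_called_once_with` may be the intended check if exactly one removal is expected; the inherited test bodies are not visible here, so that count needs confirming.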
--- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py +++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py @@ -31,7 +31,6 @@ from neutron.tests.unit.extensions import test_extraroute as test_ext_route from neutron.tests.unit.extensions import test_l3 as test_l3_plugin from neutron.tests.unit.extensions \ import test_l3_ext_gw_mode as test_ext_gw_mode -from neutron.tests.unit.extensions import test_securitygroup as ext_sg from neutron import version from oslo_config import cfg @@ -133,10 +132,6 @@ class TestPortsV2(test_plugin.TestPortsV2, NsxV3PluginTestCaseMixin): data['port']['fixed_ips']) -class TestSecurityGroups(NsxV3PluginTestCaseMixin, ext_sg.TestSecurityGroups): - pass - - class DHCPOptsTestCase(test_dhcpopts.TestExtraDhcpOpt, NsxV3PluginTestCaseMixin):