232 lines
11 KiB
Python
232 lines
11 KiB
Python
# Copyright (c) 2014 VMware, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
from neutron.common import constants
|
|
from neutron.common import exceptions
|
|
from neutron.tests.unit.api.v2 import test_base
|
|
|
|
from vmware_nsx.neutron.plugins.vmware import nsxlib
|
|
from vmware_nsx.neutron.plugins.vmware.nsxlib import secgroup as secgrouplib
|
|
from vmware_nsx.tests.unit.vmware.nsxlib import base
|
|
|
|
_uuid = test_base._uuid
|
|
|
|
|
|
class SecurityProfileTestCase(base.NsxlibTestCase):
|
|
|
|
def test_create_and_get_security_profile(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
sec_prof_res = nsxlib.do_request(
|
|
secgrouplib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_egress_rules']), 1)
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 2)
|
|
|
|
def test_create_and_get_default_security_profile(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'default'})
|
|
sec_prof_res = nsxlib.do_request(
|
|
secgrouplib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_egress_rules']), 3)
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 2)
|
|
|
|
def test_update_security_profile_raise_not_found(self):
|
|
self.assertRaises(exceptions.NotFound,
|
|
secgrouplib.update_security_profile,
|
|
self.fake_cluster,
|
|
_uuid(), 'tatore_magno(the great)')
|
|
|
|
def test_update_security_profile(self):
|
|
tenant_id = 'foo_tenant_uuid'
|
|
secgroup_id = 'foo_secgroup_uuid'
|
|
old_sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, tenant_id, secgroup_id,
|
|
{'name': 'tatore_magno'})
|
|
new_sec_prof = secgrouplib.update_security_profile(
|
|
self.fake_cluster, old_sec_prof['uuid'], 'aaron_magno')
|
|
self.assertEqual('aaron_magno', new_sec_prof['display_name'])
|
|
|
|
def test_update_security_profile_rules(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
ingress_rule = {'ethertype': 'IPv4'}
|
|
egress_rule = {'ethertype': 'IPv4', 'profile_uuid': 'xyz'}
|
|
new_rules = {'logical_port_egress_rules': [egress_rule],
|
|
'logical_port_ingress_rules': [ingress_rule]}
|
|
secgrouplib.update_security_group_rules(
|
|
self.fake_cluster, sec_prof['uuid'], new_rules)
|
|
sec_prof_res = nsxlib.do_request(
|
|
nsxlib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_egress_rules']), 2)
|
|
self.assertIn(egress_rule,
|
|
sec_prof_res['logical_port_egress_rules'])
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 1)
|
|
self.assertIn(ingress_rule,
|
|
sec_prof_res['logical_port_ingress_rules'])
|
|
|
|
def test_update_security_profile_rules_noingress(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
hidden_ingress_rule = {'ethertype': 'IPv4',
|
|
'ip_prefix': '127.0.0.1/32'}
|
|
egress_rule = {'ethertype': 'IPv4', 'profile_uuid': 'xyz'}
|
|
new_rules = {'logical_port_egress_rules': [egress_rule],
|
|
'logical_port_ingress_rules': []}
|
|
secgrouplib.update_security_group_rules(
|
|
self.fake_cluster, sec_prof['uuid'], new_rules)
|
|
sec_prof_res = nsxlib.do_request(
|
|
nsxlib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_egress_rules']), 2)
|
|
self.assertIn(egress_rule,
|
|
sec_prof_res['logical_port_egress_rules'])
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 1)
|
|
self.assertIn(hidden_ingress_rule,
|
|
sec_prof_res['logical_port_ingress_rules'])
|
|
|
|
def test_update_security_profile_rules_summarize_port_range(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
ingress_rule = [{'ethertype': 'IPv4'}]
|
|
egress_rules = [
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP,
|
|
'port_range_min': 1, 'port_range_max': 65535}]
|
|
new_rules = {'logical_port_egress_rules': egress_rules,
|
|
'logical_port_ingress_rules': [ingress_rule]}
|
|
egress_rules_summarized = [{'ethertype': 'IPv4',
|
|
'protocol': constants.PROTO_NUM_UDP}]
|
|
secgrouplib.update_security_group_rules(
|
|
self.fake_cluster, sec_prof['uuid'], new_rules)
|
|
sec_prof_res = nsxlib.do_request(
|
|
nsxlib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 1)
|
|
self.assertEqual(sec_prof_res['logical_port_egress_rules'],
|
|
egress_rules_summarized)
|
|
self.assertIn(ingress_rule,
|
|
sec_prof_res['logical_port_ingress_rules'])
|
|
|
|
def test_update_security_profile_rules_summarize_ip_prefix(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
ingress_rule = [{'ethertype': 'IPv4'}]
|
|
egress_rules = [
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP,
|
|
'ip_prefix': '0.0.0.0/0'},
|
|
{'ethertype': 'IPv6', 'protocol': constants.PROTO_NUM_UDP,
|
|
'ip_prefix': '::/0'}]
|
|
new_rules = {'logical_port_egress_rules': egress_rules,
|
|
'logical_port_ingress_rules': [ingress_rule]}
|
|
egress_rules_summarized = [
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP},
|
|
{'ethertype': 'IPv6', 'protocol': constants.PROTO_NUM_UDP}]
|
|
secgrouplib.update_security_group_rules(
|
|
self.fake_cluster, sec_prof['uuid'], new_rules)
|
|
sec_prof_res = nsxlib.do_request(
|
|
nsxlib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 1)
|
|
self.assertEqual(sec_prof_res['logical_port_egress_rules'],
|
|
egress_rules_summarized)
|
|
self.assertIn(ingress_rule,
|
|
sec_prof_res['logical_port_ingress_rules'])
|
|
|
|
def test_update_security_profile_rules_summarize_subset(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
ingress_rule = [{'ethertype': 'IPv4'}]
|
|
egress_rules = [
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP,
|
|
'port_range_min': 1, 'port_range_max': 1,
|
|
'remote_ip_prefix': '1.1.1.1/20'},
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP,
|
|
'port_range_min': 2, 'port_range_max': 2,
|
|
'profile_uuid': 'xyz'},
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP}]
|
|
new_rules = {'logical_port_egress_rules': egress_rules,
|
|
'logical_port_ingress_rules': [ingress_rule]}
|
|
egress_rules_summarized = [
|
|
{'ethertype': 'IPv4', 'protocol': constants.PROTO_NUM_UDP}]
|
|
secgrouplib.update_security_group_rules(
|
|
self.fake_cluster, sec_prof['uuid'], new_rules)
|
|
sec_prof_res = nsxlib.do_request(
|
|
nsxlib.HTTP_GET,
|
|
nsxlib._build_uri_path('security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
self.assertEqual(sec_prof['uuid'], sec_prof_res['uuid'])
|
|
|
|
# Check for builtin rules
|
|
self.assertEqual(len(sec_prof_res['logical_port_ingress_rules']), 1)
|
|
self.assertEqual(sec_prof_res['logical_port_egress_rules'],
|
|
egress_rules_summarized)
|
|
self.assertIn(ingress_rule,
|
|
sec_prof_res['logical_port_ingress_rules'])
|
|
|
|
def test_update_non_existing_securityprofile_raises(self):
|
|
self.assertRaises(exceptions.NeutronException,
|
|
secgrouplib.update_security_group_rules,
|
|
self.fake_cluster, 'whatever',
|
|
{'logical_port_egress_rules': [],
|
|
'logical_port_ingress_rules': []})
|
|
|
|
def test_delete_security_profile(self):
|
|
sec_prof = secgrouplib.create_security_profile(
|
|
self.fake_cluster, _uuid(), 'pippo', {'name': 'test'})
|
|
secgrouplib.delete_security_profile(
|
|
self.fake_cluster, sec_prof['uuid'])
|
|
self.assertRaises(exceptions.NotFound,
|
|
nsxlib.do_request,
|
|
nsxlib.HTTP_GET,
|
|
nsxlib._build_uri_path(
|
|
'security-profile',
|
|
resource_id=sec_prof['uuid']),
|
|
cluster=self.fake_cluster)
|
|
|
|
def test_delete_non_existing_securityprofile_raises(self):
|
|
self.assertRaises(exceptions.NeutronException,
|
|
secgrouplib.delete_security_profile,
|
|
self.fake_cluster, 'whatever')
|