From ec8865030626f2b569c9626c859c000e842e1ba4 Mon Sep 17 00:00:00 2001
From: Puneet Arora
Date: Mon, 6 Feb 2017 23:46:29 +0000
Subject: [PATCH] [Tempest]: Adding of Provider security Group cases. During port update with psg check vm connectivity.
Change-Id: Iec25051122fdb1bb167266108dc28ac097a15694
---
 .../nsxv3/api/test_provider_sec_group.py | 155 ++++++++++++++----
 .../scenario/test_provider_security_group.py | 93 +++++++++--
 2 files changed, 202 insertions(+), 46 deletions(-)
diff --git a/vmware_nsx_tempest/tests/nsxv3/api/test_provider_sec_group.py b/vmware_nsx_tempest/tests/nsxv3/api/test_provider_sec_group.py
index 14d90178f6..e1419af590 100644
--- a/vmware_nsx_tempest/tests/nsxv3/api/test_provider_sec_group.py
+++ b/vmware_nsx_tempest/tests/nsxv3/api/test_provider_sec_group.py
@@ -67,12 +67,12 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 sg_client.delete_security_group(sg_id)
 def create_security_provider_group(self, cmgr=None,
- tenant_id=None, provider=False):
+ project_id=None, provider=False):
 cmgr = cmgr or self.cmgr_adm
 sg_client = cmgr.security_groups_client
 sg_dict = dict(name=data_utils.rand_name('provider-sec-group'))
- if tenant_id:
- sg_dict['tenant_id'] = tenant_id
+ if project_id:
+ sg_dict['tenant_id'] = project_id
 if provider:
 sg_dict['provider'] = True
 sg = sg_client.create_security_group(**sg_dict)
@@ -91,14 +91,14 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 return sg.get('security_group', sg)
 def create_security_group_rule(self, security_group_id,
- cmgr=None, tenant_id=None,
+ cmgr=None, project_id=None,
 protocol=None):
 cmgr = cmgr or self.cmgr_adm
 sgr_client = cmgr.security_group_rules_client
 sgr_dict = dict(security_group_id=security_group_id,
 direction='ingress', protocol=protocol)
- if tenant_id:
- sgr_dict['tenant_id'] = tenant_id
+ if project_id:
+ sgr_dict['tenant_id'] = project_id
 sgr = sgr_client.create_security_group_rule(**sgr_dict)
 return sgr.get('security_group_rule', sgr)
@@ -127,7 +127,8 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 sg = self.create_security_provider_group(self.cmgr_adm, provider=True)
 sg_id = sg.get('id')
 show_sec_group = sg_client.show_security_group(sg_id)
- self.assertEqual(True, show_sec_group['security_group']['provider'])
+ self.assertEqual(True, show_sec_group['security_group']['provider'],
+ "Provider security group created")
 sg_show = sg_client.update_security_group(sg_id, description=sg_desc)
 self.assertEqual(sg_desc, sg_show['security_group'].get('description'))
 self.delete_security_group(sg_client, sg_id)
@@ -138,9 +139,9 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 @test.attr(type='nsxv3')
 @test.idempotent_id('2bc5452f-5673-4dbe-afb3-fb40bf0916a5')
 def test_admin_can_create_provider_security_group_for_tenant(self):
- tenant_id = self.cmgr_alt.networks_client.tenant_id
+ project_id = self.cmgr_alt.networks_client.tenant_id
 sg = self.create_security_provider_group(self.cmgr_adm,
- tenant_id=tenant_id,
+ project_id=project_id,
 provider=True)
 self.assertEqual(True, sg.get('provider'))
@@ -193,6 +194,9 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 net_client = self.cmgr_adm.networks_client
 body = {'name': 'provider-network'}
 network = net_client.create_network(**body)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ net_client.delete_network,
+ network['network']['id'])
 body = {"network_id": network['network']['id'],
 "allocation_pools": [{"start": "2.0.0.2",
 "end": "2.0.0.254"}],
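Review bot: The string added as the third argument of `assertEqual` is printed only when the assertion fails, so "Provider security group created" will appear in a failure report reading like a success. Word it as the failure instead, for example `"security group was created without provider=True"`. The same applies to "Provider security group is not set on port" and "PSG assigned to port is accurate" in the two tests added by the @@ -308,19 +322,94 @@ hunk. The test method starts above this hunk.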
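Review bot: `test_utils.call_and_ignore_notfound_exc` is referenced here and again in the @@ -203, @@ -243, @@ -260 and @@ -308 hunks, but no hunk in this patch touches the import block of test_provider_sec_group.py. If the module does not already import it, each of these tests fails with a NameError before reaching an assertion; confirm that `from tempest.lib.common.utils import test_utils` is present. The test body begins above and continues below this hunk.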
@@ -203,11 +207,13 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 "admin_state_up": 'true'}
 port_client = self.cmgr_adm.ports_client
 port_id = port_client.create_port(**body)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ port_client.delete_port,
+ port_id['port']['id'])
 ss = port_client.show_port(port_id['port']['id'])
 self.assertEqual([sg_id], ss['port']['provider_security_groups'])
- body = {"id": port_id}
- port_client.delete_port(port_id['port']['id'])
- net_client.delete_network(network['network']['id'])
+ kwargs = {"provider_security_groups": ''}
+ port_client.update_port(port_id['port']['id'], **kwargs)
 @test.attr(type='nsxv3')
 @test.idempotent_id('2c44a134-f013-46b7-a2ec-14c7c38a4d8c')
@@ -225,17 +231,17 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 @test.attr(type='nsxv3')
 @test.idempotent_id('275abe9f-4f01-46e5-bde0-0b6840290d3b')
 def test_provider_sec_group_with_multiple_rules(self):
- tenant_id = self.cmgr_adm.networks_client.tenant_id
+ project_id = self.cmgr_adm.networks_client.tenant_id
 sg = self.create_security_provider_group(self.cmgr_adm,
- tenant_id=tenant_id)
+ project_id=project_id)
 sg_rule1 = self.create_security_group_rule(sg.get('id'),
 cmgr=self.cmgr_adm,
- tenant_id=tenant_id,
+ project_id=project_id,
 protocol='icmp')
 sg_rule1_id = sg_rule1.get('id')
 sg_rule2 = self.create_security_group_rule(sg.get('id'),
 cmgr=self.cmgr_adm,
- tenant_id=tenant_id,
+ project_id=project_id,
 protocol='tcp')
 sg_rule2_id = sg_rule2.get('id')
 self.assertNotEqual(sg_rule1_id, sg_rule2_id)
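Review bot: The trailing `update_port` that clears the provider security group is never checked, and it sends an empty string where the create calls in this file send a list (`"provider_security_groups": []`). Whether the API treats `''` as "no groups" cannot be told from the patch, so the step passes as long as the call does not raise. Follow it with `ss = port_client.show_port(port_id['port']['id'])` and `self.assertEqual([], ss['port']['provider_security_groups'])`, and prefer `[]` for the value. The same unchecked clear ends the tests in the @@ -260 and @@ -308 hunks and the scenario helper in @@ -225,13 +225,72 @@. The test starts above this hunk.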
@@ -243,13 +249,16 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 @test.attr(type='nsxv3')
 @test.idempotent_id('5d25370e-da6a-44a7-8565-7b1c2fc39fdc')
 def test_clear_provider_sec_group_from_port(self):
- tenant_id = self.cmgr_adm.networks_client.tenant_id
+ project_id = self.cmgr_adm.networks_client.tenant_id
 self.create_security_provider_group(self.cmgr_adm,
- tenant_id=tenant_id,
+ project_id=project_id,
 provider=True)
 net_client = self.cmgr_adm.networks_client
 body = {'name': 'provider-network'}
 network = net_client.create_network(**body)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ net_client.delete_network,
+ network['network']['id'])
 body = {"network_id": network['network']['id'],
 "allocation_pools": [{"start": "2.0.0.2",
 "end": "2.0.0.254"}],
@@ -260,23 +269,28 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 "provider_security_groups": []}
 port_client = self.cmgr_adm.ports_client
 port_id = port_client.create_port(**body)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ port_client.delete_port,
+ port_id['port']['id'])
 ss = port_client.show_port(port_id['port']['id'])
 self.assertEqual([], ss['port']['provider_security_groups'])
- port_client.delete_port(port_id['port']['id'])
- net_client.delete_network(network['network']['id'])
+ kwargs = {"provider_security_groups": ''}
+ port_client.update_port(port_id['port']['id'], **kwargs)
 @test.attr(type='nsxv3')
 @test.idempotent_id('dfc6bb8e-ba7b-4ce5-b6ee-0d0830d7e152')
 def test_check_security_group_precedence_at_beckend(self):
 count = 0
- tenant_id = self.cmgr_adm.networks_client.tenant_id
- provider_sg = self.create_security_provider_group(self.cmgr_adm,
- tenant_id=tenant_id,
- provider=True)
+ project_id = self.cmgr_adm.networks_client.tenant_id
+ provider_sg = \
+ self.create_security_provider_group(self.cmgr_adm,
+ project_id=project_id,
+ provider=True)
 provider_sg_name = provider_sg.get('name')
- default_sg = self.create_security_provider_group(self.cmgr_adm,
- tenant_id=tenant_id,
- provider=False)
+ default_sg = \
+ self.create_security_provider_group(self.cmgr_adm,
+ project_id=project_id,
+ provider=False)
 sg_name = default_sg.get('name')
 firewall_section = self.nsx.get_firewall_sections()
 for sec_name in firewall_section:
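Review bot: The rewrapped assignments in test_check_security_group_precedence_at_beckend rely on a trailing backslash (`provider_sg = \` and `default_sg = \`), which turns into a syntax error if whitespace ever follows it and which PEP 8 advises against. Break inside the call's parentheses instead: `provider_sg = self.create_security_provider_group(` followed by `self.cmgr_adm, project_id=project_id, provider=True)`, and likewise for `default_sg`. The function continues below this hunk.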
@@ -292,9 +306,9 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest):
 @test.attr(type='nsxv3')
 @test.idempotent_id('37d8fbfc-eb3f-40c8-a146-70f5df937a2e')
 def test_tenant_cannot_delete_admin_provider_security_group(self):
- tenant_id = self.cmgr_adm.networks_client.tenant_id
+ project_id = self.cmgr_adm.networks_client.tenant_id
 sg = self.create_security_provider_group(self.cmgr_adm,
- tenant_id=tenant_id,
+ project_id=project_id,
 provider=True)
 sg_id = sg.get('id')
 sg_client = self.cmgr_alt.security_groups_client
@@ -308,19 +322,94 @@ class ProviderSecurityGroupTest(base.BaseAdminNetworkTest): @test.attr(type='nsxv3') @test.idempotent_id('1bbebba3-780c-4e95-a95a-e52f577a6c1d') def test_tenant_cannot_create_provider_sec_group(self): - tenant_id = self.cmgr_alt.networks_client.tenant_id + project_id = self.cmgr_alt.networks_client.tenant_id self.assertRaises(exceptions.Forbidden, self.create_security_provider_group, - self.cmgr_alt, tenant_id=tenant_id, + self.cmgr_alt, project_id=project_id, provider=True) LOG.info(_LI("Non-Admin Tenant cannot create provider sec group")) + @test.attr(type='nsxv3') + @test.idempotent_id('0d021bb2-9e21-422c-a509-6ac27803b2a2') + def test_update_port_with_psg(self): + net_client = self.cmgr_adm.networks_client + body = {'name': 'provider-network'} + network = net_client.create_network(**body) + self.addCleanup(test_utils.call_and_ignore_notfound_exc, + net_client.delete_network, + network['network']['id']) + body = {"network_id": network['network']['id'], + "allocation_pools": [{"start": "2.0.0.2", + "end": "2.0.0.254"}], + "ip_version": 4, "cidr": "2.0.0.0/24"} + subnet_client = self.cmgr_adm.subnets_client + subnet_client.create_subnet(**body) + body = {"network_id": network['network']['id'], + "provider_security_groups": []} + port_client = self.cmgr_adm.ports_client + port_id = port_client.create_port(**body) + self.addCleanup(test_utils.call_and_ignore_notfound_exc, + port_client.delete_port, + port_id['port']['id']) + ss = port_client.show_port(port_id['port']['id']) + self.assertEqual([], ss['port']['provider_security_groups'], + "Provider security group is not set on port") + project_id = self.cmgr_adm.networks_client.tenant_id + sg = self.create_security_provider_group(self.cmgr_adm, + project_id=project_id, + provider=True) + sg_id = sg.get('id') + body = {"provider_security_groups": ["%s" % sg_id]} + port_client.update_port(port_id['port']['id'], **body) + ss = port_client.show_port(port_id['port']['id']) + self.assertEqual([sg_id], 
ss['port']['provider_security_groups'], + "PSG assigned to port is accurate") + kwargs = {"provider_security_groups": ''} + port_client.update_port(port_id['port']['id'], **kwargs) + + @test.attr(type='nsxv3') + @test.idempotent_id('2922a7fb-75fb-4d9f-9fdb-4b017c191aba') + def test_update_port_with_psg_using_different_tenant(self): + net_client = self.cmgr_alt.networks_client + body = {'name': 'provider-network'} + network = net_client.create_network(**body) + self.addCleanup(test_utils.call_and_ignore_notfound_exc, + net_client.delete_network, + network['network']['id']) + body = {"network_id": network['network']['id'], + "allocation_pools": [{"start": "2.0.0.2", + "end": "2.0.0.254"}], + "ip_version": 4, "cidr": "2.0.0.0/24"} + subnet_client = self.cmgr_alt.subnets_client + subnet_client.create_subnet(**body) + body = {"network_id": network['network']['id'], + "provider_security_groups": []} + port_client = self.cmgr_alt.ports_client + port_id = port_client.create_port(**body) + self.addCleanup(test_utils.call_and_ignore_notfound_exc, + port_client.delete_port, + port_id['port']['id']) + ss = port_client.show_port(port_id['port']['id']) + self.assertEqual([], ss['port']['provider_security_groups'], + "Provider security group is not set on port") + project_id = self.cmgr_adm.networks_client.tenant_id + sg = self.create_security_provider_group(self.cmgr_adm, + project_id=project_id, + provider=True) + sg_id = sg.get('id') + body = {"provider_security_groups": ["%s" % sg_id]} + self.assertRaises(exceptions.NotFound, + port_client.update_port, + port_id['port']['id'], **body) + kwargs = {"provider_security_groups": ''} + port_client.update_port(port_id['port']['id'], **kwargs) + @test.attr(type='nsxv3') @test.idempotent_id('cef8d816-e5fa-45a5-a5a5-f1f2ed8fb49f') def test_tenant_cannot_create_provider_sec_group_for_other_tenant(self): tenant_cmgr = self.cmgr_alt - tenant_id = tenant_cmgr.networks_client.tenant_id + project_id = tenant_cmgr.networks_client.tenant_id 
self.assertRaises(exceptions.BadRequest, self.create_security_provider_group, self.cmgr_pri, - tenant_id=tenant_id, + project_id=project_id, provider=True) diff --git a/vmware_nsx_tempest/tests/nsxv3/scenario/test_provider_security_group.py b/vmware_nsx_tempest/tests/nsxv3/scenario/test_provider_security_group.py index c3ff1b0bfc..a5a1f17ff6 100644 --- a/vmware_nsx_tempest/tests/nsxv3/scenario/test_provider_security_group.py +++ b/vmware_nsx_tempest/tests/nsxv3/scenario/test_provider_security_group.py @@ -69,11 +69,11 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest): self.servers = [] def create_security_provider_group(self, cmgr=None, - tenant_id=None, provider=False): + project_id=None, provider=False): sg_client_admin = self.cmgr_adm.security_groups_client sg_dict = dict(name=data_utils.rand_name('provider-sec-group')) - if tenant_id: - sg_dict['tenant_id'] = tenant_id + if project_id: + sg_dict['tenant_id'] = project_id if provider: sg_dict['provider'] = True sg = sg_client_admin.create_security_group(**sg_dict) @@ -156,14 +156,14 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest): return address['addr'] def create_security_group_rule(self, security_group_id, - cmgr=None, tenant_id=None, + cmgr=None, project_id=None, protocol=None): cmgr = cmgr or self.cmgr_adm sgr_client = cmgr.security_group_rules_client sgr_dict = dict(security_group_id=security_group_id, direction='ingress', protocol=protocol) - if tenant_id: - sgr_dict['tenant_id'] = tenant_id + if project_id: + sgr_dict['tenant_id'] = project_id sgr = sgr_client.create_security_group_rule(**sgr_dict) return sgr.get('security_group_rule', sgr) 
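Review bot: test_update_port_with_psg_using_different_tenant stops at `self.assertRaises(exceptions.NotFound, ...)` and never confirms that the rejected update left the port unchanged. For a tenant-isolation check the state after the refusal matters as much as the error type, so add `ss = port_client.show_port(port_id['port']['id'])` and `self.assertEqual([], ss['port']['provider_security_groups'])` after it. The final `update_port` with `provider_security_groups=''` is then sent through the non-admin `cmgr_alt` client on a port that has no group attached; whether tenants are allowed to modify that field is not visible in this patch, so the test should either assert the expected outcome of that call or drop it. The network, subnet and port set-up is also repeated across four tests now and would read better as one helper.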
@@ -225,13 +225,72 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest): src=floating_ip)) raise - def _test_connectivity_between_default_psg_server(self, network_topo): + def _create_vms_without_psg(self, network_topo): server_name_default = data_utils.rand_name('server-default-sec-group') network = network_topo['network'] server_default = self._create_server(server_name_default, network) - tenant_id = network['tenant_id'] + server_name_psg = data_utils.rand_name('server-psg-sec-group') + server_psg = self._create_server(server_name_psg, network) + servers = dict(server_default=server_default, server_psg=server_psg) + return servers + + def _test_connectivity_between_vms_after_port_update(self, network_topo, + servers): + floating_ip_default = self.create_floating_ip( + servers['server_default']) + floating_ip_psg = self.create_floating_ip(servers['server_psg']) + private_ip_address_psg_vm = floating_ip_psg['fixed_ip_address'] + public_ip_address_psg_vm = \ + floating_ip_psg['floating_ip_address'] + private_ip_address_default_vm = floating_ip_default['fixed_ip_address'] + public_ip_address_default_vm = \ + floating_ip_default['floating_ip_address'] + private_key_default_vm = \ + self._get_server_key(servers['server_default']) + private_key_psg_vm = \ + self._get_server_key(servers['server_psg']) + self._check_server_connectivity(public_ip_address_default_vm, + private_ip_address_psg_vm, + private_key_default_vm) + self._check_server_connectivity(public_ip_address_psg_vm, + private_ip_address_default_vm, + private_key_psg_vm) + project_id = network_topo['network']['tenant_id'] sg = self.create_security_provider_group(provider=True, - tenant_id=tenant_id) + project_id=project_id) + sg_id = sg.get('id') + self.create_security_group_rule(sg_id, cmgr=self.cmgr_adm, + protocol='icmp') + p_client = self.ports_client + kwargs = {"provider_security_groups": ["%s" % sg_id]} + port_id_psg = self.get_port_id(network_topo['network']['id'], + 
network_topo['subnet']['id'], + servers['server_psg']) + port_id_default = self.get_port_id(network_topo['network']['id'], + network_topo['subnet']['id'], + servers['server_default']) + p_client.update_port(port_id_psg, **kwargs) + p_client.update_port(port_id_default, **kwargs) + self._check_server_connectivity(public_ip_address_default_vm, + private_ip_address_psg_vm, + private_key_default_vm, + should_connect=False) + self._check_server_connectivity(public_ip_address_psg_vm, + private_ip_address_default_vm, + private_key_psg_vm, + should_connect=False) + kwargs = {"provider_security_groups": ''} + p_client.update_port(port_id_psg, **kwargs) + p_client.update_port(port_id_default, **kwargs) + + def _test_connectivity_between_default_psg_server(self, network_topo): + server_name_default = \ + data_utils.rand_name('server-default-sec-group') + network = network_topo['network'] + server_default = self._create_server(server_name_default, network) + project_id = network['tenant_id'] + sg = self.create_security_provider_group(provider=True, + project_id=project_id) sg_id = sg.get('id') server_name_psg = data_utils.rand_name('server-psg-sec-group') server_psg = self._create_server(server_name_psg, network) @@ -254,9 +313,9 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest): server_name_default = data_utils.rand_name('server-default-sec-group') network = network_topo['network'] server_default = self._create_server(server_name_default, network) - tenant_id = network['tenant_id'] + project_id = network['tenant_id'] sg = self.create_security_provider_group(provider=True, - tenant_id=tenant_id) + project_id=project_id) sg_id = sg.get('id') server_name_psg = data_utils.rand_name('server-psg-sec-group') server_psg = self._create_server(server_name_psg, network) 
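Review bot: In _test_connectivity_between_vms_after_port_update the two `should_connect=False` checks are the last assertions, so nothing shows that the loss of reachability came from the provider security group rather than from an unrelated failure, and the detach at the end is not verified. Repeating the baseline checks after the clearing `update_port` calls covers both and shows that removing the group restores traffic. Because the detach sits in the test body, a failed negative check also skips it; that is probably harmless if server cleanup removes the ports, but this hunk does not show that.

```python
        # … unchanged: baseline checks, PSG attach, should_connect=False checks …
        p_client.update_port(port_id_default, **kwargs)
        # Detaching the provider security group must restore the baseline.
        self._check_server_connectivity(public_ip_address_default_vm,
                                        private_ip_address_psg_vm,
                                        private_key_default_vm)
        self._check_server_connectivity(public_ip_address_psg_vm,
                                        private_ip_address_default_vm,
                                        private_key_psg_vm)
```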
@@ -296,9 +355,9 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest): server_default_1 = self._create_server(server_name_default_1, network) server_default_2 = self._create_server(server_name_default_2, network2) - tenant_id = network['tenant_id'] + project_id = network['tenant_id'] sg = self.create_security_provider_group(provider=True, - tenant_id=tenant_id) + project_id=project_id) sg_id = sg.get('id') server_name_psg_1 = data_utils.rand_name('server-psg-sec-group1') server_psg_1 = self._create_server(server_name_psg_1, network) @@ -344,6 +403,14 @@ class TestProviderSecurityGroup(manager.NetworkScenarioTest): self.network_topo = self.create_network_topo() self._test_connectivity_between_default_psg_server(self.network_topo) + @test.attr(type='nsxv3') + @test.idempotent_id('a14b5c25-39ce-4641-bd51-f28c25e69440') + def test_vm_connectivity_port_update_with_psg(self): + self.network_topo = self.create_network_topo() + self.servers = self._create_vms_without_psg(self.network_topo) + self._test_connectivity_between_vms_after_port_update( + self.network_topo, self.servers) + @test.attr(type='nsxv3') @test.idempotent_id('4a8eac6a-68ff-4392-bab9-70ea08132acb') def test_connectivity_between_default_psg_servers(self):
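Review bot: `self.servers = self._create_vms_without_psg(self.network_topo)` in test_vm_connectivity_port_update_with_psg rebinds `self.servers` to a dict, while the context line `self.servers = []` in the @@ -69,11 +69,11 @@ hunk initialises it as a list. Any helper or cleanup that appends to or iterates over that list would then misbehave; whether one exists is not visible in this patch. A local keeps the attribute's type stable: `servers = self._create_vms_without_psg(self.network_topo)`, then pass `servers` to `_test_connectivity_between_vms_after_port_update`.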