70c6071943
This patch moves the hash update call into the success block of the server manager so the database isn't updated with a hash header from an error response. Additionally, it prevents the hash from being updated to an empty value if the hash header is not present in the response. Closes-Bug: #1348766 Change-Id: I512d01f9bb91b208dd58883d2464951ecc6748e1
490 lines
22 KiB
Python
490 lines
22 KiB
Python
# Copyright 2014 Big Switch Networks, Inc. All rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# @author: Kevin Benton, kevin.benton@bigswitch.com
|
|
#
|
|
import contextlib
|
|
import httplib
|
|
import socket
|
|
import ssl
|
|
|
|
import mock
|
|
from oslo.config import cfg
|
|
|
|
from neutron import manager
|
|
from neutron.openstack.common import importutils
|
|
from neutron.plugins.bigswitch import servermanager
|
|
from neutron.tests.unit.bigswitch import test_restproxy_plugin as test_rp
|
|
|
|
SERVERMANAGER = 'neutron.plugins.bigswitch.servermanager'
|
|
HTTPCON = SERVERMANAGER + '.httplib.HTTPConnection'
|
|
HTTPSCON = SERVERMANAGER + '.HTTPSConnectionWithValidation'
|
|
|
|
|
|
class ServerManagerTests(test_rp.BigSwitchProxyPluginV2TestCase):
|
|
|
|
def setUp(self):
|
|
self.socket_mock = mock.patch(
|
|
SERVERMANAGER + '.socket.create_connection').start()
|
|
self.wrap_mock = mock.patch(SERVERMANAGER + '.ssl.wrap_socket').start()
|
|
super(ServerManagerTests, self).setUp()
|
|
# http patch must not be running or it will mangle the servermanager
|
|
# import where the https connection classes are defined
|
|
self.httpPatch.stop()
|
|
self.sm = importutils.import_module(SERVERMANAGER)
|
|
|
|
def test_no_servers(self):
|
|
cfg.CONF.set_override('servers', [], 'RESTPROXY')
|
|
self.assertRaises(cfg.Error, servermanager.ServerPool)
|
|
|
|
def test_malformed_servers(self):
|
|
cfg.CONF.set_override('servers', ['1.2.3.4', '1.1.1.1:a'], 'RESTPROXY')
|
|
self.assertRaises(cfg.Error, servermanager.ServerPool)
|
|
|
|
def test_ipv6_server_address(self):
|
|
cfg.CONF.set_override(
|
|
'servers', ['[ABCD:EF01:2345:6789:ABCD:EF01:2345:6789]:80'],
|
|
'RESTPROXY')
|
|
s = servermanager.ServerPool()
|
|
self.assertEqual(s.servers[0].server,
|
|
'[ABCD:EF01:2345:6789:ABCD:EF01:2345:6789]')
|
|
|
|
def test_sticky_cert_fetch_fail(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.ssl = True
|
|
with mock.patch(
|
|
'ssl.get_server_certificate',
|
|
side_effect=Exception('There is no more entropy in the universe')
|
|
) as sslgetmock:
|
|
self.assertRaises(
|
|
cfg.Error,
|
|
pl.servers._get_combined_cert_for_server,
|
|
*('example.org', 443)
|
|
)
|
|
sslgetmock.assert_has_calls([mock.call(('example.org', 443))])
|
|
|
|
def test_consistency_watchdog_stops_with_0_polling_interval(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.capabilities = ['consistency']
|
|
self.watch_p.stop()
|
|
with mock.patch('eventlet.sleep') as smock:
|
|
# should return immediately a polling interval of 0
|
|
pl.servers._consistency_watchdog(0)
|
|
self.assertFalse(smock.called)
|
|
|
|
def test_consistency_watchdog(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.capabilities = []
|
|
self.watch_p.stop()
|
|
with contextlib.nested(
|
|
mock.patch('eventlet.sleep'),
|
|
mock.patch(
|
|
SERVERMANAGER + '.ServerPool.rest_call',
|
|
side_effect=servermanager.RemoteRestError(
|
|
reason='Failure to trigger except clause.'
|
|
)
|
|
),
|
|
mock.patch(
|
|
SERVERMANAGER + '.LOG.exception',
|
|
side_effect=KeyError('Failure to break loop')
|
|
)
|
|
) as (smock, rmock, lmock):
|
|
# should return immediately without consistency capability
|
|
pl.servers._consistency_watchdog()
|
|
self.assertFalse(smock.called)
|
|
pl.servers.capabilities = ['consistency']
|
|
self.assertRaises(KeyError,
|
|
pl.servers._consistency_watchdog)
|
|
rmock.assert_called_with('GET', '/health', '', {}, [], False)
|
|
self.assertEqual(1, len(lmock.mock_calls))
|
|
|
|
def test_consistency_hash_header(self):
|
|
# mock HTTP class instead of rest_call so we can see headers
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
rv.getresponse.return_value.getheader.return_value = 'HASHHEADER'
|
|
rv.getresponse.return_value.status = 200
|
|
rv.getresponse.return_value.read.return_value = ''
|
|
with self.network():
|
|
callheaders = rv.request.mock_calls[0][1][3]
|
|
self.assertIn('X-BSN-BVS-HASH-MATCH', callheaders)
|
|
# first call will be empty to indicate no previous state hash
|
|
self.assertEqual(callheaders['X-BSN-BVS-HASH-MATCH'], '')
|
|
# change the header that will be received on delete call
|
|
rv.getresponse.return_value.getheader.return_value = 'HASH2'
|
|
|
|
# net delete should have used header received on create
|
|
callheaders = rv.request.mock_calls[1][1][3]
|
|
self.assertEqual(callheaders['X-BSN-BVS-HASH-MATCH'], 'HASHHEADER')
|
|
|
|
# create again should now use header received from prev delete
|
|
with self.network():
|
|
callheaders = rv.request.mock_calls[2][1][3]
|
|
self.assertIn('X-BSN-BVS-HASH-MATCH', callheaders)
|
|
self.assertEqual(callheaders['X-BSN-BVS-HASH-MATCH'],
|
|
'HASH2')
|
|
|
|
def test_consistency_hash_header_no_update_on_bad_response(self):
|
|
# mock HTTP class instead of rest_call so we can see headers
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
rv.getresponse.return_value.getheader.return_value = 'HASHHEADER'
|
|
rv.getresponse.return_value.status = 200
|
|
rv.getresponse.return_value.read.return_value = ''
|
|
with self.network():
|
|
# change the header that will be received on delete call
|
|
rv.getresponse.return_value.getheader.return_value = 'EVIL'
|
|
rv.getresponse.return_value.status = 'GARBAGE'
|
|
|
|
# create again should not use header from delete call
|
|
with self.network():
|
|
callheaders = rv.request.mock_calls[2][1][3]
|
|
self.assertIn('X-BSN-BVS-HASH-MATCH', callheaders)
|
|
self.assertEqual(callheaders['X-BSN-BVS-HASH-MATCH'],
|
|
'HASHHEADER')
|
|
|
|
def test_file_put_contents(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
with mock.patch(SERVERMANAGER + '.open', create=True) as omock:
|
|
pl.servers._file_put_contents('somepath', 'contents')
|
|
omock.assert_has_calls([mock.call('somepath', 'w')])
|
|
omock.return_value.__enter__.return_value.assert_has_calls([
|
|
mock.call.write('contents')
|
|
])
|
|
|
|
def test_combine_certs_to_file(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
with mock.patch(SERVERMANAGER + '.open', create=True) as omock:
|
|
omock.return_value.__enter__().read.return_value = 'certdata'
|
|
pl.servers._combine_certs_to_file(['cert1.pem', 'cert2.pem'],
|
|
'combined.pem')
|
|
# mock shared between read and write file handles so the calls
|
|
# are mixed together
|
|
omock.assert_has_calls([
|
|
mock.call('combined.pem', 'w'),
|
|
mock.call('cert1.pem', 'r'),
|
|
mock.call('cert2.pem', 'r'),
|
|
], any_order=True)
|
|
omock.return_value.__enter__.return_value.assert_has_calls([
|
|
mock.call.read(),
|
|
mock.call.write('certdata'),
|
|
mock.call.read(),
|
|
mock.call.write('certdata')
|
|
])
|
|
|
|
def test_auth_header(self):
|
|
cfg.CONF.set_override('server_auth', 'username:pass', 'RESTPROXY')
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
rv.getresponse.return_value.getheader.return_value = 'HASHHEADER'
|
|
sp.rest_create_network('tenant', 'network')
|
|
callheaders = rv.request.mock_calls[0][1][3]
|
|
self.assertIn('Authorization', callheaders)
|
|
self.assertEqual(callheaders['Authorization'],
|
|
'Basic dXNlcm5hbWU6cGFzcw==')
|
|
|
|
def test_header_add(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
rv.getresponse.return_value.getheader.return_value = 'HASHHEADER'
|
|
sp.servers[0].rest_call('GET', '/', headers={'EXTRA-HEADER': 'HI'})
|
|
callheaders = rv.request.mock_calls[0][1][3]
|
|
# verify normal headers weren't mangled
|
|
self.assertIn('Content-type', callheaders)
|
|
self.assertEqual(callheaders['Content-type'],
|
|
'application/json')
|
|
# verify new header made it in
|
|
self.assertIn('EXTRA-HEADER', callheaders)
|
|
self.assertEqual(callheaders['EXTRA-HEADER'], 'HI')
|
|
|
|
def test_capabilities_retrieval(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value.getresponse.return_value
|
|
rv.getheader.return_value = 'HASHHEADER'
|
|
|
|
# each server will get different capabilities
|
|
rv.read.side_effect = ['["a","b","c"]', '["b","c","d"]']
|
|
# pool capabilities is intersection between both
|
|
self.assertEqual(set(['b', 'c']), sp.get_capabilities())
|
|
self.assertEqual(2, rv.read.call_count)
|
|
|
|
# the pool should cache after the first call so no more
|
|
# HTTP calls should be made
|
|
rv.read.side_effect = ['["w","x","y"]', '["x","y","z"]']
|
|
self.assertEqual(set(['b', 'c']), sp.get_capabilities())
|
|
self.assertEqual(2, rv.read.call_count)
|
|
|
|
def test_capabilities_retrieval_failure(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value.getresponse.return_value
|
|
rv.getheader.return_value = 'HASHHEADER'
|
|
# a failure to parse should result in an empty capability set
|
|
rv.read.return_value = 'XXXXX'
|
|
self.assertEqual([], sp.servers[0].get_capabilities())
|
|
|
|
# One broken server should affect all capabilities
|
|
rv.read.side_effect = ['{"a": "b"}', '["b","c","d"]']
|
|
self.assertEqual(set(), sp.get_capabilities())
|
|
|
|
def test_reconnect_on_timeout_change(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
rv.getresponse.return_value.getheader.return_value = 'HASHHEADER'
|
|
sp.servers[0].capabilities = ['keep-alive']
|
|
sp.servers[0].rest_call('GET', '/', timeout=10)
|
|
# even with keep-alive enabled, a change in timeout will trigger
|
|
# a reconnect
|
|
sp.servers[0].rest_call('GET', '/', timeout=75)
|
|
conmock.assert_has_calls([
|
|
mock.call('localhost', 9000, timeout=10),
|
|
mock.call('localhost', 9000, timeout=75),
|
|
], any_order=True)
|
|
|
|
def test_connect_failures(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON, return_value=None):
|
|
resp = sp.servers[0].rest_call('GET', '/')
|
|
self.assertEqual(resp, (0, None, None, None))
|
|
# verify same behavior on ssl class
|
|
sp.servers[0].currentcon = False
|
|
sp.servers[0].ssl = True
|
|
with mock.patch(HTTPSCON, return_value=None):
|
|
resp = sp.servers[0].rest_call('GET', '/')
|
|
self.assertEqual(resp, (0, None, None, None))
|
|
|
|
def test_reconnect_cached_connection(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
rv.getresponse.return_value.getheader.return_value = 'HASH'
|
|
sp.servers[0].capabilities = ['keep-alive']
|
|
sp.servers[0].rest_call('GET', '/first')
|
|
# raise an error on re-use to verify reconnect
|
|
# return okay the second time so the reconnect works
|
|
rv.request.side_effect = [httplib.ImproperConnectionState(),
|
|
mock.MagicMock()]
|
|
sp.servers[0].rest_call('GET', '/second')
|
|
uris = [c[1][1] for c in rv.request.mock_calls]
|
|
expected = [
|
|
sp.base_uri + '/first',
|
|
sp.base_uri + '/second',
|
|
sp.base_uri + '/second',
|
|
]
|
|
self.assertEqual(uris, expected)
|
|
|
|
def test_no_reconnect_recurse_to_infinity(self):
|
|
# retry uses recursion when a reconnect is necessary
|
|
# this test makes sure it stops after 1 recursive call
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
rv = conmock.return_value
|
|
# hash header must be string instead of mock object
|
|
rv.getresponse.return_value.getheader.return_value = 'HASH'
|
|
sp.servers[0].capabilities = ['keep-alive']
|
|
sp.servers[0].rest_call('GET', '/first')
|
|
# after retrying once, the rest call should raise the
|
|
# exception up
|
|
rv.request.side_effect = httplib.ImproperConnectionState()
|
|
self.assertRaises(httplib.ImproperConnectionState,
|
|
sp.servers[0].rest_call,
|
|
*('GET', '/second'))
|
|
# 1 for the first call, 2 for the second with retry
|
|
self.assertEqual(rv.request.call_count, 3)
|
|
|
|
def test_socket_error(self):
|
|
sp = servermanager.ServerPool()
|
|
with mock.patch(HTTPCON) as conmock:
|
|
conmock.return_value.request.side_effect = socket.timeout()
|
|
resp = sp.servers[0].rest_call('GET', '/')
|
|
self.assertEqual(resp, (0, None, None, None))
|
|
|
|
def test_cert_get_fail(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.ssl = True
|
|
with mock.patch('os.path.exists', return_value=False):
|
|
self.assertRaises(cfg.Error,
|
|
pl.servers._get_combined_cert_for_server,
|
|
*('example.org', 443))
|
|
|
|
def test_cert_make_dirs(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.ssl = True
|
|
cfg.CONF.set_override('ssl_sticky', False, 'RESTPROXY')
|
|
# pretend base dir exists, 3 children don't, and host cert does
|
|
with contextlib.nested(
|
|
mock.patch('os.path.exists', side_effect=[True, False, False,
|
|
False, True]),
|
|
mock.patch('os.makedirs'),
|
|
mock.patch(SERVERMANAGER + '.ServerPool._combine_certs_to_file')
|
|
) as (exmock, makemock, combmock):
|
|
# will raise error because no certs found
|
|
self.assertIn(
|
|
'example.org',
|
|
pl.servers._get_combined_cert_for_server('example.org', 443)
|
|
)
|
|
base = cfg.CONF.RESTPROXY.ssl_cert_directory
|
|
hpath = base + '/host_certs/example.org.pem'
|
|
combpath = base + '/combined/example.org.pem'
|
|
combmock.assert_has_calls([mock.call([hpath], combpath)])
|
|
self.assertEqual(exmock.call_count, 5)
|
|
self.assertEqual(makemock.call_count, 3)
|
|
|
|
def test_no_cert_error(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.ssl = True
|
|
cfg.CONF.set_override('ssl_sticky', False, 'RESTPROXY')
|
|
# pretend base dir exists and 3 children do, but host cert doesn't
|
|
with mock.patch(
|
|
'os.path.exists',
|
|
side_effect=[True, True, True, True, False]
|
|
) as exmock:
|
|
# will raise error because no certs found
|
|
self.assertRaises(
|
|
cfg.Error,
|
|
pl.servers._get_combined_cert_for_server,
|
|
*('example.org', 443)
|
|
)
|
|
self.assertEqual(exmock.call_count, 5)
|
|
|
|
def test_action_success(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
self.assertTrue(pl.servers.action_success((200,)))
|
|
|
|
def test_server_failure(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
self.assertTrue(pl.servers.server_failure((404,)))
|
|
# server failure has an ignore codes option
|
|
self.assertFalse(pl.servers.server_failure((404,),
|
|
ignore_codes=[404]))
|
|
|
|
def test_conflict_triggers_sync(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
with mock.patch(
|
|
SERVERMANAGER + '.ServerProxy.rest_call',
|
|
return_value=(httplib.CONFLICT, 0, 0, 0)
|
|
) as srestmock:
|
|
# making a call should trigger a conflict sync
|
|
pl.servers.rest_call('GET', '/', '', None, [])
|
|
srestmock.assert_has_calls([
|
|
mock.call('GET', '/', '', None, False, reconnect=True,
|
|
hash_handler=mock.ANY),
|
|
mock.call('PUT', '/topology',
|
|
{'routers': [], 'networks': []},
|
|
timeout=None)
|
|
])
|
|
|
|
def test_conflict_sync_raises_error_without_topology(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
pl.servers.get_topo_function = None
|
|
with mock.patch(
|
|
SERVERMANAGER + '.ServerProxy.rest_call',
|
|
return_value=(httplib.CONFLICT, 0, 0, 0)
|
|
):
|
|
# making a call should trigger a conflict sync that will
|
|
# error without the topology function set
|
|
self.assertRaises(
|
|
cfg.Error,
|
|
pl.servers.rest_call,
|
|
*('GET', '/', '', None, [])
|
|
)
|
|
|
|
def test_floating_calls(self):
|
|
pl = manager.NeutronManager.get_plugin()
|
|
with mock.patch(SERVERMANAGER + '.ServerPool.rest_action') as ramock:
|
|
pl.servers.rest_create_floatingip('tenant', {'id': 'somefloat'})
|
|
pl.servers.rest_update_floatingip('tenant', {'name': 'myfl'}, 'id')
|
|
pl.servers.rest_delete_floatingip('tenant', 'oldid')
|
|
ramock.assert_has_calls([
|
|
mock.call('PUT', '/tenants/tenant/floatingips/somefloat',
|
|
errstr=u'Unable to create floating IP: %s'),
|
|
mock.call('PUT', '/tenants/tenant/floatingips/id',
|
|
errstr=u'Unable to update floating IP: %s'),
|
|
mock.call('DELETE', '/tenants/tenant/floatingips/oldid',
|
|
errstr=u'Unable to delete floating IP: %s')
|
|
])
|
|
|
|
def test_HTTPSConnectionWithValidation_without_cert(self):
|
|
con = self.sm.HTTPSConnectionWithValidation(
|
|
'www.example.org', 443, timeout=90)
|
|
con.source_address = '127.0.0.1'
|
|
con.request("GET", "/")
|
|
self.socket_mock.assert_has_calls([mock.call(
|
|
('www.example.org', 443), 90, '127.0.0.1'
|
|
)])
|
|
self.wrap_mock.assert_has_calls([mock.call(
|
|
self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
|
|
)])
|
|
self.assertEqual(con.sock, self.wrap_mock())
|
|
|
|
def test_HTTPSConnectionWithValidation_with_cert(self):
|
|
con = self.sm.HTTPSConnectionWithValidation(
|
|
'www.example.org', 443, timeout=90)
|
|
con.combined_cert = 'SOMECERTS.pem'
|
|
con.source_address = '127.0.0.1'
|
|
con.request("GET", "/")
|
|
self.socket_mock.assert_has_calls([mock.call(
|
|
('www.example.org', 443), 90, '127.0.0.1'
|
|
)])
|
|
self.wrap_mock.assert_has_calls([mock.call(
|
|
self.socket_mock(), None, None, ca_certs='SOMECERTS.pem',
|
|
cert_reqs=ssl.CERT_REQUIRED
|
|
)])
|
|
self.assertEqual(con.sock, self.wrap_mock())
|
|
|
|
def test_HTTPSConnectionWithValidation_tunnel(self):
|
|
tunnel_mock = mock.patch.object(
|
|
self.sm.HTTPSConnectionWithValidation,
|
|
'_tunnel').start()
|
|
con = self.sm.HTTPSConnectionWithValidation(
|
|
'www.example.org', 443, timeout=90)
|
|
con.source_address = '127.0.0.1'
|
|
if not hasattr(con, 'set_tunnel'):
|
|
# no tunnel support in py26
|
|
return
|
|
con.set_tunnel('myproxy.local', 3128)
|
|
con.request("GET", "/")
|
|
self.socket_mock.assert_has_calls([mock.call(
|
|
('www.example.org', 443), 90, '127.0.0.1'
|
|
)])
|
|
self.wrap_mock.assert_has_calls([mock.call(
|
|
self.socket_mock(), None, None, cert_reqs=ssl.CERT_NONE
|
|
)])
|
|
# _tunnel() doesn't take any args
|
|
tunnel_mock.assert_has_calls([mock.call()])
|
|
self.assertEqual(con._tunnel_host, 'myproxy.local')
|
|
self.assertEqual(con._tunnel_port, 3128)
|
|
self.assertEqual(con.sock, self.wrap_mock())
|
|
|
|
|
|
class TestSockets(test_rp.BigSwitchProxyPluginV2TestCase):
|
|
|
|
def setUp(self):
|
|
super(TestSockets, self).setUp()
|
|
# http patch must not be running or it will mangle the servermanager
|
|
# import where the https connection classes are defined
|
|
self.httpPatch.stop()
|
|
self.sm = importutils.import_module(SERVERMANAGER)
|
|
|
|
def test_socket_create_attempt(self):
|
|
# exercise the socket creation to make sure it works on both python
|
|
# versions
|
|
con = self.sm.HTTPSConnectionWithValidation('127.0.0.1', 0, timeout=1)
|
|
# if httpcon was created, a connect attempt should raise a socket error
|
|
self.assertRaises(socket.error, con.connect)
|