blob: 9afb598c7041449a49fb8af4e70c87889e052351 [file] [log] [blame]
Yair Fried4d7efa62013-11-17 17:12:29 +02001# Copyright 2013 Red Hat, Inc.
2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15
Doug Hellmann583ce2c2015-03-11 14:55:46 +000016from oslo_log import log as logging
Matthew Treinish01472ff2015-02-20 17:26:52 -050017
Andrea Frittolif9cde7e2014-02-18 09:57:04 +000018from tempest import clients
Fei Long Wangd39431f2015-05-14 11:30:48 +120019from tempest.common.utils import data_utils
Matthew Treinish6c072292014-01-29 19:15:52 +000020from tempest import config
Yair Fried4d7efa62013-11-17 17:12:29 +020021from tempest.scenario import manager
Masayuki Igawa4ded9f02014-02-17 15:05:59 +090022from tempest import test
Yair Fried4d7efa62013-11-17 17:12:29 +020023
Matthew Treinish6c072292014-01-29 19:15:52 +000024CONF = config.CONF
25
Yair Fried4d7efa62013-11-17 17:12:29 +020026LOG = logging.getLogger(__name__)
27
28
Andrea Frittoli4971fc82014-09-25 10:22:20 +010029class TestSecurityGroupsBasicOps(manager.NetworkScenarioTest):
Yair Fried4d7efa62013-11-17 17:12:29 +020030
31 """
32 This test suite assumes that Nova has been configured to
33 boot VM's with Neutron-managed networking, and attempts to
34 verify cross tenant connectivity as follows
35
36 ssh:
37 in order to overcome "ip namespace", each tenant has an "access point"
38 VM with floating-ip open to incoming ssh connection allowing network
39 commands (ping/ssh) to be executed from within the
40 tenant-network-namespace
41 Tempest host performs key-based authentication to the ssh server via
42 floating IP address
43
44 connectivity test is done by pinging destination server via source server
45 ssh connection.
46 success - ping returns
47 failure - ping_timeout reached
48
49 setup:
Yair Friedbf2e2c42014-01-28 12:06:38 +020050 for primary tenant:
Yair Fried4d7efa62013-11-17 17:12:29 +020051 1. create a network&subnet
52 2. create a router (if public router isn't configured)
53 3. connect tenant network to public network via router
54 4. create an access point:
55 a. a security group open to incoming ssh connection
56 b. a VM with a floating ip
57 5. create a general empty security group (same as "default", but
58 without rules allowing in-tenant traffic)
Yair Fried4d7efa62013-11-17 17:12:29 +020059
60 tests:
61 1. _verify_network_details
62 2. _verify_mac_addr: for each access point verify that
63 (subnet, fix_ip, mac address) are as defined in the port list
64 3. _test_in_tenant_block: test that in-tenant traffic is disabled
65 without rules allowing it
66 4. _test_in_tenant_allow: test that in-tenant traffic is enabled
67 once an appropriate rule has been created
68 5. _test_cross_tenant_block: test that cross-tenant traffic is disabled
69 without a rule allowing it on destination tenant
70 6. _test_cross_tenant_allow:
71 * test that cross-tenant traffic is enabled once an appropriate
72 rule has been created on destination tenant.
73 * test that reverse traffic is still blocked
Fei Long Wang50131ee2015-02-02 16:58:24 +130074 * test than reverse traffic is enabled once an appropriate rule has
Yair Fried4d7efa62013-11-17 17:12:29 +020075 been created on source tenant
Rajkumar Thiyagarajand9e964a2014-12-17 01:55:52 -080076 7._test_port_update_new_security_group:
77 * test that traffic is blocked with default security group
78 * test that traffic is enabled after updating port with new security
79 group having appropriate rule
prdsilva8b733ad2014-12-09 02:54:49 -080080 8. _test_multiple_security_groups: test multiple security groups can be
81 associated with the vm
Yair Fried4d7efa62013-11-17 17:12:29 +020082
83 assumptions:
Yair Friedbf2e2c42014-01-28 12:06:38 +020084 1. alt_tenant/user existed and is different from primary_tenant/user
Yair Fried4d7efa62013-11-17 17:12:29 +020085 2. Public network is defined and reachable from the Tempest host
86 3. Public router can either be:
87 * defined, in which case all tenants networks can connect directly
88 to it, and cross tenant check will be done on the private IP of the
89 destination tenant
90 or
Fei Long Wang50131ee2015-02-02 16:58:24 +130091 * not defined (empty string), in which case each tenant will have
Yair Fried4d7efa62013-11-17 17:12:29 +020092 its own router connected to the public network
93 """
94
Andrea Frittolib21de6c2015-02-06 20:12:38 +000095 credentials = ['primary', 'alt', 'admin']
96
Joe Gordon28788b42015-02-25 12:42:37 -080097 class TenantProperties(object):
Yair Friedbf2e2c42014-01-28 12:06:38 +020098 """
Yair Fried4d7efa62013-11-17 17:12:29 +020099 helper class to save tenant details
100 id
101 credentials
102 network
103 subnet
104 security groups
105 servers
106 access point
Yair Friedbf2e2c42014-01-28 12:06:38 +0200107 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200108
Andrea Frittoli422fbdf2014-03-20 10:05:18 +0000109 def __init__(self, credentials):
Yair Frieddb6c9e92014-08-06 08:53:13 +0300110 self.manager = clients.Manager(credentials)
Andrea Frittoli422fbdf2014-03-20 10:05:18 +0000111 # Credentials from manager are filled with both names and IDs
112 self.creds = self.manager.credentials
Yair Fried4d7efa62013-11-17 17:12:29 +0200113 self.network = None
114 self.subnet = None
115 self.router = None
116 self.security_groups = {}
117 self.servers = list()
118
Yair Friedbf2e2c42014-01-28 12:06:38 +0200119 def set_network(self, network, subnet, router):
Yair Fried4d7efa62013-11-17 17:12:29 +0200120 self.network = network
121 self.subnet = subnet
122 self.router = router
123
Yair Fried4d7efa62013-11-17 17:12:29 +0200124 @classmethod
Emily Hugenbruch5e2d2a22015-02-25 21:35:45 +0000125 def skip_checks(cls):
126 super(TestSecurityGroupsBasicOps, cls).skip_checks()
Yair Frieddb6c9e92014-08-06 08:53:13 +0300127 if CONF.baremetal.driver_enabled:
128 msg = ('Not currently supported by baremetal.')
Yair Frieddb6c9e92014-08-06 08:53:13 +0300129 raise cls.skipException(msg)
Itzik Brown06952672015-03-29 12:38:58 +0300130 if CONF.network.port_vnic_type in ['direct', 'macvtap']:
131 msg = ('Not currently supported when using vnic_type'
132 ' direct or macvtap')
133 raise cls.skipException(msg)
Matthew Treinish6c072292014-01-29 19:15:52 +0000134 if not (CONF.network.tenant_networks_reachable or
135 CONF.network.public_network_id):
Yair Fried4d7efa62013-11-17 17:12:29 +0200136 msg = ('Either tenant_networks_reachable must be "true", or '
137 'public_network_id must be defined.')
Yair Fried4d7efa62013-11-17 17:12:29 +0200138 raise cls.skipException(msg)
139
140 @classmethod
Emily Hugenbruch5e2d2a22015-02-25 21:35:45 +0000141 def setup_credentials(cls):
Yair Fried764610a2014-04-07 12:17:05 +0300142 # Create no network resources for these tests.
143 cls.set_network_resources()
Emily Hugenbruch5e2d2a22015-02-25 21:35:45 +0000144 super(TestSecurityGroupsBasicOps, cls).setup_credentials()
Yair Fried4d7efa62013-11-17 17:12:29 +0200145 # TODO(mnewby) Consider looking up entities as needed instead
146 # of storing them as collections on the class.
Yair Fried79b0a912014-10-20 11:15:37 +0300147
Yair Fried79b0a912014-10-20 11:15:37 +0300148 # Credentials from the manager are filled with both IDs and Names
149 cls.alt_creds = cls.alt_manager.credentials
150
Emily Hugenbruch5e2d2a22015-02-25 21:35:45 +0000151 @classmethod
152 def resource_setup(cls):
153 super(TestSecurityGroupsBasicOps, cls).resource_setup()
Yair Fried4d7efa62013-11-17 17:12:29 +0200154 cls.floating_ips = {}
155 cls.tenants = {}
Andrea Frittolib21de6c2015-02-06 20:12:38 +0000156 creds = cls.manager.credentials
Andrea Frittoli422fbdf2014-03-20 10:05:18 +0000157 cls.primary_tenant = cls.TenantProperties(creds)
158 cls.alt_tenant = cls.TenantProperties(cls.alt_creds)
Yair Friedbf2e2c42014-01-28 12:06:38 +0200159 for tenant in [cls.primary_tenant, cls.alt_tenant]:
Andrea Frittoli86ad28d2014-03-20 10:09:12 +0000160 cls.tenants[tenant.creds.tenant_id] = tenant
Emily Hugenbruch5e2d2a22015-02-25 21:35:45 +0000161
Yair Friedbf2e2c42014-01-28 12:06:38 +0200162 cls.floating_ip_access = not CONF.network.public_router_id
Yair Fried4d7efa62013-11-17 17:12:29 +0200163
Yair Friedbf2e2c42014-01-28 12:06:38 +0200164 def setUp(self):
165 super(TestSecurityGroupsBasicOps, self).setUp()
166 self._deploy_tenant(self.primary_tenant)
167 self._verify_network_details(self.primary_tenant)
168 self._verify_mac_addr(self.primary_tenant)
Yair Fried4d7efa62013-11-17 17:12:29 +0200169
Yair Frieddb6c9e92014-08-06 08:53:13 +0300170 def _create_tenant_keypairs(self, tenant):
171 keypair = self.create_keypair(tenant.manager.keypairs_client)
172 tenant.keypair = keypair
Yair Fried4d7efa62013-11-17 17:12:29 +0200173
174 def _create_tenant_security_groups(self, tenant):
Yair Fried4d7efa62013-11-17 17:12:29 +0200175 access_sg = self._create_empty_security_group(
176 namestart='secgroup_access-',
Yair Frieddb6c9e92014-08-06 08:53:13 +0300177 tenant_id=tenant.creds.tenant_id,
178 client=tenant.manager.network_client
Yair Fried4d7efa62013-11-17 17:12:29 +0200179 )
Yair Friedbf2e2c42014-01-28 12:06:38 +0200180
Yair Fried4d7efa62013-11-17 17:12:29 +0200181 # don't use default secgroup since it allows in-tenant traffic
182 def_sg = self._create_empty_security_group(
183 namestart='secgroup_general-',
Yair Frieddb6c9e92014-08-06 08:53:13 +0300184 tenant_id=tenant.creds.tenant_id,
185 client=tenant.manager.network_client
Yair Fried4d7efa62013-11-17 17:12:29 +0200186 )
187 tenant.security_groups.update(access=access_sg, default=def_sg)
188 ssh_rule = dict(
189 protocol='tcp',
190 port_range_min=22,
191 port_range_max=22,
192 direction='ingress',
193 )
Yair Frieddb6c9e92014-08-06 08:53:13 +0300194 self._create_security_group_rule(secgroup=access_sg,
195 client=tenant.manager.network_client,
196 **ssh_rule)
Yair Fried4d7efa62013-11-17 17:12:29 +0200197
198 def _verify_network_details(self, tenant):
199 # Checks that we see the newly created network/subnet/router via
200 # checking the result of list_[networks,routers,subnets]
201 # Check that (router, subnet) couple exist in port_list
202 seen_nets = self._list_networks()
203 seen_names = [n['name'] for n in seen_nets]
204 seen_ids = [n['id'] for n in seen_nets]
205
206 self.assertIn(tenant.network.name, seen_names)
207 self.assertIn(tenant.network.id, seen_ids)
208
209 seen_subnets = [(n['id'], n['cidr'], n['network_id'])
210 for n in self._list_subnets()]
211 mysubnet = (tenant.subnet.id, tenant.subnet.cidr, tenant.network.id)
212 self.assertIn(mysubnet, seen_subnets)
213
214 seen_routers = self._list_routers()
215 seen_router_ids = [n['id'] for n in seen_routers]
216 seen_router_names = [n['name'] for n in seen_routers]
217
218 self.assertIn(tenant.router.name, seen_router_names)
219 self.assertIn(tenant.router.id, seen_router_ids)
220
221 myport = (tenant.router.id, tenant.subnet.id)
222 router_ports = [(i['device_id'], i['fixed_ips'][0]['subnet_id']) for i
Yair Frieddb6c9e92014-08-06 08:53:13 +0300223 in self._list_ports()
armando-migliacciobcfbbeb2014-08-11 18:33:47 -0700224 if self._is_router_port(i)]
Yair Fried4d7efa62013-11-17 17:12:29 +0200225
226 self.assertIn(myport, router_ports)
227
armando-migliacciobcfbbeb2014-08-11 18:33:47 -0700228 def _is_router_port(self, port):
229 """Return True if port is a router interface."""
230 # NOTE(armando-migliaccio): match device owner for both centralized
231 # and distributed routers; 'device_owner' is "" by default.
232 return port['device_owner'].startswith('network:router_interface')
233
Yair Fried4d7efa62013-11-17 17:12:29 +0200234 def _create_server(self, name, tenant, security_groups=None):
235 """
236 creates a server and assigns to security group
237 """
238 self._set_compute_context(tenant)
239 if security_groups is None:
Yair Frieddb6c9e92014-08-06 08:53:13 +0300240 security_groups = [tenant.security_groups['default']]
Ken'ichi Ohmichi1b3461e2014-12-02 03:41:07 +0000241 security_groups_names = [{'name': s['name']} for s in security_groups]
Yair Fried4d7efa62013-11-17 17:12:29 +0200242 create_kwargs = {
Dirk Mueller8cf79722014-09-12 17:37:15 +0200243 'networks': [
244 {'uuid': tenant.network.id},
Yair Fried4d7efa62013-11-17 17:12:29 +0200245 ],
Yair Frieddb6c9e92014-08-06 08:53:13 +0300246 'key_name': tenant.keypair['name'],
Ken'ichi Ohmichi1b3461e2014-12-02 03:41:07 +0000247 'security_groups': security_groups_names,
Itzik Brown2ca01cd2014-12-08 12:58:20 +0200248 'network_client': tenant.manager.network_client
Yair Fried4d7efa62013-11-17 17:12:29 +0200249 }
Claudiu Belufaa98912014-09-01 16:50:28 +0300250 server = self.create_server(name=name, create_kwargs=create_kwargs)
251 self.assertEqual(
252 sorted([s['name'] for s in security_groups]),
253 sorted([s['name'] for s in server['security_groups']]))
254 return server
Yair Fried4d7efa62013-11-17 17:12:29 +0200255
256 def _create_tenant_servers(self, tenant, num=1):
257 for i in range(num):
Ken'ichi Ohmichi6ded8df2015-03-23 02:00:19 +0000258 name = 'server-{tenant}-gen-{num}'.format(
Andrea Frittoli86ad28d2014-03-20 10:09:12 +0000259 tenant=tenant.creds.tenant_name,
Yair Fried4d7efa62013-11-17 17:12:29 +0200260 num=i
261 )
262 name = data_utils.rand_name(name)
263 server = self._create_server(name, tenant)
Yair Fried4d7efa62013-11-17 17:12:29 +0200264 tenant.servers.append(server)
265
266 def _set_access_point(self, tenant):
267 """
268 creates a server in a secgroup with rule allowing external ssh
269 in order to access tenant internal network
270 workaround ip namespace
271 """
Yair Frieddb6c9e92014-08-06 08:53:13 +0300272 secgroups = tenant.security_groups.values()
Ken'ichi Ohmichi6ded8df2015-03-23 02:00:19 +0000273 name = 'server-{tenant}-access_point'.format(
Andrea Frittoli86ad28d2014-03-20 10:09:12 +0000274 tenant=tenant.creds.tenant_name)
Yair Fried4d7efa62013-11-17 17:12:29 +0200275 name = data_utils.rand_name(name)
276 server = self._create_server(name, tenant,
277 security_groups=secgroups)
Yair Fried4d7efa62013-11-17 17:12:29 +0200278 tenant.access_point = server
Yair Frieddb6c9e92014-08-06 08:53:13 +0300279 self._assign_floating_ips(tenant, server)
Yair Fried4d7efa62013-11-17 17:12:29 +0200280
Yair Frieddb6c9e92014-08-06 08:53:13 +0300281 def _assign_floating_ips(self, tenant, server):
Matthew Treinish6c072292014-01-29 19:15:52 +0000282 public_network_id = CONF.network.public_network_id
Yair Friedae0e73d2014-11-24 11:56:26 +0200283 floating_ip = self.create_floating_ip(
Yair Frieddb6c9e92014-08-06 08:53:13 +0300284 server, public_network_id,
285 client=tenant.manager.network_client)
286 self.floating_ips.setdefault(server['id'], floating_ip)
Yair Fried4d7efa62013-11-17 17:12:29 +0200287
288 def _create_tenant_network(self, tenant):
Yair Frieddb6c9e92014-08-06 08:53:13 +0300289 network, subnet, router = self.create_networks(
290 client=tenant.manager.network_client)
Yair Friedbf2e2c42014-01-28 12:06:38 +0200291 tenant.set_network(network, subnet, router)
Yair Fried4d7efa62013-11-17 17:12:29 +0200292
293 def _set_compute_context(self, tenant):
Yair Frieddb6c9e92014-08-06 08:53:13 +0300294 self.servers_client = tenant.manager.servers_client
295 return self.servers_client
Yair Fried4d7efa62013-11-17 17:12:29 +0200296
297 def _deploy_tenant(self, tenant_or_id):
298 """
299 creates:
300 network
301 subnet
302 router (if public not defined)
303 access security group
304 access-point server
Yair Fried4d7efa62013-11-17 17:12:29 +0200305 """
306 if not isinstance(tenant_or_id, self.TenantProperties):
307 tenant = self.tenants[tenant_or_id]
Yair Fried4d7efa62013-11-17 17:12:29 +0200308 else:
309 tenant = tenant_or_id
Yair Fried4d7efa62013-11-17 17:12:29 +0200310 self._set_compute_context(tenant)
Yair Frieddb6c9e92014-08-06 08:53:13 +0300311 self._create_tenant_keypairs(tenant)
Yair Fried4d7efa62013-11-17 17:12:29 +0200312 self._create_tenant_network(tenant)
313 self._create_tenant_security_groups(tenant)
Yair Fried4d7efa62013-11-17 17:12:29 +0200314 self._set_access_point(tenant)
315
316 def _get_server_ip(self, server, floating=False):
Yair Friedbf2e2c42014-01-28 12:06:38 +0200317 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200318 returns the ip (floating/internal) of a server
Yair Friedbf2e2c42014-01-28 12:06:38 +0200319 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200320 if floating:
Yair Frieddb6c9e92014-08-06 08:53:13 +0300321 server_ip = self.floating_ips[server['id']].floating_ip_address
Yair Fried4d7efa62013-11-17 17:12:29 +0200322 else:
armando-migliacciod03f2642014-02-21 19:55:50 -0800323 server_ip = None
Yair Frieddb6c9e92014-08-06 08:53:13 +0300324 network_name = self.tenants[server['tenant_id']].network.name
325 if network_name in server['addresses']:
326 server_ip = server['addresses'][network_name][0]['addr']
armando-migliacciod03f2642014-02-21 19:55:50 -0800327 return server_ip
Yair Fried4d7efa62013-11-17 17:12:29 +0200328
329 def _connect_to_access_point(self, tenant):
330 """
331 create ssh connection to tenant access point
332 """
333 access_point_ssh = \
Yair Frieddb6c9e92014-08-06 08:53:13 +0300334 self.floating_ips[tenant.access_point['id']].floating_ip_address
335 private_key = tenant.keypair['private_key']
Yair Fried4d7efa62013-11-17 17:12:29 +0200336 access_point_ssh = self._ssh_to_server(access_point_ssh,
337 private_key=private_key)
338 return access_point_ssh
339
Yair Fried4d7efa62013-11-17 17:12:29 +0200340 def _check_connectivity(self, access_point, ip, should_succeed=True):
341 if should_succeed:
342 msg = "Timed out waiting for %s to become reachable" % ip
343 else:
Yair Fried4d7efa62013-11-17 17:12:29 +0200344 msg = "%s is reachable" % ip
Matthew Treinish53483132014-12-09 18:50:06 -0500345 self.assertTrue(self._check_remote_connectivity(access_point, ip,
346 should_succeed), msg)
Yair Fried4d7efa62013-11-17 17:12:29 +0200347
348 def _test_in_tenant_block(self, tenant):
349 access_point_ssh = self._connect_to_access_point(tenant)
350 for server in tenant.servers:
351 self._check_connectivity(access_point=access_point_ssh,
352 ip=self._get_server_ip(server),
353 should_succeed=False)
354
355 def _test_in_tenant_allow(self, tenant):
356 ruleset = dict(
357 protocol='icmp',
358 remote_group_id=tenant.security_groups['default'].id,
359 direction='ingress'
360 )
Matthew Treinishb7144eb2013-12-13 22:57:35 +0000361 self._create_security_group_rule(
Yair Fried4d7efa62013-11-17 17:12:29 +0200362 secgroup=tenant.security_groups['default'],
363 **ruleset
364 )
365 access_point_ssh = self._connect_to_access_point(tenant)
366 for server in tenant.servers:
367 self._check_connectivity(access_point=access_point_ssh,
368 ip=self._get_server_ip(server))
Yair Fried4d7efa62013-11-17 17:12:29 +0200369
370 def _test_cross_tenant_block(self, source_tenant, dest_tenant):
Yair Friedbf2e2c42014-01-28 12:06:38 +0200371 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200372 if public router isn't defined, then dest_tenant access is via
373 floating-ip
Yair Friedbf2e2c42014-01-28 12:06:38 +0200374 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200375 access_point_ssh = self._connect_to_access_point(source_tenant)
376 ip = self._get_server_ip(dest_tenant.access_point,
377 floating=self.floating_ip_access)
378 self._check_connectivity(access_point=access_point_ssh, ip=ip,
379 should_succeed=False)
380
381 def _test_cross_tenant_allow(self, source_tenant, dest_tenant):
Yair Friedbf2e2c42014-01-28 12:06:38 +0200382 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200383 check for each direction:
384 creating rule for tenant incoming traffic enables only 1way traffic
Yair Friedbf2e2c42014-01-28 12:06:38 +0200385 """
Yair Fried4d7efa62013-11-17 17:12:29 +0200386 ruleset = dict(
387 protocol='icmp',
388 direction='ingress'
389 )
Matthew Treinishb7144eb2013-12-13 22:57:35 +0000390 self._create_security_group_rule(
Yair Fried4d7efa62013-11-17 17:12:29 +0200391 secgroup=dest_tenant.security_groups['default'],
Yair Frieddb6c9e92014-08-06 08:53:13 +0300392 client=dest_tenant.manager.network_client,
Yair Fried4d7efa62013-11-17 17:12:29 +0200393 **ruleset
394 )
Yair Friedbf2e2c42014-01-28 12:06:38 +0200395 access_point_ssh = self._connect_to_access_point(source_tenant)
396 ip = self._get_server_ip(dest_tenant.access_point,
397 floating=self.floating_ip_access)
398 self._check_connectivity(access_point_ssh, ip)
Yair Fried4d7efa62013-11-17 17:12:29 +0200399
Yair Friedbf2e2c42014-01-28 12:06:38 +0200400 # test that reverse traffic is still blocked
401 self._test_cross_tenant_block(dest_tenant, source_tenant)
Yair Fried4d7efa62013-11-17 17:12:29 +0200402
Yair Friedbf2e2c42014-01-28 12:06:38 +0200403 # allow reverse traffic and check
Matthew Treinishb7144eb2013-12-13 22:57:35 +0000404 self._create_security_group_rule(
Yair Friedbf2e2c42014-01-28 12:06:38 +0200405 secgroup=source_tenant.security_groups['default'],
Yair Frieddb6c9e92014-08-06 08:53:13 +0300406 client=source_tenant.manager.network_client,
Yair Friedbf2e2c42014-01-28 12:06:38 +0200407 **ruleset
408 )
Yair Fried4d7efa62013-11-17 17:12:29 +0200409
Yair Friedbf2e2c42014-01-28 12:06:38 +0200410 access_point_ssh_2 = self._connect_to_access_point(dest_tenant)
411 ip = self._get_server_ip(source_tenant.access_point,
412 floating=self.floating_ip_access)
413 self._check_connectivity(access_point_ssh_2, ip)
Yair Fried4d7efa62013-11-17 17:12:29 +0200414
415 def _verify_mac_addr(self, tenant):
416 """
417 verify that VM (tenant's access point) has the same ip,mac as listed in
418 port list
419 """
420 access_point_ssh = self._connect_to_access_point(tenant)
421 mac_addr = access_point_ssh.get_mac_address()
422 mac_addr = mac_addr.strip().lower()
Henry Gessau78ab4b02014-03-31 15:10:13 -0400423 # Get the fixed_ips and mac_address fields of all ports. Select
424 # only those two columns to reduce the size of the response.
Yair Frieddb6c9e92014-08-06 08:53:13 +0300425 port_list = self._list_ports(fields=['fixed_ips', 'mac_address'])
Yair Fried4d7efa62013-11-17 17:12:29 +0200426 port_detail_list = [
427 (port['fixed_ips'][0]['subnet_id'],
428 port['fixed_ips'][0]['ip_address'],
Henry Gessau78ab4b02014-03-31 15:10:13 -0400429 port['mac_address'].lower())
430 for port in port_list if port['fixed_ips']
Yair Fried4d7efa62013-11-17 17:12:29 +0200431 ]
432 server_ip = self._get_server_ip(tenant.access_point)
433 subnet_id = tenant.subnet.id
434 self.assertIn((subnet_id, server_ip, mac_addr), port_detail_list)
435
Chris Hoge7579c1a2015-02-26 14:12:15 -0800436 @test.idempotent_id('e79f879e-debb-440c-a7e4-efeda05b6848')
Masayuki Igawa4ded9f02014-02-17 15:05:59 +0900437 @test.services('compute', 'network')
Yair Fried4d7efa62013-11-17 17:12:29 +0200438 def test_cross_tenant_traffic(self):
Andrea Frittoli (andreaf)1f342412015-05-12 16:37:19 +0100439 if not self.credentials_provider.is_multi_tenant():
Yair Fried79b0a912014-10-20 11:15:37 +0300440 raise self.skipException("No secondary tenant defined")
Nachi Ueno26b4c972014-01-17 06:15:13 -0800441 try:
Yair Friedbf2e2c42014-01-28 12:06:38 +0200442 # deploy new tenant
443 self._deploy_tenant(self.alt_tenant)
444 self._verify_network_details(self.alt_tenant)
445 self._verify_mac_addr(self.alt_tenant)
Yair Fried4d7efa62013-11-17 17:12:29 +0200446
Nachi Ueno26b4c972014-01-17 06:15:13 -0800447 # cross tenant check
Yair Friedbf2e2c42014-01-28 12:06:38 +0200448 source_tenant = self.primary_tenant
Nachi Ueno26b4c972014-01-17 06:15:13 -0800449 dest_tenant = self.alt_tenant
450 self._test_cross_tenant_block(source_tenant, dest_tenant)
451 self._test_cross_tenant_allow(source_tenant, dest_tenant)
452 except Exception:
Yair Friedbf2e2c42014-01-28 12:06:38 +0200453 for tenant in self.tenants.values():
454 self._log_console_output(servers=tenant.servers)
455 raise
456
Chris Hoge7579c1a2015-02-26 14:12:15 -0800457 @test.idempotent_id('63163892-bbf6-4249-aa12-d5ea1f8f421b')
Masayuki Igawa4ded9f02014-02-17 15:05:59 +0900458 @test.services('compute', 'network')
Yair Friedbf2e2c42014-01-28 12:06:38 +0200459 def test_in_tenant_traffic(self):
460 try:
461 self._create_tenant_servers(self.primary_tenant, num=1)
462
463 # in-tenant check
464 self._test_in_tenant_block(self.primary_tenant)
465 self._test_in_tenant_allow(self.primary_tenant)
Rajkumar Thiyagarajand9e964a2014-12-17 01:55:52 -0800466 except Exception:
467 for tenant in self.tenants.values():
468 self._log_console_output(servers=tenant.servers)
469 raise
Yair Friedbf2e2c42014-01-28 12:06:38 +0200470
Chris Hoge7579c1a2015-02-26 14:12:15 -0800471 @test.idempotent_id('f4d556d7-1526-42ad-bafb-6bebf48568f6')
Rajkumar Thiyagarajand9e964a2014-12-17 01:55:52 -0800472 @test.services('compute', 'network')
473 def test_port_update_new_security_group(self):
474 """
475 This test verifies the traffic after updating the vm port with new
Fei Long Wang50131ee2015-02-02 16:58:24 +1300476 security group having appropriate rule.
Rajkumar Thiyagarajand9e964a2014-12-17 01:55:52 -0800477 """
478 new_tenant = self.primary_tenant
479
480 # Create empty security group and add icmp rule in it
481 new_sg = self._create_empty_security_group(
482 namestart='secgroup_new-',
483 tenant_id=new_tenant.creds.tenant_id,
484 client=new_tenant.manager.network_client)
485 icmp_rule = dict(
486 protocol='icmp',
487 direction='ingress',
488 )
489 self._create_security_group_rule(
490 secgroup=new_sg,
491 client=new_tenant.manager.network_client,
492 **icmp_rule)
493 new_tenant.security_groups.update(new_sg=new_sg)
494
495 # Create server with default security group
Ken'ichi Ohmichi6ded8df2015-03-23 02:00:19 +0000496 name = 'server-{tenant}-gen-1'.format(
Rajkumar Thiyagarajand9e964a2014-12-17 01:55:52 -0800497 tenant=new_tenant.creds.tenant_name
498 )
499 name = data_utils.rand_name(name)
500 server = self._create_server(name, new_tenant)
501
502 # Check connectivity failure with default security group
503 try:
504 access_point_ssh = self._connect_to_access_point(new_tenant)
505 self._check_connectivity(access_point=access_point_ssh,
506 ip=self._get_server_ip(server),
507 should_succeed=False)
508 server_id = server['id']
509 port_id = self._list_ports(device_id=server_id)[0]['id']
510
511 # update port with new security group and check connectivity
512 self.network_client.update_port(port_id, security_groups=[
513 new_tenant.security_groups['new_sg'].id])
514 self._check_connectivity(
515 access_point=access_point_ssh,
516 ip=self._get_server_ip(server))
Yair Friedbf2e2c42014-01-28 12:06:38 +0200517 except Exception:
518 for tenant in self.tenants.values():
519 self._log_console_output(servers=tenant.servers)
Nachi Ueno26b4c972014-01-17 06:15:13 -0800520 raise
prdsilva8b733ad2014-12-09 02:54:49 -0800521
Chris Hoge7579c1a2015-02-26 14:12:15 -0800522 @test.idempotent_id('d2f77418-fcc4-439d-b935-72eca704e293')
prdsilva8b733ad2014-12-09 02:54:49 -0800523 @test.services('compute', 'network')
524 def test_multiple_security_groups(self):
525 """
526 This test verifies multiple security groups and checks that rules
527 provided in the both the groups is applied onto VM
528 """
529 tenant = self.primary_tenant
530 ip = self._get_server_ip(tenant.access_point,
531 floating=self.floating_ip_access)
532 ssh_login = CONF.compute.image_ssh_user
533 private_key = tenant.keypair['private_key']
534 self.check_vm_connectivity(ip,
535 should_connect=False)
536 ruleset = dict(
537 protocol='icmp',
538 direction='ingress'
539 )
540 self._create_security_group_rule(
541 secgroup=tenant.security_groups['default'],
542 **ruleset
543 )
544 """
545 Vm now has 2 security groups one with ssh rule(
546 already added in setUp() method),and other with icmp rule
547 (added in the above step).The check_vm_connectivity tests
548 -that vm ping test is successful
549 -ssh to vm is successful
550 """
551 self.check_vm_connectivity(ip,
552 username=ssh_login,
553 private_key=private_key,
554 should_connect=True)