Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / 456d9ae44f159f1b5fbd44f549e0fe24ddc62b76 / . / tempest / api / network / test_security_groups.py
blob: 7d0765ee824a11fe1bb85e62dc9a7b32b9c9885f [file] [log] [blame]
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]1# Copyright 2013 OpenStack Foundation
2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15
sridhargaddam4dbbc962014-05-14 02:10:56 +0530[diff] [blame]16import six
17
Yair Friedd5479822013-10-14 15:33:32 +0300[diff] [blame]18from tempest.api.network import base_security_groups as base
Fei Long Wangd39431f2015-05-14 11:30:48 +1200[diff] [blame]19from tempest.common.utils import data_utils
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]20from tempest import config
Yoshihiro Kaneko05670262014-01-18 19:22:44 +0900[diff] [blame]21from tempest import test
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]22
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]23CONF = config.CONF
24
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]25
Yair Friedd5479822013-10-14 15:33:32 +0300[diff] [blame]26class SecGroupTest(base.BaseSecGroupTest):
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]27 _tenant_network_cidr = CONF.network.tenant_network_cidr
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]28
Yoshihiro Kaneko05670262014-01-18 19:22:44 +0900[diff] [blame]29 @classmethod
Rohan Kanadea565e452015-01-27 14:00:13 +0530[diff] [blame]30 def skip_checks(cls):
31 super(SecGroupTest, cls).skip_checks()
Yoshihiro Kaneko05670262014-01-18 19:22:44 +0900[diff] [blame]32 if not test.is_extension_enabled('security-group', 'network'):
33 msg = "security-group extension not enabled."
34 raise cls.skipException(msg)
35
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]36 def _create_verify_security_group_rule(self, sg_id, direction,
37 ethertype, protocol,
38 port_range_min,
39 port_range_max,
40 remote_group_id=None,
41 remote_ip_prefix=None):
42 # Create Security Group rule with the input params and validate
43 # that SG rule is created with the same parameters.
John Warren456d9ae2016-01-12 15:36:33 -0500[diff] [blame^]44 sec_group_rules_client = self.security_group_rules_client
45 rule_create_body = sec_group_rules_client.create_security_group_rule(
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]46 security_group_id=sg_id,
47 direction=direction,
48 ethertype=ethertype,
49 protocol=protocol,
50 port_range_min=port_range_min,
51 port_range_max=port_range_max,
52 remote_group_id=remote_group_id,
53 remote_ip_prefix=remote_ip_prefix
54 )
55
56 sec_group_rule = rule_create_body['security_group_rule']
57 self.addCleanup(self._delete_security_group_rule,
58 sec_group_rule['id'])
59
60 expected = {'direction': direction, 'protocol': protocol,
61 'ethertype': ethertype, 'port_range_min': port_range_min,
62 'port_range_max': port_range_max,
63 'remote_group_id': remote_group_id,
64 'remote_ip_prefix': remote_ip_prefix}
65 for key, value in six.iteritems(expected):
66 self.assertEqual(value, sec_group_rule[key],
67 "Field %s of the created security group "
68 "rule does not match with %s." %
69 (key, value))
70
Yoshihiro Kaneko05670262014-01-18 19:22:44 +0900[diff] [blame]71 @test.attr(type='smoke')
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]72 @test.idempotent_id('e30abd17-fef9-4739-8617-dc26da88e686')
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]73 def test_list_security_groups(self):
74 # Verify the that security group belonging to tenant exist in list
John Warrenf9606e92015-12-10 12:12:42 -0500[diff] [blame]75 body = self.security_groups_client.list_security_groups()
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]76 security_groups = body['security_groups']
77 found = None
78 for n in security_groups:
79 if (n['name'] == 'default'):
80 found = n['id']
81 msg = "Security-group list doesn't contain default security-group"
82 self.assertIsNotNone(found, msg)
83
Yoshihiro Kaneko05670262014-01-18 19:22:44 +0900[diff] [blame]84 @test.attr(type='smoke')
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]85 @test.idempotent_id('bfd128e5-3c92-44b6-9d66-7fe29d22c802')
nayna-patel1c76bc92014-01-28 09:24:16 +0000[diff] [blame]86 def test_create_list_update_show_delete_security_group(self):
Yair Friedd5479822013-10-14 15:33:32 +0300[diff] [blame]87 group_create_body, name = self._create_security_group()
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]88
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]89 # List security groups and verify if created group is there in response
John Warrenf9606e92015-12-10 12:12:42 -0500[diff] [blame]90 list_body = self.security_groups_client.list_security_groups()
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]91 secgroup_list = list()
92 for secgroup in list_body['security_groups']:
93 secgroup_list.append(secgroup['id'])
94 self.assertIn(group_create_body['security_group']['id'], secgroup_list)
nayna-patel1c76bc92014-01-28 09:24:16 +0000[diff] [blame]95 # Update the security group
96 new_name = data_utils.rand_name('security-')
97 new_description = data_utils.rand_name('security-description')
John Warrenf9606e92015-12-10 12:12:42 -0500[diff] [blame]98 update_body = self.security_groups_client.update_security_group(
nayna-patel1c76bc92014-01-28 09:24:16 +0000[diff] [blame]99 group_create_body['security_group']['id'],
100 name=new_name,
101 description=new_description)
102 # Verify if security group is updated
nayna-patel1c76bc92014-01-28 09:24:16 +0000[diff] [blame]103 self.assertEqual(update_body['security_group']['name'], new_name)
104 self.assertEqual(update_body['security_group']['description'],
105 new_description)
106 # Show details of the updated security group
John Warrenf9606e92015-12-10 12:12:42 -0500[diff] [blame]107 show_body = self.security_groups_client.show_security_group(
nayna-patel1c76bc92014-01-28 09:24:16 +0000[diff] [blame]108 group_create_body['security_group']['id'])
109 self.assertEqual(show_body['security_group']['name'], new_name)
110 self.assertEqual(show_body['security_group']['description'],
111 new_description)
Yair Friedbcdcb3b2013-10-11 09:08:15 +0300[diff] [blame]112
Yoshihiro Kaneko05670262014-01-18 19:22:44 +0900[diff] [blame]113 @test.attr(type='smoke')
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]114 @test.idempotent_id('cfb99e0e-7410-4a3d-8a0c-959a63ee77e9')
Yair Friedbcdcb3b2013-10-11 09:08:15 +0300[diff] [blame]115 def test_create_show_delete_security_group_rule(self):
Yair Friedd5479822013-10-14 15:33:32 +0300[diff] [blame]116 group_create_body, _ = self._create_security_group()
Yair Friedbcdcb3b2013-10-11 09:08:15 +0300[diff] [blame]117
118 # Create rules for each protocol
119 protocols = ['tcp', 'udp', 'icmp']
John Warren456d9ae2016-01-12 15:36:33 -0500[diff] [blame^]120 client = self.security_group_rules_client
Yair Friedbcdcb3b2013-10-11 09:08:15 +0300[diff] [blame]121 for protocol in protocols:
John Warren456d9ae2016-01-12 15:36:33 -0500[diff] [blame^]122 rule_create_body = client.create_security_group_rule(
nayna-patel3e361372014-01-29 10:25:41 +0000[diff] [blame]123 security_group_id=group_create_body['security_group']['id'],
124 protocol=protocol,
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]125 direction='ingress',
126 ethertype=self.ethertype
Yair Friedbcdcb3b2013-10-11 09:08:15 +0300[diff] [blame]127 )
Yair Friedbcdcb3b2013-10-11 09:08:15 +0300[diff] [blame]128
sridhargaddam4dbbc962014-05-14 02:10:56 +0530[diff] [blame]129 # Show details of the created security rule
John Warren456d9ae2016-01-12 15:36:33 -0500[diff] [blame^]130 show_rule_body = client.show_security_group_rule(
sridhargaddam4dbbc962014-05-14 02:10:56 +0530[diff] [blame]131 rule_create_body['security_group_rule']['id']
132 )
sridhargaddam4dbbc962014-05-14 02:10:56 +0530[diff] [blame]133 create_dict = rule_create_body['security_group_rule']
134 for key, value in six.iteritems(create_dict):
135 self.assertEqual(value,
136 show_rule_body['security_group_rule'][key],
137 "%s does not match." % key)
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]138
sridhargaddam4dbbc962014-05-14 02:10:56 +0530[diff] [blame]139 # List rules and verify created rule is in response
John Warren456d9ae2016-01-12 15:36:33 -0500[diff] [blame^]140 rule_list_body = (
141 self.security_group_rules_client.list_security_group_rules())
sridhargaddam4dbbc962014-05-14 02:10:56 +0530[diff] [blame]142 rule_list = [rule['id']
143 for rule in rule_list_body['security_group_rules']]
144 self.assertIn(rule_create_body['security_group_rule']['id'],
145 rule_list)
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]146
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]147 @test.idempotent_id('87dfbcf9-1849-43ea-b1e4-efa3eeae9f71')
jun xiee31dbe92014-01-13 18:10:37 +0800[diff] [blame]148 def test_create_security_group_rule_with_additional_args(self):
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]149 """Verify security group rule with additional arguments works.
jun xiee31dbe92014-01-13 18:10:37 +0800[diff] [blame]150
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]151 direction:ingress, ethertype:[IPv4/IPv6],
152 protocol:tcp, port_range_min:77, port_range_max:77
153 """
154 group_create_body, _ = self._create_security_group()
155 sg_id = group_create_body['security_group']['id']
jun xiee31dbe92014-01-13 18:10:37 +0800[diff] [blame]156 direction = 'ingress'
157 protocol = 'tcp'
158 port_range_min = 77
159 port_range_max = 77
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]160 self._create_verify_security_group_rule(sg_id, direction,
161 self.ethertype, protocol,
162 port_range_min,
163 port_range_max)
jun xiee31dbe92014-01-13 18:10:37 +0800[diff] [blame]164
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]165 @test.idempotent_id('c9463db8-b44d-4f52-b6c0-8dbda99f26ce')
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]166 def test_create_security_group_rule_with_icmp_type_code(self):
167 """Verify security group rule for icmp protocol works.
jun xiee31dbe92014-01-13 18:10:37 +0800[diff] [blame]168
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]169 Specify icmp type (port_range_min) and icmp code
Tingting Bao2b513342015-02-15 22:54:55 -0800[diff] [blame]170 (port_range_max) with different values. A separate testcase
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]171 is added for icmp protocol as icmp validation would be
172 different from tcp/udp.
173 """
174 group_create_body, _ = self._create_security_group()
175
176 sg_id = group_create_body['security_group']['id']
177 direction = 'ingress'
178 protocol = 'icmp'
Tong Liuec20aeb2015-02-25 00:14:35 +0000[diff] [blame]179 icmp_type_codes = [(3, 2), (3, 0), (8, 0), (0, 0), (11, None)]
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]180 for icmp_type, icmp_code in icmp_type_codes:
181 self._create_verify_security_group_rule(sg_id, direction,
182 self.ethertype, protocol,
183 icmp_type, icmp_code)
184
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]185 @test.idempotent_id('c2ed2deb-7a0c-44d8-8b4c-a5825b5c310b')
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]186 def test_create_security_group_rule_with_remote_group_id(self):
187 # Verify creating security group rule with remote_group_id works
188 sg1_body, _ = self._create_security_group()
189 sg2_body, _ = self._create_security_group()
190
191 sg_id = sg1_body['security_group']['id']
192 direction = 'ingress'
193 protocol = 'udp'
194 port_range_min = 50
195 port_range_max = 55
196 remote_id = sg2_body['security_group']['id']
197 self._create_verify_security_group_rule(sg_id, direction,
198 self.ethertype, protocol,
199 port_range_min,
200 port_range_max,
201 remote_group_id=remote_id)
202
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]203 @test.idempotent_id('16459776-5da2-4634-bce4-4b55ee3ec188')
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]204 def test_create_security_group_rule_with_remote_ip_prefix(self):
205 # Verify creating security group rule with remote_ip_prefix works
206 sg1_body, _ = self._create_security_group()
207
208 sg_id = sg1_body['security_group']['id']
209 direction = 'ingress'
210 protocol = 'tcp'
211 port_range_min = 76
212 port_range_max = 77
213 ip_prefix = self._tenant_network_cidr
214 self._create_verify_security_group_rule(sg_id, direction,
215 self.ethertype, protocol,
216 port_range_min,
217 port_range_max,
218 remote_ip_prefix=ip_prefix)
jun xiee31dbe92014-01-13 18:10:37 +0800[diff] [blame]219
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]220 @test.idempotent_id('0a307599-6655-4220-bebc-fd70c64f2290')
Ashish Gupta1d3712f2014-07-17 04:10:43 -0700[diff] [blame]221 def test_create_security_group_rule_with_protocol_integer_value(self):
222 # Verify creating security group rule with the
223 # protocol as integer value
224 # arguments : "protocol": 17
225 group_create_body, _ = self._create_security_group()
226 direction = 'ingress'
227 protocol = 17
228 security_group_id = group_create_body['security_group']['id']
John Warren456d9ae2016-01-12 15:36:33 -0500[diff] [blame^]229 client = self.security_group_rules_client
230 rule_create_body = client.create_security_group_rule(
Ashish Gupta1d3712f2014-07-17 04:10:43 -0700[diff] [blame]231 security_group_id=security_group_id,
232 direction=direction,
233 protocol=protocol
234 )
235 sec_group_rule = rule_create_body['security_group_rule']
236 self.assertEqual(sec_group_rule['direction'], direction)
237 self.assertEqual(int(sec_group_rule['protocol']), protocol)
238
Yair Friedf37dae32013-09-01 15:35:14 +0300[diff] [blame]239
sridhargaddam510f8962014-09-08 23:37:16 +0530[diff] [blame]240class SecGroupIPv6Test(SecGroupTest):
241 _ip_version = 6
242 _tenant_network_cidr = CONF.network.tenant_network_v6_cidr