1
# Copyright 2013 OpenStack Foundation
4
# Licensed under the Apache License, Version 2.0 (the "License"); you may
5
# not use this file except in compliance with the License. You may obtain
6
# a copy of the License at
8
# http://www.apache.org/licenses/LICENSE-2.0
10
# Unless required by applicable law or agreed to in writing, software
11
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13
# License for the specific language governing permissions and limitations
17
from tempest_lib.common.utils import data_utils
19
from neutron.tests.tempest.api.network import base_security_groups as base
20
from neutron.tests.tempest import config
21
from neutron.tests.tempest import test
26
class SecGroupTest(base.BaseSecGroupTest):
28
_tenant_network_cidr = CONF.network.tenant_network_cidr
31
def resource_setup(cls):
32
super(SecGroupTest, cls).resource_setup()
33
if not test.is_extension_enabled('security-group', 'network'):
34
msg = "security-group extension not enabled."
35
raise cls.skipException(msg)
37
def _create_verify_security_group_rule(self, sg_id, direction,
42
remote_ip_prefix=None):
43
# Create Security Group rule with the input params and validate
44
# that SG rule is created with the same parameters.
45
rule_create_body = self.client.create_security_group_rule(
46
security_group_id=sg_id,
50
port_range_min=port_range_min,
51
port_range_max=port_range_max,
52
remote_group_id=remote_group_id,
53
remote_ip_prefix=remote_ip_prefix
56
sec_group_rule = rule_create_body['security_group_rule']
57
self.addCleanup(self._delete_security_group_rule,
60
expected = {'direction': direction, 'protocol': protocol,
61
'ethertype': ethertype, 'port_range_min': port_range_min,
62
'port_range_max': port_range_max,
63
'remote_group_id': remote_group_id,
64
'remote_ip_prefix': remote_ip_prefix}
65
for key, value in six.iteritems(expected):
66
self.assertEqual(value, sec_group_rule[key],
67
"Field %s of the created security group "
68
"rule does not match with %s." %
71
@test.attr(type='smoke')
72
@test.idempotent_id('e30abd17-fef9-4739-8617-dc26da88e686')
73
def test_list_security_groups(self):
74
# Verify the that security group belonging to tenant exist in list
75
body = self.client.list_security_groups()
76
security_groups = body['security_groups']
78
for n in security_groups:
79
if (n['name'] == 'default'):
81
msg = "Security-group list doesn't contain default security-group"
82
self.assertIsNotNone(found, msg)
84
@test.attr(type='smoke')
85
@test.idempotent_id('bfd128e5-3c92-44b6-9d66-7fe29d22c802')
86
def test_create_list_update_show_delete_security_group(self):
87
group_create_body, name = self._create_security_group()
89
# List security groups and verify if created group is there in response
90
list_body = self.client.list_security_groups()
91
secgroup_list = list()
92
for secgroup in list_body['security_groups']:
93
secgroup_list.append(secgroup['id'])
94
self.assertIn(group_create_body['security_group']['id'], secgroup_list)
95
# Update the security group
96
new_name = data_utils.rand_name('security-')
97
new_description = data_utils.rand_name('security-description')
98
update_body = self.client.update_security_group(
99
group_create_body['security_group']['id'],
101
description=new_description)
102
# Verify if security group is updated
103
self.assertEqual(update_body['security_group']['name'], new_name)
104
self.assertEqual(update_body['security_group']['description'],
106
# Show details of the updated security group
107
show_body = self.client.show_security_group(
108
group_create_body['security_group']['id'])
109
self.assertEqual(show_body['security_group']['name'], new_name)
110
self.assertEqual(show_body['security_group']['description'],
113
@test.attr(type='smoke')
114
@test.idempotent_id('cfb99e0e-7410-4a3d-8a0c-959a63ee77e9')
115
def test_create_show_delete_security_group_rule(self):
116
group_create_body, _ = self._create_security_group()
118
# Create rules for each protocol
119
protocols = ['tcp', 'udp', 'icmp']
120
for protocol in protocols:
121
rule_create_body = self.client.create_security_group_rule(
122
security_group_id=group_create_body['security_group']['id'],
125
ethertype=self.ethertype
128
# Show details of the created security rule
129
show_rule_body = self.client.show_security_group_rule(
130
rule_create_body['security_group_rule']['id']
132
create_dict = rule_create_body['security_group_rule']
133
for key, value in six.iteritems(create_dict):
134
self.assertEqual(value,
135
show_rule_body['security_group_rule'][key],
136
"%s does not match." % key)
138
# List rules and verify created rule is in response
139
rule_list_body = self.client.list_security_group_rules()
140
rule_list = [rule['id']
141
for rule in rule_list_body['security_group_rules']]
142
self.assertIn(rule_create_body['security_group_rule']['id'],
145
@test.attr(type='smoke')
146
@test.idempotent_id('87dfbcf9-1849-43ea-b1e4-efa3eeae9f71')
147
def test_create_security_group_rule_with_additional_args(self):
148
"""Verify security group rule with additional arguments works.
150
direction:ingress, ethertype:[IPv4/IPv6],
151
protocol:tcp, port_range_min:77, port_range_max:77
153
group_create_body, _ = self._create_security_group()
154
sg_id = group_create_body['security_group']['id']
155
direction = 'ingress'
159
self._create_verify_security_group_rule(sg_id, direction,
160
self.ethertype, protocol,
164
@test.attr(type='smoke')
165
@test.idempotent_id('c9463db8-b44d-4f52-b6c0-8dbda99f26ce')
166
def test_create_security_group_rule_with_icmp_type_code(self):
167
"""Verify security group rule for icmp protocol works.
169
Specify icmp type (port_range_min) and icmp code
170
(port_range_max) with different values. A separate testcase
171
is added for icmp protocol as icmp validation would be
172
different from tcp/udp.
174
group_create_body, _ = self._create_security_group()
176
sg_id = group_create_body['security_group']['id']
177
direction = 'ingress'
179
icmp_type_codes = [(3, 2), (3, 0), (8, 0), (0, 0), (11, None)]
180
for icmp_type, icmp_code in icmp_type_codes:
181
self._create_verify_security_group_rule(sg_id, direction,
182
self.ethertype, protocol,
183
icmp_type, icmp_code)
185
@test.attr(type='smoke')
186
@test.idempotent_id('c2ed2deb-7a0c-44d8-8b4c-a5825b5c310b')
187
def test_create_security_group_rule_with_remote_group_id(self):
188
# Verify creating security group rule with remote_group_id works
189
sg1_body, _ = self._create_security_group()
190
sg2_body, _ = self._create_security_group()
192
sg_id = sg1_body['security_group']['id']
193
direction = 'ingress'
197
remote_id = sg2_body['security_group']['id']
198
self._create_verify_security_group_rule(sg_id, direction,
199
self.ethertype, protocol,
202
remote_group_id=remote_id)
204
@test.attr(type='smoke')
205
@test.idempotent_id('16459776-5da2-4634-bce4-4b55ee3ec188')
206
def test_create_security_group_rule_with_remote_ip_prefix(self):
207
# Verify creating security group rule with remote_ip_prefix works
208
sg1_body, _ = self._create_security_group()
210
sg_id = sg1_body['security_group']['id']
211
direction = 'ingress'
215
ip_prefix = self._tenant_network_cidr
216
self._create_verify_security_group_rule(sg_id, direction,
217
self.ethertype, protocol,
220
remote_ip_prefix=ip_prefix)
222
@test.attr(type='smoke')
223
@test.idempotent_id('0a307599-6655-4220-bebc-fd70c64f2290')
224
def test_create_security_group_rule_with_protocol_integer_value(self):
225
# Verify creating security group rule with the
226
# protocol as integer value
227
# arguments : "protocol": 17
228
group_create_body, _ = self._create_security_group()
229
direction = 'ingress'
231
security_group_id = group_create_body['security_group']['id']
232
rule_create_body = self.client.create_security_group_rule(
233
security_group_id=security_group_id,
237
sec_group_rule = rule_create_body['security_group_rule']
238
self.assertEqual(sec_group_rule['direction'], direction)
239
self.assertEqual(int(sec_group_rule['protocol']), protocol)
242
class SecGroupIPv6Test(SecGroupTest):
244
_tenant_network_cidr = CONF.network.tenant_network_v6_cidr