diff options
Diffstat (limited to 'docs/testing/user/testspecification/securitygroup/index.rst')
-rw-r--r-- | docs/testing/user/testspecification/securitygroup/index.rst | 453 |
1 files changed, 0 insertions, 453 deletions
diff --git a/docs/testing/user/testspecification/securitygroup/index.rst b/docs/testing/user/testspecification/securitygroup/index.rst deleted file mode 100644 index 61aa1c4b..00000000 --- a/docs/testing/user/testspecification/securitygroup/index.rst +++ /dev/null @@ -1,453 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Huawei Technologies Co.,Ltd - -=================================================== -Security Group and Port Security test specification -=================================================== - -.. toctree:: - :maxdepth: 2 - -Scope -===== - -The security group and port security test area evaluates the ability of the -system under test to support packet filtering by security group and port security. -The tests in this test area will evaluate preventing MAC spoofing by port security, -basic security group operations including testing cross/in tenant traffic, testing -multiple security groups, using port security to disable security groups and -updating security groups. - -References -========== - -N/A - -Definitions and abbreviations -============================= - -The following terms and abbreviations are used in conjunction with this test -area - -- API - Application Programming Interface -- ICMP - Internet Control Message Protocol -- MAC - Media Access Control -- NFVi - Network Functions Virtualization infrastructure -- SSH - Secure Shell -- TCP - Transmission Control Protocol -- VIM - Virtual Infrastructure Manager -- VM - Virtual Machine - -System Under Test (SUT) -======================= - -The system under test is assumed to be the NFVi and VIM in operation on a -Pharos compliant infrastructure. - -Test Area Structure -=================== - -The test area is structured based on the basic operations of security group and -port security. Each test case is able to run independently, i.e. irrelevant of -the state created by a previous test. Specifically, every test performs clean-up -operations which return the system to the same state as before the test. - -All these test cases are included in the test case dovetail.tempest.tc002 of -OVP test suite. - -Test Descriptions -================= - -API Used and Reference ----------------------- - -Security Groups: https://developer.openstack.org/api-ref/network/v2/index.html#security-groups-security-groups - -- create security group -- delete security group - -Networks: https://developer.openstack.org/api-ref/networking/v2/index.html#networks - -- create network -- delete network -- list networks -- create floating ip -- delete floating ip - -Routers and interface: https://developer.openstack.org/api-ref/networking/v2/index.html#routers-routers - -- create router -- delete router -- list routers -- add interface to router - -Subnets: https://developer.openstack.org/api-ref/networking/v2/index.html#subnets - -- create subnet -- list subnets -- delete subnet - -Servers: https://developer.openstack.org/api-ref/compute/ - -- create keypair -- create server -- delete server -- add/assign floating ip - -Ports: https://developer.openstack.org/api-ref/networking/v2/index.html#ports - -- update port -- list ports -- show port details - --------------------------------------------- -Test Case 1 - Port Security and MAC Spoofing --------------------------------------------- - -Test case specification ------------------------ - -tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_port_security_macspoofing_port - -Test preconditions ------------------- - -* Neutron port-security extension API -* Neutron security-group extension API -* One public network - -Basic test flow execution description and pass/fail criteria ------------------------------------------------------------- - -Test execution -'''''''''''''' - -* Test action 1: Create a security group SG1, which has rules for allowing incoming - SSH and ICMP traffic -* Test action 2: Create a neutron network NET1 -* Test action 3: Create a tenant router R1 which routes traffic to public network -* Test action 4: Create a subnet SUBNET1 and add it as router interface -* Test action 5: Create a server VM1 with SG1 and NET1, and assign a floating ip - FIP1 (via R1) to VM1 -* Test action 6: Verify can ping FIP1 successfully and can SSH to VM1 with FIP1 -* Test action 7: Create a second neutron network NET2 and subnet SUBNET2, and attach VM1 to NET2 -* Test action 8: Get VM1's ethernet interface NIC2 for NET2 -* Test action 9: Create second server VM2 on NET2 -* Test action 10: Verify VM1 is able to communicate with VM2 via NIC2 -* Test action 11: Login to VM1 and spoof the MAC address of NIC2 to "00:00:00:00:00:01" -* Test action 12: Verify VM1 fails to communicate with VM2 via NIC2 -* **Test assertion 1:** The ping operation is failed -* Test action 13: Update 'security_groups' to be none for VM1's NIC2 port -* Test action 14: Update 'port_security_enable' to be False for VM1's NIC2 port -* Test action 15: Verify now VM1 is able to communicate with VM2 via NIC2 -* **Test assertion 2:** The ping operation is successful -* Test action 16: Delete SG1, NET1, NET2, SUBNET1, SUBNET2, R1, VM1, VM2 and FIP1 - -Pass / fail criteria -'''''''''''''''''''' - -This test evaluates the ability to prevent MAC spoofing by using port security. -Specifically, the test verifies that: - -* With port security, the ICMP packets from a spoof server cannot pass the port. - -* Without port security, the ICMP packets from a spoof server can pass the port. - -In order to pass this test, all test assertions listed in the test execution above need to pass. - -Post conditions ---------------- - -N/A - ------------------------------------------------------- -Test Case 2 - Test Security Group Cross Tenant Traffic ------------------------------------------------------- - -Test case specification ------------------------ - -tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_cross_tenant_traffic - -Test preconditions ------------------- - -* Neutron security-group extension API -* Two tenants -* One public network - -Basic test flow execution description and pass/fail criteria ------------------------------------------------------------- - -Test execution -'''''''''''''' - -* Test action 1: Create a neutron network NET1 for primary tenant -* Test action 2: Create a primary tenant router R1 which routes traffic to public network -* Test action 3: Create a subnet SUBNET1 and add it as router interface -* Test action 4: Create 2 empty security groups SG1 and SG2 for primary tenant -* Test action 5: Add a tcp rule to SG1 -* Test action 6: Create a server VM1 with SG1, SG2 and NET1, and assign a floating ip - FIP1 (via R1) to VM1 -* Test action 7: Repeat test action 1 to 6 and create NET2, R2, SUBNET2, SG3, SG4, - FIP2 and VM2 for an alt_tenant -* Test action 8: Verify VM1 fails to communicate with VM2 through FIP2 -* **Test assertion 1:** The ping operation is failed -* Test action 9: Add ICMP rule to SG4 -* Test action 10: Verify VM1 is able to communicate with VM2 through FIP2 -* **Test assertion 2:** The ping operation is successful -* Test action 11: Verify VM2 fails to communicate with VM1 through FIP1 -* **Test assertion 3:** The ping operation is failed -* Test action 12: Add ICMP rule to SG2 -* Test action 13: Verify VM2 is able to communicate with VM1 through FIP1 -* **Test assertion 4:** The ping operation is successful -* Test action 14: Delete SG1, SG2, SG3, SG4, NET1, NET2, SUBNET1, SUBNET2, R1, R2, - VM1, VM2, FIP1 and FIP2 - -Pass / fail criteria -'''''''''''''''''''' - -This test evaluates the ability of the security group to filter packets cross tenant. -Specifically, the test verifies that: - -* Without ICMP security group rule, the ICMP packets cannot be received by the server - in another tenant which differs from the source server. - -* With ingress ICMP security group rule enabled only at tenant1, the server in tenant2 - can ping server in tenant1 but not the reverse direction. - -* With ingress ICMP security group rule enabled at tenant2 also, the ping works from both directions. - -In order to pass this test, all test assertions listed in the test execution above need to pass. - -Post conditions ---------------- - -N/A - ---------------------------------------------------- -Test Case 3 - Test Security Group in Tenant Traffic ---------------------------------------------------- - -Test case specification ------------------------ - -tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_in_tenant_traffic - -Test preconditions ------------------- - -* Neutron security-group extension API -* One public network - -Basic test flow execution description and pass/fail criteria ------------------------------------------------------------- - -Test execution -'''''''''''''' - -* Test action 1: Create a neutron network NET1 -* Test action 2: Create a tenant router R1 which routes traffic to public network -* Test action 3: Create a subnet SUBNET1 and add it as router interface -* Test action 4: Create 2 empty security groups SG1 and SG2 -* Test action 5: Add a tcp rule to SG1 -* Test action 6: Create a server VM1 with SG1, SG2 and NET1, and assign a floating ip - FIP1 (via R1) to VM1 -* Test action 7: Create second server VM2 with default security group and NET1 -* Test action 8: Verify VM1 fails to communicate with VM2 through VM2's fixed ip -* **Test assertion 1:** The ping operation is failed -* Test action 9: Add ICMP security group rule to default security group -* Test action 10: Verify VM1 is able to communicate with VM2 through VM2's fixed ip -* **Test assertion 2:** The ping operation is successful -* Test action 11: Delete SG1, SG2, NET1, SUBNET1, R1, VM1, VM2 and FIP1 - -Pass / fail criteria -'''''''''''''''''''' - -This test evaluates the ability of the security group to filter packets in one tenant. -Specifically, the test verifies that: - -* Without ICMP security group rule, the ICMP packets cannot be received by the server - in the same tenant. - -* With ICMP security group rule, the ICMP packets can be received by the server - in the same tenant. - -In order to pass this test, all test assertions listed in the test execution above need to pass. - -Post conditions ---------------- - -N/A - -------------------------------------------- -Test Case 4 - Test Multiple Security Groups -------------------------------------------- - -Test case specification ------------------------ - -tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_multiple_security_groups - -Test preconditions ------------------- - -* Neutron security-group extension API -* One public network - -Basic test flow execution description and pass/fail criteria ------------------------------------------------------------- - -Test execution -'''''''''''''' - -* Test action 1: Create a neutron network NET1 -* Test action 2: Create a tenant router R1 which routes traffic to public network -* Test action 3: Create a subnet SUBNET1 and add it as router interface -* Test action 4: Create 2 empty security groups SG1 and SG2 -* Test action 5: Add a tcp rule to SG1 -* Test action 6: Create a server VM1 with SG1, SG2 and NET1, and assign a floating ip - FIP1 (via R1) to VM1 -* Test action 7: Verify failed to ping FIP1 -* **Test assertion 1:** The ping operation is failed -* Test action 8: Add ICMP security group rule to SG2 -* Test action 9: Verify can ping FIP1 successfully -* **Test assertion 2:** The ping operation is successful -* Test action 10: Verify can SSH to VM1 with FIP1 -* **Test assertion 3:** Can SSH to VM1 successfully -* Test action 11: Delete SG1, SG2, NET1, SUBNET1, R1, VM1 and FIP1 - -Pass / fail criteria -'''''''''''''''''''' - -This test evaluates the ability of multiple security groups to filter packets. -Specifically, the test verifies that: - -* A server with 2 security groups, one with TCP rule and without ICMP rule, - cannot receive the ICMP packets sending from the tempest host machine. - -* A server with 2 security groups, one with TCP rule and the other with ICMP rule, - can receive the ICMP packets sending from the tempest host machine and be connected - via the SSH client. - -In order to pass this test, all test assertions listed in the test execution above need to pass. - -Post conditions ---------------- - -N/A - -------------------------------------------------------- -Test Case 5 - Test Port Security Disable Security Group -------------------------------------------------------- - -Test case specification ------------------------ - -tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group - -Test preconditions ------------------- - -* Neutron security-group extension API -* Neutron port-security extension API -* One public network - -Basic test flow execution description and pass/fail criteria ------------------------------------------------------------- - -Test execution -'''''''''''''' - -* Test action 1: Create a neutron network NET1 -* Test action 2: Create a tenant router R1 which routes traffic to public network -* Test action 3: Create a subnet SUBNET1 and add it as router interface -* Test action 4: Create 2 empty security groups SG1 and SG2 -* Test action 5: Add a tcp rule to SG1 -* Test action 6: Create a server VM1 with SG1, SG2 and NET1, and assign a floating ip - FIP1 (via R1) to VM1 -* Test action 7: Create second server VM2 with default security group and NET1 -* Test action 8: Update 'security_groups' to be none and 'port_security_enabled' to be - True for VM2's port -* Test action 9: Verify VM1 fails to communicate with VM2 through VM2's fixed ip -* **Test assertion 1:** The ping operation is failed -* Test action 10: Update 'security_groups' to be none and 'port_security_enabled' to be - False for VM2's port -* Test action 11: Verify VM1 is able to communicate with VM2 through VM2's fixed ip -* **Test assertion 2:** The ping operation is successful -* Test action 12: Delete SG1, SG2, NET1, SUBNET1, R1, VM1, VM2 and FIP1 - -Pass / fail criteria -'''''''''''''''''''' - -This test evaluates the ability of port security to disable security group. -Specifically, the test verifies that: - -* The ICMP packets cannot pass the port whose 'port_security_enabled' is True - and security_groups is none. - -* The ICMP packets can pass the port whose 'port_security_enabled' is False - and security_groups is none. - -In order to pass this test, all test assertions listed in the test execution above need to pass. - -Post conditions ---------------- - -N/A - ---------------------------------------------- -Test Case 6 - Test Update Port Security Group ---------------------------------------------- - -Test case specification ------------------------ - -tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_update_new_security_group - -Test preconditions ------------------- - -* Neutron security-group extension API -* One public network - -Basic test flow execution description and pass/fail criteria ------------------------------------------------------------- - -Test execution -'''''''''''''' - -* Test action 1: Create a neutron network NET1 -* Test action 2: Create a tenant router R1 which routes traffic to public network -* Test action 3: Create a subnet SUBNET1 and add it as router interface -* Test action 4: Create 2 empty security groups SG1 and SG2 -* Test action 5: Add a tcp rule to SG1 -* Test action 6: Create a server VM1 with SG1, SG2 and NET1, and assign a floating ip - FIP1 (via R1) to VM1 -* Test action 7: Create third empty security group SG3 -* Test action 8: Add ICMP rule to SG3 -* Test action 9: Create second server VM2 with default security group and NET1 -* Test action 10: Verify VM1 fails to communicate with VM2 through VM2's fixed ip -* **Test assertion 1:** The ping operation is failed -* Test action 11: Update 'security_groups' to be SG3 for VM2's port -* Test action 12: Verify VM1 is able to communicate with VM2 through VM2's fixed ip -* **Test assertion 2:** The ping operation is successful -* Test action 13: Delete SG1, SG2, SG3, NET1, SUBNET1, R1, VM1, VM2 and FIP1 - -Pass / fail criteria -'''''''''''''''''''' - -This test evaluates the ability to update port with a new security group. -Specifically, the test verifies that: - -* Without ICMP security group rule, the VM cannot receive ICMP packets. - -* Update the port's security group which has ICMP rule, the VM can receive ICMP packets. - -In order to pass this test, all test assertions listed in the test execution above need to pass. - -Post conditions ---------------- - -N/A |