From 32f101bf3a3e2a17b834f2e17f9976eb7fd03960 Mon Sep 17 00:00:00 2001 From: Tomas Cechvala Date: Fri, 10 Feb 2017 15:48:05 +0100 Subject: Security groups smoke test in FDS Security group rules are applied to L2 traffic. - creates infrastructure - applies policy rules - makes MM send icmp and http traffic - changes policy rules - rechecks the traffic - clears infrastructure Change-Id: I7b73f7ff22bb3fc59c5e873818bdb5d5ad88c12d Signed-off-by: Tomas Cechvala
---
testing/robot/data/test_data.py | 6 +- testing/robot/lib/FDSLibrary.py | 38 +++++++++- testing/robot/lib/Keywords.robot | 109 ++++++++++++++++++++++++++++ testing/robot/sec_groups_and_l2-smoke.robot | 97 +++++++++++++++++++++++++ testing/robot/smoke.robot | 68 +---------------- 5 files changed, 245 insertions(+), 73 deletions(-) create mode 100644 testing/robot/lib/Keywords.robot create mode 100644 testing/robot/sec_groups_and_l2-smoke.robot
diff --git a/testing/robot/data/test_data.py b/testing/robot/data/test_data.py
index 2011257..97aaf2b 100644
--- a/testing/robot/data/test_data.py
+++ b/testing/robot/data/test_data.py
@@ -12,6 +12,8 @@ import uuid
 run_uuid = str(uuid.uuid4())
 network_name = 'fds_smoke_network_' + run_uuid
 subnet_name = 'fds_smoke_subnet_' + run_uuid
+sg_client = 'client'
+sg_server = 'server'
 vm1_name = 'fds_smoke_vm1_' + run_uuid
 vm1_address = '192.168.10.5'
 vm2_name = 'fds_smoke_vm2_' + run_uuid
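Review bot: The two added names, `sg_client = 'client'` and `sg_server = 'server'`, are the only resource names in this block that do not carry the `run_uuid` suffix, so security groups left behind by an aborted run or created by a parallel run cannot be told apart by name. Neutron does not require group names to be unique, so creation will not fail, but stale groups with permissive rules become harder to attribute and clean up. Suggest `sg_client = 'fds_smoke_sg_client_' + run_uuid` and `sg_server = 'fds_smoke_sg_server_' + run_uuid`, matching the neighbouring names.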
@@ -21,7 +23,7 @@ port2_name = 'fds_smoke_port2_' + run_uuid
 subnet_cidr = '192.168.10.0/24'
 vm_flavor = 'm1.small'
 vm_image = 'cirros-0.3.4'
-userdata1 = "#!/bin/sh\n\nsudo ip a add {}/24 dev eth0\n".format(vm1_address)
+userdata1 = "#!/bin/sh\n\nsudo ip a add {}/24 dev eth0\n while true; do echo curl_passed | nc -l -p 80; done\n".format(vm1_address)
 userdata2 = "#!/bin/sh\n\nsudo ip a add {}/24 dev eth0\nwhile true; do\n ping -c 1 {} 2>&1 >/dev/null\n " \
 "RES=$?\n if [ \"Z$RES\" = \"Z0\" ] ; then\n echo 'ping PASSED'\n break\n else\n echo " \
- "'ping FAILED'\n fi\n sleep 1\ndone\n".format(vm2_address, vm1_address)
+ "'ping FAILED'\n fi\n sleep 1\ndone\n\nwhile true; do curl {} --retry-delay 1 -m 1; sleep 3; done\n".format(vm2_address, vm1_address, vm1_address)
diff --git a/testing/robot/lib/FDSLibrary.py b/testing/robot/lib/FDSLibrary.py
index 786cee6..32c18eb 100644
--- a/testing/robot/lib/FDSLibrary.py
+++ b/testing/robot/lib/FDSLibrary.py
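Review bot: In the added `userdata2` line the curl call passes `--retry-delay 1` without `--retry`, and curl only honours the delay when retries are enabled, so the option has no effect. Either drop it or add a retry count, e.g. `curl {} --retry 1 --retry-delay 1 -m 1`. The listener added to `userdata1` answers with the bare string `curl_passed` and no HTTP status line, so whether curl prints it depends on the client accepting a header-less reply. That is worth confirming on the cirros image, because the suite's second console check relies on that output. A short comment above `userdata1` such as `# port-80 listener exists only to prove the tcp/80 rule added later in the suite` would make the intent clear.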
@@ -124,11 +124,33 @@ class FDSLibrary(): time.sleep(5) return False - def create_security_group(self): - pass + def create_security_group(self, name): + body = {'security_group': { + 'name': name + }} + response = self.neutron_client.create_security_group(body=body) + return response - def create_security_rule(self): - pass + def create_security_rule(self, sg_id, dir, eth, desc=None, proto=None, port_min=None, port_max=None, r_sg_id=None, r_prefix=None): + body = {'security_group_rule': { + 'security_group_id': sg_id, + 'ethertype': eth, + 'direction': dir + }} + if desc is not None: + body['security_group_rule']['description'] = desc + if proto is not None: + body['security_group_rule']['protocol'] = proto + if port_min is not None: + body['security_group_rule']['port_range_min'] = port_min + if port_max is not None: + body['security_group_rule']['port_range_max'] = port_max + if r_sg_id is not None: + body['security_group_rule']['remote_group_id'] = r_sg_id + if r_prefix is not None: + body['security_group_rule']['remote_ip_prefix'] = r_prefix + response = self.neutron_client.create_security_group_rule(body=body) + return response def poll_server(self, vm_id, status, timeout=300): try: @@ -167,6 +189,14 @@ class FDSLibrary(): response = self.neutron_client.delete_network(net_id) return response + def delete_security_group(self, sg_id): + response = self.neutron_client.delete_security_group(sg_id) + return response + + def delete_security_rule(self, rule_id): + response = self.neutron_client.delete_security_group_rule(rule_id) + return response + def ping_vm(self, ip_address): try: output = subprocess.check_output(['ping', '-c', '4', ip_address]) diff --git a/testing/robot/lib/Keywords.robot b/testing/robot/lib/Keywords.robot new file mode 100644 index 0000000..36136a1 --- /dev/null +++ b/testing/robot/lib/Keywords.robot 
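Review bot: `create_security_rule` has no docstring, and the behaviour a caller most needs to know is implicit. Called with only `sg_id`, `dir` and `eth`, the request body carries no protocol, port range or remote restriction, which Neutron treats as a rule matching all traffic of that ethertype in that direction. I would add a docstring that lists the optional fields and says so, for example `"""Create a rule in sg_id; omitting proto, ports, r_sg_id and r_prefix yields an allow-all rule for that direction and ethertype."""`. As a style point the parameter `dir` shadows the Python builtin; `direction` reads better, though renaming it changes the keyword argument name seen from Robot. The class body continues outside the hunk, and the same missing-docstring remark applies to `create_security_group` here and to the two delete wrappers in the next hunk.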
@@ -0,0 +1,109 @@ +############################################################################## +# Copyright (c) 2016 Juraj Linkes (Cisco) and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## + +*** Settings *** +Library OperatingSystem +Library FDSLibrary.py +Variables ../data/test_data.py + +*** Keywords *** + +Ensure Flavor + ${result} = Check Flavor Exists ${vm_flavor} + Return From Keyword If '${result}' == 'True' + Create Flavor ${vm_flavor} ram=768 + ${result} = Check Flavor Exists ${vm_flavor} + Should be True ${result} + +Ensure Image + ${result} = Check Image Exists ${vm_image} + Return From Keyword If '${result}' == 'True' + Create Image ${vm_image} /home/opnfv/functest/data/cirros-0.3.4-x86_64-disk.img + ${result} = Check Image Exists ${vm_image} + Should be True ${result} + +Create tenant network + &{response} = create network ${network_name} + log many &{response} + Set Suite Variable ${network_id} ${response.network['id']} + log ${network_id} + +Create subnet without dhcp + &{response} = create subnet ${subnet_name} ${network_id} ${subnet_cidr} dhcp=False + log many &{response} + Set Suite Variable ${subnet_id} ${response.subnet['id']} + log ${subnet_id} + +Create subnet with dhcp + &{response} = create subnet ${subnet_name} ${network_id} ${subnet_cidr} dhcp=True + log many &{response} + Set Suite Variable ${subnet_id} ${response.subnet['id']} + log ${subnet_id} + +Create security group no default rules + [Arguments] ${name} + &{response} = create security group ${name} + log many &{response} + : FOR ${rule} IN @{response.security_group['security_group_rules']} + \ log ${rule} + \ log ${rule['id']} + \ delete security rule ${rule['id']} + [Return] 
${response.security_group['id']} + +Create security group rules + #def create_security_rule(self, sg_id, dir, eth, desc=None, proto=None, port_min=None, port_max=None, r_sg_id=None, r_prefix=None): + &{response} = create security rule ${sg_client} ingress ipv4 + log many &{response} + &{response} = create security rule ${sg_client} egress' ipv4 + log many &{response} + &{response} = create security rule ${sg_server} egress ipv4 + log many &{response} + &{response} = create security rule ${sg_server} ingress ipv4 icmp + log many &{response} + +Create port with ip + [Arguments] ${port_name} ${ip_address} + &{response} = create port ${port_name} ${network_id} ${subnet_id} ${ip_address} + log many &{response} + log ${response.port['id']} + [Return] ${response.port['id']} + +Create vm + [Arguments] ${vm_name} ${port_ids} ${security_groups}=${None} ${userdata}=${None} + Log Many ${vm_name} ${vm_image} ${vm_flavor} ${port_ids} ${userdata} + ${response} = create server ${vm_name} ${vm_image} ${vm_flavor} ${port_ids} ${security_groups} + ... ${userdata} + log many ${response} + log ${response.id} + [Return] ${response.id} + +Check vm console + [Arguments] ${vm_id} ${string} + ${response} = check server console ${vm_id} ${string} + [Return] ${response} + +Poll vm + [Arguments] ${id} ${state} + poll server ${id} ${state} + +Delete vm + [Arguments] ${id} + ${response} = delete server ${id} + log ${response} + Poll vm ${id} ${None} + +Delete ports + [Arguments] ${id} + ${response} = delete port ${id} + log ${response} + +Delete network + [Arguments] ${id} + ${response} = delete net ${id} + log ${response} diff --git a/testing/robot/sec_groups_and_l2-smoke.robot b/testing/robot/sec_groups_and_l2-smoke.robot new file mode 100644 index 0000000..17c5a42 --- /dev/null +++ b/testing/robot/sec_groups_and_l2-smoke.robot 
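Review bot: In the `Create security group rules` keyword the second call passes `egress'` with a stray apostrophe as the direction, which would be sent to Neutron as written and presumably rejected. All four calls also pass `${sg_client}` or `${sg_server}`, which `test_data.py` defines as the group names `'client'` and `'server'`, whereas `create_security_rule` places that argument into `security_group_id`. The new suite calls `create security rule` directly with the ids it stored, so this keyword looks unused. Either remove it together with the pasted `#def create_security_rule(...)` comment line, or give it `[Arguments]` for the two group ids and correct the direction to `egress`.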
@@ -0,0 +1,97 @@ +############################################################################## +# Copyright (c) 2017 Tomas Cechvala (Cisco) and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## + +*** Settings *** +Library OperatingSystem +Library lib/FDSLibrary.py +Variables data/test_data.py +Resource lib/Keywords.robot +Suite Setup Setup Suite +Suite Teardown Teardown Suite + +*** Variables *** + +*** Test Cases *** + +Create network for VMs + Create tenant network + +Create subnet with dhcp for VMs + Create subnet with dhcp + +Create sec groups + ${result} = Create security group no default rules ${sg_server} + Set Suite Variable ${SEC_GR_SERVER} ${result} + ${result} = Create security group no default rules ${sg_client} + Set Suite Variable ${SEC_GR_CLIENT} ${result} + +Create sec rules + Wait Until Keyword Succeeds 3x 3s create security rule ${SEC_GR_CLIENT} egress ipv4 + Wait Until Keyword Succeeds 3x 3s create security rule ${SEC_GR_CLIENT} ingress ipv4 + Wait Until Keyword Succeeds 3x 3s create security rule ${SEC_GR_SERVER} egress ipv4 + Wait Until Keyword Succeeds 3x 3s create security rule ${SEC_GR_SERVER} ingress ipv4 proto=icmp + +Create port for VM1 + ${result} = Create port with ip ${port1_name} ${vm1_address} + Set Suite Variable ${port1_id} ${result} + +Create port for VM2 + ${result} = Create port with ip ${port2_name} ${vm2_address} + Set Suite Variable ${port2_id} ${result} + +Create VM1 + ${port_ids} = Create List ${port1_id} + ${result} = Create vm ${vm1_name} ${port_ids} userdata=${userdata1} + Set Suite Variable ${vm1_id} ${result} + +Wait for VM1 to be active + Should Be True $vm1_id is not $None + Poll vm ${vm1_id} active + +Create VM2 + ${port_ids} = 
Create List ${port2_id} + ${result} = Create vm ${vm2_name} ${port_ids} userdata=${userdata2} + Set Suite Variable ${vm2_id} ${result} + +Wait for VM2 to be active + Should Be True $vm2_id is not $None + Poll vm ${vm2_id} active + +Check VM2 userdata + ${result} = Check vm console ${vm2_id} PASSED + Should Be True ${result} + +Modify policy + Wait Until Keyword Succeeds 3x 3s create security rule ${SEC_GR_SERVER} ingress ipv4 proto=tcp port_min=80 port_max=80 + +Check VM2 userdata again + ${result} = Check vm console ${vm2_id} curl_passed + Should Be True ${result} + +*** Keywords *** +Setup Suite + Set Suite Variable ${network_id} ${None} + Set Suite Variable ${subnet_id} ${None} + Set Suite Variable ${port1_id} ${None} + Set Suite Variable ${port2_id} ${None} + Set Suite Variable ${vm1_id} ${None} + Set Suite Variable ${vm2_id} ${None} + Set Suite Variable ${SEC_GR_SERVER} ${None} + Set Suite Variable ${SEC_GR_CLIENT} ${None} + Ensure Image + Ensure Flavor + +Teardown Suite + Run Keyword If $vm1_id is not $None Delete vm ${vm1_id} + Run Keyword If $vm2_id is not $None Delete vm ${vm2_id} + Run Keyword If $port1_id is not $None Delete ports ${port1_id} + Run Keyword If $port2_id is not $None Delete ports ${port2_id} + Run Keyword If $network_id is not $None Delete network ${network_id} + Run Keyword If $SEC_GR_SERVER is not $None delete security group ${SEC_GR_SERVER} + Run Keyword If $SEC_GR_CLIENT is not $None delete security group ${SEC_GR_CLIENT} diff --git a/testing/robot/smoke.robot b/testing/robot/smoke.robot index a6c7d70..d6f8fe6 100644 --- a/testing/robot/smoke.robot +++ b/testing/robot/smoke.robot @@ -10,6 +10,7 @@ *** Settings *** Library OperatingSystem Library lib/FDSLibrary.py +Library lib/Keywords.robot Variables data/test_data.py Suite Setup Setup Suite Suite Teardown Teardown Suite 
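Review bot: Nothing in this suite attaches `${SEC_GR_SERVER}` or `${SEC_GR_CLIENT}` to the VMs or their ports. `Create VM1` and `Create VM2` call `Create vm` without the `security_groups` argument and `Create port with ip` takes no group, so as far as these lines show the traffic is governed by whatever group the ports receive by default. The suite also asserts only allowed traffic, so it would still pass if enforcement were not working at all. I would bind the groups where the ports are created (`create_port` is outside this diff, so the exact argument needs confirming) and add a negative test case before `Modify policy` with the steps `${result} =    Check vm console    ${vm2_id}    curl_passed` and `Should Not Be True    ${result}`.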
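Review bot: The added setting `Library lib/Keywords.robot` imports a file of user keywords with the `Library` setting, which Robot Framework reserves for test libraries; a `.robot` keyword file has to be imported with `Resource`, as the new `sec_groups_and_l2-smoke.robot` already does. With the line as written the import is expected to fail, and the keywords this commit removes from `smoke.robot` in the following hunk (`Ensure Flavor`, `Create vm`, `Delete network` and the rest) would no longer resolve. Change it to `Resource    lib/Keywords.robot`.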
@@ -70,70 +71,3 @@ Teardown Suite Run Keyword If $port1_id is not $None Delete ports ${port1_id} Run Keyword If $port2_id is not $None Delete ports ${port2_id} Run Keyword If $network_id is not $None Delete network ${network_id} - -Ensure Flavor - ${result} = Check Flavor Exists ${vm_flavor} - Return From Keyword If '${result}' == 'True' - Create Flavor ${vm_flavor} ram=768 - ${result} = Check Flavor Exists ${vm_flavor} - Should be True ${result} - -Ensure Image - ${result} = Check Image Exists ${vm_image} - Return From Keyword If '${result}' == 'True' - Create Image ${vm_image} /home/opnfv/functest/data/cirros-0.3.4-x86_64-disk.img - ${result} = Check Image Exists ${vm_image} - Should be True ${result} - -Create tenant network - &{response} = create network ${network_name} - log many &{response} - Set Suite Variable ${network_id} ${response.network['id']} - log ${network_id} - -Create subnet without dhcp - &{response} = create subnet ${subnet_name} ${network_id} ${subnet_cidr} dhcp=False - log many &{response} - Set Suite Variable ${subnet_id} ${response.subnet['id']} - log ${subnet_id} - -Create port with ip - [Arguments] ${port_name} ${ip_address} - &{response} = create port ${port_name} ${network_id} ${subnet_id} ${ip_address} - log many &{response} - log ${response.port['id']} - [Return] ${response.port['id']} - -Create vm - [Arguments] ${vm_name} ${port_ids} ${security_groups}=${None} ${userdata}=${None} - Log Many ${vm_name} ${vm_image} ${vm_flavor} ${port_ids} ${userdata} - ${response} = create server ${vm_name} ${vm_image} ${vm_flavor} ${port_ids} ${security_groups} - ... 
${userdata} - log many ${response} - log ${response.id} - [Return] ${response.id} - -Check vm console - [Arguments] ${vm_id} ${string} - ${response} = check server console ${vm_id} ${string} - [Return] ${response} - -Poll vm - [Arguments] ${id} ${state} - poll server ${id} ${state} - -Delete vm - [Arguments] ${id} - ${response} = delete server ${id} - log ${response} - Poll vm ${id} ${None} - -Delete ports - [Arguments] ${id} - ${response} = delete port ${id} - log ${response} - -Delete network - [Arguments] ${id} - ${response} = delete net ${id} - log ${response} -- cgit 1.2.3-korg