43ca6e31f74828ad30bb0d2ade06bc3e57613573
[integration/test.git] / csit / suites / openstack / securitygroup / acl.robot
1 *** Settings ***
2 Documentation     Test suite to validate ARP functionality for ACL_Enhancement feature.
3 Suite Setup       Start Suite
4 Suite Teardown    OpenStackOperations.OpenStack Suite Teardown
5 Test Setup        SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
6 Test Teardown     OpenStackOperations.Get Test Teardown Debugs
7 Library           OperatingSystem
8 Library           RequestsLibrary
9 Library           String
10 Resource          ../../../libraries/DevstackUtils.robot
11 Resource          ../../../libraries/KarafKeywords.robot
12 Resource          ../../../libraries/OVSDB.robot
13 Resource          ../../../libraries/OpenStackOperations.robot
14 Resource          ../../../libraries/OvsManager.robot
15 Resource          ../../../libraries/SetupUtils.robot
16 Resource          ../../../libraries/Utils.robot
17 Resource          ../../../variables/Variables.robot
18 Resource          ../../../variables/netvirt/Variables.robot
19
*** Variables ***
# Neutron objects created by the suite setup. The three REQ_* lists are indexed in step:
# network i gets subnet i with CIDR i.
@{REQ_NETWORKS}    acl_net_1    acl_net_2
@{REQ_SUBNETS}    acl_subnet_1    acl_subnet_2
@{REQ_SUBNET_CIDR}    30.30.30.0/24    40.40.40.0/24
# Create Setup in this file uses only the first four port names and the first two VM names.
@{PORTS}          acl_port_1    acl_port_2    acl_port_3    acl_port_4    acl_port_5    acl_port_6
@{VM_NAMES}       acl_myvm_1    acl_myvm_2    acl_myvm_3
@{SECURITY_GROUP}    acl_sg_1
# NOTE(review): not referenced anywhere in this file.
${VIRTUAL_IP}     30.30.30.100/24
# Number of ARP probes each test sends, and the flow-counter delta the assertions compare against.
${PACKET_COUNT}    5
# ARP target address; it lies outside both subnet CIDRs above.
${RANDOM_IP}      11.11.11.11
${NETMASK}        255.255.255.0
${PACKET_COUNT_ZERO}    0
# Guest command that runs the DHCP client on eth1.
${DHCP_CMD}       sudo /sbin/cirros-dhcpc up eth1
# Source address for the spoofed-IP tests. It sits inside 30.30.30.0/24 but is configured by the
# test itself on an eth0:1 alias; it is never passed to any Create Port call in this file.
${SPOOF}          30.30.30.100
# Only element 0 is used in this file (by ARP_CONFIG below), where it replaces the MAC on eth0.
@{SPOOF_MAC_ADDRESS}    FA:17:3E:73:65:86    fa:16:3e:3d:3b:5e
# Three guest commands separated by \n; the spoofed-MAC test runs them one line at a time.
${ARP_CONFIG}     sudo ifconfig eth0 down \n sudo ifconfig eth0 hw ether ${SPOOF_MAC_ADDRESS[0]} \n sudo ifconfig eth0 up
# NOTE(review): not referenced in this file; the tests hard-code 60s. Robot variable names are
# case-insensitive, so this may be meant to override a TIMEOUT variable from an imported
# resource. Confirm before removing.
${timeout}        60
37
38 *** Test Cases ***
Verify ARP request Valid MAC and Valid IP for the VM Egress Table
    [Documentation]    Baseline case: ARP requests sent from eth0 with the VM's own MAC and IP must raise the counter of the port's arp_sha flow in the VM egress table by exactly PACKET_COUNT.
    # Run the DHCP client on eth1 in both guests before any ARP traffic is generated.
    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[0]    @{VM_IP_DPN1}[0]    ${DHCP_CMD}
    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[0]    @{VM_IP_DPN2}[0]    ${DHCP_CMD}
    # Snapshot the counter of the flow selected by the port metadata plus an arp_sha match.
    ${valid_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA} | grep arp_sha
    ${arping_cmd} =    BuiltIn.Set Variable    sudo arping -I eth0 -c ${PACKET_COUNT} \ ${RANDOM_IP}
    # NOTE(review): the retry wrapper re-runs arping on failure. If an attempt fails after probes
    # have already left the guest, the delta below will exceed PACKET_COUNT.
    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[1]    @{VM_IP_DPN1}[1]    ${arping_cmd}
    ${valid_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA} | grep arp_sha
    # NOTE(review): the counter text is spliced into a Python expression. Passing the variables
    # as $name would avoid evaluating unexpected text, where the Robot version in use supports it.
    ${valid_arp_delta} =    BuiltIn.Evaluate    int(${valid_arp_after})-int(${valid_arp_before})
    BuiltIn.Should Be Equal As Numbers    ${valid_arp_delta}    ${PACKET_COUNT}
49
Verify ARP request generated from Spoofed IP for the VM
    [Documentation]    ARP requests sent with the VM's real MAC but a source IP that was configured only inside the guest must not hit the port's arp_sha flow; all PACKET_COUNT probes must instead be counted on the generic ARP flow that the test treats as the drop path in the VM egress table.
    # Add the spoofed address as an eth0:1 alias inside the guest.
    # NOTE(review): the alias is never removed; the combined spoofed-IP/spoofed-MAC test later
    # in this suite sends from it without configuring it again.
    ${alias_up_cmd} =    BuiltIn.Set Variable    sudo ifconfig eth0:1 ${SPOOF} netmask ${NETMASK} up
    ${output} =    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[1]    @{VM_IP_DPN1}[1]    ${alias_up_cmd}
    # Counter snapshots: the per-port arp_sha flow, then the ARP flow that goes to table 217.
    # NOTE(review): the variable names in the original treat hits on that second flow as
    # drops. Confirm against the pipeline definition.
    ${valid_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA} | grep arp_sha
    ${dropped_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep arp | grep goto_table:217
    ${arping_cmd} =    BuiltIn.Set Variable    sudo arping -s ${SPOOF} -c ${PACKET_COUNT} \ ${RANDOM_IP}
    ${output} =    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[1]    @{VM_IP_DPN1}[1]    ${arping_cmd}
    ${valid_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA} | grep arp_sha
    ${dropped_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep arp | grep goto_table:217
    ${valid_arp_delta} =    BuiltIn.Evaluate    int(${valid_arp_after})-int(${valid_arp_before})
    ${dropped_arp_delta} =    BuiltIn.Evaluate    int(${dropped_arp_after})-int(${dropped_arp_before})
    # Nothing may be accepted as valid, and every probe must show up on the drop path.
    BuiltIn.Should Be Equal As Numbers    ${valid_arp_delta}    ${PACKET_COUNT_ZERO}
    BuiltIn.Should Be Equal As Numbers    ${dropped_arp_delta}    ${PACKET_COUNT}
66
Verify ARP request generated from Spoofed MAC for the VM
    [Documentation]    After the guest replaces the MAC on eth0 with one the test chose itself, ARP requests sent from eth0 must not hit the port's arp_sha flow; all PACKET_COUNT probes must be counted on the generic ARP flow that the test treats as the drop path in the VM egress table.
    # Apply the interface-down, set-MAC, interface-up sequence to eth0, one guest command per line
    # of ARP_CONFIG. The commands are sent with the second network and second VM address as
    # arguments, not the first.
    # NOTE(review): the original MAC is never restored; the next test in the suite relies on
    # the spoofed MAC still being in place.
    ${line_total} =    String.Get Line Count    ${ARP_CONFIG}
    : FOR    ${line_no}    IN RANGE    0    ${line_total}
    \    ${guest_cmd} =    String.Get Line    ${ARP_CONFIG}    ${line_no}
    \    ${output} =    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[1]
    \    ...    @{VM_IP_DPN1}[1]    ${guest_cmd}
    # Counter snapshots taken only after the MAC change, so setup traffic is excluded.
    ${valid_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA}|grep arp_sha
    ${dropped_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep arp | grep goto_table:217
    ${arping_cmd} =    BuiltIn.Set Variable    sudo arping -I eth0 -c ${PACKET_COUNT} \ ${RANDOM_IP}
    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[1]    @{VM_IP_DPN1}[1]    ${arping_cmd}
    ${valid_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA}|grep arp_sha
    ${dropped_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep arp | grep goto_table:217
    ${valid_arp_delta} =    BuiltIn.Evaluate    int(${valid_arp_after})-int(${valid_arp_before})
    ${dropped_arp_delta} =    BuiltIn.Evaluate    int(${dropped_arp_after})-int(${dropped_arp_before})
    BuiltIn.Should Be Equal As Numbers    ${valid_arp_delta}    ${PACKET_COUNT_ZERO}
    BuiltIn.Should Be Equal As Numbers    ${dropped_arp_delta}    ${PACKET_COUNT}
84
Verify ARP request generated from Spoofed IP and spoofed MAC for the VM
    [Documentation]    ARP requests sent with the spoofed source IP must not hit the port's arp_sha flow and must all be counted on the generic ARP flow that the test treats as the drop path in the VM egress table. The spoofed MAC is not set here; see the review note below.
    # NOTE(review): this test configures nothing in the guest. The eth0:1 alias and the changed
    # eth0 MAC are whatever the spoofed-IP and spoofed-MAC tests left behind, so the result is
    # only meaningful when the suite runs in file order with both earlier tests executed.
    ${valid_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA}|grep arp_sha
    ${dropped_arp_before} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep arp | grep goto_table:217
    ${arping_cmd} =    BuiltIn.Set Variable    sudo arping -s ${SPOOF} -c ${PACKET_COUNT} \ ${RANDOM_IP}
    BuiltIn.Wait Until Keyword Succeeds    60s    10s    OpenStackOperations.Execute Command on VM Instance    @{REQ_NETWORKS}[1]    @{VM_IP_DPN1}[1]    ${arping_cmd}
    ${valid_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep ${VM1_METADATA}|grep arp_sha
    ${dropped_arp_after} =    OvsManager.Get Packet Count From Table    ${OS_COMPUTE_1_IP}    ${INTEGRATION_BRIDGE}    table=@{DEFAULT_FLOW_TABLES}[15]    | grep arp | grep goto_table:217
    ${valid_arp_delta} =    BuiltIn.Evaluate    int(${valid_arp_after})-int(${valid_arp_before})
    ${dropped_arp_delta} =    BuiltIn.Evaluate    int(${dropped_arp_after})-int(${dropped_arp_before})
    BuiltIn.Should Be Equal As Numbers    ${valid_arp_delta}    ${PACKET_COUNT_ZERO}
    BuiltIn.Should Be Equal As Numbers    ${dropped_arp_delta}    ${PACKET_COUNT}
97
98 *** Keywords ***
Start Suite
    [Documentation]    Suite setup for the ACL_Enhancement feature: runs the shared OpenStack suite setup, then builds this suite's own topology with Create Setup.
    OpenStackOperations.OpenStack Suite Setup
    # Networks, ports, security group and VMs used by every test case in this file.
    Create Setup
103
Create Setup
    [Documentation]    Create two networks, two subnets, one security group, four ports and two two-port VMs (one per compute node), then publish the VM addresses and the first port's OVS metadata as suite variables.
    Create Neutron Networks    2
    Create Neutron Subnets    2
    # Start from an empty rule set so only the rules added below apply to the group.
    OpenStackOperations.Neutron Security Group Create    @{SECURITY_GROUP}[0]
    OpenStackOperations.Delete All Security Group Rules    @{SECURITY_GROUP}[0]
    # Ports 0 and 2 sit on the first network, ports 1 and 3 on the second. Only the security
    # group is passed here; the spoofed IP and MAC used by the tests are never given to Neutron.
    OpenStackOperations.Create Port    @{REQ_NETWORKS}[0]    @{PORTS}[0]    sg=@{SECURITY_GROUP}[0]
    OpenStackOperations.Create Port    @{REQ_NETWORKS}[1]    @{PORTS}[1]    sg=@{SECURITY_GROUP}[0]
    OpenStackOperations.Create Port    @{REQ_NETWORKS}[0]    @{PORTS}[2]    sg=@{SECURITY_GROUP}[0]
    OpenStackOperations.Create Port    @{REQ_NETWORKS}[1]    @{PORTS}[3]    sg=@{SECURITY_GROUP}[0]
    # ICMP and all TCP ports are opened in both directions to any address. No rule mentions ARP.
    # NOTE(review): presumably ARP filtering is left entirely to the anti-spoofing flows the
    # tests inspect; confirm. The any-address rules are a lab fixture, not a pattern to copy.
    OpenStackOperations.Neutron Security Group Rule Create    @{SECURITY_GROUP}[0]    direction=ingress    protocol=icmp    remote-ip=0.0.0.0/0
    OpenStackOperations.Neutron Security Group Rule Create    @{SECURITY_GROUP}[0]    direction=egress    protocol=icmp    remote-ip=0.0.0.0/0
    OpenStackOperations.Neutron Security Group Rule Create    @{SECURITY_GROUP}[0]    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp    remote-ip=0.0.0.0/0
    OpenStackOperations.Neutron Security Group Rule Create    @{SECURITY_GROUP}[0]    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp    remote-ip=0.0.0.0/0
    # One VM per compute node, each attached to one port on each network.
    OpenStackOperations.Create Vm Instance With Ports On Compute Node    @{PORTS}[0]    @{PORTS}[1]    @{VM_NAMES}[0]    ${OS_CMP1_HOSTNAME}    flavor=m1.tiny    sg=@{SECURITY_GROUP}[0]
    OpenStackOperations.Create Vm Instance With Ports On Compute Node    @{PORTS}[2]    @{PORTS}[3]    @{VM_NAMES}[1]    ${OS_CMP2_HOSTNAME}    flavor=m1.tiny    sg=@{SECURITY_GROUP}[0]
    # Poll for up to 300 seconds until both addresses of each VM can be read.
    @{VM_IP_DPN1} =    BuiltIn.Wait Until Keyword Succeeds    300 sec    15 sec    OpenStackOperations.Get Two Port VM IP Addresses    ${OS_CMP1_CONN_ID}    @{VM_NAMES}[0]
    @{VM_IP_DPN2} =    BuiltIn.Wait Until Keyword Succeeds    300 sec    15 sec    OpenStackOperations.Get Two Port VM IP Addresses    ${OS_CMP2_CONN_ID}    @{VM_NAMES}[1]
    BuiltIn.Set Suite Variable    @{VM_IP_DPN1}
    BuiltIn.Set Suite Variable    @{VM_IP_DPN2}
    # Fail the setup if any address contains the text None.
    BuiltIn.Should Not Contain    @{VM_IP_DPN1}[0]    None
    BuiltIn.Should Not Contain    @{VM_IP_DPN1}[1]    None
    BuiltIn.Should Not Contain    @{VM_IP_DPN2}[0]    None
    BuiltIn.Should Not Contain    @{VM_IP_DPN2}[1]    None
    # The tests use this metadata value to pick out the first port's flows in the flow dump.
    ${VM1_PORT} =    Get Vm Port    ${OS_COMPUTE_1_IP}    @{PORTS}[0]
    ${VM1_METADATA} =    OVSDB.Get Port Metadata    ${OS_COMPUTE_1_IP}    ${VM1_PORT}
    BuiltIn.Set Suite Variable    ${VM1_METADATA}
131
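Create Neutron Networks
    [Arguments]    ${num_of_network}
    [Documentation]    Create the first num_of_network networks from REQ_NETWORKS and verify that each of them appears in the network listing.
    # Creation is bounded by the argument, the same way the verification loop below and
    # Create Neutron Subnets are. Iterating over the whole list ignored the argument and could
    # create networks that were never verified.
    : FOR    ${index}    IN RANGE    0    ${num_of_network}
    \    OpenStackOperations.Create Network    ${REQ_NETWORKS[${index}]}
    ${net_list} =    OpenStackOperations.List Networks
    : FOR    ${index}    IN RANGE    0    ${num_of_network}
    \    BuiltIn.Should Contain    ${net_list}    ${REQ_NETWORKS[${index}]}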
140
Create Neutron Subnets
    [Arguments]    ${NUM_OF_NETWORK}
    [Documentation]    For each of the first NUM_OF_NETWORK networks, create the subnet with the matching name and CIDR, then verify that every created subnet appears in the subnet listing.
    # REQ_NETWORKS, REQ_SUBNETS and REQ_SUBNET_CIDR are read at the same index.
    : FOR    ${idx}    IN RANGE    0    ${NUM_OF_NETWORK}
    \    OpenStackOperations.Create SubNet    ${REQ_NETWORKS[${idx}]}    ${REQ_SUBNETS[${idx}]}    ${REQ_SUBNET_CIDR[${idx}]}
    ${subnet_listing} =    OpenStackOperations.List Subnets
    : FOR    ${idx}    IN RANGE    0    ${NUM_OF_NETWORK}
    \    BuiltIn.Should Contain    ${subnet_listing}    ${REQ_SUBNETS[${idx}]}
149
Get Vm Port
    [Arguments]    ${ip_address}    ${portname}
    [Documentation]    Return the OVS port number for the named Neutron port: look up its sub port id, then ask OVSDB on the host at ip_address for the matching port number.
    ${neutron_sub_id} =    OpenStackOperations.Get Sub Port Id    ${portname}
    ${ovs_port_no} =    OVSDB.Get Port Number    ${neutron_sub_id}    ${ip_address}
    [Return]    ${ovs_port_no}