From 964172409f502d8e9a07723e494b51703c0fdd8f Mon Sep 17 00:00:00 2001 From: TabassumSharieff Date: Mon, 3 Sep 2018 17:24:05 +0530 Subject: [PATCH] Revert "Revert Add Acl enhancement" This reverts commit I7bf12b07e24f73d29bc90f1cff0bd90253e17915 Change id 73638 went in but broke netvirt csit so was reverted and this is an attempt to get that original patch in without breaking netvirt csit. Change-Id: I21e04f6c1492dc828fa04993c2554ec10ea2d0a5 Signed-off-by: TabassumSharieff --- csit/libraries/OpenStackOperations.robot | 45 ++++++ csit/suites/openstack/securitygroup/acl.robot | 131 ++++++++++++++++++ csit/testplans/netvirt-1node-openstack.txt | 1 + 3 files changed, 177 insertions(+) create mode 100644 csit/suites/openstack/securitygroup/acl.robot diff --git a/csit/libraries/OpenStackOperations.robot b/csit/libraries/OpenStackOperations.robot index ae6393a9c2..a1ca371ac6 100644 --- a/csit/libraries/OpenStackOperations.robot +++ b/csit/libraries/OpenStackOperations.robot @@ -43,6 +43,16 @@ Create Network ${output} = OpenStack CLI openstack network create ${network_name} ${additional_args} [Return] ${output} +Create Multiple Networks + [Arguments] @{name_of_networks} + [Documentation] Create required number of networks and return a list of the resulting network ids + ${net_list_ids} = BuiltIn.Create List @{EMPTY} + : FOR ${net} IN @{name_of_networks} + \ ${output} = OpenStackOperations.Create Network ${net} + \ ${net_id} = Get Regexp Matches ${output} ${REGEX_UUID} + \ Collections.Append To List ${net_list_ids} ${net_id} + [Return] @{net_list_ids} + Update Network [Arguments] ${network_name} ${additional_args}=${EMPTY} [Documentation] Update Network with neutron request. 
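Review bot: In `Create Multiple Networks`, `Get Regexp Matches` returns a list of every UUID found in the CLI output, so each `${net_id}` appended to `${net_list_ids}` is itself a list. The keyword therefore returns a list of lists rather than the list of network ids its documentation promises. Take a single id per network and fail when none is found, for example `${net_id} =    BuiltIn.Should Match Regexp    ${output}    ${REGEX_UUID}`, as `Neutron Security Group Rule Create` already does; that the first UUID in the output is the network id is an assumption to confirm. The call is also the only unqualified one in the keyword, and `String.Get Regexp Matches` would match the library-prefixed style used around it.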
@@ -75,6 +85,20 @@ Create SubNet [Documentation] Create SubNet for the Network with neutron request. ${output} = OpenStack CLI openstack subnet create --network ${network_name} --subnet-range ${range_ip} ${subnet_name} ${additional_args} +Create Multiple Subnets + [Arguments] ${network_names} ${subnet_names} ${subnet_cidr} + [Documentation] Create required number of subnets for previously created networks and return subnet id + ${number_of_networks} = BuiltIn.Get Length ${network_names} + @{subnet_id_list} = BuiltIn.Create List @{EMPTY} + : FOR ${index} IN RANGE ${number_of_networks} + \ OpenStackOperations.Create SubNet ${network_names[${index}]} ${subnet_names[${index}]} ${subnet_cidr[${index}]} + ${sub_list} = OpenStackOperations.List Subnets + : FOR ${index} IN RANGE ${number_of_networks} + \ BuiltIn.Should Contain ${sub_list} ${subnet_names[${index}]} + \ ${subnet_id} = OpenStackOperations.Get Subnet Id ${subnet_names[${index}]} + \ Collections.Append To List ${subnet_id_list} ${subnet_id} + [Return] @{subnet_id_list} + Update SubNet [Arguments] ${subnet_name} ${additional_args}=${EMPTY} [Documentation] Update subnet with openstack subnet set request. @@ -203,6 +227,13 @@ Get Router Id ${router_id} = Collections.Get from List ${splitted_output} 0 [Return] ${router_id} +Get VMs OVS Port Number + [Arguments] ${ip_address} ${portname} + [Documentation] Get the port number for given portname + ${subportid} = OpenStackOperations.Get Sub Port Id ${portname} + ${vm_port_number} = OVSDB.Get Port Number ${subportid} ${ip_address} + [Return] ${vm_port_number} + Add New Image From Url [Arguments] ${image_url} ${image_name} [Documentation] To add new qcow2 images for testing. 
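Review bot: `Create Multiple Subnets` indexes `${subnet_names}` and `${subnet_cidr}` by the length of `${network_names}` without checking that the three lists are the same length, so a short list fails with an index error only after some subnets have already been created. A guard before the first loop such as `BuiltIn.Length Should Be    ${subnet_names}    ${number_of_networks}` (and the same for `${subnet_cidr}`) gives a clear failure up front. The `[Documentation]` should also say that a list of subnet ids is returned, one per network, in input order.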
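Review bot: `Get VMs OVS Port Number` calls `OVSDB.Get Port Number`, which makes this library depend on `OVSDB.robot`. The Settings section of `OpenStackOperations.robot` is outside the hunk, so confirm that the resource is reachable from it; otherwise a suite that does not import OVSDB itself would fail at this keyword. The documentation could also state that `${ip_address}` is the address of the node whose OVS is queried (the new suite passes `${OS_COMPUTE_1_IP}`) and that `${portname}` is the Neutron port name.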
@@ -376,6 +407,17 @@ Get VM IPs OpenStackOperations.Copy DHCP Files From Control Node [Return] @{vm_ips} ${ips_and_console_log[1]} +Get All VM IP Addresses + [Arguments] ${conn_id} ${vm_name} + [Documentation] Show information of a given two port VM and grep for two ip address. VM name should be sent as arguments. + SSHLibrary.Switch Connection ${conn_id} + ${cmd} = BuiltIn.Set Variable openstack server show ${vm_name} + ${output} = OpenStackOperations.OpenStack CLI ${cmd} + BuiltIn.Log ${output} + ${address_output} = OpenStackOperations.OpenStack CLI ${cmd} | grep "addresses" | awk '{print $4$5}' + @{vm_ips} = String.Get Regexp Matches ${address_output} ${REGEX_IPV4} + [Return] @{vm_ips} + Get Subnet Gateway Ip [Arguments] ${subnet_name} [Documentation] Show information of a subnet and grep for subnet gateway ip address @@ -719,6 +761,7 @@ Neutron Security Group Rule Create ${protocol} BuiltIn.Run Keyword If ${Kwargs} Collections.Pop From Dictionary ${Kwargs} protocol default=${None} ${remote_group_id} BuiltIn.Run Keyword If ${Kwargs} Collections.Pop From Dictionary ${Kwargs} remote_group_id default=${None} ${remote_ip_prefix} BuiltIn.Run Keyword If ${Kwargs} Collections.Pop From Dictionary ${Kwargs} remote_ip_prefix default=${None} + ${remote_ip} BuiltIn.Run Keyword If ${Kwargs} Collections.Pop From Dictionary ${Kwargs} remote_ip default=${None} ${cmd} = BuiltIn.Set Variable openstack security group rule create ${Security_group_name} ${cmd} = BuiltIn.Run Keyword If '${description}'!='None' BuiltIn.Catenate ${cmd} --description ${description} ... ELSE BuiltIn.Catenate ${cmd} 
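Review bot: `Get All VM IP Addresses` never fails when addresses are missing, so the `Wait Until Keyword Succeeds    300 sec    15 sec` wrapper in the new suite returns on the first call even if `@{vm_ips}` is empty or has one entry, and the tests then index `[1]`. Since the documentation says the VM has two ports, assert that before returning, for example `BuiltIn.Length Should Be    ${vm_ips}    2`, or take the expected count as an argument. The keyword also runs `openstack server show` twice, once to log and once piped through `grep`/`awk`. Filtering the first `${output}` with `String.Get Lines Containing String    ${output}    addresses` would avoid the second call and the dependence on column positions. `${vm_name}` is spliced unquoted into that command line, so the keyword should only ever receive suite-controlled names.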
@@ -736,6 +779,8 @@ Neutron Security Group Rule Create ... ELSE BuiltIn.Catenate ${cmd} ${cmd} = BuiltIn.Run Keyword If '${remote_ip_prefix}'!='None' BuiltIn.Catenate ${cmd} --src-ip ${remote_ip_prefix} ... ELSE BuiltIn.Catenate ${cmd} + ${cmd} = BuiltIn.Run Keyword If '${remote_ip}'!='None' BuiltIn.Catenate ${cmd} --remote-ip ${remote_ip} + ... ELSE BuiltIn.Catenate ${cmd} ${output} = OpenStack CLI ${cmd} ${rule_id} = BuiltIn.Should Match Regexp ${output} ${REGEX_UUID} [Return] ${output} ${rule_id} diff --git a/csit/suites/openstack/securitygroup/acl.robot b/csit/suites/openstack/securitygroup/acl.robot new file mode 100644 index 0000000000..9f29e51fd1 --- /dev/null +++ b/csit/suites/openstack/securitygroup/acl.robot 
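Review bot: Nothing stops a caller from passing both the new `remote_ip` kwarg (popped in the preceding hunk and appended here as `--remote-ip`) and the existing `remote_ip_prefix` kwarg, which is appended as `--src-ip`. That puts two remote-address options on one `openstack security group rule create` command, with the outcome left to the CLI. Either fail early, e.g. `BuiltIn.Run Keyword If    '${remote_ip}'!='None' and '${remote_ip_prefix}'!='None'    BuiltIn.Fail    Pass only one of remote_ip and remote_ip_prefix`, or state in the keyword's `[Documentation]` which of the two takes precedence. The keyword's header is outside both hunks, so a documentation change would go there.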
@@ -0,0 +1,131 @@
+*** Settings ***
+Documentation Test suite to validate ARP functionality for ACL_Enhancement feature.
+Suite Setup Start Suite
+Suite Teardown OpenStackOperations.OpenStack Suite Teardown
+Test Setup SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
+Test Teardown OpenStackOperations.Get Test Teardown Debugs
+Library OperatingSystem
+Library RequestsLibrary
+Library String
+Resource ../../../libraries/DevstackUtils.robot
+Resource ../../../libraries/KarafKeywords.robot
+Resource ../../../libraries/OVSDB.robot
+Resource ../../../libraries/OpenStackOperations.robot
+Resource ../../../libraries/OvsManager.robot
+Resource ../../../libraries/SetupUtils.robot
+Resource ../../../libraries/Utils.robot
+Resource ../../../variables/Variables.robot
+Resource ../../../variables/netvirt/Variables.robot
+
+*** Variables ***
+@{REQ_NETWORKS} acl_net_1 acl_net_2
+@{REQ_SUBNETS} acl_subnet_1 acl_subnet_2
+@{REQ_SUBNET_CIDR} 30.30.30.0/24 40.40.40.0/24
+@{PORTS} acl_port_1 acl_port_2 acl_port_3 acl_port_4
+@{VM_NAMES} acl_myvm_1 acl_myvm_2
+@{SECURITY_GROUP} acl_sg_1
+${VIRTUAL_IP} 30.30.30.100/24
+${PACKET_COUNT} 5
+${RANDOM_IP} 11.11.11.11
+${NETMASK} 255.255.255.0
+${PACKET_COUNT_ZERO} 0
+${DHCP_CMD} sudo /sbin/cirros-dhcpc up eth1
+${SPOOF_IP} 30.30.30.100
+@{SPOOF_MAC_ADDRESSES} FA:17:3E:73:65:86 fa:16:3e:3d:3b:5e
+${ARP_CONFIG} sudo ifconfig eth0 down \n sudo ifconfig eth0 hw ether ${SPOOF_MAC_ADDRESSES[0]} \n sudo ifconfig eth0 up
+${ARP_SHA} arp_sha
+${ARP} arp
+${TABLE} goto_table:217
+
+*** Test Cases ***
+Verify ARP request Valid MAC and Valid IP for the VM Egress Table
+ [Documentation] Verifying ARP resquest resolved for Valid MAC and Valid IP at the VM Egress Table
+ OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[0] @{VM_IP_DPN1}[0] ${DHCP_CMD}
+ OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[0] @{VM_IP_DPN2}[0] ${DHCP_CMD}
+ ${get_pkt_count_before_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${arping_cli} = BuiltIn.Set Variable sudo arping -I eth0 -c ${PACKET_COUNT} \ ${RANDOM_IP}
+ OpenStackOperations.Execute Command on VM Instance ${REQ_NETWORKS[1]} @{VM_IP_DPN1}[1] ${arping_cli}
+ ${get_pkt_count_after_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${pkt_diff} = BuiltIn.Evaluate int(${get_pkt_count_after_arp})-int(${get_pkt_count_before_arp})
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff} ${PACKET_COUNT}
+
+Verify ARP request generated from Spoofed IP for the VM
+ [Documentation] Verifying ARP resquest generated for Spoofed IP with Valid MAC and Validate the packet drop at the VM Egress Table
+ ${arp_int_up_cli} = BuiltIn.Set Variable sudo ifconfig eth0:1 ${SPOOF_IP} netmask ${NETMASK} up
+ ${output} = OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[1] @{VM_IP_DPN1}[1] ${arp_int_up_cli}
+ ${get_pkt_count_before_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${get_arp_drop_pkt_before} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${ARP}.*${TABLE}
+ ${arping_cli} = BuiltIn.Set Variable sudo arping -s ${SPOOF_IP} -c ${PACKET_COUNT} \ ${RANDOM_IP}
+ ${output} = OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[1] @{VM_IP_DPN1}[1] ${arping_cli}
+ ${get_pkt_count_after_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${get_arp_drop_pkt_after} OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${ARP}.*${TABLE}
+ ${pkt_diff_arp_drop} = BuiltIn.Evaluate int(${get_arp_drop_pkt_after})-int(${get_arp_drop_pkt_before})
+ ${pkt_diff} = BuiltIn.Evaluate int(${get_pkt_count_after_arp})-int(${get_pkt_count_before_arp})
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff} ${PACKET_COUNT_ZERO}
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff_arp_drop} ${PACKET_COUNT}
+
+Verify ARP request generated from Spoofed MAC for the VM
+ [Documentation] Verifying ARP resquest generated for Spoofed MAC with Valid IP and Validate the ARP packet drop at the VM Egress Table
+ ${count} = String.Get Line Count ${ARP_CONFIG}
+ : FOR ${index} IN RANGE 0 ${count}
+ \ ${cmd} = String.Get Line ${ARP_CONFIG} ${index}
+ \ ${output} = OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[1] @{VM_IP_DPN1}[1] ${cmd}
+ ${get_pkt_count_before_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${get_arp_drop_pkt_before} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${ARP}.*${TABLE}
+ ${arping_cli} = BuiltIn.Set Variable sudo arping -I eth0 -c ${PACKET_COUNT} \ ${RANDOM_IP}
+ OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[1] @{VM_IP_DPN1}[1] ${arping_cli}
+ ${get_pkt_count_after_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${get_arp_drop_pkt_after} OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${ARP}.*${TABLE}
+ ${pkt_diff} = BuiltIn.Evaluate int(${get_pkt_count_after_arp})-int(${get_pkt_count_before_arp})
+ ${pkt_diff_arp_drop} = BuiltIn.Evaluate int(${get_arp_drop_pkt_after})-int(${get_arp_drop_pkt_before})
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff} ${PACKET_COUNT_ZERO}
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff_arp_drop} ${PACKET_COUNT}
+
+Verify ARP request generated from Spoofed IP and spoofed MAC for the VM
+ [Documentation] Verifying ARP resquest generated for Spoofed MAC with Spoofed IP and Validate the ARP packet drop at the VM Egress Table
+ ${get_pkt_count_before_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${get_arp_drop_pkt_before} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${ARP}.*${TABLE}
+ ${arping_cli} = BuiltIn.Set Variable sudo arping -s ${SPOOF_IP} -c ${PACKET_COUNT} \ ${RANDOM_IP}
+ OpenStackOperations.Execute Command on VM Instance @{REQ_NETWORKS}[1] @{VM_IP_DPN1}[1] ${arping_cli}
+ ${get_pkt_count_after_arp} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${VM1_METADATA}.*${ARP_SHA}
+ ${get_arp_drop_pkt_after} = OvsManager.Get Packet Count From Table ${OS_COMPUTE_1_IP} ${INTEGRATION_BRIDGE} table=@{DEFAULT_FLOW_TABLES}[15] | grep ${ARP}.*${TABLE}
+ ${pkt_diff} = BuiltIn.Evaluate int(${get_pkt_count_after_arp})-int(${get_pkt_count_before_arp})
+ ${pkt_diff_arp_drop} = BuiltIn.Evaluate int(${get_arp_drop_pkt_after})-int(${get_arp_drop_pkt_before})
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff} ${PACKET_COUNT_ZERO}
+ BuiltIn.Should Be Equal As Numbers ${pkt_diff_arp_drop} ${PACKET_COUNT}
+
+*** Keywords ***
+Start Suite
+ [Documentation] Suite setup for ACL_Enhancement feature
+ OpenStackOperations.OpenStack Suite Setup
+ Create Setup
+
+Create Setup
+ [Documentation] Create Two Networks, Two Subnets, Four Ports
+ Create Multiple Networks @{REQ_NETWORKS}
+ Create Multiple Subnets ${REQ_NETWORKS} ${REQ_SUBNETS} ${REQ_SUBNET_CIDR}
+ OpenStackOperations.Neutron Security Group Create @{SECURITY_GROUP}[0]
+ OpenStackOperations.Delete All Security Group Rules @{SECURITY_GROUP}[0]
+ OpenStackOperations.Create Port @{REQ_NETWORKS}[0] @{PORTS}[0] sg=@{SECURITY_GROUP}[0]
+ OpenStackOperations.Create Port @{REQ_NETWORKS}[1] @{PORTS}[1] sg=@{SECURITY_GROUP}[0]
+ OpenStackOperations.Create Port @{REQ_NETWORKS}[0] @{PORTS}[2] sg=@{SECURITY_GROUP}[0]
+ OpenStackOperations.Create Port @{REQ_NETWORKS}[1] @{PORTS}[3] sg=@{SECURITY_GROUP}[0]
+ OpenStackOperations.Neutron Security Group Rule Create @{SECURITY_GROUP}[0] direction=ingress protocol=icmp remote_ip=0.0.0.0/0
+ OpenStackOperations.Neutron Security Group Rule Create @{SECURITY_GROUP}[0] direction=egress protocol=icmp remote_ip=0.0.0.0/0
+ OpenStackOperations.Neutron Security Group Rule Create @{SECURITY_GROUP}[0] direction=ingress port_range_max=65535 port_range_min=1 protocol=tcp remote-ip=0.0.0.0/0
+ OpenStackOperations.Neutron Security Group Rule Create @{SECURITY_GROUP}[0] direction=egress port_range_max=65535 port_range_min=1 protocol=tcp remote-ip=0.0.0.0/0
+ OpenStackOperations.Create Vm Instance With Ports On Compute Node @{PORTS}[0] @{PORTS}[1] @{VM_NAMES}[0] ${OS_CMP1_HOSTNAME} flavor=m1.tiny sg=@{SECURITY_GROUP}[0]
+ OpenStackOperations.Create Vm Instance With Ports On Compute Node @{PORTS}[2] @{PORTS}[3] @{VM_NAMES}[1] ${OS_CMP2_HOSTNAME} flavor=m1.tiny sg=@{SECURITY_GROUP}[0]
+ : FOR ${vm} IN @{VM_NAMES}
+ \ OpenStackOperations.Poll VM Is ACTIVE ${vm}
+ @{VM_IP_DPN1} = BuiltIn.Wait Until Keyword Succeeds 300 sec 15 sec OpenStackOperations.Get All VM IP Addresses ${OS_CMP1_CONN_ID} @{VM_NAMES}[0]
+ @{VM_IP_DPN2} = BuiltIn.Wait Until Keyword Succeeds 300 sec 15 sec OpenStackOperations.Get All VM IP Addresses ${OS_CMP2_CONN_ID} @{VM_NAMES}[1]
+ BuiltIn.Set Suite Variable @{VM_IP_DPN1}
+ BuiltIn.Set Suite Variable @{VM_IP_DPN2}
+ : FOR ${ip} IN @{VM_IP_DPN1}
+ \ BuiltIn.Should Not Contain ${ip} None
+ : FOR ${ip} IN @{VM_IP_DPN2}
+ \ BuiltIn.Should Not Contain ${ip} None
+ ${VM1_PORT} = Get VMs OVS Port Number ${OS_COMPUTE_1_IP} @{PORTS}[0]
+ ${VM1_METADATA} = OVSDB.Get Port Metadata ${OS_COMPUTE_1_IP} ${VM1_PORT}
+ BuiltIn.Set Suite Variable ${VM1_METADATA}
diff --git a/csit/testplans/netvirt-1node-openstack.txt b/csit/testplans/netvirt-1node-openstack.txt
index 012bd616bc..1436e308fc 100644
--- a/csit/testplans/netvirt-1node-openstack.txt
+++ b/csit/testplans/netvirt-1node-openstack.txt
@@ -5,6 +5,7 @@ integration/test/csit/suites/openstack/connectivity/security_group.robot
 integration/test/csit/suites/openstack/connectivity/live_migration.robot
 integration/test/csit/suites/openstack/securitygroup/neutron_security_group.robot
 integration/test/csit/suites/openstack/securitygroup/security_group_l3bcast.robot
+integration/test/csit/suites/openstack/securitygroup/acl.robot
 integration/test/csit/suites/netvirt/vpnservice/vpn_basic.robot
 integration/test/csit/suites/netvirt/vpnservice/vpn_basic_ipv6.robot
 integration/test/csit/suites/netvirt/elan/elan.robot
-- 
2.36.6
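Review bot: In `Create Setup` of `acl.robot` the two TCP rules pass `remote-ip=0.0.0.0/0` while the ICMP rules pass `remote_ip=0.0.0.0/0`, and the `Neutron Security Group Rule Create` change in this patch only pops `remote_ip` from its kwargs. The hyphenated key is therefore most likely never turned into `--remote-ip` (what the keyword does with leftover kwargs is outside the visible hunks). Use `remote_ip=0.0.0.0/0` on both TCP lines so the security group is built the way the suite intends. Separately, `Verify ARP request generated from Spoofed IP and spoofed MAC for the VM` configures nothing itself and depends on the `eth0:1` alias and the MAC change left behind by the two preceding cases, so a failure or reordering upstream silently changes what this anti-spoofing check verifies; give it its own `[Setup]`. The drop counter `grep ${ARP}.*${TABLE}` is also not scoped by `${VM1_METADATA}`, so ARP traffic from other ports on the compute node may be counted and break the exact equality with `${PACKET_COUNT}`.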