Source code for network.test_security_groups_negative

# Copyright 2013 OpenStack Foundation
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from tempest.api.network import base_security_groups as base
from tempest.common import utils
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc

CONF = config.CONF


[docs]class NegativeSecGroupTest(base.BaseSecGroupTest): """Negative tests of security groups""" @classmethod def skip_checks(cls): super(NegativeSecGroupTest, cls).skip_checks() if not utils.is_extension_enabled('security-group', 'network'): msg = "security-group extension not enabled." raise cls.skipException(msg)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('424fd5c3-9ddc-486a-b45f-39bf0c820fc6') def test_show_non_existent_security_group(self): """Test showing non existent security group""" non_exist_id = data_utils.rand_uuid() self.assertRaises( lib_exc.NotFound, self.security_groups_client.show_security_group, non_exist_id)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('4c094c09-000b-4e41-8100-9617600c02a6') def test_show_non_existent_security_group_rule(self): """Test showing non existent security group rule""" non_exist_id = data_utils.rand_uuid() self.assertRaises( lib_exc.NotFound, self.security_group_rules_client.show_security_group_rule, non_exist_id)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('1f1bb89d-5664-4956-9fcd-83ee0fa603df') def test_delete_non_existent_security_group(self): """Test deleting non existent security group""" non_exist_id = data_utils.rand_uuid() self.assertRaises(lib_exc.NotFound, self.security_groups_client.delete_security_group, non_exist_id )
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('981bdc22-ce48-41ed-900a-73148b583958') def test_create_security_group_rule_with_bad_protocol(self): """Test creating security group rule with bad protocol""" group_create_body, _ = self._create_security_group() # Create rule with bad protocol name pname = 'bad_protocol_name' self.assertRaises( lib_exc.BadRequest, self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol=pname, direction='ingress', ethertype=self.ethertype)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('5f8daf69-3c5f-4aaa-88c9-db1d66f68679') def test_create_security_group_rule_with_bad_remote_ip_prefix(self): """Test creating security group rule with bad remote ip prefix""" group_create_body, _ = self._create_security_group() # Create rule with bad remote_ip_prefix prefix = ['192.168.1./24', '192.168.1.1/33', 'bad_prefix', '256'] for remote_ip_prefix in prefix: self.assertRaises( lib_exc.BadRequest, self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol='tcp', direction='ingress', ethertype=self.ethertype, remote_ip_prefix=remote_ip_prefix)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('4bf786fd-2f02-443c-9716-5b98e159a49a') def test_create_security_group_rule_with_non_existent_remote_groupid(self): """Creating security group rule with non existent remote group id""" group_create_body, _ = self._create_security_group() non_exist_id = data_utils.rand_uuid() # Create rule with non existent remote_group_id group_ids = ['bad_group_id', non_exist_id] for remote_group_id in group_ids: self.assertRaises( lib_exc.NotFound, self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol='tcp', direction='ingress', ethertype=self.ethertype, remote_group_id=remote_group_id)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('b5c4b247-6b02-435b-b088-d10d45650881') def test_create_security_group_rule_with_remote_ip_and_group(self): """Test creating security group rule with remote ip and group""" sg1_body, _ = self._create_security_group() sg2_body, _ = self._create_security_group() # Create rule specifying both remote_ip_prefix and remote_group_id prefix = str(self.cidr) self.assertRaises( lib_exc.BadRequest, self.security_group_rules_client.create_security_group_rule, security_group_id=sg1_body['security_group']['id'], protocol='tcp', direction='ingress', ethertype=self.ethertype, remote_ip_prefix=prefix, remote_group_id=sg2_body['security_group']['id'])
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('5666968c-fff3-40d6-9efc-df1c8bd01abb') def test_create_security_group_rule_with_bad_ethertype(self): """Test creating security group rule with bad bad ethertype""" group_create_body, _ = self._create_security_group() # Create rule with bad ethertype ethertype = 'bad_ethertype' self.assertRaises( lib_exc.BadRequest, self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol='udp', direction='ingress', ethertype=ethertype)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('0d9c7791-f2ad-4e2f-ac73-abf2373b0d2d') def test_create_security_group_rule_with_invalid_ports(self): """Test creating security group rule with invalid ports""" group_create_body, _ = self._create_security_group() # Create rule for tcp protocol with invalid ports states = [(-16, 80, 'Invalid value for port -16'), (80, 79, 'port_range_min must be <= port_range_max'), (80, 65536, 'Invalid value for port 65536'), (None, 6, 'port_range_min must be <= port_range_max'), (-16, 65536, 'Invalid value for port')] for pmin, pmax, msg in states: ex = self.assertRaises( lib_exc.BadRequest, self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol='tcp', port_range_min=pmin, port_range_max=pmax, direction='ingress', ethertype=self.ethertype) self.assertIn(msg, str(ex)) # Create rule for icmp protocol with invalid ports states = [(1, 256, 'Invalid value for ICMP code'), (-1, 25, 'Invalid value'), (None, 6, 'ICMP type (port-range-min) is missing'), (300, 1, 'Invalid value for ICMP type')] for pmin, pmax, msg in states: ex = self.assertRaises( lib_exc.BadRequest, self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol='icmp', port_range_min=pmin, port_range_max=pmax, direction='ingress', ethertype=self.ethertype) self.assertIn(msg, str(ex))
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('2323061e-9fbf-4eb0-b547-7e8fafc90849') def test_create_additional_default_security_group_fails(self): """Test creating additional default security group Create security group named 'default', it should be failed. """ name = 'default' self.assertRaises(lib_exc.Conflict, self.security_groups_client.create_security_group, name=name)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('966e2b96-023a-11e7-a9e4-fa163e4fa634') def test_create_security_group_update_name_default(self): """Test updating security group's name to default Update security group name to 'default', it should be failed. """ group_create_body, _ = self._create_security_group() self.assertRaises(lib_exc.Conflict, self.security_groups_client.update_security_group, group_create_body['security_group']['id'], name="default")
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('8fde898f-ce88-493b-adc9-4e4692879fc5') def test_create_duplicate_security_group_rule_fails(self): """Test creating duplicate security group rule Create duplicate security group rule, it should fail. """ body, _ = self._create_security_group() min_port = 66 max_port = 67 # Create a rule with valid params self.security_group_rules_client.create_security_group_rule( security_group_id=body['security_group']['id'], direction='ingress', ethertype=self.ethertype, protocol='tcp', port_range_min=min_port, port_range_max=max_port ) # Try creating the same security group rule, it should fail self.assertRaises( lib_exc.Conflict, self.security_group_rules_client.create_security_group_rule, security_group_id=body['security_group']['id'], protocol='tcp', direction='ingress', ethertype=self.ethertype, port_range_min=min_port, port_range_max=max_port)
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('be308db6-a7cf-4d5c-9baf-71bafd73f35e') def test_create_security_group_rule_with_non_existent_security_group(self): """Creating security group rules with not existing security group""" non_existent_sg = data_utils.rand_uuid() self.assertRaises( lib_exc.NotFound, self.security_group_rules_client.create_security_group_rule, security_group_id=non_existent_sg, direction='ingress', ethertype=self.ethertype)
[docs]class NegativeSecGroupIPv6Test(NegativeSecGroupTest): _ip_version = 6
[docs] @decorators.attr(type=['negative']) @decorators.idempotent_id('7607439c-af73-499e-bf64-f687fd12a842') def test_create_security_group_rule_wrong_ip_prefix_version(self): """Test creating security group rule with wrong ip prefix version""" group_create_body, _ = self._create_security_group() # Create rule with bad remote_ip_prefix pairs = ({'ethertype': 'IPv6', 'ip_prefix': CONF.network.project_network_cidr}, {'ethertype': 'IPv4', 'ip_prefix': CONF.network.project_network_v6_cidr}) for pair in pairs: self.assertRaisesRegex( lib_exc.BadRequest, "Conflicting value ethertype", self.security_group_rules_client.create_security_group_rule, security_group_id=group_create_body['security_group']['id'], protocol='tcp', direction='ingress', ethertype=pair['ethertype'], remote_ip_prefix=pair['ip_prefix'])