Include port_security check in fullstack tests

Bug #1549443 skipped setting up the right firewall rules for ports created with port security disabled. This bug was not caught since tests didn't cover this fact. This patch adds functionality to existing test by creating ports with port_security_enabled=False and checking that traffic is allowed prior to enabling port security and assigning security groups to them. Change-Id: I65da39fd390e4faecc6cfb18bb50e1f5ce684f1e Related-Bug: #1549443
2017-01-16 02:55:08 +00:00 · 2017-01-16 02:55:08 +00:00 · 2725b4d314
parent a8b6a597b6
commit 2725b4d314
2 changed files with 26 additions and 5 deletions
--- a/neutron/tests/fullstack/resources/config.py
+++ b/neutron/tests/fullstack/resources/config.py
@ -139,9 +139,10 @@ class ML2ConfigFixture(ConfigFixture):
            },
        })

+        extension_drivers = ['port_security']
        if env_desc.qos:
-            self.config['ml2']['extension_drivers'] =\
-                    qos_ext.QOS_EXT_DRIVER_ALIAS
+            extension_drivers.append(qos_ext.QOS_EXT_DRIVER_ALIAS)
+        self.config['ml2']['extension_drivers'] = ','.join(extension_drivers)


 class OVSConfigFixture(ConfigFixture):
--- a/neutron/tests/fullstack/test_securitygroup.py
+++ b/neutron/tests/fullstack/test_securitygroup.py
@ -102,7 +102,8 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
    # adding another.
    def test_securitygroup(self):
        """Tests if a security group rules are working, by confirming
-        that 1. connection from allowed security group is allowed,
+        that 0. traffic is allowed when port security is disabled,
+             1. connection from allowed security group is allowed,
             2. connection from elsewhere is blocked,
             3. traffic not explicitly allowed (eg. ICMP) is blocked,
             4. a security group update takes effect,
@ -128,8 +129,9 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
        ports = [
            self.safe_client.create_port(tenant_uuid, network['id'],
                                         self.environment.hosts[host].hostname,
-                                         security_groups=[sgs[sg]['id']])
-            for host, sg in zip(index_to_host, index_to_sg)]
+                                         security_groups=[],
+                                         port_security_enabled=False)
+            for host in index_to_host]

        self.safe_client.create_security_group_rule(
            tenant_uuid, sgs[0]['id'],
@ -151,6 +153,24 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
        for vm in vms:
            vm.block_until_boot()

+        # 0. check that traffic is allowed when port security is disabled
+        self.assert_connection(
+            vms[1].namespace, vms[0].namespace, vms[0].ip, 3333,
+            net_helpers.NetcatTester.TCP)
+        self.assert_connection(
+            vms[2].namespace, vms[0].namespace, vms[0].ip, 3333,
+            net_helpers.NetcatTester.TCP)
+        net_helpers.assert_ping(vms[0].namespace, vms[1].ip)
+        net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
+        net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
+
+        # Apply security groups to the ports
+        for port, sg in zip(ports, index_to_sg):
+            self.safe_client.client.update_port(
+                port['id'],
+                body={'port': {'port_security_enabled': True,
+                               'security_groups': [sgs[sg]['id']]}})
+
        # 1. check if connection from allowed security group is allowed
        self.assert_connection(
            vms[1].namespace, vms[0].namespace, vms[0].ip, 3333,