Merge "Add aggressive negotiation mode for ikepolicy"

2020-06-18 04:08:56 +00:00 · 2020-06-18 04:08:56 +00:00 · daded4f984
parent d18958bf72 e6bb1584d7
commit daded4f984
9 changed files with 160 additions and 4 deletions
--- a/neutron_vpnaas/db/migration/alembic_migrations/versions/EXPAND_HEAD
+++ b/neutron_vpnaas/db/migration/alembic_migrations/versions/EXPAND_HEAD
@ -1 +1 @@
-95601446dbcc
+5f884db48ba9
--- a/neutron_vpnaas/db/migration/alembic_migrations/versions/victoria/expand/5f884db48ba9_add_aggressive_negotiation_modes.py
+++ b/neutron_vpnaas/db/migration/alembic_migrations/versions/victoria/expand/5f884db48ba9_add_aggressive_negotiation_modes.py
@ -0,0 +1,39 @@
+# Copyright 2020 cmss, Inc.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""add_aggressive_negotiation_modes
+
+Revision ID: 5f884db48ba9
+Revises: 95601446dbcc
+Create Date: 2020-05-12 14:37:46.320070
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '5f884db48ba9'
+down_revision = '95601446dbcc'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+phase1_negotiation_modes = sa.Enum('main', 'aggressive',
+                                   name='ike_phase1_mode')
+
+
+def upgrade():
+    op.alter_column('ikepolicies', 'phase1_negotiation_mode',
+                    type_=phase1_negotiation_modes,
+                    existing_nullable=False)
--- a/neutron_vpnaas/db/vpn/vpn_models.py
+++ b/neutron_vpnaas/db/vpn/vpn_models.py
@ -75,7 +75,7 @@ class IKEPolicy(model_base.BASEV2, model_base.HasId, model_base.HasProject):
                                             "aes-256", "aes-192",
                                             name="vpn_encrypt_algorithms"),
                                     nullable=False)
-    phase1_negotiation_mode = sa.Column(sa.Enum("main",
+    phase1_negotiation_mode = sa.Column(sa.Enum("main", 'aggressive',
                                                name="ike_phase1_mode"),
                                        nullable=False)
    lifetime_units = sa.Column(sa.Enum("seconds", "kilobytes",
--- a/neutron_vpnaas/extensions/vpnaas.py
+++ b/neutron_vpnaas/extensions/vpnaas.py
@ -194,7 +194,7 @@ vpn_supported_pfs = ['group2', 'group5', 'group14']
 vpn_supported_ike_versions = ['v1', 'v2']
 vpn_supported_auth_mode = ['psk']
 vpn_supported_auth_algorithms = ['sha1', 'sha256', 'sha384', 'sha512']
-vpn_supported_phase1_negotiation_mode = ['main']
+vpn_supported_phase1_negotiation_mode = ['main', 'aggressive']

 vpn_lifetime_limits = (60, validators.UNLIMITED)
 positive_int = (0, validators.UNLIMITED)
--- a/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
+++ b/neutron_vpnaas/services/vpn/device_drivers/template/openswan/ipsec.conf.template
@ -63,6 +63,9 @@ conn {{ipsec_site_connection.id}}
    ikev2={{ipsec_site_connection.ikepolicy.ike_version}}
    # [encryption_algorithm]-[auth_algorithm]-[pfs]
    ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}};{{ipsec_site_connection.ikepolicy.pfs}}
+    {% if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" -%}
+    aggressive=yes
+    {% endif -%}
    # [lifetime_value]
    ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
    # NOTE: it looks lifetime_units=kilobytes can't be enforced (could be seconds,  hours,  days...)
--- a/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template
+++ b/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template
@ -23,6 +23,9 @@ conn {{ipsec_site_connection.id}}
    dpdtimeout={{ipsec_site_connection.dpd_timeout}}s
    ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}}-{{ipsec_site_connection.ikepolicy.pfs}}
    ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
+    {%- if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" %}
+    aggressive=yes
+    {%- endif %}
    {%- if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
    ah={{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
    {%- else %}
--- a/neutron_vpnaas/tests/unit/db/vpn/test_vpn_db.py
+++ b/neutron_vpnaas/tests/unit/db/vpn/test_vpn_db.py
@ -512,6 +512,26 @@ class TestVpnaas(VPNPluginDbTestCase):
        with self.ikepolicy(name=name, description=description) as ikepolicy:
            self._check_policy(ikepolicy['ikepolicy'], keys, lifetime)

+    def test_create_ikepolicy_with_aggressive_mode(self):
+        """Test case to create an ikepolicy with aggressive mode."""
+        name = "ikepolicy1"
+        description = 'ipsec-ikepolicy'
+        mode = 'aggressive'
+        keys = [('name', name),
+                ('description', 'ipsec-ikepolicy'),
+                ('auth_algorithm', 'sha1'),
+                ('encryption_algorithm', 'aes-128'),
+                ('phase1_negotiation_mode', 'aggressive'),
+                ('ike_version', 'v1'),
+                ('pfs', 'group5'),
+                ('tenant_id', self._tenant_id)]
+        lifetime = {
+            'units': 'seconds',
+            'value': 3600}
+        with self.ikepolicy(name=name, description=description,
+                            phase1_negotiation_mode=mode) as ikepolicy:
+            self._check_policy(ikepolicy['ikepolicy'], keys, lifetime)
+
    def test_delete_ikepolicy(self):
        """Test case to delete an ikepolicy."""
        with self.ikepolicy(do_delete=False) as ikepolicy:
@ -622,6 +642,30 @@ class TestVpnaas(VPNPluginDbTestCase):
            for k, v in keys:
                self.assertEqual(res['ikepolicy'][k], v)

+    def test_update_ikepolicy_with_aggressive_mode(self):
+        """Test case to update an ikepolicy with aggressive mode."""
+        name = "new_ikepolicy1"
+        keys = [('name', name),
+                ('auth_algorithm', 'sha1'),
+                ('encryption_algorithm', 'aes-128'),
+                ('phase1_negotiation_mode', 'aggressive'),
+                ('ike_version', 'v1'),
+                ('pfs', 'group5'),
+                ('tenant_id', self._tenant_id),
+                ('lifetime', {'units': 'seconds',
+                              'value': 60})]
+        with self.ikepolicy(name=name) as ikepolicy:
+            data = {'ikepolicy': {'name': name,
+                                  'phase1_negotiation_mode': 'aggressive',
+                                  'lifetime': {'units': 'seconds',
+                                               'value': 60}}}
+            req = self.new_update_request("ikepolicies",
+                                          data,
+                                          ikepolicy['ikepolicy']['id'])
+            res = self.deserialize(self.fmt, req.get_response(self.ext_api))
+            for k, v in keys:
+                self.assertEqual(res['ikepolicy'][k], v)
+
    def test_create_ikepolicy_with_invalid_values(self):
        """Test case to test invalid values."""
        name = 'ikepolicy1'
@ -643,7 +687,7 @@ class TestVpnaas(VPNPluginDbTestCase):
                               expected_res_status=400)
        self._create_ikepolicy(name=name,
                               fmt=self.fmt,
-                               phase1_negotiation_mode='aggressive',
+                               phase1_negotiation_mode='unsupported',
                               expected_res_status=400)
        self._create_ikepolicy(name=name,
                               fmt=self.fmt,
--- a/neutron_vpnaas/tests/unit/extensions/test_vpnaas.py
+++ b/neutron_vpnaas/tests/unit/extensions/test_vpnaas.py
@ -71,6 +71,35 @@ class VpnaasExtensionTestCase(base.ExtensionTestCase):
        self.assertIn('ikepolicy', res)
        self.assertDictSupersetOf(return_value, res['ikepolicy'])

+    def test_ikepolicy_create_with_aggressive_mode(self):
+        """Test case to create an ikepolicy with agressive mode."""
+        ikepolicy_id = _uuid()
+        data = {'ikepolicy': {'name': 'ikepolicy1',
+                              'description': 'myikepolicy1',
+                              'auth_algorithm': 'sha1',
+                              'encryption_algorithm': 'aes-128',
+                              'phase1_negotiation_mode': 'aggressive',
+                              'lifetime': {
+                                  'units': 'seconds',
+                                  'value': 3600},
+                              'ike_version': 'v1',
+                              'pfs': 'group5',
+                              'tenant_id': _uuid()}}
+
+        return_value = copy.copy(data['ikepolicy'])
+        return_value.update({'id': ikepolicy_id})
+
+        instance = self.plugin.return_value
+        instance.create_ikepolicy.return_value = return_value
+        res = self.api.post(_get_path('vpn/ikepolicies', fmt=self.fmt),
+                            self.serialize(data),
+                            content_type='application/%s' % self.fmt)
+        self.assertEqual(1, instance.create_ikepolicy.call_count)
+        self.assertEqual(exc.HTTPCreated.code, res.status_int)
+        res = self.deserialize(res)
+        self.assertIn('ikepolicy', res)
+        self.assertDictSupersetOf(return_value, res['ikepolicy'])
+
    def test_ikepolicy_list(self):
        """Test case to list all ikepolicies."""
        ikepolicy_id = _uuid()
@ -122,6 +151,39 @@ class VpnaasExtensionTestCase(base.ExtensionTestCase):
        self.assertIn('ikepolicy', res)
        self.assertEqual(return_value, res['ikepolicy'])

+    def test_ikepolicy_update_with_aggressive_mode(self):
+        """Test case to update an ikepolicy with aggressive mode."""
+        ikepolicy_id = _uuid()
+        update_data = {'ikepolicy':
+                       {'name': 'ikepolicy1',
+                        'phase1_negotiation_mode': 'aggressive',
+                        'encryption_algorithm': 'aes-256'}}
+        return_value = {'name': 'ikepolicy1',
+                        'auth_algorithm': 'sha1',
+                        'encryption_algorithm': 'aes-256',
+                        'phase1_negotiation_mode': 'aggressive',
+                        'lifetime': {
+                            'units': 'seconds',
+                            'value': 3600},
+                        'ike_version': 'v1',
+                        'pfs': 'group5',
+                        'tenant_id': _uuid(),
+                        'id': ikepolicy_id}
+
+        instance = self.plugin.return_value
+        instance.update_ikepolicy.return_value = return_value
+
+        res = self.api.put(_get_path('vpn/ikepolicies', id=ikepolicy_id,
+                                     fmt=self.fmt),
+                           self.serialize(update_data))
+
+        instance.update_ikepolicy.assert_called_with(mock.ANY, ikepolicy_id,
+                                                     ikepolicy=update_data)
+        self.assertEqual(exc.HTTPOk.code, res.status_int)
+        res = self.deserialize(res)
+        self.assertIn('ikepolicy', res)
+        self.assertEqual(return_value, res['ikepolicy'])
+
    def test_ikepolicy_get(self):
        """Test case to get or show an ikepolicy."""
        ikepolicy_id = _uuid()
--- a/releasenotes/notes/add-aggressive-negotiation-mode-3d8fbcd843d003b7.yaml
+++ b/releasenotes/notes/add-aggressive-negotiation-mode-3d8fbcd843d003b7.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The phase1 negotiation mode can use ``aggressive`` mode in VPNaaS
+    ikepolicy when using \*Swan drivers.