Merge "Add aggressive negotiation mode for ikepolicy"
commit
daded4f984
|
@ -1 +1 @@
|
|||
95601446dbcc
|
||||
5f884db48ba9
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
# Copyright 2020 cmss, Inc. All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
"""add_aggressive_negotiation_modes
|
||||
|
||||
Revision ID: 5f884db48ba9
|
||||
Revises: 95601446dbcc
|
||||
Create Date: 2020-05-12 14:37:46.320070
|
||||
|
||||
"""
|
||||
|
||||
# revision identifiers, used by Alembic.
|
||||
revision = '5f884db48ba9'
|
||||
down_revision = '95601446dbcc'
|
||||
|
||||
from alembic import op
|
||||
import sqlalchemy as sa
|
||||
|
||||
|
||||
phase1_negotiation_modes = sa.Enum('main', 'aggressive',
|
||||
name='ike_phase1_mode')
|
||||
|
||||
|
||||
def upgrade():
|
||||
op.alter_column('ikepolicies', 'phase1_negotiation_mode',
|
||||
type_=phase1_negotiation_modes,
|
||||
existing_nullable=False)
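Review bot: On PostgreSQL this `op.alter_column` call probably does not make 'aggressive' storable. The enum type `ike_phase1_mode` already exists there with only 'main', and re-typing the column to a type of the same name does not add a label to it, so inserts of the new value would fail at the database even though the API accepts them. I would branch on the dialect and add the label explicitly, and pass `existing_type` on the generic path so backends that re-emit the column definition have the old type available. This is inferred from how Alembic and PostgreSQL treat named enums, not from anything visible in the hunk, so it is worth confirming against a PostgreSQL run of the migration.

```python
def upgrade():
    bind = op.get_bind()
    if bind.dialect.name == 'postgresql':
        # The enum type already exists; add the label instead of re-typing
        # the column. ADD VALUE cannot run inside a transaction block on
        # older PostgreSQL releases, hence the autocommit block.
        with op.get_context().autocommit_block():
            op.execute("ALTER TYPE ike_phase1_mode "
                       "ADD VALUE IF NOT EXISTS 'aggressive'")
        return
    op.alter_column('ikepolicies', 'phase1_negotiation_mode',
                    type_=phase1_negotiation_modes,
                    existing_type=sa.Enum('main', name='ike_phase1_mode'),
                    existing_nullable=False)
```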
|
|
@ -75,7 +75,7 @@ class IKEPolicy(model_base.BASEV2, model_base.HasId, model_base.HasProject):
|
|||
"aes-256", "aes-192",
|
||||
name="vpn_encrypt_algorithms"),
|
||||
nullable=False)
|
||||
phase1_negotiation_mode = sa.Column(sa.Enum("main",
|
||||
phase1_negotiation_mode = sa.Column(sa.Enum("main", 'aggressive',
|
||||
name="ike_phase1_mode"),
|
||||
nullable=False)
|
||||
lifetime_units = sa.Column(sa.Enum("seconds", "kilobytes",
|
||||
|
|
|
@ -194,7 +194,7 @@ vpn_supported_pfs = ['group2', 'group5', 'group14']
|
|||
vpn_supported_ike_versions = ['v1', 'v2']
|
||||
vpn_supported_auth_mode = ['psk']
|
||||
vpn_supported_auth_algorithms = ['sha1', 'sha256', 'sha384', 'sha512']
|
||||
vpn_supported_phase1_negotiation_mode = ['main']
|
||||
vpn_supported_phase1_negotiation_mode = ['main', 'aggressive']
|
||||
|
||||
vpn_lifetime_limits = (60, validators.UNLIMITED)
|
||||
positive_int = (0, validators.UNLIMITED)
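Review bot: 'aggressive' is added to `vpn_supported_phase1_negotiation_mode` with nothing tying it to `ike_version`, although aggressive mode exists only in IKEv1 and 'v2' stays in `vpn_supported_ike_versions`. Because `vpn_supported_auth_mode = ['psk']` is the only auth mode, every aggressive-mode policy is also a pre-shared-key policy. In that combination the peer identity travels unencrypted and the authentication hash is sent before the peer is authenticated, so only the strength of the PSK protects it from offline guessing. I would reject aggressive with 'v2' wherever the policy is validated (not visible in this hunk) and put the caveat next to the list, e.g. `# 'aggressive' is IKEv1-only; with PSK auth it weakens key protection, prefer 'main'`. The same gap shows in the two template hunks further down, which emit `aggressive=yes` whatever the IKE version is.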
|
||||
|
|
|
@ -63,6 +63,9 @@ conn {{ipsec_site_connection.id}}
|
|||
ikev2={{ipsec_site_connection.ikepolicy.ike_version}}
|
||||
# [encryption_algorithm]-[auth_algorithm]-[pfs]
|
||||
ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}};{{ipsec_site_connection.ikepolicy.pfs}}
|
||||
{% if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" -%}
|
||||
aggressive=yes
|
||||
{% endif -%}
|
||||
# [lifetime_value]
|
||||
ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
|
||||
# NOTE: it looks lifetime_units=kilobytes can't be enforced (could be seconds, hours, days...)
|
||||
|
|
|
@ -23,6 +23,9 @@ conn {{ipsec_site_connection.id}}
|
|||
dpdtimeout={{ipsec_site_connection.dpd_timeout}}s
|
||||
ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}}-{{ipsec_site_connection.ikepolicy.pfs}}
|
||||
ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
|
||||
{%- if ipsec_site_connection.ikepolicy.phase1_negotiation_mode == "aggressive" %}
|
||||
aggressive=yes
|
||||
{%- endif %}
|
||||
{%- if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
|
||||
ah={{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
|
||||
{%- else %}
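Review bot: If this is the strongSwan template, `aggressive=yes` on its own will probably only work when the local side initiates. charon refuses IKEv1 aggressive mode with a pre-shared key as responder unless `charon.i_dont_care_about_security_and_use_aggressive_mode_psk` is set in strongswan.conf, and nothing in this hunk touches that file. I would state this limit in the release note and operator docs rather than have the driver switch that option on silently, since the option name itself flags the reduced protection of the PSK. The conn section continues outside the hunk.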
|
||||
|
|
|
@ -512,6 +512,26 @@ class TestVpnaas(VPNPluginDbTestCase):
|
|||
with self.ikepolicy(name=name, description=description) as ikepolicy:
|
||||
self._check_policy(ikepolicy['ikepolicy'], keys, lifetime)
|
||||
|
||||
def test_create_ikepolicy_with_aggressive_mode(self):
|
||||
"""Test case to create an ikepolicy with aggressive mode."""
|
||||
name = "ikepolicy1"
|
||||
description = 'ipsec-ikepolicy'
|
||||
mode = 'aggressive'
|
||||
keys = [('name', name),
|
||||
('description', 'ipsec-ikepolicy'),
|
||||
('auth_algorithm', 'sha1'),
|
||||
('encryption_algorithm', 'aes-128'),
|
||||
('phase1_negotiation_mode', 'aggressive'),
|
||||
('ike_version', 'v1'),
|
||||
('pfs', 'group5'),
|
||||
('tenant_id', self._tenant_id)]
|
||||
lifetime = {
|
||||
'units': 'seconds',
|
||||
'value': 3600}
|
||||
with self.ikepolicy(name=name, description=description,
|
||||
phase1_negotiation_mode=mode) as ikepolicy:
|
||||
self._check_policy(ikepolicy['ikepolicy'], keys, lifetime)
|
||||
|
||||
def test_delete_ikepolicy(self):
|
||||
"""Test case to delete an ikepolicy."""
|
||||
with self.ikepolicy(do_delete=False) as ikepolicy:
|
||||
|
@ -622,6 +642,30 @@ class TestVpnaas(VPNPluginDbTestCase):
|
|||
for k, v in keys:
|
||||
self.assertEqual(res['ikepolicy'][k], v)
|
||||
|
||||
def test_update_ikepolicy_with_aggressive_mode(self):
|
||||
"""Test case to update an ikepolicy with aggressive mode."""
|
||||
name = "new_ikepolicy1"
|
||||
keys = [('name', name),
|
||||
('auth_algorithm', 'sha1'),
|
||||
('encryption_algorithm', 'aes-128'),
|
||||
('phase1_negotiation_mode', 'aggressive'),
|
||||
('ike_version', 'v1'),
|
||||
('pfs', 'group5'),
|
||||
('tenant_id', self._tenant_id),
|
||||
('lifetime', {'units': 'seconds',
|
||||
'value': 60})]
|
||||
with self.ikepolicy(name=name) as ikepolicy:
|
||||
data = {'ikepolicy': {'name': name,
|
||||
'phase1_negotiation_mode': 'aggressive',
|
||||
'lifetime': {'units': 'seconds',
|
||||
'value': 60}}}
|
||||
req = self.new_update_request("ikepolicies",
|
||||
data,
|
||||
ikepolicy['ikepolicy']['id'])
|
||||
res = self.deserialize(self.fmt, req.get_response(self.ext_api))
|
||||
for k, v in keys:
|
||||
self.assertEqual(res['ikepolicy'][k], v)
|
||||
|
||||
def test_create_ikepolicy_with_invalid_values(self):
|
||||
"""Test case to test invalid values."""
|
||||
name = 'ikepolicy1'
|
||||
|
@ -643,7 +687,7 @@ class TestVpnaas(VPNPluginDbTestCase):
|
|||
expected_res_status=400)
|
||||
self._create_ikepolicy(name=name,
|
||||
fmt=self.fmt,
|
||||
phase1_negotiation_mode='aggressive',
|
||||
phase1_negotiation_mode='unsupported',
|
||||
expected_res_status=400)
|
||||
self._create_ikepolicy(name=name,
|
||||
fmt=self.fmt,
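Review bot: In `test_create_ikepolicy_with_aggressive_mode` the locals `description` and `mode` are assigned but `keys` repeats the literals, so the expected values and the request can drift apart; use `('description', description)` and `('phase1_negotiation_mode', mode)`. Both new tests also run only with the default `ike_version` of 'v1' (it is expected in `keys` but never passed), so nothing pins what happens when 'aggressive' is combined with 'v2'. A case for that combination belongs next to the `phase1_negotiation_mode='unsupported'` check in `test_create_ikepolicy_with_invalid_values`, whose body starts and ends outside the last hunk.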
|
||||
|
|
|
@ -71,6 +71,35 @@ class VpnaasExtensionTestCase(base.ExtensionTestCase):
|
|||
self.assertIn('ikepolicy', res)
|
||||
self.assertDictSupersetOf(return_value, res['ikepolicy'])
|
||||
|
||||
def test_ikepolicy_create_with_aggressive_mode(self):
|
||||
"""Test case to create an ikepolicy with agressive mode."""
|
||||
ikepolicy_id = _uuid()
|
||||
data = {'ikepolicy': {'name': 'ikepolicy1',
|
||||
'description': 'myikepolicy1',
|
||||
'auth_algorithm': 'sha1',
|
||||
'encryption_algorithm': 'aes-128',
|
||||
'phase1_negotiation_mode': 'aggressive',
|
||||
'lifetime': {
|
||||
'units': 'seconds',
|
||||
'value': 3600},
|
||||
'ike_version': 'v1',
|
||||
'pfs': 'group5',
|
||||
'tenant_id': _uuid()}}
|
||||
|
||||
return_value = copy.copy(data['ikepolicy'])
|
||||
return_value.update({'id': ikepolicy_id})
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.create_ikepolicy.return_value = return_value
|
||||
res = self.api.post(_get_path('vpn/ikepolicies', fmt=self.fmt),
|
||||
self.serialize(data),
|
||||
content_type='application/%s' % self.fmt)
|
||||
self.assertEqual(1, instance.create_ikepolicy.call_count)
|
||||
self.assertEqual(exc.HTTPCreated.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('ikepolicy', res)
|
||||
self.assertDictSupersetOf(return_value, res['ikepolicy'])
|
||||
|
||||
def test_ikepolicy_list(self):
|
||||
"""Test case to list all ikepolicies."""
|
||||
ikepolicy_id = _uuid()
|
||||
|
@ -122,6 +151,39 @@ class VpnaasExtensionTestCase(base.ExtensionTestCase):
|
|||
self.assertIn('ikepolicy', res)
|
||||
self.assertEqual(return_value, res['ikepolicy'])
|
||||
|
||||
def test_ikepolicy_update_with_aggressive_mode(self):
|
||||
"""Test case to update an ikepolicy with aggressive mode."""
|
||||
ikepolicy_id = _uuid()
|
||||
update_data = {'ikepolicy':
|
||||
{'name': 'ikepolicy1',
|
||||
'phase1_negotiation_mode': 'aggressive',
|
||||
'encryption_algorithm': 'aes-256'}}
|
||||
return_value = {'name': 'ikepolicy1',
|
||||
'auth_algorithm': 'sha1',
|
||||
'encryption_algorithm': 'aes-256',
|
||||
'phase1_negotiation_mode': 'aggressive',
|
||||
'lifetime': {
|
||||
'units': 'seconds',
|
||||
'value': 3600},
|
||||
'ike_version': 'v1',
|
||||
'pfs': 'group5',
|
||||
'tenant_id': _uuid(),
|
||||
'id': ikepolicy_id}
|
||||
|
||||
instance = self.plugin.return_value
|
||||
instance.update_ikepolicy.return_value = return_value
|
||||
|
||||
res = self.api.put(_get_path('vpn/ikepolicies', id=ikepolicy_id,
|
||||
fmt=self.fmt),
|
||||
self.serialize(update_data))
|
||||
|
||||
instance.update_ikepolicy.assert_called_with(mock.ANY, ikepolicy_id,
|
||||
ikepolicy=update_data)
|
||||
self.assertEqual(exc.HTTPOk.code, res.status_int)
|
||||
res = self.deserialize(res)
|
||||
self.assertIn('ikepolicy', res)
|
||||
self.assertEqual(return_value, res['ikepolicy'])
|
||||
|
||||
def test_ikepolicy_get(self):
|
||||
"""Test case to get or show an ikepolicy."""
|
||||
ikepolicy_id = _uuid()
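Review bot: The docstring of `test_ikepolicy_create_with_aggressive_mode` misspells the mode it is about; it should read `"""Test case to create an ikepolicy with aggressive mode."""`. Both new tests in this file mock the plugin (`instance.create_ikepolicy.return_value`, `instance.update_ikepolicy.return_value`), so they show only that the extension layer passes the value through. A one-line comment saying so would keep readers from taking them as coverage of the driver or template behaviour.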
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The phase1 negotiation mode can use ``aggressive`` mode in VPNaaS
|
||||
ikepolicy when using \*Swan drivers.
|