commit 365373910cef371a79ae9bd8e905ce41c1a7cb0a
author Slawek Kaplonski <skaplons@redhat.com> Fri Mar 10 11:31:34 2023 +0100
committer Slawek Kaplonski <skaplons@redhat.com> Tue Mar 28 08:15:11 2023 +0000
tree d751d560eff743b57cd731ac141e65d7a7390140
parent b327a6342fa52d93ffd21dca3679c2e5e402f7d5

[Stateless SG] Ensure replies won't work without ingress rule

This patch extends existing
test_connectivity_between_vms_using_different_sec_groups
in the way that for stateless SG rules it makes sure that replies from
server to client will not work without explicity add SG rule which will
allow ingress traffic on the ephemeral ports' range.

Change-Id: I940678c15b65552634096ea3e72888b5bf830912

neutron_tempest_plugin/scenario/test_security_groups.py

diff --git a/neutron_tempest_plugin/scenario/test_security_groups.py b/neutron_tempest_plugin/scenario/test_security_groups.py
index a8faae5..6a0a00a 100644
--- a/neutron_tempest_plugin/scenario/test_security_groups.py
+++ b/neutron_tempest_plugin/scenario/test_security_groups.py
@@ -26,6 +26,7 @@
 from neutron_tempest_plugin.common import ssh
 from neutron_tempest_plugin.common import utils
 from neutron_tempest_plugin import config
+from neutron_tempest_plugin import exceptions
 from neutron_tempest_plugin.scenario import base
 from neutron_tempest_plugin.scenario import constants as const
 
@@ -166,15 +167,6 @@
             if self.stateless_sg:
                 self.create_ingress_metadata_secgroup_rule(
                     secgroup_id=sg['id'])
-                if sg_name == 'client':
-                    # NOTE(slaweq): In case of stateless SG we need also SG
-                    # rule to accept response from server to client,
-                    self.create_security_group_rule(
-                        security_group_id=sg['id'],
-                        protocol=constants.PROTO_NAME_TCP,
-                        direction=constants.INGRESS_DIRECTION,
-                        port_range_min=EPHEMERAL_PORT_RANGE['min'],
-                        port_range_max=EPHEMERAL_PORT_RANGE['max'])
             security_groups[sg_name] = sg
 
         # NOTE(slaweq): we need to iterate over create_vm_testing_sec_grp as
@@ -202,17 +194,35 @@
         def _message_received(server_ssh_client, client_ssh_client,
                               dest_fip, servers):
             expected_msg = "Test_msg"
+            utils.kill_nc_process(server_ssh_client)
             self.nc_listen(server_ssh_client,
                            TEST_TCP_PORT,
                            constants.PROTO_NAME_TCP,
                            expected_msg,
                            list(servers.values()))
-            received_msg = self.nc_client(
-                dest_fip,
-                TEST_TCP_PORT,
-                constants.PROTO_NAME_TCP,
-                ssh_client=client_ssh_client)
-            return expected_msg in received_msg
+            try:
+                received_msg = self.nc_client(
+                    dest_fip,
+                    TEST_TCP_PORT,
+                    constants.PROTO_NAME_TCP,
+                    ssh_client=client_ssh_client)
+                return received_msg and expected_msg in received_msg
+            except exceptions.ShellCommandFailed:
+                return False
+
+        if self.stateless_sg:
+            # In case of stateless SG connectivity will not work without
+            # explicit allow ingress response from server to client
+            utils.wait_until_true(
+                lambda: not _message_received(
+                    ssh_clients['server'], ssh_clients['client'],
+                    fips['server']['fixed_ip_address'], servers))
+            self.create_security_group_rule(
+                security_group_id=security_groups['client']['id'],
+                protocol=constants.PROTO_NAME_TCP,
+                direction=constants.INGRESS_DIRECTION,
+                port_range_min=EPHEMERAL_PORT_RANGE['min'],
+                port_range_max=EPHEMERAL_PORT_RANGE['max'])
 
         utils.wait_until_true(
             lambda: _message_received(