Adds test for mac_spoofing
Test that MAC spoofing is enforced by Neutron security-groups and allowed when
port-security flag is turned off.
Enhances several helper functions to support multiple NICs
Partially Implements: blueprint ml2-ovs-portsecurity
Change-Id: Idc7e733a19f926894050db012efbd7a10f08c011
diff --git a/tempest/common/utils/linux/remote_client.py b/tempest/common/utils/linux/remote_client.py
index 10654ff..025b79f 100644
--- a/tempest/common/utils/linux/remote_client.py
+++ b/tempest/common/utils/linux/remote_client.py
@@ -95,15 +95,24 @@
return self.exec_command(cmd)
def ping_host(self, host, count=CONF.compute.ping_count,
- size=CONF.compute.ping_size):
+ size=CONF.compute.ping_size, nic=None):
addr = netaddr.IPAddress(host)
cmd = 'ping6' if addr.version == 6 else 'ping'
+ if nic:
+ cmd = 'sudo {cmd} -I {nic}'.format(cmd=cmd, nic=nic)
cmd += ' -c{0} -w{0} -s{1} {2}'.format(count, size, host)
return self.exec_command(cmd)
- def get_mac_address(self):
- cmd = "ip addr | awk '/ether/ {print $2}'"
- return self.exec_command(cmd)
+ def set_mac_address(self, nic, address):
+ self.set_nic_state(nic=nic, state="down")
+ cmd = "sudo ip link set dev {0} address {1}".format(nic, address)
+ self.exec_command(cmd)
+ self.set_nic_state(nic=nic, state="up")
+
+ def get_mac_address(self, nic=""):
+ show_nic = "show {nic} ".format(nic=nic) if nic else ""
+ cmd = "ip addr %s| awk '/ether/ {print $2}'" % show_nic
+ return self.exec_command(cmd).strip().lower()
def get_nic_name(self, address):
cmd = "ip -o addr | awk '/%s/ {print $2}'" % address
@@ -121,8 +130,8 @@
)
return self.exec_command(cmd)
- def turn_nic_on(self, nic):
- cmd = "sudo ip link set {nic} up".format(nic=nic)
+ def set_nic_state(self, nic, state="up"):
+ cmd = "sudo ip link set {nic} {state}".format(nic=nic, state=state)
return self.exec_command(cmd)
def get_pids(self, pr_name):
diff --git a/tempest/scenario/manager.py b/tempest/scenario/manager.py
index 9f283c5..2e95e83 100644
--- a/tempest/scenario/manager.py
+++ b/tempest/scenario/manager.py
@@ -862,18 +862,20 @@
self._log_net_info(e)
raise
- def _check_remote_connectivity(self, source, dest, should_succeed=True):
+ def _check_remote_connectivity(self, source, dest, should_succeed=True,
+ nic=None):
"""check ping server via source ssh connection
:param source: RemoteClient: an ssh connection from which to ping
:param dest: and IP to ping against
:param should_succeed: boolean should ping succeed or not
+ :param nic: specific network interface to ping from
:returns: boolean -- should_succeed == ping
:returns: ping is false if ping failed
"""
def ping_remote():
try:
- source.ping_host(dest)
+ source.ping_host(dest, nic=nic)
except lib_exc.SSHExecCommandFailed:
LOG.warn('Failed to ping IP: %s via a ssh connection from: %s.'
% (dest, source.ssh_client.host))
diff --git a/tempest/scenario/test_network_basic_ops.py b/tempest/scenario/test_network_basic_ops.py
index 8fefd9e..28f1cd3 100644
--- a/tempest/scenario/test_network_basic_ops.py
+++ b/tempest/scenario/test_network_basic_ops.py
@@ -287,7 +287,7 @@
num, new_nic = self.diff_list[0]
ssh_client.assign_static_ip(nic=new_nic,
addr=new_port.fixed_ips[0]['ip_address'])
- ssh_client.turn_nic_on(nic=new_nic)
+ ssh_client.set_nic_state(nic=new_nic)
def _get_server_nics(self, ssh_client):
reg = re.compile(r'(?P<num>\d+): (?P<nic_name>\w+):')
@@ -737,3 +737,49 @@
self.check_public_network_connectivity(
should_connect=True,
msg='After router rescheduling')
+
+ @test.requires_ext(service='network', extension='port-security')
+ @test.idempotent_id('7c0bb1a2-d053-49a4-98f9-ca1a1d849f63')
+ @test.services('compute', 'network')
+ def test_port_security_macspoofing_port(self):
+ """Tests port_security extension enforces mac spoofing
+
+ 1. create a new network
+ 2. connect VM to new network
+ 4. check VM can ping new network DHCP port
+ 5. spoof mac on new new network interface
+ 6. check Neutron enforces mac spoofing and blocks pings via spoofed
+ interface
+ 7. disable port-security on the spoofed port
+ 8. check Neutron allows pings via spoofed interface
+ """
+ spoof_mac = "00:00:00:00:00:01"
+
+ # Create server
+ self._setup_network_and_servers()
+ self.check_public_network_connectivity(should_connect=False)
+ self._create_new_network()
+ self._hotplug_server()
+ fip, server = self.floating_ip_tuple
+ new_ports = self._list_ports(device_id=server["id"],
+ network_id=self.new_net["id"])
+ spoof_port = new_ports[0]
+ private_key = self._get_server_key(server)
+ ssh_client = self.get_remote_client(fip.floating_ip_address,
+ private_key=private_key)
+ spoof_nic = ssh_client.get_nic_name(spoof_port["mac_address"])
+ dhcp_ports = self._list_ports(device_owner="network:dhcp",
+ network_id=self.new_net["id"])
+ new_net_dhcp = dhcp_ports[0]["fixed_ips"][0]["ip_address"]
+ self._check_remote_connectivity(ssh_client, dest=new_net_dhcp,
+ nic=spoof_nic, should_succeed=True)
+ ssh_client.set_mac_address(spoof_nic, spoof_mac)
+ new_mac = ssh_client.get_mac_address(nic=spoof_nic)
+ self.assertEqual(spoof_mac, new_mac)
+ self._check_remote_connectivity(ssh_client, dest=new_net_dhcp,
+ nic=spoof_nic, should_succeed=False)
+ self.ports_client.update_port(spoof_port["id"],
+ port_security_enabled=False,
+ security_groups=[])
+ self._check_remote_connectivity(ssh_client, dest=new_net_dhcp,
+ nic=spoof_nic, should_succeed=True)
diff --git a/tempest/scenario/test_network_v6.py b/tempest/scenario/test_network_v6.py
index 151eef8..a18dd2e 100644
--- a/tempest/scenario/test_network_v6.py
+++ b/tempest/scenario/test_network_v6.py
@@ -148,7 +148,7 @@
"ports: %s")
% (self.network_v6, ports))
mac6 = ports[0]
- ssh.turn_nic_on(ssh.get_nic_name(mac6))
+ ssh.set_nic_state(ssh.get_nic_name(mac6))
def _prepare_and_test(self, address6_mode, n_subnets6=1, dualnet=False):
net_list = self.prepare_network(address6_mode=address6_mode,
diff --git a/tempest/tests/common/utils/linux/test_remote_client.py b/tempest/tests/common/utils/linux/test_remote_client.py
index 3ff8e0d..e596aab 100644
--- a/tempest/tests/common/utils/linux/test_remote_client.py
+++ b/tempest/tests/common/utils/linux/test_remote_client.py
@@ -146,8 +146,11 @@
self._assert_exec_called_with(
"sudo ip addr add %s/%s dev %s" % (ip, '28', nic))
- def test_turn_nic_on(self):
+ def test_set_nic_state(self):
nic = 'eth0'
- self.conn.turn_nic_on(nic)
+ self.conn.set_nic_state(nic)
self._assert_exec_called_with(
'sudo ip link set %s up' % nic)
+ self.conn.set_nic_state(nic, "down")
+ self._assert_exec_called_with(
+ 'sudo ip link set %s down' % nic)