New unit test for referenced security groups

axsh · Apr 25, 2012 · a06c3ed · a06c3ed
1 parent 9656a9d
commit a06c3ed
Show file tree

Hide file tree

Showing 5 changed files with 139 additions and 6 deletions.
diff --git a/tests/cucumber/environment.rb b/tests/cucumber/environment.rb
@@ -3,6 +3,7 @@
 TIMEOUT_BASE = 10
 TIMEOUT_CREATE_INSTANCE = TIMEOUT_BASE * 20
 TIMEOUT_TERMINATE_INSTANCE = TIMEOUT_BASE * 20
+TIMEOUT_PACKET_SENDING = TIMEOUT_BASE * 6
 
 IO.popen("cd #{VDC_ROOT}/dcmgr && ./bin/vdc-debug vnet edges") { |debug_io|
   while !(line = debug_io.readline).nil?

diff --git a/tests/cucumber/features/firewall/security_group_reference.feature b/tests/cucumber/features/firewall/security_group_reference.feature
@@ -0,0 +1,65 @@
+Feature: Security groups referencing other security groups
+
+  Scenario: Single nic
+    Given the volume "wmi-secgtest" exists
+      And the instance_spec "is-demospec" exists for api until 11.12
+    And security group A exists with the following rules
+      """
+      tcp:22,22,ip4:0.0.0.0
+      """
+    And security group B exists with the following rules
+      """
+      tcp:22,22,ip4:0.0.0.0
+      tcp:345,345,<Group A>
+      """
+    And security group C exists with the following rules
+      """
+      tcp:22,22,ip4:0.0.0.0
+      """
+
+    And an instance instB1 is started in group B that listens on tcp port 345
+    And an instance instA1 is started in group A that listens on tcp port 345
+    And an instance instA2 is started in group A that listens on tcp port 345
+    And an instance instC1 is started in group C that listens on tcp port 345
+
+    When instance instA1 sends a tcp packet to instance instB1 on port 345
+    Then the packet should arrive successfully
+
+    When instance instA2 sends a tcp packet to instance instB1 on port 345
+    Then the packet should arrive successfully
+
+    When instance instB1 sends a tcp packet to instance instA1 on port 345
+    Then the packet should not arrive successfully
+
+    When instance instB1 sends a tcp packet to instance instA2 on port 345
+    Then the packet should not arrive successfully
+
+    When instance instC1 sends a tcp packet to instance instB1 on port 345
+    Then the packet should not arrive successfully
+
+    When we successfully start an instance instA3 in group A that listens on tcp port 345
+    And instance instA3 sends a tcp packet to instance instB1 on port 345
+    Then the packet should arrive successfully
+
+    When we update security group B with the following rules
+      """
+      tcp:22,22,ip4:0.0.0.0
+      """
+
+    When instance instA1 sends a tcp packet to instance instB1 on port 345
+    Then the packet should not arrive successfully
+
+    When instance instA2 sends a tcp packet to instance instB1 on port 345
+    Then the packet should not arrive successfully
+
+    When instance instA3 sends a tcp packet to instance instB1 on port 345
+    Then the packet should not arrive successfully
+
+    When we successfully terminate instance instA1
+    And we successfully terminate instance instA2
+    And we successfully terminate instance instA3
+    And we successfully terminate instance instB1
+    And we successfully terminate instance instC1
+    And we successfully delete security group A
+    And we successfully delete security group B
+    And we successfully delete security group C
diff --git a/tests/cucumber/features/firewall/step_definitions/isolation_steps.rb b/tests/cucumber/features/firewall/step_definitions/isolation_steps.rb
@@ -48,7 +48,7 @@
     @instances[sender] = @api_last_result
   end
 
-  @ping_result[sender][ip] = ssh_command(@instances[sender]["id"], "ubuntu", "/opt/ping.rb #{ip} #{TIMEOUT_BASE}", TIMEOUT_BASE).chomp
+  @ping_result[sender][ip] = ssh_command(@instances[sender]["id"], "ubuntu", "/opt/ping.rb #{ip} #{TIMEOUT_PACKET_SENDING}", TIMEOUT_PACKET_SENDING).chomp
   @last_sender_name = sender
   @last_pinged_ip = ip
 end

diff --git a/tests/cucumber/features/firewall/step_definitions/nat_steps.rb b/tests/cucumber/features/firewall/step_definitions/nat_steps.rb
@@ -39,17 +39,26 @@
 
 Given /^security group (.+) exists with the following rules$/ do |group_name, rules|
   @security_groups = {} if @security_groups.nil?
+
   steps %Q{
     When we make a successful api create call to security_groups with the following options
-    | description                              |
+    | description                            |
-    | static nat test group: #{group_name}     |
+    | cucumber test group: #{group_name}     |
     Then the previous api call should be successful
     And from the previous api call take {"id":} and save it to <registry:group_#{group_name}>
+  }
+
+  # Fill in the proper uuid if another group is referenced
+  parsed_rules = rules.gsub(/<Group (.+)>/) { |group| 
+    grp_name = group.split(" ").last
+    variable_get_value "<registry:group_#{grp_name}"
+  }
+
+  steps %Q{
     When we successfully set the following rules for the security group
       """
-      #{rules}
+      #{parsed_rules}
       """
-    Then the previous api call should be successful
   }
 end
 
@@ -124,7 +133,12 @@
   sender_address = @instances[sender]["vif"].first["ipv4"]["address"]
   receiver_address = @instances[receiver]["vif"].first["ipv4"][which_address]
 
-  @used_ip = ssh_command(@instances[sender]["id"], "ubuntu", "/opt/tcp.rb #{receiver_address} #{port} #{TIMEOUT_BASE}", TIMEOUT_BASE+10).chomp
+  begin
+    @used_ip = ssh_command(@instances[sender]["id"], "ubuntu", "/opt/tcp.rb #{receiver_address} #{port} #{TIMEOUT_PACKET_SENDING} 2> /dev/null", TIMEOUT_PACKET_SENDING+10).chomp
+  rescue RuntimeError => e
+    raise unless e.message[0..13] == "Retry Failure:"
+    @used_ip = "false"
+  end
   @last_sender = sender
 end
 

diff --git a/tests/cucumber/features/firewall/step_definitions/reference_steps.rb b/tests/cucumber/features/firewall/step_definitions/reference_steps.rb
@@ -0,0 +1,53 @@
+# encoding: utf-8
+begin require 'rspec/expectations'; rescue LoadError; require 'spec/expectations'; end 
+require 'cucumber/formatter/unicode'
+
+Before do
+end
+
+After do
+end
+
+require 'socket'
+require 'timeout'
+
+Given /^an instance (.+) is started in group (.+) that listens on (tcp|udp) port (\d+)$/ do |instance_name, group_name, protocol, port|
+  steps %Q{
+    Given an instance #{instance_name} is started with the following options
+    | image_id               | instance_spec_id | ssh_key_id | security_groups                | user_data           |
+    | wmi-secgtest           | is-demospec      | ssh-demo   | <registry:group_#{group_name}> | #{protocol}:#{port} |
+  }
+end
+
+When /^we successfully start an instance (.+) in group (.+) that listens on (tcp|udp) port (\d+)$/ do |instance_name, group_name, protocol, port|
+  steps %Q{
+    Given an instance #{instance_name} is started with the following options
+    | image_id               | instance_spec_id | ssh_key_id | security_groups                | user_data           |
+    | wmi-secgtest           | is-demospec      | ssh-demo   | <registry:group_#{group_name}> | #{protocol}:#{port} |
+    Then the started instance should start ssh in 60 seconds or less
+  }
+end
+
+When /^instance (.+) sends a (tcp|udp) packet to instance (.+) on port (\d+)$/ do |sender_name, protocol, receiver_name, port|
+  steps %Q{
+    When instance #{sender_name} sends a #{protocol} packet to #{receiver_name}'s inside address on port #{port}
+  }
+end
+
+Then /^the packet (should|should\snot) arrive successfully$/ do |result|
+  if result == "should"
+    steps %{Then it should use its inside ip}
+  else
+    steps %{Then it should fail to send the packet}
+  end
+end
+
+When /^we update security group (.+) with the following rules$/ do |group_name,rules|
+  rules_with_line_breaks = rules.inspect.slice(1,rules.inspect.length-2)
+  group_uuid = variable_get_value "<registry:group_#{group_name}>"
+  steps %Q{
+    When we make a successful api update call to security_groups/#{group_uuid} with the following options
+    | rule                      |
+    | #{rules_with_line_breaks} |
+  }
+end