require 'spec_helper' module Vcloud describe EdgeGatewayServices do required_env = { 'VCLOUD_EDGE_GATEWAY' => 'to name of VSE', 'VCLOUD_PROVIDER_NETWORK_ID' => 'to ID of VSE external network', 'VCLOUD_PROVIDER_NETWORK_IP' => 'to an available IP on VSE external network', 'VCLOUD_NETWORK1_ID' => 'to the ID of a VSE internal network', 'VCLOUD_NETWORK1_NAME' => 'to the name of the VSE internal network', 'VCLOUD_NETWORK1_IP' => 'to an ID on the VSE internal network', } error = false required_env.each do |var,message| unless ENV[var] puts "Must set #{var} #{message}" unless ENV[var] error = true end end Kernel.exit(2) if error before(:all) do @edge_name = ENV['VCLOUD_EDGE_GATEWAY'] @ext_net_id = ENV['VCLOUD_PROVIDER_NETWORK_ID'] @ext_net_ip = ENV['VCLOUD_PROVIDER_NETWORK_IP'] @ext_net_name = ENV['VCLOUD_PROVIDER_NETWORK_NAME'] @int_net_id = ENV['VCLOUD_NETWORK1_ID'] @int_net_ip = ENV['VCLOUD_NETWORK1_IP'] @int_net_name = ENV['VCLOUD_NETWORK1_NAME'] @files_to_delete = [] end context "Test FirewallService specifics of EdgeGatewayServices" do before(:all) do reset_edge_gateway @initial_firewall_config_file = generate_input_config_file('firewall_config.yaml.erb', edge_gateway_erb_input) @edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(@edge_name) @firewall_service = {} end context "Check update is functional" do before(:all) do local_config = Core::ConfigLoader.new.load_config(@initial_firewall_config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES) @local_vcloud_config = EdgeGateway::ConfigurationGenerator::FirewallService.new.generate_fog_config(local_config[:firewall_service]) end it "should be starting our tests from an empty firewall" do remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService] expect(remote_vcloud_config[:FirewallRule].empty?).to be_true end it "should only need to make one call to Core::EdgeGateway.update_configuration" do expect_any_instance_of(Core::EdgeGateway).to receive(:update_configuration).exactly(1).times.and_call_original EdgeGatewayServices.new.update(@initial_firewall_config_file) end it "should have configured at least one firewall rule" do remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService] expect(remote_vcloud_config[:FirewallRule].empty?).to be_false end it "should have configured the same number of firewall rules as in our configuration" do remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService] expect(remote_vcloud_config[:FirewallRule].size). to eq(@local_vcloud_config[:FirewallRule].size) end it "and then should not configure the firewall service if updated again with the same configuration (idempotency)" do expect(Vcloud::EdgeGateway.logger).to receive(:info).with('EdgeGatewayServices.update: Configuration is already up to date. Skipping.') EdgeGatewayServices.new.update(@initial_firewall_config_file) end it "ConfigurationDiffer should return empty if local and remote firewall configs match" do remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService] differ = EdgeGateway::ConfigurationDiffer.new(@local_vcloud_config, remote_vcloud_config) diff_output = differ.diff expect(diff_output).to eq([]) end it "should highlight a difference if local firewall config has been updated" do input_config_file = generate_input_config_file('firewall_config_updated_rule.yaml.erb', edge_gateway_erb_input) local_config = Core::ConfigLoader.new.load_config(input_config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES) local_firewall_config = EdgeGateway::ConfigurationGenerator::FirewallService.new.generate_fog_config(local_config[:firewall_service]) edge_gateway = Core::EdgeGateway.get_by_name local_config[:gateway] remote_config = edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration] remote_firewall_config = remote_config[:FirewallService] differ = EdgeGateway::ConfigurationDiffer.new(local_firewall_config, remote_firewall_config) diff_output = differ.diff expect(diff_output.empty?).to be_false end end context "ensure EdgeGateway FirewallService configuration is as expected" do before(:all) do @firewall_service = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService] end it "should configure firewall rule with destination and source ip addresses" do expect(@firewall_service[:FirewallRule].first).to eq({:Id => "1", :IsEnabled => "true", :MatchOnTranslate => "false", :Description => "A rule", :Policy => "allow", :Protocols => {:Tcp => "true"}, :Port => "-1", :DestinationPortRange => "Any", :DestinationIp => "10.10.1.2", :SourcePort => "-1", :SourcePortRange => "Any", :SourceIp => "192.0.2.2", :EnableLogging => "false"}) end it "should configure firewall rule with destination and source ip ranges" do expect(@firewall_service[:FirewallRule].last).to eq({:Id => "2", :IsEnabled => "true", :MatchOnTranslate => "false", :Description => "", :Policy => "allow", :Protocols => {:Tcp => "true"}, :Port => "-1", :DestinationPortRange => "Any", :DestinationIp => "10.10.1.3-10.10.1.5", :SourcePort => "-1", :SourcePortRange => "Any", :SourceIp => "192.0.2.2/24", :EnableLogging => "false"}) end end context "Specific FirewallService update tests" do it "should have the same rule order as the input rule order" do input_config_file = generate_input_config_file('firewall_rule_order_test.yaml.erb', edge_gateway_erb_input) EdgeGatewayServices.new.update(input_config_file) remote_rules = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService][:FirewallRule] remote_descriptions_list = remote_rules.map {|rule| rule[:Description]} expect(remote_descriptions_list). to eq([ "First Input Rule", "Second Input Rule", "Third Input Rule", "Fourth Input Rule", "Fifth Input Rule" ]) end end after(:all) do reset_edge_gateway unless ENV['VCLOUD_NO_RESET_VSE_AFTER'] FileUtils.rm(@files_to_delete) end def reset_edge_gateway edge_gateway = Core::EdgeGateway.get_by_name @edge_name edge_gateway.update_configuration({ FirewallService: {IsEnabled: false, FirewallRule: []}, }) end def generate_input_config_file(data_file, erb_input) config_erb = File.expand_path("data/#{data_file}", File.dirname(__FILE__)) output_file = ErbHelper.convert_erb_template_to_yaml(erb_input, config_erb) @files_to_delete << output_file output_file end def edge_gateway_erb_input { :edge_gateway_name => @edge_name, :edge_gateway_ext_network_id => @ext_net_id, :edge_gateway_ext_network_ip => @ext_net_ip, } end end end end