Diffstat (limited to 'ipsec/ipsec-impl/src/test/java/io/fd/hc2vpp/ipsec/write/IpsecSadEntryCustomizerTest.java')
-rw-r--r--ipsec/ipsec-impl/src/test/java/io/fd/hc2vpp/ipsec/write/IpsecSadEntryCustomizerTest.java287
1 files changed, 287 insertions, 0 deletions
diff --git a/ipsec/ipsec-impl/src/test/java/io/fd/hc2vpp/ipsec/write/IpsecSadEntryCustomizerTest.java b/ipsec/ipsec-impl/src/test/java/io/fd/hc2vpp/ipsec/write/IpsecSadEntryCustomizerTest.java
new file mode 100644
index 000000000..912f50f27
--- /dev/null
+++ b/ipsec/ipsec-impl/src/test/java/io/fd/hc2vpp/ipsec/write/IpsecSadEntryCustomizerTest.java
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 2019 PANTHEON.tech.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.fd.hc2vpp.ipsec.write;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import io.fd.hc2vpp.common.test.write.WriterCustomizerTest;
+import io.fd.hc2vpp.common.translate.util.ByteDataTranslator;
+import io.fd.hc2vpp.common.translate.util.Ipv4Translator;
+import io.fd.hc2vpp.common.translate.util.Ipv6Translator;
+import io.fd.hc2vpp.common.translate.util.MultiNamingContext;
+import io.fd.hc2vpp.ipsec.helpers.SchemaContextTestHelper;
+import io.fd.honeycomb.test.tools.HoneycombTestRunner;
+import io.fd.honeycomb.test.tools.annotations.InjectTestData;
+import io.fd.honeycomb.translate.write.WriteFailedException;
+import io.fd.vpp.jvpp.core.dto.IpsecSadAddDelEntry;
+import io.fd.vpp.jvpp.core.dto.IpsecSadAddDelEntryReply;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv6Address;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.IkeEncryptionAlgorithmT;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.IkeIntegrityAlgorithmT;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.Ipsec;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.IpsecTrafficDirection;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.KeyStringGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.Sad;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.ah.grouping.AhBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.ah.grouping.ah.AuthenticationAlgorithm;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.EspBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.Authentication;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.AuthenticationBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.Encryption;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.EncryptionBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.authentication.authentication.algorithm.HmacMd596Builder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.authentication.authentication.algorithm.HmacSha196Builder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.Aes128CbcBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.Aes192CbcBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.Aes256CbcBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.DesCbcBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sad.SadEntries;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sad.SadEntriesBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sad.SadEntriesKey;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+
+@RunWith(HoneycombTestRunner.class)
+public class IpsecSadEntryCustomizerTest extends WriterCustomizerTest implements SchemaContextTestHelper,
+ ByteDataTranslator, Ipv4Translator, Ipv6Translator {
+
+ private static final String SAD_PATH = "/hc2vpp-ietf-ipsec:ipsec/hc2vpp-ietf-ipsec:sad";
+ private static final InstanceIdentifier<Sad> SAD_IID =
+ InstanceIdentifier.create(Ipsec.class).child(Sad.class);
+ private static final String INTEG_KEY = "0123456789012346";
+ private static final String CRYPTO_KEY = "9876543210987654";
+ private static final String TNL_SRC_ADDR = "192.168.1.1";
+ private static final String TNL_DST_ADDR = "192.168.1.2";
+ private static final int SPI_1002 = 1002;
+ private static final int SAD_ID = 10;
+
+ private IpsecSadEntryCustomizer customizer;
+ @Mock
+ private MultiNamingContext namingCntext;
+
+ @Override
+ protected void setUpTest() throws Exception {
+ customizer = new IpsecSadEntryCustomizer(api, namingCntext);
+ when(api.ipsecSadAddDelEntry(any())).thenReturn(future(new IpsecSadAddDelEntryReply()));
+ }
+
+ @Test
+ public void testWrite(@InjectTestData(resourcePath = "/sadEntries/addDelSadEntry.json", id = SAD_PATH) Sad sad)
+ throws WriteFailedException {
+ final SadEntries data = sad.getSadEntries().get(0);
+ final IpsecSadAddDelEntry request = new IpsecSadAddDelEntry();
+ request.isAdd = BYTE_TRUE;
+ request.spi = SPI_1002;
+ request.sadId = SAD_ID;
+ request.isTunnel = BYTE_TRUE;
+ request.isTunnelIpv6 = BYTE_FALSE;
+ request.integrityKey = INTEG_KEY.getBytes();
+ request.cryptoKey = CRYPTO_KEY.getBytes();
+ request.useAntiReplay = 0;
+ request.tunnelSrcAddress = ipv4AddressNoZoneToArray(TNL_SRC_ADDR);
+ request.tunnelDstAddress = ipv4AddressNoZoneToArray(TNL_DST_ADDR);
+
+ // ESP
+ request.protocol = BYTE_TRUE; //0 = AH, 1 = ESP
+ // - auth MD5-96
+ // - crypto Aes-Cbc-128
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacMd596,
+ IkeEncryptionAlgorithmT.EncrAesCbc128, request);
+ // - crypto Aes-Cbc-192
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacMd596,
+ IkeEncryptionAlgorithmT.EncrAesCbc192, request);
+ // - crypto Aes-Cbc-256
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacMd596,
+ IkeEncryptionAlgorithmT.EncrAesCbc256, request);
+ // - crypto DesCbc
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacMd596,
+ IkeEncryptionAlgorithmT.EncrDes, request);
+
+ // - auth SHA1-96
+ // - crypto Aes-Cbc-128
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacSha196,
+ IkeEncryptionAlgorithmT.EncrAesCbc128, request);
+ // - crypto Aes-Cbc-192
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacSha196,
+ IkeEncryptionAlgorithmT.EncrAesCbc192, request);
+ // - crypto Aes-Cbc-256
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacSha196,
+ IkeEncryptionAlgorithmT.EncrAesCbc256, request);
+ // - crypto DesCbc
+ testEspAuthEncrCombination(data, IkeIntegrityAlgorithmT.AuthHmacSha196,
+ IkeEncryptionAlgorithmT.EncrDes, request);
+
+ // AH
+ request.protocol = BYTE_FALSE;
+ request.cryptoAlgorithm = 0;
+ request.cryptoKey = null;
+ request.cryptoKeyLength = 0;
+ // - auth SHA1-96
+ testAhAuthorization(data, IkeIntegrityAlgorithmT.AuthHmacSha196, request);
+ // - auth MD5-96
+ testAhAuthorization(data, IkeIntegrityAlgorithmT.AuthHmacMd596, request);
+ }
+
+ @Test
+ public void testUpdate(
+ @InjectTestData(resourcePath = "/sadEntries/addDelSadEntry_Ipv6_before.json", id = SAD_PATH) Sad relaysBefore,
+ @InjectTestData(resourcePath = "/sadEntries/addDelSadEntry_Ipv6_after.json", id = SAD_PATH) Sad relayAfter)
+ throws WriteFailedException {
+ final SadEntries before = relaysBefore.getSadEntries().get(0);
+ final SadEntries after = relayAfter.getSadEntries().get(0);
+ final Long spi = after.getSpi();
+ customizer.updateCurrentAttributes(getId(IpsecTrafficDirection.Outbound, spi), before, after, writeContext);
+ final IpsecSadAddDelEntry request = new IpsecSadAddDelEntry();
+ request.isAdd = BYTE_TRUE;
+ request.spi = SPI_1002;
+ request.sadId = SAD_ID;
+ request.protocol = BYTE_FALSE;
+ request.isTunnel = BYTE_FALSE;
+ request.isTunnelIpv6 = BYTE_TRUE;
+ request.integrityAlgorithm = 1;
+ request.integrityKey = INTEG_KEY.getBytes();
+ request.useAntiReplay = BYTE_TRUE;
+ request.tunnelSrcAddress = ipv6AddressNoZoneToArray(Ipv6Address.getDefaultInstance("2001::11"));
+ request.tunnelDstAddress = ipv6AddressNoZoneToArray(Ipv6Address.getDefaultInstance("2001::12"));
+ verify(api).ipsecSadAddDelEntry(request);
+ }
+
+ @Test
+ public void testDelete(@InjectTestData(resourcePath = "/sadEntries/delSadEntry.json", id = SAD_PATH) Sad sad)
+ throws WriteFailedException {
+ final SadEntries data = sad.getSadEntries().get(0);
+ final Long spi = data.getSpi();
+ customizer.deleteCurrentAttributes(getId(IpsecTrafficDirection.Outbound, spi), data, writeContext);
+ final IpsecSadAddDelEntry request = new IpsecSadAddDelEntry();
+ request.isAdd = BYTE_FALSE;
+ request.spi = SPI_1002;
+ request.sadId = SAD_ID;
+ verify(api).ipsecSadAddDelEntry(request);
+ }
+
+ private InstanceIdentifier<SadEntries> getId(final IpsecTrafficDirection direction, final Long spi) {
+ return SAD_IID.child(SadEntries.class, new SadEntriesKey(direction, spi));
+ }
+
+ private void testAhAuthorization(final SadEntries otherData, final IkeIntegrityAlgorithmT authAlg,
+ final IpsecSadAddDelEntry request) throws WriteFailedException {
+ SadEntriesBuilder builder = new SadEntriesBuilder(otherData);
+ builder.setEsp(null);
+ AhBuilder ahBuilder = new AhBuilder();
+ ahBuilder.setAuthenticationAlgorithm(getAhAuthentication(authAlg));
+ builder.setAh(ahBuilder.build());
+ customizer.writeCurrentAttributes(getId(IpsecTrafficDirection.Outbound, Integer.toUnsignedLong(SPI_1002)),
+ builder.build(), writeContext);
+ verify(api).ipsecSadAddDelEntry(request);
+ }
+
+ private void testEspAuthEncrCombination(final SadEntries otherData, final IkeIntegrityAlgorithmT authAlg,
+ final IkeEncryptionAlgorithmT encrAlg, final IpsecSadAddDelEntry request)
+ throws WriteFailedException {
+ SadEntriesBuilder builder = new SadEntriesBuilder(otherData);
+ builder.setAh(null);
+ EspBuilder espBuilder = new EspBuilder();
+ espBuilder.setAuthentication(getEspAuthentication(authAlg))
+ .setEncryption(getEspEncryption(encrAlg));
+ builder.setEsp(espBuilder.build());
+ customizer.writeCurrentAttributes(getId(IpsecTrafficDirection.Outbound, Integer.toUnsignedLong(SPI_1002)),
+ builder.build(), writeContext);
+
+ if (encrAlg == IkeEncryptionAlgorithmT.EncrAesCbc128) {
+ request.cryptoAlgorithm = 1;
+ } else if (encrAlg == IkeEncryptionAlgorithmT.EncrAesCbc192) {
+ request.cryptoAlgorithm = 2;
+ } else if (encrAlg == IkeEncryptionAlgorithmT.EncrAesCbc256) {
+ request.cryptoAlgorithm = 3;
+ } else if (encrAlg == IkeEncryptionAlgorithmT.EncrDes) {
+ request.cryptoAlgorithm = 4;
+ } else {
+ request.cryptoAlgorithm = 0;
+ }
+
+ if (authAlg == IkeIntegrityAlgorithmT.AuthHmacMd596) {
+ request.integrityAlgorithm = 1;
+ } else if (authAlg == IkeIntegrityAlgorithmT.AuthHmacSha196) {
+ request.integrityAlgorithm = 2;
+ } else {
+ request.integrityAlgorithm = 0;
+ }
+
+ verify(api).ipsecSadAddDelEntry(request);
+ }
+
+ private Encryption getEspEncryption(IkeEncryptionAlgorithmT alg) {
+ if (alg == IkeEncryptionAlgorithmT.EncrAesCbc128) {
+ return new EncryptionBuilder().setEncryptionAlgorithm(new Aes128CbcBuilder().
+ setAes128Cbc(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.aes._128.cbc.Aes128CbcBuilder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(CRYPTO_KEY))
+ .build()).build()).build();
+ } else if (alg == IkeEncryptionAlgorithmT.EncrAesCbc192) {
+ return new EncryptionBuilder().setEncryptionAlgorithm(new Aes192CbcBuilder().
+ setAes192Cbc(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.aes._192.cbc.Aes192CbcBuilder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(CRYPTO_KEY))
+ .build()).build()).build();
+ } else if (alg == IkeEncryptionAlgorithmT.EncrAesCbc256) {
+ return new EncryptionBuilder().setEncryptionAlgorithm(new Aes256CbcBuilder().
+ setAes256Cbc(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.aes._256.cbc.Aes256CbcBuilder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(CRYPTO_KEY))
+ .build()).build()).build();
+ } else if (alg == IkeEncryptionAlgorithmT.EncrDes) {
+ return new EncryptionBuilder().setEncryptionAlgorithm(new DesCbcBuilder().setDesCbc(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.encryption.encryption.algorithm.des.cbc.DesCbcBuilder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(CRYPTO_KEY))
+ .build()).build()).build();
+ }
+
+ return null;
+ }
+
+ private Authentication getEspAuthentication(IkeIntegrityAlgorithmT alg) {
+ if (alg == IkeIntegrityAlgorithmT.AuthHmacSha196) {
+ return new AuthenticationBuilder().setAuthenticationAlgorithm(new HmacSha196Builder().setHmacSha196(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.authentication.authentication.algorithm.hmac.sha1._96.HmacSha196Builder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(INTEG_KEY)).build()).build()).build();
+ } else if (alg == IkeIntegrityAlgorithmT.AuthHmacMd596) {
+ return new AuthenticationBuilder().setAuthenticationAlgorithm(new HmacMd596Builder().setHmacMd596(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.esp.grouping.esp.authentication.authentication.algorithm.hmac.md5._96.HmacMd596Builder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(INTEG_KEY)).build()).build()).build();
+ }
+ return null;
+ }
+
+ private AuthenticationAlgorithm getAhAuthentication(IkeIntegrityAlgorithmT alg) {
+ if (alg == IkeIntegrityAlgorithmT.AuthHmacSha196) {
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.ah.grouping.ah.authentication.algorithm.HmacSha196Builder()
+ .setHmacSha196(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.ah.grouping.ah.authentication.algorithm.hmac.sha1._96.HmacSha196Builder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(INTEG_KEY)).build()).build();
+ } else if (alg == IkeIntegrityAlgorithmT.AuthHmacMd596) {
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.ah.grouping.ah.authentication.algorithm.HmacMd596Builder()
+ .setHmacMd596(
+ new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ipsec.rev181214.ipsec.sa.ah.grouping.ah.authentication.algorithm.hmac.md5._96.HmacMd596Builder()
+ .setKeyStr(new KeyStringGrouping.KeyStr(INTEG_KEY)).build()).build();
+ }
+ return null;
+ }
+}
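Review bot: `testAhAuthorization` never assigns `request.integrityAlgorithm`, so both AH checks at the end of `testWrite` compare against the value 2 left on the shared `request` by the last ESP call (SHA1-96 with DES). For the `AuthHmacMd596` call, assuming the customizer maps MD5-96 to 1 as the ESP helper expects, `verify(api).ipsecSadAddDelEntry(request)` can only match the earlier AH/SHA1-96 invocation recorded on the same mock. The AH + HMAC-MD5-96 mapping therefore appears to go unverified, and a regression that put the wrong integrity algorithm on that SA would not fail the test. Set the expected value in the helper before the verify, mirroring `testEspAuthEncrCombination`: `if (authAlg == IkeIntegrityAlgorithmT.AuthHmacMd596) { request.integrityAlgorithm = 1; } else { request.integrityAlgorithm = 2; }`. Building a fresh expected `IpsecSadAddDelEntry` per case, instead of mutating one instance across twelve verifications, would also stop stale fields from leaking between checks.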