vcloud-edge_gateway 0.0.1

data/spec/integration/edge_gateway/data/firewall_rule_order_test.yaml.erb

@@ -0,0 +1,24 @@
+---
+gateway: <%= edge_gateway_name %>
+firewall_service:
+  firewall_rules:
+  - description: 'First Input Rule'
+    destination_port_range: '8081'
+    destination_ip: 10.10.1.2
+    source_ip: Any
+  - description: 'Second Input Rule'
+    destination_port_range: '8888'
+    destination_ip: 10.10.1.2
+    source_ip: Any
+  - description: 'Third Input Rule'
+    destination_port_range: '2222'
+    destination_ip: 10.10.1.2
+    source_ip: Any
+  - description: 'Fourth Input Rule'
+    destination_port_range: '9111'
+    destination_ip: 10.10.1.2
+    source_ip: Any
+  - description: 'Fifth Input Rule'
+    destination_port_range: '8113'
+    destination_ip: 10.10.1.2
+    source_ip: Any

data/spec/integration/edge_gateway/data/hairpin_nat_config.yaml.erb

@@ -0,0 +1,13 @@
+---
+gateway: <%= edge_gateway_name %>
+nat_service:
+  nat_rules:
+  - enabled: true
+    description: 'A DNAT rule'
+    network_id: <%= org_vdc_network_id %>
+    rule_type: 'DNAT'
+    translated_ip: '10.10.1.2'
+    translated_port: '3412'
+    original_ip: <%= original_ip %>
+    original_port: '3412'
+    protocol: 'tcp'

data/spec/integration/edge_gateway/data/incorrect_firewall_config.yaml

@@ -0,0 +1,14 @@
+---
+gateway: 'Test Edgegateway'
+firewall_service:
+  policy: drop
+  log_default_action: true
+  firewall_rules_incorrect:
+  - enabled: true
+    description: 'A rule'
+    policy: allow
+    protocols: 'tcp'
+    destination_port_range: Any
+    destination_ip: Any
+    source_port_range: Any
+    source_ip: 192.0.2.2

data/spec/integration/edge_gateway/data/nat_and_firewall_config.yaml.erb

@@ -0,0 +1,32 @@
+---
+gateway: <%= edge_gateway_name %>
+nat_service:
+  nat_rules:
+  - enabled: true
+    network_id: <%= network_id %>
+    rule_type: 'DNAT'
+    translated_ip: '10.10.1.2-10.10.1.3'
+    translated_port: '3412'
+    original_ip: <%= original_ip %>
+    original_port: '3412'
+    protocol: 'tcp'
+  - enabled: true
+    network_id: <%= network_id %>
+    rule_type: 'SNAT'
+    translated_ip: <%= original_ip %>
+    original_ip: '10.10.1.2-10.10.1.3'
+firewall_service:
+  policy: drop
+  log_default_action: true
+  firewall_rules:
+  - enabled: true
+    description: 'A rule'
+    policy: allow
+    protocols: 'tcp'
+    destination_port_range: Any
+    destination_ip: 10.10.1.2
+    source_port_range: Any
+    source_ip: 192.0.2.2
+  - enabled: true
+    destination_ip: '10.10.1.3-10.10.1.5'
+    source_ip: 192.0.2.2/24

data/spec/integration/edge_gateway/data/nat_config.yaml.erb

@@ -0,0 +1,17 @@
+---
+gateway: <%= edge_gateway_name %>
+nat_service:
+  nat_rules:
+  - enabled: true
+    network_id: <%= network_id %>
+    rule_type: 'DNAT'
+    translated_ip: '10.10.1.2-10.10.1.3'
+    translated_port: '3412'
+    original_ip: <%= original_ip %>
+    original_port: '3412'
+    protocol: 'tcp'
+  - enabled: true
+    network_id: <%= network_id %>
+    rule_type: 'SNAT'
+    translated_ip: <%= original_ip %>
+    original_ip: '10.10.1.2-10.10.1.3'

data/spec/integration/edge_gateway/edge_gateway_services_spec.rb

@@ -0,0 +1,132 @@
+require 'spec_helper'
+
+module Vcloud
+  describe EdgeGatewayServices do
+
+    required_env = {
+      'VCLOUD_EDGE_GATEWAY' => 'to name of VSE',
+      'VCLOUD_PROVIDER_NETWORK_ID' => 'to ID of VSE external network',
+      'VCLOUD_PROVIDER_NETWORK_IP' => 'to an available IP on VSE external network',
+      'VCLOUD_NETWORK1_ID' => 'to the ID of a VSE internal network',
+      'VCLOUD_NETWORK1_NAME' => 'to the name of the VSE internal network',
+      'VCLOUD_NETWORK1_IP' => 'to an ID on the VSE internal network',
+    }
+
+    error = false
+    required_env.each do |var,message|
+      unless ENV[var]
+        puts "Must set #{var} #{message}" unless ENV[var]
+        error = true
+      end
+    end
+    Kernel.exit(2) if error
+
+    before(:all) do
+      @edge_name = ENV['VCLOUD_EDGE_GATEWAY']
+      @ext_net_id = ENV['VCLOUD_PROVIDER_NETWORK_ID']
+      @ext_net_ip = ENV['VCLOUD_PROVIDER_NETWORK_IP']
+      @ext_net_name = ENV['VCLOUD_PROVIDER_NETWORK_NAME']
+      @int_net_id = ENV['VCLOUD_NETWORK1_ID']
+      @int_net_ip = ENV['VCLOUD_NETWORK1_IP']
+      @int_net_name = ENV['VCLOUD_NETWORK1_NAME']
+      @files_to_delete = []
+    end
+
+    context "Test EdgeGatewayServices with multiple services" do
+
+      before(:all) do
+        reset_edge_gateway
+        @initial_config_file = generate_input_config_file('nat_and_firewall_config.yaml.erb', edge_gateway_erb_input)
+        @edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(@edge_name)
+      end
+
+      context "Check update is functional" do
+
+        before(:all) do
+          local_config = ConfigLoader.new.load_config(@initial_config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES)
+        end
+
+        it "should be starting our tests from an empty EdgeGateway" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration]
+          expect(remote_vcloud_config[:FirewallService][:FirewallRule].empty?).to be_true
+          expect(remote_vcloud_config[:NatService][:NatRule].empty?).to be_true
+        end
+
+        it "should only need to make one call to Core::EdgeGateway.update_configuration to update configuration" do
+          q = Query.new('edgeGateway', :filter => "name==#{@edge_name}")
+          result = q.get_all_results
+          latest_task = result.first[:task]
+
+          expect_any_instance_of(Core::EdgeGateway).to receive(:update_configuration).exactly(1).times.and_call_original
+          EdgeGatewayServices.new.update(@initial_config_file)
+
+          test_result = q.get_all_results
+          test_latest_task = test_result.first[:task]
+
+          # confirm that a task has been run on the EdgeGateway
+          expect(latest_task == test_latest_task).to be_false
+        end
+
+        it "should now have nat and firewall rules configured" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration]
+          expect(remote_vcloud_config[:FirewallService][:FirewallRule].empty?).to be_false
+          expect(remote_vcloud_config[:NatService][:NatRule].empty?).to be_false
+        end
+
+        it "should not update the EdgeGateway again if the config hasn't changed" do
+          q = Query.new('edgeGateway', :filter => "name==#{@edge_name}")
+          result = q.get_all_results
+          latest_task = result.first[:task]
+
+          EdgeGatewayServices.new.update(@initial_config_file)
+
+          test_result = q.get_all_results
+          test_latest_task = result.first[:task]
+
+          # No task has been run on the EdgeGateway since the one before update was called
+          expect(latest_task == test_latest_task).to be_true
+        end
+
+      end
+
+      after(:all) do
+        reset_edge_gateway unless ENV['VCLOUD_NO_RESET_VSE_AFTER']
+        remove_temp_config_files
+      end
+
+      def remove_temp_config_files
+        FileUtils.rm(@files_to_delete)
+      end
+
+      def reset_edge_gateway
+        edge_gateway = Core::EdgeGateway.get_by_name @edge_name
+        edge_gateway.update_configuration({
+                                            FirewallService: {IsEnabled: false, FirewallRule: []},
+                                            NatService: {:IsEnabled => "true", :NatRule => []},
+                                            LoadBalancerService: {
+                                              IsEnabled: "false",
+                                              Pool: [],
+                                              VirtualServer: []
+                                            }
+                                          })
+      end
+
+      def generate_input_config_file(data_file, erb_input)
+        config_erb = File.expand_path("data/#{data_file}", File.dirname(__FILE__))
+        output_file = ErbHelper.convert_erb_template_to_yaml(erb_input, config_erb)
+        @files_to_delete << output_file
+        output_file
+      end
+
+      def edge_gateway_erb_input
+        {
+          edge_gateway_name: @edge_name,
+          network_id: @ext_net_id,
+          original_ip: @ext_net_ip,
+        }
+      end
+
+    end
+
+  end
+end

data/spec/integration/edge_gateway/firewall_service_spec.rb

@@ -0,0 +1,201 @@
+require 'spec_helper'
+
+module Vcloud
+  describe EdgeGatewayServices do
+
+    required_env = {
+      'VCLOUD_EDGE_GATEWAY' => 'to name of VSE',
+      'VCLOUD_PROVIDER_NETWORK_ID' => 'to ID of VSE external network',
+      'VCLOUD_PROVIDER_NETWORK_IP' => 'to an available IP on VSE external network',
+      'VCLOUD_NETWORK1_ID' => 'to the ID of a VSE internal network',
+      'VCLOUD_NETWORK1_NAME' => 'to the name of the VSE internal network',
+      'VCLOUD_NETWORK1_IP' => 'to an ID on the VSE internal network',
+    }
+
+    error = false
+    required_env.each do |var,message|
+      unless ENV[var]
+        puts "Must set #{var} #{message}" unless ENV[var]
+        error = true
+      end
+    end
+    Kernel.exit(2) if error
+
+    before(:all) do
+      @edge_name = ENV['VCLOUD_EDGE_GATEWAY']
+      @ext_net_id = ENV['VCLOUD_PROVIDER_NETWORK_ID']
+      @ext_net_ip = ENV['VCLOUD_PROVIDER_NETWORK_IP']
+      @ext_net_name = ENV['VCLOUD_PROVIDER_NETWORK_NAME']
+      @int_net_id = ENV['VCLOUD_NETWORK1_ID']
+      @int_net_ip = ENV['VCLOUD_NETWORK1_IP']
+      @int_net_name = ENV['VCLOUD_NETWORK1_NAME']
+      @files_to_delete = []
+    end
+
+    context "Test FirewallService specifics of EdgeGatewayServices" do
+
+      before(:all) do
+        reset_edge_gateway
+        @initial_firewall_config_file = generate_input_config_file('firewall_config.yaml.erb', edge_gateway_erb_input)
+        @edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(@edge_name)
+        @firewall_service = {}
+      end
+
+      context "Check input schema checking is working" do
+
+        it "should raise exception if input yaml does not match with schema" do
+          config_yaml = File.expand_path('data/incorrect_firewall_config.yaml', File.dirname(__FILE__))
+          expect(Vcloud::EdgeGateway.logger).to receive(:fatal)
+          expect { EdgeGatewayServices.new.update(config_yaml) }.to raise_error('Supplied configuration does not match supplied schema')
+        end
+
+      end
+
+      context "Check update is functional" do
+
+        before(:all) do
+          local_config = ConfigLoader.new.load_config(@initial_firewall_config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES)
+          @local_vcloud_config  = EdgeGateway::ConfigurationGenerator::FirewallService.new.generate_fog_config(local_config[:firewall_service])
+        end
+
+        it "should be starting our tests from an empty firewall" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService]
+          expect(remote_vcloud_config[:FirewallRule].empty?).to be_true
+        end
+
+        it "should only need to make one call to Core::EdgeGateway.update_configuration" do
+          expect_any_instance_of(Core::EdgeGateway).to receive(:update_configuration).exactly(1).times.and_call_original
+          EdgeGatewayServices.new.update(@initial_firewall_config_file)
+        end
+
+        it "should have configured at least one firewall rule" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService]
+          expect(remote_vcloud_config[:FirewallRule].empty?).to be_false
+        end
+
+        it "should have configured the same number of firewall rules as in our configuration" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService]
+          expect(remote_vcloud_config[:FirewallRule].size).
+            to eq(@local_vcloud_config[:FirewallRule].size)
+        end
+
+        it "and then should not configure the firewall service if updated again with the same configuration (idempotency)" do
+          expect(Vcloud::EdgeGateway.logger).to receive(:info).with('EdgeGatewayServices.update: Configuration is already up to date. Skipping.')
+          EdgeGatewayServices.new.update(@initial_firewall_config_file)
+        end
+
+        it "ConfigurationDiffer should return empty if local and remote firewall configs match" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService]
+          differ = EdgeGateway::ConfigurationDiffer.new(@local_vcloud_config, remote_vcloud_config)
+          diff_output = differ.diff
+          expect(diff_output).to eq([])
+        end
+
+        it "should highlight a difference if local firewall config has been updated" do
+          input_config_file = generate_input_config_file('firewall_config_updated_rule.yaml.erb', edge_gateway_erb_input)
+
+          local_config = ConfigLoader.new.load_config(input_config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES)
+          local_firewall_config = EdgeGateway::ConfigurationGenerator::FirewallService.new.generate_fog_config(local_config[:firewall_service])
+
+          edge_gateway = Core::EdgeGateway.get_by_name local_config[:gateway]
+          remote_config = edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration]
+          remote_firewall_config = remote_config[:FirewallService]
+
+          differ = EdgeGateway::ConfigurationDiffer.new(local_firewall_config, remote_firewall_config)
+          diff_output = differ.diff
+
+          expect(diff_output.empty?).to be_false
+        end
+
+      end
+
+      context "ensure EdgeGateway FirewallService configuration is as expected" do
+        before(:all) do
+          @firewall_service = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService]
+        end
+
+        it "should configure firewall rule with destination and source ip addresses" do
+          expect(@firewall_service[:FirewallRule].first).to eq({:Id => "1",
+                                                                :IsEnabled => "true",
+                                                                :MatchOnTranslate => "false",
+                                                                :Description => "A rule",
+                                                                :Policy => "allow",
+                                                                :Protocols => {:Tcp => "true"},
+                                                                :Port => "-1",
+                                                                :DestinationPortRange => "Any",
+                                                                :DestinationIp => "10.10.1.2",
+                                                                :SourcePort => "-1",
+                                                                :SourcePortRange => "Any",
+                                                                :SourceIp => "192.0.2.2",
+                                                                :EnableLogging => "false"})
+        end
+
+        it "should configure firewall rule with destination and source ip ranges" do
+          expect(@firewall_service[:FirewallRule].last).to eq({:Id => "2",
+                                                               :IsEnabled => "true",
+                                                               :MatchOnTranslate => "false",
+                                                               :Description => "",
+                                                               :Policy => "allow",
+                                                               :Protocols => {:Tcp => "true"},
+                                                               :Port => "-1",
+                                                               :DestinationPortRange => "Any",
+                                                               :DestinationIp => "10.10.1.3-10.10.1.5",
+                                                               :SourcePort => "-1",
+                                                               :SourcePortRange => "Any",
+                                                               :SourceIp => "192.0.2.2/24",
+                                                               :EnableLogging => "false"})
+        end
+
+      end
+
+      context "Specific FirewallService update tests" do
+
+        it "should have the same rule order as the input rule order" do
+          input_config_file = generate_input_config_file('firewall_rule_order_test.yaml.erb', edge_gateway_erb_input)
+          EdgeGatewayServices.new.update(input_config_file)
+          remote_rules = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:FirewallService][:FirewallRule]
+          remote_descriptions_list = remote_rules.map {|rule| rule[:Description]}
+          expect(remote_descriptions_list).
+            to eq([
+              "First Input Rule",
+              "Second Input Rule",
+              "Third Input Rule",
+              "Fourth Input Rule",
+              "Fifth Input Rule"
+              ])
+        end
+
+      end
+
+
+      after(:all) do
+        reset_edge_gateway unless ENV['VCLOUD_NO_RESET_VSE_AFTER']
+        FileUtils.rm(@files_to_delete)
+      end
+
+      def reset_edge_gateway
+        edge_gateway = Core::EdgeGateway.get_by_name @edge_name
+        edge_gateway.update_configuration({
+          FirewallService: {IsEnabled: false, FirewallRule: []},
+        })
+      end
+
+      def generate_input_config_file(data_file, erb_input)
+        config_erb = File.expand_path("data/#{data_file}", File.dirname(__FILE__))
+        output_file = ErbHelper.convert_erb_template_to_yaml(erb_input, config_erb)
+        @files_to_delete << output_file
+        output_file
+      end
+
+      def edge_gateway_erb_input
+        {
+          :edge_gateway_name => @edge_name,
+          :edge_gateway_ext_network_id => @ext_net_id,
+          :edge_gateway_ext_network_ip => @ext_net_ip,
+        }
+      end
+
+    end
+
+  end
+end

data/spec/integration/edge_gateway/nat_service_spec.rb

@@ -0,0 +1,208 @@
+require 'spec_helper'
+
+module Vcloud
+  describe EdgeGatewayServices do
+
+    required_env = {
+      'VCLOUD_EDGE_GATEWAY' => 'to name of VSE',
+      'VCLOUD_PROVIDER_NETWORK_ID' => 'to ID of VSE external network',
+      'VCLOUD_PROVIDER_NETWORK_IP' => 'to an available IP on VSE external network',
+      'VCLOUD_NETWORK1_ID' => 'to the ID of a VSE internal network',
+      'VCLOUD_NETWORK1_NAME' => 'to the name of the VSE internal network',
+      'VCLOUD_NETWORK1_IP' => 'to an ID on the VSE internal network',
+    }
+
+    error = false
+    required_env.each do |var,message|
+      unless ENV[var]
+        puts "Must set #{var} #{message}" unless ENV[var]
+        error = true
+      end
+    end
+    Kernel.exit(2) if error
+
+    before(:all) do
+      @edge_name = ENV['VCLOUD_EDGE_GATEWAY']
+      @ext_net_id = ENV['VCLOUD_PROVIDER_NETWORK_ID']
+      @ext_net_ip = ENV['VCLOUD_PROVIDER_NETWORK_IP']
+      @ext_net_name = ENV['VCLOUD_PROVIDER_NETWORK_NAME']
+      @int_net_id = ENV['VCLOUD_NETWORK1_ID']
+      @int_net_ip = ENV['VCLOUD_NETWORK1_IP']
+      @int_net_name = ENV['VCLOUD_NETWORK1_NAME']
+      @files_to_delete = []
+    end
+
+    context "Test NatService specifics of EdgeGatewayServices" do
+
+      before(:all) do
+        reset_edge_gateway
+        @initial_nat_config_file = generate_input_config_file(
+          'nat_config.yaml.erb', {
+              edge_gateway_name: @edge_name,
+              network_id: @ext_net_id,
+              original_ip: @ext_net_ip,
+            }
+          )
+        @edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(@edge_name)
+      end
+
+      context "Check update is functional" do
+
+        before(:all) do
+          local_config = ConfigLoader.new.load_config(@initial_nat_config_file, Vcloud::Schema::EDGE_GATEWAY_SERVICES)
+          @local_vcloud_config  = EdgeGateway::ConfigurationGenerator::NatService.new(@edge_name, local_config[:nat_service]).generate_fog_config
+        end
+
+        it "should be starting our tests from an empty NatService" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:NatService]
+          expect(remote_vcloud_config[:NatRule].empty?).to be_true
+        end
+
+        it "should only make one EdgeGateway update task, to minimise EdgeGateway reload events" do
+          start_time = DateTime.now()
+          task_list_before_update = get_all_edge_gateway_update_tasks_ordered_by_start_date_since_time(start_time)
+          EdgeGatewayServices.new.update(@initial_nat_config_file)
+          task_list_after_update = get_all_edge_gateway_update_tasks_ordered_by_start_date_since_time(start_time)
+          expect(task_list_after_update.size - task_list_before_update.size).to be(1)
+        end
+
+        it "should have configured at least one NAT rule" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:NatService]
+          expect(remote_vcloud_config[:NatRule].empty?).to be_false
+        end
+
+        it "should have configured the same number of nat rules as in our configuration" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:NatService]
+          expect(remote_vcloud_config[:NatRule].size).
+            to eq(@local_vcloud_config[:NatRule].size)
+        end
+
+        it "ConfigurationDiffer should return empty if local and remote nat configs match" do
+          remote_vcloud_config = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:NatService]
+          differ = EdgeGateway::ConfigurationDiffer.new(@local_vcloud_config, remote_vcloud_config)
+          diff_output = differ.diff
+          expect(diff_output).to eq([])
+        end
+
+        it "and then should not configure the firewall service if updated again with the same configuration (idempotency)" do
+          expect(Vcloud::EdgeGateway.logger).to receive(:info).with('EdgeGatewayServices.update: Configuration is already up to date. Skipping.')
+          EdgeGatewayServices.new.update(@initial_nat_config_file)
+        end
+
+      end
+
+      context "ensure updated EdgeGateway NatService configuration is as expected" do
+        before(:all) do
+          @nat_service = @edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:NatService]
+        end
+
+        it "should configure DNAT rule" do
+          dnat_rule = @nat_service[:NatRule].first
+          expect(dnat_rule).not_to be_nil
+          expect(dnat_rule[:RuleType]).to eq('DNAT')
+          expect(dnat_rule[:Id]).to eq('65537')
+          expect(dnat_rule[:IsEnabled]).to eq('true')
+          expect(dnat_rule[:GatewayNatRule][:Interface][:href]).to include(@ext_net_id)
+          expect(dnat_rule[:GatewayNatRule][:OriginalIp]).to eq(@ext_net_ip)
+          expect(dnat_rule[:GatewayNatRule][:OriginalPort]).to eq('3412')
+          expect(dnat_rule[:GatewayNatRule][:TranslatedIp]).to eq('10.10.1.2-10.10.1.3')
+          expect(dnat_rule[:GatewayNatRule][:TranslatedPort]).to eq('3412')
+          expect(dnat_rule[:GatewayNatRule][:Protocol]).to eq('tcp')
+        end
+
+        it "should configure SNAT rule" do
+          snat_rule = @nat_service[:NatRule].last
+          expect(snat_rule).not_to be_nil
+          expect(snat_rule[:RuleType]).to eq('SNAT')
+          expect(snat_rule[:Id]).to eq('65538')
+          expect(snat_rule[:IsEnabled]).to eq('true')
+          expect(snat_rule[:GatewayNatRule][:Interface][:href]).to include(@ext_net_id)
+          expect(snat_rule[:GatewayNatRule][:OriginalIp]).to eq('10.10.1.2-10.10.1.3')
+          expect(snat_rule[:GatewayNatRule][:TranslatedIp]).to eq(@ext_net_ip)
+        end
+
+      end
+
+      context "ensure hairpin NAT rules are specifiable" do
+
+        it "and then should configure hairpin NATting with orgVdcNetwork" do
+          input_config_file = generate_input_config_file('hairpin_nat_config.yaml.erb', {
+            edge_gateway_name: @edge_name,
+            org_vdc_network_id: @int_net_id,
+            original_ip: @int_net_ip,
+          })
+
+          EdgeGatewayServices.new.update(input_config_file)
+
+          edge_gateway = Vcloud::Core::EdgeGateway.get_by_name(@edge_name)
+          nat_service = edge_gateway.vcloud_attributes[:Configuration][:EdgeGatewayServiceConfiguration][:NatService]
+          expected_rule = nat_service[:NatRule].first
+          expect(expected_rule).not_to be_nil
+          expect(expected_rule[:RuleType]).to eq('DNAT')
+          expect(expected_rule[:Id]).to eq('65537')
+          expect(expected_rule[:RuleType]).to eq('DNAT')
+          expect(expected_rule[:IsEnabled]).to eq('true')
+          expect(expected_rule[:GatewayNatRule][:Interface][:name]).to eq(@int_net_name)
+          expect(expected_rule[:GatewayNatRule][:OriginalIp]).to eq(@int_net_ip)
+          expect(expected_rule[:GatewayNatRule][:OriginalPort]).to eq('3412')
+          expect(expected_rule[:GatewayNatRule][:TranslatedIp]).to eq('10.10.1.2')
+          expect(expected_rule[:GatewayNatRule][:TranslatedPort]).to eq('3412')
+          expect(expected_rule[:GatewayNatRule][:Protocol]).to eq('tcp')
+        end
+
+        it "should raise error if network provided in rule does not exist" do
+          random_network_id = SecureRandom.uuid
+          input_config_file = generate_input_config_file('nat_config.yaml.erb', {
+            edge_gateway_name: @edge_name,
+            network_id: random_network_id,
+            original_ip: @int_net_ip,
+          })
+          expect{EdgeGatewayServices.new.update(input_config_file)}.
+            to raise_error("unable to find gateway network interface with id #{random_network_id}")
+        end
+      end
+
+      after(:all) do
+        reset_edge_gateway unless ENV['VCLOUD_NO_RESET_VSE_AFTER']
+        remove_temp_config_files
+      end
+
+      def remove_temp_config_files
+        FileUtils.rm(@files_to_delete)
+      end
+
+      def reset_edge_gateway
+        edge_gateway = Core::EdgeGateway.get_by_name @edge_name
+        edge_gateway.update_configuration({
+          NatService: {:IsEnabled => "true", :NatRule => []},
+        })
+      end
+
+      def generate_input_config_file(data_file, erb_input)
+        config_erb = File.expand_path("data/#{data_file}", File.dirname(__FILE__))
+        output_file = ErbHelper.convert_erb_template_to_yaml(erb_input, config_erb)
+        @files_to_delete << output_file
+        output_file
+      end
+
+      def edge_gateway_erb_input
+        {
+          :edge_gateway_name => @edge_name,
+          :edge_gateway_ext_network_id => @ext_net_id,
+          :edge_gateway_ext_network_ip => @ext_net_ip,
+        }
+      end
+
+      def get_all_edge_gateway_update_tasks_ordered_by_start_date_since_time(timestamp)
+        vcloud_time = timestamp.strftime('%FT%T.000Z')
+        q = Query.new('task',
+          :filter => "name==networkConfigureEdgeGatewayServices;objectName==#{@edge_name};startDate=ge=#{vcloud_time}",
+          :sortDesc => 'startDate',
+        )
+        q.get_all_results
+      end
+
+    end
+
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,26 @@
+require 'simplecov'
+require 'erb_helper'
+
+SimpleCov.profiles.define 'gem' do
+  add_filter '/spec/'
+  add_filter '/features/'
+  add_filter '/vendor/'
+
+  add_group 'Libraries', '/lib/'
+end
+
+SimpleCov.start 'gem'
+
+require 'bundler/setup'
+require 'vcloud/edge_gateway'
+
+
+SimpleCov.at_exit do
+  SimpleCov.result.format!
+  # do not change the coverage percentage, instead add more unit tests to fix coverage failures.
+  if SimpleCov.result.covered_percent < 60
+    print "ERROR::BAD_COVERAGE\n"
+    print "Coverage is less than acceptable limit(71%). Please add more tests to improve the coverage"
+    exit(1)
+  end
+end