def testLogging(self, option, want_logging):
self.naming.GetNetAddr.return_value = [nacaddr.IPv4('192.168.0.0/24')]
self.naming.GetServiceByProto.return_value = ['25']
expected_output = (
' test-filter {\n' + ' services {\n' +
' stateful-firewall {\n' +
' rule test-filter {\n' +
' match-direction input-output;\n' +
' term good-term-1 {\n' +
' from {\n' +
' application-sets '
'test-filtergood-term-1-app;\n' + ' }\n' +
' then {\n' +
' accept;\n' +
' syslog;\n' +
' }\n' + ' }\n' +
' }\n' + ' }\n' + ' }\n' +
' applications {\n' +
' application test-filtergood-term-1-app1 {\n' +
' protocol icmp;\n' + ' }\n' +
' application-set test-filtergood-term-1-app {\n' +
' application test-filtergood-term-1-app1;\n' +
' }\n' + ' }\n' + ' }\n' + '}\n' +
'apply-groups test-filter;')
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(
GOOD_HEADER_MIXED_IMPLICIT + (LOGGING_TERM % option),
self.naming), EXP_INFO)
output = str(msmpc)
if want_logging:
self.assertIn(expected_output, output, output)
else:
self.assertNotIn(expected_output, output, output)
def testDirection(self, header, direction):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(header + GOOD_TERM_3, self.naming), EXP_INFO)
output = str(msmpc)
expected_output = (' rule test-filter {\n' +
' match-direction %s;')
self.assertIn(expected_output % direction, output, output)
def testInactiveTerm(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_36, self.naming),
EXP_INFO)
output = str(msmpc)
self.assertIn('inactive: term good-term-36 {', output)
def testDefaultDeny(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming),
EXP_INFO)
output = str(msmpc)
self.assertNotIn('from {', output, output)
self.assertIn('discard;', output, output)
def testBuildTokens(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_35, self.naming),
EXP_INFO)
st, sst = msmpc._BuildTokens()
self.assertSetEqual(st, SUPPORTED_TOKENS)
self.assertDictEqual(sst, SUPPORTED_SUB_TOKENS)
def testMinimizePrefixes(self):
includes = ['1.0.0.0/8', '2.0.0.0/8']
excludes = ['1.1.1.1/32', '2.0.0.0/8', '3.3.3.3/32']
expected = ['1.0.0.0/8;', '1.1.1.1/32 except;']
unexpected = ['2.0.0.0/8;', '2.0.0.0/8 except;', '3.3.3.3/32']
self.naming.GetNetAddr.side_effect = [[
nacaddr.IPv4(ip) for ip in includes
], [nacaddr.IPv4(ip) for ip in excludes]]
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19, self.naming),
EXP_INFO)
output = str(msmpc)
for result in expected:
self.assertIn(result, output,
'expected "%s" in %s' % (result, output))
for result in unexpected:
self.assertNotIn(result, output,
'unexpected "%s" in %s' % (result, output))
self.naming.GetNetAddr.assert_has_calls(
[mock.call('INCLUDES'),
mock.call('EXCLUDES')])
def testExpiredTerm(self, mock_warn):
_ = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM, self.naming), EXP_INFO)
mock_warn.assert_called_once_with(
'WARNING: Term %s in policy %s is expired and will '
'not be rendered.', 'is_expired', 'test-filter')
def testAddressExclude(self):
big = nacaddr.IPv4('0.0.0.0/1', comment='half of everything')
ip1 = nacaddr.IPv4('10.0.0.0/8', comment='RFC1918 10-net')
ip2 = nacaddr.IPv4('172.16.0.0/12', comment='RFC1918 172-net')
terms = (GOOD_TERM_18_SRC, GOOD_TERM_18_DST)
self.naming.GetNetAddr.side_effect = [[big, ip1, ip2], [ip1]
] * len(terms)
mock_calls = []
for term in terms:
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + term, self.naming), EXP_INFO)
output = str(msmpc)
expected_output = (
' ' +
('source' if term == GOOD_TERM_18_SRC else 'destination') +
'-address {\n' +
' /* half of everything, RFC1918 '
'10-net */\n' +
' 0.0.0.0/1;\n' +
' /* RFC1918 172-net */\n' +
' 172.16.0.0/12;\n' +
' /* RFC1918 10-net */\n' +
' 10.0.0.0/8 except;\n' +
' }')
self.assertIn(expected_output, output, output)
self.assertNotIn('10.0.0.0/8;', output, output)
self.assertNotIn('172.16.0.0/12 except;', output, output)
mock_calls.append(mock.call('INTERNAL'))
mock_calls.append(mock.call('SOME_HOST'))
self.naming.GetNetAddr.assert_has_calls(mock_calls)
def testProtocolCase(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming),
EXP_INFO)
output = str(msmpc)
self.assertIn('protocol icmp;', output, output)
self.assertIn('protocol tcp;', output, output)
def testV6SlashFourteenReplacement(self):
self.naming.GetNetAddr.return_value = ([
nacaddr.IPv4('0.0.0.0/1'),
nacaddr.IPv6('::/14')
])
self.naming.GetServiceByProto.return_value = ['25']
expectedv4 = (' term good-term-2-inet {\n' +
' from {\n' +
' destination-address {\n' +
' 0.0.0.0/1;\n' +
' }')
expectedv6 = (' term good-term-2-inet6 {\n' +
' from {\n' +
' destination-address {\n' +
' ::/16;\n' +
' 1::/16;\n' +
' 2::/16;\n' +
' 3::/16;\n' +
' }')
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER_MIXED + GOOD_TERM_1, self.naming),
EXP_INFO)
output = str(msmpc)
self.assertIn(expectedv4, output, output)
self.assertIn(expectedv6, output, output)
def testOwnerTerm(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17, self.naming), EXP_INFO)
output = str(msmpc)
self.assertIn(
' /*\n'
' ** Owner: [email protected]\n'
' */', output, output)
def testPrefixListExcept(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_30, self.naming), EXP_INFO)
spfx_re = re.compile(r'source-prefix-list foo_prefix_list except;')
dpfx_re = re.compile(r'destination-prefix-list bar_prefix_list except;')
output = str(msmpc)
self.assertTrue(spfx_re.search(output), output)
self.assertTrue(dpfx_re.search(output), output)
def testNotRangedPorts(self):
self.naming.GetServiceByProto.side_effect = [['67'], ['69']]
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + RANGE_PORTS_TERM, self.naming),
EXP_INFO)
self.assertNotIn('destination-port 67-68;', str(msmpc))
self.assertIn('destination-port 67;', str(msmpc))
self.assertIn('destination-port 69;', str(msmpc))
def testVerbatimTerm(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming), EXP_INFO)
output = str(msmpc)
self.assertIn('mary had a little lamb', output, output)
# check if other platforms verbatim shows up in output
self.assertNotIn('mary had a second lamb', output, output)
self.assertNotIn('mary had a third lamb', output, output)
self.assertNotIn('mary had a fourth lamb', output, output)
def testIcmpType(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming), EXP_INFO)
output = str(msmpc)
# verify proper translation from policy icmp-type text to juniper-esque
self.assertIn('icmp-type 0;', output, output)
self.assertIn('icmp-type 15;', output, output)
self.assertIn('icmp-type 10;', output, output)
self.assertIn('icmp-type 13;', output, output)
self.assertIn('icmp-type 16;', output, output)
def testExpiringTerm(self, mock_info):
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
_ = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(
GOOD_HEADER + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
mock_info.assert_called_once_with(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is_expiring', 'test-filter')
def testMixed(self, addresses, expected, notexpected):
self.naming.GetNetAddr.side_effect = addresses
self.naming.GetServiceByProto.return_value = ['25']
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER_MIXED + MIXED_TESTING_TERM,
self.naming), EXP_INFO)
output = str(msmpc)
for expect in expected:
self.assertIn(expect, output, output)
for notexpect in notexpected:
self.assertNotIn(notexpect, output, output)
def testRejectIPv6(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER_V6 + GOOD_TERM_26_V6_REJECT
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(policy_text, self.naming), EXP_INFO)
output = str(msmpc)
self.assertIn('then {', output, output)
self.assertIn('reject;', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testTcpEstablished(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + ESTABLISHED_TERM_1
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(policy_text, self.naming), EXP_INFO)
output = str(msmpc)
self.assertNotIn('term established-term-1', output, output)
self.assertNotIn('tcp-established', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testDiscardIPv4(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + GOOD_TERM_26
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(policy_text, self.naming), EXP_INFO)
output = str(msmpc)
self.assertIn('then {', output, output)
self.assertIn('discard;', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testGroup(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming), EXP_INFO)
self.assertEqual('b;', msmpc._Group(['B']))
self.assertEqual('B;', msmpc._Group(['B'], lc=False))
self.assertEqual('b;', msmpc._Group(['B'], lc=True))
self.assertEqual('100;', msmpc._Group([100]))
self.assertEqual('100-200;', msmpc._Group([(100, 200)]))
self.assertEqual('[ b a ];', msmpc._Group(['b', 'A']))
self.assertEqual('[ 99 101-199 ];', msmpc._Group([99, (101, 199)]))
self.assertEqual('[ 99 101-199 ];', msmpc._Group([99, (101, 199)]))
def testIcmpInet6Mismatch(self, mock_debug):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER_V6 + BAD_ICMPTYPE_TERM_2,
self.naming), EXP_INFO)
# output happens in __str_
str(msmpc)
mock_debug.assert_called_once_with(
'Term icmptype-mismatch will not be rendered,'
' as it has icmp match specified but '
'the ACL is of inet6 address family.')
def testTermAndFilterName(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming), EXP_INFO)
output = str(msmpc)
self.assertIn('term good-term-1 {', output, output)
self.assertIn('rule test-filter {', output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testProtocolCase(self):
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming), EXP_INFO)
output = str(msmpc)
expected_output = (
' application test-filtergood-term-5-app1 {\n' +
' protocol icmp;\n' + ' }\n' +
' application test-filtergood-term-5-app2 {\n' +
' protocol tcp;\n' +
' destination-port 1-65535;\n' + ' }')
self.assertIn(expected_output, output, output)
def testTermNameCollision(self):
short_append = '1' * (
junipermsmpc.MAX_IDENTIFIER_LEN // 2 - len('?ood-term-1'))
long_append = short_append + '1'
not_too_long_name = (TERM_NAME_COLLISION % (short_append, short_append))
too_long_name = (TERM_NAME_COLLISION % (long_append, long_append))
pol = policy.ParsePolicy(GOOD_HEADER + too_long_name, self.naming)
self.assertRaises(junipermsmpc.ConflictingApplicationSetsError,
junipermsmpc.JuniperMSMPC, pol, EXP_INFO)
_ = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + not_too_long_name, self.naming),
EXP_INFO)
def testInet6(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/33')]
self.naming.GetServiceByProto.return_value = ['25']
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_1_V6, self.naming),
EXP_INFO)
output = str(msmpc)
self.assertTrue(
'protocol icmp6;' in output and 'protocol tcp;' in output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testMixedv6(self):
self.naming.GetNetAddr.return_value = ([nacaddr.IPv6('2001::/33')])
self.naming.GetServiceByProto.return_value = ['25']
expected = (' term good-term-2 {\n' +
' from {\n' +
' destination-address {\n' +
' 2001::/33;\n' +
' }')
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER_MIXED + GOOD_TERM_1, self.naming),
EXP_INFO)
output = str(msmpc)
self.assertIn(expected, output, output)
def testNoMatchReversal(self):
includes = ['10.0.0.0/8', '10.0.0.0/10']
excludes = ['10.0.0.0/9']
expected = ['10.0.0.0/8;', '10.0.0.0/10;', '10.0.0.0/9 except;']
self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4(ip) for ip in includes],
[nacaddr.IPv4(ip) for ip in excludes]]
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19, self.naming), EXP_INFO)
output = str(msmpc)
for result in expected:
self.assertIn(result, output)
def testStatelessReply(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.1/32')]
self.naming.GetServiceByProto.return_value = ['25']
ret = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
_, terms = ret.filters[0]
for term in terms:
if term.protocol[0] == 'icmp':
term.stateless_reply = True
msmpc = junipermsmpc.JuniperMSMPC(ret, EXP_INFO)
output = str(msmpc)
self.assertNotIn('term good-term-1 {', output, output)
self.assertIn('term good-term-2 {', output, output)
def testNoVerboseV4(self):
addr_list = list()
for octet in range(0, 256):
net = nacaddr.IP('192.168.' + str(octet) + '.64/27')
addr_list.append(net)
self.naming.GetNetAddr.return_value = addr_list
self.naming.GetServiceByProto.return_value = ['25']
msmpc = junipermsmpc.JuniperMSMPC(
policy.ParsePolicy(
GOOD_NOVERBOSE_V4_HEADER + GOOD_TERM_1 + GOOD_TERM_COMMENT,
self.naming), EXP_INFO)
self.assertIn('192.168.0.64/27;', str(msmpc))
self.assertNotIn('COMMENT', str(msmpc))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
