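def main():
    """Start the Calico ACL Manager.

    Parses the command line, reads ``PluginAddress`` (``[global]``) and
    ``LogFilePath`` (``[log]``) from the config file, sets up file logging,
    then creates the ZeroMQ context and wires together the ACL store,
    network store, publisher, rule processor and subscriber.
    """
    # Parse command line args.
    parser = argparse.ArgumentParser(description='Calico ACL Manager')
    parser.add_argument('-c', '--config-file', dest='config_file')
    args = parser.parse_args()

    # Read config file.  Without -c the name is relative, so it is resolved
    # against the current working directory of the process.  read() skips a
    # missing or unreadable file without raising; the get() calls below then
    # fail with NoSectionError.
    config = ConfigParser.ConfigParser()
    config.read(args.config_file or 'acl_manager.cfg')
    plugin_address = config.get('global', 'PluginAddress')
    log_file_path = config.get('log', 'LogFilePath')

    # Configure logging.  A bare file name has an empty dirname and there is
    # no directory to create in that case, so skip the mkdir.
    log_dir = os.path.dirname(log_file_path)
    if log_dir:
        common.mkdir_p(log_dir)
    # NOTE(review): the file log is always at DEBUG, and the directory is
    # created with whatever mode common.mkdir_p applies (not visible here) -
    # confirm the log location is writable only by the service account.
    logging.basicConfig(filename=log_file_path, level=logging.DEBUG)

    # Create ZeroMQ context.
    context = zmq.Context()
    log.info("pyzmq version is %s", zmq.pyzmq_version())

    # Create and start components.
    acl_store = ACLStore()
    network_store = NetworkStore()

    publisher = ACLPublisher(context, acl_store)
    acl_store.start(publisher)

    processor = RuleProcessor(acl_store, network_store)
    network_store.add_processor(processor)

    # The subscriber is not used again in this function; presumably
    # constructing it is what starts it - confirm against NetworkSubscriber.
    subscriber = NetworkSubscriber(context, network_store, plugin_address)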
def setUp(self):
    """Build a fresh ACLStore with stub collaborators and start it."""
    store = ACLStore()
    self.acl_store = store

    # Both stubs receive the test case itself plus the store under test.
    self.processor = StubRuleProcessor(self, None, store)
    publisher = StubACLPublisher(self, store)
    self.acl_pub = publisher

    # Start the store only once its publisher exists.
    store.start(publisher)
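class TestACLStore(unittest.TestCase):
    """Unit tests for the ACLStore class."""

    def setUp(self):
        """Create and start an ACLStore wired to stub collaborators."""
        # Function-scope import so this class does not depend on a new
        # file-level import.
        import copy

        # Give every test its own copy of the template ACLs.  test_case1
        # edits them in place; without the copy that edit would stay in the
        # class-level dict and make later tests depend on execution order.
        self.acls = copy.deepcopy(type(self).acls)

        self.acl_store = ACLStore()
        self.processor = StubRuleProcessor(self, None, self.acl_store)
        self.acl_pub = StubACLPublisher(self, self.acl_store)
        self.acl_store.start(self.acl_pub)

    def tearDown(self):
        """Stop the store and drop the per-test objects."""
        self.acl_store.stop()
        self.acl_store = None
        self.acl_pub = None
        self.processor = None

    # Template ACLs: default-deny in both directions for IPv4 and IPv6, with
    # one allow rule per populated direction.  Tests work on the deep copy
    # made in setUp, never on this dict.
    acls = {
        'v4': {
            'inbound': [{
                'group': None,
                'cidr': '10.2.3.0/24',
                'port': None,
                'protocol': None
            }],
            'inbound_default': 'deny',
            'outbound': [{
                'group': None,
                'cidr': '10.1.1.1/32',
                'port': '4',
                'protocol': 'udp'
            }],
            'outbound_default': 'deny'
        },
        'v6': {
            'inbound': [],
            'inbound_default': 'deny',
            'outbound': [{
                'group': None,
                'cidr': 'fd5f::1/128',
                'port': None,
                'protocol': None
            }],
            'outbound_default': 'deny'
        }
    }

    def test_case1(self):
        """
        Test ACL Store updates.
        - Creating and modifying ACLs for an endpoint
        """
        # Add new ACLs for an endpoint
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Modify those ACLs
        # NOTE(review): the port is an int here but a string ('4') in the
        # template - confirm which form the store is meant to accept.
        self.acls['v4']['inbound'][0]['port'] = 22
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

    def test_case2(self):
        """
        Test ACL Store query handling.
        - Query known and unknown endpoints
        """
        # Query when there are no known endpoints
        self.acl_pub.test_query_endpoint_acls('e1')
        self.acl_pub.test_wait_assert_all_acls_received()

        # Add some ACLs
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Query a known endpoint
        self.acl_pub.test_query_endpoint_acls('e1')
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Query an unknown endpoint
        self.acl_pub.test_query_endpoint_acls('e5')
        self.acl_pub.test_wait_assert_all_acls_received()

    def test_case3(self):
        """
        Clean shutdown of ACL Manager on ACL Store worker thread crash
        """
        # Patch the terminate function so the tests don't exit
        terminate_called = threading.Event()

        def _terminate(exit_code=1):
            terminate_called.set()

        # Put the real terminate back once this test is over, so a crash in
        # a later test is not silently absorbed by the stub.  unittest runs
        # cleanups after tearDown, i.e. after acl_store.stop() has been
        # called.
        self.addCleanup(setattr, utils, 'terminate', utils.terminate)
        utils.terminate = _terminate

        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_raise_exception()

        # Allow three seconds for the worker thread to call terminate
        terminate_called.wait(3)
        # Without this check the test passes even when the crash never
        # reaches terminate, which is the behaviour it is named for.
        self.assertTrue(terminate_called.is_set(),
                        "terminate was not called within three seconds")
        self.acl_pub.test_wait_assert_all_acls_received()

    def test_case4(self):
        """
        Check ACL Store suppresses superfluous no-op updates
        """
        # Add some ACLs - an update is published
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Update the same ACLs without changing them
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Now query the ACLs to check they're still returned
        self.acl_pub.test_query_endpoint_acls('e1')
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()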
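def main():
    """Start the Calico ACL Manager.

    Parses the command line, reads the plugin and local addresses and the
    logging options from the config file, configures logging through the
    ``common`` helpers, then creates the ZeroMQ context and wires together
    the ACL store, network store, publisher, rule processor and subscriber.

    Raises:
        ValueError: if a configured log severity is not a recognised name.
    """
    # Parse command line args.
    parser = argparse.ArgumentParser(description='Calico ACL Manager')
    parser.add_argument('-c', '--config-file', dest='config_file')
    args = parser.parse_args()

    # Passed to ConfigParser as its defaults, so each value is used when the
    # config file does not set the option.
    # NOTE(review): LocalAddress defaults to '*' and is handed unchanged to
    # ACLPublisher.  If the publisher binds to it, that means every
    # interface - confirm, and set LocalAddress explicitly where ACL data
    # should only be served on a management network.
    log_defaults = {'LogFilePath': None,
                    'LogSeverityFile': 'INFO',
                    'LogSeveritySys': 'ERROR',
                    'LogSeverityScreen': 'ERROR',
                    'LocalAddress': '*'}

    # Read config file.  Without -c the name is relative, so it is resolved
    # against the current working directory of the process.  read() skips a
    # missing or unreadable file without raising; PluginAddress has no
    # default, so the first get() below then fails.
    config = ConfigParser.ConfigParser(log_defaults)
    config.read(args.config_file or 'acl_manager.cfg')

    plugin_address = config.get('global', 'PluginAddress')
    local_address = config.get('global', 'LocalAddress')
    log_file_path = config.get('log', 'LogFilePath')
    log_file_level = config.get('log', 'LogSeverityFile')
    log_syslog_level = config.get('log', 'LogSeveritySys')
    log_stream_level = config.get('log', 'LogSeverityScreen')

    # Convert log level names into python log levels.
    loglevels = {"none": None,
                 "debug": logging.DEBUG,
                 "info": logging.INFO,
                 "warn": logging.WARNING,
                 "warning": logging.WARNING,
                 "err": logging.ERROR,
                 "error": logging.ERROR,
                 "crit": logging.CRITICAL,
                 "critical": logging.CRITICAL}

    def _to_level(option, name):
        # A mistyped severity used to surface as a bare KeyError; name the
        # option and the accepted values instead.
        try:
            return loglevels[name.lower()]
        except KeyError:
            raise ValueError(
                "Unknown log severity %r for option %s; expected one of: %s"
                % (name, option, ', '.join(sorted(loglevels))))

    file_level = _to_level('LogSeverityFile', log_file_level)
    syslog_level = _to_level('LogSeveritySys', log_syslog_level)
    stream_level = _to_level('LogSeverityScreen', log_stream_level)

    # Configure logging.
    common.default_logging()
    common.complete_logging(logfile=log_file_path,
                            file_level=file_level,
                            syslog_level=syslog_level,
                            stream_level=stream_level)

    # Logged at ERROR, presumably so the start-up line passes the default
    # ERROR thresholds for syslog and screen - confirm.
    log.error("ACL Manager starting (version: %s)",
              pkg_resources.get_distribution('calico'))

    # Create ZeroMQ context.
    context = zmq.Context()
    log.info("pyzmq version is %s", zmq.pyzmq_version())

    # Create and start components.
    acl_store = ACLStore()
    network_store = NetworkStore()

    publisher = ACLPublisher(context, acl_store, local_address)
    acl_store.start(publisher)

    processor = RuleProcessor(acl_store, network_store)
    network_store.add_processor(processor)

    # The subscriber is not used again in this function; presumably
    # constructing it is what starts it - confirm against NetworkSubscriber.
    subscriber = NetworkSubscriber(context, network_store, plugin_address)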
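class TestACLStore(unittest.TestCase):
    """Unit tests for the ACLStore class."""

    def setUp(self):
        """Create and start an ACLStore wired to stub collaborators."""
        # Function-scope import so this class does not depend on a new
        # file-level import.
        import copy

        # Give every test its own copy of the template ACLs.  test_case1
        # edits them in place; without the copy that edit would stay in the
        # class-level dict and make test_case2 depend on execution order.
        self.acls = copy.deepcopy(type(self).acls)

        self.acl_store = ACLStore()
        self.processor = StubRuleProcessor(self, None, self.acl_store)
        self.acl_pub = StubACLPublisher(self, self.acl_store)
        self.acl_store.start(self.acl_pub)

    def tearDown(self):
        """Stop the store and drop the per-test objects."""
        self.acl_store.stop()
        self.acl_store = None
        self.acl_pub = None
        self.processor = None

    # Template ACLs: default-deny in both directions for IPv4 and IPv6, with
    # one allow rule per populated direction.  Tests work on the deep copy
    # made in setUp, never on this dict.
    acls = {
        'v4': {
            'inbound': [{
                'group': None,
                'cidr': '10.2.3.0/24',
                'port': None,
                'protocol': None
            }],
            'inbound_default': 'deny',
            'outbound': [{
                'group': None,
                'cidr': '10.1.1.1/32',
                'port': '4',
                'protocol': 'udp'
            }],
            'outbound_default': 'deny'
        },
        'v6': {
            'inbound': [],
            'inbound_default': 'deny',
            'outbound': [{
                'group': None,
                'cidr': 'fd5f::1/128',
                'port': None,
                'protocol': None
            }],
            'outbound_default': 'deny'
        }
    }

    def test_case1(self):
        """
        Test ACL Store updates.
        - Creating and modifying ACLs for an endpoint
        """
        # Add new ACLs for an endpoint
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Modify those ACLs
        # NOTE(review): the port is an int here but a string ('4') in the
        # template - confirm which form the store is meant to accept.
        self.acls['v4']['inbound'][0]['port'] = 22
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

    def test_case2(self):
        """
        Test ACL Store query handling.
        - Query known and unknown endpoints
        """
        # Query when there are no known endpoints
        self.acl_pub.test_query_endpoint_acls('e1')
        self.acl_pub.test_wait_assert_all_acls_received()

        # Add some ACLs
        self.processor.test_update_endpoint_acls('e1', self.acls)
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Query a known endpoint
        self.acl_pub.test_query_endpoint_acls('e1')
        self.acl_pub.test_set_expected_acls('e1', self.acls)
        self.acl_pub.test_wait_assert_all_acls_received()

        # Query an unknown endpoint
        self.acl_pub.test_query_endpoint_acls('e5')
        self.acl_pub.test_wait_assert_all_acls_received()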