Example #1
0
 def test_validate_rules_canon(self):
     rules = {
         "inbound_rules": [
             {"protocol": "tcp", "ip_version": 4, "src_net": "10/8",
              "dst_net": "11.0/16", "src_ports": [10, "11:12"],
              "action": "allow"},
             {"protocol": "tcp", "src_net": None},
         ],
         "outbound_rules": [
             {"protocol": "tcp", "ip_version": 6,
              "src_net": "2001:0::1/128", "dst_net": "2001:0::/64",
              "icmp_type": 7, "icmp_code": 10,
              "action": "deny"}
         ],
     }
     common.validate_rules("profile_id", rules)
     # Check IPs get made canonical.
     self.assertEqual(rules, {
         "inbound_rules": [
             {"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8",
              "dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"],
              "action": "allow"},
             {"protocol": "tcp"},
         ],
         "outbound_rules": [
             {"protocol": "tcp", "ip_version": 6,
              "src_net": "2001::1/128", "dst_net": "2001::/64",
              "icmp_type": 7, "icmp_code": 10,
              "action": "deny"}
         ],
     })
Example #2
0
 def test_validate_rules_canon(self):
     rules = {
         "inbound_rules": [
             {"protocol": "tcp", "ip_version": 4, "src_net": "10/8",
              "dst_net": "11.0/16", "src_ports": [10, "11:12"],
              "action": "allow"},
             {"protocol": "tcp", "src_net": None},
         ],
         "outbound_rules": [
             {"protocol": "tcp", "ip_version": 6,
              "src_net": "2001:0::1/128", "dst_net": "2001:0::/64",
              "icmp_type": 7, "icmp_code": 10,
              "action": "deny"}
         ],
     }
     common.validate_rules("profile_id", rules)
     # Check IPs get made canonical.
     self.assertEqual(rules, {
         "inbound_rules": [
             {"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8",
              "dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"],
              "action": "allow"},
             {"protocol": "tcp"},
         ],
         "outbound_rules": [
             {"protocol": "tcp", "ip_version": 6,
              "src_net": "2001::1/128", "dst_net": "2001::/64",
              "icmp_type": 7, "icmp_code": 10,
              "action": "deny"}
         ],
     })
Example #3
0
def parse_rules(profile_id, raw_json):
    rules = safe_decode_json(raw_json, log_tag="rules %s" % profile_id)
    try:
        common.validate_rules(profile_id, rules)
    except ValidationFailed as e:
        _log.exception("Validation failed for profile %s rules: %s; %r", profile_id, rules, e)
        return None
    else:
        return rules
Example #4
0
def parse_rules(profile_id, raw_json):
    rules = safe_decode_json(raw_json, log_tag="rules %s" % profile_id)
    try:
        common.validate_rules(profile_id, rules)
    except ValidationFailed as e:
        _log.exception("Validation failed for profile %s rules: %s; %r",
                       profile_id, rules, e)
        return None
    else:
        return rules
Example #5
0
    def assertNeutronToEtcd(self, neutron_rule, exp_etcd_rule):
        etcd_rule = t_etcd._neutron_rule_to_etcd_rule(neutron_rule)
        self.assertEqual(etcd_rule, exp_etcd_rule)

        # Check felix is happy with generated rule.
        if neutron_rule["direction"] == "ingress":
            rules = {"inbound_rules": [etcd_rule], "outbound_rules": []}
        else:
            rules = {"outbound_rules": [etcd_rule], "inbound_rules": []}
        common.validate_rules("profile_id", rules)
    def assertNeutronToEtcd(self, neutron_rule, exp_etcd_rule):
        etcd_rule = t_etcd._neutron_rule_to_etcd_rule(neutron_rule)
        self.assertEqual(etcd_rule, exp_etcd_rule)

        # Check felix is happy with generated rule.
        if neutron_rule["direction"] == "ingress":
            rules = {"inbound_rules": [etcd_rule], "outbound_rules": []}
        else:
            rules = {"outbound_rules": [etcd_rule], "inbound_rules": []}
        common.validate_rules("profile_id", rules)
Example #7
0
def parse_rules(profile_id, raw_json):
    rules = json_decoder.decode(raw_json)
    try:
        common.validate_rules(profile_id, rules)
    except ValidationFailed:
        _log.exception("Validation failed for profile %s rules: %s",
                       profile_id, rules)
        return None
    else:
        return rules
Example #8
0
def parse_if_rules(etcd_node):
    m = RULES_KEY_RE.match(etcd_node.key)
    if m:
        # Got some rules.
        profile_id = m.group("profile_id")
        if etcd_node.action == "delete":
            rules = None
        else:
            rules = json_decoder.decode(etcd_node.value)
            rules["id"] = profile_id
            try:
                common.validate_rules(rules)
            except ValidationFailed:
                _log.exception("Validation failed for profile %s rules: %s",
                               profile_id, rules)
                return profile_id, None

        _log.debug("Found rules for profile %s : %s", profile_id, rules)

        return profile_id, rules
    return None, None
Example #9
0
    def test_validate_rules(self):
        profile_id = "valid_name-ok."
        rules = {'inbound_rules': [],
                 'outbound_rules': []}
        common.validate_rules(profile_id, rules.copy())

        with self.assertRaisesRegexp(ValidationFailed,
                                     "Expected rules to be a dict"):
            common.validate_rules(profile_id, [])

        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid profile_id"):
            common.validate_rules("a&b", rules.copy())

        # No rules.
        with self.assertRaisesRegexp(ValidationFailed,
                                     "No outbound_rules"):
            common.validate_rules(profile_id, {'inbound_rules':[]})
        with self.assertRaisesRegexp(ValidationFailed,
                                     "No inbound_rules"):
            common.validate_rules(profile_id, {'outbound_rules':[]})

        rules = {'inbound_rules': 3,
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                            "Expected rules\[inbound_rules\] to be a list"):
            common.validate_rules(profile_id, rules.copy())

        rule = "not a dict"
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                            "Rules should be dicts"):
            common.validate_rules(profile_id, rules.copy())

        rule = {'bad_key': ""}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Rule contains unknown keys"):
            common.validate_rules(profile_id, rules)

        rule = {'protocol': "bloop"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid protocol in rule"):
            common.validate_rules(profile_id, rules)

        rule = {'ip_version': 5}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid ip_version in rule"):
            common.validate_rules(profile_id, rules)

        rule = {'ip_version': 4,
                'protocol': "icmpv6"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Using icmpv6 with IPv4"):
            common.validate_rules(profile_id, rules)

        rule = {'ip_version': 6,
                'protocol': "icmp"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Using icmp with IPv6"):
            common.validate_rules(profile_id, rules)

        rule = {'src_tag': "abc",
                'protocol': "icmp"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        common.validate_rules(profile_id, rules)

        rule = {'src_tag': "a!b",
                'protocol': "icmp"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid src_tag"):
            common.validate_rules(profile_id, rules)

        rule = {'dst_tag': "x,y",
                'protocol': "icmp"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid dst_tag"):
            common.validate_rules(profile_id, rules)

        rule = {'src_net': "nonsense"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid CIDR"):
            common.validate_rules(profile_id, rules)

        rule = {'dst_net': "1.2.3.4/16",
                'ip_version': 6}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid CIDR"):
            common.validate_rules(profile_id, rules)

        rule = {'src_ports': "nonsense"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Expected ports to be a list"):
            common.validate_rules(profile_id, rules)

        rule = {'dst_ports': [32, "nonsense"]}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid port"):
            common.validate_rules(profile_id, rules)

        rule = {'action': "nonsense"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid action"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': "nonsense"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP type is not an integer"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': -1}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP type is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 256}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP type is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 22,
                'icmp_code': "2"}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code is not an integer"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 0,
                'icmp_code': -1}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 0,
                'icmp_code': 256}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_code': 2}
        rules = {'inbound_rules': [rule],
                 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code specified without ICMP type"):
            common.validate_rules(profile_id, rules)
Example #10
0
    def test_validate_rules(self):
        profile_id = "valid_name-ok."
        rules = {'inbound_rules': [], 'outbound_rules': []}
        common.validate_rules(profile_id, rules.copy())

        with self.assertRaisesRegexp(ValidationFailed,
                                     "Expected rules to be a dict"):
            common.validate_rules(profile_id, [])

        with self.assertRaisesRegexp(ValidationFailed, "Invalid profile_id"):
            common.validate_rules("a&b", rules.copy())

        # No rules.
        with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"):
            common.validate_rules(profile_id, {'inbound_rules': []})
        with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"):
            common.validate_rules(profile_id, {'outbound_rules': []})

        rules = {'inbound_rules': 3, 'outbound_rules': []}
        with self.assertRaisesRegexp(
                ValidationFailed,
                "Expected rules\[inbound_rules\] to be a list"):
            common.validate_rules(profile_id, rules.copy())

        rule = "not a dict"
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Rules should be dicts"):
            common.validate_rules(profile_id, rules.copy())

        rule = {'bad_key': ""}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Rule contains unknown keys"):
            common.validate_rules(profile_id, rules)

        rule = {'protocol': "bloop"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(
                ValidationFailed, "Invalid protocol bloop in rule "
                "{'protocol': 'bloop'}"):
            common.validate_rules(profile_id, rules)

        rule = {'ip_version': 5}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid ip_version in rule"):
            common.validate_rules(profile_id, rules)

        rule = {'ip_version': 4, 'protocol': "icmpv6"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Using icmpv6 with IPv4"):
            common.validate_rules(profile_id, rules)

        rule = {'ip_version': 6, 'protocol': "icmp"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"):
            common.validate_rules(profile_id, rules)

        rule = {'src_tag': "abc", 'protocol': "icmp"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        common.validate_rules(profile_id, rules)

        rule = {'src_tag': "abc", 'protocol': "123"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        common.validate_rules(profile_id, rules)

        rule = {'protocol': "256"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid protocol 256 in rule"):
            common.validate_rules(profile_id, rules)

        rule = {'protocol': "0"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Invalid protocol 0 in rule"):
            common.validate_rules(profile_id, rules)

        rule = {'src_tag': "a!b", 'protocol': "icmp"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"):
            common.validate_rules(profile_id, rules)

        rule = {'dst_tag': "x,y", 'protocol': "icmp"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"):
            common.validate_rules(profile_id, rules)

        rule = {'src_net': "nonsense"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"):
            common.validate_rules(profile_id, rules)

        rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"):
            common.validate_rules(profile_id, rules)

        rule = {'src_ports': "nonsense"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "Expected ports to be a list"):
            common.validate_rules(profile_id, rules)

        rule = {'dst_ports': [32, "nonsense"]}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Invalid port"):
            common.validate_rules(profile_id, rules)

        rule = {'action': "nonsense"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed, "Invalid action"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': "nonsense"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP type is not an integer"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': -1}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP type is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 256}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP type is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 22, 'icmp_code': "2"}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code is not an integer"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 0, 'icmp_code': -1}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_type': 0, 'icmp_code': 256}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code is out of range"):
            common.validate_rules(profile_id, rules)

        rule = {'icmp_code': 2}
        rules = {'inbound_rules': [rule], 'outbound_rules': []}
        with self.assertRaisesRegexp(ValidationFailed,
                                     "ICMP code specified without ICMP type"):
            common.validate_rules(profile_id, rules)