def testLogging(self, option, want_logging): self.naming.GetNetAddr.return_value = [nacaddr.IPv4('192.168.0.0/24')] self.naming.GetServiceByProto.return_value = ['25'] expected_output = ( ' test-filter {\n' + ' services {\n' + ' stateful-firewall {\n' + ' rule test-filter {\n' + ' match-direction input-output;\n' + ' term good-term-1 {\n' + ' from {\n' + ' application-sets ' 'test-filtergood-term-1-app;\n' + ' }\n' + ' then {\n' + ' accept;\n' + ' syslog;\n' + ' }\n' + ' }\n' + ' }\n' + ' }\n' + ' }\n' + ' applications {\n' + ' application test-filtergood-term-1-app1 {\n' + ' protocol icmp;\n' + ' }\n' + ' application-set test-filtergood-term-1-app {\n' + ' application test-filtergood-term-1-app1;\n' + ' }\n' + ' }\n' + ' }\n' + '}\n' + 'apply-groups test-filter;') msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy( GOOD_HEADER_MIXED_IMPLICIT + (LOGGING_TERM % option), self.naming), EXP_INFO) output = str(msmpc) if want_logging: self.assertIn(expected_output, output, output) else: self.assertNotIn(expected_output, output, output)
def testDirection(self, header, direction): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(header + GOOD_TERM_3, self.naming), EXP_INFO) output = str(msmpc) expected_output = (' rule test-filter {\n' + ' match-direction %s;') self.assertIn(expected_output % direction, output, output)
def testInactiveTerm(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_36, self.naming), EXP_INFO) output = str(msmpc) self.assertIn('inactive: term good-term-36 {', output)
def testDefaultDeny(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming), EXP_INFO) output = str(msmpc) self.assertNotIn('from {', output, output) self.assertIn('discard;', output, output)
def testBuildTokens(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_35, self.naming), EXP_INFO) st, sst = msmpc._BuildTokens() self.assertSetEqual(st, SUPPORTED_TOKENS) self.assertDictEqual(sst, SUPPORTED_SUB_TOKENS)
def testMinimizePrefixes(self): includes = ['1.0.0.0/8', '2.0.0.0/8'] excludes = ['1.1.1.1/32', '2.0.0.0/8', '3.3.3.3/32'] expected = ['1.0.0.0/8;', '1.1.1.1/32 except;'] unexpected = ['2.0.0.0/8;', '2.0.0.0/8 except;', '3.3.3.3/32'] self.naming.GetNetAddr.side_effect = [[ nacaddr.IPv4(ip) for ip in includes ], [nacaddr.IPv4(ip) for ip in excludes]] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19, self.naming), EXP_INFO) output = str(msmpc) for result in expected: self.assertIn(result, output, 'expected "%s" in %s' % (result, output)) for result in unexpected: self.assertNotIn(result, output, 'unexpected "%s" in %s' % (result, output)) self.naming.GetNetAddr.assert_has_calls( [mock.call('INCLUDES'), mock.call('EXCLUDES')])
def testExpiredTerm(self, mock_warn): _ = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM, self.naming), EXP_INFO) mock_warn.assert_called_once_with( 'WARNING: Term %s in policy %s is expired and will ' 'not be rendered.', 'is_expired', 'test-filter')
def testAddressExclude(self): big = nacaddr.IPv4('0.0.0.0/1', comment='half of everything') ip1 = nacaddr.IPv4('10.0.0.0/8', comment='RFC1918 10-net') ip2 = nacaddr.IPv4('172.16.0.0/12', comment='RFC1918 172-net') terms = (GOOD_TERM_18_SRC, GOOD_TERM_18_DST) self.naming.GetNetAddr.side_effect = [[big, ip1, ip2], [ip1] ] * len(terms) mock_calls = [] for term in terms: msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + term, self.naming), EXP_INFO) output = str(msmpc) expected_output = ( ' ' + ('source' if term == GOOD_TERM_18_SRC else 'destination') + '-address {\n' + ' /* half of everything, RFC1918 ' '10-net */\n' + ' 0.0.0.0/1;\n' + ' /* RFC1918 172-net */\n' + ' 172.16.0.0/12;\n' + ' /* RFC1918 10-net */\n' + ' 10.0.0.0/8 except;\n' + ' }') self.assertIn(expected_output, output, output) self.assertNotIn('10.0.0.0/8;', output, output) self.assertNotIn('172.16.0.0/12 except;', output, output) mock_calls.append(mock.call('INTERNAL')) mock_calls.append(mock.call('SOME_HOST')) self.naming.GetNetAddr.assert_has_calls(mock_calls)
def testProtocolCase(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming), EXP_INFO) output = str(msmpc) self.assertIn('protocol icmp;', output, output) self.assertIn('protocol tcp;', output, output)
def testV6SlashFourteenReplacement(self): self.naming.GetNetAddr.return_value = ([ nacaddr.IPv4('0.0.0.0/1'), nacaddr.IPv6('::/14') ]) self.naming.GetServiceByProto.return_value = ['25'] expectedv4 = (' term good-term-2-inet {\n' + ' from {\n' + ' destination-address {\n' + ' 0.0.0.0/1;\n' + ' }') expectedv6 = (' term good-term-2-inet6 {\n' + ' from {\n' + ' destination-address {\n' + ' ::/16;\n' + ' 1::/16;\n' + ' 2::/16;\n' + ' 3::/16;\n' + ' }') msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER_MIXED + GOOD_TERM_1, self.naming), EXP_INFO) output = str(msmpc) self.assertIn(expectedv4, output, output) self.assertIn(expectedv6, output, output)
def testOwnerTerm(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17, self.naming), EXP_INFO) output = str(msmpc) self.assertIn( ' /*\n' ' ** Owner: [email protected]\n' ' */', output, output)
def testPrefixListExcept(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_30, self.naming), EXP_INFO) spfx_re = re.compile(r'source-prefix-list foo_prefix_list except;') dpfx_re = re.compile(r'destination-prefix-list bar_prefix_list except;') output = str(msmpc) self.assertTrue(spfx_re.search(output), output) self.assertTrue(dpfx_re.search(output), output)
def testNotRangedPorts(self): self.naming.GetServiceByProto.side_effect = [['67'], ['69']] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + RANGE_PORTS_TERM, self.naming), EXP_INFO) self.assertNotIn('destination-port 67-68;', str(msmpc)) self.assertIn('destination-port 67;', str(msmpc)) self.assertIn('destination-port 69;', str(msmpc))
def testVerbatimTerm(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming), EXP_INFO) output = str(msmpc) self.assertIn('mary had a little lamb', output, output) # check if other platforms verbatim shows up in output self.assertNotIn('mary had a second lamb', output, output) self.assertNotIn('mary had a third lamb', output, output) self.assertNotIn('mary had a fourth lamb', output, output)
def testIcmpType(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming), EXP_INFO) output = str(msmpc) # verify proper translation from policy icmp-type text to juniper-esque self.assertIn('icmp-type 0;', output, output) self.assertIn('icmp-type 15;', output, output) self.assertIn('icmp-type 10;', output, output) self.assertIn('icmp-type 13;', output, output) self.assertIn('icmp-type 16;', output, output)
def testExpiringTerm(self, mock_info): exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO) _ = junipermsmpc.JuniperMSMPC( policy.ParsePolicy( GOOD_HEADER + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'), self.naming), EXP_INFO) mock_info.assert_called_once_with( 'INFO: Term %s in policy %s expires in ' 'less than two weeks.', 'is_expiring', 'test-filter')
def testMixed(self, addresses, expected, notexpected): self.naming.GetNetAddr.side_effect = addresses self.naming.GetServiceByProto.return_value = ['25'] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER_MIXED + MIXED_TESTING_TERM, self.naming), EXP_INFO) output = str(msmpc) for expect in expected: self.assertIn(expect, output, output) for notexpect in notexpected: self.assertNotIn(notexpect, output, output)
def testRejectIPv6(self): self.naming.GetServiceByProto.return_value = ['53'] policy_text = GOOD_HEADER_V6 + GOOD_TERM_26_V6_REJECT msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(policy_text, self.naming), EXP_INFO) output = str(msmpc) self.assertIn('then {', output, output) self.assertIn('reject;', output, output) self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testTcpEstablished(self): self.naming.GetServiceByProto.return_value = ['53'] policy_text = GOOD_HEADER + ESTABLISHED_TERM_1 msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(policy_text, self.naming), EXP_INFO) output = str(msmpc) self.assertNotIn('term established-term-1', output, output) self.assertNotIn('tcp-established', output, output) self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testDiscardIPv4(self): self.naming.GetServiceByProto.return_value = ['53'] policy_text = GOOD_HEADER + GOOD_TERM_26 msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(policy_text, self.naming), EXP_INFO) output = str(msmpc) self.assertIn('then {', output, output) self.assertIn('discard;', output, output) self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testGroup(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming), EXP_INFO) self.assertEqual('b;', msmpc._Group(['B'])) self.assertEqual('B;', msmpc._Group(['B'], lc=False)) self.assertEqual('b;', msmpc._Group(['B'], lc=True)) self.assertEqual('100;', msmpc._Group([100])) self.assertEqual('100-200;', msmpc._Group([(100, 200)])) self.assertEqual('[ b a ];', msmpc._Group(['b', 'A'])) self.assertEqual('[ 99 101-199 ];', msmpc._Group([99, (101, 199)])) self.assertEqual('[ 99 101-199 ];', msmpc._Group([99, (101, 199)]))
def testIcmpInet6Mismatch(self, mock_debug): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER_V6 + BAD_ICMPTYPE_TERM_2, self.naming), EXP_INFO) # output happens in __str_ str(msmpc) mock_debug.assert_called_once_with( 'Term icmptype-mismatch will not be rendered,' ' as it has icmp match specified but ' 'the ACL is of inet6 address family.')
def testTermAndFilterName(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] self.naming.GetServiceByProto.return_value = ['25'] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming), EXP_INFO) output = str(msmpc) self.assertIn('term good-term-1 {', output, output) self.assertIn('rule test-filter {', output, output) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST') self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testProtocolCase(self): msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming), EXP_INFO) output = str(msmpc) expected_output = ( ' application test-filtergood-term-5-app1 {\n' + ' protocol icmp;\n' + ' }\n' + ' application test-filtergood-term-5-app2 {\n' + ' protocol tcp;\n' + ' destination-port 1-65535;\n' + ' }') self.assertIn(expected_output, output, output)
def testTermNameCollision(self): short_append = '1' * ( junipermsmpc.MAX_IDENTIFIER_LEN // 2 - len('?ood-term-1')) long_append = short_append + '1' not_too_long_name = (TERM_NAME_COLLISION % (short_append, short_append)) too_long_name = (TERM_NAME_COLLISION % (long_append, long_append)) pol = policy.ParsePolicy(GOOD_HEADER + too_long_name, self.naming) self.assertRaises(junipermsmpc.ConflictingApplicationSetsError, junipermsmpc.JuniperMSMPC, pol, EXP_INFO) _ = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + not_too_long_name, self.naming), EXP_INFO)
def testInet6(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/33')] self.naming.GetServiceByProto.return_value = ['25'] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_1_V6, self.naming), EXP_INFO) output = str(msmpc) self.assertTrue( 'protocol icmp6;' in output and 'protocol tcp;' in output, output) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST') self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testMixedv6(self): self.naming.GetNetAddr.return_value = ([nacaddr.IPv6('2001::/33')]) self.naming.GetServiceByProto.return_value = ['25'] expected = (' term good-term-2 {\n' + ' from {\n' + ' destination-address {\n' + ' 2001::/33;\n' + ' }') msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER_MIXED + GOOD_TERM_1, self.naming), EXP_INFO) output = str(msmpc) self.assertIn(expected, output, output)
def testNoMatchReversal(self): includes = ['10.0.0.0/8', '10.0.0.0/10'] excludes = ['10.0.0.0/9'] expected = ['10.0.0.0/8;', '10.0.0.0/10;', '10.0.0.0/9 except;'] self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4(ip) for ip in includes], [nacaddr.IPv4(ip) for ip in excludes]] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19, self.naming), EXP_INFO) output = str(msmpc) for result in expected: self.assertIn(result, output)
def testStatelessReply(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.1/32')] self.naming.GetServiceByProto.return_value = ['25'] ret = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming) _, terms = ret.filters[0] for term in terms: if term.protocol[0] == 'icmp': term.stateless_reply = True msmpc = junipermsmpc.JuniperMSMPC(ret, EXP_INFO) output = str(msmpc) self.assertNotIn('term good-term-1 {', output, output) self.assertIn('term good-term-2 {', output, output)
def testNoVerboseV4(self): addr_list = list() for octet in range(0, 256): net = nacaddr.IP('192.168.' + str(octet) + '.64/27') addr_list.append(net) self.naming.GetNetAddr.return_value = addr_list self.naming.GetServiceByProto.return_value = ['25'] msmpc = junipermsmpc.JuniperMSMPC( policy.ParsePolicy( GOOD_NOVERBOSE_V4_HEADER + GOOD_TERM_1 + GOOD_TERM_COMMENT, self.naming), EXP_INFO) self.assertIn('192.168.0.64/27;', str(msmpc)) self.assertNotIn('COMMENT', str(msmpc)) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST') self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')