def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: if ':' not in sg: sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg else: sg_fq_name = sg addr = AddressType(security_group=sg_fq_name) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule
def _create_policy(self, policy_name, proj_obj, src_vn_obj, dst_vn_obj): policy_exists = False policy = NetworkPolicy(name=policy_name, parent_obj=proj_obj) try: policy_obj = self._vnc_lib.network_policy_read( fq_name=policy.get_fq_name()) policy_exists = True except NoIdError: # policy does not exist. Create one. policy_obj = policy network_policy_entries = PolicyEntriesType([ PolicyRuleType( direction='<>', action_list=ActionListType(simple_action='pass'), protocol='any', src_addresses=[ AddressType(virtual_network=src_vn_obj.get_fq_name_str()) ], src_ports=[PortType(-1, -1)], dst_addresses=[ AddressType(virtual_network=dst_vn_obj.get_fq_name_str()) ], dst_ports=[PortType(-1, -1)]) ]) policy_obj.set_network_policy_entries(network_policy_entries) if policy_exists: self._vnc_lib.network_policy_update(policy) else: self._vnc_lib.network_policy_create(policy) return policy_obj
def _security_group_rule_build(self, rule_info, sg_fq_name_str): protocol = rule_info['protocol'] port_min = rule_info['port_min'] or 0 port_max = rule_info['port_max'] or 65535 direction = rule_info['direction'] or 'ingress' ip_prefix = rule_info['ip_prefix'] ether_type = rule_info['ether_type'] if ip_prefix: cidr = ip_prefix.split('/') pfx = cidr[0] pfx_len = int(cidr[1]) endpt = [AddressType(subnet=SubnetType(pfx, pfx_len))] else: endpt = [AddressType(security_group=sg_fq_name_str)] local = None remote = None if direction == 'ingress': dir = '>' local = endpt remote = [AddressType(security_group='local')] else: dir = '>' remote = endpt local = [AddressType(security_group='local')] if not protocol: protocol = 'any' if protocol.isdigit(): protocol = int(protocol) if protocol < 0 or protocol > 255: raise Exception('SecurityGroupRuleInvalidProtocol-%s' % protocol) else: if protocol not in ['any', 'tcp', 'udp', 'icmp']: raise Exception('SecurityGroupRuleInvalidProtocol-%s' % protocol) if not ip_prefix and not sg_fq_name_str: if not ether_type: ether_type = 'IPv4' sgr_uuid = str(uuid.uuid4()) rule = PolicyRuleType(rule_uuid=sgr_uuid, direction=dir, protocol=protocol, src_addresses=local, src_ports=[PortType(0, 65535)], dst_addresses=remote, dst_ports=[PortType(port_min, port_max)], ethertype=ether_type) return rule
def _create_policy_entry(self, src_vn_obj, dst_vn_obj): return PolicyRuleType( direction='<>', action_list=ActionListType(simple_action='pass'), protocol='any', src_addresses=[ AddressType(virtual_network=src_vn_obj.get_fq_name_str()) ], src_ports=[PortType(-1, -1)], dst_addresses=[ AddressType(virtual_network=dst_vn_obj.get_fq_name_str()) ], dst_ports=[PortType(-1, -1)])
def test_security_group_rule_list_per_security_group(self): sg1 = SecurityGroup('sg1-%s' % self.id(), parent_obj=self.project) sgr1_id = str(uuid.uuid4()) rule = PolicyRuleType( rule_uuid=sgr1_id, protocol='any', src_addresses=[AddressType(security_group='local')], dst_addresses=[AddressType(security_group='local')], ) sg1.set_security_group_entries(PolicyEntriesType([rule])) self._vnc_lib.security_group_create(sg1) sg2 = SecurityGroup('sg2-%s' % self.id(), parent_obj=self.project) sgr2_id = str(uuid.uuid4()) rule = PolicyRuleType( rule_uuid=sgr2_id, protocol='any', src_addresses=[AddressType(security_group='local')], dst_addresses=[AddressType(security_group='local')], ) sg2.set_security_group_entries(PolicyEntriesType([rule])) self._vnc_lib.security_group_create(sg2) list_result = self.list_resource( 'security_group_rule', self.project_id, req_filters={ 'security_group_id': [sg1.uuid], }, ) self.assertEqual(set([sgr1_id]), {sgr['id'] for sgr in list_result}) list_result = self.list_resource( 'security_group_rule', self.project_id, req_filters={ 'security_group_id': [sg1.uuid, sg2.uuid], }, ) self.assertEqual(set([sgr1_id, sgr2_id]), {sgr['id'] for sgr in list_result}) list_result = self.list_resource('security_group_rule', self.project_id) self.assertTrue( set([sgr1_id, sgr2_id]).issubset({sgr['id'] for sgr in list_result}))
def frame_rule_addresses(self, addr): addrs = [addr] if isinstance(addr, dict) else addr rule_kwargs = {} for addr in addrs: if addr["type"] == "vn": vn = addr["value"] if isinstance(vn, basestring): rule_kwargs.update({'virtual_network': vn}) else: rule_kwargs.update( {'virtual_network': vn.get_fq_name_str()}) elif addr["type"] == "cidr_list": subnets = [] for cidr in addr["value"]: pfx, pfx_len = cidr.split('/') subnets.append(SubnetType(pfx, int(pfx_len))) rule_kwargs.update({'subnet_list': subnets}) else: cidr = addr["value"].split('/') pfx = cidr[0] pfx_len = int(cidr[1]) rule_kwargs.update({'subnet': SubnetType(pfx, pfx_len)}) rule_addr = AddressType(**rule_kwargs) return rule_addr
def test_security_logging_object_with_policy_and_security_group(self): # Add a Network Policy Rule and a Security Group Rule to a # SLO vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") rule1 = { "protocol": "udp", "direction": "<>", "src": { "type": "vn", "value": vn1 }, "dst": { "type": "cidr", "value": "10.2.1.1/32" }, "action": "deny" } np = self.create_network_policy_with_multiple_rules([rule1]) seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) sg_obj = SecurityGroup(name=self.id() + '_sg1') self._vnc_lib.security_group_create(sg_obj) sgr_uuid = str(uuid.uuid4()) sg_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='tcp', src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(security_group='local')], dst_ports=[PortType(0, 65535)], ether_type='IPv4') sg_policy_rules = PolicyEntriesType([sg_rule]) sg_obj.set_security_group_entries(sg_policy_rules) self._vnc_lib.security_group_update(sg_obj) project = self._vnc_lib.project_read( fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(SecurityLoggingObjectST, slo_obj.get_fq_name_str()) np_rule1 = np.get_network_policy_entries().get_policy_rule()[0] np_fqdn = np.get_fq_name_str() np_rule1_uuid = np_rule1.get_rule_uuid() slo_rule_entries = [] slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300)) slo_rule_entries.append( SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300)) slo_obj = self._vnc_lib.security_logging_object_read( fq_name=slo_obj.get_fq_name()) slo_obj.add_network_policy(np, None) sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid()) slo_obj.add_security_group(sg_obj, None) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries) slo_obj.del_network_policy(np) slo_obj.del_security_group(sg_obj) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete( fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_network_policy_update(self): vn1_name = self.id() + 'vn1' vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24") np = self.create_network_policy_with_multiple_rules([]) np_fqdn = np.get_fq_name_str() seq = SequenceType(1, 1) vnp = VirtualNetworkPolicyType(seq) vn1.set_network_policy(np, vnp) self._vnc_lib.virtual_network_update(vn1) project = self._vnc_lib.project_read( fq_name=[u'default-domain', u'default-project']) slo_name = self.id() + '_slo1' slo_obj = SecurityLoggingObject(name=slo_name, parent_obj=project, security_logging_object_rate=300) self._vnc_lib.security_logging_object_create(slo_obj) self.wait_to_get_object(SecurityLoggingObjectST, slo_obj.get_fq_name_str()) slo_obj.add_network_policy(np, None) self._vnc_lib.security_logging_object_update(slo_obj) npr_uuid = str(uuid.uuid4()) action_list = ActionListType() action_list.simple_action = 'pass' np_rule = PolicyRuleType( rule_uuid=npr_uuid, direction='>', protocol='tcp', src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))], dst_ports=[PortType(0, 65535)], ether_type='IPv4', action_list=action_list) np.set_network_policy_entries(PolicyEntriesType([np_rule])) self._vnc_lib.network_policy_update(np) slo_obj = self._vnc_lib.security_logging_object_read( fq_name=slo_obj.get_fq_name()) expected_rule_list = [ SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300) ] st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, np_fqdn, expected_rule_list) slo_obj.del_network_policy(np) self._vnc_lib.security_logging_object_update(slo_obj) st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()) self.check_rules_in_slo(st_slo, None, []) # cleanup self.delete_network_policy(np, auto_policy=True) self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name()) self._vnc_lib.security_logging_object_delete( fq_name=slo_obj.get_fq_name()) # check if vn is deleted self.check_vn_is_deleted(uuid=vn1.uuid)