def test_replace_selector_with_object(self):
"""
Checks that the validate_profile() method replaces selectors
(with their object representations).
"""
policy = {
"selector":
"a == 'b'",
"inbound_rules": [{
"src_selector": "b == 'c'",
"dst_selector": "e == 'f'"
}],
"outbound_rules": [{
"src_selector": "h == 'c'",
"dst_selector": "i == 'f'"
}],
"order":
10
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
self.assertEqual(policy["selector"], parse_selector("a == 'b'"))
self.assertEqual(policy["inbound_rules"][0]["src_selector"],
parse_selector("b == 'c'"))
self.assertEqual(policy["inbound_rules"][0]["dst_selector"],
parse_selector("e == 'f'"))
self.assertEqual(policy["outbound_rules"][0]["src_selector"],
parse_selector("h == 'c'"))
self.assertEqual(policy["outbound_rules"][0]["dst_selector"],
parse_selector("i == 'f'"))
def test_replace_selector_with_object(self):
"""
Checks that the validate_profile() method replaces selectors
(with their object representations).
"""
policy = {
"selector": "a == 'b'",
"inbound_rules": [
{"src_selector": "b == 'c'", "dst_selector": "e == 'f'"}
],
"outbound_rules": [
{"src_selector": "h == 'c'", "dst_selector": "i == 'f'"}
],
"order": 10
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
self.assertEqual(policy["selector"], parse_selector("a == 'b'"))
self.assertEqual(policy["inbound_rules"][0]["src_selector"],
parse_selector("b == 'c'"))
self.assertEqual(policy["inbound_rules"][0]["dst_selector"],
parse_selector("e == 'f'"))
self.assertEqual(policy["outbound_rules"][0]["src_selector"],
parse_selector("h == 'c'"))
self.assertEqual(policy["outbound_rules"][0]["dst_selector"],
parse_selector("i == 'f'"))
def parse_policy(profile_id, raw_json, require_selector=False,
require_order=False):
policy = safe_decode_json(raw_json, log_tag="policy %s" % profile_id)
try:
common.validate_policy(profile_id, policy)
except ValidationFailed as e:
_log.exception("Validation failed for policy %s: %s",
profile_id, policy)
return None
else:
return policy
def parse_policy(profile_id, raw_json, require_selector=False,
require_order=False):
policy = safe_decode_json(raw_json, log_tag="policy %s" % profile_id)
try:
common.validate_policy(profile_id, policy)
except ValidationFailed as e:
_log.exception("Validation failed for policy %s: %s",
profile_id, policy)
return None
else:
return policy
def test_validate_policy(self):
policy_id = TieredPolicyId("a", "b")
with self.assertRaisesRegexp(ValidationFailed,
"Expected policy 'a/b' to "
"be a dict"):
common.validate_policy(policy_id, [])
rules = {'selector': "+abcd", # Bad selector
'inbound_rules': [],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Failed to parse selector"):
common.validate_policy(policy_id, rules)
def test_validate_policy(self):
policy_id = TieredPolicyId("a", "b")
with self.assertRaisesRegexp(ValidationFailed,
"Expected policy 'a/b' to "
"be a dict"):
common.validate_policy(policy_id, [])
rules = {'selector': "+abcd", # Bad selector
'inbound_rules': [],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Failed to parse selector"):
common.validate_policy(policy_id, rules)
def test_validate_order(self):
policy = {
"selector": "a == 'b'",
"order": 10,
"inbound_rules": [],
"outbound_rules": [],
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"selector": "a == 'b'",
"order": "10",
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"selector": "a == 'b'",
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"order": 10,
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
def test_validate_order(self):
policy = {
"selector": "a == 'b'",
"order": 10,
"inbound_rules": [],
"outbound_rules": [],
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"selector": "a == 'b'",
"order": "10",
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"selector": "a == 'b'",
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"order": 10,
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
def test_validate_order(self):
policy = {
"selector": "a == 'b'",
"order": 10,
"inbound_rules": [],
"outbound_rules": [],
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"selector": "a == 'b'",
"order": "10",
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
policy = {
"selector": "a == 'b'",
"inbound_rules": [],
"outbound_rules": [],
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
self.assertEqual(policy["order"], common.INFINITY)
self.assertGreater(policy["order"], 9999999999999999999999999999999999)
policy = {
"selector": "a == 'b'",
"inbound_rules": [],
"outbound_rules": [],
"order": "default",
}
common.validate_policy(TieredPolicyId("a", "b"), policy)
self.assertEqual(policy["order"], common.INFINITY)
self.assertGreater(policy["order"], 9999999999999999999999999999999999)
policy = {
"order": 10,
"inbound_rules": [],
"outbound_rules": [],
}
with self.assertRaises(ValidationFailed):
common.validate_policy(TieredPolicyId("a", "b"), policy)
def test_validate_rules(self):
profile_id = "valid_name-ok."
rules = {'inbound_rules': [], 'outbound_rules': []}
common.validate_profile(profile_id, rules.copy())
with self.assertRaisesRegexp(
ValidationFailed, "Expected profile 'valid_name-ok.' to "
"be a dict"):
common.validate_profile(profile_id, [])
with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"):
common.validate_profile("a&b", rules.copy())
with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"):
common.validate_policy(TieredPolicyId("+123", "abc"), rules.copy())
with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"):
common.validate_policy(TieredPolicyId("abc", "+"), rules.copy())
# No rules.
with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"):
common.validate_profile(profile_id, {'inbound_rules': []})
with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"):
common.validate_profile(profile_id, {'outbound_rules': []})
rules = {'inbound_rules': 3, 'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed,
"Expected rules\[inbound_rules\] to be a list"):
common.validate_profile(profile_id, rules.copy())
rule = "not a dict"
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule should be a dict"):
common.validate_profile(profile_id, rules.copy())
rule = {'bad_key': ""}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule contains unknown keys"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "bloop"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed, "Invalid protocol bloop in rule "
"{'protocol': 'bloop'}"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 5}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid ip_version in rule"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 4, 'protocol': "icmpv6"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmpv6 with IPv4"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 6, 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc", 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc", 'protocol': "123"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'protocol': "256"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 256 in rule"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "0"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 0 in rule"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "a!b", 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"):
common.validate_profile(profile_id, rules)
rule = {'dst_tag': "x,y", 'protocol': "icmp"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"):
common.validate_profile(profile_id, rules)
rule = {'src_selector': "a!b"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid src_selector"):
common.validate_profile(profile_id, rules)
rule = {'dst_selector': "+b"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_selector"):
common.validate_profile(profile_id, rules)
rule = {'src_net': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'src_ports': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected ports to be a list"):
common.validate_profile(profile_id, rules)
rule = {'dst_ports': [32, "nonsense"]}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid port"):
common.validate_profile(profile_id, rules)
rule = {'action': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed, "Invalid action"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': "nonsense"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': -1}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 256}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 22, 'icmp_code': "2"}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0, 'icmp_code': -1}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0, 'icmp_code': 256}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_code': 2}
rules = {'inbound_rules': [rule], 'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code specified without ICMP type"):
common.validate_profile(profile_id, rules)
def test_validate_rules(self):
profile_id = "valid_name-ok."
rules = {'inbound_rules': [],
'outbound_rules': []}
common.validate_profile(profile_id, rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Expected profile 'valid_name-ok.' to "
"be a dict"):
common.validate_profile(profile_id, [])
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_profile("a&b", rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_policy(TieredPolicyId("+123", "abc"),
rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_policy(TieredPolicyId("abc", "+"),
rules.copy())
# No rules.
with self.assertRaisesRegexp(ValidationFailed,
"No outbound_rules"):
common.validate_profile(profile_id, {'inbound_rules': []})
with self.assertRaisesRegexp(ValidationFailed,
"No inbound_rules"):
common.validate_profile(profile_id, {'outbound_rules': []})
rules = {'inbound_rules': 3,
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected rules\[inbound_rules\] to be a list"):
common.validate_profile(profile_id, rules.copy())
rule = "not a dict"
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule should be a dict"):
common.validate_profile(profile_id, rules.copy())
rule = {'bad_key': ""}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule contains unknown keys"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "bloop"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol bloop in rule "
"{'protocol': 'bloop'}"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 5}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid ip_version in rule"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 4,
'protocol': "icmpv6"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmpv6 with IPv4"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 6,
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmp with IPv6"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc",
'protocol': "123"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'protocol': "256"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 256 in rule"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "0"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 0 in rule"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "a!b",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid src_tag"):
common.validate_profile(profile_id, rules)
rule = {'dst_tag': "x,y",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid dst_tag"):
common.validate_profile(profile_id, rules)
rule = {'src_selector': "a!b"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid src_selector"):
common.validate_profile(profile_id, rules)
rule = {'dst_selector': "+b"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid dst_selector"):
common.validate_profile(profile_id, rules)
rule = {'src_net': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'dst_net': "1.2.3.4/16",
'ip_version': 6}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'src_ports': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected ports to be a list"):
common.validate_profile(profile_id, rules)
rule = {'dst_ports': [32, "nonsense"]}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid port"):
common.validate_profile(profile_id, rules)
rule = {'action': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid action"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': -1}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 256}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 22,
'icmp_code': "2"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0,
'icmp_code': -1}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0,
'icmp_code': 256}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_code': 2}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code specified without ICMP type"):
common.validate_profile(profile_id, rules)
