def fix_acls(self, conf): # Recursively walk config replacing all acls with ACL objects for k, v in conf.items(): if k == 'acls': if isinstance(v, dict): for ip, acls in v.items(): conf[k][ip] = [ ACL(x['match'], x['action']) for x in acls ] else: conf[k] = [ACL(x['match'], x['action']) for x in v] elif isinstance(v, dict): self.fix_acls(v)
def __list_templates(self): """list all template for project 列出指定项目下的所有模板 Args: Returns: List[] """ pid = int(self.get_argument('pid', 0)) if pid == 0: self.write(json.dumps(Error.CGIREQUESTERR)) return page = int(self.get_argument('page', 1)) temp = ModTemplate(self.application) # 权限过滤 template_acl_filter = "" if ACL.is_root( pid, self.userinfo['acl'] ) != 0 else " allow like '%\"" + self.userinfo['username'] + "\"%' " count, data = temp.get_template_list(pid, 200, page, template_acl_filter, 'template_id desc') if type(data) in (dict, ): self.write(json.dumps(data)) return self.render('admin_template_list.html', project_id=pid, templates=data, userinfo=self.userinfo) return
def test_friend_blob_addDelta_expired_token(self): zauth = AuthSystem.getExpiredToken(Constants.ZID) delta = "sample delta value" ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE) for element in ACL_arr: if (element == 'any'): delete_prev_deltas(Constants.ZID) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID+1,Constants.DELTATYPE,delta ] ,[403]) self.assertTrue(ret, msg=result) elif (element == 'self'): delete_prev_deltas(Constants.ZID) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID,Constants.DELTATYPE,delta ] ,[403]) self.assertTrue(ret, msg=result) elif (element == 'none'): delete_prev_deltas(Constants.ZID) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID,Constants.DELTATYPE,delta ] ,[403]) self.assertTrue(ret, msg=result) else: delete_prev_deltas(Constants.ZID) ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID),element) fid_list=ret['result']['data'][element] fid = random.choice(fid_list) res=delete_prev_deltas(fid) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID,Constants.DELTATYPE,delta ] ,[403]) self.assertTrue(ret, msg=result) """for non-friend, 403 should be returned as err code""" nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID)) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , nfid , Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result)
def _remove_flow(self, flow): """ Remove a specific flow from an EVC_MAP. This includes removing any ACL entries associated with the flow and could result in moving the EVC-MAP over to another EVC. :param flow: (FlowEntry) Flow to remove """ try: del self._flows[flow.flow_id] # Remove any ACLs acl_name = ACL.flow_to_name(flow) acl = None # if not yet installed just remove it from list if acl_name in self._new_acls: del self._new_acls[acl_name] else: acl = self._existing_acls[acl_name] if acl is not None: # Remove ACL from EVC-MAP entry try: map_xml = self._ingress_remove_acl_xml( self._gem_ids_and_vid, acl) log.debug('remove', xml=map_xml, name=acl.name) results = yield self._handler.netconf_client.edit_config( map_xml) if results.ok: del self._existing_acls[acl.name] # Scan EVC to see if it needs to move back to the Utility # or Untagged EVC from a user data EVC if self._evc and not self._evc.service_evc and\ len(self._flows) > 0 and\ all(f.is_acl_flow for f in self._flows.itervalues()): self._evc.remove_evc_map(self) first_flow = self._flows.itervalues().next() self._evc = first_flow.get_utility_evc(None, True) self._evc.add_evc_map(self) log.debug('moved-acl-flows-to-utility-evc', newevcname=self._evc.name) self._needs_update = True self._evc.schedule_install() except Exception as e: log.exception('acl-remove-from-evc', e=e) # Remove ACL itself try: yield acl.remove() except Exception as e: log.exception('acl-remove', e=e) except Exception as e: log.exception('remove-failed', e=e)
def test_friend_blob_queryDeltas_empty_token(self): zauth=None user_query = {Constants.USER_QUERY: Constants.F_QUERY, "params":[] } ACL_arr=ACL.getGraphTypes('friend.blob.queryDeltas',Constants.DELTATYPE) delta="some delta" for element in ACL_arr: if (element == 'any'): self.test_friend_blob_addDelta() ret , result = self.check_pass(friend_blob_queryDeltas , [zauth , Constants.ZID+1,user_query] ,[403]) self.assertTrue(ret, msg=result) elif (element == 'self'): self.test_friend_blob_addDelta() ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,Constants.ZID, user_query] ,[403]) self.assertTrue(ret, msg=result) elif (element == 'none'): ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,Constants.ZID, user_query] ,[403]) self.assertTrue(ret, msg=result) else: """graph-list""" ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID), element ) fid_list=ret['result']['data'][element] fid = random.choice(fid_list) self.test_friend_blob_addDelta() ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,fid,user_query] ,[403]) self.assertTrue(ret, msg=result) """for non-friends""" nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID)) ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,nfid,user_query] ,[403]) self.assertTrue(ret, msg=result)
def test_friend_blob_addDelta(self): zauth = AuthSystem.getUntrustedToken(Constants.ZID) ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE) delta = "sample delta value" for element in ACL_arr: if (element == 'any'): ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[0]) self.assertTrue(ret, msg=result) elif (element == 'self'): ret,result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[0]) self.assertTrue(ret, msg=result) elif (element == 'none'): ret,result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result) else: """graph-list """ ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID),element) fid_list=ret['result']['data'][element] fid = random.choice(fid_list) res=delete_prev_deltas(fid) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , fid , Constants.DELTATYPE , delta ] ,[0]) self.assertTrue(ret, msg=result) """check for failure when non friend tries to add delta""" nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID)) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , nfid , Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result)
def test_friend_blob_get_no_zauth_header(self): zauth = AuthSystem.getUntrustedToken(Constants.ZID) ACL_arr=ACL.getGraphTypes('friend.blob.get', Constants.USER_BLOB) for element in ACL_arr: if (element == 'any') or (element == 'self') or (element == 'none'): ret , result = self.check_pass(friend_blob_get_no_Zauth_head , [ Constants.ZID, Constants.USER_BLOB],[403]) self.assertTrue(ret, msg = result) else: "In this case it is a graphlist" ret = get_friend_nofriend_id(zauth, element ) fid_list = ret['result']['data'][element] fid = random.choice(fid_list) """If friend blob is empty, update some value and then fetch the blob, through friend.blob.get api""" fzauth=AuthSystem.getUntrustedToken(fid) result = user_blob_get( fzauth ) if "'CAS': None" in str(result): cas= " " data = data_to_post() result = user_blob_set( fzauth, Constants.USER_BLOB, data, cas) else: cas = result[ Constants.BLOBS ][ Constants.USER_BLOB ][ Constants.GH_CAS ] """Checking for friend""" ret , result = self.check_pass(friend_blob_get_no_Zauth_head , [ fid, Constants.USER_BLOB],[403]) self.assertTrue(ret, msg = result) """cheking for non-friend""" nfid=nfzid(zauth) ret , result = self.check_pass(friend_blob_get_no_Zauth_head , [ nfid, Constants.USER_BLOB],[403]) self.assertTrue(ret, msg = result)
def add_acls_to_port(self, port, acls): for acl in acls: acl = ACL(acl['match'], acl['action']) if acl in self.portdb[port]['acls']: index = self.portdb[port]['acls'].index(acl) self.portdb[port]['acls'][index] = acl else: self.portdb[port]['acls'].append(acl)
def test_user_blob_queryDeltas_Mixed_case_char(self): zauth = AuthSystem.getUntrustedToken(Constants.ZID) user_query = {Constants.USER_QUERY: "select * from DeLTAs" , "params": {"type": Constants.DELTATYPE}} ACL_arr = ACL.getGraphTypes('user.blob.queryDeltas',Constants.DELTATYPE) for element in ACL_arr: if (element == 'any' or element == 'self' or element == 'none'): ret,result = self.check_pass(user_blob_queryDeltas , [zauth , user_query],[403]) self.assertTrue(ret, msg=result) else: self.fail(msg="invalid ACL rule for the api")
def test_user_blob_queryDeltas_noquery(self): zauth = AuthSystem.getUntrustedToken(Constants.ZID) user_query=None ACL_arr = ACL.getGraphTypes('user.blob.queryDeltas',Constants.DELTATYPE) for element in ACL_arr: if (element == 'any' or element == 'self' or element == 'none'): ret,result = self.check_pass(user_blob_queryDeltas , [zauth , user_query],[403]) self.assertTrue(ret, msg=result) else: self.fail(msg="invalid ACL rule for the api")
def _dp_parser_v2(logger, acls_conf, dps_conf, routers_conf, vlans_conf): dps = [] vid_dp = {} for identifier, dp_conf in list(dps_conf.items()): try: dp = DP(identifier, dp_conf) dp.sanity_check() dp_id = dp.dp_id vlans = {} for vid, vlan_conf in list(vlans_conf.items()): vlans[vid] = VLAN(vid, dp_id, vlan_conf) acls = [] for acl_ident, acl_conf in list(acls_conf.items()): acls.append((acl_ident, ACL(acl_ident, acl_conf))) routers = [] for router_ident, router_conf in list(routers_conf.items()): routers.append((router_ident, Router(router_ident, router_conf))) if routers: assert len(routers) == 1, 'only one router supported' router_ident, router = routers[0] assert set(router.vlans) == set( vlans.keys()), 'only global routing supported' dp.add_router(router_ident, router) ports_conf = dp_conf.pop('interfaces', {}) ports = {} # as users can config port vlan by using vlan name, we store vid in # Port instance instead of vlan name for data consistency for port_num, port_conf in list(ports_conf.items()): port = port_parser(dp_id, port_num, port_conf, vlans) ports[port_num] = port if port.native_vlan is not None: vlan = vlans[port.native_vlan] port.native_vlan = vlan _dp_add_vlan(vid_dp, dp, vlan) if port.tagged_vlans is not None: tagged_vlans = [] for v_identifier in port.tagged_vlans: vlan = vlans[v_identifier] tagged_vlans.append(vlan) _dp_add_vlan(vid_dp, dp, vlan) port.tagged_vlans = tagged_vlans except AssertionError as err: logger.exception('Error in config file: %s', err) return None for port in list(ports.values()): dp.add_port(port) for acl_ident, acl in acls: dp.add_acl(acl_ident, acl) dps.append(dp) return dps
def _dp_parser_v2(logger, acls_conf, dps_conf, meters_conf, routers_conf, vlans_conf): dps = [] vid_dp = {} for identifier, dp_conf in list(dps_conf.items()): try: dp = DP(identifier, dp_conf) dp.sanity_check() dp_id = dp.dp_id vlans = {} for vlan_ident, vlan_conf in list(vlans_conf.items()): vlans[vlan_ident] = VLAN(vlan_ident, dp_id, vlan_conf) acls = [] for acl_ident, acl_conf in list(acls_conf.items()): acls.append((acl_ident, ACL(acl_ident, acl_conf))) for router_ident, router_conf in list(routers_conf.items()): router = Router(router_ident, router_conf) dp.add_router(router_ident, router) for meter_ident, meter_conf in list(meters_conf.items()): dp.meters[meter_ident] = Meter(meter_ident, meter_conf) ports_conf = dp_conf.pop('interfaces', {}) ports = {} # as users can config port vlan by using vlan name, we store vid in # Port instance instead of vlan name for data consistency for port_num, port_conf in list(ports_conf.items()): port = port_parser(dp_id, port_num, port_conf, vlans) ports[port_num] = port if port.native_vlan is not None: vlan = _get_vlan_by_identifier(dp_id, port.native_vlan, vlans) port.native_vlan = vlan _dp_add_vlan(vid_dp, dp, vlan) if port.tagged_vlans is not None: tagged_vlans = [] for vlan_ident in port.tagged_vlans: vlan = _get_vlan_by_identifier(dp_id, vlan_ident, vlans) tagged_vlans.append(vlan) _dp_add_vlan(vid_dp, dp, vlan) port.tagged_vlans = tagged_vlans except AssertionError as err: logger.exception('Error in config file: %s', err) return None for port in list(ports.values()): dp.add_port(port) for acl_ident, acl in acls: dp.add_acl(acl_ident, acl) dps.append(dp) return dps
def test_friend_blob_addDelta_Max_delta_count(self): zauth = AuthSystem.getUntrustedToken(Constants.ZID) delta="some delta" limit=ConfigService.getDeltaLimits(Constants.DELTATYPE) maxcount=limit['maxcount'] keep=limit['keep'] if (keep is False): self.assertTrue(False,msg="Check for keep variable in storage.yaml file for the delta type") ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE) for element in ACL_arr: if (element == 'any'): delete_prev_deltas(Constants.ZID) delta_max=delta_max_count(zauth , Constants.ZID+1 , Constants.DELTATYPE,maxcount,delta) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID+1, Constants.DELTATYPE , delta ] ,[413]) self.assertTrue(ret, msg=result) elif (element == 'self'): delete_prev_deltas(Constants.ZID) delta_max=delta_max_count(zauth , Constants.ZID , Constants.DELTATYPE,maxcount,delta) ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,Constants.ZID , Constants.DELTATYPE , delta ] ,[413]) self.assertTrue(ret, msg=result) elif (element == 'none'): delete_prev_deltas(Constants.ZID) delta_max=delta_max_count(zauth ,Constants.ZID , Constants.DELTATYPE,maxcount,delta) ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,Constants.ZID,Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result) else: """This is graph-list """ delete_prev_deltas(Constants.ZID) ret = get_friend_nofriend_id(zauth, element ) fid_list=ret['result']['data'][element] fid = random.choice(fid_list) delta_max=delta_max_count(zauth , fid , Constants.DELTATYPE,maxcount,delta) ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,fid, Constants.DELTATYPE , delta ] ,[413]) self.assertTrue(ret, msg=result) """for non-friends""" delete_prev_deltas(Constants.ZID) nfid=nfzid(zauth) delta_max=delta_max_count(zauth , fid , Constants.DELTATYPE,maxcount,delta) ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,nfid, Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result)
def test_friend_blob_addDelta_Exceed_content_Limit(self): zauth = AuthSystem.getUntrustedToken(Constants.ZID) limit=ConfigService.getDeltaLimits(Constants.DELTATYPE) ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE) for element in ACL_arr: if (element == 'any'): #delete_prev_deltas(fid) delete_prev_deltas(Constants.ZID) delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[413]) self.assertTrue(ret, msg=result) elif (element == 'self'): delete_prev_deltas(Constants.ZID) delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[413]) self.assertTrue(ret, msg=result) elif (element == 'none'): delete_prev_deltas(Constants.ZID) delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result) else: """This is graph-list """ delete_prev_deltas(Constants.ZID) ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID), element ) fid_list=ret['result']['data'][element] fid = random.choice(fid_list) delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , fid , Constants.DELTATYPE , delta ] ,[413]) self.assertTrue(ret, msg=result) """for non-friends""" delete_prev_deltas(Constants.ZID) nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID)) delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE) ret , result = self.check_pass(friend_blob_addDelta , [ zauth , nfid, Constants.DELTATYPE , delta ] ,[403]) self.assertTrue(ret, msg=result)
def acl(self): return ACL(self)
def __init__(self, *args, **kwargs): super(Valve, self).__init__(*args, **kwargs) self.mac_to_port = {} self._snoop = kwargs['igmplib'] # if you want a switch to operate as a querier, # set up as follows: self._snoop.set_querier_mode(dpid=str_to_dpid('0000000000000001'), server_port=2) # dpid the datapath id that will operate as a querier. # server_port a port number which connect to the multicast # server. # # NOTE: you can set up only the one querier. # when you called this method several times, # only the last one becomes effective. # start a thread for stats gethering self.stats_event = hub.Event() self.threads.append(hub.spawn(self.stats_loop)) self.datapaths = [] self.statstimeout = 5 # Setup logging handler = logging.StreamHandler() log_format = '%(asctime)s %(name)-8s %(levelname)-8s %(message)s' formatter = logging.Formatter(log_format, '%b %d %H:%M:%S') handler.setFormatter(formatter) self.logger.addHandler(handler) self.logger.propagate = 0 # Read in config file self.portdb = None self.vlandb = {} self.acldb = {} with open('valve.yaml', 'r') as stream: self.portdb = yaml.load(stream) # Make sure exclude property always exists in 'default' if 'default' in self.portdb and 'exclude' not in self.portdb['default']: self.portdb['default'] = [] # Make sure acls property always at the top level if 'acls' not in self.portdb: self.portdb['acls'] = {} # Parse top level acls for nw_address in self.portdb['acls']: if nw_address not in self.acldb: self.acldb[nw_address] = [] for acl in self.portdb['acls'][nw_address]: acl = ACL(acl['match'], acl['action']) self.logger.info("adding %s on nw_dst:%s" % (acl, nw_address)) self.acldb[nw_address].append(acl) # Parse configuration for dpid in self.portdb: if dpid in ('all', 'default', 'acls'): # Skip nodes that aren't real datapaths continue # Handle acls, default acls < port acls < global acls # Copy out port acls and clear port acl list #port_acls = [] #if 'acls' in self.portdb[dpid]: # port_acls = self.portdb[dpid]['acls'] #self.portdb[dpid]['acls'] = [] # Add default acls #if 'default' in self.portdb and \ #'acls' in self.portdb['default'] and \ #port not in self.portdb['default']['exclude']: # self.add_acls_to_port(port, self.portdb['default']['acls']) # Add port acls #self.add_acls_to_port(port, port_acls) # Add global acls #if 'all' in self.portdb and 'acls' in self.portdb['all']: # self.add_acls_to_port(port, self.portdb['all']['acls']) # Now that we've resolved all acls we can print them #for acl in self.portdb[port]['acls']: # self.logger.info("adding %s on port:%s" % (acl, port)) # Handle vlans # If we have global vlans add them if 'all' in self.portdb and \ all (k in self.portdb['all'] for k in ('vlans','type')): vlans = self.portdb['all']['vlans'] ptype = self.portdb['all']['type'] self.logger.info("adding ALL type:%s, vlan:%s" % (ptype, str(vlans))) for port in self.portdb[dpid]: #self.dump(self.portdb[dpid][port]) self.portdb[dpid][port]['vlans'] = vlans self.portdb[dpid][port]['type'] = ptype for port in self.portdb[dpid]: # Add vlans defined on this port (or add default values) if 'vlans' in self.portdb[dpid][ port] and 'type' in self.portdb[dpid][port]: vlans = self.portdb[dpid][port]['vlans'] ptype = self.portdb[dpid][port]['type'] self.add_port_to_vlans(dpid, port, vlans, ptype) elif 'default' in self.portdb and \ all (k in self.portdb['default'] for k in ('vlans','type')) and \ port not in self.portdb['default']['exclude']: vlans = self.portdb['default']['vlans'] ptype = self.portdb['default']['type'] self.portdb[dpid][port]['vlans'] = vlans self.portdb[dpid][port]['type'] = ptype self.add_port_to_vlans(dpid, subif, vlans, ptype) # Remove nodes that aren't real ports for n in ('all', 'default', 'acls'): if n in self.portdb: del self.portdb[n]
def _dp_parser_v2(logger, acls_conf, dps_conf, meters_conf, routers_conf, vlans_conf): dps = [] vid_dp = collections.defaultdict(set) def _get_vlan_by_identifier(dp_id, vlan_ident, vlans): if vlan_ident in vlans: return vlans[vlan_ident] for vlan in list(vlans.values()): if int(vlan_ident) == vlan.vid: return vlan try: vid = int(vlan_ident, 0) except ValueError: assert False, 'VLAN VID value (%s) is invalid' % vlan_ident return vlans.setdefault(vlan_ident, VLAN(vid, dp_id)) def _dp_add_vlan(dp, vlan): if vlan not in dp.vlans: dp.add_vlan(vlan) vid_dp[vlan.vid].add(dp.name) if len(vid_dp[vlan.vid]) > 1: assert not vlan.bgp_routerid, ( 'DPs %s sharing a BGP speaker VLAN is unsupported' % (str.join(', ', vid_dp[vlan.vid]))) def _dp_parse_port(dp_id, p_identifier, port_conf, vlans): port = Port(p_identifier, port_conf) if port.native_vlan is not None: v_identifier = port.native_vlan vlan = _get_vlan_by_identifier(dp_id, v_identifier, vlans) port.native_vlan = vlan vlan.add_untagged(port) port_tagged_vlans = [] for v_identifier in port.tagged_vlans: vlan = _get_vlan_by_identifier(dp_id, v_identifier, vlans) port_tagged_vlans.append(vlan) vlan.add_tagged(port) port.tagged_vlans = port_tagged_vlans for vlan in port.vlans(): _dp_add_vlan(dp, vlan) return port def _dp_add_ports(dp, dp_conf, dp_id, vlans): ports_conf = dp_conf.pop('interfaces', {}) # as users can config port vlan by using vlan name, we store vid in # Port instance instead of vlan name for data consistency for port_num, port_conf in list(ports_conf.items()): port = _dp_parse_port(dp_id, port_num, port_conf, vlans) dp.add_port(port) try: for identifier, dp_conf in list(dps_conf.items()): dp = DP(identifier, dp_conf) dp.sanity_check() dp_id = dp.dp_id vlans = {} for vlan_ident, vlan_conf in list(vlans_conf.items()): vlans[vlan_ident] = VLAN(vlan_ident, dp_id, vlan_conf) acls = [] for acl_ident, acl_conf in list(acls_conf.items()): acls.append((acl_ident, ACL(acl_ident, acl_conf))) for router_ident, router_conf in list(routers_conf.items()): router = Router(router_ident, router_conf) dp.add_router(router_ident, router) for meter_ident, meter_conf in list(meters_conf.items()): dp.meters[meter_ident] = Meter(meter_ident, meter_conf) _dp_add_ports(dp, dp_conf, dp_id, vlans) for acl_ident, acl in acls: dp.add_acl(acl_ident, acl) dps.append(dp) for dp in dps: dp.finalize_config(dps) for dp in dps: dp.resolve_stack_topology(dps) except AssertionError as err: logger.exception('Error in config file: %s', err) return None return dps
def _decode(self, evc): from evc import EVC from flow_entry import FlowEntry # Only called from initializer, so first flow is only flow flow = self._flows.itervalues().next() self._name = EVCMap.create_evc_map_name(flow) if evc: self._evc_connection = EVCMap.EvcConnection.EVC else: self._status_message = 'Can only create EVC-MAP if EVC supplied' return False is_pon = flow.handler.is_pon_port(flow.in_port) is_uni = flow.handler.is_uni_port(flow.in_port) if is_pon or is_uni: self._uni_port = flow.handler.get_port_name(flow.in_port) evc.ce_vlan_preservation = False else: self._status_message = 'EVC-MAPS without UNI or PON ports are not supported' return False # UNI Ports handled in the EVC Maps # ACL logic self._eth_type = flow.eth_type if self._eth_type == FlowEntry.EtherType.IPv4: self._ip_protocol = flow.ip_protocol self._ipv4_dst = flow.ipv4_dst if self._ip_protocol == FlowEntry.IpProtocol.UDP: self._udp_dst = flow.udp_dst self._udp_src = flow.udp_src # If no match of VLAN this may be for untagged traffic or upstream and needs to # match the gem-port vid self._setup_gem_ids() # self._match_untagged = flow.vlan_id is None and flow.inner_vid is None self._c_tag = flow.inner_vid or flow.vlan_id # If a push of a single VLAN is present with a POP of the VLAN in the EVC's # flow, then this is a traditional EVC flow evc.men_to_uni_tag_manipulation = EVC.Men2UniManipulation.POP_OUT_TAG_ONLY evc.switching_method = EVC.SwitchingMethod.DOUBLE_TAGGED # \ # if self._c_tag is not None else EVC.SwitchingMethod.SINGLE_TAGGED try: acl = ACL.create(flow) if acl.name not in self._new_acls: self._new_acls[acl.name] = acl except Exception as e: log.exception('ACL-decoding', e=e) return False return True
def __update_user_acl(self, action, isapi=False): """update user template acl 更新用户模板详细设置 Args: action: isapi Returns: """ uid = int(self.get_argument('uid', 0)) pid = int(self.get_argument('pid', 0)) if uid == 0 or pid == 0: self.write(json.dumps(Error.CGIREQUESTERR)) return _usr = ModUser(self.application) if isapi == False: _template = ModTemplate(self.application) n, data = _template.get_template_list(pid) if n < 0: self.write(json.dumps(Error.MODPARAMERR)) return uinfo = _usr.get_user_info(uid=uid) uinfo = { 'uid': '', 'username': '', 'avator': '', 'status': 1, 'acl': '[]' } if uinfo is None else uinfo tlist = ACL.get_acl_templates(pid, json.loads(uinfo['acl'])) # 检查root_acl user_acl = Common.collection_find(tlist, lambda s: s['tid'] == 0) project_root_acl = 0 if user_acl is None else user_acl['acl'] templates = [{ 'template_id': 0, 'template_name': '*', 'acl': project_root_acl }] # 获取普通模板acl for row in data: _item = { 'template_id': int(row[0]), 'template_name': row[2], 'acl': 0 } user_acl = Common.collection_find( tlist, lambda s: s['tid'] == int(row[0])) if user_acl is not None: _item['acl'] = user_acl['acl'] templates.append(_item) self.render('system_user_detail.html', templates=templates, acl=ACL.AclCode, target=uinfo, project_id=pid, userinfo=self.userinfo) else: acl = self.get_arguments('acl') uinfo = _usr.get_user_info(uid=uid) if uinfo is None: self.write(json.dumps(Error.ACL_NOTFOUNDUSER)) return _uacl = json.loads(uinfo['acl']) # item:tid_DOC_E .... # 构建一个需要追加权限的list _new_template_acl = [] _tid_set = [] for item in acl: _tid = item.split('_')[0] if _tid not in _tid_set: _tid_set.append(_tid) _tacl = Common.collection_find(_new_template_acl, lambda s: s['tid'] == int(_tid)) if _tacl is not None: # 这里修改的是引用值,不是深拷贝 _index = _new_template_acl.index(_tacl) _new_template_acl[_index] = { 'tid': int(_tid), 'acl': _tacl['acl'] | ACL.AclCode[item.replace(_tid + '_', '')] } else: # 没有的就追加 _new_template_acl.append({ 'tid': int(_tid), 'acl': ACL.AclCode[item.replace(_tid + '_', '')] }) # 修改template表的allow _template = ModTemplate(self.application) recode = _template.update_template_allow(pid, uinfo['username'], _tid_set) if recode['code'] != 0: self.write(json.dumps(recode)) return # 改写pacl _pacl = Common.collection_find(_uacl, lambda s: s['pid'] == pid) if _pacl is None: _uacl.append({'pid': pid, 'acl': _new_template_acl}) else: _pacl['acl'] = _new_template_acl recode = _usr.update_user_info(uid=uid, acl=json.dumps(_uacl)) if recode['code'] == 0: self.set_status(302) self.set_header('Location', '/system/user?action=list') return else: self.write(json.dumps(recode)) return
def __update_user(self, action, isapi=False): """create/update user base info 创建更改用户基本信息 Args: action isapi Returns: """ uid = self.get_argument('uid', '0') print(self.application.cfg['db']) projects = copy.deepcopy(self.application.cfg['db']) projects.reverse() projects.pop() projects.reverse() projects.append({'pid': 0, 'project': '*'}) mod = ModUser(self.application) if not isapi: uinfo = mod.get_user_info(uid=uid) uinfo = { 'uid': '', 'username': '', 'nickname': '', 'avator': '', 'status': 1, 'acl': '[]' } if uinfo is None else uinfo date = [] plist = ACL.get_acl_projects(json.loads(uinfo['acl'])) for i in range(0, len(projects)): if uinfo is None: projects[i]['enable'] = 0 else: p = Common.collection_find( plist, lambda s: s == int(projects[i]['pid'])) projects[i]['enable'] = p is not None # projects[i]['acl'] = ACL.get_acl_projects(json.loads(uinfo['acl'])) self.render('system_user.html', projects=projects, target=uinfo, userinfo=self.userinfo) else: # 处理post username = self.get_argument('username', '') nickname = self.get_argument('nickname', '') avator = self.get_argument('avator', '') pid_set = self.get_arguments('projects') uinfo = mod.get_user_info(uid=uid) acl = [] if uinfo is not None: acl = json.loads(uinfo['acl']) # 扫2次,对比差异 new_acl = [] for item in acl: if Common.collection_find( pid_set, lambda s: s == str(item['pid'])) is not None: new_acl.append(item) for i in range(0, len(pid_set)): p = Common.collection_find( new_acl, lambda s: s['pid'] == int(pid_set[i])) if p is None: new_acl.append({'pid': int(pid_set[i]), 'acl': []}) # 完成构建 recode = mod.update_user_info(uid=uid, username=username, nickname=nickname, avator=avator, acl=json.dumps(new_acl)) if recode['code'] == 0: self.set_status(302) self.set_header('Location', '/system/user?action=list') else: self.write(json.dumps(recode))
def assertAcl(self, readable, writable, acl_r, acl_w, user, default_permission): self.assertEqual(readable, ACL(default_permission, acl_r, acl_w).can_read(user)) self.assertEqual(writable, ACL(default_permission, acl_r, acl_w).can_write(user))