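def setup_ufw():
    """Setup UFW firewall to ensure only swift-storage clients and storage
    peers have access to the swift daemons.

    Allow rules for every known peer/client host are issued before the
    catch-all reject rules for the storage ports, so the specific allow
    rules precede the default deny in the ufw rule order.

    :side effect: calls several external functions
    :return: None
    """
    if not config('enable-firewall'):
        log("Firewall has been administratively disabled", "DEBUG")
        return

    ports = [config('object-server-port'),
             config('container-server-port'),
             config('account-server-port')]

    # Storage peers: a whitespace-separated host list from the rsync context.
    # split() (rather than split(' ')) yields [] for an empty list instead of
    # [''], so no allow rule is ever requested for an empty host.
    allowed_hosts = RsyncContext()().get('allowed_hosts', '').split()
    # Storage clients (swift-proxy)
    allowed_hosts += [get_host_ip(ingress_address(rid=u.rid, unit=u.unit))
                      for u in iter_units_for_relation_name('swift-storage')]

    # A peer may also be a client; drop duplicates and empty/None entries
    # (keeping first-seen order) so each (host, port) rule is issued once.
    seen = set()
    unique_hosts = []
    for host in allowed_hosts:
        if host and host not in seen:
            seen.add(host)
            unique_hosts.append(host)

    # Grant access for peers and clients
    for host in unique_hosts:
        for port in ports:
            grant_access(host, port)

    # Default deny for storage ports (added after the allow rules above)
    for port in ports:
        ufw.modify_access(src=None, dst='any', port=port, proto='tcp',
                          action='reject')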
def test_modify_access_delete_index(self, popen, log, is_enabled):
    """Deleting by rule index must run 'ufw --force delete <index>'."""
    is_enabled.return_value = True
    fake_proc = mock.Mock()
    fake_proc.communicate.return_value = ('stdout', 'stderr')
    fake_proc.returncode = 0
    popen.return_value = fake_proc

    ufw.modify_access(None, dst=None, action='delete', index=42)

    expected_cmd = ['ufw', '--force', 'delete', '42']
    popen.assert_any_call(expected_cmd, stdout=subprocess.PIPE)
def test_modify_access_comment(self, popen, log, is_enabled):
    """A comment argument is appended to the ufw command as 'comment <text>'."""
    is_enabled.return_value = True
    fake_proc = mock.Mock()
    fake_proc.communicate.return_value = ('stdout', 'stderr')
    fake_proc.returncode = 0
    popen.return_value = fake_proc

    ufw.modify_access('127.0.0.1', dst='127.0.0.1', port='80',
                      comment='No comment')

    expected_cmd = ['ufw', 'allow', 'from', '127.0.0.1', 'to', '127.0.0.1',
                    'port', '80', 'comment', 'No comment']
    popen.assert_any_call(expected_cmd, stdout=subprocess.PIPE)
def test_modify_access_allow_set_port(self, popen, log, is_enabled):
    """An allow rule with only a source and port targets 'any' and is logged."""
    is_enabled.return_value = True
    fake_proc = mock.Mock()
    fake_proc.communicate.return_value = ('stdout', 'stderr')
    fake_proc.returncode = 0
    popen.return_value = fake_proc

    ufw.modify_access('127.0.0.1', port='80')

    expected_cmd = ['ufw', 'allow', 'from', '127.0.0.1', 'to', 'any',
                    'port', '80']
    popen.assert_any_call(expected_cmd, stdout=subprocess.PIPE)
    # Both the command being run and its stdout are expected in the log.
    log.assert_any_call('ufw allow: ufw allow from 127.0.0.1 to any port 80',
                        level='DEBUG')
    log.assert_any_call('stdout', level='INFO')
def test_modify_access_ufw_is_disabled(self, check_output, log, is_enabled):
    """With ufw disabled, modify_access() must log a WARN-level skip message."""
    is_enabled.return_value = False

    ufw.modify_access('127.0.0.1')

    expected_msg = 'ufw is disabled, skipping modify_access()'
    log.assert_any_call(expected_msg, level='WARN')