def l7rule_data(l7rule): """Raises an error if the l7rule given is invalid in some way.""" if l7rule.type == constants.L7RULE_TYPE_HEADER: if not l7rule.key: raise exceptions.InvalidL7Rule(msg='L7 rule type requires a key') header_name(l7rule.key, what='key') if l7rule.compare_type == constants.L7RULE_COMPARE_TYPE_REGEX: regex(l7rule.value) elif l7rule.compare_type in ( constants.L7RULE_COMPARE_TYPE_STARTS_WITH, constants.L7RULE_COMPARE_TYPE_ENDS_WITH, constants.L7RULE_COMPARE_TYPE_CONTAINS, constants.L7RULE_COMPARE_TYPE_EQUAL_TO): header_value_string(l7rule.value, what='header value') else: raise exceptions.InvalidL7Rule(msg='invalid comparison type ' 'for rule type') elif l7rule.type == constants.L7RULE_TYPE_COOKIE: if not l7rule.key: raise exceptions.InvalidL7Rule(msg='L7 rule type requires a key') header_name(l7rule.key, what='key') if l7rule.compare_type == constants.L7RULE_COMPARE_TYPE_REGEX: regex(l7rule.value) elif l7rule.compare_type in ( constants.L7RULE_COMPARE_TYPE_STARTS_WITH, constants.L7RULE_COMPARE_TYPE_ENDS_WITH, constants.L7RULE_COMPARE_TYPE_CONTAINS, constants.L7RULE_COMPARE_TYPE_EQUAL_TO): cookie_value_string(l7rule.value, what='cookie value') else: raise exceptions.InvalidL7Rule(msg='invalid comparison type ' 'for rule type') elif l7rule.type in (constants.L7RULE_TYPE_HOST_NAME, constants.L7RULE_TYPE_PATH): if l7rule.compare_type in ( constants.L7RULE_COMPARE_TYPE_STARTS_WITH, constants.L7RULE_COMPARE_TYPE_ENDS_WITH, constants.L7RULE_COMPARE_TYPE_CONTAINS, constants.L7RULE_COMPARE_TYPE_EQUAL_TO): header_value_string(l7rule.value, what='comparison value') elif l7rule.compare_type == constants.L7RULE_COMPARE_TYPE_REGEX: regex(l7rule.value) else: raise exceptions.InvalidL7Rule(msg='invalid comparison type ' 'for rule type') elif l7rule.type == constants.L7RULE_TYPE_FILE_TYPE: if l7rule.compare_type == constants.L7RULE_COMPARE_TYPE_REGEX: regex(l7rule.value) elif l7rule.compare_type == constants.L7RULE_COMPARE_TYPE_EQUAL_TO: header_value_string(l7rule.value, what='comparison value') else: raise exceptions.InvalidL7Rule(msg='invalid comparison type ' 'for rule type') else: raise exceptions.InvalidL7Rule(msg='invalid rule type') return True
def validate_l7rule_ssl_types(l7rule): if not l7rule.type or l7rule.type not in [ constants.L7RULE_TYPE_SSL_CONN_HAS_CERT, constants.L7RULE_TYPE_SSL_VERIFY_RESULT, constants.L7RULE_TYPE_SSL_DN_FIELD ]: return rule_type = None if l7rule.type == wtypes.Unset else l7rule.type req_key = None if l7rule.key == wtypes.Unset else l7rule.key req_value = None if l7rule.value == wtypes.Unset else l7rule.value compare_type = (None if l7rule.compare_type == wtypes.Unset else l7rule.compare_type) msg = None if rule_type == constants.L7RULE_TYPE_SSL_CONN_HAS_CERT: # key and value are not allowed if req_key: # log error or raise msg = 'L7rule type {0} does not use the "key" field.'.format( rule_type) elif req_value.lower() != 'true': msg = 'L7rule value {0} is not a boolean True string.'.format( req_value) elif compare_type != constants.L7RULE_COMPARE_TYPE_EQUAL_TO: msg = 'L7rule type {0} only supports the {1} compare type.'.format( rule_type, constants.L7RULE_COMPARE_TYPE_EQUAL_TO) if rule_type == constants.L7RULE_TYPE_SSL_VERIFY_RESULT: if req_key: # log or raise req_key not used msg = 'L7rule type {0} does not use the "key" field.'.format( rule_type) elif not req_value.isdigit() or int(req_value) < 0: # log or raise req_value must be int msg = 'L7rule type {0} needs a int value, which is >= 0'.format( rule_type) elif compare_type != constants.L7RULE_COMPARE_TYPE_EQUAL_TO: msg = 'L7rule type {0} only supports the {1} compare type.'.format( rule_type, constants.L7RULE_COMPARE_TYPE_EQUAL_TO) if rule_type == constants.L7RULE_TYPE_SSL_DN_FIELD: dn_regex = re.compile(constants.DISTINGUISHED_NAME_FIELD_REGEX) if compare_type == constants.L7RULE_COMPARE_TYPE_REGEX: regex(l7rule.value) if not req_key or not req_value: # log or raise key and value must be specified. msg = 'L7rule type {0} needs to specify a key and a value.'.format( rule_type) # log or raise the key must be splited by '-' elif not dn_regex.match(req_key): msg = ('Invalid L7rule distinguished name field.') if msg: raise exceptions.InvalidL7Rule(msg=msg)