def test_valid_wildcard(self):
test_inputs = {
"reject *:*": (True, True),
"reject *:80": (True, False),
"accept 192.168.0.1:*": (False, True),
"accept 192.168.0.1:80": (False, False),
"reject 127.0.0.1/0:*": (False, True),
"reject 127.0.0.1/16:*": (False, True),
"reject 127.0.0.1/32:*": (False, True),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80": (False, False),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/64:80": (False, False),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/128:80": (False, False),
"accept 192.168.0.1:0-65535": (False, True),
"accept 192.168.0.1:1-65535": (False, True),
"accept 192.168.0.1:2-65535": (False, False),
"accept 192.168.0.1:1-65534": (False, False),
}
for rule_arg, attr in test_inputs.items():
is_address_wildcard, is_port_wildcard = attr
rule = ExitPolicyRule(rule_arg)
self.assertEquals(is_address_wildcard, rule.is_address_wildcard())
self.assertEquals(is_port_wildcard, rule.is_port_wildcard())
def test_is_match_ipv4(self):
test_inputs = {
"reject 192.168.0.50:*": {
("192.168.0.50", 80): True,
("192.168.0.51", 80): False,
("192.168.0.49", 80): False,
(None, 80): False,
("192.168.0.50", None): True,
},
"reject 0.0.0.0/24:*": {
("0.0.0.0", 80): True,
("0.0.0.1", 80): True,
("0.0.0.255", 80): True,
("0.0.1.0", 80): False,
("0.1.0.0", 80): False,
("1.0.0.0", 80): False,
(None, 80): False,
("0.0.0.0", None): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEquals(expected_result, rule.is_match(*match_args))
def test_is_match_ipv6(self):
test_inputs = {
"reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]:*": {
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): True,
("fe80:0000:0000:0000:0202:b3ff:fe1e:8329", 80): True,
("[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8330", 80): False,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8328", 80): False,
(None, 80): False,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", None): True,
},
"reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]/112:*": {
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:0000", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:FFFF", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1F:8329", 80): False,
("FE81:0000:0000:0000:0202:B3FF:FE1E:8329", 80): False,
(None, 80): False,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", None): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEquals(expected_result, rule.is_match(*match_args))
def test_is_match_wildcard(self):
test_inputs = {
"reject *:*": {
("192.168.0.1", 80): True,
("0.0.0.0", 80): True,
("255.255.255.255", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): True,
("[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]", 80): True,
("192.168.0.1", None): True,
(None, 80): True,
(None, None): True,
},
"reject 255.255.255.255/0:*": {
("192.168.0.1", 80): True,
("0.0.0.0", 80): True,
("255.255.255.255", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): False,
("[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]", 80): False,
("192.168.0.1", None): True,
(None, 80): False,
(None, None): False,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEquals(expected_result, rule.is_match(*match_args))
# port zero is special in that exit policies can include it, but it's not
# something that we can match against
rule = ExitPolicyRule("reject *:*")
self.assertRaises(ValueError, rule.is_match, "127.0.0.1", 0)
def test_is_match_ipv6(self):
test_inputs = {
'reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]:*': {
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
('fe80:0000:0000:0000:0202:b3ff:fe1e:8329', 80): True,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8330', 80): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8328', 80): False,
(None, 80, False): True,
(None, 80, True): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None): True,
},
'reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]/112:*': {
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:0000', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:FFFF', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1F:8329', 80): False,
('FE81:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
(None, 80, False): True,
(None, 80, True): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None, False): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None, True): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_is_match_port(self):
test_inputs = {
'reject *:80': {
('192.168.0.50', 80): True,
('192.168.0.50', 81): False,
('192.168.0.50', 79): False,
(None, 80): True,
('192.168.0.50', None, False): True,
('192.168.0.50', None, True): False,
},
'reject *:80-85': {
('192.168.0.50', 79): False,
('192.168.0.50', 80): True,
('192.168.0.50', 83): True,
('192.168.0.50', 85): True,
('192.168.0.50', 86): False,
(None, 83): True,
('192.168.0.50', None, False): True,
('192.168.0.50', None, True): False,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_is_match_ipv4(self):
test_inputs = {
"reject 192.168.0.50:*": {
("192.168.0.50", 80): True,
("192.168.0.51", 80): False,
("192.168.0.49", 80): False,
(None, 80, False): True,
(None, 80, True): False,
("192.168.0.50", None): True,
},
"reject 0.0.0.0/24:*": {
("0.0.0.0", 80): True,
("0.0.0.1", 80): True,
("0.0.0.255", 80): True,
("0.0.1.0", 80): False,
("0.1.0.0", 80): False,
("1.0.0.0", 80): False,
(None, 80, False): True,
(None, 80, True): False,
("0.0.0.0", None): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEquals(expected_result, rule.is_match(*match_args))
def test_is_match_ipv4(self):
test_inputs = {
'reject 192.168.0.50:*': {
('192.168.0.50', 80): True,
('192.168.0.51', 80): False,
('192.168.0.49', 80): False,
(None, 80, False): True,
(None, 80, True): False,
('192.168.0.50', None): True,
},
'reject 0.0.0.0/24:*': {
('0.0.0.0', 80): True,
('0.0.0.1', 80): True,
('0.0.0.255', 80): True,
('0.0.1.0', 80): False,
('0.1.0.0', 80): False,
('1.0.0.0', 80): False,
(None, 80, False): True,
(None, 80, True): False,
('0.0.0.0', None): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_constructor(self):
# The ExitPolicy constructor takes a series of string or ExitPolicyRule
# entries. Extra whitespace is ignored to make csvs easier to handle.
expected_policy = ExitPolicy(
ExitPolicyRule('accept *:80'),
ExitPolicyRule('accept *:443'),
ExitPolicyRule('reject *:*'),
)
policy = ExitPolicy('accept *:80', 'accept *:443', 'reject *:*')
self.assertEqual(expected_policy, policy)
policy = ExitPolicy(
*'accept *:80, accept *:443, reject *:*'.split(','))
self.assertEqual(expected_policy, policy)
# checks that we truncate after getting a catch-all policy
policy = ExitPolicy(
*'accept *:80, accept *:443, reject *:*, accept *:20-50'.split(
','))
self.assertEqual(expected_policy, policy)
# checks that we compress redundant policies
policy = ExitPolicy(
*'reject *:80, reject *:443, reject *:*'.split(','))
self.assertEqual(ExitPolicy('reject *:*'), policy)
def test_is_match_ipv6(self):
test_inputs = {
"reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]:*": {
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): True,
("fe80:0000:0000:0000:0202:b3ff:fe1e:8329", 80): True,
("[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8330", 80): False,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8328", 80): False,
(None, 80, False): True,
(None, 80, True): False,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", None): True,
},
"reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]/112:*": {
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:0000", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:FFFF", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1F:8329", 80): False,
("FE81:0000:0000:0000:0202:B3FF:FE1E:8329", 80): False,
(None, 80, False): True,
(None, 80, True): False,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", None, False): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", None, True): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEquals(expected_result, rule.is_match(*match_args))
def test_is_match_wildcard(self):
test_inputs = {
"reject *:*": {
("192.168.0.1", 80): True,
("0.0.0.0", 80): True,
("255.255.255.255", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): True,
("[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]", 80): True,
("192.168.0.1", None): True,
(None, 80): True,
(None, None): True,
},
"reject 255.255.255.255/0:*": {
("192.168.0.1", 80): True,
("0.0.0.0", 80): True,
("255.255.255.255", 80): True,
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329", 80): False,
("[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]", 80): False,
("192.168.0.1", None): True,
(None, 80): False,
(None, None): False,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEquals(expected_result, rule.is_match(*match_args))
# port zero is special in that exit policies can include it, but it's not
# something that we can match against
rule = ExitPolicyRule("reject *:*")
self.assertRaises(ValueError, rule.is_match, "127.0.0.1", 0)
def test_valid_wildcard(self):
test_inputs = {
"reject *:*": (True, True),
"reject *:80": (True, False),
"accept 192.168.0.1:*": (False, True),
"accept 192.168.0.1:80": (False, False),
"reject 127.0.0.1/0:*": (False, True),
"reject 127.0.0.1/16:*": (False, True),
"reject 127.0.0.1/32:*": (False, True),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80":
(False, False),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/64:80":
(False, False),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/128:80":
(False, False),
"accept 192.168.0.1:0-65535": (False, True),
"accept 192.168.0.1:1-65535": (False, True),
"accept 192.168.0.1:2-65535": (False, False),
"accept 192.168.0.1:1-65534": (False, False),
}
for rule_arg, attr in test_inputs.items():
is_address_wildcard, is_port_wildcard = attr
rule = ExitPolicyRule(rule_arg)
self.assertEquals(is_address_wildcard, rule.is_address_wildcard())
self.assertEquals(is_port_wildcard, rule.is_port_wildcard())
def test_is_match_ipv4(self):
test_inputs = {
'reject 192.168.0.50:*': {
('192.168.0.50', 80): True,
('192.168.0.51', 80): False,
('192.168.0.49', 80): False,
(None, 80, False): False,
(None, 80, True): True,
('192.168.0.50', None): True,
},
'reject 0.0.0.0/24:*': {
('0.0.0.0', 80): True,
('0.0.0.1', 80): True,
('0.0.0.255', 80): True,
('0.0.1.0', 80): False,
('0.1.0.0', 80): False,
('1.0.0.0', 80): False,
(None, 80, False): False,
(None, 80, True): True,
('0.0.0.0', None): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_is_match_ipv6(self):
test_inputs = {
'reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]:*': {
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
('fe80:0000:0000:0000:0202:b3ff:fe1e:8329', 80): True,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8330', 80): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8328', 80): False,
(None, 80, False): False,
(None, 80, True): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None): True,
},
'reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]/112:*': {
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:0000', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:FFFF', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1F:8329', 80): False,
('FE81:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
(None, 80, False): False,
(None, 80, True): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None, False): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None, True): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_is_match_port(self):
test_inputs = {
'reject *:80': {
('192.168.0.50', 80): True,
('192.168.0.50', 81): False,
('192.168.0.50', 79): False,
(None, 80): True,
('192.168.0.50', None, False): False,
('192.168.0.50', None, True): True,
},
'reject *:80-85': {
('192.168.0.50', 79): False,
('192.168.0.50', 80): True,
('192.168.0.50', 83): True,
('192.168.0.50', 85): True,
('192.168.0.50', 86): False,
(None, 83): True,
('192.168.0.50', None, False): False,
('192.168.0.50', None, True): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_wildcard_attributes(self):
rule = ExitPolicyRule('reject *:*')
self.assertEqual(AddressType.WILDCARD, rule.get_address_type())
self.assertEqual(None, rule.address)
self.assertEqual(None, rule.get_mask())
self.assertEqual(None, rule.get_masked_bits())
self.assertEqual(1, rule.min_port)
self.assertEqual(65535, rule.max_port)
def test_wildcard_attributes(self):
rule = ExitPolicyRule('reject *:*')
self.assertEqual(AddressType.WILDCARD, rule.get_address_type())
self.assertEqual(None, rule.address)
self.assertEqual(None, rule.get_mask())
self.assertEqual(None, rule.get_masked_bits())
self.assertEqual(1, rule.min_port)
self.assertEqual(65535, rule.max_port)
def test_iter(self):
# sanity test for our __iter__ method
rules = [
ExitPolicyRule('accept *:80'),
ExitPolicyRule('accept *:443'),
ExitPolicyRule('reject *:*'),
]
self.assertEqual(rules, list(ExitPolicy(*rules)))
self.assertEqual(rules, list(ExitPolicy('accept *:80', 'accept *:443', 'reject *:*')))
def test_without_port(self):
policy = get_config_policy('accept 216.58.193.78, reject *')
self.assertEqual([
ExitPolicyRule('accept 216.58.193.78:*'),
ExitPolicyRule('reject *:*')
], list(policy))
policy = get_config_policy(
'reject6 [2a00:1450:4001:081e:0000:0000:0000:200e]')
self.assertEqual([
ExitPolicyRule(
'reject [2a00:1450:4001:081e:0000:0000:0000:200e]:*')
], list(policy))
def test_is_match_wildcard(self):
test_inputs = {
'reject *:*': {
('192.168.0.1', 80): True,
('0.0.0.0', 80): True,
('255.255.255.255', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): True,
('192.168.0.1', None): True,
(None, 80, False): True,
(None, 80, True): True,
(None, None, False): True,
(None, None, True): True,
},
'reject 255.255.255.255/0:*': {
('192.168.0.1', 80): True,
('0.0.0.0', 80): True,
('255.255.255.255', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): False,
('192.168.0.1', None): True,
(None, 80, False): False,
(None, 80, True): True,
(None, None, False): False,
(None, None, True): True,
},
'reject *4:*': {
('192.168.0.1', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
},
'reject *6:*': {
('192.168.0.1', 80): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
rule._submask_wildcard = False
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
# port zero is special in that exit policies can include it, but it's not
# something that we can match against
rule = ExitPolicyRule('reject *:*')
self.assertRaises(ValueError, rule.is_match, '127.0.0.1', 0)
def test_valid_ipv4_addresses(self):
test_inputs = {
'0.0.0.0': ('0.0.0.0', '255.255.255.255', 32),
'127.0.0.1/32': ('127.0.0.1', '255.255.255.255', 32),
'192.168.0.50/24': ('192.168.0.50', '255.255.255.0', 24),
'255.255.255.255/0': ('255.255.255.255', '0.0.0.0', 0),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule('accept %s:*' % rule_addr)
self.assertEqual(AddressType.IPv4, rule.get_address_type())
self.assertEqual(address, rule.address)
self.assertEqual(mask, rule.get_mask())
self.assertEqual(masked_bits, rule.get_masked_bits())
def test_valid_ipv4_addresses(self):
test_inputs = {
'0.0.0.0': ('0.0.0.0', '255.255.255.255', 32),
'127.0.0.1/32': ('127.0.0.1', '255.255.255.255', 32),
'192.168.0.50/24': ('192.168.0.50', '255.255.255.0', 24),
'255.255.255.255/0': ('255.255.255.255', '0.0.0.0', 0),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule('accept %s:*' % rule_addr)
self.assertEqual(AddressType.IPv4, rule.get_address_type())
self.assertEqual(address, rule.address)
self.assertEqual(mask, rule.get_mask())
self.assertEqual(masked_bits, rule.get_masked_bits())
def test_str_changed(self):
# some instances where our rule is valid but won't match our str() representation
test_inputs = {
'accept 10.0.0.1/32:80': 'accept 10.0.0.1:80',
'accept 192.168.0.1/255.255.255.0:80': 'accept 192.168.0.1/24:80',
'accept [::]/32:*':
'accept [0000:0000:0000:0000:0000:0000:0000:0000]/32:*',
'accept [::]/128:*':
'accept [0000:0000:0000:0000:0000:0000:0000:0000]:*',
'accept6 *:*':
'accept [0000:0000:0000:0000:0000:0000:0000:0000]/0:*',
'reject6 *:*':
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:*',
'accept6 [FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]:*':
'accept [FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]:*',
'reject6 [FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]:*':
'reject [FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]:*',
'accept *4:*': 'accept 0.0.0.0/0:*',
'accept *6:*':
'accept [0000:0000:0000:0000:0000:0000:0000:0000]/0:*',
'accept6 *4:*': 'accept 0.0.0.0/0:*',
'accept6 *6:*':
'accept [0000:0000:0000:0000:0000:0000:0000:0000]/0:*',
}
for rule_arg, expected_str in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
self.assertEqual(expected_str, str(rule))
def test_constructor(self):
# The ExitPolicy constructor takes a series of string or ExitPolicyRule
# entries. Extra whitespace is ignored to make csvs easier to handle.
expected_policy = ExitPolicy(
ExitPolicyRule('accept *:80'),
ExitPolicyRule('accept *:443'),
ExitPolicyRule('reject *:*'),
)
policy = ExitPolicy('accept *:80', 'accept *:443', 'reject *:*')
self.assertEquals(expected_policy, policy)
policy = ExitPolicy(
*"accept *:80, accept *:443, reject *:*".split(","))
self.assertEquals(expected_policy, policy)
def test_valid_ipv4_addresses(self):
test_inputs = {
"0.0.0.0": ("0.0.0.0", "255.255.255.255", 32),
"127.0.0.1/32": ("127.0.0.1", "255.255.255.255", 32),
"192.168.0.50/24": ("192.168.0.50", "255.255.255.0", 24),
"255.255.255.255/0": ("255.255.255.255", "0.0.0.0", 0),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule("accept %s:*" % rule_addr)
self.assertEquals(AddressType.IPv4, rule.get_address_type())
self.assertEquals(address, rule.address)
self.assertEquals(mask, rule.get_mask())
self.assertEquals(masked_bits, rule.get_masked_bits())
def test_valid_ipv4_addresses(self):
test_inputs = {
"0.0.0.0": ("0.0.0.0", "255.255.255.255", 32),
"127.0.0.1/32": ("127.0.0.1", "255.255.255.255", 32),
"192.168.0.50/24": ("192.168.0.50", "255.255.255.0", 24),
"255.255.255.255/0": ("255.255.255.255", "0.0.0.0", 0),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule("accept %s:*" % rule_addr)
self.assertEquals(AddressType.IPv4, rule.get_address_type())
self.assertEquals(address, rule.address)
self.assertEquals(mask, rule.get_mask())
self.assertEquals(masked_bits, rule.get_masked_bits())
def test_accept_or_reject(self):
self.assertTrue(ExitPolicyRule('accept *:*').is_accept)
self.assertFalse(ExitPolicyRule('reject *:*').is_accept)
invalid_inputs = (
'accept',
'reject',
'accept\t*:*',
'accept\n*:*',
'acceptt *:*',
'rejectt *:*',
'blarg *:*',
' *:*',
'*:*',
'',
)
for rule_arg in invalid_inputs:
self.assertRaises(ValueError, ExitPolicyRule, rule_arg)
def test_accept_or_reject(self):
self.assertTrue(ExitPolicyRule("accept *:*").is_accept)
self.assertFalse(ExitPolicyRule("reject *:*").is_accept)
invalid_inputs = (
"accept",
"reject",
"accept *:*",
"accept\t*:*",
"accept\n*:*",
"acceptt *:*",
"rejectt *:*",
"blarg *:*",
" *:*",
"*:*",
"",
)
for rule_arg in invalid_inputs:
self.assertRaises(ValueError, ExitPolicyRule, rule_arg)
def test_valid_wildcard(self):
test_inputs = {
'reject *:*': (True, True),
'reject *:80': (True, False),
'accept 192.168.0.1:*': (False, True),
'accept 192.168.0.1:80': (False, False),
'reject *4:*': (False, True),
'reject *6:*': (False, True),
'reject6 *4:*': (False, True),
'reject6 *6:*': (False, True),
'reject 127.0.0.1/0:*': (False, True),
'reject 127.0.0.1/0.0.0.0:*': (False, True),
'reject 127.0.0.1/16:*': (False, True),
'reject 127.0.0.1/32:*': (False, True),
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80': (False, False),
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/64:80': (False, False),
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/128:80': (False, False),
'reject6 *:*': (False, True),
'reject6 *:80': (False, False),
'reject6 [0000:0000:0000:0000:0000:0000:0000:0000]/128:80': (False, False),
'accept 192.168.0.1:0-65535': (False, True),
'accept 192.168.0.1:1-65535': (False, True),
'accept 192.168.0.1:2-65535': (False, False),
'accept 192.168.0.1:1-65534': (False, False),
}
for rule_arg, attr in test_inputs.items():
is_address_wildcard, is_port_wildcard = attr
rule = ExitPolicyRule(rule_arg)
self.assertEqual(is_address_wildcard, rule.is_address_wildcard(), '%s (wildcard expected %s and actually %s)' % (rule_arg, is_address_wildcard, rule.is_address_wildcard()))
self.assertEqual(is_port_wildcard, rule.is_port_wildcard())
# check that when appropriate a /0 is reported as *not* being a wildcard
rule = ExitPolicyRule('reject 127.0.0.1/0:*')
rule._submask_wildcard = False
self.assertEqual(False, rule.is_address_wildcard())
rule = ExitPolicyRule('reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80')
rule._submask_wildcard = False
self.assertEqual(False, rule.is_address_wildcard())
def test_valid_ipv6_addresses(self):
test_inputs = {
'[fe80:0000:0000:0000:0202:b3ff:fe1e:8329]':
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329',
'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF', 128),
'[FE80::0202:b3ff:fe1e:8329]':
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329',
'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF', 128),
'[0000:0000:0000:0000:0000:0000:0000:0000]/0':
('0000:0000:0000:0000:0000:0000:0000:0000',
'0000:0000:0000:0000:0000:0000:0000:0000', 0),
'[::]': ('0000:0000:0000:0000:0000:0000:0000:0000',
'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF', 128),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule('accept %s:*' % rule_addr)
self.assertEqual(AddressType.IPv6, rule.get_address_type())
self.assertEqual(address, rule.address)
self.assertEqual(mask, rule.get_mask())
self.assertEqual(masked_bits, rule.get_masked_bits())
def test_valid_ports(self):
test_inputs = {
'0': (0, 0),
'1': (1, 1),
'80': (80, 80),
'80-443': (80, 443),
}
for rule_port, attr in test_inputs.items():
min_port, max_port = attr
rule = ExitPolicyRule('accept 127.0.0.1:%s' % rule_port)
self.assertEqual(min_port, rule.min_port)
self.assertEqual(max_port, rule.max_port)
def test_valid_ports(self):
test_inputs = {
"0": (0, 0),
"1": (1, 1),
"80": (80, 80),
"80-443": (80, 443),
}
for rule_port, attr in test_inputs.items():
min_port, max_port = attr
rule = ExitPolicyRule("accept 127.0.0.1:%s" % rule_port)
self.assertEquals(min_port, rule.min_port)
self.assertEquals(max_port, rule.max_port)
def test_valid_ipv6_addresses(self):
test_inputs = {
"[fe80:0000:0000:0000:0202:b3ff:fe1e:8329]":
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128),
"[FE80::0202:b3ff:fe1e:8329]":
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128),
"[0000:0000:0000:0000:0000:0000:0000:0000]/0":
("0000:0000:0000:0000:0000:0000:0000:0000",
"0000:0000:0000:0000:0000:0000:0000:0000", 0),
"[::]": ("0000:0000:0000:0000:0000:0000:0000:0000",
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule("accept %s:*" % rule_addr)
self.assertEquals(AddressType.IPv6, rule.get_address_type())
self.assertEquals(address, rule.address)
self.assertEquals(mask, rule.get_mask())
self.assertEquals(masked_bits, rule.get_masked_bits())
def test_ipv6_only_entries(self):
# accept6/reject6 shouldn't match anything when given an ipv4 addresses
rule = ExitPolicyRule('accept6 192.168.0.1/0:*')
self.assertTrue(rule._skip_rule)
self.assertFalse(rule.is_match('192.168.0.1'))
self.assertFalse(rule.is_match('FE80:0000:0000:0000:0202:B3FF:FE1E:8329'))
self.assertFalse(rule.is_match())
rule = ExitPolicyRule('accept6 *4:*')
self.assertTrue(rule._skip_rule)
# wildcards match all ipv6 but *not* ipv4
rule = ExitPolicyRule('accept6 *:*')
self.assertTrue(rule.is_match('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 443))
self.assertFalse(rule.is_match('192.168.0.1', 443))
def test_valid_ipv6_addresses(self):
test_inputs = {
'[fe80:0000:0000:0000:0202:b3ff:fe1e:8329]':
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329',
'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF', 128),
'[FE80::0202:b3ff:fe1e:8329]':
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329',
'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF', 128),
'[0000:0000:0000:0000:0000:0000:0000:0000]/0':
('0000:0000:0000:0000:0000:0000:0000:0000',
'0000:0000:0000:0000:0000:0000:0000:0000', 0),
'[::]':
('0000:0000:0000:0000:0000:0000:0000:0000',
'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF', 128),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule('accept %s:*' % rule_addr)
self.assertEqual(AddressType.IPv6, rule.get_address_type())
self.assertEqual(address, rule.address)
self.assertEqual(mask, rule.get_mask())
self.assertEqual(masked_bits, rule.get_masked_bits())
def test_valid_ipv6_addresses(self):
test_inputs = {
"[fe80:0000:0000:0000:0202:b3ff:fe1e:8329]":
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128),
"[FE80::0202:b3ff:fe1e:8329]":
("FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128),
"[0000:0000:0000:0000:0000:0000:0000:0000]/0":
("0000:0000:0000:0000:0000:0000:0000:0000",
"0000:0000:0000:0000:0000:0000:0000:0000", 0),
"[::]":
("0000:0000:0000:0000:0000:0000:0000:0000",
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128),
}
for rule_addr, attr in test_inputs.items():
address, mask, masked_bits = attr
rule = ExitPolicyRule("accept %s:*" % rule_addr)
self.assertEquals(AddressType.IPv6, rule.get_address_type())
self.assertEquals(address, rule.address)
self.assertEquals(mask, rule.get_mask())
self.assertEquals(masked_bits, rule.get_masked_bits())
def test_str_changed(self):
# some instances where our rule is valid but won't match our str() representation
test_inputs = {
"accept 10.0.0.1/32:80":
"accept 10.0.0.1:80",
"accept 192.168.0.1/255.255.255.0:80":
"accept 192.168.0.1/24:80",
"accept [::]/32:*":
"accept [0000:0000:0000:0000:0000:0000:0000:0000]/32:*",
"accept [::]/128:*":
"accept [0000:0000:0000:0000:0000:0000:0000:0000]:*",
}
for rule_arg, expected_str in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
self.assertEquals(expected_str, str(rule))
def test_valid_wildcard(self):
test_inputs = {
"reject *:*": (True, True),
"reject *:80": (True, False),
"accept 192.168.0.1:*": (False, True),
"accept 192.168.0.1:80": (False, False),
"reject 127.0.0.1/0:*": (True, True),
"reject 127.0.0.1/0.0.0.0:*": (True, True),
"reject 127.0.0.1/16:*": (False, True),
"reject 127.0.0.1/32:*": (False, True),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80": (True, False),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/64:80": (False, False),
"reject [0000:0000:0000:0000:0000:0000:0000:0000]/128:80": (False, False),
"accept 192.168.0.1:0-65535": (False, True),
"accept 192.168.0.1:1-65535": (False, True),
"accept 192.168.0.1:2-65535": (False, False),
"accept 192.168.0.1:1-65534": (False, False),
}
for rule_arg, attr in test_inputs.items():
is_address_wildcard, is_port_wildcard = attr
rule = ExitPolicyRule(rule_arg)
self.assertEquals(is_address_wildcard, rule.is_address_wildcard())
self.assertEquals(is_port_wildcard, rule.is_port_wildcard())
# check that when appropriate a /0 is reported as *not* being a wildcard
rule = ExitPolicyRule("reject 127.0.0.1/0:*")
rule._submask_wildcard = False
self.assertEquals(False, rule.is_address_wildcard())
rule = ExitPolicyRule("reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80")
rule._submask_wildcard = False
self.assertEquals(False, rule.is_address_wildcard())
def test_str_unchanged(self):
# provides a series of test inputs where the str() representation should
# match the input rule
test_inputs = (
'accept *:*',
'reject *:*',
'accept *:80',
'accept *:80-443',
'accept 127.0.0.1:80',
'accept 87.0.0.1/24:80',
'accept 156.5.38.3/255.255.0.255:80',
'accept [FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]:80',
'accept [FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]/32:80',
)
for rule_arg in test_inputs:
rule = ExitPolicyRule(rule_arg)
self.assertEqual(rule_arg, str(rule))
def test_is_match_wildcard(self):
test_inputs = {
'reject *:*': {
('192.168.0.1', 80): True,
('0.0.0.0', 80): True,
('255.255.255.255', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): True,
('192.168.0.1', None): True,
(None, 80, False): True,
(None, 80, True): True,
(None, None, False): True,
(None, None, True): True,
},
'reject 255.255.255.255/0:*': {
('192.168.0.1', 80): True,
('0.0.0.0', 80): True,
('255.255.255.255', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): False,
('192.168.0.1', None): True,
(None, 80, False): False,
(None, 80, True): True,
(None, None, False): False,
(None, None, True): True,
},
'reject *4:*': {
('192.168.0.1', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
},
'reject *6:*': {
('192.168.0.1', 80): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): True,
},
}
for rule_arg, matches in test_inputs.items():
rule = ExitPolicyRule(rule_arg)
rule._submask_wildcard = False
for match_args, expected_result in matches.items():
self.assertEqual(expected_result, rule.is_match(*match_args))
# port zero is special in that exit policies can include it, but it's not
# something that we can match against
rule = ExitPolicyRule('reject *:*')
self.assertRaises(ValueError, rule.is_match, '127.0.0.1', 0)
def test_valid_wildcard(self):
test_inputs = {
'reject *:*': (True, True),
'reject *:80': (True, False),
'accept 192.168.0.1:*': (False, True),
'accept 192.168.0.1:80': (False, False),
'reject 127.0.0.1/0:*': (True, True),
'reject 127.0.0.1/0.0.0.0:*': (True, True),
'reject 127.0.0.1/16:*': (False, True),
'reject 127.0.0.1/32:*': (False, True),
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80':
(True, False),
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/64:80':
(False, False),
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/128:80':
(False, False),
'accept 192.168.0.1:0-65535': (False, True),
'accept 192.168.0.1:1-65535': (False, True),
'accept 192.168.0.1:2-65535': (False, False),
'accept 192.168.0.1:1-65534': (False, False),
}
for rule_arg, attr in test_inputs.items():
is_address_wildcard, is_port_wildcard = attr
rule = ExitPolicyRule(rule_arg)
self.assertEqual(is_address_wildcard, rule.is_address_wildcard())
self.assertEqual(is_port_wildcard, rule.is_port_wildcard())
# check that when appropriate a /0 is reported as *not* being a wildcard
rule = ExitPolicyRule('reject 127.0.0.1/0:*')
rule._submask_wildcard = False
self.assertEqual(False, rule.is_address_wildcard())
rule = ExitPolicyRule(
'reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80')
rule._submask_wildcard = False
self.assertEqual(False, rule.is_address_wildcard())
def test_ipv6_only_entries(self):
# accept6/reject6 shouldn't match anything when given an ipv4 addresses
rule = ExitPolicyRule('accept6 192.168.0.1/0:*')
self.assertTrue(rule._skip_rule)
self.assertFalse(rule.is_match('192.168.0.1'))
self.assertFalse(
rule.is_match('FE80:0000:0000:0000:0202:B3FF:FE1E:8329'))
self.assertFalse(rule.is_match())
rule = ExitPolicyRule('accept6 *4:*')
self.assertTrue(rule._skip_rule)
# wildcards match all ipv6 but *not* ipv4
rule = ExitPolicyRule('accept6 *:*')
self.assertTrue(
rule.is_match('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 443))
self.assertFalse(rule.is_match('192.168.0.1', 443))
def test_with_multiple_spaces(self):
rule = ExitPolicyRule('accept *:80')
self.assertEqual('accept *:80', str(rule))
policy = MicroExitPolicy('accept 80,443')
self.assertTrue(policy.can_exit_to('75.119.206.243', 80))
