def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
def _create_policy(self, policy_name, proj_obj, src_vn_obj, dst_vn_obj):
policy_exists = False
policy = NetworkPolicy(name=policy_name, parent_obj=proj_obj)
try:
policy_obj = self._vnc_lib.network_policy_read(
fq_name=policy.get_fq_name())
policy_exists = True
except NoIdError:
# policy does not exist. Create one.
policy_obj = policy
network_policy_entries = PolicyEntriesType([
PolicyRuleType(
direction='<>',
action_list=ActionListType(simple_action='pass'),
protocol='any',
src_addresses=[
AddressType(virtual_network=src_vn_obj.get_fq_name_str())
],
src_ports=[PortType(-1, -1)],
dst_addresses=[
AddressType(virtual_network=dst_vn_obj.get_fq_name_str())
],
dst_ports=[PortType(-1, -1)])
])
policy_obj.set_network_policy_entries(network_policy_entries)
if policy_exists:
self._vnc_lib.network_policy_update(policy)
else:
self._vnc_lib.network_policy_create(policy)
return policy_obj
def _security_group_rule_build(self, rule_info, sg_fq_name_str):
protocol = rule_info['protocol']
port_min = rule_info['port_min'] or 0
port_max = rule_info['port_max'] or 65535
direction = rule_info['direction'] or 'ingress'
ip_prefix = rule_info['ip_prefix']
ether_type = rule_info['ether_type']
if ip_prefix:
cidr = ip_prefix.split('/')
pfx = cidr[0]
pfx_len = int(cidr[1])
endpt = [AddressType(subnet=SubnetType(pfx, pfx_len))]
else:
endpt = [AddressType(security_group=sg_fq_name_str)]
local = None
remote = None
if direction == 'ingress':
dir = '>'
local = endpt
remote = [AddressType(security_group='local')]
else:
dir = '>'
remote = endpt
local = [AddressType(security_group='local')]
if not protocol:
protocol = 'any'
if protocol.isdigit():
protocol = int(protocol)
if protocol < 0 or protocol > 255:
raise Exception('SecurityGroupRuleInvalidProtocol-%s' %
protocol)
else:
if protocol not in ['any', 'tcp', 'udp', 'icmp']:
raise Exception('SecurityGroupRuleInvalidProtocol-%s' %
protocol)
if not ip_prefix and not sg_fq_name_str:
if not ether_type:
ether_type = 'IPv4'
sgr_uuid = str(uuid.uuid4())
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction=dir,
protocol=protocol,
src_addresses=local,
src_ports=[PortType(0, 65535)],
dst_addresses=remote,
dst_ports=[PortType(port_min, port_max)],
ethertype=ether_type)
return rule
def _create_policy_entry(self, src_vn_obj, dst_vn_obj):
return PolicyRuleType(
direction='<>',
action_list=ActionListType(simple_action='pass'),
protocol='any',
src_addresses=[
AddressType(virtual_network=src_vn_obj.get_fq_name_str())
],
src_ports=[PortType(-1, -1)],
dst_addresses=[
AddressType(virtual_network=dst_vn_obj.get_fq_name_str())
],
dst_ports=[PortType(-1, -1)])
def test_security_group_rule_list_per_security_group(self):
sg1 = SecurityGroup('sg1-%s' % self.id(), parent_obj=self.project)
sgr1_id = str(uuid.uuid4())
rule = PolicyRuleType(
rule_uuid=sgr1_id,
protocol='any',
src_addresses=[AddressType(security_group='local')],
dst_addresses=[AddressType(security_group='local')],
)
sg1.set_security_group_entries(PolicyEntriesType([rule]))
self._vnc_lib.security_group_create(sg1)
sg2 = SecurityGroup('sg2-%s' % self.id(), parent_obj=self.project)
sgr2_id = str(uuid.uuid4())
rule = PolicyRuleType(
rule_uuid=sgr2_id,
protocol='any',
src_addresses=[AddressType(security_group='local')],
dst_addresses=[AddressType(security_group='local')],
)
sg2.set_security_group_entries(PolicyEntriesType([rule]))
self._vnc_lib.security_group_create(sg2)
list_result = self.list_resource(
'security_group_rule',
self.project_id,
req_filters={
'security_group_id': [sg1.uuid],
},
)
self.assertEqual(set([sgr1_id]), {sgr['id'] for sgr in list_result})
list_result = self.list_resource(
'security_group_rule',
self.project_id,
req_filters={
'security_group_id': [sg1.uuid, sg2.uuid],
},
)
self.assertEqual(set([sgr1_id, sgr2_id]),
{sgr['id']
for sgr in list_result})
list_result = self.list_resource('security_group_rule',
self.project_id)
self.assertTrue(
set([sgr1_id,
sgr2_id]).issubset({sgr['id']
for sgr in list_result}))
def frame_rule_addresses(self, addr):
addrs = [addr] if isinstance(addr, dict) else addr
rule_kwargs = {}
for addr in addrs:
if addr["type"] == "vn":
vn = addr["value"]
if isinstance(vn, basestring):
rule_kwargs.update({'virtual_network': vn})
else:
rule_kwargs.update(
{'virtual_network': vn.get_fq_name_str()})
elif addr["type"] == "cidr_list":
subnets = []
for cidr in addr["value"]:
pfx, pfx_len = cidr.split('/')
subnets.append(SubnetType(pfx, int(pfx_len)))
rule_kwargs.update({'subnet_list': subnets})
else:
cidr = addr["value"].split('/')
pfx = cidr[0]
pfx_len = int(cidr[1])
rule_kwargs.update({'subnet': SubnetType(pfx, pfx_len)})
rule_addr = AddressType(**rule_kwargs)
return rule_addr
def test_security_logging_object_with_policy_and_security_group(self):
# Add a Network Policy Rule and a Security Group Rule to a
# SLO
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
rule1 = {
"protocol": "udp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
np = self.create_network_policy_with_multiple_rules([rule1])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
sg_obj = SecurityGroup(name=self.id() + '_sg1')
self._vnc_lib.security_group_create(sg_obj)
sgr_uuid = str(uuid.uuid4())
sg_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4')
sg_policy_rules = PolicyEntriesType([sg_rule])
sg_obj.set_security_group_entries(sg_policy_rules)
self._vnc_lib.security_group_update(sg_obj)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
np_fqdn = np.get_fq_name_str()
np_rule1_uuid = np_rule1.get_rule_uuid()
slo_rule_entries = []
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300))
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300))
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
slo_obj.add_network_policy(np, None)
sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid())
slo_obj.add_security_group(sg_obj, None)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries)
slo_obj.del_network_policy(np)
slo_obj.del_security_group(sg_obj)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_network_policy_update(self):
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
np = self.create_network_policy_with_multiple_rules([])
np_fqdn = np.get_fq_name_str()
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
slo_obj.add_network_policy(np, None)
self._vnc_lib.security_logging_object_update(slo_obj)
npr_uuid = str(uuid.uuid4())
action_list = ActionListType()
action_list.simple_action = 'pass'
np_rule = PolicyRuleType(
rule_uuid=npr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4',
action_list=action_list)
np.set_network_policy_entries(PolicyEntriesType([np_rule]))
self._vnc_lib.network_policy_update(np)
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
expected_rule_list = [
SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300)
]
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, expected_rule_list)
slo_obj.del_network_policy(np)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
