def test_security_group_rule_list_per_security_group(self):
    """Filtering the SG-rule list by ``security_group_id`` returns only those groups' rules.

    Two security groups are created, each holding one any-protocol
    local<->local rule.  The list is then checked with a single-id filter,
    a two-id filter, and no filter at all; the unfiltered result only has
    to *contain* both rule ids, since other tests may have created more.
    """
    def _make_sg(sg_name):
        # One SG with a single local<->local 'any' rule; returns (sg, rule id).
        sg = SecurityGroup(sg_name, parent_obj=self.project)
        rule_id = str(uuid.uuid4())
        entry = PolicyRuleType(
            rule_uuid=rule_id,
            protocol='any',
            src_addresses=[AddressType(security_group='local')],
            dst_addresses=[AddressType(security_group='local')],
        )
        sg.set_security_group_entries(PolicyEntriesType([entry]))
        self._vnc_lib.security_group_create(sg)
        return sg, rule_id

    def _listed_rule_ids(**list_kwargs):
        # ids of every rule the resource listing reports for this project.
        listed = self.list_resource('security_group_rule', self.project_id,
                                    **list_kwargs)
        return {sgr['id'] for sgr in listed}

    sg1, sgr1_id = _make_sg('sg1-%s' % self.id())
    sg2, sgr2_id = _make_sg('sg2-%s' % self.id())

    self.assertEqual(
        {sgr1_id},
        _listed_rule_ids(req_filters={'security_group_id': [sg1.uuid]}))
    self.assertEqual(
        {sgr1_id, sgr2_id},
        _listed_rule_ids(req_filters={'security_group_id': [sg1.uuid, sg2.uuid]}))
    self.assertTrue({sgr1_id, sgr2_id}.issubset(_listed_rule_ids()))
def create_network_policy_with_multiple_rules(self, rules):
    """Create and persist a NetworkPolicy with one PolicyRuleType per entry of *rules*.

    Each rule dict must provide "src", "dst", "direction", "protocol" and
    (when no service list applies) "action"; "src-port" / "dst-port" are
    optional and default to PortType(-1, -1).  Mirror and service-chain
    actions are taken from get_mirror_service() / get_service_list().

    The policy is named with a fresh uuid, created through the VNC API and
    the local object is returned.
    """
    def _to_policy_rule(rule):
        # Same call order as before: addresses, services, then ports.
        src_addr = self.frame_rule_addresses(rule["src"])
        dst_addr = self.frame_rule_addresses(rule["dst"])
        service_list = self.get_service_list(rule)
        mirror_service = self.get_mirror_service(rule)
        src_port = rule.get("src-port", PortType(-1, -1))
        dst_port = rule.get("dst-port", PortType(-1, -1))

        actions = ActionListType()
        if mirror_service:
            actions.mirror_to = MirrorActionType(analyzer_name=mirror_service)
        # A service chain replaces the simple action; "action" is only read
        # when there is no service list.
        if service_list:
            actions.apply_service = service_list
        else:
            actions.simple_action = rule["action"]

        return PolicyRuleType(
            rule_uuid=str(uuid.uuid4()),
            direction=rule["direction"],
            protocol=rule["protocol"],
            src_addresses=[src_addr],
            dst_addresses=[dst_addr],
            src_ports=[src_port],
            dst_ports=[dst_port],
            action_list=actions)

    entries = PolicyEntriesType([_to_policy_rule(rule) for rule in rules])
    policy = NetworkPolicy(str(uuid.uuid4()), network_policy_entries=entries)
    self._vnc_lib.network_policy_create(policy)
    return policy
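def _create_policy(self, policy_name, proj_obj, src_vn_obj, dst_vn_obj):
    """Create (or refresh) an allow-all network policy between two virtual networks.

    The policy is looked up by fq_name under *proj_obj*; an existing one is
    updated, otherwise a new one is created.  Its single rule is
    bidirectional ('<>'), any protocol, wildcard ports on both sides,
    src_vn_obj -> dst_vn_obj, with simple_action 'pass' -- i.e. it permits
    all traffic between the two networks.

    Returns the NetworkPolicy object that was sent to the API.  NoIdError on
    the read is handled; any other VNC API error propagates.
    """
    policy = NetworkPolicy(name=policy_name, parent_obj=proj_obj)
    try:
        policy_obj = self._vnc_lib.network_policy_read(
            fq_name=policy.get_fq_name())
        policy_exists = True
    except NoIdError:
        # Policy does not exist yet; the fresh stub is the one we create.
        policy_obj = policy
        policy_exists = False

    # PortType(-1, -1) is the wildcard port range used by the sibling helpers.
    pass_all_rule = PolicyRuleType(
        direction='<>',
        action_list=ActionListType(simple_action='pass'),
        protocol='any',
        src_addresses=[
            AddressType(virtual_network=src_vn_obj.get_fq_name_str())
        ],
        src_ports=[PortType(-1, -1)],
        dst_addresses=[
            AddressType(virtual_network=dst_vn_obj.get_fq_name_str())
        ],
        dst_ports=[PortType(-1, -1)])
    policy_obj.set_network_policy_entries(PolicyEntriesType([pass_all_rule]))

    # The entries were set on policy_obj, so that is the object to send.
    # Previously the exists-branch sent the bare `policy` stub, which carried
    # no entries, so the rule never reached the API on update.
    if policy_exists:
        self._vnc_lib.network_policy_update(policy_obj)
    else:
        self._vnc_lib.network_policy_create(policy_obj)
    return policy_obj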
def _security_group_rule_append(self, sg_obj, sg_rule):
    """Append *sg_rule* to *sg_obj*'s rule entries, refusing an exact duplicate.

    A rule counts as a duplicate when it compares equal to an existing one
    after the existing rule's uuid has been replaced by sg_rule's, i.e. the
    uuid is ignored in the comparison.  In that case
    ``Exception('SecurityGroupRuleExists <uuid>')`` is raised, naming the
    pre-existing rule's uuid.

    Only the local object is modified; nothing is sent to the API here.
    """
    entries = sg_obj.get_security_group_entries()
    if entries is None:
        sg_obj.set_security_group_entries(PolicyEntriesType([sg_rule]))
        return

    def _matches_ignoring_uuid(existing):
        # Shallow copy so the stored rule's uuid is left untouched.
        probe = copy.copy(existing)
        probe.rule_uuid = sg_rule.rule_uuid
        return sg_rule == probe

    for existing in entries.get_policy_rule() or []:
        if _matches_ignoring_uuid(existing):
            raise Exception('SecurityGroupRuleExists %s' % existing.rule_uuid)
    entries.add_policy_rule(sg_rule)
    sg_obj.set_security_group_entries(entries)
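def _create_vn_vn_policy(self, policy_name,
                         proj_obj, src_vn_obj, dst_vn_obj):
    """Create (or refresh) the VN-to-VN network policy *policy_name* under *proj_obj*.

    The policy is looked up by fq_name; an existing one is updated,
    otherwise a new one is created.  Its single entry comes from
    self._create_policy_entry(src_vn_obj, dst_vn_obj).

    Returns the NetworkPolicy object that was sent to the API.  NoIdError on
    the read is handled; any other VNC API error propagates.
    """
    policy = NetworkPolicy(name=policy_name, parent_obj=proj_obj)
    try:
        policy_obj = self._vnc_lib.network_policy_read(
            fq_name=policy.get_fq_name())
        policy_exists = True
    except NoIdError:
        # Policy does not exist yet; the fresh stub is the one we create.
        policy_obj = policy
        policy_exists = False

    network_policy_entries = PolicyEntriesType()
    network_policy_entries.add_policy_rule(
        self._create_policy_entry(src_vn_obj, dst_vn_obj))
    policy_obj.set_network_policy_entries(network_policy_entries)

    # The entries were set on policy_obj, so that is the object to send.
    # Previously the exists-branch sent the bare `policy` stub, which carried
    # no entries, so the new rule never reached the API on update.
    if policy_exists:
        self._vnc_lib.network_policy_update(policy_obj)
    else:
        self._vnc_lib.network_policy_create(policy_obj)
    return policy_obj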
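def create_security_group(self, proj_obj):
    """Create the project's 'default' security group with two ingress rules.

    Both rules allow any protocol on ports 0-65535 from the project's own
    'default' security group to 'local', one for ethertype IPv4 and one for
    IPv6.  The group is created through the VNC API, chowned to *proj_obj*,
    and the local object is returned.
    """
    def _get_rule(ingress, sg, prefix, ethertype):
        # The peer side is either a security group (qualified with the
        # project fq_name) or a subnet; exactly one of them is required.
        if sg:
            peer = AddressType(
                security_group=proj_obj.get_fq_name_str() + ':' + sg)
        elif prefix:
            peer = AddressType(subnet=SubnetType(prefix, 0))
        else:
            # Previously fell through to an UnboundLocalError on `addr`.
            raise ValueError(
                '_get_rule needs either a security group or a prefix')
        local_addr = AddressType(security_group='local')
        # ingress: peer -> local; egress: local -> peer.
        src_addr, dst_addr = (peer, local_addr) if ingress else (local_addr, peer)
        return PolicyRuleType(rule_uuid=str(uuid.uuid4()),
                              direction='>',
                              protocol='any',
                              src_addresses=[src_addr],
                              src_ports=[PortType(0, 65535)],
                              dst_addresses=[dst_addr],
                              dst_ports=[PortType(0, 65535)],
                              ethertype=ethertype)

    sg_rules = PolicyEntriesType([
        _get_rule(True, 'default', None, 'IPv4'),
        _get_rule(True, 'default', None, 'IPv6'),
    ])

    # create security group
    id_perms = IdPermsType(
        enable=True,
        description=KMTestCase.DEFAULT_SECGROUP_DESCRIPTION)
    sg_obj = SecurityGroup(name='default', parent_obj=proj_obj,
                           id_perms=id_perms,
                           security_group_entries=sg_rules)
    self._vnc_lib.security_group_create(sg_obj)
    self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
    return sg_obj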
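def _update_security_groups(self, ns_name, proj_obj, network_policy):
    """Ensure the namespace's 'default' and 'sg' security groups exist under *proj_obj*.

    Both groups are annotated with the namespace / name / k8s event type,
    created through the VNC API (and chowned to the project), re-read and
    registered with SecurityGroupKM.locate():

    * ``<cluster>-<ns>-default``: ingress rules from 0.0.0.0/0 and ::/0 to
      'local' unless ``network_policy['ingress']['isolation']`` equals
      'DefaultDeny', plus egress rules from 'local' to 0.0.0.0/0 and ::/0
      that are always added -- there is no egress isolation handling here.
      If the group already exists its rules are re-sent via update.
    * ``<cluster>-<ns>-sg``: created with no rule entries; an existing one
      is left untouched.

    Returns ``{sg_name: sg_uuid}`` for both groups.  RefsExistError on
    create is handled as described; other VNC API errors propagate.
    """
    def _get_rule(ingress, sg, prefix, ethertype):
        # Peer side: a security group (qualified with the project fq_name
        # unless it already contains ':') or a subnet.  One is required.
        if sg:
            sg_fq_name = sg if ':' in sg else proj_obj.get_fq_name_str() + ':' + sg
            peer = AddressType(security_group=sg_fq_name)
        elif prefix:
            # Prefix length 0 -- with '0.0.0.0' / '::' this matches any address.
            peer = AddressType(subnet=SubnetType(prefix, 0))
        else:
            # Previously fell through to an UnboundLocalError on `addr`.
            raise ValueError(
                '_get_rule needs either a security group or a prefix')
        local_addr = AddressType(security_group='local')
        # ingress: peer -> local; egress: local -> peer.
        src_addr, dst_addr = (peer, local_addr) if ingress else (local_addr, peer)
        return PolicyRuleType(rule_uuid=str(uuid.uuid4()),
                              direction='>',
                              protocol='any',
                              src_addresses=[src_addr],
                              src_ports=[PortType(0, 65535)],
                              dst_addresses=[dst_addr],
                              dst_ports=[PortType(0, 65535)],
                              ethertype=ethertype)

    def _ingress_open(policy):
        # Only an explicit ingress isolation of 'DefaultDeny' closes ingress;
        # a missing or falsy policy / section leaves it open.
        if policy and 'ingress' in policy:
            ingress_policy = policy['ingress']
            if ingress_policy and 'isolation' in ingress_policy:
                return ingress_policy['isolation'] != 'DefaultDeny'
        return True

    def _register(sg_obj, sg_name):
        # Re-read so the uuid comes from the stored object whether the group
        # was just created or already existed, then register it.
        stored = self._vnc_lib.security_group_read(sg_obj.fq_name)
        sg_uuid = stored.get_uuid()
        SecurityGroupKM.locate(sg_uuid)
        sg_dict[sg_name] = sg_uuid

    sg_dict = {}
    cluster = vnc_kube_config.cluster_name()

    # create default security group
    sg_name = "-".join([cluster, ns_name, 'default'])
    DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
    id_perms = IdPermsType(enable=True,
                           description=DEFAULT_SECGROUP_DESCRIPTION)
    rules = []
    if _ingress_open(network_policy):
        rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
        rules.append(_get_rule(True, None, '::', 'IPv6'))
    # Egress is unconditionally allowed to everywhere.
    rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
    rules.append(_get_rule(False, None, '::', 'IPv6'))
    sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj,
                           id_perms=id_perms,
                           security_group_entries=PolicyEntriesType(rules))
    SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
                                    name=sg_obj.name,
                                    k8s_type=self._k8s_event_type)
    try:
        self._vnc_lib.security_group_create(sg_obj)
        self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
    except RefsExistError:
        # Already present: push the freshly computed rule set so a changed
        # isolation setting takes effect.  The chown is not repeated here.
        self._vnc_lib.security_group_update(sg_obj)
    _register(sg_obj, sg_name)

    # create namespace security group
    ns_sg_name = "-".join([cluster, ns_name, 'sg'])
    NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group"
    id_perms = IdPermsType(enable=True,
                           description=NAMESPACE_SECGROUP_DESCRIPTION)
    sg_obj = SecurityGroup(name=ns_sg_name, parent_obj=proj_obj,
                           id_perms=id_perms,
                           security_group_entries=None)
    SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
                                    name=sg_obj.name,
                                    k8s_type=self._k8s_event_type)
    try:
        self._vnc_lib.security_group_create(sg_obj)
        self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
    except RefsExistError:
        # An existing namespace group has no rules to refresh; keep it as is.
        pass
    _register(sg_obj, ns_sg_name)

    return sg_dict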
def test_security_logging_object_with_policy_and_security_group(self):
    """An SLO that references a network policy and a security group reports both rules.

    vn1 gets a one-rule (udp, deny) network policy; a security group gets one
    tcp ingress rule.  Both are attached to a fresh SecurityLoggingObject and
    the schema-transformer view (SecurityLoggingObjectST) must list both rule
    uuids at rate 300.  Detaching both must leave it empty.  Cleans up after.
    """
    # Network-policy side: vn1 with a single udp deny rule to 10.2.1.1/32.
    vn1 = self.create_virtual_network(self.id() + 'vn1', "10.1.1.0/24")
    deny_rule = {
        "protocol": "udp",
        "direction": "<>",
        "src": {"type": "vn", "value": vn1},
        "dst": {"type": "cidr", "value": "10.2.1.1/32"},
        "action": "deny",
    }
    np = self.create_network_policy_with_multiple_rules([deny_rule])
    vn1.set_network_policy(np, VirtualNetworkPolicyType(SequenceType(1, 1)))
    self._vnc_lib.virtual_network_update(vn1)

    # Security-group side: tcp from 11.0.0.0/24 to local, all ports.
    sg_obj = SecurityGroup(name=self.id() + '_sg1')
    self._vnc_lib.security_group_create(sg_obj)
    sgr_uuid = str(uuid.uuid4())
    # NOTE(review): other helpers in this listing pass `ethertype=`; this
    # test passes `ether_type=` -- confirm PolicyRuleType accepts that spelling.
    sg_rule = PolicyRuleType(
        rule_uuid=sgr_uuid,
        direction='>',
        protocol='tcp',
        src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
        src_ports=[PortType(0, 65535)],
        dst_addresses=[AddressType(security_group='local')],
        dst_ports=[PortType(0, 65535)],
        ether_type='IPv4')
    sg_obj.set_security_group_entries(PolicyEntriesType([sg_rule]))
    self._vnc_lib.security_group_update(sg_obj)

    # The SLO itself lives under default-project.
    project = self._vnc_lib.project_read(
        fq_name=[u'default-domain', u'default-project'])
    slo_obj = SecurityLoggingObject(name=self.id() + '_slo1',
                                    parent_obj=project,
                                    security_logging_object_rate=300)
    self._vnc_lib.security_logging_object_create(slo_obj)
    self.wait_to_get_object(SecurityLoggingObjectST,
                            slo_obj.get_fq_name_str())

    np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
    np_fqdn = np.get_fq_name_str()
    expected_entries = [
        SecurityLoggingObjectRuleEntryType(np_rule1.get_rule_uuid(), rate=300),
        SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300),
    ]

    # Attach policy and group, then verify both rules show up.
    slo_obj = self._vnc_lib.security_logging_object_read(
        fq_name=slo_obj.get_fq_name())
    slo_obj.add_network_policy(np, None)
    sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid())
    slo_obj.add_security_group(sg_obj, None)
    self._vnc_lib.security_logging_object_update(slo_obj)
    self.check_rules_in_slo(
        SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()),
        np_fqdn, expected_entries)

    # Detach both; the ST view must now carry no rules.
    slo_obj.del_network_policy(np)
    slo_obj.del_security_group(sg_obj)
    self._vnc_lib.security_logging_object_update(slo_obj)
    self.check_rules_in_slo(
        SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()), None, [])

    # cleanup
    self.delete_network_policy(np, auto_policy=True)
    self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
    self._vnc_lib.security_logging_object_delete(
        fq_name=slo_obj.get_fq_name())
    # check if vn is deleted
    self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_network_policy_update(self):
    """Updating a network policy already attached to an SLO refreshes the SLO's rules.

    An empty network policy is attached to vn1 and to a fresh
    SecurityLoggingObject; a tcp pass rule is then added to the policy and
    the schema-transformer view must list that rule uuid at rate 300.
    Detaching the policy must leave it empty.  Cleans up after.
    """
    vn1 = self.create_virtual_network(self.id() + 'vn1', "10.1.1.0/24")
    np = self.create_network_policy_with_multiple_rules([])
    np_fqdn = np.get_fq_name_str()
    vn1.set_network_policy(np, VirtualNetworkPolicyType(SequenceType(1, 1)))
    self._vnc_lib.virtual_network_update(vn1)

    # SLO under default-project, referencing the (still empty) policy.
    project = self._vnc_lib.project_read(
        fq_name=[u'default-domain', u'default-project'])
    slo_obj = SecurityLoggingObject(name=self.id() + '_slo1',
                                    parent_obj=project,
                                    security_logging_object_rate=300)
    self._vnc_lib.security_logging_object_create(slo_obj)
    self.wait_to_get_object(SecurityLoggingObjectST,
                            slo_obj.get_fq_name_str())
    slo_obj.add_network_policy(np, None)
    self._vnc_lib.security_logging_object_update(slo_obj)

    # Now give the policy one rule: tcp 11.0.0.0/24 -> 10.0.0.0/24, pass.
    npr_uuid = str(uuid.uuid4())
    action_list = ActionListType()
    action_list.simple_action = 'pass'
    # NOTE(review): other helpers in this listing pass `ethertype=`; this
    # test passes `ether_type=` -- confirm PolicyRuleType accepts that spelling.
    np_rule = PolicyRuleType(
        rule_uuid=npr_uuid,
        direction='>',
        protocol='tcp',
        src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
        src_ports=[PortType(0, 65535)],
        dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))],
        dst_ports=[PortType(0, 65535)],
        ether_type='IPv4',
        action_list=action_list)
    np.set_network_policy_entries(PolicyEntriesType([np_rule]))
    self._vnc_lib.network_policy_update(np)

    slo_obj = self._vnc_lib.security_logging_object_read(
        fq_name=slo_obj.get_fq_name())
    expected_entries = [
        SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300),
    ]
    self.check_rules_in_slo(
        SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()),
        np_fqdn, expected_entries)

    # Detach the policy; the ST view must now carry no rules.
    slo_obj.del_network_policy(np)
    self._vnc_lib.security_logging_object_update(slo_obj)
    self.check_rules_in_slo(
        SecurityLoggingObjectST.get(slo_obj.get_fq_name_str()), None, [])

    # cleanup
    self.delete_network_policy(np, auto_policy=True)
    self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
    self._vnc_lib.security_logging_object_delete(
        fq_name=slo_obj.get_fq_name())
    # check if vn is deleted
    self.check_vn_is_deleted(uuid=vn1.uuid)
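def _update_security_groups(self, ns_name, proj_obj):
    """Ensure the namespace's default security group exists under *proj_obj*.

    The group is named by vnc_kube_config.get_default_sg_name(ns_name) and
    carries four any-protocol, all-port rules: ingress from 0.0.0.0/0 and
    ::/0 to 'local' and egress from 'local' to 0.0.0.0/0 and ::/0 -- i.e.
    it is fully open in both directions; this variant has no isolation
    handling.  It is annotated with the namespace / name / k8s event type
    and chowned to the project.  If it already exists (RefsExistError) the
    rule set is re-sent via update instead.

    Returns the SecurityGroupKM entry from SecurityGroupKM.locate().
    """
    def _get_rule(ingress, sg, prefix, ethertype):
        # Peer side: a security group (qualified with the project fq_name
        # unless it already contains ':') or a subnet.  One is required.
        if sg:
            sg_fq_name = sg if ':' in sg else proj_obj.get_fq_name_str() + ':' + sg
            peer = AddressType(security_group=sg_fq_name)
        elif prefix:
            # Prefix length 0 -- with '0.0.0.0' / '::' this matches any address.
            peer = AddressType(subnet=SubnetType(prefix, 0))
        else:
            # Previously fell through to an UnboundLocalError on `addr`.
            raise ValueError(
                '_get_rule needs either a security group or a prefix')
        local_addr = AddressType(security_group='local')
        # ingress: peer -> local; egress: local -> peer.
        src_addr, dst_addr = (peer, local_addr) if ingress else (local_addr, peer)
        return PolicyRuleType(rule_uuid=str(uuid.uuid4()),
                              direction='>',
                              protocol='any',
                              src_addresses=[src_addr],
                              src_ports=[PortType(0, 65535)],
                              dst_addresses=[dst_addr],
                              dst_ports=[PortType(0, 65535)],
                              ethertype=ethertype)

    # create default security group
    sg_name = vnc_kube_config.get_default_sg_name(ns_name)
    DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
    id_perms = IdPermsType(enable=True,
                           description=DEFAULT_SECGROUP_DESCRIPTION)
    # Both directions are unconditionally open (the original's `ingress` /
    # `egress` flags were never set to False).
    rules = [
        _get_rule(True, None, '0.0.0.0', 'IPv4'),
        _get_rule(True, None, '::', 'IPv6'),
        _get_rule(False, None, '0.0.0.0', 'IPv4'),
        _get_rule(False, None, '::', 'IPv6'),
    ]
    sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj,
                           id_perms=id_perms,
                           security_group_entries=PolicyEntriesType(rules))
    SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
                                    name=sg_obj.name,
                                    k8s_type=self._k8s_event_type)
    try:
        self._vnc_lib.security_group_create(sg_obj)
        self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
    except RefsExistError:
        # Already present: re-send the rule set.  The chown is not repeated.
        self._vnc_lib.security_group_update(sg_obj)
    # NOTE(review): unlike the sibling variant, the group is not re-read
    # here; if the update path leaves sg_obj.uuid unset, locate() would be
    # called with None -- confirm against the VNC client's update behaviour.
    return SecurityGroupKM.locate(sg_obj.get_uuid())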