def test_replace_selector_with_object(self): """ Checks that the validate_profile() method replaces selectors (with their object representations). """ policy = { "selector": "a == 'b'", "inbound_rules": [{ "src_selector": "b == 'c'", "dst_selector": "e == 'f'" }], "outbound_rules": [{ "src_selector": "h == 'c'", "dst_selector": "i == 'f'" }], "order": 10 } common.validate_policy(TieredPolicyId("a", "b"), policy) self.assertEqual(policy["selector"], parse_selector("a == 'b'")) self.assertEqual(policy["inbound_rules"][0]["src_selector"], parse_selector("b == 'c'")) self.assertEqual(policy["inbound_rules"][0]["dst_selector"], parse_selector("e == 'f'")) self.assertEqual(policy["outbound_rules"][0]["src_selector"], parse_selector("h == 'c'")) self.assertEqual(policy["outbound_rules"][0]["dst_selector"], parse_selector("i == 'f'"))
def test_replace_selector_with_object(self): """ Checks that the validate_profile() method replaces selectors (with their object representations). """ policy = { "selector": "a == 'b'", "inbound_rules": [ {"src_selector": "b == 'c'", "dst_selector": "e == 'f'"} ], "outbound_rules": [ {"src_selector": "h == 'c'", "dst_selector": "i == 'f'"} ], "order": 10 } common.validate_policy(TieredPolicyId("a", "b"), policy) self.assertEqual(policy["selector"], parse_selector("a == 'b'")) self.assertEqual(policy["inbound_rules"][0]["src_selector"], parse_selector("b == 'c'")) self.assertEqual(policy["inbound_rules"][0]["dst_selector"], parse_selector("e == 'f'")) self.assertEqual(policy["outbound_rules"][0]["src_selector"], parse_selector("h == 'c'")) self.assertEqual(policy["outbound_rules"][0]["dst_selector"], parse_selector("i == 'f'"))
def parse_policy(profile_id, raw_json, require_selector=False, require_order=False): policy = safe_decode_json(raw_json, log_tag="policy %s" % profile_id) try: common.validate_policy(profile_id, policy) except ValidationFailed as e: _log.exception("Validation failed for policy %s: %s", profile_id, policy) return None else: return policy
def test_validate_policy(self): policy_id = TieredPolicyId("a", "b") with self.assertRaisesRegexp(ValidationFailed, "Expected policy 'a/b' to " "be a dict"): common.validate_policy(policy_id, []) rules = {'selector': "+abcd", # Bad selector 'inbound_rules': [], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Failed to parse selector"): common.validate_policy(policy_id, rules)
def test_validate_order(self): policy = { "selector": "a == 'b'", "order": 10, "inbound_rules": [], "outbound_rules": [], } common.validate_policy(TieredPolicyId("a", "b"), policy) policy = { "selector": "a == 'b'", "order": "10", "inbound_rules": [], "outbound_rules": [], } with self.assertRaises(ValidationFailed): common.validate_policy(TieredPolicyId("a", "b"), policy) policy = { "selector": "a == 'b'", "inbound_rules": [], "outbound_rules": [], } with self.assertRaises(ValidationFailed): common.validate_policy(TieredPolicyId("a", "b"), policy) policy = { "order": 10, "inbound_rules": [], "outbound_rules": [], } with self.assertRaises(ValidationFailed): common.validate_policy(TieredPolicyId("a", "b"), policy)
def test_validate_order(self): policy = { "selector": "a == 'b'", "order": 10, "inbound_rules": [], "outbound_rules": [], } common.validate_policy(TieredPolicyId("a", "b"), policy) policy = { "selector": "a == 'b'", "order": "10", "inbound_rules": [], "outbound_rules": [], } with self.assertRaises(ValidationFailed): common.validate_policy(TieredPolicyId("a", "b"), policy) policy = { "selector": "a == 'b'", "inbound_rules": [], "outbound_rules": [], } common.validate_policy(TieredPolicyId("a", "b"), policy) self.assertEqual(policy["order"], common.INFINITY) self.assertGreater(policy["order"], 9999999999999999999999999999999999) policy = { "selector": "a == 'b'", "inbound_rules": [], "outbound_rules": [], "order": "default", } common.validate_policy(TieredPolicyId("a", "b"), policy) self.assertEqual(policy["order"], common.INFINITY) self.assertGreater(policy["order"], 9999999999999999999999999999999999) policy = { "order": 10, "inbound_rules": [], "outbound_rules": [], } with self.assertRaises(ValidationFailed): common.validate_policy(TieredPolicyId("a", "b"), policy)
def test_validate_rules(self): profile_id = "valid_name-ok." rules = {'inbound_rules': [], 'outbound_rules': []} common.validate_profile(profile_id, rules.copy()) with self.assertRaisesRegexp( ValidationFailed, "Expected profile 'valid_name-ok.' to " "be a dict"): common.validate_profile(profile_id, []) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_profile("a&b", rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_policy(TieredPolicyId("+123", "abc"), rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_policy(TieredPolicyId("abc", "+"), rules.copy()) # No rules. with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"): common.validate_profile(profile_id, {'inbound_rules': []}) with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"): common.validate_profile(profile_id, {'outbound_rules': []}) rules = {'inbound_rules': 3, 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Expected rules\[inbound_rules\] to be a list"): common.validate_profile(profile_id, rules.copy()) rule = "not a dict" rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule should be a dict"): common.validate_profile(profile_id, rules.copy()) rule = {'bad_key': ""} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule contains unknown keys"): common.validate_profile(profile_id, rules) rule = {'protocol': "bloop"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Invalid protocol bloop in rule " "{'protocol': 'bloop'}"): common.validate_profile(profile_id, rules) rule = {'ip_version': 5} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid ip_version in rule"): common.validate_profile(profile_id, rules) rule = {'ip_version': 4, 'protocol': "icmpv6"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmpv6 with IPv4"): common.validate_profile(profile_id, rules) rule = {'ip_version': 6, 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"): common.validate_profile(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_profile(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "123"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_profile(profile_id, rules) rule = {'protocol': "256"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 256 in rule"): common.validate_profile(profile_id, rules) rule = {'protocol': "0"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 0 in rule"): common.validate_profile(profile_id, rules) rule = {'src_tag': "a!b", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"): common.validate_profile(profile_id, rules) rule = {'dst_tag': "x,y", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"): common.validate_profile(profile_id, rules) rule = {'src_selector': "a!b"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_selector"): common.validate_profile(profile_id, rules) rule = {'dst_selector': "+b"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_selector"): common.validate_profile(profile_id, rules) rule = {'src_net': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_profile(profile_id, rules) rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_profile(profile_id, rules) rule = {'src_ports': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected ports to be a list"): common.validate_profile(profile_id, rules) rule = {'dst_ports': [32, "nonsense"]} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid port"): common.validate_profile(profile_id, rules) rule = {'action': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid action"): common.validate_profile(profile_id, rules) rule = {'icmp_type': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is not an integer"): common.validate_profile(profile_id, rules) rule = {'icmp_type': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 22, 'icmp_code': "2"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is not an integer"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_code': 2} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code specified without ICMP type"): common.validate_profile(profile_id, rules)
def test_validate_rules(self): profile_id = "valid_name-ok." rules = {'inbound_rules': [], 'outbound_rules': []} common.validate_profile(profile_id, rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Expected profile 'valid_name-ok.' to " "be a dict"): common.validate_profile(profile_id, []) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_profile("a&b", rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_policy(TieredPolicyId("+123", "abc"), rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_policy(TieredPolicyId("abc", "+"), rules.copy()) # No rules. with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"): common.validate_profile(profile_id, {'inbound_rules': []}) with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"): common.validate_profile(profile_id, {'outbound_rules': []}) rules = {'inbound_rules': 3, 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected rules\[inbound_rules\] to be a list"): common.validate_profile(profile_id, rules.copy()) rule = "not a dict" rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule should be a dict"): common.validate_profile(profile_id, rules.copy()) rule = {'bad_key': ""} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule contains unknown keys"): common.validate_profile(profile_id, rules) rule = {'protocol': "bloop"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol bloop in rule " "{'protocol': 'bloop'}"): common.validate_profile(profile_id, rules) rule = {'ip_version': 5} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid ip_version in rule"): common.validate_profile(profile_id, rules) rule = {'ip_version': 4, 'protocol': "icmpv6"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmpv6 with IPv4"): common.validate_profile(profile_id, rules) rule = {'ip_version': 6, 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"): common.validate_profile(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_profile(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "123"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_profile(profile_id, rules) rule = {'protocol': "256"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 256 in rule"): common.validate_profile(profile_id, rules) rule = {'protocol': "0"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 0 in rule"): common.validate_profile(profile_id, rules) rule = {'src_tag': "a!b", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"): common.validate_profile(profile_id, rules) rule = {'dst_tag': "x,y", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"): common.validate_profile(profile_id, rules) rule = {'src_selector': "a!b"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_selector"): common.validate_profile(profile_id, rules) rule = {'dst_selector': "+b"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_selector"): common.validate_profile(profile_id, rules) rule = {'src_net': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_profile(profile_id, rules) rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_profile(profile_id, rules) rule = {'src_ports': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected ports to be a list"): common.validate_profile(profile_id, rules) rule = {'dst_ports': [32, "nonsense"]} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid port"): common.validate_profile(profile_id, rules) rule = {'action': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid action"): common.validate_profile(profile_id, rules) rule = {'icmp_type': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is not an integer"): common.validate_profile(profile_id, rules) rule = {'icmp_type': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 22, 'icmp_code': "2"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is not an integer"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_code': 2} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code specified without ICMP type"): common.validate_profile(profile_id, rules)