예제 #1
0
    def testExpiringTerm(self, mock_info):
        exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
        _ = juniper.Juniper(
            policy.ParsePolicy(
                GOOD_HEADER + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'),
                self.naming), EXP_INFO)

        mock_info.assert_called_once_with(
            'INFO: Term %s in policy %s expires in '
            'less than two weeks.', 'is_expiring', 'test-filter')
예제 #2
0
    def testMultiplePrecedence(self):
        self.naming.GetServiceByProto.return_value = ['22']

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_16, self.naming),
            EXP_INFO)
        output = str(jcl)
        self.failUnless('precedence [ 5 7 ];' in output, output)

        self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
예제 #3
0
    def testArbitraryOptions(self):
        self.naming.GetServiceByProto.return_value = ['22']

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + OPTION_TERM_1, self.naming),
            EXP_INFO)
        output = str(jcl)
        self.failUnless('is-fragment;' in output, output)

        self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
예제 #4
0
    def testSimplifiedThenStatementWithSingleActionDiscardIPv6(self):
        self.naming.GetServiceByProto.return_value = ['53']

        policy_text = GOOD_HEADER_V6 + GOOD_TERM_26_V6
        jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                              EXP_INFO)
        output = str(jcl)
        self.assertIn('then discard;', output, output)

        self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #5
0
    def testTcpEstablished(self):
        self.naming.GetServiceByProto.return_value = ['53']

        policy_text = GOOD_HEADER + ESTABLISHED_TERM_1
        jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                              EXP_INFO)
        output = str(jcl)
        self.assertIn('tcp-established', output, output)

        self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #6
0
    def testNextIp(self):
        self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
            EXP_INFO)
        output = str(jcl)
        self.assertIn(('next-ip 10.1.1.1/32'), output)

        self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
예제 #7
0
    def testDscpByte(self):
        self.naming.GetServiceByProto.return_value = ['53']

        policy_text = GOOD_HEADER + GOOD_TERM_22
        jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                              EXP_INFO)
        output = str(jcl)
        self.assertIn('dscp b111000;', output, output)

        self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #8
0
  def testBridgeFilterInetType(self):
    self.naming.GetNetAddr.return_value = [
            nacaddr.IPv4('127.0.0.1'), nacaddr.IPv6('::1/128')]

    jcl = juniper.Juniper(policy.ParsePolicy(
        GOOD_HEADER_BRIDGE + GOOD_TERM_12, self.naming), EXP_INFO)
    output = str(jcl)
    self.failIf('::1/128' in output, output)

    self.naming.GetNetAddr.assert_called_once_with('LOCALHOST')
예제 #9
0
    def testPrecedence(self):
        self.naming.GetServiceByProto.return_value = ['22']

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_15, self.naming),
            EXP_INFO)
        output = str(jcl)
        self.assertIn('precedence 7;', output, output)

        self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
예제 #10
0
  def testNonTcpWithTcpEstablished(self):
    self.naming.GetServiceByProto.return_value = ['53']

    policy_text = GOOD_HEADER + BAD_TERM_1
    pol_obj = policy.ParsePolicy(policy_text, self.naming)
    jcl = juniper.Juniper(pol_obj, EXP_INFO)
    self.assertRaises(juniper.TcpEstablishedWithNonTcp, str, jcl)

    self.naming.GetServiceByProto.assert_has_calls([
        mock.call('DNS', 'tcp'), mock.call('DNS', 'udp')])
예제 #11
0
  def testSimplifiedThenStatementWithSingleAction(self):
    self.naming.GetServiceByProto.return_value = ['53']

    policy_text = GOOD_HEADER + GOOD_TERM_25
    jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                          EXP_INFO)
    output = str(jcl)
    self.failUnless('then accept;' in output, output)

    self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #12
0
 def testPrefixListMixed(self):
   jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_31,
                                            self.naming), EXP_INFO)
   spfx_re = re.compile('source-prefix-list {\W+foo_prefix;\W+'
                        'foo_except except;\W+}')
   dpfx_re = re.compile('destination-prefix-list {\W+bar_prefix;\W+'
                        'bar_except except;\W+}')
   output = str(jcl)
   self.failUnless(spfx_re.search(output), output)
   self.failUnless(dpfx_re.search(output), output)
예제 #13
0
    def testNextIpv6(self):
        self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/128')]

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
            EXP_INFO)
        output = str(jcl)
        self.failUnless(('next-ip6 2001::/128;') in output)

        self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
예제 #14
0
  def testIcmpv6InetMismatch(self, mock_debug):
    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + BAD_ICMPTYPE_TERM_1,
                                             self.naming), EXP_INFO)
    # output happens in __str_
    str(jcl)

    mock_debug.assert_called_once_with(
        'Term icmptype-mismatch will not be rendered,'
        ' as it has [u\'icmpv6\'] match specified but '
        'the ACL is of inet address family.')
예제 #15
0
  def testSimplifiedThenStatement(self):
    self.naming.GetServiceByProto.return_value = ['53']

    policy_text = GOOD_HEADER + GOOD_TERM_24
    jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                          EXP_INFO)
    output = str(jcl)
    self.assertIn('forwarding-class af1', output, output)
    self.assertIn('accept', output, output)

    self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #16
0
 def testPrefixListExcept(self):
     jcl = juniper.Juniper(
         policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_30, self.naming),
         EXP_INFO)
     spfx_re = re.compile(
         r'source-prefix-list {\W+foo_prefix_list except;\W+}')
     dpfx_re = re.compile(
         r'destination-prefix-list {\W+bar_prefix_list except;\W+}')
     output = str(jcl)
     self.assertTrue(spfx_re.search(output), output)
     self.assertTrue(dpfx_re.search(output), output)
예제 #17
0
  def testInterfaceSpecificHeader(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    self.naming.GetServiceByProto.return_value = ['25']

    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1,
                                             self.naming), EXP_INFO)
    output = str(jcl)
    self.assertIn('interface-specific;', output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
예제 #18
0
  def testDsmoJuniperFriendly(self):
    addr_list = [nacaddr.IP('192.168.%d.0/24' % octet) for octet in range(256)]
    self.naming.GetNetAddr.return_value = addr_list
    self.naming.GetServiceByProto.return_value = ['25']

    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_1,
                                             self.naming), EXP_INFO)
    self.assertIn('192.168.0.0/16;', str(jcl))

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
예제 #19
0
    def testBuildTokens(self):
        self.naming.GetNetAddr.return_value = [
            nacaddr.IP('10.1.1.1/26', strict=False)
        ]

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
            EXP_INFO)
        st, sst = jcl._BuildTokens()
        self.assertEqual(st, SUPPORTED_TOKENS)
        self.assertEqual(sst, SUPPORTED_SUB_TOKENS)
예제 #20
0
    def testFailNextIpNetworkIP(self):
        self.naming.GetNetAddr.return_value = [
            nacaddr.IP('10.1.1.1/26', strict=False)
        ]

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
            EXP_INFO)
        self.assertRaises(juniper.JuniperNextIpError, str, jcl)

        self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
예제 #21
0
    def testNextIpFormat(self):
        self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]

        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
            EXP_INFO)
        output = str(jcl)
        self.failUnless(('                then {\n'
                         '                    next-ip 10.1.1.1/32;\n'
                         '                }') in output)

        self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
예제 #22
0
  def testDscpClass(self):
    self.naming.GetServiceByProto.return_value = ['53']

    policy_text = GOOD_HEADER + GOOD_TERM_23
    jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                          EXP_INFO)
    output = str(jcl)
    self.assertIn('dscp af42;', output, output)
    self.assertIn('dscp [ af41-af42 5 ];', output, output)
    self.assertIn('dscp-except [ be ];', output, output)

    self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #23
0
  def testInet6(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/33')]
    self.naming.GetServiceByProto.return_value = ['25']

    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_1_V6,
                                             self.naming), EXP_INFO)
    output = str(jcl)
    self.assertTrue('next-header icmpv6;' in output and
                    'next-header tcp;' in output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
예제 #24
0
 def testIcmpType(self):
   jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3,
                                            self.naming), EXP_INFO)
   output = str(jcl)
   # verify proper translation from policy icmp-type text to juniper-esque
   self.assertIn(' icmp-type [', output, output)
   self.assertIn(' 0 ', output, output)
   self.assertIn(' 15 ', output, output)
   self.assertIn(' 10 ', output, output)
   self.assertIn(' 13 ', output, output)
   self.assertIn(' 16 ', output, output)
   self.assertIn('];', output, output)
예제 #25
0
  def testBridgeFilterType(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    self.naming.GetServiceByProto.return_value = ['25']

    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_1,
                                             self.naming), EXP_INFO)
    output = str(jcl)
    self.assertIn('ip-protocol tcp;', output, output)
    self.assertNotIn(' destination-address {', output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
예제 #26
0
  def testTermAndFilterName(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    self.naming.GetServiceByProto.return_value = ['25']

    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1,
                                             self.naming), EXP_INFO)
    output = str(jcl)
    self.assertIn('term good-term-1 {', output, output)
    self.assertIn('replace: filter test-filter {', output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
예제 #27
0
    def testFlexibleMatchIPv6(self):
        jcl = juniper.Juniper(
            policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_FLEX_MATCH_TERM,
                               self.naming), EXP_INFO)
        output = str(jcl)

        flexible_match_expected = [
            'flexible-match-range {', 'bit-length 8;', 'range 0x08;',
            'match-start payload;', 'byte-offset 16;', 'bit-offset 7;'
        ]

        self.assertEqual(all([x in output for x in flexible_match_expected]),
                         True)
예제 #28
0
    def testDscpIPv6(self):
        self.naming.GetServiceByProto.return_value = ['53']

        policy_text = GOOD_HEADER_V6 + GOOD_TERM_23
        jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                              EXP_INFO)
        output = str(jcl)
        self.failUnless('traffic-class af42;' in output, output)
        self.failUnless('traffic-class [ af41-af42 5 ];' in output, output)
        self.failUnless('traffic-class-except [ be ];' in output, output)
        self.failIf('dscp' in output, output)

        self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
예제 #29
0
 def testLongPolicer(self):
   with mock.patch.object(juniper.logging, 'warn', spec=logging.warn) as warn:
     policy_text = GOOD_HEADER + LONG_POLICER_TERM_1
     jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
                           EXP_INFO)
     _ = str(jcl)
     warn.assert_called_with('WARNING: %s is longer than %d bytes. Due to'
                             ' limitation in JUNOS, OIDs longer than %dB'
                             ' can cause SNMP timeout issues.', 'this-is-very'
                             '-very-very-very-very-very-very-very-very-very'
                             '-very-very-very-very-very-very-very-very-very'
                             '-very-very-very-very-very-very-very-very-very'
                             '-very-very-long', 128, 128)
예제 #30
0
  def testOptions(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    self.naming.GetServiceByProto.return_value = ['80']

    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2,
                                             self.naming), EXP_INFO)
    output = str(jcl)
    self.assertIn('destination-port 1024-65535;', output, output)
    # Verify that tcp-established; doesn't get duplicated if both 'established'
    # and 'tcp-established' options are included in term
    self.assertEqual(output.count('tcp-established;'), 1)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')