def testExpiringTerm(self, mock_info):
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
_ = juniper.Juniper(
policy.ParsePolicy(
GOOD_HEADER + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
mock_info.assert_called_once_with(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is_expiring', 'test-filter')
def testMultiplePrecedence(self):
self.naming.GetServiceByProto.return_value = ['22']
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_16, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('precedence [ 5 7 ];' in output, output)
self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
def testArbitraryOptions(self):
self.naming.GetServiceByProto.return_value = ['22']
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + OPTION_TERM_1, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('is-fragment;' in output, output)
self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
def testSimplifiedThenStatementWithSingleActionDiscardIPv6(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER_V6 + GOOD_TERM_26_V6
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn('then discard;', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testTcpEstablished(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + ESTABLISHED_TERM_1
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn('tcp-established', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testNextIp(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn(('next-ip 10.1.1.1/32'), output)
self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testDscpByte(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + GOOD_TERM_22
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn('dscp b111000;', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testBridgeFilterInetType(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('127.0.0.1'), nacaddr.IPv6('::1/128')]
jcl = juniper.Juniper(policy.ParsePolicy(
GOOD_HEADER_BRIDGE + GOOD_TERM_12, self.naming), EXP_INFO)
output = str(jcl)
self.failIf('::1/128' in output, output)
self.naming.GetNetAddr.assert_called_once_with('LOCALHOST')
def testPrecedence(self):
self.naming.GetServiceByProto.return_value = ['22']
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_15, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn('precedence 7;', output, output)
self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
def testNonTcpWithTcpEstablished(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + BAD_TERM_1
pol_obj = policy.ParsePolicy(policy_text, self.naming)
jcl = juniper.Juniper(pol_obj, EXP_INFO)
self.assertRaises(juniper.TcpEstablishedWithNonTcp, str, jcl)
self.naming.GetServiceByProto.assert_has_calls([
mock.call('DNS', 'tcp'), mock.call('DNS', 'udp')])
def testSimplifiedThenStatementWithSingleAction(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + GOOD_TERM_25
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('then accept;' in output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testPrefixListMixed(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_31,
self.naming), EXP_INFO)
spfx_re = re.compile('source-prefix-list {\W+foo_prefix;\W+'
'foo_except except;\W+}')
dpfx_re = re.compile('destination-prefix-list {\W+bar_prefix;\W+'
'bar_except except;\W+}')
output = str(jcl)
self.failUnless(spfx_re.search(output), output)
self.failUnless(dpfx_re.search(output), output)
def testNextIpv6(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/128')]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless(('next-ip6 2001::/128;') in output)
self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testIcmpv6InetMismatch(self, mock_debug):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + BAD_ICMPTYPE_TERM_1,
self.naming), EXP_INFO)
# output happens in __str_
str(jcl)
mock_debug.assert_called_once_with(
'Term icmptype-mismatch will not be rendered,'
' as it has [u\'icmpv6\'] match specified but '
'the ACL is of inet address family.')
def testSimplifiedThenStatement(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + GOOD_TERM_24
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn('forwarding-class af1', output, output)
self.assertIn('accept', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testPrefixListExcept(self):
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_30, self.naming),
EXP_INFO)
spfx_re = re.compile(
r'source-prefix-list {\W+foo_prefix_list except;\W+}')
dpfx_re = re.compile(
r'destination-prefix-list {\W+bar_prefix_list except;\W+}')
output = str(jcl)
self.assertTrue(spfx_re.search(output), output)
self.assertTrue(dpfx_re.search(output), output)
def testInterfaceSpecificHeader(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
output = str(jcl)
self.assertIn('interface-specific;', output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testDsmoJuniperFriendly(self):
addr_list = [nacaddr.IP('192.168.%d.0/24' % octet) for octet in range(256)]
self.naming.GetNetAddr.return_value = addr_list
self.naming.GetServiceByProto.return_value = ['25']
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
self.assertIn('192.168.0.0/16;', str(jcl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testBuildTokens(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IP('10.1.1.1/26', strict=False)
]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
st, sst = jcl._BuildTokens()
self.assertEqual(st, SUPPORTED_TOKENS)
self.assertEqual(sst, SUPPORTED_SUB_TOKENS)
def testFailNextIpNetworkIP(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IP('10.1.1.1/26', strict=False)
]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
self.assertRaises(juniper.JuniperNextIpError, str, jcl)
self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testNextIpFormat(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless((' then {\n'
' next-ip 10.1.1.1/32;\n'
' }') in output)
self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testDscpClass(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER + GOOD_TERM_23
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.assertIn('dscp af42;', output, output)
self.assertIn('dscp [ af41-af42 5 ];', output, output)
self.assertIn('dscp-except [ be ];', output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testInet6(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/33')]
self.naming.GetServiceByProto.return_value = ['25']
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_1_V6,
self.naming), EXP_INFO)
output = str(jcl)
self.assertTrue('next-header icmpv6;' in output and
'next-header tcp;' in output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testIcmpType(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3,
self.naming), EXP_INFO)
output = str(jcl)
# verify proper translation from policy icmp-type text to juniper-esque
self.assertIn(' icmp-type [', output, output)
self.assertIn(' 0 ', output, output)
self.assertIn(' 15 ', output, output)
self.assertIn(' 10 ', output, output)
self.assertIn(' 13 ', output, output)
self.assertIn(' 16 ', output, output)
self.assertIn('];', output, output)
def testBridgeFilterType(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_1,
self.naming), EXP_INFO)
output = str(jcl)
self.assertIn('ip-protocol tcp;', output, output)
self.assertNotIn(' destination-address {', output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testTermAndFilterName(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
output = str(jcl)
self.assertIn('term good-term-1 {', output, output)
self.assertIn('replace: filter test-filter {', output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testFlexibleMatchIPv6(self):
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_FLEX_MATCH_TERM,
self.naming), EXP_INFO)
output = str(jcl)
flexible_match_expected = [
'flexible-match-range {', 'bit-length 8;', 'range 0x08;',
'match-start payload;', 'byte-offset 16;', 'bit-offset 7;'
]
self.assertEqual(all([x in output for x in flexible_match_expected]),
True)
def testDscpIPv6(self):
self.naming.GetServiceByProto.return_value = ['53']
policy_text = GOOD_HEADER_V6 + GOOD_TERM_23
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('traffic-class af42;' in output, output)
self.failUnless('traffic-class [ af41-af42 5 ];' in output, output)
self.failUnless('traffic-class-except [ be ];' in output, output)
self.failIf('dscp' in output, output)
self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')
def testLongPolicer(self):
with mock.patch.object(juniper.logging, 'warn', spec=logging.warn) as warn:
policy_text = GOOD_HEADER + LONG_POLICER_TERM_1
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
_ = str(jcl)
warn.assert_called_with('WARNING: %s is longer than %d bytes. Due to'
' limitation in JUNOS, OIDs longer than %dB'
' can cause SNMP timeout issues.', 'this-is-very'
'-very-very-very-very-very-very-very-very-very'
'-very-very-very-very-very-very-very-very-very'
'-very-very-very-very-very-very-very-very-very'
'-very-very-long', 128, 128)
def testOptions(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['80']
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2,
self.naming), EXP_INFO)
output = str(jcl)
self.assertIn('destination-port 1024-65535;', output, output)
# Verify that tcp-established; doesn't get duplicated if both 'established'
# and 'tcp-established' options are included in term
self.assertEqual(output.count('tcp-established;'), 1)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')