  def testExpiredTerm(self, mock_warn):
    """An expired term in the policy produces exactly one warning log call.

    ``mock_warn`` is the patched warning logger; the message is expected to
    carry the term name and the 'trust'>'untrust' policy pair.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM_1, self.naming)
    # The rendered output is irrelevant here; only the log side effect is.
    junipersrx.JuniperSRX(pol, EXP_INFO)

    expected_format = 'WARNING: Term %s in policy %s>%s is expired.'
    mock_warn.assert_called_once_with(
        expected_format, 'expired_test', 'trust', 'untrust')
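 def testLoggingBoth(self):
     """GOOD_TERM_5 renders both session-init and session-close logging."""
     pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn replaces the deprecated failUnless alias (removed in
     # Python 3.12) and already includes the container in its message.
     self.assertIn('session-init;', output)
     self.assertIn('session-close;', output)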
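    def testLargeTermSplittingV6(self):
        """A term over many IPv6 hosts is split into four filters.

        Every second /128 host out of two /119 networks is returned for
        FOOBAR and SOME_HOST; with GOOD_HEADER_2 and GOOD_TERM_14 the
        generator is expected to split the term into 4 filters.
        """

        def every_other_host(network):
            # Even-indexed /128 hosts only, the same selection the former
            # counter % 2 == 0 loop made.
            hosts = list(nacaddr.IP(network).iter_subnets(new_prefix=128))
            return [nacaddr.IP(ip) for ip in hosts[::2]]

        # mox records expectations in call order, so each lookup is recorded
        # right after its return value is built.
        mo_ips = every_other_host('2620:0:1000:3103:eca0:2c09:6b32:e000/119')
        self.naming.GetNetAddr('FOOBAR').AndReturn(mo_ips)

        prodcolos_ips = every_other_host(
            '2720:0:1000:3103:eca0:2c09:6b32:e000/119')
        self.naming.GetNetAddr('SOME_HOST').AndReturn(prodcolos_ips)
        self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
        self.mox.ReplayAll()
        pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
        srx = junipersrx.JuniperSRX(pol, EXP_INFO)
        self.assertEqual(len(srx.policy.filters[0][1]), 4)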
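 def testOwnerTerm(self):
     """OWNER_TERM renders its owner inside a /* Owner: ... */ comment."""
     pol = policy.ParsePolicy(GOOD_HEADER + OWNER_TERM, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # NOTE(review): the owner address below reads like a redacted value;
     # confirm it matches the owner declared in OWNER_TERM.
     expected_comment = ('            /*\n'
                         '            Owner: [email protected]\n'
                         '            */')
     # assertIn replaces the deprecated failUnless alias (removed in 3.12).
     self.assertIn(expected_comment, output)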
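 def testBuildTokens(self):
   """_BuildTokens reports the module's supported tokens and sub-tokens."""
   self.naming.GetServiceByProto.side_effect = [['25'], ['26']]
   pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2, self.naming)
   srx = junipersrx.JuniperSRX(pol, EXP_INFO)
   tokens, sub_tokens = srx._BuildTokens()
   # assertEqual: the assertEquals alias is deprecated and removed in 3.12.
   self.assertEqual(tokens, SUPPORTED_TOKENS)
   self.assertEqual(sub_tokens, SUPPORTED_SUB_TOKENS)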
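  def testOptimizedGlobalAddressBook(self):
    """Adjacent /16s are summarised in the rendered global address book.

    FOOBAR is given 172.16-19 and 172.22-31 (/16 each); SOME_HOST is given
    172.20-21 (/16) plus 10.0.0.0/8.  The assertions expect FOOBAR to
    appear as 172.16.0.0/12, SOME_HOST as 10.0.0.0/8 and 172.20.0.0/15,
    and no /16 entry to survive.
    """
    # 172.16.0.0/16 .. 172.19.0.0/16 and 172.22.0.0/16 .. 172.31.0.0/16
    foobar_octets = list(range(16, 20)) + list(range(22, 32))
    foobar_ips = [nacaddr.IP('172.%d.0.0/16' % octet, token='FOOBAR')
                  for octet in foobar_octets]
    some_host_ips = [nacaddr.IP('172.20.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('172.21.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('10.0.0.0/8', token='SOME_HOST')]

    # side_effect order assumes FOOBAR is resolved first and SOME_HOST
    # twice afterwards (once per term) — verify against the term fixtures.
    self.naming.GetNetAddr.side_effect = [foobar_ips, some_host_ips,
                                          some_host_ips]
    self.naming.GetServiceByProto.return_value = ['25']

    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17 + GOOD_HEADER_2 +
                             GOOD_TERM_15, self.naming)
    srx = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn/assertNotIn replace the failUnless alias (removed in 3.12).
    self.assertIn('address FOOBAR_0 172.16.0.0/12', srx)
    self.assertIn('address SOME_HOST_0 10.0.0.0/8;', srx)
    self.assertIn('address SOME_HOST_1 172.20.0.0/15;', srx)
    self.assertNotIn('/16', srx)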
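 def testGlobalPolicyHeader(self):
     """GOOD_HEADER_10 emits two 'global {' blocks and no all/all zone pair."""
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER_10 + MULTIPLE_PROTOCOLS_TERM,
                              self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     self.assertEqual(output.count('global {'), 2)
     # assertNotIn names the offending substring on failure, unlike
     # assertFalse on a bare membership test.
     self.assertNotIn('from-zone all to-zone all {', output)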
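 def testDefaultDeny(self):
     """DEFAULT_TERM_1 renders a 'deny;' action."""
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # failUnless is a deprecated alias (removed in Python 3.12).
     self.assertIn('deny;', output)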
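    def testLargeTermSplitIgnoreV6(self):
        """The large IPv6 term yields a single filter under GOOD_HEADER_3.

        GOOD_HEADER_3 (which, per the test name, ignores IPv6) is paired
        with GOOD_TERM_14; the networks are every second IPv6 host of two
        /119s plus one IPv4 host, and exactly one filter is expected.
        """
        v6_hosts = list(
            nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119')
            .iter_subnets(new_prefix=128))
        # Even-indexed hosts only, as the former counter % 2 == 0 loop did.
        mo_ips = [nacaddr.IP(ip) for ip in v6_hosts[::2]]

        ips = list(
            nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119')
            .iter_subnets(new_prefix=128))
        # A /119 yields 512 hosts, so the appended v4 host lands on an even
        # index and survives the [::2] selection.
        ips.append(nacaddr.IPv4('10.0.0.1/32'))
        prodcolos_ips = [nacaddr.IP(ip) for ip in ips[::2]]

        self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]
        self.naming.GetServiceByProto.return_value = ['25']

        pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_14, self.naming)
        srx = junipersrx.JuniperSRX(pol, EXP_INFO)
        self.assertEqual(len(srx.policy.filters[0][1]), 1)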
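    def testLargeTermSplittingV6(self):
        """A term over many IPv6 hosts is split into four filters.

        Every second /128 host out of two /119 networks is returned for the
        two lookups; with GOOD_HEADER_2 and GOOD_TERM_14 the generator is
        expected to produce 4 filters, and each naming lookup to happen
        exactly once.
        """

        def every_other_host(network):
            # Even-indexed /128 hosts only, the same selection the former
            # counter % 2 == 0 loop made.
            hosts = list(nacaddr.IP(network).iter_subnets(new_prefix=128))
            return [nacaddr.IP(ip) for ip in hosts[::2]]

        mo_ips = every_other_host('2620:0:1000:3103:eca0:2c09:6b32:e000/119')
        prodcolos_ips = every_other_host(
            '2720:0:1000:3103:eca0:2c09:6b32:e000/119')

        self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]
        self.naming.GetServiceByProto.return_value = ['25']

        pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
        srx = junipersrx.JuniperSRX(pol, EXP_INFO)
        self.assertEqual(len(srx.policy.filters[0][1]), 4)

        self.naming.GetNetAddr.assert_has_calls(
            [mock.call('FOOBAR'), mock.call('SOME_HOST')])
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')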
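  def testDscpWithByte(self):
    """GOOD_TERM_10 renders its DSCP value in 'b111000' binary form."""
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # failUnless is a deprecated alias (removed in Python 3.12).
    self.assertIn('dscp b111000;', output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')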
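 def testVpnWithoutPolicy(self):
     """GOOD_TERM_3 renders the 'ipsec-vpn good-vpn-3;' statement.

     This is the 'without policy' VPN case, per the test name.
     """
     self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # failUnless is a deprecated alias (removed in Python 3.12).
     self.assertIn('ipsec-vpn good-vpn-3;', output)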
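 def testMixedVersionIcmp(self):
     """ICMP and ICMPv6 terms each render under their own protocol."""
     pol = policy.ParsePolicy(
         GOOD_HEADER + ICMP_TYPE_TERM_1 + IPV6_ICMP_TERM, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn reports the container on failure; the former failUnless
     # calls (deprecated alias, removed in 3.12) carried no message at all.
     self.assertIn('term t6 protocol icmp6 icmp-type 129 '
                   'inactivity-timeout 60;', output)
     self.assertIn('term t1 protocol icmp icmp-type 0 '
                   'inactivity-timeout 60;', output)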
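 def testDscpWithByte(self):
     """GOOD_TERM_10 renders its DSCP value in 'b111000' binary form."""
     self.naming.GetNetAddr('SOME_HOST').AndReturn(
         [nacaddr.IP('10.0.0.0/8')])
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # failUnless is a deprecated alias (removed in Python 3.12).
     self.assertIn('dscp b111000;', output)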
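 def testIcmpTypes(self):
   """ICMP_TYPE_TERM_1 renders an application with one term per ICMP type."""
   pol = policy.ParsePolicy(GOOD_HEADER + ICMP_TYPE_TERM_1, self.naming)
   output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
   # assertIn replaces the deprecated failUnless alias (removed in 3.12).
   self.assertIn('application test-icmp-app;', output)
   self.assertIn('application test-icmp-app {', output)
   self.assertIn(
       'term t1 protocol icmp icmp-type 0 inactivity-timeout 60', output)
   self.assertIn(
       'term t2 protocol icmp icmp-type 8 inactivity-timeout 60', output)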
 def testExpiredTerm(self):
     """Rendering an expired term warns through junipersrx.logging.warn."""
     logger = junipersrx.logging
     self.mox.StubOutWithMock(logger, 'warn')
     # Record the expected warning so replay fails if it is never emitted.
     logger.warn('WARNING: Term %s in policy %s>%s is expired.',
                 'expired_test', 'trust', 'untrust')
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM_1, self.naming)
     # Only the logging side effect matters; the generator is discarded.
     junipersrx.JuniperSRX(pol, EXP_INFO)
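 def testReplaceStatement(self):
     """The output carries 'replace:' for address-book, policies, applications."""
     self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
     self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn replaces the deprecated failUnless alias (removed in 3.12).
     for section in ('address-book', 'policies', 'applications'):
         self.assertIn('replace: %s' % section, output)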
    def testAddressBookOrderingAlreadyOrdered(self):
        """An address book built from pre-ordered addresses stays ordered."""
        # _OutOfOrderAddresses returns (y, x); the test name suggests that
        # [x, y] is the already-ordered arrangement — confirm against it.
        second, first = self._OutOfOrderAddresses()
        self.naming.GetNetAddr('SOME_HOST').AndReturn([first, second])
        self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
        self.mox.ReplayAll()
        pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_2, self.naming)
        srx = junipersrx.JuniperSRX(pol, EXP_INFO)

        self._FailIfUnorderedAddressBook(srx._GenerateAddressBook())
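  def testVpnWithoutPolicy(self):
    """GOOD_TERM_3 renders the 'ipsec-vpn good-vpn-3;' statement.

    This is the 'without policy' VPN case, per the test name; SOME_HOST is
    expected to be resolved exactly once.
    """
    self.naming.GetNetAddr.return_value = _IPSET

    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # failUnless is a deprecated alias (removed in Python 3.12).
    self.assertIn('ipsec-vpn good-vpn-3;', output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')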
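 def testTermAndFilterName(self):
     """GOOD_TERM_1 is rendered as a policy named after the term."""
     self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
     self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # failUnless is a deprecated alias (removed in Python 3.12).
     self.assertIn('policy good-term-1 {', output)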
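 def testZoneAdressBookIPv6(self):
     """GOOD_HEADER_8 yields a zone address book holding only the IPv6 net.

     _IPSET is expected to contribute 2001:4860:8000::/33 to the untrust
     zone's address book while 10.0.0.0/8 is left out.
     """
     self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
     self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER_8 + GOOD_TERM_1, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn/assertNotIn replace the failUnless alias (removed in 3.12).
     self.assertIn('security-zone untrust {', output)
     self.assertIn('replace: address-book {', output)
     self.assertIn('2001:4860:8000::/33', output)
     self.assertNotIn('10.0.0.0/8', output)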
    def testExpiringTerm(self, mock_info):
        """A term expiring EXP_INFO weeks from today triggers one info log.

        ``mock_info`` is the patched info logger; the expected message
        names the term and the 'trust'>'untrust' policy pair.
        """
        expires_on = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
        term_text = EXPIRING_TERM % expires_on.strftime('%Y-%m-%d')
        pol = policy.ParsePolicy(GOOD_HEADER + term_text, self.naming)
        # Only the logging side effect matters; the generator is discarded.
        junipersrx.JuniperSRX(pol, EXP_INFO)

        mock_info.assert_called_once_with(
            'INFO: Term %s in policy %s>%s expires in '
            'less than two weeks.', 'is_expiring', 'trust', 'untrust')
    def testAddressBookOrderingSuccess(self):
        """Out-of-order addresses come back ordered from _GenerateAddressBook."""
        naming = self.naming
        naming.GetNetAddr.return_value = self._OutOfOrderAddresses()
        naming.GetServiceByProto.return_value = ['25']

        srx = junipersrx.JuniperSRX(
            policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_2, naming), EXP_INFO)
        self._FailIfUnorderedAddressBook(srx._GenerateAddressBook())

        # Each naming lookup is expected exactly once.
        naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
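 def testDscpWithClass(self):
     """GOOD_TERM_11 renders dscp class names, ranges and dscp-except."""
     self.naming.GetNetAddr('SOME_HOST').AndReturn(
         [nacaddr.IP('10.0.0.0/8')])
     self.mox.ReplayAll()
     pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn replaces the deprecated failUnless alias (removed in 3.12).
     self.assertIn('dscp af42;', output)
     self.assertIn('dscp [ af41-af42 5 ];', output)
     self.assertIn('dscp-except [ be ];', output)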
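  def testTermAndFilterName(self):
    """GOOD_TERM_1 is rendered as a policy named after the term.

    Both naming lookups are expected to happen exactly once.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']

    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # failUnless is a deprecated alias (removed in Python 3.12).
    self.assertIn('policy good-term-1 {', output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')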
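  def testDscpWithClass(self):
    """GOOD_TERM_11 renders dscp class names, ranges and dscp-except."""
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]

    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the deprecated failUnless alias (removed in 3.12).
    self.assertIn('dscp af42;', output)
    self.assertIn('dscp [ af41-af42 5 ];', output)
    self.assertIn('dscp-except [ be ];', output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')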
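    def testReplaceStatement(self):
        """The output carries 'replace:' for address-book, policies, applications.

        Both naming lookups are expected to happen exactly once.
        """
        self.naming.GetNetAddr.return_value = _IPSET
        self.naming.GetServiceByProto.return_value = ['25']

        pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
        output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
        # assertIn replaces the deprecated failUnless alias (removed in 3.12).
        for section in ('address-book', 'policies', 'applications'):
            self.assertIn('replace: %s' % section, output)

        self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')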
 def testExpiringTerm(self):
     """A term expiring EXP_INFO weeks out is reported via logging.info."""
     logger = junipersrx.logging
     self.mox.StubOutWithMock(logger, 'info')
     # Record the expected notice so replay fails if it is never emitted.
     logger.info(
         'INFO: Term %s in policy %s>%s expires in '
         'less than two weeks.', 'is_expiring', 'trust', 'untrust')
     self.mox.ReplayAll()
     expires_on = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
     term_text = EXPIRING_TERM % expires_on.strftime('%Y-%m-%d')
     # Only the logging side effect matters; the generator is discarded.
     junipersrx.JuniperSRX(
         policy.ParsePolicy(GOOD_HEADER + term_text, self.naming), EXP_INFO)
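    def testZoneAdressBookIPv6(self):
        """GOOD_HEADER_8 yields a zone address book holding only the IPv6 net.

        _IPSET is expected to contribute 2001:4860:8000::/33 to the untrust
        zone's address book while 10.0.0.0/8 is left out; both naming
        lookups are expected exactly once.
        """
        self.naming.GetNetAddr.return_value = _IPSET
        self.naming.GetServiceByProto.return_value = ['25']

        pol = policy.ParsePolicy(GOOD_HEADER_8 + GOOD_TERM_1, self.naming)
        output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
        # assertIn/assertNotIn replace the failUnless alias (removed in 3.12).
        self.assertIn('security-zone untrust {', output)
        self.assertIn('replace: address-book {', output)
        self.assertIn('2001:4860:8000::/33', output)
        self.assertNotIn('10.0.0.0/8', output)

        self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')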
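 def testMultipleProtocolGrouping(self):
   """A multi-protocol term renders as an application-set of per-protocol apps."""
   pol = policy.ParsePolicy(GOOD_HEADER + MULTIPLE_PROTOCOLS_TERM, self.naming)
   output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
   # assertIn replaces the deprecated failUnless alias (removed in 3.12)
   # and names the missing fragment on failure.
   self.assertIn('application-set multi-proto-app {', output)
   for suffix in ('1', '2', '3'):
     self.assertIn('application multi-proto-app%s;' % suffix, output)
   # Each member application declares its own protocol term.
   for app_name, term in (('multi-proto-app1', 'term t1 protocol tcp;'),
                          ('multi-proto-app2', 'term t2 protocol udp;'),
                          ('multi-proto-app3', 'term t3 protocol icmp;')):
     self.assertIn('application %s {' % app_name, output)
     self.assertIn(term, output)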