def test_validate_rules_canon(self): rules = { "inbound_rules": [ {"protocol": "tcp", "ip_version": 4, "src_net": "10/8", "dst_net": "11.0/16", "src_ports": [10, "11:12"], "action": "allow", "log_prefix": "foo!@#$012345678901234567890123456789"}, {"action": "log"}, {"protocol": "tcp", "src_net": None}, ], "outbound_rules": [ {"protocol": "tcp", "ip_version": 6, "src_net": "2001:0::1/128", "dst_net": "2001:0::/64", "icmp_type": 7, "icmp_code": 10, "action": "deny"} ], } common.validate_profile("profile_id", rules) # Check IPs get made canonical. self.assertEqual(rules, { "inbound_rules": [ {"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8", "dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"], "action": "allow", "log_prefix": "foo____01234567890123456789"}, {"action": "log"}, {"protocol": "tcp"}, ], "outbound_rules": [ {"protocol": "tcp", "ip_version": 6, "src_net": "2001::1/128", "dst_net": "2001::/64", "icmp_type": 7, "icmp_code": 10, "action": "deny"} ], })
def test_validate_rules(self): profile_id = "valid_name-ok." rules = {'inbound_rules': [], 'outbound_rules': []} common.validate_profile(profile_id, rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Expected profile 'valid_name-ok.' to " "be a dict"): common.validate_profile(profile_id, []) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile ID"): common.validate_profile("a&b", rules.copy()) # No rules. prof = {} common.validate_profile("prof1", prof) self.assertEqual(prof, {"inbound_rules": [], "outbound_rules": []}) rules = {'inbound_rules': 3, 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Expected rules\[inbound_rules\] to be a list" ): common.validate_profile(profile_id, rules.copy()) rule = "not a dict" rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule should be a dict"): common.validate_profile(profile_id, rules.copy()) rule = {'bad_key': ""} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule contains unknown keys"): common.validate_profile(profile_id, rules) rule = {'protocol': "bloop"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol bloop in rule " "{'protocol': 'bloop'}"): common.validate_profile(profile_id, rules) rule = {'ip_version': 5} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid ip_version in rule"): common.validate_profile(profile_id, rules) rule = {'ip_version': 4, 'protocol': "icmpv6"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmpv6 with IPv4"): common.validate_profile(profile_id, rules) rule = {'ip_version': 6, 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"): common.validate_profile(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_profile(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "123"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_profile(profile_id, rules) rule = {'protocol': "256"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 256 in rule"): common.validate_profile(profile_id, rules) rule = {'protocol': "0"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 0 in rule"): common.validate_profile(profile_id, rules) rule = {'src_tag': "a!b", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"): common.validate_profile(profile_id, rules) rule = {'dst_tag': "x,y", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"): common.validate_profile(profile_id, rules) rule = {'src_selector': "a!b"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Calico/OpenStack is not expected to generate profiles " + "that use selectors" ): common.validate_profile(profile_id, rules) rule = {'dst_selector': "+b"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Calico/OpenStack is not expected to generate profiles " + "that use selectors" ): common.validate_profile(profile_id, rules) rule = {'src_net': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_profile(profile_id, rules) rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_profile(profile_id, rules) rule = {'src_ports': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected ports to be a list"): common.validate_profile(profile_id, rules) rule = {'dst_ports': [32, "nonsense"]} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid port"): common.validate_profile(profile_id, rules) rule = {'action': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid action"): common.validate_profile(profile_id, rules) rule = {'icmp_type': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is not an integer"): common.validate_profile(profile_id, rules) rule = {'icmp_type': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 22, 'icmp_code': "2"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is not an integer"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_profile(profile_id, rules) rule = {'icmp_code': 2} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code specified without ICMP type"): common.validate_profile(profile_id, rules) rule = {'log_prefix': []} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Log prefix should be a string"): common.validate_profile(profile_id, rules)