def assert_filter_denies(filter_name, headers, startLocation=None, soft=False):
    # type: (str, HeaderConstraints, str, bool) -> bool
    """
    Assert that the named ACL denies every flow matching ``headers``.

    The check searches for any flow that the filter *permits*; finding even
    one such flow means the assertion fails.

    :param filter_name: name of the ACL (filter) to examine
    :param headers: :py:class:`~pybatfish.datamodel.flow.HeaderConstraints`
        describing the flows that are expected to be denied
    :param startLocation: optional LocationSpec for where the flows originate
    :param soft: if True, a failure is reported as a warning instead of raised
    :return: True when no permitted flow was found
    """
    __tracebackhide__ = operator.methodcaller("errisinstance", BatfishAssertException)
    # Search for the opposite of what is asserted: permitted flows are violations.
    query_args = {"filters": filter_name, "headers": headers, "action": "permit"}
    if startLocation is not None:
        query_args["startLocation"] = startLocation
    permitted = bfq.searchFilters(**query_args).answer().frame()  # type: ignore
    if len(permitted) == 0:
        return True
    message = "Found a flow that was permitted, when expected to be denied\n{}".format(
        permitted.to_string())
    return _raise_common(message, soft)
def test_answer_fail(network):
    """A searchFilters query naming an undefined filter must raise BatfishException."""
    with pytest.raises(BatfishException) as excinfo:
        bfq.searchFilters(filters="undefined").answer().frame()
    # The service reports the bad filter name as an abnormally terminated work item.
    error_text = str(excinfo.value)
    assert "Work terminated abnormally" in error_text
name=CANDIDATE2_SNAPSHOT_NAME, overwrite=True) node_name = "eos-acl" filter_name = "acl_in" traffic1 = HeaderConstraints(srcIps="192.168.2.0/24", dstIps="192.168.1.4/32, 192.168.1.5/32", ipProtocols=["tcp"], dstPorts="80,8080") traffic2 = HeaderConstraints(srcIps="192.168.2.0/24", dstIps="192.168.1.0 \ (192.168.1.4, 192.168.1.5)", ipProtocols=["tcp"], dstPorts="80,8080") currentdeny = bfq.searchFilters( headers=traffic1, filters=filter_name, nodes=node_name, action="deny").answer(snapshot=CURRENT_SNAPSHOT_NAME) # No output indicates the traffic was permitted, i.e. find flows that match this search print(currentdeny.frame()) # testing the opposite case.. here we see that there is no traffic permitted that # isn't destined for those two hosts currentpermit = bfq.searchFilters( headers=traffic2, filters=filter_name, nodes=node_name, action="permit").answer(snapshot=CURRENT_SNAPSHOT_NAME) print(currentpermit.frame()) # pybatfish.client.asserts.assert_filter_denies(filters, headers, startLocation=None, soft=False, snapshot=None, session=None, df_format='table') answer2 = bfq.searchFilters( headers=traffic1, filters=filter_name, nodes=node_name, action="deny").answer(snapshot=CANDIDATE1_SNAPSHOT_NAME)
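result = bfq.nodeProperties().answer().frame()

# Raw-file URL for permit.json in the configured GitLab project and branch.
# NOTE(review): GITLAB_BRANCH is inserted unencoded; a branch name containing
# '/' would need percent-encoding before being used as the ?ref= value.
permit_url = (
    GITLAB_API_URL
    + "/projects/" + GITLAB_PROJECT_ID
    + "/repository/files/permit.json/raw?ref=" + GITLAB_BRANCH
)

# Constructed sample value; tune for the environment.  Without a timeout an
# unreachable GitLab would hang this check indefinitely.
PERMIT_FETCH_TIMEOUT_S = 30

resp = requests.get(permit_url, headers=tokenheader, timeout=PERMIT_FETCH_TIMEOUT_S)
# Fail fast on HTTP errors: otherwise a 401/404 error body would be handed to
# resp.json() and treated as the permit list.
resp.raise_for_status()
permits = resp.json()

print(f"ACL SNAPSHOT: {acl_snapshot}")
for p in permits["permit"]:
    headers = HeaderConstraints(dstIps=p["dstIps"],
                                ipProtocols=p["ipProtocols"],
                                dstPorts=p["dstPorts"])
    # Every entry in permit.json must have at least one permitted flow in the
    # snapshot; an empty answer means the ACLs block the expected traffic.
    answer2 = bfq.searchFilters(headers=headers,
                                action="permit").answer(snapshot=acl_snapshot)
    print("*********")
    if answer2.frame().empty:
        print(
            f"{bcolors.FAIL}*** Traffic is unable to reach {headers.dstIps}{bcolors.ENDC}"
        )
        exit(1)
    print(
        f"{bcolors.OKGREEN}*** Host {headers.dstIps} is reachable{bcolors.ENDC}"
    )
exit(0)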