def testTCPServiceGroup(self):
tcp = TCPService.create('api-tcp', 5000)
self.assertTrue(tcp.href.startswith('http'))
tcp2 = TCPService.create('api-tcp2', 5001)
self.assertTrue(tcp2.href.startswith('http'))
result = TCPServiceGroup.create('api-tcpservicegroup',
members=[tcp.href, tcp2.href])
self.assertTrue(result.href.startswith('http'))
group = TCPServiceGroup('api-tcpservicegroup')
self.assertIn(tcp.href, group.element)
self.assertIn(tcp2.href, group.element)
group.delete()
tcp.delete()
tcp2.delete()
def testTCPService(self):
result = TCPService.create('api-tcpservice',
5000,
5005,
comment='blahcomment')
self.assertTrue(result.href.startswith('http'))
service = TCPService('api-tcpservice')
self.assertEqual(service.min_dst_port, 5000)
self.assertEqual(service.max_dst_port, 5005)
service.delete()
def testServiceGroup(self):
""" Test service group creation """
result = TCPService.create('api-tcp', 5000)
self.assertTrue(result.href.startswith('http'))
result = UDPService.create('api-udp', 5001)
self.assertTrue(result.href.startswith('http'))
tcp = TCPService('api-tcp')
udp = UDPService('api-udp')
result = ServiceGroup.create('api-servicegroup',
members=[tcp.href, udp.href],
comment='test')
self.assertTrue(result.href.startswith('http'))
group = ServiceGroup('api-servicegroup')
# Href in service group
self.assertIn(tcp.href, group.element)
self.assertIn(udp.href, group.element)
group.delete()
tcp.delete()
udp.delete()
def add_policy(self):
"""
If a client AMI was specified when building a new VPC, this will add
rules to allow inbound access to the AMI. This could be extended to
more generically support VPN rules.
"""
if not self.firewall_policy:
self.firewall_policy = 'AWS_Default'
# Policy not specified, use the default, or check if hidden setting was specified
try:
FirewallPolicy.create(name='AWS_Default',
template='Firewall Inspection Template')
except CreatePolicyFailed:
pass # Already exists
policy = FirewallPolicy(self.firewall_policy)
# Create the access rule for the network
options = LogOptions()
options.log_accounting_info_mode = True
options.log_level = 'stored'
options.application_logging = 'enforced'
options.user_logging = 'enforced'
action = Action()
action.deep_inspection = True
action.file_filtering = False
outbound_rule = policy.search_rule('AWS outbound access rule')
if not outbound_rule:
# Generic outbound access rule
policy.fw_ipv4_access_rules.create(
name='AWS outbound access rule',
sources=[Alias('$$ Interface ID 1.net')],
destinations='any',
services='any',
action=action,
log_options=options)
if self.aws_ami_ip and self.nat_ports:
dest_port = self.nat_ports.get('dest_port')
redirect_port = self.nat_ports.get('redirect_port')
services = list(
TCPService.objects.filter(dest_port)) # @UndefinedVariable
# Ignore services with protocol agents so we skip SSM
service = next(
([service]
for service in services if not service.protocol_agent), [])
if not service:
service = [
TCPService.create(name='aws_tcp{}'.format(dest_port),
min_dst_port=dest_port)
]
# Create the access rule for the client
policy.fw_ipv4_access_rules.create(
name=self.name,
sources='any',
destinations=[Alias('$$ Interface ID 0.ip')],
services=service,
action='allow',
log_options=options)
policy.fw_ipv4_nat_rules.create(
name=self.name,
sources='any',
destinations=[Alias('$$ Interface ID 0.ip')],
services=service,
static_dst_nat=self.aws_ami_ip,
static_dst_nat_ports=(dest_port, redirect_port),
used_on=self.engine.href)