def test_log_options(self):
    """
    Drive every LogOptions setter once and check the resulting values,
    then confirm the callable form yields a single 'options' key whose
    value equals the object's ``data`` dict.
    """
    options = LogOptions()

    # Assignments are kept in this exact order; log_level is deliberately
    # written twice and the later value ('transient') is the one checked.
    options.log_accounting_info_mode = False
    options.log_level = 'stored'
    options.application_logging = 'enforced'
    options.user_logging = 'enforced'
    options.comment = 'my new comment!!'
    options.log_closing_mode = True
    options.log_level = 'transient'
    options.log_payload_additional = True
    options.log_payload_excerpt = True
    options.log_payload_record = True

    # NOTE(review): log_accounting_info_mode is assigned False above but is
    # expected truthy here — confirm this is LogOptions' intended setter
    # behaviour rather than a stale assertion.
    truthy_flags = (
        'log_accounting_info_mode',
        'log_closing_mode',
    )
    for flag in truthy_flags:
        self.assertTrue(getattr(options, flag))
    self.assertEqual(options.log_level, 'transient')
    for flag in ('log_payload_additional',
                 'log_payload_excerpt',
                 'log_payload_record'):
        self.assertTrue(getattr(options, flag))
    self.assertEqual(options.user_logging, 'enforced')
    # log_severity is never set in this test; -1 is the value observed
    # without an assignment.
    self.assertEqual(options.log_severity, -1)
    self.assertEqual(options.application_logging, 'enforced')

    serialized = options()
    for key, value in serialized.items():
        self.assertEqual(key, 'options')
        self.assertDictEqual(value, options.data)
def add_policy(self):
    """
    Add firewall rules for a newly built VPC.

    An outbound access rule named 'AWS outbound access rule' is created on
    the firewall policy when one is not already present. If a client AMI IP
    and NAT ports were supplied, an inbound access rule and a static
    destination NAT rule (both named after this instance) are created so
    that traffic reaching the firewall's interface 0 IP is forwarded to the
    AMI. Both client rules match ``sources='any'``; narrowing the source set
    to known client addresses is left to the caller. This could be extended
    to more generically support VPN rules.

    When no firewall policy name was set, 'AWS_Default' is used and created
    from the 'Firewall Inspection Template' if it does not already exist.
    """
    if not self.firewall_policy:
        # No policy given: fall back to the default one, creating it on demand.
        self.firewall_policy = 'AWS_Default'
        try:
            FirewallPolicy.create(
                name='AWS_Default',
                template='Firewall Inspection Template')
        except CreatePolicyFailed:
            # Taken to mean the policy already exists; the failure is not
            # re-raised, so other create failures of this type are hidden too.
            pass

    fw_policy = FirewallPolicy(self.firewall_policy)

    # Logging settings shared by every rule created below.
    log_opts = LogOptions()
    log_opts.log_accounting_info_mode = True
    log_opts.log_level = 'stored'
    log_opts.application_logging = 'enforced'
    log_opts.user_logging = 'enforced'

    rule_action = Action()
    rule_action.deep_inspection = True
    rule_action.file_filtering = False

    if not fw_policy.search_rule('AWS outbound access rule'):
        # Generic outbound access rule from the interface 1 network.
        fw_policy.fw_ipv4_access_rules.create(
            name='AWS outbound access rule',
            sources=[Alias('$$ Interface ID 1.net')],
            destinations='any',
            services='any',
            action=rule_action,
            log_options=log_opts)

    if not (self.aws_ami_ip and self.nat_ports):
        # Nothing to forward to: only the outbound rule is needed.
        return

    # NOTE(review): .get() yields None for a missing key; what filter() and
    # create() do with None is not visible here — confirm nat_ports always
    # carries both 'dest_port' and 'redirect_port'.
    dest_port = self.nat_ports.get('dest_port')
    redirect_port = self.nat_ports.get('redirect_port')

    matching = list(TCPService.objects.filter(dest_port))  # @UndefinedVariable
    # Reuse the first existing service without a protocol agent so SSM is
    # skipped; stop scanning at the first hit.
    svc = []
    for candidate in matching:
        if not candidate.protocol_agent:
            svc = [candidate]
            break
    if not svc:
        svc = [
            TCPService.create(
                name='aws_tcp{}'.format(dest_port),
                min_dst_port=dest_port)
        ]

    # Inbound access rule for the client; matches any source address.
    fw_policy.fw_ipv4_access_rules.create(
        name=self.name,
        sources='any',
        destinations=[Alias('$$ Interface ID 0.ip')],
        services=svc,
        action='allow',
        log_options=log_opts)
    # Static destination NAT forwarding interface 0 IP traffic to the AMI.
    fw_policy.fw_ipv4_nat_rules.create(
        name=self.name,
        sources='any',
        destinations=[Alias('$$ Interface ID 0.ip')],
        services=svc,
        static_dst_nat=self.aws_ami_ip,
        static_dst_nat_ports=(dest_port, redirect_port),
        used_on=self.engine.href)