def test_validate(monkeypatch):
"""
.
"""
# pylint: disable=unused-argument
@counter_wrapper
def fake_validate_false(self) -> bool:
"""
.
"""
return False
@counter_wrapper
def fake_validate_true(self) -> bool:
"""
.
"""
return True
monkeypatch.setattr(
secondary_configs,
"get_port_groups",
lambda config_path: [PortGroup("group1"),
PortGroup("group2")],
)
monkeypatch.setattr(Validatable, "validate", fake_validate_false)
rule = Rule(10, "firewall", ".")
assert not rule.validate(), "Validation fails if parent fails"
assert fake_validate_false.counter == 1, "Parent validation called"
monkeypatch.setattr(Validatable, "validate", fake_validate_true)
rule = Rule(10, "firewall", ".")
assert rule.validate(), "Validation can succeed if parent succeeds"
assert fake_validate_true.counter == 1, "Parent validation called"
rule = Rule(10,
"firewall",
".",
source={"port": "group1"},
destination={"port": "group2"})
assert rule.validate(), "Rule is valid if groups are valid"
rule = Rule(10,
"firewall",
".",
source={"port": "group3"},
destination={"port": "group4"})
assert not rule.validate(), "Rule is invalid with nonexistent groups"
assert rule.validation_errors() == [
"Rule 10 has nonexistent source port group group3",
"Rule 10 has nonexistent destination port group group4",
], "Errors added"
def test_connection_consistency(monkeypatch):
"""
.
"""
monkeypatch.setattr(
secondary_configs, "get_port_groups", lambda config_path: [PortGroup("a-group")]
)
monkeypatch.setattr(Host, "add_firewall_rules", lambda self: None)
network = Network(
"network", None, ".", "192.168.0.0/24", **{"interface-name": "eth0"}
)
attributes = {
"connections": [
{"allow": True, "rule": 10},
{
"allow": True,
"rule": 20,
"source": {"address": "123.123.123.123"},
"destination": {"address": "a-group"},
},
]
}
host = Host("host", network, ".", "192.168.0.1", **attributes)
assert not host.is_consistent(), "Host is not consistent"
assert host.validation_errors() == [
"Host host has connection with no source address or destination address",
"Host host has connection where its address is not used "
"in source or destination",
]
def get_port_groups(config_path: str) -> List[PortGroup]:
"""
Gets the yaml port group definitions
"""
port_groups = []
for port_group in file_paths.get_config_files(
[config_path, file_paths.PORT_GROUPS_FOLDER]):
group_name = path.basename(port_group).replace(".yaml", "")
port_groups.append(
PortGroup(group_name,
**file_paths.load_yaml_from_file(port_group) or {}))
return port_groups
def test_is_consistent(monkeypatch):
"""
.
"""
monkeypatch.setattr(utility, "get_duplicates", lambda array: [])
group = PortGroup("group", [])
assert group.is_consistent(), "No duplicates is consistent"
monkeypatch.setattr(utility, "get_duplicates", lambda array: [10, 20])
duplicate_group = PortGroup("group2", [])
assert not duplicate_group.is_consistent(
), "Duplicate port group is not consistent"
assert duplicate_group.validation_errors() == [
str(duplicate_group) + " has duplicate ports: 10, 20"
], "Validation error added"
def test_port_group():
"""
.
"""
ports = PortGroup("group", [80])
assert ports.name == "group", "Name set"
assert ports.ports == [80], "Ports set"
ports.add_port(443)
assert ports.ports == [80, 443], "Port added"
ports.add_ports([8080, 4430])
assert ports.ports == [80, 443, 8080, 4430], "Ports added"
assert str(ports) == "Port group group", "Port group name returned"
def test_command():
"""
.
"""
group = PortGroup("web-ports", [80, 443])
group2 = PortGroup("printer-ports", [161, 515, 631, 9100],
"Ports for printer connections")
assert group.commands() == [
"firewall group port-group web-ports port 80",
"firewall group port-group web-ports port 443",
], "No description port group correct"
assert group2.commands() == [
"firewall group port-group printer-ports port 161",
"firewall group port-group printer-ports port 515",
"firewall group port-group printer-ports port 631",
"firewall group port-group printer-ports port 9100",
"firewall group port-group printer-ports description "
"'Ports for printer connections'",
], "Description port group correct"
def test_is_consistent(monkeypatch):
"""
.
"""
monkeypatch.setattr(Host, "add_firewall_rules", lambda self: None)
network = Network(
"network", None, ".", "192.168.0.0/24", **{"interface-name": "eth0"}
)
host = Host("host", network, ".", "192.168.0.1")
monkeypatch.setattr(secondary_configs, "get_port_groups", lambda config_path: [])
assert host.is_consistent(), "Empty host is consistent"
monkeypatch.setattr(
secondary_configs, "get_port_groups", lambda config_path: [PortGroup("group1")]
)
attrs = {"forward-ports": ["group1", "group2"]}
host = Host("host", network, ".", "192.168.0.1", **attrs)
assert not host.is_consistent(), "Missing forward port group inconsistent"
assert host.validation_errors() == [
"Port Group group2 not defined for forwarding in Host host"
], "Forward port group error set"
attrs = {"forward-ports": ["group1", 80, {8080: 80}]}
host = Host("host", network, ".", "192.168.0.1", **attrs)
assert host.is_consistent(), "Forward port groups consistent"
assert not host.validation_errors(), "No errors for forward port"
attrs = {
"hairpin-ports": [
{
"description": "hairpin",
"interface": "eth1.10",
"connection": {"destination": {"port": "group1"}},
},
{
"description": "hairpin2",
"interface": "eth1.20",
"connection": {"destination": {"port": "group2"}},
},
]
}
host = Host("host", network, ".", "192.168.0.1", **attrs)
assert not host.is_consistent(), "Missing hairpin port group inconsistent"
assert host.validation_errors() == [
"Port Group group2 not defined for hairpin in Host host"
], "Hairpin port group error set"
attrs = {
"hairpin-ports": [
{
"description": "hairpin",
"interface": "eth1.10",
"connection": {"destination": {"port": "group1"}},
},
{
"description": "web",
"interface": "eth1.20",
"connection": {"destination": {"port": 80}},
},
]
}
host = Host("host", network, ".", "192.168.0.2", **attrs)
assert host.is_consistent(), "Hairpin port groups consistent"
assert not host.validation_errors(), "No errors for hairpin port"
attrs = {
"connections": [
{
"allow": True,
"source": {"address": "an-address"},
"destination": {"port": 80},
},
{
"allow": False,
"source": {"address": "12.10.12.12", "port": 8080},
"destination": {"port": "443"},
},
{
"allow": False,
"source": {"address": "192.168.0.0/24"},
"destination": {"port": "group1"},
},
{
"allow": False,
"source": {"port": "group2"},
"destination": {"port": "group3"},
},
{
"allow": True,
"source": {"address": "Amazon"},
"destination": {"port": "web"},
},
]
}
host = Host("host", network, ".", "192.168.0.1", **attrs)
assert not host.is_consistent(), "Connections inconsistent"
assert host.validation_errors() == [
"Source Port Group group2 not defined for blocked connection in Host host",
"Destination Port Group group3 not defined for blocked connection in Host host",
"Destination Port Group web not defined for allowed connection in Host host",
], "Error set for missing port group in connections"
del attrs["connections"][-2:]
host = Host("host", network, ".", "192.168.0.1", **attrs)
assert host.is_consistent(), "Connections are consistent"
assert not host.validation_errors(), "No connection errors"
def test_validate(monkeypatch):
"""
.
"""
# pylint: disable=unused-argument
@counter_wrapper
def fake_validate_false(self) -> bool:
"""
.
"""
return False
@counter_wrapper
def fake_validate_true(self) -> bool:
"""
.
"""
return True
monkeypatch.setattr(
secondary_configs,
"get_port_groups",
lambda config_path: [PortGroup("group1"),
PortGroup("group2")],
)
monkeypatch.setattr(Validatable, "validate", fake_validate_false)
rule = NATRule(10, ".")
assert not rule.validate(), "Validation fails if parent fails"
assert fake_validate_false.counter == 1, "Parent validation called"
monkeypatch.setattr(Validatable, "validate", fake_validate_true)
rule = NATRule(10, ".")
assert not rule.validate(), "Validation fails without inside address"
assert fake_validate_true.counter == 1, "Parent validation called"
assert rule.validation_errors() == ["NAT rule 10 does not have type"
], "Validation errors set"
properties = {
"source": {
"port": "group1"
},
"destination": {
"port": "group2"
},
}
rule = NATRule(10, ".", **properties)
assert not rule.validate(), "Missing type invalid"
assert rule.validation_errors() == ["NAT rule 10 does not have type"
], "Errors set"
properties["type"] = "source"
rule = NATRule(10, ".", **properties)
assert not rule.validate(), "Missing type invalid"
assert rule.validation_errors() == [
"NAT rule 10 does not have inside address"
], "Errors set"
properties["inside-address"] = ({"address": "192.168.0.2"}, )
rule = NATRule(10, ".", **properties)
assert rule.validate(), "Rule is valid if groups are valid"
rule = NATRule(10, ".", **properties)
properties["source"]["port"] = "group3"
properties["destination"]["port"] = "group4"
assert not rule.validate(), "Rule is invalid with nonexistent groups"
assert rule.validation_errors() == [
"NAT rule 10 has nonexistent source port group group3",
"NAT rule 10 has nonexistent destination port group group4",
], "Errors added"