def test_validate_rules_canon(self): rules = { "inbound_rules": [ {"protocol": "tcp", "ip_version": 4, "src_net": "10/8", "dst_net": "11.0/16", "src_ports": [10, "11:12"], "action": "allow"}, {"protocol": "tcp", "src_net": None}, ], "outbound_rules": [ {"protocol": "tcp", "ip_version": 6, "src_net": "2001:0::1/128", "dst_net": "2001:0::/64", "icmp_type": 7, "icmp_code": 10, "action": "deny"} ], } common.validate_rules("profile_id", rules) # Check IPs get made canonical. self.assertEqual(rules, { "inbound_rules": [ {"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8", "dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"], "action": "allow"}, {"protocol": "tcp"}, ], "outbound_rules": [ {"protocol": "tcp", "ip_version": 6, "src_net": "2001::1/128", "dst_net": "2001::/64", "icmp_type": 7, "icmp_code": 10, "action": "deny"} ], })
def parse_rules(profile_id, raw_json): rules = safe_decode_json(raw_json, log_tag="rules %s" % profile_id) try: common.validate_rules(profile_id, rules) except ValidationFailed as e: _log.exception("Validation failed for profile %s rules: %s; %r", profile_id, rules, e) return None else: return rules
def assertNeutronToEtcd(self, neutron_rule, exp_etcd_rule): etcd_rule = t_etcd._neutron_rule_to_etcd_rule(neutron_rule) self.assertEqual(etcd_rule, exp_etcd_rule) # Check felix is happy with generated rule. if neutron_rule["direction"] == "ingress": rules = {"inbound_rules": [etcd_rule], "outbound_rules": []} else: rules = {"outbound_rules": [etcd_rule], "inbound_rules": []} common.validate_rules("profile_id", rules)
def parse_rules(profile_id, raw_json): rules = json_decoder.decode(raw_json) try: common.validate_rules(profile_id, rules) except ValidationFailed: _log.exception("Validation failed for profile %s rules: %s", profile_id, rules) return None else: return rules
def parse_if_rules(etcd_node): m = RULES_KEY_RE.match(etcd_node.key) if m: # Got some rules. profile_id = m.group("profile_id") if etcd_node.action == "delete": rules = None else: rules = json_decoder.decode(etcd_node.value) rules["id"] = profile_id try: common.validate_rules(rules) except ValidationFailed: _log.exception("Validation failed for profile %s rules: %s", profile_id, rules) return profile_id, None _log.debug("Found rules for profile %s : %s", profile_id, rules) return profile_id, rules return None, None
def test_validate_rules(self): profile_id = "valid_name-ok." rules = {'inbound_rules': [], 'outbound_rules': []} common.validate_rules(profile_id, rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Expected rules to be a dict"): common.validate_rules(profile_id, []) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile_id"): common.validate_rules("a&b", rules.copy()) # No rules. with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"): common.validate_rules(profile_id, {'inbound_rules':[]}) with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"): common.validate_rules(profile_id, {'outbound_rules':[]}) rules = {'inbound_rules': 3, 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected rules\[inbound_rules\] to be a list"): common.validate_rules(profile_id, rules.copy()) rule = "not a dict" rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rules should be dicts"): common.validate_rules(profile_id, rules.copy()) rule = {'bad_key': ""} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule contains unknown keys"): common.validate_rules(profile_id, rules) rule = {'protocol': "bloop"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol in rule"): common.validate_rules(profile_id, rules) rule = {'ip_version': 5} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid ip_version in rule"): common.validate_rules(profile_id, rules) rule = {'ip_version': 4, 'protocol': "icmpv6"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmpv6 with IPv4"): common.validate_rules(profile_id, rules) rule = {'ip_version': 6, 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"): common.validate_rules(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_rules(profile_id, rules) rule = {'src_tag': "a!b", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"): common.validate_rules(profile_id, rules) rule = {'dst_tag': "x,y", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"): common.validate_rules(profile_id, rules) rule = {'src_net': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_rules(profile_id, rules) rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_rules(profile_id, rules) rule = {'src_ports': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected ports to be a list"): common.validate_rules(profile_id, rules) rule = {'dst_ports': [32, "nonsense"]} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid port"): common.validate_rules(profile_id, rules) rule = {'action': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid action"): common.validate_rules(profile_id, rules) rule = {'icmp_type': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is not an integer"): common.validate_rules(profile_id, rules) rule = {'icmp_type': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 22, 'icmp_code': "2"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is not an integer"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_code': 2} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code specified without ICMP type"): common.validate_rules(profile_id, rules)
def test_validate_rules(self): profile_id = "valid_name-ok." rules = {'inbound_rules': [], 'outbound_rules': []} common.validate_rules(profile_id, rules.copy()) with self.assertRaisesRegexp(ValidationFailed, "Expected rules to be a dict"): common.validate_rules(profile_id, []) with self.assertRaisesRegexp(ValidationFailed, "Invalid profile_id"): common.validate_rules("a&b", rules.copy()) # No rules. with self.assertRaisesRegexp(ValidationFailed, "No outbound_rules"): common.validate_rules(profile_id, {'inbound_rules': []}) with self.assertRaisesRegexp(ValidationFailed, "No inbound_rules"): common.validate_rules(profile_id, {'outbound_rules': []}) rules = {'inbound_rules': 3, 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Expected rules\[inbound_rules\] to be a list"): common.validate_rules(profile_id, rules.copy()) rule = "not a dict" rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rules should be dicts"): common.validate_rules(profile_id, rules.copy()) rule = {'bad_key': ""} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Rule contains unknown keys"): common.validate_rules(profile_id, rules) rule = {'protocol': "bloop"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp( ValidationFailed, "Invalid protocol bloop in rule " "{'protocol': 'bloop'}"): common.validate_rules(profile_id, rules) rule = {'ip_version': 5} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid ip_version in rule"): common.validate_rules(profile_id, rules) rule = {'ip_version': 4, 'protocol': "icmpv6"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmpv6 with IPv4"): common.validate_rules(profile_id, rules) rule = {'ip_version': 6, 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Using icmp with IPv6"): common.validate_rules(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_rules(profile_id, rules) rule = {'src_tag': "abc", 'protocol': "123"} rules = {'inbound_rules': [rule], 'outbound_rules': []} common.validate_rules(profile_id, rules) rule = {'protocol': "256"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 256 in rule"): common.validate_rules(profile_id, rules) rule = {'protocol': "0"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid protocol 0 in rule"): common.validate_rules(profile_id, rules) rule = {'src_tag': "a!b", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid src_tag"): common.validate_rules(profile_id, rules) rule = {'dst_tag': "x,y", 'protocol': "icmp"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid dst_tag"): common.validate_rules(profile_id, rules) rule = {'src_net': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_rules(profile_id, rules) rule = {'dst_net': "1.2.3.4/16", 'ip_version': 6} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid CIDR"): common.validate_rules(profile_id, rules) rule = {'src_ports': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Expected ports to be a list"): common.validate_rules(profile_id, rules) rule = {'dst_ports': [32, "nonsense"]} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid port"): common.validate_rules(profile_id, rules) rule = {'action': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "Invalid action"): common.validate_rules(profile_id, rules) rule = {'icmp_type': "nonsense"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is not an integer"): common.validate_rules(profile_id, rules) rule = {'icmp_type': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP type is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 22, 'icmp_code': "2"} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is not an integer"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': -1} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_type': 0, 'icmp_code': 256} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code is out of range"): common.validate_rules(profile_id, rules) rule = {'icmp_code': 2} rules = {'inbound_rules': [rule], 'outbound_rules': []} with self.assertRaisesRegexp(ValidationFailed, "ICMP code specified without ICMP type"): common.validate_rules(profile_id, rules)