def testOwnerTerm(self):
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_13, self.naming),
EXP_INFO)
self.failUnless(re.search('remark Owner: [email protected]', str(acl)),
str(acl))
def testDsmo2(self):
fourth_octet = [
2, 8, 20, 26, 28, 32, 40, 52, 58, 86, 130, 136, 148, 154, 156, 160,
168, 180, 186, 214
]
addr_list = list()
for octet3 in range(56, 60):
for octet4 in fourth_octet:
net = nacaddr.IP('192.168.' + str(octet3) + '.' + str(octet4) +
'/31')
addr_list.append(net)
self.naming.GetNetAddr.return_value = addr_list
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_8, self.naming),
EXP_INFO)
self.assertIn('permit tcp any 192.168.56.2 0.0.3.129', str(acl))
self.assertIn('permit tcp any 192.168.56.8 0.0.3.161', str(acl))
self.assertIn('permit tcp any 192.168.56.20 0.0.3.137', str(acl))
self.assertIn('permit tcp any 192.168.56.26 0.0.3.161', str(acl))
self.assertIn('permit tcp any 192.168.56.32 0.0.3.129', str(acl))
self.assertIn('permit tcp any 192.168.56.52 0.0.3.129', str(acl))
self.assertIn('permit tcp any 192.168.56.86 0.0.3.129', str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testIcmpCode(self):
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19, self.naming),
EXP_INFO)
output = str(acl)
self.failUnless(' permit icmp any any 3 3' in output, output)
self.failUnless(' permit icmp any any 3 4' in output, output)
def testUdpEstablished(self):
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_9, self.naming),
EXP_INFO)
self.failIf(re.search('permit 17 any any established', str(acl)),
str(acl))
def testDSCP(self):
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_16, self.naming),
EXP_INFO)
self.failUnless(re.search('permit 6 any any dscp 42', str(acl)),
str(acl))
def testTcpEstablished(self):
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming),
EXP_INFO)
self.failUnless(re.search('permit 6 any any established\n', str(acl)),
str(acl))
def testLogging(self):
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_4, self.naming),
EXP_INFO)
self.failUnless(re.search('permit 6 any any log\n', str(acl)),
str(acl))
def testTermAndFilterName(self):
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming),
EXP_INFO)
self.failUnless('ip access-list extended test-filter' in str(acl),
str(acl))
self.failUnless(' remark good-term-1' in str(acl), str(acl))
def testExpiredTerm(self, mock_warn):
_ = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM,
self.naming), EXP_INFO)
mock_warn.assert_called_once_with(
'WARNING: Term %s in policy %s is expired and will not '
'be rendered.', 'is_expired', 'test-filter')
def testBuildWarningTokens(self):
pol1 = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17, self.naming),
EXP_INFO)
st, sst = pol1._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testVerbatimTerm(self):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5,
self.naming), EXP_INFO)
self.failUnless('mary had a little lamb' in str(acl), str(acl))
# check if other platforms verbatim shows up in ouput
self.failIf('mary had a second lamb' in str(acl), str(acl))
self.failIf('mary had a third lamb' in str(acl), str(acl))
def testRemark(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(policy.ParsePolicy(
GOOD_EXTENDED_NUMBERED_HEADER + GOOD_TERM_1, self.naming), EXP_INFO)
self.failUnless('ip access-list extended 150' in str(acl), str(acl))
self.failUnless(' remark numbered extended' in str(acl), str(acl))
self.failIf('150 remark' in str(acl), str(acl))
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(policy.ParsePolicy(
GOOD_STANDARD_NUMBERED_HEADER + GOOD_STANDARD_TERM_1, self.naming),
EXP_INFO)
self.failUnless('access-list 50 remark' in str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testObjectGroup(self):
ip_grp = ['object-group network ipv4 SOME_HOST']
ip_grp.append(' 10.0.0.0/8')
ip_grp.append('exit')
port_grp1 = ['object-group port 80-80']
port_grp1.append(' eq 80')
port_grp1.append('exit')
port_grp2 = ['object-group port 1024-65535']
port_grp2.append(' range 1024 65535')
port_grp2.append('exit')
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('10.0.0.0/8', token='SOME_HOST')])
self.naming.GetServiceByProto('HTTP', 'tcp').AndReturn(['80'])
self.mox.ReplayAll()
pol = policy.ParsePolicy(GOOD_OBJGRP_HEADER + GOOD_TERM_2, self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failUnless('\n'.join(ip_grp) in str(acl),
'%s %s' % ('\n'.join(ip_grp), str(acl)))
self.failUnless('\n'.join(port_grp1) in str(acl),
'%s %s' % ('\n'.join(port_grp1), str(acl)))
self.failUnless('\n'.join(port_grp2) in str(acl),
'%s %s' % ('\n'.join(port_grp2), str(acl)))
# Object-group terms should use the object groups created.
self.failUnless(
'any port-group 80-80 net-group SOME_HOST port-group 1024-65535' in
str(acl))
# There should be no addrgroups that look like IP addresses.
for addrgroup in re.findall(r'net-group ([a-f0-9.:/]+)', str(acl)):
self.assertRaises(ValueError, nacaddr.IP(addrgroup))
def testRemark(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('10.1.1.1/32')])
self.mox.ReplayAll()
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_EXTENDED_NUMBERED_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
self.failUnless('ip access-list extended 150' in str(acl), str(acl))
self.failUnless('remark numbered extended' in str(acl), str(acl))
self.failIf('150 remark' in str(acl), str(acl))
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(
policy.ParsePolicy(
GOOD_STANDARD_NUMBERED_HEADER + GOOD_STANDARD_TERM_1,
self.naming), EXP_INFO)
self.failUnless('access-list 50 remark' in str(acl), str(acl))
def testNoIPv6InOutput(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('2620:0:1000::/40')])
self.mox.ReplayAll()
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failIf('::' in str(acl), '[%s]' % str(acl))
def testExpiringTerm(self, mock_info):
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
_ = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + EXPIRING_TERM %
exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
mock_info.assert_called_once_with(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is_expiring', 'test-filter')
def testNoIPv6InOutput(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2620:0:1000::/40')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failIf('::' in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testIPVersion(self):
self.naming.GetNetAddr('ANY').AndReturn(
[nacaddr.IP('0.0.0.0/0'),
nacaddr.IP('::/0')])
self.mox.ReplayAll()
pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_6, self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
# check if we've got a v6 address in there.
self.failIf('::' in str(acl), str(acl))
def testNamedStandard(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('10.0.0.0/8')])
self.mox.ReplayAll()
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'ip access-list standard FOO'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
def testStandardTermHost(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('10.1.1.1/32')])
self.mox.ReplayAll()
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_1,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'access-list 99 permit 10.1.1.1'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
def testIcmpInet6Mismatch(self, mock_debug):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
# output happens in __str_
str(acl)
mock_debug.assert_called_once_with(
'Term good-term-1 will not be rendered,'
' as it has [\'icmp\'] match specified but '
'the ACL is of inet6 address family.')
def testProtoInts(self):
pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_7 + GOOD_TERM_9,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failUnless('permit 112 any any' in str(acl), str(acl))
self.failUnless(
'permit tcp any any range 1024 65535 '
'established' in str(acl), str(acl))
self.failUnless('permit udp any any range 1024 65535' in str(acl),
str(acl))
def testStandardTermHost(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_1,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'access-list 99 permit 10.1.1.1'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testNamedStandard(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'ip access-list standard FOO'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testIcmpTypes(self):
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming),
EXP_INFO)
# echo-reply = 0
self.failUnless(re.search('permit 1 any any 0', str(acl)), str(acl))
# unreachable = 3
self.failUnless(re.search('permit 1 any any 3', str(acl)), str(acl))
# time-exceeded = 11
self.failUnless(re.search('permit 1 any any 11', str(acl)), str(acl))
def testIpv6IcmpTypes(self):
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_11, self.naming),
EXP_INFO)
# echo-reply = icmp-type code 129
self.failUnless(re.search('permit 58 any any 129', str(acl)), str(acl))
# destination-unreachable = icmp-type code 1
self.failUnless(re.search('permit 58 any any 1', str(acl)), str(acl))
# time-exceeded = icmp-type code 3
self.failUnless(re.search('permit 58 any any 3', str(acl)), str(acl))
def testIPVersion(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('0.0.0.0/0'),
nacaddr.IP('::/0')]
pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_6, self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
# check if we've got a v6 address in there.
self.failIf('::' in str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('ANY')
def testExpiredTerm(self):
self.mox.StubOutWithMock(cisco.logging, 'warn')
# create mock to ensure we warn about expired terms being skipped
cisco.logging.warn(
'WARNING: Term %s in policy %s is expired and will not '
'be rendered.', 'is_expired', 'test-filter')
self.mox.ReplayAll()
_ = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM, self.naming),
EXP_INFO)
def testIcmpInet6Mismatch(self):
self.mox.StubOutWithMock(cisco.logging, 'debug')
cisco.logging.debug('Term good-term-1 will not be rendered,'
' as it has [\'icmp\'] match specified but '
'the ACL is of inet6 address family.')
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_1, self.naming),
EXP_INFO)
# output happens in __str_
str(acl)
def testDsmo(self):
addr_list = list()
for octet in range(0, 256):
net = nacaddr.IP('192.168.' + str(octet) + '.64/27')
addr_list.append(net)
self.naming.GetNetAddr('SOME_HOST').AndReturn(addr_list)
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_8, self.naming),
EXP_INFO)
self.failUnless('permit 6 any 192.168.0.64 0.0.255.31' in str(acl))
