def testExpiredTerm(self, mock_warn):
    """An expired term must produce exactly one expiry warning.

    ``mock_warn`` is the patched warning callable injected by the
    enclosing ``mock.patch`` decorator (the decorator is not visible
    here; presumably it patches the logger that junipersrx uses).
    """
    pol = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM_1, self.naming)
    junipersrx.JuniperSRX(pol, EXP_INFO)
    # One warning, with the exact format string and arguments the
    # generator is expected to log for an expired term.
    mock_warn.assert_called_once_with(
        'WARNING: Term %s in policy %s>%s is expired.',
        'expired_test', 'trust', 'untrust')
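def testLoggingBoth(self):
    """A term with both logging directions renders session-init and session-close.

    ``failUnless`` was replaced by ``assertIn``: the old alias is
    deprecated and removed in Python 3.12, and ``assertIn`` reports the
    missing needle and the haystack on failure without a manual message.
    """
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming), EXP_INFO)
    output = str(srx)
    self.assertIn('session-init;', output)
    self.assertIn('session-close;', output)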
def testLargeTermSplittingV6(self):
    """A term with many IPv6 hosts is split into several entries.

    Every other /128 of two /119 blocks (256 hosts per token) is handed
    to the term; with GOOD_HEADER_2 the generator is expected to split
    the result into four entries in ``srx.policy.filters[0][1]``.
    """
    def every_other_host(block):
        # Take the even-indexed /128s of the block, re-wrapped as nacaddr.IP.
        hosts = list(nacaddr.IP(block).iter_subnets(new_prefix=128))
        return [nacaddr.IP(host) for host in hosts[::2]]

    foobar_hosts = every_other_host('2620:0:1000:3103:eca0:2c09:6b32:e000/119')
    some_host_hosts = every_other_host('2720:0:1000:3103:eca0:2c09:6b32:e000/119')
    # mox record phase: expectations must be recorded in call order.
    self.naming.GetNetAddr('FOOBAR').AndReturn(foobar_hosts)
    self.naming.GetNetAddr('SOME_HOST').AndReturn(some_host_hosts)
    self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    self.assertEqual(len(srx.policy.filters[0][1]), 4)
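def testOwnerTerm(self):
    """The term owner is rendered as a ``/* Owner: ... */`` comment block.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``,
    which also prints the haystack on failure.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + OWNER_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # The expected fragment is one comment block spanning three lines.
    expected = (' /*\n'
                ' Owner: [email protected]\n'
                ' */')
    self.assertIn(expected, output)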
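def testBuildTokens(self):
    """``_BuildTokens`` reports exactly the supported tokens and sub-tokens.

    ``assertEquals`` (deprecated alias, removed in Python 3.12) is
    replaced by ``assertEqual``.
    """
    # Two service lookups are expected for GOOD_TERM_2; give each its own port.
    self.naming.GetServiceByProto.side_effect = [['25'], ['26']]
    pol1 = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2, self.naming), EXP_INFO)
    st, sst = pol1._BuildTokens()
    self.assertEqual(st, SUPPORTED_TOKENS)
    self.assertEqual(sst, SUPPORTED_SUB_TOKENS)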
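def testOptimizedGlobalAddressBook(self):
    """Global address-book entries are summarised into fewer, larger prefixes.

    FOOBAR holds fourteen /16s out of 172.16.0.0/12 (all but 172.20/16
    and 172.21/16, which belong to SOME_HOST). The expected output keeps
    only summarised prefixes and no ``/16`` at all.

    NOTE(review): ``172.16.0.0/12`` also spans 172.20/16 and 172.21/16,
    which this fixture assigns to SOME_HOST, so the asserted output treats
    that widening of FOOBAR as acceptable. For a firewall address book
    that is a policy decision worth confirming against the generator's
    intended optimisation semantics.

    ``failUnless`` (removed in Python 3.12) is replaced by
    ``assertIn``/``assertNotIn``.
    """
    # Build the fourteen FOOBAR /16s explicitly from the second octet so
    # the gap at 172.20 and 172.21 is visible.
    foobar_ips = [nacaddr.IP('172.%d.0.0/16' % octet, token='FOOBAR')
                  for octet in range(16, 32) if octet not in (20, 21)]
    some_host_ips = [nacaddr.IP('172.20.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('172.21.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('10.0.0.0/8', token='SOME_HOST')]
    # Three GetNetAddr calls are expected across the two headers/terms.
    self.naming.GetNetAddr.side_effect = [foobar_ips, some_host_ips,
                                          some_host_ips]
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(
        GOOD_HEADER + GOOD_TERM_17 + GOOD_HEADER_2 + GOOD_TERM_15,
        self.naming)
    srx = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    self.assertIn('address FOOBAR_0 172.16.0.0/12', srx)
    self.assertIn('address SOME_HOST_0 10.0.0.0/8;', srx)
    self.assertIn('address SOME_HOST_1 172.20.0.0/15;', srx)
    self.assertNotIn('/16', srx)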
def testGlobalPolicyHeader(self):
    """GOOD_HEADER_10 renders global policy blocks, not from-zone/to-zone all.

    Two ``global {`` blocks are expected and the zone-pair form
    ``from-zone all to-zone all {`` must be absent.
    """
    self.mox.ReplayAll()
    policy_text = GOOD_HEADER_10 + MULTIPLE_PROTOCOLS_TERM
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(policy_text, self.naming), EXP_INFO)
    rendered = str(srx)
    self.assertEqual(rendered.count('global {'), 2)
    self.assertFalse('from-zone all to-zone all {' in rendered)
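def testDefaultDeny(self):
    """DEFAULT_TERM_1 renders a ``deny;`` action.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.mox.ReplayAll()
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming),
        EXP_INFO)
    output = str(srx)
    self.assertIn('deny;', output)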
def testLargeTermSplitIgnoreV6(self):
    """With GOOD_HEADER_3 the large IPv6 term is not split.

    The SOME_HOST list also carries one IPv4 /32 appended after the v6
    hosts (at an even index, so the every-other selection keeps it).
    ``srx.policy.filters[0][1]`` is expected to hold a single entry.
    """
    def every_other(addresses):
        # Even-indexed entries only, re-wrapped as nacaddr.IP.
        return [nacaddr.IP(addr) for addr in addresses[::2]]

    foobar_hosts = every_other(list(
        nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119').
        iter_subnets(new_prefix=128)))
    mixed = list(
        nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119').
        iter_subnets(new_prefix=128))
    mixed.append(nacaddr.IPv4('10.0.0.1/32'))
    some_host_hosts = every_other(mixed)
    self.naming.GetNetAddr.side_effect = [foobar_hosts, some_host_hosts]
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_14, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    self.assertEqual(len(srx.policy.filters[0][1]), 1)
def testLargeTermSplittingV6(self):
    """A term with many IPv6 hosts is split into several entries.

    Every other /128 of two /119 blocks is handed to the term; with
    GOOD_HEADER_2 the result is expected to be four entries in
    ``srx.policy.filters[0][1]``. The naming lookups are verified to be
    made exactly once per token and service.
    """
    def every_other_host(block):
        # Even-indexed /128s of the block, re-wrapped as nacaddr.IP.
        hosts = list(nacaddr.IP(block).iter_subnets(new_prefix=128))
        return [nacaddr.IP(host) for host in hosts[::2]]

    foobar_hosts = every_other_host('2620:0:1000:3103:eca0:2c09:6b32:e000/119')
    some_host_hosts = every_other_host('2720:0:1000:3103:eca0:2c09:6b32:e000/119')
    self.naming.GetNetAddr.side_effect = [foobar_hosts, some_host_hosts]
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    self.assertEqual(len(srx.policy.filters[0][1]), 4)
    self.naming.GetNetAddr.assert_has_calls(
        [mock.call('FOOBAR'), mock.call('SOME_HOST')])
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
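def testDscpWithByte(self):
    """A DSCP value given as a byte is rendered as ``dscp b111000;``.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming), EXP_INFO)
    output = str(srx)
    self.assertIn('dscp b111000;', output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')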
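def testVpnWithoutPolicy(self):
    """GOOD_TERM_3 renders ``ipsec-vpn good-vpn-3;`` (VPN without a policy name).

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
    self.mox.ReplayAll()
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming),
        EXP_INFO)
    output = str(srx)
    self.assertIn('ipsec-vpn good-vpn-3;', output)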
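def testMixedVersionIcmp(self):
    """ICMP and ICMPv6 terms in one policy each get their own application term.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``;
    this also fixes the original assertions, which passed no message and
    so gave no context on failure.
    """
    pol = policy.ParsePolicy(
        GOOD_HEADER + ICMP_TYPE_TERM_1 + IPV6_ICMP_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    self.assertIn('term t6 protocol icmp6 icmp-type 129 '
                  'inactivity-timeout 60;', output)
    self.assertIn('term t1 protocol icmp icmp-type 0 '
                  'inactivity-timeout 60;', output)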
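def testDscpWithByte(self):
    """A DSCP value given as a byte is rendered as ``dscp b111000;``.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr('SOME_HOST').AndReturn(
        [nacaddr.IP('10.0.0.0/8')])
    self.mox.ReplayAll()
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming),
        EXP_INFO)
    output = str(srx)
    self.assertIn('dscp b111000;', output)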
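def testIcmpTypes(self):
    """ICMP types render as an application with one term per type.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + ICMP_TYPE_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # Both the reference and the definition of the application must be present.
    self.assertIn('application test-icmp-app;', output)
    self.assertIn('application test-icmp-app {', output)
    self.assertIn(
        'term t1 protocol icmp icmp-type 0 inactivity-timeout 60', output)
    self.assertIn(
        'term t2 protocol icmp icmp-type 8 inactivity-timeout 60', output)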
def testExpiredTerm(self):
    """An expired term must produce exactly one expiry warning.

    The warning is recorded as a mox expectation on
    ``junipersrx.logging.warn`` before replay; the generator is expected
    to log it with exactly these arguments. The stub targets ``warn``
    rather than ``warning`` because that is the attribute name being
    stubbed here — renaming only the test side would desynchronise it.
    """
    self.mox.StubOutWithMock(junipersrx.logging, 'warn')
    junipersrx.logging.warn('WARNING: Term %s in policy %s>%s is expired.',
                            'expired_test', 'trust', 'untrust')
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM_1, self.naming)
    junipersrx.JuniperSRX(pol, EXP_INFO)
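def testReplaceStatement(self):
    """Output starts each section with a ``replace:`` statement.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
    self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    for section in ('address-book', 'policies', 'applications'):
        self.assertIn('replace: ' + section, output)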
def testAddressBookOrderingAlreadyOrdered(self):
    """An address list that is already ordered stays ordered in the address book.

    ``_OutOfOrderAddresses`` yields two addresses in the wrong order;
    they are handed to the naming stub reversed (i.e. in order) and the
    generated address book is checked with ``_FailIfUnorderedAddressBook``.
    """
    later, earlier = self._OutOfOrderAddresses()
    self.naming.GetNetAddr('SOME_HOST').AndReturn([earlier, later])
    self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
    self.mox.ReplayAll()
    generator = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_2, self.naming),
        EXP_INFO)
    self._FailIfUnorderedAddressBook(generator._GenerateAddressBook())
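def testVpnWithoutPolicy(self):
    """GOOD_TERM_3 renders ``ipsec-vpn good-vpn-3;`` (VPN without a policy name).

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming), EXP_INFO)
    output = str(srx)
    self.assertIn('ipsec-vpn good-vpn-3;', output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')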
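def testTermAndFilterName(self):
    """The term name becomes the SRX policy name (``policy good-term-1 {``).

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
    self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
    self.mox.ReplayAll()
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming),
        EXP_INFO)
    output = str(srx)
    self.assertIn('policy good-term-1 {', output)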
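def testZoneAdressBookIPv6(self):
    """With GOOD_HEADER_8 the zone address book holds only the IPv6 entry.

    The IPv4 prefix from ``_IPSET`` (10.0.0.0/8) must not appear, while
    2001:4860:8000::/33 must. ``failUnless`` (removed in Python 3.12) is
    replaced by ``assertIn``/``assertNotIn``.
    """
    self.naming.GetNetAddr('SOME_HOST').AndReturn(_IPSET)
    self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(GOOD_HEADER_8 + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    self.assertIn('security-zone untrust {', output)
    self.assertIn('replace: address-book {', output)
    self.assertIn('2001:4860:8000::/33', output)
    self.assertNotIn('10.0.0.0/8', output)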
def testExpiringTerm(self, mock_info):
    """A term expiring within EXP_INFO weeks triggers exactly one info message.

    ``mock_info`` is the patched info callable injected by the enclosing
    ``mock.patch`` decorator (not visible here; presumably it patches the
    logger that junipersrx uses). The expiration date is computed
    relative to today so the test does not go stale.
    """
    expires_on = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
    term_text = EXPIRING_TERM % expires_on.strftime('%Y-%m-%d')
    pol = policy.ParsePolicy(GOOD_HEADER + term_text, self.naming)
    junipersrx.JuniperSRX(pol, EXP_INFO)
    mock_info.assert_called_once_with(
        'INFO: Term %s in policy %s>%s expires in '
        'less than two weeks.', 'is_expiring', 'trust', 'untrust')
def testAddressBookOrderingSuccess(self):
    """Out-of-order addresses are sorted when the address book is generated.

    ``_OutOfOrderAddresses`` supplies the unsorted input and
    ``_FailIfUnorderedAddressBook`` checks the generated book; the naming
    stub must be consulted exactly once per token and service.
    """
    self.naming.GetNetAddr.return_value = self._OutOfOrderAddresses()
    self.naming.GetServiceByProto.return_value = ['25']
    generator = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_2, self.naming),
        EXP_INFO)
    address_book = generator._GenerateAddressBook()
    self._FailIfUnorderedAddressBook(address_book)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
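def testDscpWithClass(self):
    """DSCP class names, ranges and exceptions from GOOD_TERM_11 are rendered.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr('SOME_HOST').AndReturn(
        [nacaddr.IP('10.0.0.0/8')])
    self.mox.ReplayAll()
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming),
        EXP_INFO)
    output = str(srx)
    self.assertIn('dscp af42;', output)
    self.assertIn('dscp [ af41-af42 5 ];', output)
    self.assertIn('dscp-except [ be ];', output)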
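def testTermAndFilterName(self):
    """The term name becomes the SRX policy name (``policy good-term-1 {``).

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming), EXP_INFO)
    output = str(srx)
    self.assertIn('policy good-term-1 {', output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')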
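def testDscpWithClass(self):
    """DSCP class names, ranges and exceptions from GOOD_TERM_11 are rendered.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    srx = junipersrx.JuniperSRX(
        policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming), EXP_INFO)
    output = str(srx)
    self.assertIn('dscp af42;', output)
    self.assertIn('dscp [ af41-af42 5 ];', output)
    self.assertIn('dscp-except [ be ];', output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')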
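def testReplaceStatement(self):
    """Output starts each section with a ``replace:`` statement.

    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    for section in ('address-book', 'policies', 'applications'):
        self.assertIn('replace: ' + section, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')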
def testExpiringTerm(self):
    """A term expiring within EXP_INFO weeks triggers exactly one info message.

    The message is recorded as a mox expectation on
    ``junipersrx.logging.info`` before replay. The expiration date is
    computed relative to today so the test does not go stale.
    """
    self.mox.StubOutWithMock(junipersrx.logging, 'info')
    junipersrx.logging.info(
        'INFO: Term %s in policy %s>%s expires in '
        'less than two weeks.', 'is_expiring', 'trust', 'untrust')
    self.mox.ReplayAll()
    expires_on = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
    term_text = EXPIRING_TERM % expires_on.strftime('%Y-%m-%d')
    pol = policy.ParsePolicy(GOOD_HEADER + term_text, self.naming)
    junipersrx.JuniperSRX(pol, EXP_INFO)
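def testZoneAdressBookIPv6(self):
    """With GOOD_HEADER_8 the zone address book holds only the IPv6 entry.

    The IPv4 prefix from ``_IPSET`` (10.0.0.0/8) must not appear, while
    2001:4860:8000::/33 must. ``failUnless`` (removed in Python 3.12) is
    replaced by ``assertIn``/``assertNotIn``.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_8 + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    self.assertIn('security-zone untrust {', output)
    self.assertIn('replace: address-book {', output)
    self.assertIn('2001:4860:8000::/33', output)
    self.assertNotIn('10.0.0.0/8', output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')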
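def testMultipleProtocolGrouping(self):
    """A multi-protocol term becomes an application-set of per-protocol applications.

    One application per protocol (tcp, udp, icmp) is expected, each
    referenced from the ``multi-proto-app`` application-set.
    ``failUnless`` (removed in Python 3.12) is replaced by ``assertIn``.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + MULTIPLE_PROTOCOLS_TERM,
                             self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    self.assertIn('application-set multi-proto-app {', output)
    # Each protocol gets its own application: a reference inside the set,
    # a definition block, and the protocol term within that block.
    expected_terms = (
        ('multi-proto-app1', 'term t1 protocol tcp;'),
        ('multi-proto-app2', 'term t2 protocol udp;'),
        ('multi-proto-app3', 'term t3 protocol icmp;'),
    )
    for app_name, term in expected_terms:
        self.assertIn('application %s;' % app_name, output)
        self.assertIn('application %s {' % app_name, output)
        self.assertIn(term, output)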