def test_validate_rules_canon(self):
rules = {
"inbound_rules": [
{"protocol": "tcp", "ip_version": 4, "src_net": "10/8",
"dst_net": "11.0/16", "src_ports": [10, "11:12"],
"action": "allow",
"log_prefix": "foo!@#$012345678901234567890123456789"},
{"action": "log"},
{"protocol": "tcp", "src_net": None},
],
"outbound_rules": [
{"protocol": "tcp", "ip_version": 6,
"src_net": "2001:0::1/128", "dst_net": "2001:0::/64",
"icmp_type": 7, "icmp_code": 10,
"action": "deny"}
],
}
common.validate_profile("profile_id", rules)
# Check IPs get made canonical.
self.assertEqual(rules, {
"inbound_rules": [
{"protocol": "tcp", "ip_version": 4, "src_net": "10.0.0.0/8",
"dst_net": "11.0.0.0/16", "src_ports": [10, "11:12"],
"action": "allow",
"log_prefix": "foo____01234567890123456789"},
{"action": "log"},
{"protocol": "tcp"},
],
"outbound_rules": [
{"protocol": "tcp", "ip_version": 6,
"src_net": "2001::1/128", "dst_net": "2001::/64",
"icmp_type": 7, "icmp_code": 10,
"action": "deny"}
],
})
def test_validate_rules(self):
profile_id = "valid_name-ok."
rules = {'inbound_rules': [],
'outbound_rules': []}
common.validate_profile(profile_id, rules.copy())
with self.assertRaisesRegexp(ValidationFailed,
"Expected profile 'valid_name-ok.' to "
"be a dict"):
common.validate_profile(profile_id, [])
with self.assertRaisesRegexp(ValidationFailed,
"Invalid profile ID"):
common.validate_profile("a&b", rules.copy())
# No rules.
prof = {}
common.validate_profile("prof1", prof)
self.assertEqual(prof, {"inbound_rules": [], "outbound_rules": []})
rules = {'inbound_rules': 3,
'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed,
"Expected rules\[inbound_rules\] to be a list"
):
common.validate_profile(profile_id, rules.copy())
rule = "not a dict"
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule should be a dict"):
common.validate_profile(profile_id, rules.copy())
rule = {'bad_key': ""}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Rule contains unknown keys"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "bloop"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol bloop in rule "
"{'protocol': 'bloop'}"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 5}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid ip_version in rule"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 4,
'protocol': "icmpv6"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmpv6 with IPv4"):
common.validate_profile(profile_id, rules)
rule = {'ip_version': 6,
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Using icmp with IPv6"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'src_tag': "abc",
'protocol': "123"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
common.validate_profile(profile_id, rules)
rule = {'protocol': "256"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 256 in rule"):
common.validate_profile(profile_id, rules)
rule = {'protocol': "0"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid protocol 0 in rule"):
common.validate_profile(profile_id, rules)
rule = {'src_tag': "a!b",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid src_tag"):
common.validate_profile(profile_id, rules)
rule = {'dst_tag': "x,y",
'protocol': "icmp"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid dst_tag"):
common.validate_profile(profile_id, rules)
rule = {'src_selector': "a!b"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed,
"Calico/OpenStack is not expected to generate profiles " +
"that use selectors"
):
common.validate_profile(profile_id, rules)
rule = {'dst_selector': "+b"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(
ValidationFailed,
"Calico/OpenStack is not expected to generate profiles " +
"that use selectors"
):
common.validate_profile(profile_id, rules)
rule = {'src_net': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'dst_net': "1.2.3.4/16",
'ip_version': 6}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid CIDR"):
common.validate_profile(profile_id, rules)
rule = {'src_ports': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Expected ports to be a list"):
common.validate_profile(profile_id, rules)
rule = {'dst_ports': [32, "nonsense"]}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid port"):
common.validate_profile(profile_id, rules)
rule = {'action': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Invalid action"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': "nonsense"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': -1}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 256}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP type is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 22,
'icmp_code': "2"}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is not an integer"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0,
'icmp_code': -1}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_type': 0,
'icmp_code': 256}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code is out of range"):
common.validate_profile(profile_id, rules)
rule = {'icmp_code': 2}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"ICMP code specified without ICMP type"):
common.validate_profile(profile_id, rules)
rule = {'log_prefix': []}
rules = {'inbound_rules': [rule],
'outbound_rules': []}
with self.assertRaisesRegexp(ValidationFailed,
"Log prefix should be a string"):
common.validate_profile(profile_id, rules)
