def test_delete_already_deleted_host(self):
# Verify a stale href that was deleted gives expected error
Host.create('tyler', '1.1.1.1')
host = Host('tyler').href
Host('tyler').delete()
result = SMCRequest(href=host).delete()
self.assertIsNotNone(result.msg)
def test_get_resource_link_before_cache_called(self):
Host.create(name='cachehost', address='1.1.1.1')
h = Host('cachehost')
self.assertFalse(vars(h).get('_cache'))
h.data
cache = vars(h).get('data')
self.assertIsInstance(cache, SimpleElement)
h.delete()
def test_update_no_etag(self):
# Failed PUT request
Host.create('tyler', '1.1.1.1')
a = Host('tyler')
element = a.data
element.update(name='newtyler')
result = SMCRequest(href=a.href, json=element).update()
self.assertIsNotNone(result.msg)
Host('tyler').delete()
def testGroup(self):
# Member not href
with self.assertRaises(CreateElementFailed):
Group.create('foogroup', ['test'], 'comment')
# Same as above
with self.assertRaises(CreateElementFailed):
Group.create('foogroup', ['172.18.1.80'])
# Empty group
group = Group.create('foogroup')
self.assertTrue(group.href.startswith('http'))
# Get context
group = Group('foogroup')
# Members
Host.create('groupmember', '1.1.1.1')
Network.create(name='anetwork', ipv4_network='1.1.1.0/24')
self.assertIsNone(group.update_members(members=[Host('groupmember')]))
# ETag in cache matches server after update
etag = search.element_by_href_as_smcresult(group.href).etag
self.assertEqual(group.etag, etag)
# Get the members back and verify
for member in group.obtain_members():
self.assertIn(member.name, ['groupmember'])
# Check Host has a reference to group
refs = Host('groupmember').referenced_by
self.assertEqual(refs[0].name, 'foogroup')
# Add second member and append
group.update_members(members=[Network('anetwork')], append_lists=True)
members = group.obtain_members()
self.assertTrue(len(members) == 2)
etag = search.element_by_href_as_smcresult(group.href).etag
self.assertEqual(group.etag, etag)
# Overwrite (test sending in as a href)
group.update_members(members=[Host('groupmember').href],
append_lists=False)
members = group.obtain_members()
self.assertTrue(len(members) == 1)
self.assertEqual(members[0].name, 'groupmember')
etag = search.element_by_href_as_smcresult(group.href).etag
self.assertEqual(group.etag, etag)
# Delete all members
group.empty_members()
self.assertTrue(len(group.obtain_members()) == 0)
group.rename('group2')
# Delete
Host('groupmember').delete()
group = Group('group2')
group.delete()
def test_create_error_with_unicode(self):
host = Host.create('Curaçao34', '22.22.22.22')
self.assertTrue(host.href.startswith('http'))
# fail because it already exists
with self.assertRaises(CreateElementFailed):
err = Host.create('Curaçao34', '22.22.22.22')
import re
myre = re.compile(r'.*Curaçao+')
self.assertRegexpMatches(err, myre)
Host('Curaçao34').delete()
def testReferencesByElement(self):
system = System()
Host.create('systemhost', '1.1.1.1')
host = Host('systemhost')
self.assertFalse(system.references_by_element(host.href))
# Add a group and the member to create a reference
Group.create(name='systemgroup', members=[host.href])
for references in system.references_by_element(host.href):
self.assertEqual(references.get('href'), Group('systemgroup').href)
Group('systemgroup').delete()
Host('systemhost').delete()
def test_FW_validate_fw_rule_with_vpn(self):
policy = FirewallPolicy.create(name='myfoopolicy',
template='Firewall Inspection Template')
self.assertIsInstance(policy, FirewallPolicy)
vpn = VPNPolicy.create(name='foovpn')
self.assertIsInstance(vpn, VPNPolicy)
# Bad VPN Name
with self.assertRaises(MissingRequiredInput):
policy.fw_ipv4_access_rules.create(name='myvpnrule',
sources='any',
destinations='any',
services='any',
action='enforce_vpn',
vpn_policy='foo')
# Missing VPN Name
with self.assertRaises(MissingRequiredInput):
policy.fw_ipv4_access_rules.create(name='myvpnrule',
sources='any',
destinations='any',
services='any',
action='enforce_vpn')
Host.create(name='mydest', address='1.1.1.1')
dest = Host('mydest')
policy.fw_ipv4_access_rules.create(name='myvpnrule',
sources='any',
destinations=[dest],
services='any',
action='enforce_vpn',
vpn_policy='foovpn')
for rule in policy.fw_ipv4_access_rules.all():
self.assertIsInstance(rule, IPv4Rule)
self.assertEqual(rule.name, 'myvpnrule')
rule.delete()
# IPv6 Rules
Host.create(name='myipv6',
ipv6_address='2001:0db8:85a3:0000:0000:8a2e:0370:7334')
policy.fw_ipv6_access_rules.create(name='myrule',
sources=[Host('myipv6')],
destinations='any',
services='any',
action='discard')
policy.delete()
Host('myipv6').delete()
VPNPolicy('foovpn').delete()
def testHost(self):
# Create a host and check the etag also
result = Host.create('api-test', '2.3.4.5')
self.assertTrue(result.href.startswith('http'))
# Get Etag
host = Host('api-test')
self.assertIsNotNone(host.etag)
self.assertEqual(host.address, '2.3.4.5')
self.assertEqual(host.data.get('address'), '2.3.4.5')
host.modify_attribute(address='1.1.1.1')
self.assertEqual(host.data.get('address'), '1.1.1.1')
host.secondary = ['8.8.8.8', '9.9.9.9']
for ip in host.secondary:
self.assertIn(ip, ['8.8.8.8', '9.9.9.9'])
host.ipv6_address = '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
self.assertEqual(host.ipv6_address,
'2001:0db8:85a3:0000:0000:8a2e:0370:7334')
host.add_secondary(address=['25.25.25.25'], append_lists=True)
self.assertIn('25.25.25.25', host.data.get('secondary'))
with self.assertRaises(AttributeError):
host.foobarattribute
host.rename('renamedhost')
self.assertEqual(host.data.get('name'),
'renamedhost') # Cache refreshed
host.update(etag=host.etag, name='anothername')
self.assertEqual(host.name, 'anothername')
host.delete()
def test_ospf_unicast(self):
for profile in list(Search('ospfv2_interface_settings').objects.all()):
if profile.name.startswith('Default OSPF'):
interface_profile = profile.href
area = OSPFArea.create(name='smcpython-area',
interface_settings_ref=interface_profile,
area_id=0)
self.assertTrue(area.href.startswith('http'))
area = OSPFArea('smcpython-area')
engine = Layer3Firewall.create(name='smcpython-ospf',
mgmt_ip='172.18.1.30',
mgmt_network='172.18.1.0/24',
domain_server_address=['8.8.8.8'],
enable_ospf=True)
self.assertIsInstance(engine, Engine)
host = Host.create(name='smcpython-ospf-user', address='23.23.23.23')
# Get routing resources
for interface in engine.routing.all():
if interface.name == 'Interface 0':
result = interface.add_ospf_area(area,
communication_mode='unicast',
unicast_ref=host)
self.assertIsNone(result)
engine.delete()
area.delete()
Host('smcpython-ospf-user').delete()
def test_ipv6host(self):
result = Host.create(name='mixedhost',
ipv6_address='2001:cdba::3257:9652')
self.assertTrue(result.href.startswith('http'))
host = Host('mixedhost')
self.assertEqual(host.ipv6_address, '2001:cdba::3257:9652')
host.delete()
def test_modify_non_system_element(self):
# Non system elements can be modified
result = Host.create('api-test', '2.3.4.5')
self.assertTrue(result.href.startswith('http'))
host = Host('api-test')
result = host.modify_attribute(name='newapi-test')
self.assertTrue(result.startswith('http'))
Host('newapi-test').delete()
def test_element_resolver(self):
host = Host.create('hostelement', address='1.1.1.1')
resolved = element_resolver([Host('hostelement'), 'http://2.2.2.2'])
for r in resolved:
self.assertIn(r, [host.href, 'http://2.2.2.2'])
# Catches ElementNotFound in list
with self.assertRaises(ElementNotFound):
element_resolver(elements=[Host('foobarblah')])
def test_category_tag(self):
category = Category.create('foo', comment='mycomment')
self.assertTrue(category.href.startswith('http'))
category = Category('foo')
host = Host.create(name='categoryelement', address='1.1.1.1')
# Add category tag by HREF
result = category.add_element(host)
self.assertIsNone(result)
# Search result
result = category.search_elements()
self.assertTrue(result) # Not []
self.assertTrue(result[0].name == 'categoryelement')
# Find the category tag from the element
result = Host('categoryelement').categories
self.assertTrue(result)
self.assertTrue(result[0].name == 'foo')
# Remove category
result = category.remove_element(host)
self.assertIsNone(result)
# Add by smc.base.model.Element
result = category.add_element(Host('categoryelement'))
self.assertIsNone(result)
# Search result
result = category.search_elements()
self.assertTrue(result) # Not []
self.assertTrue(result[0].name == 'categoryelement')
# Delete result by smc.base.model.Element
result = category.remove_element(Host('categoryelement'))
self.assertIsNone(result)
category_tag = CategoryTag.create(name='footag')
category.add_category_tag([category_tag.href])
for tag in category.categories:
self.assertEqual(tag.name, 'footag')
with self.assertRaises(DeleteElementFailed):
Category('foo').delete() #Dependencies
category_tag = Element.from_href(category_tag.href)
for category in category_tag.child_categories:
self.assertTrue(category.name, 'foo')
self.assertFalse(category_tag.parent_categories)
# Throwing when __setattr__ set
category_tag.remove_category([Category('foo')])
Host('categoryelement').delete()
Category('foo').delete()
def test_search_known(self):
host = Host.create('Réunion30', '30.30.30.30')
self.assertTrue(host.href.startswith('http'))
result = smc.actions.search.element_as_json('Réunion30')
self.assertEqual(u'Réunion30', result.get('name'), result)
for host in list(Search('host').objects.filter('Réunion30')):
host.delete()
def test_change_host_name_in_unicode(self):
result = Host.create('Curaçao35', '12.12.12.12')
self.assertTrue(result.href.startswith('http'))
for host in list(Search('host').objects.filter('Curaçao35')):
modified = host.modify_attribute(name='São Tomé Host35')
self.assertTrue(modified.startswith('http'))
for host in list(Search('host').objects.filter('São Tomé Host35')):
host.delete()
def test_element_update_valid(self):
host = Host.create(name='kali', address='1.1.1.1')
self.assertEqual(host.address, '1.1.1.1')
host.address = '34.34.34.34'
host.comment = 'acomment'
host.update()
for attr in vars(host).keys():
self.assertNotEqual(attr, 'address')
self.assertNotEqual(attr, 'comment')
self.assertEqual(host.address, '34.34.34.34')
def test_ipv6_address_with_secondary_ipv4(self):
result = Host.create(name='mixedhost',
ipv6_address='2001:cdba::3257:9652',
secondary=['1.1.1.1'])
self.assertTrue(result.href.startswith('http'))
host = Host('mixedhost')
self.assertEqual(host.ipv6_address, '2001:cdba::3257:9652')
self.assertIn('1.1.1.1', host.secondary)
host.delete()
def test_element_update_invalid_attribute(self):
host = Host.create(name='kali', address='1.1.1.1')
host.address = '34.34.34.34'
host.commento = 'testcomment' # Invalid attribute
with self.assertRaises(UpdateElementFailed):
host.update()
# This should not remove instance attributes
with self.assertRaises(AttributeError):
host.commento
self.assertEqual(host.address, '1.1.1.1')
host.delete()
def test_export_element(self):
# Test exporting a non-system element, should just return href
result = Host.create('api-export-test', '2.3.4.5')
self.assertTrue(result.href.startswith('http'))
host = Host('api-export-test')
self.assertIsInstance(host.export(), DownloadTask)
with self.assertRaises(TaskRunFailed):
host.export(filename='/foo').wait()
host.delete()
def test_host_using_callable_attribute(self):
class Address:
def __call__(self):
return '123.123.123.123'
host = Host.create('graciebear', address='1.1.1.1')
self.assertEqual(host.address, '1.1.1.1')
host.address = Address()
host.update()
self.assertEqual(host.address, '123.123.123.123')
host.delete()
def test_Expression(self):
# Test creating an expression
Host.create('host9', '9.9.9.9')
Host.create('host10', '10.10.10.10')
host9 = Host('host9')
host10 = Host('host10')
sub_expression = Expression.build_sub_expression(
name='mytestexporession',
ne_ref=[host9.href, host10.href],
operator='union')
expression = Expression.create(name='pythonexpression',
ne_ref=[],
sub_expression=sub_expression)
self.assertTrue(expression.href.startswith('http'))
expr = Expression('pythonexpression')
expr.delete()
host9.delete()
host10.delete()
def test_FW_rule_with_outliers(self):
policy = FirewallPolicy.create(name='myfoopolicy',
template='Firewall Inspection Template')
self.assertIsInstance(policy, FirewallPolicy)
host = Host.create('asourcehost', '1.1.1.1')
services = list(Search('tcp_service').objects.filter('HTTP'))
policy.fw_ipv4_access_rules.create(name='myrule',
sources=[host],
services=services)
# Rule with no sources
policy.fw_ipv4_access_rules.create(name='myrule',
sources=[host],
services=services)
policy.delete()
Host('asourcehost').delete()
def test_layer3_engine_methods(self):
# Test each of the top level engine methods
engine = Layer3Firewall.create(name='smcpython-fw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
self.assertIsInstance(engine, Engine)
if session.api_version >= 6.1:
test = Engine('smcpython-fw')
self.assertTrue(test.type == 'single_fw')
self.assertTrue(test.href.startswith('http'))
self.assertTrue(test.version is None)
self.assertTrue(isinstance(test.nodes, list))
# Modify an attribute, i.e. antivirus:
self.assertTrue(
engine.modify_attribute(
antivirus={
'antivirus_enabled': False,
'antivirus_update': 'daily',
'antivirus_update_day': 'mo',
'antivirus_update_time': 21600000,
'virus_log_level': 'none',
'virus_mirror': 'update.nai.com/Products/CommonUpdater'
}).startswith('http'))
# Test Fail load using wildcard
Host.create('testengine', '1.1.1.1')
Host.create('testengine2', '2.2.2.2')
with self.assertRaises(ElementNotFound):
foo = Engine('testengine*')
foo.href
Host('testengine').delete()
Host('testengine2').delete()
# Engine type
self.assertEqual(engine.type, 'single_fw')
# Get the node type
self.assertEqual(engine.nodes[0].type, 'firewall_node')
# Iterate nodes
for node in engine.nodes:
self.assertIsInstance(repr(node), str)
self.assertIsInstance(node, Node)
# Get permissions, only for SMC API >- 6.1
if session.api_version >= 6.1:
for x in engine.permissions:
self.assertIsInstance(x, AccessControlList)
else:
self.assertRaises(UnsupportedEngineFeature,
lambda: engine.permissions())
# Get aliases
aliases = engine.alias_resolving()
for alias in aliases:
self.assertIsInstance(alias, Alias)
self.assertIsNotNone(alias.name)
self.assertTrue(alias.href.startswith('http'))
self.assertIsInstance(alias.resolved_value, list)
# Resolve the IP address alias for this engine
alias = Alias('$$ Interface ID 0.ip')
self.assertIn('1.1.1.1', alias.resolve('smcpython-fw'))
# Blacklist, will fail as engine is not live or connected to SMC
self.assertRaises(EngineCommandFailed,
lambda: engine.blacklist('1.1.1.1/32', '0.0.0.0/0'))
# Blacklist flush, same as above
self.assertRaises(EngineCommandFailed,
lambda: engine.blacklist_flush())
# Add route, valid
result = engine.add_route('1.1.1.254', '192.168.1.0/24')
self.assertIsNone(result)
# Add route, invalid, msg attribute set
self.assertRaises(EngineCommandFailed,
lambda: engine.add_route('2.2.2.2', '10.10.10.0/22'))
# Get routes, will catch SMCConnectionException because the engine doesnt
# exist and will be unresponsive. It should catch and return empty list
# A response is sent back in 6.1.2, but should be none
if is_min_required_smc_version('6.1.2'):
self.assertRaises(EngineCommandFailed,
lambda: engine.routing_monitoring)
else: # Timeout in version 6.1.1 or earlier
self.assertRaises(EngineCommandFailed,
lambda: engine.routing_monitoring)
# Get antispoofing info
Network.create(name='network-10.1.2.0/24', ipv4_network='10.1.2.0/24')
spoofing = engine.antispoofing
self.assertIsInstance(spoofing, Antispoofing)
for entry in engine.antispoofing.all():
if entry.name == 'Interface 0':
self.assertEqual(entry.level, 'interface')
self.assertEqual(entry.validity, 'enable')
entry.add(Network('network-10.1.2.0/24'))
# Look for our network
for entry in engine.antispoofing.all():
if entry.name == 'Interface 0':
for network in entry.all():
if network.name == 'network-10.1.2.0/24':
self.assertEqual(network.ip, '10.1.2.0/24')
self.assertTrue(
engine.internal_gateway.name.startswith('smcpython-fw'))
# Get internal gateway
for gw in engine.internal_gateway.internal_endpoint.all():
self.assertEqual(gw.name, '1.1.1.1') # matches interface IP
# Get vpn sites
for sites in engine.internal_gateway.vpn_site.all():
self.assertTrue(
sites.name.startswith('Automatic Site for smcpython-fw'))
# Gen certificate for internal gateway, fail because engine can't gen
# cert
v = VPNCertificate('myorg', 'foo.org')
self.assertRaises(
CertificateError,
lambda: engine.internal_gateway.generate_certificate(v))
# Gateway certificate request, not implemented as of 0.3.7
self.assertTrue(
len(engine.internal_gateway.gateway_certificate()) == 0)
# Gateway certificate, not implemented as of 0.3.7
self.assertTrue(
len(engine.internal_gateway.gateway_certificate_request()) == 0)
# Get a virtual resource on non supported device type
self.assertRaises(UnsupportedEngineFeature,
lambda: engine.virtual_resource)
# Get interfaces
for intf in engine.interface.all():
self.assertEqual(intf.name, 'Interface 0')
# Get virtual physical interface, not supported on layer 3 engine
self.assertRaises(UnsupportedInterfaceType,
lambda: engine.virtual_physical_interface)
# Get modem interfaces
self.assertTrue(len(engine.modem_interface) == 0)
# Get adsl interfaces
self.assertTrue(len(engine.adsl_interface) == 0)
# Get wireless interface
self.assertTrue(len(engine.wireless_interface) == 0)
# Get switch interface
self.assertTrue(len(engine.switch_physical_interface) == 0)
# Get tunnel interfaces
engine.tunnel_interface.add_single_node_interface(
tunnel_id=1000, address='2.2.2.2', network_value='2.2.2.0/24')
intf = engine.interface.get(1000)
self.assertIsInstance(intf, TunnelInterface)
# Query tunnel interfaces
for intf in engine.tunnel_interface.all():
self.assertEqual(intf.name, 'Tunnel Interface 1000')
# Refresh policy, fails as engine not ready
self.assertRaises(TaskRunFailed, lambda: engine.refresh())
# Upload, policy doesn't exist
self.assertRaises(TaskRunFailed, lambda: engine.upload(policy='foo'))
# Generate snapshot #TODO: Bug
with self.assertRaises(EngineCommandFailed):
engine.generate_snapshot()
# See snapshots. Policy hasnt been pushed yet so they wont exist
self.assertTrue(len(list(engine.snapshots)) == 0)
# Delete
engine.delete()
Network('network-10.1.2.0/24').delete()
def testHost_no_addresses(self):
with self.assertRaises(CreateElementFailed):
Host.create(name='mixedhost')
def test_create_host_with_unicode(self):
result = Host.create('Réunion33', '30.30.30.30')
self.assertTrue(result.href.startswith('http'))
for host in list(Search('host').objects.filter('Réunion33')):
host.delete()
NATIP = args.n
IPV6Network = args.p
#################
#Strings zusammen bauen
#################
cnameV4 = cname + '-v4'
cnameV6 = cname + '-v6'
cnameNAT = cname + '-NAT'
#################
#Host NAT Element erstellen
#################
Host.create(name=cnameNAT, address=NATIP, comment='Erstellt via Script')
#################
#Network IPv6 Element erstellen
#################
Network.create(name=cnameV6, ipv6_network=IPV6Network, comment='Erstellt via Script')
#################
#IPv6 Sub Policy erstellen
#################
p = FirewallIPv6SubPolicy.create(name=cnameV6)
p.fw_ipv6_access_rules.create_rule_section(name='Outbound')
p.fw_ipv6_access_rules.create(name='Default Outgoing', sources=[Network(cnameV6)], destinations='any', services=[TCPService('SSH'), TCPService('HTTP'), TCPService('HTTPS'), UDPService('NTP (UDP)'), ServiceGroup('DNS')], action='allow', after='Outbound')
p.fw_ipv6_access_rules.create_rule_section(name='Inbound', add_pos=30)
def test_modify_rules(self):
policy = FirewallPolicy.create(name='myfoopolicy',
template='Firewall Inspection Template')
Host.create(name='foobar', address='1.1.1.1')
host = Host('foobar')
# No action, default to Allow, position set, but no rules so added
# normally
policy.fw_ipv4_access_rules.create(name='myrule',
sources=[host],
add_pos=10)
for rule in policy.fw_ipv4_access_rules.all():
if rule.name == 'myrule':
self.assertEqual(rule.action.action, 'allow')
self.assertIsInstance(rule.authentication_options,
AuthenticationOptions)
self.assertIsInstance(rule.options, LogOptions)
self.assertFalse(rule.is_disabled)
self.assertEqual(rule.parent_policy.name, 'myfoopolicy')
self.assertTrue(rule.destinations.is_none)
self.assertTrue(rule.services.is_none)
self.assertFalse(rule.services.all())
for source in rule.sources.all():
self.assertEqual(source.name, 'foobar')
rule.disable()
rule.comment = 'mycomment'
rule.services.set_any()
rule.save()
self.assertEqual(rule.comment, 'mycomment')
self.assertTrue(rule.is_disabled)
rule.enable()
rule.save()
self.assertFalse(rule.is_disabled)
self.assertTrue(rule.services.is_any)
rule.delete()
Host('foobar').delete()
policy.fw_ipv4_access_rules.create(name='myrule',
sources='any',
destinations=[Host('badhost')],
action=Action())
# Will be returned as type "Element"
engine = Layer3Firewall.create(name='tmpfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
Host.create(name='boo', address='12.12.12.12')
for rule in policy.fw_ipv4_access_rules.all():
if rule.name == 'myrule':
self.assertTrue(rule.destinations.is_none)
self.assertTrue(rule.action.action == 'allow')
self.assertTrue(rule.sources.is_any)
# Host doesn't exist, destinations will remain none
rule.destinations.add(Host('blah'))
rule.save()
self.assertTrue(rule.destinations.is_none)
rule.destinations.add_many([Host('boo'), engine])
rule.save()
dests = list(rule.destinations.all())
self.assertTrue(len(dests) == 2)
for x in rule.destinations.all():
self.assertIsInstance(x, Element)
self.assertIn(x.name, ['tmpfw', 'boo'])
# Test Match Expression
DomainName.create('lepages.net')
Zone.create('MyExZone')
match = MatchExpression.create(name='mymatch',
network_element=Host('boo'),
domain_name=DomainName('lepages.net'),
zone=Zone('MyExZone'))
policy.fw_ipv4_access_rules.create(name='matchex',
sources=[match],
destinations='any',
services='any')
rule = policy.search_rule('matchex')[0]
self.assertTrue(len(rule.sources.all()[0].values()) == 3)
for source in rule.sources.all():
for values in source.values():
self.assertIn(values.name, ['boo', 'lepages.net', 'MyExZone'])
# Test after and before rule position options
# Need rule tag for rule we are inserting around
rule = policy.search_rule('matchex')[0]
policy.fw_ipv4_access_rules.create(name='ruleafter', after=rule.tag)
policy.fw_ipv4_access_rules.create(name='rulebefore', before=rule.tag)
gen = policy.fw_ipv4_access_rules.all()
for x in gen:
if x.name == 'rulebefore':
break
matchex = next(gen)
ruleafter = next(gen)
self.assertEqual(matchex.name, 'matchex')
self.assertEqual(ruleafter.name, 'ruleafter')
# Add a jump rule
with self.assertRaises(MissingRequiredInput):
policy.fw_ipv4_access_rules.create(
name='jumprule',
action='jump',
sub_policy=FirewallSubPolicy('blahblah'))
FirewallSubPolicy.create('subfoo')
policy.fw_ipv4_access_rules.create(
name='jumprule',
action='jump',
sub_policy=FirewallSubPolicy('subfoo'))
rule = policy.search_rule('jumprule')[0]
self.assertEqual(rule.action.action, 'jump')
self.assertEqual(rule.action.sub_policy.href,
FirewallSubPolicy('subfoo').href)
policy.delete()
DomainName('lepages.net').delete()
Zone('MyExZone').delete()
Host('boo').delete()
time.sleep(3)
engine.delete()
def test_NATRules(self):
policy = FirewallPolicy.create(name='apitestpolicy',
template='Firewall Inspection Template')
Host.create('nathost', address='1.1.1.1')
Host.create('sourcenat', address='2.2.2.2')
engine = Layer3Firewall.create(name='natfw',
mgmt_ip='1.1.1.1',
mgmt_network='1.1.1.0/24')
# Source NAT using port restrictions
policy.fw_ipv4_nat_rules.create(name='dynsrcnat',
sources='any',
destinations=[Host('nathost')],
services='any',
dynamic_src_nat='2.2.2.2',
dynamic_src_nat_ports=(30000, 35000))
# Dest NAT by IP
policy.fw_ipv4_nat_rules.create(name='dstnat',
sources='any',
destinations=[Host('nathost')],
services='any',
static_dst_nat='3.3.3.3')
# Destination field cannot be any or none with dest NAT
with self.assertRaises(InvalidRuleValue):
policy.fw_ipv4_nat_rules.create(name='foo',
sources='any',
destinations='any',
services='any',
static_dst_nat='3.3.3.3')
# Source and Dest NAT
policy.fw_ipv4_nat_rules.create(name='dstandsrcnat',
sources='any',
destinations=[Host('sourcenat')],
services='any',
dynamic_src_nat='5.5.5.5',
static_dst_nat='3.3.3.3',
static_dst_nat_ports=(22, 2222))
policy.fw_ipv4_nat_rules.create(name='nonatrule',
sources='any',
destinations='any',
services='any')
# Static src NAT
if is_min_required_smc_version('6.1.2'):
policy.fw_ipv4_nat_rules.create(name='static_src_nat',
sources=[Host('sourcenat')],
destinations='any',
static_src_nat='1.1.1.1')
else:
with self.assertRaises(CreateRuleFailed):
policy.fw_ipv4_nat_rules.create(name='static_src_nat',
sources=[Host('sourcenat')],
destinations='any',
static_src_nat='1.1.1.1')
# Invalid rule
with self.assertRaises(CreateRuleFailed):
policy.fw_ipv4_nat_rules.create(name='foo',
sources='any',
destinations=['any'],
services='any',
static_dst_nat='1.1.1.1')
for rule in policy.fw_ipv4_nat_rules.all():
self.assertIsInstance(rule, IPv4NATRule)
if rule.name == 'dynsrcnat':
self.assertEqual(rule.dynamic_src_nat.translated_value,
'2.2.2.2')
# Not valid for dyn src nat
self.assertIsNone(rule.dynamic_src_nat.original_value)
self.assertEqual(rule.dynamic_src_nat.translated_ports,
(30000, 35000))
elif rule.name == 'dstnat':
if is_min_required_smc_version('6.1.2'):
self.assertEqual(rule.static_dst_nat.translated_value,
'3.3.3.3')
self.assertEqual(rule.static_dst_nat.original_value,
'1.1.1.1')
else: # Version 6.1.1
self.assertEqual(rule.static_dst_nat.translated_value,
'3.3.3.3')
self.assertEqual(rule.static_dst_nat.original_value,
Host('nathost').href)
elif rule.name == 'dstandsrcnat':
self.assertEqual(rule.dynamic_src_nat.translated_ports,
(1024, 65535))
self.assertEqual(rule.dynamic_src_nat.translated_value,
'5.5.5.5')
self.assertEqual(rule.static_dst_nat.translated_value,
'3.3.3.3')
source_port, dest_port = rule.static_dst_nat.translated_ports
self.assertEqual(source_port, 22)
self.assertEqual(dest_port, 2222)
elif rule.name == 'nonatrule':
self.assertFalse(rule.static_src_nat.has_nat)
self.assertFalse(rule.dynamic_src_nat.has_nat)
self.assertFalse(rule.static_dst_nat.has_nat)
# Test unsed on attribute
self.assertIsNone(rule.used_on)
# Catch the ElementNotFound, no change
rule.used_on = Host('nonexistanthost')
self.assertIsNone(rule.used_on)
rule.used_on = engine
self.assertEqual(rule.used_on.name, 'natfw')
# IPv6 NAT
Host.create(name='myipv6',
ipv6_address='2001:0db8:85a3:0000:0000:8a2e:0370:7334')
policy.fw_ipv6_nat_rules.create(name='mynat',
sources=[Host('myipv6')],
destinations='any',
services='any',
dynamic_src_nat='2001:db8::2:1')
rule_matches = policy.search_rule('nonatrule')
self.assertIsInstance(rule_matches[0], IPv4NATRule)
no_rule_match = policy.search_rule('blahblahfoo')
self.assertTrue(len(no_rule_match) == 0)
engine.delete()
policy.delete()
Host('nathost').delete()
Host('sourcenat').delete()
Host('myipv6').delete()
"""
FirewallPolicy.create(name='smcpython',
template='Firewall Inspection Template')
"""
Get an existing policy
"""
policy = FirewallPolicy('smcpython')
"""
Open the policy for editing, create a rule, and save the policy
"""
myservices = describe_tcp_service(name=['HTTP', 'HTTPS'])
myservices = [service.href for service in myservices]
host = Host.create(name='amazon-linux-host', address='192.168.1.5')
mysources = [host.href]
mydestinations = 'any'
policy.fw_ipv4_access_rules.create(name='mynewrule',
sources=mysources,
destinations=mydestinations,
services=myservices,
action='permit')
"""
View a metadata version of each configured rule
"""
for rule in policy.fw_ipv4_access_rules.all():
print rule.name
"""
FirewallPolicy.create(name='smcpython',
template='Firewall Inspection Template')
"""
Get an existing policy
"""
policy = FirewallPolicy('smcpython')
"""
Open the policy for editing, create a rule, and save the policy
"""
myservices = describe_tcp_service(name=['HTTP', 'HTTPS'])
myservices = [service.href for service in myservices]
host = Host.create(name='amazon-linux-host', address='192.168.1.5')
mysources = [host.href]
mydestinations = 'any'
policy.fw_ipv4_access_rules.create(name='mynewrule',
sources=mysources,
destinations=mydestinations,
services=myservices,
action='permit')
"""
View a metadata version of each configured rule
"""
for rule in policy.fw_ipv4_access_rules.all():
print rule.name
def setUp(self):
session.login(url=url, api_key=api_key, verify=verify)
Host.create('test-common-api-user', '12.12.12.12')
# used for wildcard searches
Host.create('test-api-user', '12.12.12.12')
