def testTCPServiceGroup(self): tcp = TCPService.create('api-tcp', 5000) self.assertTrue(tcp.href.startswith('http')) tcp2 = TCPService.create('api-tcp2', 5001) self.assertTrue(tcp2.href.startswith('http')) result = TCPServiceGroup.create('api-tcpservicegroup', members=[tcp.href, tcp2.href]) self.assertTrue(result.href.startswith('http')) group = TCPServiceGroup('api-tcpservicegroup') self.assertIn(tcp.href, group.element) self.assertIn(tcp2.href, group.element) group.delete() tcp.delete() tcp2.delete()
def testTCPService(self): result = TCPService.create('api-tcpservice', 5000, 5005, comment='blahcomment') self.assertTrue(result.href.startswith('http')) service = TCPService('api-tcpservice') self.assertEqual(service.min_dst_port, 5000) self.assertEqual(service.max_dst_port, 5005) service.delete()
def testServiceGroup(self): """ Test service group creation """ result = TCPService.create('api-tcp', 5000) self.assertTrue(result.href.startswith('http')) result = UDPService.create('api-udp', 5001) self.assertTrue(result.href.startswith('http')) tcp = TCPService('api-tcp') udp = UDPService('api-udp') result = ServiceGroup.create('api-servicegroup', members=[tcp.href, udp.href], comment='test') self.assertTrue(result.href.startswith('http')) group = ServiceGroup('api-servicegroup') # Href in service group self.assertIn(tcp.href, group.element) self.assertIn(udp.href, group.element) group.delete() tcp.delete() udp.delete()
def add_policy(self): """ If a client AMI was specified when building a new VPC, this will add rules to allow inbound access to the AMI. This could be extended to more generically support VPN rules. """ if not self.firewall_policy: self.firewall_policy = 'AWS_Default' # Policy not specified, use the default, or check if hidden setting was specified try: FirewallPolicy.create(name='AWS_Default', template='Firewall Inspection Template') except CreatePolicyFailed: pass # Already exists policy = FirewallPolicy(self.firewall_policy) # Create the access rule for the network options = LogOptions() options.log_accounting_info_mode = True options.log_level = 'stored' options.application_logging = 'enforced' options.user_logging = 'enforced' action = Action() action.deep_inspection = True action.file_filtering = False outbound_rule = policy.search_rule('AWS outbound access rule') if not outbound_rule: # Generic outbound access rule policy.fw_ipv4_access_rules.create( name='AWS outbound access rule', sources=[Alias('$$ Interface ID 1.net')], destinations='any', services='any', action=action, log_options=options) if self.aws_ami_ip and self.nat_ports: dest_port = self.nat_ports.get('dest_port') redirect_port = self.nat_ports.get('redirect_port') services = list( TCPService.objects.filter(dest_port)) # @UndefinedVariable # Ignore services with protocol agents so we skip SSM service = next( ([service] for service in services if not service.protocol_agent), []) if not service: service = [ TCPService.create(name='aws_tcp{}'.format(dest_port), min_dst_port=dest_port) ] # Create the access rule for the client policy.fw_ipv4_access_rules.create( name=self.name, sources='any', destinations=[Alias('$$ Interface ID 0.ip')], services=service, action='allow', log_options=options) policy.fw_ipv4_nat_rules.create( name=self.name, sources='any', destinations=[Alias('$$ Interface ID 0.ip')], services=service, static_dst_nat=self.aws_ami_ip, static_dst_nat_ports=(dest_port, redirect_port), used_on=self.engine.href)