def fix_acls(self, conf):
# Recursively walk config replacing all acls with ACL objects
for k, v in conf.items():
if k == 'acls':
if isinstance(v, dict):
for ip, acls in v.items():
conf[k][ip] = [
ACL(x['match'], x['action']) for x in acls
]
else:
conf[k] = [ACL(x['match'], x['action']) for x in v]
elif isinstance(v, dict):
self.fix_acls(v)
def __list_templates(self):
"""list all template for project
列出指定项目下的所有模板
Args:
Returns:
List[]
"""
pid = int(self.get_argument('pid', 0))
if pid == 0:
self.write(json.dumps(Error.CGIREQUESTERR))
return
page = int(self.get_argument('page', 1))
temp = ModTemplate(self.application)
# 权限过滤
template_acl_filter = "" if ACL.is_root(
pid, self.userinfo['acl']
) != 0 else " allow like '%\"" + self.userinfo['username'] + "\"%' "
count, data = temp.get_template_list(pid, 200, page,
template_acl_filter,
'template_id desc')
if type(data) in (dict, ):
self.write(json.dumps(data))
return
self.render('admin_template_list.html',
project_id=pid,
templates=data,
userinfo=self.userinfo)
return
def test_friend_blob_addDelta_expired_token(self):
zauth = AuthSystem.getExpiredToken(Constants.ZID)
delta = "sample delta value"
ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE)
for element in ACL_arr:
if (element == 'any'):
delete_prev_deltas(Constants.ZID)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID+1,Constants.DELTATYPE,delta ] ,[403])
self.assertTrue(ret, msg=result)
elif (element == 'self'):
delete_prev_deltas(Constants.ZID)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID,Constants.DELTATYPE,delta ] ,[403])
self.assertTrue(ret, msg=result)
elif (element == 'none'):
delete_prev_deltas(Constants.ZID)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID,Constants.DELTATYPE,delta ] ,[403])
self.assertTrue(ret, msg=result)
else:
delete_prev_deltas(Constants.ZID)
ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID),element)
fid_list=ret['result']['data'][element]
fid = random.choice(fid_list)
res=delete_prev_deltas(fid)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID,Constants.DELTATYPE,delta ] ,[403])
self.assertTrue(ret, msg=result)
"""for non-friend, 403 should be returned as err code"""
nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID))
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , nfid , Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
def _remove_flow(self, flow):
"""
Remove a specific flow from an EVC_MAP. This includes removing any
ACL entries associated with the flow and could result in moving the
EVC-MAP over to another EVC.
:param flow: (FlowEntry) Flow to remove
"""
try:
del self._flows[flow.flow_id]
# Remove any ACLs
acl_name = ACL.flow_to_name(flow)
acl = None
# if not yet installed just remove it from list
if acl_name in self._new_acls:
del self._new_acls[acl_name]
else:
acl = self._existing_acls[acl_name]
if acl is not None:
# Remove ACL from EVC-MAP entry
try:
map_xml = self._ingress_remove_acl_xml(
self._gem_ids_and_vid, acl)
log.debug('remove', xml=map_xml, name=acl.name)
results = yield self._handler.netconf_client.edit_config(
map_xml)
if results.ok:
del self._existing_acls[acl.name]
# Scan EVC to see if it needs to move back to the Utility
# or Untagged EVC from a user data EVC
if self._evc and not self._evc.service_evc and\
len(self._flows) > 0 and\
all(f.is_acl_flow for f in self._flows.itervalues()):
self._evc.remove_evc_map(self)
first_flow = self._flows.itervalues().next()
self._evc = first_flow.get_utility_evc(None, True)
self._evc.add_evc_map(self)
log.debug('moved-acl-flows-to-utility-evc',
newevcname=self._evc.name)
self._needs_update = True
self._evc.schedule_install()
except Exception as e:
log.exception('acl-remove-from-evc', e=e)
# Remove ACL itself
try:
yield acl.remove()
except Exception as e:
log.exception('acl-remove', e=e)
except Exception as e:
log.exception('remove-failed', e=e)
def test_friend_blob_queryDeltas_empty_token(self):
zauth=None
user_query = {Constants.USER_QUERY: Constants.F_QUERY, "params":[] }
ACL_arr=ACL.getGraphTypes('friend.blob.queryDeltas',Constants.DELTATYPE)
delta="some delta"
for element in ACL_arr:
if (element == 'any'):
self.test_friend_blob_addDelta()
ret , result = self.check_pass(friend_blob_queryDeltas , [zauth , Constants.ZID+1,user_query] ,[403])
self.assertTrue(ret, msg=result)
elif (element == 'self'):
self.test_friend_blob_addDelta()
ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,Constants.ZID, user_query] ,[403])
self.assertTrue(ret, msg=result)
elif (element == 'none'):
ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,Constants.ZID, user_query] ,[403])
self.assertTrue(ret, msg=result)
else:
"""graph-list"""
ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID), element )
fid_list=ret['result']['data'][element]
fid = random.choice(fid_list)
self.test_friend_blob_addDelta()
ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,fid,user_query] ,[403])
self.assertTrue(ret, msg=result)
"""for non-friends"""
nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID))
ret , result = self.check_pass(friend_blob_queryDeltas , [zauth ,nfid,user_query] ,[403])
self.assertTrue(ret, msg=result)
def test_friend_blob_addDelta(self):
zauth = AuthSystem.getUntrustedToken(Constants.ZID)
ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE)
delta = "sample delta value"
for element in ACL_arr:
if (element == 'any'):
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[0])
self.assertTrue(ret, msg=result)
elif (element == 'self'):
ret,result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[0])
self.assertTrue(ret, msg=result)
elif (element == 'none'):
ret,result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
else:
"""graph-list """
ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID),element)
fid_list=ret['result']['data'][element]
fid = random.choice(fid_list)
res=delete_prev_deltas(fid)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , fid , Constants.DELTATYPE , delta ] ,[0])
self.assertTrue(ret, msg=result)
"""check for failure when non friend tries to add delta"""
nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID))
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , nfid , Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
def test_friend_blob_get_no_zauth_header(self):
zauth = AuthSystem.getUntrustedToken(Constants.ZID)
ACL_arr=ACL.getGraphTypes('friend.blob.get', Constants.USER_BLOB)
for element in ACL_arr:
if (element == 'any') or (element == 'self') or (element == 'none'):
ret , result = self.check_pass(friend_blob_get_no_Zauth_head , [ Constants.ZID, Constants.USER_BLOB],[403])
self.assertTrue(ret, msg = result)
else:
"In this case it is a graphlist"
ret = get_friend_nofriend_id(zauth, element )
fid_list = ret['result']['data'][element]
fid = random.choice(fid_list)
"""If friend blob is empty, update some value and then fetch the blob, through friend.blob.get api"""
fzauth=AuthSystem.getUntrustedToken(fid)
result = user_blob_get( fzauth )
if "'CAS': None" in str(result):
cas= " "
data = data_to_post()
result = user_blob_set( fzauth, Constants.USER_BLOB, data, cas)
else:
cas = result[ Constants.BLOBS ][ Constants.USER_BLOB ][ Constants.GH_CAS ]
"""Checking for friend"""
ret , result = self.check_pass(friend_blob_get_no_Zauth_head , [ fid, Constants.USER_BLOB],[403])
self.assertTrue(ret, msg = result)
"""cheking for non-friend"""
nfid=nfzid(zauth)
ret , result = self.check_pass(friend_blob_get_no_Zauth_head , [ nfid, Constants.USER_BLOB],[403])
self.assertTrue(ret, msg = result)
def add_acls_to_port(self, port, acls):
for acl in acls:
acl = ACL(acl['match'], acl['action'])
if acl in self.portdb[port]['acls']:
index = self.portdb[port]['acls'].index(acl)
self.portdb[port]['acls'][index] = acl
else:
self.portdb[port]['acls'].append(acl)
def test_user_blob_queryDeltas_Mixed_case_char(self):
zauth = AuthSystem.getUntrustedToken(Constants.ZID)
user_query = {Constants.USER_QUERY: "select * from DeLTAs" , "params": {"type": Constants.DELTATYPE}}
ACL_arr = ACL.getGraphTypes('user.blob.queryDeltas',Constants.DELTATYPE)
for element in ACL_arr:
if (element == 'any' or element == 'self' or element == 'none'):
ret,result = self.check_pass(user_blob_queryDeltas , [zauth , user_query],[403])
self.assertTrue(ret, msg=result)
else:
self.fail(msg="invalid ACL rule for the api")
def test_user_blob_queryDeltas_noquery(self):
zauth = AuthSystem.getUntrustedToken(Constants.ZID)
user_query=None
ACL_arr = ACL.getGraphTypes('user.blob.queryDeltas',Constants.DELTATYPE)
for element in ACL_arr:
if (element == 'any' or element == 'self' or element == 'none'):
ret,result = self.check_pass(user_blob_queryDeltas , [zauth , user_query],[403])
self.assertTrue(ret, msg=result)
else:
self.fail(msg="invalid ACL rule for the api")
def _dp_parser_v2(logger, acls_conf, dps_conf, routers_conf, vlans_conf):
dps = []
vid_dp = {}
for identifier, dp_conf in list(dps_conf.items()):
try:
dp = DP(identifier, dp_conf)
dp.sanity_check()
dp_id = dp.dp_id
vlans = {}
for vid, vlan_conf in list(vlans_conf.items()):
vlans[vid] = VLAN(vid, dp_id, vlan_conf)
acls = []
for acl_ident, acl_conf in list(acls_conf.items()):
acls.append((acl_ident, ACL(acl_ident, acl_conf)))
routers = []
for router_ident, router_conf in list(routers_conf.items()):
routers.append((router_ident, Router(router_ident,
router_conf)))
if routers:
assert len(routers) == 1, 'only one router supported'
router_ident, router = routers[0]
assert set(router.vlans) == set(
vlans.keys()), 'only global routing supported'
dp.add_router(router_ident, router)
ports_conf = dp_conf.pop('interfaces', {})
ports = {}
# as users can config port vlan by using vlan name, we store vid in
# Port instance instead of vlan name for data consistency
for port_num, port_conf in list(ports_conf.items()):
port = port_parser(dp_id, port_num, port_conf, vlans)
ports[port_num] = port
if port.native_vlan is not None:
vlan = vlans[port.native_vlan]
port.native_vlan = vlan
_dp_add_vlan(vid_dp, dp, vlan)
if port.tagged_vlans is not None:
tagged_vlans = []
for v_identifier in port.tagged_vlans:
vlan = vlans[v_identifier]
tagged_vlans.append(vlan)
_dp_add_vlan(vid_dp, dp, vlan)
port.tagged_vlans = tagged_vlans
except AssertionError as err:
logger.exception('Error in config file: %s', err)
return None
for port in list(ports.values()):
dp.add_port(port)
for acl_ident, acl in acls:
dp.add_acl(acl_ident, acl)
dps.append(dp)
return dps
def _dp_parser_v2(logger, acls_conf, dps_conf, meters_conf, routers_conf,
vlans_conf):
dps = []
vid_dp = {}
for identifier, dp_conf in list(dps_conf.items()):
try:
dp = DP(identifier, dp_conf)
dp.sanity_check()
dp_id = dp.dp_id
vlans = {}
for vlan_ident, vlan_conf in list(vlans_conf.items()):
vlans[vlan_ident] = VLAN(vlan_ident, dp_id, vlan_conf)
acls = []
for acl_ident, acl_conf in list(acls_conf.items()):
acls.append((acl_ident, ACL(acl_ident, acl_conf)))
for router_ident, router_conf in list(routers_conf.items()):
router = Router(router_ident, router_conf)
dp.add_router(router_ident, router)
for meter_ident, meter_conf in list(meters_conf.items()):
dp.meters[meter_ident] = Meter(meter_ident, meter_conf)
ports_conf = dp_conf.pop('interfaces', {})
ports = {}
# as users can config port vlan by using vlan name, we store vid in
# Port instance instead of vlan name for data consistency
for port_num, port_conf in list(ports_conf.items()):
port = port_parser(dp_id, port_num, port_conf, vlans)
ports[port_num] = port
if port.native_vlan is not None:
vlan = _get_vlan_by_identifier(dp_id, port.native_vlan,
vlans)
port.native_vlan = vlan
_dp_add_vlan(vid_dp, dp, vlan)
if port.tagged_vlans is not None:
tagged_vlans = []
for vlan_ident in port.tagged_vlans:
vlan = _get_vlan_by_identifier(dp_id, vlan_ident,
vlans)
tagged_vlans.append(vlan)
_dp_add_vlan(vid_dp, dp, vlan)
port.tagged_vlans = tagged_vlans
except AssertionError as err:
logger.exception('Error in config file: %s', err)
return None
for port in list(ports.values()):
dp.add_port(port)
for acl_ident, acl in acls:
dp.add_acl(acl_ident, acl)
dps.append(dp)
return dps
def test_friend_blob_addDelta_Max_delta_count(self):
zauth = AuthSystem.getUntrustedToken(Constants.ZID)
delta="some delta"
limit=ConfigService.getDeltaLimits(Constants.DELTATYPE)
maxcount=limit['maxcount']
keep=limit['keep']
if (keep is False):
self.assertTrue(False,msg="Check for keep variable in storage.yaml file for the delta type")
ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE)
for element in ACL_arr:
if (element == 'any'):
delete_prev_deltas(Constants.ZID)
delta_max=delta_max_count(zauth , Constants.ZID+1 , Constants.DELTATYPE,maxcount,delta)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID+1, Constants.DELTATYPE , delta ] ,[413])
self.assertTrue(ret, msg=result)
elif (element == 'self'):
delete_prev_deltas(Constants.ZID)
delta_max=delta_max_count(zauth , Constants.ZID , Constants.DELTATYPE,maxcount,delta)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,Constants.ZID , Constants.DELTATYPE , delta ] ,[413])
self.assertTrue(ret, msg=result)
elif (element == 'none'):
delete_prev_deltas(Constants.ZID)
delta_max=delta_max_count(zauth ,Constants.ZID , Constants.DELTATYPE,maxcount,delta)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,Constants.ZID,Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
else:
"""This is graph-list """
delete_prev_deltas(Constants.ZID)
ret = get_friend_nofriend_id(zauth, element )
fid_list=ret['result']['data'][element]
fid = random.choice(fid_list)
delta_max=delta_max_count(zauth , fid , Constants.DELTATYPE,maxcount,delta)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,fid, Constants.DELTATYPE , delta ] ,[413])
self.assertTrue(ret, msg=result)
"""for non-friends"""
delete_prev_deltas(Constants.ZID)
nfid=nfzid(zauth)
delta_max=delta_max_count(zauth , fid , Constants.DELTATYPE,maxcount,delta)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth ,nfid, Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
def test_friend_blob_addDelta_Exceed_content_Limit(self):
zauth = AuthSystem.getUntrustedToken(Constants.ZID)
limit=ConfigService.getDeltaLimits(Constants.DELTATYPE)
ACL_arr=ACL.getGraphTypes('friend.blob.addDelta',Constants.DELTATYPE)
for element in ACL_arr:
if (element == 'any'):
#delete_prev_deltas(fid)
delete_prev_deltas(Constants.ZID)
delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[413])
self.assertTrue(ret, msg=result)
elif (element == 'self'):
delete_prev_deltas(Constants.ZID)
delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[413])
self.assertTrue(ret, msg=result)
elif (element == 'none'):
delete_prev_deltas(Constants.ZID)
delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , Constants.ZID, Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
else:
"""This is graph-list """
delete_prev_deltas(Constants.ZID)
ret = get_friend_nofriend_id(AuthSystem.getUntrustedToken(Constants.ZID), element )
fid_list=ret['result']['data'][element]
fid = random.choice(fid_list)
delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , fid , Constants.DELTATYPE , delta ] ,[413])
self.assertTrue(ret, msg=result)
"""for non-friends"""
delete_prev_deltas(Constants.ZID)
nfid=nfzid(AuthSystem.getUntrustedToken(Constants.ZID))
delta=delta_max_size(limit['maxsize']+1024,Constants.DELTATYPE)
ret , result = self.check_pass(friend_blob_addDelta , [ zauth , nfid, Constants.DELTATYPE , delta ] ,[403])
self.assertTrue(ret, msg=result)
def acl(self):
return ACL(self)
def __init__(self, *args, **kwargs):
super(Valve, self).__init__(*args, **kwargs)
self.mac_to_port = {}
self._snoop = kwargs['igmplib']
# if you want a switch to operate as a querier,
# set up as follows:
self._snoop.set_querier_mode(dpid=str_to_dpid('0000000000000001'),
server_port=2)
# dpid the datapath id that will operate as a querier.
# server_port a port number which connect to the multicast
# server.
#
# NOTE: you can set up only the one querier.
# when you called this method several times,
# only the last one becomes effective.
# start a thread for stats gethering
self.stats_event = hub.Event()
self.threads.append(hub.spawn(self.stats_loop))
self.datapaths = []
self.statstimeout = 5
# Setup logging
handler = logging.StreamHandler()
log_format = '%(asctime)s %(name)-8s %(levelname)-8s %(message)s'
formatter = logging.Formatter(log_format, '%b %d %H:%M:%S')
handler.setFormatter(formatter)
self.logger.addHandler(handler)
self.logger.propagate = 0
# Read in config file
self.portdb = None
self.vlandb = {}
self.acldb = {}
with open('valve.yaml', 'r') as stream:
self.portdb = yaml.load(stream)
# Make sure exclude property always exists in 'default'
if 'default' in self.portdb and 'exclude' not in self.portdb['default']:
self.portdb['default'] = []
# Make sure acls property always at the top level
if 'acls' not in self.portdb:
self.portdb['acls'] = {}
# Parse top level acls
for nw_address in self.portdb['acls']:
if nw_address not in self.acldb:
self.acldb[nw_address] = []
for acl in self.portdb['acls'][nw_address]:
acl = ACL(acl['match'], acl['action'])
self.logger.info("adding %s on nw_dst:%s" % (acl, nw_address))
self.acldb[nw_address].append(acl)
# Parse configuration
for dpid in self.portdb:
if dpid in ('all', 'default', 'acls'):
# Skip nodes that aren't real datapaths
continue
# Handle acls, default acls < port acls < global acls
# Copy out port acls and clear port acl list
#port_acls = []
#if 'acls' in self.portdb[dpid]:
# port_acls = self.portdb[dpid]['acls']
#self.portdb[dpid]['acls'] = []
# Add default acls
#if 'default' in self.portdb and \
#'acls' in self.portdb['default'] and \
#port not in self.portdb['default']['exclude']:
# self.add_acls_to_port(port, self.portdb['default']['acls'])
# Add port acls
#self.add_acls_to_port(port, port_acls)
# Add global acls
#if 'all' in self.portdb and 'acls' in self.portdb['all']:
# self.add_acls_to_port(port, self.portdb['all']['acls'])
# Now that we've resolved all acls we can print them
#for acl in self.portdb[port]['acls']:
# self.logger.info("adding %s on port:%s" % (acl, port))
# Handle vlans
# If we have global vlans add them
if 'all' in self.portdb and \
all (k in self.portdb['all'] for k in ('vlans','type')):
vlans = self.portdb['all']['vlans']
ptype = self.portdb['all']['type']
self.logger.info("adding ALL type:%s, vlan:%s" %
(ptype, str(vlans)))
for port in self.portdb[dpid]:
#self.dump(self.portdb[dpid][port])
self.portdb[dpid][port]['vlans'] = vlans
self.portdb[dpid][port]['type'] = ptype
for port in self.portdb[dpid]:
# Add vlans defined on this port (or add default values)
if 'vlans' in self.portdb[dpid][
port] and 'type' in self.portdb[dpid][port]:
vlans = self.portdb[dpid][port]['vlans']
ptype = self.portdb[dpid][port]['type']
self.add_port_to_vlans(dpid, port, vlans, ptype)
elif 'default' in self.portdb and \
all (k in self.portdb['default'] for k in ('vlans','type')) and \
port not in self.portdb['default']['exclude']:
vlans = self.portdb['default']['vlans']
ptype = self.portdb['default']['type']
self.portdb[dpid][port]['vlans'] = vlans
self.portdb[dpid][port]['type'] = ptype
self.add_port_to_vlans(dpid, subif, vlans, ptype)
# Remove nodes that aren't real ports
for n in ('all', 'default', 'acls'):
if n in self.portdb:
del self.portdb[n]
def _dp_parser_v2(logger, acls_conf, dps_conf, meters_conf, routers_conf,
vlans_conf):
dps = []
vid_dp = collections.defaultdict(set)
def _get_vlan_by_identifier(dp_id, vlan_ident, vlans):
if vlan_ident in vlans:
return vlans[vlan_ident]
for vlan in list(vlans.values()):
if int(vlan_ident) == vlan.vid:
return vlan
try:
vid = int(vlan_ident, 0)
except ValueError:
assert False, 'VLAN VID value (%s) is invalid' % vlan_ident
return vlans.setdefault(vlan_ident, VLAN(vid, dp_id))
def _dp_add_vlan(dp, vlan):
if vlan not in dp.vlans:
dp.add_vlan(vlan)
vid_dp[vlan.vid].add(dp.name)
if len(vid_dp[vlan.vid]) > 1:
assert not vlan.bgp_routerid, (
'DPs %s sharing a BGP speaker VLAN is unsupported' %
(str.join(', ', vid_dp[vlan.vid])))
def _dp_parse_port(dp_id, p_identifier, port_conf, vlans):
port = Port(p_identifier, port_conf)
if port.native_vlan is not None:
v_identifier = port.native_vlan
vlan = _get_vlan_by_identifier(dp_id, v_identifier, vlans)
port.native_vlan = vlan
vlan.add_untagged(port)
port_tagged_vlans = []
for v_identifier in port.tagged_vlans:
vlan = _get_vlan_by_identifier(dp_id, v_identifier, vlans)
port_tagged_vlans.append(vlan)
vlan.add_tagged(port)
port.tagged_vlans = port_tagged_vlans
for vlan in port.vlans():
_dp_add_vlan(dp, vlan)
return port
def _dp_add_ports(dp, dp_conf, dp_id, vlans):
ports_conf = dp_conf.pop('interfaces', {})
# as users can config port vlan by using vlan name, we store vid in
# Port instance instead of vlan name for data consistency
for port_num, port_conf in list(ports_conf.items()):
port = _dp_parse_port(dp_id, port_num, port_conf, vlans)
dp.add_port(port)
try:
for identifier, dp_conf in list(dps_conf.items()):
dp = DP(identifier, dp_conf)
dp.sanity_check()
dp_id = dp.dp_id
vlans = {}
for vlan_ident, vlan_conf in list(vlans_conf.items()):
vlans[vlan_ident] = VLAN(vlan_ident, dp_id, vlan_conf)
acls = []
for acl_ident, acl_conf in list(acls_conf.items()):
acls.append((acl_ident, ACL(acl_ident, acl_conf)))
for router_ident, router_conf in list(routers_conf.items()):
router = Router(router_ident, router_conf)
dp.add_router(router_ident, router)
for meter_ident, meter_conf in list(meters_conf.items()):
dp.meters[meter_ident] = Meter(meter_ident, meter_conf)
_dp_add_ports(dp, dp_conf, dp_id, vlans)
for acl_ident, acl in acls:
dp.add_acl(acl_ident, acl)
dps.append(dp)
for dp in dps:
dp.finalize_config(dps)
for dp in dps:
dp.resolve_stack_topology(dps)
except AssertionError as err:
logger.exception('Error in config file: %s', err)
return None
return dps
def _decode(self, evc):
from evc import EVC
from flow_entry import FlowEntry
# Only called from initializer, so first flow is only flow
flow = self._flows.itervalues().next()
self._name = EVCMap.create_evc_map_name(flow)
if evc:
self._evc_connection = EVCMap.EvcConnection.EVC
else:
self._status_message = 'Can only create EVC-MAP if EVC supplied'
return False
is_pon = flow.handler.is_pon_port(flow.in_port)
is_uni = flow.handler.is_uni_port(flow.in_port)
if is_pon or is_uni:
self._uni_port = flow.handler.get_port_name(flow.in_port)
evc.ce_vlan_preservation = False
else:
self._status_message = 'EVC-MAPS without UNI or PON ports are not supported'
return False # UNI Ports handled in the EVC Maps
# ACL logic
self._eth_type = flow.eth_type
if self._eth_type == FlowEntry.EtherType.IPv4:
self._ip_protocol = flow.ip_protocol
self._ipv4_dst = flow.ipv4_dst
if self._ip_protocol == FlowEntry.IpProtocol.UDP:
self._udp_dst = flow.udp_dst
self._udp_src = flow.udp_src
# If no match of VLAN this may be for untagged traffic or upstream and needs to
# match the gem-port vid
self._setup_gem_ids()
# self._match_untagged = flow.vlan_id is None and flow.inner_vid is None
self._c_tag = flow.inner_vid or flow.vlan_id
# If a push of a single VLAN is present with a POP of the VLAN in the EVC's
# flow, then this is a traditional EVC flow
evc.men_to_uni_tag_manipulation = EVC.Men2UniManipulation.POP_OUT_TAG_ONLY
evc.switching_method = EVC.SwitchingMethod.DOUBLE_TAGGED # \
# if self._c_tag is not None else EVC.SwitchingMethod.SINGLE_TAGGED
try:
acl = ACL.create(flow)
if acl.name not in self._new_acls:
self._new_acls[acl.name] = acl
except Exception as e:
log.exception('ACL-decoding', e=e)
return False
return True
def __update_user_acl(self, action, isapi=False):
"""update user template acl
更新用户模板详细设置
Args:
action:
isapi
Returns:
"""
uid = int(self.get_argument('uid', 0))
pid = int(self.get_argument('pid', 0))
if uid == 0 or pid == 0:
self.write(json.dumps(Error.CGIREQUESTERR))
return
_usr = ModUser(self.application)
if isapi == False:
_template = ModTemplate(self.application)
n, data = _template.get_template_list(pid)
if n < 0:
self.write(json.dumps(Error.MODPARAMERR))
return
uinfo = _usr.get_user_info(uid=uid)
uinfo = {
'uid': '',
'username': '',
'avator': '',
'status': 1,
'acl': '[]'
} if uinfo is None else uinfo
tlist = ACL.get_acl_templates(pid, json.loads(uinfo['acl']))
# 检查root_acl
user_acl = Common.collection_find(tlist, lambda s: s['tid'] == 0)
project_root_acl = 0 if user_acl is None else user_acl['acl']
templates = [{
'template_id': 0,
'template_name': '*',
'acl': project_root_acl
}]
# 获取普通模板acl
for row in data:
_item = {
'template_id': int(row[0]),
'template_name': row[2],
'acl': 0
}
user_acl = Common.collection_find(
tlist, lambda s: s['tid'] == int(row[0]))
if user_acl is not None:
_item['acl'] = user_acl['acl']
templates.append(_item)
self.render('system_user_detail.html',
templates=templates,
acl=ACL.AclCode,
target=uinfo,
project_id=pid,
userinfo=self.userinfo)
else:
acl = self.get_arguments('acl')
uinfo = _usr.get_user_info(uid=uid)
if uinfo is None:
self.write(json.dumps(Error.ACL_NOTFOUNDUSER))
return
_uacl = json.loads(uinfo['acl'])
# item:tid_DOC_E ....
# 构建一个需要追加权限的list
_new_template_acl = []
_tid_set = []
for item in acl:
_tid = item.split('_')[0]
if _tid not in _tid_set:
_tid_set.append(_tid)
_tacl = Common.collection_find(_new_template_acl,
lambda s: s['tid'] == int(_tid))
if _tacl is not None:
# 这里修改的是引用值,不是深拷贝
_index = _new_template_acl.index(_tacl)
_new_template_acl[_index] = {
'tid':
int(_tid),
'acl':
_tacl['acl']
| ACL.AclCode[item.replace(_tid + '_', '')]
}
else:
# 没有的就追加
_new_template_acl.append({
'tid':
int(_tid),
'acl':
ACL.AclCode[item.replace(_tid + '_', '')]
})
# 修改template表的allow
_template = ModTemplate(self.application)
recode = _template.update_template_allow(pid, uinfo['username'],
_tid_set)
if recode['code'] != 0:
self.write(json.dumps(recode))
return
# 改写pacl
_pacl = Common.collection_find(_uacl, lambda s: s['pid'] == pid)
if _pacl is None:
_uacl.append({'pid': pid, 'acl': _new_template_acl})
else:
_pacl['acl'] = _new_template_acl
recode = _usr.update_user_info(uid=uid, acl=json.dumps(_uacl))
if recode['code'] == 0:
self.set_status(302)
self.set_header('Location', '/system/user?action=list')
return
else:
self.write(json.dumps(recode))
return
def __update_user(self, action, isapi=False):
"""create/update user base info
创建更改用户基本信息
Args:
action
isapi
Returns:
"""
uid = self.get_argument('uid', '0')
print(self.application.cfg['db'])
projects = copy.deepcopy(self.application.cfg['db'])
projects.reverse()
projects.pop()
projects.reverse()
projects.append({'pid': 0, 'project': '*'})
mod = ModUser(self.application)
if not isapi:
uinfo = mod.get_user_info(uid=uid)
uinfo = {
'uid': '',
'username': '',
'nickname': '',
'avator': '',
'status': 1,
'acl': '[]'
} if uinfo is None else uinfo
date = []
plist = ACL.get_acl_projects(json.loads(uinfo['acl']))
for i in range(0, len(projects)):
if uinfo is None:
projects[i]['enable'] = 0
else:
p = Common.collection_find(
plist, lambda s: s == int(projects[i]['pid']))
projects[i]['enable'] = p is not None
# projects[i]['acl'] = ACL.get_acl_projects(json.loads(uinfo['acl']))
self.render('system_user.html',
projects=projects,
target=uinfo,
userinfo=self.userinfo)
else:
# 处理post
username = self.get_argument('username', '')
nickname = self.get_argument('nickname', '')
avator = self.get_argument('avator', '')
pid_set = self.get_arguments('projects')
uinfo = mod.get_user_info(uid=uid)
acl = []
if uinfo is not None:
acl = json.loads(uinfo['acl'])
# 扫2次,对比差异
new_acl = []
for item in acl:
if Common.collection_find(
pid_set, lambda s: s == str(item['pid'])) is not None:
new_acl.append(item)
for i in range(0, len(pid_set)):
p = Common.collection_find(
new_acl, lambda s: s['pid'] == int(pid_set[i]))
if p is None:
new_acl.append({'pid': int(pid_set[i]), 'acl': []})
# 完成构建
recode = mod.update_user_info(uid=uid,
username=username,
nickname=nickname,
avator=avator,
acl=json.dumps(new_acl))
if recode['code'] == 0:
self.set_status(302)
self.set_header('Location', '/system/user?action=list')
else:
self.write(json.dumps(recode))
def assertAcl(self, readable, writable, acl_r, acl_w, user,
default_permission):
self.assertEqual(readable,
ACL(default_permission, acl_r, acl_w).can_read(user))
self.assertEqual(writable,
ACL(default_permission, acl_r, acl_w).can_write(user))
