def test_action(self):
action = Action()
# Defaults
self.assertEqual(action.action, 'allow')
self.assertEqual(action.scan_detection, 'undefined')
action.action = 'discard'
self.assertEqual(action.action, 'discard')
action.action = 'foo'
self.assertEqual(action.action, 'foo')
action.deep_inspection = True
action.file_filtering = False
action.dos_protection = True
action.scan_detection = 'on'
action.vpn = 'http://1.1.1.1'
action.mobile_vpn = True
self.assertTrue(action.deep_inspection)
self.assertFalse(action.file_filtering)
self.assertTrue(action.dos_protection)
self.assertEqual(action.scan_detection, 'on')
self.assertEqual(action.vpn, 'http://1.1.1.1')
self.assertTrue(action.mobile_vpn)
self.assertIsNone(action.user_response)
self.assertFalse(action.connection_tracking_options.mss_enforced)
self.assertEqual(action.connection_tracking_options.timeout, -1)
mini, maxi = action.connection_tracking_options.mss_enforced_min_max
self.assertEqual(mini, 0)
self.assertEqual(maxi, 0)
action.connection_tracking_options.state = 'normal'
action.connection_tracking_options.timeout = 60
action.connection_tracking_options.mss_enforced_min_max = (1400, 1450)
action.connection_tracking_options.mss_enforced = True
self.assertEqual(action.connection_tracking_options.state, 'normal')
self.assertEqual(action.connection_tracking_options.timeout, 60)
mini, maxi = action.connection_tracking_options.mss_enforced_min_max
self.assertEqual(mini, 1400)
self.assertEqual(maxi, 1450)
self.assertTrue(action.connection_tracking_options.mss_enforced)
o = action()
for k, v in o.items():
self.assertEqual(k, 'action')
self.assertDictEqual(v, action.data)
action = Action({'foo': 'bar'})
self.assertDictEqual(action.data, {'foo': 'bar'})
def add_policy(self):
"""
If a client AMI was specified when building a new VPC, this will add
rules to allow inbound access to the AMI. This could be extended to
more generically support VPN rules.
"""
if not self.firewall_policy:
self.firewall_policy = 'AWS_Default'
# Policy not specified, use the default, or check if hidden setting was specified
try:
FirewallPolicy.create(name='AWS_Default',
template='Firewall Inspection Template')
except CreatePolicyFailed:
pass # Already exists
policy = FirewallPolicy(self.firewall_policy)
# Create the access rule for the network
options = LogOptions()
options.log_accounting_info_mode = True
options.log_level = 'stored'
options.application_logging = 'enforced'
options.user_logging = 'enforced'
action = Action()
action.deep_inspection = True
action.file_filtering = False
outbound_rule = policy.search_rule('AWS outbound access rule')
if not outbound_rule:
# Generic outbound access rule
policy.fw_ipv4_access_rules.create(
name='AWS outbound access rule',
sources=[Alias('$$ Interface ID 1.net')],
destinations='any',
services='any',
action=action,
log_options=options)
if self.aws_ami_ip and self.nat_ports:
dest_port = self.nat_ports.get('dest_port')
redirect_port = self.nat_ports.get('redirect_port')
services = list(
TCPService.objects.filter(dest_port)) # @UndefinedVariable
# Ignore services with protocol agents so we skip SSM
service = next(
([service]
for service in services if not service.protocol_agent), [])
if not service:
service = [
TCPService.create(name='aws_tcp{}'.format(dest_port),
min_dst_port=dest_port)
]
# Create the access rule for the client
policy.fw_ipv4_access_rules.create(
name=self.name,
sources='any',
destinations=[Alias('$$ Interface ID 0.ip')],
services=service,
action='allow',
log_options=options)
policy.fw_ipv4_nat_rules.create(
name=self.name,
sources='any',
destinations=[Alias('$$ Interface ID 0.ip')],
services=service,
static_dst_nat=self.aws_ami_ip,
static_dst_nat_ports=(dest_port, redirect_port),
used_on=self.engine.href)