Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
S
slapos.core
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
slapos.core
Commits
c81eb3ea
Commit
c81eb3ea
authored
Oct 26, 2015
by
Alain Takoudjou
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'tap-nobridge'
parents
fc6c6ee8
658d48dd
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
333 additions
and
123 deletions
+333
-123
slapos/grid/SlapObject.py
slapos/grid/SlapObject.py
+4
-0
slapos/grid/slapgrid.py
slapos/grid/slapgrid.py
+127
-72
slapos/tests/slapgrid.py
slapos/tests/slapgrid.py
+202
-51
No files found.
slapos/grid/SlapObject.py
View file @
c81eb3ea
...
...
@@ -333,6 +333,7 @@ class Partition(object):
"""
retention_lock_delay_filename
=
'.slapos-retention-lock-delay'
retention_lock_date_filename
=
'.slapos-retention-lock-date'
partition_firewall_rules_name
=
'.slapos-firewalld-rules'
# XXX: we should give the url (or the "key") instead of the software_path
# then compute the path from it, like in Software.
...
...
@@ -394,6 +395,9 @@ class Partition(object):
self
.
retention_lock_date_file_path
=
os
.
path
.
join
(
self
.
instance_path
,
self
.
retention_lock_date_filename
)
self
.
firewall_rules_path
=
os
.
path
.
join
(
self
.
instance_path
,
self
.
partition_firewall_rules_name
)
self
.
instance_min_free_space
=
instance_min_free_space
...
...
slapos/grid/slapgrid.py
View file @
c81eb3ea
...
...
@@ -85,6 +85,18 @@ class _formatXMLError(Exception):
pass
class
FPopen
(
subprocess
.
Popen
):
def
__init__
(
self
,
*
args
,
**
kwargs
):
kwargs
[
'stdin'
]
=
subprocess
.
PIPE
kwargs
[
'stderr'
]
=
subprocess
.
STDOUT
kwargs
.
setdefault
(
'stdout'
,
subprocess
.
PIPE
)
kwargs
.
setdefault
(
'close_fds'
,
True
)
kwargs
.
setdefault
(
'shell'
,
True
)
subprocess
.
Popen
.
__init__
(
self
,
*
args
,
**
kwargs
)
self
.
stdin
.
flush
()
self
.
stdin
.
close
()
self
.
stdin
=
None
def
check_missing_parameters
(
options
):
required
=
set
([
'computer_id'
,
...
...
@@ -656,14 +668,17 @@ stderr_logfile_backups=1
def
_checkAddFirewallRules
(
self
,
partition_id
,
command_list
,
add
=
True
):
"""
Process Firewall rules from and save rules to firewall_rules_path
"""
instance_path
=
os
.
path
.
join
(
self
.
instance_root
,
partition_id
)
firewall_rules
=
os
.
path
.
join
(
instance_path
,
'.slapos-firewalld-rules'
)
firewall_rules_path
=
os
.
path
.
join
(
instance_path
,
Partition
.
partition_firewall_rules_name
)
json_list
=
[]
reload_rules
=
False
if
os
.
path
.
exists
(
firewall_rules
):
with
open
(
firewall_rules
,
'r'
)
as
frules
:
if
os
.
path
.
exists
(
firewall_rules
_path
):
with
open
(
firewall_rules
_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
for
command
in
rules_list
:
...
...
@@ -679,40 +694,29 @@ stderr_logfile_backups=1
if
skip_check
:
continue
# Check if this rule exists in iptables
check_cmd
=
command
.
replace
(
'--add-rule'
,
'--query-rule'
)
process
=
subprocess
.
Popen
(
check_cmd
,
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
,
shell
=
True
)
check_result
=
process
.
communicate
()[
0
]
self
.
logger
.
debug
(
'%s: %s'
%
(
check_cmd
,
check_result
))
if
check_result
.
strip
()
==
'yes'
:
current_cmd
=
command
.
replace
(
'--add-rule'
,
'--query-rule'
)
cmd_process
=
FPopen
(
current_cmd
)
result
=
cmd_process
.
communicate
()[
0
]
self
.
logger
.
debug
(
'%s: %s'
%
(
current_cmd
,
result
))
if
result
.
strip
()
==
'yes'
:
reload_rules
=
True
command
=
command
.
replace
(
'--add-rule'
,
'--remove-rule'
)
self
.
logger
.
debug
(
command
)
cmd_process
=
subprocess
.
Popen
(
command
,
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
,
shell
=
True
)
current_cmd
=
command
.
replace
(
'--add-rule'
,
'--remove-rule'
)
self
.
logger
.
debug
(
current_cmd
)
cmd_process
=
FPopen
(
current_cmd
)
result
=
cmd_process
.
communicate
()[
0
]
if
cmd_process
.
returncode
==
1
:
raise
Exception
(
"Failed to remove firewalld rule %s.
\
n
%s"
%
(
command
,
result
))
if
cmd_process
.
returncode
==
1
:
raise
Exception
(
"Failed to execute firewalld rule %s."
%
current_cmd
)
if
add
:
for
i
in
range
(
0
,
len
(
command_list
)):
reload_rules
=
True
command
=
command_list
.
pop
()
self
.
logger
.
debug
(
command
)
cmd_process
=
subprocess
.
Popen
(
command
,
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
,
shell
=
True
)
result
=
cmd_process
.
communicate
()[
0
]
cmd_process
=
FPopen
(
command
)
cmd_process
.
communicate
()[
0
]
if
cmd_process
.
returncode
==
1
:
raise
Exception
(
"Failed to add firewalld rule %s.
\
n
%s"
%
(
command
,
result
))
raise
Exception
(
"Failed to add firewalld rule %s."
%
command
)
json_list
.
append
(
command
)
if
reload_rules
:
...
...
@@ -720,20 +724,18 @@ stderr_logfile_backups=1
# XXX - need to check firewalld reload instead of restart
self
.
logger
.
info
(
"Reloading firewall configuration..."
)
reload_cmd
=
self
.
firewall_conf
[
'reload_config_cmd'
]
reload_process
=
subprocess
.
Popen
(
reload_cmd
,
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
,
shell
=
True
)
reload_process
=
FPopen
(
reload_cmd
)
result
=
reload_process
.
communicate
()[
0
]
if
reload_process
.
returncode
==
1
:
self
.
logger
.
error
(
'FirewallD Reload: %s'
%
result
)
raise
Exception
(
"Failed to load firewalld rules with command %s"
%
reload_cmd
)
with
open
(
firewall_rules
,
'w'
)
as
frules
:
with
open
(
firewall_rules
_path
,
'w'
)
as
frules
:
frules
.
write
(
json
.
dumps
(
json_list
))
def
_getFirewall
Rules
(
self
,
ip
,
ip_list
,
ip_type
=
'ipv4'
):
def
_getFirewall
AcceptRules
(
self
,
ip
,
hosting_ip_list
,
source_
ip_list
,
ip_type
=
'ipv4'
):
"""
Generate rules for firewall based on list of IP that should have access to `ip`
"""
if
ip_type
not
in
[
'ipv4'
,
'ipv6'
,
'eb'
]:
raise
NotImplementedError
(
"firewall-cmd has not rules with tables %s."
%
ip_type
)
...
...
@@ -742,6 +744,7 @@ stderr_logfile_backups=1
command
=
'%s --permanent --direct --add-rule %s filter'
%
(
fw_cmd
,
ip_type
)
cmd_list
=
[]
ip_list
=
hosting_ip_list
+
source_ip_list
for
other_ip
in
ip_list
:
# Configure INPUT rules
...
...
@@ -751,25 +754,85 @@ stderr_logfile_backups=1
cmd_list
.
append
(
'%s FORWARD 0 -s %s -d %s -j ACCEPT'
%
(
command
,
other_ip
,
ip
))
#
Drop
all other requests
cmd_list
.
append
(
'%s INPUT 1000 -d %s -j
DROP
'
%
(
command
,
ip
))
cmd_list
.
append
(
'%s FORWARD 1000 -d %s -j
DROP
'
%
(
command
,
ip
))
cmd_list
.
append
(
'%s INPUT 900 -d %s -m state --state ESTABLISHED,RELATED -j
DROP
'
%
(
#
Reject
all other requests
cmd_list
.
append
(
'%s INPUT 1000 -d %s -j
REJECT
'
%
(
command
,
ip
))
cmd_list
.
append
(
'%s FORWARD 1000 -d %s -j
REJECT
'
%
(
command
,
ip
))
cmd_list
.
append
(
'%s INPUT 900 -d %s -m state --state ESTABLISHED,RELATED -j
REJECT
'
%
(
command
,
ip
))
cmd_list
.
append
(
'%s FORWARD 900 -d %s -m state --state ESTABLISHED,RELATED -j
DROP
'
%
(
cmd_list
.
append
(
'%s FORWARD 900 -d %s -m state --state ESTABLISHED,RELATED -j
REJECT
'
%
(
command
,
ip
))
return
cmd_list
def
_getFirewallRejectRules
(
self
,
ip
,
hosting_ip_list
,
source_ip_list
,
ip_type
=
'ipv4'
):
"""
Generate rules for firewall based on list of IP that should not have access to `ip`
"""
if
ip_type
not
in
[
'ipv4'
,
'ipv6'
,
'eb'
]:
raise
NotImplementedError
(
"firewall-cmd has not rules with tables %s."
%
ip_type
)
fw_cmd
=
self
.
firewall_conf
[
'firewall_cmd'
]
command
=
'%s --permanent --direct --add-rule %s filter'
%
(
fw_cmd
,
ip_type
)
cmd_list
=
[]
# Accept all other requests
cmd_list
.
append
(
'%s INPUT 0 -d %s -j ACCEPT'
%
(
command
,
ip
))
cmd_list
.
append
(
'%s FORWARD 0 -d %s -j ACCEPT'
%
(
command
,
ip
))
# Reject all other requests from the list
for
other_ip
in
source_ip_list
:
cmd_list
.
append
(
'%s INPUT 800 -s %s -d %s -m state --state ESTABLISHED,RELATED -j REJECT'
%
(
command
,
other_ip
,
ip
))
cmd_list
.
append
(
'%s FORWARD 800 -s %s -d %s -m state --state ESTABLISHED,RELATED -j REJECT'
%
(
command
,
other_ip
,
ip
))
cmd_list
.
append
(
'%s INPUT 900 -s %s -d %s -j REJECT'
%
(
command
,
other_ip
,
ip
))
cmd_list
.
append
(
'%s FORWARD 900 -s %s -d %s -j REJECT'
%
(
command
,
other_ip
,
ip
))
# Accept on this hosting subscription
for
other_ip
in
hosting_ip_list
:
cmd_list
.
append
(
'%s INPUT 1000 -s %s -d %s -j ACCEPT'
%
(
command
,
other_ip
,
ip
))
cmd_list
.
append
(
'%s FORWARD 1000 -s %s -d %s -j ACCEPT'
%
(
command
,
other_ip
,
ip
))
return
cmd_list
def
_getValidIpv4FromList
(
self
,
ipv4_list
,
warn
=
False
):
"""
Return the list containing only valid ipv4 or network address.
"""
valid_list
=
[]
for
ip
in
ipv4_list
:
if
not
ip
:
continue
the_ip
=
ip
.
split
(
'/'
)[
0
]
if
valid_ipv4
(
the_ip
):
valid_list
.
append
(
ip
)
elif
warn
:
self
.
logger
.
warn
(
"IP/Network address %s is not valid. ignored.."
%
ip
)
return
valid_list
def
_setupComputerPartitionFirewall
(
self
,
computer_partition
,
ip_list
,
authorized_ip_list
,
drop_entries
=
False
):
def
_setupComputerPartitionFirewall
(
self
,
computer_partition
,
ip_list
,
drop_entries
=
False
):
"""
Using linux iptables, limit access to IP of this partition to all
others partitions of the same Hosting Subscription
"""
ipv4_list
=
[]
ipv6_list
=
[]
authorized_ipv4_list
=
[]
authorized_ipv6_list
=
[]
source_ipv4_list
=
[]
source_ipv6_list
=
[]
hosting_ipv4_list
=
[]
hosting_ipv6_list
=
[]
getFirewallRules
=
getattr
(
self
,
'_getFirewallAcceptRules'
)
if
not
drop_entries
:
self
.
logger
.
info
(
"Configuring firewall..."
)
add_rules
=
True
else
:
add_rules
=
False
self
.
logger
.
info
(
"Removing firewall configuration..."
)
for
net_ip
in
ip_list
:
iface
,
ip
=
(
net_ip
[
0
],
net_ip
[
1
])
...
...
@@ -780,41 +843,37 @@ stderr_logfile_backups=1
elif
valid_ipv6
(
ip
):
ipv6_list
.
append
(
ip
)
for
iface
,
ip
in
authorized_ip_list
:
hosting_ip_list
=
computer_partition
.
getFullHostingIpAddressList
()
for
iface
,
ip
in
hosting_ip_list
:
if
valid_ipv4
(
ip
):
if
not
ip
in
ipv4_list
:
authorized
_ipv4_list
.
append
(
ip
)
hosting
_ipv4_list
.
append
(
ip
)
elif
valid_ipv6
(
ip
):
if
not
ip
in
ipv6_list
:
authorized
_ipv6_list
.
append
(
ip
)
hosting
_ipv6_list
.
append
(
ip
)
filter_dict
=
getattr
(
computer_partition
,
'_filter_dict'
,
None
)
extra_list
=
[]
accept_ip_list
=
[]
if
filter_dict
is
not
None
:
extra_list
=
filter_dict
.
get
(
'authorized_sources'
,
''
).
split
(
' '
)
extra_list
.
extend
(
self
.
firewall_conf
.
get
(
'authorized_sources'
,
[]))
for
ip
in
extra_list
:
if
not
ip
:
continue
the_ip
=
ip
.
split
(
'/'
)[
0
]
if
valid_ipv4
(
the_ip
):
authorized_ipv4_list
.
append
(
ip
)
elif
valid_ipv6
(
the_ip
):
authorized_ipv6_list
.
append
(
ip
)
if
filter_dict
.
get
(
'fw_restricted_access'
,
'on'
)
==
'off'
:
extra_list
=
filter_dict
.
get
(
'fw_rejected_sources'
,
''
).
split
(
' '
)
getFirewallRules
=
getattr
(
self
,
'_getFirewallRejectRules'
)
accept_ip_list
.
extend
(
self
.
firewall_conf
.
get
(
'authorized_sources'
,
[]))
accept_ip_list
.
extend
(
filter_dict
.
get
(
'fw_authorized_sources'
,
''
).
split
(
' '
))
else
:
extra_list
=
filter_dict
.
get
(
'fw_authorized_sources'
,
''
).
split
(
' '
)
extra_list
.
extend
(
self
.
firewall_conf
.
get
(
'authorized_sources'
,
[]))
if
not
drop_entries
:
self
.
logger
.
info
(
"Configuring firewall..."
)
add_rules
=
True
else
:
add_rules
=
False
self
.
logger
.
info
(
"Removing firewall configuration..."
)
source_ipv4_list
=
self
.
_getValidIpv4FromList
(
extra_list
,
True
)
hosting_ipv4_list
.
extend
(
self
.
_getValidIpv4FromList
(
accept_ip_list
,
True
))
# XXX - ipv6_list and source_ipv6_list ignored for the moment
for
ip
in
ipv4_list
:
cmd_list
=
self
.
_getFirewallRules
(
ip
,
authorized_ipv4_list
,
ip_type
=
'ipv4'
)
self
.
_checkAddFirewallRules
(
computer_partition
.
getId
(),
cmd_list
,
add
=
add_rules
)
cmd_list
=
getFirewallRules
(
ip
,
hosting_ipv4_list
,
source_ipv4_list
,
ip_type
=
'ipv4'
)
self
.
_checkAddFirewallRules
(
computer_partition
.
getId
(),
cmd_list
,
add
=
add_rules
)
def
processComputerPartition
(
self
,
computer_partition
):
"""
...
...
@@ -954,7 +1013,6 @@ stderr_logfile_backups=1
if
self
.
firewall_conf
:
partition_ip_list
=
parameter_dict
[
'ip_list'
]
+
parameter_dict
.
get
(
'full_ip_list'
,
[])
full_hosting_ip_list
=
computer_partition
.
getFullHostingIpAddressList
()
if
computer_partition_state
==
COMPUTER_PARTITION_STARTED_STATE
:
local_partition
.
install
()
...
...
@@ -962,8 +1020,7 @@ stderr_logfile_backups=1
local_partition
.
start
()
if
self
.
firewall_conf
:
self
.
_setupComputerPartitionFirewall
(
computer_partition
,
partition_ip_list
,
full_hosting_ip_list
)
partition_ip_list
)
self
.
_checkPromises
(
computer_partition
)
computer_partition
.
started
()
elif
computer_partition_state
==
COMPUTER_PARTITION_STOPPED_STATE
:
...
...
@@ -974,8 +1031,7 @@ stderr_logfile_backups=1
computer_partition
.
available
()
if
self
.
firewall_conf
:
self
.
_setupComputerPartitionFirewall
(
computer_partition
,
partition_ip_list
,
full_hosting_ip_list
)
partition_ip_list
)
finally
:
# Instance has to be stopped even if buildout/reporting is wrong.
local_partition
.
stop
()
...
...
@@ -985,7 +1041,6 @@ stderr_logfile_backups=1
if
self
.
firewall_conf
:
self
.
_setupComputerPartitionFirewall
(
computer_partition
,
partition_ip_list
,
full_hosting_ip_list
,
drop_entries
=
True
)
try
:
computer_partition
.
stopped
()
...
...
slapos/tests/slapgrid.py
View file @
c81eb3ea
...
...
@@ -449,6 +449,7 @@ class InstanceForTest(object):
if
self
.
timestamp
is
not
None
:
partition
.
_parameter_dict
[
'timestamp'
]
=
self
.
timestamp
self
.
current_partition
=
partition
return
partition
def
getSoftwareRelease
(
self
):
...
...
@@ -1985,69 +1986,117 @@ class TestSlapgridCPWithFirewall(MasterMixin, unittest.TestCase):
)
self
.
grid
.
firewall_conf
=
firewall_conf
def
checkRuleFromIpSource
(
self
,
ip
,
cmd_list
):
# XXX - rules for one ip contain 2*len(ip_address_list
) rules ACCEPT and 4 rules DROP
num_rules
=
len
(
self
.
ip_address_list
)
*
2
+
4
def
checkRuleFromIpSource
(
self
,
ip
,
accept_ip_list
,
cmd_list
):
# XXX - rules for one ip contain 2*len(ip_address_list
+ accept_ip_list) rules ACCEPT and 4 rules REJECT
num_rules
=
len
(
self
.
ip_address_list
)
*
2
+
len
(
accept_ip_list
)
*
2
+
4
self
.
assertEqual
(
len
(
cmd_list
),
num_rules
)
base_cmd
=
'%s --permanent --direct --add-rule ipv4 filter'
%
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
# Check that there is
DROP
rule on INPUT
rule
=
'%s INPUT 1000 -d %s -j
DROP
'
%
(
base_cmd
,
ip
)
# Check that there is
REJECT
rule on INPUT
rule
=
'%s INPUT 1000 -d %s -j
REJECT
'
%
(
base_cmd
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is
DROP
rule on FORWARD
rule
=
'%s FORWARD 1000 -d %s -j
DROP
'
%
(
base_cmd
,
ip
)
# Check that there is
REJECT
rule on FORWARD
rule
=
'%s FORWARD 1000 -d %s -j
REJECT
'
%
(
base_cmd
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is
DROP
rule on INPUT, ESTABLISHED,RELATED
rule
=
'%s INPUT 900 -d %s -m state --state ESTABLISHED,RELATED -j
DROP
'
%
(
base_cmd
,
ip
)
# Check that there is
REJECT
rule on INPUT, ESTABLISHED,RELATED
rule
=
'%s INPUT 900 -d %s -m state --state ESTABLISHED,RELATED -j
REJECT
'
%
(
base_cmd
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is
DROP
rule on FORWARD, ESTABLISHED,RELATED
rule
=
'%s FORWARD 900 -d %s -m state --state ESTABLISHED,RELATED -j
DROP
'
%
(
base_cmd
,
ip
)
# Check that there is
REJECT
rule on FORWARD, ESTABLISHED,RELATED
rule
=
'%s FORWARD 900 -d %s -m state --state ESTABLISHED,RELATED -j
REJECT
'
%
(
base_cmd
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is INPUT ACCEPT on ip_list
for
_
,
other_ip
in
self
.
ip_address_list
:
rule
=
'%s INPUT 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
rule
=
'%s FORWARD 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is FORWARD ACCEPT on ip_list
for
_
,
other_ip
in
self
.
ip_address_list
:
for
other_ip
in
accept_ip_list
:
rule
=
'%s INPUT 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
rule
=
'%s FORWARD 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
def
checkRuleFromIpSourceReject
(
self
,
ip
,
reject_ip_list
,
cmd_list
):
# XXX - rules for one ip contain 2 + 2*len(ip_address_list) rules ACCEPT and 4*len(reject_ip_list) rules REJECT
num_rules
=
2
+
(
len
(
self
.
ip_address_list
)
*
2
)
+
(
len
(
reject_ip_list
)
*
4
)
self
.
assertEqual
(
len
(
cmd_list
),
num_rules
)
base_cmd
=
'%s --permanent --direct --add-rule ipv4 filter'
%
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
# Check that there is ACCEPT rule on INPUT
rule
=
'%s INPUT 0 -d %s -j ACCEPT'
%
(
base_cmd
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is ACCEPT rule on FORWARD
rule
=
'%s FORWARD 0 -d %s -j ACCEPT'
%
(
base_cmd
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is INPUT/FORWARD ACCEPT on ip_list
for
_
,
other_ip
in
self
.
ip_address_list
:
rule
=
'%s INPUT 1000 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
rule
=
'%s FORWARD 1000 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
# Check that there is INPUT/FORWARD REJECT on ip_list
for
other_ip
in
reject_ip_list
:
rule
=
'%s INPUT 900 -s %s -d %s -j REJECT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
rule
=
'%s FORWARD 900 -s %s -d %s -j REJECT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
rule
=
'%s INPUT 800 -s %s -d %s -m state --state ESTABLISHED,RELATED -j REJECT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
rule
=
'%s FORWARD 800 -s %s -d %s -m state --state ESTABLISHED,RELATED -j REJECT'
%
(
base_cmd
,
other_ip
,
ip
)
self
.
assertIn
(
rule
,
cmd_list
)
def
test_getFirewallRules
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
self
.
ip_address_list
=
computer
.
ip_address_list
ip
=
computer
.
instance_list
[
0
].
full_ip_list
[
0
][
1
]
source_ip_list
=
[
'10.32.0.15'
,
'10.32.0.0/8'
]
cmd_list
=
self
.
grid
.
_getFirewallAcceptRules
(
ip
,
[
elt
[
1
]
for
elt
in
self
.
ip_address_list
],
source_ip_list
,
ip_type
=
'ipv4'
)
self
.
checkRuleFromIpSource
(
ip
,
source_ip_list
,
cmd_list
)
cmd_list
=
self
.
grid
.
_getFirewallRules
(
ip
,
cmd_list
=
self
.
grid
.
_getFirewallR
ejectR
ules
(
ip
,
[
elt
[
1
]
for
elt
in
self
.
ip_address_list
],
source_ip_list
,
ip_type
=
'ipv4'
)
self
.
checkRuleFromIpSource
(
ip
,
cmd_list
)
self
.
checkRuleFromIpSource
Reject
(
ip
,
source_ip_list
,
cmd_list
)
def
test_checkAddFirewallRules
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
# For simulate query rule success
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
=
'/bin/echo "yes" #'
self
.
ip_address_list
=
computer
.
ip_address_list
instance
=
computer
.
instance_list
[
0
]
ip
=
instance
.
full_ip_list
[
0
][
1
]
name
=
computer
.
instance_list
[
0
].
name
cmd_list
=
self
.
grid
.
_getFirewallRules
(
ip
,
cmd_list
=
self
.
grid
.
_getFirewall
Accept
Rules
(
ip
,
[
elt
[
1
]
for
elt
in
self
.
ip_address_list
],
[],
ip_type
=
'ipv4'
)
self
.
grid
.
_checkAddFirewallRules
(
name
,
cmd_list
,
add
=
True
)
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
checkRuleFromIpSource
(
ip
,
rules_list
)
self
.
checkRuleFromIpSource
(
ip
,
[],
rules_list
)
# Remove all rules
self
.
grid
.
_checkAddFirewallRules
(
name
,
cmd_list
,
add
=
False
)
...
...
@@ -2057,14 +2106,15 @@ class TestSlapgridCPWithFirewall(MasterMixin, unittest.TestCase):
# Add one more ip in the authorized list
self
.
ip_address_list
.
append
((
'interface1'
,
'10.0.8.7'
))
cmd_list
=
self
.
grid
.
_getFirewallRules
(
ip
,
cmd_list
=
self
.
grid
.
_getFirewall
Accept
Rules
(
ip
,
[
elt
[
1
]
for
elt
in
self
.
ip_address_list
],
[],
ip_type
=
'ipv4'
)
self
.
grid
.
_checkAddFirewallRules
(
name
,
cmd_list
,
add
=
True
)
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
checkRuleFromIpSource
(
ip
,
rules_list
)
self
.
checkRuleFromIpSource
(
ip
,
[],
rules_list
)
def
test_partition_no_firewall
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
...
...
@@ -2077,84 +2127,185 @@ class TestSlapgridCPWithFirewall(MasterMixin, unittest.TestCase):
'.slapos-firewalld-rules'
)))
def
test_partition_firewall_restrict
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
with
httmock
.
HTTMock
(
computer
.
request_handler
):
instance
=
computer
.
instance_list
[
0
]
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
assertTrue
(
os
.
path
.
exists
(
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)))
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
self
.
ip_address_list
=
computer
.
ip_address_list
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
ip
=
instance
.
full_ip_list
[
0
][
1
]
self
.
checkRuleFromIpSource
(
ip
,
[],
rules_list
)
def
test_partition_firewall
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
with
httmock
.
HTTMock
(
computer
.
request_handler
):
instance
=
computer
.
instance_list
[
0
]
instance
.
filter_dict
=
{
'fw_restricted_access'
:
'off'
}
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
assertTrue
(
os
.
path
.
exists
(
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)))
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
self
.
ip_address_list
=
computer
.
ip_address_list
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
assertEqual
(
len
(
rules_list
),
len
(
self
.
ip_address_list
)
*
2
+
4
)
ip
=
instance
.
full_ip_list
[
0
][
1
]
self
.
checkRuleFromIpSource
(
ip
,
rules_list
)
def
test_partition_firewall_ipsource
(
self
):
self
.
checkRuleFromIpSourceReject
(
ip
,
[],
rules_list
)
@
unittest
.
skip
(
'Always fail: instance.filter_dict can
\
'
t change'
)
def
test_partition_firewall_restricted_access_change
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
# For simulate query rule success
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
=
'/bin/echo "yes" #'
with
httmock
.
HTTMock
(
computer
.
request_handler
):
instance
=
computer
.
instance_list
[
0
]
instance
.
filter_dict
=
{
'fw_restricted_access'
:
'off'
,
'fw_rejected_sources'
:
'10.0.8.11'
}
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
assertTrue
(
os
.
path
.
exists
(
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)))
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
self
.
ip_address_list
=
computer
.
ip_address_list
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
ip
=
instance
.
full_ip_list
[
0
][
1
]
self
.
checkRuleFromIpSourceReject
(
ip
,
[
'10.0.8.11'
],
rules_list
)
instance
.
setFilterParameter
({
'fw_restricted_access'
:
'on'
,
'fw_authorized_sources'
:
''
})
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
checkRuleFromIpSource
(
ip
,
[],
rules_list
)
def
test_partition_firewall_ipsource_accept
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
source_ip
=
[
'10.0.8.10'
]
self
.
grid
.
firewall_conf
[
'authorized_sources'
]
=
source_ip
source_ip
=
[
'10.0.8.10'
,
'10.0.8.11'
]
self
.
grid
.
firewall_conf
[
'authorized_sources'
]
=
[
source_ip
[
0
]]
with
httmock
.
HTTMock
(
computer
.
request_handler
):
instance
=
computer
.
instance_list
[
0
]
instance
.
filter_dict
=
{
'fw_restricted_access'
:
'on'
,
'fw_authorized_sources'
:
source_ip
[
1
]}
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
assertTrue
(
os
.
path
.
exists
(
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)))
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
rules_list
=
[]
self
.
ip_address_list
=
computer
.
ip_address_list
+
[(
'iface'
,
ip
)
for
ip
in
source_ip
]
self
.
ip_address_list
=
computer
.
ip_address_list
ip
=
instance
.
full_ip_list
[
0
][
1
]
base_cmd
=
'%s --permanent --direct --add-rule ipv4 filter'
%
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
assertEqual
(
len
(
rules_list
),
len
(
self
.
ip_address_list
)
*
2
+
4
)
rule_input
=
'%s INPUT 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
source_ip
[
0
]
,
ip
)
self
.
assertIn
(
rule_input
,
rules_list
)
rule_fwd
=
'%s FORWARD 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
source_ip
[
0
]
,
ip
)
self
.
assertIn
(
rule_fwd
,
rules_list
)
for
thier_ip
in
source_ip
:
rule_input
=
'%s INPUT 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
thier_ip
,
ip
)
self
.
assertIn
(
rule_input
,
rules_list
)
rule_fwd
=
'%s FORWARD 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
thier_ip
,
ip
)
self
.
assertIn
(
rule_fwd
,
rules_list
)
self
.
checkRuleFromIpSource
(
ip
,
rules_list
)
self
.
checkRuleFromIpSource
(
ip
,
source_ip
,
rules_list
)
def
test_partition_firewall_ip
_parameter
(
self
):
def
test_partition_firewall_ip
source_reject
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
source_ip
=
'10.0.8.10'
self
.
grid
.
firewall_conf
[
'authorized_sources'
]
=
[
'10.0.8.15'
]
with
httmock
.
HTTMock
(
computer
.
request_handler
):
instance
=
computer
.
instance_list
[
0
]
instance
.
filter_dict
=
{
'authorized_sources'
:
source_ip
}
instance
.
filter_dict
=
{
'fw_rejected_sources'
:
source_ip
,
'fw_restricted_access'
:
'off'
}
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
assertTrue
(
os
.
path
.
exists
(
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)))
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
rules_list
=
[]
self
.
ip_address_list
=
computer
.
ip_address_list
+
[(
'iface'
,
ip
)
for
ip
in
source_ip
.
split
(
' '
)]
self
.
ip_address_list
=
computer
.
ip_address_list
self
.
ip_address_list
.
append
((
'iface'
,
'10.0.8.15'
))
ip
=
instance
.
full_ip_list
[
0
][
1
]
base_cmd
=
'%s --permanent --direct --add-rule ipv4 filter'
%
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
assertEqual
(
len
(
rules_list
),
len
(
self
.
ip_address_list
)
*
2
+
4
)
rule_input
=
'%s INPUT 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
source_ip
,
ip
)
self
.
assertIn
(
rule_input
,
rules_list
)
self
.
checkRuleFromIpSourceReject
(
ip
,
source_ip
.
split
(
' '
),
rules_list
)
def
test_partition_firewall_ip_change
(
self
):
computer
=
ComputerForTest
(
self
.
software_root
,
self
.
instance_root
)
self
.
setFirewallConfig
()
# For simulate query rule success
self
.
grid
.
firewall_conf
[
'firewall_cmd'
]
=
'/bin/echo "yes" #'
source_ip
=
[
'10.0.8.10'
,
'10.0.8.11'
]
self
.
grid
.
firewall_conf
[
'authorized_sources'
]
=
[
source_ip
[
0
]]
with
httmock
.
HTTMock
(
computer
.
request_handler
):
instance
=
computer
.
instance_list
[
0
]
instance
.
filter_dict
=
{
'fw_restricted_access'
:
'on'
,
'fw_authorized_sources'
:
source_ip
[
1
]}
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
assertTrue
(
os
.
path
.
exists
(
os
.
path
.
join
(
instance
.
partition_path
,
'.slapos-firewalld-rules'
)))
rules_path
=
os
.
path
.
join
(
instance
.
partition_path
,
slapos
.
grid
.
SlapObject
.
Partition
.
partition_firewall_rules_name
)
rules_list
=
[]
self
.
ip_address_list
=
computer
.
ip_address_list
ip
=
instance
.
full_ip_list
[
0
][
1
]
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
checkRuleFromIpSource
(
ip
,
source_ip
,
rules_list
)
instance
=
computer
.
instance_list
[
0
]
# XXX -- removed
#instance.filter_dict = {'fw_restricted_access': 'on',
# 'fw_authorized_sources': source_ip[0]}
rule_fwd
=
'%s FORWARD 0 -s %s -d %s -j ACCEPT'
%
(
base_cmd
,
source_ip
,
ip
)
self
.
assertIn
(
rule_fwd
,
rules_list
)
self
.
grid
.
firewall_conf
[
'authorized_sources'
]
=
[]
computer
.
ip_address_list
.
append
((
'route_interface1'
,
'10.10.8.4'
))
self
.
assertEqual
(
self
.
grid
.
processComputerPartitionList
(),
slapgrid
.
SLAPGRID_SUCCESS
)
self
.
ip_address_list
=
computer
.
ip_address_list
self
.
checkRuleFromIpSource
(
ip
,
rules_list
)
with
open
(
rules_path
,
'r'
)
as
frules
:
rules_list
=
json
.
loads
(
frules
.
read
())
self
.
checkRuleFromIpSource
(
ip
,
[
source_ip
[
1
]],
rules_list
)
\ No newline at end of file
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment