Merge "NSX|P: LB WAF profile support"

2019-04-02 10:04:49 +00:00 · 2019-04-02 10:04:49 +00:00 · 83ade8468a
commit 83ade8468a
parent 912db40ccf 9325965a73
4 changed files with 61 additions and 0 deletions
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@ -521,6 +521,14 @@ nsx_p_opts = nsx_v3_and_p + [
                      "specified. If only one VLAN transport zone is present "
                      "on backend, it will be assumed as default unless this "
                      "value is provided")),
+    cfg.StrOpt('waf_profile',
+               help=_("(Optional) Name or UUID of the default WAF profile to "
+                      "be attached to L7 loadbalancer listeners")),
+    cfg.BoolOpt('waf_protect',
+                default=False,
+                help=_("If True and waf_profile is set, it will be used with "
+                       "protection mode. If False - it will be used only for "
+                       "detection")),
    cfg.BoolOpt('allow_passthrough',
                default=True,
                help=_("If True, use nsx manager api for cases which are not "
--- a/vmware_nsx/plugins/nsx_p/plugin.py
+++ b/vmware_nsx/plugins/nsx_p/plugin.py
@ -248,6 +248,47 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
            az.translate_configured_names_to_uuids(
                self.nsxpolicy, nsxlib=self.nsxlib, search_scope=search_scope)

+        self._waf_profile_uuid = self._init_backend_resource(
+            self.nsxpolicy.waf_profile,
+            cfg.CONF.nsx_p.waf_profile,
+            search_scope=search_scope)
+
+    def _init_backend_resource(self, resource_api, name_or_id,
+                               search_scope=None):
+        resource_type = resource_api.entry_def.resource_type()
+        if not name_or_id:
+            return None
+        try:
+            # Check if the configured value is the ID
+            resource_api.get(name_or_id, silent=True)
+            return name_or_id
+        except nsx_lib_exc.ResourceNotFound:
+            # Search by tags
+            if search_scope:
+                resource_id = self.nsxpolicy.get_id_by_resource_and_tag(
+                    resource_type,
+                    search_scope,
+                    name_or_id)
+                if resource_id:
+                    return resource_id
+
+            # Check if the configured value is the name
+            resource = resource_api.get_by_name(name_or_id)
+            if resource:
+                return resource['id']
+
+        msg = (_("Could not find %(type)s %(id)s") % {
+            'type': resource_type, 'id': name_or_id})
+        raise nsx_exc.NsxPluginException(err_msg=msg)
+
+    def get_waf_profile_path_and_mode(self):
+        path = self.nsxpolicy.waf_profile.get_path(
+            profile_id=self._waf_profile_uuid)
+        mode = (policy_constants.WAF_OPERATIONAL_MODE_PROTECTION
+                if cfg.CONF.nsx_p.waf_protect
+                else policy_constants.WAF_OPERATIONAL_MODE_DETECTION)
+        return path, mode
+
    def _init_dhcp_metadata(self):
        if (cfg.CONF.dhcp_agent_notification and
            cfg.CONF.nsx_p.allow_passthrough):
--- a/vmware_nsx/services/lbaas/nsx_p/implementation/listener_mgr.py
+++ b/vmware_nsx/services/lbaas/nsx_p/implementation/listener_mgr.py
@ -25,6 +25,7 @@ from vmware_nsx.services.lbaas import lb_const
 from vmware_nsx.services.lbaas.nsx_v3.implementation import lb_utils
 from vmware_nsxlib.v3 import exceptions as nsxlib_exc
 from vmware_nsxlib.v3.policy import core_resources
+from vmware_nsxlib.v3.policy import lb_defs
 from vmware_nsxlib.v3 import utils

 LOG = logging.getLogger(__name__)
@ -101,6 +102,15 @@ class EdgeListenerManagerFromDict(base_mgr.NsxpLoadbalancerBaseManager):
            if (listener['protocol'] == lb_const.LB_PROTOCOL_TERMINATED_HTTPS
                and ssl_profile_binding):
                kwargs.update(ssl_profile_binding)
+
+        waf_profile, mode = self.core_plugin.get_waf_profile_path_and_mode()
+        if (waf_profile and (
+            listener['protocol'] == lb_const.LB_PROTOCOL_HTTP or
+            listener['protocol'] == lb_const.LB_PROTOCOL_TERMINATED_HTTPS)):
+            kwargs['waf_profile_binding'] = lb_defs.WAFProfileBindingDef(
+                waf_profile_path=waf_profile,
+                operational_mode=mode)
+
        return kwargs

    def _get_nsxlib_app_profile(self, nsxlib_lb, listener):
--- a/vmware_nsx/tests/unit/nsx_p/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_p/test_plugin.py
@ -63,6 +63,7 @@ DEFAULT_TIER0_ROUTER_UUID = "efad0078-9204-4b46-a2d8-d4dd31ed448f"
 NSX_DHCP_PROFILE_ID = 'DHCP_PROFILE'
 NSX_MD_PROXY_ID = 'MD_PROXY'
 LOGICAL_SWITCH_ID = '00000000-1111-2222-3333-444444444444'
+WAF_PROFILE_ID = 'WAF'


 def _return_id_key(*args, **kwargs):
@ -184,6 +185,7 @@ class NsxPPluginTestCaseMixin(
        cfg.CONF.set_override('default_vlan_tz', NSX_VLAN_TZ_NAME, 'nsx_p')
        cfg.CONF.set_override('dhcp_profile', NSX_DHCP_PROFILE_ID, 'nsx_p')
        cfg.CONF.set_override('metadata_proxy', NSX_MD_PROXY_ID, 'nsx_p')
+        cfg.CONF.set_override('waf_profile', WAF_PROFILE_ID, 'nsx_p')
        cfg.CONF.set_override('dhcp_agent_notification', False)

    def _create_network(self, fmt, name, admin_state_up,