Add methods for firewall section and rule

1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules

Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
This commit is contained in:
Danting Liu 2017-02-27 22:05:58 -08:00
parent 3e5f2e324a
commit 576bac2ae0
2 changed files with 123 additions and 0 deletions


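--- /dev/null
+++ b/TEST_FILE_PATH_PLACEHOLDER
@@ -0,0 +1,83 @@
+# Copyright (c) 2015 OpenStack Foundation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import mock
+from vmware_nsxlib.tests.unit.v3 import nsxlib_testcase
+class TestNsxLibFirewallSection(nsxlib_testcase.NsxLibTestCase):
+"""Tests for vmware_nsxlib.v3.security.NsxLibFirewallSection"""
+def test_get_logicalport_reference(self):
+mock_port = '3ed55c9f-f879-4048-bdd3-eded92465252'
+result = self.nsxlib.firewall_section.get_logicalport_reference(
+mock_port)
+expected = {
+'target_id': '3ed55c9f-f879-4048-bdd3-eded92465252',
+'target_type': 'LogicalPort'
+}
+self.assertEqual(expected, result)
+def test_get_rule_address(self):
+result = self.nsxlib.firewall_section.get_rule_address(
+'target-id', 'display-name')
+expected = {
+'target_display_name': 'display-name',
+'target_id': 'target-id',
+'is_valid': True,
+'target_type': 'IPv4Address'
+}
+self.assertEqual(expected, result)
+def test_get_l4portset_nsservice(self):
+result = self.nsxlib.firewall_section.get_l4portset_nsservice()
+expected = {
+'service': {
+'resource_type': 'L4PortSetNSService',
+'source_ports': [],
+'destination_ports': [],
+'l4_protocol': 'TCP'
+}
+}
+self.assertEqual(expected, result)
+def test_create_with_rules(self):
+expected_body = {
+'display_name': 'display-name',
+'description': 'section-description',
+'stateful': True,
+'section_type': "LAYER3",
+'applied_tos': [],
+'rules': [{
+'display_name': 'rule-name',
+'direction': 'IN_OUT',
+'ip_protocol': "IPV4_IPV6",
+'action': "ALLOW",
+'logged': False,
+'disabled': False,
+'sources': [],
+'destinations': [],
+'services': []
+}],
+'tags': []
+}
+with mock.patch.object(self.nsxlib.client, 'create') as create:
+rule = self.nsxlib.firewall_section.get_rule_dict('rule-name')
+self.nsxlib.firewall_section.create_with_rules(
+'display-name', 'section-description', rules=[rule])
+resource = 'firewall/sections?operation=insert_bottom' \
+'&action=create_with_rules'
+create.assert_called_with(resource, expected_body)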
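Review bot: The new tests only exercise each helper's default path, so the fallback branches the second file adds stay unverified: `test_get_rule_address` never checks that an omitted display_name is rendered as an empty string, and `test_get_l4portset_nsservice` never passes sources or destinations, so the `or []` substitution is untested. `test_create_with_rules` likewise covers only the rules branch; a second call with `rules=None` should assert that the resource has no `&action=create_with_rules` suffix and the body carries `'rules': []`, and a call with `other_section` set should assert the `&id=` suffix. For the first gap one assertion suffices, e.g. `self.assertEqual('', self.nsxlib.firewall_section.get_rule_address('target-id')['target_display_name'])`. The `mock_port` name in `test_get_logicalport_reference` is also misleading for a plain string literal; `port_id` would read better.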


@ -316,6 +316,25 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
resource += '&id=%s' % other_section
return self.client.create(resource, body)
def create_with_rules(self, display_name, description, applied_tos=None,
tags=None, operation=consts.FW_INSERT_BOTTOM,
other_section=None, rules=None):
resource = 'firewall/sections?operation=%s' % operation
body = {
'display_name': display_name,
'description': description,
'stateful': True,
'section_type': consts.FW_SECTION_LAYER3,
'applied_tos': applied_tos or [],
'rules': rules or [],
'tags': tags or []
}
if rules:
resource += '&action=create_with_rules'
if other_section:
resource += '&id=%s' % other_section
return self.client.create(resource, body)
def update(self, section_id, display_name=None, description=None,
applied_tos=None, rules=None, tags_update=None):
# Using internal method so we can access max_attempts in the decorator
@ -363,6 +382,10 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
return {'target_id': nsgroup_id,
'target_type': consts.NSGROUP}
def get_logicalport_reference(self, port_id):
return {'target_id': port_id,
'target_type': consts.TARGET_TYPE_LOGICAL_PORT}
def get_ip_cidr_reference(self, ip_cidr_block, ip_protocol):
target_type = (consts.TARGET_TYPE_IPV4ADDRESS
if ip_protocol == consts.IPV4
@ -370,6 +393,23 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
return {'target_id': ip_cidr_block,
'target_type': target_type}
def get_rule_address(self, target_id, display_name=None, is_valid=True,
target_type=consts.TARGET_TYPE_IPV4ADDRESS):
return {'target_display_name': display_name or '',
'target_id': target_id,
'is_valid': is_valid,
'target_type': target_type}
def get_l4portset_nsservice(self, sources=None, destinations=None,
protocol=consts.TCP):
return {
'service': {
'resource_type': 'L4PortSetNSService',
'source_ports': sources or [],
'destination_ports': destinations or [],
'l4_protocol': protocol}
}
def get_rule_dict(self, display_name, sources=None, destinations=None,
direction=consts.IN_OUT, ip_protocol=consts.IPV4_IPV6,
services=None, action=consts.FW_ACTION_ALLOW,