github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/enforcer/acls/ports_test.go (about) 1 // +build !windows 2 3 package acls 4 5 import ( 6 "testing" 7 8 . "github.com/smartystreets/goconvey/convey" 9 "go.aporeto.io/enforcerd/trireme-lib/policy" 10 ) 11 12 func TestEmptyPortListLookup(t *testing.T) { 13 14 Convey("Given an empty port action list", t, func() { 15 pl := &portActionList{} 16 17 Convey("When I lookup for a matching port, I should not get any result", func() { 18 r, p, err := pl.lookup(10, nil) 19 So(err, ShouldNotBeNil) 20 So(r, ShouldBeNil) 21 So(p, ShouldBeNil) 22 }) 23 }) 24 } 25 26 func TestPortListLookup(t *testing.T) { 27 28 rule := policy.IPRule{ 29 Addresses: []string{"172.0.0.0/8"}, 30 Ports: []string{"1:999"}, 31 Protocols: []string{"tcp"}, 32 Policy: &policy.FlowPolicy{ 33 Action: policy.Accept, 34 PolicyID: "portMatch", 35 }, 36 } 37 38 Convey("Given a non-empty port action list", t, func() { 39 var pl portActionList 40 for _, port := range rule.Ports { 41 pa, err := newPortAction(port, rule.Policy, false) 42 43 So(err, ShouldBeNil) 44 So(pa, ShouldNotBeNil) 45 46 pl = append(pl, pa) 47 } 48 49 Convey("When I lookup for a non matching port, I should get error", func() { 50 r, p, err := pl.lookup(0, nil) 51 So(err, ShouldNotBeNil) 52 So(r, ShouldBeNil) 53 So(p, ShouldBeNil) 54 }) 55 56 Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() { 57 r, p, err := pl.lookup(0, &policy.FlowPolicy{ 58 Action: policy.Accept, 59 PolicyID: "portPreMatch"}, 60 ) 61 So(err, ShouldNotBeNil) 62 So(r, ShouldNotBeNil) 63 So(r.Action, ShouldEqual, policy.Accept) 64 So(r.PolicyID, ShouldEqual, "portPreMatch") 65 So(p, ShouldBeNil) 66 }) 67 68 Convey("When I lookup for a matching port, I should get accept", func() { 69 r, p, err := pl.lookup(10, nil) 70 So(err, ShouldBeNil) 71 So(r.Action, ShouldEqual, policy.Accept) 72 So(r.PolicyID, ShouldEqual, "portMatch") 73 So(p.Action, ShouldEqual, policy.Accept) 74 So(p.PolicyID, ShouldEqual, "portMatch") 75 }) 76 77 Convey("When I lookup for a matching port, and a report action, packet must be reported with no error", func() { 78 r, p, err := pl.lookup(10, &policy.FlowPolicy{ 79 Action: policy.Accept, 80 PolicyID: "portPreMatch"}, 81 ) 82 So(err, ShouldBeNil) 83 So(r, ShouldNotBeNil) 84 So(r.Action, ShouldEqual, policy.Accept) 85 So(r.PolicyID, ShouldEqual, "portPreMatch") 86 So(p, ShouldNotBeNil) 87 So(p.Action, ShouldEqual, policy.Accept) 88 So(p.PolicyID, ShouldEqual, "portMatch") 89 }) 90 }) 91 } 92 93 func TestPortListLookupObservedPolicyContinue(t *testing.T) { 94 95 rule := policy.IPRule{ 96 Addresses: []string{"172.0.0.0/8"}, 97 Ports: []string{"1:999"}, 98 Protocols: []string{"tcp"}, 99 Policy: &policy.FlowPolicy{ 100 ObserveAction: policy.ObserveContinue, 101 Action: policy.Accept, 102 PolicyID: "portMatch", 103 }, 104 } 105 106 Convey("Given a non-empty port action list", t, func() { 107 var pl portActionList 108 for _, port := range rule.Ports { 109 pa, err := newPortAction(port, rule.Policy, false) 110 So(err, ShouldBeNil) 111 So(pa, ShouldNotBeNil) 112 113 pl = append(pl, pa) 114 } 115 116 Convey("When I lookup for a non matching port, I should get error", func() { 117 r, p, err := pl.lookup(0, nil) 118 So(err, ShouldNotBeNil) 119 So(r, ShouldBeNil) 120 So(p, ShouldBeNil) 121 }) 122 123 Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() { 124 r, p, err := pl.lookup(0, &policy.FlowPolicy{ 125 Action: policy.Accept, 126 PolicyID: "portPreMatch"}, 127 ) 128 So(err, ShouldNotBeNil) 129 So(r, ShouldNotBeNil) 130 So(r.Action, ShouldEqual, policy.Accept) 131 So(r.PolicyID, ShouldEqual, "portPreMatch") 132 So(p, ShouldBeNil) 133 }) 134 135 Convey("When I lookup for a matching port with observed policy, I should get report but no packet action and error ", func() { 136 r, p, err := pl.lookup(10, nil) 137 So(err, ShouldEqual, ErrNoMatch) 138 So(r.ObserveAction, ShouldEqual, policy.ObserveContinue) 139 So(r.Action, ShouldEqual, policy.Accept) 140 So(r.PolicyID, ShouldEqual, "portMatch") 141 So(p, ShouldBeNil) 142 }) 143 144 Convey("When I lookup for a matching port with observed policy and pre-existing report, I should get unmodified report but no packet action and error ", func() { 145 r, p, err := pl.lookup(10, &policy.FlowPolicy{ 146 Action: policy.Accept, 147 PolicyID: "portPreMatch", 148 }) 149 So(err, ShouldEqual, ErrNoMatch) 150 So(r.ObserveAction, ShouldEqual, policy.ObserveNone) 151 So(r.Action, ShouldEqual, policy.Accept) 152 So(r.PolicyID, ShouldEqual, "portPreMatch") 153 So(p, ShouldBeNil) 154 }) 155 }) 156 } 157 158 func TestPortListLookupObservedPolicyApply(t *testing.T) { 159 160 rule := policy.IPRule{ 161 Addresses: []string{"172.0.0.0/8"}, 162 Ports: []string{"1:999"}, 163 Protocols: []string{"tcp"}, 164 Policy: &policy.FlowPolicy{ 165 ObserveAction: policy.ObserveApply, 166 Action: policy.Accept, 167 PolicyID: "portMatch", 168 }, 169 } 170 171 Convey("Given a non-empty port action list", t, func() { 172 var pl portActionList 173 for _, port := range rule.Ports { 174 pa, err := newPortAction(port, rule.Policy, false) 175 So(err, ShouldBeNil) 176 So(pa, ShouldNotBeNil) 177 178 pl = append(pl, pa) 179 } 180 181 Convey("When I lookup for a non matching port, I should get error", func() { 182 r, p, err := pl.lookup(0, nil) 183 So(err, ShouldNotBeNil) 184 So(r, ShouldBeNil) 185 So(p, ShouldBeNil) 186 }) 187 188 Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() { 189 r, p, err := pl.lookup(0, &policy.FlowPolicy{ 190 Action: policy.Accept, 191 PolicyID: "portPreMatch"}, 192 ) 193 So(err, ShouldNotBeNil) 194 So(r, ShouldNotBeNil) 195 So(r.Action, ShouldEqual, policy.Accept) 196 So(r.PolicyID, ShouldEqual, "portPreMatch") 197 So(p, ShouldBeNil) 198 }) 199 200 Convey("When I lookup for a matching port with observed policy apply, I should get report and packet action and no error ", func() { 201 r, p, err := pl.lookup(10, nil) 202 203 So(err, ShouldBeNil) 204 205 So(r.ObserveAction, ShouldEqual, policy.ObserveApply) 206 So(r.Action, ShouldEqual, policy.Accept) 207 So(r.PolicyID, ShouldEqual, "portMatch") 208 209 So(p.ObserveAction, ShouldEqual, policy.ObserveApply) 210 So(p.Action, ShouldEqual, policy.Accept) 211 So(p.PolicyID, ShouldEqual, "portMatch") 212 }) 213 214 Convey("When I lookup for a matching port with observed policy and pre-existing report, I should get unmodified report, packet action and no error ", func() { 215 r, p, err := pl.lookup(10, &policy.FlowPolicy{ 216 Action: policy.Accept, 217 PolicyID: "portPreMatch", 218 }) 219 220 So(err, ShouldBeNil) 221 222 So(r.ObserveAction, ShouldEqual, policy.ObserveNone) 223 So(r.Action, ShouldEqual, policy.Accept) 224 So(r.PolicyID, ShouldEqual, "portPreMatch") 225 226 So(p.ObserveAction, ShouldEqual, policy.ObserveApply) 227 So(p.Action, ShouldEqual, policy.Accept) 228 So(p.PolicyID, ShouldEqual, "portMatch") 229 }) 230 }) 231 } 232 233 func TestPortListWithNomatchLookup(t *testing.T) { 234 235 rule := policy.IPRule{ 236 Addresses: []string{"0.0.0.0/1", "128.0.0.0/1", "!172.0.0.0/8"}, 237 Ports: []string{"1:999"}, 238 Protocols: []string{"tcp"}, 239 Policy: &policy.FlowPolicy{ 240 Action: policy.Accept, 241 PolicyID: "portMatch", 242 }, 243 } 244 245 Convey("Given a non-empty port action list", t, func() { 246 var pl portActionList 247 for _, port := range rule.Ports { 248 pa, err := newPortAction(port, rule.Policy, true) 249 250 So(err, ShouldBeNil) 251 So(pa, ShouldNotBeNil) 252 253 pl = append(pl, pa) 254 } 255 256 Convey("When I lookup for a non matching port, I should get error", func() { 257 r, p, err := pl.lookup(0, nil) 258 So(err, ShouldNotBeNil) 259 So(r, ShouldBeNil) 260 So(p, ShouldBeNil) 261 }) 262 263 Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() { 264 r, p, err := pl.lookup(0, &policy.FlowPolicy{ 265 Action: policy.Accept, 266 PolicyID: "portPreMatch"}, 267 ) 268 So(err, ShouldNotBeNil) 269 So(r, ShouldNotBeNil) 270 So(r.Action, ShouldEqual, policy.Accept) 271 So(r.PolicyID, ShouldEqual, "portPreMatch") 272 So(p, ShouldBeNil) 273 }) 274 275 Convey("When I lookup for a matching port, I should get no match", func() { 276 r, p, err := pl.lookup(10, nil) 277 So(err, ShouldNotBeNil) 278 So(r, ShouldBeNil) 279 So(p, ShouldBeNil) 280 }) 281 282 Convey("When I lookup for a matching port, I should get no match but the unmodified reported flow input", func() { 283 r, p, err := pl.lookup(10, &policy.FlowPolicy{ 284 Action: policy.Accept, 285 PolicyID: "portPreMatch"}, 286 ) 287 So(err, ShouldNotBeNil) 288 So(r, ShouldNotBeNil) 289 So(r.Action, ShouldEqual, policy.Accept) 290 So(r.PolicyID, ShouldEqual, "portPreMatch") 291 So(p, ShouldBeNil) 292 }) 293 }) 294 }