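// Copyright 2017 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.

package network_test

import (
	"time"

	"github.com/juju/clock/testclock"
	"github.com/juju/errors"
	"github.com/juju/go-oracle-cloud/api"
	"github.com/juju/go-oracle-cloud/common"
	"github.com/juju/go-oracle-cloud/response"
	gitjujutesting "github.com/juju/testing"
	gc "gopkg.in/check.v1"

	corenetwork "github.com/juju/juju/core/network"
	"github.com/juju/juju/environs/config"
	"github.com/juju/juju/environs/context"
	jujunetwork "github.com/juju/juju/network"
	"github.com/juju/juju/provider/oracle/network"
	providertest "github.com/juju/juju/provider/oracle/testing"
	"github.com/juju/juju/testing"
)

// firewallSuite exercises network.Firewall against the fake Oracle compute
// API from provider/oracle/testing. Every "...WithErrors" test below walks a
// table of fakes in which exactly one API call fails, and asserts that the
// firewall surfaces that failure instead of reporting success.
type firewallSuite struct {
	gitjujutesting.IsolationSuite

	// callCtx is the provider call context passed to every firewall method
	// that takes one; it is recreated before each test.
	callCtx context.ProviderCallContext
}

var _ = gc.Suite(&firewallSuite{})

// SetUpTest resets the isolation suite and hands out a fresh cloud call
// context so no state leaks between tests.
func (f *firewallSuite) SetUpTest(c *gc.C) {
	f.IsolationSuite.SetUpTest(c)
	f.callCtx = context.NewCloudCallContext()
}

// clk is a test clock frozen at the zero time; advancingClock is the
// auto-advancing wrapper handed to NewFirewall in every test so the code
// under test never depends on wall-clock time.
var clk = testclock.NewClock(time.Time{})
var advancingClock = testclock.AutoAdvancingClock{Clock: clk, Advance: clk.Advance}

// fakeEnvironConfig is the minimal environ-config provider NewFirewall needs:
// it hands back a fixed *config.Config.
type fakeEnvironConfig struct {
	cfg *config.Config
}

// Config returns the wrapped model config.
func (f *fakeEnvironConfig) Config() *config.Config {
	return f.cfg
}

// sampleSecListName is the fixed name the fake composer returns for every
// object in the error-path tables below.
const sampleSecListName = "/Compute-acme/jack.jones@example.com/allowed_video_servers"

// sampleComposer is shared by every error-path fake, so each table entry only
// has to spell out the one API call it wants to fail.
var sampleComposer = providertest.FakeComposer{Compose: sampleSecListName}

// sampleSecRules returns the single permit rule the fake rules API lists when
// a test needs an existing rule for the firewall to delete.
func sampleSecRules() response.AllSecRules {
	return response.AllSecRules{
		Result: []response.SecRule{{
			Action:      common.SecRulePermit,
			Application: "/Compute-acme/jack.jones@example.com/video_streaming_udp",
			Name:        "/Compute-acme/jack.jones@example.com/es_to_videoservers_stream",
			Dst_list:    "seclist:/Compute-acme/jack.jones@example.com/allowed_video_servers",
			Src_list:    "seciplist:/Compute-acme/jack.jones@example.com/es_iplist",
			Uri:         "https://api-z999.compute.us0.oraclecloud.com/secrule/Compute-acme/jack.jones@example.com/es_to_videoservers_stream",
			Src_is_ip:   "true",
			Dst_is_ip:   "false",
		}},
	}
}

// sampleSecApplications returns two Juju-created security applications
// (tcp/17070 and tcp/37017), as the fake application API lists them.
func sampleSecApplications() response.AllSecApplications {
	return response.AllSecApplications{
		Result: []response.SecApplication{
			{
				Description: "Juju created security application",
				Dport:       "17070",
				Name:        "/Compute-a432100/sgiulitti@cloudbase.com/juju-72324bcb-e837-4542-8867-844282af22e3-7993630e-d13b-43a3-850e-a1778c7e394e",
				Protocol:    "tcp",
				Uri:         "https://compute.uscom-central-1.oraclecloud.com/secapplication/Compute-a432100/sgiulitti%40cloudbase.com/juju-72324bcb-e837-4542-8867-844282af22e3-7993630e-d13b-43a3-850e-a1778c7e394e",
				Value1:      17070,
				Value2:      -1,
				Id:          "1869cb17-5b12-49c5-a09a-046da8899bc9",
			},
			{
				Description: "Juju created security application",
				Dport:       "37017",
				Name:        "/Compute-a432100/sgiulitti@cloudbase.com/juju-72324bcb-e837-4542-8867-844282af22e3-ef8a7955-4315-47a2-83c1-8d2978ab77c7",
				Protocol:    "tcp",
				Uri:         "https://compute.uscom-central-1.oraclecloud.com/secapplication/Compute-a432100/sgiulitti%40cloudbase.com/juju-72324bcb-e837-4542-8867-844282af22e3-ef8a7955-4315-47a2-83c1-8d2978ab77c7",
				Value1:      37017,
				Value2:      -1,
				Id:          "cbefdac0-7684-4f81-a575-825c175aa7b4",
			},
		},
	}
}

// sampleDefaultSecApplications returns the six Oracle-provided public
// applications (all, pings, icmp, ping-reply, mysql, ssh) the fake returns
// as the default application set.
func sampleDefaultSecApplications() response.AllSecApplications {
	return response.AllSecApplications{
		Result: []response.SecApplication{
			{
				Name:     "/oracle/public/all",
				Protocol: "all",
				Uri:      "https://compute.uscom-central-1.oraclecloud.com/secapplication/oracle/public/all",
				Value1:   0,
				Value2:   0,
				Id:       "381c2267-1b38-4bbd-b53d-5149deddb094",
			},
			{
				Icmptype: "echo",
				Name:     "/oracle/public/pings",
				Protocol: "icmp",
				Uri:      "https://compute.uscom-central-1.oraclecloud.com/secapplication/oracle/public/pings",
				Value1:   8,
				Value2:   0,
				Id:       "57b0350b-2f02-4a2d-b5ec-cf731de36027",
			},
			{
				Name:     "/oracle/public/icmp",
				Protocol: "icmp",
				Uri:      "https://compute.uscom-central-1.oraclecloud.com/secapplication/oracle/public/icmp",
				Value1:   255,
				Value2:   255,
				Id:       "abb27ccd-1872-48f9-86ef-38c72d6f8a38",
			},
			{
				Icmptype: "reply",
				Name:     "/oracle/public/ping-reply",
				Protocol: "icmp",
				Uri:      "https://compute.uscom-central-1.oraclecloud.com/secapplication/oracle/public/ping-reply",
				Value1:   0,
				Value2:   0,
				Id:       "3ad808d4-b740-42c1-805c-57feb7c96d40",
			},
			{
				Dport:    "3306",
				Name:     "/oracle/public/mysql",
				Protocol: "tcp",
				Uri:      "https://compute.uscom-central-1.oraclecloud.com/secapplication/oracle/public/mysql",
				Value1:   3306,
				Value2:   -1,
				Id:       "2fb5eaff-3127-4334-8b03-367a44bb83bd",
			},
			{
				Dport:    "22",
				Name:     "/oracle/public/ssh",
				Protocol: "tcp",
				Uri:      "https://compute.uscom-central-1.oraclecloud.com/secapplication/oracle/public/ssh",
				Value1:   22,
				Value2:   -1,
				Id:       "5f027043-f6b3-4e1a-b9fa-a10d075744de",
			},
		},
	}
}

// zeroPortRule returns the single 0-0 ingress rule the ClosePorts tests ask
// the firewall to remove.
func zeroPortRule() []jujunetwork.IngressRule {
	return []jujunetwork.IngressRule{{
		PortRange:   corenetwork.PortRange{FromPort: 0, ToPort: 0},
		SourceCIDRs: nil,
	}}
}

// closePortsErrorFakes is the failure table shared by TestClosePortsWithErrors
// and TestClosePortsOnInstance. Each entry makes exactly one API call fail;
// the last one lists a real rule and fails only when it is deleted, so the
// delete error itself must be propagated.
func closePortsErrorFakes() []*providertest.FakeFirewallAPI {
	return []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesErr")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationErr")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllDefaultErr: errors.New("FakeSecIpErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeRules: providertest.FakeRules{
				All:       sampleSecRules(),
				DeleteErr: errors.New("FakeSecRules"),
			},
			FakeApplication: providertest.FakeApplication{
				All:     sampleSecApplications(),
				Default: sampleDefaultSecApplications(),
			},
		},
	}
}

// TestNewFirewall checks that the constructor never returns nil, whether it
// is given nil dependencies or a real config and client.
func (f *firewallSuite) TestNewFirewall(c *gc.C) {
	firewall := network.NewFirewall(nil, nil, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	cli := &api.Client{}
	firewall = network.NewFirewall(cfg, cli, &advancingClock)
	c.Assert(firewall, gc.NotNil)
}

// TestGlobalIngressRules checks the happy path of GlobalIngressRules against
// the default fake API.
func (f *firewallSuite) TestGlobalIngressRules(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	rule, err := firewall.GlobalIngressRules(f.callCtx)
	c.Assert(err, gc.IsNil)
	c.Assert(rule, gc.NotNil)
}

// TestIngressRules checks the happy path of IngressRules against the default
// fake API.
func (f *firewallSuite) TestIngressRules(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	rule, err := firewall.IngressRules(f.callCtx)
	c.Assert(err, gc.IsNil)
	c.Assert(rule, gc.NotNil)
}

// TestIngressRulesWithErrors checks that a failure listing rules,
// applications, default applications or sec-ip lists is reported and that no
// partial rule set is returned alongside the error.
func (f *firewallSuite) TestIngressRulesWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpError")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		rule, err := firewall.IngressRules(f.callCtx)
		c.Assert(err, gc.NotNil)
		c.Assert(rule, gc.IsNil)
	}
}

// TestGlobalIngressRulesWithErrors is the GlobalIngressRules counterpart of
// TestIngressRulesWithErrors: the same four failures, the same expectations.
func (f *firewallSuite) TestGlobalIngressRulesWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpError")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		rule, err := firewall.GlobalIngressRules(f.callCtx)
		c.Assert(err, gc.NotNil)
		c.Assert(rule, gc.IsNil)
	}
}

// TestOpenPorts checks that OpenPorts succeeds with an empty rule set when the
// model's firewall-mode is global.
func (f *firewallSuite) TestOpenPorts(c *gc.C) {
	fakeConfig := testing.CustomModelConfig(c, testing.Attrs{
		"firewall-mode": config.FwGlobal,
	})
	cfg := &fakeEnvironConfig{cfg: fakeConfig}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	err := firewall.OpenPorts(f.callCtx, []jujunetwork.IngressRule{})
	c.Assert(err, gc.IsNil)
}

// TestOpenPortsWithErrors checks that OpenPorts fails when any API call it
// depends on fails (including a seclist that is not found and then cannot be
// created), and that it also fails under the default model config, which does
// not set firewall-mode to global.
func (f *firewallSuite) TestOpenPortsWithErrors(c *gc.C) {
	fakeConfig := testing.CustomModelConfig(c, testing.Attrs{
		"firewall-mode": config.FwGlobal,
	})
	cfg := &fakeEnvironConfig{cfg: fakeConfig}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecList:  providertest.FakeSecList{SecListErr: errors.New("FakeSecListErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecList: providertest.FakeSecList{
				SecListErr: api.ErrNotFound{},
				CreateErr:  errors.New("FakeSecListErr"),
			},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		err := firewall.OpenPorts(f.callCtx, []jujunetwork.IngressRule{})
		c.Assert(err, gc.NotNil)
	}

	// A model config without the global firewall mode must be rejected even
	// when the API itself is healthy.
	cfg = &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	err := firewall.OpenPorts(f.callCtx, []jujunetwork.IngressRule{})
	c.Assert(err, gc.NotNil)
}

// TestClosePorts checks the happy path of ClosePorts with an empty rule set.
func (f *firewallSuite) TestClosePorts(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	err := firewall.ClosePorts(f.callCtx, []jujunetwork.IngressRule{})
	c.Assert(err, gc.IsNil)
}

// TestClosePortsWithErrors checks that ClosePorts reports every failure in
// closePortsErrorFakes, including a rule deletion that fails after the rule
// was listed successfully.
func (f *firewallSuite) TestClosePortsWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	for _, fake := range closePortsErrorFakes() {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		err := firewall.ClosePorts(f.callCtx, zeroPortRule())
		c.Assert(err, gc.NotNil)
	}
}

// TestClosePortsOnInstance is the per-instance counterpart of
// TestClosePortsWithErrors, using the same failure table. The machine id is
// "0", matching every other per-instance call in this file (an earlier
// revision passed "0," by mistake).
func (f *firewallSuite) TestClosePortsOnInstance(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	for _, fake := range closePortsErrorFakes() {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		err := firewall.ClosePortsOnInstance(f.callCtx, "0", zeroPortRule())
		c.Assert(err, gc.NotNil)
	}
}

// TestMachineIngressRules checks the happy path of MachineIngressRules for
// machine "0".
func (f *firewallSuite) TestMachineIngressRules(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	rules, err := firewall.MachineIngressRules(f.callCtx, "0")
	c.Assert(err, gc.IsNil)
	c.Assert(rules, gc.NotNil)
}

// TestMachineIngressRulesWithErrors checks that MachineIngressRules fails when
// listing rules, applications, default applications, sec-ip lists or default
// sec-ip lists fails.
func (f *firewallSuite) TestMachineIngressRulesWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllDefaultErr: errors.New("FakeSecIpError")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		_, err := firewall.MachineIngressRules(f.callCtx, "0")
		c.Assert(err, gc.NotNil)
	}
}

// TestOpenPortsOnInstance checks the happy path of OpenPortsOnInstance with an
// empty rule set.
func (f *firewallSuite) TestOpenPortsOnInstance(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	err := firewall.OpenPortsOnInstance(f.callCtx, "0", []jujunetwork.IngressRule{})
	c.Assert(err, gc.IsNil)
}

// TestOpenPortsOnInstanceWithErrors checks that OpenPortsOnInstance fails on
// the same six API failures as TestOpenPortsWithErrors.
func (f *firewallSuite) TestOpenPortsOnInstanceWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecList:  providertest.FakeSecList{SecListErr: errors.New("FakeSecListErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecList: providertest.FakeSecList{
				SecListErr: api.ErrNotFound{},
				CreateErr:  errors.New("FakeSecListErr"),
			},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		err := firewall.OpenPortsOnInstance(f.callCtx, "0", []jujunetwork.IngressRule{})
		c.Assert(err, gc.NotNil)
	}
}

// TestCreateMachineSecLists checks the happy path of CreateMachineSecLists for
// machine "0" and API port 7070.
func (f *firewallSuite) TestCreateMachineSecLists(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	lists, err := firewall.CreateMachineSecLists("0", 7070)
	c.Assert(err, gc.IsNil)
	c.Assert(lists, gc.NotNil)
}

// TestCreateMachineSecListsWithErrors checks that CreateMachineSecLists fails
// when the seclist lookup fails, when a missing seclist cannot be created, or
// when rules, applications, default applications or sec-ip lists cannot be
// listed.
func (f *firewallSuite) TestCreateMachineSecListsWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeSecList:  providertest.FakeSecList{SecListErr: errors.New("FakeSecListErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecList: providertest.FakeSecList{
				SecListErr: api.ErrNotFound{},
				CreateErr:  errors.New("FakeSecListErr"),
			},
		},
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{AllErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer:    sampleComposer,
			FakeApplication: providertest.FakeApplication{DefaultErr: errors.New("FakeApplicationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecIp:    providertest.FakeSecIp{AllErr: errors.New("FakeSecIpError")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		_, err := firewall.CreateMachineSecLists("0", 7070)
		c.Assert(err, gc.NotNil)
	}
}

// TestDeleteMachineSecList checks the happy path of DeleteMachineSecList for
// machine "0".
func (f *firewallSuite) TestDeleteMachineSecList(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	err := firewall.DeleteMachineSecList("0")
	c.Assert(err, gc.IsNil)
}

// TestDeleteMachineSecListWithErrors checks that DeleteMachineSecList fails
// when associations or rules cannot be listed, when an existing rule cannot
// be deleted, or when the seclist itself cannot be deleted.
func (f *firewallSuite) TestDeleteMachineSecListWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer:    sampleComposer,
			FakeAssociation: providertest.FakeAssociation{AllErr: errors.New("FakeAssociationError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeRules:    providertest.FakeRules{AllErr: errors.New("FakeRulesError")},
		},
		{
			FakeComposer: sampleComposer,
			FakeRules: providertest.FakeRules{
				All:       sampleSecRules(),
				DeleteErr: errors.New("FakeRulesError"),
			},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecList:  providertest.FakeSecList{DeleteErr: errors.New("FakeSecListErr")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		err := firewall.DeleteMachineSecList("0")
		c.Assert(err, gc.NotNil)
	}
}

// TestCreateDefaultACLAndRules checks the happy path of
// CreateDefaultACLAndRules for machine "0".
func (f *firewallSuite) TestCreateDefaultACLAndRules(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)

	acls, err := firewall.CreateDefaultACLAndRules("0")
	c.Assert(err, gc.IsNil)
	c.Assert(acls, gc.NotNil)
}

// TestCreateDefaultACLAndRulesWithErrors checks that CreateDefaultACLAndRules
// fails when the ACL lookup fails, when a missing ACL cannot be created, or
// when security rules cannot be listed or created.
func (f *firewallSuite) TestCreateDefaultACLAndRulesWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeAcl:      providertest.FakeAcl{AclErr: errors.New("FakeAclErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeAcl: providertest.FakeAcl{
				AclErr:    api.ErrNotFound{},
				CreateErr: errors.New("FakeAclErr"),
			},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecRules: providertest.FakeSecRules{AllErr: errors.New("FakeAclErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecRules: providertest.FakeSecRules{CreateErr: errors.New("FakeAclErr")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		_, err := firewall.CreateDefaultACLAndRules("0")
		c.Assert(err, gc.NotNil)
	}
}

// TestRemoveACLAndRules checks the happy path of RemoveACLAndRules for
// machine "0".
func (f *firewallSuite) TestRemoveACLAndRules(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}

	firewall := network.NewFirewall(cfg, providertest.DefaultFakeFirewallAPI, &advancingClock)
	c.Assert(firewall, gc.NotNil)
	err := firewall.RemoveACLAndRules("0")
	c.Assert(err, gc.IsNil)
}

// TestRemoveACLAndRulesWithErrors checks that RemoveACLAndRules fails when
// security rules cannot be listed, when a listed rule cannot be deleted, or
// when the ACL itself cannot be deleted.
func (f *firewallSuite) TestRemoveACLAndRulesWithErrors(c *gc.C) {
	cfg := &fakeEnvironConfig{cfg: testing.ModelConfig(c)}
	for _, fake := range []*providertest.FakeFirewallAPI{
		{
			FakeComposer: sampleComposer,
			FakeSecRules: providertest.FakeSecRules{AllErr: errors.New("FakeSecRulesErr")},
		},
		{
			FakeComposer: sampleComposer,
			FakeSecRules: providertest.FakeSecRules{
				All: response.AllSecurityRules{
					Result: []response.SecurityRule{{
						Name:                   "/Compute-acme/jack.jones@example.com/allowed_video_servers",
						Uri:                    "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/secrule/Compute-acme/jack.jones@example.com/secrule1",
						Description:            "Sample security rule",
						Tags:                   nil,
						Acl:                    "/Compute-acme/jack.jones@example.com/allowed_video_servers",
						FlowDirection:          common.Egress,
						SrcVnicSet:             "/Compute-acme/jack.jones@example.com/vnicset1",
						DstVnicSet:             "/Compute-acme/jack.jones@example.com/vnicset2",
						SrcIpAddressPrefixSets: []string{"/Compute-acme/jack.jones@example.com/ipaddressprefixset1"},
						DstIpAddressPrefixSets: nil,
						SecProtocols:           []string{"/Compute-acme/jack.jones@example.com/secprotocol1"},
						EnabledFlag:            true,
					}},
				},
				DeleteErr: errors.New("FakeSecRulesErr"),
			},
		},
		{
			FakeComposer: sampleComposer,
			FakeAcl:      providertest.FakeAcl{DeleteErr: errors.New("FakeAclErr")},
		},
	} {
		firewall := network.NewFirewall(cfg, fake, &advancingClock)
		c.Assert(firewall, gc.NotNil)

		err := firewall.RemoveACLAndRules("0")
		c.Assert(err, gc.NotNil)
	}
}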