github.com/vmware/go-vcloud-director/v2@v2.24.0/govcd/nsxv_firewall_test.go (about) 1 //go:build nsxv || edge || firewall || functional || ALL 2 3 /* 4 * Copyright 2019 VMware, Inc. All rights reserved. Licensed under the Apache v2 License. 5 */ 6 7 package govcd 8 9 import ( 10 "github.com/vmware/go-vcloud-director/v2/types/v56" 11 . "gopkg.in/check.v1" 12 ) 13 14 // Test_NsxvFirewallRuleGatewayInterfaces tests firewall rule creation based on vNics (gateway 15 // interfaces in UI) 16 func (vcd *TestVCD) Test_NsxvFirewallRuleGatewayInterfaces(check *C) { 17 firewallRuleConfig := &types.EdgeFirewallRule{ 18 Name: "test-firewall-interface", 19 Source: types.EdgeFirewallEndpoint{ 20 VnicGroupIds: []string{"vnic-0"}, 21 }, 22 Destination: types.EdgeFirewallEndpoint{ 23 Exclude: true, 24 }, 25 Application: types.EdgeFirewallApplication{ 26 Services: []types.EdgeFirewallApplicationService{ 27 { 28 Protocol: "tcp", 29 Port: "55", 30 SourcePort: "44", 31 }, 32 { 33 Protocol: "icmp", 34 }, 35 }, 36 }, 37 Enabled: true, 38 LoggingEnabled: false, 39 Action: "accept", 40 } 41 42 test_NsxvFirewallRule(check, vcd, firewallRuleConfig) 43 } 44 45 // Test_NsxvFirewallRuleIpAddresses tests firewall rule creation based on IP addresses 46 func (vcd *TestVCD) Test_NsxvFirewallRuleIpAddresses(check *C) { 47 firewallRuleConfig := &types.EdgeFirewallRule{ 48 Name: "test-firewall-ips", 49 Source: types.EdgeFirewallEndpoint{ 50 IpAddresses: []string{"1.1.1.1", "2.2.2.2/24"}, 51 }, 52 Destination: types.EdgeFirewallEndpoint{ 53 // Excludes works like a boolean ! (not) for a specified list of objects 54 Exclude: true, 55 IpAddresses: []string{"any"}, // "any" is a keyword that matches all 56 }, 57 Application: types.EdgeFirewallApplication{ 58 Services: []types.EdgeFirewallApplicationService{ 59 { 60 Protocol: "tcp", 61 Port: "55", 62 SourcePort: "44", 63 }, 64 { 65 Protocol: "icmp", 66 }, 67 }, 68 }, 69 Enabled: true, 70 LoggingEnabled: false, 71 Action: "accept", 72 } 73 74 test_NsxvFirewallRule(check, vcd, firewallRuleConfig) 75 } 76 77 // Test_NsxvFirewallRuleIpSets tests firewall rule creation based on IP set IDs 78 func (vcd *TestVCD) Test_NsxvFirewallRuleIpSets(check *C) { 79 if vcd.config.VCD.Org == "" { 80 check.Skip(check.TestName() + ": Org name not given") 81 return 82 } 83 if vcd.config.VCD.Vdc == "" { 84 check.Skip(check.TestName() + ": VDC name not given") 85 return 86 } 87 88 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 89 check.Assert(err, IsNil) 90 check.Assert(org, NotNil) 91 92 vdc, err := org.GetVDCByName(vcd.config.VCD.Vdc, false) 93 check.Assert(err, IsNil) 94 check.Assert(vdc, NotNil) 95 96 // IP set based firewall rule 97 // Create two IP sets 98 ipSetConfig1 := &types.EdgeIpSet{ 99 Name: "test-ipset-1", 100 IPAddresses: "10.10.10.1", 101 InheritanceAllowed: addrOf(true), // Must be true to allow using it in firewall rule 102 } 103 104 ipSetConfig2 := &types.EdgeIpSet{ 105 Name: "test-ipset-2", 106 IPAddresses: "192.168.1.1-192.168.1.200", 107 InheritanceAllowed: addrOf(true), // Must be true to allow using it in firewall rule 108 } 109 110 // Set parent entity and create two IP sets for usage in firewall rule 111 ipSetParentEntity := vcd.org.Org.Name + "|" + vcd.vdc.Vdc.Name 112 ipSet1, err := vdc.CreateNsxvIpSet(ipSetConfig1) 113 check.Assert(err, IsNil) 114 AddToCleanupList(ipSet1.Name, "ipSet", ipSetParentEntity, check.TestName()) 115 check.Assert(ipSet1.ID, Matches, `.*:ipset-\d.*`) 116 117 ipSet2, err := vdc.CreateNsxvIpSet(ipSetConfig2) 118 check.Assert(err, IsNil) 119 AddToCleanupList(ipSet2.Name, "ipSet", ipSetParentEntity, check.TestName()) 120 check.Assert(ipSet2.ID, Matches, `.*:ipset-\d.*`) 121 122 firewallRuleConfig := &types.EdgeFirewallRule{ 123 Name: "test-firewall-ipsets", 124 Enabled: true, 125 LoggingEnabled: false, 126 Action: "deny", 127 Source: types.EdgeFirewallEndpoint{ 128 GroupingObjectIds: []string{ipSet1.ID}, 129 }, 130 Destination: types.EdgeFirewallEndpoint{ 131 GroupingObjectIds: []string{ipSet1.ID}, 132 }, 133 } 134 135 test_NsxvFirewallRule(check, vcd, firewallRuleConfig) 136 } 137 138 // Test_NsxvFirewallRuleVms tests firewall rule creation based on VM 139 func (vcd *TestVCD) Test_NsxvFirewallRuleVms(check *C) { 140 if vcd.skipVappTests { 141 check.Skip("Skipping test because vapp wasn't properly created") 142 } 143 144 vapp := vcd.findFirstVapp() 145 if vapp.VApp.Name == "" { 146 check.Skip("Disabled: No suitable vApp found in vDC") 147 } 148 vm, _ := vcd.findFirstVm(vapp) 149 if vm.Name == "" { 150 check.Skip("Disabled: No suitable VM found in vDC") 151 } 152 153 firewallRuleConfig := &types.EdgeFirewallRule{ 154 Name: "test-firewall-vms", 155 Source: types.EdgeFirewallEndpoint{ 156 GroupingObjectIds: []string{vm.ID}, 157 }, 158 Destination: types.EdgeFirewallEndpoint{ 159 Exclude: true, 160 IpAddresses: []string{"any"}, 161 }, 162 Application: types.EdgeFirewallApplication{ 163 Services: []types.EdgeFirewallApplicationService{ 164 { 165 Protocol: "tcp", 166 Port: "55", 167 SourcePort: "44", 168 }, 169 { 170 Protocol: "icmp", 171 }, 172 }, 173 }, 174 Enabled: true, 175 LoggingEnabled: false, 176 Action: "accept", 177 } 178 179 test_NsxvFirewallRule(check, vcd, firewallRuleConfig) 180 } 181 182 // test_NsxvFirewallRule does the test work for a given fwConfig of *types.EdgeFirewallRule 183 // The tests performed consist of the following steps: 184 // 1. Creates a firewall rule (as per specified config) 185 // 2. Retrieve the rule by ID 186 // 3. Perform an update for the firewall rule 187 // 4. Creates a second firewall rule above the first one 188 // 5. Ensures the positions of both rules are correct (second is above first one) 189 // 6. Deletes both firewall rules 190 // 7. Validates that none are found anymore 191 func test_NsxvFirewallRule(check *C, vcd *TestVCD, fwConfig *types.EdgeFirewallRule) { 192 if vcd.config.VCD.EdgeGateway == "" { 193 check.Skip(check.TestName() + ": no edge gateway given") 194 } 195 if vcd.config.VCD.Org == "" { 196 check.Skip(check.TestName() + ": Org name not given") 197 return 198 } 199 if vcd.config.VCD.Vdc == "" { 200 check.Skip(check.TestName() + ": VDC name not given") 201 return 202 } 203 204 org, err := vcd.client.GetOrgByName(vcd.config.VCD.Org) 205 check.Assert(err, IsNil) 206 check.Assert(org, NotNil) 207 208 vdc, err := org.GetVDCByName(vcd.config.VCD.Vdc, false) 209 check.Assert(err, IsNil) 210 check.Assert(vdc, NotNil) 211 212 edge, err := vcd.vdc.GetEdgeGatewayByName(vcd.config.VCD.EdgeGateway, false) 213 check.Assert(err, IsNil) 214 check.Assert(edge.EdgeGateway.Name, Equals, vcd.config.VCD.EdgeGateway) 215 216 firewallRule := fwConfig 217 218 createdFwRule, err := edge.CreateNsxvFirewallRule(firewallRule, "") 219 check.Assert(err, IsNil) 220 221 parentEntity := vcd.org.Org.Name + "|" + vcd.vdc.Vdc.Name + "|" + vcd.config.VCD.EdgeGateway 222 AddToCleanupList(createdFwRule.ID, "nsxvFirewallRule", parentEntity, check.TestName()) 223 224 gotFwRule, err := edge.GetNsxvFirewallRuleById(createdFwRule.ID) 225 check.Assert(err, IsNil) 226 check.Assert(gotFwRule, NotNil) 227 check.Assert(gotFwRule, DeepEquals, createdFwRule) 228 check.Assert(gotFwRule.ID, Equals, createdFwRule.ID) 229 230 // Set ID and update firewall rule with description 231 firewallRule.ID = gotFwRule.ID 232 firewallRule.Source = types.EdgeFirewallEndpoint{ 233 IpAddresses: []string{"any"}, 234 } 235 firewallRule.Destination = types.EdgeFirewallEndpoint{ 236 IpAddresses: []string{"14.14.14.0/24", "17.17.17.0/24"}, 237 } 238 updatedFwRule, err := edge.UpdateNsxvFirewallRule(firewallRule) 239 check.Assert(err, IsNil) 240 check.Assert(updatedFwRule, NotNil) 241 242 // Check that boolean 'exclude' value was set to false during update 243 check.Assert(updatedFwRule.Destination.Exclude, Equals, false) 244 245 // Check if the objects are deeply equal (except updated 'Source' and 'Destination') 246 createdFwRule.Source = firewallRule.Source 247 createdFwRule.Destination = firewallRule.Destination 248 249 check.Assert(updatedFwRule, DeepEquals, createdFwRule) 250 251 // Add a second rule above the previous one 252 253 firewallRule2 := &types.EdgeFirewallRule{ 254 Name: "test-firewall-above", 255 Source: types.EdgeFirewallEndpoint{ 256 VnicGroupIds: []string{"vnic-0"}, 257 }, 258 Destination: types.EdgeFirewallEndpoint{ 259 Exclude: true, 260 }, 261 Application: types.EdgeFirewallApplication{ 262 Services: []types.EdgeFirewallApplicationService{ 263 { 264 Protocol: "any", 265 }, 266 }, 267 }, 268 Enabled: true, 269 LoggingEnabled: false, 270 Action: "deny", 271 } 272 273 // Create rule 2 above rule 1 274 createdFwRule2, err := edge.CreateNsxvFirewallRule(firewallRule2, createdFwRule.ID) 275 check.Assert(err, IsNil) 276 AddToCleanupList(createdFwRule2.ID, "nsxvFirewallRule", parentEntity, check.TestName()) 277 278 // Check rule order and ensure rule 2 is above rule 1 in the list 279 allFirewallRules, err := edge.GetAllNsxvFirewallRules() 280 check.Assert(err, IsNil) 281 var foundRule1BelowRule2, foundRule2AboveRule1 bool 282 for _, rule := range allFirewallRules { 283 if rule.ID == createdFwRule2.ID { 284 foundRule2AboveRule1 = true 285 } 286 if foundRule2AboveRule1 && rule.ID == createdFwRule.ID { 287 foundRule1BelowRule2 = true 288 } 289 } 290 check.Assert(foundRule1BelowRule2, Equals, true) 291 check.Assert(foundRule2AboveRule1, Equals, true) 292 293 // Remove all rules 294 err = edge.DeleteNsxvFirewallRuleById(gotFwRule.ID) 295 check.Assert(err, IsNil) 296 297 err = edge.DeleteNsxvFirewallRuleById(createdFwRule2.ID) 298 check.Assert(err, IsNil) 299 300 // Ensure these rule do not exist anymore 301 _, err = edge.GetNsxvFirewallRuleById(createdFwRule.ID) 302 check.Assert(err, Equals, ErrorEntityNotFound) 303 304 _, err = edge.GetNsxvFirewallRuleById(createdFwRule2.ID) 305 check.Assert(err, Equals, ErrorEntityNotFound) 306 307 }