Add Policy support for WAF profiles

WAF profiles & binding & adding those the LB virtual servers Change-Id: I2e894cd30d27ff332aa729b04c3706450ebd61eb
2019-03-14 14:24:34 +02:00 · 2019-03-14 14:24:34 +02:00 · 58226d60e1
parent 0895bfa5e8
commit 58226d60e1
8 changed files with 96 additions and 2 deletions
--- a/vmware_nsxlib/tests/unit/v3/policy/test_lb_resources.py
+++ b/vmware_nsxlib/tests/unit/v3/policy/test_lb_resources.py
@ -652,15 +652,22 @@ class TestPolicyLBVirtualServer(test_resources.NsxPolicyLibTestCase):
        name = 'd1'
        description = 'desc'
        obj_id = '111'
+        waf_profile_id = 'waf'
+        waf_profile_path = self.policy_lib.waf_profile.get_path(
+            profile_id=waf_profile_id, tenant=TEST_TENANT)
+        waf_profile_binding = lb_defs.WAFProfileBindingDef(
+            waf_profile_path=waf_profile_path)
        with mock.patch.object(self.policy_api,
                               "create_or_update") as api_call:
            result = self.resourceApi.create_or_overwrite(
                name,
                virtual_server_id=obj_id,
+                waf_profile_binding=waf_profile_binding,
                description=description,
                tenant=TEST_TENANT)
            expected_def = lb_defs.LBVirtualServerDef(
                virtual_server_id=obj_id, name=name, description=description,
+                waf_profile_binding=waf_profile_binding,
                tenant=TEST_TENANT)
            self.assert_called_with_def(api_call, expected_def)
            self.assertEqual(obj_id, result)
--- a/vmware_nsxlib/tests/unit/v3/policy/test_resources.py
+++ b/vmware_nsxlib/tests/unit/v3/policy/test_resources.py
@ -3262,6 +3262,14 @@ class TestPolicyMacDiscoveryProfile(TestPolicySegmentProfileBase):
            resource_def=core_defs.MacDiscoveryProfileDef)


+class TestPolicyWAFProfile(TestPolicySegmentProfileBase):
+
+    def setUp(self):
+        super(TestPolicyWAFProfile, self).setUp(
+            resource_api_name='waf_profile',
+            resource_def=core_defs.WAFProfileDef)
+
+
 class TestPolicySegmentSecurityProfile(TestPolicySegmentProfileBase):

    def test_create_with_params(self):
--- a/vmware_nsxlib/v3/policy/init.py
+++ b/vmware_nsxlib/v3/policy/init.py
@ -94,6 +94,8 @@ class NsxPolicyLib(lib.NsxLibBase):
            core_resources.NsxIpDiscoveryProfileApi(*args))
        self.mac_discovery_profile = (
            core_resources.NsxMacDiscoveryProfileApi(*args))
+        self.waf_profile = (
+            core_resources.NsxWAFProfileApi(*args))
        self.segment_port_security_profiles = (
            core_resources.SegmentPortSecurityProfilesBindingMapApi(
                *args))
--- a/vmware_nsxlib/v3/policy/constants.py
+++ b/vmware_nsxlib/v3/policy/constants.py
@ -72,3 +72,17 @@ IPV6_RA_MODE_DISABLED = "DISABLED"
 IPV6_RA_MODE_SLAAC_RA = "SLAAC_DNS_THROUGH_RA"
 IPV6_RA_MODE_SLAAC_DHCP = "SLAAC_DNS_THROUGH_DHCP"
 IPV6_RA_MODE_DHCP = "DHCP_ADDRESS_AND_DNS_THROUGH_DHCP"
+
+# WAF operational mode types
+WAF_OPERATIONAL_MODE_DETECTION = 'DETECTION'
+WAF_OPERATIONAL_MODE_PROTECTION = 'PROTECTION'
+WAF_OPERATIONAL_MODE_DISABLED = 'DISABLED'
+
+# WAF debug log level types
+WAF_LOG_LEVEL_NO_LOG = 'NO_LOG'
+WAF_LOG_LEVEL_ERROR = 'ERROR'
+WAF_LOG_LEVEL_WARNING = 'WARNING'
+WAF_LOG_LEVEL_NOTICE = 'NOTICE'
+WAF_LOG_LEVEL_INFO = 'INFO'
+WAF_LOG_LEVEL_DETAIL = 'DETAIL'
+WAF_LOG_LEVEL_EVERYTHING = 'EVERYTHING'
--- a/vmware_nsxlib/v3/policy/core_defs.py
+++ b/vmware_nsxlib/v3/policy/core_defs.py
@ -47,6 +47,8 @@ MAC_DISCOVERY_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
                                       "mac-discovery-profiles/")
 IPV6_NDRA_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
                                   "ipv6-ndra-profiles/")
+WAF_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
+                             "waf-profiles/")
 CERTIFICATE_PATH_PATTERN = TENANTS_PATH_PATTERN + "certificates/"

 REALIZATION_PATH = "infra/realized-state/realized-entities?intent_path=%s"
@ -1624,6 +1626,29 @@ class DhcpRelayConfigDef(ResourceDef):
        return body


+class WAFProfileDef(ResourceDef):
+    @property
+    def path_pattern(self):
+        return WAF_PROFILES_PATH_PATTERN
+
+    @property
+    def path_ids(self):
+        return ('tenant', 'profile_id')
+
+    @staticmethod
+    def resource_type():
+        return 'WAFProfile'
+
+    def path_defs(self):
+        return (TenantDef,)
+
+    def get_obj_dict(self):
+        body = super(WAFProfileDef, self).get_obj_dict()
+        # TODO(asarfaty): add all attributes here.
+        # Currently used for read only
+        return body
+
+
 class CertificateDef(ResourceDef):

    @property
--- a/vmware_nsxlib/v3/policy/core_resources.py
+++ b/vmware_nsxlib/v3/policy/core_resources.py
@ -3082,10 +3082,11 @@ class NsxSegmentProfileBaseApi(NsxPolicyResourceBase):
                                     tenant=tenant)
        self.policy_api.delete(profile_def)

-    def get(self, profile_id, tenant=constants.POLICY_INFRA_TENANT):
+    def get(self, profile_id, tenant=constants.POLICY_INFRA_TENANT,
+            silent=False):
        profile_def = self.entry_def(profile_id=profile_id,
                                     tenant=tenant)
-        return self.policy_api.get(profile_def)
+        return self.policy_api.get(profile_def, silent=silent)

    def list(self, tenant=constants.POLICY_INFRA_TENANT):
        profile_def = self.entry_def(tenant=tenant)
@ -3103,6 +3104,10 @@ class NsxSegmentProfileBaseApi(NsxPolicyResourceBase):
                     tags=tags,
                     tenant=tenant)

+    def get_path(self, profile_id, tenant=constants.POLICY_INFRA_TENANT):
+        profile_def = self.entry_def(profile_id=profile_id, tenant=tenant)
+        return profile_def.get_resource_full_path()
+

 class NsxSegmentSecurityProfileApi(NsxSegmentProfileBaseApi):
    @property
@ -3240,6 +3245,12 @@ class NsxIpDiscoveryProfileApi(NsxSegmentProfileBaseApi):
        return core_defs.IpDiscoveryProfileDef


+class NsxWAFProfileApi(NsxSegmentProfileBaseApi):
+    @property
+    def entry_def(self):
+        return core_defs.WAFProfileDef
+
+
 class NsxMacDiscoveryProfileApi(NsxSegmentProfileBaseApi):
    @property
    def entry_def(self):
--- a/vmware_nsxlib/v3/policy/lb_defs.py
+++ b/vmware_nsxlib/v3/policy/lb_defs.py
@ -14,6 +14,7 @@
 #    under the License.
 #

+from vmware_nsxlib.v3.policy import constants
 from vmware_nsxlib.v3.policy.core_defs import ResourceDef

 TENANTS_PATH_PATTERN = "%s/"
@ -230,6 +231,11 @@ class LBVirtualServerDef(ResourceDef):
            self._set_attr_if_specified(
                body, 'server_ssl_profile_binding',
                value=server_ssl_binding.get_obj_dict())
+        waf_profile_binding = self.get_attr('waf_profile_binding')
+        if waf_profile_binding:
+            self._set_attr_if_specified(
+                body, 'waf_profile_binding',
+                value=waf_profile_binding.get_obj_dict())
        rules = self.get_attr('rules')
        if self.has_attr('rules'):
            rules = rules if isinstance(rules, list) else [rules]
@ -329,6 +335,23 @@ class ServerSSLProfileBindingDef(object):
        return body


+class WAFProfileBindingDef(object):
+    def __init__(self, waf_profile_path,
+                 operational_mode=constants.WAF_OPERATIONAL_MODE_PROTECTION,
+                 debug_log_level=constants.WAF_LOG_LEVEL_NO_LOG):
+        self.waf_profile_path = waf_profile_path
+        self.operational_mode = operational_mode
+        self.debug_log_level = debug_log_level
+
+    def get_obj_dict(self):
+        body = {
+            'waf_profile_path': self.waf_profile_path,
+            'operational_mode': self.operational_mode,
+            'debug_log_level': self.debug_log_level
+        }
+        return body
+
+
 class LBServiceDef(ResourceDef):

    @property
--- a/vmware_nsxlib/v3/policy/lb_resources.py
+++ b/vmware_nsxlib/v3/policy/lb_resources.py
@ -592,6 +592,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
                            lb_persistence_profile_id=IGNORE,
                            ports=IGNORE,
                            server_ssl_profile_binding=IGNORE,
+                            waf_profile_binding=IGNORE,
                            tenant=constants.POLICY_INFRA_TENANT,
                            tags=IGNORE):
        virtual_server_id = self._init_obj_uuid(virtual_server_id)
@ -609,6 +610,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
            lb_persistence_profile_id=lb_persistence_profile_id,
            ports=ports,
            server_ssl_profile_binding=server_ssl_profile_binding,
+            waf_profile_binding=waf_profile_binding,
            tags=tags
        )
        self._create_or_store(lbvs_def)
@ -677,6 +679,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
               lb_persistence_profile_id=IGNORE,
               ports=IGNORE,
               server_ssl_profile_binding=IGNORE,
+               waf_profile_binding=IGNORE,
               tags=IGNORE,
               tenant=constants.POLICY_INFRA_TENANT):
        self._update_helper(
@ -693,6 +696,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
            lb_persistence_profile_id=lb_persistence_profile_id,
            ports=ports,
            server_ssl_profile_binding=server_ssl_profile_binding,
+            waf_profile_binding=waf_profile_binding,
            tags=tags)

    def update_virtual_server_with_pool(