Add Policy support for WAF profiles
WAF profiles & binding & adding those to the LB virtual servers Change-Id: I2e894cd30d27ff332aa729b04c3706450ebd61eb
parent
0895bfa5e8
commit
58226d60e1
|
@ -652,15 +652,22 @@ class TestPolicyLBVirtualServer(test_resources.NsxPolicyLibTestCase):
|
||||||
name = 'd1'
|
name = 'd1'
|
||||||
description = 'desc'
|
description = 'desc'
|
||||||
obj_id = '111'
|
obj_id = '111'
|
||||||
|
waf_profile_id = 'waf'
|
||||||
|
waf_profile_path = self.policy_lib.waf_profile.get_path(
|
||||||
|
profile_id=waf_profile_id, tenant=TEST_TENANT)
|
||||||
|
waf_profile_binding = lb_defs.WAFProfileBindingDef(
|
||||||
|
waf_profile_path=waf_profile_path)
|
||||||
with mock.patch.object(self.policy_api,
|
with mock.patch.object(self.policy_api,
|
||||||
"create_or_update") as api_call:
|
"create_or_update") as api_call:
|
||||||
result = self.resourceApi.create_or_overwrite(
|
result = self.resourceApi.create_or_overwrite(
|
||||||
name,
|
name,
|
||||||
virtual_server_id=obj_id,
|
virtual_server_id=obj_id,
|
||||||
|
waf_profile_binding=waf_profile_binding,
|
||||||
description=description,
|
description=description,
|
||||||
tenant=TEST_TENANT)
|
tenant=TEST_TENANT)
|
||||||
expected_def = lb_defs.LBVirtualServerDef(
|
expected_def = lb_defs.LBVirtualServerDef(
|
||||||
virtual_server_id=obj_id, name=name, description=description,
|
virtual_server_id=obj_id, name=name, description=description,
|
||||||
|
waf_profile_binding=waf_profile_binding,
|
||||||
tenant=TEST_TENANT)
|
tenant=TEST_TENANT)
|
||||||
self.assert_called_with_def(api_call, expected_def)
|
self.assert_called_with_def(api_call, expected_def)
|
||||||
self.assertEqual(obj_id, result)
|
self.assertEqual(obj_id, result)
|
||||||
|
|
|
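Review bot: The added lines cover only the create path with a `WAFProfileBindingDef` built from its defaults; in the hunks shown here nothing tests `update(...)` with `waf_profile_binding`, or a binding whose `operational_mode` differs from the default. A second case such as `lb_defs.WAFProfileBindingDef(waf_profile_path=waf_profile_path, operational_mode=constants.WAF_OPERATIONAL_MODE_DETECTION)` (using the policy `constants` module) with an assertion on its `get_obj_dict()` would pin the serialized mode, which is presumably the field that decides how the WAF treats traffic. The enclosing test method starts above the hunk, so its name and any earlier setup are not visible.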
@ -3262,6 +3262,14 @@ class TestPolicyMacDiscoveryProfile(TestPolicySegmentProfileBase):
|
||||||
resource_def=core_defs.MacDiscoveryProfileDef)
|
resource_def=core_defs.MacDiscoveryProfileDef)
|
||||||
|
|
||||||
|
|
||||||
|
class TestPolicyWAFProfile(TestPolicySegmentProfileBase):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(TestPolicyWAFProfile, self).setUp(
|
||||||
|
resource_api_name='waf_profile',
|
||||||
|
resource_def=core_defs.WAFProfileDef)
|
||||||
|
|
||||||
|
|
||||||
class TestPolicySegmentSecurityProfile(TestPolicySegmentProfileBase):
|
class TestPolicySegmentSecurityProfile(TestPolicySegmentProfileBase):
|
||||||
|
|
||||||
def test_create_with_params(self):
|
def test_create_with_params(self):
|
||||||
|
|
|
@ -94,6 +94,8 @@ class NsxPolicyLib(lib.NsxLibBase):
|
||||||
core_resources.NsxIpDiscoveryProfileApi(*args))
|
core_resources.NsxIpDiscoveryProfileApi(*args))
|
||||||
self.mac_discovery_profile = (
|
self.mac_discovery_profile = (
|
||||||
core_resources.NsxMacDiscoveryProfileApi(*args))
|
core_resources.NsxMacDiscoveryProfileApi(*args))
|
||||||
|
self.waf_profile = (
|
||||||
|
core_resources.NsxWAFProfileApi(*args))
|
||||||
self.segment_port_security_profiles = (
|
self.segment_port_security_profiles = (
|
||||||
core_resources.SegmentPortSecurityProfilesBindingMapApi(
|
core_resources.SegmentPortSecurityProfilesBindingMapApi(
|
||||||
*args))
|
*args))
|
||||||
|
|
|
@ -72,3 +72,17 @@ IPV6_RA_MODE_DISABLED = "DISABLED"
|
||||||
IPV6_RA_MODE_SLAAC_RA = "SLAAC_DNS_THROUGH_RA"
|
IPV6_RA_MODE_SLAAC_RA = "SLAAC_DNS_THROUGH_RA"
|
||||||
IPV6_RA_MODE_SLAAC_DHCP = "SLAAC_DNS_THROUGH_DHCP"
|
IPV6_RA_MODE_SLAAC_DHCP = "SLAAC_DNS_THROUGH_DHCP"
|
||||||
IPV6_RA_MODE_DHCP = "DHCP_ADDRESS_AND_DNS_THROUGH_DHCP"
|
IPV6_RA_MODE_DHCP = "DHCP_ADDRESS_AND_DNS_THROUGH_DHCP"
|
||||||
|
|
||||||
|
# WAF operational mode types
|
||||||
|
WAF_OPERATIONAL_MODE_DETECTION = 'DETECTION'
|
||||||
|
WAF_OPERATIONAL_MODE_PROTECTION = 'PROTECTION'
|
||||||
|
WAF_OPERATIONAL_MODE_DISABLED = 'DISABLED'
|
||||||
|
|
||||||
|
# WAF debug log level types
|
||||||
|
WAF_LOG_LEVEL_NO_LOG = 'NO_LOG'
|
||||||
|
WAF_LOG_LEVEL_ERROR = 'ERROR'
|
||||||
|
WAF_LOG_LEVEL_WARNING = 'WARNING'
|
||||||
|
WAF_LOG_LEVEL_NOTICE = 'NOTICE'
|
||||||
|
WAF_LOG_LEVEL_INFO = 'INFO'
|
||||||
|
WAF_LOG_LEVEL_DETAIL = 'DETAIL'
|
||||||
|
WAF_LOG_LEVEL_EVERYTHING = 'EVERYTHING'
|
||||||
|
|
|
@ -47,6 +47,8 @@ MAC_DISCOVERY_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
|
||||||
"mac-discovery-profiles/")
|
"mac-discovery-profiles/")
|
||||||
IPV6_NDRA_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
|
IPV6_NDRA_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
|
||||||
"ipv6-ndra-profiles/")
|
"ipv6-ndra-profiles/")
|
||||||
|
WAF_PROFILES_PATH_PATTERN = (TENANTS_PATH_PATTERN +
|
||||||
|
"waf-profiles/")
|
||||||
CERTIFICATE_PATH_PATTERN = TENANTS_PATH_PATTERN + "certificates/"
|
CERTIFICATE_PATH_PATTERN = TENANTS_PATH_PATTERN + "certificates/"
|
||||||
|
|
||||||
REALIZATION_PATH = "infra/realized-state/realized-entities?intent_path=%s"
|
REALIZATION_PATH = "infra/realized-state/realized-entities?intent_path=%s"
|
||||||
|
@ -1624,6 +1626,29 @@ class DhcpRelayConfigDef(ResourceDef):
|
||||||
return body
|
return body
|
||||||
|
|
||||||
|
|
||||||
|
class WAFProfileDef(ResourceDef):
|
||||||
|
@property
|
||||||
|
def path_pattern(self):
|
||||||
|
return WAF_PROFILES_PATH_PATTERN
|
||||||
|
|
||||||
|
@property
|
||||||
|
def path_ids(self):
|
||||||
|
return ('tenant', 'profile_id')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def resource_type():
|
||||||
|
return 'WAFProfile'
|
||||||
|
|
||||||
|
def path_defs(self):
|
||||||
|
return (TenantDef,)
|
||||||
|
|
||||||
|
def get_obj_dict(self):
|
||||||
|
body = super(WAFProfileDef, self).get_obj_dict()
|
||||||
|
# TODO(asarfaty): add all attributes here.
|
||||||
|
# Currently used for read only
|
||||||
|
return body
|
||||||
|
|
||||||
|
|
||||||
class CertificateDef(ResourceDef):
|
class CertificateDef(ResourceDef):
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
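Review bot: `WAFProfileDef.get_obj_dict` is described by its own comment as read-only, but it returns the parent body unchanged and nothing prevents a write from using it. `NsxWAFProfileApi`, added later in this commit, subclasses `NsxSegmentProfileBaseApi`, whose `delete` is visible in that file's context lines and whose create and update methods are presumably inherited as well, so a caller could push a WAF profile that carries none of its WAF-specific attributes. Until the TODO is resolved, either override the write methods in `NsxWAFProfileApi` to raise, or state the limit in a class docstring such as `"""WAF profile definition; only read operations are supported until all attributes are serialized."""`.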
@ -3082,10 +3082,11 @@ class NsxSegmentProfileBaseApi(NsxPolicyResourceBase):
|
||||||
tenant=tenant)
|
tenant=tenant)
|
||||||
self.policy_api.delete(profile_def)
|
self.policy_api.delete(profile_def)
|
||||||
|
|
||||||
def get(self, profile_id, tenant=constants.POLICY_INFRA_TENANT):
|
def get(self, profile_id, tenant=constants.POLICY_INFRA_TENANT,
|
||||||
|
silent=False):
|
||||||
profile_def = self.entry_def(profile_id=profile_id,
|
profile_def = self.entry_def(profile_id=profile_id,
|
||||||
tenant=tenant)
|
tenant=tenant)
|
||||||
return self.policy_api.get(profile_def)
|
return self.policy_api.get(profile_def, silent=silent)
|
||||||
|
|
||||||
def list(self, tenant=constants.POLICY_INFRA_TENANT):
|
def list(self, tenant=constants.POLICY_INFRA_TENANT):
|
||||||
profile_def = self.entry_def(tenant=tenant)
|
profile_def = self.entry_def(tenant=tenant)
|
||||||
|
@ -3103,6 +3104,10 @@ class NsxSegmentProfileBaseApi(NsxPolicyResourceBase):
|
||||||
tags=tags,
|
tags=tags,
|
||||||
tenant=tenant)
|
tenant=tenant)
|
||||||
|
|
||||||
|
def get_path(self, profile_id, tenant=constants.POLICY_INFRA_TENANT):
|
||||||
|
profile_def = self.entry_def(profile_id=profile_id, tenant=tenant)
|
||||||
|
return profile_def.get_resource_full_path()
|
||||||
|
|
||||||
|
|
||||||
class NsxSegmentSecurityProfileApi(NsxSegmentProfileBaseApi):
|
class NsxSegmentSecurityProfileApi(NsxSegmentProfileBaseApi):
|
||||||
@property
|
@property
|
||||||
|
@ -3240,6 +3245,12 @@ class NsxIpDiscoveryProfileApi(NsxSegmentProfileBaseApi):
|
||||||
return core_defs.IpDiscoveryProfileDef
|
return core_defs.IpDiscoveryProfileDef
|
||||||
|
|
||||||
|
|
||||||
|
class NsxWAFProfileApi(NsxSegmentProfileBaseApi):
|
||||||
|
@property
|
||||||
|
def entry_def(self):
|
||||||
|
return core_defs.WAFProfileDef
|
||||||
|
|
||||||
|
|
||||||
class NsxMacDiscoveryProfileApi(NsxSegmentProfileBaseApi):
|
class NsxMacDiscoveryProfileApi(NsxSegmentProfileBaseApi):
|
||||||
@property
|
@property
|
||||||
def entry_def(self):
|
def entry_def(self):
|
||||||
|
|
|
@ -14,6 +14,7 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
#
|
#
|
||||||
|
|
||||||
|
from vmware_nsxlib.v3.policy import constants
|
||||||
from vmware_nsxlib.v3.policy.core_defs import ResourceDef
|
from vmware_nsxlib.v3.policy.core_defs import ResourceDef
|
||||||
|
|
||||||
TENANTS_PATH_PATTERN = "%s/"
|
TENANTS_PATH_PATTERN = "%s/"
|
||||||
|
@ -230,6 +231,11 @@ class LBVirtualServerDef(ResourceDef):
|
||||||
self._set_attr_if_specified(
|
self._set_attr_if_specified(
|
||||||
body, 'server_ssl_profile_binding',
|
body, 'server_ssl_profile_binding',
|
||||||
value=server_ssl_binding.get_obj_dict())
|
value=server_ssl_binding.get_obj_dict())
|
||||||
|
waf_profile_binding = self.get_attr('waf_profile_binding')
|
||||||
|
if waf_profile_binding:
|
||||||
|
self._set_attr_if_specified(
|
||||||
|
body, 'waf_profile_binding',
|
||||||
|
value=waf_profile_binding.get_obj_dict())
|
||||||
rules = self.get_attr('rules')
|
rules = self.get_attr('rules')
|
||||||
if self.has_attr('rules'):
|
if self.has_attr('rules'):
|
||||||
rules = rules if isinstance(rules, list) else [rules]
|
rules = rules if isinstance(rules, list) else [rules]
|
||||||
|
@ -329,6 +335,23 @@ class ServerSSLProfileBindingDef(object):
|
||||||
return body
|
return body
|
||||||
|
|
||||||
|
|
||||||
|
class WAFProfileBindingDef(object):
|
||||||
|
def __init__(self, waf_profile_path,
|
||||||
|
operational_mode=constants.WAF_OPERATIONAL_MODE_PROTECTION,
|
||||||
|
debug_log_level=constants.WAF_LOG_LEVEL_NO_LOG):
|
||||||
|
self.waf_profile_path = waf_profile_path
|
||||||
|
self.operational_mode = operational_mode
|
||||||
|
self.debug_log_level = debug_log_level
|
||||||
|
|
||||||
|
def get_obj_dict(self):
|
||||||
|
body = {
|
||||||
|
'waf_profile_path': self.waf_profile_path,
|
||||||
|
'operational_mode': self.operational_mode,
|
||||||
|
'debug_log_level': self.debug_log_level
|
||||||
|
}
|
||||||
|
return body
|
||||||
|
|
||||||
|
|
||||||
class LBServiceDef(ResourceDef):
|
class LBServiceDef(ResourceDef):
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
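Review bot: `WAFProfileBindingDef.__init__` stores `operational_mode` and `debug_log_level` as given and `get_obj_dict` serializes them unchanged, so a misspelled or unsupported mode only surfaces when the backend rejects the request, if it does. Checking both against the `WAF_OPERATIONAL_MODE_*` and `WAF_LOG_LEVEL_*` constants added in this commit and raising on anything else would fail early on the client; a docstring naming the accepted values and the `PROTECTION` / `NO_LOG` defaults would help callers as well. Separately, in `LBVirtualServerDef.get_obj_dict` the `if waf_profile_binding:` guard skips a falsy value, so it looks like an update cannot remove an existing binding by passing `None`; confirm that is intended. `LBVirtualServerDef.get_obj_dict` starts and ends outside the hunk.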
@ -592,6 +592,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
|
||||||
lb_persistence_profile_id=IGNORE,
|
lb_persistence_profile_id=IGNORE,
|
||||||
ports=IGNORE,
|
ports=IGNORE,
|
||||||
server_ssl_profile_binding=IGNORE,
|
server_ssl_profile_binding=IGNORE,
|
||||||
|
waf_profile_binding=IGNORE,
|
||||||
tenant=constants.POLICY_INFRA_TENANT,
|
tenant=constants.POLICY_INFRA_TENANT,
|
||||||
tags=IGNORE):
|
tags=IGNORE):
|
||||||
virtual_server_id = self._init_obj_uuid(virtual_server_id)
|
virtual_server_id = self._init_obj_uuid(virtual_server_id)
|
||||||
|
@ -609,6 +610,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
|
||||||
lb_persistence_profile_id=lb_persistence_profile_id,
|
lb_persistence_profile_id=lb_persistence_profile_id,
|
||||||
ports=ports,
|
ports=ports,
|
||||||
server_ssl_profile_binding=server_ssl_profile_binding,
|
server_ssl_profile_binding=server_ssl_profile_binding,
|
||||||
|
waf_profile_binding=waf_profile_binding,
|
||||||
tags=tags
|
tags=tags
|
||||||
)
|
)
|
||||||
self._create_or_store(lbvs_def)
|
self._create_or_store(lbvs_def)
|
||||||
|
@ -677,6 +679,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
|
||||||
lb_persistence_profile_id=IGNORE,
|
lb_persistence_profile_id=IGNORE,
|
||||||
ports=IGNORE,
|
ports=IGNORE,
|
||||||
server_ssl_profile_binding=IGNORE,
|
server_ssl_profile_binding=IGNORE,
|
||||||
|
waf_profile_binding=IGNORE,
|
||||||
tags=IGNORE,
|
tags=IGNORE,
|
||||||
tenant=constants.POLICY_INFRA_TENANT):
|
tenant=constants.POLICY_INFRA_TENANT):
|
||||||
self._update_helper(
|
self._update_helper(
|
||||||
|
@ -693,6 +696,7 @@ class NsxPolicyLoadBalancerVirtualServerAPI(NsxPolicyResourceBase):
|
||||||
lb_persistence_profile_id=lb_persistence_profile_id,
|
lb_persistence_profile_id=lb_persistence_profile_id,
|
||||||
ports=ports,
|
ports=ports,
|
||||||
server_ssl_profile_binding=server_ssl_profile_binding,
|
server_ssl_profile_binding=server_ssl_profile_binding,
|
||||||
|
waf_profile_binding=waf_profile_binding,
|
||||||
tags=tags)
|
tags=tags)
|
||||||
|
|
||||||
def update_virtual_server_with_pool(
|
def update_virtual_server_with_pool(
|
||||||
|
|