Merge "Refactor policy resources"

This commit is contained in:
Zuul
2018-10-04 00:36:24 +00:00
committed by Gerrit Code Review
7 changed files with 296 additions and 432 deletions

13
tools/policy/poltool.py Normal file → Executable file

@@ -34,18 +34,25 @@
# python poltool.py -o delete -r network_segment -i "test:all"
import sys
from sys import path
import copy
import getopt
import json
import os
import sys
from sys import path
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
path.append(os.path.abspath("../../"))
OPERATIONS = ("create", "update", "delete", "get")
RESOURCES = ("domain", "service", "group", "network",
RESOURCES = ("domain", "service", "icmp_service", "group", "network",
"segment", "network_segment")

27
tools/policy/sanity.txt Normal file

@@ -0,0 +1,27 @@
# domains
python poltool.py -o create -r domain -i domain1 -a "name=sanity"
python poltool.py -o update -r domain -i domain1 -a "name=insane"
python poltool.py -o get -r domain -i domain1
python poltool.py -o get -r domain
# groups
python poltool.py -o create -r group -i group1 -a "name=sanity" -a "domain_id=domain1" -a "cond_val=sanity"
python poltool.py -o update -r group -i group1 -a "name=insane" -a "domain_id=domain1" -a "description=stuff"
python poltool.py -o get -r group -i "domain1:all"
python poltool.py -o get -r group -i "domain1:group1"
# services
python poltool.py -o create -r service -i service1 -a "name=sanity" -a "protocol=UDP"
python poltool.py -o update -r service -i service1 -a "name=insane" -a "protocol=TCP"
python poltool.py -o get -r service -i service1
python poltool.py -o create -r icmp_service -i service2 -a "name=sanity" -a "icmp_type=9"
python poltool.py -o update -r icmp_service -i service2 -a "name=insane"
python poltool.py -o get -r icmp_service -i service2
# TODO: networks, segments, network segments, comm maps, enforcement points, sites
# cleanup
python poltool.py -o delete -r service -i service1
python poltool.py -o delete -r icmp_service -i service2
python poltool.py -o delete -r group -i "domain1:all"
python poltool.py -o delete -r domain -i domain1
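Review bot: sanity.txt is a sequence of shell commands stored with a .txt suffix, no shebang and no `set -e`, so it can only be run by copy-paste or `sh sanity.txt`, and when an earlier create/update step fails the cleanup commands at the end still run and the overall exit status says nothing. If it is meant as a runnable smoke test, `#!/bin/sh` plus `set -e` at the top (and a .sh name) would make a failing step abort before cleanup; if it is meant as documentation, a leading comment saying so would avoid the ambiguity. The TODO line already records which resources are not yet exercised.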


@@ -41,22 +41,22 @@ class TestPolicyDomain(TestPolicyApi):
def test_create(self):
domain_def = policy.DomainDef(
'archaea',
'prokaryotic cells',
'typically characterized by membrane lipids')
domain_id='archaea',
name='prokaryotic cells',
description='typically characterized by membrane lipids')
self.policy_api.create_or_update(domain_def)
self.assert_json_call('PATCH', self.client,
'infra/domains/archaea',
data=domain_def.get_obj_dict())
def test_delete(self):
domain_def = policy.DomainDef('bacteria')
domain_def = policy.DomainDef(domain_id='bacteria')
self.policy_api.delete(domain_def)
self.assert_json_call('DELETE', self.client,
'infra/domains/bacteria')
def test_get(self):
domain_def = policy.DomainDef('eukarya')
domain_def = policy.DomainDef(domain_id='eukarya')
self.policy_api.get(domain_def)
self.assert_json_call('GET', self.client,
'infra/domains/eukarya')
@@ -71,21 +71,21 @@ class TestPolicyGroup(TestPolicyApi):
def test_create(self):
group_def = policy.GroupDef(
'eukarya',
'cats',
'felis catus')
domain_id='eukarya',
group_id='cats',
name='felis catus')
self.policy_api.create_or_update(group_def)
self.assert_json_call('PATCH', self.client,
'infra/domains/eukarya/groups/cats',
data=group_def.get_obj_dict())
def test_create_with_domain(self):
domain_def = policy.DomainDef('eukarya',
'eukarya',
'dude with cell membranes')
group_def = policy.GroupDef('eukarya',
'cats',
'Ailuropoda melanoleuca')
domain_def = policy.DomainDef(domain_id='eukarya',
name='eukarya',
description='dude with cell membranes')
group_def = policy.GroupDef(domain_id='eukarya',
group_id='cats',
name='Ailuropoda melanoleuca')
self.policy_api.create_with_parent(domain_def, group_def)
data = domain_def.get_obj_dict()
@@ -95,8 +95,8 @@ class TestPolicyGroup(TestPolicyApi):
data=data)
def test_create_with_single_tag(self):
domain_def = policy.DomainDef('eukarya')
group_def = policy.GroupDef('eukarya', 'dogs',
domain_def = policy.DomainDef(domain_id='eukarya')
group_def = policy.GroupDef(domain_id='eukarya', group_id='dogs',
conditions=policy.Condition('spaniel'))
self.policy_api.create_with_parent(domain_def, group_def)
data = domain_def.get_obj_dict()
@@ -109,26 +109,22 @@ class TestPolicyGroup(TestPolicyApi):
'resource_type': 'Condition',
'key': 'Tag'}
expected_group = {'id': 'dogs',
'display_name': None,
'description': None,
'expression': [expected_condition]}
expected_data = {'id': 'eukarya',
'display_name': None,
'description': None,
'groups': [expected_group]}
self.assert_json_call('PATCH', self.client,
'infra/domains/eukarya',
data=expected_data)
def test_create_with_multi_tag(self):
domain_def = policy.DomainDef('eukarya')
domain_def = policy.DomainDef(domain_id='eukarya')
pines = policy.Condition(
'pine',
operator=policy_constants.CONDITION_OP_CONTAINS)
maples = policy.Condition(
'maple',
operator=policy_constants.CONDITION_OP_STARTS_WITH)
group_def = policy.GroupDef('eukarya', 'trees',
group_def = policy.GroupDef(domain_id='eukarya', group_id='trees',
conditions=[pines, maples])
self.policy_api.create_with_parent(domain_def, group_def)
data = domain_def.get_obj_dict()
@@ -147,16 +143,16 @@ class TestPolicyGroup(TestPolicyApi):
class TestPolicyService(TestPolicyApi):
def test_create(self):
service_def = policy.ServiceDef('roomservice')
service_def = policy.ServiceDef(service_id='roomservice')
self.policy_api.create_or_update(service_def)
self.assert_json_call('PATCH', self.client,
'infra/services/roomservice',
data=service_def.get_obj_dict())
def test_create_l4_with_parent(self):
service_def = policy.ServiceDef('roomservice')
entry_def = policy.L4ServiceEntryDef('roomservice',
'http',
service_def = policy.ServiceDef(service_id='roomservice')
entry_def = policy.L4ServiceEntryDef(service_id='roomservice',
entry_id='http',
name='room http',
dest_ports=[80, 8080])
@@ -164,32 +160,28 @@ class TestPolicyService(TestPolicyApi):
expected_entry = {'id': 'http',
'resource_type': 'L4PortSetServiceEntry',
'display_name': 'room http',
'description': None,
'l4_protocol': 'TCP',
'destination_ports': [80, 8080]}
expected_data = {'id': 'roomservice',
'display_name': None,
'description': None,
'service_entries': [expected_entry]}
self.assert_json_call('PATCH', self.client,
'infra/services/roomservice',
data=expected_data)
def test_create_icmp_with_parent(self):
service_def = policy.ServiceDef('icmpservice')
entry_def = policy.IcmpServiceEntryDef('icmpservice',
'icmp',
service_def = policy.ServiceDef(name='icmpservice',
service_id='icmpservice')
entry_def = policy.IcmpServiceEntryDef(service_id='icmpservice',
entry_id='icmp',
name='icmpv4')
self.policy_api.create_with_parent(service_def, entry_def)
expected_entry = {'id': 'icmp',
'resource_type': 'ICMPTypeServiceEntry',
'display_name': 'icmpv4',
'description': None,
'protocol': 'ICMPv4'}
expected_data = {'id': 'icmpservice',
'display_name': None,
'description': None,
'display_name': 'icmpservice',
'service_entries': [expected_entry]}
self.assert_json_call('PATCH', self.client,
'infra/services/icmpservice',
@@ -201,7 +193,10 @@ class TestPolicyCommunicationMap(TestPolicyApi):
def setUp(self):
super(TestPolicyCommunicationMap, self).setUp()
self.entry1 = policy.CommunicationMapEntryDef(
'd1', 'cm1', 'en1',
domain_id='d1',
map_id='cm1',
entry_id='en1',
action='ALLOW',
sequence_number=12,
source_groups=["group1",
"group2"],
@@ -210,7 +205,10 @@ class TestPolicyCommunicationMap(TestPolicyApi):
direction=nsx_constants.IN_OUT)
self.entry2 = policy.CommunicationMapEntryDef(
'd1', 'cm2', 'en2',
domain_id='d1',
map_id='cm2',
entry_id='en2',
action='ALLOW',
sequence_number=13,
source_groups=["group1",
"group2"],
@@ -219,11 +217,8 @@ class TestPolicyCommunicationMap(TestPolicyApi):
direction=nsx_constants.IN)
self.expected_data1 = {'id': 'en1',
'display_name': None,
'description': None,
'sequence_number': 12,
'action': 'ALLOW',
'scope': ['ANY'],
'source_groups':
['/infra/domains/d1/groups/group1',
'/infra/domains/d1/groups/group2'],
@@ -231,15 +226,11 @@ class TestPolicyCommunicationMap(TestPolicyApi):
['/infra/domains/d1/groups/group1'],
'services':
['/infra/services/service1'],
'direction': 'IN_OUT',
'logged': False}
'direction': 'IN_OUT'}
self.expected_data2 = {'id': 'en2',
'display_name': None,
'description': None,
'sequence_number': 13,
'action': 'ALLOW',
'scope': ['ANY'],
'source_groups':
['/infra/domains/d1/groups/group1',
'/infra/domains/d1/groups/group2'],
@@ -247,8 +238,7 @@ class TestPolicyCommunicationMap(TestPolicyApi):
['/infra/domains/d1/groups/group3'],
'services':
['/infra/services/service2'],
'direction': 'IN',
'logged': False}
'direction': 'IN'}
def test_create_with_one_entry(self):
map_def = policy.CommunicationMapDef(domain_id='d1', map_id='cm1')
@@ -291,13 +281,13 @@ class TestPolicyCommunicationMap(TestPolicyApi):
class TestPolicyEnforcementPoint(TestPolicyApi):
def test_create(self):
ep_def = policy.EnforcementPointDef('ep1', name='The Point',
ep_def = policy.EnforcementPointDef(ep_id='ep1', name='The Point',
ip_address='1.1.1.1',
username='admin',
password='a')
self.policy_api.create_or_update(ep_def)
ep_path = policy.EnforcementPointDef('ep1').get_resource_path()
ep_path = policy.EnforcementPointDef(ep_id='ep1').get_resource_path()
self.assert_json_call('PATCH', self.client,
ep_path,
data=ep_def.get_obj_dict())
@@ -306,13 +296,14 @@ class TestPolicyEnforcementPoint(TestPolicyApi):
class TestPolicyDeploymentMap(TestPolicyApi):
def test_create(self):
map_def = policy.DeploymentMapDef('dm1', domain_id='d1', ep_id='ep1')
map_def = policy.DeploymentMapDef(map_id='dm1',
domain_id='d1',
ep_id='ep1')
self.policy_api.create_or_update(map_def)
ep_path = policy.EnforcementPointDef('ep1').get_resource_full_path()
ep_path = policy.EnforcementPointDef(
ep_id='ep1').get_resource_full_path()
expected_data = {'id': 'dm1',
'display_name': None,
'description': None,
'enforcement_point_path': ep_path}
self.assert_json_call('PATCH', self.client,


@@ -41,7 +41,7 @@ class NsxPolicyLibTestCase(unittest.TestCase):
# verify the resource definition class
self.assertEqual(expected_def.__class__, actual_def.__class__)
# verify the resource definition tenant
self.assertEqual(expected_def.tenant, actual_def.tenant)
self.assertEqual(expected_def.get_tenant(), actual_def.get_tenant())
# verify the resource definition values
self.assertEqual(expected_def.get_obj_dict(),
actual_def.get_obj_dict())
@@ -362,7 +362,8 @@ class TestPolicyGroup(NsxPolicyLibTestCase):
obj = self.resourceApi.get_by_name(domain_id, name,
tenant=TEST_TENANT)
self.assertIsNotNone(obj)
expected_def = policy_defs.GroupDef(domain_id, tenant=TEST_TENANT)
expected_def = policy_defs.GroupDef(domain_id=domain_id,
tenant=TEST_TENANT)
self.assert_called_with_def(api_call, expected_def)
def test_list(self):
@@ -442,12 +443,10 @@ class TestPolicyService(NsxPolicyLibTestCase):
def test_delete(self):
id = '111'
with mock.patch.object(self.policy_api, "delete") as api_call,\
mock.patch.object(self.policy_api, "get") as get_call:
with mock.patch.object(self.policy_api, "delete") as api_call:
self.resourceApi.delete(id, tenant=TEST_TENANT)
expected_def = policy_defs.ServiceDef(service_id=id,
tenant=TEST_TENANT)
self.assert_called_with_def(get_call, expected_def)
self.assert_called_with_def(api_call, expected_def)
def test_get(self):
@@ -564,12 +563,10 @@ class TestPolicyIcmpService(NsxPolicyLibTestCase):
def test_delete(self):
id = '111'
with mock.patch.object(self.policy_api, "delete") as api_call,\
mock.patch.object(self.policy_api, "get") as get_call:
with mock.patch.object(self.policy_api, "delete") as api_call:
self.resourceApi.delete(id, tenant=TEST_TENANT)
expected_def = policy_defs.ServiceDef(service_id=id,
tenant=TEST_TENANT)
self.assert_called_with_def(get_call, expected_def)
self.assert_called_with_def(api_call, expected_def)
def test_get(self):
@@ -690,12 +687,10 @@ class TestPolicyIPProtocolService(NsxPolicyLibTestCase):
def test_delete(self):
id = '111'
with mock.patch.object(self.policy_api, "delete") as api_call,\
mock.patch.object(self.policy_api, "get") as get_call:
with mock.patch.object(self.policy_api, "delete") as api_call:
self.resourceApi.delete(id, tenant=TEST_TENANT)
expected_def = policy_defs.ServiceDef(service_id=id,
tenant=TEST_TENANT)
self.assert_called_with_def(get_call, expected_def)
self.assert_called_with_def(api_call, expected_def)
def test_get(self):
@@ -824,6 +819,7 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
map_id=map_id,
entry_id=map_id,
name=name,
action=policy_constants.ACTION_ALLOW,
description=description,
sequence_number=seq_num,
service_ids=[service_id],
@@ -855,6 +851,7 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
source_groups=[source_group],
dest_groups=[dest_group],
category=category,
logged=False,
tenant=TEST_TENANT)
expected_def = policy_defs.CommunicationMapDef(
@@ -872,6 +869,7 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
map_id=map_id,
entry_id=map_id,
name=name,
action=policy_constants.ACTION_ALLOW,
description=description,
sequence_number=1,
service_ids=[service_id],
@@ -912,13 +910,13 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
domain_id=domain_id,
map_id=mock.ANY,
entry_id=mock.ANY,
action=policy_constants.ACTION_ALLOW,
name=name,
description=description,
sequence_number=1,
service_ids=[service1_id, service2_id],
source_groups=[source_group],
dest_groups=[dest_group],
logged=False,
tenant=TEST_TENANT)
self.assert_called_with_defs(
@@ -958,7 +956,9 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
service2_id = 'c2'
with mock.patch.object(self.policy_api,
"create_or_update") as api_call:
self.resourceApi.create_entry(name, domain_id, map_id,
self.resourceApi.create_entry(name=name,
domain_id=domain_id,
map_id=map_id,
description=description,
service_ids=[service1_id,
service2_id],
@@ -973,13 +973,13 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
map_id=map_id,
entry_id=mock.ANY,
name=name,
action=policy_constants.ACTION_ALLOW,
description=description,
sequence_number=1,
service_ids=[service1_id, service2_id],
source_groups=[source_group],
dest_groups=[dest_group],
direction=nsx_constants.IN,
logged=False,
tenant=TEST_TENANT)
self.assert_called_with_def(
@@ -1006,12 +1006,12 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
map_id=map_id,
entry_id=mock.ANY,
name=name,
action=policy_constants.ACTION_ALLOW,
description=description,
sequence_number=1,
service_ids=None,
source_groups=[source_group],
dest_groups=[dest_group],
logged=False,
tenant=TEST_TENANT)
self.assert_called_with_def(
@@ -1046,12 +1046,12 @@ class TestPolicyCommunicationMap(NsxPolicyLibTestCase):
map_id=map_id,
entry_id=mock.ANY,
name=name,
action=policy_constants.ACTION_ALLOW,
description=description,
service_ids=[service1_id, service2_id],
source_groups=[source_group],
dest_groups=[dest_group],
sequence_number=seq_num + 1,
logged=False,
tenant=TEST_TENANT)
self.assert_called_with_def(
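Review bot: `assert_called_with_def` compares definitions through `get_obj_dict()` (the context lines of the first hunk), and the refactored serializers now omit attributes whose value is falsy, so the `logged=False` the expected definitions carry in the later hunks of this file (the `logged=False,` lines after `dest_groups=[dest_group]`) no longer contributes anything to the comparison; these tests pass whether or not the resource API forwards the flag. If the intent is to pin that `logged` reaches the API, the helper could additionally compare the raw attributes, e.g. `self.assertEqual(expected_def.get_attr('logged'), actual_def.get_attr('logged'))`, or compare `expected_def.attrs` with `actual_def.attrs` if the resource API forwards exactly the keywords the tests list — that is an inference, since the API code is not in this section. The same consideration applies to `action`, which the tests now have to pass explicitly because the constructor default is gone.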


@@ -22,6 +22,7 @@ ACTION_ALLOW = 'ALLOW'
ACTION_DENY = 'DROP'
ANY_GROUP = 'ANY'
ANY_SERVICE = 'ANY'
CONDITION_KEY_TAG = 'Tag'
CONDITION_KEY_NAME = 'Name'


@@ -35,37 +35,57 @@ REALIZED_STATE_SERVICE = REALIZED_STATE_EF + "services/nsservices/services:%s"
@six.add_metaclass(abc.ABCMeta)
class ResourceDef(object):
def __init__(self):
self.tenant = None
self.id = None
self.name = None
self.description = None
self.parent_ids = None
self.tags = None
def __init__(self, **kwargs):
self.attrs = kwargs
# init default tenant
self.attrs['tenant'] = self.get_tenant()
self.body = {}
def get_obj_dict(self):
body = {'display_name': self.name,
'description': self.description}
if self.id:
body['id'] = self.id
if self.tags:
body['tags'] = self.tags
return body
body = {}
if 'name' in self.attrs:
body['display_name'] = self.attrs['name']
def add_tags(self, tags):
self.tags = tags
for attr in ('description', 'tags'):
if self.get_attr(attr):
body[attr] = self.attrs[attr]
resource_id = self.get_id()
if resource_id:
body['id'] = resource_id
return body
@abc.abstractproperty
def path_pattern(self):
pass
@abc.abstractproperty
def path_ids(self):
pass
def get_id(self):
if self.attrs and self.path_ids:
return self.attrs.get(self.path_ids[-1])
def get_attr(self, attr):
return self.attrs.get(attr)
def get_tenant(self):
if self.attrs.get('tenant'):
return self.attrs.get('tenant')
return policy_constants.POLICY_INFRA_TENANT
def get_section_path(self):
return self.path_pattern % self.parent_ids
path_ids = [self.get_attr(path_id) for path_id in self.path_ids[:-1]]
return self.path_pattern % (tuple(path_ids))
def get_resource_path(self):
if self.id:
return self.get_section_path() + self.id
resource_id = self.get_id()
if resource_id:
print(self.get_section_path() + resource_id)
return self.get_section_path() + resource_id
return self.get_section_path()
def get_resource_full_path(self):
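Review bot: `get_resource_path` keeps a debug statement on the new side, `print(self.get_section_path() + resource_id)`, so every path computation in this library writes to the stdout of whichever process imports it; the line should be removed (or, if the trace is wanted, sent to a module logger at debug level). In the same hunk `get_section_path` interpolates `self.get_attr(path_id)` for each parent id without checking for None, so a definition built without its parent id yields a path containing the literal text `None` rather than an error — the old `parent_ids` tuple had the same exposure, so this may be accepted behaviour, but a guard such as `if None in path_ids: raise ValueError('missing parent id for %s' % self.path_pattern)` would fail early. Because `__init__` now accepts arbitrary `**kwargs`, a misspelled keyword is silently stored and never serialized; a per-class allowed-attribute check, or at least a docstring on `ResourceDef` naming the keywords each subclass reads, would help callers. `get_resource_full_path` and the rest of the class continue outside the hunk.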
@@ -124,61 +144,36 @@ class ResourceDef(object):
class DomainDef(ResourceDef):
def __init__(self,
domain_id=None,
name=None,
description=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(DomainDef, self).__init__()
self.tenant = tenant
self.id = domain_id
self.name = name
self.description = description
self.parent_ids = (tenant)
@property
def path_pattern(self):
return DOMAINS_PATH_PATTERN
@property
def path_ids(self):
return ('tenant', 'domain_id')
class NetworkDef(ResourceDef):
def __init__(self,
network_id=None,
name=None,
description=None,
provider=None,
ip_addresses=None,
ha_mode=policy_constants.ACTIVE_STANDBY,
force_whitelisting=False,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(NetworkDef, self).__init__()
self.tenant = tenant
self.id = network_id
self.name = name
self.description = description
# TODO(annak): replace with provider path when provider is exposed
if provider:
self.provider = "/" + TENANTS_PATH_PATTERN % tenant + \
"providers/" + provider
else:
self.provider = None
self.ip_addresses = ip_addresses
self.ha_mode = ha_mode
self.force_whitelisting = force_whitelisting
self.parent_ids = (tenant)
@property
def path_pattern(self):
return NETWORKS_PATH_PATTERN
@property
def path_ids(self):
return ('tenant', 'network_id')
def get_obj_dict(self):
body = super(NetworkDef, self).get_obj_dict()
body['provider'] = self.provider
body['ha_mode'] = self.ha_mode
body['force_whitelisting'] = self.force_whitelisting
if self.ip_addresses:
body['ip_addresses'] = self.ip_addresses
# TODO(annak): replace with provider path when provider is exposed
body['provider'] = "/" + TENANTS_PATH_PATTERN % self.get_tenant() + \
"providers/" + self.get_attr('provider')
for attr in ('ha_mode', 'force_whitelisting'):
body[attr] = self.get_attr(attr)
if self.get_attr('ip_addresses'):
body['ip_addresses'] = self.get_attr('ip_addresses')
return body
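Review bot: `NetworkDef.get_obj_dict` now concatenates `self.get_attr('provider')` unconditionally, so a definition created without a provider (previously a `None` default that the removed `if provider:` guarded) raises `TypeError` on the string concatenation instead of producing `'provider': None`; `provider = self.get_attr('provider')` followed by `body['provider'] = ("/" + TENANTS_PATH_PATTERN % self.get_tenant() + "providers/" + provider) if provider else None` restores the old behaviour. The loop `for attr in ('ha_mode', 'force_whitelisting'): body[attr] = self.get_attr(attr)` also drops the defaults the removed constructor supplied (`policy_constants.ACTIVE_STANDBY` and `False`), so an unspecified value is now sent as `None`; use `self.attrs.get('ha_mode', policy_constants.ACTIVE_STANDBY)` and `self.attrs.get('force_whitelisting', False)` if the defaults are still intended. Whether callers always pass these keywords cannot be seen from this hunk.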
@@ -197,57 +192,29 @@ class Subnet(object):
# TODO(annak) - add advanced config when supported by platform
class BaseSegmentDef(ResourceDef):
def __init__(self,
segment_id=None,
name=None,
description=None,
subnets=None,
dns_domain_name=None,
vlan_ids=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(BaseSegmentDef, self).__init__()
self.tenant = tenant
self.id = segment_id
self.name = name
self.description = description
self.dns_domain_name = dns_domain_name
self.vlan_ids = vlan_ids
self.subnets = subnets
self.parent_ids = (tenant)
def get_obj_dict(self):
body = super(BaseSegmentDef, self).get_obj_dict()
if self.subnets:
if self.get_attr('subnets'):
body['subnets'] = [subnet.get_obj_dict()
for subnet in self.subnets]
if self.dns_domain_name:
body['domain_name'] = self.dns_domain_name
if self.vlan_ids:
body['vlan_ids'] = self.vlan_ids
for subnet in self.get_attr('subnets')]
for attr in ('domain_name', 'vlan_ids'):
if self.get_attr(attr):
body[attr] = self.get_attr(attr)
return body
class NetworkSegmentDef(BaseSegmentDef):
'''Network segments can not move to different network '''
def __init__(self,
network_id,
segment_id=None,
name=None,
description=None,
subnets=None,
dns_domain_name=None,
vlan_ids=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(NetworkSegmentDef, self).__init__(segment_id, name, description,
subnets, dns_domain_name,
vlan_ids)
self.parent_ids = (tenant, network_id)
@property
def path_pattern(self):
return NETWORKS_PATH_PATTERN + "%s/segments/"
@property
def path_ids(self):
return ('tenant', 'network_id', 'segment_id')
class SegmentDef(BaseSegmentDef):
'''These segments don't belong to particular network.
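Review bot: `BaseSegmentDef.get_obj_dict` now reads the attribute `domain_name`, but the removed constructor accepted the keyword `dns_domain_name` and mapped it to the `domain_name` body key; with `**kwargs` a caller still passing `dns_domain_name=` is silently ignored rather than rejected. Either accept both names, `body['domain_name'] = self.get_attr('domain_name') or self.get_attr('dns_domain_name')`, or state the renamed keyword in a class docstring so callers outside this file can be updated. `NetworkSegmentDef` also loses its required positional `network_id`; since the path is now built from `path_ids`, a missing `network_id` surfaces only as a malformed path (see `get_section_path` in the first hunk) rather than as an argument error. The rest of `SegmentDef` continues outside the hunk.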
@@ -259,6 +226,10 @@ class SegmentDef(BaseSegmentDef):
def path_pattern(self):
return TENANTS_PATH_PATTERN + "segments/"
@property
def path_ids(self):
return ('tenant', 'segment_id')
class Condition(object):
def __init__(self, value, key=policy_constants.CONDITION_KEY_TAG,
@@ -305,34 +276,23 @@ class NestedExpression(object):
class GroupDef(ResourceDef):
def __init__(self,
domain_id=None,
group_id=None,
name=None,
description=None,
conditions=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(GroupDef, self).__init__()
self.tenant = tenant
self.id = group_id
self.name = name
self.description = description
self.domain_id = domain_id
self.parent_ids = (tenant, domain_id)
if conditions and isinstance(conditions, Condition):
self.conditions = [conditions]
else:
self.conditions = conditions
@property
def path_pattern(self):
return DOMAINS_PATH_PATTERN + "%s/groups/"
@property
def path_ids(self):
return ('tenant', 'domain_id', 'group_id')
def get_obj_dict(self):
body = super(GroupDef, self).get_obj_dict()
if self.conditions:
body['expression'] = [condition.get_obj_dict()
for condition in self.conditions]
conds = self.get_attr('conditions')
if conds:
conds = conds if isinstance(conds, list) else [conds]
if conds:
body['expression'] = [condition.get_obj_dict()
for condition in conds]
return body
def update_attributes_in_body(self, **kwargs):
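Review bot: in `GroupDef.get_obj_dict` the second `if conds:` is always true — once the first check passed, wrapping a non-list value in a list cannot make it falsy — so the nested test is dead code; the block reads more clearly as one `if conds:` containing an `if not isinstance(conds, list): conds = [conds]` normalisation followed by the comprehension. Note also that the old code wrapped only a single `Condition` instance, while the new code wraps anything that is not a `list`, so a tuple of conditions now becomes a one-element list holding the tuple and fails on `.get_obj_dict()`; `isinstance(conds, (list, tuple))` keeps tuples working. `update_attributes_in_body` continues outside the hunk.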
@@ -347,28 +307,24 @@ class GroupDef(ResourceDef):
super(GroupDef, self).update_attributes_in_body(body=body, **kwargs)
def get_realized_state_path(self, ep_id):
return REALIZED_STATE_GROUP % (self.tenant, ep_id,
self.domain_id, self.id)
return REALIZED_STATE_GROUP % (self.get_tenant(), ep_id,
self.get_attr('domain_id'),
self.get_id())
class ServiceDef(ResourceDef):
def __init__(self,
service_id=None,
name=None,
description=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(ServiceDef, self).__init__()
self.tenant = tenant
self.id = service_id
self.name = name
self.description = description
self.parent_ids = (tenant)
def __init__(self, **kwargs):
super(ServiceDef, self).__init__(**kwargs)
self.service_entries = []
@property
def path_pattern(self):
return SERVICES_PATH_PATTERN
@property
def path_ids(self):
return ('tenant', 'service_id')
def get_obj_dict(self):
body = super(ServiceDef, self).get_obj_dict()
body['service_entries'] = [entry.get_obj_dict()
@@ -380,43 +336,29 @@ class ServiceDef(ResourceDef):
return ServiceEntryDef().get_last_section_dict_key
def get_realized_state_path(self, ep_id):
return REALIZED_STATE_SERVICE % (self.tenant, ep_id,
self.id)
return REALIZED_STATE_SERVICE % (self.get_tenant(), ep_id,
self.get_id())
class ServiceEntryDef(ResourceDef):
def __init__(self):
super(ServiceEntryDef, self).__init__()
@property
def path_pattern(self):
return SERVICES_PATH_PATTERN + "%s/service-entries/"
@property
def path_ids(self):
return ('tenant', 'service_id', 'entry_id')
class L4ServiceEntryDef(ServiceEntryDef):
def __init__(self,
service_id=None,
service_entry_id=None,
name=None,
description=None,
protocol=policy_constants.TCP,
dest_ports=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(L4ServiceEntryDef, self).__init__()
self.tenant = tenant
self.id = service_entry_id
self.name = name
self.description = description
self.protocol = protocol.upper()
self.dest_ports = dest_ports
self.parent_ids = (tenant, service_id)
def get_obj_dict(self):
body = super(L4ServiceEntryDef, self).get_obj_dict()
body['resource_type'] = 'L4PortSetServiceEntry'
body['l4_protocol'] = self.protocol
body['destination_ports'] = self.dest_ports
body['l4_protocol'] = self.attrs.get('protocol', 'TCP')
if self.get_attr('dest_ports'):
body['destination_ports'] = self.get_attr('dest_ports')
return body
def update_attributes_in_body(self, **kwargs):
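Review bot: `L4ServiceEntryDef.get_obj_dict` replaces the removed `protocol.upper()` with `self.attrs.get('protocol', 'TCP')`, so a lowercase value such as `'udp'` is now sent verbatim, and the default is a string literal rather than `policy_constants.TCP` used by the old constructor; `body['l4_protocol'] = (self.get_attr('protocol') or policy_constants.TCP).upper()` restores both. `destination_ports` is now omitted when `dest_ports` is empty instead of being sent as `None`, which changes what an update with an empty port list expresses — worth a comment if it is intentional. `update_attributes_in_body` continues outside the hunk.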
@@ -436,33 +378,14 @@ class L4ServiceEntryDef(ServiceEntryDef):
class IcmpServiceEntryDef(ServiceEntryDef):
def __init__(self,
service_id=None,
service_entry_id=None,
name=None,
description=None,
version=4,
icmp_type=None,
icmp_code=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(IcmpServiceEntryDef, self).__init__()
self.tenant = tenant
self.id = service_entry_id
self.name = name
self.description = description
self.version = version
self.icmp_type = icmp_type
self.icmp_code = icmp_code
self.parent_ids = (tenant, service_id)
def get_obj_dict(self):
body = super(IcmpServiceEntryDef, self).get_obj_dict()
body['resource_type'] = 'ICMPTypeServiceEntry'
body['protocol'] = 'ICMPv' + str(self.version)
if self.icmp_type:
body['icmp_type'] = self.icmp_type
if self.icmp_code:
body['icmp_code'] = self.icmp_code
body['protocol'] = 'ICMPv' + str(self.attrs.get('version', '4'))
for attr in ('icmp_type', 'icmp_code'):
if self.get_attr(attr):
body[attr] = self.get_attr(attr)
return body
def update_attributes_in_body(self, **kwargs):
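Review bot: the new loop `for attr in ('icmp_type', 'icmp_code'): if self.get_attr(attr): body[attr] = self.get_attr(attr)` uses truthiness, so `icmp_type=0` and `icmp_code=0` are dropped from the body even though 0 is a valid ICMP type and code; an entry meant to match only type 0 would then be sent without an `icmp_type` and match every ICMPv4 type, which is a significant widening for a firewall service definition. The removed `if self.icmp_type:` had the same flaw, but since this hunk rewrites the lines, `if self.get_attr(attr) is not None:` is the right test here. `update_attributes_in_body` continues outside the hunk.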
@@ -479,25 +402,11 @@ class IcmpServiceEntryDef(ServiceEntryDef):
class IPProtocolServiceEntryDef(ServiceEntryDef):
def __init__(self,
service_id=None,
service_entry_id=None,
name=None,
description=None,
protocol_number=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(IPProtocolServiceEntryDef, self).__init__()
self.tenant = tenant
self.id = service_entry_id
self.name = name
self.description = description
self.protocol_number = protocol_number
self.parent_ids = (tenant, service_id)
def get_obj_dict(self):
body = super(IPProtocolServiceEntryDef, self).get_obj_dict()
body['resource_type'] = 'IPProtocolServiceEntry'
body['protocol_number'] = self.protocol_number
body['protocol_number'] = self.get_attr('protocol_number')
return body
def update_attributes_in_body(self, **kwargs):
@@ -511,38 +420,26 @@ class IPProtocolServiceEntryDef(ServiceEntryDef):
class CommunicationMapDef(ResourceDef):
def __init__(self,
map_id=None,
domain_id=None,
category=policy_constants.CATEGORY_APPLICATION,
name=None,
precedence=0,
description=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(CommunicationMapDef, self).__init__()
self.id = map_id
self.category = category
self.precedence = precedence
self.name = name
self.description = description
self.tenant = tenant
self.domain_id = domain_id
self.parent_ids = (tenant, domain_id)
@property
def path_pattern(self):
return (DOMAINS_PATH_PATTERN + "%s/communication-maps/")
@property
def path_ids(self):
return ('tenant', 'domain_id', 'map_id')
def get_realized_state_path(self, ep_id):
return REALIZED_STATE_COMM_MAP % (self.tenant, ep_id, self.domain_id,
self.id)
return REALIZED_STATE_COMM_MAP % (self.get_tenant(), ep_id,
self.get_attr('domain_id'),
self.get_id())
def get_obj_dict(self):
body = super(CommunicationMapDef, self).get_obj_dict()
if self.category:
body['category'] = self.category
if self.precedence:
body['precedence'] = self.precedence
for attr in ('category', 'precedence'):
if self.get_attr(attr):
body[attr] = self.get_attr(attr)
return body
@staticmethod
@@ -551,70 +448,50 @@ class CommunicationMapDef(ResourceDef):
class CommunicationMapEntryDef(ResourceDef):
def __init__(self,
domain_id=None,
map_id=None,
entry_id=None,
sequence_number=None,
source_groups=None,
dest_groups=None,
service_ids=None,
action=policy_constants.ACTION_ALLOW,
scope="ANY",
name=None,
description=None,
direction=None,
logged=False,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(CommunicationMapEntryDef, self).__init__()
self.tenant = tenant
self.domain_id = domain_id
self.map_id = map_id,
self.id = entry_id
self.name = name
self.description = description
self.sequence_number = sequence_number
self.action = action
self.scope = scope
self.source_groups = self.get_groups_path(domain_id, source_groups)
self.dest_groups = self.get_groups_path(domain_id, dest_groups)
self.direction = direction
self.logged = logged
self.service_paths = ([self.get_service_path(service_id) for service_id
in service_ids] if service_ids
else [policy_constants.ANY_GROUP])
self.parent_ids = (tenant, domain_id, map_id)
# convert groups and services to full path
def get_groups_path(self, domain_id, group_ids):
if not group_ids:
return [policy_constants.ANY_GROUP]
return [GroupDef(domain_id,
group_id,
tenant=self.tenant).get_resource_full_path()
return [GroupDef(domain_id=domain_id,
group_id=group_id,
tenant=self.get_tenant()).get_resource_full_path()
for group_id in group_ids]
def get_service_path(self, service_id):
return ServiceDef(
service_id,
tenant=self.tenant).get_resource_full_path()
service_id=service_id,
tenant=self.get_tenant()).get_resource_full_path()
def get_services_path(self, service_ids):
if service_ids:
return [self.get_service_path(service_id)
for service_id in service_ids]
return [policy_constants.ANY_SERVICE]
@property
def path_pattern(self):
return (DOMAINS_PATH_PATTERN +
"%s/communication-maps/%s/communication-entries/")
@property
def path_ids(self):
return ('tenant', 'domain_id', 'map_id', 'entry_id')
def get_obj_dict(self):
body = super(CommunicationMapEntryDef, self).get_obj_dict()
body['source_groups'] = self.source_groups
body['destination_groups'] = self.dest_groups
body['sequence_number'] = self.sequence_number
body['services'] = self.service_paths
body['scope'] = [self.scope]
body['action'] = self.action
body['direction'] = self.direction
if self.logged is not None:
body['logged'] = self.logged
domain_id = self.get_attr('domain_id')
body['source_groups'] = self.get_groups_path(
domain_id, self.get_attr('source_groups'))
body['destination_groups'] = self.get_groups_path(
domain_id, self.get_attr('dest_groups'))
for attr in ('sequence_number', 'services', 'scope',
'action', 'direction', 'logged'):
if self.get_attr(attr):
body[attr] = self.get_attr(attr)
service_ids = self.get_attr('service_ids')
body['services'] = self.get_services_path(service_ids)
return body
def update_attributes_in_body(self, **kwargs):
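Review bot: `CommunicationMapEntryDef.get_obj_dict` now emits `logged` only when truthy (the loop over `'sequence_number', 'services', 'scope', 'action', 'direction', 'logged'`), whereas the removed code sent it whenever it was not None, so `logged=False` never reaches the backend and an update cannot switch logging off — the test expectations in this commit that drop `'logged': False` codify that loss; handle it outside the loop with `if self.get_attr('logged') is not None: body['logged'] = self.get_attr('logged')`. The same loop reads `'services'` and then `body['services']` is unconditionally overwritten two lines later, so `'services'` can be removed from the tuple. The constructor defaults for `action` (`ACTION_ALLOW`) and `scope` (`"ANY"`, previously wrapped as `[self.scope]`) are gone as well, so callers must now pass `action` and a list-valued `scope` themselves — the tests in this commit do pass `action` explicitly, but whether every caller of this class does cannot be seen here. `update_attributes_in_body` continues outside the hunk.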
@@ -654,49 +531,32 @@ class CommunicationMapEntryDef(ResourceDef):
# Currently supports only NSXT
class EnforcementPointDef(ResourceDef):
def __init__(self, ep_id=None,
name=None,
description=None,
ip_address=None,
username=None,
password=None,
thumbprint=None,
edge_cluster_id=None,
transport_zone_id=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(EnforcementPointDef, self).__init__()
self.id = ep_id
self.name = name
self.description = description
self.tenant = tenant
self.username = username
self.password = password
self.ip_address = ip_address
self.thumbprint = thumbprint
self.edge_cluster_id = edge_cluster_id
self.transport_zone_id = transport_zone_id
self.parent_ids = (tenant)
@property
def path_pattern(self):
return (TENANTS_PATH_PATTERN +
'deployment-zones/default/enforcement-points/')
@property
def path_ids(self):
return ('tenant', 'ep_id')
def get_obj_dict(self):
body = super(EnforcementPointDef, self).get_obj_dict()
body['id'] = self.id
body['id'] = self.get_id()
body['connection_info'] = {
'thumbprint': self.thumbprint,
'username': self.username,
'password': self.password,
'enforcement_point_address': self.ip_address,
'thumbprint': self.get_attr('thumbprint'),
'username': self.get_attr('username'),
'password': self.get_attr('password'),
'enforcement_point_address': self.get_attr('ip_address'),
'resource_type': 'NSXTConnectionInfo'}
if self.edge_cluster_id:
if self.get_attr('edge_cluster_id'):
body['connection_info']['edge_cluster_ids'] = [
self.edge_cluster_id]
if self.transport_zone_id:
self.get_attr('edge_cluster_id')]
if self.get_attr('transport_zone_id'):
body['connection_info']['transport_zone_ids'] = [
self.transport_zone_id]
self.get_attr('transport_zone_id')]
body['resource_type'] = 'EnforcementPoint'
return body
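Review bot: `body['id'] = self.get_id()` in `EnforcementPointDef.get_obj_dict` duplicates what `ResourceDef.get_obj_dict` already does, except that it also writes `'id': None` when no id is set where the base class omits the key; the same line appears in `DeploymentMapDef.get_obj_dict` in a later hunk, and both can be dropped unless a `None` id is deliberately sent. Since `connection_info` carries `password` and `thumbprint` in the clear, the resulting dict should be kept out of log and debug output — the stray `print` added to `get_resource_path` in the first hunk only prints paths, but it is the kind of trace that tends to grow into dumping bodies; a comment on this method, `# body contains credentials; never log it`, would make the expectation explicit. `update_attributes_in_body` and the rest of the class continue outside the hunk.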
@@ -729,37 +589,28 @@ class EnforcementPointDef(ResourceDef):
body=body, **kwargs)
def get_realized_state_path(self):
return REALIZED_STATE_EF % (self.tenant, self.id)
return REALIZED_STATE_EF % (self.get_tenant(), self.get_id())
# Currently assumes one deployment point per id
class DeploymentMapDef(ResourceDef):
def __init__(self, map_id=None,
name=None,
description=None,
domain_id=None,
ep_id=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
super(DeploymentMapDef, self).__init__()
self.id = map_id
self.name = name
self.description = description
# convert enforcement point id to path
self.ep_path = EnforcementPointDef(
ep_id,
tenant=tenant).get_resource_full_path() if ep_id else None
self.tenant = tenant
self.parent_ids = (tenant, domain_id)
@property
def path_pattern(self):
return (DOMAINS_PATH_PATTERN + '%s/domain-deployment-maps/')
@property
def path_ids(self):
return ('tenant', 'domain_id', 'map_id')
def get_obj_dict(self):
body = super(DeploymentMapDef, self).get_obj_dict()
body['id'] = self.id
body['enforcement_point_path'] = self.ep_path
body['id'] = self.get_id()
ep_id = self.get_attr('ep_id')
tenant = self.get_tenant()
body['enforcement_point_path'] = EnforcementPointDef(
ep_id=ep_id,
tenant=tenant).get_resource_full_path() if ep_id else None
return body
def update_attributes_in_body(self, **kwargs):
@@ -770,14 +621,16 @@ class DeploymentMapDef(ResourceDef):
if kwargs.get('domain_id') is not None:
domain_id = kwargs.get('domain_id')
domain_path = DomainDef(
domain_id, tenant=self.tenant).get_resource_full_path()
domain_id=domain_id,
tenant=self.get_tenant()).get_resource_full_path()
body['parent_path'] = domain_path
del kwargs['domain_id']
if kwargs.get('ep_id') is not None:
ep_id = kwargs.get('ep_id')
ep_path = EnforcementPointDef(
ep_id, tenant=self.tenant).get_resource_full_path()
ep_id=ep_id,
tenant=self.get_tenant()).get_resource_full_path()
body['enforcement_point_path'] = ep_path
del kwargs['ep_id']


@@ -95,17 +95,17 @@ class NsxPolicyDomainApi(NsxPolicyResourceBase):
domain_def = policy_defs.DomainDef(domain_id=domain_id,
name=name,
description=description,
tags=tags,
tenant=tenant)
if tags:
domain_def.add_tags(tags)
return self.policy_api.create_or_update(domain_def)
def delete(self, domain_id, tenant=policy_constants.POLICY_INFRA_TENANT):
domain_def = policy_defs.DomainDef(domain_id, tenant=tenant)
domain_def = policy_defs.DomainDef(domain_id=domain_id, tenant=tenant)
self.policy_api.delete(domain_def)
def get(self, domain_id, tenant=policy_constants.POLICY_INFRA_TENANT):
domain_def = policy_defs.DomainDef(domain_id, tenant=tenant)
domain_def = policy_defs.DomainDef(domain_id=domain_id, tenant=tenant)
return self.policy_api.get(domain_def)
def list(self, tenant=policy_constants.POLICY_INFRA_TENANT):
@@ -153,9 +153,8 @@ class NsxPolicyGroupApi(NsxPolicyResourceBase):
name=name,
description=description,
conditions=conditions,
tags=tags,
tenant=tenant)
if tags:
group_def.add_tags(tags)
return self.policy_api.create_or_update(group_def)
def build_condition(
@@ -201,9 +200,8 @@ class NsxPolicyGroupApi(NsxPolicyResourceBase):
name=name,
description=description,
conditions=conditions,
tags=tags,
tenant=tenant)
if tags:
group_def.add_tags(tags)
return self.policy_api.create_or_update(group_def)
def delete(self, domain_id, group_id,
@@ -268,15 +266,6 @@ class NsxPolicyServiceBase(NsxPolicyResourceBase):
"""Delete the service with all its entries"""
service_def = policy_defs.ServiceDef(service_id=service_id,
tenant=tenant)
service = self.policy_api.get(service_def)
# first delete all the service entries
if 'service_entries' in service:
for entry in service['service_entries']:
entry_def = self.entry_def(
service_id=service_id,
service_entry_id=entry['id'],
tenant=tenant)
self.policy_api.delete(entry_def)
self.policy_api.delete(service_def)
def get(self, service_id,
@@ -506,17 +495,16 @@ class NsxPolicyNetworkApi(NsxPolicyResourceBase):
ip_addresses=ip_addresses,
ha_mode=ha_mode,
force_whitelisting=force_whitelisting,
tags=tags,
tenant=tenant)
if tags:
network_def.add_tags(tags)
return self.policy_api.create_or_update(network_def)
def delete(self, network_id, tenant=policy_constants.POLICY_INFRA_TENANT):
network_def = self.entry_def(network_id, tenant=tenant)
network_def = self.entry_def(network_id=network_id, tenant=tenant)
self.policy_api.delete(network_def)
def get(self, network_id, tenant=policy_constants.POLICY_INFRA_TENANT):
network_def = self.entry_def(network_id, tenant=tenant)
network_def = self.entry_def(network_id=network_id, tenant=tenant)
return self.policy_api.get(network_def)
def list(self, tenant=policy_constants.POLICY_INFRA_TENANT):
@@ -562,23 +550,26 @@ class NsxPolicyNetworkSegmentApi(NsxPolicyResourceBase):
subnets=subnets,
dns_domain_name=dns_domain_name,
vlan_ids=vlan_ids,
tags=tags,
tenant=tenant)
if tags:
segment_def.add_tags(tags)
return self.policy_api.create_or_update(segment_def)
def delete(self, network_id, segment_id,
tenant=policy_constants.POLICY_INFRA_TENANT):
segment_def = self.entry_def(network_id, segment_id, tenant=tenant)
segment_def = self.entry_def(network_id=network_id,
segment_id=segment_id,
tenant=tenant)
self.policy_api.delete(segment_def)
def get(self, network_id, segment_id,
tenant=policy_constants.POLICY_INFRA_TENANT):
segment_def = self.entry_def(network_id, segment_id, tenant=tenant)
segment_def = self.entry_def(network_id=network_id,
segment_id=segment_id,
tenant=tenant)
return self.policy_api.get(segment_def)
def list(self, network_id, tenant=policy_constants.POLICY_INFRA_TENANT):
segment_def = self.entry_def(network_id, tenant=tenant)
segment_def = self.entry_def(network_id=network_id, tenant=tenant)
return self.policy_api.list(segment_def)['results']
def update(self, network_id, segment_id,
@@ -619,19 +610,18 @@ class NsxPolicySegmentApi(NsxPolicyResourceBase):
subnets=subnets,
dns_domain_name=dns_domain_name,
vlan_ids=vlan_ids,
tags=tags,
tenant=tenant)
if tags:
segment_def.add_tags(tags)
return self.policy_api.create_or_update(segment_def)
def delete(self, segment_id,
tenant=policy_constants.POLICY_INFRA_TENANT):
segment_def = self.entry_def(segment_id, tenant=tenant)
segment_def = self.entry_def(segment_id=segment_id, tenant=tenant)
self.policy_api.delete(segment_def)
def get(self, segment_id,
tenant=policy_constants.POLICY_INFRA_TENANT):
segment_def = self.entry_def(segment_id, tenant=tenant)
segment_def = self.entry_def(segment_id=segment_id, tenant=tenant)
return self.policy_api.get(segment_def)
def list(self, tenant=policy_constants.POLICY_INFRA_TENANT):
@@ -644,7 +634,7 @@ class NsxPolicySegmentApi(NsxPolicyResourceBase):
dns_domain_name=None,
vlan_ids=None,
tenant=policy_constants.POLICY_INFRA_TENANT):
segment_def = self.entry_def(segment_id, tenant=tenant)
segment_def = self.entry_def(segment_id=segment_id, tenant=tenant)
segment_def.update_attributes_in_body(
name=name,
description=description,
@@ -726,9 +716,7 @@ class NsxPolicyCommunicationMapApi(NsxPolicyResourceBase):
map_def = policy_defs.CommunicationMapDef(
domain_id=domain_id, map_id=map_id,
tenant=tenant, name=name, description=description,
precedence=precedence, category=category)
if tags:
map_def.add_tags(tags)
precedence=precedence, category=category, tags=tags)
if last_sequence < 0:
# if communication map is absent, we need to create it
return self.policy_api.create_with_parent(map_def, entry_def)
@@ -751,9 +739,7 @@ class NsxPolicyCommunicationMapApi(NsxPolicyResourceBase):
map_def = policy_defs.CommunicationMapDef(
domain_id=domain_id, map_id=map_id,
tenant=tenant, name=name, description=description,
precedence=precedence, category=category)
if tags:
map_def.add_tags(tags)
precedence=precedence, category=category, tags=tags)
return self.policy_api.create_or_update(map_def)
@@ -793,9 +779,7 @@ class NsxPolicyCommunicationMapApi(NsxPolicyResourceBase):
map_def = policy_defs.CommunicationMapDef(
domain_id=domain_id, map_id=map_id,
tenant=tenant, name=name, description=description,
precedence=precedence, category=category)
if tags:
map_def.add_tags(tags)
precedence=precedence, category=category, tags=tags)
map_def.body = map_def.get_obj_dict()
# update the entries with the map id
if entries:
@@ -930,7 +914,8 @@ class NsxPolicyCommunicationMapApi(NsxPolicyResourceBase):
def get_realized_state(self, domain_id, map_id, ep_id,
tenant=policy_constants.POLICY_INFRA_TENANT):
map_def = policy_defs.CommunicationMapDef(map_id, domain_id,
map_def = policy_defs.CommunicationMapDef(map_id=map_id,
domain_id=domain_id,
tenant=tenant)
path = map_def.get_realized_state_path(ep_id)
return self._get_realized_state(path)
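Review bot: In the `@@ -268,15 +266,6 @@` hunk, `NsxPolicyServiceBase.delete` drops the loop that deleted every entry in `service['service_entries']` before deleting the service, yet the docstring still promises "Delete the service with all its entries"; nothing in this diff shows that the policy backend now cascades the delete, so a service that still has entries may either be rejected or leave orphaned entries behind. If the cascade is a known backend guarantee, state it where the old loop was, e.g. `# The policy API removes nested service_entries with the service.`, and adjust the docstring to `"""Delete the service; its service_entries are removed with it."""`. Note also that the removed `self.policy_api.get(service_def)` was the only read before the delete, so whatever error a missing service produced there is now produced (or not) by the delete call itself — worth a quick check against the callers' expectations. The `delete` body is fully inside the hunk; the other hunks in this section only switch positional arguments to keywords and pass `tags` through the constructor.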