1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.node.admin.maintenance.acl;
import com.yahoo.config.provision.NodeType;
import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl;
import com.yahoo.vespa.hosted.node.admin.task.util.file.Editor;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import org.junit.jupiter.api.Test;
import java.util.ArrayList;
import java.util.List;
import static org.junit.jupiter.api.Assertions.assertEquals;
/**
* @author freva
*/
public class FilterTableLineEditorTest {
@Test
void filter_set_wanted_rules() {
Acl acl = new Acl.Builder().withTrustedPorts(22).withTrustedNode("hostname", "3001::1").build();
assertFilterTableLineEditorResult(
acl, IPVersion.IPv6,
"-P INPUT ACCEPT\n" +
"-P FORWARD ACCEPT\n" +
"-P OUTPUT ACCEPT\n",
"-P INPUT ACCEPT\n" +
"-P FORWARD ACCEPT\n" +
"-P OUTPUT ACCEPT\n" +
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
"-A INPUT -i lo -j ACCEPT\n" +
"-A INPUT -p ipv6-icmp -j ACCEPT\n" +
"-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT\n" +
"-A INPUT -s 3001::1/128 -j ACCEPT\n" +
"-A INPUT -j REJECT --reject-with icmp6-port-unreachable");
}
@Test
void produces_minimal_diff_simple() {
assertFilterTableDiff(List.of(2, 5, 3, 6, 1, 4), List.of(2, 5, 6, 1, 4),
"Patching file table:\n" +
"--A INPUT -s 2001::3/128 -j ACCEPT\n");
}
@Test
void produces_minimal_diff_complex() {
assertFilterTableDiff(List.of(1, 2, 3, 4, 5, 6, 7, 8, 9, 10), List.of(5, 11, 6, 3, 10, 4, 8, 12),
"Patching file table:\n" +
"--A INPUT -s 2001::1/128 -j ACCEPT\n" +
"--A INPUT -s 2001::2/128 -j ACCEPT\n" +
"+-A INPUT -s 2001::11/128 -j ACCEPT\n" +
"+-A INPUT -s 2001::12/128 -j ACCEPT\n" +
"--A INPUT -s 2001::7/128 -j ACCEPT\n" +
"--A INPUT -s 2001::9/128 -j ACCEPT\n");
}
private static void assertFilterTableLineEditorResult(
Acl acl, IPVersion ipVersion, String currentFilterTable, String expectedRestoreFileContent) {
FilterTableLineEditor filterLineEditor = FilterTableLineEditor.from(acl, ipVersion);
Editor editor = new Editor(
"nat-table",
() -> List.of(currentFilterTable.split("\n")),
result -> assertEquals(expectedRestoreFileContent, String.join("\n", result)),
filterLineEditor);
editor.edit(m -> {});
}
private static void assertFilterTableDiff(List<Integer> currentIpSuffix, List<Integer> wantedIpSuffix, String diff) {
Acl.Builder currentAcl = new Acl.Builder();
NodeType nodeType = NodeType.tenant;
currentIpSuffix.forEach(i -> currentAcl.withTrustedNode("host" + i, "2001::" + i));
List<String> currentTable = new ArrayList<>();
Acl.Builder wantedAcl = new Acl.Builder();
wantedIpSuffix.forEach(i -> wantedAcl.withTrustedNode("host" + i, "2001::" + i));
new Editor("table", List::of, currentTable::addAll, FilterTableLineEditor.from(currentAcl.build(), IPVersion.IPv6))
.edit(log -> {});
new Editor("table", () -> currentTable, result -> {}, FilterTableLineEditor.from(wantedAcl.build(), IPVersion.IPv6))
.edit(log -> assertEquals(diff, log));
}
}
|
