From c109704cb2139dbdba371b83e2f55aad8fb1f9ed Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Wed, 31 Aug 2022 14:24:42 -0400
Subject: [PATCH 14/32] actor: firewalld: support 0.8.z

Prior to this change the actor only supported firewalld-0.9.z and later.

Relevant differences between 0.9.z and 0.8.z:
- Policies don't exist (new in 0.9.0)
- Zones use a tuple based API

Fixes: rhbz2101909
---
 ...private_firewalldcollectusedobjectnames.py | 31 +++++-
 ...it_test_firewalldcollectusedobjectnames.py | 105 +++++++++++++++++-
 2 files changed, 129 insertions(+), 7 deletions(-)

diff --git a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py
index 93e4c6a2..d93b980b 100644
--- a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py
+++ b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py
@@ -14,6 +14,13 @@ def is_zone_in_use(conf):
     return False
 
 
+def is_zone_in_use_tuple(conf):
+    conf_dict = {'interfaces': conf[10],
+                 'sources': conf[11]}
+
+    return is_zone_in_use(conf_dict)
+
+
 def is_policy_in_use(conf, used_zones):
     # A policy is in use if both ingress_zones and egress_zones contain at
     # least one of following: an active zone, 'ANY', 'HOST'.
@@ -49,6 +56,18 @@ def get_used_services(conf, isZone):
     return used_services
 
 
+def get_used_services_tuple(conf, isZone):
+    if not isZone:
+        return set()
+
+    conf_dict = {'services': conf[5],
+                 'interfaces': conf[10],
+                 'sources': conf[11],
+                 'rules_str': conf[12]}
+
+    return get_used_services(conf_dict, isZone)
+
+
 def read_config():
     try:
         fw = Firewall(offline=True)
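Review bot: `is_zone_in_use_tuple` and `get_used_services_tuple` read the zone config by bare positions (`conf[5]`, `conf[10]`, `conf[11]`, `conf[12]`) with nothing in the library stating which layout they expect; the index-to-field mapping exists only as inline comments in the test file. A short comment above each adapter, e.g. `# firewalld-0.8.z zone config tuple: [5]=services, [10]=interfaces, [11]=sources, [12]=rules_str`, plus a note of which firewalld release the positions were checked against, would let a maintainer notice a silent shift if the tuple layout changes between the versions this actor supports. Neither adapter guards the tuple length, so a shorter tuple raises IndexError up through `read_config`; whether the `except` of its `try` (outside this hunk) absorbs that cannot be seen here. The same applies to the `get_used_services_tuple` hunk of this file.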
@@ -65,12 +84,12 @@ def read_config():
     used_zones = set([fw.get_default_zone()])
     for zone in fw.config.get_zones():
         obj = fw.config.get_zone(zone)
-        conf = fw.config.get_zone_config_dict(obj)
-        if is_zone_in_use(conf):
+        conf = fw.config.get_zone_config(obj)
+        if is_zone_in_use_tuple(conf):
             used_zones.add(zone)
 
     used_policies = []
-    for policy in fw.config.get_policy_objects():
+    for policy in fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []:
         obj = fw.config.get_policy_object(policy)
         conf = fw.config.get_policy_object_config_dict(obj)
         if is_policy_in_use(conf, used_zones):
@@ -79,9 +98,9 @@ def read_config():
     used_services = set()
     for zone in fw.config.get_zones():
         obj = fw.config.get_zone(zone)
-        conf = fw.config.get_zone_config_dict(obj)
-        used_services.update(get_used_services(conf, True))
-    for policy in fw.config.get_policy_objects():
+        conf = fw.config.get_zone_config(obj)
+        used_services.update(get_used_services_tuple(conf, True))
+    for policy in fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []:
         obj = fw.config.get_policy_object(policy)
         conf = fw.config.get_policy_object_config_dict(obj)
         used_services.update(get_used_services(conf, False))
diff --git a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py
index 6e1511eb..9d2cfb47 100644
--- a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py
+++ b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py
@@ -1,7 +1,9 @@
 from leapp.libraries.actor.private_firewalldcollectusedobjectnames import (
     get_used_services,
+    get_used_services_tuple,
     is_policy_in_use,
-    is_zone_in_use
+    is_zone_in_use,
+    is_zone_in_use_tuple
 )
 
 
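Review bot: The loop header `for policy in fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []:` buries a version probe inside the `for` statement and is repeated verbatim in the next hunk (`@@ -79,9 +98,9 @@`), so the two copies can drift apart. Evaluate it once near the top of `read_config` with the reason spelled out, e.g. `# policies were introduced in firewalld 0.9.0; 0.8.z has no get_policy_objects()` and `policies = fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []`, then write both loops as `for policy in policies:`. `read_config` starts and ends outside these hunks, so the placement of that line relative to its `try` block needs checking in the full file.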
@@ -20,6 +22,35 @@ def test_is_zone_in_use():
     assert is_zone_in_use(conf)
 
 
+def test_is_zone_in_use_tuple():
+    conf = (None, None, None, None, None,
+            ['tftp-client'],  # conf[5], services
+            None, None, None, None,
+            ['dummy0'],  # conf[10], interfaces
+            [],  # conf[11], sources
+            [],  # conf[12], rules_str
+            None, None, None)
+    assert is_zone_in_use_tuple(conf)
+
+    conf = (None, None, None, None, None,
+            ['tftp-client'],  # conf[5], services
+            None, None, None, None,
+            [],  # conf[10], interfaces
+            ['10.1.2.0/24'],  # conf[11], sources
+            [],  # conf[12], rules_str
+            None, None, None)
+    assert is_zone_in_use_tuple(conf)
+
+    conf = (None, None, None, None, None,
+            ['tftp-client'],  # conf[5], services
+            None, None, None, None,
+            ['dummy0'],  # conf[10], interfaces
+            ['fd00::/8'],  # conf[11], sources
+            [],  # conf[12], rules_str
+            None, None, None)
+    assert is_zone_in_use_tuple(conf)
+
+
 def test_is_zone_in_use_negative():
     conf = {'interfaces': [],
             'services': ['tftp-client']}
@@ -33,6 +64,17 @@ def test_is_zone_in_use_negative():
     assert not is_zone_in_use(conf)
 
 
+def test_is_zone_in_use_tuple_negative():
+    conf = (None, None, None, None, None,
+            ['tftp-client'],  # conf[5], services
+            None, None, None, None,
+            [],  # conf[10], interfaces
+            [],  # conf[11], sources
+            [],  # conf[12], rules_str
+            None, None, None)
+    assert not is_zone_in_use_tuple(conf)
+
+
 def test_is_policy_in_use():
     conf = {'ingress_zones': ['HOST'],
             'egress_zones': ['public'],
@@ -88,6 +130,35 @@ def test_get_used_services_zone():
     assert 'tftp-client' in get_used_services(conf, True)
 
 
+def test_get_used_services_tuple_zone():
+    conf = (None, None, None, None, None,
+            ['tftp-client'],  # conf[5], services
+            None, None, None, None,
+            ['dummy0'],  # conf[10], interfaces
+            [],  # conf[11], sources
+            [],  # conf[12], rules_str
+            None, None, None)
+    assert 'tftp-client' in get_used_services_tuple(conf, True)
+
+    conf = (None, None, None, None, None,
+            [],  # conf[5], services
+            None, None, None, None,
+            [],  # conf[10], interfaces
+            ['10.1.2.0/24'],  # conf[11], sources
+            ['rule family="ipv4" source address="10.1.1.0/24" service name="tftp-client" reject'],
+            None, None, None)
+    assert 'tftp-client' in get_used_services_tuple(conf, True)
+
+    conf = (None, None, None, None, None,
+            [],  # conf[5], services
+            None, None, None, None,
+            ['dummy0'],  # conf[10], interfaces
+            ['fd00::/8'],  # conf[11], sources
+            ['rule service name="ssh" accept', 'rule service name="tftp-client" accept'],  # conf[12], rules_str
+            None, None, None)
+    assert 'tftp-client' in get_used_services_tuple(conf, True)
+
+
 def test_get_used_services_zone_negative():
     conf = {'interfaces': ['dummy0'],
             'services': ['https']}
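Review bot: The second tuple in `test_get_used_services_tuple_zone` is the only one whose rich-rule element lacks the position label every other tuple in this file carries; append `# conf[12], rules_str` to the `['rule family="ipv4" source address="10.1.1.0/24" service name="tftp-client" reject'],` line so a reader does not have to count sixteen positional slots to see which field the rule occupies. These tests are currently the only place the tuple layout is written down, so keeping the labels uniform is worth more here than it would be elsewhere.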
@@ -105,6 +176,38 @@ def test_get_used_services_zone_negative():
     assert 'tftp-client' not in get_used_services(conf, True)
 
 
+def test_get_used_services_tuple_zone_negative():
+    conf = (None, None, None, None, None,
+            ['https'],  # conf[5], services
+            None, None, None, None,
+            ['dummy0'],  # conf[10], interfaces
+            [],  # conf[11], sources
+            [],  # conf[12], rules_str
+            None, None, None)
+    assert 'tftp-client' not in get_used_services_tuple(conf, True)
+
+    conf = {'sources': ['10.1.2.0/24'],
+            'rules_str': ['rule family="ipv4" source address="10.1.1.0/24" service name="ssh" reject'],
+            'services': ['https']}
+    conf = (None, None, None, None, None,
+            ['https'],  # conf[5], services
+            None, None, None, None,
+            [],  # conf[10], interfaces
+            ['10.1.2.0/24'],  # conf[11], sources
+            ['rule family="ipv4" source address="10.1.1.0/24" service name="ssh" reject'],  # conf[12], rules_str
+            None, None, None)
+    assert 'tftp-client' not in get_used_services_tuple(conf, True)
+
+    conf = (None, None, None, None, None,
+            [],  # conf[5], services
+            None, None, None, None,
+            ['dummy0'],  # conf[10], interfaces
+            ['fd00::/8'],  # conf[11], sources
+            ['rule service name="ssh" accept', 'rule service name="http" accept'],  # conf[12], rules_str
+            None, None, None)
+    assert 'tftp-client' not in get_used_services_tuple(conf, True)
+
+
 def test_get_used_services_policy():
     conf = {'services': ['tftp-client']}
     assert 'tftp-client' in get_used_services(conf, False)
-- 
2.38.1
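Review bot: In the second case of `test_get_used_services_tuple_zone_negative` the dict `conf = {'sources': ['10.1.2.0/24'], 'rules_str': [...], 'services': ['https']}` is assigned and then immediately overwritten by the tuple assignment that follows, so it is dead code left over from copying the dict-based test above; delete those three lines. Nothing asserts against the dict, so the test's outcome does not change, but an unused-assignment lint would presumably flag it and a reader may wrongly assume the dict is exercised.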