leapp-repository/SOURCES/0014-actor-firewalld-suppor...


From c109704cb2139dbdba371b83e2f55aad8fb1f9ed Mon Sep 17 00:00:00 2001
From: Eric Garver <egarver@redhat.com>
Date: Wed, 31 Aug 2022 14:24:42 -0400
Subject: [PATCH 14/32] actor: firewalld: support 0.8.z
Prior to this change the actor only supported firewalld-0.9.z and later.
Relevant differences between 0.9.z and 0.8.z:
- Policies don't exist (new in 0.9.0)
- Zones use a tuple based API
Fixes: rhbz2101909
---
...private_firewalldcollectusedobjectnames.py | 31 +++++-
...it_test_firewalldcollectusedobjectnames.py | 105 +++++++++++++++++-
2 files changed, 129 insertions(+), 7 deletions(-)
diff --git a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py
index 93e4c6a2..d93b980b 100644
--- a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py
+++ b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/libraries/private_firewalldcollectusedobjectnames.py
@@ -14,6 +14,13 @@ def is_zone_in_use(conf):
return False
+def is_zone_in_use_tuple(conf):
+ conf_dict = {'interfaces': conf[10],
+ 'sources': conf[11]}
+
+ return is_zone_in_use(conf_dict)
+
+
def is_policy_in_use(conf, used_zones):
# A policy is in use if both ingress_zones and egress_zones contain at
# least one of following: an active zone, 'ANY', 'HOST'.
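Review bot: The positional indices in `is_zone_in_use_tuple` (`conf[10]`, `conf[11]`) and in `get_used_services_tuple` in the next hunk (`conf[5]`, `conf[10]`, `conf[11]`, `conf[12]`) are undocumented magic numbers; the only place the layout is explained is the unit-test comments. Because `read_config` now takes the tuple path on every firewalld version, a layout difference between releases would make the actor silently misreport which zones and services are in use, so the mapping deserves a comment next to the code, e.g. `# zone config tuple: [5]=services, [10]=interfaces, [11]=sources, [12]=rules_str`. A short docstring on both adapters stating that they convert the tuple returned by `get_zone_config()` into the dict shape expected by the existing helpers would also help. A tuple shorter than expected raises `IndexError` here; whether the caller handles that is not visible in this hunk.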
@@ -49,6 +56,18 @@ def get_used_services(conf, isZone):
return used_services
+def get_used_services_tuple(conf, isZone):
+ if not isZone:
+ return set()
+
+ conf_dict = {'services': conf[5],
+ 'interfaces': conf[10],
+ 'sources': conf[11],
+ 'rules_str': conf[12]}
+
+ return get_used_services(conf_dict, isZone)
+
+
def read_config():
try:
fw = Firewall(offline=True)
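Review bot: The early `return set()` for `not isZone` in `get_used_services_tuple` has no explanation, and it behaves differently from `get_used_services`, which does process policies when `isZone` is false. A comment such as `# policies have no tuple-based config (they do not exist before 0.9.0), so there is nothing to convert` would make the intent clear. Since the adapter is only meaningful for zones, the `isZone` parameter is presumably kept just for signature parity; say so in the docstring.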
@@ -65,12 +84,12 @@ def read_config():
used_zones = set([fw.get_default_zone()])
for zone in fw.config.get_zones():
obj = fw.config.get_zone(zone)
- conf = fw.config.get_zone_config_dict(obj)
- if is_zone_in_use(conf):
+ conf = fw.config.get_zone_config(obj)
+ if is_zone_in_use_tuple(conf):
used_zones.add(zone)
used_policies = []
- for policy in fw.config.get_policy_objects():
+ for policy in fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []:
obj = fw.config.get_policy_object(policy)
conf = fw.config.get_policy_object_config_dict(obj)
if is_policy_in_use(conf, used_zones):
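Review bot: The `hasattr(fw.config, "get_policy_objects")` conditional is written inline in the `for` header here and repeated verbatim in the following hunk, which makes both loop headers hard to read and easy to update inconsistently. Compute it once near the top of `read_config`, e.g. `policies = fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []`, and use `for policy in policies:` in both loops. When the attribute is missing the policy scan is skipped silently; a debug log line at that point would help anyone auditing why no policies were reported for a host. The body of `read_config` starts and ends outside this hunk.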
@@ -79,9 +98,9 @@ def read_config():
used_services = set()
for zone in fw.config.get_zones():
obj = fw.config.get_zone(zone)
- conf = fw.config.get_zone_config_dict(obj)
- used_services.update(get_used_services(conf, True))
- for policy in fw.config.get_policy_objects():
+ conf = fw.config.get_zone_config(obj)
+ used_services.update(get_used_services_tuple(conf, True))
+ for policy in fw.config.get_policy_objects() if hasattr(fw.config, "get_policy_objects") else []:
obj = fw.config.get_policy_object(policy)
conf = fw.config.get_policy_object_config_dict(obj)
used_services.update(get_used_services(conf, False))
diff --git a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py
index 6e1511eb..9d2cfb47 100644
--- a/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py
+++ b/repos/system_upgrade/el8toel9/actors/firewalldcollectusedobjectnames/tests/unit_test_firewalldcollectusedobjectnames.py
@@ -1,7 +1,9 @@
from leapp.libraries.actor.private_firewalldcollectusedobjectnames import (
get_used_services,
+ get_used_services_tuple,
is_policy_in_use,
- is_zone_in_use
+ is_zone_in_use,
+ is_zone_in_use_tuple
)
@@ -20,6 +22,35 @@ def test_is_zone_in_use():
assert is_zone_in_use(conf)
+def test_is_zone_in_use_tuple():
+ conf = (None, None, None, None, None,
+ ['tftp-client'], # conf[5], services
+ None, None, None, None,
+ ['dummy0'], # conf[10], interfaces
+ [], # conf[11], sources
+ [], # conf[12], rules_str
+ None, None, None)
+ assert is_zone_in_use_tuple(conf)
+
+ conf = (None, None, None, None, None,
+ ['tftp-client'], # conf[5], services
+ None, None, None, None,
+ [], # conf[10], interfaces
+ ['10.1.2.0/24'], # conf[11], sources
+ [], # conf[12], rules_str
+ None, None, None)
+ assert is_zone_in_use_tuple(conf)
+
+ conf = (None, None, None, None, None,
+ ['tftp-client'], # conf[5], services
+ None, None, None, None,
+ ['dummy0'], # conf[10], interfaces
+ ['fd00::/8'], # conf[11], sources
+ [], # conf[12], rules_str
+ None, None, None)
+ assert is_zone_in_use_tuple(conf)
+
+
def test_is_zone_in_use_negative():
conf = {'interfaces': [],
'services': ['tftp-client']}
@@ -33,6 +64,17 @@ def test_is_zone_in_use_negative():
assert not is_zone_in_use(conf)
+def test_is_zone_in_use_tuple_negative():
+ conf = (None, None, None, None, None,
+ ['tftp-client'], # conf[5], services
+ None, None, None, None,
+ [], # conf[10], interfaces
+ [], # conf[11], sources
+ [], # conf[12], rules_str
+ None, None, None)
+ assert not is_zone_in_use_tuple(conf)
+
+
def test_is_policy_in_use():
conf = {'ingress_zones': ['HOST'],
'egress_zones': ['public'],
@@ -88,6 +130,35 @@ def test_get_used_services_zone():
assert 'tftp-client' in get_used_services(conf, True)
+def test_get_used_services_tuple_zone():
+ conf = (None, None, None, None, None,
+ ['tftp-client'], # conf[5], services
+ None, None, None, None,
+ ['dummy0'], # conf[10], interfaces
+ [], # conf[11], sources
+ [], # conf[12], rules_str
+ None, None, None)
+ assert 'tftp-client' in get_used_services_tuple(conf, True)
+
+ conf = (None, None, None, None, None,
+ [], # conf[5], services
+ None, None, None, None,
+ [], # conf[10], interfaces
+ ['10.1.2.0/24'], # conf[11], sources
+ ['rule family="ipv4" source address="10.1.1.0/24" service name="tftp-client" reject'],
+ None, None, None)
+ assert 'tftp-client' in get_used_services_tuple(conf, True)
+
+ conf = (None, None, None, None, None,
+ [], # conf[5], services
+ None, None, None, None,
+ ['dummy0'], # conf[10], interfaces
+ ['fd00::/8'], # conf[11], sources
+ ['rule service name="ssh" accept', 'rule service name="tftp-client" accept'], # conf[12], rules_str
+ None, None, None)
+ assert 'tftp-client' in get_used_services_tuple(conf, True)
+
+
def test_get_used_services_zone_negative():
conf = {'interfaces': ['dummy0'],
'services': ['https']}
@@ -105,6 +176,38 @@ def test_get_used_services_zone_negative():
assert 'tftp-client' not in get_used_services(conf, True)
+def test_get_used_services_tuple_zone_negative():
+ conf = (None, None, None, None, None,
+ ['https'], # conf[5], services
+ None, None, None, None,
+ ['dummy0'], # conf[10], interfaces
+ [], # conf[11], sources
+ [], # conf[12], rules_str
+ None, None, None)
+ assert 'tftp-client' not in get_used_services_tuple(conf, True)
+
+ conf = {'sources': ['10.1.2.0/24'],
+ 'rules_str': ['rule family="ipv4" source address="10.1.1.0/24" service name="ssh" reject'],
+ 'services': ['https']}
+ conf = (None, None, None, None, None,
+ ['https'], # conf[5], services
+ None, None, None, None,
+ [], # conf[10], interfaces
+ ['10.1.2.0/24'], # conf[11], sources
+ ['rule family="ipv4" source address="10.1.1.0/24" service name="ssh" reject'], # conf[12], rules_str
+ None, None, None)
+ assert 'tftp-client' not in get_used_services_tuple(conf, True)
+
+ conf = (None, None, None, None, None,
+ [], # conf[5], services
+ None, None, None, None,
+ ['dummy0'], # conf[10], interfaces
+ ['fd00::/8'], # conf[11], sources
+ ['rule service name="ssh" accept', 'rule service name="http" accept'], # conf[12], rules_str
+ None, None, None)
+ assert 'tftp-client' not in get_used_services_tuple(conf, True)
+
+
def test_get_used_services_policy():
conf = {'services': ['tftp-client']}
assert 'tftp-client' in get_used_services(conf, False)
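Review bot: In `test_get_used_services_tuple_zone_negative` the second case assigns a dict to `conf` (`conf = {'sources': ['10.1.2.0/24'], ...}`) and then immediately overwrites it with the tuple, so the dict is dead copy-paste residue and should be removed. The new tests also never exercise the `isZone=False` branch of `get_used_services_tuple`; a one-line check such as `assert get_used_services_tuple(conf, False) == set()` would pin that behaviour. The second case of `test_get_used_services_tuple_zone` in the earlier hunk is also missing the `# conf[12], rules_str` marker that the other cases carry.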
--
2.38.1