tests/sysrepo-firewall.cpp

/*
 * Copyright (C) 2021 CESNET, https://photonics.cesnet.cz/
 *
 * Written by Václav Kubernát <kubernat@cesnet.cz>
 *
*/

#include "trompeloeil_doctest.h"
#include <sysrepo-cpp/Connection.hpp>
#include "firewall/Firewall.h"
#include "test_log_setup.h"

class MockNft {
public:
    MAKE_MOCK1(consumeConfig, void(const std::string&));
    void operator()(const std::string& config)
    {
        consumeConfig(config);
    }
};

const std::string NFTABLES_OUTPUT_START = R"(flush ruleset
add table inet filter
add chain inet filter acls { type filter hook input priority 0; }
add rule inet filter acls ct state established,related accept
add rule inet filter acls iif lo accept comment "Accept any localhost traffic"
)";

const auto TIMEOUT = std::chrono::milliseconds{1000};

TEST_CASE("nftables generator")
{
    TEST_SYSREPO_INIT_LOGS;
    sysrepo::Connection srConn;
    auto srSess = srConn.sessionStart();
    // Delete all acls at the start so we know what we're dealing with.
    srSess.deleteItem("/ietf-access-control-list:acls");
    srSess.applyChanges(TIMEOUT);
    MockNft nft;

    SECTION("include files")
    {
        REQUIRE_CALL(nft, consumeConfig(NFTABLES_OUTPUT_START + "include \"/some/file\"\n"));
        velia::firewall::SysrepoFirewall fwWithIncludes(srSess, [&nft] (const std::string& config) {nft.consumeConfig(config);}, {"/some/file"});
    }

    REQUIRE_CALL(nft, consumeConfig(NFTABLES_OUTPUT_START));
    velia::firewall::SysrepoFirewall fw(srSess, [&nft] (const std::string& config) {nft.consumeConfig(config);});
    std::string inputData;
    std::string expectedOutput;

    SECTION("empty ACL start")
    {
        // Add an empty ACL
        {
            REQUIRE_CALL(nft, consumeConfig(NFTABLES_OUTPUT_START));
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/type", "mixed-eth-ipv4-ipv6-acl-type");
            srSess.applyChanges(TIMEOUT);
        }

        SECTION("add an IPv4 ACE")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls ip saddr 192.168.0.0/24 drop comment \"deny 192.168.0.0/24\"\n";
            srSess.setItem(
                    "/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']/matches/ipv4/source-ipv4-network",
                    "192.168.0.0/24");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']/actions/forwarding", "drop");
        }

        SECTION("add an IPv6 ACE")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls ip6 saddr 2001:db8:85a3::8a2e:370:7334/128 accept comment \"deny an ipv6 address\"\n";
            srSess.setItem(
                    "/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny an ipv6 address']/matches/ipv6/source-ipv6-network",
                    "2001:0db8:85a3:0000:0000:8a2e:0370:7334/128");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny an ipv6 address']/actions/forwarding", "accept");
        }

        SECTION("add ACE without 'matches'")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls drop comment \"drop eveything\"\n";
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='drop eveything']/actions/forwarding", "drop");
        }

        SECTION("add ACE with 'reject'")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls reject comment \"reject eveything\"\n";
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='reject eveything']/actions/forwarding", "reject");
        }

        SECTION("add ACE with 'reject'")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls reject comment \"reject eveything\"\n";
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='reject eveything']/actions/forwarding", "reject");
        }

        SECTION("add two ACEs")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls ip saddr 192.168.0.0/24 drop comment \"deny 192.168.0.0/24\"\n"
                "add rule inet filter acls reject comment \"reject eveything\"\n";
            srSess.setItem(
                    "/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']/matches/ipv4/source-ipv4-network",
                    "192.168.0.0/24");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']/actions/forwarding", "drop");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='reject eveything']/actions/forwarding", "reject");
        }

        REQUIRE_CALL(nft, consumeConfig(expectedOutput));
        srSess.applyChanges(TIMEOUT);

    }

    SECTION("non-empty ACL start")
    {
        // Add a non-empty ACL
        {
            REQUIRE_CALL(nft, consumeConfig(NFTABLES_OUTPUT_START +
                        "add rule inet filter acls ip saddr 192.168.0.0/24 drop comment \"deny 192.168.0.0/24\"\n"));
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/type", "mixed-eth-ipv4-ipv6-acl-type");
            srSess.setItem(
                    "/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']/matches/ipv4/source-ipv4-network",
                    "192.168.0.0/24");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']/actions/forwarding", "drop");
            srSess.applyChanges(TIMEOUT);
        }

        SECTION("add another ACE")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls ip saddr 192.168.0.0/24 drop comment \"deny 192.168.0.0/24\"\n"
                "add rule inet filter acls ip saddr 192.168.13.0/24 drop comment \"also deny 192.168.13.0/24\"\n";
            srSess.setItem(
                    "/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='also deny 192.168.13.0/24']/matches/ipv4/source-ipv4-network",
                    "192.168.13.0/24");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='also deny 192.168.13.0/24']/actions/forwarding", "drop");

        }

        SECTION("remove ACE")
        {
            expectedOutput = NFTABLES_OUTPUT_START;
            srSess.deleteItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']");
        }

        SECTION("remove previous ACE and add another")
        {
            expectedOutput = NFTABLES_OUTPUT_START +
                "add rule inet filter acls ip saddr 192.168.13.0/24 drop comment \"deny 192.168.13.0/24\"\n";
            srSess.deleteItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.0.0/24']");
            srSess.setItem(
                    "/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.13.0/24']/matches/ipv4/source-ipv4-network",
                    "192.168.13.0/24");
            srSess.setItem("/ietf-access-control-list:acls/acl[name='acls']/aces/ace[name='deny 192.168.13.0/24']/actions/forwarding", "drop");
        }

        SECTION("remove entire ACL")
        {
            expectedOutput = NFTABLES_OUTPUT_START;
            srSess.deleteItem("/ietf-access-control-list:acls/acl[name='acls']");
        }

        REQUIRE_CALL(nft, consumeConfig(expectedOutput));
        srSess.applyChanges(TIMEOUT);
    }
}