tests: update for new firewall API

QubesOS/qubes-issues#1815
2016-09-12 06:04:23 +02:00 · 2016-09-12 06:04:23 +02:00 · 202042bd8d
commit 202042bd8d
parent d5b3d971ee
3 changed files with 48 additions and 54 deletions
--- a/qubes/tests/firewall.py
+++ b/qubes/tests/firewall.py
@ -53,6 +53,8 @@ class TestVM(object):
        self.dir_path = '/tmp'
        self.app = TestApp()

+    def fire_event(self, event):
+        pass

 # noinspection PyPep8Naming
 class TC_00_RuleChoice(qubes.tests.QubesTestCase):
--- a/qubes/tests/int/basic.py
+++ b/qubes/tests/int/basic.py
@ -31,9 +31,11 @@ import time
 import unittest

 import qubes
+import qubes.firewall
 import qubes.tests
 import qubes.vm.appvm
 import qubes.vm.qubesvm
+import qubes.vm.standalonevm
 import qubes.vm.templatevm

 import libvirt  # pylint: disable=import-error
@ -85,12 +87,16 @@ class TC_01_Properties(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
        newname = self.make_vm_name('newname')

        self.assertEqual(self.vm.name, self.vmname)
-        self.vm.write_firewall_conf({'allow': False, 'allowDns': False})
+        self.vm.firewall.policy = 'drop'
+        self.vm.firewall.rules = [
+            qubes.firewall.Rule(None, action='accept', specialtarget='dns')
+        ]
+        self.vm.firewall.save()
        self.vm.autostart = True
        self.addCleanup(os.system,
                        'sudo systemctl -q disable qubes-vm@{}.service || :'.
                        format(self.vmname))
-        pre_rename_firewall = self.vm.get_firewall_conf()
+        pre_rename_firewall = self.vm.firewall.rules

        with self.assertNotRaises(
                (OSError, libvirt.libvirtError, qubes.exc.QubesException)):
@ -117,9 +123,10 @@ class TC_01_Properties(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
        self.assertFalse(os.path.exists(
            os.path.join(os.getenv("HOME"), ".local/share/applications",
                self.vmname + "-firefox.desktop")))
-        self.assertEquals(pre_rename_firewall, self.vm.get_firewall_conf())
+        self.vm.firewall.load()
+        self.assertEquals(pre_rename_firewall, self.vm.firewall.rules)
        with self.assertNotRaises((qubes.exc.QubesException, OSError)):
-            self.vm.write_firewall_conf({'allow': False})
+            self.vm.firewall.save()
        self.assertTrue(self.vm.autostart)
        self.assertTrue(os.path.exists(
            '/etc/systemd/system/multi-user.target.wants/'
@ -178,24 +185,19 @@ class TC_01_Properties(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
                          testvm2.include_in_backups)
        self.assertEquals(testvm1.default_user, testvm2.default_user)
        self.assertEquals(testvm1.features, testvm2.features)
-        # TODO
-        # self.assertEquals(testvm1.get_firewall_conf(),
-        #                   testvm2.get_firewall_conf())
+        self.assertEquals(testvm1.firewall.rules,
+                          testvm2.firewall.rules)

        # now some non-default values
        testvm1.netvm = None
        testvm1.label = 'orange'
        testvm1.memory = 512
-        firewall = testvm1.get_firewall_conf()
-        firewall['allowDns'] = False
-        firewall['allowYumProxy'] = False
-        firewall['rules'] = [{'address': '1.2.3.4',
-                              'netmask': 24,
-                              'proto': 'tcp',
-                              'portBegin': 22,
-                              'portEnd': 22,
-                              }]
-        testvm1.write_firewall_conf(firewall)
+        firewall = testvm1.firewall
+        firewall.policy = 'drop'
+        firewall.rules = [
+            qubes.firewall.Rule(None, action='accept', dsthost='1.2.3.0/24',
+                proto='tcp', dstports=22)]
+        firewall.save()

        testvm3 = self.app.add_new_vm(testvm1.__class__,
                                     name=self.make_vm_name("clone2"),
@ -226,9 +228,8 @@ class TC_01_Properties(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
                          testvm3.include_in_backups)
        self.assertEquals(testvm1.default_user, testvm3.default_user)
        self.assertEquals(testvm1.features, testvm3.features)
-        # TODO
-        # self.assertEquals(testvm1.get_firewall_conf(),
-        #                   testvm3.get_firewall_conf())
+        self.assertEquals(testvm1.firewall.rules,
+                          testvm2.firewall.rules)

    def test_020_name_conflict_app(self):
        # TODO decide what exception should be here
--- a/qubes/tests/int/network.py
+++ b/qubes/tests/int/network.py
@ -196,11 +196,8 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):

        # block all for first

-        self.testvm1.write_firewall_conf({
-            'allow': False,
-            'allowDns': False,
-            'allowIcmp': False,
-        })
+        self.testvm1.firewall.policy = 'drop'
+        self.testvm1.firewall.save()
        self.testvm1.start()
        self.assertTrue(self.proxy.is_running())

@ -225,11 +222,10 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):

        # block all except ICMP

-        self.testvm1.write_firewall_conf({
-            'allow': False,
-            'allowDns': False,
-            'allowIcmp': True,
-        })
+        self.testvm1.firewall.rules = [(
+            qubes.firewall.Rule(None, action='accept', proto='icmp')
+        )]
+        self.testvm1.firewall.save()
        # Ugly hack b/c there is no feedback when the rules are actually applied
        time.sleep(3)
        self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0,
@ -239,11 +235,11 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):

        # all TCP still blocked

-        self.testvm1.write_firewall_conf({
-            'allow': False,
-            'allowDns': True,
-            'allowIcmp': True,
-        })
+        self.testvm1.firewall.rules = [
+            qubes.firewall.Rule(None, action='accept', proto='icmp'),
+            qubes.firewall.Rule(None, action='accept', specialtarget='dns'),
+        ]
+        self.testvm1.firewall.save()
        # Ugly hack b/c there is no feedback when the rules are actually applied
        time.sleep(3)
        self.assertEqual(self.run_cmd(self.testvm1, self.ping_name), 0,
@ -253,15 +249,13 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):

        # block all except target

-        self.testvm1.write_firewall_conf({
-            'allow': False,
-            'allowDns': True,
-            'allowIcmp': True,
-            'rules': [{'address': self.test_ip,
-                       'netmask': 32,
-                       'proto': 'tcp',
-                       'portBegin': 1234
-                      }] })
+        self.testvm1.firewall.policy = 'drop'
+        self.testvm1.firewall.rules = [
+            qubes.firewall.Rule(None, action='accept', dsthost=self.test_ip,
+                proto='tcp', dstports=1234),
+        ]
+        self.testvm1.firewall.save()
+
        # Ugly hack b/c there is no feedback when the rules are actually applied
        time.sleep(3)
        self.assertEqual(self.run_cmd(self.testvm1, nc_cmd), 0,
@ -269,16 +263,13 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):

        # allow all except target

-        self.testvm1.write_firewall_conf({
-            'allow': True,
-            'allowDns': True,
-            'allowIcmp': True,
-            'rules': [{'address': self.test_ip,
-                       'netmask': 32,
-                       'proto': 'tcp',
-                       'portBegin': 1234
-                      }]
-        })
+        self.testvm1.firewall.policy = 'accept'
+        self.testvm1.firewall.rules = [
+            qubes.firewall.Rule(None, action='drop', dsthost=self.test_ip,
+                proto='tcp', dstports=1234),
+        ]
+        self.testvm1.firewall.save()
+
        # Ugly hack b/c there is no feedback when the rules are actually applied
        time.sleep(3)
        self.assertNotEqual(self.run_cmd(self.testvm1, nc_cmd), 0,