Firewall Policies, global rules and analytics settings. (#1358)

* Firewall Policies, global rules and analytics settings.

Analysis: Firewall policies, firewall global rules and analytics settings can now be added/modified.

Tests:

Functional and unit tests for the above features have been added.

* Fix style issues

Author: priyalpalkar

f5/bigip/tm/security/__init__.py

@@ -28,6 +28,7 @@
 """
 
 from f5.bigip.resource import OrganizingCollection
+from f5.bigip.tm.security.analytics import Analytics
 from f5.bigip.tm.security.dos import Dos
 from f5.bigip.tm.security.firewall import Firewall
 
@@ -37,4 +38,4 @@ class Security(OrganizingCollection):
 
     def __init__(self, tm):
         super(Security, self).__init__(tm)
-        self._meta_data['allowed_lazy_attributes'] = [Dos, Firewall]
+        self._meta_data['allowed_lazy_attributes'] = [Dos, Firewall, Analytics]

f5/bigip/tm/security/analytics.py

@@ -0,0 +1,46 @@
+# coding=utf-8
+#
+# Copyright 2015-2017 F5 Networks Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+"""BIG-IP® Advanced Firewall Manager™ (AFM®) module.
+
+REST URI
+    ``http://localhost/mgmt/tm/security/analytics``
+
+GUI Path
+    ``Security --> Network Firewall``
+
+REST Kind
+    ``tm:security:analytics:*``
+"""
+from f5.bigip.resource import OrganizingCollection
+from f5.bigip.resource import UnnamedResource
+
+
+class Analytics(OrganizingCollection):
+    """BIG-IP® AFM® Analytics organizing collection."""
+
+    def __init__(self, security):
+        super(Analytics, self).__init__(security)
+        self._meta_data['allowed_lazy_attributes'] = [Settings]
+
+
+class Settings(UnnamedResource):
+    """BIG-IP® Analytics settings resource"""
+    def __init__(self, settings):
+        super(Settings, self).__init__(settings)
+        self._meta_data['required_json_kind'] = \
+            'tm:security:analytics:settings:settingsstate'

f5/bigip/tm/security/firewall.py

@@ -26,14 +26,14 @@
 REST Kind
     ``tm:security:firewall:*``
 """
+from distutils.version import LooseVersion
 from f5.bigip.mixins import CheckExistenceMixin
 from f5.bigip.resource import Collection
 from f5.bigip.resource import OrganizingCollection
 from f5.bigip.resource import Resource
+from f5.bigip.resource import UnnamedResource
 from f5.sdk_exception import NonExtantFirewallRule
 
-from distutils.version import LooseVersion
-
 
 class Firewall(OrganizingCollection):
     """BIG-IP® AFM® Firewall organizing collection."""
@@ -43,7 +43,9 @@ def __init__(self, security):
         self._meta_data['allowed_lazy_attributes'] = [
             Address_Lists,
             Port_Lists,
-            Rule_Lists]
+            Rule_Lists,
+            Policy_s,
+            Global_Rules]
 
 
 class Address_Lists(Collection):
@@ -198,3 +200,35 @@ def _exists_11_6(self, **kwargs):
 
         return self._check_existence_by_collection(
             self._meta_data['container'], kwargs['name'])
+
+
+class Policy_s(Collection):
+    """BIG-IP® AFM® Policy collection"""
+    def __init__(self, firewall):
+        super(Policy_s, self).__init__(firewall)
+        self._meta_data['allowed_lazy_attributes'] = [Policy]
+        self._meta_data['attribute_registry'] = \
+            {'tm:security:firewall:policy:policystate':
+                Policy}
+
+
+class Policy(Resource):
+    """BIG-IP® AFM® Policy resource"""
+    def __init__(self, policy_s):
+        super(Policy, self).__init__(policy_s)
+        self._meta_data['required_json_kind'] = \
+            'tm:security:firewall:policy:policystate'
+        self._meta_data['required_creation_parameters'].update(('partition',))
+        self._meta_data['required_load_parameters'].update(('partition',))
+        self._meta_data['allowed_lazy_attributes'] = [Rules_s]
+        self._meta_data['attribute_registry'] = \
+            {'tm:security:firewall:rule-list:rules:rulescollectionstate':
+                Rules_s}
+
+
+class Global_Rules(UnnamedResource):
+    """BIG-IP® AFM® Global Rules resource"""
+    def __init__(self, global_rules):
+        super(Global_Rules, self).__init__(global_rules)
+        self._meta_data['required_json_kind'] = \
+            'tm:security:firewall:global-rules:global-rulesstate'

f5/bigip/tm/security/test/functional/test_analytics.py

@@ -0,0 +1,27 @@
+# Copyright 2017 F5 Networks Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+class TestAnalytics(object):
+    _enable_settings = {"aclRules": {"collectClientIp": "enabled"}}
+    _disable_settings = {"aclRules": {"collectClientIp": "disabled"}}
+
+    def test_modify_settings(self, mgmt_root):
+        settings = mgmt_root.tm.security.analytics.settings.load()
+        assert "aclRules" in settings.__dict__
+        assert settings.aclRules["collectClientIp"] == "enabled"
+        settings.modify(**self._disable_settings)
+        assert settings.aclRules["collectClientIp"] == "disabled"
+        settings.modify(**self._enable_settings)

f5/bigip/tm/security/test/functional/test_firewall.py

@@ -18,6 +18,7 @@
 from distutils.version import LooseVersion
 from f5.bigip.resource import MissingRequiredCreationParameter
 from f5.bigip.tm.security.firewall import Address_List
+from f5.bigip.tm.security.firewall import Policy
 from f5.bigip.tm.security.firewall import Port_List
 from f5.bigip.tm.security.firewall import Rule
 from f5.bigip.tm.security.firewall import Rule_List
@@ -63,6 +64,14 @@ def rule(rulelst):
     r1.delete()
 
 
+@pytest.fixture(scope='function')
+def policy(mgmt_root):
+    p1 = mgmt_root.tm.security.firewall.policy_s.policy.create(
+        name='fake_policy', partition='Common')
+    yield p1
+    p1.delete()
+
+
 class TestAddressList(object):
     def test_create_missing_mandatory_attr_raises(self, mgmt_root):
         ac = mgmt_root.tm.security.firewall.address_lists
@@ -477,3 +486,86 @@ def test_rules_subcollection(self, rulelst, rule):
         assert isinstance(rc, list)
         assert len(rc)
         assert isinstance(rc[0], Rule)
+
+
+class TestPolicy(object):
+    def test_create_req_args(self, mgmt_root):
+        p1 = mgmt_root.tm.security.firewall.policy_s.policy.create(
+            name='fake_policy', partition='Common')
+        URI = 'https://localhost/mgmt/tm/security/' \
+              'firewall/policy/~Common~fake_policy'
+        assert p1.name == 'fake_policy'
+        assert p1.partition == 'Common'
+        assert p1.selfLink.startswith(URI)
+        assert not hasattr(p1, 'description')
+        p1.delete()
+
+    def test_refresh(self, mgmt_root, policy):
+        p1 = policy
+        p2 = mgmt_root.tm.security.firewall.policy_s.policy.load(
+            name='fake_policy', partition='Common')
+        assert p1.name == p2.name
+        assert p1.kind == p2.kind
+        assert p1.selfLink == p2.selfLink
+        assert not hasattr(p1, 'description')
+        assert not hasattr(p2, 'description')
+        p2.modify(description=DESC)
+        p1.modify(description=DESC)
+        assert hasattr(p2, 'description')
+        assert p2.description == DESC
+        p1.refresh()
+        assert p1.selfLink == p2.selfLink
+        assert hasattr(p1, 'description')
+        assert p1.description == p2.description
+
+    def test_delete(self, mgmt_root):
+        p = mgmt_root.tm.security.firewall.policy_s.policy
+        p1 = p.create(name='delete_me', partition='Common')
+        p1.delete()
+        with pytest.raises(HTTPError) as err:
+            mgmt_root.tm.security.firewall.policy_s.policy.load(
+                name='delete_me', partition='Common')
+        assert err.value.response.status_code == 404
+
+    def test_load_no_object(self, mgmt_root):
+        p = mgmt_root.tm.security.firewall.policy_s.policy
+        with pytest.raises(HTTPError) as err:
+            p.load(name='not_exists', partition='Common')
+        assert err.value.response.status_code == 404
+
+    def test_load_and_update(self, mgmt_root, policy):
+        p1 = policy
+        URI = 'https://localhost/mgmt/tm/security/' \
+              'firewall/policy/~Common~fake_policy'
+        assert p1.name == 'fake_policy'
+        assert p1.partition == 'Common'
+        assert p1.selfLink.startswith(URI)
+        assert not hasattr(p1, 'description')
+        p1.description = DESC
+        p1.update()
+        assert hasattr(p1, 'description')
+        assert p1.description == DESC
+        p = mgmt_root.tm.security.firewall.policy_s.policy
+        p2 = p.load(name='fake_policy', partition='Common')
+        assert p1.name == p2.name
+        assert p1.partition == p2.partition
+        assert p1.selfLink == p2.selfLink
+        assert hasattr(p2, 'description')
+        assert p1.description == p2.description
+
+    def test_policies_collection(self, mgmt_root, policy):
+        pc = mgmt_root.tm.security.firewall.policy_s.get_collection()
+        assert isinstance(pc, list)
+        assert len(pc)
+        assert isinstance(pc[0], Policy)
+
+
+class TestGlobalRules(object):
+    def test_modify_req_args(self, mgmt_root, policy):
+        rules = mgmt_root.tm.security.firewall. \
+            global_rules.load(partition='Common')
+        assert "enforcedPolicy" not in rules.__dict__
+        rules.modify(enforcedPolicy='fake_policy', partition='Common')
+        assert rules.enforcedPolicy == "/Common/fake_policy"
+        rules.modify(enforcedPolicy='none', partition='Common')
+        assert "enforcedPolicy" not in rules.__dict__

f5/bigip/tm/security/test/unit/test_analytics.py

@@ -0,0 +1,24 @@
+# Copyright 2017 F5 Networks Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from f5.bigip import ManagementRoot
+
+
+class TestAnalyticsSettings(object):
+    def test_analytics_settings_kind(self, fakeicontrolsession):
+        b = ManagementRoot('192.168.1.1', 'admin', 'admin')
+        settings = b.tm.security.analytics.settings
+        kind = "tm:security:analytics:settings:settingsstate"
+        assert settings._meta_data["required_json_kind"] == kind

f5/bigip/tm/security/test/unit/test_firewall.py

@@ -18,6 +18,7 @@
 
 from f5.bigip import ManagementRoot
 from f5.bigip.tm.security.firewall import Address_List
+from f5.bigip.tm.security.firewall import Policy
 from f5.bigip.tm.security.firewall import Port_List
 from f5.bigip.tm.security.firewall import Rule
 from f5.bigip.tm.security.firewall import Rule_List
@@ -49,6 +50,13 @@ def FakeRuleLst():
     return fake_rulelst
 
 
+@pytest.fixture
+def FakePolicy():
+    fake_col = mock.MagicMock()
+    fake_policy = Policy(fake_col)
+    return fake_policy
+
+
 def Makerulelist(fakeicontrolsession):
     b = ManagementRoot('192.168.1.1', 'admin', 'admin')
     p = b.tm.security.firewall.rule_lists.rule_list
@@ -58,6 +66,23 @@ def Makerulelist(fakeicontrolsession):
     return p
 
 
+def MakePolicyRules(fakeicontrolsession):
+    b = ManagementRoot('192.168.1.1', 'admin', 'admin')
+    p = b.tm.security.firewall.policy_s.policy
+    p._meta_data['uri'] = \
+        'https://192.168.1.1:443/mgmt/tm/security/firewall/policy/' \
+        '~Common~fakepolicy/'
+    return p
+
+
+def MakeGlobalRules(fakeicontrolsession):
+    b = ManagementRoot('192.168.1.1', 'admin', 'admin')
+    p = b.tm.security.firewall.global_rules
+    p._meta_data['uri'] = \
+        'https://192.168.1.1:443/mgmt/tm/security/firewall/global_rules/'
+    return p
+
+
 class TestAddressList(object):
     def test_create_two(self, fakeicontrolsession):
         b = ManagementRoot('192.168.1.1', 'admin', 'admin')
@@ -127,3 +152,35 @@ def test_app_create_no_args_v11(self, fakeicontrolsession):
         pc = Rules_s(Makerulelist(fakeicontrolsession))
         with pytest.raises(MissingRequiredCreationParameter):
             pc.rule.create()
+
+
+class TestPolicy(object):
+    def test_create_two(self, fakeicontrolsession):
+        b = ManagementRoot('192.168.1.1', 'admin', 'admin')
+        r1 = b.tm.security.firewall.policy_s.policy
+        r2 = b.tm.security.firewall.policy_s.policy
+        assert r1 is not r2
+
+    def test_create_no_args(self, FakePolicy):
+        with pytest.raises(MissingRequiredCreationParameter):
+            FakePolicy.create()
+
+
+class TestPolicyRuleSubCollection(object):
+    def test_policy_rule_subcollection(self, fakeicontrolsession):
+        pc = Rules_s(MakePolicyRules(fakeicontrolsession))
+        kind = 'tm:security:firewall:rule-list:rules:rulesstate'
+        test_meta = pc._meta_data['attribute_registry']
+        test_meta2 = pc._meta_data['allowed_lazy_attributes']
+        assert isinstance(pc, Rules_s)
+        assert kind in list(iterkeys(test_meta))
+        assert Rule in test_meta2
+
+
+class TestGlobalRules(object):
+    def test_global_rules(self, fakeicontrolsession):
+        b = ManagementRoot('192.168.1.1', 'admin', 'admin')
+        kind = "tm:security:firewall:global-rules:global-rulesstate"
+        rules = b.tm.security.firewall.global_rules
+        rules_kind = rules._meta_data["required_json_kind"]
+        assert rules_kind == kind