vcloud-edge_gateway 0.0.1

data/spec/vcloud/edge_gateway/configuration_generator/nat_service_spec.rb

@@ -0,0 +1,360 @@
+require 'spec_helper'
+
+module Vcloud
+  module EdgeGateway
+    module ConfigurationGenerator
+      describe NatService do
+
+        before(:each) do
+          @edge_id = '1111111-7b54-43dd-9eb1-631dd337e5a7'
+          @mock_edge_gateway = double(
+            :edge_gateway,
+            :vcloud_gateway_interface_by_id => {
+              Network: {
+                name: 'ane012345',
+                href: 'https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7'
+              }
+            }
+          )
+          expect(Vcloud::Core::EdgeGateway).to receive(:get_by_name).with(@edge_id)
+                                               .and_return(@mock_edge_gateway)
+        end
+
+        context "SNAT rule defaults" do
+
+          before(:each) do
+            input = { nat_rules: [{
+              rule_type: 'SNAT',
+              network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+              original_ip: "192.0.2.2",
+              translated_ip: "10.10.20.20",
+            }]} # minimum NAT configuration with a rule
+            output = NatService.new(@edge_id, input).generate_fog_config
+            @rule = output[:NatRule].first
+          end
+
+          it 'should default to the rule being enabled' do
+            expect(@rule[:IsEnabled]).to eq('true')
+          end
+
+          it 'should have a RuleType of SNAT' do
+            expect(@rule[:RuleType]).to eq('SNAT')
+          end
+
+          it 'should not include a Protocol' do
+            expect(@rule[:GatewayNatRule].key?(:Protocol)).to be_false
+          end
+
+          it 'should completely match our expected default rule' do
+            expect(@rule).to eq({
+              :Id=>"65537",
+              :IsEnabled=>"true",
+              :RuleType=>"SNAT",
+              :GatewayNatRule=>{
+                :Interface=>{
+                  :name=>"ane012345",
+                  :href=>"https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7"
+                },
+              :OriginalIp=>"192.0.2.2",
+              :TranslatedIp=>"10.10.20.20"}
+            })
+          end
+
+        end
+
+        context "DNAT rule defaults" do
+
+          before(:each) do
+            input = { nat_rules: [{
+              rule_type: 'DNAT',
+              network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+              original_ip: "192.0.2.2",
+              original_port: '22',
+              translated_port: '22',
+              translated_ip: "10.10.20.20",
+              protocol: 'tcp',
+            }]} # minimum NAT configuration with a rule
+            output = NatService.new(@edge_id, input).generate_fog_config
+            @rule = output[:NatRule].first
+          end
+
+          it 'should default to rule being enabled' do
+            expect(@rule[:IsEnabled]).to eq('true')
+          end
+
+          it 'should have a RuleType of DNAT' do
+            expect(@rule[:RuleType]).to eq('DNAT')
+          end
+
+          it 'should include a default Protocol of tcp' do
+            expect(@rule[:GatewayNatRule][:Protocol]).to eq('tcp')
+          end
+
+          it 'should completely match our expected default rule' do
+            expect(@rule).to eq({
+              :Id=>"65537",
+              :IsEnabled=>"true",
+              :RuleType=>"DNAT",
+              :GatewayNatRule=>{
+                :Interface=>{
+                  :name=>"ane012345",
+                  :href=>"https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7"
+                },
+                :OriginalIp=>"192.0.2.2",
+                :TranslatedIp=>"10.10.20.20",
+                :OriginalPort=>"22",
+                :TranslatedPort=>"22",
+                :Protocol=>"tcp"
+              }
+            })
+          end
+
+        end
+
+        context "nat service config generation" do
+
+          test_cases = [
+            {
+              title: 'should generate config for enabled nat service with single disabled DNAT rule',
+              input: {
+                enabled: 'true',
+                nat_rules: [
+                  {
+                    enabled: 'false',
+                    id: '999',
+                    rule_type: 'DNAT',
+                    network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                    original_ip: "192.0.2.2",
+                    original_port: '22',
+                    translated_port: '22',
+                    translated_ip: "10.10.20.20",
+                    protocol: 'tcp',
+                  }
+                ]
+              },
+              output: {
+                :IsEnabled => 'true',
+                :NatRule => [
+                  {
+                    :RuleType => 'DNAT',
+                    :IsEnabled => 'false',
+                    :Id => '999',
+                    :GatewayNatRule => {
+                      :Interface =>
+                        {
+                          :name => 'ane012345',
+                          :href => 'https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7'
+                        },
+                      :Protocol => 'tcp',
+                      :OriginalIp => "192.0.2.2",
+                      :OriginalPort => '22',
+                      :TranslatedIp => "10.10.20.20",
+                      :TranslatedPort => '22'
+                    }
+                  }
+                ]
+              }
+            },
+
+            {
+              title: 'should handle specification of UDP based DNAT rules',
+              input: {
+                enabled: 'true',
+                nat_rules: [
+                  {
+                    rule_type: 'DNAT',
+                    network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                    original_ip: "192.0.2.25",
+                    original_port: '53',
+                    translated_port: '53',
+                    translated_ip: "10.10.20.25",
+                    protocol: 'udp',
+                  }
+                ]
+              },
+              output: {
+                :IsEnabled => 'true',
+                :NatRule => [
+                  {
+                    :RuleType => 'DNAT',
+                    :IsEnabled => 'true',
+                    :Id => '65537',
+                    :GatewayNatRule => {
+                      :Interface =>
+                        {
+                          :name => 'ane012345',
+                          :href => 'https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7'
+                        },
+                      :Protocol => 'udp',
+                      :OriginalIp => "192.0.2.25",
+                      :OriginalPort => '53',
+                      :TranslatedIp => "10.10.20.25",
+                      :TranslatedPort => '53'
+                    }
+                  }
+                ]
+              }
+            },
+
+            {
+              title: 'should generate config for enabled nat service with single disabled SNAT rule',
+              input: {
+                enabled: 'true',
+                nat_rules: [
+                  {
+                    enabled: 'false',
+                    rule_type: 'SNAT',
+                    network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                    original_ip: "192.0.2.2",
+                    translated_ip: "10.10.20.20",
+                  }
+                ]
+              },
+              output: {
+                :IsEnabled => 'true',
+                :NatRule => [
+                  {
+                    :RuleType => 'SNAT',
+                    :IsEnabled => 'false',
+                    :Id => '65537',
+                    :GatewayNatRule => {
+                      :Interface =>
+                        {
+                          :name => 'ane012345',
+                          :href => 'https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7'
+                        },
+                      :OriginalIp => "192.0.2.2",
+                      :TranslatedIp => "10.10.20.20",
+                    }
+                  }
+                ]
+              }
+            },
+
+            {
+              title: 'should auto generate rule id if not provided',
+              input: {
+                enabled: 'true',
+                nat_rules: [
+                  {
+                    enabled: 'false',
+                    rule_type: 'DNAT',
+                    network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                    original_ip: "192.0.2.2",
+                    original_port: '22',
+                    translated_port: '22',
+                    translated_ip: "10.10.20.20",
+                    protocol: 'tcp',
+                  }
+                ]
+              },
+              output: {
+                :IsEnabled => 'true',
+                :NatRule => [
+                  {
+                    :RuleType => 'DNAT',
+                    :IsEnabled => 'false',
+                    :Id => '65537',
+                    :GatewayNatRule => {
+                      :Interface =>
+                        {
+                          :name => 'ane012345',
+                          :href => 'https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7'
+                        },
+                      :Protocol => 'tcp',
+                      :OriginalIp => "192.0.2.2",
+                      :OriginalPort => '22',
+                      :TranslatedIp => "10.10.20.20",
+                      :TranslatedPort => '22'
+                    }
+                  }
+                ]
+              }
+            },
+
+            {
+              title: 'should use default values for optional fields if they are missing',
+              input: {
+                nat_rules: [
+                  {
+                    rule_type: 'DNAT',
+                    network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                    original_ip: "192.0.2.2",
+                    original_port: '22',
+                    translated_port: '22',
+                    translated_ip: "10.10.20.20",
+                  }
+                ]
+              },
+              output: {
+                :IsEnabled => 'true',
+                :NatRule => [
+                  {
+                    :RuleType => 'DNAT',
+                    :IsEnabled => 'true',
+                    :Id => '65537',
+                    :GatewayNatRule => {
+                      :Interface =>
+                        {
+                          :name => 'ane012345',
+                          :href => 'https://vmware.api.net/api/admin/network/2ad93597-7b54-43dd-9eb1-631dd337e5a7'
+                        },
+                      :Protocol => 'tcp',
+                      :OriginalIp => "192.0.2.2",
+                      :OriginalPort => '22',
+                      :TranslatedIp => "10.10.20.20",
+                      :TranslatedPort => '22'
+                    }
+                  }
+                ]
+              }
+
+            }
+          ]
+
+          test_cases.each do |test_case|
+            it "#{test_case[:title]}" do
+              generated_config = NatService.new(@edge_id, test_case[:input]).generate_fog_config
+              expect(generated_config).to eq(test_case[:output])
+            end
+          end
+
+          it "should only make a single API call per network specified" do
+            input = {
+              nat_rules: [
+                {
+                  rule_type: 'DNAT',
+                  network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                  original_ip: "192.0.2.2",
+                  original_port: '8081',
+                  translated_port: '8081',
+                  translated_ip: "10.10.20.21",
+                },
+                {
+                  rule_type: 'DNAT',
+                  network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                  original_ip: "192.0.2.2",
+                  original_port: '8082',
+                  translated_port: '8082',
+                  translated_ip: "10.10.20.22",
+                },
+                {
+                  rule_type: 'DNAT',
+                  network_id: '2ad93597-7b54-43dd-9eb1-631dd337e5a7',
+                  original_ip: "192.0.2.2",
+                  original_port: '8083',
+                  translated_port: '8083',
+                  translated_ip: "10.10.20.23",
+                },
+              ]
+            }
+            expect(@mock_edge_gateway).
+              to receive(:vcloud_gateway_interface_by_id).exactly(1).times
+            NatService.new(@edge_id, input).generate_fog_config
+          end
+
+        end
+      end
+    end
+  end
+end

data/spec/vcloud/edge_gateway/edge_gateway_configuration_spec.rb

@@ -0,0 +1,182 @@
+require 'spec_helper'
+
+module Vcloud
+  module EdgeGateway
+    describe EdgeGatewayConfiguration do
+
+      context "whether update is required" do
+
+        before(:each) do
+          @edge_gateway_id = "1111111-7b54-43dd-9eb1-631dd337e5a7"
+          @edge_gateway = double(:edge_gateway,
+            :vcloud_gateway_interface_by_id => {
+              Network: {
+                :name => 'ane012345',
+                :href => 'https://vmware.example.com/api/admin/network/01234567-1234-1234-1234-0123456789aa' 
+              }
+            })
+            Vcloud::Core::EdgeGateway.stub(:get_by_name).with(@edge_gateway_id).and_return(@edge_gateway)
+        end
+
+        it "requires update to both when both configurations are changed" do
+          test_config = {
+            :gateway=> @edge_gateway_id,
+            :nat_service=> test_nat_config,
+            :firewall_service=> test_firewall_config
+          }
+
+          proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(test_config)
+
+          remote_config = {
+            :FirewallService=> different_firewall_config,
+            :NatService=> different_nat_config
+          }
+
+          expect(proposed_config.update_required?(remote_config)).to be_true
+
+          proposed_firewall_config = proposed_config.config[:FirewallService]
+          expect(proposed_firewall_config).to eq(expected_firewall_config)
+
+          proposed_nat_config = proposed_config.config[:NatService]
+          expect(proposed_nat_config).to eq(expected_nat_config)
+        end
+
+        it "requires update to firewall only when firewall has changed and nat has not" do
+          test_config = {
+            :gateway=> @edge_gateway_id,
+            :nat_service=> test_nat_config,
+            :firewall_service=> test_firewall_config
+          }
+
+          proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(test_config)
+
+          remote_config = {
+            :FirewallService=> different_firewall_config,
+            :NatService=> same_nat_config
+          }
+
+          expect(proposed_config.update_required?(remote_config)).to be_true
+
+          proposed_firewall_config = proposed_config.config[:FirewallService]
+          expect(proposed_firewall_config).to eq(expected_firewall_config)
+
+          expect(proposed_config.config.key?(:NatService)).to be_false
+        end
+
+        it "requires update to firewall only when firewall has changed and nat is absent" do
+          test_config = {
+            :gateway=> @edge_gateway_id,
+            :firewall_service=> test_firewall_config
+          }
+
+          proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(test_config)
+
+          remote_config = {
+            :FirewallService=> different_firewall_config,
+            :NatService=> same_nat_config
+          }
+
+          expect(proposed_config.update_required?(remote_config)).to be_true
+
+          proposed_firewall_config = proposed_config.config[:FirewallService]
+          expect(proposed_firewall_config).to eq(expected_firewall_config)
+
+          #expect proposed config not to contain nat config
+          expect(proposed_config.config.key?(:NatService)).to be_false
+        end
+
+        it "does not require change when both configs are present but have not changed" do
+          test_config = {
+            :gateway=> @edge_gateway_id,
+            :nat_service=> test_nat_config,
+            :firewall_service=> test_firewall_config
+          }
+
+          proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(test_config)
+
+          remote_config = {
+            :FirewallService=> same_firewall_config,
+            :NatService=> same_nat_config
+          }
+
+          expect(proposed_config.update_required?(remote_config)).to be_false
+          expect(proposed_config.config.empty?).to be_true
+        end
+
+        it "does not require change when firewall is unchanged and nat is absent" do
+          test_config = {
+            :gateway=> @edge_gateway_id,
+            :firewall_service=> test_firewall_config
+          }
+
+          proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(test_config)
+
+          remote_config = {
+            :FirewallService=> same_firewall_config,
+            :NatService=> different_nat_config
+          }
+
+          expect(proposed_config.update_required?(remote_config)).to be_false
+          expect(proposed_config.config.empty?).to be_true
+        end
+
+        it "does not require change when both are absent" do
+          test_config = {
+            :gateway=> @edge_gateway_id,
+          }
+
+          proposed_config = EdgeGateway::EdgeGatewayConfiguration.new(test_config)
+
+          remote_config = {
+            :FirewallService=> different_firewall_config,
+            :NatService=> different_nat_config
+          }
+
+          expect(proposed_config.update_required?(remote_config)).to be_false
+          expect(proposed_config.config.empty?).to be_true
+        end
+
+        it "does not require change if local configuration is in unexpected format" do
+
+        end
+
+        it "does not require change if remote configuration is in unexpected format" do
+
+        end
+
+     end
+
+      def test_firewall_config
+          {:policy=>"drop", :log_default_action=>true, :firewall_rules=>[{:enabled=>true, :description=>"A rule", :policy=>"allow", :protocols=>"tcp", :destination_port_range=>"Any", :destination_ip=>"10.10.1.2", :source_port_range=>"Any", :source_ip=>"192.0.2.2"}, {:enabled=>true, :destination_ip=>"10.10.1.3-10.10.1.5", :source_ip=>"192.0.2.2/24"}]}
+      end
+
+      def test_nat_config
+          {:nat_rules=>[{:enabled=>true, :network_id=>"01234567-1234-1234-1234-0123456789ab", :rule_type=>"DNAT", :translated_ip=>"10.10.1.2-10.10.1.3", :translated_port=>"3412", :original_ip=>"192.0.2.58", :original_port=>"3412", :protocol=>"tcp"}]}
+      end
+
+      def different_firewall_config
+        {:IsEnabled=>"true", :DefaultAction=>"drop", :LogDefaultAction=>"false", :FirewallRule=>[{:Id=>"1", :IsEnabled=>"true", :MatchOnTranslate=>"false", :Description=>"A rule", :Policy=>"allow", :Protocols=>{:Tcp=>"true"}, :Port=>"-1", :DestinationPortRange=>"Any", :DestinationIp=>"10.10.1.2", :SourcePort=>"-1", :SourcePortRange=>"Any", :SourceIp=>"192.0.2.2", :EnableLogging=>"false"}]}
+      end
+
+      def different_nat_config
+        {:IsEnabled=>"true", :NatRule=>[{:RuleType=>"SNAT", :IsEnabled=>"true", :Id=>"65538", :GatewayNatRule=>{:Interface=>{:type=>"application/vnd.vmware.admin.network+xml", :name=>"RemoteVSE", :href=>"https://api.vmware.example.com/api/admin/network/01234567-1234-1234-1234-012345678912"}, :OriginalIp=>"10.10.1.2-10.10.1.3", :TranslatedIp=>"192.0.2.40"}}]}
+      end
+
+      def same_firewall_config
+        {:IsEnabled=>"true", :DefaultAction=>"drop", :LogDefaultAction=>"true", :FirewallRule=>[{:Id=>"1", :IsEnabled=>"true", :MatchOnTranslate=>"false", :Description=>"A rule", :Policy=>"allow", :Protocols=>{:Tcp=>"true"}, :DestinationPortRange=>"Any", :Port=>"-1", :DestinationIp=>"10.10.1.2", :SourcePortRange=>"Any", :SourcePort=>"-1", :SourceIp=>"192.0.2.2", :EnableLogging=>"false"}, {:Id=>"2", :IsEnabled=>"true", :MatchOnTranslate=>"false", :Description=>"", :Policy=>"allow", :Protocols=>{:Tcp=>"true"}, :DestinationPortRange=>"Any", :Port=>"-1", :DestinationIp=>"10.10.1.3-10.10.1.5", :SourcePortRange=>"Any", :SourcePort=>"-1", :SourceIp=>"192.0.2.2/24", :EnableLogging=>"false"}]}
+      end
+
+      def same_nat_config
+        {:IsEnabled=>"true", :NatRule=>[{:Id=>"65537", :IsEnabled=>"true", :RuleType=>"DNAT", :GatewayNatRule=>{:Interface=>{:name=>"ane012345", :href=>"https://vmware.example.com/api/admin/network/01234567-1234-1234-1234-0123456789aa"}, :OriginalIp=>"192.0.2.58", :TranslatedIp=>"10.10.1.2-10.10.1.3", :OriginalPort=>"3412", :TranslatedPort=>"3412", :Protocol=>"tcp"}}]}
+      end
+
+      def expected_firewall_config
+          {:IsEnabled=>"true", :DefaultAction=>"drop", :LogDefaultAction=>"true", :FirewallRule=>[{:Id=>"1", :IsEnabled=>"true", :MatchOnTranslate=>"false", :Description=>"A rule", :Policy=>"allow", :Protocols=>{:Tcp=>"true"}, :DestinationPortRange=>"Any", :Port=>"-1", :DestinationIp=>"10.10.1.2", :SourcePortRange=>"Any", :SourcePort=>"-1", :SourceIp=>"192.0.2.2", :EnableLogging=>"false"}, {:Id=>"2", :IsEnabled=>"true", :MatchOnTranslate=>"false", :Description=>"", :Policy=>"allow", :Protocols=>{:Tcp=>"true"}, :DestinationPortRange=>"Any", :Port=>"-1", :DestinationIp=>"10.10.1.3-10.10.1.5", :SourcePortRange=>"Any", :SourcePort=>"-1", :SourceIp=>"192.0.2.2/24", :EnableLogging=>"false"}]}
+      end
+
+      def expected_nat_config
+          {:IsEnabled=>"true", :NatRule=>[{:Id=>"65537", :IsEnabled=>"true", :RuleType=>"DNAT", :GatewayNatRule=>{:Interface=>{:name=>"ane012345", :href=>"https://vmware.example.com/api/admin/network/01234567-1234-1234-1234-0123456789aa"}, :OriginalIp=>"192.0.2.58", :TranslatedIp=>"10.10.1.2-10.10.1.3", :OriginalPort=>"3412", :TranslatedPort=>"3412", :Protocol=>"tcp"}}]}
+      end
+    end
+  end
+end

data/spec/vcloud/edge_gateway/firewall_schema_validation_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+module Vcloud
+  describe 'firewall_service_schema_validations' do
+    context 'source and destination ips' do
+      it 'should error if source_ip/destination_ip are invalid IPs' do
+        config = {
+          firewall_rules: [
+            {
+              id: '999',
+              description: "A rule",
+              destination_port_range: "22",
+              destination_ip: "10.10",
+              source_ip: "192.0",
+            }
+          ]
+
+        }
+        validator = ConfigValidator.validate(:base, config, Schema::FIREWALL_SERVICE)
+        expect(validator.valid?).to be_false
+        expect(validator.errors).to eq([
+                                         "source_ip: 192.0 is not a valid IP address range. Valid values can be IP address, CIDR, IP range, 'Any','internal' and 'external'.",
+                                         "destination_ip: 10.10 is not a valid IP address range. Valid values can be IP address, CIDR, IP range, 'Any','internal' and 'external'."
+                                       ])
+      end
+
+      it 'should validate OK if source_ip/destination_ip are valid IPs' do
+        config = {
+          firewall_rules: [
+            {
+              id: '999',
+              description: "A rule",
+              destination_port_range: "22",
+              destination_ip: "10.10.10.20",
+              source_ip: "192.0.2.2",
+            }
+          ]
+
+        }
+        validator = ConfigValidator.validate(:base, config, Schema::FIREWALL_SERVICE)
+        expect(validator.valid?).to be_true
+      end
+    end
+  end
+end