#2257: acl tests

2024-02-15 16:29:36 +00:00
parent 48d7f9f85a
commit e390d8385c
3 changed files with 73 additions and 11 deletions
--- a/tests/assets/configs/dmz_network.yaml
+++ b/tests/assets/configs/dmz_network.yaml
@@ -218,17 +218,11 @@ simulation:
              action: PERMIT
              src_port: ARP
              dst_port: ARP
-            23:
-              action: PERMIT
-              protocol: ICMP
          external_outbound_acl:
            22:
              action: PERMIT
              src_port: ARP
              dst_port: ARP
-            23:
-              action: PERMIT
-              protocol: ICMP
        routes:
          - address: 192.168.0.10 # route to client_1
            subnet_mask: 255.255.255.0
--- a/tests/integration_tests/configuration_file_parsing/nodes/network/test_firewall_config.py
+++ b/tests/integration_tests/configuration_file_parsing/nodes/network/test_firewall_config.py
@@ -4,6 +4,9 @@ from primaite.simulator.network.container import Network
 from primaite.simulator.network.hardware.nodes.host.computer import Computer
 from primaite.simulator.network.hardware.nodes.host.server import Server
 from primaite.simulator.network.hardware.nodes.network.firewall import Firewall
+from primaite.simulator.network.hardware.nodes.network.router import ACLAction
+from primaite.simulator.network.transmission.network_layer import IPProtocol
+from primaite.simulator.network.transmission.transport_layer import Port
 from tests.integration_tests.configuration_file_parsing import DMZ_NETWORK, load_config


@@ -37,9 +40,63 @@ def test_firewall_routes_are_correctly_added(dmz_config):
    assert external_server.ping(client_1.network_interface[1].ip_address)


-def test_firewall_acl_rules_correctly_added():
+def test_firewall_acl_rules_correctly_added(dmz_config):
    """
    Test that makes sure that the firewall ACLs have been configured onto the firewall
    node via configuration file.
    """
-    pass
+    firewall: Firewall = dmz_config.get_node_by_hostname("firewall")
+
+    # ICMP and ARP should be allowed internal_inbound
+    assert firewall.internal_inbound_acl.num_rules == 2
+    assert firewall.internal_inbound_acl.acl[22].action == ACLAction.PERMIT
+    assert firewall.internal_inbound_acl.acl[22].src_port == Port.ARP
+    assert firewall.internal_inbound_acl.acl[22].dst_port == Port.ARP
+    assert firewall.internal_inbound_acl.acl[23].action == ACLAction.PERMIT
+    assert firewall.internal_inbound_acl.acl[23].protocol == IPProtocol.ICMP
+    assert firewall.internal_inbound_acl.implicit_action == ACLAction.DENY
+
+    # ICMP and ARP should be allowed internal_outbound
+    assert firewall.internal_outbound_acl.num_rules == 2
+    assert firewall.internal_outbound_acl.acl[22].action == ACLAction.PERMIT
+    assert firewall.internal_outbound_acl.acl[22].src_port == Port.ARP
+    assert firewall.internal_outbound_acl.acl[22].dst_port == Port.ARP
+    assert firewall.internal_outbound_acl.acl[23].action == ACLAction.PERMIT
+    assert firewall.internal_outbound_acl.acl[23].protocol == IPProtocol.ICMP
+    assert firewall.internal_outbound_acl.implicit_action == ACLAction.DENY
+
+    # ICMP and ARP should be allowed dmz_inbound
+    assert firewall.dmz_inbound_acl.num_rules == 2
+    assert firewall.dmz_inbound_acl.acl[22].action == ACLAction.PERMIT
+    assert firewall.dmz_inbound_acl.acl[22].src_port == Port.ARP
+    assert firewall.dmz_inbound_acl.acl[22].dst_port == Port.ARP
+    assert firewall.dmz_inbound_acl.acl[23].action == ACLAction.PERMIT
+    assert firewall.dmz_inbound_acl.acl[23].protocol == IPProtocol.ICMP
+    assert firewall.dmz_inbound_acl.implicit_action == ACLAction.DENY
+
+    # ICMP and ARP should be allowed dmz_outbound
+    assert firewall.dmz_outbound_acl.num_rules == 2
+    assert firewall.dmz_outbound_acl.acl[22].action == ACLAction.PERMIT
+    assert firewall.dmz_outbound_acl.acl[22].src_port == Port.ARP
+    assert firewall.dmz_outbound_acl.acl[22].dst_port == Port.ARP
+    assert firewall.dmz_outbound_acl.acl[23].action == ACLAction.PERMIT
+    assert firewall.dmz_outbound_acl.acl[23].protocol == IPProtocol.ICMP
+    assert firewall.dmz_outbound_acl.implicit_action == ACLAction.DENY
+
+    # ICMP and ARP should be allowed external_inbound
+    assert firewall.external_inbound_acl.num_rules == 1
+    assert firewall.external_inbound_acl.acl[22].action == ACLAction.PERMIT
+    assert firewall.external_inbound_acl.acl[22].src_port == Port.ARP
+    assert firewall.external_inbound_acl.acl[22].dst_port == Port.ARP
+    # external_inbound should have implicit action PERMIT
+    # ICMP does not have a provided ACL Rule but implicit action should allow anything
+    assert firewall.external_inbound_acl.implicit_action == ACLAction.PERMIT
+
+    # ICMP and ARP should be allowed external_outbound
+    assert firewall.external_outbound_acl.num_rules == 1
+    assert firewall.external_outbound_acl.acl[22].action == ACLAction.PERMIT
+    assert firewall.external_outbound_acl.acl[22].src_port == Port.ARP
+    assert firewall.external_outbound_acl.acl[22].dst_port == Port.ARP
+    # external_outbound should have implicit action PERMIT
+    # ICMP does not have a provided ACL Rule but implicit action should allow anything
+    assert firewall.external_outbound_acl.implicit_action == ACLAction.PERMIT
--- a/tests/integration_tests/configuration_file_parsing/nodes/network/test_router_config.py
+++ b/tests/integration_tests/configuration_file_parsing/nodes/network/test_router_config.py
@@ -3,7 +3,9 @@ import pytest
 from primaite.simulator.network.container import Network
 from primaite.simulator.network.hardware.nodes.host.computer import Computer
 from primaite.simulator.network.hardware.nodes.host.server import Server
-from primaite.simulator.network.hardware.nodes.network.router import Router
+from primaite.simulator.network.hardware.nodes.network.router import ACLAction, Router
+from primaite.simulator.network.transmission.network_layer import IPProtocol
+from primaite.simulator.network.transmission.transport_layer import Port
 from tests.integration_tests.configuration_file_parsing import DMZ_NETWORK, load_config


@@ -49,6 +51,15 @@ def test_router_routes_are_correctly_added(dmz_config):
    assert external_computer.ping(external_server.network_interface[1].ip_address)


-def test_router_acl_rules_correctly_added():
+def test_router_acl_rules_correctly_added(dmz_config):
    """Test that makes sure that the router ACLs have been configured onto the router node via configuration file."""
-    pass
+    router_1: Router = dmz_config.get_node_by_hostname("router_1")
+
+    # ICMP and ARP should be allowed
+    assert router_1.acl.num_rules == 2
+    assert router_1.acl.acl[22].action == ACLAction.PERMIT
+    assert router_1.acl.acl[22].src_port == Port.ARP
+    assert router_1.acl.acl[22].dst_port == Port.ARP
+    assert router_1.acl.acl[23].action == ACLAction.PERMIT
+    assert router_1.acl.acl[23].protocol == IPProtocol.ICMP
+    assert router_1.acl.implicit_action == ACLAction.DENY