chore: adding tests to verify security rule hip-profile removal

michalbil · Feb 16, 2023 · 0555fc1 · 0555fc1
1 parent 751bcf7
commit 0555fc1
Show file tree

Hide file tree

Showing 3 changed files with 160 additions and 11 deletions.
diff --git a/poli/security/entry.go b/poli/security/entry.go
@@ -57,17 +57,17 @@ type Entry struct {
 // Defaults sets params with uninitialized values to their GUI default setting.
 //
 // The defaults are as follows:
-//      * Type: "universal"
-//      * SourceZones: ["any"]
-//      * SourceAddresses: ["any"]
-//      * SourceUsers: ["any"]
-//      * DestinationZones: ["any"]
-//      * DestinationAddresses: ["any"]
-//      * Applications: ["any"]
-//      * Services: ["application-default"]
-//      * Categories: ["any"]
-//      * Action: "allow"
-//      * LogEnd: true
+//   - Type: "universal"
+//   - SourceZones: ["any"]
+//   - SourceAddresses: ["any"]
+//   - SourceUsers: ["any"]
+//   - DestinationZones: ["any"]
+//   - DestinationAddresses: ["any"]
+//   - Applications: ["any"]
+//   - Services: ["application-default"]
+//   - Categories: ["any"]
+//   - Action: "allow"
+//   - LogEnd: true
 func (o *Entry) Defaults() {
 	if o.Type == "" {
 		o.Type = "universal"

diff --git a/poli/security/fw_test.go b/poli/security/fw_test.go
@@ -65,3 +65,42 @@ func TestLogEndMissingIsTrue(t *testing.T) {
 		})
 	}
 }
+
+func TestHipProfilesIsAbsent(t *testing.T) {
+	mc := &testdata.MockClient{}
+	ns := FirewallNamespace(mc)
+
+	mc.Version = version.Number{10, 1, 5, ""}
+	mc.AddResp("")
+
+	elm := Entry{
+		Name:                 "rule1",
+		Type:                 "universal",
+		SourceZones:          []string{"sz1", "sz2"},
+		SourceAddresses:      []string{"sa1", "sa2"},
+		SourceUsers:          []string{"su1", "su2"},
+		DestinationZones:     []string{"dz1", "dz2"},
+		HipProfiles:          []string{"hip1", "hip2"},
+		DestinationAddresses: []string{"da1", "da2"},
+		Applications:         []string{"app1"},
+		Services:             []string{"s2", "s1"},
+		Categories:           []string{"cat1"},
+		Action:               "allow",
+		LogEnd:               true,
+		SourceDevices:        []string{"src2", "src1"},
+		DestinationDevices:   []string{"dstDev"},
+	}
+
+	err := ns.Set("vsys1", elm)
+	if err != nil {
+		t.Fatalf("Failed set: %s", err)
+	}
+	mc.AddResp(mc.Elm)
+	r, err := ns.Get("vsys1", elm.Name)
+	if err != nil {
+		t.Fatalf("Failed get: %s", err)
+	}
+	if len(r.HipProfiles) != 0 {
+		t.Fatalf("HipProfiles has data and shouldn't")
+	}
+}
diff --git a/poli/security/testdata_test.go b/poli/security/testdata_test.go
@@ -266,5 +266,115 @@ func getTests() []testCase {
 			SourceDevices:        []string{"src2", "src1"},
 			DestinationDevices:   []string{"dstDev"},
 		}},
+		{version.Number{10, 1, 5, ""}, "basic rule", "", "", Entry{
+			Name:                 "rule1",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               false,
+		}},
+		{version.Number{10, 1, 5, ""}, "rule with uuid", "", "", Entry{
+			Name:                 "rule1",
+			Uuid:                 "123-456-78",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               true,
+		}},
+		{version.Number{10, 1, 5, ""}, "rule with source and dest devices", "", "", Entry{
+			Name:                 "rule1",
+			SourceDevices:        []string{"src1", "wu tang"},
+			DestinationDevices:   []string{"dest1", "clan"},
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               false,
+		}},
+		{version.Number{10, 1, 5, ""}, "prerulebase rule", "vsys2", util.PreRulebase, Entry{
+			Name:                 "rule2",
+			Disabled:             true,
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               true,
+		}},
+		{version.Number{10, 1, 5, ""}, "postrulebase rule with target", "vsys3", util.PostRulebase, Entry{
+			Name: "rule3",
+			Targets: map[string][]string{
+				"fw1": nil,
+				"fw2": {"vsys2", "vsys3"},
+			},
+			NegateTarget:         true,
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               false,
+		}},
+		{version.Number{10, 1, 5, ""}, "rule with group tag", "", "", Entry{
+			Name:                 "rule1",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               true,
+			GroupTag:             "oneTime",
+		}},
+		{version.Number{10, 1, 5, ""}, "rule with source and dst devices", "", "", Entry{
+			Name:                 "rule1",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               true,
+			SourceDevices:        []string{"src2", "src1"},
+			DestinationDevices:   []string{"dstDev"},
+		}},
 	}
 }