authorfumingwei <[email protected]>2021-02-24 10:48:45 +0800
committerfumingwei <[email protected]>2021-02-24 10:48:45 +0800
commit39beba7a498c4ff2ebe47e9b22c593c9c1717f0b (patch)
tree5414f644c378b33eab78358e19e60e7a9ecaa3ba
parent31f1c1f546d62cfd5c0b6813c347bba43704b72a (diff)
TSG-5619:增加自检对firewall动作的支持v21.03.01-20210302
-rw-r--r--unittest_python/unittest/etc/tsg-diagnose.config35
-rw-r--r--unittest_python/unittest/tsg_diagnose.py263
2 files changed, 256 insertions, 42 deletions
diff --git a/unittest_python/unittest/etc/tsg-diagnose.config b/unittest_python/unittest/etc/tsg-diagnose.config
index abe813c..b9e2108 100644
--- a/unittest_python/unittest/etc/tsg-diagnose.config
+++ b/unittest_python/unittest/etc/tsg-diagnose.config
@@ -121,6 +121,41 @@ enabled = 1
conn_timeout = 12
max_recv_speed_large = 6553600
+[test_http_firewall_allow]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_http_firewall_deny_drop]
+enabled = 1
+conn_timeout = 4
+max_recv_speed_large = 6553600
+
+[test_http_firewall_deny_rst]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_http_firewall_deny_block]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_ssl_firewall_allow]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
+[test_ssl_firewall_deny_drop]
+enabled = 1
+conn_timeout = 4
+max_recv_speed_large = 6553600
+
+[test_ssl_firewall_deny_rst]
+enabled = 1
+conn_timeout = 1
+max_recv_speed_large = 6553600
+
[start_time_random_delay_range]
enabled = 1
#Left_edge is the left edge of the randomly generated time in seconds
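Review bot: The two `deny_drop` sections set `conn_timeout = 4` while every other new section uses 1, and nothing in the file says why. In tsg_diagnose.py the drop cases pass when the request times out, so this value decides the verdict and a too-small or too-large setting changes what the self-check reports. A comment above each of the two sections would help, for example `#conn_timeout is how long the drop test waits before treating silence as a drop`. The same values are repeated in `suite_test_config_dict` and have to be kept in step with this file.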
diff --git a/unittest_python/unittest/tsg_diagnose.py b/unittest_python/unittest/tsg_diagnose.py
index 421ee95..6a83d0b 100644
--- a/unittest_python/unittest/tsg_diagnose.py
+++ b/unittest_python/unittest/tsg_diagnose.py
@@ -15,19 +15,39 @@ from configparser import ConfigParser
import random
-suite_test_config_dict = {'test_securityPolicy_bypass': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_securityPolicy_intercept': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_securityPolicy_intercept_certerrExpired': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_securityPolicy_intercept_certerrSelf_signed': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_securityPolicy_intercept_certerrUntrusted_root': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_proxyPolicy_ssl_redirect': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_proxyPolicy_ssl_block': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_proxyPolicy_ssl_replace': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_proxyPolicy_ssl_hijack': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_proxyPolicy_ssl_insert': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_proxyPolicy_http_redirect': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_proxyPolicy_http_block': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_proxyPolicy_http_replace': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_proxyPolicy_http_hijack': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_proxyPolicy_http_insert': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_https_con_traffic_1k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_https_con_traffic_4k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_https_con_traffic_16k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_https_con_traffic_64k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_https_con_traffic_256k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_https_con_traffic_1M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_https_con_traffic_4M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'test_https_con_traffic_16M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},'test_https_con_traffic_64M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
- 'start_time_random_delay_range': {'enabled':1,'left_edge':1,'right_edge':30},'telegraf': {'host':'192.51.100.1','port':8100,'tags_key':'app_name','tags_value' :'tsg-diagnose'}}
+suite_test_config_dict = {'test_securityPolicy_bypass': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_securityPolicy_intercept': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_securityPolicy_intercept_certerrExpired': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_securityPolicy_intercept_certerrSelf_signed': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_securityPolicy_intercept_certerrUntrusted_root': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_ssl_redirect': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_ssl_block': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_ssl_replace': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_ssl_hijack': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_ssl_insert': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_http_redirect': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_http_block': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_http_replace': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_http_hijack': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_proxyPolicy_http_insert': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_1k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_4k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_16k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_64k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_256k': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_1M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_4M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_16M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_https_con_traffic_64M': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_http_firewall_allow': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_http_firewall_deny_drop': {'enabled':1,'conn_timeout':4,'max_recv_speed_large':6553600},
+ 'test_http_firewall_deny_rst': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_http_firewall_deny_block': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_ssl_firewall_allow': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'test_ssl_firewall_deny_drop': {'enabled':1,'conn_timeout':4,'max_recv_speed_large':6553600},
+ 'test_ssl_firewall_deny_rst': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+ 'start_time_random_delay_range': {'enabled':1,'left_edge':1,'right_edge':30},
+ 'telegraf': {'host':'192.51.100.1','port':8100,'tags_key':'app_name','tags_value' :'tsg-diagnose'}}
ssl_bypass_info_re = "Ssl connection bypass success"
@@ -58,34 +78,50 @@ https_conn_taffic_4M_re = 'https download file 4M success'
https_conn_taffic_16M_re = 'https download file 16M success'
https_conn_taffic_64M_re = 'https download file 64M success'
-
-URLBypass = 'https://sha384.badssl.self-test.geedge.net'
-URLIntercept = 'https://sha256.badssl.self-test.geedge.net'
-URLSslExpired = 'https://expired.badssl.self-test.geedge.net'
-URLSslSelfsigned = 'https://self-signed.badssl.self-test.geedge.net'
-URLSslSuntrustedroot = 'https://untrusted-root.badssl.self-test.geedge.net'
-
-URLSslRedirect = 'https://cn.bing.com/rs/2V/pE/cj,nj/b1392357/d94c45f4.js'
-URLSslReplace = 'https://cn.bing.com/rs/5j/1pF/cj,nj/2213d9b6/b50738ca.js'
-URLSslInsert = 'https://cn.bing.com/?FORM=BEHPTB'
-URLSslHijack = 'https://cn.bing.com/rs/31/2n/cj,nj/4c7364c5/40e1b425.js'
-URLSslBlock = 'https://cn.bing.com/rs/31/22/cj,nj/3f1e2270/f8c6dd44.js'
-
-URLHttpRedirect = 'http://cn.bing.com/rs/2V/pE/cj,nj/b1392357/d94c45f4.js'
-URLHttpReplace = 'http://cn.bing.com/rs/5j/1pF/cj,nj/2213d9b6/b50738ca.js'
-URLHttpInsert = 'http://cn.bing.com/?FORM=BEHPTB'
-URLHttpHijack = 'http://cn.bing.com/rs/31/2n/cj,nj/4c7364c5/40e1b425.js'
-URLHttpBlock = 'http://cn.bing.com/rs/31/22/cj,nj/3f1e2270/f8c6dd44.js'
-
-URLConTraffic_1k = "https://downloadfile.self-test.geedge.net/1k"
-URLConTraffic_4k = "https://downloadfile.self-test.geedge.net/4k"
-URLConTraffic_16k = "https://downloadfile.self-test.geedge.net/16k"
-URLConTraffic_64k = "https://downloadfile.self-test.geedge.net/64k"
-URLConTraffic_256k = "https://downloadfile.self-test.geedge.net/256k"
-URLConTraffic_1M = "https://downloadfile.self-test.geedge.net/1M"
-URLConTraffic_4M = "https://downloadfile.self-test.geedge.net/4M"
-URLConTraffic_16M = "https://downloadfile.self-test.geedge.net/16M"
-URLConTraffic_64M = "https://downloadfile.self-test.geedge.net/64M"
+http_firewall_allow_re = "http firewall action allow success"
+http_firewall_deny_drop_re = "http firewall aciton deny subaction drop success"
+http_firewall_deny_rst_re = "http firewall action deny subaction rst success"
+http_firewall_deny_block_re = "http firewall aciton deny subaction block success"
+ssl_firewall_allow_re = "ssl firewall action allow success"
+ssl_firewall_deny_drop_re = "ssl firewall action deny subaction drop success"
+ssl_firewall_deny_rst_re = "ssl firewall action deny subaction rst success"
+
+
+URLBypass = 'https://sha384.badssl.self-test.geedge.net'
+URLIntercept = 'https://sha256.badssl.self-test.geedge.net'
+URLSslExpired = 'https://expired.badssl.self-test.geedge.net'
+URLSslSelfsigned = 'https://self-signed.badssl.self-test.geedge.net'
+URLSslSuntrustedroot = 'https://untrusted-root.badssl.self-test.geedge.net'
+
+URLSslRedirect = 'https://cn.bing.com/rs/2V/pE/cj,nj/b1392357/d94c45f4.js'
+URLSslReplace = 'https://cn.bing.com/rs/5j/1pF/cj,nj/2213d9b6/b50738ca.js'
+URLSslInsert = 'https://cn.bing.com/?FORM=BEHPTB'
+URLSslHijack = 'https://cn.bing.com/rs/31/2n/cj,nj/4c7364c5/40e1b425.js'
+URLSslBlock = 'https://cn.bing.com/rs/31/22/cj,nj/3f1e2270/f8c6dd44.js'
+
+URLHttpRedirect = 'http://cn.bing.com/rs/2V/pE/cj,nj/b1392357/d94c45f4.js'
+URLHttpReplace = 'http://cn.bing.com/rs/5j/1pF/cj,nj/2213d9b6/b50738ca.js'
+URLHttpInsert = 'http://cn.bing.com/?FORM=BEHPTB'
+URLHttpHijack = 'http://cn.bing.com/rs/31/2n/cj,nj/4c7364c5/40e1b425.js'
+URLHttpBlock = 'http://cn.bing.com/rs/31/22/cj,nj/3f1e2270/f8c6dd44.js'
+
+URLConTraffic_1k = "https://downloadfile.self-test.geedge.net/1k"
+URLConTraffic_4k = "https://downloadfile.self-test.geedge.net/4k"
+URLConTraffic_16k = "https://downloadfile.self-test.geedge.net/16k"
+URLConTraffic_64k = "https://downloadfile.self-test.geedge.net/64k"
+URLConTraffic_256k = "https://downloadfile.self-test.geedge.net/256k"
+URLConTraffic_1M = "https://downloadfile.self-test.geedge.net/1M"
+URLConTraffic_4M = "https://downloadfile.self-test.geedge.net/4M"
+URLConTraffic_16M = "https://downloadfile.self-test.geedge.net/16M"
+URLConTraffic_64M = "https://downloadfile.self-test.geedge.net/64M"
+
+URLHttpFirewallAllow = "http://http.badssl.self-test.geedge.net"
+URLHttpFirewallDenyDrop = "http://http-credit-card.badssl.self-test.geedge.net"
+URLHttpFirewallDenyRst = "http://http-dynamic-login.badssl.self-test.geedge.net"
+URLHttpFirewallDenyBlock = "http://http-login.badssl.self-test.geedge.net"
+URLSslFirewallAllow = "https://sha512.badssl.self-test.geedge.net"
+URLSslFirewallDenyDrop = "https://rsa2048.badssl.self-test.geedge.net"
+URLSslFirewallDenyRst = "https://rsa4096.badssl.self-test.geedge.net"
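Review bot: `http_firewall_deny_drop_re` and `http_firewall_deny_block_re` spell "aciton" where the other five new messages spell "action". The tests still pass because the same constant is both raised and matched, but the misspelled text presumably ends up in the diagnose result output, where anyone searching for "firewall action" will miss these two cases. The fix is `http_firewall_deny_drop_re = "http firewall action deny subaction drop success"` and the same correction for the block message. These strings are also passed to `assertRaisesRegex` as patterns, so they should stay free of regex metacharacters.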
@@ -407,6 +443,108 @@ class SSLFileDownloadBuild:
raise Exception("Error: connection tarffic size error and is no equal", sizeStr)
+class HttpFirewallActionBuild:
+ def __init__(self):
+ self.conn = pycurl.Curl()
+ self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
+
+ def _set_conn_opt(self,test_suite_name, url):
+ self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
+ self.conn.setopt(self.conn.URL,url)
+ self.conn.setopt(self.conn.TIMEOUT, int(suite_test_config_dict[test_suite_name]['conn_timeout']))
+
+ def action_allow(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLHttpFirewallAllow)
+ self.conn.perform()
+ rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
+ self.conn.close()
+ if rescode == 200:
+ raise Exception(http_firewall_allow_re)
+ else:
+ raise Exception("Error: The stream may be redirected, http code %s" % rescode)
+
+ def action_deny_subaction_drop(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLHttpFirewallDenyDrop)
+ try:
+ self.conn.perform()
+ self.conn.close()
+ except pycurl.error as errorinfo:
+ errcode = errorinfo.args[0]
+ if(errcode == 28):
+ raise Exception(http_firewall_deny_drop_re)
+ else:
+ raise Exception("Error: The stream may be not dropped %s" % errorinfo)
+
+
+ def action_deny_subaction_rst(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLHttpFirewallDenyRst)
+ try:
+ self.conn.perform()
+ self.conn.close()
+ except pycurl.error as errorinfo:
+ errcode = errorinfo.args[0]
+ if(errcode == 56):
+ raise Exception(http_firewall_deny_rst_re)
+ else:
+ raise Exception("Error: The stream may be not rst %s" % errorinfo)
+
+
+ def action_deny_subaction_block(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLHttpFirewallDenyBlock)
+ self.conn.perform()
+ rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
+ self.conn.close()
+ if rescode == 403:
+ raise Exception(http_firewall_deny_block_re)
+ else:
+ raise Exception("Error: The stream may be not block, http code %s " % rescode)
+
+class SslFirewallActionBuild:
+ def __init__(self):
+ self.conn = pycurl.Curl()
+ self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
+ self.conn.setopt(self.conn.OPT_CERTINFO, 1)
+ self.conn.setopt(self.conn.SSL_VERIFYPEER, False)
+
+ def _set_conn_opt(self,test_suite_name, url):
+ self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
+ self.conn.setopt(self.conn.URL,url)
+ self.conn.setopt(self.conn.TIMEOUT, int(suite_test_config_dict[test_suite_name]['conn_timeout']))
+
+ def action_allow(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLSslFirewallAllow)
+ self.conn.perform()
+ rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
+ self.conn.close()
+ if rescode == 200:
+ raise Exception(ssl_firewall_allow_re)
+ else:
+ raise Exception("Error: The stream may be redirected, http code %s" % rescode)
+
+ def action_deny_subaction_drop(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLSslFirewallDenyDrop)
+ try:
+ self.conn.perform()
+ self.conn.close()
+ except pycurl.error as errorinfo:
+ errcode = errorinfo.args[0]
+ if(errcode == 28):
+ raise Exception(ssl_firewall_deny_drop_re)
+ else:
+ raise Exception("Error: The stream may be not dropped %s" % errorinfo)
+
+ def action_deny_subaction_rst(self,test_suite_name):
+ self._set_conn_opt(test_suite_name,URLSslFirewallDenyRst)
+ try:
+ self.conn.perform()
+ self.conn.close()
+ except pycurl.error as errorinfo:
+ errcode = errorinfo.args[0]
+ if(errcode == 35):
+ raise Exception(ssl_firewall_deny_rst_re)
+ else:
+ raise Exception("Error: The stream may be not rst %s" % errorinfo)
+
class SslUnitTest(unittest.TestCase):
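Review bot: In `action_deny_subaction_drop` of both classes any libcurl timeout (error 28) is reported as drop success, so an unreachable test host or a link outage makes the firewall self-check pass with no deny rule in effect; the rst variants have the same weakness with 56 and 35. The verdict is only meaningful when the path is known to be up, for example by requiring the matching allow case to have passed in the same run, and the named constants `pycurl.E_OPERATION_TIMEDOUT`, `pycurl.E_RECV_ERROR` and `pycurl.E_SSL_CONNECT_ERROR` would read better than bare numbers. When `perform()` returns normally these methods fall through without raising, and the handle is never closed on the error path; the sketch below shows one method with both fixed. `SslFirewallActionBuild` also sets `SSL_VERIFYPEER` to False, so its allow case cannot tell the origin server from an intercepting proxy.

```python
    def action_deny_subaction_drop(self, test_suite_name):
        self._set_conn_opt(test_suite_name, URLHttpFirewallDenyDrop)
        try:
            self.conn.perform()
        except pycurl.error as errorinfo:
            # A timeout is consistent with a drop, but also with an unreachable host.
            if errorinfo.args[0] == pycurl.E_OPERATION_TIMEDOUT:
                raise Exception(http_firewall_deny_drop_re)
            raise Exception("Error: The stream may be not dropped %s" % errorinfo)
        else:
            # The request completed, so the deny rule did not take effect.
            rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
            raise Exception("Error: The stream was not dropped, http code %s" % rescode)
        finally:
            self.conn.close()
```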
@@ -531,6 +669,41 @@ class SslUnitTest(unittest.TestCase):
with self.assertRaisesRegex(Exception,https_conn_taffic_64M_re):
requestHandler.conn_traffic( 'test_https_con_traffic_64M',URLConTraffic_64M,https_conn_taffic_64M_re, '64M', 64*1024*1024)
+ def test_http_firewall_allow(self):
+ requestHandler = HttpFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, http_firewall_allow_re):
+ requestHandler.action_allow('test_http_firewall_allow')
+
+ def test_http_firewall_deny_drop(self):
+ requestHandler = HttpFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, http_firewall_deny_drop_re):
+ requestHandler.action_deny_subaction_drop('test_http_firewall_deny_drop')
+
+ def test_http_firewall_deny_rst(self):
+ requestHandler = HttpFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, http_firewall_deny_rst_re):
+ requestHandler.action_deny_subaction_rst('test_http_firewall_deny_rst')
+
+ def test_http_firewall_deny_block(self):
+ requestHandler = HttpFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, http_firewall_deny_block_re):
+ requestHandler.action_deny_subaction_block('test_http_firewall_deny_block')
+
+ def test_ssl_firewall_allow(self):
+ requestHandler = SslFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, ssl_firewall_allow_re):
+ requestHandler.action_allow('test_ssl_firewall_allow')
+
+ def test_ssl_firewall_deny_drop(self):
+ requestHandler = SslFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, ssl_firewall_deny_drop_re):
+ requestHandler.action_deny_subaction_drop('test_ssl_firewall_deny_drop')
+
+ def test_ssl_firewall_deny_rst(self):
+ requestHandler = SslFirewallActionBuild()
+ with self.assertRaisesRegex(Exception, ssl_firewall_deny_rst_re):
+ requestHandler.action_deny_subaction_rst('test_ssl_firewall_deny_rst')
+
class TsgDiagnoseRun:
def __init__(self):
self.interval = 1
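Review bot: None of the seven new test methods documents the device policy it relies on, and each presumably passes only when the firewall under test holds a rule for the hostname in the matching URL constant. A one-line docstring per test would make a failed self-check diagnosable, for example `"""Expects an allow rule for URLHttpFirewallAllow; passes on HTTP 200."""` on `test_http_firewall_allow`. The methods belong to `SslUnitTest`, whose body starts outside this hunk.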
@@ -615,7 +788,13 @@ class TsgDiagnoseRun:
self._add_suite('test_https_con_traffic_4M')
self._add_suite('test_https_con_traffic_16M')
self._add_suite('test_https_con_traffic_64M')
-
+ self._add_suite('test_http_firewall_allow')
+ self._add_suite('test_http_firewall_deny_drop')
+ self._add_suite('test_http_firewall_deny_rst')
+ self._add_suite('test_http_firewall_deny_block')
+ self._add_suite('test_ssl_firewall_allow')
+ self._add_suite('test_ssl_firewall_deny_drop')
+ self._add_suite('test_ssl_firewall_deny_rst')
def _write_suite_result_into_file(self):
resultDict = '/root/result_tsg_diagnose/unittest/'