Added server firewalls

SLsthompson · SLsthompson · commit b497d55b8ddd · 2014-08-11T12:16:28.000-05:00
diff --git a/lib/softlayer/ProductItemCategory.rb b/lib/softlayer/ProductItemCategory.rb
@@ -26,7 +26,7 @@ def initialize(package_item_data, price_item_data)
       self.recurringFee = price_item_data['recurringFee'] ? price_item_data['recurringFee'].to_f : 0.0
       self.hourlyRecurringFee = price_item_data['hourlyRecurringFee'] ? price_item_data['hourlyRecurringFee'].to_f : 0.0
     end
-    
+
     # returns true if the configurtion option has no fees associated with it.
     def free?
       self.setupFee == 0 && self.laborFee == 0 && self.oneTimeFee == 0 && self.recurringFee == 0 && self.hourlyRecurringFee == 0
diff --git a/lib/softlayer/ProductPackage.rb b/lib/softlayer/ProductPackage.rb
@@ -139,7 +139,7 @@ def datacenter_options
     def items_with_description(expected_description)
       filter = ObjectFilter.new { |filter| filter.accept("items.description").when_it is(expected_description) }
       items_data = self.service.object_filter(filter).getItems()
-      
+
       items_data.collect do |item_data|
         first_price = item_data['prices'][0]
         ProductConfigurationOption.new(item_data, first_price)
diff --git a/lib/softlayer/ServerFirewall.rb b/lib/softlayer/ServerFirewall.rb
@@ -5,7 +5,6 @@
 #++
 
 module SoftLayer
-  
   ##
   # The ServerFirewall class represents a firewall in the 
   # SoftLayer environment that exists in a 1 to 1 relationship
@@ -19,6 +18,14 @@ module SoftLayer
 	class ServerFirewall < SoftLayer::ModelBase
     include ::SoftLayer::DynamicAttribute
 
+    ##
+    # :attr_reader:
+    # The state of the firewall, includes whether or not the rules are 
+    # editable and whether or not the firewall rules are applied or bypassed
+    # Can at least be 'allow_edit', 'bypass' or 'no_edit'.  
+    # This list may not be exhaustive
+    sl_attr :status
+
     ##
     # :attr_reader:
     # The firewall rules assigned to this firewall.  These rules will
@@ -34,10 +41,10 @@ class ServerFirewall < SoftLayer::ModelBase
       firewall_rules.to_update do
         rules_data = self.service.object_mask(self.class.default_rules_mask).getRules()
 
-        # For some reason (at the time of this writing) the object mask is not
-        # applied to the rules properly. (this has been reported as a bug to the
-        # proper development team). This extra step does filtering that should
-        # have been done by the object mask.
+        # At the time of this writing, the object mask sent to getRules is not
+        # applied properly. This has been reported as a bug to the proper 
+        # development team. In the mean time, this extra step does filtering 
+        # that should have been done by the object mask.
         rules_keys = self.class.default_rules_mask_keys
         new_rules = rules_data.inject([]) do |new_rules, current_rule|
           new_rule = current_rule.delete_if { |key, value| !(rules_keys.include? key) }
@@ -71,6 +78,9 @@ class ServerFirewall < SoftLayer::ModelBase
       end
     end
 
+    ##
+    # Calls super to initialize the object then initializes some
+    # properties
     def initialize(client, network_hash)
       super(client, network_hash)
       @protected_server = nil
@@ -102,11 +112,10 @@ def change_rules!(rules_data)
       self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
     end
 
-
     ##
     # Locate and return all the server firewalls in the environment.
     # 
-    # These are a bit trick to track down. The strategy we take here is
+    # These are a bit tricky to track down. The strategy we take here is
     # to look at the account and find all the VLANs that do NOT have their
     # "dedicatedFirewallFlag" set.
     #
@@ -132,10 +141,10 @@ def self.find_firewalls(client)
       bare_metal_firewalls_data = []
       virtual_firewalls_data = []
 
-      shared_vlans = softlayer_client[:Account].object_mask("mask[firewallNetworkComponents[id,status,networkComponent[downlinkComponent[hardwareId]]],firewallGuestNetworkComponents[id,status,guestNetworkComponent[id,guest.id]]]").object_filter(shared_vlans_filter).getNetworkVlans
+      shared_vlans = softlayer_client[:Account].object_mask(network_vlan_mask).object_filter(shared_vlans_filter).getNetworkVlans
       shared_vlans.each do |vlan_data|
-        bare_metal_firewalls_data.concat vlan_data["firewallNetworkComponents"].select { |network_component| network_component['status'] == 'allow_edit'}
-        virtual_firewalls_data.concat vlan_data["firewallGuestNetworkComponents"].select { |network_component| network_component['status'] == 'allow_edit'}
+        bare_metal_firewalls_data.concat vlan_data["firewallNetworkComponents"].select { |network_component| network_component['status'] != 'no_edit'}
+        virtual_firewalls_data.concat vlan_data["firewallGuestNetworkComponents"].select { |network_component| network_component['status'] != 'no_edit'}
       end
 
       bare_metal_firewalls = bare_metal_firewalls_data.collect { |bare_metal_firewall_data|
@@ -152,9 +161,24 @@ def self.find_firewalls(client)
     def service
       self.softlayer_client[:Network_Component_Firewall].object_with_id(self.id)
     end
+    
+    def softlayer_properties(object_mask = nil)
+      service = self.service
+      service = service.object_mask(object_mask) if object_mask
+      
+      if self.has_sl_property?('networkComponent')
+        service.object_mask("mask[id,status,networkComponent.downlinkComponent.hardwareId]").getObject
+      else
+        service.object_mask("mask[id,status,guestNetworkComponent.guest.id]").getObject
+      end
+    end
 
     private
 
+    def self.network_vlan_mask
+      "mask[firewallNetworkComponents[id,status,networkComponent.downlinkComponent.hardwareId],firewallGuestNetworkComponents[id,status,guestNetworkComponent.guest.id]]"
+    end
+
     def self.default_rules_mask
       return { "mask" => default_rules_mask_keys }.to_sl_object_mask
     end
diff --git a/lib/softlayer/Service.rb b/lib/softlayer/Service.rb
@@ -236,7 +236,7 @@ def call_softlayer_api_with_params(method_name, parameters, args)
       # The client knows about authentication, so ask him for the auth headers
       authentication_headers = self.client.authentication_headers
       additional_headers.merge!(authentication_headers)
-      
+
       if parameters && parameters.server_object_filter
         additional_headers.merge!("#{@service_name}ObjectFilter" => parameters.server_object_filter)
       end
@@ -324,5 +324,5 @@ def http
 
       @xmlrpc_client
     end
-  end # Service class  
+  end # Service class
 end # module SoftLayer
diff --git a/lib/softlayer/VLANFirewall.rb b/lib/softlayer/VLANFirewall.rb
@@ -5,17 +5,88 @@
 #++
 
 module SoftLayer
+  # The VLANFirewall class represents the firewall that protects
+  # all the servers on a VLAN in the SoftLayer Environment.  It is
+  # also known as a "Dedicated Firewall" in some documentation.
+  # 
+  # Instances of this class are a bit odd because they actually represent 
+  # VLANs (the VLAN protected by the firewall) and not the physical hardware 
+  # implementing the firewall itself. (although the device is accessible as 
+  # the "networkVlanFirewall" property)
+  #
+  # As a result, instances of this class correspond to certain instances
+  # in the SoftLayer_Network_Vlan service.
+  #
 	class VLANFirewall < SoftLayer::ModelBase
+    include ::SoftLayer::DynamicAttribute
+    
+    ##
+    #:attr_reader:
+    #
+    # The number of the VLAN protected by this firewall
+    #
     sl_attr :VLAN_number, 'vlanNumber'
 
     ##
-    # return the name of the router the firewall is attached to
+    # :attr_reader:
+    #
+    # The set of rules applied by this firewall to incoming traffic.
+    # The object will retrieve the rules from the network API every
+    # time you ask it for the rules.
+    #
+    # The code will sort the rules by their "orderValue" which is the
+    # order that the firewall applies the rules, however please see 
+    # the important note in change_rules! concerning the "orderValue" 
+    # property of the rules.
+    sl_dynamic_attr :rules do |firewall_rules|
+      firewall_rules.should_update? do
+        # firewall rules update every time you ask for them.
+        return true
+      end
+
+      firewall_rules.to_update do
+        acl_id = rules_ACL_id()
+        rules_data = self.softlayer_client[:Network_Firewall_AccessControlList].object_with_id(acl_id).object_mask(self.class.default_rules_mask).getRules
+        rules_data.sort { |lhs, rhs| lhs['orderValue'] <=> rhs['orderValue'] }
+      end
+    end
+
+    ##
+    # Change the set of rules for the firewall.
+    # The rules_data parameter should be an array of hashes where
+    # each hash gives the conditions of the rule. The keys of the
+    # hashes should be entries from the array returned by
+    # SoftLayer::ServerFirewall.default_rules_mask_keys
+    #
+    # *NOTE!* The rules themselves have an "orderValue" property.
+    # It is this property, and *not* the order that the rules are
+    # found in the rules_data array, which will determine in which
+    # order the firewall applies it's rules to incomming traffic.
+    #
+    # *NOTE!* Changes to the rules are not applied immediately
+    # on the server side. Instead, they are enqueued by the
+    # firewall update service and updated periodically. A typical
+    # update will take about one minute to apply, but times may vary
+    # depending on the system load and other circumstances.
+    def change_rules!(rules_data)
+      change_object = {
+        "firewallContextAccessControlListId" => self.id,
+        "rules" => rules_data
+      }
+
+      self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
+    end
+
+    ##
+    # Returns the name of the primary router the firewall is attached to.
+    # This is often a "customer router" in one of the datacenters.
     def primaryRouter
       return self['primaryRouter']['hostname']
     end
 
     ##
-    # The fully qualified domain name of the firewall
+    # The fully qualified domain name of the physical device the
+    # firewall is implemented by.
     def fullyQualifiedDomainName
       if self.has_sl_property?('networkVlanFirewall')
         return self['networkVlanFirewall']['fullyQualifiedDomainName']
@@ -25,51 +96,71 @@ def fullyQualifiedDomainName
     end
 
     ##
-    # returns true if the firewall has the high availability flag set
-    #
+    # Returns true if this is a "high availability" firewall, that is a firewall
+    # that exists as one member of a redundant pair.
     def high_availability?
       # note that highAvailabilityFirewallFlag is a boolean in the softlayer hash
       return self.has_sl_property?('highAvailabilityFirewallFlag') && self['highAvailabilityFirewallFlag']
     end
 
-    def rule_set
-      rule_set = nil
-
-      # Search down through the firewall's data to find the AccessControlList (ACL) for the
-      # "outside" interface which handles "in"-wardly directed traffic.  This is the list that
-      # has the rules we're interested in.
-      outside_interface_data = self["firewallInterfaces"].find { |firewall_interface_data| firewall_interface_data['name'] == 'outside' }
-      if outside_interface_data
-        incoming_ACL = outside_interface_data['firewallContextAccessControlLists'].find { |firewallACL_data| firewallACL_data['direction'] == 'in' }
-        
-        firewall_ACL = self.softlayer_client[:Network_Firewall_AccessControlList].object_with_id(incoming_ACL['id']).getObject
-        rule_set = VLANFirewallRuleset.new(self.softlayer_client, firewall_ACL)
-      end
-
-      return rule_set
-    end
-
     ##
-    # collect a list of the firewalls on the account
+    # Collect a list of the firewalls on the account.
     #
+    # This list is obtained by asking the account for all the VLANs
+    # it has that also have a networkVlanFirewall component.
     def self.find_firewalls(client)
       softlayer_client = client || Client.default_client
       raise "#{__method__} requires a client but none was given and Client::default_client is not set" if !softlayer_client
 
+      # only VLAN firewallas have a networkVlanFirewall component
       vlan_firewall_filter = SoftLayer::ObjectFilter.new() { |filter|
         filter.accept("networkVlans.networkVlanFirewall").when_it is_not_null
       }
 
       vlan_firewalls = client[:Account].object_mask(vlan_firewall_mask).object_filter(vlan_firewall_filter).getNetworkVlans
       vlan_firewalls.collect { |firewall_data| SoftLayer::VLANFirewall.new(client, firewall_data)}
     end
+    
+    def service
+      # Objects of this class are a bit odd because they actually represent VLANs (the VLAN protected by the firewall)
+      # and not the physical hardware implementing the firewall itself.  (although the device is accessible as the
+      # "networkVlanFirewall" property)
+      self.softlayer_client[:Network_Vlan].object_with_id(self.id)
+    end
+
+    def softlayer_properties(object_mask = nil)
+      service = self.service
+      service = service.object_mask(object_mask) if object_mask
+      service.object_mask(self.class.vlan_firewall_mask).getObject
+    end
 
     private
 
+    # Searches the set of access control lists for the firewall device in order to locate the one that
+    # sits on the "outside" side of the network and handles 'in'coming traffic.
+    def rules_ACL_id
+      outside_interface_data = self['firewallInterfaces'].find { |interface_data| interface_data['name'] == 'outside' }
+      incoming_ACL = outside_interface_data['firewallContextAccessControlLists'].find { |firewallACL_data| firewallACL_data['direction'] == 'in' } if outside_interface_data
+
+      if incoming_ACL
+        return incoming_ACL['id']
+      else
+        return nil
+      end
+    end
+
     def self.vlan_firewall_mask
-      return "mask[primaryRouter,dedicatedFirewallFlag,highAvailabilityFirewallFlag,"+
+      return "mask[primaryRouter,highAvailabilityFirewallFlag,"+
         "firewallInterfaces.firewallContextAccessControlLists," +
         "networkVlanFirewall[id, datacenter, primaryIpAddress, firewallType, fullyQualifiedDomainName]]"
     end
+
+    def self.default_rules_mask
+      return { "mask" => default_rules_mask_keys }.to_sl_object_mask
+    end
+
+    def self.default_rules_mask_keys
+      ['orderValue','action','destinationIpAddress','destinationIpSubnetMask',"protocol","destinationPortRangeStart","destinationPortRangeEnd",'sourceIpAddress',"sourceIpSubnetMask","version"]
+    end
   end # class Firewall
 end # module SoftLayer
diff --git a/lib/softlayer/VLANFirewallRuleset.rb b/lib/softlayer/VLANFirewallRuleset.rb
diff --git a/lib/softlayer_api.rb b/lib/softlayer_api.rb
@@ -26,13 +26,13 @@
 require 'softlayer/BareMetalServer'
 require 'softlayer/BareMetalServerOrder'
 require 'softlayer/BareMetalServerOrder_Package'
-require 'softlayer/VLANFirewall'
-require 'softlayer/VLANFirewallRuleset'
 require 'softlayer/ImageTemplate'
 require 'softlayer/NetworkComponent'
 require 'softlayer/ProductPackage'
 require 'softlayer/ProductItemCategory'
+require 'softlayer/ServerFirewall'
 require 'softlayer/Ticket'
 require 'softlayer/VirtualServer'
 require 'softlayer/VirtualServerOrder'
 require 'softlayer/VirtualServerUpgradeOrder'
+require 'softlayer/VLANFirewall'
diff --git a/spec/VLANFirewall_spec.rb b/spec/VLANFirewall_spec.rb
@@ -10,8 +10,8 @@
 require 'softlayer_api'
 require 'rspec'
 
-describe SoftLayer::Firewall do
+describe SoftLayer::VLANFirewall do
   it "should have a class representing a firewall" do
-    expect{ SoftLayer::Firewall.new("not really a client", { "id" => 12345 }) }.to_not raise_error
+    expect{ SoftLayer::VLANFirewall.new("not really a client", { "id" => 12345 }) }.to_not raise_error
   end
 end
