From b6943bba0f8a1b74d840f1ce45298f66998e0016 Mon Sep 17 00:00:00 2001
From: David Schmitz <schmitz@lrz.de>
Date: Mon, 10 Jul 2023 11:08:18 +0000
Subject: [PATCH] install-*.sh: option for adding an initial test rule to DB;
 feature/exabgp_with_docker-compose: use this new option for test rule to
 block traffic between host1 and host2

---
 Dockerfile.fod.centos.new                     |  2 +-
 docker-compose/fod_setup_environment-step3.sh |  6 +-
 docker-compose/fod_setup_environment.sh       |  7 ++-
 inst/helpers/add_rule.sh                      | 52 ++++++++++++++++++
 install-centos.sh                             | 55 +++++++++++++++++++
 install-debian.sh                             | 55 +++++++++++++++++++
 6 files changed, 174 insertions(+), 3 deletions(-)
 create mode 100755 inst/helpers/add_rule.sh

diff --git a/Dockerfile.fod.centos.new b/Dockerfile.fod.centos.new
index 192f6f50..e0046230 100644
--- a/Dockerfile.fod.centos.new
+++ b/Dockerfile.fod.centos.new
@@ -1,5 +1,5 @@
 
-# doc: to build+run: docker build -f Dockerfile.fod.centos.new -t fod.centos . && docker run -ti fod.centos
+# doc: to build+run: docker build -f Dockerfile.fod.centos.new -t fod.centos . && docker run -ti -p 8000:8000 fod.centos
 
 #############################################################################
 #############################################################################
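Review bot: The documented run command now publishes the application port with `-p 8000:8000`, which binds it on every interface of the host, so a container started from this one-liner is reachable from the network unless the host filters it. For a build-and-try command that is meant for local testing, `docker run -ti -p 127.0.0.1:8000:8000 fod.centos` keeps the listener on loopback; a short note on the same comment line such as `# use -p 127.0.0.1:8000:8000 unless the instance must be reachable from other hosts` makes the choice visible. Whether the service behind the port enforces authentication is not visible in this hunk.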
diff --git a/docker-compose/fod_setup_environment-step3.sh b/docker-compose/fod_setup_environment-step3.sh
index 39faa11a..403441d4 100755
--- a/docker-compose/fod_setup_environment-step3.sh
+++ b/docker-compose/fod_setup_environment-step3.sh
@@ -6,7 +6,11 @@ else
 	cd /opt/FOD
 	#./install-debian.sh --here --supervisord --setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} --exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
 	#./install-debian.sh --here__with_venv_relative --supervisord --setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} --exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
-	./install-debian.sh --fodproper1 --here__with_venv_relative --supervisord --setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} --exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
+	./install-debian.sh --fodproper1 \
+		--here__with_venv_relative --supervisord \
+		--setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} \
+		--setup_test_rule --setup_test_rule5 testrtr1 10.1.10.11/32 10.2.10.12/32 1 admin \
+		--exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
 	/opt/FOD/venv/bin/python -m pip install exabgp
 	touch /opt/setup_ok
 fi
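Review bot: The new `--setup_test_rule` word on the `./install-debian.sh` line has no effect on its own: in both install-*.sh hunks of this patch that option sets `setup_test_rule=1` while the installer only ever tests `setup_testrule`, so it is the following `--setup_test_rule5` that actually switches the feature on. Either drop the bare flag here or fix the installer so the two variable names agree. The five rule values (`testrtr1 10.1.10.11/32 10.2.10.12/32 1 admin`) are hard-coded, unlike every other parameter on this command line which comes from the environment; `${FOD_TEST_RULE_NAME:-testrtr1} ${FOD_TEST_RULE_SRC:-10.1.10.11/32} ${FOD_TEST_RULE_DST:-10.2.10.12/32} ${FOD_TEST_RULE_PROTO:-1} ${FOD_TEST_RULE_APPLIER:-admin}` would keep the compose environment the single place to configure a lab. Note also that the installer creates the rule with `status='INACTIVE'`, so despite the commit subject it blocks nothing until someone activates it; a comment on this line saying so, e.g. `# test rule is created INACTIVE; activate it in the UI to actually block host1->host2 ICMP`, saves a lab user from debugging a rule that never takes effect.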
diff --git a/docker-compose/fod_setup_environment.sh b/docker-compose/fod_setup_environment.sh
index 6eecbf4f..b2a590f8 100755
--- a/docker-compose/fod_setup_environment.sh
+++ b/docker-compose/fod_setup_environment.sh
@@ -5,7 +5,12 @@ if [ -e /opt/setup_ok ]; then
 else
 	cd /opt/FOD
 	#./install-debian.sh --here --supervisord --setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} --exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
-	./install-debian.sh --here__with_venv_relative --supervisord --setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} --exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
+	#./install-debian.sh --here__with_venv_relative --supervisord --setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} --exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
+	./install-debian.sh \
+		--here__with_venv_relative --supervisord \
+		--setup_admin_user --setup_admin_user5 admin ${ADMIN_PASS} ${ADMIN_EMAIL} ${FOD_ORG} ${FOD_ORG_NET} \
+		--setup_test_rule --setup_test_rule5 testrtr1 10.1.10.11/32 10.2.10.12/32 1 admin \
+		--exabgp ${FOD_EXABGP_LOCAL_ID} ${FOD_EXABGP_LOCAL_IP} ${FOD_EXABGP_LOCAL_AS} ${FOD_EXABGP_REMOTE_ID} ${FOD_EXABGP_REMOTE_IP} ${FOD_EXABGP_REMOTE_AS}
 	/opt/FOD/venv/bin/python -m pip install exabgp
 	touch /opt/setup_ok
 fi
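Review bot: The installer's `--setup_test_rule5` parser (visible in the install-debian.sh hunk of this patch) shifts five values without checking `$#`, so if anyone later replaces one of the literals on the `--setup_test_rule5 testrtr1 10.1.10.11/32 10.2.10.12/32 1 admin` line with an unset environment variable, the word vanishes and `--exabgp` is consumed as the applier name while the ExaBGP parameters are read as rule fields. Keeping these as quoted words, `"${FOD_TEST_RULE_NAME:-testrtr1}"` and so on, prevents that silent shift, and the installer should additionally check `[ $# -ge 6 ]` before consuming them. As in the step3 script, the bare `--setup_test_rule` flag is inert here because install-debian.sh assigns `setup_test_rule` but reads `setup_testrule`; only `--setup_test_rule5` enables the feature.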
diff --git a/inst/helpers/add_rule.sh b/inst/helpers/add_rule.sh
new file mode 100755
index 00000000..3700416a
--- /dev/null
+++ b/inst/helpers/add_rule.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+source_prefix="$1"
+shift 1
+[ -n "$source_prefix" ] || source_prefix="127.0.0.1/32"
+
+destination_prefix="$1"
+shift 1
+[ -n "$destination_prefix" ] || destination_prefix="0.0.0.0/0"
+
+#
+
+IPprotocolId="$1" #arg
+shift 1
+[ -n "$IPprotocolId" ] || IPprotocolId="1"
+
+#
+
+appliername="$1"
+shift 1
+[ -n "$appliername" ] || appliername="admin"
+
+#
+
+name_prefix="testrtr1"
+
+#
+
+{ cat /dev/fd/5 | ./pythonenv ./manage.py shell; } 5<<EOF
+from flowspec.models import *
+from django.contrib.auth.models import User; 
+applier1 = User.objects.get(username__exact='$appliername');
+
+from django.db.models import Q
+query = Q()
+query |= Q(source='$source_prefix', destination='$destination_prefix', protocol__in=[$IPprotocolId])
+matching_routes = Route.objects.filter(query)
+
+if len(matching_routes)!=0:
+  print("test rule $name_prefix already exists")
+  print("matching_routes="+str(matching_routes))
+else:
+  a = Route(name='$name_prefix', source='$source_prefix', destination='$destination_prefix', status='INACTIVE', applier=applier1)
+  a.save();
+  a.protocol.set([$IPprotocolId])
+  a.save();
+EOF
+
+#
+
+echo "SELECT * from route;" | ./pythonenv ./manage.py dbshell | grep "$name_prefix.*$source_prefix.*$destination_prefix.*$IPprotocolId"
+
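Review bot: Every argument of this script is spliced verbatim into Python source through the unquoted heredoc (L98-L116): `$IPprotocolId` lands unquoted inside the list literals `protocol__in=[$IPprotocolId]` and `a.protocol.set([$IPprotocolId])`, and the prefixes and user name are dropped into single-quoted strings, so a value containing `'`, `]` or a newline changes the program rather than the data and `./manage.py shell` executes whatever results with the application's database credentials. The script also lacks `set -euo pipefail`, assumes its working directory is the FOD checkout (`./pythonenv ./manage.py`), and hard-codes `name_prefix="testrtr1"` even though the installer hunks in this patch take the rule name as a parameter. Validating the arguments before the heredoc is the smallest fix (fence below); passing them through the environment and reading `os.environ` inside a `<<'EOF'` heredoc would remove the interpolation altogether. The closing `grep` also treats the prefixes as regular expressions, so `.` in them matches any character; that is cosmetic next to the injection.

```shell
# Every value below is interpolated into Python source, so restrict them to
# characters that cannot terminate a string or list literal.
[[ "$IPprotocolId" =~ ^[0-9]+$ ]] \
  || { printf '%s: protocol id must be a decimal integer, got %q\n' "$0" "$IPprotocolId" >&2; exit 2; }
for value in "$source_prefix" "$destination_prefix" "$appliername"; do
  [[ "$value" =~ ^[A-Za-z0-9._:/@-]+$ ]] \
    || { printf '%s: refusing argument with unsafe characters: %q\n' "$0" "$value" >&2; exit 2; }
done
# … unchanged: heredoc creating the Route via ./manage.py shell, and the final dbshell check …
```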
diff --git a/install-centos.sh b/install-centos.sh
index ce3922f1..0946da3e 100755
--- a/install-centos.sh
+++ b/install-centos.sh
@@ -92,6 +92,15 @@ setup_adminuser__peer_ip_prefix1="0.0.0.0/0"
 
 #
 
+setup_testrule=0
+setup_testrule_appliername="$setup_adminuser__username"
+setup_testrule_name_prefix="testrule1"
+setup_testrule_source_prefix="0.0.0.0/0"
+setup_testrule_destination_prefix="127.0.0.1/32"
+setup_testrule_IPprotocolId=1 # ICMP
+
+#
+
 setup_netconf=0
 
 setup_netconf__device=
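Review bot: `setup_testrule_appliername="$setup_adminuser__username"` snapshots the admin user name at this point, before the argument loop runs, so `--setup_admin_user5 someuser …` combined with the bare `--setup_test_rule` flag would still look up the earlier default rather than the admin that was just created (assuming `setup_adminuser__username` is assigned in the defaults block above, which the `setup_adminuser__peer_ip_prefix1` context line suggests). Resolve it after parsing instead: leave `setup_testrule_appliername=` empty here and use `"${setup_testrule_appliername:-$setup_adminuser__username}"` where the rule is created. The default rule `0.0.0.0/0` → `127.0.0.1/32` ICMP also differs from the host-to-host rule the compose scripts pass; a comment such as `# default: loopback-only ICMP rule, harmless if ever activated` would make the intent of these defaults explicit.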
@@ -305,6 +314,22 @@ while [ $# -gt 0 ]; do
     shift 1 
     setup_adminuser__peer_ip_prefix1="$1"
     shift 1 
+  elif [ $# -ge 1 -a "$1" = "--setup_test_rule" ]; then
+    shift 1
+    setup_test_rule=1
+  elif [ $# -ge 1 -a "$1" = "--setup_test_rule5" ]; then
+    shift 1
+    setup_testrule=1
+    setup_testrule_name_prefix="$1" 
+    shift 1
+    setup_testrule_source_prefix="$1"
+    shift 1
+    setup_testrule_destination_prefix="$1"
+    shift 1
+    setup_testrule_IPprotocolId="$1"
+    shift 1
+    setup_testrule_appliername="$1"
+    shift 1
   elif [ $# -ge 1 -a "$1" = "--netconf" ]; then 
     shift 1
     setup_netconf=1
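Review bot: `--setup_test_rule` sets `setup_test_rule=1` but the installer later tests `"$setup_testrule" = 1`, so the bare option is a silent no-op; the assignment should read `setup_testrule=1`. `--setup_test_rule5` consumes five values without verifying they exist, so a short command line leaves the rule fields as empty strings or, worse, swallows the next option (`--exabgp`) as the applier name; guard it like the flag test does, `elif [ $# -ge 6 -a "$1" = "--setup_test_rule5" ]; then`. The protocol id is later pasted verbatim into Python source in this file, so this is also the natural place to reject non-numeric values: `[[ "$setup_testrule_IPprotocolId" =~ ^[0-9]+$ ]] || { echo "$0: --setup_test_rule5: protocol id must be numeric" >&2; exit 2; }`. The argument-parsing loop begins before this hunk.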
@@ -813,6 +838,36 @@ if [ "$install_fodproper" = 1 ]; then
  
   fi
 
+  echo "setup_testrule=$setup_testrule" 1>&2
+
+  if [ "$setup_testrule" = 1 ]; then
+    echo "$0: step 2.4.2.1: setup test rule" 1>&2
+
+    (
+      set +e # for now ignore potential errors, especially in case user already exists
+      source ./venv/bin/activate
+{ cat /dev/fd/5 | ./pythonenv ./manage.py shell; } 5<<EOF
+from flowspec.models import *
+from django.contrib.auth.models import User; 
+applier1 = User.objects.get(username__exact='$setup_testrule_appliername');
+
+from django.db.models import Q
+query = Q()
+query |= Q(source='$setup_testrule_source_prefix', destination='$setup_testrule_destination_prefix', protocol__in=[$setup_testrule_IPprotocolId])
+matching_routes = Route.objects.filter(query)
+
+if len(matching_routes)!=0:
+  print("test rule $setup_testrule_name_prefix already exists")
+  print("matching_routes="+str(matching_routes))
+else:
+  a = Route(name='$setup_testrule_name_prefix', source='$setup_testrule_source_prefix', destination='$setup_testrule_destination_prefix', status='INACTIVE', applier=applier1)
+  a.save();
+  a.protocol.set([$setup_testrule_IPprotocolId])
+  a.save();
+EOF
+    )
+  fi
+
   ##
 
   # ./manage.py above may have created debug.log with root permissions:
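Review bot: The heredoc at L177-L195 is unquoted, so `$setup_testrule_source_prefix`, `$setup_testrule_destination_prefix`, `$setup_testrule_appliername` and `$setup_testrule_name_prefix` are pasted into single-quoted Python strings and `$setup_testrule_IPprotocolId` into a bare list literal; any value containing a quote, bracket or newline becomes Python executed by `./manage.py shell` with the application's database credentials, and nothing in the option parser validates these values. Handing them to Python through the environment inside a quoted heredoc (fence below) removes the interpolation entirely. `set +e` in the subshell means a missing applier (`User.objects.get` raising `DoesNotExist`) or a failed save only prints a traceback while the installer carries on as if the rule existed; as far as I can tell `manage.py shell` exits non-zero when the script raises, so at least `|| echo "$0: test rule was not created" >&2` should follow the command. The same Python is duplicated verbatim in install-debian.sh and in the new inst/helpers/add_rule.sh; calling the helper from here would leave one copy to maintain. The enclosing `if [ "$install_fodproper" = 1 ]` block starts before this hunk.

```shell
    (
      set +e # for now ignore potential errors, especially in case user already exists
      source ./venv/bin/activate
      # Hand the values to Python through the environment; with the quoted
      # delimiter the shell performs no expansion inside the heredoc.
      FOD_TEST_RULE_NAME="$setup_testrule_name_prefix" \
      FOD_TEST_RULE_SRC="$setup_testrule_source_prefix" \
      FOD_TEST_RULE_DST="$setup_testrule_destination_prefix" \
      FOD_TEST_RULE_PROTO="$setup_testrule_IPprotocolId" \
      FOD_TEST_RULE_APPLIER="$setup_testrule_appliername" \
      ./pythonenv ./manage.py shell <<'EOF' || echo "$0: test rule was not created" >&2
import os
from flowspec.models import *
from django.contrib.auth.models import User
from django.db.models import Q

name = os.environ["FOD_TEST_RULE_NAME"]
src = os.environ["FOD_TEST_RULE_SRC"]
dst = os.environ["FOD_TEST_RULE_DST"]
proto = int(os.environ["FOD_TEST_RULE_PROTO"])
applier1 = User.objects.get(username__exact=os.environ["FOD_TEST_RULE_APPLIER"])
# … unchanged: duplicate check and Route creation, using name/src/dst/proto in place of the interpolated values …
EOF
    )
```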
diff --git a/install-debian.sh b/install-debian.sh
index b684c013..bbf0d89b 100755
--- a/install-debian.sh
+++ b/install-debian.sh
@@ -98,6 +98,15 @@ setup_adminuser__peer_ip_prefix1="0.0.0.0/0"
 
 #
 
+setup_testrule=0
+setup_testrule_appliername="$setup_adminuser__username"
+setup_testrule_name_prefix="testrule1"
+setup_testrule_source_prefix="0.0.0.0/0"
+setup_testrule_destination_prefix="127.0.0.1/32"
+setup_testrule_IPprotocolId=1 # ICMP
+
+#
+
 setup_netconf=0
 
 setup_netconf__device=
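Review bot: The applier default `setup_testrule_appliername="$setup_adminuser__username"` is evaluated here, before the command line is parsed, so a later `--setup_admin_user5 <name> …` does not change which user the test rule is attributed to when only the bare `--setup_test_rule` flag is given (this assumes `setup_adminuser__username` is set in the defaults section above, as the surrounding `setup_adminuser__*` lines suggest). Defaulting at the point of use, `"${setup_testrule_appliername:-$setup_adminuser__username}"`, and leaving this assignment empty avoids the stale value. A one-line comment on the prefix defaults, e.g. `# defaults describe a loopback-only ICMP rule that is safe even if activated`, would also explain why they differ from the host-to-host rule the compose scripts pass.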
@@ -408,6 +417,22 @@ while [ $# -gt 0 ]; do
     shift 1 
     setup_adminuser__peer_ip_prefix1="$1"
     shift 1 
+  elif [ $# -ge 1 -a "$1" = "--setup_test_rule" ]; then
+    shift 1
+    setup_test_rule=1
+  elif [ $# -ge 1 -a "$1" = "--setup_test_rule5" ]; then
+    shift 1
+    setup_testrule=1
+    setup_testrule_name_prefix="$1" 
+    shift 1
+    setup_testrule_source_prefix="$1"
+    shift 1
+    setup_testrule_destination_prefix="$1"
+    shift 1
+    setup_testrule_IPprotocolId="$1"
+    shift 1
+    setup_testrule_appliername="$1"
+    shift 1
   elif [ $# -ge 1 -a "$1" = "--netconf" ]; then 
     shift 1
     setup_netconf=1
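Review bot: The `--setup_test_rule` branch assigns `setup_test_rule=1`, a variable nothing else in this patch reads, while the feature is gated on `setup_testrule`; the line should be `setup_testrule=1`. The `--setup_test_rule5` branch shifts five values without a length check, so a truncated invocation silently assigns empty fields or consumes the following `--exabgp` option as the applier name; `elif [ $# -ge 6 -a "$1" = "--setup_test_rule5" ]; then` mirrors how the other multi-argument options should be guarded. Because the protocol id is inserted verbatim into Python source further down in this file, rejecting non-numeric input here, `[[ "$setup_testrule_IPprotocolId" =~ ^[0-9]+$ ]] || { echo "$0: --setup_test_rule5: protocol id must be numeric" >&2; exit 2; }`, closes the most obvious way to change that Python. The option loop begins before this hunk.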
@@ -954,6 +979,36 @@ if [ "$install_fodproper" = 1 ]; then
  
   fi
 
+  echo "setup_testrule=$setup_testrule" 1>&2
+
+  if [ "$setup_testrule" = 1 ]; then
+    echo "$0: step 2.4.2.1: setup test rule" 1>&2
+
+    (
+      set +e # for now ignore potential errors, especially in case user already exists
+      source ./venv/bin/activate
+{ cat /dev/fd/5 | ./pythonenv ./manage.py shell; } 5<<EOF
+from flowspec.models import *
+from django.contrib.auth.models import User; 
+applier1 = User.objects.get(username__exact='$setup_testrule_appliername');
+
+from django.db.models import Q
+query = Q()
+query |= Q(source='$setup_testrule_source_prefix', destination='$setup_testrule_destination_prefix', protocol__in=[$setup_testrule_IPprotocolId])
+matching_routes = Route.objects.filter(query)
+
+if len(matching_routes)!=0:
+  print("test rule $setup_testrule_name_prefix already exists")
+  print("matching_routes="+str(matching_routes))
+else:
+  a = Route(name='$setup_testrule_name_prefix', source='$setup_testrule_source_prefix', destination='$setup_testrule_destination_prefix', status='INACTIVE', applier=applier1)
+  a.save();
+  a.protocol.set([$setup_testrule_IPprotocolId])
+  a.save();
+EOF
+    )
+  fi
+
   ##
 
   # ./manage.py above may have created debug.log with root permissions:
-- 
GitLab