diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index ba61d20f7..6d2b7a52d 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -349,8 +349,7 @@ The contract between **inspector** and a PXE filter driver is described in the internal driver state * :meth:`~FilterDriver.sync` called both periodically and when a node starts or - finishes introspection to white or blacklist its ports MAC addresses in the - driver + finishes introspection to allow or deny its ports MAC addresses in the driver * :meth:`~FilterDriver.tear_down_filter` called on service exit to reset the internal driver state diff --git a/doc/source/admin/dnsmasq-pxe-filter.rst b/doc/source/admin/dnsmasq-pxe-filter.rst index 10ce14495..36d874211 100644 --- a/doc/source/admin/dnsmasq-pxe-filter.rst +++ b/doc/source/admin/dnsmasq-pxe-filter.rst @@ -24,7 +24,7 @@ file parsing. The content of the file determines the MAC address access policy. Thanks to the ``inotify`` facility, **dnsmasq** is notified once a new file is *created* or an existing file is *modified* in the DHCP hosts directory. Thus, -to white-list a MAC address, the filter removes the ``ignore`` directive:: +to allow a MAC address, the filter removes the ``ignore`` directive:: $ cat /etc/dnsmasq.d/de-ad-be-ef-de-ad de:ad:be:ef:de:ad @@ -121,5 +121,5 @@ start-up. Although the filter driver tries its best to always stop the **dnsmasq** service, it is recommended that the operator configures the **dnsmasq** service in such a way that it terminates upon **ironic-inspector** -(unexpected) exit to prevent a stale blacklist from being used by the +(unexpected) exit to prevent a stale deny list from being used by the **dnsmasq** service. diff --git a/ironic_inspector/pxe_filter/dnsmasq.py b/ironic_inspector/pxe_filter/dnsmasq.py index d4d4c7bce..ae282f15b 100644 --- a/ironic_inspector/pxe_filter/dnsmasq.py +++ b/ironic_inspector/pxe_filter/dnsmasq.py @@ -44,18 +44,18 @@ _EXCLUSIVE_WRITE_ATTEMPTS = 10 _EXCLUSIVE_WRITE_ATTEMPTS_DELAY = 0.01 _ROOTWRAP_COMMAND = 'sudo ironic-inspector-rootwrap {rootwrap_config!s}' -_MACBL_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n') -_MACWL_LEN = len('ff:ff:ff:ff:ff:ff\n') +_MAC_DENY_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n') +_MAC_ALLOW_LEN = len('ff:ff:ff:ff:ff:ff\n') _UNKNOWN_HOSTS_FILE = 'unknown_hosts_filter' -_BLACKLIST_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n' -_WHITELIST_UNKNOWN_HOSTS = '*:*:*:*:*:*\n' +_DENY_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n' +_ALLOW_UNKNOWN_HOSTS = '*:*:*:*:*:*\n' def _should_enable_unknown_hosts(): """Check whether we should enable DHCP for unknown hosts - We blacklist unknown hosts unless one or more nodes are on introspection - and node_not_found_hook is not set. + We add unknown hosts to the deny list unless one or more nodes are on + introspection and node_not_found_hook is not set. """ return (node_cache.introspection_active() or CONF.processing.node_not_found_hook is not None) @@ -89,24 +89,24 @@ class DnsmasqFilter(pxe_filter.BaseFilter): ironic_macs = set(port.address for port in ir_utils.call_with_retries(ironic.ports, limit=None, fields=['address'])) - blacklist, whitelist = _get_black_white_lists() - # removedlist are the MACs that are in either blacklist or whitelist, + denylist, allowlist = _get_deny_allow_lists() + # removedlist are the MACs that are in either in allow or denylist, # but not kept in ironic (ironic_macs) any more - removedlist = blacklist.union(whitelist).difference(ironic_macs) + removedlist = denylist.union(allowlist).difference(ironic_macs) - # Whitelist active MACs that are not already whitelisted - for mac in active_macs.difference(whitelist): - _whitelist_mac(mac) - # Blacklist any ironic MACs that is not active for introspection unless - # it is already blacklisted - for mac in ironic_macs.difference(blacklist.union(active_macs)): - _blacklist_mac(mac) + # Add active MACs that are not already in the allowlist + for mac in active_macs.difference(allowlist): + _add_mac_to_allowlist(mac) + # Add any ironic MACs that is not active for introspection to the + # deny list unless it is already present + for mac in ironic_macs.difference(denylist.union(active_macs)): + _add_mac_to_denylist(mac) - # Whitelist or Blacklist unknown hosts and MACs not kept in ironic + # Allow or deny unknown hosts and MACs not kept in ironic # NOTE(hjensas): Treat unknown hosts and MACs not kept in ironic the # same. Neither should boot the inspection image unless introspection - # is active. Deleted MACs must be whitelisted when introspection is - # active in case the host is re-enrolled. + # is active. Deleted MACs must be added to the allow list when + # introspection is active in case the host is re-enrolled. _configure_unknown_hosts() _configure_removedlist(removedlist) @@ -119,8 +119,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter): """Sync dnsmasq configuration with current Ironic&Inspector state. Polls all ironic ports. Those being inspected, the active ones, are - whitelisted while the rest are blacklisted in the dnsmasq - configuration. + added to the allow list while the rest are added to the deny list in + the dnsmasq configuration. :param ironic: an ironic client instance. :raises: OSError, IOError. @@ -133,8 +133,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter): """Performs an initial sync with ironic and starts dnsmasq. The initial _sync() call reduces the chances dnsmasq might lose - some inotify blacklist events by prefetching the blacklist before - the dnsmasq is started. + some inotify deny list events by prefetching the list before dnsmasq + is started. :raises: OSError, IOError. :returns: None. @@ -166,23 +166,23 @@ def _purge_dhcp_hostsdir(): LOG.debug('Removed %s', path) -def _get_black_white_lists(): - """Get addresses currently blacklisted in dnsmasq. +def _get_deny_allow_lists(): + """Get addresses currently denied by dnsmasq. :raises: FileNotFoundError in case the dhcp_hostsdir is invalid. - :returns: a set of MACs currently blacklisted in dnsmasq. + :returns: a set of MACs currently denied by dnsmasq. """ hostsdir = CONF.dnsmasq_pxe_filter.dhcp_hostsdir - # whitelisted MACs lack the ,ignore directive - blacklist = set() - whitelist = set() + # MACs in the allow list lack the ,ignore directive + denylist = set() + allowlist = set() for mac in os.listdir(hostsdir): - if os.stat(os.path.join(hostsdir, mac)).st_size == _MACBL_LEN: - blacklist.add(mac) - if os.stat(os.path.join(hostsdir, mac)).st_size == _MACWL_LEN: - whitelist.add(mac) + if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_DENY_LEN: + denylist.add(mac) + if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_ALLOW_LEN: + allowlist.add(mac) - return blacklist, whitelist + return denylist, allowlist def _exclusive_write_or_pass(path, buf): @@ -225,7 +225,7 @@ def _exclusive_write_or_pass(path, buf): def _configure_removedlist(macs): - """Manages a dhcp_hostsdir ignore/not-ignore record for removed macs + """Manages a dhcp_hostsdir allow/deny record for removed macs :raises: FileNotFoundError in case the dhcp_hostsdir is invalid, :returns: None. @@ -235,16 +235,16 @@ def _configure_removedlist(macs): if _should_enable_unknown_hosts(): for mac in macs: - if os.stat(os.path.join(hostsdir, mac)).st_size != _MACWL_LEN: - _whitelist_mac(mac) + if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_ALLOW_LEN: + _add_mac_to_allowlist(mac) else: for mac in macs: - if os.stat(os.path.join(hostsdir, mac)).st_size != _MACBL_LEN: - _blacklist_mac(mac) + if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_DENY_LEN: + _add_mac_to_denylist(mac) def _configure_unknown_hosts(): - """Manages a dhcp_hostsdir ignore/not-ignore record for unknown macs. + """Manages a dhcp_hostsdir allow/deny record for unknown macs. :raises: FileNotFoundError in case the dhcp_hostsdir is invalid, IOError in case the dhcp host unknown file isn't writable. @@ -254,13 +254,13 @@ def _configure_unknown_hosts(): _UNKNOWN_HOSTS_FILE) if _should_enable_unknown_hosts(): - wildcard_filter = _WHITELIST_UNKNOWN_HOSTS - log_wildcard_filter = 'whitelist' + wildcard_filter = _ALLOW_UNKNOWN_HOSTS + log_wildcard_filter = 'allow' else: - wildcard_filter = _BLACKLIST_UNKNOWN_HOSTS - log_wildcard_filter = 'blacklist' + wildcard_filter = _DENY_UNKNOWN_HOSTS + log_wildcard_filter = 'deny' - # Don't update if unknown hosts are already black/white-listed + # Don't update if unknown hosts are already in the deny/allow-list try: if os.stat(path).st_size == len(wildcard_filter): return @@ -276,8 +276,8 @@ def _configure_unknown_hosts(): 'retrying next periodic sync time', log_wildcard_filter) -def _blacklist_mac(mac): - """Creates a dhcp_hostsdir ignore record for the MAC. +def _add_mac_to_denylist(mac): + """Creates a dhcp_hostsdir deny record for the MAC. :raises: FileNotFoundError in case the dhcp_hostsdir is invalid, IOError in case the dhcp host MAC file isn't writable. @@ -285,14 +285,14 @@ def _blacklist_mac(mac): """ path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac) if _exclusive_write_or_pass(path, '%s,ignore\n' % mac): - LOG.debug('Blacklisted %s', mac) + LOG.debug('MAC %s added to the deny list', mac) else: - LOG.warning('Failed to blacklist %s; retrying next periodic sync ' - 'time', mac) + LOG.warning('Failed to add MAC %s to the deny list; retrying next ' + 'periodic sync time', mac) -def _whitelist_mac(mac): - """Un-ignores the dhcp_hostsdir record for the MAC. +def _add_mac_to_allowlist(mac): + """Update the dhcp_hostsdir record for the MAC adding it to allow list :raises: FileNotFoundError in case the dhcp_hostsdir is invalid, IOError in case the dhcp host MAC file isn't writable. @@ -301,10 +301,10 @@ def _whitelist_mac(mac): path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac) # remove the ,ignore directive if _exclusive_write_or_pass(path, '%s\n' % mac): - LOG.debug('Whitelisted %s', mac) + LOG.debug('MAC %s removed from the deny list', mac) else: - LOG.warning('Failed to whitelist %s; retrying next periodic sync ' - 'time', mac) + LOG.warning('Failed to remove MAC %s from the deny list; retrying ' + 'next periodic sync time', mac) def _execute(cmd=None, ignore_errors=False): diff --git a/ironic_inspector/pxe_filter/iptables.py b/ironic_inspector/pxe_filter/iptables.py index 80f74d999..1d9c5248d 100644 --- a/ironic_inspector/pxe_filter/iptables.py +++ b/ironic_inspector/pxe_filter/iptables.py @@ -45,7 +45,7 @@ class IptablesFilter(pxe_filter.BaseFilter): def __init__(self): super(IptablesFilter, self).__init__() - self.blacklist_cache = None + self.denylist_cache = None self.enabled = True self.interface = CONF.iptables.dnsmasq_interface self.chain = CONF.iptables.firewall_chain @@ -65,7 +65,7 @@ class IptablesFilter(pxe_filter.BaseFilter): def reset(self): self.enabled = True - self.blacklist_cache = None + self.denylist_cache = None for chain in (self.chain, self.new_chain): try: self._clean_up(chain) @@ -114,26 +114,26 @@ class IptablesFilter(pxe_filter.BaseFilter): self._disable_dhcp() return - to_blacklist = _get_blacklist(ironic) - if to_blacklist == self.blacklist_cache: + to_deny = _get_denylist(ironic) + if to_deny == self.denylist_cache: LOG.debug('Not updating iptables - no changes in MAC list %s', - to_blacklist) + to_deny) return - LOG.debug('Blacklisting active MAC\'s %s', to_blacklist) + LOG.debug('Adding active MAC\'s %s to the deny list', to_deny) with self._temporary_chain(self.new_chain, self.chain): # Force update on the next iteration if this attempt fails - self.blacklist_cache = None - # - Blacklist active macs, so that nova can boot them - for mac in to_blacklist: + self.denylist_cache = None + # - Add active macs to the deny list, so that nova can boot them + for mac in to_deny: self._iptables('-A', self.new_chain, '-m', 'mac', '--mac-source', mac, '-j', 'DROP') - # - Whitelist everything else + # - Add everything else to the allow list self._iptables('-A', self.new_chain, '-j', 'ACCEPT') # Cache result of successful iptables update self.enabled = True - self.blacklist_cache = to_blacklist + self.denylist_cache = to_deny LOG.debug('The iptables filter was synchronized') @contextlib.contextmanager @@ -185,9 +185,9 @@ class IptablesFilter(pxe_filter.BaseFilter): LOG.debug('No nodes on introspection and node_not_found_hook is ' 'not set - disabling DHCP') - self.blacklist_cache = None + self.denylist_cache = None with self._temporary_chain(self.new_chain, self.chain): - # Blacklist everything + # deny everything self._iptables('-A', self.new_chain, '-j', 'REJECT') self.enabled = False @@ -230,7 +230,7 @@ def _ib_mac_to_rmac_mapping(ports): port.address = match.group(1) -def _get_blacklist(ironic): +def _get_denylist(ironic): ports = [port for port in ir_utils.call_with_retries(ironic.ports, limit=None, fields=['address', 'extra']) diff --git a/ironic_inspector/test/unit/test_dnsmasq_pxe_filter.py b/ironic_inspector/test/unit/test_dnsmasq_pxe_filter.py index 6d15eb684..c66af8ec7 100644 --- a/ironic_inspector/test/unit/test_dnsmasq_pxe_filter.py +++ b/ironic_inspector/test/unit/test_dnsmasq_pxe_filter.py @@ -221,7 +221,7 @@ class TestMACHandlers(test_base.BaseTest): self.mock_introspection_active = self.useFixture( fixtures.MockPatchObject(node_cache, 'introspection_active')).mock - def test__whitelist_unknown_hosts(self): + def test__allowlist_unknown_hosts(self): self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir, dnsmasq._UNKNOWN_HOSTS_FILE) self.mock_introspection_active.return_value = True @@ -231,12 +231,12 @@ class TestMACHandlers(test_base.BaseTest): dnsmasq._UNKNOWN_HOSTS_FILE) self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock_join.return_value, - '%s' % dnsmasq._WHITELIST_UNKNOWN_HOSTS) + '%s' % dnsmasq._ALLOW_UNKNOWN_HOSTS) self.mock_log.debug.assert_called_once_with( 'A %s record for all unknown hosts using wildcard mac ' - 'created', 'whitelist') + 'created', 'allow') - def test__blacklist_unknown_hosts(self): + def test__denylist_unknown_hosts(self): self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir, dnsmasq._UNKNOWN_HOSTS_FILE) self.mock_introspection_active.return_value = False @@ -246,14 +246,14 @@ class TestMACHandlers(test_base.BaseTest): dnsmasq._UNKNOWN_HOSTS_FILE) self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock_join.return_value, - '%s' % dnsmasq._BLACKLIST_UNKNOWN_HOSTS) + '%s' % dnsmasq._DENY_UNKNOWN_HOSTS) self.mock_log.debug.assert_called_once_with( 'A %s record for all unknown hosts using wildcard mac ' - 'created', 'blacklist') + 'created', 'deny') - def test__configure_removedlist_whitelist(self): + def test__configure_removedlist_allowlist(self): self.mock_introspection_active.return_value = True - self.mock_stat.return_value.st_size = dnsmasq._MACBL_LEN + self.mock_stat.return_value.st_size = dnsmasq._MAC_DENY_LEN dnsmasq._configure_removedlist({self.mac}) @@ -261,9 +261,9 @@ class TestMACHandlers(test_base.BaseTest): self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock_join.return_value, '%s\n' % self.mac) - def test__configure_removedlist_blacklist(self): + def test__configure_removedlist_denylist(self): self.mock_introspection_active.return_value = False - self.mock_stat.return_value.st_size = dnsmasq._MACWL_LEN + self.mock_stat.return_value.st_size = dnsmasq._MAC_ALLOW_LEN dnsmasq._configure_removedlist({self.mac}) @@ -271,56 +271,56 @@ class TestMACHandlers(test_base.BaseTest): self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock_join.return_value, '%s,ignore\n' % self.mac) - def test__whitelist_mac(self): - dnsmasq._whitelist_mac(self.mac) + def test__allowlist_mac(self): + dnsmasq._add_mac_to_allowlist(self.mac) self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac) self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock_join.return_value, '%s\n' % self.mac) - def test__blacklist_mac(self): - dnsmasq._blacklist_mac(self.mac) + def test__denylist_mac(self): + dnsmasq._add_mac_to_denylist(self.mac) self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac) self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock_join.return_value, '%s,ignore\n' % self.mac) - def test__get_blacklist(self): + def test__get_denylist(self): self.mock_listdir.return_value = [self.mac] self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac) - blacklist, whitelist = dnsmasq._get_black_white_lists() + denylist, allowlist = dnsmasq._get_deny_allow_lists() - self.assertEqual({self.mac}, blacklist) + self.assertEqual({self.mac}, denylist) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_stat.assert_called_with(self.mock_join.return_value) - def test__get_whitelist(self): + def test__get_allowlist(self): self.mock_listdir.return_value = [self.mac] self.mock_stat.return_value.st_size = len('%s\n' % self.mac) - blacklist, whitelist = dnsmasq._get_black_white_lists() + denylist, allowlist = dnsmasq._get_deny_allow_lists() - self.assertEqual({self.mac}, whitelist) + self.assertEqual({self.mac}, allowlist) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_stat.assert_called_with(self.mock_join.return_value) - def test__get_no_blacklist(self): + def test__get_no_denylist(self): self.mock_listdir.return_value = [self.mac] self.mock_stat.return_value.st_size = len('%s\n' % self.mac) - blacklist, whitelist = dnsmasq._get_black_white_lists() + denylist, allowlist = dnsmasq._get_deny_allow_lists() - self.assertEqual(set(), blacklist) + self.assertEqual(set(), denylist) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_stat.assert_called_with(self.mock_join.return_value) - def test__get_no_whitelist(self): + def test__get_no_allowlist(self): self.mock_listdir.return_value = [self.mac] self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac) - blacklist, whitelist = dnsmasq._get_black_white_lists() + denylist, allowlist = dnsmasq._get_deny_allow_lists() - self.assertEqual(set(), whitelist) + self.assertEqual(set(), allowlist) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_stat.assert_called_with(self.mock_join.return_value) @@ -348,12 +348,12 @@ class TestMACHandlers(test_base.BaseTest): class TestSync(DnsmasqTestBase): def setUp(self): super(TestSync, self).setUp() - self.mock__get_black_white_lists = self.useFixture( - fixtures.MockPatchObject(dnsmasq, '_get_black_white_lists')).mock - self.mock__whitelist_mac = self.useFixture( - fixtures.MockPatchObject(dnsmasq, '_whitelist_mac')).mock - self.mock__blacklist_mac = self.useFixture( - fixtures.MockPatchObject(dnsmasq, '_blacklist_mac')).mock + self.mock__get_deny_allow_lists = self.useFixture( + fixtures.MockPatchObject(dnsmasq, '_get_deny_allow_lists')).mock + self.mock__add_mac_to_allowlist = self.useFixture( + fixtures.MockPatchObject(dnsmasq, '_add_mac_to_allowlist')).mock + self.mock__add_mac_to_denylist = self.useFixture( + fixtures.MockPatchObject(dnsmasq, '_add_mac_to_denylist')).mock self.mock__configure_unknown_hosts = self.useFixture( fixtures.MockPatchObject(dnsmasq, '_configure_unknown_hosts')).mock self.mock__configure_removedlist = self.useFixture( @@ -376,10 +376,10 @@ class TestSync(DnsmasqTestBase): fixtures.MockPatchObject(node_cache, 'active_macs')).mock self.ironic_macs = {'new_mac', 'active_mac'} self.active_macs = {'active_mac'} - self.blacklist = {'gone_mac', 'active_mac'} - self.whitelist = {} - self.mock__get_black_white_lists.return_value = (self.blacklist, - self.whitelist) + self.denylist = {'gone_mac', 'active_mac'} + self.allowlist = {} + self.mock__get_deny_allow_lists.return_value = (self.denylist, + self.allowlist) self.mock_ironic.ports.return_value = [ mock.Mock(address=address) for address in self.ironic_macs] self.mock_active_macs.return_value = self.active_macs @@ -403,13 +403,13 @@ class TestSync(DnsmasqTestBase): def test__sync(self): self.driver._sync(self.mock_ironic) - self.mock__whitelist_mac.assert_called_once_with('active_mac') - self.mock__blacklist_mac.assert_called_once_with('new_mac') + self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac') + self.mock__add_mac_to_denylist.assert_called_once_with('new_mac') self.mock_ironic.ports.assert_called_once_with( limit=None, fields=['address']) self.mock_active_macs.assert_called_once_with() - self.mock__get_black_white_lists.assert_called_once_with() + self.mock__get_deny_allow_lists.assert_called_once_with() self.mock__configure_unknown_hosts.assert_called_once_with() self.mock__configure_removedlist.assert_called_once_with({'gone_mac'}) self.mock_log.debug.assert_has_calls([ @@ -426,13 +426,13 @@ class TestSync(DnsmasqTestBase): ] self.driver._sync(self.mock_ironic) - self.mock__whitelist_mac.assert_called_once_with('active_mac') - self.mock__blacklist_mac.assert_called_once_with('new_mac') + self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac') + self.mock__add_mac_to_denylist.assert_called_once_with('new_mac') self.mock_ironic.ports.assert_called_with( limit=None, fields=['address']) self.mock_active_macs.assert_called_once_with() - self.mock__get_black_white_lists.assert_called_once_with() + self.mock__get_deny_allow_lists.assert_called_once_with() self.mock__configure_removedlist.assert_called_once_with({'gone_mac'}) self.mock_log.debug.assert_has_calls([ mock.call('Syncing the driver'), diff --git a/ironic_inspector/test/unit/test_iptables.py b/ironic_inspector/test/unit/test_iptables.py index 25cdff305..939811dfb 100644 --- a/ironic_inspector/test/unit/test_iptables.py +++ b/ironic_inspector/test/unit/test_iptables.py @@ -44,9 +44,9 @@ class TestIptablesDriver(test_base.NodeTest): fixtures.MockPatchObject(self.driver, '_iptables')).mock self.mock_should_enable_dhcp = self.useFixture( fixtures.MockPatchObject(iptables, '_should_enable_dhcp')).mock - self.mock__get_blacklist = self.useFixture( - fixtures.MockPatchObject(iptables, '_get_blacklist')).mock - self.mock__get_blacklist.return_value = [] + self.mock__get_denylist = self.useFixture( + fixtures.MockPatchObject(iptables, '_get_denylist')).mock + self.mock__get_denylist.return_value = [] self.mock_ironic = mock.Mock() def check_fsm(self, events): @@ -143,7 +143,7 @@ class TestIptablesDriver(test_base.NodeTest): for (args, call) in zip(_iptables_expected_args, call_args_list): self.assertEqual(args, call[0]) - self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) + self.mock__get_denylist.assert_called_once_with(self.mock_ironic) self.check_fsm([pxe_filter.Events.sync]) def test__iptables_args_ipv4(self): @@ -175,11 +175,11 @@ class TestIptablesDriver(test_base.NodeTest): self.assertEqual(kwargs, call[1]) self.check_fsm([pxe_filter.Events.sync]) - def _test_sync_with_blacklist(self, expected_port): + def _test_sync_with_denylist(self, expected_port): self.driver = iptables.IptablesFilter() self.mock_iptables = self.useFixture( fixtures.MockPatchObject(self.driver, '_iptables')).mock - self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF'] + self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF'] self.mock_should_enable_dhcp.return_value = True _iptables_expected_args = [ @@ -188,9 +188,9 @@ class TestIptablesDriver(test_base.NodeTest): ('-F', self.driver.new_chain), ('-X', self.driver.new_chain), ('-N', self.driver.new_chain), - # Blacklist + # deny ('-A', self.driver.new_chain, '-m', 'mac', '--mac-source', - self.mock__get_blacklist.return_value[0], '-j', 'DROP'), + self.mock__get_denylist.return_value[0], '-j', 'DROP'), ('-A', self.driver.new_chain, '-j', 'ACCEPT'), ('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport', expected_port, '-j', self.driver.new_chain), @@ -208,36 +208,36 @@ class TestIptablesDriver(test_base.NodeTest): for (args, call) in zip(_iptables_expected_args, call_args_list): self.assertEqual(args, call[0]) - self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) + self.mock__get_denylist.assert_called_once_with(self.mock_ironic) # check caching self.mock_iptables.reset_mock() - self.mock__get_blacklist.reset_mock() + self.mock__get_denylist.reset_mock() self.driver.sync(self.mock_ironic) - self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) + self.mock__get_denylist.assert_called_once_with(self.mock_ironic) self.assertFalse(self.mock_iptables.called) - def test_sync_with_blacklist_ipv4(self): + def test_sync_with_denylist_ipv4(self): CONF.set_override('ip_version', '4', 'iptables') - self._test_sync_with_blacklist('67') + self._test_sync_with_denylist('67') - def test_sync_with_blacklist_ipv6(self): + def test_sync_with_denylist_ipv6(self): CONF.set_override('ip_version', '6', 'iptables') - self._test_sync_with_blacklist('547') + self._test_sync_with_denylist('547') def _test__iptables_clean_cache_on_error(self, expected_port): self.driver = iptables.IptablesFilter() self.mock_iptables = self.useFixture( fixtures.MockPatchObject(self.driver, '_iptables')).mock - self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF'] + self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF'] self.mock_should_enable_dhcp.return_value = True self.mock_iptables.side_effect = [None, None, RuntimeError('Oops!'), None, None, None, None, None, None] self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic) self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset]) - self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) + self.mock__get_denylist.assert_called_once_with(self.mock_ironic) # check caching syncs_expected_args = [ @@ -247,9 +247,9 @@ class TestIptablesDriver(test_base.NodeTest): ('-F', self.driver.new_chain), ('-X', self.driver.new_chain), ('-N', self.driver.new_chain), - # Blacklist + # deny ('-A', self.driver.new_chain, '-m', 'mac', '--mac-source', - self.mock__get_blacklist.return_value[0], '-j', 'DROP'), + self.mock__get_denylist.return_value[0], '-j', 'DROP'), ('-A', self.driver.new_chain, '-j', 'ACCEPT'), ('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport', expected_port, '-j', self.driver.new_chain), @@ -262,7 +262,7 @@ class TestIptablesDriver(test_base.NodeTest): self.mock_iptables.reset_mock() self.mock_iptables.side_effect = None - self.mock__get_blacklist.reset_mock() + self.mock__get_denylist.reset_mock() self.mock_fsm.reset_mock() self.driver.sync(self.mock_ironic) self.check_fsm([pxe_filter.Events.sync]) @@ -271,7 +271,7 @@ class TestIptablesDriver(test_base.NodeTest): for (idx, (args, call)) in enumerate(zip(syncs_expected_args, call_args_list)): self.assertEqual(args, call[0], 'idx: %s' % idx) - self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) + self.mock__get_denylist.assert_called_once_with(self.mock_ironic) def test__iptables_clean_cache_on_error_ipv4(self): CONF.set_override('ip_version', '4', 'iptables') @@ -377,9 +377,9 @@ class TestIBMapping(test_base.BaseTest): mock_open.assert_not_called() -class TestGetBlacklist(test_base.BaseTest): +class TestGetDenylist(test_base.BaseTest): def setUp(self): - super(TestGetBlacklist, self).setUp() + super(TestGetDenylist, self).setUp() self.mock__ib_mac_to_rmac_mapping = self.useFixture( fixtures.MockPatchObject(iptables, '_ib_mac_to_rmac_mapping')).mock self.mock_active_macs = self.useFixture( @@ -394,8 +394,8 @@ class TestGetBlacklist(test_base.BaseTest): self.mock_ironic.ports.return_value = mock_ports_list self.mock_active_macs.return_value = {'foo'} - ports = iptables._get_blacklist(self.mock_ironic) - # foo is an active address so we expect the blacklist contains only bar + ports = iptables._get_denylist(self.mock_ironic) + # foo is an active address so we expect the denylist contain only bar self.assertEqual(['bar'], ports) self.mock_ironic.ports.assert_called_once_with( limit=None, fields=['address', 'extra']) @@ -414,8 +414,8 @@ class TestGetBlacklist(test_base.BaseTest): ] self.mock_active_macs.return_value = {'foo'} - ports = iptables._get_blacklist(self.mock_ironic) - # foo is an active address so we expect the blacklist contains only bar + ports = iptables._get_denylist(self.mock_ironic) + # foo is an active address so we expect the denylist contain only bar self.assertEqual(['bar'], ports) self.mock_ironic.ports.assert_called_with( limit=None, fields=['address', 'extra'])