illumio / illumio-py

Python REST client for Illumio PCE APIs
Apache License 2.0

Rule Builder: creating rule with 'ams' string in actors field of Actor object results in href dereferencing exception #27

Closed RonGonz-illumio closed 1 year ago

RonGonz-illumio commented 1 year ago

The following code attempts to build a rule using 'AMS' (all workloads) as Actor in both consumer and provider:

        ipl_internal_obj = self._ipl_internal
        all_workloads_actor = Actor(actors='ams')
        all_services_obj = self._get_all_services_obj()
        intra_rules = [(all_workloads_actor, all_workloads_actor, all_services_obj.href),
                       (all_workloads_actor, ipl_internal_obj, all_services_obj.href)]

        for intra_rule in intra_rules:
            rule = illumio.Rule.build(
                providers=[intra_rule[0]],
                consumers=[intra_rule[1]],
                ingress_services=[intra_rule[2]],
                unscoped_consumers=False  # creates an extra-scope rule
            )

            self._pce.rules.create(rule, parent=ruleset)

However, the rule.py rule class is attempting to dereference an Href value which does not exist for an 'All Workloads' (ams) Actor:

    self._create_intra_scope_rules(ruleset)
  File "C:\Users\ron.gonzalez\PycharmProjects\pce_data_populator\main.py", line 195, in _create_intra_scope_rules
    rule = illumio.Rule.build(
  File "C:\Users\ron.gonzalez\PycharmProjects\pce_data_populator\venv\lib\site-packages\illumio\rules\rule.py", line 158, in build
    return super().build(providers, consumers, ingress_services, resolve_labels_as=resolve_labels_as, enabled=enabled, **kwargs)
  File "C:\Users\ron.gonzalez\PycharmProjects\pce_data_populator\venv\lib\site-packages\illumio\rules\rule.py", line 45, in build
    providers=[Actor.from_reference(provider) for provider in providers],
  File "C:\Users\ron.gonzalez\PycharmProjects\pce_data_populator\venv\lib\site-packages\illumio\rules\rule.py", line 45, in <listcomp>
    providers=[Actor.from_reference(provider) for provider in providers],
  File "C:\Users\ron.gonzalez\PycharmProjects\pce_data_populator\venv\lib\site-packages\illumio\rules\actor.py", line 30, in from_reference
    href = href_from(reference)
  File "C:\Users\ron.gonzalez\PycharmProjects\pce_data_populator\venv\lib\site-packages\illumio\util\jsonutils.py", line 260, in href_from
    raise IllumioException('Failed to extract HREF from value: {}'.format(reference))

What is the correct way to build a rule with an 'All Workloads' Actor? I do not believe an object with an HREF exists for the inbuilt "AMS" or 'All Workloads' actor; instead I believe this is a builtin.

RonGonz-illumio commented 1 year ago

Doing it another way (i.e. manually building a rule object):

        intra_rules = [(all_workloads_actor, all_workloads_actor, all_services_obj),
                       (all_workloads_actor, ipl_internal_obj, all_services_obj)]

        for intra_rule in intra_rules:
            rule = illumio.Rule(enabled=True, providers=[intra_rule[0]], consumers=[intra_rule[1]], ingress_services=[intra_rule[2]], unscoped_consumers=False)
            self._pce.rules.create(rule, parent=ruleset)

Yields:

API call returned error code 406. Errors:
input_validation_error: Input validation failed. Details: {The property '#/' did not contain a required property of 'resolve_labels_as' in schema sec_policy_rule_sets_sec_rules_post.schema.json} : APP_K | Test

RonGonz-illumio commented 1 year ago

I fixed the problem with the 'resolve_labels_as' issue by including the following block. I don't believe that is an issue with illumio-py.

        resolve_labels_block = LabelResolutionBlock(providers=["workloads"], consumers=["workloads"])
            rule = illumio.Rule(enabled=True, resolve_labels_as=resolve_labels_block, providers=[intra_rule[0]], consumers=[intra_rule[1]], ingress_services=[intra_rule[2]], unscoped_consumers=False)

dsommerville-illumio commented 1 year ago

The build function expects strings or references that can be converted to Actor objects, so if you pass in the "ams" literal rather than an Actor object it will work.

This is a case of insufficient type validation, a bit of a tricky issue in Python. I'm planning to deprecate the build functions entirely in a future change, but for now I'll see if I can improve the logic to accept Actor objects.
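
The type-validation gap discussed in this thread, as an added example that is not illumio-py code: a coercion step that accepts an existing Actor, the 'ams' literal, or anything carrying an HREF, and rejects everything else before a rule is sent to the API. The `Actor` dataclass, `to_actor`, `build_actors` and the `HREF_KINDS` mapping are hypothetical stand-ins written for this illustration.

```python
from dataclasses import dataclass
from typing import Any, Optional

AMS = "ams"  # "All Workloads" literal from the thread; it has no HREF

# Assumed mapping of HREF path segment -> actor field (illustrative only).
HREF_KINDS = {"labels": "label", "label_groups": "label_group",
              "workloads": "workload", "ip_lists": "ip_list"}


@dataclass(frozen=True)
class Actor:
    """Hypothetical stand-in for the client's Actor object."""
    actors: Optional[str] = None   # set to "ams" for All Workloads
    kind: Optional[str] = None     # e.g. "label", "ip_list"
    href: Optional[str] = None


def to_actor(reference: Any) -> Actor:
    """Coerce a rule provider/consumer argument into an Actor."""
    # 1. Already an Actor: pass it through instead of hunting for an HREF.
    if isinstance(reference, Actor):
        return reference
    # 2. The builtin literal: no HREF exists, so build the actor directly.
    if isinstance(reference, str) and reference == AMS:
        return Actor(actors=AMS)
    # 3. An HREF string, a dict with "href", or an object with .href.
    if isinstance(reference, str):
        href = reference
    elif isinstance(reference, dict):
        href = reference.get("href")
    else:
        href = getattr(reference, "href", None)
    if not isinstance(href, str) or not href.startswith("/"):
        raise TypeError(f"cannot build an Actor from {reference!r}")
    # 4. Reject HREFs of a type that is not valid as a rule actor.
    for segment, kind in HREF_KINDS.items():
        if f"/{segment}/" in href:
            return Actor(kind=kind, href=href)
    raise ValueError(f"HREF is not a valid rule actor type: {href}")


def build_actors(references):
    """Validate every entry up front so a bad one fails before any API call."""
    return [to_actor(ref) for ref in references]
```

Checking the type first means a malformed provider or consumer fails locally with a clear error instead of producing a policy rule the caller did not intend.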