Beispiel #1
0
 def make_ace(self,
              protocol_direction,
              target_url,
              protocol,
              match_type,
              direction_initiated,
              ip_version,
              local_ports=None,
              remote_ports=None):
     ace = []
     number_local_ports = len(local_ports) if type(
         local_ports) == list else 1
     number_remote_ports = len(remote_ports) if type(
         remote_ports) == list else 1
     for l in range(number_local_ports):
         for r in range(number_remote_ports):
             ace.append(
                 self.make_sub_ace(
                     get_sub_ace_name(get_ace_name(match_type),
                                      protocol_direction, l + r),
                     protocol_direction, target_url, protocol, match_type,
                     direction_initiated, ip_version,
                     local_ports[l] if local_ports is not None else None,
                     remote_ports[r] if remote_ports is not None else None))
     return ace
Beispiel #2
0
def make_ace(protocol_direction,
             target_url,
             protocol,
             match_types,
             direction_initiated,
             ip_version,
             local_ports=None,
             remote_ports=None):
    ace = []
    number_local_ports = len(local_ports) if type(local_ports) == list else 1
    number_remote_ports = len(remote_ports) if type(
        remote_ports) == list else 1
    for i in range(len(match_types)) if not isinstance(
            match_types, MatchType) else range(1):
        match_type = match_types[i] if not isinstance(
            match_types, MatchType) else match_types
        for l in range(number_local_ports):
            for r in range(number_remote_ports):
                ace.append(
                    make_sub_ace(
                        #get_sub_ace_name(get_ace_name(match_type), direction_initiated, i + l + r),
                        get_sub_ace_name(get_ace_name(match_type),
                                         protocol_direction, i + l + r),
                        protocol_direction,
                        target_url,
                        protocol,
                        match_type,
                        direction_initiated,
                        ip_version,
                        local_ports[l] if local_ports is not None else None,
                        remote_ports[r] if remote_ports is not None else None))
    return ace
Beispiel #3
0
def append_sub_ace(ace,
                   protocol_direction,
                   target_url,
                   protocol,
                   match_type,
                   direction_initiated,
                   ip_version,
                   local_port=None,
                   remote_port=None):
    # Determine what number instance this sub_ace will be
    ace_name = get_ace_name(match_type)
    iteration = 0
    for i in ace:
        if i["name"].startswith(ace_name):
            iteration += 1
    ace.append(
        make_sub_ace(
            get_sub_ace_name(get_ace_name(match_type), direction_initiated,
                             iteration), protocol_direction, target_url,
            protocol, match_type, direction_initiated, ip_version, local_port,
            remote_port))
    return ace
Beispiel #4
0
    def make_mud_5(self):
        #mud = self.support_info
        #mud.update(self.policies)
        #self.mud_file = {'ietf-mud:mud': mud, 'ietf-access-control-list:acls': {'acl': self.acls}}
        #return self.mud_file

        #def assemble_mud(self):

        if self.ip_version == IPVersion.BOTH:
            ip_version = [IPVersion.IPV4, IPVersion.IPV6]
            self.acl = [
                self.acl_v4_to, self.acl_v4_from, self.acl_v6_to,
                self.acl_v6_from
            ]
        else:
            ip_version = [self.ip_version]
            if self.ip_version == IPVersion.IPV4:
                #self.acl_v4_to = {}
                #self.acl_v4_from = {}
                self.acl = [self.acl_v4_to, self.acl_v4_from]
            elif self.ip_version == IPVersion.IPV6:
                #self.acl_v6_to = {}
                #self.acl_v6_from = {}
                self.acl = [self.acl_v6_to, self.acl_v6_from]

        rule_list = [(MatchType.IS_LOCAL, self.rules_local),
                     (MatchType.IS_CLOUD, self.rules_cloud),
                     (MatchType.IS_CONTROLLER, self.rules_controller),
                     (MatchType.IS_MY_CONTROLLER, self.rules_controller_my),
                     (MatchType.IS_MFG, self.rules_manufacturer),
                     (MatchType.IS_MYMFG, self.rules_manufacturer_my)]

        # Not the most efficient way to do this, but it works
        for (i, (match_type, rules)) in enumerate(rule_list):
            for (j, rule) in enumerate(rules):
                for protocol_direction in [
                        Direction.TO_DEVICE, Direction.FROM_DEVICE
                ]:
                    for ipv in ip_version:
                        sub_ace_name = get_sub_ace_name(
                            get_ace_name(match_type), protocol_direction, j)
                        match = {}
                        ip_version_string = get_ipversion_string(ipv)
                        source_port = None
                        destination_port = None
                        direction_initiated = rule.get('direction_initiated')

                        if rule.get('ietf-mud:mud') is not None:
                            match['ietf-mud:mud'] = rule['ietf-mud:mud']
                            cloud_entry = None
                        else:
                            cloud_entry = make_acldns_match(
                                rule['target_url'], protocol_direction)

                        if rule['protocol'] is Protocol.ANY:
                            if cloud_entry:
                                match[ip_version_string] = cloud_entry
                        else:
                            if protocol_direction is Direction.FROM_DEVICE:
                                source_port = rule.get('remote_port')
                                destination_port = rule.get('local_port')
                            elif protocol_direction is Direction.TO_DEVICE:
                                source_port = rule.get('local_port')
                                destination_port = rule.get('remote_port')
                            if rule['protocol'] is Protocol.TCP:
                                match[ip_version_string] = rule.get(
                                    "cloud_placeholder").copy(
                                    )  # {'protocol': 6}
                                if source_port is not None or destination_port is not None or \
                                        direction_initiated is not None:
                                    match['tcp'] = make_port_range(
                                        direction_initiated, source_port,
                                        destination_port)
                            elif rule['protocol'] is Protocol.UDP:
                                match[ip_version_string] = rule.get(
                                    "cloud_placeholder").copy(
                                    )  # {'protocol': 17}
                                if rule.get(
                                        'source_port') is not None or rule.get(
                                            'destination_port') is not None:
                                    match['udp'] = make_port_range(
                                        dir_init=None,
                                        source_port=source_port,
                                        destination_port=destination_port)
                            else:
                                raise InputException(
                                    f'protocol is not valid: {rule["protocol"]}'
                                )
                            if cloud_entry:
                                match[ip_version_string].update(cloud_entry)

                        ace = {
                            'name': sub_ace_name,
                            'matches': match,
                            'actions': {
                                'forwarding': 'accept'
                            }
                        }

                        if ipv == IPVersion.IPV4:
                            if protocol_direction == Direction.TO_DEVICE:
                                self.acl_v4_to['aces']['ace'].append(ace)
                                #self.acl.append(self.acl_v4_to.copy())
                            else:
                                self.acl_v4_from['aces']['ace'].append(ace)
                                #self.acl.append(self.acl_v4_from.copy())
                        elif ipv == IPVersion.IPV6:
                            if protocol_direction == Direction.TO_DEVICE:
                                self.acl_v6_to['aces']['ace'].append(ace)
                                #self.acl.append(self.acl_v6_to.copy())
                            else:
                                self.acl_v6_from['aces']['ace'].append(ace)
                                #self.acl.append(self.acl_v6_from.copy())

        mud = self.support_info
        mud.update(self.policies)
        self.mud_file = {
            'ietf-mud:mud': mud,
            'ietf-access-control-list:acls': {
                'acl': self.acl
            }
        }
        return self.mud_file