def testAddressExclude(self):
  """Excluded networks are rendered with an "except" clause for src and dst terms."""
  big = nacaddr.IPv4("0.0.0.0/1")
  ip1 = nacaddr.IPv4("10.0.0.0/8")
  ip2 = nacaddr.IPv4("172.16.0.0/12")
  terms = (GOOD_TERM_18_SRC, GOOD_TERM_18_DST)
  # GetNetAddr is consulted twice per term (see the expected calls below), so
  # queue two results per term in the same order.
  self.naming.GetNetAddr.side_effect = [[big, ip1, ip2], [ip1]] * len(terms)
  mock_calls = []
  for term in terms:
    atp = arista_tp.AristaTrafficPolicy(
        policy.ParsePolicy(GOOD_HEADER + term, self.naming), EXP_INFO)
    output = str(atp)
    self.assertIn("except 10.0.0.0/8", output, output)
    # note that the additional spaces are in the following assert to ensure
    # that it's not being rendered w/o the "except"
    # NOTE(review): the leading whitespace of this literal looks collapsed in
    # this copy; with a single space it is a substring of "except 10.0.0.0/8"
    # asserted above — confirm the literal against the original source.
    self.assertNotIn(" 10.0.0.0/8", output, output)
    self.assertIn("172.16.0.0/12", output, output)
    self.assertNotIn("except 172.16.0.0/12", output, output)
    mock_calls.append(mock.call("INTERNAL"))
    mock_calls.append(mock.call("SOME_HOST"))
  self.naming.GetNetAddr.assert_has_calls(mock_calls)
def testMixedInet(self):
  """Mixed v4/v6 tokens in an inet term: only the ipv4 match is rendered."""
  dual_stack_hosts = [
      nacaddr.IP("8.8.4.4"),
      nacaddr.IP("8.8.8.8"),
      nacaddr.IP("2001:4860:4860::8844"),
      nacaddr.IP("2001:4860:4860::8888"),
  ]
  private_nets = [
      nacaddr.IP("10.0.0.0/8"),
      nacaddr.IP("172.16.0.0/12"),
      nacaddr.IP("192.168.0.0/16"),
  ]
  # First lookup answers the source token, second the destination token.
  self.naming.GetNetAddr.side_effect = [dual_stack_hosts, private_nets]
  parsed = policy.ParsePolicy(GOOD_HEADER + MIXED_INET, self.naming)
  output = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  for expected in ("match MIXED_INET ipv4",
                   "source prefix 8.8.4.4/32",
                   "destination prefix 10.0.0.0/8"):
    self.assertIn(expected, output, output)
  # The v6 addresses must be dropped rather than emitted as an ipv6 match.
  for unexpected in ("match ipv6-MIXED_INET ipv6",
                     "source prefix 2001:4860:4860::8844/128"):
    self.assertNotIn(unexpected, output, output)
def testSrcFsMixed(self):
  """A mixed source field-set is split into an ipv4 and an ipv6 field-set."""
  source_nets = [
      nacaddr.IP("8.8.4.0/24"),
      nacaddr.IP("8.8.8.0/24"),
      nacaddr.IP("2001:4860:4860::/64"),
      nacaddr.IP("2001:4860:4860::/64"),
      nacaddr.IP("2001:4860:4861::/64"),
  ]
  destination_hosts = [
      nacaddr.IP("2001:4860:4860::8844"),
      nacaddr.IP("2001:4860:4861::8888"),
      nacaddr.IP("8.8.4.4"),
      nacaddr.IP("8.8.8.8"),
  ]
  self.naming.GetNetAddr.side_effect = [source_nets, destination_hosts]
  parsed = policy.ParsePolicy(GOOD_HEADER + SRC_FIELD_SET_MIXED, self.naming)
  output = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  # Both the field-set definitions and their references must be present.
  for expected in ("field-set ipv4 prefix src-FS_MIXED",
                   "field-set ipv6 prefix src-ipv6-FS_MIXED",
                   "source prefix field-set src-FS_MIXED",
                   "source prefix field-set src-ipv6-FS_MIXED"):
    self.assertIn(expected, output, output)
def testOwnerTerm(self):
  """The term owner is emitted as a comment line."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_OWNER, self.naming)
  output = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  # NOTE(review): the address in this literal looks like a scraper
  # placeholder ("[email protected]"); confirm against the original source.
  self.assertIn("!! owner: [email protected]", output, output)
def testLoggingOption(self):
  """A deny term with logging enabled renders a "log" action line."""
  parsed = policy.ParsePolicy(GOOD_HEADER + LOGGING_DENY, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn(" log\n", rendered)
def testProtocolExceptList(self):
  """protocol-except with several protocols renders the complementary ranges."""
  parsed = policy.ParsePolicy(GOOD_HEADER + PROTO_EXC_LIST, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn("protocol 1,3-7,9-26,28-255", rendered, rendered)
def testProtocol(self):
  """Multiple named protocols render on one "protocol" line."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn("protocol icmp tcp", rendered, rendered)
def testIcmpCode(self):
  """ICMP codes render as a comma-separated "code" list."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_35, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn("code 3,4", rendered, rendered)
def testHopOptProtocol(self):
  """The hopopt protocol renders by its number, 0."""
  parsed = policy.ParsePolicy(GOOD_HEADER + HOPOPT_TERM, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn("protocol 0", rendered, rendered)
def testTTL(self):
  """A ttl option renders as a "ttl" match line."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_21, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn("ttl 10", rendered)
def testFragmentOffset(self):
  """A fragment-offset range renders as a "fragment offset" match line."""
  parsed = policy.ParsePolicy(GOOD_HEADER + FRAGOFFSET_TERM, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  self.assertIn("fragment offset 1-7", rendered, rendered)
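def _GeneratorTable():
  """Return the per-platform generator table, in rendering order.

  Each entry is (platform token, output-name infix, generator class,
  extra keyword arguments for the generator). The order is the historical
  order of the per-platform branches, so the sequence of entries appended to
  write_files is unchanged. Built lazily so the generator modules are only
  looked up when a file is actually rendered.
  """
  return (
      ('juniper', '', juniper.Juniper, {}),
      ('msmpc', '', junipermsmpc.JuniperMSMPC, {}),
      ('srx', '', junipersrx.JuniperSRX, {}),
      ('cisco', '', cisco.Cisco, {}),
      ('ciscoasa', '', ciscoasa.CiscoASA, {}),
      ('aruba', '', aruba.Aruba, {}),
      ('brocade', '', brocade.Brocade, {}),
      ('arista', '', arista.Arista, {}),
      ('arista_tp', '', arista_tp.AristaTrafficPolicy, {}),
      ('ipset', '', ipset.Ipset, {}),
      ('iptables', '', iptables.Iptables, {}),
      ('nsxv', '', nsxv.Nsxv, {}),
      ('speedway', '', speedway.Speedway, {}),
      # pcap renders twice from the same policy: an accept filter and an
      # inverted deny filter, distinguished by the file-name infix.
      ('pcap', '-accept', pcap.PcapFilter, {}),
      ('pcap', '-deny', pcap.PcapFilter, {'invert': True}),
      ('packetfilter', '', packetfilter.PacketFilter, {}),
      ('windows_advfirewall', '', windows_advfirewall.WindowsAdvFirewall, {}),
      ('srxlo', '', srxlo.SRXlo, {}),
      ('cisconx', '', cisconx.CiscoNX, {}),
      ('ciscoxr', '', ciscoxr.CiscoXR, {}),
      ('nftables', '', nftables.Nftables, {}),
      ('gce', '', gce.GCE, {}),
      ('gcp_hf', '', gcp_hf.HierarchicalFirewall, {}),
      ('paloalto', '', paloaltofw.PaloAltoFW, {}),
      ('cloudarmor', '', cloudarmor.CloudArmor, {}),
  )


def RenderFile(base_directory: str, input_file: pathlib.Path,
               output_directory: pathlib.Path, definitions: naming.Naming,
               exp_info: int, optimize: bool, shade_check: bool,
               write_files: WriteList):
  """Render a single file.

  The policy is parsed once and then rendered for every platform named in
  its headers; each generator receives its own deep copy of the parsed
  policy (presumably because generators modify the policy they are handed —
  TODO confirm) so platforms cannot influence each other.

  Args:
    base_directory: The base directory to look for acls.
    input_file: the name of the input policy file.
    output_directory: the directory in which we place the rendered file.
    definitions: the definitions from naming.Naming().
    exp_info: print a info message when a term is set to expire
              in that many weeks.
    optimize: a boolean indicating if we should turn on optimization or not.
    shade_check: should we raise an error if a term is completely shaded
    write_files: a list of file tuples, (output_file, acl_text), to write

  Raises:
    IOError: the input file could not be read (logged, then re-raised).
    ACLParserError: the policy could not be parsed.
    ACLGeneratorError: a generator raised one of the known generator errors.
  """
  output_relative = input_file.relative_to(base_directory).parent.parent
  output_directory = output_directory / output_relative
  logging.debug('rendering file: %s into %s', input_file, output_directory)

  try:
    with open(input_file) as f:
      conf = f.read()
    logging.debug('opened and read %s', input_file)
  except IOError as e:
    logging.warning('bad file: \n%s', e)
    raise

  try:
    pol = policy.ParsePolicy(conf, definitions, optimize=optimize,
                             base_dir=base_directory, shade_check=shade_check)
  except policy.ShadingError as e:
    # A fully shaded term is reported but does not abort the run: nothing is
    # rendered for this file.
    logging.warning('shading errors for %s:\n%s', input_file, e)
    return
  except (policy.Error, naming.Error) as e:
    raise ACLParserError('Error parsing policy file %s:\n%s%s' %
                         (input_file, type(e), e)) from e

  platforms = {p for header in pol.headers for p in header.platforms}

  acl_obj: aclgenerator.ACLGenerator
  try:
    for platform, infix, generator, kwargs in _GeneratorTable():
      if platform not in platforms:
        continue
      acl_obj = generator(copy.deepcopy(pol), exp_info, **kwargs)
      RenderACL(str(acl_obj), infix + acl_obj.SUFFIX, output_directory,
                input_file, write_files)
  # TODO(robankeny) add additional errors.
  except (juniper.Error, junipermsmpc.Error, junipersrx.Error, cisco.Error,
          ipset.Error, iptables.Error, speedway.Error, pcap.Error,
          aclgenerator.Error, aruba.Error, nftables.Error, gce.Error,
          cloudarmor.Error) as e:
    raise ACLGeneratorError('Error generating target ACL for %s:\n%s' %
                            (input_file, e)) from e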
def testProtocolExceptTcp(self):
  """protocol-except tcp renders the complementary range for both families."""
  parsed = policy.ParsePolicy(GOOD_HEADER + PROTO_EXC_TCP, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  # Both the range starting at 1 and the one starting at 0 are expected.
  for expected in ("protocol 1-5,7-255", "protocol 0-5,7-255"):
    self.assertIn(expected, rendered, rendered)
def testDefaultDeny(self):
  """A default-all term is rendered as an ipv4 and an ipv6 match."""
  parsed = policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1, self.naming)
  rendered = str(arista_tp.AristaTrafficPolicy(parsed, EXP_INFO))
  for expected in ("match ipv4-default-all ipv4",
                   "match ipv6-default-all ipv6"):
    self.assertIn(expected, rendered, rendered)
def testBuildWarningTokens(self):
  """_BuildTokens reports exactly the supported tokens and sub-tokens."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming)
  generator = arista_tp.AristaTrafficPolicy(parsed, EXP_INFO)
  supported, supported_sub = generator._BuildTokens()
  self.assertEqual(supported, SUPPORTED_TOKENS)
  self.assertEqual(supported_sub, SUPPORTED_SUB_TOKENS)