Example #1
0
 def testServiceIncorrectSyntax(self):
     badservicedata = []
     badservicedata.append('SVC1 = 80//tcp 80/udp')
     badservicedata.append('SVC2 = 81/tcp')
     testdefs = naming.Naming(None)
     self.assertRaises(naming.NamingSyntaxError, testdefs.ParseServiceList,
                       badservicedata)
Example #2
0
 def testNamespaceCollisionError(self):
     badservicedata = []
     badservicedata.append('SVC1 = 80/tcp')
     badservicedata.append('SVC1 = 81/udp')
     testdefs = naming.Naming(None)
     self.assertRaises(naming.NamespaceCollisionError,
                       testdefs.ParseServiceList, badservicedata)
Example #3
0
def main(args):
    FLAGS = parse_args(args)

    # Do some sanity checking.
    if FLAGS.policy_directory and FLAGS.policy:
        # When parsing a single file, ignore default path of policy_directory.
        FLAGS.policy_directory = False
    if not (FLAGS.policy_directory or FLAGS.policy):
        raise ValueError('must provide policy or policy_directive')

    # Set log level to DEBUG if debug option is specified.
    if FLAGS.debug:
        logging.basicConfig(level=logging.DEBUG)

    if not FLAGS.definitions:
        _parser.error('no definitions supplied')
    defs = naming.Naming(FLAGS.definitions)
    if not defs:
        print 'problem loading definitions'
        return

    count = 0
    if FLAGS.policy_directory:
        count = load_and_render(FLAGS.policy_directory, defs,
                                FLAGS.shade_check, FLAGS.exp_info,
                                FLAGS.output_directory)

    elif FLAGS.policy:
        count = render_filters(FLAGS.policy, defs, FLAGS.shade_check,
                               FLAGS.exp_info, FLAGS.output_directory)

    print '%d filters rendered' % count
Example #4
0
def main(args):
    FLAGS(args)
    logging.debug(
        'binary: %s\noptimize: %d\base_directory: %s\n'
        'policy_file: %s\nrendered_acl_directory: %s', str(sys.argv[0]),
        int(FLAGS.optimize), str(FLAGS.base_directory), str(FLAGS.policy_file),
        str(FLAGS.output_directory))

    definitions = None
    try:
        definitions = naming.Naming(FLAGS.definitions_directory)
    except naming.NoDefinitionsError:
        logging.fatal('bad definitions directory: %s',
                      FLAGS.definitions_directory)

    # thead-safe list for storing files to write
    manager = multiprocessing.Manager()
    write_files = manager.list()

    with_errors = False
    if FLAGS.policy_file:
        # render just one file
        logging.info('rendering one file')
        RenderFile(FLAGS.policy_file, FLAGS.output_directory, definitions,
                   FLAGS.exp_info, write_files)
    else:
        # render all files in parallel
        logging.info('finding policies...')
        pols = []
        pols.extend(
            DescendRecursively(FLAGS.base_directory, FLAGS.output_directory,
                               definitions))

        pool = multiprocessing.Pool(processes=FLAGS.max_renderers)
        results = []
        for x in pols:
            results.append(
                pool.apply_async(RenderFile,
                                 args=(x.get('in_file'), x.get('out_dir'),
                                       definitions, FLAGS.exp_info,
                                       write_files)))
        pool.close()
        pool.join()

        for result in results:
            try:
                result.get()
            except (ACLParserError, ACLGeneratorError) as e:
                with_errors = True
                logging.warn(
                    '\n\nerror encountered in rendering process:\n%s\n\n', e)

    # actually write files to disk
    WriteFiles(write_files)

    if with_errors:
        logging.warn('done, with errors.')
        sys.exit(1)
    else:
        logging.info('done.')
Example #5
0
    def setUp(self):
        self.defs = naming.Naming(None)
        servicedata = []
        servicedata.append('SVC1 = 80/tcp 81/udp 82/tcp')
        servicedata.append('SVC2 = 80/tcp 81/udp 82/tcp SVC2')
        servicedata.append('SVC3 = 80/tcp 81/udp')
        servicedata.append('SVC4 = 80/tcp # some service')
        servicedata.append('TCP_90 = 90/tcp')
        servicedata.append('SVC5 = TCP_90')
        servicedata.append('SVC6 = SVC1 SVC5')
        networkdata = []
        networkdata.append('NET1 = 10.1.0.0/8 # network1')
        networkdata.append('NET2 = 10.2.0.0/16 # network2.0')
        networkdata.append('       NET1')
        networkdata.append('9OCLOCK = 1.2.3.4/32 # 9 is the time')
        networkdata.append('FOOBAR = 9OCLOCK')
        networkdata.append('FOO_V6 = ::FFFF:FFFF:FFFF:FFFF')
        networkdata.append('BAR_V6 = ::1/128')
        networkdata.append('BAZ = FOO_V6')
        networkdata.append('      BAR_V6')
        networkdata.append('BING = NET1 # foo')
        networkdata.append('       FOO_V6')

        self.defs.ParseServiceList(servicedata)
        self.defs.ParseNetworkList(networkdata)
Example #6
0
 def setUp(self):
   """Call before every test case."""
   _parser = OptionParser()
   _parser.add_option('-d', '--def', dest='definitions',
                      help='definitions directory', default='../def')
   (FLAGS, args) = _parser.parse_args()
   self.defs = naming.Naming(FLAGS.definitions)
    def loadNaming(self, def_type, content, defs=None):
        """Load the given naming definition type and string blob"""

        defs = defs or naming.Naming(None)
        for lineno, line in enumerate(content.splitlines(), start=1):
            defs._ParseLine(line, def_type, lineno=lineno)
        return defs
Example #8
0
def main(argv):
  parser = OptionParser()

  parser.add_option("-d", "--def", dest="defs", action="store",
                    help="Network Definitions directory location",
                    default="../def")
  parser.add_option("-i", "--ip", dest="ip", action="store",
                    help="Return list of defintions containing this IP.  "
                         "Multiple IPs permitted.")

  parser.add_option("-t", "--token", dest="token", action="store",
                    help="See if an IP is contained within this token."
                         "Must be used in conjunction with --ip [addr].")

  parser.add_option("-c", "--cmp", dest="cmp", action="store_true",
                    help="Compare two network definition tokens")

  (options, args) = parser.parse_args()

  db = naming.Naming(options.defs)

  if options.ip is not None and options.token is None:
    for arg in sys.argv[2:]:
      print "%s: " % arg
      rval = db.GetIpParents(arg)
      print rval

  if options.token is not None and options.ip is None:
    print "You must specify and IP Address with --ip [addr] to check."
    sys.exit(0)

  if options.token is not None and options.ip is not None:
    token = options.token
    ip = options.ip
    rval = db.GetIpParents(ip)
    if token in rval:
      print '%s is in %s' % (ip, token)
    else:
      print '%s is not in %s' % (ip, token)

  if options.cmp is not None:
    t1 = argv[2]
    t2 = argv[3]
    d1 = db.GetNet(t1)
    d2 = db.GetNet(t2)
    union = list(set(d1 + d2))
    print 'Union of %s and %s:\n %s\n' % (t1, t2, union)
    print 'Diff of %s and %s:' % (t1, t2)
    for el in set(d1 + d2):
      el = nacaddr.IP(el)
      if el in d1 and el in d2:
        print '  %s' % el
      elif el in d1:
          print '+ %s' % el
      elif el in d2:
          print '- %s' % el
Example #9
0
 def testUndefinedTokenNesting(self):
     bad_servicedata = ['FOO = 7/tcp BAR']
     bad_networkdata = ['NETGROUP = 10.0.0.0/8 FOOBAR']
     baddefs = naming.Naming(None)
     baddefs.ParseServiceList(bad_servicedata)
     baddefs.ParseNetworkList(bad_networkdata)
     self.assertRaises(naming.UndefinedServiceError, baddefs._CheckUnseen,
                       'services')
     self.assertRaises(naming.UndefinedAddressError, baddefs._CheckUnseen,
                       'networks')
Example #10
0
    def setUp(self):
        self.defs = naming.Naming(None)
        servicedata = []
        servicedata.append('SSH = 22/tcp')
        networkdata = []
        networkdata.append('NET172 = 172.16.0.0/12')
        networkdata.append('NET10 = 10.0.0.0/8')

        self.defs.ParseServiceList(servicedata)
        self.defs.ParseNetworkList(networkdata)
        self.pol = policy.ParsePolicy(POLICYTEXT, self.defs)
Example #11
0
    def __init__(self, filename, defs_data=None):
        """Build policy object and naming definitions from provided filenames.

    Args:
      filename: location of a .pol file
      defs_data: location of naming definitions directory, if any
    """
        self.defs = naming.Naming(defs_data)
        self.filter = []
        try:
            self.data = open(filename, 'r').readlines()
        except IOError, error_info:
            info = str(filename) + ' cannot be opened'
            raise FileOpenError('%s\n%s' % (info, error_info))
Example #12
0
def main():
    # TODO(robankeny): Lets move this to gflags
    usage = 'usage: %prog [options] arg'
    _parser = OptionParser(usage)
    _parser.add_option('--definitions-directory',
                       dest='definitions',
                       help='definitions directory',
                       default='./def')
    _parser.add_option('-p',
                       '--policy-file',
                       dest='pol',
                       help='policy file',
                       default='./policies/sample.pol')
    _parser.add_option('-d',
                       '--destination',
                       dest='dst',
                       help='destination IP',
                       default='200.1.1.1')
    _parser.add_option('-s',
                       '--source',
                       dest='src',
                       help='source IP',
                       default='any')
    _parser.add_option('--proto',
                       '--protocol',
                       dest='proto',
                       help='Protocol (tcp, udp, icmp, etc.)',
                       default='tcp')
    _parser.add_option('--dport',
                       '--destination-port',
                       dest='dport',
                       help='destination port',
                       default='80')
    _parser.add_option('--sport',
                       '--source-port',
                       dest='sport',
                       help='source port',
                       default='1025')
    (FLAGS, unused_args) = _parser.parse_args()

    defs = naming.Naming(FLAGS.definitions)
    policy_obj = policy.ParsePolicy(open(FLAGS.pol).read(), defs)
    check = aclcheck.AclCheck(policy_obj,
                              src=FLAGS.src,
                              dst=FLAGS.dst,
                              sport=FLAGS.sport,
                              dport=FLAGS.dport,
                              proto=FLAGS.proto)
    print(str(check))
Example #13
0
def main():
    if not FLAGS.definitions:
        _parser.error('no definitions supplied')
    defs = naming.Naming(FLAGS.definitions)
    if not defs:
        print 'problem loading definitions'
        return

    count = 0
    if FLAGS.policy_directory:
        count = load_and_render(FLAGS.policy_directory, defs,
                                FLAGS.shade_check, FLAGS.exp_info)

    elif FLAGS.policy:
        count = render_filters(FLAGS.policy, defs, FLAGS.shade_check,
                               FLAGS.exp_info)

    print '%d filters rendered' % count
    def loadPolicy(self,
                   net_content,
                   svc_content,
                   policy_content,
                   filename='unittest'):
        """Load the provided string blobs into a tracked parsed policy"""

        defs = naming.Naming(None)
        self.loadNaming('networks', net_content, defs=defs)
        self.loadNaming('services', svc_content, defs=defs)
        p = policy.ParsePolicy(
            policy_content,
            defs,
            track=True,
            optimize=False,
            filename=filename,
        )
        return p
Example #15
0
def main(parser):
    """ Determines the code path based on the arguments passed.

  Args:
    parser as argparse.ArgumentParser: the argument parser, but not parsed yet.
  """
    options = parser.parse_args()
    db = naming.Naming(options.defs)
    p = pprint.PrettyPrinter(indent=1, depth=4, width=1).pprint

    # if -i and any other option:
    if options.ip and any(
        [options.gmp, options.cmp, options.obj, options.svc, options.port]):
        print('You can only use -i with -t or by itself')

    # if -i and -t
    elif options.token and options.ip:
        try:
            get_nets([options.token], db)
        except naming.UndefinedAddressError as e:
            print("Network group '%s' is not defined!" %
                  (e.message.split()[0]))
        else:
            results = compare_ip_token(options, db)
            print(results)

    # if -t, but not -i; invalid!
    elif options.token and not options.ip:
        print('You must specify an IP Address with -i [addr]')

    # if -i
    elif options.ip:
        for ip in options.ip:
            groups = get_ip_parents(ip, db)
            print('Results for IP: %s' % ip)
            # iterate and print the tokens we found.
            for name, networks in groups:
                # print the group name [0], and the networks it was in [1]
                print('%s  %s' % (name, networks))

    elif options.gmp:
        common, diff1, diff2 = group_diff(options, db)
        print_diff(options.gmp[0], common, diff1, diff2)
        print('')
        print_diff(options.gmp[1], common, diff2, diff1)

    # if -c
    elif options.cmp:
        meta, results = compare_tokens(options, db)
        print('Union of %s and %s:\n %s\n' % meta)
        print('Diff of %s and %s:' % meta[:-1])
        for i in results:
            print(' ' + i)
        print('')
        first_obj, sec_obj = options.cmp
        if check_encapsulated('network', first_obj, sec_obj, db):
            print('%s fully encapsulates %s' % (sec_obj, first_obj))
        else:
            print('%s does _not_ fully encapsulate %s' % (sec_obj, first_obj))
        # check the other way around.
        if check_encapsulated('network', sec_obj, first_obj, db):
            print('%s fully encapsulates %s' % (first_obj, sec_obj))
        else:
            print('%s does _not_ fully encapsulate %s' % (first_obj, sec_obj))

    # if -o
    elif options.obj:
        for obj in options.obj:
            try:
                token, ips = get_nets([obj], db)[0]
            except naming.UndefinedAddressError:
                print('%s is an invalid object' % obj)
            else:
                print(token + ':')
                # convert list of ip objects to strings and sort them
                ips.sort(key=lambda x: int(x.ip))
                p([str(x) for x in ips])

    # if -s
    elif options.svc:
        try:
            results = get_ports(options.svc, db)
        except naming.UndefinedServiceError:
            print('%s contains an invalid service object' % str(options.svc))
        else:
            for result in get_ports(options.svc, db):
                svc, port = result
                print(svc + ':')
                p(port)

    # if -p
    elif options.port:
        port, protocol, result = get_services(options, db)
        print('%s/%s:' % (port, protocol))
        p(result)

    # if nothing is passed
    elif not any((options.cmp, options.ip, options.token, options.obj,
                  options.svc, options.port)):
        parser.print_help()
    print('')
Example #16
0
 def setUp(self):
     self.db = naming.Naming(None)
     self.db.ParseServiceList(_SERVICE.split('\n'))
     self.db.ParseNetworkList(_NETWORK.split('\n'))
Example #17
0
 def testParseServiceFile(self):
     filedefs = naming.Naming(None)
     data = io.BytesIO('HTTP = 80/tcp\n'.encode('utf8'))
     filedefs._ParseFile(data, 'services')
     self.assertEqual(filedefs.GetService('HTTP'), ['80/tcp'])
Example #18
0
 def testParseNetFile(self):
     filedefs = naming.Naming(None)
     data = io.BytesIO('FOO = 127.0.0.1 # some network\n'.encode('utf8'))
     filedefs._ParseFile(data, 'networks')
     self.assertEqual(filedefs.GetNetAddr('FOO'),
                      [nacaddr.IPv4('127.0.0.1')])