def testServiceIncorrectSyntax(self):
badservicedata = []
badservicedata.append('SVC1 = 80//tcp 80/udp')
badservicedata.append('SVC2 = 81/tcp')
testdefs = naming.Naming(None)
self.assertRaises(naming.NamingSyntaxError, testdefs.ParseServiceList,
badservicedata)
def testNamespaceCollisionError(self):
badservicedata = []
badservicedata.append('SVC1 = 80/tcp')
badservicedata.append('SVC1 = 81/udp')
testdefs = naming.Naming(None)
self.assertRaises(naming.NamespaceCollisionError,
testdefs.ParseServiceList, badservicedata)
def main(args):
FLAGS = parse_args(args)
# Do some sanity checking.
if FLAGS.policy_directory and FLAGS.policy:
# When parsing a single file, ignore default path of policy_directory.
FLAGS.policy_directory = False
if not (FLAGS.policy_directory or FLAGS.policy):
raise ValueError('must provide policy or policy_directive')
# Set log level to DEBUG if debug option is specified.
if FLAGS.debug:
logging.basicConfig(level=logging.DEBUG)
if not FLAGS.definitions:
_parser.error('no definitions supplied')
defs = naming.Naming(FLAGS.definitions)
if not defs:
print 'problem loading definitions'
return
count = 0
if FLAGS.policy_directory:
count = load_and_render(FLAGS.policy_directory, defs,
FLAGS.shade_check, FLAGS.exp_info,
FLAGS.output_directory)
elif FLAGS.policy:
count = render_filters(FLAGS.policy, defs, FLAGS.shade_check,
FLAGS.exp_info, FLAGS.output_directory)
print '%d filters rendered' % count
def main(args):
FLAGS(args)
logging.debug(
'binary: %s\noptimize: %d\base_directory: %s\n'
'policy_file: %s\nrendered_acl_directory: %s', str(sys.argv[0]),
int(FLAGS.optimize), str(FLAGS.base_directory), str(FLAGS.policy_file),
str(FLAGS.output_directory))
definitions = None
try:
definitions = naming.Naming(FLAGS.definitions_directory)
except naming.NoDefinitionsError:
logging.fatal('bad definitions directory: %s',
FLAGS.definitions_directory)
# thead-safe list for storing files to write
manager = multiprocessing.Manager()
write_files = manager.list()
with_errors = False
if FLAGS.policy_file:
# render just one file
logging.info('rendering one file')
RenderFile(FLAGS.policy_file, FLAGS.output_directory, definitions,
FLAGS.exp_info, write_files)
else:
# render all files in parallel
logging.info('finding policies...')
pols = []
pols.extend(
DescendRecursively(FLAGS.base_directory, FLAGS.output_directory,
definitions))
pool = multiprocessing.Pool(processes=FLAGS.max_renderers)
results = []
for x in pols:
results.append(
pool.apply_async(RenderFile,
args=(x.get('in_file'), x.get('out_dir'),
definitions, FLAGS.exp_info,
write_files)))
pool.close()
pool.join()
for result in results:
try:
result.get()
except (ACLParserError, ACLGeneratorError) as e:
with_errors = True
logging.warn(
'\n\nerror encountered in rendering process:\n%s\n\n', e)
# actually write files to disk
WriteFiles(write_files)
if with_errors:
logging.warn('done, with errors.')
sys.exit(1)
else:
logging.info('done.')
def setUp(self):
self.defs = naming.Naming(None)
servicedata = []
servicedata.append('SVC1 = 80/tcp 81/udp 82/tcp')
servicedata.append('SVC2 = 80/tcp 81/udp 82/tcp SVC2')
servicedata.append('SVC3 = 80/tcp 81/udp')
servicedata.append('SVC4 = 80/tcp # some service')
servicedata.append('TCP_90 = 90/tcp')
servicedata.append('SVC5 = TCP_90')
servicedata.append('SVC6 = SVC1 SVC5')
networkdata = []
networkdata.append('NET1 = 10.1.0.0/8 # network1')
networkdata.append('NET2 = 10.2.0.0/16 # network2.0')
networkdata.append(' NET1')
networkdata.append('9OCLOCK = 1.2.3.4/32 # 9 is the time')
networkdata.append('FOOBAR = 9OCLOCK')
networkdata.append('FOO_V6 = ::FFFF:FFFF:FFFF:FFFF')
networkdata.append('BAR_V6 = ::1/128')
networkdata.append('BAZ = FOO_V6')
networkdata.append(' BAR_V6')
networkdata.append('BING = NET1 # foo')
networkdata.append(' FOO_V6')
self.defs.ParseServiceList(servicedata)
self.defs.ParseNetworkList(networkdata)
def setUp(self):
"""Call before every test case."""
_parser = OptionParser()
_parser.add_option('-d', '--def', dest='definitions',
help='definitions directory', default='../def')
(FLAGS, args) = _parser.parse_args()
self.defs = naming.Naming(FLAGS.definitions)
def loadNaming(self, def_type, content, defs=None):
"""Load the given naming definition type and string blob"""
defs = defs or naming.Naming(None)
for lineno, line in enumerate(content.splitlines(), start=1):
defs._ParseLine(line, def_type, lineno=lineno)
return defs
def main(argv):
parser = OptionParser()
parser.add_option("-d", "--def", dest="defs", action="store",
help="Network Definitions directory location",
default="../def")
parser.add_option("-i", "--ip", dest="ip", action="store",
help="Return list of defintions containing this IP. "
"Multiple IPs permitted.")
parser.add_option("-t", "--token", dest="token", action="store",
help="See if an IP is contained within this token."
"Must be used in conjunction with --ip [addr].")
parser.add_option("-c", "--cmp", dest="cmp", action="store_true",
help="Compare two network definition tokens")
(options, args) = parser.parse_args()
db = naming.Naming(options.defs)
if options.ip is not None and options.token is None:
for arg in sys.argv[2:]:
print "%s: " % arg
rval = db.GetIpParents(arg)
print rval
if options.token is not None and options.ip is None:
print "You must specify and IP Address with --ip [addr] to check."
sys.exit(0)
if options.token is not None and options.ip is not None:
token = options.token
ip = options.ip
rval = db.GetIpParents(ip)
if token in rval:
print '%s is in %s' % (ip, token)
else:
print '%s is not in %s' % (ip, token)
if options.cmp is not None:
t1 = argv[2]
t2 = argv[3]
d1 = db.GetNet(t1)
d2 = db.GetNet(t2)
union = list(set(d1 + d2))
print 'Union of %s and %s:\n %s\n' % (t1, t2, union)
print 'Diff of %s and %s:' % (t1, t2)
for el in set(d1 + d2):
el = nacaddr.IP(el)
if el in d1 and el in d2:
print ' %s' % el
elif el in d1:
print '+ %s' % el
elif el in d2:
print '- %s' % el
def testUndefinedTokenNesting(self):
bad_servicedata = ['FOO = 7/tcp BAR']
bad_networkdata = ['NETGROUP = 10.0.0.0/8 FOOBAR']
baddefs = naming.Naming(None)
baddefs.ParseServiceList(bad_servicedata)
baddefs.ParseNetworkList(bad_networkdata)
self.assertRaises(naming.UndefinedServiceError, baddefs._CheckUnseen,
'services')
self.assertRaises(naming.UndefinedAddressError, baddefs._CheckUnseen,
'networks')
def setUp(self):
self.defs = naming.Naming(None)
servicedata = []
servicedata.append('SSH = 22/tcp')
networkdata = []
networkdata.append('NET172 = 172.16.0.0/12')
networkdata.append('NET10 = 10.0.0.0/8')
self.defs.ParseServiceList(servicedata)
self.defs.ParseNetworkList(networkdata)
self.pol = policy.ParsePolicy(POLICYTEXT, self.defs)
def __init__(self, filename, defs_data=None):
"""Build policy object and naming definitions from provided filenames.
Args:
filename: location of a .pol file
defs_data: location of naming definitions directory, if any
"""
self.defs = naming.Naming(defs_data)
self.filter = []
try:
self.data = open(filename, 'r').readlines()
except IOError, error_info:
info = str(filename) + ' cannot be opened'
raise FileOpenError('%s\n%s' % (info, error_info))
def main():
# TODO(robankeny): Lets move this to gflags
usage = 'usage: %prog [options] arg'
_parser = OptionParser(usage)
_parser.add_option('--definitions-directory',
dest='definitions',
help='definitions directory',
default='./def')
_parser.add_option('-p',
'--policy-file',
dest='pol',
help='policy file',
default='./policies/sample.pol')
_parser.add_option('-d',
'--destination',
dest='dst',
help='destination IP',
default='200.1.1.1')
_parser.add_option('-s',
'--source',
dest='src',
help='source IP',
default='any')
_parser.add_option('--proto',
'--protocol',
dest='proto',
help='Protocol (tcp, udp, icmp, etc.)',
default='tcp')
_parser.add_option('--dport',
'--destination-port',
dest='dport',
help='destination port',
default='80')
_parser.add_option('--sport',
'--source-port',
dest='sport',
help='source port',
default='1025')
(FLAGS, unused_args) = _parser.parse_args()
defs = naming.Naming(FLAGS.definitions)
policy_obj = policy.ParsePolicy(open(FLAGS.pol).read(), defs)
check = aclcheck.AclCheck(policy_obj,
src=FLAGS.src,
dst=FLAGS.dst,
sport=FLAGS.sport,
dport=FLAGS.dport,
proto=FLAGS.proto)
print(str(check))
def main():
if not FLAGS.definitions:
_parser.error('no definitions supplied')
defs = naming.Naming(FLAGS.definitions)
if not defs:
print 'problem loading definitions'
return
count = 0
if FLAGS.policy_directory:
count = load_and_render(FLAGS.policy_directory, defs,
FLAGS.shade_check, FLAGS.exp_info)
elif FLAGS.policy:
count = render_filters(FLAGS.policy, defs, FLAGS.shade_check,
FLAGS.exp_info)
print '%d filters rendered' % count
def loadPolicy(self,
net_content,
svc_content,
policy_content,
filename='unittest'):
"""Load the provided string blobs into a tracked parsed policy"""
defs = naming.Naming(None)
self.loadNaming('networks', net_content, defs=defs)
self.loadNaming('services', svc_content, defs=defs)
p = policy.ParsePolicy(
policy_content,
defs,
track=True,
optimize=False,
filename=filename,
)
return p
def main(parser):
""" Determines the code path based on the arguments passed.
Args:
parser as argparse.ArgumentParser: the argument parser, but not parsed yet.
"""
options = parser.parse_args()
db = naming.Naming(options.defs)
p = pprint.PrettyPrinter(indent=1, depth=4, width=1).pprint
# if -i and any other option:
if options.ip and any(
[options.gmp, options.cmp, options.obj, options.svc, options.port]):
print('You can only use -i with -t or by itself')
# if -i and -t
elif options.token and options.ip:
try:
get_nets([options.token], db)
except naming.UndefinedAddressError as e:
print("Network group '%s' is not defined!" %
(e.message.split()[0]))
else:
results = compare_ip_token(options, db)
print(results)
# if -t, but not -i; invalid!
elif options.token and not options.ip:
print('You must specify an IP Address with -i [addr]')
# if -i
elif options.ip:
for ip in options.ip:
groups = get_ip_parents(ip, db)
print('Results for IP: %s' % ip)
# iterate and print the tokens we found.
for name, networks in groups:
# print the group name [0], and the networks it was in [1]
print('%s %s' % (name, networks))
elif options.gmp:
common, diff1, diff2 = group_diff(options, db)
print_diff(options.gmp[0], common, diff1, diff2)
print('')
print_diff(options.gmp[1], common, diff2, diff1)
# if -c
elif options.cmp:
meta, results = compare_tokens(options, db)
print('Union of %s and %s:\n %s\n' % meta)
print('Diff of %s and %s:' % meta[:-1])
for i in results:
print(' ' + i)
print('')
first_obj, sec_obj = options.cmp
if check_encapsulated('network', first_obj, sec_obj, db):
print('%s fully encapsulates %s' % (sec_obj, first_obj))
else:
print('%s does _not_ fully encapsulate %s' % (sec_obj, first_obj))
# check the other way around.
if check_encapsulated('network', sec_obj, first_obj, db):
print('%s fully encapsulates %s' % (first_obj, sec_obj))
else:
print('%s does _not_ fully encapsulate %s' % (first_obj, sec_obj))
# if -o
elif options.obj:
for obj in options.obj:
try:
token, ips = get_nets([obj], db)[0]
except naming.UndefinedAddressError:
print('%s is an invalid object' % obj)
else:
print(token + ':')
# convert list of ip objects to strings and sort them
ips.sort(key=lambda x: int(x.ip))
p([str(x) for x in ips])
# if -s
elif options.svc:
try:
results = get_ports(options.svc, db)
except naming.UndefinedServiceError:
print('%s contains an invalid service object' % str(options.svc))
else:
for result in get_ports(options.svc, db):
svc, port = result
print(svc + ':')
p(port)
# if -p
elif options.port:
port, protocol, result = get_services(options, db)
print('%s/%s:' % (port, protocol))
p(result)
# if nothing is passed
elif not any((options.cmp, options.ip, options.token, options.obj,
options.svc, options.port)):
parser.print_help()
print('')
def setUp(self):
self.db = naming.Naming(None)
self.db.ParseServiceList(_SERVICE.split('\n'))
self.db.ParseNetworkList(_NETWORK.split('\n'))
def testParseServiceFile(self):
filedefs = naming.Naming(None)
data = io.BytesIO('HTTP = 80/tcp\n'.encode('utf8'))
filedefs._ParseFile(data, 'services')
self.assertEqual(filedefs.GetService('HTTP'), ['80/tcp'])
def testParseNetFile(self):
filedefs = naming.Naming(None)
data = io.BytesIO('FOO = 127.0.0.1 # some network\n'.encode('utf8'))
filedefs._ParseFile(data, 'networks')
self.assertEqual(filedefs.GetNetAddr('FOO'),
[nacaddr.IPv4('127.0.0.1')])