Exemple #1
0
 def testBuildWarningTokens(self):
     pol1 = ipset.Ipset(
         policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4, self.naming),
         EXP_INFO)
     st, sst = pol1._BuildTokens()
     self.assertEqual(st, SUPPORTED_TOKENS)
     self.assertEqual(sst, SUPPORTED_SUB_TOKENS)
Exemple #2
0
 def testAddsExistsOption(self):
   self.naming.GetNetAddr.return_value = [
       nacaddr.IPv4('10.0.0.0/24'), nacaddr.IPv4('10.1.0.0/24')]
   acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_1,
                                        self.naming), EXP_INFO)
   self.assertIn('create -exist', str(acl))
   self.assertIn('add -exist', str(acl))
Exemple #3
0
    def testManySourceAndDestinationAddresses(self):
        self.naming.GetNetAddr.side_effect = [[
            nacaddr.IPv4('10.0.0.0/24'),
            nacaddr.IPv4('10.1.0.0/24')
        ], [nacaddr.IPv4('172.16.0.0/24'),
            nacaddr.IPv4('172.17.0.0/24')]]

        acl = ipset.Ipset(
            policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3, self.naming),
            EXP_INFO)
        result = str(acl)
        self.assertIn(
            'create good-term-3-src hash:net family inet hashsize '
            '4 maxelem 4', result)
        self.assertIn(
            'create good-term-3-dst hash:net family inet hashsize '
            '4 maxelem 4', result)
        self.assertIn('add good-term-3-src 10.0.0.0/24', result)
        self.assertIn('add good-term-3-src 10.1.0.0/24', result)
        self.assertIn('add good-term-3-dst 172.16.0.0/24', result)
        self.assertIn('add good-term-3-dst 172.17.0.0/24', result)
        self.assertIn('-m set --match-set good-term-3-src src', result)
        self.assertIn('-m set --match-set good-term-3-dst dst', result)
        self.assertNotIn('-s ', result)
        self.assertNotIn('-d ', result)

        self.naming.GetNetAddr.assert_has_calls(
            [mock.call('INTERNAL'),
             mock.call('EXTERNAL')])
Exemple #4
0
  def testOneDestinationAddress(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IPv4('172.16.0.0/12')]

    acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2,
                                         self.naming), EXP_INFO)
    result = str(acl)
    self.assertIn('-d 172.16.0.0/12', result)
    self.assertNotIn('-m set --match-set good-term-2-dst dst', result)

    self.naming.GetNetAddr.assert_called_once_with('EXTERNAL')
Exemple #5
0
  def testOneSourceAddress(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IPv4('10.0.0.0/8')]

    acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1,
                                         self.naming), EXP_INFO)
    result = str(acl)
    self.assertIn('-s 10.0.0.0/8', result)
    self.assertNotIn('-m set --match-set good-term-3-src src', result)

    self.naming.GetNetAddr.assert_called_once_with('INTERNAL')
Exemple #6
0
  def testMarkers(self):
    self.naming.GetNetAddr.return_value = [nacaddr.IPv4('10.0.0.0/8')]

    acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1,
                                         self.naming), EXP_INFO)
    result = str(acl)
    self.assertIn('# begin:ipset-rules', result)
    self.assertIn('# end:ipset-rules', result)

    self.naming.GetNetAddr.assert_called_once_with('INTERNAL')
Exemple #7
0
    def testOneSourceAndDestinationAddress(self):
        self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
                                              [nacaddr.IPv4('172.16.0.0/12')]]

        acl = ipset.Ipset(
            policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3, self.naming),
            EXP_INFO)
        result = str(acl)
        self.assertIn('-s 10.0.0.0/8', result)
        self.assertIn('-d 172.16.0.0/12', result)
        self.assertNotIn('-m set --match-set good-term-3-src src', result)
        self.assertNotIn('-m set --match-set good-term-3-dst dst', result)

        self.naming.GetNetAddr.assert_has_calls(
            [mock.call('INTERNAL'),
             mock.call('EXTERNAL')])
Exemple #8
0
  def testManyDestinationAddresses(self):
    self.naming.GetNetAddr.return_value = [
        nacaddr.IPv4('172.16.0.0/24'), nacaddr.IPv4('172.17.0.0/24')]

    acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2,
                                         self.naming), EXP_INFO)
    result = str(acl)
    self.assertIn('create good-term-2-dst hash:net family inet hashsize '
                  '4 maxelem 4', result)
    self.assertIn('add good-term-2-dst 172.16.0.0/24', result)
    self.assertIn('add good-term-2-dst 172.17.0.0/24', result)
    self.assertIn('-m set --match-set good-term-2-dst dst', result)
    self.assertNotIn('-s ', result)
    self.assertNotIn('-exist', result)

    self.naming.GetNetAddr.assert_called_once_with('EXTERNAL')
Exemple #9
0
  def testManySourceAddresses(self):
    self.naming.GetNetAddr.return_value = [
        nacaddr.IPv4('10.0.0.0/24'), nacaddr.IPv4('10.1.0.0/24')]

    acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1,
                                         self.naming), EXP_INFO)
    result = str(acl)
    self.assertIn('create good-term-1-src hash:net family inet hashsize'
                  ' 4 maxelem 4', result)
    self.assertIn('add good-term-1-src 10.0.0.0/24', result)
    self.assertIn('add good-term-1-src 10.1.0.0/24', result)
    self.assertIn('-m set --match-set good-term-1-src src', result)
    self.assertNotIn('-s ', result)
    self.assertNotIn('-exist', result)

    self.naming.GetNetAddr.assert_called_once_with('INTERNAL')
Exemple #10
0
def RenderFile(base_directory, input_file, output_directory, definitions,
               exp_info, write_files):
    """Render a single file.

  Args:
    base_directory: The base directory to look for acls.
    input_file: the name of the input policy file.
    output_directory: the directory in which we place the rendered file.
    definitions: the definitions from naming.Naming().
    exp_info: print a info message when a term is set to expire
              in that many weeks.
    write_files: a list of file tuples, (output_file, acl_text), to write
  """
    logging.debug('rendering file: %s into %s', input_file, output_directory)
    pol = None
    jcl = False
    acl = False
    asacl = False
    aacl = False
    bacl = False
    eacl = False
    gca = False
    gcefw = False
    ips = False
    ipt = False
    spd = False
    nsx = False
    pcap_accept = False
    pcap_deny = False
    pf = False
    srx = False
    jsl = False
    nft = False
    win_afw = False
    xacl = False
    paloalto = False

    try:
        with open(input_file) as f:
            conf = f.read()
            logging.debug('opened and read %s', input_file)
    except IOError as e:
        logging.warning('bad file: \n%s', e)
        raise

    try:
        pol = policy.ParsePolicy(conf,
                                 definitions,
                                 optimize=FLAGS.optimize,
                                 base_dir=base_directory,
                                 shade_check=FLAGS.shade_check)
    except policy.ShadingError as e:
        logging.warning('shading errors for %s:\n%s', input_file, e)
        return
    except (policy.Error, naming.Error):
        raise ACLParserError(
            'Error parsing policy file %s:\n%s%s' %
            (input_file, sys.exc_info()[0], sys.exc_info()[1]))

    platforms = set()
    for header in pol.headers:
        platforms.update(header.platforms)

    if 'juniper' in platforms:
        jcl = copy.deepcopy(pol)
    if 'cisco' in platforms:
        acl = copy.deepcopy(pol)
    if 'ciscoasa' in platforms:
        asacl = copy.deepcopy(pol)
    if 'brocade' in platforms:
        bacl = copy.deepcopy(pol)
    if 'arista' in platforms:
        eacl = copy.deepcopy(pol)
    if 'aruba' in platforms:
        aacl = copy.deepcopy(pol)
    if 'ipset' in platforms:
        ips = copy.deepcopy(pol)
    if 'iptables' in platforms:
        ipt = copy.deepcopy(pol)
    if 'nsxv' in platforms:
        nsx = copy.deepcopy(pol)
    if 'packetfilter' in platforms:
        pf = copy.deepcopy(pol)
    if 'pcap' in platforms:
        pcap_accept = copy.deepcopy(pol)
        pcap_deny = copy.deepcopy(pol)
    if 'speedway' in platforms:
        spd = copy.deepcopy(pol)
    if 'srx' in platforms:
        srx = copy.deepcopy(pol)
    if 'srxlo' in platforms:
        jsl = copy.deepcopy(pol)
    if 'windows_advfirewall' in platforms:
        win_afw = copy.deepcopy(pol)
    if 'ciscoxr' in platforms:
        xacl = copy.deepcopy(pol)
    if 'nftables' in platforms:
        nft = copy.deepcopy(pol)
    if 'gce' in platforms:
        gcefw = copy.deepcopy(pol)
    if 'paloalto' in platforms:
        paloalto = copy.deepcopy(pol)
    if 'cloudarmor' in platforms:
        gca = copy.deepcopy(pol)

    if not output_directory.endswith('/'):
        output_directory += '/'

    try:
        if jcl:
            acl_obj = juniper.Juniper(jcl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if srx:
            acl_obj = junipersrx.JuniperSRX(srx, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if acl:
            acl_obj = cisco.Cisco(acl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if asacl:
            acl_obj = ciscoasa.CiscoASA(asacl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if aacl:
            acl_obj = aruba.Aruba(aacl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if bacl:
            acl_obj = brocade.Brocade(bacl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if eacl:
            acl_obj = arista.Arista(eacl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if ips:
            acl_obj = ipset.Ipset(ips, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if ipt:
            acl_obj = iptables.Iptables(ipt, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if nsx:
            acl_obj = nsxv.Nsxv(nsx, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if spd:
            acl_obj = speedway.Speedway(spd, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if pcap_accept:
            acl_obj = pcap.PcapFilter(pcap_accept, exp_info)
            RenderACL(str(acl_obj), '-accept' + acl_obj.SUFFIX,
                      output_directory, input_file, write_files)
        if pcap_deny:
            acl_obj = pcap.PcapFilter(pcap_deny, exp_info, invert=True)
            RenderACL(str(acl_obj), '-deny' + acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if pf:
            acl_obj = packetfilter.PacketFilter(pf, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if win_afw:
            acl_obj = windows_advfirewall.WindowsAdvFirewall(win_afw, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if jsl:
            acl_obj = srxlo.SRXlo(jsl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if xacl:
            acl_obj = ciscoxr.CiscoXR(xacl, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if nft:
            acl_obj = nftables.Nftables(nft, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if gcefw:
            acl_obj = gce.GCE(gcefw, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if paloalto:
            acl_obj = paloaltofw.PaloAltoFW(paloalto, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
        if gca:
            acl_obj = cloudarmor.CloudArmor(gca, exp_info)
            RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
    # TODO(robankeny) add additional errors.
    except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
            iptables.Error, speedway.Error, pcap.Error, aclgenerator.Error,
            aruba.Error, nftables.Error, gce.Error, cloudarmor.Error) as e:
        raise ACLGeneratorError('Error generating target ACL for %s:\n%s' %
                                (input_file, e))
Exemple #11
0
def get_acl(inputs):
    """Generates an ACL using Capirca.
    Args:
      inputs: Module parameters.
    Returns:
      ACL string.
    """
    header_base = '''
    header {
      comment:: "$comment"
      target:: $platform $options
    }
    '''
    result = ""

    # Create copy of input options removing any spaces
    inputs['options_copy'] = [
        str(elem).replace(" ", "") for elem in inputs['filter_options']
    ]

    # Add from/to-zone to 'paloalto' and 'srx'.
    if inputs['platform'] in ('paloalto' 'srx'):
        if len(inputs['options_copy']) < 2:
            raise AnsibleError(
                "The number of options for {0} is less than 2".format(
                    inputs['platform']))

        inputs['options_copy'][0] = "from-zone " + inputs['options_copy'][0]
        inputs['options_copy'][1] = "to-zone " + inputs['options_copy'][1]

    # Create option string for header
    inputs['options'] = ' '.join(
        [str(elem) for elem in inputs['options_copy']])

    header_template = Template(header_base)
    header = header_template.safe_substitute(inputs)

    defs = naming.Naming(inputs['def_folder'])
    terms = open(inputs['pol_file']).read()
    pol = policy.ParsePolicy(header + '\n' + terms, defs, optimize=True)

    # Exp info in weeks
    EXP_INFO = 2

    # List from https://github.com/google/capirca/blob/master/capirca/aclgen.py#L202
    # Does Python have a Switch statement?
    if inputs['platform'] == 'juniper':
        result = juniper.Juniper(pol, EXP_INFO)
    elif inputs['platform'] == 'cisco':
        result = cisco.Cisco(pol, EXP_INFO)
    elif inputs['platform'] == 'ciscoasa':
        result = ciscoasa.CiscoASA(pol, EXP_INFO)
    elif inputs['platform'] == 'brocade':
        result = brocade.Brocade(pol, EXP_INFO)
    elif inputs['platform'] == 'arista':
        result = arista.Arista(pol, EXP_INFO)
    elif inputs['platform'] == 'aruba':
        result = aruba.Aruba(pol, EXP_INFO)
    elif inputs['platform'] == 'ipset':
        result = ipset.Ipset(pol, EXP_INFO)
    elif inputs['platform'] == 'iptables':
        result = iptables.Iptables(pol, EXP_INFO)
    elif inputs['platform'] == 'nsxv':
        result = nsxv.Nsxv(pol, EXP_INFO)
    elif inputs['platform'] == 'packetfilter':
        result = packetfilter.PacketFilter(pol, EXP_INFO)
    elif inputs['platform'] == 'pcap':
        result = pcap.PcapFilter(pol, EXP_INFO)
    elif inputs['platform'] == 'speedway':
        result = speedway.Speedway(pol, EXP_INFO)
    elif inputs['platform'] == 'srx':
        result = junipersrx.JuniperSRX(pol, EXP_INFO)
    elif inputs['platform'] == 'srxlo':
        result = srxlo.SRXlo(pol, EXP_INFO)
    elif inputs['platform'] == 'windows_advfirewall':
        result = windows_advfirewall.WindowsAdvFirewall(pol, EXP_INFO)
    elif inputs['platform'] == 'ciscoxr':
        result = ciscoxr.CiscoXR(pol, EXP_INFO)
    elif inputs['platform'] == 'nftables':
        result = nftables.Nftables(pol, EXP_INFO)
    elif inputs['platform'] == 'gce':
        result = gce.GCE(pol, EXP_INFO)
    elif inputs['platform'] == 'paloalto':
        result = paloaltofw.PaloAltoFW(pol, EXP_INFO)
    elif inputs['platform'] == 'cloudarmor':
        result = cloudarmor.CloudArmor(pol, EXP_INFO)

    return str(result)