def _get_acl_text(pol, platform):
    # type: (policy.Policy, str) -> str
    """Render a parsed Capirca policy as vendor ACL text.

    Args:
        pol: a parsed ``capirca.lib.policy.Policy``.
        platform: vendor name; surrounding whitespace and letter case are
            ignored.

    Returns:
        The generated ACL configuration as a single string.

    Raises:
        ValueError: for ``paloalto`` (Capirca emits XML there, which Batfish
            does not yet parse) and for any platform not in the table below.
    """
    # Capirca warns about terms that expire within this many weeks. Push the
    # horizon ~100 years out so the generator stays quiet here; Capirca
    # still warns on its own about terms that have already expired.
    exp_info_weeks = 52 * 100
    name = platform.strip().lower()

    # Every generator imports its Capirca module lazily, so only the vendor
    # actually requested needs to be importable.
    def _arista():
        from capirca.lib import arista
        return arista.Arista(pol, exp_info_weeks)

    def _cisco():
        from capirca.lib import cisco
        return cisco.Cisco(pol, exp_info_weeks)

    def _cisco_xr():
        from capirca.lib import ciscoxr
        return ciscoxr.CiscoXR(pol, exp_info_weeks)

    def _cisco_asa():
        from capirca.lib import ciscoasa
        return ciscoasa.CiscoASA(pol, exp_info_weeks)

    def _juniper():
        from capirca.lib import juniper
        return juniper.Juniper(pol, exp_info_weeks)

    def _juniper_srx():
        from capirca.lib import junipersrx
        return junipersrx.JuniperSRX(pol, exp_info_weeks)

    if name == 'paloalto':
        # capirca.lib.paloaltofw exists, but its output is XML rather than a
        # text ACL, so it is deliberately not wired up.
        raise ValueError(
            'Capirca generates Palo Alto ACLs in XML form, which Batfish does not yet parse')

    generators = {
        'arista': _arista,
        'cisco': _cisco,
        'cisco-nx': _cisco,  # NX-OS is rendered by the IOS generator
        'cisco-xr': _cisco_xr,
        'ciscoasa': _cisco_asa,
        'juniper': _juniper,
        'juniper-srx': _juniper_srx,
    }
    build = generators.get(name)
    if build is None:
        raise ValueError(
            'Either Capirca or Pybatfish does not handle converting to ACLs in platform: ' + name)
    return str(build())
def testNoVerbose(self):
    """A noverbose header keeps term and header comments out of the output."""
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_NOVERBOSE + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # Neither the term comment nor the long header comment may be rendered.
    for fragment in ('This is a test acl with a comment', 'very very very'):
        self.assertNotIn(fragment, output)
def testLargeTermSplitIgnoreV6(self):
    """A large term is not split when the header ignores the IPv6 hosts.

    The same every-other-/128 input as the splitting test is used, plus one
    IPv4 host; with GOOD_HEADER_3 (presumably IPv4-only, per the test name)
    a single policy must come out.
    """
    first_block = list(
        nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119').subnets(
            new_prefix=128))
    # Keep only the even-indexed hosts.
    mo_ips = [nacaddr.IP(host) for host in first_block[::2]]

    second_block = list(
        nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119').subnets(
            new_prefix=128))
    second_block.append(nacaddr.IPv4('10.0.0.1/32'))
    prodcolos_ips = [nacaddr.IP(host) for host in second_block[::2]]

    self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_14, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    self.assertEqual(len(srx.policy.filters[0][1]), 1)
def testExpiredTerm(self, mock_warn):
    """An already-expired term triggers exactly one warning log call.

    ``mock_warn`` is presumably injected by a patch decorator that is not
    shown here; only the logging side effect is checked, not the output.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM_1, self.naming)
    junipersrx.JuniperSRX(pol, EXP_INFO)
    mock_warn.assert_called_once_with(
        'WARNING: Term %s in policy %s>%s is expired.',
        'expired_test', 'trust', 'untrust')
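def testOwnerTerm(self):
    """The owner of a term is rendered as a /* ... */ comment."""
    pol = policy.ParsePolicy(GOOD_HEADER + OWNER_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # NOTE(review): the address below looks like an extraction artifact of
    # this copy; it must match whatever OWNER_TERM actually declares.
    expected = (' /*\n'
                ' Owner: [email protected]\n'
                ' */')
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    self.assertIn(expected, output, output)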
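def testLoggingBoth(self):
    """A term whose logging option asks for both events emits both.

    GOOD_TERM_5 is defined elsewhere in the file; it is expected to request
    logging of session start and end.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    self.assertIn('session-init;', output, output)
    self.assertIn('session-close;', output, output)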
def testLargeTermSplittingV6(self):
    """A term with many IPv6 hosts is split into several policies.

    Every other /128 of two /119 blocks is fed in so the hosts cannot be
    summarised back into a single prefix; four filters are expected.
    """
    first_block = list(
        nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119').subnets(
            new_prefix=128))
    # Keep only the even-indexed hosts.
    mo_ips = [nacaddr.IP(host) for host in first_block[::2]]

    second_block = list(
        nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119').subnets(
            new_prefix=128))
    prodcolos_ips = [nacaddr.IP(host) for host in second_block[::2]]

    self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    self.assertEqual(len(srx.policy.filters[0][1]), 4)
    # Both tokens of the term must have been resolved, in order.
    self.naming.GetNetAddr.assert_has_calls(
        [mock.call('FOOBAR'), mock.call('SOME_HOST')])
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
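def testOptimizedGlobalAddressBook(self):
    """Address-book entries are summarised, and only into exact aggregates.

    FOOBAR is 172.16-19 and 172.22-31 (/16 each), SOME_HOST is 172.20-21
    plus 10/8. The expected aggregates cover exactly those /16s and nothing
    more: 172.16/14, 172.22/15, 172.24/13 for FOOBAR and 172.20/15 for
    SOME_HOST, so summarisation must not widen the address book.
    """
    # Note the gap at 172.20/16 and 172.21/16, which belong to SOME_HOST.
    foobar_ips = [
        nacaddr.IP('172.%d.0.0/16' % octet, token='FOOBAR')
        for octet in list(range(16, 20)) + list(range(22, 32))]
    some_host_ips = [nacaddr.IP('172.20.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('172.21.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('10.0.0.0/8', token='SOME_HOST')]
    self.naming.GetNetAddr.side_effect = [foobar_ips, some_host_ips,
                                          some_host_ips]
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17 + GOOD_HEADER_2 +
                             GOOD_TERM_15, self.naming)
    srx = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn/assertNotIn replace the failUnless alias (removed in 3.12).
    self.assertIn('address FOOBAR_0 172.16.0.0/14', srx, srx)
    self.assertIn('address FOOBAR_1 172.22.0.0/15;', srx, srx)
    self.assertIn('address FOOBAR_2 172.24.0.0/13;', srx, srx)
    self.assertIn('address SOME_HOST_0 10.0.0.0/8;', srx, srx)
    self.assertIn('address SOME_HOST_1 172.20.0.0/15;', srx, srx)
    # No un-summarised /16 may survive.
    self.assertNotIn('/16', srx, srx)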
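def testBuildTokens(self):
    """_BuildTokens reports exactly the supported tokens and sub-tokens."""
    self.naming.GetServiceByProto.side_effect = [['25'], ['26']]
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    supported_tokens, supported_sub_tokens = srx._BuildTokens()
    # assertEqual replaces the deprecated assertEquals alias (removed in 3.12).
    self.assertEqual(supported_tokens, SUPPORTED_TOKENS)
    self.assertEqual(supported_sub_tokens, SUPPORTED_SUB_TOKENS)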
def testLoggingTrueDeny(self):
    """A logged deny term emits session-init but never session-close.

    GOOD_TERM_LOG_4 is defined elsewhere in the file; presumably a denied
    flow never opens a session, so there is nothing to log at close.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_LOG_4, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    self.assertIn('session-init;', output)
    self.assertNotIn('session-close;', output)
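def testMixedVersionIcmp(self):
    """ICMP and ICMPv6 terms in one policy each get their own application term."""
    pol = policy.ParsePolicy(
        GOOD_HEADER + ICMP_TYPE_TERM_1 + IPV6_ICMP_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias (removed in 3.12) and reports
    # the generated text on failure, which the original did not.
    self.assertIn('term t6 protocol icmp6 icmp6-type 129 '
                  'inactivity-timeout 60;', output, output)
    self.assertIn('term t1 protocol icmp icmp-type 0 '
                  'inactivity-timeout 60;', output, output)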
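def testDscpWithByte(self):
    """A DSCP match given as a raw 6-bit value is rendered verbatim."""
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    self.assertIn('dscp b111000;', output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')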
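def testIcmpTypes(self):
    """An ICMP term with several types yields one application term per type."""
    pol = policy.ParsePolicy(GOOD_HEADER + ICMP_TYPE_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    expected_fragments = (
        'application test-icmp-app;',   # referenced from the policy
        'application test-icmp-app {',  # and defined under applications
        'term t1 protocol icmp icmp-type 0 inactivity-timeout 60',
        'term t2 protocol icmp icmp-type 8 inactivity-timeout 60',
    )
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    for fragment in expected_fragments:
        self.assertIn(fragment, output, output)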
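def testVpnWithoutPolicy(self):
    """A term with a VPN but no pair policy still emits the ipsec-vpn line."""
    self.naming.GetNetAddr.return_value = _IPSET
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    self.assertIn('ipsec-vpn good-vpn-3;', output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')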
def testVpnWithDrop(self):
    """No VPN or pair-policy statements are emitted for BAD_TERM_1.

    BAD_TERM_1 is defined elsewhere in the file; per the test name it
    presumably combines a VPN with a drop action, and a dropped flow must
    not be steered into a tunnel.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    pol = policy.ParsePolicy(GOOD_HEADER + BAD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    for forbidden in ('ipsec-vpn good-vpn-4;', 'pair-policy policy-4;'):
        self.assertNotIn(forbidden, output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testExpiringTerm(self, mock_info):
    """A term expiring within the EXP_INFO window logs one info message.

    ``mock_info`` is presumably injected by a patch decorator not shown
    here. The expiry date is computed relative to today so the test does
    not go stale.
    """
    expiry = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
    term_text = EXPIRING_TERM % expiry.strftime('%Y-%m-%d')
    pol = policy.ParsePolicy(GOOD_HEADER + term_text, self.naming)
    junipersrx.JuniperSRX(pol, EXP_INFO)
    mock_info.assert_called_once_with(
        'INFO: Term %s in policy %s>%s expires in '
        'less than two weeks.', 'is_expiring', 'trust', 'untrust')
def testAddressBookOrderingSuccess(self):
    """Out-of-order input addresses come out of the address book sorted.

    Relies on the helpers _OutOfOrderAddresses and _FailIfUnorderedAddressBook
    defined elsewhere on this test class.
    """
    self.naming.GetNetAddr.return_value = self._OutOfOrderAddresses()
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_2, self.naming)
    srx = junipersrx.JuniperSRX(pol, EXP_INFO)
    address_book = srx._GenerateAddressBook()
    self._FailIfUnorderedAddressBook(address_book)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
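def testTermAndFilterName(self):
    """The term name becomes the SRX policy name."""
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    self.assertIn('policy good-term-1 {', output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')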
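def testDscpWithClass(self):
    """DSCP match/set/except given as class names are rendered as such."""
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    expected_fragments = (
        'dscp af42;',
        'dscp [ af41-af42 5 ];',
        'dscp-except [ be ];',
    )
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    for fragment in expected_fragments:
        self.assertIn(fragment, output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')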
def testExpressPath(self):
    """A header enabling express-path adds services-offload to its policies.

    Two zone pairs are rendered: GOOD_HEADER_14 (presumably the one with
    express-path, per the test name) and the plain GOOD_HEADER, so both
    permit and deny actions must still appear alongside the offload flag.
    """
    some_host = [nacaddr.IP('10.0.0.1/32', token='SOMEHOST')]
    self.naming.GetNetAddr.side_effect = [some_host, some_host]
    self.naming.GetServiceByProto.side_effect = [['25', '25'], ['25', '25']]
    pol = policy.ParsePolicy(
        GOOD_HEADER_14 + GOOD_TERM_2 + DEFAULT_TERM_1 +
        GOOD_HEADER + GOOD_TERM_1,
        self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    for fragment in ('services-offload;', 'deny;', 'permit;'):
        self.assertIn(fragment, output)
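def testReplaceStatement(self):
    """Each generated stanza is tagged with a Junos ``replace:`` marker.

    Presumably so that loading the output replaces, rather than merges
    into, any existing address-book, policies and applications - stale
    entries from a previous version should not linger on the device.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    for stanza in ('address-book', 'policies', 'applications'):
        self.assertIn('replace: ' + stanza, output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')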
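def testZoneAdressBookIPv6(self):
    """An IPv6-only zone address book contains only the IPv6 prefix.

    _IPSET holds both 10.0.0.0/8 and 2001:4860:8000::/33; with GOOD_HEADER_8
    the book is emitted under the untrust zone and the IPv4 prefix must be
    filtered out.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_8 + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn/assertNotIn replace the failUnless alias (removed in 3.12).
    self.assertIn('security-zone untrust {', output, output)
    self.assertIn('replace: address-book {', output, output)
    self.assertIn('2001:4860:8000::/33', output, output)
    self.assertNotIn('10.0.0.0/8', output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')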
def testDropEstablished(self):
    """tcp-established / udp-established terms are omitted from the output.

    Two zone pairs are rendered, the second one carrying the established
    terms; neither term name may appear in the result (the SRX being a
    stateful device, such terms are presumably meaningless there).
    """
    some_host = [nacaddr.IP('10.0.0.1/32', token='FOO')]
    # One service and one address lookup per non-default term, in order.
    self.naming.GetServiceByProto.side_effect = [
        ['25', '25'], ['443', '443'], ['25', '25'], ['443', '443']]
    self.naming.GetNetAddr.side_effect = [some_host] * 4
    pol = policy.ParsePolicy(
        GOOD_HEADER + GOOD_TERM_1 + GOOD_TERM_21 + DEFAULT_TERM_1 +
        GOOD_HEADER_2 + TCP_ESTABLISHED_TERM + UDP_ESTABLISHED_TERM +
        DEFAULT_TERM_1,
        self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    for dropped_term in ('udp-established-term', 'tcp-established-term'):
        self.assertNotIn(dropped_term, output)
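def testMultipleProtocolGrouping(self):
    """A term with several protocols becomes an application-set.

    The set references one application per protocol (tcp, udp, icmp), and
    each application holds exactly one protocol term.
    """
    pol = policy.ParsePolicy(GOOD_HEADER + MULTIPLE_PROTOCOLS_TERM,
                             self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    expected_fragments = (
        'application-set multi-proto-app {',
        'application multi-proto-app1;',
        'application multi-proto-app2;',
        'application multi-proto-app3;',
        'application multi-proto-app1 {',
        'term t1 protocol tcp;',
        'application multi-proto-app2 {',
        'term t2 protocol udp;',
        'application multi-proto-app3 {',
        'term t3 protocol icmp;',
    )
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    for fragment in expected_fragments:
        self.assertIn(fragment, output, output)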
def testAdressBookIPv6(self):
    """An IPv6-only global address book contains only the IPv6 prefix.

    _IPSET holds both 10.0.0.0/8 and 2001:4860:8000::/33; with GOOD_HEADER_4
    the book is emitted under ``global`` and the IPv4 prefix must be left
    out.
    """
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER_4 + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    for fragment in ('replace: address-book {', 'global {',
                     '2001:4860:8000::/33'):
        self.assertIn(fragment, output, output)
    self.assertNotIn('10.0.0.0/8', output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testAllIcmpTypes(self):
    """A term listing every ICMP type is split into 18 single-term apps."""
    pol = policy.ParsePolicy(GOOD_HEADER + ICMP_ALL_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

    # The application-set must reference exactly 18 numbered applications.
    set_pattern = re.compile(
        r'application-set accept-icmp-types-app \{\s+(application accept-icmp-types-app\d{1,2};\s+){18}\}')
    self.assertTrue(set_pattern.search(output), output)

    # Each of those 18 applications holds a single icmp-type term.
    app_pattern = re.compile(
        r'(application accept-icmp-types-app\d{1,2} \{\s+(term t1 protocol icmp icmp-type \d{1,3} inactivity-timeout 60;\s+)\}\s+){18}'
    )
    self.assertTrue(app_pattern.search(output), output)
def testAllIcmp6Types(self):
    """A term listing every ICMPv6 type is split into 29 single-term apps."""
    pol = policy.ParsePolicy(GOOD_HEADER + ICMP6_ALL_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

    # The application-set must reference exactly 29 numbered applications.
    set_pattern = re.compile(
        r'application-set accept-icmpv6-types-app \{\s+(application accept-icmpv6-types-app\d{1,2};\s+){29}\}'
    )
    self.assertTrue(set_pattern.search(output), output)

    # Each of the 29 applications holds exactly one icmp6-type term (the
    # pattern admits a single term per application).
    app_pattern = re.compile(
        r'(application accept-icmpv6-types-app\d{1,2} \{\s+(term t1 protocol icmp6 icmp6-type \d{1,3} inactivity-timeout 60;\s+)\}\s+){29}'
    )
    self.assertTrue(app_pattern.search(output), output)
def testLongSplitIcmpTypes(self):
    """A long ICMPv6 type list is split into 9 single-term applications."""
    pol = policy.ParsePolicy(GOOD_HEADER + LONG_IPV6_ICMP_TERM2, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

    # The application-set must reference exactly 9 single-digit-numbered
    # applications.
    set_pattern = re.compile(
        r'application-set accept-icmpv6-types-app \{\s+(application accept-icmpv6-types-app\d;\s+){9}\}')
    self.assertTrue(set_pattern.search(output), output)

    # Each of the 9 applications holds a single icmp6-type term.
    app_pattern = re.compile(
        r'(application accept-icmpv6-types-app\d \{\s+(term t1 protocol icmp6 icmp6-type \d{1,3} inactivity-timeout 60;\s+)\}\s+){9}'
    )
    self.assertTrue(app_pattern.search(output), output)
def testNakedExclude(self):
    """A source-exclude with no explicit source is expanded to its complement.

    Only 10.0.0.0/24 is resolved (for the exclude). The asserted entries
    10.0.1.0/24, 10.0.2.0/23, 10.0.4.0/22 and 10.0.8.0/21 together cover
    10.0.1.0-10.0.15.255, i.e. the rest of 10.0.0.0/20, and the excluded
    10.0.0.0 itself must not appear anywhere in the output.
    """
    small = [nacaddr.IP('10.0.0.0/24', 'SMALL', 'SMALL')]
    self.naming.GetNetAddr.side_effect = [small]
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_18, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    expected_entries = (
        'address GOOD_TERM_18_SRC_EXCLUDE_2 10.0.1.0/24;',
        'address GOOD_TERM_18_SRC_EXCLUDE_3 10.0.2.0/23;',
        'address GOOD_TERM_18_SRC_EXCLUDE_4 10.0.4.0/22;',
        'address GOOD_TERM_18_SRC_EXCLUDE_5 10.0.8.0/21;',
    )
    for entry in expected_entries:
        self.assertIn(entry, output, output)
    self.assertNotIn('10.0.0.0', output)
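def testLongComment(self):
    """A long header comment is rendered as a /* ... */ block."""
    # NOTE(review): in this copy the expected block sits on a single line;
    # the line breaks of the original fixture appear to have been lost, so
    # compare it against real generator output before relying on it.
    expected_output = """ /* This header is very very very very very very very very very very very very very very very very very very very very large */"""
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn replaces the failUnless alias, which was removed in 3.12.
    self.assertIn(expected_output, output, output)
    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')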