 def testPlatformTerm(self):
     """A term built from PLATFORM_TERM renders rule test-accept-action with action 'allow'."""
     rendered = paloaltofw.PaloAltoFW(
         policy.ParsePolicy(GOOD_HEADER_1 + PLATFORM_TERM, self.naming),
         EXP_INFO)
     # str() is taken before inspecting config, matching the other tests.
     output = str(rendered)
     action_path = PATH_RULES + "/entry[@name='test-accept-action']/action"
     self.assertEqual(rendered.config.findtext(action_path), 'allow', output)
 def testDenyAction(self):
     """ACTION_DENY_TERM renders rule test-deny-action with action 'deny'."""
     rendered = paloaltofw.PaloAltoFW(
         policy.ParsePolicy(GOOD_HEADER_1 + ACTION_DENY_TERM, self.naming),
         EXP_INFO)
     output = str(rendered)
     action_path = PATH_RULES + "/entry[@name='test-deny-action']/action"
     self.assertEqual(rendered.config.findtext(action_path), 'deny', output)
    def testSkipEstablished(self):
        """Established-only terms (tcp and udp) produce no rule entry at all."""
        cases = (
            (TCP_ESTABLISHED_TERM, "/entry[@name='tcp-established']"),
            (UDP_ESTABLISHED_TERM, "/entry[@name='udp-established-term']"),
        )
        for term, entry_path in cases:
            rendered = paloaltofw.PaloAltoFW(
                policy.ParsePolicy(GOOD_HEADER_1 + term, self.naming),
                EXP_INFO)
            output = str(rendered)
            # The whole entry must be absent, not just its action.
            self.assertIsNone(rendered.config.find(PATH_RULES + entry_path),
                              output)
 def testResetAction(self):
     """ACTION_RESET_TERM maps to the PAN action 'reset-client'."""
     rendered = paloaltofw.PaloAltoFW(
         policy.ParsePolicy(GOOD_HEADER_1 + ACTION_RESET_TERM, self.naming),
         EXP_INFO)
     output = str(rendered)
     action_path = PATH_RULES + "/entry[@name='test-reset-action']/action"
     self.assertEqual(rendered.config.findtext(action_path), 'reset-client',
                      output)
 def testBuildTokens(self):
     """_BuildTokens returns the module's SUPPORTED_TOKENS / SUPPORTED_SUB_TOKENS."""
     # GOOD_TERM_2 resolves two services; feed one port list per call.
     self.naming.GetServiceByProto.side_effect = [['25'], ['26']]
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2, self.naming)
     generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     tokens, sub_tokens = generator._BuildTokens()
     self.assertEqual(tokens, SUPPORTED_TOKENS)
     self.assertEqual(sub_tokens, SUPPORTED_SUB_TOKENS)
    def testPortLessNonPort(self):
        """Mixed port/port-less protocols split into two rules.

        udp/tcp end up as any-udp/any-tcp service members of rule-1-1; the
        port-less protocols (icmp, gre) become application members of
        rule-1-2.
        """
        POL = """
header {
  target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
%s
  action:: accept
}"""

        cases = (
            ("""
  protocol:: udp icmp
""", {"any-udp"}, {"icmp"}),
            ("""
  protocol:: udp tcp icmp gre
""", {"any-udp", "any-tcp"}, {"icmp", "gre"}),
        )

        for term, want_services, want_applications in cases:
            rendered = paloaltofw.PaloAltoFW(
                policy.ParsePolicy(POL % term, self.naming), EXP_INFO)
            output = str(rendered)

            service_nodes = rendered.config.findall(
                PATH_RULES + "/entry[@name='rule-1-1']/service/member")
            self.assertTrue(len(service_nodes) > 0, output)
            self.assertEqual(want_services,
                             {node.text for node in service_nodes}, output)

            application_nodes = rendered.config.findall(
                PATH_RULES + "/entry[@name='rule-1-2']/application/member")
            self.assertTrue(len(application_nodes) > 0, output)
            self.assertEqual(want_applications,
                             {node.text for node in application_nodes},
                             output)
 def testDefaultDeny(self):
     """DEFAULT_TERM_1 renders an explicit 'deny' action element."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + DEFAULT_TERM_1, self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     action_node = rendered.config.find(
         PATH_RULES + "/entry[@name='default-term-1']/action")
     # Check presence first so a missing element fails with the XML attached.
     self.assertIsNotNone(action_node, output)
     self.assertEqual(action_node.text, 'deny', output)
 def testGreProtoTerm(self):
     """A gre-only term yields exactly one application member, 'gre'."""
     rendered = paloaltofw.PaloAltoFW(
         policy.ParsePolicy(GOOD_HEADER_1 + GRE_PROTO_TERM, self.naming),
         EXP_INFO)
     output = str(rendered)
     application = rendered.config.find(
         PATH_RULES + "/entry[@name='test-gre-protocol']/application")
     self.assertIsNotNone(application, output)
     self.assertEqual(len(application), 1, output)
     only_member = application[0]
     self.assertEqual(only_member.tag, 'member', output)
     self.assertEqual(only_member.text, 'gre', output)
 def testLoggingBoth(self):
     """LOGGING_BOTH_TERM sets both log-start and log-end to 'yes'."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + LOGGING_BOTH_TERM,
                                 self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     entry = PATH_RULES + "/entry[@name='test-log-both']"
     for leaf in ('/log-start', '/log-end'):
         self.assertEqual(rendered.config.findtext(entry + leaf), 'yes',
                          output)
 def testLogging(self):
     """Every plain logging keyword enables log-end only, never log-start."""
     logging_terms = (
         LOGGING_SYSLOG_KEYWORD,
         LOGGING_LOCAL_KEYWORD,
         LOGGING_PYTRUE_KEYWORD,
         LOGGING_TRUE_KEYWORD,
     )
     for term in logging_terms:
         parsed = policy.ParsePolicy(GOOD_HEADER_1 + term, self.naming)
         output = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
         self.assertNotIn('<log-start>yes</log-start>', output, output)
         self.assertIn('<log-end>yes</log-end>', output, output)
 def testDisableLogging(self):
     """LOGGING_DISABLED sets both log-start and log-end to 'no'."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + LOGGING_DISABLED, self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     entry = PATH_RULES + "/entry[@name='test-disabled-log']"
     for leaf in ('/log-start', '/log-end'):
         self.assertEqual(rendered.config.findtext(entry + leaf), 'no',
                          output)
    def testTermAndFilterName(self):
        """GOOD_TERM_1 renders an entry named after the term and resolves names once each."""
        naming_mock = self.naming
        naming_mock.GetNetAddr.return_value = _IPSET
        naming_mock.GetServiceByProto.return_value = ['25']

        parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, naming_mock)
        output = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
        self.assertIn('<entry name="good-term-1">', output, output)

        # Each definition lookup should happen exactly once during parsing.
        naming_mock.GetNetAddr.assert_called_once_with('FOOBAR')
        naming_mock.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
  def testTermAndFilterName(self):
    """GOOD_TERM_1 renders a rule entry named good-term-1 and resolves names once each."""
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']

    parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming)
    rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
    output = str(rendered)
    entry = rendered.config.find(PATH_RULES + "/entry[@name='good-term-1']")
    self.assertIsNotNone(entry, output)

    # Each definition lookup should happen exactly once during parsing.
    self.naming.GetNetAddr.assert_called_once_with('FOOBAR')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
    def testSkipStatelessReply(self):
        """Terms flagged stateless_reply are dropped from the rendered output."""
        parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4_STATELESS_REPLY,
                                    self.naming)

        # The policy language has no keyword for stateless_reply, so the flag
        # is set on the parsed terms directly.
        _, terms = parsed.filters[0]
        for term in terms:
            term.stateless_reply = True

        output = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
        self.assertNotIn('good-term-stateless-reply', output, output)
    def testICMPProtocolOnly(self):
        """An icmp-only term yields a single application member 'icmp'."""
        rendered = paloaltofw.PaloAltoFW(
            policy.ParsePolicy(GOOD_HEADER_1 + ICMP_ONLY_TERM_1, self.naming),
            EXP_INFO)
        output = str(rendered)
        application = rendered.config.find(
            PATH_RULES + "/entry[@name='test-icmp-only']/application")
        self.assertIsNotNone(application, output)

        # Every child must be a <member>; collect their texts in document order.
        self.assertEqual([node.tag for node in application],
                         ['member'] * len(application), output)
        self.assertEqual(['icmp'], [node.text for node in application], output)
    def testPanApplication(self):
        """pan-application:: members are emitted as given; without it the member is 'any'."""
        POL1 = """
header {
  target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
  action:: accept
}"""

        POL2 = """
header {
  target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
  pan-application:: %s
  action:: accept
}"""

        APPS = [
            {'app1'},
            {'app1', 'app2'},
            {'app1', 'app2', 'app3'},
        ]

        member_path = PATH_RULES + "/entry[@name='rule-1']/application/member"

        # No pan-application keyword: the lone member must be 'any'.
        rendered = paloaltofw.PaloAltoFW(
            policy.ParsePolicy(POL1, self.naming), EXP_INFO)
        output = str(rendered)
        self.assertEqual(rendered.config.findtext(member_path), 'any', output)

        for expected_apps in APPS:
            rendered = paloaltofw.PaloAltoFW(
                policy.ParsePolicy(POL2 % ' '.join(expected_apps),
                                   self.naming),
                EXP_INFO)
            output = str(rendered)
            members = rendered.config.findall(member_path)
            self.assertEqual(expected_apps, {node.text for node in members},
                             output)
    def testSkipStatelessReply(self):
        """Terms flagged stateless_reply produce no rule entry."""
        parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4_STATELESS_REPLY,
                                    self.naming)

        # The policy language has no keyword for stateless_reply, so the flag
        # is set on the parsed terms directly.
        _, terms = parsed.filters[0]
        for term in terms:
            term.stateless_reply = True

        rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
        output = str(rendered)
        entry = rendered.config.find(
            PATH_RULES + "/entry[@name='good-term-stateless-reply']")
        self.assertIsNone(entry, output)
    def testIcmpTypes(self):
        """ICMP_TYPE_TERM_1 expands to one icmp-* application member per type."""
        rendered = paloaltofw.PaloAltoFW(
            policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1, self.naming),
            EXP_INFO)
        output = str(rendered)
        application = rendered.config.find(
            PATH_RULES + "/entry[@name='test-icmp']/application")
        self.assertIsNotNone(application, output)

        # Every child must be a <member>; order of members is not asserted.
        self.assertEqual([node.tag for node in application],
                         ['member'] * len(application), output)
        self.assertCountEqual(
            ['icmp-echo-reply', 'icmp-echo-request', 'icmp-unreachable'],
            [node.text for node in application], output)
  def testLogging(self):
    """Every plain logging keyword produces exactly one log-end 'yes' and no log-start."""
    logging_terms = (
        LOGGING_SYSLOG_KEYWORD,
        LOGGING_LOCAL_KEYWORD,
        LOGGING_PYTRUE_KEYWORD,
        LOGGING_TRUE_KEYWORD,
    )
    for term in logging_terms:
      parsed = policy.ParsePolicy(GOOD_HEADER_1 + term, self.naming)
      rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
      output = str(rendered)

      # The term name is not known here, so match every named entry.
      log_start = rendered.config.findall(PATH_RULES + '/entry[@name]/log-start')
      self.assertEqual(len(log_start), 0, output)
      log_end = rendered.config.findall(PATH_RULES + '/entry[@name]/log-end')
      self.assertEqual(len(log_end), 1, output)
      self.assertEqual(log_end[0].text, 'yes', output)
 def testAcceptAction(self):
     """ACTION_ACCEPT_TERM renders as the PAN action 'allow'."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_ACCEPT_TERM,
                                 self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     self.assertIn('<action>allow</action>', output, output)
 def testResetAction(self):
     """ACTION_RESET_TERM renders as the PAN action 'reset-client'."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_RESET_TERM,
                                 self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     self.assertIn('<action>reset-client</action>', output, output)
 def testICMPProtocolOnly(self):
     """An icmp-only term emits an 'icmp' member in the rendered XML."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_ONLY_TERM_1, self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     self.assertIn('<member>icmp</member>', output, output)
 def testIcmpTypes(self):
     """ICMP_TYPE_TERM_1 emits echo-request and echo-reply members."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1, self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     for member in ('<member>icmp-echo-request</member>',
                    '<member>icmp-echo-reply</member>'):
         self.assertIn(member, output, output)
 def testDefaultDeny(self):
     """DEFAULT_TERM_1 renders a 'deny' action element."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + DEFAULT_TERM_1, self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     self.assertIn('<action>deny</action>', output, output)
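def RenderFile(base_directory, input_file, output_directory, definitions,
               exp_info, write_files):
    """Render a single file.

    Args:
      base_directory: The base directory to look for acls.
      input_file: the name of the input policy file.
      output_directory: the directory in which we place the rendered file.
      definitions: the definitions from naming.Naming().
      exp_info: print a info message when a term is set to expire
                in that many weeks.
      write_files: a list of file tuples, (output_file, acl_text), to write

    Returns:
      None. Output is appended to write_files via RenderACL. Returns early
      (after logging a warning) when the policy has shading errors.

    Raises:
      IOError: the input file could not be read (logged, then re-raised).
      ACLParserError: the policy or its definitions failed to parse.
      ACLGeneratorError: a target generator rejected the policy.
    """
    logging.debug('rendering file: %s into %s', input_file, output_directory)

    try:
        with open(input_file) as f:
            conf = f.read()
            logging.debug('opened and read %s', input_file)
    except IOError as e:
        logging.warning('bad file: \n%s', e)
        raise

    try:
        pol = policy.ParsePolicy(conf,
                                 definitions,
                                 optimize=FLAGS.optimize,
                                 base_dir=base_directory,
                                 shade_check=FLAGS.shade_check)
    except policy.ShadingError as e:
        logging.warning('shading errors for %s:\n%s', input_file, e)
        return
    except (policy.Error, naming.Error) as e:
        # type(e)/e reproduce what sys.exc_info()[0]/[1] used to print.
        raise ACLParserError(
            'Error parsing policy file %s:\n%s%s' %
            (input_file, type(e), e))

    platforms = set()
    for header in pol.headers:
        platforms.update(header.platforms)

    if not output_directory.endswith('/'):
        output_directory += '/'

    # (platform keyword, factory(policy, exp_info), suffix prefix).
    # Row order is the historical render order and determines the order in
    # which entries are appended to write_files, so keep it stable.
    # 'pcap' renders twice: a plain filter and an inverted (deny) one.
    render_table = (
        ('juniper', juniper.Juniper, ''),
        ('srx', junipersrx.JuniperSRX, ''),
        ('cisco', cisco.Cisco, ''),
        ('ciscoasa', ciscoasa.CiscoASA, ''),
        ('aruba', aruba.Aruba, ''),
        ('brocade', brocade.Brocade, ''),
        ('arista', arista.Arista, ''),
        ('ipset', ipset.Ipset, ''),
        ('iptables', iptables.Iptables, ''),
        ('nsxv', nsxv.Nsxv, ''),
        ('speedway', speedway.Speedway, ''),
        ('pcap', pcap.PcapFilter, '-accept'),
        ('pcap', lambda p, e: pcap.PcapFilter(p, e, invert=True), '-deny'),
        ('packetfilter', packetfilter.PacketFilter, ''),
        ('windows_advfirewall', windows_advfirewall.WindowsAdvFirewall, ''),
        ('srxlo', srxlo.SRXlo, ''),
        ('ciscoxr', ciscoxr.CiscoXR, ''),
        ('nftables', nftables.Nftables, ''),
        ('gce', gce.GCE, ''),
        ('paloalto', paloaltofw.PaloAltoFW, ''),
        ('cloudarmor', cloudarmor.CloudArmor, ''),
    )

    # Each generator gets its own deep copy of the parsed policy (as the
    # original per-platform copies did), taken before any rendering starts so
    # one target's generator cannot observe another's changes.
    targets = [(factory, prefix, copy.deepcopy(pol))
               for platform, factory, prefix in render_table
               if platform in platforms]

    try:
        for factory, prefix, target in targets:
            acl_obj = factory(target, exp_info)
            RenderACL(str(acl_obj), prefix + acl_obj.SUFFIX, output_directory,
                      input_file, write_files)
    # TODO(robankeny) add additional errors.
    except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
            iptables.Error, speedway.Error, pcap.Error, aclgenerator.Error,
            aruba.Error, nftables.Error, gce.Error, cloudarmor.Error) as e:
        raise ACLGeneratorError('Error generating target ACL for %s:\n%s' %
                                (input_file, e))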
    def testPanPorts(self):
        """Service objects carry the expected port / source-port text.

        Covers: destination-port only, source-port only, tcp with a source
        service and two destination services, a bare tcp term (any-tcp), and
        tcp+udp (both any-* objects referenced from the rule's service list).
        """
        POL = """
header {
  target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
%s
  action:: accept
}"""

        definitions = naming.Naming()
        definitions._ParseLine('NTP = 123/tcp 123/udp', 'services')
        definitions._ParseLine('DNS = 53/tcp 53/udp', 'services')

        def render(term):
            # str() is taken right after construction, as the other tests do.
            rendered = paloaltofw.PaloAltoFW(
                policy.ParsePolicy(POL % term, definitions), EXP_INFO)
            return rendered, str(rendered)

        def service_path(name, proto, leaf):
            return PATH_SERVICE + "/entry[@name='%s']/protocol/%s/%s" % (
                name, proto, leaf)

        # destination-port only: port is set, source-port element is absent.
        rendered, output = render("""
  protocol:: udp
  destination-port:: NTP
""")
        udp_service = "service-rule-1-udp"
        self.assertEqual(
            rendered.config.findtext(service_path(udp_service, "udp", "port")),
            "123", output)
        self.assertIsNone(
            rendered.config.findtext(
                service_path(udp_service, "udp", "source-port")),
            output)

        # source-port only: port falls back to the full range.
        rendered, output = render("""
  protocol:: udp
  source-port:: NTP
""")
        self.assertEqual(
            rendered.config.findtext(service_path(udp_service, "udp", "port")),
            "0-65535", output)
        self.assertEqual(
            rendered.config.findtext(
                service_path(udp_service, "udp", "source-port")),
            "123", output)

        # tcp with one source service and two destination services.
        rendered, output = render("""
  protocol:: tcp
  source-port:: NTP
  destination-port:: NTP DNS
""")
        tcp_service = "service-rule-1-tcp"
        self.assertEqual(
            rendered.config.findtext(service_path(tcp_service, "tcp", "port")),
            "53,123", output)
        self.assertEqual(
            rendered.config.findtext(
                service_path(tcp_service, "tcp", "source-port")),
            "123", output)

        # bare tcp term: the shared any-tcp object, no source-port element.
        rendered, output = render("""
  protocol:: tcp
""")
        self.assertEqual(
            rendered.config.findtext(service_path("any-tcp", "tcp", "port")),
            "0-65535", output)
        self.assertIsNone(
            rendered.config.find(service_path("any-tcp", "tcp", "source-port")),
            output)

        # tcp + udp: both any-* objects exist and the rule references both.
        rendered, output = render("""
  protocol:: tcp udp
""")
        self.assertEqual(
            rendered.config.findtext(service_path("any-tcp", "tcp", "port")),
            "0-65535", output)
        self.assertEqual(
            rendered.config.findtext(service_path("any-udp", "udp", "port")),
            "0-65535", output)
        members = rendered.config.findall(
            PATH_RULES + "/entry[@name='rule-1']/service/member")
        self.assertEqual({"any-tcp", "any-udp"},
                         {node.text for node in members}, output)
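 def testIcmpTypes(self):
     """ICMP_TYPE_TERM_1 renders the 'ping' application member.

     Uses assertIn rather than failUnless: that alias was deprecated and is
     removed in Python 3.12, so the original form stops running there.
     """
     pol = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1, self.naming)
     output = str(paloaltofw.PaloAltoFW(pol, EXP_INFO))
     self.assertIn('<member>ping</member>', output, output)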
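 def testICMPProtocolOnly(self):
     """An icmp-only term renders the 'ping' application member.

     Uses assertIn rather than failUnless: that alias was deprecated and is
     removed in Python 3.12, so the original form stops running there.
     """
     pol = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_ONLY_TERM_1, self.naming)
     output = str(paloaltofw.PaloAltoFW(pol, EXP_INFO))
     self.assertIn('<member>ping</member>', output, output)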
 def testDenyAction(self):
     """ACTION_DENY_TERM renders as the PAN action 'deny'."""
     parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_DENY_TERM, self.naming)
     rendered = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
     output = str(rendered)
     self.assertIn('<action>deny</action>', output, output)
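def get_acl(inputs):
    """Generates an ACL using Capirca.
    Args:
      inputs: Module parameters. Reads 'filter_options', 'platform',
        'def_folder' and 'pol_file' (and whatever else the header template
        substitutes, e.g. 'comment'); writes 'options_copy' and 'options'
        back into the same dict.
    Returns:
      ACL string. An empty string when 'platform' names no known generator.
    Raises:
      AnsibleError: platform is paloalto or srx and fewer than two filter
        options (from-zone, to-zone) were given.
    """
    header_base = '''
    header {
      comment:: "$comment"
      target:: $platform $options
    }
    '''
    result = ""

    # Create copy of input options removing any spaces
    inputs['options_copy'] = [
        str(elem).replace(" ", "") for elem in inputs['filter_options']
    ]

    # Add from/to-zone to 'paloalto' and 'srx'.
    # The previous form ('paloalto' 'srx') was implicit string concatenation,
    # i.e. a substring test against 'paloaltosrx'; a tuple is the intended
    # membership test.
    if inputs['platform'] in ('paloalto', 'srx'):
        if len(inputs['options_copy']) < 2:
            raise AnsibleError(
                "The number of options for {0} is less than 2".format(
                    inputs['platform']))

        inputs['options_copy'][0] = "from-zone " + inputs['options_copy'][0]
        inputs['options_copy'][1] = "to-zone " + inputs['options_copy'][1]

    # Create option string for header
    inputs['options'] = ' '.join(str(elem) for elem in inputs['options_copy'])

    header_template = Template(header_base)
    header = header_template.safe_substitute(inputs)

    defs = naming.Naming(inputs['def_folder'])
    # Close the policy file as soon as it is read instead of leaking the handle.
    with open(inputs['pol_file']) as pol_fh:
        terms = pol_fh.read()
    pol = policy.ParsePolicy(header + '\n' + terms, defs, optimize=True)

    # Exp info in weeks
    EXP_INFO = 2

    # List from https://github.com/google/capirca/blob/master/capirca/aclgen.py#L202
    # Dispatch table replacing the platform if/elif chain.
    generators = {
        'juniper': juniper.Juniper,
        'cisco': cisco.Cisco,
        'ciscoasa': ciscoasa.CiscoASA,
        'brocade': brocade.Brocade,
        'arista': arista.Arista,
        'aruba': aruba.Aruba,
        'ipset': ipset.Ipset,
        'iptables': iptables.Iptables,
        'nsxv': nsxv.Nsxv,
        'packetfilter': packetfilter.PacketFilter,
        'pcap': pcap.PcapFilter,
        'speedway': speedway.Speedway,
        'srx': junipersrx.JuniperSRX,
        'srxlo': srxlo.SRXlo,
        'windows_advfirewall': windows_advfirewall.WindowsAdvFirewall,
        'ciscoxr': ciscoxr.CiscoXR,
        'nftables': nftables.Nftables,
        'gce': gce.GCE,
        'paloalto': paloaltofw.PaloAltoFW,
        'cloudarmor': cloudarmor.CloudArmor,
    }
    generator = generators.get(inputs['platform'])
    if generator is not None:
        result = generator(pol, EXP_INFO)
    # Unknown platform: result stays "" (kept for compatibility). Callers
    # should treat an empty ACL as a generation failure, not as a valid
    # "allow nothing / allow everything" policy, before pushing it anywhere.

    return str(result)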