def testExpiredTerm(self, mock_warn):
aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + EXPIRED_TERM, self.naming),
EXP_INFO)
mock_warn.assert_called_once_with(
'WARNING: Term %s in policy %s is expired and will not '
'be rendered.', 'is-expired', 'test-filter')
def testBuildTokens(self):
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_SIMPLE, self.naming),
EXP_INFO)
st, sst = aru._BuildTokens()
self.assertEqual(SUPPORTED_TOKENS, st)
self.assertEqual(SUPPORTED_SUB_TOKENS, sst)
def testBuildTokens(self):
"""Test also covers all platform subclasses."""
pol1 = aruba.Aruba(policy.ParsePolicy(GOOD_HEADER_IPV4 + GOOD_TERM_IPV4,
self.naming), EXP_INFO)
st, sst = pol1._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testMultipleTermsIPv6(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination6 good-terms-combined-1_src
host 2001::
network 2002::/64
!
netdestination6 good-terms-combined-1_dst
host 2001::
network 2002::/64
!
ip access-list session test-filter
ipv6 alias good-terms-combined-1_src alias good-terms-combined-1_dst udp 69 permit
ipv6 any any any deny
!
"""
self.naming.GetNetAddr.return_value = [
nacaddr.IP('2002::/64'),
nacaddr.IP('2001::/128')
]
self.naming.GetServiceByProto.return_value = ['69']
aru = aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V6 + GOOD_TERMS_COMBINED_SINGLE_CASE, self.naming),
EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testNetdestination6(self):
self.naming.GetNetAddr('SERVERS').AndReturn(TEST_IPS)
self.mox.ReplayAll()
acl = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_IPV6 + GOOD_TERM_IPV6, self.naming),
EXP_INFO)
self.assertTrue('netdestination6 SERVER-LIST_6' in str(acl))
self.assertTrue(' host 2001:4860:8000::5' in str(acl))
self.assertFalse(' host 10.2.3.4' in str(acl))
def testExpiringTerm(self, mock_info):
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V4 + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
mock_info.assert_called_once_with(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is-expiring', 'test-filter')
def testNetdestination(self):
self.naming.GetNetAddr.return_value = TEST_IPS
acl = aruba.Aruba(policy.ParsePolicy(
GOOD_HEADER_IPV4 + GOOD_TERM_IPV4, self.naming), EXP_INFO)
self.assertTrue('netdestination SERVER-LIST' in str(acl))
self.assertTrue(' host 10.2.3.4' in str(acl))
self.assertFalse(' host fc01:2345:8000::5' in str(acl))
self.naming.GetNetAddr.assert_called_once_with('SERVERS')
def testNegateAny(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
no any any any permit
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_NEGATE_2,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testTermDenyAnyAnyIPv6(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
ipv6 any any any deny
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_DENY_ANY_ANY,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testTermAllowAnyAnyIPv4(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
any any any permit
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_ALLOW_ANY_ANY,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testProtocolMap(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
any any 1 permit
any any 47 permit
any any 50 permit
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_PROTOCOL_MAP,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testShortComment(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
# It will be huge.
# Owner: djtrump
any any any deny
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_SHORT_COMMENT,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testVerbatim(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
aruba uses some odd ACL format
which is kinda like, weird
any any any permit
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V4 + GOOD_TERM_VERBATIM + GOOD_TERM_ALLOW_ANY_ANY,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testNegateWithNetwork(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination good-term-negate_src
network 100.0.0.0 255.0.0.0
!
ip access-list session test-filter
no alias good-term-negate_src any any deny
!
"""
self.naming.GetNetAddr.return_value = [nacaddr.IP('100.0.0.0/8')]
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_NEGATE_1,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testLongWrappedComment(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
ip access-list session test-filter
# Two households, both alike in dignity,
# In fair Verona, where we lay our scene,
# From ancient grudge break to new mutiny, Where civil blood makes civil
# hands unclean.
# Owner: wshakespeare
any any any permit
!
"""
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_LONG_COMMENT,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testProtocolIsContiguousRange(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination good-term-destination-is-user_src
network 100.0.0.0 255.0.0.0
!
ip access-list session test-filter
alias good-term-destination-is-user_src user tcp 53 55 permit
!
"""
self.naming.GetNetAddr.return_value = [nacaddr.IP('100.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['53-55', '54']
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_DESTINATION_IS_USER,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testSingleNetdestinationIPv6(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination6 gt-one-netd_src
host 2001::
!
ip access-list session test-filter
ipv6 alias gt-one-netd_src any 1 permit
!
"""
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/128')]
aru = aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V6 + GOOD_TERM_SINGLE_NETDESTINATION, self.naming),
EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testSourceIsUser(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination good-term-source-is-user_dst
network 100.0.0.0 255.0.0.0
!
ip access-list session test-filter
user alias good-term-source-is-user_dst tcp 53 permit
!
"""
self.naming.GetNetAddr.return_value = [nacaddr.IP('100.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['53']
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_SOURCE_IS_USER,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testMultipleCallsSingleNetdestinationsBlock(self):
expected_result = textwrap.dedent("""\
# $Id:$
# $Date:$
# $Revision:$
netdestination gt-one-netd_src
host 10.1.1.1
!
ip access-list session test-filter
alias gt-one-netd_src any 1 permit
!
""")
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
aru = aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V4 + GOOD_TERM_SINGLE_NETDESTINATION, self.naming),
EXP_INFO)
self.assertEqual(expected_result, str(aru))
self.assertEqual(expected_result, str(aru))
def testTwoNetdestinationsIPv4(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination gt-two-netd_src
host 10.1.1.1
!
netdestination gt-two-netd_dst
host 10.1.1.1
!
ip access-list session test-filter
alias gt-two-netd_src alias gt-two-netd_dst 1 permit
!
"""
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
aru = aruba.Aruba(
policy.ParsePolicy(GOOD_HEADER_V4 + GOOD_TERM_TWO_NETDESTINATIONS,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testTwoNetworkNetdestinationsIPv6(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination6 gt-mix-netd_src
network 2001::/64
!
netdestination6 gt-mix-netd_dst
network 2001::/64
!
ip access-list session test-filter
ipv6 alias gt-mix-netd_src alias gt-mix-netd_dst 1 permit
!
"""
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/64')]
aru = aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V6 + GOOD_TERM_TWO_NETWORK_NETDESTINATIONS,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def testCombinedNetdestinationsIPv6(self):
expected_result = """\
# $Id:$
# $Date:$
# $Revision:$
netdestination6 good-term-combined-netdestinations_src
host 2001::
network 2002::/64
!
ip access-list session test-filter
ipv6 alias good-term-combined-netdestinations_src any tcp 80 deny
!
"""
self.naming.GetNetAddr.return_value = [
nacaddr.IP('2002::/64'),
nacaddr.IP('2001::/128')
]
self.naming.GetServiceByProto.return_value = ['80']
aru = aruba.Aruba(
policy.ParsePolicy(
GOOD_HEADER_V6 + GOOD_TERM_COMBINED_NETDESTINATIONS,
self.naming), EXP_INFO)
self.assertEqual(textwrap.dedent(expected_result), str(aru))
def RenderFile(input_file, output_directory, definitions, exp_info,
write_files):
"""Render a single file.
Args:
input_file: the name of the input policy file.
output_directory: the directory in which we place the rendered file.
definitions: the definitions from naming.Naming().
exp_info: print a info message when a term is set to expire
in that many weeks.
write_files: a list of file tuples, (output_file, acl_text), to write
"""
logging.debug('rendering file: %s into %s', input_file, output_directory)
pol = None
jcl = False
acl = False
asacl = False
aacl = False
bacl = False
eacl = False
gcefw = False
ips = False
ipt = False
spd = False
nsx = False
pcap_accept = False
pcap_deny = False
pf = False
srx = False
jsl = False
nft = False
win_afw = False
xacl = False
paloalto = False
try:
conf = open(input_file).read()
logging.debug('opened and read %s', input_file)
except IOError as e:
logging.warn('bad file: \n%s', e)
raise
try:
pol = policy.ParsePolicy(conf,
definitions,
optimize=FLAGS.optimize,
base_dir=FLAGS.base_directory,
shade_check=FLAGS.shade_check)
except policy.ShadingError as e:
logging.warn('shading errors for %s:\n%s', input_file, e)
return
except (policy.Error, naming.Error):
raise ACLParserError(
'Error parsing policy file %s:\n%s%s' %
(input_file, sys.exc_info()[0], sys.exc_info()[1]))
platforms = set()
for header in pol.headers:
platforms.update(header.platforms)
if 'juniper' in platforms:
jcl = copy.deepcopy(pol)
if 'cisco' in platforms:
acl = copy.deepcopy(pol)
if 'ciscoasa' in platforms:
asacl = copy.deepcopy(pol)
if 'brocade' in platforms:
bacl = copy.deepcopy(pol)
if 'arista' in platforms:
eacl = copy.deepcopy(pol)
if 'aruba' in platforms:
aacl = copy.deepcopy(pol)
if 'ipset' in platforms:
ips = copy.deepcopy(pol)
if 'iptables' in platforms:
ipt = copy.deepcopy(pol)
if 'nsxv' in platforms:
nsx = copy.deepcopy(pol)
if 'packetfilter' in platforms:
pf = copy.deepcopy(pol)
if 'pcap' in platforms:
pcap_accept = copy.deepcopy(pol)
pcap_deny = copy.deepcopy(pol)
if 'speedway' in platforms:
spd = copy.deepcopy(pol)
if 'srx' in platforms:
srx = copy.deepcopy(pol)
if 'srxlo' in platforms:
jsl = copy.deepcopy(pol)
if 'windows_advfirewall' in platforms:
win_afw = copy.deepcopy(pol)
if 'ciscoxr' in platforms:
xacl = copy.deepcopy(pol)
if 'nftables' in platforms:
nft = copy.deepcopy(pol)
if 'gce' in platforms:
gcefw = copy.deepcopy(pol)
if 'paloalto' in platforms:
paloalto = copy.deepcopy(pol)
if not output_directory.endswith('/'):
output_directory += '/'
try:
if jcl:
acl_obj = juniper.Juniper(jcl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if srx:
acl_obj = junipersrx.JuniperSRX(srx, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if acl:
acl_obj = cisco.Cisco(acl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if asacl:
acl_obj = ciscoasa.CiscoASA(acl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if aacl:
acl_obj = aruba.Aruba(aacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if bacl:
acl_obj = brocade.Brocade(bacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if eacl:
acl_obj = arista.Arista(eacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if ips:
acl_obj = ipset.Ipset(ips, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if ipt:
acl_obj = iptables.Iptables(ipt, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if nsx:
acl_obj = nsxv.Nsxv(nsx, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if spd:
acl_obj = speedway.Speedway(spd, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pcap_accept:
acl_obj = pcap.PcapFilter(pcap_accept, exp_info)
RenderACL(str(acl_obj), '-accept' + acl_obj.SUFFIX,
output_directory, input_file, write_files)
if pcap_deny:
acl_obj = pcap.PcapFilter(pcap_deny, exp_info, invert=True)
RenderACL(str(acl_obj), '-deny' + acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pf:
acl_obj = packetfilter.PacketFilter(pf, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if win_afw:
acl_obj = windows_advfirewall.WindowsAdvFirewall(win_afw, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if jsl:
acl_obj = srxlo.SRXlo(jsl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if xacl:
acl_obj = ciscoxr.CiscoXR(xacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if nft:
acl_obj = nftables.Nftables(nft, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if gcefw:
acl_obj = gce.GCE(gcefw, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if paloalto:
acl_obj = paloaltofw.PaloAltoFW(paloalto, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
# TODO(robankeny) add additional errors.
except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
iptables.Error, speedway.Error, pcap.Error, aclgenerator.Error,
aruba.Error, nftables.Error, gce.Error):
raise ACLGeneratorError(
'Error generating target ACL for %s:\n%s%s' %
(input_file, sys.exc_info()[0], sys.exc_info()[1]))
def render_filters(source_file, definitions_obj, shade_check, exp_info):
count = 0
[(eacl, aacl, bacl, jcl, acl, asa, xacl, ipt, ips, pf, spd, spk, srx, dem)
] = [(False, False, False, False, False, False, False, False, False,
False, False, False, False, False)]
pol = policy.ParsePolicy(open(source_file).read(),
definitions_obj,
shade_check=shade_check)
for header in pol.headers:
if 'arista' in header.platforms:
eacl = copy.deepcopy(pol)
if 'aruba' in header.platforms:
aacl = copy.deepcopy(pol)
if 'brocade' in header.platforms:
bacl = copy.deepcopy(pol)
if 'juniper' in header.platforms:
jcl = copy.deepcopy(pol)
if 'cisco' in header.platforms:
acl = copy.deepcopy(pol)
if 'ciscoasa' in header.platforms:
asa = copy.deepcopy(pol)
if 'ciscoxr' in header.platforms:
xacl = copy.deepcopy(pol)
if 'iptables' in header.platforms:
ipt = copy.deepcopy(pol)
if 'ipset' in header.platforms:
ips = copy.deepcopy(pol)
if 'packetfilter' in header.platforms:
pf = copy.deepcopy(pol)
if 'speedway' in header.platforms:
spd = copy.deepcopy(pol)
# SRX needs to be un-optimized for correct building of the address book
# entries.
if 'srx' in header.platforms:
unoptimized_pol = policy.ParsePolicy(open(source_file).read(),
definitions_obj,
optimize=False)
srx = copy.deepcopy(unoptimized_pol)
if 'demo' in header.platforms:
dem = copy.deepcopy(pol)
if eacl:
fw = arista.Arista(eacl, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if aacl:
fw = aruba.Aruba(aacl, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if bacl:
fw = brocade.Brocade(bacl, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if jcl:
fw = juniper.Juniper(jcl, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if acl:
fw = cisco.Cisco(acl, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if asa:
fw = ciscoasa.CiscoASA(asa, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if xacl:
fw = ciscoxr.CiscoXR(xacl, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if ipt:
fw = iptables.Iptables(ipt, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if ips:
fw = ipset.Ipset(ips, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if pf:
fw = packetfilter.PacketFilter(pf, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if spd:
fw = speedway.Speedway(spd, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if srx:
fw = junipersrx.JuniperSRX(srx, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
if dem:
fw = demo.Demo(dem, exp_info)
do_output_filter(str(fw), filter_name(source_file, fw._SUFFIX))
count += 1
return count
def testBuildWarningTokens(self): t = GOOD_HEADER_IPV4 + GOOD_TERM_IPV4_1 pol1 = aruba.Aruba(policy.ParsePolicy(t, self.naming), EXP_INFO) st, sst = pol1._BuildTokens() self.assertEquals(st, SUPPORTED_TOKENS) self.assertEquals(sst, SUPPORTED_SUB_TOKENS)