def testTcpOptions(self):
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + ESTABLISHED_TERM, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('(tcp[tcpflags] & (tcp-ack) == (tcp-ack)' in result,
'did not find actual term for established')
def testMultiprotocol(self):
acl = pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + MULTIPLE_PROTOCOLS_TERM, self.naming), EXP_INFO)
result = str(acl)
self.failUnless(
'(proto \\tcp or proto \\udp or proto \\icmp)' in result,
'did not find actual term for multi-proto')
def testNextTerm(self):
self.mox.ReplayAll()
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + NEXT_TERM, self.naming), EXP_INFO)
result = str(acl)
self.failUnless('' in result,
'did not find actual term for good-term-icmpv6')
def testExpiredTerm(self, mock_warn):
pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + EXPIRED_TERM, self.naming), EXP_INFO)
mock_warn.assert_called_once_with(
'WARNING: Term %s in policy %s is expired and '
'will not be rendered.', 'expired_test', 'test-filter')
def testIcmpCode(self):
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_ICMP_CODE, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('and icmp[icmpcode] == 3' in result, result)
self.failUnless('and icmp[icmpcode] == 4' in result, result)
def testIcmpv6(self):
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_ICMPV6, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('icmp6' in result,
'did not find actual term for good-term-icmpv6')
def testLog(self):
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_LOG, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('proto \\tcp' in result,
'did not find actual term for good-term-log')
def testVrrpTerm(self):
acl = pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + VRRP_TERM, self.naming), EXP_INFO)
result = str(acl)
self.failUnless(
'(proto 112)' in result,
'did not find actual term for vrrp')
def testBuildTokens(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
pol1 = pcap.PcapFilter(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP,
self.naming), EXP_INFO)
st, sst = pol1._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testMultiHeader(self):
acl = pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + GOOD_TERM_LOG + GOOD_HEADER + GOOD_TERM_ICMP,
self.naming), EXP_INFO)
result = str(acl)
self.failUnless(
'((((proto \\tcp))\n))\nor\n((((proto \\icmp))\n))' in result,
'did not find actual terms for multi-header')
def testIcmp(self):
self.mox.ReplayAll()
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_ICMP, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('proto \\icmp' in result,
'did not find actual term for good-term-icmp')
def testIcmpTypes(self):
acl = pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + GOOD_TERM_ICMP_TYPES, self.naming), EXP_INFO)
result = str(acl)
self.failUnless(
'(proto \\icmp) and (icmp[icmptype] == 0 or icmp[icmptype] == 3'
' or icmp[icmptype] == 11)' in result,
'did not find actual term for good-term-icmp-types')
def testHbh(self):
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_HBH, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('(ip6 protochain 0)' in result,
'did not find actual terms for unicast-term')
def testDirectional(self):
acl = pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER_IN + GOOD_TERM_LOG + GOOD_HEADER_OUT + GOOD_TERM_ICMP,
self.naming), EXP_INFO)
result = str(acl)
self.failUnless(
'(((dst net localhost and ((proto \\tcp)))\n))\nor\n'
'(((src net localhost and ((proto \\icmp)))\n))' in result,
'did not find actual terms for directional')
def testUnicastIPv6(self):
self.naming.GetNetAddr('ANY').AndReturn([nacaddr.IP('::/0')])
self.mox.ReplayAll()
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER_IN + UNICAST_TERM, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('(dst net localhost and ((proto \\tcp)))' in result,
'did not find actual terms for unicast-term')
def testExpiringTerm(self, mock_info):
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
mock_info.assert_called_once_with(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is_expiring', 'test-filter')
def testExpiredTerm(self):
self.mox.StubOutWithMock(pcap.logging, 'warn')
# create mock to ensure we warn about expired terms being skipped
pcap.logging.warn(
'WARNING: Term %s in policy %s is expired and '
'will not be rendered.', 'expired_test', 'test-filter')
self.mox.ReplayAll()
pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM, self.naming),
EXP_INFO)
def testUnicastIPv6(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('::/0')]
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER_IN + UNICAST_TERM, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('(dst net localhost and ((proto \\tcp)))' in result,
'did not find actual terms for unicast-term')
self.naming.GetNetAddr.assert_called_once_with('ANY')
def testExpiringTerm(self):
self.mox.StubOutWithMock(pcap.logging, 'info')
# create mock to ensure we inform about expiring terms
pcap.logging.info(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is_expiring', 'test-filter')
self.mox.ReplayAll()
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
pcap.PcapFilter(
policy.ParsePolicy(
GOOD_HEADER + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
def testTcp(self):
self.naming.GetNetAddr('PROD_NETWRK').AndReturn(
[nacaddr.IP('10.0.0.0/8')])
self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
self.mox.ReplayAll()
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless(
'(dst net 10.0.0.0/8) and (proto \\tcp) and (dst port 25)'
in result, 'did not find actual term for good-term-tcp')
def testTcp(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
acl = pcap.PcapFilter(policy.ParsePolicy(
GOOD_HEADER + GOOD_TERM_TCP, self.naming), EXP_INFO)
result = str(acl)
self.failUnless(
'(dst net 10.0.0.0/8) and (proto \\tcp) and (dst port 25)' in result,
'did not find actual term for good-term-tcp')
self.naming.GetNetAddr.assert_called_once_with('PROD_NETWRK')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def RenderFile(input_file, output_directory, definitions, exp_info,
write_files):
"""Render a single file.
Args:
input_file: the name of the input policy file.
output_directory: the directory in which we place the rendered file.
definitions: the definitions from naming.Naming().
exp_info: print a info message when a term is set to expire
in that many weeks.
write_files: a list of file tuples, (output_file, acl_text), to write
"""
logging.debug('rendering file: %s into %s', input_file, output_directory)
pol = None
jcl = False
acl = False
asacl = False
aacl = False
bacl = False
eacl = False
gcefw = False
ips = False
ipt = False
spd = False
nsx = False
pcap_accept = False
pcap_deny = False
pf = False
srx = False
jsl = False
nft = False
win_afw = False
xacl = False
paloalto = False
try:
conf = open(input_file).read()
logging.debug('opened and read %s', input_file)
except IOError as e:
logging.warn('bad file: \n%s', e)
raise
try:
pol = policy.ParsePolicy(conf,
definitions,
optimize=FLAGS.optimize,
base_dir=FLAGS.base_directory,
shade_check=FLAGS.shade_check)
except policy.ShadingError as e:
logging.warn('shading errors for %s:\n%s', input_file, e)
return
except (policy.Error, naming.Error):
raise ACLParserError(
'Error parsing policy file %s:\n%s%s' %
(input_file, sys.exc_info()[0], sys.exc_info()[1]))
platforms = set()
for header in pol.headers:
platforms.update(header.platforms)
if 'juniper' in platforms:
jcl = copy.deepcopy(pol)
if 'cisco' in platforms:
acl = copy.deepcopy(pol)
if 'ciscoasa' in platforms:
asacl = copy.deepcopy(pol)
if 'brocade' in platforms:
bacl = copy.deepcopy(pol)
if 'arista' in platforms:
eacl = copy.deepcopy(pol)
if 'aruba' in platforms:
aacl = copy.deepcopy(pol)
if 'ipset' in platforms:
ips = copy.deepcopy(pol)
if 'iptables' in platforms:
ipt = copy.deepcopy(pol)
if 'nsxv' in platforms:
nsx = copy.deepcopy(pol)
if 'packetfilter' in platforms:
pf = copy.deepcopy(pol)
if 'pcap' in platforms:
pcap_accept = copy.deepcopy(pol)
pcap_deny = copy.deepcopy(pol)
if 'speedway' in platforms:
spd = copy.deepcopy(pol)
if 'srx' in platforms:
srx = copy.deepcopy(pol)
if 'srxlo' in platforms:
jsl = copy.deepcopy(pol)
if 'windows_advfirewall' in platforms:
win_afw = copy.deepcopy(pol)
if 'ciscoxr' in platforms:
xacl = copy.deepcopy(pol)
if 'nftables' in platforms:
nft = copy.deepcopy(pol)
if 'gce' in platforms:
gcefw = copy.deepcopy(pol)
if 'paloalto' in platforms:
paloalto = copy.deepcopy(pol)
if not output_directory.endswith('/'):
output_directory += '/'
try:
if jcl:
acl_obj = juniper.Juniper(jcl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if srx:
acl_obj = junipersrx.JuniperSRX(srx, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if acl:
acl_obj = cisco.Cisco(acl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if asacl:
acl_obj = ciscoasa.CiscoASA(acl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if aacl:
acl_obj = aruba.Aruba(aacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if bacl:
acl_obj = brocade.Brocade(bacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if eacl:
acl_obj = arista.Arista(eacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if ips:
acl_obj = ipset.Ipset(ips, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if ipt:
acl_obj = iptables.Iptables(ipt, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if nsx:
acl_obj = nsxv.Nsxv(nsx, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if spd:
acl_obj = speedway.Speedway(spd, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pcap_accept:
acl_obj = pcap.PcapFilter(pcap_accept, exp_info)
RenderACL(str(acl_obj), '-accept' + acl_obj.SUFFIX,
output_directory, input_file, write_files)
if pcap_deny:
acl_obj = pcap.PcapFilter(pcap_deny, exp_info, invert=True)
RenderACL(str(acl_obj), '-deny' + acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pf:
acl_obj = packetfilter.PacketFilter(pf, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if win_afw:
acl_obj = windows_advfirewall.WindowsAdvFirewall(win_afw, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if jsl:
acl_obj = srxlo.SRXlo(jsl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if xacl:
acl_obj = ciscoxr.CiscoXR(xacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if nft:
acl_obj = nftables.Nftables(nft, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if gcefw:
acl_obj = gce.GCE(gcefw, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if paloalto:
acl_obj = paloaltofw.PaloAltoFW(paloalto, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
# TODO(robankeny) add additional errors.
except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
iptables.Error, speedway.Error, pcap.Error, aclgenerator.Error,
aruba.Error, nftables.Error, gce.Error):
raise ACLGeneratorError(
'Error generating target ACL for %s:\n%s%s' %
(input_file, sys.exc_info()[0], sys.exc_info()[1]))
def testBadIcmp(self):
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + BAD_TERM_ICMP, self.naming),
EXP_INFO)
self.assertRaises(aclgenerator.UnsupportedFilterError, str, acl)
