def testBuildWarningTokens(self): pol1 = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_IN + GOOD_SIMPLE_WARNING, self.naming), EXP_INFO) st, sst = pol1._BuildTokens() self.assertEquals(st, SUPPORTED_TOKENS) self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testExpiredTerm(self, mock_warn): windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + EXPIRED_TERM, self.naming), EXP_INFO) mock_warn.assert_called_once_with( 'WARNING: Term %s in policy %s is expired ' 'and will not be rendered.', 'expired_test', 'out')
def testIcmp(self): acl = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + GOOD_TERM_ICMP, self.naming), EXP_INFO) result = str(acl) self.FailUnless([ 'name=o_good-term-icmp enable=yes interfacetype=any dir=out' ' localip=any remoteip=any protocol=icmpv4 action=allow' ], result, 'did not find actual term for good-term-icmp')
def testExpiredTerm(self): self.mox.StubOutWithMock(windows_advfirewall.logging, 'warn') # create mock to ensure we warn about expired terms being skipped windows_advfirewall.logging.warn( 'WARNING: Term %s in policy %s is expired ' 'and will not be rendered.', 'expired_test', 'out') self.mox.ReplayAll() windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + EXPIRED_TERM, self.naming), EXP_INFO)
def testExpiringTerm(self, mock_info): exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO) windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy( GOOD_HEADER_OUT + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'), self.naming), EXP_INFO) mock_info.assert_called_once_with( 'INFO: Term %s in policy %s expires in ' 'less than two weeks.', 'is_expiring', 'out')
def testMultiprotocol(self): acl = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + MULTIPLE_PROTOCOLS_TERM, self.naming), EXP_INFO) result = str(acl) self.FailUnless([ 'name=o_multi-proto enable=yes interfacetype=any dir=out localip=any' ' remoteip=any protocol=tcp action=allow', 'name=o_multi-proto enable=yes interfacetype=any dir=out localip=any' ' remoteip=any protocol=udp action=allow', 'name=o_multi-proto enable=yes interfacetype=any dir=out localip=any' ' remoteip=any protocol=icmpv4 action=allow' ], result, 'did not find actual term for multi-proto')
def testDirectionIn(self): self.naming.GetNetAddr('PROD_NETWRK').AndReturn( [nacaddr.IP('10.0.0.0/8')]) self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25']) self.mox.ReplayAll() acl = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_IN + GOOD_TERM_TCP, self.naming), EXP_INFO) result = str(acl) self.FailUnless([ 'name=i_good-term-tcp enable=yes interfacetype=any dir=in remoteip=any' ' localip=10.0.0.0/8 localport=25 protocol=tcp action=allow' ], result, 'did not find actual term for good-term-tcp-direction-in')
def testExpiringTerm(self): self.mox.StubOutWithMock(windows_advfirewall.logging, 'info') # create mock to ensure we inform about expiring terms windows_advfirewall.logging.info( 'INFO: Term %s in policy %s expires in ' 'less than two weeks.', 'is_expiring', 'out') self.mox.ReplayAll() exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO) windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy( GOOD_HEADER_OUT + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'), self.naming), EXP_INFO)
def testIcmpTypes(self): self.mox.ReplayAll() acl = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + GOOD_TERM_ICMP_TYPES, self.naming), EXP_INFO) result = str(acl) self.FailUnless([ 'name=o_good-term-icmp-types enable=yes interfacetype=any dir=out' ' localip=any remoteip=any protocol=icmpv4:0 action=block', 'name=o_good-term-icmp-types enable=yes interfacetype=any dir=out' ' localip=any remoteip=any protocol=icmpv4:3 action=block', 'name=o_good-term-icmp-types enable=yes interfacetype=any dir=out' ' localip=any remoteip=any protocol=icmpv4:11 action=block' ], result, 'did not find actual term for good-term-icmp-types')
def testTcp(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] self.naming.GetServiceByProto.return_value = ['25'] acl = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + GOOD_TERM_TCP, self.naming), EXP_INFO) result = str(acl) self.FailUnless([ 'name=o_good-term-tcp enable=yes interfacetype=any dir=out localip=any' ' remoteip=10.0.0.0/8 remoteport=25 protocol=tcp action=allow' ], result, 'did not find actual term for good-term-tcp') self.naming.GetNetAddr.assert_called_once_with('PROD_NETWRK') self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def RenderFile(input_file, output_directory, definitions, exp_info, write_files): """Render a single file. Args: input_file: the name of the input policy file. output_directory: the directory in which we place the rendered file. definitions: the definitions from naming.Naming(). exp_info: print a info message when a term is set to expire in that many weeks. write_files: a list of file tuples, (output_file, acl_text), to write """ logging.debug('rendering file: %s into %s', input_file, output_directory) pol = None jcl = False acl = False asacl = False aacl = False bacl = False eacl = False gcefw = False ips = False ipt = False spd = False nsx = False pcap_accept = False pcap_deny = False pf = False srx = False jsl = False nft = False win_afw = False xacl = False paloalto = False try: conf = open(input_file).read() logging.debug('opened and read %s', input_file) except IOError as e: logging.warn('bad file: \n%s', e) raise try: pol = policy.ParsePolicy(conf, definitions, optimize=FLAGS.optimize, base_dir=FLAGS.base_directory, shade_check=FLAGS.shade_check) except policy.ShadingError as e: logging.warn('shading errors for %s:\n%s', input_file, e) return except (policy.Error, naming.Error): raise ACLParserError( 'Error parsing policy file %s:\n%s%s' % (input_file, sys.exc_info()[0], sys.exc_info()[1])) platforms = set() for header in pol.headers: platforms.update(header.platforms) if 'juniper' in platforms: jcl = copy.deepcopy(pol) if 'cisco' in platforms: acl = copy.deepcopy(pol) if 'ciscoasa' in platforms: asacl = copy.deepcopy(pol) if 'brocade' in platforms: bacl = copy.deepcopy(pol) if 'arista' in platforms: eacl = copy.deepcopy(pol) if 'aruba' in platforms: aacl = copy.deepcopy(pol) if 'ipset' in platforms: ips = copy.deepcopy(pol) if 'iptables' in platforms: ipt = copy.deepcopy(pol) if 'nsxv' in platforms: nsx = copy.deepcopy(pol) if 'packetfilter' in platforms: pf = copy.deepcopy(pol) if 'pcap' in platforms: pcap_accept = copy.deepcopy(pol) pcap_deny = copy.deepcopy(pol) if 'speedway' in platforms: spd = copy.deepcopy(pol) if 'srx' in platforms: srx = copy.deepcopy(pol) if 'srxlo' in platforms: jsl = copy.deepcopy(pol) if 'windows_advfirewall' in platforms: win_afw = copy.deepcopy(pol) if 'ciscoxr' in platforms: xacl = copy.deepcopy(pol) if 'nftables' in platforms: nft = copy.deepcopy(pol) if 'gce' in platforms: gcefw = copy.deepcopy(pol) if 'paloalto' in platforms: paloalto = copy.deepcopy(pol) if not output_directory.endswith('/'): output_directory += '/' try: if jcl: acl_obj = juniper.Juniper(jcl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if srx: acl_obj = junipersrx.JuniperSRX(srx, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if acl: acl_obj = cisco.Cisco(acl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if asacl: acl_obj = ciscoasa.CiscoASA(acl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if aacl: acl_obj = aruba.Aruba(aacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if bacl: acl_obj = brocade.Brocade(bacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if eacl: acl_obj = arista.Arista(eacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if ips: acl_obj = ipset.Ipset(ips, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if ipt: acl_obj = iptables.Iptables(ipt, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if nsx: acl_obj = nsxv.Nsxv(nsx, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if spd: acl_obj = speedway.Speedway(spd, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if pcap_accept: acl_obj = pcap.PcapFilter(pcap_accept, exp_info) RenderACL(str(acl_obj), '-accept' + acl_obj.SUFFIX, output_directory, input_file, write_files) if pcap_deny: acl_obj = pcap.PcapFilter(pcap_deny, exp_info, invert=True) RenderACL(str(acl_obj), '-deny' + acl_obj.SUFFIX, output_directory, input_file, write_files) if pf: acl_obj = packetfilter.PacketFilter(pf, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if win_afw: acl_obj = windows_advfirewall.WindowsAdvFirewall(win_afw, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if jsl: acl_obj = srxlo.SRXlo(jsl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if xacl: acl_obj = ciscoxr.CiscoXR(xacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if nft: acl_obj = nftables.Nftables(nft, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if gcefw: acl_obj = gce.GCE(gcefw, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if paloalto: acl_obj = paloaltofw.PaloAltoFW(paloalto, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) # TODO(robankeny) add additional errors. except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error, iptables.Error, speedway.Error, pcap.Error, aclgenerator.Error, aruba.Error, nftables.Error, gce.Error): raise ACLGeneratorError( 'Error generating target ACL for %s:\n%s%s' % (input_file, sys.exc_info()[0], sys.exc_info()[1]))
def testBadIcmp(self): acl = windows_advfirewall.WindowsAdvFirewall( policy.ParsePolicy(GOOD_HEADER_OUT + BAD_TERM_ICMP, self.naming), EXP_INFO) self.assertRaises(aclgenerator.UnsupportedFilterError, str, acl)