def testNoIPv6InOutput(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2620:0:1000::/40')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failIf('::' in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testRemark(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_EXTENDED_NUMBERED_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
self.failUnless('ip access-list extended 150' in str(acl), str(acl))
self.failUnless(' remark numbered extended' in str(acl), str(acl))
self.failIf('150 remark' in str(acl), str(acl))
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(
policy.ParsePolicy(
GOOD_STANDARD_NUMBERED_HEADER + GOOD_STANDARD_TERM_1,
self.naming), EXP_INFO)
self.failUnless('access-list 50 remark' in str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testProtoInts(self):
pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_7 + GOOD_TERM_9,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.assertIn('permit 112 any any', str(acl), str(acl))
self.assertIn('permit tcp any any range 1024 65535 '
'established', str(acl), str(acl))
self.assertIn('permit udp any any range 1024 65535', str(acl),
str(acl))
def testExpiringTerm(self, mock_info):
exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
_ = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + EXPIRING_TERM %
exp_date.strftime('%Y-%m-%d'),
self.naming), EXP_INFO)
mock_info.assert_called_once_with(
'INFO: Term %s in policy %s expires in '
'less than two weeks.', 'is_expiring', 'test-filter')
def testTermDSCPMarker(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/24')]
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_21,
self.naming), EXP_INFO)
expected = 'permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255'
self.failUnless(expected in str(acl), str(acl))
self.naming.GetNetAddr.assert_has_calls([mock.call('cs4-valid_network_name'),
mock.call('cs4-valid_network_name')])
def testFragments(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/24')]
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_20,
self.naming), EXP_INFO)
expected = 'permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 fragments'
self.assertIn(expected, str(acl), str(acl))
self.naming.GetNetAddr.assert_has_calls([mock.call('SOME_HOST'),
mock.call('SOME_HOST')])
def testRestrictAddressFamilyType(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('127.0.0.1'), nacaddr.IPv6('::1/128')]
acl = cisco.Cisco(policy.ParsePolicy(GOOD_MIXED_HEADER + GOOD_TERM_23,
self.naming), EXP_INFO)
output = str(acl)
self.assertIn('127.0.0.1', output, output)
self.assertNotIn('::1/128', output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testStandardTermHost(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_1,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'access-list 99 permit 10.1.1.1'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testNoVerbose(self):
for i in [
GOOD_NOVERBOSE_HEADER, GOOD_NOVERBOSE_STANDARD_HEADER,
GOOD_NOVERBOSE_OBJGRP_HEADER, GOOD_NOVERBOSE_INET6_HEADER
]:
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/24')]
acl = cisco.Cisco(
policy.ParsePolicy(i + GOOD_STANDARD_TERM_1, self.naming),
EXP_INFO)
self.assertNotIn('remark', str(acl), str(acl))
def testIcmpInet6Mismatch(self, mock_debug):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
# output happens in __str_
str(acl)
mock_debug.assert_called_once_with(
'Term good-term-1 will not be rendered,'
' as it has icmp match specified but '
'the ACL is of inet6 address family.')
def testStandardTermNet(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'access-list 99 permit 10.0.0.0 0.255.255.255'
self.assertIn(expected, str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testIPVersion(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('0.0.0.0/0'),
nacaddr.IP('::/0')]
pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_6, self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
# check if we've got a v6 address in there.
self.assertNotIn('::', str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('ANY')
def testIpv6IcmpTypes(self):
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_11, self.naming),
EXP_INFO)
# echo-reply = icmp-type code 129
self.failUnless(re.search('permit 58 any any 129', str(acl)), str(acl))
# destination-unreachable = icmp-type code 1
self.failUnless(re.search('permit 58 any any 1', str(acl)), str(acl))
# time-exceeded = icmp-type code 3
self.failUnless(re.search('permit 58 any any 3', str(acl)), str(acl))
def testIcmpTypes(self):
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming),
EXP_INFO)
# echo-reply = 0
self.failUnless(re.search('permit icmp any any 0', str(acl)), str(acl))
# unreachable = 3
self.failUnless(re.search('permit icmp any any 3', str(acl)), str(acl))
# time-exceeded = 11
self.failUnless(re.search('permit icmp any any 11', str(acl)),
str(acl))
def testNamedStandard(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'ip access-list standard FOO'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
expected = ' permit 10.0.0.0 0.255.255.255\n'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testDsmo(self):
addr_list = list()
for octet in range(0, 256):
net = nacaddr.IP('192.168.' + str(octet) + '.64/27')
addr_list.append(net)
self.naming.GetNetAddr.return_value = addr_list
acl = cisco.Cisco(policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_8,
self.naming), EXP_INFO)
self.assertIn('permit tcp any 192.168.0.64 0.0.255.31', str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testOptions(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['80']
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2,
self.naming), EXP_INFO)
# this is a hacky sort of way to test that 'established' maps to HIGH_PORTS
# in the destination port section.
range_test = 'permit tcp any eq 80 10.0.0.0 0.255.255.255 range 1024 65535'
self.assertIn(range_test, str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')
def testRemark(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
# Extended ACLs should have extended remark style.
acl = cisco.Cisco(policy.ParsePolicy(
GOOD_EXTENDED_NUMBERED_HEADER + GOOD_TERM_1, self.naming), EXP_INFO)
self.assertIn('ip access-list extended 150', str(acl), str(acl))
self.assertIn(' remark numbered extended', str(acl), str(acl))
self.assertNotIn('150 remark', str(acl), str(acl))
# Standard ACLs should have standard remark style.
acl = cisco.Cisco(policy.ParsePolicy(
GOOD_STANDARD_NUMBERED_HEADER + GOOD_STANDARD_TERM_1, self.naming),
EXP_INFO)
self.assertIn('access-list 50 remark numbered standard', str(acl),
str(acl))
self.assertIn('access-list 50 remark standard-term-1', str(acl),
str(acl))
self.assertIn('access-list 50 remark %sId:%s' % ('$', '$'), str(acl),
str(acl))
self.assertNotIn('access-list 50 remark %sRevision:%s' % ('$', '$'),
str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testExpandingConsequtivePorts(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['80', '81']
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_14,
self.naming), EXP_INFO)
first_string = 'permit tcp any 10.0.0.0 0.255.255.255 eq 80'
second_string = 'permit tcp any 10.0.0.0 0.255.255.255 eq 81'
self.assertIn(first_string, str(acl), '[%s]' % str(acl))
self.assertIn(second_string, str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with(
'CONSECUTIVE_PORTS', 'tcp')
def testInet6(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8'),
nacaddr.IP('2001:4860:8000::/33')]
acl = cisco.Cisco(policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_8,
self.naming), EXP_INFO)
inet6_test1 = 'no ipv6 access-list inet6_acl'
inet6_test2 = 'ipv6 access-list inet6_acl'
inet6_test3 = 'permit tcp any 2001:4860:8000::/33'
self.assertIn(inet6_test1, str(acl), '[%s]' % str(acl))
self.assertIn(inet6_test2, str(acl), '[%s]' % str(acl))
self.assertTrue(re.search(inet6_test3, str(acl)), str(acl))
self.assertNotIn('10.0.0.0', str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testLongHeader(self):
pol = policy.ParsePolicy(
LONG_VERSION_HEADER + GOOD_TERM_7,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
print(acl)
self.assertIn('remark This long header should be split even on a', str(acl))
self.assertIn(('remark looooooooooooooooooooooooooonnnnnnnnnnnnnnnnnn'
'gggggggggg string.'), str(acl))
self.assertIn(('remark https://www.google.com/maps/place/1600+Amphitheatr'
'e+Parkway,+Mountain+'), str(acl))
self.assertIn(('remark View,+CA/@37.507491,-122.2540443,15z/data=!4m5!3m4!'
'1s0x808fb99f8c51e88'), str(acl))
self.assertIn(('remark 5:0x169ef02a512c5b28!8m2!3d37.4220579!4d-122.084'
'0897'), str(acl))
def _get_acl_text(pol, platform):
# type: (policy.Policy, str) -> str
# Capirca policy terms can have expiration dates, and Capirca warns if any
# of the terms expire before this future date. Just set to a large number to
# prevent warning - Capirca already warns itself if terms are expired.
exp_info_weeks = 52 * 100 # ~100 years
platform = platform.strip().lower()
if platform == "arista":
from capirca.lib import arista
return str(arista.Arista(pol, exp_info_weeks))
elif platform == "cisco" or platform == "cisco-nx":
from capirca.lib import cisco
return str(cisco.Cisco(pol, exp_info_weeks))
elif platform == "cisco-xr":
from capirca.lib import ciscoxr
return str(ciscoxr.CiscoXR(pol, exp_info_weeks))
elif platform == "ciscoasa":
from capirca.lib import ciscoasa
return str(ciscoasa.CiscoASA(pol, exp_info_weeks))
elif platform == "juniper":
from capirca.lib import juniper
return str(juniper.Juniper(pol, exp_info_weeks))
elif platform == "juniper-srx":
from capirca.lib import junipersrx
return str(junipersrx.JuniperSRX(pol, exp_info_weeks))
elif platform == "paloalto":
# from capirca.lib import paloaltofw
# return str(paloaltofw.PaloAltoFW(pol, exp_info_weeks))
raise ValueError(
"Capirca generates Palo Alto ACLs in XML form, which Batfish does not yet parse"
)
else:
raise ValueError(
"Either Capirca or Pybatfish does not handle converting to ACLs in platform: "
+ platform
)
def testObjectGroup(self):
ip_grp = ['object-group network ipv4 SOME_HOST']
ip_grp.append(' 10.0.0.0/8')
ip_grp.append('exit')
port_grp1 = ['object-group port 80-80']
port_grp1.append(' eq 80')
port_grp1.append('exit')
port_grp2 = ['object-group port 1024-65535']
port_grp2.append(' range 1024 65535')
port_grp2.append('exit')
self.naming.GetNetAddr.return_value = [
nacaddr.IP('10.0.0.0/8', token='SOME_HOST')
]
self.naming.GetServiceByProto.return_value = ['80']
pol = policy.ParsePolicy(
GOOD_OBJGRP_HEADER + GOOD_TERM_2 + GOOD_TERM_18, self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failUnless('\n'.join(ip_grp) in str(acl),
'%s %s' % ('\n'.join(ip_grp), str(acl)))
self.failUnless('\n'.join(port_grp1) in str(acl),
'%s %s' % ('\n'.join(port_grp1), str(acl)))
self.failUnless('\n'.join(port_grp2) in str(acl),
'%s %s' % ('\n'.join(port_grp2), str(acl)))
# Object-group terms should use the object groups created.
self.failUnless(
' permit tcp any port-group 80-80 net-group SOME_HOST port-group'
' 1024-65535' in str(acl), str(acl))
self.failUnless(
' permit ip net-group SOME_HOST net-group SOME_HOST' in str(acl),
str(acl))
# There should be no addrgroups that look like IP addresses.
for addrgroup in re.findall(r'net-group ([a-f0-9.:/]+)', str(acl)):
self.assertRaises(ValueError, nacaddr.IP(addrgroup))
self.naming.GetNetAddr.assert_has_calls(
[mock.call('SOME_HOST'),
mock.call('SOME_HOST')])
self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')
def testMixed(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8'),
nacaddr.IP('2001:4860:8000::/33')]
acl = cisco.Cisco(policy.ParsePolicy(GOOD_MIXED_HEADER + GOOD_TERM_8,
self.naming), EXP_INFO)
inet6_test1 = 'no ip access-list extended mixed_acl'
inet6_test2 = 'ip access-list extended mixed_acl'
inet6_test3 = 'permit tcp any 10.0.0.0 0.255.255.255'
inet6_test4 = 'no ipv6 access-list ipv6-mixed_acl'
inet6_test5 = 'ipv6 access-list ipv6-mixed_acl'
inet6_test6 = 'permit tcp any 2001:4860:8000::/33'
aclout = str(acl)
self.assertIn(inet6_test1, aclout, '[%s]' % aclout)
self.assertIn(inet6_test2, aclout, '[%s]' % aclout)
self.assertTrue(re.search(inet6_test3, aclout), aclout)
self.assertIn(inet6_test4, aclout, '[%s]' % aclout)
self.assertIn(inet6_test5, aclout, '[%s]' % aclout)
self.assertTrue(re.search(inet6_test6, aclout), aclout)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testBuildWarningTokens(self):
pol1 = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17,
self.naming), EXP_INFO)
st, sst = pol1._BuildTokens()
self.assertEqual(st, SUPPORTED_TOKENS)
self.assertEqual(sst, SUPPORTED_SUB_TOKENS)
def testOwnerTerm(self):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER +
GOOD_TERM_13, self.naming), EXP_INFO)
self.assertTrue(re.search(' remark Owner: [email protected]',
str(acl)), str(acl))
def testTermHopByHop(self):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_15,
self.naming), EXP_INFO)
self.assertIn('permit hbh any any', str(acl), str(acl))
def testDefaultInet6Protocol(self):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_12,
self.naming), EXP_INFO)
self.assertTrue(re.search('permit ipv6 any any', str(acl)), str(acl))
def testIcmpCode(self):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19,
self.naming), EXP_INFO)
output = str(acl)
self.assertIn(' permit icmp any any 3 3', output, output)
self.assertIn(' permit icmp any any 3 4', output, output)
def testUdpEstablished(self):
acl = cisco.Cisco(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_9,
self.naming), EXP_INFO)
self.assertFalse(re.search('permit 17 any any established',
str(acl)), str(acl))