def connect(ne_addr, ne_username, ne_password): # check to see if ne_addr is a valid IP(v6) address if not (HostIpCheck(ne_addr).is_ipv4() or HostIpCheck(ne_addr).is_ipv6()): raise ValueError('%s is not a valid IP address' % ne_addr) # TLS Connection (This is the TLS Pinning Handler) class PinningHandler(tlspinning.TLSUnverifiedElementHandler): def __init__(self, pinning_file): self.pinning_file = pinning_file def handle_verify(self, host, hashtype, finger_print, changed): return tlspinning.DecisionType.ACCEPT_ONCE # Connection to my onePK enabled Network Element config = SessionConfig(None) config.set_tls_pinning('', PinningHandler('')) config.transportMode = SessionConfig.SessionTransportMode.TLS network_element = NetworkElement(ne_addr) # Try authenticating, raise error if unsuccessful try: network_element.connect(ne_username, ne_password, config) except OnepConnectionException: raise ValueError('Invalid Credentials or unable to reach %s.' % network_element) return network_element
def create_dynamic_ace(sequence, permit, syslog): ''' Build ACE from syslog message sequence (int): Sequence number of ACE to insert in ACL permit (bool): True == permit, False == deny syslog (str): Syslog message, IP Address order is assumed. ''' ip_addresses = [x for x in syslog.split(' ') if HostIpCheck(x.split('/')[0]).is_ipv4()] protocol = [x for x in syslog.split(' ') if x in ['TCP', 'UDP', 'IP']][0] # Create ACE that matches the syslog addresses l3_ace = L3Ace(sequence, permit) if protocol.lower() == 'tcp': l3_ace.protocol = OnepConstants.AclProtocol.TCP if protocol.lower() == 'udp': l3_ace.protocol = OnepConstants.AclProtocol.UDP if protocol.lower() == 'ip': l3_ace.protocol = OnepConstants.AclProtocol.IP l3_ace.dst_prefix = ip_addresses[1].split('/')[0] l3_ace.dst_prefix_len = 32 dst_port = int(ip_addresses[1].split('/')[1]) l3_ace.set_dst_port_range(dst_port, dst_port) l3_ace.src_prefix = ip_addresses[0].split('/')[0] l3_ace.src_prefix_len = 32 src_port = int(ip_addresses[0].split('/')[1]) l3_ace.set_src_port_range(src_port, src_port) return l3_ace
def _validate_ip_addrs(self, addrs, type): self.log.debug('ip addr: %s self.host %s' % (addrs, self.host)) for addr in addrs: if HostIpCheck(str(addr)) == HostIpCheck(self.host): self.is_valid = True return self.log.warn( 'Host name we connected to "%s" doesn\'t match certificate provided ip address "%s"' % (self.host, addrs)) if type == CertificateMatchType.UNSTRUCTURED_ADDRESS: field = 'unstructuredAddress' else: field = 'subjectAltName' e = TTransportException( type=TTransportException.UNKNOWN, message= 'Host name we connected to "%s" doesn\'t match certificate provided "%s %s"' % (self.host, field, addrs)) self._do_pinning(self.handle.getpeercert(True), e)
def _validate_cert(self): """ Internal method to validate the peer's SSL certificate. raises OnepCertificateException if the certificate fails validation. """ cert = self.handle.getpeercert() self.peercert = cert self.log.debug('cert: %s' % cert) dns_names = [] ip_addrs = [] common_names = [] unstructured_addrs = [] ( dns_names, ip_addrs, common_names, unstructured_addrs, ) = self._get_fields() if HostIpCheck(self.host).is_ipaddress(): if len(ip_addrs) > 0: self._validate_ip_addrs(ip_addrs, CertificateMatchType.IP_ADDRESS) elif len(unstructured_addrs) > 0: self._validate_ip_addrs( unstructured_addrs, CertificateMatchType.UNSTRUCTURED_ADDRESS) else: self.log.warn( 'Certificate provided neither ip address nor unstructured address' ) e = TTransportException( type=TTransportException.UNKNOWN, message= 'Certificate provided neither ip address nor unstructured address' ) self._do_pinning(self.handle.getpeercert(True), e) elif len(dns_names) > 0: self._validate_names(dns_names, CertificateMatchType.DNS_NAME) elif len(common_names) > 0: self._validate_names(common_names, CertificateMatchType.COMMON_NAME) else: self.log.warn( 'Certificate provided neither dns name nor common name') e = TTransportException( type=TTransportException.UNKNOWN, message='Certificate provided neither dns name nor common name' ) self._do_pinning(self.handle.getpeercert(True), e)
def setInterfaceIPAddress(self, networkInterface): if networkInterface == None: logger.error("No interfaces are available.") return None setPrefix = 24; setAddr = None prefixes = networkInterface.get_prefix_list() for prefix in prefixes: if prefix: setPrefix = prefix.prefix_length setAddr = prefix.address if HostIpCheck(setAddr).is_ipv4(): print "\nSetting IPv4 address of interface " + networkInterface.name networkInterface.set_address(1,OnepAddressScopeType.ONEP_ADDRESS_IPv4_PRIMARY,setAddr,setPrefix) print "Successfully set the IP address of interface " + networkInterface.name print " to " + setAddr + " prefix " + str(setPrefix) break
def _validate_ip(ip_addr): if not HostIpCheck(ip_addr).is_ipaddress(): raise OnepIllegalArgumentException('Invalid IP address ' + str(ip_addr)) return ip_addr
def _add_to_acl(self, acl): """ """ self._validate_prefix(self.src_prefix, 'Source') self._validate_prefix_len(self.src_prefix_len, 'Source', HostIpCheck(self.src_prefix).is_ipv4()) self._validate_prefix(self.dst_prefix, 'Destination') self._validate_prefix_len(self.dst_prefix_len, 'Destination', HostIpCheck(self.dst_prefix).is_ipv4()) src_addr_type = self._af_check(self.src_prefix) if src_addr_type == self._AF_INET: if self.src_prefix_len > 32: raise OnepIllegalArgumentException( 'Source prefix length for AF_INET source prefix > 32') elif self.src_prefix_len == None: self.src_prefix_len = 32 src_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET elif src_addr_type == self._AF_INET6: if self.src_prefix_len > 128: raise OnepIllegalArgumentException( 'Source prefix length for AF_INET6 source prefix > 128') elif self.src_prefix_len == None: self.src_prefix_len = 128 src_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET6 else: raise OnepIllegalArgumentException('Invalid Source prefix Address') dst_addr_type = self._af_check(self._dst_prefix) if dst_addr_type == self._AF_INET: if self.dst_prefix_len > 32: raise OnepIllegalArgumentException( 'Destination prefix length for AF_INET destination prefix > 32' ) elif self.dst_prefix_len == None: self.dst_prefix_len = 32 dst_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET elif dst_addr_type == self._AF_INET6: if self.dst_prefix_len > 128: raise OnepIllegalArgumentException( 'Destination prefix length for AF_INET6 destination prefix > 128' ) elif self.dst_prefix_len == None: self.dst_prefix_len = 128 dst_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET6 else: raise OnepIllegalArgumentException( 'Invalid Destination prefix Address') if self.dst_prefix_len == 0: dst_prefix_af = src_prefix_af if self.src_prefix_len == 0: src_prefix_af = dst_prefix_af if not src_prefix_af == dst_prefix_af: raise OnepIllegalArgumentException( 'Source prefix address family and Destination prefix address family are not same.' ) if self.src_prefix_len != 0 and src_prefix_af != acl._afi: raise OnepIllegalArgumentException( 'L3-Ace address family not same as L3-Acl address family') if self.dst_prefix_len != 0 and dst_prefix_af != acl._afi: raise OnepIllegalArgumentException( 'L3-Ace address family not same as L3-Acl address family') if not self._acl == None: raise OnepIllegalArgumentException( 'L3 Access Control Element(ACE) already added to L3 Access Control List(ACL)' ) self.log.info('Basic Validation of all L3-ace parameters completed.') self._acl = acl ace_param = L3AceParam_IDL( c_int(self._sequence).value, self.permit, src_prefix_af, self.src_prefix, self.src_prefix_len, self.dst_prefix, self.dst_prefix_len, self.protocol, self.src_port_oper, c_short(self.src_port1).value, c_short(self._src_port2).value, self.dst_port_oper, c_short(self.dst_port1).value, c_short(self._dst_port2).value, self._tcp_flag_value, self._tcp_flag_mask, self._tcp_flag_match, self._dscp, self._flags, self._ttl, acl._app_id, acl._app_id, self._dscp_v2) self.log.info( 'Successfully created L3-ace parameters through idl call L3AceParam_IDL' ) if acl._acl_header: try: self.log.debug('Added named ACE to ACL') self._ace_handle = acl._acl_client.addNamedL3Ace_IDL( acl._acl_header.name, acl._acl_handle, acl._acl_header.lifetime, acl._acl_header.addrFamily, ace_param) self.log.info( 'Returned from addNamedL3Ace_IDL idl call to add a L3-ace in L3-acl' ) except ExceptionIDL as e: raise OnepRemoteProcedureException(e) except TException as e: raise OnepConnectionException(e.message, e) else: try: self.log.debug('Added ACE to ACL') self._ace_handle = acl._acl_client.addL3Ace_IDL( acl._acl_handle, ace_param) self.log.info( 'Returned from addL3Ace_IDL idl call to add a L3-ace in L3-acl' ) except ExceptionIDL as e: raise OnepRemoteProcedureException(e) except TException as e: raise OnepConnectionException(e.message, e)
import sys if len(sys.argv) < 5: print 'Usage: python script_name.py [ip_address] [username] [password] [interface_name] [ip/prefix]' quit() # Connect using passed in connection values # (will raise a ValueError if bad IP address or credentials) ne = connect(sys.argv[1], sys.argv[2], sys.argv[3]) try: #separate IP and prefix ip_address, ip_prefix = sys.argv[5].split('/') # Test for IPv4 or IPv6 address and assign accordingly if HostIpCheck(ip_address).is_ipv4(): scope_type = OnepConstants.OnepAddressScopeType.ONEP_ADDRESS_IPv4_PRIMARY if not (0 < int(ip_prefix) <= 32): raise ValueError('%s is not a valid IPv4 prefix' % ip_prefix) elif HostIpCheck(ip_address).is_ipv6(): scope_type = OnepConstants.OnepAddressScopeType.ONEP_ADDRESS_IPv6_ALL if not (0 < int(ip_prefix) <= 32): raise ValueError('%s is not a valid IPv6 prefix' % ip_prefix) else: raise ValueError('%s is not a valid IP address' % ip_address) #get interface by name try: iface = ne.get_interface_by_name(sys.argv[4]) except: