def connect(ne_addr, ne_username, ne_password):
# check to see if ne_addr is a valid IP(v6) address
if not (HostIpCheck(ne_addr).is_ipv4() or HostIpCheck(ne_addr).is_ipv6()):
raise ValueError('%s is not a valid IP address' % ne_addr)
# TLS Connection (This is the TLS Pinning Handler)
class PinningHandler(tlspinning.TLSUnverifiedElementHandler):
def __init__(self, pinning_file):
self.pinning_file = pinning_file
def handle_verify(self, host, hashtype, finger_print, changed):
return tlspinning.DecisionType.ACCEPT_ONCE
# Connection to my onePK enabled Network Element
config = SessionConfig(None)
config.set_tls_pinning('', PinningHandler(''))
config.transportMode = SessionConfig.SessionTransportMode.TLS
network_element = NetworkElement(ne_addr)
# Try authenticating, raise error if unsuccessful
try:
network_element.connect(ne_username, ne_password, config)
except OnepConnectionException:
raise ValueError('Invalid Credentials or unable to reach %s.' %
network_element)
return network_element
def create_dynamic_ace(sequence, permit, syslog):
''' Build ACE from syslog message
sequence (int): Sequence number of ACE to insert in ACL
permit (bool): True == permit, False == deny
syslog (str): Syslog message, IP Address order is assumed.
'''
ip_addresses = [x for x in syslog.split(' ') if HostIpCheck(x.split('/')[0]).is_ipv4()]
protocol = [x for x in syslog.split(' ') if x in ['TCP', 'UDP', 'IP']][0]
# Create ACE that matches the syslog addresses
l3_ace = L3Ace(sequence, permit)
if protocol.lower() == 'tcp':
l3_ace.protocol = OnepConstants.AclProtocol.TCP
if protocol.lower() == 'udp':
l3_ace.protocol = OnepConstants.AclProtocol.UDP
if protocol.lower() == 'ip':
l3_ace.protocol = OnepConstants.AclProtocol.IP
l3_ace.dst_prefix = ip_addresses[1].split('/')[0]
l3_ace.dst_prefix_len = 32
dst_port = int(ip_addresses[1].split('/')[1])
l3_ace.set_dst_port_range(dst_port, dst_port)
l3_ace.src_prefix = ip_addresses[0].split('/')[0]
l3_ace.src_prefix_len = 32
src_port = int(ip_addresses[0].split('/')[1])
l3_ace.set_src_port_range(src_port, src_port)
return l3_ace
def _validate_ip_addrs(self, addrs, type):
self.log.debug('ip addr: %s self.host %s' % (addrs, self.host))
for addr in addrs:
if HostIpCheck(str(addr)) == HostIpCheck(self.host):
self.is_valid = True
return
self.log.warn(
'Host name we connected to "%s" doesn\'t match certificate provided ip address "%s"'
% (self.host, addrs))
if type == CertificateMatchType.UNSTRUCTURED_ADDRESS:
field = 'unstructuredAddress'
else:
field = 'subjectAltName'
e = TTransportException(
type=TTransportException.UNKNOWN,
message=
'Host name we connected to "%s" doesn\'t match certificate provided "%s %s"'
% (self.host, field, addrs))
self._do_pinning(self.handle.getpeercert(True), e)
def _validate_cert(self):
"""
Internal method to validate the peer's SSL certificate.
raises OnepCertificateException if the certificate fails validation.
"""
cert = self.handle.getpeercert()
self.peercert = cert
self.log.debug('cert: %s' % cert)
dns_names = []
ip_addrs = []
common_names = []
unstructured_addrs = []
(
dns_names,
ip_addrs,
common_names,
unstructured_addrs,
) = self._get_fields()
if HostIpCheck(self.host).is_ipaddress():
if len(ip_addrs) > 0:
self._validate_ip_addrs(ip_addrs,
CertificateMatchType.IP_ADDRESS)
elif len(unstructured_addrs) > 0:
self._validate_ip_addrs(
unstructured_addrs,
CertificateMatchType.UNSTRUCTURED_ADDRESS)
else:
self.log.warn(
'Certificate provided neither ip address nor unstructured address'
)
e = TTransportException(
type=TTransportException.UNKNOWN,
message=
'Certificate provided neither ip address nor unstructured address'
)
self._do_pinning(self.handle.getpeercert(True), e)
elif len(dns_names) > 0:
self._validate_names(dns_names, CertificateMatchType.DNS_NAME)
elif len(common_names) > 0:
self._validate_names(common_names,
CertificateMatchType.COMMON_NAME)
else:
self.log.warn(
'Certificate provided neither dns name nor common name')
e = TTransportException(
type=TTransportException.UNKNOWN,
message='Certificate provided neither dns name nor common name'
)
self._do_pinning(self.handle.getpeercert(True), e)
def setInterfaceIPAddress(self, networkInterface):
if networkInterface == None:
logger.error("No interfaces are available.")
return None
setPrefix = 24;
setAddr = None
prefixes = networkInterface.get_prefix_list()
for prefix in prefixes:
if prefix:
setPrefix = prefix.prefix_length
setAddr = prefix.address
if HostIpCheck(setAddr).is_ipv4():
print "\nSetting IPv4 address of interface " + networkInterface.name
networkInterface.set_address(1,OnepAddressScopeType.ONEP_ADDRESS_IPv4_PRIMARY,setAddr,setPrefix)
print "Successfully set the IP address of interface " + networkInterface.name
print " to " + setAddr + " prefix " + str(setPrefix)
break
def _validate_ip(ip_addr):
if not HostIpCheck(ip_addr).is_ipaddress():
raise OnepIllegalArgumentException('Invalid IP address ' +
str(ip_addr))
return ip_addr
def _add_to_acl(self, acl):
"""
"""
self._validate_prefix(self.src_prefix, 'Source')
self._validate_prefix_len(self.src_prefix_len, 'Source',
HostIpCheck(self.src_prefix).is_ipv4())
self._validate_prefix(self.dst_prefix, 'Destination')
self._validate_prefix_len(self.dst_prefix_len, 'Destination',
HostIpCheck(self.dst_prefix).is_ipv4())
src_addr_type = self._af_check(self.src_prefix)
if src_addr_type == self._AF_INET:
if self.src_prefix_len > 32:
raise OnepIllegalArgumentException(
'Source prefix length for AF_INET source prefix > 32')
elif self.src_prefix_len == None:
self.src_prefix_len = 32
src_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET
elif src_addr_type == self._AF_INET6:
if self.src_prefix_len > 128:
raise OnepIllegalArgumentException(
'Source prefix length for AF_INET6 source prefix > 128')
elif self.src_prefix_len == None:
self.src_prefix_len = 128
src_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET6
else:
raise OnepIllegalArgumentException('Invalid Source prefix Address')
dst_addr_type = self._af_check(self._dst_prefix)
if dst_addr_type == self._AF_INET:
if self.dst_prefix_len > 32:
raise OnepIllegalArgumentException(
'Destination prefix length for AF_INET destination prefix > 32'
)
elif self.dst_prefix_len == None:
self.dst_prefix_len = 32
dst_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET
elif dst_addr_type == self._AF_INET6:
if self.dst_prefix_len > 128:
raise OnepIllegalArgumentException(
'Destination prefix length for AF_INET6 destination prefix > 128'
)
elif self.dst_prefix_len == None:
self.dst_prefix_len = 128
dst_prefix_af = OnepConstants.OnepAddressFamilyType.ONEP_AF_INET6
else:
raise OnepIllegalArgumentException(
'Invalid Destination prefix Address')
if self.dst_prefix_len == 0:
dst_prefix_af = src_prefix_af
if self.src_prefix_len == 0:
src_prefix_af = dst_prefix_af
if not src_prefix_af == dst_prefix_af:
raise OnepIllegalArgumentException(
'Source prefix address family and Destination prefix address family are not same.'
)
if self.src_prefix_len != 0 and src_prefix_af != acl._afi:
raise OnepIllegalArgumentException(
'L3-Ace address family not same as L3-Acl address family')
if self.dst_prefix_len != 0 and dst_prefix_af != acl._afi:
raise OnepIllegalArgumentException(
'L3-Ace address family not same as L3-Acl address family')
if not self._acl == None:
raise OnepIllegalArgumentException(
'L3 Access Control Element(ACE) already added to L3 Access Control List(ACL)'
)
self.log.info('Basic Validation of all L3-ace parameters completed.')
self._acl = acl
ace_param = L3AceParam_IDL(
c_int(self._sequence).value, self.permit, src_prefix_af,
self.src_prefix, self.src_prefix_len, self.dst_prefix,
self.dst_prefix_len, self.protocol, self.src_port_oper,
c_short(self.src_port1).value,
c_short(self._src_port2).value, self.dst_port_oper,
c_short(self.dst_port1).value,
c_short(self._dst_port2).value, self._tcp_flag_value,
self._tcp_flag_mask, self._tcp_flag_match, self._dscp, self._flags,
self._ttl, acl._app_id, acl._app_id, self._dscp_v2)
self.log.info(
'Successfully created L3-ace parameters through idl call L3AceParam_IDL'
)
if acl._acl_header:
try:
self.log.debug('Added named ACE to ACL')
self._ace_handle = acl._acl_client.addNamedL3Ace_IDL(
acl._acl_header.name, acl._acl_handle,
acl._acl_header.lifetime, acl._acl_header.addrFamily,
ace_param)
self.log.info(
'Returned from addNamedL3Ace_IDL idl call to add a L3-ace in L3-acl'
)
except ExceptionIDL as e:
raise OnepRemoteProcedureException(e)
except TException as e:
raise OnepConnectionException(e.message, e)
else:
try:
self.log.debug('Added ACE to ACL')
self._ace_handle = acl._acl_client.addL3Ace_IDL(
acl._acl_handle, ace_param)
self.log.info(
'Returned from addL3Ace_IDL idl call to add a L3-ace in L3-acl'
)
except ExceptionIDL as e:
raise OnepRemoteProcedureException(e)
except TException as e:
raise OnepConnectionException(e.message, e)
import sys
if len(sys.argv) < 5:
print 'Usage: python script_name.py [ip_address] [username] [password] [interface_name] [ip/prefix]'
quit()
# Connect using passed in connection values
# (will raise a ValueError if bad IP address or credentials)
ne = connect(sys.argv[1], sys.argv[2], sys.argv[3])
try:
#separate IP and prefix
ip_address, ip_prefix = sys.argv[5].split('/')
# Test for IPv4 or IPv6 address and assign accordingly
if HostIpCheck(ip_address).is_ipv4():
scope_type = OnepConstants.OnepAddressScopeType.ONEP_ADDRESS_IPv4_PRIMARY
if not (0 < int(ip_prefix) <= 32):
raise ValueError('%s is not a valid IPv4 prefix' % ip_prefix)
elif HostIpCheck(ip_address).is_ipv6():
scope_type = OnepConstants.OnepAddressScopeType.ONEP_ADDRESS_IPv6_ALL
if not (0 < int(ip_prefix) <= 32):
raise ValueError('%s is not a valid IPv6 prefix' % ip_prefix)
else:
raise ValueError('%s is not a valid IP address' % ip_address)
#get interface by name
try:
iface = ne.get_interface_by_name(sys.argv[4])
except: