def make_acl(self, acl_name, target_url, protocol, match_type, direction_initiated, local_ports=None, remote_ports=None): # (acl_name, protocol_direction, ip_version, target_url, protocol, match_type, # direction_initiated, local_ports=None, remote_ports=None): if "v4" in acl_name: ip_version = IPVersion.IPV4 elif "v6" in acl_name: ip_version = IPVersion.IPV6 else: raise InputException("Invalid IPVersion provided") acl_type_prefix = get_ipversion_string(ip_version) if acl_name.endswith("to"): protocol_direction = Direction.TO_DEVICE elif acl_name.endswith("fr"): protocol_direction = Direction.FROM_DEVICE else: raise InputException("Invalid Direction provided") return { 'name': acl_name, 'type': acl_type_prefix + '-acl-type', 'aces': { 'ace': self.make_ace(protocol_direction, target_url, protocol, match_type, direction_initiated, ip_version, local_ports, remote_ports) } }
def make_acl(protocol_direction, ip_version, target_url, protocol, match_types, direction_initiated, local_ports=None, remote_ports=None, acl_name=None, mud_name=None): acl_type_prefix = get_ipversion_string(ip_version) if acl_name is None and mud_name is None: raise InputException( 'acl_name and mud_name can\'t both by None at the same time') elif acl_name is None: acl_name = make_acl_name(mud_name, ip_version, direction_initiated) return { 'name': acl_name, 'type': acl_type_prefix + '-acl-type', 'aces': { 'ace': make_ace(protocol_direction, target_url, protocol, match_types, direction_initiated, ip_version, local_ports, remote_ports) } }
def make_mud_5(self): #mud = self.support_info #mud.update(self.policies) #self.mud_file = {'ietf-mud:mud': mud, 'ietf-access-control-list:acls': {'acl': self.acls}} #return self.mud_file #def assemble_mud(self): if self.ip_version == IPVersion.BOTH: ip_version = [IPVersion.IPV4, IPVersion.IPV6] self.acl = [ self.acl_v4_to, self.acl_v4_from, self.acl_v6_to, self.acl_v6_from ] else: ip_version = [self.ip_version] if self.ip_version == IPVersion.IPV4: #self.acl_v4_to = {} #self.acl_v4_from = {} self.acl = [self.acl_v4_to, self.acl_v4_from] elif self.ip_version == IPVersion.IPV6: #self.acl_v6_to = {} #self.acl_v6_from = {} self.acl = [self.acl_v6_to, self.acl_v6_from] rule_list = [(MatchType.IS_LOCAL, self.rules_local), (MatchType.IS_CLOUD, self.rules_cloud), (MatchType.IS_CONTROLLER, self.rules_controller), (MatchType.IS_MY_CONTROLLER, self.rules_controller_my), (MatchType.IS_MFG, self.rules_manufacturer), (MatchType.IS_MYMFG, self.rules_manufacturer_my)] # Not the most efficient way to do this, but it works for (i, (match_type, rules)) in enumerate(rule_list): for (j, rule) in enumerate(rules): for protocol_direction in [ Direction.TO_DEVICE, Direction.FROM_DEVICE ]: for ipv in ip_version: sub_ace_name = get_sub_ace_name( get_ace_name(match_type), protocol_direction, j) match = {} ip_version_string = get_ipversion_string(ipv) source_port = None destination_port = None direction_initiated = rule.get('direction_initiated') if rule.get('ietf-mud:mud') is not None: match['ietf-mud:mud'] = rule['ietf-mud:mud'] cloud_entry = None else: cloud_entry = make_acldns_match( rule['target_url'], protocol_direction) if rule['protocol'] is Protocol.ANY: if cloud_entry: match[ip_version_string] = cloud_entry else: if protocol_direction is Direction.FROM_DEVICE: source_port = rule.get('remote_port') destination_port = rule.get('local_port') elif protocol_direction is Direction.TO_DEVICE: source_port = rule.get('local_port') destination_port = rule.get('remote_port') if rule['protocol'] is Protocol.TCP: match[ip_version_string] = rule.get( "cloud_placeholder").copy( ) # {'protocol': 6} if source_port is not None or destination_port is not None or \ direction_initiated is not None: match['tcp'] = make_port_range( direction_initiated, source_port, destination_port) elif rule['protocol'] is Protocol.UDP: match[ip_version_string] = rule.get( "cloud_placeholder").copy( ) # {'protocol': 17} if rule.get( 'source_port') is not None or rule.get( 'destination_port') is not None: match['udp'] = make_port_range( dir_init=None, source_port=source_port, destination_port=destination_port) else: raise InputException( f'protocol is not valid: {rule["protocol"]}' ) if cloud_entry: match[ip_version_string].update(cloud_entry) ace = { 'name': sub_ace_name, 'matches': match, 'actions': { 'forwarding': 'accept' } } if ipv == IPVersion.IPV4: if protocol_direction == Direction.TO_DEVICE: self.acl_v4_to['aces']['ace'].append(ace) #self.acl.append(self.acl_v4_to.copy()) else: self.acl_v4_from['aces']['ace'].append(ace) #self.acl.append(self.acl_v4_from.copy()) elif ipv == IPVersion.IPV6: if protocol_direction == Direction.TO_DEVICE: self.acl_v6_to['aces']['ace'].append(ace) #self.acl.append(self.acl_v6_to.copy()) else: self.acl_v6_from['aces']['ace'].append(ace) #self.acl.append(self.acl_v6_from.copy()) mud = self.support_info mud.update(self.policies) self.mud_file = { 'ietf-mud:mud': mud, 'ietf-access-control-list:acls': { 'acl': self.acl } } return self.mud_file
def make_sub_ace(self, sub_ace_name, protocol_direction, target_url, protocol, match_type, direction_initiated, ip_version, local_port=None, remote_port=None): if len(target_url) > 140: raise InputException('target url is too long: {}' % target_url) match = {} ip_version = get_ipversion_string(ip_version) source_port = None destination_port = None cloud_ipv4_entry = None if match_type is MatchType.IS_LOCAL: match['ietf-mud:mud'] = make_local_match() elif match_type is MatchType.IS_CLOUD: cloud_ipv4_entry = make_acldns_match(target_url, protocol_direction) elif match_type is MatchType.IS_CONTROLLER: match['ietf-mud:mud'] = make_controller_match(target_url) elif match_type is MatchType.IS_MY_CONTROLLER: match['ietf-mud:mud'] = make_my_controller_match() elif match_type is MatchType.IS_MFG: match['ietf-mud:mud'] = make_manufacturer_match(target_url) elif match_type is MatchType.IS_MYMFG: match['ietf-mud:mud'] = make_same_manufacturer_match() if match.get('ietf-mud:mud') is None and cloud_ipv4_entry is None: raise InputException(f"match_type is not valid: {match_type}") if protocol is Protocol.ANY: if cloud_ipv4_entry: match[ip_version] = cloud_ipv4_entry else: if protocol_direction is Direction.FROM_DEVICE: source_port = remote_port destination_port = local_port elif protocol_direction is Direction.TO_DEVICE: source_port = local_port destination_port = remote_port if protocol is Protocol.TCP: match[ip_version] = {'protocol': 6} if source_port is not None or destination_port is not None or direction_initiated is not None: match['tcp'] = make_port_range(direction_initiated, source_port, destination_port) elif protocol is Protocol.UDP: match[ip_version] = {'protocol': 17} if source_port is not None or destination_port is not None: match['udp'] = make_port_range(source_port, destination_port) else: raise InputException(f'protocol is not valid: {protocol}') if cloud_ipv4_entry: match[ip_version].update(cloud_ipv4_entry) return { 'name': sub_ace_name, 'matches': match, 'actions': { 'forwarding': 'accept' } }
def __init__(self, mud_version: int, mud_url: str, is_supported: bool, cache_validity: int = None, system_info: str = None, mfg_name: str = None, documentation: str = None, masa_server: int = None, model_name: str = None, ip_version: IPVersion = None, last_update: str = None, firmware_rev: str = None, software_rev: str = None): #mud_signature=None # This may be unnecessary if ip_version not in [IPVersion.IPV4, IPVersion.IPV6, IPVersion.BOTH]: raise ValueError( "Invalid IP Version provided: only IPVersion.BOTH, IPVersion.IPV4, or IPVersion.IPV6 " "acceptable") self.ip_version = ip_version #if ip_version == IPVersion.BOTH: # self.ip_version = [IPVersion.IPV4, IPVersion.IPV6] #elif ip_version == IPVersion.IPV4 or ip_version == IPVersion.IPV6: # self.ip_version = [ip_version] #else: # raise ValueError("Invalid IP Version provided: only IPVersion.BOTH, IPVersion.IPV4, or IPVersion.IPV6 " # "acceptable") # TODO add mud-signature file self.support_info = self.make_support_info( mud_version, mud_url, is_supported, cache_validity, system_info, documentation, masa_server, mfg_name, last_update, model_name, firmware_rev, software_rev) self.mud_name = f'mud-{random.randint(10000, 99999)}' self.acl = [] self.acl_v4_to = [] self.acl_v4_from = [] self.acl_v6_to = [] self.acl_v6_from = [] self.policies = {} self.rules_local = [] self.rules_cloud = [] self.rules_controller = [] self.rules_controller_my = [] self.rules_manufacturer = [] self.rules_manufacturer_my = [] self.acl_names = self.make_acl_names() for acl_name in self.acl_names: if "v4" in acl_name: acl_type_prefix = get_ipversion_string(IPVersion.IPV4) if acl_name.endswith('to'): self.acl_v4_to = { 'name': acl_name, 'type': acl_type_prefix + '-acl-type', 'aces': { 'ace': [] } } elif acl_name.endswith('fr'): self.acl_v4_from = { 'name': acl_name, 'type': acl_type_prefix + '-acl-type', 'aces': { 'ace': [] } } elif "v6" in acl_name: acl_type_prefix = get_ipversion_string(IPVersion.IPV4) if acl_name.endswith('to'): self.acl_v6_to = { 'name': acl_name, 'type': acl_type_prefix + '-acl-type', 'aces': { 'ace': [] } } elif acl_name.endswith('fr'): self.acl_v6_from = { 'name': acl_name, 'type': acl_type_prefix + '-acl-type', 'aces': { 'ace': [] } } self.policies.update(self.make_policy()) self.mud_file = {}