def make_ace(self,
protocol_direction,
target_url,
protocol,
match_type,
direction_initiated,
ip_version,
local_ports=None,
remote_ports=None):
ace = []
number_local_ports = len(local_ports) if type(
local_ports) == list else 1
number_remote_ports = len(remote_ports) if type(
remote_ports) == list else 1
for l in range(number_local_ports):
for r in range(number_remote_ports):
ace.append(
self.make_sub_ace(
get_sub_ace_name(get_ace_name(match_type),
protocol_direction, l + r),
protocol_direction, target_url, protocol, match_type,
direction_initiated, ip_version,
local_ports[l] if local_ports is not None else None,
remote_ports[r] if remote_ports is not None else None))
return ace
def make_ace(protocol_direction,
target_url,
protocol,
match_types,
direction_initiated,
ip_version,
local_ports=None,
remote_ports=None):
ace = []
number_local_ports = len(local_ports) if type(local_ports) == list else 1
number_remote_ports = len(remote_ports) if type(
remote_ports) == list else 1
for i in range(len(match_types)) if not isinstance(
match_types, MatchType) else range(1):
match_type = match_types[i] if not isinstance(
match_types, MatchType) else match_types
for l in range(number_local_ports):
for r in range(number_remote_ports):
ace.append(
make_sub_ace(
#get_sub_ace_name(get_ace_name(match_type), direction_initiated, i + l + r),
get_sub_ace_name(get_ace_name(match_type),
protocol_direction, i + l + r),
protocol_direction,
target_url,
protocol,
match_type,
direction_initiated,
ip_version,
local_ports[l] if local_ports is not None else None,
remote_ports[r] if remote_ports is not None else None))
return ace
def append_sub_ace(ace,
protocol_direction,
target_url,
protocol,
match_type,
direction_initiated,
ip_version,
local_port=None,
remote_port=None):
# Determine what number instance this sub_ace will be
ace_name = get_ace_name(match_type)
iteration = 0
for i in ace:
if i["name"].startswith(ace_name):
iteration += 1
ace.append(
make_sub_ace(
get_sub_ace_name(get_ace_name(match_type), direction_initiated,
iteration), protocol_direction, target_url,
protocol, match_type, direction_initiated, ip_version, local_port,
remote_port))
return ace
def make_mud_5(self):
#mud = self.support_info
#mud.update(self.policies)
#self.mud_file = {'ietf-mud:mud': mud, 'ietf-access-control-list:acls': {'acl': self.acls}}
#return self.mud_file
#def assemble_mud(self):
if self.ip_version == IPVersion.BOTH:
ip_version = [IPVersion.IPV4, IPVersion.IPV6]
self.acl = [
self.acl_v4_to, self.acl_v4_from, self.acl_v6_to,
self.acl_v6_from
]
else:
ip_version = [self.ip_version]
if self.ip_version == IPVersion.IPV4:
#self.acl_v4_to = {}
#self.acl_v4_from = {}
self.acl = [self.acl_v4_to, self.acl_v4_from]
elif self.ip_version == IPVersion.IPV6:
#self.acl_v6_to = {}
#self.acl_v6_from = {}
self.acl = [self.acl_v6_to, self.acl_v6_from]
rule_list = [(MatchType.IS_LOCAL, self.rules_local),
(MatchType.IS_CLOUD, self.rules_cloud),
(MatchType.IS_CONTROLLER, self.rules_controller),
(MatchType.IS_MY_CONTROLLER, self.rules_controller_my),
(MatchType.IS_MFG, self.rules_manufacturer),
(MatchType.IS_MYMFG, self.rules_manufacturer_my)]
# Not the most efficient way to do this, but it works
for (i, (match_type, rules)) in enumerate(rule_list):
for (j, rule) in enumerate(rules):
for protocol_direction in [
Direction.TO_DEVICE, Direction.FROM_DEVICE
]:
for ipv in ip_version:
sub_ace_name = get_sub_ace_name(
get_ace_name(match_type), protocol_direction, j)
match = {}
ip_version_string = get_ipversion_string(ipv)
source_port = None
destination_port = None
direction_initiated = rule.get('direction_initiated')
if rule.get('ietf-mud:mud') is not None:
match['ietf-mud:mud'] = rule['ietf-mud:mud']
cloud_entry = None
else:
cloud_entry = make_acldns_match(
rule['target_url'], protocol_direction)
if rule['protocol'] is Protocol.ANY:
if cloud_entry:
match[ip_version_string] = cloud_entry
else:
if protocol_direction is Direction.FROM_DEVICE:
source_port = rule.get('remote_port')
destination_port = rule.get('local_port')
elif protocol_direction is Direction.TO_DEVICE:
source_port = rule.get('local_port')
destination_port = rule.get('remote_port')
if rule['protocol'] is Protocol.TCP:
match[ip_version_string] = rule.get(
"cloud_placeholder").copy(
) # {'protocol': 6}
if source_port is not None or destination_port is not None or \
direction_initiated is not None:
match['tcp'] = make_port_range(
direction_initiated, source_port,
destination_port)
elif rule['protocol'] is Protocol.UDP:
match[ip_version_string] = rule.get(
"cloud_placeholder").copy(
) # {'protocol': 17}
if rule.get(
'source_port') is not None or rule.get(
'destination_port') is not None:
match['udp'] = make_port_range(
dir_init=None,
source_port=source_port,
destination_port=destination_port)
else:
raise InputException(
f'protocol is not valid: {rule["protocol"]}'
)
if cloud_entry:
match[ip_version_string].update(cloud_entry)
ace = {
'name': sub_ace_name,
'matches': match,
'actions': {
'forwarding': 'accept'
}
}
if ipv == IPVersion.IPV4:
if protocol_direction == Direction.TO_DEVICE:
self.acl_v4_to['aces']['ace'].append(ace)
#self.acl.append(self.acl_v4_to.copy())
else:
self.acl_v4_from['aces']['ace'].append(ace)
#self.acl.append(self.acl_v4_from.copy())
elif ipv == IPVersion.IPV6:
if protocol_direction == Direction.TO_DEVICE:
self.acl_v6_to['aces']['ace'].append(ace)
#self.acl.append(self.acl_v6_to.copy())
else:
self.acl_v6_from['aces']['ace'].append(ace)
#self.acl.append(self.acl_v6_from.copy())
mud = self.support_info
mud.update(self.policies)
self.mud_file = {
'ietf-mud:mud': mud,
'ietf-access-control-list:acls': {
'acl': self.acl
}
}
return self.mud_file