def _get_acl_text(pol, platform):
    # type: (policy.Policy, str) -> str
    """Render ``pol`` as device ACL text for the named Capirca ``platform``.

    The platform name is whitespace-stripped and lower-cased, then looked up
    in a fixed table of supported generators. Only table entries are ever
    imported: the caller-supplied string is used as a dictionary key, never
    as a module path.

    Raises:
        ValueError: for 'paloalto' (Capirca emits XML there, which Batfish
            does not yet parse) and for any platform not in the table.
    """
    import importlib

    # Capirca warns about terms that expire before now + this many weeks.
    # Capirca already warns about terms that have actually expired, so push
    # the horizon far out (~100 years) to silence the "expiring soon" notice.
    expiry_horizon_weeks = 52 * 100

    # platform name -> (capirca.lib submodule, generator class in it)
    generators = {
        'arista': ('arista', 'Arista'),
        'cisco': ('cisco', 'Cisco'),
        'cisco-nx': ('cisco', 'Cisco'),
        'cisco-xr': ('ciscoxr', 'CiscoXR'),
        'ciscoasa': ('ciscoasa', 'CiscoASA'),
        'juniper': ('juniper', 'Juniper'),
        'juniper-srx': ('junipersrx', 'JuniperSRX'),
    }

    normalized = platform.strip().lower()

    if normalized == 'paloalto':
        # capirca.lib.paloaltofw exists, but its output is XML rather than
        # the text ACL form Batfish consumes.
        raise ValueError(
            'Capirca generates Palo Alto ACLs in XML form, which Batfish does not yet parse')

    entry = generators.get(normalized)
    if entry is None:
        raise ValueError(
            'Either Capirca or Pybatfish does not handle converting to ACLs in platform: ' + normalized)

    module_name, class_name = entry
    module = importlib.import_module('capirca.lib.' + module_name)
    generator_cls = getattr(module, class_name)
    return str(generator_cls(pol, expiry_horizon_weeks))
 def testNoVerbose(self):
   """Rendering with GOOD_HEADER_NOVERBOSE leaves the fixture's comment text out."""
   self.naming.GetServiceByProto.return_value = ['25']
   self.naming.GetNetAddr.return_value = _IPSET
   parsed = policy.ParsePolicy(GOOD_HEADER_NOVERBOSE + GOOD_TERM_1, self.naming)
   rendered = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
   for comment_fragment in ('This is a test acl with a comment', 'very very very'):
     self.assertNotIn(comment_fragment, rendered)
    def testLargeTermSplitIgnoreV6(self):
        """A GOOD_HEADER_3 policy with GOOD_TERM_14 yields a single filter entry.

        Two address lists are fed in: every other /128 of a v6 /119, and the
        same sampling of a second /119 plus one IPv4 host. The host is
        appended after the 2**9 = 512 subnets, i.e. at an even index, so it
        survives the sampling.
        """
        def every_other(addresses):
            # Keep the elements at even positions, re-wrapped as nacaddr.IP.
            return [nacaddr.IP(addr) for addr in addresses[::2]]

        first_block = nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119')
        mo_ips = every_other(list(first_block.subnets(new_prefix=128)))

        second_block = nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119')
        candidates = list(second_block.subnets(new_prefix=128))
        candidates.append(nacaddr.IPv4('10.0.0.1/32'))
        prodcolos_ips = every_other(candidates)

        self.naming.GetServiceByProto.return_value = ['25']
        self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]

        pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_14, self.naming)
        srx = junipersrx.JuniperSRX(pol, EXP_INFO)
        self.assertEqual(len(srx.policy.filters[0][1]), 1)
  def testExpiredTerm(self, mock_warn):
    """Building a policy with EXPIRED_TERM_1 emits exactly one expiry warning.

    mock_warn is injected by a decorator above this method (outside this
    excerpt); presumably it stands in for the logger's warning call.
    """
    parsed = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM_1, self.naming)
    junipersrx.JuniperSRX(parsed, EXP_INFO)  # result unused; only the warning matters

    expected_args = ('WARNING: Term %s in policy %s>%s is expired.',
                     'expired_test', 'trust', 'untrust')
    mock_warn.assert_called_once_with(*expected_args)
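 def testOwnerTerm(self):
     """OWNER_TERM renders its owner inside a /* ... */ comment block."""
     pol = policy.ParsePolicy(GOOD_HEADER + OWNER_TERM, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn replaces failUnless, an alias removed in Python 3.12.
     self.assertIn(
         '            /*\n'
         '            Owner: [email protected]\n'
         '            */', output, output)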
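 def testLoggingBoth(self):
     """GOOD_TERM_5 renders both session-init and session-close logging."""
     srx = junipersrx.JuniperSRX(
         policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5, self.naming),
         EXP_INFO)
     output = str(srx)
     # assertIn replaces failUnless, an alias removed in Python 3.12.
     self.assertIn('session-init;', output, output)
     self.assertIn('session-close;', output, output)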
    def testLargeTermSplittingV6(self):
        """A GOOD_HEADER_2 policy with GOOD_TERM_14 is split into four filter entries.

        Both address lookups return every other /128 of a v6 /119 (256 each).
        """
        def every_other(addresses):
            # Keep the elements at even positions, re-wrapped as nacaddr.IP.
            return [nacaddr.IP(addr) for addr in addresses[::2]]

        mo_ips = every_other(list(
            nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119').subnets(
                new_prefix=128)))
        prodcolos_ips = every_other(list(
            nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119').subnets(
                new_prefix=128)))

        self.naming.GetServiceByProto.return_value = ['25']
        self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]

        pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
        srx = junipersrx.JuniperSRX(pol, EXP_INFO)
        self.assertEqual(len(srx.policy.filters[0][1]), 4)

        expected_lookups = [mock.call('FOOBAR'), mock.call('SOME_HOST')]
        self.naming.GetNetAddr.assert_has_calls(expected_lookups)
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
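  def testOptimizedGlobalAddressBook(self):
    """Adjacent /16 address-book entries are collapsed into summary prefixes.

    FOOBAR covers 172.16-172.19 and 172.22-172.31 (each a /16); SOME_HOST
    covers 172.20/16, 172.21/16 and 10/8. The rendered address book must
    contain only the aggregated prefixes and no bare /16 at all.
    """
    foobar_ips = [nacaddr.IP('172.%d.0.0/16' % second_octet, token='FOOBAR')
                  for second_octet in range(16, 32)
                  if second_octet not in (20, 21)]
    some_host_ips = [nacaddr.IP('172.20.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('172.21.0.0/16', token='SOME_HOST'),
                     nacaddr.IP('10.0.0.0/8', token='SOME_HOST')]

    # GetNetAddr is answered three times, in this order.
    self.naming.GetNetAddr.side_effect = [foobar_ips, some_host_ips,
                                          some_host_ips]
    self.naming.GetServiceByProto.return_value = ['25']

    pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_17 + GOOD_HEADER_2 +
                             GOOD_TERM_15, self.naming)
    srx = str(junipersrx.JuniperSRX(pol, EXP_INFO))
    # assertIn/assertNotIn replace failUnless, an alias removed in Python 3.12.
    for expected in ('address FOOBAR_0 172.16.0.0/14',
                     'address FOOBAR_1 172.22.0.0/15;',
                     'address FOOBAR_2 172.24.0.0/13;',
                     'address SOME_HOST_0 10.0.0.0/8;',
                     'address SOME_HOST_1 172.20.0.0/15;'):
      self.assertIn(expected, srx, srx)
    self.assertNotIn('/16', srx, srx)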
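 def testBuildTokens(self):
   """_BuildTokens reports exactly the SUPPORTED_TOKENS and SUPPORTED_SUB_TOKENS fixtures."""
   self.naming.GetServiceByProto.side_effect = [['25'], ['26']]
   pol1 = junipersrx.JuniperSRX(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2,
                                                   self.naming), EXP_INFO)
   st, sst = pol1._BuildTokens()
   # assertEqual replaces assertEquals, an alias removed in Python 3.12.
   self.assertEqual(st, SUPPORTED_TOKENS)
   self.assertEqual(sst, SUPPORTED_SUB_TOKENS)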
 def testLoggingTrueDeny(self):
     """GOOD_TERM_LOG_4 renders session-init logging but not session-close."""
     parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_LOG_4, self.naming)
     output = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
     self.assertIn('session-init;', output)
     self.assertNotIn('session-close;', output)
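 def testMixedVersionIcmp(self):
     """ICMP and ICMPv6 terms in one policy each get their own application term."""
     pol = policy.ParsePolicy(
         GOOD_HEADER + ICMP_TYPE_TERM_1 + IPV6_ICMP_TERM, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     # assertIn replaces failUnless, an alias removed in Python 3.12; passing
     # output as msg also makes a failure show the rendered text.
     self.assertIn('term t6 protocol icmp6 icmp6-type 129 '
                   'inactivity-timeout 60;', output, output)
     self.assertIn('term t1 protocol icmp icmp-type 0 '
                   'inactivity-timeout 60;', output, output)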
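  def testDscpWithByte(self):
    """The DSCP value from GOOD_TERM_10 is rendered as 'dscp b111000;'."""
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
    srx = junipersrx.JuniperSRX(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10,
                                                   self.naming), EXP_INFO)
    output = str(srx)
    # assertIn replaces failUnless, an alias removed in Python 3.12.
    self.assertIn('dscp b111000;', output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')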
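 def testIcmpTypes(self):
   """ICMP_TYPE_TERM_1 renders one application with a term per ICMP type."""
   pol = policy.ParsePolicy(GOOD_HEADER + ICMP_TYPE_TERM_1, self.naming)
   output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
   # assertIn replaces failUnless, an alias removed in Python 3.12.
   for expected in ('application test-icmp-app;',
                    'application test-icmp-app {',
                    'term t1 protocol icmp icmp-type 0 inactivity-timeout 60',
                    'term t2 protocol icmp icmp-type 8 inactivity-timeout 60'):
     self.assertIn(expected, output, output)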
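  def testVpnWithoutPolicy(self):
    """GOOD_TERM_3 renders an 'ipsec-vpn good-vpn-3;' statement."""
    self.naming.GetNetAddr.return_value = _IPSET

    srx = junipersrx.JuniperSRX(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_3,
                                                   self.naming), EXP_INFO)
    output = str(srx)
    # assertIn replaces failUnless, an alias removed in Python 3.12.
    self.assertIn('ipsec-vpn good-vpn-3;', output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')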
  def testVpnWithDrop(self):
    """BAD_TERM_1 renders neither its ipsec-vpn nor its pair-policy statement."""
    self.naming.GetNetAddr.return_value = _IPSET

    parsed = policy.ParsePolicy(GOOD_HEADER + BAD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
    for absent in ('ipsec-vpn good-vpn-4;', 'pair-policy policy-4;'):
      self.assertNotIn(absent, output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    def testExpiringTerm(self, mock_info):
        """A term dated EXP_INFO weeks out triggers exactly one 'expiring' notice.

        mock_info is injected by a decorator above this method (outside this
        excerpt); presumably it stands in for the logger's info call.
        """
        expiry = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
        term_text = EXPIRING_TERM % expiry.strftime('%Y-%m-%d')
        parsed = policy.ParsePolicy(GOOD_HEADER + term_text, self.naming)
        junipersrx.JuniperSRX(parsed, EXP_INFO)  # only the logging side effect matters

        mock_info.assert_called_once_with(
            'INFO: Term %s in policy %s>%s expires in '
            'less than two weeks.', 'is_expiring', 'trust', 'untrust')
    def testAddressBookOrderingSuccess(self):
        """Addresses returned out of order come back ordered in the address book."""
        self.naming.GetServiceByProto.return_value = ['25']
        self.naming.GetNetAddr.return_value = self._OutOfOrderAddresses()

        parsed = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_2, self.naming)
        generator = junipersrx.JuniperSRX(parsed, EXP_INFO)
        address_book = generator._GenerateAddressBook()
        self._FailIfUnorderedAddressBook(address_book)

        self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
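  def testTermAndFilterName(self):
    """GOOD_TERM_1 is rendered as a policy block named 'good-term-1'."""
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']

    srx = junipersrx.JuniperSRX(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1,
                                                   self.naming), EXP_INFO)
    output = str(srx)
    # assertIn replaces failUnless, an alias removed in Python 3.12.
    self.assertIn('policy good-term-1 {', output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')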
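  def testDscpWithClass(self):
    """GOOD_TERM_11 renders its DSCP class, range/list and except clauses."""
    self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]

    srx = junipersrx.JuniperSRX(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_11,
                                                   self.naming), EXP_INFO)
    output = str(srx)
    # assertIn replaces failUnless, an alias removed in Python 3.12.
    for expected in ('dscp af42;',
                     'dscp [ af41-af42 5 ];',
                     'dscp-except [ be ];'):
      self.assertIn(expected, output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')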
  def testExpressPath(self):
    """A GOOD_HEADER_14 policy renders services-offload alongside deny and permit."""
    some_host = [nacaddr.IP('10.0.0.1/32', token='SOMEHOST')]
    # Two address lookups and two service lookups are answered, in order.
    self.naming.GetNetAddr.side_effect = [some_host] * 2
    self.naming.GetServiceByProto.side_effect = [['25', '25'], ['25', '25']]

    parsed = policy.ParsePolicy(GOOD_HEADER_14 + GOOD_TERM_2 + DEFAULT_TERM_1 +
                                GOOD_HEADER + GOOD_TERM_1, self.naming)
    output = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
    for expected in ('services-offload;', 'deny;', 'permit;'):
      self.assertIn(expected, output)
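    def testReplaceStatement(self):
        """The address-book, policies and applications sections all carry 'replace:'."""
        self.naming.GetNetAddr.return_value = _IPSET
        self.naming.GetServiceByProto.return_value = ['25']

        pol = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming)
        output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
        # assertIn replaces failUnless, an alias removed in Python 3.12.
        for expected in ('replace: address-book',
                         'replace: policies',
                         'replace: applications'):
            self.assertIn(expected, output, output)

        self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')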
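    def testZoneAdressBookIPv6(self):
        """GOOD_HEADER_8 renders a zone-scoped address book with the v6 prefix only.

        _IPSET carries both 2001:4860:8000::/33 and 10.0.0.0/8; only the
        former may appear under 'security-zone untrust'.
        """
        self.naming.GetNetAddr.return_value = _IPSET
        self.naming.GetServiceByProto.return_value = ['25']

        pol = policy.ParsePolicy(GOOD_HEADER_8 + GOOD_TERM_1, self.naming)
        output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
        # assertIn/assertNotIn replace failUnless, an alias removed in Python 3.12.
        self.assertIn('security-zone untrust {', output, output)
        self.assertIn('replace: address-book {', output, output)
        self.assertIn('2001:4860:8000::/33', output, output)
        self.assertNotIn('10.0.0.0/8', output, output)

        self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')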
 def testDropEstablished(self):
   """The tcp/udp established terms are absent from the rendered SRX policy."""
   some_host = [nacaddr.IP('10.0.0.1/32', token='FOO')]
   # Four address lookups and four service lookups are answered, in order.
   self.naming.GetServiceByProto.side_effect = [['25', '25'], ['443', '443']] * 2
   self.naming.GetNetAddr.side_effect = [some_host] * 4
   parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1 + GOOD_TERM_21 +
                               DEFAULT_TERM_1 + GOOD_HEADER_2 +
                               TCP_ESTABLISHED_TERM + UDP_ESTABLISHED_TERM +
                               DEFAULT_TERM_1, self.naming)
   output = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
   for dropped_term in ('udp-established-term', 'tcp-established-term'):
     self.assertNotIn(dropped_term, output)
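 def testMultipleProtocolGrouping(self):
   """MULTIPLE_PROTOCOLS_TERM becomes an application-set of one app per protocol."""
   pol = policy.ParsePolicy(GOOD_HEADER + MULTIPLE_PROTOCOLS_TERM, self.naming)
   output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
   # assertIn replaces failUnless, an alias removed in Python 3.12.
   for expected in ('application-set multi-proto-app {',
                    'application multi-proto-app1;',
                    'application multi-proto-app2;',
                    'application multi-proto-app3;',
                    'application multi-proto-app1 {',
                    'term t1 protocol tcp;',
                    'application multi-proto-app2 {',
                    'term t2 protocol udp;',
                    'application multi-proto-app3 {',
                    'term t3 protocol icmp;'):
     self.assertIn(expected, output, output)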
    def testAdressBookIPv6(self):
        """GOOD_HEADER_4 renders a global address book holding only the v6 prefix.

        _IPSET carries both 2001:4860:8000::/33 and 10.0.0.0/8; only the
        former may appear in the output.
        """
        self.naming.GetServiceByProto.return_value = ['25']
        self.naming.GetNetAddr.return_value = _IPSET

        parsed = policy.ParsePolicy(GOOD_HEADER_4 + GOOD_TERM_1, self.naming)
        output = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
        for expected in ('replace: address-book {',
                         'global {',
                         '2001:4860:8000::/33'):
            self.assertIn(expected, output, output)
        self.assertNotIn('10.0.0.0/8', output, output)

        self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
        self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
  def testAllIcmpTypes(self):
    """ICMP_ALL_TERM is rendered as an 18-application set, one ICMP type each."""
    pol = policy.ParsePolicy(GOOD_HEADER + ICMP_ALL_TERM, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

    # The application-set must list exactly 18 member applications ...
    set_pattern = re.compile(
        r'application-set accept-icmp-types-app \{\s+(application accept-icmp-types-app\d{1,2};\s+){18}\}')
    # ... and each of those 18 applications carries exactly one icmp-type term.
    members_pattern = re.compile(
        r'(application accept-icmp-types-app\d{1,2} \{\s+(term t1 protocol icmp icmp-type \d{1,3} inactivity-timeout 60;\s+)\}\s+){18}'
    )
    for pattern in (set_pattern, members_pattern):
      self.assertTrue(pattern.search(output), output)
    def testAllIcmp6Types(self):
        """ICMP6_ALL_TERM is rendered as a 29-application set, one ICMPv6 type each."""
        pol = policy.ParsePolicy(GOOD_HEADER + ICMP6_ALL_TERM, self.naming)
        output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

        # The application-set must list exactly 29 member applications ...
        set_pattern = re.compile(
            r'application-set accept-icmpv6-types-app \{\s+(application accept-icmpv6-types-app\d{1,2};\s+){29}\}'
        )
        # ... and each of those 29 applications carries exactly one
        # icmp6-type term (the regex admits no other term shape).
        members_pattern = re.compile(
            r'(application accept-icmpv6-types-app\d{1,2} \{\s+(term t1 protocol icmp6 icmp6-type \d{1,3} inactivity-timeout 60;\s+)\}\s+){29}'
        )
        for pattern in (set_pattern, members_pattern):
            self.assertTrue(pattern.search(output), output)
  def testLongSplitIcmpTypes(self):
    """LONG_IPV6_ICMP_TERM2 is split into a 9-application set, one term each."""
    pol = policy.ParsePolicy(GOOD_HEADER + LONG_IPV6_ICMP_TERM2, self.naming)
    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

    # The application-set must list exactly 9 member applications ...
    set_pattern = re.compile(
        r'application-set accept-icmpv6-types-app \{\s+(application accept-icmpv6-types-app\d;\s+){9}\}')
    # ... and each of those 9 applications carries exactly one icmp6-type term.
    members_pattern = re.compile(
        r'(application accept-icmpv6-types-app\d \{\s+(term t1 protocol icmp6 icmp6-type \d{1,3} inactivity-timeout 60;\s+)\}\s+){9}'
    )
    for pattern in (set_pattern, members_pattern):
      self.assertTrue(pattern.search(output), output)
    def testNakedExclude(self):
        """GOOD_TERM_18's source exclusion of 10.0.0.0/24 yields the complement prefixes.

        The rendered address book must carry the four SRC_EXCLUDE entries that
        cover the rest of the enclosing range and must not mention the
        excluded /24 itself.
        """
        small = [nacaddr.IP('10.0.0.0/24', 'SMALL', 'SMALL')]
        self.naming.GetNetAddr.side_effect = [small]

        parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_18, self.naming)
        output = str(junipersrx.JuniperSRX(parsed, EXP_INFO))
        expected_entries = (
            (2, '10.0.1.0/24'),
            (3, '10.0.2.0/23'),
            (4, '10.0.4.0/22'),
            (5, '10.0.8.0/21'),
        )
        for index, prefix in expected_entries:
            entry = 'address GOOD_TERM_18_SRC_EXCLUDE_%d %s;' % (index, prefix)
            self.assertIn(entry, output, output)
        self.assertNotIn('10.0.0.0', output)
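  def testLongComment(self):
    """A long header comment is wrapped onto two lines inside a /* */ block."""
    expected_output = """
            /*
            This header is very very very very very very very very very very
            very very very very very very very very very very large
            */"""
    self.naming.GetNetAddr.return_value = _IPSET
    self.naming.GetServiceByProto.return_value = ['25']
    srx = junipersrx.JuniperSRX(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1,
                                                   self.naming), EXP_INFO)
    output = str(srx)
    # assertIn replaces failUnless, an alias removed in Python 3.12.
    self.assertIn(expected_output, output, output)

    self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
    self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')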