Exemplo n.º 1
def assert_filter_denies(filter_name, headers, startLocation=None, soft=False):
    # type: (str, HeaderConstraints, str, bool) -> bool
    """
    Assert that a named ACL denies every flow in the given header space.

    The check searches the filter for flows that are *permitted*; any row in
    the answer is a counterexample and fails the assertion.

    :param filter_name: the name of ACL to check
    :param headers: :py:class:`~pybatfish.datamodel.flow.HeaderConstraints`
        describing the flows that must be denied
    :param startLocation: LocationSpec indicating where a flow starts; it is
        only passed to the question when it is not None
    :param soft: whether this assertion is soft (i.e., generates a warning but
        not a failure)
    :return: True if the assertion passes; otherwise whatever
        ``_raise_common`` returns or raises
    """
    __tracebackhide__ = operator.methodcaller("errisinstance",
                                              BatfishAssertException)

    query_args = {"filters": filter_name, "headers": headers,
                  "action": "permit"}
    if startLocation is not None:
        query_args["startLocation"] = startLocation

    permitted = bfq.searchFilters(**query_args).answer().frame()  # type: ignore

    # An empty answer is the only passing outcome.
    # NOTE(review): an empty frame is treated as "denied"; confirm that a
    # filter_name matching no filter cannot also produce an empty frame,
    # otherwise the assertion would pass without checking anything.
    if len(permitted) == 0:
        return True

    message = "Found a flow that was permitted, when expected to be denied\n{}".format(
        permitted.to_string())
    return _raise_common(message, soft)
Exemplo n.º 2
def test_answer_fail(network):
    """Answering searchFilters for a non-existent filter must raise BatfishException."""
    with pytest.raises(BatfishException) as excinfo:
        question = bfq.searchFilters(filters="undefined")
        question.answer().frame()
    # The failure is expected to surface as an aborted work item.
    assert "Work terminated abnormally" in str(excinfo.value)
Exemplo n.º 3
                 name=CANDIDATE2_SNAPSHOT_NAME,
                 overwrite=True)

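# Device and ACL under test.
node_name = "eos-acl"
filter_name = "acl_in"

# traffic1: TCP 80/8080 from 192.168.2.0/24 to the two named hosts.
traffic1 = HeaderConstraints(srcIps="192.168.2.0/24",
                             dstIps="192.168.1.4/32, 192.168.1.5/32",
                             ipProtocols=["tcp"],
                             dstPorts="80,8080")
# traffic2: the same sources and ports, but destined anywhere *except* the two
# hosts (the backslash appears to be the specifier's set-difference operator).
# A raw string keeps the backslash literal; in a normal string "\ " is an
# invalid escape sequence that newer Python versions warn about.
# NOTE(review): 192.168.1.0 carries no prefix length, so this may cover a
# single address rather than the rest of the subnet -- confirm whether
# 192.168.1.0/24 was intended, otherwise the "nothing else is permitted"
# check below says very little.
traffic2 = HeaderConstraints(srcIps="192.168.2.0/24",
                             dstIps=r"192.168.1.0 \ (192.168.1.4, 192.168.1.5)",
                             ipProtocols=["tcp"],
                             dstPorts="80,8080")

# Search the current snapshot for any traffic1 flow that the ACL denies.
currentdeny = bfq.searchFilters(
    headers=traffic1, filters=filter_name, nodes=node_name,
    action="deny").answer(snapshot=CURRENT_SNAPSHOT_NAME)
# An empty frame means no denied flow was found, i.e. all of traffic1 is
# permitted; any row printed here is a flow the ACL drops.
print(currentdeny.frame())

# The opposite case: search for permitted flows that are NOT destined for the
# two hosts. An empty frame means the ACL permits nothing beyond them.
currentpermit = bfq.searchFilters(
    headers=traffic2, filters=filter_name, nodes=node_name,
    action="permit").answer(snapshot=CURRENT_SNAPSHOT_NAME)
print(currentpermit.frame())
# The permit search above is what this assertion helper wraps:
# pybatfish.client.asserts.assert_filter_denies(filters, headers, startLocation=None, soft=False, snapshot=None, session=None, df_format='table')

# Repeat the deny search for traffic1 against the first candidate snapshot.
answer2 = bfq.searchFilters(
    headers=traffic1, filters=filter_name, nodes=node_name,
    action="deny").answer(snapshot=CANDIDATE1_SNAPSHOT_NAME)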
Exemplo n.º 4
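# Gate script: download the list of flows that must stay permitted
# (permit.json) and fail the run as soon as one of them is not permitted in
# the ACL snapshot.
result = bfq.nodeProperties().answer().frame()

# The branch goes through `params` so requests URL-encodes it.
# NOTE(review): tokenheader carries the GitLab credential; confirm that
# GITLAB_API_URL is an https:// endpoint so the token is not sent in clear.
permit_url = (f"{GITLAB_API_URL}/projects/{GITLAB_PROJECT_ID}"
              "/repository/files/permit.json/raw")
resp = requests.get(permit_url, headers=tokenheader,
                    params={"ref": GITLAB_BRANCH},
                    timeout=30)  # bounded wait so the job cannot hang on GitLab
# Stop on 401/404/5xx instead of parsing an error body as the permit list.
resp.raise_for_status()
permits = resp.json()

print(f"ACL SNAPSHOT: {acl_snapshot}")
for p in permits['permit']:
    headers = HeaderConstraints(dstIps=p["dstIps"],
                                ipProtocols=p["ipProtocols"],
                                dstPorts=p["dstPorts"])
    # NOTE(review): no `filters`/`nodes` argument is given, so a non-empty
    # frame presumably only shows that *some* filter permits *some* flow in
    # this header space -- it is not proof that the host is reachable end to
    # end. Consider scoping the search to the ACL being validated.
    answer2 = bfq.searchFilters(headers=headers,
                                action="permit").answer(snapshot=acl_snapshot)
    print("*********")
    if answer2.frame().empty:
        print(
            f"{bcolors.FAIL}*** Traffic is unable to reach {headers.dstIps}{bcolors.ENDC}"
        )
        # SystemExit works without the `site`-provided exit() helper.
        raise SystemExit(1)
    print(
        f"{bcolors.OKGREEN}*** Host {headers.dstIps} is reachable{bcolors.ENDC}"
    )

# NOTE(review): an empty "permit" list reaches this point without checking
# anything, so the gate passes vacuously; decide whether that should fail.
raise SystemExit(0)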