def va_unconfig_deceptionserver(self, server=None, commit=None): """ API to unconfig darknet policy param : pname : darknet policy name pcommit : commit flag set example : va_unconfig_darknet('darknet1') return : True/False """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not server: raise ValueError(" Policy name is mandatory for setting policy") cmd = [] cmd.append('unset deception server %s' % (server)) logger.info('Unconfiguring the darknet policy' + str(cmd)) if commit: cmd.append('commit') logger.info("Now commiting the configs") logger.info('Unconfiguring the deception server' + str(cmd)) config_status, output = self._access.va_config(cmd) logger.info("the commit status :" + str(config_status) + str(output)) cmd = 'show running | grep \"deception server\"' logger.info("Executing show command" + str(cmd)) cmdkey = 'set deception server ' + str(server) routput = self._access.va_cli(cmd) logger.info("the execution status :" + str(routput)) logger.debug('Command key to check in running config' + cmdkey) if str(cmdkey) in routput: logger.error('The config not removed from running configs' + str(cmd)) return False, routput logger.debug( 'The given deception server is removed from running configs') return config_status, output
def va_clear_session(self): """ API to clear session param : None example : va_clear_session() returns: :True|False (bool): True if success else False """ logger.info("\nIn subroutine: " + sys._getframe().f_code.co_name) times = 1 sleeptime = 2 self._access.va_cli('clear session') session = self.va_get_session('is_fail') pattern = re.compile(r'((\d+\.){3}\d+)') while pattern.search(session) is not None and times <= 6: time.sleep(sleeptime) logger.debug('Retry {} times to clear session'.format(times)) self._access.va_cli('clear session') session = self.va_get_session('is_fail') times += 1 if pattern.search(session) is not None: logger.error("Session can't be cleared") return False logger.info('Session are cleared') return True
def va_check_session_packets_increment(self, session_before, session_after, *args, **kwargs): """ API to check if packets counter of data session increase param : 'session_before', should be single data session before increment 'session_after', should be single data session after increment } example : va_check_session_packets_increment(session_before, session_after) returns: :True|False (bool): True on success, False on failure """ logger.info("\nIn subroutine: " + sys._getframe().f_code.co_name) in_packets_before = int(session_before.get('in_packets')) in_packets_after = int(session_after.get('in_packets')) out_packets_before = int(session_before.get('out_packets')) out_packets_after = int(session_after.get('out_packets')) if in_packets_before > in_packets_after or \ out_packets_before > out_packets_after: logger.debug('In_packets: {}, {}'.format(in_packets_before, in_packets_after)) logger.debug('Out_packets: {}, {}'.format(out_packets_before, out_packets_after)) logger.error('Packet counter of data session is not increasing!') return False logger.info('Packet counter of data session is increasing.') return True
def _va_parse_app_profile(self, output=None): """ Parse the Output of show policy and check the given app profile is associated with policy :param output: :return: """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not output: logger.error(" The output is empty string and \ nothing to verify") return False logger.debug(" The output :") parsed = list() for line in output.splitlines()[1:]: line = line.strip() if not line.startswith('index') and \ not line.startswith('=') and \ not line.startswith('Total'): parsed.append(line.split()) logger.info(parsed) return parsed
def va_unconfig_global_applog(self, application=None, port=None, commit=None): ''' API to configure global applog :param application: :param port: :param commit: :return: ''' logger.info('We are in ::' + sys._getframe().f_code.co_name) if not application: return False, 'Application name is mandotory' if port: cmd = 'unset system app-log %s port %s' %(application, port) else: cmd = 'unset system app-log %s' %(application) if commit : cmd.append('commit') config_status, output = self._access.va_config(cmd) logger.debug('UnConfiguration of Global APPLOG : ' + str(config_status) + str(output)) if config_status is False: logger.error('Global APPLOG Configuration/commit FAILED') return False, output else: logger.info('Global APPLOG Configuration/commit is successful') print('Configuration of GLOBAL APPLOG: ', config_status, output) return True, output
def va_install_image(self, image, **kwargs ): """ Install image Arguments: :image (str): Software image name :kwargs (dict) : 'install_os' : primary/secondary 'install_delay' : time of install image returns: :False: Failed to install image. :True: Succeed to install image. Examples: va_install_image('image-file.tar') va_install_image('image-file.tar',\ {'install_os':'primary','install_delay':200}) """ if not 'install_os' in kwargs: install_os = 'primary' else : install_os = kwargs['install_os'] if not 'install_delay' in kwargs: install_delay = 300 else : install_delay = kwargs['install_delay'] if not 'reboot_delay' in kwargs: reboot_delay = 120 else: reboot_delay = kwargs['reboot_delay'] logger.info('install delay is {}'.format(install_delay)) self._access.va_cli("request install software {} {}"\ .format(image, install_os),install_delay) #check the status of install firmeare if not self.va_check_install_status_for_ep_or_cp(): return False if not self.va_check_install_status_for_epi() : return False logger.debug("Change boot-sector to %s" % install_os) self._access.va_cli("request system boot-sector {}" .format(install_os)) time.sleep(30) logger.info("**************Completed install image to all devices************") return True
def _va_parse_show_session(self, output=None): """ Parse the Output of show policy and check the given app profile is associated with policy :param output: :return: """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not output: logger.error(" The output is empty string and \ nothing to verify") return False logger.debug(" The \"show session\" output :")
def va_deceptionserver_enabled(self, server=None): """ API to check given Deception server enabled? """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not server: raise ValueError(" Deception server name is\ mandatory for setting policy") cmd = "show deception server {}".format(server) logger.info("Executing show command ->" + str(cmd)) cstatus = self._access.va_cli(cmd) logger.info("the execution status :" + str(cstatus)) if 'enable' in str(cstatus): logger.debug('The given Deception Server is enabled') return True, cstatus else: logger.error('Given Deception Server is NOT enabled') return False, cstatus
def va_globalapplog_conf_in_running(self, config=None): """ :param config: :return: True if it is enabled False if not """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not config: raise ValueError(" Policy name is mandatory for setting policy") cmd = 'show running | grep \"set system app-log\" ' logger.info("Executing show command : " + str(cmd)) routput = self._access.va_cli(cmd) logger.info("the execution status : " + str(routput)) for i in config: if i not in routput: logger.error('The command is not in running configs: ' + i) return False, routput logger.debug('The command is available in running configs :' + i) return True, routput
def va_disable_deceptionserver(self, server=None, commit=None): ''' API to disable the deception server In this case the policy will not be deleted, just disabled state :param data: :param args: :param kwargs: :return: ''' logger.info("We are in ::" + sys._getframe().f_code.co_name) if not server: raise ValueError(" Policy name is mandatory for setting policy") logger.debug('data1........ in darknet,' + str(data1)) cmds = [] cmds.append('set deception server %s disable' % data1['name']) if commit: cmds.append('commit') logger.info('Darknet command :' + str(cmds)) config_status, output = self._access.va_config(cmds) logger.debug('Configuration of Deception disable: {} :: \ {} '.format(config_status, output)) if config_status is False: logger.error('Configuration/commit FAILED') return False, output else: logger.info('Configuration and commit is successful') logger.debug('Configuration of DARKNET: {} \ :: {} '.format(config_status, output)) return True, output
def va_darknet_enabled(self, pname=None): """ API to check given darknet policy enabled? param : pname : darknet policy name Check given policy is enabled or not. example : va_darknet_enabled('darknet1') return : True if it is enabled False if not """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not pname: raise ValueError(" Policy name is mandatory for setting policy") cmd = "show deception dark-net {}".format(pname) logger.info("Executing show command" + str(cmd)) cstatus = self._access.va_cli(cmd) logger.info("the execution status :" + str(cstatus)) if 'enable' in str(cstatus): logger.debug('The given DARKNET policy is enabled') return True, cstatus else: logger.error('Given DARKNET policy is NOT enabled') return False, cstatus
def va_deceptionserver_in_running(self, config=None): """ API to check given darknet policy available in running configs param : pname : darknet policy name Check given policy is available in running conf or not. example : va_darknetconf_in_running('darknet1') return : True if it is enabled False if not """ logger.info("We are in ::" + sys._getframe().f_code.co_name) if not config: raise ValueError(" Policy name is mandatory for setting policy") cmd = 'show running | grep deception server' logger.info("Executing show command" + str(cmd)) output = self._access.va_cli(cmd) logger.info("the execution status :" + str(output)) for i in config: if i not in output: logger.error('The command is not in running configs' + i) return False, output logger.debug('The given policy is available in running configs') return True, output
def va_unset_applog_profile(self, app_log_name=None, app_log_commit=None): ''' :param app_log_name: :param app_log_commit: :return: complete command if commit is not passed Else : True on success of configuration on DUT Raises: :AddressValueError: if invalid address is provided :NetmaskValueError: if invalid mask is provided :ParamRequired: if interface is not provided ''' logger.info("We are in ::" + sys._getframe().f_code.co_name) mandatory = [app_log_name] for param in mandatory: if not param: pass # TODO: raise ValueError raise ValueError(" The app profile parameter is not provided, \ This is mandetory Argument\n") cmd = [] cmd.append('unset profile app-log {} '.format(app_log_name)) logger.debug('APPLOG command :' + str(cmd)) if app_log_commit: cmd.append('commit') config_status, output = self._access.va_config(cmd) logger.debug('commit status' + str(config_status) + str(output)) return config_status, output
def va_disable_darknet(self, data, *args, **kwargs): ''' API to disable the darknet policy In this case the policy will not be deleted, just disabled state :param data: Where Data is the dictionary with darknet policy details as shown below: data = { 'name': 'darknet policy name', 'iscommit': ' commit it or not' } :param args: :param kwargs: :return: ''' logger.info("We are in ::" + sys._getframe().f_code.co_name) data1 = copy.deepcopy(data) if 'name' not in data1: data1['name'] = 'darknet_new1' if 'iscommit' not in data1: data1['iscommit'] = 'ON' logger.debug('data1........ in darknet,' + str(data1)) cmds = [] cmds.append('unset deception dark-net %s enable' % data1['name']) if data1['iscommit'] == 'ON': cmds.append('commit') logger.info('Darknet command :' + str(cmds)) config_status, output = self._access.va_config(cmds) logger.debug('Configuration of DARKNET: {} :: {} '.format( config_status, output)) if config_status is False: logger.error('Configuration/commit FAILED') return False, output else: logger.info('Configuration and commit is successful') logger.debug('Configuration of DARKNET: {} :: {} '.format( config_status, output)) return True, output
def va_set_applog_profile(self, app_log_name=None, app_log_rule=None, app_log_application=None, app_log_context=None, app_log_filter=None, app_log_modifier=None, app_log_commit=None): """ :param app_log_name: Profile name :param app_log_rule: Matching rule name :param app_log_application: Supported Application name :param app_log_context: Attribute for provided application :param app_log_filter: String to match the context :param app_log_modifier: Modifier string (Optional) :param app_log_commit: string, will configure on DUT if it is passed :return: complete command if commit is not passed Else : True on success of configuration on DUT Raises: :AddressValueError: if invalid address is provided :NetmaskValueError: if invalid mask is provided :ParamRequired: if interface is not provided """ logger.info("We are in ::" + sys._getframe().f_code.co_name) mandatory = [app_log_name, app_log_rule, app_log_application, app_log_context, app_log_filter] for param in mandatory: if not param: pass # TODO: raise ValueError raise ValueError(" The app profile parameter is not provided, \ This is mandetory Argument\n") cmd = [] if app_log_modifier: cmd.append('set profile app-log {} rule {} application {} context {} ' 'filter {} modifier {}'.format(app_log_name, app_log_rule, app_log_application, app_log_context, app_log_filter, app_log_modifier)) logger.debug('APPLOG command :' + str(cmd)) else: cmd.append('set profile app-log {} rule {} application {} context {} ' 'filter {} '.format(app_log_name, app_log_rule, app_log_application, app_log_context, app_log_filter)) logger.debug('APPLOG command :' + str(cmd)) if app_log_commit: cmd.append('commit') config_status, output = self._access.va_config(cmd) logger.debug('commit status' + str(config_status) + str(output)) gcmd = 'show running | grep \"set profile app-log\" ' logger.info("Executing show command : " + str(gcmd)) routput = self._access.va_cli(gcmd) logger.info("the execution status : " + str(routput)) for i in cmd: if i not in routput: logger.error('The command is not in running configs: ' + i) return False, routput logger.debug('The command is available in running configs :' + i) return config_status, output
def va_verify_app_log(self, policy_name=None, app_log_profile_name=None, policy_template=None): """ :param policy_name: :param app_log_profile_name: :param policy_template: :return: True if app-log profile is associated with policy else False """ logger.info("We are in ::" + sys._getframe().f_code.co_name) mandatory = [app_log_profile_name] if not policy_template: policy_template = "policy_template" for param in mandatory: if not param: # TODO: raise ValueError raise ValueError(" The app profile parameter is not provided, \ This is mandetory Argument\n") if policy_name: cmd = "show policy name {}".format(policy_name) else: cmd = "show policy" output = self._access.exec_command(cmd) logger.info("TextFSM parsing POC") policy_template = open(policy_template) policy_table = jtextfsm.TextFSM(policy_template) logger.debug("CLI OUTPUT :\n" + output + "\n\n\n\n") policy_fsm_results = policy_table.ParseText(output) # Results will be writen to output file outputfile_name = open("show_policy_output.csv", "w+") outfile = outputfile_name for s in policy_table.header: outfile.write("%s;" % s) outfile.write("\n") # Iterate for all the rows logger.info(" Here is the result parsed using TextFSM:") counter = 0 for row in policy_fsm_results: logger.info(" Row :" + str(counter) + " columns :" + str(row)) for s in row: outfile.write("%s;" % s) outfile.write("\n") counter += 1 logger.info(" Number of records:" + str(counter)) exit() # below code will do regular pattern matching parsed = self._va_parse_app_profile(output) logger.debug(parsed) for line in parsed: app_log_profile_name = app_log_profile_name if line[1] == policy_name and app_log_profile_name in line[8]: logger.info(" The profile is associated with policy") return True else: logger.error(" The app profile is not \ associated with policy") return False
def va_get_active_device(self): """ get the number of active devices of director and CP/EP kwargs: None returns: dict : {'active_devices': The number of active devices except EPI, 'active_epis': The number of active EPIs } Examples: va_get_active_device() """ count_dev = 0 count_epis = 0 return_value = {} chassis_info = self.controller.va_show_chassis() dev_status = chassis_info.get('devices status') total_dev_counts = dev_status.get('total devices connected') inactive_devs = dev_status.get('inactive devices') match_tol_act_devs = re.search(r'^(\d+)\s+\(',total_dev_counts, re.I | re.M) if match_tol_act_devs is not None: total_dev_count = match_tol_act_devs.group(1) if int(total_dev_count) != 0: logger.debug("The number of devices are %s" % total_dev_count) else: logger.warn("The number of total connected devices is incorrect") else: logger.error("Failed to get 'total devices connected' \ information via 'show chassis'") match_rt = re.search(r'(\d+)\s+\(', inactive_devs, re.I|re.M) if match_rt is not None: inactive_dev_count = match_rt.group(1) if int(inactive_dev_count) == 0: logger.debug("No inactivate devices") else: logger.warn("The number of inactive device are %s" % inactive_dev_count) else: logger.error("Failed to get information of inactive device") #number of activate devices except EPI. count_dev = int(total_dev_count) - int(inactive_dev_count) return_value['active_devices'] = count_dev #get number of activate EPIs rt = self._access.va_cli('show chassis epi') match_rt = re.search(r'Total active EPIs:\s+(\d+)', rt, re.I | re.M) if match_rt is not None: count_epis = match_rt.group(1) if count_epis != 0: logger.debug("The number of EPIs are %s" % count_epis) else: logger.debug("No activate EPIs") else: logger.error("Failed to get information of EPIs") return_value['active_epis'] = count_epis return return_value
def va_config_darknet(self, data, *args, **kwargs): """ API to config darknet policy param : data1 = { 'name' : 'Darknet policy name' 'epi' : 'EPI UUID' or by default it is all 'segment' : 'segment ID' or by default it is all 'from2address': pair address from and to 'isenable' : 'enable' or by default yes 'is_commit" : Commit pending configuration example : va_config_darknet(data1) return : True/False """ logger.info("We are in ::" + sys._getframe().f_code.co_name) data1 = copy.deepcopy(data) if 'name' not in data1: data1['name'] = 'darknet_new1' if 'iscommit' not in data1: data1['iscommit'] = 'ON' if 'isenable' not in data1: data1['isenable'] = 'enable' if 'epi' not in data1: data1['epi'] = 'all' if 'segment' not in data1: data1['segment'] = 'all' logger.debug('data1........ in darknet,' + str(data1)) cmds = [] cmds.append('set deception dark-net %s epi %s segment %s' % (data1['name'], data1['epi'], data1['segment'])) darknetaddresses = data1['from2address'] print('Length of from2address list :', len(data1['from2address']), darknetaddresses, darknetaddresses[0]) if type(darknetaddresses) == str: cmds.append('set deception dark-net %s address %s to %s' % (data1['name'], darknetaddresses, darknetaddresses)) elif len(darknetaddresses) == 2 and type(darknetaddresses[0]) == str: cmds.append( 'set deception dark-net %s address %s to %s' % (data1['name'], darknetaddresses[0], darknetaddresses[1])) else: logger.debug('THIS IS FOR MORE THAN ONE LIST') for e in darknetaddresses: print(' each element in darknet', e) if len(e) == 1: cmds.append('set deception dark-net %s address %s to %s' % (data1['name'], e[0], e[0])) else: cmds.append('set deception dark-net %s address %s to %s' % (data1['name'], e[0], e[1])) cmds.append('set deception dark-net %s %s' % (data1['name'], data1['isenable'])) logger.info('Darknet command :' + str(cmds)) config_status, output = self._access.va_config(cmds) print('Configuration of DARKNET: ', config_status, output) if config_status is False: logger.error('Configuration/commit FAILED') return False, output else: logger.info('Configuration and commit is successful') print('Configuration of DARKNET: ', config_status, output) rstatus, output = self.va_darknetconf_in_running(cmds) return True, output
def va_get_data_session(self, *args, **kwargs): """ API to get data session, not support multiple session at same time param : kwargs : dict kwargs = { 'session' : session_val, 'proto' : 'icmp' | 'ftp', 'policy' : 'pol_test', more parameters refer to _va_check_single_session, } example : va_get_session_id(**kwargs) return: a dict of session like this {'app': '--', 'in_dst_ip': '5.5.5.3', 'out_dst_ip': '5.5.5.3', 'in_dst_port': '17436', 'out_dst_port': '17436', 'flag': '0x21c004a4', 'id': '0x6020000000007c0', 'in_intf': '603', 'out_intf': '603', 'in_micro_vlan': '1', 'out_micro_vlan': '2', 'in_packets': '1', 'out_packets': '1', 'policy': 'p1', 'proto': '1', 'segment': '20', 'in_src_ip': '5.5.5.2', 'out_src_ip': '5.5.5.2', 'in_src_port': '61', 'out_src_port': '61', 'state': '-1--1', 'time': '1', 'vsys_id': '1', } """ logger.info("\nIn subroutine: " + sys._getframe().f_code.co_name) if not 'session' in kwargs: session = self.va_get_session() else: session = kwargs.pop('session') if not 'proto' in kwargs: proto_name = 'ftp' else: proto_name = kwargs.pop('proto').split('-')[0] if proto_name in ['ftp', 'tftp']: f = lambda x,y:x!=y else: f = lambda x,y:x==y if not 'policy' in kwargs: kwargs['policy'] = "pol_test" port = port_map.get(proto_name) kwargs['proto'] = proto_map.get(proto_name) session_stats = self._va_parse_session(session) data_session = dict() for device in session_stats: for active_sessions in session_stats.get(device): for session in active_sessions.get('sessions'): match, no_matches, failed = self._va_check_single_session(kwargs, session) in_dst_port = int(session.get('in_dst_port')) logger.debug('Session : \n{}'.format(session)) logger.debug('Matched : {}'.format(match)) logger.debug('Not Matched: {}'.format(no_matches)) logger.debug('Failed : {}'.format(failed)) if len(failed) != 0: match = True for name in failed: failed_name = str(kwargs.get(name)) session_name = session.values() if failed_name not in session_name: match = False if not match: logger.error('Not matched: {}, {}'.format(failed_name, session_name)) if match: if f(in_dst_port, port): data_session = session break else: continue logger.info('Data session: {}'.format(data_session)) return data_session
def va_verify_interface(self, *args, **kwargs): """ Verify interface info,the API can supports physical interface and logical interfaces example is a part of parameter,the method supports verify the following: 'packets sent','Interface index','Local address','Link address', 'Security token','packets received',Vrouter','Logical interface', 'bytes received',bytes sent','ospf','flags','Security zone', 'Logical interface counters','Vrouter','MTU','Allowed in-bound traffic' 'collisions','frame alignment errors','packets dropped by TX', 'Current address','transmit errors','Link-level type',Link-mode, 'Speed','Auto-negotiation','packets with RX overrun','Physical interface', 'Native vlan id','Physical interface counters','packets with RX overrun', 'CRC errors','packets dropped by RX','receive errors' Param : kwargs : dict kwargs = { 'name' (str) : expected to check interface name 'packets sent'(str) : interface packets sent 'Interface index'(str) : interface Interface index 'Local address'(str) : interface local address 'Link address'(str) : interface link address 'Security token'(str) : interface security token 'packets received'(str) : interface packets received 'Vrouter'(str) : interface vrouter 'Logical interface'(str) : logical interface 'bytes received'(str) : interface bytes received 'bytes sent'(str) : interface bytes sent 'ospf'(str) : interface ospf 'flags'(str) : interface flags 'Security zone'(str) : security zone 'Logical interface counters'(str) : logical interface counters 'MTU'(str) : interface MTU 'Allowed in-bound traffic'(str) : allowed in-bound traffic } Return : boolean True False Example : va_verify_interface(**kwargs) kwargs = { 'name':'xe-3/0/1.1', 'Local address': '10.11.120.46/24', 'Allowed in-bound traffic': '', 'packets sent': '0', 'packets received': '0', 'Security token': '0x000000', 'MTU': '1500', 'flags': '0x0', 'Security zone': 'Null', 'ospf': 'OSPF is not configured', 'bytes received': '0', 'Vrouter': 'vr-default', 'Interface index': '0x801001', 'Logical interface counters': '', 'bytes sent': '0', 'Link address': '0.0.0.0/0', 'Logical interface': 'xe-3/0/1.1, Enabled, Physical link is Up' } """ logger.info("\nIn subroutine: " + sys._getframe().f_code.co_name) interface_info_dict = {} error_value = [] if 'name' not in kwargs: raise ValueError("name is mandatory parameter!\n") name = kwargs['name'] interface_info_dict = self.va_show_interface(interface=name) interface_key_dict = interface_info_dict.keys() logger.debug("Actual interface info for {} : {} ".format( name, interface_info_dict)) for expected_key in kwargs.keys(): if expected_key == 'name': continue if expected_key not in interface_key_dict: error_value.append("{} is not exist".format(expected_key)) continue if kwargs[expected_key] != interface_info_dict[expected_key]: error_value.append(expected_key + "is not right") logger.error("Fail,expected {} is {} the actual {} is {}"\ .format(expected_key,kwargs[expected_key],expected_key,interface_info_dict[expected_key])) if len(error_value) > 0: logger.error(str(error_value)) return False else: logger.info("Succeed to varify interface info") return True
def va_check_epi_forwarding_table(self, *args, **kwargs): """ check epi forwarding table if it is correct according to the value of epi,vm-mac, micro-vlan and seg-id or option parameter (epi-mac, epi-ip and flag) param : kwargs : dict kwargs = { 'epi' : uuid or hostname of the epi. eg: 2-6 or epi6 'fw_data' :[ { 'EPI-MAC': the value of epi-mac[option], 'EPI-IP': the value of epi ip[Option] 'SEG-ID': 'the value of seg id 'MICRO-VLAN': the value of micor vlan 'VM-MAC': the value of vm mac 'FLAG': the value of flag[option]} } ], 'Total remote entries' : option, 'Total local entries': option } return: bool Success: return True Failure: return False example : va_check_epi_forwarding_table(**kwargs) kwargs = { 'epi': '2-6', 'fw_data': [ { 'EPI-MAC': 'local', 'EPI-IP': 'local', 'SEG-ID': '3000', 'MICRO-VLAN': '2002', 'VM-MAC': '0:c:29:51:77:f8', 'FLAG': '111' }, {'SEG-ID': '3000', 'MICRO-VLAN': '2003', 'VM-MAC': '0:50:56:8e:ed:8'}], 'Total local entries' : 2, 'Total remote entries': 0 } """ logger.info("\nIn subroutine: " + sys._getframe().f_code.co_name) if not 'epi' in kwargs: raise ValueError( "uuid of hostname of epi is mandatory parameter!\n") if not 'fw_data' in kwargs: raise ValueError("fw_table is mandatory parameter!\n") result, forwarding_info = self.va_get_epi_forwarding_table( **{'epi': kwargs.get('epi')}) if result == False: return False expect_fw_data = kwargs.get('fw_data') if 'Total remote entries' in kwargs: expect_val = int(kwargs.get('Total remote entries')) actual_val = int(forwarding_info.get('Total remote entries')) if actual_val != expect_val: logger.error('The value of total remove entries is incorrect') logger.debug( 'Expect value of total remove entries is {}'.format( expect_val)) logger.debug( 'Actual value of total remove entries is {}'.format( actual_val)) return False if 'Total local entries' in kwargs: expect_val = int(kwargs.get('Total local entries')) actual_val = int(forwarding_info.get('Total local entries')) if actual_val != expect_val: logger.error('The value of Total local entries is incorrect') logger.debug( 'Expect value of Total local entries is {}'.format( expect_val)) logger.debug( 'Actual value of Total local entries is {}'.format( actual_val)) return False for each_fw_info in expect_fw_data: vm_mac = each_fw_info.get('VM-MAC') micro_vlan = each_fw_info.get('MICRO-VLAN') seg_id = each_fw_info.get('SEG-ID') if not vm_mac.strip() in forwarding_info: logger.error( 'Not found vm_mac {} in forwarding table'.format(vm_mac)) return False actual_fw = forwarding_info.get(vm_mac.strip()) if vm_mac.strip() != actual_fw.get('VM-MAC') or \ micro_vlan.strip() != actual_fw.get('MICRO-VLAN') or \ seg_id.strip() != actual_fw.get('SEG-ID') : logger.error('Verification failure!!!') logger.debug('Expect value are:vm_mac:{},micro_vlan:{},\ seg_id:{}'.format(vm_mac, micro_vlan, seg_id)) logger.debug('Acutal values are:vm_mac:{},micro_vlan:{},\ seg_id:{}'.format(actual_fw.get('VM-MAC'), actual_fw.get('MICRO-VLAN'), actual_fw.get('SEG-ID'))) return False if 'EPI-MAC' in each_fw_info: epi_mac = each_fw_info.get('EPI-MAC') if epi_mac != actual_fw.get('EPI-MAC'): logger.error( 'Verification failure for EPI-MAC. expect value:{}, \ actual value:{}'.format(actual_fw.get('EPI-MAC'), epi_mac)) return False if 'EPI-IP' in each_fw_info: epi_ip = each_fw_info.get('EPI-IP') if epi_ip != actual_fw.get('EPI-IP'): logger.error( 'Verification failure for EPI-IP. expect value:{}, \ actual value:{}'.format( actual_fw.get('EPI-IP'), epi_ip)) return False if 'FLAG' in each_fw_info: flag = each_fw_info.get('FLAG') if flag != actual_fw.get('FLAG'): logger.error( 'Verification failure for FLAG. expect value:{}, \ actual value:{}'.format( actual_fw.get('FLAG'), flag)) return False logger.info( 'Succeed to check forwaring for vm_mac {}'.format(vm_mac)) logger.info('Succeed to check forwarding for epi {}'.format( kwargs.get('epi'))) return True
def va_config_deceptionserver(self, data, *args, **kwargs): """ API to config deception server policy Here user credential are optional, it will be configure if user provide the details param : data = { 'server' : 'Deception server name' 'endpoint-ip' : 'Server end point IP' - Note that DNS name is not supported 'username' : 'UserID to connect server' 'passphrase' : 'password' 'encrypted' : True/False, by default it is False provided password is encrypted? 'is_commit" : Commit pending configuration example : va_config_deception_server(data) return : tuple with True/False and log output """ logger.info("We are in ::" + sys._getframe().f_code.co_name) data1 = copy.deepcopy(data) if 'server' not in data1: logger.error('Missing the mandotory argument: Server') raise ValueError('Missing the mandotory argument: Server') if 'endpoint-ip' not in data1: logger.error('Missing the mandotory argument: {}'.format( data1['server'])) raise ValueError('Missing the mandotory argument: \ {}'.format(data1['server'])) if 'iscommit' not in data1: data1['iscommit'] = 'ON' if 'username' in data1: if 'passphrase' not in data: logger.error('passphrase required for user {}'.format( data['username'])) raise ValueError('passphrase required for \ user {}'.format(data['username'])) if 'encrypted' not in data1: data1['encrypted'] = False logger.debug('data1........ in darknet,' + str(data1)) cmds = [] cmds.append('set deception server %s endpoint-ip %s' % (data1['server'], data1['endpoint-ip'])) if 'username' in data1: cmds.append('set deception server %s username %s' % (data1['server'], data1['username'])) if data1['encrypted'] is True: cmds.append( 'set deception server %s passphrase encrypted-password %s' % (data1['server'], data1['passphrase'])) logger.info('Deception Server command :' + str(cmds)) config_status, output = self._access.va_config(cmds) logger.info('Configuration of DECEPTION: {} : {} '.format( config_status, output)) else: #TODO NEED TO CHECK HOW INTERACTIVE COMMAND EXECUTED IN CLI # replace below code with commented one logger.info('Deception Server command :' + str(cmds)) config_status, output = self._access.va_config(cmds) logger.info('Configuration of DECEPTION: {} : {} '.format( config_status, output)) ''' cmds.append('set deception server %s passphrase ' % (data1['server'])) config_status, output = self._access.va_config(cmds) logger.info('Configuration of DECEPTION: {} : {} '.format(config_status, output)) #cmds.append( data1['passphrase']) #cmds.append( data1['passphrase']) config_status, output = self._access.va_cli(data1['passphrase']) config_status, output = self._access.va_cli(data1['passphrase']) ''' else: logger.info('Deception Server command :' + str(cmds)) config_status, output = self._access.va_config(cmds) logger.info('Configuration of DECEPTION: {} : {} '.format( config_status, output)) '''logger.info('Deception Server command :' + str(cmds)) config_status, output = self._access.va_config(cmds) print('Configuration of DARKNET: ', config_status, output) ''' if config_status is False: logger.error('Configuration/commit FAILED') return False, output else: if 'username' in data1: logger.info('Configuration and commit is successful') print('Configuration of DECEPTION: ', config_status, output) if data1['encrypted'] is True: cmds.pop() else: #TODO THESE required when interactive cli is available #cmds.pop() cmds.pop() rstatus, output = self.va_deceptionserver_in_running(cmds) return True, output
def va_check_session(self, data=None, *args): """ method to match a bunch of keyswords related to session output. The session output is part of the data. Look at the following data dict for the valid keywords. data should have a mandatory key - session, which is the session output. other keywords are optional. { 'app': '--', 'flag': '0x00c00004', 'id': '0x5000100000008', 'in_dst_ip': '152.32.13.174', 'in_dst_port': '10001', 'in_intf': 'reth0', 'in_micro_vlan': '1', 'in_packets': '213', 'in_phy_intf': '(xe-2/0/2)', 'in_src_ip': '152.16.13.174', 'in_src_port': '1087', 'out_dst_ip': '152.16.13.174', 'out_dst_port': '1087', 'out_intf': 'reth1', 'out_micro_vlan': '1', 'out_packets': '0', 'out_phy_intf': '(xe-2/0/3)', 'out_src_ip': '152.32.13.174', 'out_src_port': '10001', 'policy': 'Any', 'proto': '17', 'state': '-1--1', 'time': '1769', 'vsys_id': '1' } raises: :ValueError: if data does not have session defined returns: :True|False (bool): True if match succeeds else False """ found_match = False match_counter = 0 most_match_session = dict() failed_in_most_match = None output = data.get('session') if not output: raise ValueError data.pop('session') session_stats = self._va_parse_session(output) if 'data_session' in args: in_ip = data.pop('in_dst_ip') out_ip = data.pop('out_dst_ip') data['in_dst_ip'] = data.pop('in_src_ip') data['in_src_ip'] = in_ip data['out_dst_ip'] = data.pop('out_src_ip') data['out_src_ip'] = out_ip for device in session_stats: if found_match: break for active_sessions in session_stats.get(device): if found_match: break for session in active_sessions.get('sessions'): match, no_matches, failed = self._va_check_single_session( data, session ) if no_matches > match_counter: match_counter = no_matches most_match_session = session failed_in_most_match = failed if match: found_match = True break else: continue if not found_match: logger.debug('Expected match session info:\n%s' % data) logger.debug("failed keywords: {}".format(failed_in_most_match)) logger.debug("session with most matches: {}" .format(most_match_session)) logger.error("session match failed!") logger.info("session match succeed!") return found_match
def va_get_epi_forwarding_table(self, *args, **kwargs): """ get epi forwarding table according to uuid or hostname of epi param : kwargs : dict kwargs = { 'epi' : uuid or hostname of the epi. eg: 2-6 or epi6 } return: tuple Success: True, : {'0:50:56:8e:ed:8': { 'EPI-MAC': 'local', 'EPI-IP': 'local', 'SEG-ID': '3000', 'MICRO-VLAN': '2003', 'VM-MAC': '0:50:56:8e:ed:8', 'FLAG': '110'}, 'Total remote entries': '0', 'Total local entries': '2', '0:c:29:51:77:f8': { 'EPI-MAC': 'local', 'EPI-IP': 'local', 'SEG-ID': '3000', 'MICRO-VLAN': '2002', 'VM-MAC': '0:c:29:51:77:f8', 'FLAG': '110' } } Failure: False,{} example : va_get_epi_forwarding_table(**kwargs) """ logger.info("\nIn subroutine: " + sys._getframe().f_code.co_name) return_data = {} if not 'epi' in kwargs: raise ValueError( "uuid of hostname of epi is mandatory parameter!\n") cmd = 'show chassis epi {} forwarding'.format(kwargs.get('epi')) output = self._access.va_cli(cmd) if re.search(r'Fail to find EPI', output, re.M | re.I) is not None: logger.error('Failed to find EPI {}'.format(kwargs.get('epi'))) return False, return_data output = output.split('\n') output.pop(0) last_index = len(output) - 1 output.pop(int(last_index)) output.pop(1) #address the number of tatal local/remove entries for i in range(1, 3): total_line = output.pop(-1).split(':') return_data[total_line[0].strip()] = total_line[1].strip() #get key name key_name = output.pop(0) key_name = key_name.split() #get forwarding information for each vm-mac for fw_in in output: fw_in_l = fw_in.split() num = len(fw_in_l) vm_mac = fw_in_l[0] return_data[vm_mac] = {} for i in range(0, num): fw_in_e_v = fw_in_l[i].strip() fw_in_e_k = key_name[i].strip() return_data[vm_mac][fw_in_e_k] = fw_in_e_v logger.debug('forwaing table of {} epi is {}\n'.format( kwargs.get('epi'), return_data)) return True, return_data