def make_acl(self,
acl_name,
target_url,
protocol,
match_type,
direction_initiated,
local_ports=None,
remote_ports=None):
# (acl_name, protocol_direction, ip_version, target_url, protocol, match_type,
# direction_initiated, local_ports=None, remote_ports=None):
if "v4" in acl_name:
ip_version = IPVersion.IPV4
elif "v6" in acl_name:
ip_version = IPVersion.IPV6
else:
raise InputException("Invalid IPVersion provided")
acl_type_prefix = get_ipversion_string(ip_version)
if acl_name.endswith("to"):
protocol_direction = Direction.TO_DEVICE
elif acl_name.endswith("fr"):
protocol_direction = Direction.FROM_DEVICE
else:
raise InputException("Invalid Direction provided")
return {
'name': acl_name,
'type': acl_type_prefix + '-acl-type',
'aces': {
'ace':
self.make_ace(protocol_direction, target_url, protocol,
match_type, direction_initiated, ip_version,
local_ports, remote_ports)
}
}
def make_acl(protocol_direction,
ip_version,
target_url,
protocol,
match_types,
direction_initiated,
local_ports=None,
remote_ports=None,
acl_name=None,
mud_name=None):
acl_type_prefix = get_ipversion_string(ip_version)
if acl_name is None and mud_name is None:
raise InputException(
'acl_name and mud_name can\'t both by None at the same time')
elif acl_name is None:
acl_name = make_acl_name(mud_name, ip_version, direction_initiated)
return {
'name': acl_name,
'type': acl_type_prefix + '-acl-type',
'aces': {
'ace':
make_ace(protocol_direction, target_url, protocol, match_types,
direction_initiated, ip_version, local_ports,
remote_ports)
}
}
def make_mud_5(self):
#mud = self.support_info
#mud.update(self.policies)
#self.mud_file = {'ietf-mud:mud': mud, 'ietf-access-control-list:acls': {'acl': self.acls}}
#return self.mud_file
#def assemble_mud(self):
if self.ip_version == IPVersion.BOTH:
ip_version = [IPVersion.IPV4, IPVersion.IPV6]
self.acl = [
self.acl_v4_to, self.acl_v4_from, self.acl_v6_to,
self.acl_v6_from
]
else:
ip_version = [self.ip_version]
if self.ip_version == IPVersion.IPV4:
#self.acl_v4_to = {}
#self.acl_v4_from = {}
self.acl = [self.acl_v4_to, self.acl_v4_from]
elif self.ip_version == IPVersion.IPV6:
#self.acl_v6_to = {}
#self.acl_v6_from = {}
self.acl = [self.acl_v6_to, self.acl_v6_from]
rule_list = [(MatchType.IS_LOCAL, self.rules_local),
(MatchType.IS_CLOUD, self.rules_cloud),
(MatchType.IS_CONTROLLER, self.rules_controller),
(MatchType.IS_MY_CONTROLLER, self.rules_controller_my),
(MatchType.IS_MFG, self.rules_manufacturer),
(MatchType.IS_MYMFG, self.rules_manufacturer_my)]
# Not the most efficient way to do this, but it works
for (i, (match_type, rules)) in enumerate(rule_list):
for (j, rule) in enumerate(rules):
for protocol_direction in [
Direction.TO_DEVICE, Direction.FROM_DEVICE
]:
for ipv in ip_version:
sub_ace_name = get_sub_ace_name(
get_ace_name(match_type), protocol_direction, j)
match = {}
ip_version_string = get_ipversion_string(ipv)
source_port = None
destination_port = None
direction_initiated = rule.get('direction_initiated')
if rule.get('ietf-mud:mud') is not None:
match['ietf-mud:mud'] = rule['ietf-mud:mud']
cloud_entry = None
else:
cloud_entry = make_acldns_match(
rule['target_url'], protocol_direction)
if rule['protocol'] is Protocol.ANY:
if cloud_entry:
match[ip_version_string] = cloud_entry
else:
if protocol_direction is Direction.FROM_DEVICE:
source_port = rule.get('remote_port')
destination_port = rule.get('local_port')
elif protocol_direction is Direction.TO_DEVICE:
source_port = rule.get('local_port')
destination_port = rule.get('remote_port')
if rule['protocol'] is Protocol.TCP:
match[ip_version_string] = rule.get(
"cloud_placeholder").copy(
) # {'protocol': 6}
if source_port is not None or destination_port is not None or \
direction_initiated is not None:
match['tcp'] = make_port_range(
direction_initiated, source_port,
destination_port)
elif rule['protocol'] is Protocol.UDP:
match[ip_version_string] = rule.get(
"cloud_placeholder").copy(
) # {'protocol': 17}
if rule.get(
'source_port') is not None or rule.get(
'destination_port') is not None:
match['udp'] = make_port_range(
dir_init=None,
source_port=source_port,
destination_port=destination_port)
else:
raise InputException(
f'protocol is not valid: {rule["protocol"]}'
)
if cloud_entry:
match[ip_version_string].update(cloud_entry)
ace = {
'name': sub_ace_name,
'matches': match,
'actions': {
'forwarding': 'accept'
}
}
if ipv == IPVersion.IPV4:
if protocol_direction == Direction.TO_DEVICE:
self.acl_v4_to['aces']['ace'].append(ace)
#self.acl.append(self.acl_v4_to.copy())
else:
self.acl_v4_from['aces']['ace'].append(ace)
#self.acl.append(self.acl_v4_from.copy())
elif ipv == IPVersion.IPV6:
if protocol_direction == Direction.TO_DEVICE:
self.acl_v6_to['aces']['ace'].append(ace)
#self.acl.append(self.acl_v6_to.copy())
else:
self.acl_v6_from['aces']['ace'].append(ace)
#self.acl.append(self.acl_v6_from.copy())
mud = self.support_info
mud.update(self.policies)
self.mud_file = {
'ietf-mud:mud': mud,
'ietf-access-control-list:acls': {
'acl': self.acl
}
}
return self.mud_file
def make_sub_ace(self,
sub_ace_name,
protocol_direction,
target_url,
protocol,
match_type,
direction_initiated,
ip_version,
local_port=None,
remote_port=None):
if len(target_url) > 140:
raise InputException('target url is too long: {}' % target_url)
match = {}
ip_version = get_ipversion_string(ip_version)
source_port = None
destination_port = None
cloud_ipv4_entry = None
if match_type is MatchType.IS_LOCAL:
match['ietf-mud:mud'] = make_local_match()
elif match_type is MatchType.IS_CLOUD:
cloud_ipv4_entry = make_acldns_match(target_url,
protocol_direction)
elif match_type is MatchType.IS_CONTROLLER:
match['ietf-mud:mud'] = make_controller_match(target_url)
elif match_type is MatchType.IS_MY_CONTROLLER:
match['ietf-mud:mud'] = make_my_controller_match()
elif match_type is MatchType.IS_MFG:
match['ietf-mud:mud'] = make_manufacturer_match(target_url)
elif match_type is MatchType.IS_MYMFG:
match['ietf-mud:mud'] = make_same_manufacturer_match()
if match.get('ietf-mud:mud') is None and cloud_ipv4_entry is None:
raise InputException(f"match_type is not valid: {match_type}")
if protocol is Protocol.ANY:
if cloud_ipv4_entry:
match[ip_version] = cloud_ipv4_entry
else:
if protocol_direction is Direction.FROM_DEVICE:
source_port = remote_port
destination_port = local_port
elif protocol_direction is Direction.TO_DEVICE:
source_port = local_port
destination_port = remote_port
if protocol is Protocol.TCP:
match[ip_version] = {'protocol': 6}
if source_port is not None or destination_port is not None or direction_initiated is not None:
match['tcp'] = make_port_range(direction_initiated,
source_port,
destination_port)
elif protocol is Protocol.UDP:
match[ip_version] = {'protocol': 17}
if source_port is not None or destination_port is not None:
match['udp'] = make_port_range(source_port,
destination_port)
else:
raise InputException(f'protocol is not valid: {protocol}')
if cloud_ipv4_entry:
match[ip_version].update(cloud_ipv4_entry)
return {
'name': sub_ace_name,
'matches': match,
'actions': {
'forwarding': 'accept'
}
}
def __init__(self,
mud_version: int,
mud_url: str,
is_supported: bool,
cache_validity: int = None,
system_info: str = None,
mfg_name: str = None,
documentation: str = None,
masa_server: int = None,
model_name: str = None,
ip_version: IPVersion = None,
last_update: str = None,
firmware_rev: str = None,
software_rev: str = None):
#mud_signature=None
# This may be unnecessary
if ip_version not in [IPVersion.IPV4, IPVersion.IPV6, IPVersion.BOTH]:
raise ValueError(
"Invalid IP Version provided: only IPVersion.BOTH, IPVersion.IPV4, or IPVersion.IPV6 "
"acceptable")
self.ip_version = ip_version
#if ip_version == IPVersion.BOTH:
# self.ip_version = [IPVersion.IPV4, IPVersion.IPV6]
#elif ip_version == IPVersion.IPV4 or ip_version == IPVersion.IPV6:
# self.ip_version = [ip_version]
#else:
# raise ValueError("Invalid IP Version provided: only IPVersion.BOTH, IPVersion.IPV4, or IPVersion.IPV6 "
# "acceptable")
# TODO add mud-signature file
self.support_info = self.make_support_info(
mud_version, mud_url, is_supported, cache_validity, system_info,
documentation, masa_server, mfg_name, last_update, model_name,
firmware_rev, software_rev)
self.mud_name = f'mud-{random.randint(10000, 99999)}'
self.acl = []
self.acl_v4_to = []
self.acl_v4_from = []
self.acl_v6_to = []
self.acl_v6_from = []
self.policies = {}
self.rules_local = []
self.rules_cloud = []
self.rules_controller = []
self.rules_controller_my = []
self.rules_manufacturer = []
self.rules_manufacturer_my = []
self.acl_names = self.make_acl_names()
for acl_name in self.acl_names:
if "v4" in acl_name:
acl_type_prefix = get_ipversion_string(IPVersion.IPV4)
if acl_name.endswith('to'):
self.acl_v4_to = {
'name': acl_name,
'type': acl_type_prefix + '-acl-type',
'aces': {
'ace': []
}
}
elif acl_name.endswith('fr'):
self.acl_v4_from = {
'name': acl_name,
'type': acl_type_prefix + '-acl-type',
'aces': {
'ace': []
}
}
elif "v6" in acl_name:
acl_type_prefix = get_ipversion_string(IPVersion.IPV4)
if acl_name.endswith('to'):
self.acl_v6_to = {
'name': acl_name,
'type': acl_type_prefix + '-acl-type',
'aces': {
'ace': []
}
}
elif acl_name.endswith('fr'):
self.acl_v6_from = {
'name': acl_name,
'type': acl_type_prefix + '-acl-type',
'aces': {
'ace': []
}
}
self.policies.update(self.make_policy())
self.mud_file = {}