RubyGems - cisco_acl_intp - Versions diffs - 0.0.1 - Mend

cisco_acl_intp 0.0.1

Files changed (53) hide show

checksums.yaml +7 -0
data/.gitignore +17 -0
data/.rspec +2 -0
data/.rubocop.yml +13 -0
data/.travis.yml +3 -0
data/.yardopts +4 -0
data/Gemfile +19 -0
data/LICENSE.txt +22 -0
data/README.md +132 -0
data/Rakefile +78 -0
data/acl_examples/err-acl.txt +49 -0
data/acl_examples/named-ext-acl.txt +12 -0
data/acl_examples/named-std-acl.txt +6 -0
data/acl_examples/numd-acl.txt +21 -0
data/cisco_acl_intp.gemspec +31 -0
data/lib/cisco_acl_intp/ace.rb +432 -0
data/lib/cisco_acl_intp/ace_ip.rb +136 -0
data/lib/cisco_acl_intp/ace_other_qualifiers.rb +102 -0
data/lib/cisco_acl_intp/ace_port.rb +146 -0
data/lib/cisco_acl_intp/ace_proto.rb +319 -0
data/lib/cisco_acl_intp/ace_srcdst.rb +114 -0
data/lib/cisco_acl_intp/ace_tcp_flags.rb +65 -0
data/lib/cisco_acl_intp/acl.rb +272 -0
data/lib/cisco_acl_intp/acl_base.rb +111 -0
data/lib/cisco_acl_intp/parser.rb +3509 -0
data/lib/cisco_acl_intp/parser.ry +1397 -0
data/lib/cisco_acl_intp/scanner.rb +176 -0
data/lib/cisco_acl_intp/scanner_special_token_handler.rb +66 -0
data/lib/cisco_acl_intp/version.rb +5 -0
data/lib/cisco_acl_intp.rb +9 -0
data/spec/cisco_acl_intp/ace_ip_spec.rb +111 -0
data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb +63 -0
data/spec/cisco_acl_intp/ace_port_spec.rb +214 -0
data/spec/cisco_acl_intp/ace_proto_spec.rb +200 -0
data/spec/cisco_acl_intp/ace_spec.rb +605 -0
data/spec/cisco_acl_intp/ace_srcdst_spec.rb +296 -0
data/spec/cisco_acl_intp/ace_tcp_flags_spec.rb +38 -0
data/spec/cisco_acl_intp/acl_spec.rb +523 -0
data/spec/cisco_acl_intp/cisco_acl_intp_spec.rb +7 -0
data/spec/cisco_acl_intp/parser_spec.rb +53 -0
data/spec/cisco_acl_intp/scanner_spec.rb +122 -0
data/spec/conf/extacl_objgrp_token_seq.yml +36 -0
data/spec/conf/extacl_token_seq.yml +88 -0
data/spec/conf/extended_acl.yml +226 -0
data/spec/conf/scanner_spec_data.yml +120 -0
data/spec/conf/single_tokens.yml +235 -0
data/spec/conf/stdacl_token_seq.yml +8 -0
data/spec/conf/tokens1.yml +158 -0
data/spec/conf/tokens2.yml +206 -0
data/spec/parser_fullfill_patterns.rb +145 -0
data/spec/spec_helper.rb +54 -0
data/tools/check_acl.rb +48 -0
metadata +159 -0

data/lib/cisco_acl_intp/ace.rb ADDED Viewed

@@ -0,0 +1,432 @@
+# -*- coding: utf-8 -*-
+require 'cisco_acl_intp/ace_srcdst'
+module CiscoAclIntp
+  # Access control entry base model
+  class AceBase < AclContainerBase
+    include Comparable
+    # @param [Integer] value ACL sequence number
+    # @return [Integer]
+    attr_accessor :seq_number
+    # Number used when ACE does not has sequence number
+    NO_SEQ_NUMBER = -1
+    # Constructor
+    # @param [Hash] opts
+    # @option opts [Integer] :number Sequence number
+    # @return [AceBase]
+    def initialize(opts)
+      @seq_number = opts[:number] || NO_SEQ_NUMBER
+    end
+    # Check this object has sequence number
+    # @return [Boolean]
+    def seq_number?
+      @seq_number > NO_SEQ_NUMBER
+    end
+    # Compare by sequence number
+    # @note Using "Comparable" module, '==' operator is defined by
+    #   '<=>' operator.  But ACE object will be compared by its value
+    #   (comparison by the equivalence), instead of sequence
+    #   number. The '==' operator will be overriden in child class.
+    # @param [AceBase] other RHS object
+    # @return [Integer] Compare with protocol/port number
+    def <=>(other)
+      @seq_number <=> other.seq_number
+    end
+    # Search matched ACE
+    # @return [Boolean] Matched or not
+    # @abstract
+    def matches?
+      false
+    end
+  end
+  # Remark entry container
+  class RemarkAce < AceBase
+    # @param [String] value Comment string
+    # @return [String]
+    attr_accessor :comment
+    # Constructor
+    # @param [String] str Comment string
+    # @return [RemarkAce]
+    def initialize(str)
+      @comment = str.strip
+      @seq_number = NO_SEQ_NUMBER # remark does not takes line number
+    end
+    # Check equality
+    # @return [Boolean] Compare with comment string
+    def ==(other)
+      @comment == other.comment
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String] Comment string
+    def to_s
+      sprintf ' remark %s', c_rmk(@comment.to_s)
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options
+    # return [Boolean] false, Remark does not match anithyng.
+    def matches?(opts = nil)
+      false
+    end
+  end
+  # Evaluate entry container
+  class EvaluateAce < AceBase
+    # @param [String] value Recutsive entry name
+    # @return [String]
+    attr_accessor :recursive_name
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [Integer] :number Sequence number
+    # @option opts [String] :recursive_name Recursive entry name
+    # @return [EvaluateAce]
+    # @raise [AclArgumentError]
+    def initialize(opts)
+      super
+      @options = opts
+      @recursive_name = define_recursive_name
+    end
+    # Set instance variables
+    # return [String] Recursive entry name
+    # raise [AclArgumentError]
+    def define_recursive_name
+      if @options.key?(:recursive_name)
+        @options[:recursive_name]
+      else
+        fail AclArgumentError, 'name not specified'
+      end
+    end
+    # @return [Boolean] Compare with recursive entry name
+    def ==(other)
+      @recursive_name == other.recursive_name
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf 'evaluate %s', c_name(@recursive_name)
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options
+    # return [Boolean] false, Recursive does not implemented yet
+    def matches?(opts = nil)
+      ## TODO
+      false
+    end
+  end
+  # ACE for standard access list
+  class StandardAce < AceBase
+    # @param [String] value Action
+    # @return [String]
+    attr_accessor :action
+    # @param [AceSrcDstSpec] value Source spec object
+    # @return [AceSrcDstSpec]
+    attr_accessor :src_spec
+    # @param [AceLogSpec] value Log spec object
+    # @return [AceLogSpec]
+    attr_accessor :log_spec
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [Integer] :number Sequence number
+    # @option opts [String] :action Action (permit/deny)
+    # @option opts [AceSrcDstSpec] :src Source spec object
+    # @option opts [Hash] :src Source spec parmeters
+    # @option opts [AceLogSpec] :log Log spec object
+    # @return [StandardAce]
+    # @raise [AclArgumentError]
+    def initialize(opts)
+      super
+      @options = opts
+      @action = define_action
+      @src_spec = define_src_spec
+      @log_spec = define_log_spec
+    end
+    # @return [Boolean]
+    def ==(other)
+      @action == other.action && @src_spec == other.src_spec
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf(
+        ' %s %s %s',
+        c_act(@action.to_s),
+        @src_spec,
+        @log_spec ? @log_spec : ''
+     )
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options (target packet info)
+    # @option opts [String] :src_ip Source IP Address
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError] Invalid src_ip
+    def matches?(opts)
+      if opts.key?(:src_ip)
+        @src_spec.ip_spec.matches?(opts[:src_ip])
+      else
+        fail AclArgumentError, 'Invalid match target src IP address'
+      end
+    end
+    private
+    # Set instance variables
+    # @return [String] Action string
+    # @raise [AclArgumentError]
+    def define_action
+      if @options.key?(:action)
+        @options[:action]
+      else
+        fail AclArgumentError, 'Not specified action'
+      end
+    end
+    # Set instance variables
+    # @return [AceSrcDstSpec] Source spec object
+    # @raise [AclArgumentError]
+    def define_src_spec
+      if @options.key?(:src)
+        src = @options[:src]
+        case src
+        when Hash
+          AceSrcDstSpec.new(src)
+        when AceSrcDstSpec
+          src
+        else
+          fail AclArgumentError, 'src spec: unknown class'
+        end
+      else
+        fail AclArgumentError, 'Not specified src spec'
+      end
+    end
+    # Set instance variables
+    # @return [String] Log spec object
+    # @raise [AclArgumentError]
+    def define_log_spec
+      @options[:log] || nil
+    end
+  end
+  # ACE for extended access list
+  class ExtendedAce < StandardAce
+    # @param [String] value L3/L4 protocol
+    # @return [String]
+    attr_accessor :protocol
+    # @param [AceSrcDstSpec] value Destination spec object
+    # @return [AceSrcDstSpec]
+    attr_accessor :dst_spec
+    # @param [AceTcpFlagList] value
+    #   TCP flags (used when '@protocol':tcp)
+    # @return [AceTcpFlagList]
+    attr_accessor :tcp_flags
+    # @param [AceOtherQualifierList] value
+    #   TCP other qualifier list object (used when '@protocol':tcp)
+    # @return [AceOtherQualifierList]
+    attr_accessor :tcp_other_qualifiers
+    # Option,
+    # :src and :dst can handle multiple types of object generation,
+    # so that the argments can takes hash of AceSrcDstSpec.new or
+    # AceSrcDstSpec instance.
+    # :protocol and so on. (AceIpProtoSpec Object)
+    #
+    # about :protocol, it has specification of name and number
+    # (specified in internal of parser).
+    # basically, it is OK that specify only name.
+    # (does it convert name <=> number each oether?)
+    # (does it use number?
+    #
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [String] :protocol L3/L4 protocol
+    # @option opts [Integer] :number Protocol/Port number
+    # @option opts [String] :action Action
+    # @option opts [AceSrcDstSpec] :src Source spec object
+    # @option opts [Hash] :src Source spec parmeters
+    # @option opts [AceSrcDstSpec] :dst Destination spec object
+    # @option opts [Hash] :dst Destination spec parmeters
+    # @option opts [AceTcpFlagList] :tcp_port_qualifier
+    #   TCP Flags object
+    # @raise [AclArgumentError]
+    # @return [ExtendACE]
+    #
+    # @example Construct ACE object
+    #   ExtendACE.new(
+    #     :protocol => 'tcp',
+    #     :number => 10,
+    #     :action => 'permit',
+    #     :src => { :ipaddr => '192.168.3.0', :wildcard => '0.0.0.127' },
+    #     :dst => { :ipaddr => '172.30.0.0', :wildcard => '0.0.7.127',
+    #               :operator => 'eq', :begin_port => 80 })
+    #
+    def initialize(opts)
+      super
+      @options = opts
+      @protocol = define_protocol
+      @dst_spec = define_dst_spec
+      @tcp_flags = define_tcp_flags
+      @tcp_other_qualifiers = nil # not yet.
+    end
+    # @param [ExtendACE] other RHS object
+    # @return [Boolean]
+    def ==(other)
+      @action == other.action &&
+        @protocol == other.protocol &&
+        @src_spec == other.src_spec &&
+        @dst_spec == other.dst_spec &&
+        @tcp_flags == other.tcp_flags
+      ## does it need to compare? : tcp_other_qualifiers
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf(
+        ' %s %s %s %s %s %s',
+        c_act(@action.to_s),
+        c_pp(@protocol.to_s),
+        @src_spec,
+        @dst_spec,
+        @tcp_flags ? @tcp_flags : '',
+        @tcp_other_qualifiers ? @tcp_other_qualifiers : ''
+     )
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options (target packet info)
+    # @option opts [String] :protocol L3/L4 protocol name
+    #   (allows "tcp", "udp" and "icmp")
+    # @option opts [String] :src_ip Source IP Address
+    # @option opts [Integer] :src_port Source Port No.
+    # @option opts [String] :dst_ip Destination IP Address
+    # @option opts [Integer] :dst_port Destination Port No.
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError]
+    def matches?(opts)
+      if opts.key?(:protocol)
+        match_proto = match_protocol?(opts[:protocol])
+        match_src = match_addr_port?(@src_spec, opts[:src_ip], opts[:src_port])
+        match_dst = match_addr_port?(@dst_spec, opts[:dst_ip], opts[:dst_port])
+      else
+        fail AclArgumentError, 'Invalid match target protocol'
+      end
+      (match_proto && match_src && match_dst)
+    end
+    private
+    # check protocol
+    # @option protocol [AceProtoSpecBase] protocol
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError]
+    def match_protocol?(protocol)
+      protocol_str = @protocol.to_s
+      if protocol_str == 'ip'
+        true # allow tcp/udp
+      else
+        ## TBD
+        ## what to do when NO name and only protocol number is specified?
+        # In principle, it must be compared by object.
+        protocol == protocol_str
+      end
+    end
+    # check src/dst address
+    # @option srcdst_spec [AceSrcDstSpec] src/dst address/port
+    # @option ip [String] ip addr to compare
+    # @option port [Integer] port number to compare
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError]
+    def match_addr_port?(srcdst_spec, ip, port)
+      if ip
+        srcdst_spec.matches?(ip, port)
+      else
+        fail AclArgumentError, 'Not specified match target IP Addr'
+      end
+    end
+    # Set instance variables
+    # return [AceIpProtoSpec] IP protocol object
+    # raise [AclArgumentError]
+    def define_protocol
+      if @options.key?(:protocol)
+        protocol = @options[:protocol]
+        case protocol
+        when AceIpProtoSpec
+          protocol
+        else
+          AceIpProtoSpec.new(
+            name: protocol,
+            number: @options[:protocol_num]
+          )
+        end
+      else
+        fail AclArgumentError, 'Not specified IP protocol'
+      end
+    end
+    # Set instance variables
+    # @return [AceSrcDstSpec] Destination spec object
+    # @raise [AclArgumentError]
+    def define_dst_spec
+      if @options.key?(:dst)
+        dst = @options[:dst]
+        case dst
+        when Hash
+          AceSrcDstSpec.new(dst)
+        when AceSrcDstSpec
+          dst
+        else
+          fail AclArgumentError, 'Dst spec: unknown class'
+        end
+      else
+        fail AclArgumentError, 'Not specified dst spec'
+      end
+    end
+    # Set instance variables
+    # @return [AceOtherQualifierList]
+    def define_tcp_flags
+      if @protocol.name == 'tcp' && @options.key?(:tcp_flags_qualifier)
+        @options[:tcp_flags_qualifier]
+      else
+        nil
+      end
+    end
+  end
+end # module
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/ace_ip.rb ADDED Viewed

@@ -0,0 +1,136 @@
+# -*- coding: utf-8 -*-
+require 'forwardable'
+require 'netaddr'
+require 'cisco_acl_intp/acl_base'
+module CiscoAclIntp
+  # IP Address and Wildcard mask container
+  class AceIpSpec < AclContainerBase
+    extend Forwardable
+    # @param [NetAddr::CIDR] value IP address
+    #   (dotted decimal notation)
+    # @return [NetAddr::CIDR]
+    attr_accessor :ipaddr
+    # @param [Integer] value Netmask length
+    # @return [Integer]
+    attr_accessor :netmask
+    # @param [String] value Wildcard mask
+    #   (dotted decimal and bit flapped notation)
+    # @return [String]
+    attr_accessor :wildcard
+    def_delegator :@ipaddr, :ip, :ipaddr
+    # `contained_ip?' method is cidr(ipaddr/nn) operation
+    def_delegator :@ipaddr, :is_contained?, :contained_ip?
+    # `matches?' method is wildcard mask operation
+    def_delegators :@ipaddr, :matches?
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [String] :ipaddr IP address
+    #   (dotted decimal notation)
+    # @option opts [String] :wildcard Wildcard mask
+    #   (dotted decimal and bit flipped notation)
+    # @option opts [Integer] :netmask Network Mask Length
+    # @raise [AclArgumentError]
+    # @return [AceIpSpec]
+    def initialize(opts)
+      if opts.key?(:ipaddr)
+        define_addrinfo(opts)
+      else
+        fail AclArgumentError, 'Not specified IP address'
+      end
+    end
+    # @param [AceIpSpec] other RHS Object
+    # @return [Boolean]
+    def ==(other)
+      @ipaddr == other.ipaddr &&
+        @netmask == other.netmask &&
+        @wildcard == other.wildcard
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      if to_wmasked_ip_s == '0.0.0.0'
+        # ip = '0.0.0.0' or wildcard = '255.255.255.255'
+        c_ip('any')
+      else
+        if @wildcard == '0.0.0.0'
+          # /32 mask
+          sprintf('%s %s', c_mask('host'), c_ip(@ipaddr.ip))
+        else
+          sprintf('%s %s', c_ip(to_wmasked_ip_s), c_mask(@wildcard))
+        end
+      end
+    end
+    # Generate wildcard-masked ip address string
+    # @return [String] wildcard-masked ip address string
+    def to_wmasked_ip_s
+      ai = NetAddr.ip_to_i(@ipaddr.ip)
+      mi = NetAddr.ip_to_i(@ipaddr.wildcard_mask)
+      ami = ai & mi
+      NetAddr.i_to_ip(ami)
+    end
+    private
+    # Set instance variables
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo(opts)
+      case
+      when opts[:wildcard]
+        define_addrinfo_with_wildcard(opts)
+      when opts[:netmask]
+        define_addrinfo_with_netmask(opts)
+      else
+        define_addrinfo_with_default_netmask(opts)
+      end
+    end
+    # Set instance variables with ip/wildcard
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo_with_wildcard(opts)
+      @wildcard = opts[:wildcard]
+      @ipaddr = NetAddr::CIDR.create(
+        opts[:ipaddr],
+        WildcardMask: [@wildcard, true]
+      )
+      ## TBD : is it OK? must convert if possible?
+      @netmask = nil
+    end
+    # Set instance variables with ip/netmask
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo_with_netmask(opts)
+      @netmask = opts[:netmask]
+      @ipaddr = NetAddr::CIDR.create(
+        [opts[:ipaddr], @netmask].join('/')
+      )
+      @wildcard = @ipaddr.wildcard_mask(true)
+    end
+    # Set instance variables with ip/default-netmask
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo_with_default_netmask(opts)
+      # default mask
+      @netmask = '255.255.255.255'
+      @ipaddr = NetAddr::CIDR.create(
+        [opts[:ipaddr], @netmask].join(' ')
+      )
+      @wildcard = @ipaddr.wildcard_mask(true)
+    end
+  end
+end # module
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/ace_other_qualifiers.rb ADDED Viewed

@@ -0,0 +1,102 @@
+# -*- coding: utf-8 -*-
+require 'forwardable'
+require 'cisco_acl_intp/acl_base'
+module CiscoAclIntp
+  # List of other-qualifiers for extended ace
+  class AceOtherQualifierList < AclContainerBase
+    extend Forwardable
+    # @param [Array] value List of {AceOtherQualifierList} object
+    # @return [Array]
+    attr_accessor :list
+    def_delegators :@list, :push, :pop, :shift, :unshift, :size, :length
+    # Constructor
+    # @return [AceOtherQualifierList]
+    def initialize
+      @list = []
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      c_pp(@list.map { | each | each.to_s }.join(' '))
+    end
+    # @param [AceOtherQualifierList] other RHS Object
+    # @return [Boolean]
+    def ==(other)
+      @list == other.list
+    end
+  end
+  # Access list entry qualifier base
+  class AceOtherQualifierBase < AclContainerBase
+  end
+  # Log spec container
+  class AceLogSpec < AceOtherQualifierBase
+    # @param [String] value Log cookie
+    # @return [String]
+    attr_accessor :cookie
+    # Specified log-input logging?
+    # @return [Boolean]
+    attr_reader :input
+    # alias as boolean method
+    # @return [Boolean]
+    alias_method(:input?, :input)
+    # Constructor
+    # @param [String] cookie Log cookie
+    # @param [Boolean] input set true 'log-input' logging
+    # @return [AceLogSpec]
+    def initialize(cookie = nil, input = false)
+      @input = input
+      @cookie = cookie
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf(
+        '%s %s',
+        @input ? 'log-input' : 'log',
+        @cookie ? @cookie : ''
+      )
+    end
+  end
+  # Recursive qualifier container
+  class AceRecursiveQualifier < AceOtherQualifierBase
+    # @param [String] value Recursive name
+    # @return [String]
+    attr_accessor :recursive_name
+    # Constructor
+    # @param [String] name Recursive name
+    def initialize(name)
+      if name && (!name.empty?)
+        @recursive_name = name
+      else
+        fail AclArgumentError, 'Not specified recursive name'
+      end
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf 'reflect %s', c_name(@recursive_name)
+    end
+  end
+end # module
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End: