RubyGems - cisco_acl_intp - Versions diffs - 0.0.1 - Mend

cisco_acl_intp 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

checksums.yaml +7 -0
data/.gitignore +17 -0
data/.rspec +2 -0
data/.rubocop.yml +13 -0
data/.travis.yml +3 -0
data/.yardopts +4 -0
data/Gemfile +19 -0
data/LICENSE.txt +22 -0
data/README.md +132 -0
data/Rakefile +78 -0
data/acl_examples/err-acl.txt +49 -0
data/acl_examples/named-ext-acl.txt +12 -0
data/acl_examples/named-std-acl.txt +6 -0
data/acl_examples/numd-acl.txt +21 -0
data/cisco_acl_intp.gemspec +31 -0
data/lib/cisco_acl_intp/ace.rb +432 -0
data/lib/cisco_acl_intp/ace_ip.rb +136 -0
data/lib/cisco_acl_intp/ace_other_qualifiers.rb +102 -0
data/lib/cisco_acl_intp/ace_port.rb +146 -0
data/lib/cisco_acl_intp/ace_proto.rb +319 -0
data/lib/cisco_acl_intp/ace_srcdst.rb +114 -0
data/lib/cisco_acl_intp/ace_tcp_flags.rb +65 -0
data/lib/cisco_acl_intp/acl.rb +272 -0
data/lib/cisco_acl_intp/acl_base.rb +111 -0
data/lib/cisco_acl_intp/parser.rb +3509 -0
data/lib/cisco_acl_intp/parser.ry +1397 -0
data/lib/cisco_acl_intp/scanner.rb +176 -0
data/lib/cisco_acl_intp/scanner_special_token_handler.rb +66 -0
data/lib/cisco_acl_intp/version.rb +5 -0
data/lib/cisco_acl_intp.rb +9 -0
data/spec/cisco_acl_intp/ace_ip_spec.rb +111 -0
data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb +63 -0
data/spec/cisco_acl_intp/ace_port_spec.rb +214 -0
data/spec/cisco_acl_intp/ace_proto_spec.rb +200 -0
data/spec/cisco_acl_intp/ace_spec.rb +605 -0
data/spec/cisco_acl_intp/ace_srcdst_spec.rb +296 -0
data/spec/cisco_acl_intp/ace_tcp_flags_spec.rb +38 -0
data/spec/cisco_acl_intp/acl_spec.rb +523 -0
data/spec/cisco_acl_intp/cisco_acl_intp_spec.rb +7 -0
data/spec/cisco_acl_intp/parser_spec.rb +53 -0
data/spec/cisco_acl_intp/scanner_spec.rb +122 -0
data/spec/conf/extacl_objgrp_token_seq.yml +36 -0
data/spec/conf/extacl_token_seq.yml +88 -0
data/spec/conf/extended_acl.yml +226 -0
data/spec/conf/scanner_spec_data.yml +120 -0
data/spec/conf/single_tokens.yml +235 -0
data/spec/conf/stdacl_token_seq.yml +8 -0
data/spec/conf/tokens1.yml +158 -0
data/spec/conf/tokens2.yml +206 -0
data/spec/parser_fullfill_patterns.rb +145 -0
data/spec/spec_helper.rb +54 -0
data/tools/check_acl.rb +48 -0
metadata +159 -0

data/lib/cisco_acl_intp/ace.rb ADDED Viewed

@@ -0,0 +1,432 @@
+# -*- coding: utf-8 -*-
+require 'cisco_acl_intp/ace_srcdst'
+module CiscoAclIntp
+  # Access control entry base model
+  class AceBase < AclContainerBase
+    include Comparable
+    # @param [Integer] value ACL sequence number
+    # @return [Integer]
+    attr_accessor :seq_number
+    # Number used when ACE does not has sequence number
+    NO_SEQ_NUMBER = -1
+    # Constructor
+    # @param [Hash] opts
+    # @option opts [Integer] :number Sequence number
+    # @return [AceBase]
+    def initialize(opts)
+      @seq_number = opts[:number] || NO_SEQ_NUMBER
+    end
+    # Check this object has sequence number
+    # @return [Boolean]
+    def seq_number?
+      @seq_number > NO_SEQ_NUMBER
+    end
+    # Compare by sequence number
+    # @note Using "Comparable" module, '==' operator is defined by
+    #   '<=>' operator.  But ACE object will be compared by its value
+    #   (comparison by the equivalence), instead of sequence
+    #   number. The '==' operator will be overriden in child class.
+    # @param [AceBase] other RHS object
+    # @return [Integer] Compare with protocol/port number
+    def <=>(other)
+      @seq_number <=> other.seq_number
+    end
+    # Search matched ACE
+    # @return [Boolean] Matched or not
+    # @abstract
+    def matches?
+      false
+    end
+  end
+  # Remark entry container
+  class RemarkAce < AceBase
+    # @param [String] value Comment string
+    # @return [String]
+    attr_accessor :comment
+    # Constructor
+    # @param [String] str Comment string
+    # @return [RemarkAce]
+    def initialize(str)
+      @comment = str.strip
+      @seq_number = NO_SEQ_NUMBER # remark does not takes line number
+    end
+    # Check equality
+    # @return [Boolean] Compare with comment string
+    def ==(other)
+      @comment == other.comment
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String] Comment string
+    def to_s
+      sprintf ' remark %s', c_rmk(@comment.to_s)
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options
+    # return [Boolean] false, Remark does not match anithyng.
+    def matches?(opts = nil)
+      false
+    end
+  end
+  # Evaluate entry container
+  class EvaluateAce < AceBase
+    # @param [String] value Recutsive entry name
+    # @return [String]
+    attr_accessor :recursive_name
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [Integer] :number Sequence number
+    # @option opts [String] :recursive_name Recursive entry name
+    # @return [EvaluateAce]
+    # @raise [AclArgumentError]
+    def initialize(opts)
+      super
+      @options = opts
+      @recursive_name = define_recursive_name
+    end
+    # Set instance variables
+    # return [String] Recursive entry name
+    # raise [AclArgumentError]
+    def define_recursive_name
+      if @options.key?(:recursive_name)
+        @options[:recursive_name]
+      else
+        fail AclArgumentError, 'name not specified'
+      end
+    end
+    # @return [Boolean] Compare with recursive entry name
+    def ==(other)
+      @recursive_name == other.recursive_name
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf 'evaluate %s', c_name(@recursive_name)
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options
+    # return [Boolean] false, Recursive does not implemented yet
+    def matches?(opts = nil)
+      ## TODO
+      false
+    end
+  end
+  # ACE for standard access list
+  class StandardAce < AceBase
+    # @param [String] value Action
+    # @return [String]
+    attr_accessor :action
+    # @param [AceSrcDstSpec] value Source spec object
+    # @return [AceSrcDstSpec]
+    attr_accessor :src_spec
+    # @param [AceLogSpec] value Log spec object
+    # @return [AceLogSpec]
+    attr_accessor :log_spec
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [Integer] :number Sequence number
+    # @option opts [String] :action Action (permit/deny)
+    # @option opts [AceSrcDstSpec] :src Source spec object
+    # @option opts [Hash] :src Source spec parmeters
+    # @option opts [AceLogSpec] :log Log spec object
+    # @return [StandardAce]
+    # @raise [AclArgumentError]
+    def initialize(opts)
+      super
+      @options = opts
+      @action = define_action
+      @src_spec = define_src_spec
+      @log_spec = define_log_spec
+    end
+    # @return [Boolean]
+    def ==(other)
+      @action == other.action && @src_spec == other.src_spec
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf(
+        ' %s %s %s',
+        c_act(@action.to_s),
+        @src_spec,
+        @log_spec ? @log_spec : ''
+     )
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options (target packet info)
+    # @option opts [String] :src_ip Source IP Address
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError] Invalid src_ip
+    def matches?(opts)
+      if opts.key?(:src_ip)
+        @src_spec.ip_spec.matches?(opts[:src_ip])
+      else
+        fail AclArgumentError, 'Invalid match target src IP address'
+      end
+    end
+    private
+    # Set instance variables
+    # @return [String] Action string
+    # @raise [AclArgumentError]
+    def define_action
+      if @options.key?(:action)
+        @options[:action]
+      else
+        fail AclArgumentError, 'Not specified action'
+      end
+    end
+    # Set instance variables
+    # @return [AceSrcDstSpec] Source spec object
+    # @raise [AclArgumentError]
+    def define_src_spec
+      if @options.key?(:src)
+        src = @options[:src]
+        case src
+        when Hash
+          AceSrcDstSpec.new(src)
+        when AceSrcDstSpec
+          src
+        else
+          fail AclArgumentError, 'src spec: unknown class'
+        end
+      else
+        fail AclArgumentError, 'Not specified src spec'
+      end
+    end
+    # Set instance variables
+    # @return [String] Log spec object
+    # @raise [AclArgumentError]
+    def define_log_spec
+      @options[:log] || nil
+    end
+  end
+  # ACE for extended access list
+  class ExtendedAce < StandardAce
+    # @param [String] value L3/L4 protocol
+    # @return [String]
+    attr_accessor :protocol
+    # @param [AceSrcDstSpec] value Destination spec object
+    # @return [AceSrcDstSpec]
+    attr_accessor :dst_spec
+    # @param [AceTcpFlagList] value
+    #   TCP flags (used when '@protocol':tcp)
+    # @return [AceTcpFlagList]
+    attr_accessor :tcp_flags
+    # @param [AceOtherQualifierList] value
+    #   TCP other qualifier list object (used when '@protocol':tcp)
+    # @return [AceOtherQualifierList]
+    attr_accessor :tcp_other_qualifiers
+    # Option,
+    # :src and :dst can handle multiple types of object generation,
+    # so that the argments can takes hash of AceSrcDstSpec.new or
+    # AceSrcDstSpec instance.
+    # :protocol and so on. (AceIpProtoSpec Object)
+    #
+    # about :protocol, it has specification of name and number
+    # (specified in internal of parser).
+    # basically, it is OK that specify only name.
+    # (does it convert name <=> number each oether?)
+    # (does it use number?
+    #
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [String] :protocol L3/L4 protocol
+    # @option opts [Integer] :number Protocol/Port number
+    # @option opts [String] :action Action
+    # @option opts [AceSrcDstSpec] :src Source spec object
+    # @option opts [Hash] :src Source spec parmeters
+    # @option opts [AceSrcDstSpec] :dst Destination spec object
+    # @option opts [Hash] :dst Destination spec parmeters
+    # @option opts [AceTcpFlagList] :tcp_port_qualifier
+    #   TCP Flags object
+    # @raise [AclArgumentError]
+    # @return [ExtendACE]
+    #
+    # @example Construct ACE object
+    #   ExtendACE.new(
+    #     :protocol => 'tcp',
+    #     :number => 10,
+    #     :action => 'permit',
+    #     :src => { :ipaddr => '192.168.3.0', :wildcard => '0.0.0.127' },
+    #     :dst => { :ipaddr => '172.30.0.0', :wildcard => '0.0.7.127',
+    #               :operator => 'eq', :begin_port => 80 })
+    #
+    def initialize(opts)
+      super
+      @options = opts
+      @protocol = define_protocol
+      @dst_spec = define_dst_spec
+      @tcp_flags = define_tcp_flags
+      @tcp_other_qualifiers = nil # not yet.
+    end
+    # @param [ExtendACE] other RHS object
+    # @return [Boolean]
+    def ==(other)
+      @action == other.action &&
+        @protocol == other.protocol &&
+        @src_spec == other.src_spec &&
+        @dst_spec == other.dst_spec &&
+        @tcp_flags == other.tcp_flags
+      ## does it need to compare? : tcp_other_qualifiers
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf(
+        ' %s %s %s %s %s %s',
+        c_act(@action.to_s),
+        c_pp(@protocol.to_s),
+        @src_spec,
+        @dst_spec,
+        @tcp_flags ? @tcp_flags : '',
+        @tcp_other_qualifiers ? @tcp_other_qualifiers : ''
+     )
+    end
+    # Search matched ACE
+    # @param [Hash] opts Options (target packet info)
+    # @option opts [String] :protocol L3/L4 protocol name
+    #   (allows "tcp", "udp" and "icmp")
+    # @option opts [String] :src_ip Source IP Address
+    # @option opts [Integer] :src_port Source Port No.
+    # @option opts [String] :dst_ip Destination IP Address
+    # @option opts [Integer] :dst_port Destination Port No.
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError]
+    def matches?(opts)
+      if opts.key?(:protocol)
+        match_proto = match_protocol?(opts[:protocol])
+        match_src = match_addr_port?(@src_spec, opts[:src_ip], opts[:src_port])
+        match_dst = match_addr_port?(@dst_spec, opts[:dst_ip], opts[:dst_port])
+      else
+        fail AclArgumentError, 'Invalid match target protocol'
+      end
+      (match_proto && match_src && match_dst)
+    end
+    private
+    # check protocol
+    # @option protocol [AceProtoSpecBase] protocol
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError]
+    def match_protocol?(protocol)
+      protocol_str = @protocol.to_s
+      if protocol_str == 'ip'
+        true # allow tcp/udp
+      else
+        ## TBD
+        ## what to do when NO name and only protocol number is specified?
+        # In principle, it must be compared by object.
+        protocol == protocol_str
+      end
+    end
+    # check src/dst address
+    # @option srcdst_spec [AceSrcDstSpec] src/dst address/port
+    # @option ip [String] ip addr to compare
+    # @option port [Integer] port number to compare
+    # @return [Boolean] Matched or not
+    # @raise [AclArgumentError]
+    def match_addr_port?(srcdst_spec, ip, port)
+      if ip
+        srcdst_spec.matches?(ip, port)
+      else
+        fail AclArgumentError, 'Not specified match target IP Addr'
+      end
+    end
+    # Set instance variables
+    # return [AceIpProtoSpec] IP protocol object
+    # raise [AclArgumentError]
+    def define_protocol
+      if @options.key?(:protocol)
+        protocol = @options[:protocol]
+        case protocol
+        when AceIpProtoSpec
+          protocol
+        else
+          AceIpProtoSpec.new(
+            name: protocol,
+            number: @options[:protocol_num]
+          )
+        end
+      else
+        fail AclArgumentError, 'Not specified IP protocol'
+      end
+    end
+    # Set instance variables
+    # @return [AceSrcDstSpec] Destination spec object
+    # @raise [AclArgumentError]
+    def define_dst_spec
+      if @options.key?(:dst)
+        dst = @options[:dst]
+        case dst
+        when Hash
+          AceSrcDstSpec.new(dst)
+        when AceSrcDstSpec
+          dst
+        else
+          fail AclArgumentError, 'Dst spec: unknown class'
+        end
+      else
+        fail AclArgumentError, 'Not specified dst spec'
+      end
+    end
+    # Set instance variables
+    # @return [AceOtherQualifierList]
+    def define_tcp_flags
+      if @protocol.name == 'tcp' && @options.key?(:tcp_flags_qualifier)
+        @options[:tcp_flags_qualifier]
+      else
+        nil
+      end
+    end
+  end
+end # module
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/ace_ip.rb ADDED Viewed

@@ -0,0 +1,136 @@
+# -*- coding: utf-8 -*-
+require 'forwardable'
+require 'netaddr'
+require 'cisco_acl_intp/acl_base'
+module CiscoAclIntp
+  # IP Address and Wildcard mask container
+  class AceIpSpec < AclContainerBase
+    extend Forwardable
+    # @param [NetAddr::CIDR] value IP address
+    #   (dotted decimal notation)
+    # @return [NetAddr::CIDR]
+    attr_accessor :ipaddr
+    # @param [Integer] value Netmask length
+    # @return [Integer]
+    attr_accessor :netmask
+    # @param [String] value Wildcard mask
+    #   (dotted decimal and bit flapped notation)
+    # @return [String]
+    attr_accessor :wildcard
+    def_delegator :@ipaddr, :ip, :ipaddr
+    # `contained_ip?' method is cidr(ipaddr/nn) operation
+    def_delegator :@ipaddr, :is_contained?, :contained_ip?
+    # `matches?' method is wildcard mask operation
+    def_delegators :@ipaddr, :matches?
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [String] :ipaddr IP address
+    #   (dotted decimal notation)
+    # @option opts [String] :wildcard Wildcard mask
+    #   (dotted decimal and bit flipped notation)
+    # @option opts [Integer] :netmask Network Mask Length
+    # @raise [AclArgumentError]
+    # @return [AceIpSpec]
+    def initialize(opts)
+      if opts.key?(:ipaddr)
+        define_addrinfo(opts)
+      else
+        fail AclArgumentError, 'Not specified IP address'
+      end
+    end
+    # @param [AceIpSpec] other RHS Object
+    # @return [Boolean]
+    def ==(other)
+      @ipaddr == other.ipaddr &&
+        @netmask == other.netmask &&
+        @wildcard == other.wildcard
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      if to_wmasked_ip_s == '0.0.0.0'
+        # ip = '0.0.0.0' or wildcard = '255.255.255.255'
+        c_ip('any')
+      else
+        if @wildcard == '0.0.0.0'
+          # /32 mask
+          sprintf('%s %s', c_mask('host'), c_ip(@ipaddr.ip))
+        else
+          sprintf('%s %s', c_ip(to_wmasked_ip_s), c_mask(@wildcard))
+        end
+      end
+    end
+    # Generate wildcard-masked ip address string
+    # @return [String] wildcard-masked ip address string
+    def to_wmasked_ip_s
+      ai = NetAddr.ip_to_i(@ipaddr.ip)
+      mi = NetAddr.ip_to_i(@ipaddr.wildcard_mask)
+      ami = ai & mi
+      NetAddr.i_to_ip(ami)
+    end
+    private
+    # Set instance variables
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo(opts)
+      case
+      when opts[:wildcard]
+        define_addrinfo_with_wildcard(opts)
+      when opts[:netmask]
+        define_addrinfo_with_netmask(opts)
+      else
+        define_addrinfo_with_default_netmask(opts)
+      end
+    end
+    # Set instance variables with ip/wildcard
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo_with_wildcard(opts)
+      @wildcard = opts[:wildcard]
+      @ipaddr = NetAddr::CIDR.create(
+        opts[:ipaddr],
+        WildcardMask: [@wildcard, true]
+      )
+      ## TBD : is it OK? must convert if possible?
+      @netmask = nil
+    end
+    # Set instance variables with ip/netmask
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo_with_netmask(opts)
+      @netmask = opts[:netmask]
+      @ipaddr = NetAddr::CIDR.create(
+        [opts[:ipaddr], @netmask].join('/')
+      )
+      @wildcard = @ipaddr.wildcard_mask(true)
+    end
+    # Set instance variables with ip/default-netmask
+    # @param [Hash] opts Options of constructor
+    def define_addrinfo_with_default_netmask(opts)
+      # default mask
+      @netmask = '255.255.255.255'
+      @ipaddr = NetAddr::CIDR.create(
+        [opts[:ipaddr], @netmask].join(' ')
+      )
+      @wildcard = @ipaddr.wildcard_mask(true)
+    end
+  end
+end # module
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/ace_other_qualifiers.rb ADDED Viewed

@@ -0,0 +1,102 @@
+# -*- coding: utf-8 -*-
+require 'forwardable'
+require 'cisco_acl_intp/acl_base'
+module CiscoAclIntp
+  # List of other-qualifiers for extended ace
+  class AceOtherQualifierList < AclContainerBase
+    extend Forwardable
+    # @param [Array] value List of {AceOtherQualifierList} object
+    # @return [Array]
+    attr_accessor :list
+    def_delegators :@list, :push, :pop, :shift, :unshift, :size, :length
+    # Constructor
+    # @return [AceOtherQualifierList]
+    def initialize
+      @list = []
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      c_pp(@list.map { | each | each.to_s }.join(' '))
+    end
+    # @param [AceOtherQualifierList] other RHS Object
+    # @return [Boolean]
+    def ==(other)
+      @list == other.list
+    end
+  end
+  # Access list entry qualifier base
+  class AceOtherQualifierBase < AclContainerBase
+  end
+  # Log spec container
+  class AceLogSpec < AceOtherQualifierBase
+    # @param [String] value Log cookie
+    # @return [String]
+    attr_accessor :cookie
+    # Specified log-input logging?
+    # @return [Boolean]
+    attr_reader :input
+    # alias as boolean method
+    # @return [Boolean]
+    alias_method(:input?, :input)
+    # Constructor
+    # @param [String] cookie Log cookie
+    # @param [Boolean] input set true 'log-input' logging
+    # @return [AceLogSpec]
+    def initialize(cookie = nil, input = false)
+      @input = input
+      @cookie = cookie
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf(
+        '%s %s',
+        @input ? 'log-input' : 'log',
+        @cookie ? @cookie : ''
+      )
+    end
+  end
+  # Recursive qualifier container
+  class AceRecursiveQualifier < AceOtherQualifierBase
+    # @param [String] value Recursive name
+    # @return [String]
+    attr_accessor :recursive_name
+    # Constructor
+    # @param [String] name Recursive name
+    def initialize(name)
+      if name && (!name.empty?)
+        @recursive_name = name
+      else
+        fail AclArgumentError, 'Not specified recursive name'
+      end
+    end
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      sprintf 'reflect %s', c_name(@recursive_name)
+    end
+  end
+end # module
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End: