cisco_acl_intp 0.0.1

data/lib/cisco_acl_intp/scanner.rb

@@ -0,0 +1,176 @@
+# -*- coding: utf-8 -*-
+require 'strscan'
+require 'cisco_acl_intp/scanner_special_token_handler'
+
+module CiscoAclIntp
+  # Lexical analyzer (Scanner)
+  class Scanner
+    # include special tokens data and its handlers
+    include SpecialTokenHandler
+
+    # Constructor
+    # @return [Scanner]
+    def initialize
+      @arg_tokens = gen_arg_token_lists
+    end
+
+    # Scan ACL from file to parse
+    # @param [File] file File name
+    # @return [Array] Scanned tokens array (Queue)
+    def scan_file(file)
+      queue = []
+      file.each_line do |each|
+        queue.concat(scan_one_line(each))
+      end
+      queue.push [false, 'EOF']
+    end
+
+    # Scan ACL from variable
+    # @param [String] str Access list string
+    # @return [Array] Scanned tokens array (Queue)
+    def scan_line(str)
+      queue = []
+      str.split(/$/).each do |each|
+        each.chomp!
+        # add word separator at end of line
+        each.concat(' ')
+        queue.concat(scan_one_line(each))
+      end
+      queue.push [false, 'EOF']
+    end
+
+    # Scan ACL
+    # @param [String] line Access list string
+    # @return [Array] Scanned tokens array (Queue)
+    def scan_one_line(line)
+      run_scanning(line)
+    end
+
+    private
+
+    # Scan a line
+    # @param [String] line ACL String
+    # @param [Array] queue Queue
+    # @return [Array] Scanned tokens array (Queue)
+    def run_scanning(line, queue = [])
+      ss = StringScanner.new(line)
+      until ss.eos?
+        case
+        when scan_match_arg_tokens(ss, queue)
+        when scan_match_acl_header(ss, queue)
+        when scan_match_ipaddr(ss, queue)
+        else scan_match_common(ss, queue)
+        end
+      end
+      queue.push [:EOS, nil] # Add end-of-string
+    end
+
+    # Numbered ACL header checker
+    # @param [Integer] aclnum ACL number
+    # @return [Array] Token list
+    def check_numd_acl_type(aclnum)
+      if (1..99).include?(aclnum) || (1300..1999).include?(aclnum)
+        [:NUMD_STD_ACL, aclnum]
+      elsif (100..199).include?(aclnum) || (2000..2699).include?(aclnum)
+        [:NUMD_EXT_ACL, aclnum]
+      else
+        [:UNKNOWN, "access-list #{aclnum}"]
+      end
+    end
+
+    # Scanner of acl header
+    # @param [StringScanner] ss Scanned ACL line
+    # @param [Array] queue Queue
+    # @return [Boolean] if line matched acl header
+    def scan_match_acl_header(ss, queue)
+      case
+      when ss.scan(/\s*!.*$/), ss.scan(/\s*#.*$/)
+        ## "!/# comment" and whitespace line, NO-OP
+      when ss.scan(/\s+/), ss.scan(/\A\s*\Z/)
+        ## whitespace, NO-OP
+        # queue.push [:WHITESPACE, ""] # for debug
+      when ss.scan(/(?:access-list)\s+(\d+)\s/)
+        ## Numbered ACL Header
+        ## numbered acl has no difference
+        ## in format between Standard and Extended...
+        queue.push check_numd_acl_type(ss[1].to_i)
+      when ss.scan(/(ip\s+access\-list)\s/)
+        ## Named ACL Header
+        queue.push [:NAMED_ACL, ss[1]]
+      end
+      ss.matched?
+    end
+
+    # Scanner of IP address
+    # @param [StringScanner] ss Scanned ACL line
+    # @param [Array] queue Queue
+    # @return [Boolean] if line matched IP address
+    def scan_match_ipaddr(ss, queue)
+      case
+      when ss.scan(/(\d+\.\d+\.\d+\.\d+)\s/)
+        ## IP Address
+        queue.push [:IPV4_ADDR, ss[1]]
+      when ss.scan(/(\d+\.\d+\.\d+\.\d+)(\/)(\d+)\s/)
+        ## IP Address of 'ip/mask' notation
+        queue.push [:IPV4_ADDR, ss[1]]
+        queue.push ['/',        ss[2]]
+        queue.push [:NUMBER,    ss[3].to_i]
+      end
+      ss.matched?
+    end
+
+    # Scanner of common tokens
+    # @param [StringScanner] ss Scanned ACL line
+    # @param [Array] queue Queue
+    # @return [Boolean] if line matched tokens
+    def scan_match_common(ss, queue)
+      case
+      when ss.scan(/(\d+)\s/)
+        ## Number
+        queue.push [:NUMBER, ss[1].to_i]
+      when ss.scan(/([\+\-]?#{STR_REGEXP})/)
+        ## Tokens (echo back)
+        ## defined in module SpecialTokenHandler
+        ## plus/minus used in tcp flag token e.g. +syn -ack
+        queue.push token_list(ss[1])
+      else
+        ## do not match any?
+        ## then scanned whole line and
+        ## put in queue as unknown.
+        ss.scan(/(.*)$/) # match all
+        queue.push [:UNKNOWN, ss[1]]
+      end
+      ss.matched?
+    end
+
+    # Scanner of special tokens
+    # @param [StringScanner] ss Scanned ACL line
+    # @param [Array] queue Queue
+    # @return [Boolean] if line matched tokens
+    def scan_match_arg_tokens(ss, queue)
+      @arg_tokens.each do |(str, length)|
+        if ss.scan(/#{str}/)
+          (1...length).each do |idx|
+            queue.push token_list(ss[idx])
+          end
+          queue.push [:STRING, ss[length]] # last element
+          break
+        end
+      end
+      ss.matched?
+    end
+
+    # Generate echo-backed token array
+    # @param [String] token Token
+    # @return [Array] Token array for scanner queue
+    def token_list(token)
+      [token, token]
+    end
+  end # class Scanner
+end # module
+
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/scanner_special_token_handler.rb

@@ -0,0 +1,66 @@
+# -*- coding: utf-8 -*-
+require 'strscan'
+
+module CiscoAclIntp
+  # Data and Handler functions of special tokens
+  module SpecialTokenHandler
+    # STRING token regexp:
+    # first letter is alphabet or digit
+    STR_REGEXP = '[a-zA-Z\d]\S*'
+
+    # Tokens that takes string parameter
+    STRING_ARG_TOKENS = [
+      ['remark', :leftover],
+      ['description', :leftover],
+      ['extended', :word],
+      ['standard', :word],
+      ['dynamic', :word],
+      ['log-input', :word],
+      ['log', :word],
+      ['time-range', :word],
+      ['reflect', :word],
+      ['evaluate', :word],
+      ['object-group', 'network', :word],
+      ['object-group', 'service', :word],
+      ['object-group', :word], # longest match
+      ['group-object', :word],
+    ]
+
+    # Conversion table of string-tokens
+    SYMBOL_TO_REGEXPSTR = {
+      word: ['(', STR_REGEXP, ')'].join,
+      leftover: '(.*)$'
+    }
+
+    # Convert STRING_ARG_TOKENS to Regexp string
+    # @param [Array] set Special tokens set
+    # @returns [String] Regexp string
+    def convert_tokens_to_regexpstr(set)
+      # puts "## set #{set}"
+      set.map do |each|
+        case each
+        when String
+          '(' + each + ')'
+        when Symbol
+          SYMBOL_TO_REGEXPSTR[each]
+        end
+      end
+    end
+
+    # Generate regexp string list for scanner
+    # @return [Array] set of regexp and number of token
+    def gen_arg_token_lists
+      STRING_ARG_TOKENS.map do |each|
+        re_str_list = convert_tokens_to_regexpstr(each)
+        # puts "### #{re_str_list}"
+        [re_str_list.join('\s+'), each.length]
+      end
+    end
+  end # module SpecialTokenMgr
+end # module CiscoAclIntp
+
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/version.rb

@@ -0,0 +1,5 @@
+# CiscoAclIntp Module, version definition
+module CiscoAclIntp
+  # Version number
+  VERSION = '0.0.1'
+end

data/lib/cisco_acl_intp.rb

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'cisco_acl_intp/acl'
+require 'cisco_acl_intp/parser'
+require 'cisco_acl_intp/version'
+
+# Cisco Access List Interpreter,
+# define scanner functions and ACL container classes
+module CiscoAclIntp
+end

data/spec/cisco_acl_intp/ace_ip_spec.rb

@@ -0,0 +1,111 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+describe AceIpSpec do
+  describe '#to_s' do
+    it 'should be "192.168.15.15 0.0.7.6"' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15',
+        wildcard: '0.0.7.6'
+      )
+      ip.to_s.should be_aclstr('192.168.8.9 0.0.7.6')
+    end
+
+    it 'should be "any"' do
+      ip = AceIpSpec.new(
+        ipaddr: '0.0.0.0',
+        wildcard: '255.255.255.255'
+      )
+      ip.to_s.should be_aclstr('any')
+    end
+
+    it 'should be "any" with full-bit wildcard mask' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15',
+        wildcard: '255.255.255.255'
+      )
+      ip.to_s.should be_aclstr('any')
+    end
+
+    it 'should be "any" with zero-ip' do
+      ip = AceIpSpec.new(
+        ipaddr: '0.0.0.0',
+        wildcard: '0.0.7.6'
+      )
+      ip.to_s.should be_aclstr('any')
+    end
+
+    it 'should be "host 192.168.15.15"' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15',
+        wildcard: '0.0.0.0'
+      )
+      ip.to_s.should be_aclstr('host 192.168.15.15')
+    end
+
+    it 'should be "192.168.14.0 0.0.1.255" with netmask /23' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15',
+        netmask: 23
+      )
+      ip.to_s.should be_aclstr('192.168.14.0 0.0.1.255')
+    end
+
+    it 'should be "any" with netmask /0' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15',
+        netmask: 0
+      )
+      ip.to_s.should be_aclstr('any')
+    end
+
+    it 'should be "host 192.168.15.15" with netmask /32' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15',
+        netmask: 32
+      )
+      ip.to_s.should be_aclstr('host 192.168.15.15')
+    end
+
+    it 'should be "host 192.168.15.15" in default' do
+      ip = AceIpSpec.new(
+        ipaddr: '192.168.15.15'
+      )
+      ip.to_s.should be_aclstr('host 192.168.15.15')
+    end
+
+    context 'Argument Error Case' do
+      it 'raise error without ipaddr' do
+        lambda do
+          AceIpSpec.new(
+            netmask: 32
+          )
+        end.should raise_error(AclArgumentError)
+      end
+
+      it 'raise error with invalid ipaddr' do
+        lambda do
+          AceIpSpec.new(
+            ipaddr: '192.168.15.256'
+          )
+        end.should raise_error
+        lambda do
+          AceIpSpec.new(
+            ipaddr: '192.168.250.3.3'
+          )
+        end.should raise_error
+        lambda do
+          AceIpSpec.new(
+            ipaddr: '192,168.250.3'
+          )
+        end.should raise_error
+      end
+    end
+  end
+end
+
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb

@@ -0,0 +1,63 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+describe AceLogSpec do
+  describe '#to_s' do
+    it 'should be log without cookie' do
+      log = AceLogSpec.new
+      log.to_s.should be_aclstr('log')
+    end
+
+    it 'should be log-input without cookie string' do
+      log = AceLogSpec.new('', true)
+      log.to_s.should be_aclstr('log-input')
+    end
+
+    it 'should be log with cookie' do
+      log = AceLogSpec.new('Cookie0123')
+      log.to_s.should be_aclstr('log Cookie0123')
+    end
+
+    it 'should be log-input with cookie string' do
+      log = AceLogSpec.new('log', true)
+      log.to_s.should be_aclstr('log-input log')
+    end
+  end
+end
+
+describe AceRecursiveQualifier do
+  describe '#to_s' do
+    it 'should be reflect spec string' do
+      rcsv = AceRecursiveQualifier.new('established')
+      rcsv.to_s.should be_aclstr('reflect established')
+    end
+
+    it 'should be raised error' do
+      lambda do
+        AceRecursiveQualifier.new('')
+      end.should raise_error(AclArgumentError)
+    end
+  end
+end
+
+describe AceOtherQualifierList do
+  describe '#to_s' do
+    before do
+      @oq1 = AceLogSpec.new
+      @oq2 = AceRecursiveQualifier.new('iptraffic')
+      @list = AceOtherQualifierList.new
+    end
+
+    it 'should be size 0 when empty list'do
+      @list.size.should be_zero
+    end
+
+    it 'should count-up size when added AceTcpFlag objects' do
+      @list.push @oq1
+      @list.size.should eq 1
+      @list.push @oq2
+      @list.size.should eq 2
+      @list.to_s.should be_aclstr('log reflect iptraffic')
+    end
+  end
+end

data/spec/cisco_acl_intp/ace_port_spec.rb

@@ -0,0 +1,214 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+describe AcePortSpec do
+  describe '#new' do
+    it 'shoud be error with unknown operator' do
+      lambda do
+        AcePortSpec.new(
+          operator: 'equal',
+          port: 443
+        )
+      end.should raise_error(AclArgumentError)
+    end
+
+    it 'should be error with invalid ports' do
+      lambda do
+        AcePortSpec.new(
+          operator: 'range',
+          begin_port: 443,
+          end_port: 139
+        )
+      end.should raise_error(AclArgumentError)
+    end
+  end
+
+  describe '#to_s' do
+    before do
+      @p1 = AceTcpProtoSpec.new(number: 22)
+      @p2 = AceTcpProtoSpec.new(number: 80)
+    end
+
+    context 'Normal case' do
+      it 'should be "eq 22"' do
+        p = AcePortSpec.new(
+          operator: 'eq', port: @p1
+        )
+        p.to_s.should be_aclstr('eq 22')
+      end
+
+      it 'should be "lt www"' do
+        p = AcePortSpec.new(
+          operator: 'lt', port: @p2
+        )
+        p.to_s.should be_aclstr('lt www')
+      end
+
+      it 'should be "gt www"' do
+        p = AcePortSpec.new(
+          operator: 'gt', port: @p2
+        )
+        p.to_s.should be_aclstr('gt www')
+      end
+
+      it 'should be "range 22 www"' do
+        p = AcePortSpec.new(
+          operator: 'range',
+          begin_port: @p1, end_port: @p2
+        )
+        p.to_s.should be_aclstr('range 22 www')
+      end
+
+      it 'should be empty when any port' do
+        p = AcePortSpec.new(
+          operator: 'any',
+          begin_port: @p1, end_port: @p2
+        )
+        p.to_s.should be_empty
+      end
+
+    end
+    context 'Argument error case' do
+      it 'raise error when not specified operator' do
+        lambda do
+          AcePortSpec.new(
+            end_port: @p1
+          )
+        end.should raise_error(AclArgumentError)
+      end
+
+      it 'raise error when not specified begin_port' do
+        lambda do
+          AcePortSpec.new(
+            operator: 'eq',
+            end_port: @p1
+          )
+        end.should raise_error(AclArgumentError)
+      end
+
+      it 'raise error when wrong port sequence' do
+        lambda do
+          AcePortSpec.new(
+            operator: 'range',
+            begin_port: @p2, end_port: @p1
+          )
+        end.should raise_error(AclArgumentError)
+      end
+    end
+  end
+
+  describe '#matches?' do
+    before do
+      @p1 = AceTcpProtoSpec.new(number: 22)
+      @p2 = AceTcpProtoSpec.new(number: 32_768)
+
+      @any = AcePortSpec.new(
+        operator: 'any'
+      )
+      @eq1 = AcePortSpec.new(
+        operator: 'eq', begin_port: @p1
+      )
+      @neq1 = AcePortSpec.new(
+        operator: 'neq', port: @p1
+      )
+      @lt1 = AcePortSpec.new(
+        operator: 'lt', port: @p1
+      )
+      @gt1 = AcePortSpec.new(
+        operator: 'gt', port: @p1
+      )
+      @range = AcePortSpec.new(
+        operator: 'range',
+        port: @p1, end_port: @p2
+      )
+    end
+
+    it 'match any if valid port range' do
+      lambda do
+        @any.matches?(-1)
+      end.should raise_error(AclArgumentError)
+      @any.matches?(0).should be_true
+      @any.matches?(21).should be_true
+      @any.matches?(22).should be_true
+      @any.matches?(23).should be_true
+      @any.matches?(65_535).should be_true
+      lambda do
+        @any.matches?(65_536)
+      end.should raise_error(AclArgumentError)
+    end
+
+    it 'match correct number by op:eq' do
+      lambda do
+        @eq1.matches?(-1)
+      end.should raise_error(AclArgumentError)
+      @eq1.matches?(0).should be_false
+      @eq1.matches?(21).should be_false
+      @eq1.matches?(22).should be_true
+      @eq1.matches?(23).should be_false
+      @eq1.matches?(65_535).should be_false
+      lambda do
+        @eq1.matches?(65_536)
+      end.should raise_error(AclArgumentError)
+    end
+
+    it 'match correct number by op:neq' do
+      lambda do
+        @neq1.matches?(-1)
+      end.should raise_error(AclArgumentError)
+      @neq1.matches?(0).should be_true
+      @neq1.matches?(21).should be_true
+      @neq1.matches?(22).should be_false
+      @neq1.matches?(23).should be_true
+      @neq1.matches?(65_535).should be_true
+      lambda do
+        @neq1.matches?(65_536)
+      end.should raise_error(AclArgumentError)
+    end
+
+    it 'match lower number by op:lt' do
+      lambda do
+        @lt1.matches?(-1)
+      end.should raise_error(AclArgumentError)
+      @lt1.matches?(0).should be_true
+      @lt1.matches?(21).should be_true
+      @lt1.matches?(22).should be_false
+      @lt1.matches?(23).should be_false
+      @lt1.matches?(65_535).should be_false
+      lambda do
+        @lt1.matches?(65_536)
+      end.should raise_error(AclArgumentError)
+    end
+
+    it 'match lower number by op:gt' do
+      lambda do
+        @gt1.matches?(-1)
+      end.should raise_error(AclArgumentError)
+      @gt1.matches?(0).should be_false
+      @gt1.matches?(21).should be_false
+      @gt1.matches?(22).should be_false
+      @gt1.matches?(23).should be_true
+      @gt1.matches?(65_535).should be_true
+      lambda do
+        @gt1.matches?(65_536)
+      end.should raise_error(AclArgumentError)
+    end
+
+    it 'match lower number by op:range' do
+      lambda do
+        @range.matches?(-1)
+      end.should raise_error(AclArgumentError)
+      @range.matches?(0).should be_false
+      @range.matches?(21).should be_false
+      @range.matches?(22).should be_true
+      @range.matches?(23).should be_true
+      @range.matches?(32_767).should be_true
+      @range.matches?(32_768).should be_true
+      @range.matches?(32_769).should be_false
+      @range.matches?(65_535).should be_false
+      lambda do
+        @range.matches?(65_536)
+      end.should raise_error(AclArgumentError)
+    end
+
+  end
+end