cisco_acl_intp 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ca5d93222e696b7d5cbe8af83c2993454a7ce56f
-  data.tar.gz: e6d9b5ce240ae6a494b11f46a461bdc6ac90ac27
+  metadata.gz: d664d74e52b4738c1835532f0fecefe1ee162ece
+  data.tar.gz: 56a40d167de808a4bf0ef778d8f443b01c408a22
 SHA512:
-  metadata.gz: 0e7d8aa8410bd44bc5406424548936d6a245f76c4c473c64dfe9bb2834e9f8348ddb797b513317a699e3615b455a68a3e201e6a60ef464faf0c4a2df9303e921
-  data.tar.gz: 37a36a2086e4106d327b08d6c157d829af96b2dfe807fd8fb008c52be07ddd6be0a6b221446d79e975f76a89a8428b1a34610f5f56b161cb94f95e1afffd3b9d
+  metadata.gz: 63c07906a0c2910a1cdbb6cb53b02cb9ef36c32b4138223c400147d8447f101b9c44fb9af211363a9a79be6f4dde533f448483975cb132fd6461a4e49a7cf463
+  data.tar.gz: c5208c436298dde049720eb9b5f15f41b09d482b696aa592c95220ec5fc6f779f2e8b4aebd2dda7539946d8eded55cdbfc4ba1a1b871afebefb1daf88b5d9cc2

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.travis.yml

@@ -1,3 +1,5 @@
 language: ruby
+script: 'rake travis'
 rvm:
+  - 1.9.3
   - 2.0.0

data/.yardopts

@@ -1,4 +1,4 @@
 --exclude parser.rb
---exclude spec/data/*
+--exclude spec/**/*.rb
 --private
 --protected

data/Gemfile

@@ -1,13 +1,17 @@
+# -*- coding: utf-8 -*-
+
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in cisco_acl_intp.gemspec
 gemspec
 
 group :development, :test do
+  gem 'coveralls', require: false
   gem 'racc', '~> 1.4.11'
   gem 'rake', '~> 10.1.1'
+  gem 'reek', '~> 1.3.6'
   gem 'rspec', '~> 2.14.1'
-  gem 'rubocop', '~> 0.16.0' if RUBY_VERSION >= '1.9.0'
+  gem 'rubocop', '~> 0.18.1' if RUBY_VERSION >= '1.9.0'
   gem 'simplecov', '~> 0.8.2' if RUBY_VERSION >= '1.9.0'
   gem 'yard', '~> 0.8.7'
 end

data/README.md

@@ -1,4 +1,8 @@
 # CiscoAclIntp
+[![Gem Version](https://badge.fury.io/rb/cisco_acl_intp.png)](http://badge.fury.io/rb/cisco_acl_intp)
+[![Build Status](https://travis-ci.org/stereocat/cisco_acl_intp.png?branch=master)](https://travis-ci.org/stereocat/cisco_acl_intp)
+[![Dependency Status](https://gemnasium.com/stereocat/cisco_acl_intp.png)](https://gemnasium.com/stereocat/cisco_acl_intp)
+[![Coverage Status](https://coveralls.io/repos/stereocat/cisco_acl_intp/badge.png?branch=master)](https://coveralls.io/r/stereocat/cisco_acl_intp?branch=master)
 
 CiscoAclIntp is a interpreter of Cisco IOS access control list (ACL).
 
@@ -52,28 +56,70 @@ CiscoAclIntp parser and output parser results.
 In directory `acl_examples`, there are some Cisco IOS ACL sample
 files. Run `check_acl.rb` with ACL sample files, like below.
 
-    $ ~/cisco_acl_intp$ ruby tools/check_acl.rb -c -f acl_examples/numd-acl.txt
-    acl name : 1
-    access-list 1  permit 192.168.0.0 0.0.255.255
-    access-list 1  deny any  log
-    acl name : 100
-    access-list 100  remark General Internet Access
-    access-list 100  permit icmp any  any
-    access-list 100  permit ip 192.168.0.0 0.0.255.255  any
-    access-list 100  remark NTP
-    access-list 100  permit tcp any  host 210.197.74.200
-    access-list 100  permit udp any eq ntp  any eq ntp
-    access-list 100  remark 6to4
-    access-list 100  permit 41 any  host 192.88.99.1
-    access-list 100  permit ip any  host 192.88.99.1
-    access-list 100  remark others
-    access-list 100  permit tcp any eq 0  any eq 0
-    access-list 100  permit udp any eq 0  any eq 0
-    access-list 100  deny ip any  any   log
-    acl name : 110
-    access-list 110  remark SPLIT_VPN
-    access-list 110  permit ip 192.168.0.0 0.0.255.255  any
-    $ ~/cisco_acl_intp$
+```
+$ ruby tools/check_acl.rb -c term -f acl_examples/err-acl.txt
+--------------------
+in acl: 100, line: 6, near value: udp, (token: "udp")
+in acl: 100, line: 8, near value: 100, (token: NUMBER)
+in acl: 100, line: 11, Wrong protocol number: 256
+in acl: 100, line: 14, near value: hoge, (token: error)
+in acl: FA8-OUT, line: 4, Wrong protocol number: 65536
+in acl: FA8-OUT, line: 7, Provided wildcard mask failed validation: 0.0.240.256 is invalid (IPv4 octets should be between 0 and 255).
+in acl: FA8-OUT, line: 13, near value: up, (token: error)
+--------------------
+acl name : 1
+access-list 1 permit 192.168.0.0 0.0.255.255
+access-list 1 deny any log
+acl name : 100
+access-list 100 remark General Internet Access
+access-list 100 permit icmp any any
+access-list 100 permit ip 192.168.0.0 0.0.255.255 any
+access-list 100 permit tcp any host 210.197.74.200
+access-list 100 remark !wrong acl number!
+access-list 100 remark !------cleared------!
+access-list 100 remark !wrong header! caccess-list
+access-list 100 remark !------cleared------!
+access-list 100 permit 41 any host 192.88.99.1
+access-list 100 remark !wrong ip proto number!
+access-list 100 !! error !! 192.88.99.1
+access-list 100 remark !------cleared------!
+access-list 100 remark !wrong ip proto!
+access-list 100 !! error !! 192.88.99.1
+access-list 100 remark !------cleared------!
+access-list 100 permit ip any host 192.88.99.1
+access-list 100 remark others
+access-list 100 permit tcp any eq 0 any eq 0
+access-list 100 permit udp any eq 0 any eq 0
+access-list 100 deny ip any any log
+acl name : 10
+access-list 10 !! error !! ntp
+acl name : 110
+access-list 110 remark SPLIT_VPN
+access-list 110 permit ip 192.168.0.0 0.0.255.255 any
+acl name : FA8-OUT
+ip access-list extended FA8-OUT
+ deny udp any any eq bootpc
+ deny udp any any eq bootps
+ remark !argment error! 65536
+ !! error !! 65536
+ remark !------cleared------!
+ remark !argment error! 255 => 256
+ !! error !! 80
+ remark !------cleared------!
+ remark network access-list remark!!
+ permit tcp any any established
+ deny tcp any any syn rst
+ remark !syntax error! tcp -> tp (typo)
+ !! error !! hoge
+ remark !------cleared------!
+ permit ip any any log
+acl name : remote-ipv4
+ip access-list standard remote-ipv4
+ permit 192.168.0.0 0.0.255.255
+ remark standard access-list last deny!?
+ deny any log
+$
+```
 
 By putting `-c` (`--color`) option, `check_acl.rb` outputs
 **color-coded ACL** according to type of each word. It can parse
@@ -117,8 +163,16 @@ table is "ACL object". "ACL object" is build by ACL components. For
 example, source/destination address obj, action obj, tcp/udp protocol
 obj,... See more detail in documents (see also, Documents section)
 
+### ACL Varidator Web Frontend
+
+Front-end of ACL Varidator is at
+[github](https://github.com/stereocat/cisco_acl_web). It not only can
+parse (with CLI tool, it can only parse), but also search for ACL(ACE).
+
 ## Documents
 
+* [API document generated with YARD](http://rubydoc.info/gems/cisco_acl_intp/)
+
 It can generate documents with YARD.
 
     $ rake yard

data/Rakefile

@@ -1,6 +1,11 @@
+# -*- coding: utf-8 -*-
+
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rake/clean'
+require 'yard'
+require 'yard/rake/yardoc_task'
+require 'reek/rake/task'
 
 LIB_DIR = './lib'
 PACKAGE_NAME = 'cisco_acl_intp'
@@ -23,7 +28,8 @@ CLOBBER.include(
   CLASS_GRAPH_PNG
 )
 
-task default: [:parser, :spec]
+task default: :travis
+task travis: [:parser, :spec, :rubocop]
 task parser: [PARSER_RUBY]
 task spec: [SPEC_DATA_DIR]
 
@@ -47,12 +53,9 @@ RSpec::Core::RakeTask.new(fullspec: [:fullfill]) do |spec|
   spec.rspec_opts = '--format documentation --color'
 end
 
-# documentation by yard
-require 'yard'
-require 'yard/rake/yardoc_task'
 YARD::Rake::YardocTask.new do |task|
   # yardoc options in .yardopts
-  task.files = ["#{LIB_DIR}/**/*.rb"]
+  task.files = FileList["#{LIB_DIR}/**/*.rb"]
 end
 
 task :docgraph do
@@ -61,7 +64,16 @@ task :docgraph do
   sh "dot -Tpng #{CLASS_GRAPH_DOT} -o #{CLASS_GRAPH_PNG}"
 end
 
-# rubocop settings
+Reek::Rake::Task.new do |t|
+  t.fail_on_error = false
+  t.verbose = false
+  t.ruby_opts = ['-rubygems']
+  t.reek_opts = '--quiet'
+  t.source_files = FileList["#{LIB_DIR}/**/*.rb"].delete_if do |f|
+    f =~ /parser.rb/
+  end
+end
+
 if RUBY_VERSION >= '1.9.0'
   task quality: :rubocop
   require 'rubocop/rake_task'

data/cisco_acl_intp.gemspec

@@ -9,9 +9,9 @@ Gem::Specification.new do |spec|
   spec.version       = CiscoAclIntp::VERSION
   spec.authors       = ['stereocat']
   spec.email         = ['stereocat@gmail.com']
-  spec.description   = %q{Cisco Access List Interpreter}
-  spec.summary       = %q{Cisco Access List Interpreter}
-  spec.homepage      = ''
+  spec.description   = %q{Cisco ACL Interpreter}
+  spec.summary       = %q{Cisco IOS Access Control List Interpreter}
+  spec.homepage      = 'https://github.com/stereocat/cisco_acl_intp'
   spec.license       = 'MIT'
 
   spec.files         = `git ls-files`.split("\n")
@@ -20,8 +20,8 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_runtime_dependency 'netaddr', '~> 1.5.0'
-  spec.add_runtime_dependency 'term-ansicolor', '~> 1.2.2'
-  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_runtime_dependency 'term-ansicolor', '~> 1.3.0'
+  spec.add_development_dependency 'bundler', '~> 1.5.3'
 end
 
 ### Local variables:

data/lib/cisco_acl_intp.rb

@@ -1,3 +1,5 @@
+# -*- coding: utf-8 -*-
+
 require 'rubygems'
 require 'cisco_acl_intp/acl'
 require 'cisco_acl_intp/parser'
@@ -7,3 +9,9 @@ require 'cisco_acl_intp/version'
 # define scanner functions and ACL container classes
 module CiscoAclIntp
 end
+
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/ace.rb

@@ -47,6 +47,20 @@ module CiscoAclIntp
     end
   end
 
+  # Error entry container
+  class ErrorAce < AceBase
+    attr_accessor :line
+
+    def initialize(line)
+      super({})
+      @line = line
+    end
+
+    def to_s
+      tag_error(sprintf('!! error !! %s', @line))
+    end
+  end
+
   # Remark entry container
   class RemarkAce < AceBase
     # @param [String] value Comment string
@@ -70,7 +84,7 @@ module CiscoAclIntp
     # Generate string for Cisco IOS access list
     # @return [String] Comment string
     def to_s
-      sprintf ' remark %s', c_rmk(@comment.to_s)
+      sprintf 'remark %s', tag_remark(@comment.to_s)
     end
 
     # Search matched ACE
@@ -118,14 +132,14 @@ module CiscoAclIntp
     # Generate string for Cisco IOS access list
     # @return [String]
     def to_s
-      sprintf 'evaluate %s', c_name(@recursive_name)
+      sprintf 'evaluate %s', tag_name(@recursive_name)
     end
 
     # Search matched ACE
     # @param [Hash] opts Options
-    # return [Boolean] false, Recursive does not implemented yet
+    # return [Boolean]
+    # @todo for Recursive name matching is not implemented yet
     def matches?(opts = nil)
-      ## TODO
       false
     end
   end
@@ -170,10 +184,10 @@ module CiscoAclIntp
     # @return [String]
     def to_s
       sprintf(
-        ' %s %s %s',
-        c_act(@action.to_s),
+        '%s %s %s',
+        tag_action(@action.to_s),
         @src_spec,
-        @log_spec ? @log_spec : ''
+        tag_other_qualifier(@log_spec ? @log_spec : '')
      )
     end
 
@@ -184,7 +198,7 @@ module CiscoAclIntp
     # @raise [AclArgumentError] Invalid src_ip
     def matches?(opts)
       if opts.key?(:src_ip)
-        @src_spec.ip_spec.matches?(opts[:src_ip])
+        @src_spec.matches?(opts[:src_ip])
       else
         fail AclArgumentError, 'Invalid match target src IP address'
       end
@@ -310,13 +324,13 @@ module CiscoAclIntp
     # @return [String]
     def to_s
       sprintf(
-        ' %s %s %s %s %s %s',
-        c_act(@action.to_s),
-        c_pp(@protocol.to_s),
+        '%s %s %s %s %s %s',
+        tag_action(@action.to_s),
+        tag_protocol(@protocol.to_s),
         @src_spec,
         @dst_spec,
-        @tcp_flags ? @tcp_flags : '',
-        @tcp_other_qualifiers ? @tcp_other_qualifiers : ''
+        @tcp_flags,
+        @tcp_other_qualifiers
      )
     end
 
@@ -325,21 +339,19 @@ module CiscoAclIntp
     # @option opts [String] :protocol L3/L4 protocol name
     #   (allows "tcp", "udp" and "icmp")
     # @option opts [String] :src_ip Source IP Address
-    # @option opts [Integer] :src_port Source Port No.
+    # @option opts [Integer,String] :src_port Source Port No./Name
     # @option opts [String] :dst_ip Destination IP Address
-    # @option opts [Integer] :dst_port Destination Port No.
+    # @option opts [Integer,String] :dst_port Destination Port No./Name
     # @return [Boolean] Matched or not
     # @raise [AclArgumentError]
     def matches?(opts)
       if opts.key?(:protocol)
-        match_proto = match_protocol?(opts[:protocol])
-        match_src = match_addr_port?(@src_spec, opts[:src_ip], opts[:src_port])
-        match_dst = match_addr_port?(@dst_spec, opts[:dst_ip], opts[:dst_port])
+        match_protocol?(opts[:protocol]) &&
+          @src_spec.matches?(opts[:src_ip], opts[:src_port]) &&
+          @dst_spec.matches?(opts[:dst_ip], opts[:dst_port])
       else
         fail AclArgumentError, 'Invalid match target protocol'
       end
-
-      (match_proto && match_src && match_dst)
     end
 
     private
@@ -350,30 +362,15 @@ module CiscoAclIntp
     # @raise [AclArgumentError]
     def match_protocol?(protocol)
       protocol_str = @protocol.to_s
-      if protocol_str == 'ip'
-        true # allow tcp/udp
+      if [protocol_str, protocol].include?('ip')
+        true # allow any of icmp/tcp/udp
       else
-        ## TBD
-        ## what to do when NO name and only protocol number is specified?
-        # In principle, it must be compared by object.
+        # @todo what to do when NO name and only protocol number is
+        #   specified?  In principle, it must be compared by object.
         protocol == protocol_str
       end
     end
 
-    # check src/dst address
-    # @option srcdst_spec [AceSrcDstSpec] src/dst address/port
-    # @option ip [String] ip addr to compare
-    # @option port [Integer] port number to compare
-    # @return [Boolean] Matched or not
-    # @raise [AclArgumentError]
-    def match_addr_port?(srcdst_spec, ip, port)
-      if ip
-        srcdst_spec.matches?(ip, port)
-      else
-        fail AclArgumentError, 'Not specified match target IP Addr'
-      end
-    end
-
     # Set instance variables
     # return [AceIpProtoSpec] IP protocol object
     # raise [AclArgumentError]

data/lib/cisco_acl_intp/ace_ip.rb

@@ -12,20 +12,19 @@ module CiscoAclIntp
     # @param [NetAddr::CIDR] value IP address
     #   (dotted decimal notation)
     # @return [NetAddr::CIDR]
-    attr_accessor :ipaddr
+    attr_reader :ipaddr
 
     # @param [Integer] value Netmask length
     # @return [Integer]
-    attr_accessor :netmask
+    attr_reader :netmask
 
     # @param [String] value Wildcard mask
     #   (dotted decimal and bit flapped notation)
     # @return [String]
-    attr_accessor :wildcard
+    attr_reader :wildcard
 
     def_delegator :@ipaddr, :ip, :ipaddr
-    # `contained_ip?' method is cidr(ipaddr/nn) operation
-    def_delegator :@ipaddr, :is_contained?, :contained_ip?
+
     # `matches?' method is wildcard mask operation
     def_delegators :@ipaddr, :matches?
 
@@ -40,7 +39,8 @@ module CiscoAclIntp
     # @return [AceIpSpec]
     def initialize(opts)
       if opts.key?(:ipaddr)
-        define_addrinfo(opts)
+        @options = opts
+        define_addrinfo
       else
         fail AclArgumentError, 'Not specified IP address'
       end
@@ -59,13 +59,13 @@ module CiscoAclIntp
     def to_s
       if to_wmasked_ip_s == '0.0.0.0'
         # ip = '0.0.0.0' or wildcard = '255.255.255.255'
-        c_ip('any')
+        tag_ip('any')
       else
         if @wildcard == '0.0.0.0'
           # /32 mask
-          sprintf('%s %s', c_mask('host'), c_ip(@ipaddr.ip))
+          sprintf('%s %s', tag_mask('host'), tag_ip(@ipaddr.ip))
         else
-          sprintf('%s %s', c_ip(to_wmasked_ip_s), c_mask(@wildcard))
+          sprintf('%s %s', tag_ip(to_wmasked_ip_s), tag_mask(@wildcard))
         end
       end
     end
@@ -75,54 +75,96 @@ module CiscoAclIntp
     def to_wmasked_ip_s
       ai = NetAddr.ip_to_i(@ipaddr.ip)
       mi = NetAddr.ip_to_i(@ipaddr.wildcard_mask)
-      ami = ai & mi
-      NetAddr.i_to_ip(ami)
+      NetAddr.i_to_ip(ai & mi)
+    end
+
+    # Check subnet contained this object or not.
+    # @param [String] address Subnet address string
+    #   e.g. 192.168.0.0/24, 192.168.0.0/255.255.255.0
+    # @return [Boolean]
+    # @raise [NetAddr::ValidationError]
+    def contains?(address)
+      # `@ipaddr` contains(1), is same block(0),
+      # is `contained(-1), is not related(nil)
+      [0, 1].include?(@ipaddr.cmp(address))
     end
 
     private
 
+    # Convert table of IPv4 bit-flapped wildcard octet to bit length
+    OCTET_BIT_LENGTH = {
+      '255' => 0, '127' => 1, '63' => 2, '31' => 3,
+      '15' => 4, '7' => 5, '3' => 6, '1' => 7, '0' => 8
+    }
+
+    # Covnet IPv4 bit-flapped wildcard to netmask length
+    # @return [Fixnum] netmask length
+    #   or `nil` when discontinuous-bits-wildcard-mask
+    def wildcard_bitlength
+      @wildcard.split(/\./).reduce(0) do |len, octet|
+        if len && OCTET_BIT_LENGTH.key?(octet)
+          len + OCTET_BIT_LENGTH[octet]
+        else
+          nil
+        end
+      end
+    end
+
     # Set instance variables
-    # @param [Hash] opts Options of constructor
-    def define_addrinfo(opts)
-      case
-      when opts[:wildcard]
-        define_addrinfo_with_wildcard(opts)
-      when opts[:netmask]
-        define_addrinfo_with_netmask(opts)
+    def define_addrinfo
+      if @options.key?(:wildcard)
+        define_addrinfo_prefer_wildcard
+      else
+        define_addrinfo_by_netmask_or_default
+      end
+    end
+
+    # Set instance variables. assume that wildcard is primary option.
+    def define_addrinfo_prefer_wildcard
+      @wildcard = @options[:wildcard]
+      @netmask = wildcard_bitlength
+      if @netmask
+        @options[:netmask] = @netmask
+        define_addrinfo_with_netmask
+      else
+        define_addrinfo_with_wildcard
+      end
+    end
+
+    # Set instance variables. Secondary prioritize option is netmask,
+    #   and third(last) one is default-mask
+    def define_addrinfo_by_netmask_or_default
+      if @options.key?(:netmask)
+        define_addrinfo_with_netmask
       else
-        define_addrinfo_with_default_netmask(opts)
+        define_addrinfo_with_default_netmask
       end
     end
 
     # Set instance variables with ip/wildcard
-    # @param [Hash] opts Options of constructor
-    def define_addrinfo_with_wildcard(opts)
-      @wildcard = opts[:wildcard]
+    def define_addrinfo_with_wildcard
       @ipaddr = NetAddr::CIDR.create(
-        opts[:ipaddr],
+        @options[:ipaddr],
         WildcardMask: [@wildcard, true]
       )
-      ## TBD : is it OK? must convert if possible?
       @netmask = nil
     end
 
     # Set instance variables with ip/netmask
-    # @param [Hash] opts Options of constructor
-    def define_addrinfo_with_netmask(opts)
-      @netmask = opts[:netmask]
+    def define_addrinfo_with_netmask
+      @netmask = @options[:netmask]
       @ipaddr = NetAddr::CIDR.create(
-        [opts[:ipaddr], @netmask].join('/')
+        [@options[:ipaddr], @netmask].join('/')
       )
       @wildcard = @ipaddr.wildcard_mask(true)
     end
 
     # Set instance variables with ip/default-netmask
-    # @param [Hash] opts Options of constructor
-    def define_addrinfo_with_default_netmask(opts)
+    def define_addrinfo_with_default_netmask
       # default mask
       @netmask = '255.255.255.255'
       @ipaddr = NetAddr::CIDR.create(
-        [opts[:ipaddr], @netmask].join(' ')
+        [@options[:ipaddr], @netmask].join(' ')
       )
       @wildcard = @ipaddr.wildcard_mask(true)
     end