conpar 0.1.0

data/lib/conpar/directive/access_list/standard.rb

@@ -0,0 +1,42 @@
+module Conpar
+  module Directive
+    module AccessList
+      # Class that maps directly to Cisco standard ACL definition
+      # See http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_standard.html
+      class Standard < Base
+        SIGNATURE = /^(access-list)\b.*\b(standard)\b/i
+
+        def initialize(content="", options={})
+          super
+
+          @sub_ilk = "standard"
+
+          parse_regex = %r/
+            (access-list)\s*                 # Directive signature
+            (?<name>[\-\w]+)\s*              # ACL Name
+            (?<type>(standard))\s*           # Standard ACL Type
+            (?<permission>(permit|deny))?\s* # permit or deny
+            (?<rule>.+)                      # Everything else on line
+          $/x
+          @match_data = parse_regex.match(@content)
+
+          self
+        end#initialize
+
+        # Method for each match name in the parsed match data (see regex above)
+        [ :name,
+          :permission,
+          :rule
+        ].each do |m|
+          define_method(m) do
+            begin
+              @match_data[m]
+            rescue IndexError
+              nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conpar/directive/access_list/unknown_type.rb

@@ -0,0 +1,16 @@
+module Conpar
+  module Directive
+    module AccessList
+      # Class that matches a basic signature of an AccessList but is not a recognized type
+      class UnknownType < Base
+
+        def initialize(content="", options={})
+          super
+          @sub_ilk = "unknown"
+          self
+        end#initialize
+
+      end
+    end#AccessList
+  end#Directive
+end#Conpar

data/lib/conpar/directive/access_list/web_type.rb

@@ -0,0 +1,42 @@
+module Conpar
+  module Directive
+    module AccessList
+      # Class that maps directly to Cisco webtype ACL definition
+      # See http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_webtype.html
+      class WebType < Base
+        SIGNATURE = /^(access-list)\b.*\b(webtype)\b/i
+
+        def initialize(content="", options={})
+          super
+
+          @sub_ilk = "webtype"
+
+          parse_regex = %r/
+            (access-list)\s*                 # Directive Signature
+            (?<name>[\-\w]+)\s*              # ACL name
+            (?<type>(webtype))\s*            # Webtype ACL Type
+            (?<permission>(permit|deny))?\s* # permit or deny
+            (?<rule>.+)                      # Everything else on line
+          /x
+          @match_data = parse_regex.match(@content)
+
+          self
+        end#initialize
+
+        # Method for each match name in the parsed match data (see regex above)
+        [ :name,
+          :permission,
+          :rule
+        ].each do |m|
+          define_method(m) do
+            begin
+              @match_data[m]
+            rescue IndexError
+              nil
+            end
+          end
+        end
+      end
+    end#AccessList
+  end#Directive
+end#Conpar

data/lib/conpar/directive/base.rb

@@ -0,0 +1,52 @@
+module Conpar
+  module Directive
+    # Base class for all Directives
+    class Base
+      SIGNATURE = /^(.*)$/ # Matches any non-empty string
+
+      # @!attribute [rw] line_number
+      # @return [Integer]
+      #   1-based line number within the configuration
+      attr_accessor :line_number
+
+      # @!attribute [rw] line_span
+      # @return [Integer]
+      #   Number of lines this directive spans within the configuration
+      attr_accessor :line_span
+
+      # @!attribute [r] content
+      # @return [String]
+      #   directive content
+      attr_reader :content
+
+      # @!attribute [r] ilk
+      # @return [Symbol]
+      #   shorthand type of directive
+      attr_reader :ilk
+
+      # @!attribute [r] sub_ilk
+      # @return [String]
+      #   a.k.a. "sub type"
+      attr_reader :sub_ilk
+
+      # @!attribute [r] match_data
+      # @return [MatchData]
+      #   This value is to be set internally by subclasses
+      attr_reader :match_data
+
+      # @!attribute [r] rule
+      # @return [String]
+      attr_reader :rule
+
+
+      def initialize(content="", options={})
+        @line_number = options[:line_number]
+        @line_span = options.fetch(:line_span, 1)
+        @content = content
+        @ilk = :directive
+        @sub_ilk = ""
+        self
+      end#initialize
+    end
+  end
+end

data/lib/conpar/directive/comment.rb

@@ -0,0 +1,13 @@
+module Conpar
+  module Directive
+    # Class for a commented line
+    class Comment < Base
+      SIGNATURE = /^\:(.*)?$/
+
+      def initialize(content="", options={})
+        super
+        @ilk = :comment
+      end
+    end
+  end
+end

data/lib/conpar/directive/empty.rb

@@ -0,0 +1,12 @@
+module Conpar
+  module Directive
+    # Class for line that contains only whitespace
+    class Empty < Base
+      SIGNATURE = /^\s*$/
+      def initialize(content, options={})
+        super
+        @ilk = :empty
+      end
+    end
+  end#Directive
+end#Conpar

data/lib/conpar/document.rb

@@ -0,0 +1,24 @@
+module Conpar
+  class Document
+    # @param [String] fw_config
+    #   Firewall configuration as string
+    # @return [Array]
+    #   Array of Directive objects with which to perform logic
+    def self.parse(fw_config)
+      if fw_config.class != String
+        raise ArgumentError, "fw_config must be string"
+      end
+
+      parsed = []
+      lines = fw_config.split("\n")
+
+      lines.each_with_index do |line, i|
+        human_line = i+1
+        parsed << Conpar.config.parser.new( line, line_number:human_line )
+      end
+
+      return parsed
+    end#self.parse
+
+  end
+end

data/lib/conpar/version.rb

@@ -0,0 +1,3 @@
+module Conpar
+  VERSION = "0.1.0"
+end

data/spec/conpar_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe Conpar do
+  describe ".configure" do
+    context "yielded value" do
+      it "should be the same object asa .config()" do
+        yielded = nil
+        Conpar.configure { |c| yielded = c }
+        expect(yielded).to eq(Conpar.config)
+      end
+    end
+  end
+
+  describe ".config" do
+    subject { Conpar.config }
+    it "should be a Conpar::Configuration object" do
+      expect(subject).to be_a_kind_of(Conpar::Configuration)
+    end
+  end
+end

data/spec/lib/directive/access_list/base_spec.rb

@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList::Base do
+  let(:klass) { Conpar::Directive::AccessList::Base }
+end

data/spec/lib/directive/access_list/ether_type_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList::EtherType do
+  let(:klass) { Conpar::Directive::AccessList::EtherType }
+  {
+    "access-list NONIP ethertype permit bpdu" => {
+     name: "NONIP",
+     permission: "permit",
+     rule: "bpdu"
+    },
+    "access-list ETHER ethertype permit ipx" => {
+      name: "ETHER",
+      permission: "permit",
+      rule: "ipx",
+    },
+  }.each do |conf,attrs|
+    it "::SIGNATURE should match '#{conf}'" do
+      expect(conf).to match(klass::SIGNATURE)
+    end
+    context "for config line '#{conf}'" do
+      subject { klass.new(conf) }
+      it ".sub_ilk should be 'ethertype'" do
+        expect(subject.sub_ilk).to eq("ethertype")
+      end
+      attrs.each do |k,v|
+        it ".#{k} should be '#{v || 'nil'}'" do
+          expect(subject.send(k)).to eq(v)
+        end
+      end#attrs
+    end#context
+  end
+end

data/spec/lib/directive/access_list/extended_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList::Extended do
+  let(:klass) { Conpar::Directive::AccessList::Extended }
+  {
+    # example from cisco documenation
+    # rule any any
+    "access-list ACL_IN extended permit ip any any" => {
+      name: "ACL_IN", line: nil,
+      permission: "permit", protocol: "ip",
+      rule:"any any"
+    },
+    # Rule contains more than two object-group statements
+    "access-list foo extended permit tcp object-group OBJGRP1 object-group OBJGRP2 object-group OBJGRP3" => {
+      name: "foo", line: nil,
+      permission: "permit", protocol: "tcp",
+      rule:"object-group OBJGRP1 object-group OBJGRP2 object-group OBJGRP3"
+    },
+    # rule contains object-group BLAH to any
+    "access-list bar extended permit ip object-group OBJGRP1 any" => {
+      name: "bar", line: nil,
+      permission: "permit", protocol: "ip",
+      rule:"object-group OBJGRP1 any"
+    },
+    # rule ip mask any
+    "access-list bang extended permit ip 10.1.1.0 255.255.255.240 any" => {
+      name: "bang", line: nil,
+      permission: "permit", protocol: "ip",
+      rule:"10.1.1.0 255.255.255.240 any"
+    },
+    # rule host ip any
+    "access-list biz extended permit ip host 192.168.1.50 any" => {
+      name: "biz", line: nil,
+      permission: "permit", protocol: "ip",
+      rule:"host 192.168.1.50 any"
+    },
+    # rule ip mask to ip mask
+    "access-list nonat extended deny ip 10.9.8.7 255.255.255.0 7.8.9.10 255.255.255.0" => {
+      name: "nonat", line: nil,
+      permission: "deny", protocol: "ip",
+      rule:"10.9.8.7 255.255.255.0 7.8.9.10 255.255.255.0"
+    },
+    # rule with line number
+    "access-list foo line 16 extended permit ip any any" => {
+      name: "foo", line: "16",
+      permission: "permit", protocol: "ip",
+      rule: "any any"
+    }
+  }.each do |conf, attrs|
+    it "::SIGNATURE should match '#{conf}'" do
+      expect(conf).to match(klass::SIGNATURE)
+    end
+    context "for config def '#{conf}'" do
+      subject { klass.new(conf) }
+      it ".sub_ilk should be 'extended'" do
+        expect(subject.sub_ilk).to eq("extended")
+      end
+      attrs.each do |k,v|
+        it ".#{k} should be '#{v || 'nil'}'" do
+          expect(subject.send(k)).to eq(v)
+        end
+      end#attrs
+      context "with explicit line_number as #new argument" do
+        subject { klass.new(conf, line_number: 42) }
+        it ".line_number should be 42" do
+          expect(subject.line_number).to eq(42)
+        end
+      end
+    end#context
+  end#hash
+end

data/spec/lib/directive/access_list/standard_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList::Standard do
+  let(:klass) { Conpar::Directive::AccessList::Standard }
+  {
+    "access-list OSPF standard permit 192.168.1.0 255.255.255.0" => {
+      name: "OSPF",
+      permission: "permit",
+      rule: "192.168.1.0 255.255.255.0"
+    },
+    "access-list foo standard permit 192.168.1.50 255.255.255.0" => {
+      name: "foo",
+      permission: "permit",
+      rule: "192.168.1.50 255.255.255.0"
+    }
+  }.each do |conf, attrs|
+    it "::SIGNATURE should match '#{conf}'" do
+      expect(conf).to match(klass::SIGNATURE)
+    end
+    context "for config line '#{conf}'" do
+      subject { klass.new(conf) }
+      it ".sub_ilk should be 'standard'" do
+        expect(subject.sub_ilk).to eq('standard')
+      end
+      attrs.each do |k,v|
+        it ".#{k} should be '#{v || 'nil'}'" do
+          expect(subject.send(k)).to eq(v)
+        end
+      end#attrs
+    end#context
+  end#hash
+end

data/spec/lib/directive/access_list/unknown_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList::UnknownType do
+  let(:klass) { Conpar::Directive::AccessList::UnknownType }
+  it "should have correct sub_ilk" do
+    expect(klass.new("access-list foo unknowntype permit all").sub_ilk).to eq("unknown")
+  end
+end

data/spec/lib/directive/access_list/web_type_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList::WebType do
+  let(:klass) { Conpar::Directive::AccessList::WebType }
+  {
+    "access-list acl_company webtype deny url http://*.cisco.example" => {
+      name: "acl_company",
+      permission: "deny",
+      rule: "url http://*.cisco.example"
+    }
+  }.each do |conf,attrs|
+    it "::SIGNATURE should match '#{conf}'" do
+      expect(conf).to match(klass::SIGNATURE)
+    end
+    context "for config line '#{conf}'" do
+      subject { klass.new(conf) }
+      it ".sub_ilk should be 'webtype'" do
+        expect(subject.sub_ilk).to eq('webtype')
+      end
+      attrs.each do |k,v|
+        it ".#{k} should be '#{v || 'nil'}'" do
+          expect(subject.send(k)).to eq(v)
+        end
+      end#attrs
+    end#context
+  end
+end

data/spec/lib/directive/access_list_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe Conpar::Directive::AccessList do
+  context ".new" do
+    {
+      "access-list foo standard deny all"    => Conpar::Directive::AccessList::Standard,
+      "access-list foo extended deny all"    => Conpar::Directive::AccessList::Extended,
+      "access-list foo webtype deny all"     => Conpar::Directive::AccessList::WebType,
+      "access-list foo ethertype deny all"   => Conpar::Directive::AccessList::EtherType,
+      "access-list foo unknowntype deny all" => Conpar::Directive::AccessList::Base
+    }.each do |line, klass_output|
+      it "for '#{line}' should return a #{klass_output.name}" do
+        expect(subject.new(line)).to be_a_kind_of(klass_output)
+      end
+    end
+  end
+end