junos-ez-srx 0.0.8

data/lib/junos-ez/srx/policyrules.rb

@@ -0,0 +1,239 @@
+class Junos::Ez::SRX::PolicyRules::Provider < Junos::Ez::Provider::Parent
+    
+  ### ---------------------------------------------------------------
+  ### XML top placement
+  ### ---------------------------------------------------------------
+  
+  def xml_at_top
+    xml = @parent.xml_at_top
+    xml_element_top( xml, @name ) 
+  end
+  
+  def xml_element_top( xml, name )
+    xml.policy { 
+      xml.name name
+      return xml
+    }
+  end
+  
+  ### ---------------------------------------------------------------
+  ### XML readers
+  ### ---------------------------------------------------------------
+  
+  def xml_get_has_xml( xml )
+    xml.xpath('security/policies/policy/policy')[0]
+  end
+    
+  def xml_read_parser( as_xml, as_hash )  
+    
+    set_has_status( as_xml, as_hash )      
+    
+    r_match = as_xml.xpath('match')
+    r_then = as_xml.xpath('then')
+        
+    descr = as_xml.xpath('description').text
+    as_hash[:description] = descr unless descr.empty?
+    
+    ## --------------------------------
+    ## "match" criteria
+    ## --------------------------------
+    
+    as_hash[:match_srcs] = r_match.xpath('source-address').collect do |src|
+      src.text
+    end
+    as_hash[:match_dsts] = r_match.xpath('destination-address').collect do |dst|
+      dst.text
+    end
+    as_hash[:match_apps] = r_match.xpath('application').collect do |dst|
+      dst.text
+    end    
+
+    ## --------------------------------
+    ## "then" criteria
+    ## --------------------------------
+    
+    action = r_then.xpath('permit | reject | deny')[0]
+    as_hash[:action] = action.name.to_sym
+    
+    xml_when_item( r_then.xpath('count' )){ as_hash[:count] = true }
+    xml_when_item( r_then.xpath('log/session-init')){ as_hash[:log_init] = true }
+    xml_when_item( r_then.xpath('log/session-close')){ as_hash[:log_close] = true }
+    
+    return true
+  end   
+  
+  ### ---------------------------------------------------------------
+  ### XML property writers
+  ### ---------------------------------------------------------------  
+  
+  def xml_change_match_srcs( xml )
+    add, del = diff_property_array( :match_srcs )       
+    return false if add.empty? and del.empty?
+        
+    ele = :'source-address'
+    xml.match {
+      add.each{ |a| xml.send(ele, a) }
+      del.each{ |a| xml.send(ele, a, Netconf::JunosConfig::DELETE ) }
+    }
+  end
+  
+  def xml_change_match_dsts( xml )
+    add, del = diff_property_array( :match_dsts )        
+    return false if add.empty? and del.empty?
+    
+    ele = :'destination-address'
+    xml.match {
+      add.each{ |a| xml.send(ele, a) }
+      del.each{ |a| xml.send(ele, a, Netconf::JunosConfig::DELETE ) }
+    }
+  end
+  
+  def xml_change_match_apps( xml )
+    add, del = diff_property_array( :match_apps )        
+    return false if add.empty? and del.empty?
+    
+    xml.match {
+      add.each{ |a| xml.application a }
+      del.each{ |a| xml.application a, Netconf::JunosConfig::DELETE  }
+    }
+  end
+  
+  def xml_change_action( xml )
+    xml.then { xml.send( @should[:action] ) }
+  end
+  
+  def xml_change_count( xml )
+    xml.then {
+      xml_set_or_delete_element( xml, 'count', @should[:count] )
+    }
+  end
+  
+  def xml_change_log_init( xml )
+    xml.then { xml.log {
+      xml_set_or_delete_element( xml, 'session-init', @should[:log_init] )
+    }}
+  end
+  
+  def xml_change_log_close( xml )
+    xml.then { xml.log {
+      xml_set_or_delete_element( xml, 'session-close', @should[:log_close] )
+    }}    
+  end
+    
+end
+
+##### ---------------------------------------------------------------
+##### Provider collection methods
+##### ---------------------------------------------------------------
+
+class Junos::Ez::SRX::PolicyRules::Provider  
+  
+  def build_list
+    xml_get = @parent.xml_at_top
+    xml_get.policy( :recurse => 'false' )
+    xml_got = @ndev.rpc.get_configuration( xml_get )    
+    xml_got.xpath('//name').collect{|n| n.text }
+  end
+  
+  def build_catalog
+    @catalog = {}
+    xml_got = @ndev.rpc.get_configuration( @parent.xml_at_top )
+    pols = xml_got.xpath('security/policies/policy')
+    pols.xpath('policy').each do |pol|
+      name = pol.xpath('name').text
+      @catalog[name] = {}
+      xml_read_parser( pol, @catalog[name] )
+    end
+    return @catalog
+  end  
+  
+end
+
+##### ---------------------------------------------------------------
+##### Provider Misc. operational methods
+##### ---------------------------------------------------------------
+
+class Junos::Ez::SRX::PolicyRules::Provider
+  
+  ## 'catalog_expanded' does the equivalent of the show w/detail option
+  ## this expands the security object names into their exact values.
+  ## note that this processing could take some time given the size of
+  ## the address-books and application database involved. yo!
+  
+  def catalog_expanded( policy_name = nil, opts = {} )
+    
+    context = @parent.name
+    
+    catalog_h = { :name => context }
+    catalog_h[:rules] = []
+    
+    args = { :detail => true, :from_zone => context[0], :to_zone => context[1] }
+    args[:policy_name] = policy_name if policy_name     
+    got = @ndev.rpc.get_firewall_policies( args )
+    
+    got.xpath('security-context/policies/policy-information').each do |pi|
+      catalog_h[:rules] << _pi_to_h_( pi )
+    end     
+    
+    return catalog_h    
+  end
+  
+  ### ---------------------------------------------------------------
+  ### !!! PRIVATE METHODS
+  ### ---------------------------------------------------------------
+
+  private
+  
+  def _pi_to_h_( xml )
+    
+    name = xml.xpath('policy-name').text
+    action = xml.xpath('policy-action/action-type').text.to_sym
+    
+    srcs = xml.xpath('source-addresses/source-address').collect do |i|
+      [ i.xpath('address-name').text, i.xpath('prefixes/address-prefix').text ]
+    end
+    
+    dsts = xml.xpath('destination-addresses/destination-address').collect do |i|
+      [ i.xpath('address-name').text, i.xpath('prefixes/address-prefix').text ]
+    end
+    
+    apps = {}
+    xml.xpath('applications/application').each do |i|
+      app_name = i.xpath('application-name').text
+      app_terms_xml = i.xpath('application-term')
+      app_terms_a = []
+      app_terms_xml.each do |app_term|            
+        app_term_h = {}
+        app_term_h[:proto] = app_term.xpath('protocol').text       
+        app_term_h[:timeout] = app_term.xpath('inactivity-timeout').text.to_i
+        if app_term_h[:proto] == 'icmp'
+          app_term_h[:icmp_type] = app_term.xpath('icmp-info/icmp-type').text
+          app_term_h[:icmp_code] = app_term.xpath('icmp-info/icmp-code').text
+        else        
+          app_sports = [ app_term.xpath('source-port-range/low').text.to_i,
+          app_term.xpath('source-port-range/high').text.to_i ]                          
+          app_dports = [ app_term.xpath('destination-port-range/low').text.to_i,
+          app_term.xpath('destination-port-range/high').text.to_i ]                                
+          app_term_h[:src_ports] = app_sports                    
+          app_term_h[:dst_ports] = app_dports
+        end
+        app_terms_a << app_term_h
+      end
+      apps[app_name] = app_terms_a
+    end
+  
+    to_h = {}
+    to_h[:name] = name
+    to_h[:action] = action
+    to_h[:match_srcs] = Hash[srcs]
+    to_h[:match_dsts] = Hash[dsts]
+    to_h[:match_apps] = apps
+    
+    return to_h
+  end
+  
+end
+
+
+
+

data/lib/junos-ez/srx/zones.rb

@@ -0,0 +1,275 @@
+class Junos::Ez::SRX::Zones::Provider < Junos::Ez::Provider::Parent
+  
+  def initialize( p_obj, name = nil, opts = {} )
+    super
+    
+    ## binding child providers ...
+    ##    'interfaces' for zone-interfaces
+    ##    'addrs' for address-book address entries
+    ##    'sets' for address-book address sets
+    
+    Junos::Ez::SRX::Interfaces::Provider( self, :interfaces, :parent => self ) 
+    Junos::Ez::SRX::AddressBookEntries::Provider( self, :addrs, :parent => self )
+    Junos::Ez::SRX::AddressBookSets::Provider( self, :sets, :parent => self )
+  end
+  
+  ### ---------------------------------------------------------------
+  ### XML top placement
+  ### ---------------------------------------------------------------
+  
+  def xml_at_top
+    Nokogiri::XML::Builder.new{|x| x.configuration{ 
+      x.security { x.zones {
+        x.send(:'security-zone') { 
+          x.name @name
+          return x
+        }
+      }}
+    }}
+  end
+
+  ## for this provider, we only want to retrieve the
+  ## configuration for the 'host-inbound-traffic' section
+  
+  def xml_config_read!
+    xml = xml_at_top
+    xml.description
+    xml.send(:'host-inbound-traffic')
+    xml.interfaces
+    @ndev.rpc.get_configuration( xml )      
+  end  
+  
+  ### ---------------------------------------------------------------
+  ### XML readers
+  ### ---------------------------------------------------------------
+
+  def xml_get_has_xml( xml )
+    zone_xml = xml.xpath('//security-zone')[0]
+    return zone_xml if zone_xml
+    
+    # so there is a corner case if the zone exists, but doesn't
+    # have any interfaces or host-inbound-services.  this is probably
+    # a highly unlikely case, since a zone needs at least one inteface
+    # to be useful.  but just in case, let's check.
+    sh_zone = @ndev.rpc.get_zones_information(:get_zones_named_information => @name)
+    if sh_zone.xpath('zones-security')[0]    
+      @has[:_exist] = true
+      @has[:_active] = true
+      @has[:host_inbound_services] = []
+      @has[:host_inbound_protocols] = []
+      @has[:interfaces] = []
+    end
+    nil
+  end
+    
+  def xml_read_parser( as_xml, as_hash )    
+    set_has_status( as_xml, as_hash )        
+    
+    xml_when_item( as_xml.xpath('description')){|item| as_hash[:description] = item.text }
+    
+    host_ib = as_xml.xpath('host-inbound-traffic')    
+    as_hash[:host_inbound_services] = host_ib.xpath('system-services').collect do |svc|
+      svc.xpath('name').text.strip
+    end    
+    as_hash[:host_inbound_protocols] = host_ib.xpath('protocols').collect do |proto|
+      proto.xpath('name').text.strip
+    end
+    
+    as_hash[:interfaces] = as_xml.xpath('interfaces/name').collect do |zif|
+      zif.text.strip
+    end    
+     
+    return true
+  end    
+  
+  ### ---------------------------------------------------------------
+  ### XML property writers
+  ### ---------------------------------------------------------------
+  
+  def xml_change_host_inbound_services( xml )
+    add, del = diff_property_array( :host_inbound_services ) 
+    return false if add.empty? and del.empty?    
+            
+    xml.send( :'host-inbound-traffic' ) {
+      del.each do |i| 
+        xml.send(:'system-services', Netconf::JunosConfig::DELETE) {
+          xml.name i 
+        }
+      end
+      add.each{|i| xml.send(:'system-services', i ) }
+    }
+    
+  end
+  
+  def xml_change_host_inbound_protocols( xml )
+    add, del = diff_property_array( :host_inbound_protocols ) 
+    return false if add.empty? and del.empty?    
+        
+    xml.send( :'host-inbound-traffic' ) {
+      del.each do |i| 
+        xml.protocols( Netconf::JunosConfig::DELETE ) {
+          xml.name i 
+        }
+      end
+      add.each{ |i| xml.protocols i }
+    }   
+  end    
+  
+end
+
+##### ---------------------------------------------------------------
+##### Provider collection methods
+##### ---------------------------------------------------------------
+
+class Junos::Ez::SRX::Zones::Provider
+  
+  def build_list     
+    zones = @ndev.rpc.get_zones_information
+    zones.xpath('zones-security/zones-security-zonename').collect do |zone|
+      zone.text.strip
+    end
+  end
+  
+  def build_catalog
+    @catalog = {}
+    
+    zlist = list!
+    xml_cfg = @ndev.rpc.get_configuration{|x|
+      x.security { x.zones {
+        zlist.each do |zone_name|
+          @catalog[zone_name] = {}
+          x.send(:'security-zone') {
+            x.name zone_name
+            x.description
+            x.send(:'host-inbound-traffic')
+            x.interfaces
+          }
+        end
+      }}
+    }
+    
+    xml_cfg.xpath('//security-zone').each do |zone|
+      zn_name = zone.xpath('name').text.strip
+      @catalog[zn_name] = {}
+      xml_read_parser( zone, @catalog[zn_name] )
+    end    
+    
+    return @catalog  
+  end
+  
+end
+
+##### ---------------------------------------------------------------
+##### Provider YAML/Hash methods
+##### ---------------------------------------------------------------
+
+class Junos::Ez::SRX::Zones::Provider
+  
+  ## ----------------------------------------------------------------
+  ## create an 'expanded' hash structure
+  ## ----------------------------------------------------------------
+  
+  def to_h_expanded( opts = {} )       
+    { :name => @name,
+      :_exist => @has[:_exist],
+      :_active => @has[:_active],
+      :host_inbound_services => @has[:host_inbound_services],
+      :host_inbound_protocols => @has[:host_inbound_protocols],
+      :interfaces => interfaces.catalog
+    } 
+  end   
+  
+  def xml_from_h_expanded( from_hash, opts = {} )    
+    raise ArgumentError, "This is not a provider" unless is_provider?       
+    raise ArgumentError, ":name not provided in hash" unless from_hash[:name]
+    
+    provd = self.class.new( @ndev, from_hash[:name], @opts )   
+    provd.properties = Junos::Ez::Provider::PROPERTIES + Junos::Ez::SRX::Zones::PROPERTIES    
+    provd[:host_inbound_services] = from_hash[:host_inbound_services] || []
+    provd[:host_inbound_protocols] = from_hash[:host_inbound_protocols] || []
+    provd[:_exist] = from_hash[:_exist] || true
+    provd[:_active] = from_hash[:_active] || true
+    
+    # setup the XML for writing the complete configuration
+    
+    xml_top = provd.xml_at_top    
+    xml_add_here = xml_top.parent
+        
+    Nokogiri::XML::Builder.with( xml_add_here ) do |xml|
+      provd.xml_build_change( xml )      
+    end
+        
+    # iterate through each of the policy rules. @@@ need
+    # to validate that the HASH actually contains this, yo!
+    
+    from_hash[:interfaces].each do |name, hash|
+      Nokogiri::XML::Builder.with( xml_add_here ) do |xml|
+        
+        # create the new object so we can generate XML on it
+        obj = Junos::Ez::SRX::Interfaces::Provider.new( @ndev, name, :parent => provd )            
+                
+        # generate the object specific XML inside
+        obj.should = hash || {}
+        obj_xml = obj.xml_element_top( xml, name )    
+        obj.xml_build_change( obj_xml )
+      end      
+    end
+    
+    xml_top.parent[:replace] = "replace" if opts[:replace]    
+    xml_top.doc.root
+  end
+  
+end
+
+
+##### ---------------------------------------------------------------
+##### Provider Misc. methods
+##### ---------------------------------------------------------------
+
+class Junos::Ez::SRX::Zones::Provider
+  
+  def find_route( ip_prefix = nil, opts = {} )
+    raise ArgumentError, "ip_prefix required" unless ip_prefix
+    
+    ## do a standard route lookup to find the specific interface
+    ## providing a route for the provided ip_prefix
+    
+    got = @ndev.rpc.get_route_information( :destination => ip_prefix, :best => true )
+    return nil unless rt = got.xpath('route-table/rt')[0]
+    rt_ent = rt.xpath('rt-entry')[0]
+    
+    found = {}
+    found[:find] = ip_prefix
+    found[:found] = rt.xpath('rt-destination').text
+    found[:proto] = rt_ent.xpath('protocol-name').text
+    found[:pref] = rt_ent.xpath('preference').text.to_i
+    found[:via] = rt_ent.xpath('nh/via | nh/nh-local-interface').text 
+        
+    ## now find a zone based on the interface (via)    
+    
+    ifs = @ndev.rpc.get_interface_information( :interface_name => found[:via] )
+    found[:zone] = ifs.xpath('logical-interface/logical-interface-zone-name').text.strip
+    
+    ## if the calling object is a resource, then see if the zone
+    ## matches on the lookup, and mark accordingly.
+    
+    if @name; found[:zone_match] = (found[:zone] == @name) end
+    
+    ## if opts[:addrs] is set to true, then search through the zone address book
+    ## to see what matches.  first nab the zone provider depending if the calling
+    ## object is a provider or zone resource.  If it's a zone resource then we
+    ## also need to make sure that the route lookup landed in this zone
+    
+    if opts[:addrs]
+      if is_provider?
+        found[:addrs] = self[found[:zone]].addrs.find( ip_prefix )        
+      else
+        found[:addrs] = (found[:zone_match] == true) ? self.addrs.find(ip_prefix) : nil
+      end      
+    end
+        
+    return found
+  end
+    
+end
+