puffy 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b53bffbf2f30ba597482608cf4f3e005cf481bd69cbfa4fdaf7a9de14f1b90ca
+  data.tar.gz: 5c4fee30b67e7c8cd777d219173473d2e2d4f0b437c9df02e7f0d16ca9341515
+SHA512:
+  metadata.gz: 7a23559f7ff420013adaeafa437f13450a78b41bf1757e584c8bea54c7cade3fd51da7fc31497a2c70844c011d13d841edb0091eb801c03eee7737d9f0fe7a19
+  data.tar.gz: a3c6db0679f173cd714665e9a884c5eff22df4847562cb188f8d04c18da31ec79d3b9e54f6084d2a9514eb0dfb831337c878b58e92391ed86a7fd125888e181c

data/.github/workflows/ci.yml

@@ -0,0 +1,36 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+    branches:
+      - main
+      - master
+
+jobs:
+  unit:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby:
+          - "2.6"
+          - "2.7"
+          - "3.0"
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: |
+          gem install bundler
+          bundle install --jobs 4 --retry 3
+      - name: Generate the parser
+        run: bundle exec rake gen_parser
+      - name: Run tests
+        run: bundle exec rake

data/.gitignore

@@ -0,0 +1,5 @@
+Gemfile.lock
+coverage
+lib/puffy/parser.tab.rb
+tags
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,39 @@
+AllCops:
+  TargetRubyVersion: '2.5'
+  AllowSymlinksInCacheRootDirectory: true
+  NewCops: enable
+  Exclude:
+    - lib/melt/*.tab.rb
+    - tmp/**/*.rb
+
+Layout/HashAlignment:
+  EnforcedColonStyle: table
+  EnforcedHashRocketStyle: table
+
+Layout/LineLength:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*.rb
+
+Metrics/ClassLength:
+  Max: 200
+
+Metrics/ModuleLength:
+  Exclude:
+    - spec/**/*.rb
+
+Style/Documentation:
+  Exclude:
+    - features/support/env.rb
+    - spec/**/*.rb
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma

data/.simplecov

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# vim:set syntax=ruby:
+
+SimpleCov.start do
+  add_filter '/spec/'
+  add_group 'Formatters', 'lib/melt/formatters'
+end

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in puffy.gemspec
+gemspec

data/README.md

@@ -0,0 +1,51 @@
+# Puffy
+
+[![Build Status](https://travis-ci.com/opus-codium/puffy.svg?branch=master)](https://travis-ci.com/opus-codium/puffy)
+[![Maintainability](https://api.codeclimate.com/v1/badges/1d46ac8511718fd284fd/maintainability)](https://codeclimate.com/github/opus-codium/puffy/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/1d46ac8511718fd284fd/test_coverage)](https://codeclimate.com/github/opus-codium/puffy/test_coverage)
+[![Inline docs](http://inch-ci.org/github/opus-codium/puffy.svg?branch=master)](http://inch-ci.org/github/opus-codium/puffy)
+
+## Features
+
+* Generate rules for [Netfilter](http://www.netfilter.org/) and [PF](http://www.openbsd.org/faq/pf/) (extensible);
+* IPv6 and IPv4 support;
+* Define the configuration of multiple *nodes* in a single file;
+* Define *services* as group of rules to mix-in in *nodes* rules definitions;
+* Handle NAT & port redirection;
+
+## Requirements
+
+* Accurate DNS information;
+
+## Syntax
+
+The Puffy syntax is inspired by the syntax of the [OpenBSD Packet Filter](http://www.openbsd.org/faq/pf/), with the ability to group rules in reusable blocks in order to describe all rules of a network of nodes in a single file.
+
+Rules must appear in either a *node* or *service* definition, *services* being
+reusable blocks of related rules:
+
+~~~
+service base do
+  service ntp
+  service ssh
+end
+
+service ntp do
+  pass out proto udp from any to port ntp
+end
+
+service ssh do
+  pass in proto tcp form any to port ssh
+end
+
+node 'db.example.com' do
+  service base
+  pass in proto tcp from 'www1.example.com' to port postgresql
+end
+
+node /www\d+.example.com/ do
+  service base
+  pass in proto tcp from any to port www
+  pass out proto tcp from any to 'db.example.com' port postgresql
+end
+~~~

data/Rakefile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
+
+RSpec::Core::RakeTask.new(:spec)
+Cucumber::Rake::Task.new(:features)
+
+task test: %i[spec features]
+
+task default: :test
+
+desc 'Generate the puffy language parser'
+task gen_parser: 'lib/puffy/parser.tab.rb'
+
+file 'lib/puffy/parser.tab.rb' => 'lib/puffy/parser.y' do
+  `racc -S lib/puffy/parser.y`
+end

data/bin/puffy

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH << File.expand_path('../lib', __dir__)
+
+require 'puffy/cli'
+
+begin
+  cli = Puffy::Cli.new
+  cli.execute(ARGV)
+rescue Puffy::SyntaxError => e
+  $stderr.puts e.message
+  exit 1
+rescue Puffy::ParseError => e
+  $stderr.puts e.message
+  exit 1
+end

data/lib/core_ext.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+# Mixin for combining variations
+#
+#   { a: :b }.expand       #=> [{ a: :b }]
+#   { a: [:b, :c] }.expand #=> [{ a: :b }, { a: :c }]
+#   {
+#     a: [:b, :c],
+#     d: [:e, :f],
+#   }.expand
+#   #=> [{ a: :b, d: :e }, {a: :b, d: :f}, { a: :c, d: :e }, { a: :c, d: :f }]
+module Expandable
+  # Returns an array composed of all possible variation of the object by
+  # combining all the items of it's array values.
+  #
+  # @return [Array]
+  def expand
+    @expand_res = [{}]
+    each do |key, value|
+      case value
+      when Array then expand_array(key)
+      when Hash then expand_hash(key)
+      else @expand_res.map! { |hash| hash.merge(key => value) }
+      end
+    end
+    @expand_res
+  end
+
+  private
+
+  def expand_array(key)
+    orig = @expand_res
+    @expand_res = []
+    fetch(key).each do |value|
+      @expand_res += orig.map { |hash| hash.merge(key => value) }
+    end
+  end
+
+  def expand_hash(key)
+    orig = @expand_res
+    @expand_res = []
+    fetch(key).expand.each do |value|
+      @expand_res += orig.map { |hash| hash.merge(key => value) }
+    end
+  end
+end
+
+class Array # :nodoc:
+  def deep_dup
+    array = []
+    each do |value|
+      array << if value.respond_to?(:deep_dup)
+                 value.deep_dup
+               else
+                 value.dup
+               end
+    end
+    array
+  end
+end
+
+class Hash # :nodoc:
+  include Expandable
+
+  def deep_dup
+    hash = dup
+    each_pair do |key, value|
+      hash[key.dup] = if value.respond_to?(:deep_dup)
+                        value.deep_dup
+                      else
+                        value.dup
+                      end
+    end
+    hash
+  end
+end

data/lib/puffy/cli.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+require 'cri'
+require 'puffy'
+require 'fileutils'
+
+module Puffy
+  # Command-line processing
+  class Cli
+    def initialize
+      cli = self
+
+      @main = Cri::Command.define do
+        name    'puffy'
+        usage   'puffy [options] <command>'
+        summary 'Network firewall rules made easy!'
+
+        description <<~DESCRIPTION
+          Generate firewall rules for multiple nodes from a single network
+          specification file.
+        DESCRIPTION
+
+        flag :h, :help, 'Show help for this command' do |_value, cmd|
+          puts cmd.help
+          exit 0
+        end
+
+        run do |_opts, _args, cmd|
+          puts cmd.help
+          exit 0
+        end
+      end
+
+      @main.define_command do
+        name    'generate'
+        usage   'generate [options] <network> <hostname>'
+        summary 'Generate the firewall configuration for a node'
+
+        description <<~DESCRIPTION
+          Generate the firewall configuration for the node "hostname" for which
+          the configuration is described in the "network" specification file.
+        DESCRIPTION
+
+        required :f, :formatter, 'The formatter to use', default: 'Pf'
+
+        param('network')
+        param('hostname')
+
+        run do |opts, args|
+          parser = cli.load_network(args[:network])
+          rules = parser.ruleset_for(args[:hostname])
+          policy = parser.policy_for(args[:hostname])
+
+          formatter = Object.const_get("Puffy::Formatters::#{opts[:formatter]}::Ruleset").new
+          puts formatter.emit_ruleset(rules, policy)
+        end
+      end
+
+      puppet = @main.define_command do
+        name    'puppet'
+        usage   'puppet [options] <subcommand>'
+        summary 'Run puppet actions'
+
+        description <<~DESCRIPTION
+          Manage a directory of firewall configurations files suitable for Puppet.
+        DESCRIPTION
+
+        required :o, :output, 'Base directory for network firewall rules', default: '.'
+
+        run do |_opts, _args, cmd|
+          puts cmd.help
+          exit 0
+        end
+      end
+
+      puppet.define_command do
+        name    'diff'
+        usage   'diff [options] <network>'
+        summary 'Show differences between network specification and firewall rules'
+
+        description <<~DESCRIPTION
+          Show the changes that would be introduced by running `puffy puppet
+          generate` with the current "network" specification file.
+        DESCRIPTION
+
+        param('network')
+
+        run do |opts, args|
+          parser = cli.load_network(args[:network])
+          puppet = Puffy::Puppet.new(opts[:output], parser)
+          puppet.diff
+        end
+      end
+
+      puppet.define_command do
+        name    'generate'
+        usage   'generate [options] <network>'
+        summary 'Generate network firewall rules according to network specification'
+
+        description <<~DESCRIPTION
+          Generate a tree of configuration files suitable for all supported
+          firewalls for all the nodes described in the "network" specification
+          file.
+        DESCRIPTION
+
+        param('network')
+
+        run do |opts, args|
+          parser = cli.load_network(args[:network])
+          puppet = Puffy::Puppet.new(opts[:output], parser)
+          puppet.save
+        end
+      end
+
+      help_command = Cri::Command.new_basic_help.modify do
+        summary 'Show help for a command'
+      end
+
+      @main.add_command(help_command)
+    end
+
+    def load_network(filename)
+      parser = Puffy::Parser.new
+      parser.parse_file(filename)
+      parser
+    end
+
+    def execute(argv)
+      @main.run(argv)
+    end
+  end
+end

data/lib/puffy/formatters/base.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module Puffy
+  module Formatters # :nodoc:
+    module Base # :nodoc:
+      # Returns the loopback IPv4 IPAddr
+      #
+      # @return [IPAddr]
+      def self.loopback_ipv4
+        IPAddr.new('127.0.0.1')
+      end
+
+      # Returns the loopback IPv6 IPAddr
+      #
+      # @return [IPAddr]
+      def self.loopback_ipv6
+        IPAddr.new('::1')
+      end
+
+      # Returns a list of loopback addresses
+      #
+      # @return [Array<IPAddr>]
+      def self.loopback_addresses
+        [nil, loopback_ipv4, loopback_ipv6]
+      end
+
+      # Base class for Puffy Formatter Rulesets
+      class Ruleset
+        def initialize
+          @rule_formatter = Class.const_get(self.class.name.sub(/set$/, '')).new
+        end
+
+        def emit_header
+          ["# Generated by puffy v#{Puffy::VERSION} on #{Time.now.strftime('%c')}"]
+        end
+
+        # Returns a String representation of the provided +rules+ Array of Puffy::Rule with the +policy+ policy.
+        #
+        # @param rules [Array<Puffy::Rule>] array of Puffy::Rule.
+        # @param _policy [Symbol] ruleset policy.
+        # @return [String]
+        def emit_ruleset(rules, _policy = nil)
+          rules.collect { |rule| @rule_formatter.emit_rule(rule) }.join("\n")
+        end
+
+        # Filename for a firewall configuration fragment emitted by the formatter.
+        #
+        # @return [Array<String>]
+        def filename_fragment
+          raise 'Formatters#filename_fragment MUST be overriden'
+        end
+      end
+
+      # Base class for Puffy Formatter Rulesets
+      class Rule
+        protected
+
+        # Returns the loopback IPAddr of the given +address_family+
+        #
+        # @param address_family [Symbol] the address family, +:inet+ or +:inet6+
+        # @return [IPAddr,nil]
+        def loopback_address(address_family)
+          case address_family
+          when nil    then nil
+          when :inet  then Puffy::Formatters::Base.loopback_ipv4
+          when :inet6 then Puffy::Formatters::Base.loopback_ipv6
+          else raise "Unsupported address family #{address_family.inspect}"
+          end
+        end
+
+        # Return a string representation of the +host+ IPAddr as a host or network.
+        # @param host [IPAddr]
+        # @return [String] IP address
+        def emit_address(host)
+          if (host.ipv4? && host.prefix.to_i == 32) || (host.ipv6? && host.prefix.to_i == 128)
+            host.to_s
+          else
+            "#{host}/#{host.prefix}"
+          end
+        end
+
+        # Return a string representation of the +port+ port.
+        # #param port [Integer,Range]
+        # @return [String] Port
+        def emit_port(port)
+          case port
+          when Integer then port.to_s
+          when Range   then "#{port.begin}:#{port.end}"
+          else raise "Unexpected #{port.class.name}"
+          end
+        end
+      end
+    end
+  end
+end