trigger 2.0.0__py3-none-any.whl

trigger/acl/dicts.py

@@ -0,0 +1,357 @@
+"""
+This code is originally from parser.py. It contains all the simple data definitions in
+form of dictionaries and lists and such. This file is not meant to by used by itself.
+Imported into support.py.
+
+Variables defined:
+
+  adrsbk
+  dscp_names
+  fragment_flag_names
+  icmp_reject_codes
+  icmp_types
+  icmp_codes
+  ip_option_names
+  ios_icmp_messages
+  ios_icmp_names
+  junos_match_ordering_list
+  junos_match_order
+  address_matches
+  ports
+  precedence_names
+  tcp_flag_names
+  tcp_flag_specials
+  tcp_flag_rev
+"""
+
+__author__ = "Jathan McCollum, Mike Biancaniello, Michael Harding, Michael Shields"
+__editor__ = "Joseph Malone"
+__maintainer__ = "Jathan McCollum"
+__email__ = "jathanism@aol.com"
+__copyright__ = "Copyright 2006-2013, AOL Inc.; 2013 Saleforce.com"
+
+adrsbk = {"svc": {"group": {}, "book": {}}, "addr": {"group": {}, "book": {}}}
+
+dscp_names = {
+    "be": 0,
+    "cs0": 0,
+    "cs1": 8,
+    "af11": 10,
+    "af12": 12,
+    "af13": 14,
+    "cs2": 16,
+    "af21": 18,
+    "af22": 20,
+    "af23": 22,
+    "cs3": 24,
+    "af31": 26,
+    "af32": 28,
+    "af33": 30,
+    "cs4": 32,
+    "af41": 34,
+    "af42": 36,
+    "af43": 38,
+    "cs5": 40,
+    "ef": 46,
+    "cs6": 48,
+    "cs7": 56,
+}
+
+fragment_flag_names = {
+    "dont-fragment": 0x4000,
+    "more-fragments": 0x2000,
+    "reserved": 0x8000,
+}
+
+icmp_reject_codes = (
+    "administratively-prohibited",
+    "bad-host-tos",
+    "bad-network-tos",
+    "host-prohibited",
+    "host-unknown",
+    "host-unreachable",
+    "network-prohibited",
+    "network-unknown",
+    "network-unreachable",
+    "port-unreachable",
+    "precedence-cutoff",
+    "precedence-violation",
+    "protocol-unreachable",
+    "source-host-isolated",
+    "source-route-failed",
+    "tcp-reset",
+)
+
+icmp_types = {
+    "echo-reply": 0,
+    "echo-request": 8,
+    "echo": 8,  # undocumented
+    "info-reply": 16,
+    "info-request": 15,
+    "information-reply": 16,
+    "information-request": 15,
+    "mask-request": 17,
+    "mask-reply": 18,
+    "parameter-problem": 12,
+    "redirect": 5,
+    "router-advertisement": 9,
+    "router-solicit": 10,
+    "source-quench": 4,
+    "time-exceeded": 11,
+    "timestamp": 13,
+    "timestamp-reply": 14,
+    "unreachable": 3,
+}
+
+icmp_codes = {
+    "ip-header-bad": 0,
+    "required-option-missing": 1,
+    "redirect-for-host": 1,
+    "redirect-for-network": 0,
+    "redirect-for-tos-and-host": 3,
+    "redirect-for-tos-and-net": 2,
+    "ttl-eq-zero-during-reassembly": 1,
+    "ttl-eq-zero-during-transit": 0,
+    "communication-prohibited-by-filtering": 13,
+    "destination-host-prohibited": 10,
+    "destination-host-unknown": 7,
+    "destination-network-prohibited": 9,
+    "destination-network-unknown": 6,
+    "fragmentation-needed": 4,
+    "host-precedence-violation": 14,
+    "host-unreachable": 1,
+    "host-unreachable-for-TOS": 12,
+    "network-unreachable": 0,
+    "network-unreachable-for-TOS": 11,
+    "port-unreachable": 3,
+    "precedence-cutoff-in-effect": 15,
+    "protocol-unreachable": 2,
+    "source-host-isolated": 8,
+    "source-route-failed": 5,
+}
+
+ip_option_names = {
+    "loose-source-route": 131,
+    "record-route": 7,
+    "router-alert": 148,
+    "strict-source-route": 137,
+    "timestamp": 68,
+}
+
+# Cisco "ICMP message type names and ICMP message type and code names" from
+# IOS 12.0 documentation.  Verified these against actual practice of 12.1(21),
+# since documentation is incomplete.  For example, is 'echo' code 8, type 0
+# or code 8, type any?  Experiment shows that it is code 8, type any.
+ios_icmp_messages = {
+    "administratively-prohibited": (3, 13),
+    "alternate-address": (6,),
+    "conversion-error": (31,),
+    "dod-host-prohibited": (3, 10),
+    "dod-net-prohibited": (3, 9),
+    "echo": (8,),
+    "echo-reply": (0,),
+    "general-parameter-problem": (12, 0),
+    "host-isolated": (3, 8),
+    "host-precedence-unreachable": (3, 14),
+    "host-redirect": (5, 1),
+    "host-tos-redirect": (5, 3),
+    "host-tos-unreachable": (3, 12),
+    "host-unknown": (3, 7),
+    "host-unreachable": (3, 1),
+    "information-reply": (16,),
+    "information-request": (15,),
+    "mask-reply": (18,),
+    "mask-request": (17,),
+    "mobile-redirect": (32,),
+    "net-redirect": (5, 0),
+    "net-tos-redirect": (5, 2),
+    "net-tos-unreachable": (3, 11),
+    "net-unreachable": (3, 0),
+    "network-unknown": (3, 6),
+    "no-room-for-option": (12, 2),
+    "option-missing": (12, 1),
+    "packet-too-big": (3, 4),
+    "parameter-problem": (12,),
+    "port-unreachable": (3, 3),
+    "precedence-unreachable": (3, 14),  # not (3, 15)
+    "protocol-unreachable": (3, 2),
+    "reassembly-timeout": (11, 1),  # not (11, 2)
+    "redirect": (5,),
+    "router-advertisement": (9,),
+    "router-solicitation": (10,),
+    "source-quench": (4,),
+    "source-route-failed": (3, 5),
+    "time-exceeded": (11,),
+    "timestamp-reply": (14,),
+    "timestamp-request": (13,),
+    "traceroute": (30,),
+    "ttl-exceeded": (11, 0),
+    "unreachable": (3,),
+}
+
+ios_icmp_names = {v: k for k, v in ios_icmp_messages.items()}
+
+# Ordering for JunOS match clauses.  AOL style rules:
+# 1. Use the order found in the IP header, except, put protocol at the end
+#    so it is close to the port and tcp-flags.
+# 2. General before specific.
+# 3. Source before destination.
+junos_match_ordering_list = (
+    "source-mac-address",
+    "destination-mac-address",
+    "packet-length",
+    "fragment-flags",
+    "fragment-offset",
+    "first-fragment",
+    "is-fragment",
+    "prefix-list",
+    "address",
+    "source-prefix-list",
+    "source-address",
+    "destination-prefix-list",
+    "destination-address",
+    "ip-options",
+    "protocol",
+    # TCP/UDP
+    "tcp-flags",
+    "port",
+    "source-port",
+    "destination-port",
+    # ICMP
+    "icmp-code",
+    "icmp-type",
+)
+
+junos_match_order = {}
+
+for i, match in enumerate(junos_match_ordering_list):
+    junos_match_order[match] = i * 2
+    junos_match_order[match + "-except"] = i * 2 + 1
+
+# These types of Juniper matches go in braces, not square brackets.
+address_matches = {
+    "address",
+    "destination-address",
+    "source-address",
+    "prefix-list",
+    "source-prefix-list",
+    "destination-prefix-list",
+}
+
+for match in list(address_matches):
+    address_matches.add(match + "-except")
+
+# Not all of these are in /etc/services even as of RHEL 4; for example, it
+# has 'syslog' only in UDP, and 'dns' as 'domain'.  Also, Cisco (according
+# to the IOS 12.0 documentation at least) allows 'dns' in UDP and not TCP,
+# along with other anomalies.  We'll be somewhat more generous in parsing
+# input, and always output as integers.
+ports = {
+    "afs": 1483,  # JunOS
+    "bgp": 179,
+    "biff": 512,
+    "bootpc": 68,
+    "bootps": 67,
+    "chargen": 19,
+    "cmd": 514,  # undocumented IOS
+    "cvspserver": 2401,  # JunOS
+    "daytime": 13,
+    "dhcp": 67,  # JunOS
+    "discard": 9,
+    "dns": 53,
+    "dnsix": 90,
+    "domain": 53,
+    "echo": 7,
+    "eklogin": 2105,  # JunOS
+    "ekshell": 2106,  # JunOS
+    "exec": 512,  # undocumented IOS
+    "finger": 79,
+    "ftp": 21,
+    "ftp-data": 20,
+    "gopher": 70,
+    "hostname": 101,
+    "http": 80,  # JunOS
+    "https": 443,  # JunOS
+    "ident": 113,  # undocumented IOS
+    "imap": 143,  # JunOS
+    "irc": 194,
+    "isakmp": 500,  # undocumented IOS
+    "kerberos-sec": 88,  # JunOS
+    "klogin": 543,
+    "kpasswd": 761,  # JunOS
+    "kshell": 544,
+    "ldap": 389,  # JunOS
+    "ldp": 646,  # undocumented JunOS
+    "login": 513,  # JunOS
+    "lpd": 515,
+    "mobile-ip": 434,
+    "mobileip-agent": 434,  # JunOS
+    "mobileip-mn": 435,  # JunOS
+    "msdp": 639,  # JunOS
+    "nameserver": 42,
+    "netbios-dgm": 138,
+    "netbios-ns": 137,
+    "netbios-ssn": 139,  # JunOS
+    "nfsd": 2049,  # JunOS
+    "nntp": 119,
+    "ntalk": 518,  # JunOS
+    "ntp": 123,
+    "pop2": 109,
+    "pop3": 110,
+    "pptp": 1723,  # JunOS
+    "printer": 515,  # JunOS
+    "radacct": 1813,  # JunOS
+    "radius": 1812,  # JunOS and undocumented IOS
+    "rip": 520,
+    "rkinit": 2108,  # JunOS
+    "smtp": 25,
+    "snmp": 161,
+    "snmptrap": 162,
+    "snmp-trap": 162,  # undocumented IOS
+    "snpp": 444,  # JunOS
+    "socks": 1080,  # JunOS
+    "ssh": 22,  # JunOS
+    "sunrpc": 111,
+    "syslog": 514,
+    "tacacs": 49,  # undocumented IOS
+    "tacacs-ds": 49,
+    "talk": 517,
+    "telnet": 23,
+    "tftp": 69,
+    "time": 37,
+    "timed": 525,  # JunOS
+    "uucp": 540,
+    "who": 513,
+    "whois": 43,
+    "www": 80,
+    "xdmcp": 177,
+    "zephyr-clt": 2103,  # JunOS
+    "zephyr-hm": 2104,  # JunOS
+}
+
+precedence_names = {
+    "critical-ecp": 0xA0,  # JunOS
+    "critical": 0xA0,  # IOS
+    "flash": 0x60,
+    "flash-override": 0x80,
+    "immediate": 0x40,
+    "internet-control": 0xC0,  # JunOS
+    "internet": 0xC0,  # IOS
+    "net-control": 0xE0,  # JunOS
+    "network": 0xE0,  # IOS
+    "priority": 0x20,
+    "routine": 0x00,
+}
+
+tcp_flag_names = {
+    "ack": 0x10,
+    "fin": 0x01,
+    "push": 0x08,
+    "rst": 0x04,
+    "syn": 0x02,
+    "urgent": 0x20,
+}
+
+tcp_flag_specials = {"tcp-established": '"ack | rst"', "tcp-initial": '"syn & !ack"'}
+
+tcp_flag_rev = {v: k for k, v in tcp_flag_specials.items()}

trigger/acl/grammar.py

@@ -0,0 +1,112 @@
+"""
+This code is originally from parser.py. This is the basic grammar and rules
+from which the other specific grammars are built. This file is not meant to by used by itself.
+Imported into the specific grammar files.
+
+#Constants
+    errs
+    rules
+#Functions
+    S
+    literals
+    update
+    dict_sum
+"""
+
+__author__ = "Jathan McCollum, Mike Biancaniello, Michael Harding, Michael Shields"
+__editor__ = "Joseph Malone"
+__maintainer__ = "Jathan McCollum"
+__email__ = "jathanism@aol.com"
+__copyright__ = "Copyright 2006-2013, AOL Inc.; 2013 Saleforce.com"
+
+from .support import *
+
+# Each production can be any of:
+# 1. string
+#    if no subtags: -> matched text
+#    if single subtag: -> value of that
+#    if list: -> list of the value of each tag
+# 2. (string, object) -> object
+# 3. (string, callable_object) -> object(arg)
+
+subtagged = set()
+
+
+def S(prod):
+    """
+    Wrap your grammar token in this to call your helper function with a list
+    of each parsed subtag, instead of the raw text. This is useful for
+    performing modifiers.
+
+    :param prod: The parser product.
+    """
+    subtagged.add(prod)
+    return prod
+
+
+def literals(d):
+    """Longest match of all the strings that are keys of 'd'."""
+    keys = [str(key) for key in d]
+    keys.sort(key=lambda x: -len(x))  # Sort by length descending
+    return " / ".join(['"%s"' % key for key in keys])
+
+
+def update(d, **kwargs):
+    # Check for duplicate subterms, which is legal but too confusing to be
+    # allowed at AOL.  For example, a Juniper term can have two different
+    # 'destination-address' clauses, which means that the first will be
+    # ignored.  This led to an outage on 2006-10-11.
+    for key in kwargs.keys():
+        if key in d:
+            raise exceptions.ParseError("duplicate %s" % key)
+    d.update(kwargs)
+    return d
+
+
+def dict_sum(dlist):
+    dsum = {}
+    for d in dlist:
+        for k, v in d.items():
+            if k in dsum:
+                dsum[k] += v
+            else:
+                dsum[k] = v
+    return dsum
+
+
+## syntax error messages
+errs = {
+    "comm_start": '"comment missing /* below line %(line)s"',
+    "comm_stop": '"comment missing */ below line %(line)s"',
+    "default": '"expected %(expected)s line %(line)s"',
+    "semicolon": '"missing semicolon on line %(line)s"',
+}
+
+rules = {
+    "digits": "[0-9]+",
+    "<digits_s>": "[0-9]+",
+    "<ts>": "[ \\t]+",
+    "<ws>": "[ \\t\\n]+",
+    "<EOL>": "('\r'?,'\n')/EOF",
+    "alphanums": "[a-zA-Z0-9]+",
+    "word": "[a-zA-Z0-9_.-]+",
+    "anychar": "[ a-zA-Z0-9.$:()&,/'_-]",
+    "hex": "[0-9a-fA-F]+",
+    "ipchars": "[0-9a-fA-F:.]+",
+    "ipv4": ('digits, (".", digits)*', TIP),
+    "ipaddr": ("ipchars", TIP),
+    "cidr": (
+        '("inactive:", ws+)?, (ipaddr / ipv4), "/", digits, (ws+, "except")?',
+        TIP,
+    ),
+    "macaddr": 'hex, (":", hex)+',
+    "protocol": (literals(Protocol.name2num) + " / digits", do_protocol_lookup),
+    "tcp": ('"tcp" / "6"', Protocol("tcp")),
+    "udp": ('"udp" / "17"', Protocol("udp")),
+    "icmp": ('"icmp" / "1"', Protocol("icmp")),
+    "icmp_type": (literals(icmp_types) + " / digits", do_icmp_type_lookup),
+    "icmp_code": (literals(icmp_codes) + " / digits", do_icmp_code_lookup),
+    "port": (literals(ports) + " / digits", do_port_lookup),
+    "dscp": (literals(dscp_names) + " / digits", do_dscp_lookup),
+    "root": "ws?, junos_raw_acl / junos_replace_family_acl / junos_replace_acl / junos_replace_policers / ios_acl, ws?",
+}

trigger/acl/ios.py

@@ -0,0 +1,222 @@
+"""
+This code is originally from parser.py. This file is not meant to by used by itself.
+This is for IOS like ACLs
+
+#Constants
+    unary_port_operators
+    rules - this is really from the grammar.py
+# Classes
+    'Remark',
+# Functions
+    'handle_ios_match',
+    'handle_ios_acl',
+"""
+
+# Copied metadata from parser.py
+__author__ = "Jathan McCollum, Mike Biancaniello, Michael Harding, Michael Shields"
+__editor__ = "Joseph Malone"
+__maintainer__ = "Jathan McCollum"
+__email__ = "jathanism@aol.com"
+__copyright__ = "Copyright 2006-2013, AOL Inc.; 2013 Saleforce.com"
+
+from .grammar import *
+
+
+class Remark(Comment):
+    """
+    IOS extended ACL "remark" lines automatically become comments when
+    converting to other formats of ACL.
+    """
+
+    def output_ios_named(self):
+        """Output the Remark to IOS named format."""
+        return " remark " + self.data
+
+
+# Build a table to unwind Cisco's weird inverse netmask.
+# TODO (jathan): These don't actually get sorted properly, but it doesn't seem
+# to have mattered up until now. Worth looking into it at some point, though.
+inverse_mask_table = dict([(make_inverse_mask(x), x) for x in range(0, 33)])
+
+
+def handle_ios_match(a):
+    protocol, source, dest = a[:3]
+    extra = a[3:]
+
+    match = Matches()
+    modifiers = Modifiers()
+
+    if protocol:
+        match["protocol"] = [protocol]
+
+    for sd, arg in (("source", source), ("destination", dest)):
+        if isinstance(arg, list):
+            if arg[0] is not None:
+                match[sd + "-address"] = [arg[0]]
+            match[sd + "-port"] = arg[1]
+        else:
+            if arg is not None:
+                match[sd + "-address"] = [arg]
+
+    if "log" in extra:
+        modifiers["syslog"] = True
+        extra.remove("log")
+
+    if protocol == "icmp":
+        if len(extra) > 2:
+            raise NotImplementedError(extra)
+        if extra and isinstance(extra[0], tuple):
+            extra = extra[0]
+        if len(extra) >= 1:
+            match["icmp-type"] = [extra[0]]
+        if len(extra) >= 2:
+            match["icmp-code"] = [extra[1]]
+    elif protocol == "tcp":
+        if extra == ["established"]:
+            match["tcp-flags"] = [tcp_flag_specials["tcp-established"]]
+        elif extra:
+            raise NotImplementedError(extra)
+    elif extra:
+        raise NotImplementedError(extra)
+
+    return {"match": match, "modifiers": modifiers}
+
+
+def handle_ios_acl(rows):
+    acl = ACL()
+    for d in rows:
+        if not d:
+            continue
+        for k, v in d.items():
+            if k == "no":
+                acl = ACL()
+            elif k == "name":
+                if acl.name:
+                    if v != acl.name:
+                        raise exceptions.ACLNameError(
+                            f"Name '{v}' does not match ACL '{acl.name}'"
+                        )
+                else:
+                    acl.name = v
+            elif k == "term":
+                acl.terms.append(v)
+            elif k == "format":
+                acl.format = v
+            # Brocade receive-acl
+            elif k == "receive_acl":
+                acl.is_receive_acl = True
+            else:
+                raise RuntimeError(f'unknown key "{k}" (value {v})')
+    # In traditional ACLs, comments that belong to the first ACE are
+    # indistinguishable from comments that belong to the ACL.
+    # if acl.format == 'ios' and acl.terms:
+    if acl.format in ("ios", "ios_brocade") and acl.terms:
+        acl.comments += acl.terms[0].comments
+        acl.terms[0].comments = []
+    return acl
+
+
+unary_port_operators = {
+    "eq": lambda x: [x],
+    "le": lambda x: [(0, x)],
+    "lt": lambda x: [(0, x - 1)],
+    "ge": lambda x: [(x, 65535)],
+    "gt": lambda x: [(x + 1, 65535)],
+    "neq": lambda x: [(0, x - 1), (x + 1, 65535)],
+}
+
+rules.update(
+    {
+        "ios_ip": "kw_any / host_ipv4 / ios_masked_ipv4",
+        "kw_any": ('"any"', None),
+        "host_ipv4": '"host", ts, ipv4',
+        S("ios_masked_ipv4"): (
+            "ipv4, ts, ipv4_inverse_mask",
+            # Python 3: Explicit tuple unpacking for string formatting
+            lambda x: TIP("%s/%d" % (x[0], x[1])),
+        ),
+        "ipv4_inverse_mask": (
+            literals(inverse_mask_table),
+            lambda x: inverse_mask_table[TIP(x)],
+        ),
+        "kw_ip": ('"ip"', None),
+        S("ios_match"): (
+            "kw_ip / protocol, ts, ios_ip, ts, ios_ip, (ts, ios_log)?",
+            handle_ios_match,
+        ),
+        S("ios_tcp_port_match"): (
+            "tcp, ts, ios_ip_port, ts, ios_ip_port, (ts, established)?, (ts, ios_log)?",
+            handle_ios_match,
+        ),
+        S("ios_udp_port_match"): (
+            "udp, ts, ios_ip_port, ts, ios_ip_port, (ts, ios_log)?",
+            handle_ios_match,
+        ),
+        S("ios_ip_port"): "ios_ip, (ts, unary_port / ios_range)?",
+        S("unary_port"): (
+            "unary_port_operator, ts, port",
+            lambda x: unary_port_operators[x[0]](x[1]),
+        ),
+        "unary_port_operator": literals(unary_port_operators),
+        S("ios_range"): ('"range", ts, port, ts, port', lambda xy: [(xy[0], xy[1])]),
+        "established": '"established"',
+        S("ios_icmp_match"): (
+            "icmp, ts, ios_ip, ts, ios_ip, (ts, ios_log)?, "
+            "(ts, ios_icmp_message / "
+            " (icmp_type, (ts, icmp_code)?))?, (ts, ios_log)?",
+            handle_ios_match,
+        ),
+        "ios_icmp_message": (
+            literals(ios_icmp_messages),
+            lambda x: ios_icmp_messages[x],
+        ),
+        "ios_action": '"permit" / "deny"',
+        "ios_log": '"log-input" / "log"',
+        S("ios_action_match"): (
+            "ios_action, ts, ios_tcp_port_match / "
+            "ios_udp_port_match / ios_icmp_match / ios_match",
+            lambda x: {"term": Term(action=x[0], **x[1])},
+        ),
+        "ios_acl_line": "ios_acl_match_line / ios_acl_no_line",
+        S("ios_acl_match_line"): (
+            '"access-list", ts, digits, ts, ios_action_match',
+            lambda x: update(x[1], name=x[0], format="ios"),
+        ),
+        S("ios_acl_no_line"): (
+            '"no", ts, "access-list", ts, digits',
+            lambda x: {"no": True, "name": x[0]},
+        ),
+        "ios_ext_line": (
+            "ios_action_match / ios_ext_name_line / "
+            "ios_ext_no_line / ios_remark_line / "
+            "ios_rebind_acl_line / ios_rebind_receive_acl_line"
+        ),
+        S("ios_ext_name_line"): (
+            '"ip", ts, "access-list", ts, "extended", ts, word',
+            lambda x: {"name": x[0], "format": "ios_named"},
+        ),
+        S("ios_ext_no_line"): (
+            '"no", ts, "ip", ts, "access-list", ts, "extended", ts, word',
+            lambda x: {"no": True, "name": x[0]},
+        ),
+        # Brocade "ip rebind-acl foo" or "ip rebind-receive-acl foo" syntax
+        S("ios_rebind_acl_line"): (
+            '"ip", ts, "rebind-acl", ts, word',
+            lambda x: {"name": x[0], "format": "ios_brocade"},
+        ),
+        # Brocade "ip rebind-acl foo" or "ip rebind-receive-acl foo" syntax
+        S("ios_rebind_receive_acl_line"): (
+            '"ip", ts, "rebind-receive-acl", ts, word',
+            lambda x: {"name": x[0], "format": "ios_brocade", "receive_acl": True},
+        ),
+        S("icomment"): ('"!", ts?, icomment_body', lambda x: x),
+        "icomment_body": ('-"\n"*', Comment),
+        S("ios_remark_line"): (
+            '("access-list", ts, digits_s, ts)?, "remark", ts, remark_body',
+            lambda x: x,
+        ),
+        "remark_body": ('-"\n"*', Remark),
+        ">ios_line<": ('ts?, (ios_acl_line / ios_ext_line / "end")?, ts?, icomment?'),
+        S("ios_acl"): ('(ios_line, "\n")*, ios_line', handle_ios_acl),
+    }
+)