trigger 2.0.0__py3-none-any.whl

trigger/bin/check_access.py

@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+
+"""
+check_access - Determines whether access is permitted by a given ACL.
+"""
+
+__version__ = "1.2"
+
+import optparse
+import sys
+
+from simpleparse.error import ParserSyntaxError
+
+from trigger.acl.parser import TIP, Comment, Protocol, parse
+from trigger.acl.tools import check_access, create_trigger_term
+
+
+def main():
+    """Main entry point for the CLI tool."""
+    optp = optparse.OptionParser(
+        description="""\
+Determine whether access is permitted by a given ACL.  Exits 0 if permitted,
+1 if edits are needed. Lists the terms that apply and what edits are needed.
+Note that in order for the suggested edits feature to work, your policy must
+end with an explicit deny.""",
+        usage="%prog [opts] file source dest [protocol [port]]",
+    )
+    optp.add_option("-q", "--quiet", action="store_true", help="suppress output")
+    (opts, args) = optp.parse_args()
+
+    if not 3 <= len(args) <= 5:
+        optp.error("not enough arguments")
+
+    acl_file = args[0]
+
+    source = dest = protocol = port = []
+
+    if args[1] == "any":
+        source = []
+    else:
+        source = [TIP(args[1])]
+    if args[2] == "any":
+        dest = []
+    else:
+        dest = [TIP(args[2])]
+
+    if len(args) <= 3:
+        protocol = []
+        port = []
+    elif len(args) == 4:
+        try:
+            protocol = [Protocol("tcp")]
+            port = [int(args[3])]
+        except ValueError:
+            protocol = [Protocol(args[3])]
+            port = []
+    else:
+        protocol = [Protocol(args[3])]
+        port = [int(args[4])]
+
+    new_term = create_trigger_term(
+        source_ips=source,
+        dest_ips=dest,
+        source_ports=[],
+        dest_ports=port,
+        protocols=protocol,
+        name="sr_____",
+    )
+    new_term.modifiers["count"] = "sr_____"
+    new_term.comments.append(Comment("check_access: ADD THIS TERM"))
+
+    try:
+        acl = parse(open(acl_file))
+        permitted = None
+    except ParserSyntaxError as e:
+        etxt = str(e).split()
+        sys.exit(f"Cannot parse {acl_file}:" + " ".join(etxt[1:]))
+
+    permitted = check_access(
+        acl.terms, new_term, opts.quiet, format=acl.format, acl_name=acl.name
+    )
+
+    if permitted and not opts.quiet:
+        print("No edits needed.")
+
+    if permitted:
+        sys.exit(0)
+    else:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

trigger/bin/check_syntax.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+
+"""
+check_syntax - Determines if ACL passes parsing check
+"""
+
+__version__ = "1.0"
+
+import optparse
+import os
+import sys
+import tempfile
+
+from twisted.python import log
+
+from trigger.acl.parser import parse as acl_parse
+
+CONTEXT = 3
+
+
+def parse_args(argv):
+    optp = optparse.OptionParser(
+        description="""\
+        Determine if ACL file passes trigger's parsing checks.""",
+        usage="%prog [opts] file",
+    )
+    optp.add_option("-q", "--quiet", action="store_true", help="suppress output")
+    (opts, args) = optp.parse_args(argv)
+
+    return opts, args
+
+
+def main():
+    """Main entry point for the CLI tool."""
+    global opts
+
+    tmpfile = tempfile.mktemp() + "_parsing_check"
+    log.startLogging(open(tmpfile, "a"), setStdout=False)
+    log.msg(
+        'User %s (uid:%d) executed "%s"'
+        % (os.environ["LOGNAME"], os.getuid(), " ".join(sys.argv))
+    )
+
+    opts, args = parse_args(sys.argv)
+
+    for file in args[1:]:
+        if not os.path.exists(file):
+            print(f"Moving on.  File does not exist: {file}")
+            continue
+        if not os.path.isfile(file):
+            print(f"Moving on.  Not a normal file: {file}")
+            continue
+        # Calling `read()` on the fd immediately closes it
+        file_contents = open(file).read()
+
+        try:
+            acl_parse(file_contents)
+            print(f"File {file} passes the syntax check.")
+        except Exception as e:
+            print(f"File {file} FAILED the syntax check.  Here is the error:")
+            print(e)
+            print("")
+
+
+if __name__ == "__main__":
+    main()

trigger/bin/fe.py

@@ -0,0 +1,197 @@
+#!/usr/bin/env python
+
+"""
+fe - the File Editor. Uses RCS to maintain ACL policy versioning.
+"""
+
+__version__ = "1.2.1"
+
+
+import os
+import re
+import sys
+
+from simpleparse.error import ParserSyntaxError
+
+from trigger import acl
+from trigger.acl.parser import TIP
+from trigger.utils.cli import yesno
+
+psa_checks = (
+    (lambda t: "source-port" in t.match, "source port"),
+    (lambda t: "tos" in t.match, "ToS"),
+    (lambda t: "precedence" in t.match, "precedence"),
+    (lambda t: "protocol" in t.match and "igmp" in t.match["protocol"], "IGMP"),
+)
+
+
+def gsr_checks(a):
+    """PSA and SALSA checks, if the ACL is tagged appropriately."""
+    ok = True
+    max_lines, psa = None, False
+    if [c for c in a.comments if "SALSA" in c]:
+        max_lines = 128
+    elif [c for c in a.comments if "PSA-128" in c]:
+        max_lines, psa = 128, True
+    elif [c for c in a.comments if "PSA-448" in c]:
+        max_lines, psa = 448, True
+    if max_lines and len(a.terms) > max_lines:
+        print("ACL has %d lines, max %d (GSR limit)" % (len(a.terms), max_lines))
+        ok = False
+    if psa:
+        for t in a.terms:
+            for check, reason in psa_checks:
+                if check(t):
+                    print(f"Match on {reason} not permitted in PSA mode")
+                    for line in t.output_ios():
+                        print("    " + line)
+                    ok = False
+    return ok
+
+
+def normalize(a):
+    """Fix up the ACL, and return False if there are problems."""
+
+    if isinstance(a, acl.PolicerGroup):
+        return True
+
+    ok = True
+
+    # JunOS counter policy and duplicate term names.
+    if a.format == "junos":
+        names = set()
+        for t in a.terms:
+            if t.name in names:
+                print("Duplicate term name", t.name)
+                ok = False
+            else:
+                names.add(t.name)
+
+    # GSR checks.
+    if a.format == "ios":  # not ios_named
+        if not gsr_checks(a):
+            ok = False
+
+    # Check for 10/8.
+    for t in a.terms:
+        for addr in ("address", "source-address", "destination-address"):
+            for block in t.match.get(addr, []):
+                if block == TIP("10.0.0.0/8"):
+                    print("Matching on 10.0.0.0/8 is never correct")
+                    for line in t.output(a.format):
+                        print("    " + line)
+                    ok = False
+
+    # Here is the place to put other policy checks; for example, we could
+    # check blue to green HTTP and make sure all those terms have a comment
+    # in a standardized format saying it was approved.
+
+    return ok
+
+
+def edit(editfile):
+    """
+    Edits the file and calls normalize(). Loops until it passes or the user
+    confirms they want to bypass failed normalization. Returns a file object of
+    the diff output.
+    """
+    editor = os.environ.get("EDITOR", "vim")
+    if editor.startswith("vi"):
+        os.spawnlp(
+            os.P_WAIT, editor, editor, "+set sw=4", "+set softtabstop=4", editfile
+        )
+    else:
+        os.spawnlp(os.P_WAIT, editor, editor, editfile)
+
+    if os.path.basename(editfile):  # .startswith('acl.'):
+        print("Normalizing ACL...")
+        a = None
+        try:
+            a = acl.parse(open(editfile))
+        except ParserSyntaxError as e:
+            print(e)
+        except TypeError as e:
+            print(e)
+        except Exception as e:
+            print("ACL parse failed: ", sys.exc_info()[0], ":", e)
+        if a and normalize(a):
+            output = "\n".join(a.output(replace=True)) + "\n"
+            open(editfile, "w").write(output)
+        else:
+            if yesno("Re-edit?"):
+                return edit(editfile)
+
+    # should use a list version of popen
+    return os.popen("rcsdiff -u -b -q " + editfile).read()
+
+
+def main():
+    """Main entry point for the CLI tool."""
+    if len(sys.argv) < 2:
+        print("usage: fe files...", file=sys.stderr)
+        sys.exit(2)
+
+    for editfile in sys.argv[1:]:
+        try:
+            stat = os.stat(editfile)
+        except OSError:
+            stat = None
+
+        if not stat:
+            if yesno(f"{editfile} does not exist; create?", False):
+                edit(editfile)
+                os.spawnlp(os.P_WAIT, "ci", "ci", "-u", editfile)
+
+        else:
+            rv = os.spawnlp(os.P_WAIT, "co", "co", "-f", "-l", editfile)
+            if rv:
+                print("couldn't check out " + editfile, file=sys.stderr)
+                continue
+
+            diff = edit(editfile)
+            if not diff:
+                print("No changes made.")
+                os.spawnlp(os.P_WAIT, "rcs", "rcs", "-u", editfile)
+                # When no changes are made, ci leaves the file writable.
+                os.chmod(editfile, stat.st_mode & 0o555)
+                continue
+
+            print("")
+            print(f'"{os.path.basename(editfile)}"')
+            print("BEGINNING OF CHANGES========================")
+            print(diff, end="")
+            print("END OF CHANGES==============================")
+            print("")
+            print("")
+
+            if not yesno("Do you want to save changes?"):
+                print("Restoring original file")
+                os.spawnlp(os.P_WAIT, "co", "co", "-f", "-u", editfile)
+                continue
+
+            # Try to auto-detect log message from comments.
+            log = ""
+            pats = (re.compile(r"^\+.*!+(.*)"), re.compile(r"^\+.*/\*(.*)\*/"))
+            for line in diff.split("\n"):
+                for pat in pats:
+                    m = pat.match(line)
+                    if m:
+                        msg = m.group(1).strip()
+                        if msg:
+                            log += m.group(1).strip() + "\n"
+                        break
+            if log:
+                print("Autodetected log message:")
+                print(log)
+                print("")
+                if not yesno("Use this?"):
+                    log = ""
+
+            if log:
+                os.spawnlp(os.P_WAIT, "ci", "ci", "-u", "-m" + log, editfile)
+            else:
+                os.spawnlp(os.P_WAIT, "ci", "ci", "-u", editfile)
+
+
+if __name__ == "__main__":
+    main()

trigger/bin/find_access.py

@@ -0,0 +1,191 @@
+#!/usr/bin/env python
+
+"""
+find_access - Like check_access but reports on networks inside of networks.
+"""
+
+__version__ = "1.6"
+
+import sys
+from optparse import OptionParser
+
+from simpleparse.error import ParserSyntaxError
+
+from trigger.acl.parser import TIP, parse
+
+
+def parse_args(argv):
+    parser = OptionParser(
+        usage="%prog [options] [acls]",
+        add_help_option=False,
+        description="a more detailed varient of check_access.",
+    )
+    desc = """
+This is used more for reporting purposes. Currently check_access will do the
+right thing for finding access that is requested, but lacks the ability to
+report on networks inside networks.
+
+For example if an administrator ran the command:
+check_access /netsec/firewalls/acl.131mj 172.16.0.0/12 any
+
+This would only show terms where the source address was specifically
+172.168.0.0/12 but nothing smaller. This is due to the fact that if
+an engineer wanted to add new access for this range - this wouldn't
+actually be the correct access to add.
+
+This script looks in a slighty more detailed manner. If the input
+address is 172.16.1.0/24 and a term contains 172.16.1.5/32 that access
+would be reported on.
+
+This works in reverse, if the input is 172.16.1.0/24 and a term contains
+172.16.0.0/16 this access is reported.\n"""
+
+    parser.add_option("-h", "--help", action="store_true")
+    parser.add_option("-s", "--source-network", help="Supply a source network to find")
+    parser.add_option(
+        "-d", "--destination-network", help="Supply a destination network to find"
+    )
+    parser.add_option(
+        "-p",
+        "--ports",
+        help="Specify a set of ports comma seperated, allows for ranges",
+    )
+    parser.add_option(
+        "-S",
+        "--no-any-source",
+        action="store_true",
+        help='Do not include terms with source-address of "any"',
+    )
+    parser.add_option(
+        "-D",
+        "--no-any-destination",
+        action="store_true",
+        help='Do not include terms with destination-address of "any"',
+    )
+
+    opts, args = parser.parse_args(argv)
+
+    if opts.help:
+        parser.print_help()
+        sys.exit(desc)
+
+    return opts, args
+
+
+def match_term(term, data, type, opts):
+    # If any source/dest, return False
+    if opts.no_any_source and any_source(term):
+        return False
+    if opts.no_any_destination and any_dest(term):
+        return False
+
+    # If no input data or term field src/dst is any...
+    if not data or not term.match.has_key(type):
+        return True
+
+    if "port" in type:
+        for port in data:
+            if port in term.match[type]:
+                return True
+        return False
+
+    for data_in_term in term.match[type]:
+        for data_entry in data:
+            if data_entry in data_in_term or data_in_term in data_entry:
+                return True
+
+    return False
+
+
+def match_terms(acl, sources, dests, ports, opts):
+    matched = []
+
+    for term in acl.terms:
+        matched_sources = False
+        matched_dests = False
+        matched_ports = False
+
+        matched_sources = match_term(term, sources, "source-address", opts)
+        matched_dests = match_term(term, dests, "destination-address", opts)
+        matched_ports = match_term(term, ports, "destination-port", opts)
+
+        if matched_sources and matched_dests and matched_ports:
+            matched.append(term)
+
+    return matched
+
+
+def permits_from_any(term):
+    """Returns True if action is "accept" and term has no 'source-address'"""
+    return term.action[0] == "accept" and not term.match.get("source-address")
+
+
+def any_source(term):
+    """Returns True term has no 'source-address'"""
+    return not term.match.get("source-address")
+
+
+def any_dest(term):
+    """Returns True term has no 'destination-address'"""
+    return not term.match.get("destination-address")
+
+
+def do_work(acl_files, opts):
+    acl_file_data = {}
+    sources = []
+    dests = []
+    ports = []
+
+    if opts.source_network:
+        for x in opts.source_network.split(","):
+            sources.append(TIP(x))
+
+    if opts.destination_network:
+        for x in opts.destination_network.split(","):
+            dests.append(TIP(x))
+
+    if opts.ports:
+        for x in opts.ports.split(","):
+            ports.append(int(x))
+
+    for acl_file in acl_files:
+        try:
+            acl = parse(open(acl_file))
+        except ParserSyntaxError as e:
+            etxt = str(e).split()
+            sys.exit(etxt)
+
+        matching_terms = match_terms(acl, sources, dests, ports, opts)
+
+        acl.filename = acl_file  # Store this for a hot minute
+        acl.terms = []  # Nuke this in case it's huge
+        acl_file_data[acl] = matching_terms
+
+    return acl_file_data
+
+
+def print_report(data):
+    for aclobj, terms in data.items():
+        print(aclobj.filename)
+        print("=================================================")
+        for term in terms:
+            for o in term.output(format=aclobj.format, acl_name=aclobj.name):
+                print(o)
+        print("")
+
+
+def main():
+    """Main entry point for the CLI tool."""
+    opts, args = parse_args(sys.argv)
+
+    acls_to_check = args[1:]
+
+    if not opts.source_network and not opts.destination_network or not acls_to_check:
+        sys.exit("ERROR: No source or destination networks defined. Try -h for help.")
+
+    data = do_work(acls_to_check, opts)
+    print_report(data)
+
+
+if __name__ == "__main__":
+    main()