/**
 * Exposes this network object as a by-name {@link IpSpace} reference.
 *
 * <p>Only the name is carried; the reference is resolved against the configuration's named IP
 * spaces by whoever consumes it, so an undefined object is not detected here. The description
 * is a human-readable label for tracing.
 */
@Override
@Nonnull
public IpSpace toIpSpace() {
  String traceDescription = String.format("Match network object: '%s'", _name);
  return new IpSpaceReference(_name, traceDescription);
}
}
/**
 * Exposes this network object-group as a by-name {@link IpSpace} reference.
 *
 * <p>Only the name is carried; the reference is resolved against the configuration's named IP
 * spaces by whoever consumes it, so an undefined group is not detected here. The description
 * is a human-readable label for tracing.
 */
@Override
@Nonnull
public IpSpace toIpSpace() {
  String traceDescription = String.format("Match network object-group: '%s'", _name);
  return new IpSpaceReference(_name, traceDescription);
}
}
/**
 * Rebuilds a reference with its name passed through {@code _renamer}; the description is kept
 * verbatim so trace output still reads the same after renaming.
 */
@Override
public IpSpace visitIpSpaceReference(IpSpaceReference ipSpaceReference) {
  String renamedTarget = _renamer.apply(ipSpaceReference.getName());
  String description = ipSpaceReference.getDescription();
  return new IpSpaceReference(renamedTarget, description);
}
/**
 * Constrains the destination IPs of the header space being built to a named global address-book
 * entry. The name is prefixed with {@code GLOBAL_ADDRESS_BOOK_PREFIX}, presumably matching how
 * global entries are keyed among the named IP spaces — confirm against the producer of those keys.
 */
@Override
public Void visitNatRuleMatchDstAddrName(NatRuleMatchDstAddrName natRuleMatchDstAddrName) {
  String qualifiedName = GLOBAL_ADDRESS_BOOK_PREFIX + natRuleMatchDstAddrName.getName();
  IpSpace destination = new IpSpaceReference(qualifiedName);
  _headerSpace.setDstIps(destination);
  return null;
}
/**
 * Constrains the source IPs of the header space being built to a named global address-book
 * entry. The name is prefixed with {@code GLOBAL_ADDRESS_BOOK_PREFIX}, presumably matching how
 * global entries are keyed among the named IP spaces — confirm against the producer of those keys.
 */
@Override
public Void visitNatRuleMatchSrcAddrName(NatRuleMatchSrcAddrName natRuleMatchSrcAddrName) {
  String qualifiedName = GLOBAL_ADDRESS_BOOK_PREFIX + natRuleMatchSrcAddrName.getName();
  IpSpace source = new IpSpaceReference(qualifiedName);
  _headerSpace.setSrcIps(source);
  return null;
}
/**
 * Handles a {@code group-object} line nested in the current network object-group: the referenced
 * group is added by name, and the reference is recorded with its source line so that a missing
 * definition can be reported later.
 */
@Override
public void exitOggn_group_object(Oggn_group_objectContext ctx) {
  String referencedGroup = ctx.name.getText();
  int sourceLine = ctx.name.start.getLine();
  _currentNetworkObjectGroup.getLines().add(new IpSpaceReference(referencedGroup));
  _configuration.referenceStructure(
      NETWORK_OBJECT_GROUP, referencedGroup, NETWORK_OBJECT_GROUP_GROUP_OBJECT, sourceLine);
}
/**
 * Handles a {@code group-object} line of the current network object-group: the referenced group
 * is added by name, and the reference is recorded with its source line so that a missing
 * definition can be reported later.
 */
@Override
public void exitOgn_group_object(Ogn_group_objectContext ctx) {
  String referencedGroup = ctx.name.getText();
  int sourceLine = ctx.name.start.getLine();
  _currentNetworkObjectGroup.getLines().add(new IpSpaceReference(referencedGroup));
  _configuration.referenceStructure(
      NETWORK_OBJECT_GROUP, referencedGroup, NETWORK_OBJECT_GROUP_GROUP_OBJECT, sourceLine);
}
/**
 * Converts one address book into named {@link IpSpace}s, keyed {@code bookName~entryName}.
 *
 * <p>An entry that has sub-entries becomes an {@link AclIpSpace} permitting each sub-entry by
 * name (resolved later, so a dangling sub-entry is not caught here); a leaf entry becomes the
 * set of its IP wildcards. A composite entry's own wildcards, if it has any, are not consulted.
 *
 * @param bookName prefix used for every key produced (the book's name)
 * @param book the address book to convert
 * @return a sorted map from qualified entry name to its IP space
 */
private Map<String, IpSpace> toIpSpaces(String bookName, AddressBook book) {
  Map<String, IpSpace> spacesByName = new TreeMap<>();
  book.getEntries()
      .forEach(
          (shortName, entry) -> {
            String qualifiedName = bookName + "~" + shortName;
            if (entry.getEntries().isEmpty()) {
              spacesByName.put(
                  qualifiedName,
                  IpWildcardSetIpSpace.builder().including(entry.getIpWildcards(_w)).build());
              return;
            }
            // Composite entry: permit each member by reference, in the members' iteration order.
            AclIpSpace.Builder composite = AclIpSpace.builder();
            for (String memberName : entry.getEntries().keySet()) {
              composite.thenPermitting(new IpSpaceReference(bookName + "~" + memberName));
            }
            spacesByName.put(qualifiedName, composite.build());
          });
  return spacesByName;
}
/**
 * Adds the referenced address-book entry to the destination-IP constraint of {@code
 * headerSpaceBuilder}: the zone's book is used when a zone is set, otherwise the global book.
 *
 * <p>The entry is referenced by its qualified name ({@code book~entry}) and must therefore be
 * resolvable among the named IP spaces of the final configuration. {@code jc}, {@code w} and
 * {@code c} are required by the interface but unused here.
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  AddressBook book = _zone != null ? _zone.getAddressBook() : _globalAddressBook;
  String qualifiedName =
      book.getAddressBookName(_addressBookEntryName) + "~" + _addressBookEntryName;
  IpSpace reference = new IpSpaceReference(qualifiedName);
  IpSpace alreadySet = headerSpaceBuilder.getDstIps();
  // Union the reference with any constraint already present, reference first.
  IpSpace combined =
      alreadySet == null
          ? AclIpSpace.union(reference)
          : AclIpSpace.union(ImmutableList.of(reference, alreadySet));
  headerSpaceBuilder.setDstIps(combined);
}
}
/**
 * Adds the referenced address-book entry to the source-IP constraint of {@code
 * headerSpaceBuilder}: the zone's book is used when a zone is set, otherwise the global book.
 *
 * <p>The entry is referenced by its qualified name ({@code book~entry}) and must therefore be
 * resolvable among the named IP spaces of the final configuration. {@code jc}, {@code w} and
 * {@code c} are required by the interface but unused here.
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  AddressBook book = _zone != null ? _zone.getAddressBook() : _globalAddressBook;
  String qualifiedName =
      book.getAddressBookName(_addressBookEntryName) + "~" + _addressBookEntryName;
  IpSpace reference = new IpSpaceReference(qualifiedName);
  IpSpace alreadySet = headerSpaceBuilder.getSrcIps();
  // Union the reference with any constraint already present, reference first.
  IpSpace combined =
      alreadySet == null
          ? AclIpSpace.union(reference)
          : AclIpSpace.union(ImmutableList.of(reference, alreadySet));
  headerSpaceBuilder.setSrcIps(combined);
}
}
/**
 * Two named spaces that reference each other must be rejected when converted to a BDD, rather
 * than recursing forever; the error names the space at which the cycle was detected.
 */
@Test
public void testCircularIpSpaceReference() {
  IpSpace refToFoo = new IpSpaceReference("foo");
  IpSpace refToBar = new IpSpaceReference("bar");
  // "foo" resolves to a reference to "bar", which resolves back to "foo".
  Map<String, IpSpace> cyclicSpaces = ImmutableMap.of("foo", refToBar, "bar", refToFoo);
  IpSpaceToBDD converter = new IpSpaceToBDD(_ipAddrBdd, cyclicSpaces);

  exception.expect(BatfishException.class);
  exception.expectMessage("Circular IpSpaceReference: foo");
  refToFoo.accept(converter);
}
}
/** A reference to a named space converts to exactly the BDD of the space it names. */
@Test
public void testIpSpaceReference() {
  Ip host = Ip.parse("1.1.1.1");
  Map<String, IpSpace> namedSpaces = ImmutableMap.of("foo", host.toIpSpace());
  IpSpaceToBDD converter = new IpSpaceToBDD(_ipAddrBdd, namedSpaces);

  BDD direct = host.toIpSpace().accept(converter);
  BDD viaReference = new IpSpaceReference("foo").accept(converter);

  assertThat(viaReference, equalTo(direct));
}
/**
 * An ACL line whose source-IP constraint references an undefined named space is sanitized into
 * a single unmatchable line rather than failing or silently matching anything.
 */
@Test
public void testWithUndefinedIpSpaceReference() {
  HeaderSpace danglingSource =
      HeaderSpace.builder().setSrcIps(new IpSpaceReference("???")).build();
  IpAccessListLine line =
      IpAccessListLine.accepting()
          .setMatchCondition(new MatchHeaderSpace(danglingSource))
          .build();
  _aclb.setLines(ImmutableList.of(line)).build();

  List<AclSpecs> specs = getAclSpecs(ImmutableSet.of("c1"));

  assertThat(specs, hasSize(1));
  AclSpecs onlySpec = specs.get(0);
  // The undefined reference is replaced by UNMATCHABLE in the sanitized ACL.
  assertThat(onlySpec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE)));
}
/** Converting a reference to a name that is not among the named spaces is an argument error. */
@Test
public void testUndefinedIpSpaceReference() {
  IpSpace dangling = new IpSpaceReference("foo");

  exception.expect(IllegalArgumentException.class);
  exception.expectMessage("Undefined IpSpace reference: foo");
  dangling.accept(_ipSpaceToBdd);
}
/**
 * Handles one {@code network-object} line of a network object-group. The line becomes either a
 * literal wildcard space (prefix, address plus wildcard mask, or single address) or a by-name
 * reference to another network object; any other shape is red-flagged and skipped.
 */
@Override
public void exitOgn_network_object(Ogn_network_objectContext ctx) {
  IpSpace lineSpace = networkObjectLineToIpSpace(ctx);
  if (lineSpace == null) {
    _w.redFlag("Unimplemented object-group network line: " + getFullText(ctx));
    return;
  }
  _currentNetworkObjectGroup.getLines().add(lineSpace);
}

/**
 * Returns the IP space denoted by a network-object line, checking the alternatives in the same
 * order as the grammar alternatives are tried, or null when none applies. A by-name line also
 * records the reference (with its source line) for later undefined-structure checks.
 */
private IpSpace networkObjectLineToIpSpace(Ogn_network_objectContext ctx) {
  if (ctx.prefix != null) {
    return new IpWildcard(ctx.prefix.getText()).toIpSpace();
  }
  if (ctx.wildcard_address != null && ctx.wildcard_mask != null) {
    // In a wildcard mask a zero bit means "don't care", which is the inverse of IpWildcard's
    // mask convention, so invert it before building the wildcard.
    return new IpWildcard(toIp(ctx.wildcard_address), toIp(ctx.wildcard_mask).inverted())
        .toIpSpace();
  }
  if (ctx.address != null) {
    return new IpWildcard(ctx.address.getText()).toIpSpace();
  }
  if (ctx.name != null) {
    String referencedObject = ctx.name.getText();
    _configuration.referenceStructure(
        NETWORK_OBJECT,
        referencedObject,
        NETWORK_OBJECT_GROUP_NETWORK_OBJECT,
        ctx.name.start.getLine());
    return new IpSpaceReference(referencedObject);
  }
  return null;
}
/**
 * Dereferencing an {@link AclIpSpace} replaces every referenced line with the named space it
 * points to, keeping line order and permit/reject actions; non-reference lines pass through.
 */
@Test
public void testAclIpSpace() {
  IpSpaceDereferencer dereferencer = new IpSpaceDereferencer(NAMED_IP_SPACES);

  AclIpSpace withReferences =
      AclIpSpace.builder()
          .thenPermitting(new IpSpaceReference("empty"))
          .thenRejecting(new IpSpaceReference("prefix"))
          .thenPermitting(new IpSpaceReference("namedIp"))
          .thenRejecting(UniverseIpSpace.INSTANCE)
          .build();

  // NOTE(review): the input references "namedIp" while the expectation uses the "ip" entry —
  // presumably NAMED_IP_SPACES maps "namedIp" onto the "ip" space; confirm against the fixture.
  AclIpSpace dereferenced =
      AclIpSpace.builder()
          .thenPermitting(NAMED_IP_SPACES.get("empty"))
          .thenRejecting(NAMED_IP_SPACES.get("prefix"))
          .thenPermitting(NAMED_IP_SPACES.get("ip"))
          .thenRejecting(UniverseIpSpace.INSTANCE)
          .build();

  assertThat(dereferencer.visitAclIpSpace(withReferences), equalTo(dereferenced));
}
}
/**
 * When the only ACL line matches destinations in a named {@link AclIpSpace} that denies
 * everything, the trace records just the ACL's own default deny (no IP-space-level event).
 */
@Test
public void testDefaultDeniedByNamedAclIpSpace() {
  AclIpSpace denyEverything = AclIpSpace.DENY_ALL;
  HeaderSpace toNamedSpace =
      HeaderSpace.builder().setDstIps(new IpSpaceReference(ACL_IP_SPACE_NAME)).build();
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(IpAccessListLine.acceptingHeaderSpace(toNamedSpace)))
          .build();

  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> namedIpSpaces = ImmutableMap.of(ACL_IP_SPACE_NAME, denyEverything);
  Map<String, IpSpaceMetadata> namedIpSpaceMetadata =
      ImmutableMap.of(ACL_IP_SPACE_NAME, new IpSpaceMetadata(ACL_IP_SPACE_NAME, TEST_ACL));

  AclTrace trace =
      AclTracer.trace(
          acl, FLOW, SRC_INTERFACE, availableAcls, namedIpSpaces, namedIpSpaceMetadata);

  assertThat(
      trace,
      hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * Same as the DENY_ALL-space case, but the named {@link AclIpSpace} is built from an explicit
 * deny-all line: the trace still shows only the ACL's default deny.
 */
@Test
public void testDeniedByNamedAclIpSpaceLine() {
  AclIpSpace denyByLine = AclIpSpace.of(AclIpSpaceLine.DENY_ALL);
  HeaderSpace toNamedSpace =
      HeaderSpace.builder().setDstIps(new IpSpaceReference(ACL_IP_SPACE_NAME)).build();
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(IpAccessListLine.acceptingHeaderSpace(toNamedSpace)))
          .build();

  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> namedIpSpaces = ImmutableMap.of(ACL_IP_SPACE_NAME, denyByLine);
  Map<String, IpSpaceMetadata> namedIpSpaceMetadata =
      ImmutableMap.of(ACL_IP_SPACE_NAME, new IpSpaceMetadata(ACL_IP_SPACE_NAME, TEST_ACL));

  AclTrace trace =
      AclTracer.trace(
          acl, FLOW, SRC_INTERFACE, availableAcls, namedIpSpaces, namedIpSpaceMetadata);

  assertThat(
      trace,
      hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * A named single-host space ({@code Ip.MAX}) that the flow's destination does not belong to
 * leaves the ACL's only line unmatched, so the trace holds just the ACL's default deny.
 */
@Test
public void testDeniedByNamedSimpleIpSpace() {
  String spaceName = "aclIpSpace";
  HeaderSpace toNamedSpace =
      HeaderSpace.builder().setDstIps(new IpSpaceReference(spaceName)).build();
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(IpAccessListLine.acceptingHeaderSpace(toNamedSpace)))
          .build();

  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> namedIpSpaces = ImmutableMap.of(spaceName, Ip.MAX.toIpSpace());
  Map<String, IpSpaceMetadata> namedIpSpaceMetadata =
      ImmutableMap.of(spaceName, new IpSpaceMetadata(spaceName, TEST_ACL));

  AclTrace trace =
      AclTracer.trace(
          acl, FLOW, SRC_INTERFACE, availableAcls, namedIpSpaces, namedIpSpaceMetadata);

  assertThat(
      trace,
      hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * A rejecting line whose source-IP constraint references the named space "ipSpace" is sanitized
 * into an equivalent line over the concrete space (here the host 1.2.3.4), with the reference
 * resolved away.
 */
@Test
public void testWithIpSpaceReference() {
  HeaderSpace fromNamedSpace =
      HeaderSpace.builder().setSrcIps(new IpSpaceReference("ipSpace")).build();
  IpAccessListLine rejectNamed =
      IpAccessListLine.rejecting()
          .setMatchCondition(new MatchHeaderSpace(fromNamedSpace))
          .build();
  _aclb.setLines(ImmutableList.of(rejectNamed)).build();

  List<AclSpecs> specs = getAclSpecs(ImmutableSet.of("c1"));

  assertThat(specs, hasSize(1));
  AclSpecs onlySpec = specs.get(0);
  // After sanitizing, the line rejects the resolved host directly instead of by reference.
  HeaderSpace fromResolvedHost =
      HeaderSpace.builder().setSrcIps(Ip.parse("1.2.3.4").toIpSpace()).build();
  assertThat(
      onlySpec.acl.getSanitizedAcl().getLines(),
      equalTo(ImmutableList.of(rejectingHeaderSpace(fromResolvedHost))));
}