diff options
Diffstat (limited to 'plugins/module_utils')
7 files changed, 1354 insertions, 0 deletions
| diff --git a/plugins/module_utils/network/vyos/argspec/firewall_global/__init__.py b/plugins/module_utils/network/vyos/argspec/firewall_global/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/plugins/module_utils/network/vyos/argspec/firewall_global/__init__.py diff --git a/plugins/module_utils/network/vyos/argspec/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/argspec/firewall_global/firewall_global.py new file mode 100644 index 00000000..4c267732 --- /dev/null +++ b/plugins/module_utils/network/vyos/argspec/firewall_global/firewall_global.py @@ -0,0 +1,152 @@ +# +# -*- coding: utf-8 -*- +# Copyright 2019 Red Hat +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +############################################# +#                WARNING                    # +############################################# +# +# This file is auto generated by the resource +#   module builder playbook. +# +# Do not edit this file manually. +# +# Changes to this file will be over written +#   by the resource module builder. +# +# Changes should be made in the model used to +#   generate this file or in the resource module +#   builder template. +# +############################################# +""" +The arg spec for the vyos_firewall_global module +""" + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + + +class Firewall_globalArgs(object):  # pylint: disable=R0903 +    """The arg spec for the vyos_firewall_global module +    """ + +    def __init__(self, **kwargs): +        pass + +    argument_spec = { +        "config": { +            "options": { +                "config_trap": {"type": "bool"}, +                "group": { +                    "options": { +                        "address_group": { +                            "elements": "dict", +                            "options": { +                                "description": {"type": "str"}, +                                "members": { +                                    "elements": "dict", +                                    "options": {"address": {"type": "str"}}, +                                    "type": "list", +                                }, +                                "name": {"required": True, "type": "str"}, +                            }, +                            "type": "list", +                        }, +                        "network_group": { +                            "elements": "dict", +                            "options": { +                                "description": {"type": "str"}, +                                "members": { +                                    "elements": "dict", +                                    "options": {"address": {"type": "str"}}, +                                    "type": "list", +                                }, +                                "name": {"required": True, "type": "str"}, +                            }, +                            "type": "list", +                        }, +                        "port_group": { +                            "elements": "dict", +                            "options": { +                                "description": {"type": "str"}, +                                "members": { +                                    "elements": "dict", +                                    "options": {"port": {"type": "str"}}, +                                    "type": "list", +                                }, +                                "name": {"required": True, "type": "str"}, +                            }, +                            "type": "list", +                        }, +                    }, +                    "type": "dict", +                }, +                "log_martians": {"type": "bool"}, +                "ping": { +                    "options": { +                        "all": {"type": "bool"}, +                        "broadcast": {"type": "bool"}, +                    }, +                    "type": "dict", +                }, +                "route_redirects": { +                    "elements": "dict", +                    "options": { +                        "afi": { +                            "choices": ["ipv4", "ipv6"], +                            "required": True, +                            "type": "str", +                        }, +                        "icmp_redirects": { +                            "options": { +                                "receive": {"type": "bool"}, +                                "send": {"type": "bool"}, +                            }, +                            "type": "dict", +                        }, +                        "ip_src_route": {"type": "bool"}, +                    }, +                    "type": "list", +                }, +                "state_policy": { +                    "elements": "dict", +                    "options": { +                        "action": { +                            "choices": ["accept", "drop", "reject"], +                            "type": "str", +                        }, +                        "connection_type": { +                            "choices": ["established", "invalid", "related"], +                            "type": "str", +                        }, +                        "log": {"type": "bool"}, +                    }, +                    "type": "list", +                }, +                "syn_cookies": {"type": "bool"}, +                "twa_hazards_protection": {"type": "bool"}, +                "validation": { +                    "choices": ["strict", "loose", "disable"], +                    "type": "str", +                }, +            }, +            "type": "dict", +        }, +        "running_config": {"type": "str"}, +        "state": { +            "choices": [ +                "merged", +                "replaced", +                "deleted", +                "gathered", +                "rendered", +                "parsed", +            ], +            "default": "merged", +            "type": "str", +        }, +    }  # pylint: disable=C0301 diff --git a/plugins/module_utils/network/vyos/config/firewall_global/__init__.py b/plugins/module_utils/network/vyos/config/firewall_global/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/plugins/module_utils/network/vyos/config/firewall_global/__init__.py diff --git a/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py new file mode 100644 index 00000000..afc98538 --- /dev/null +++ b/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py @@ -0,0 +1,810 @@ +# +# -*- coding: utf-8 -*- +# Copyright 2019 Red Hat +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +""" +The vyos_firewall_global class +It is in this file where the current configuration (as dict) +is compared to the provided configuration (as dict) and the command set +necessary to bring the current configuration to it's desired end-state is +created +""" +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +from copy import deepcopy +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common.cfg.base import ( +    ConfigBase, +) +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common.utils import ( +    to_list, +    remove_empties, +) +from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.facts import ( +    Facts, +) +from ansible.module_utils.six import iteritems +from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.utils.utils import ( +    list_diff_want_only, +) + + +class Firewall_global(ConfigBase): +    """ +    The vyos_firewall_global class +    """ + +    gather_subset = [ +        "!all", +        "!min", +    ] + +    gather_network_resources = [ +        "firewall_global", +    ] + +    def __init__(self, module): +        super(Firewall_global, self).__init__(module) + +    def get_firewall_global_facts(self, data=None): +        """ Get the 'facts' (the current configuration) + +        :rtype: A dictionary +        :returns: The current configuration as a dictionary +        """ +        facts, _warnings = Facts(self._module).get_facts( +            self.gather_subset, self.gather_network_resources, data=data +        ) +        firewall_global_facts = facts["ansible_network_resources"].get( +            "firewall_global" +        ) +        if not firewall_global_facts: +            return [] +        return firewall_global_facts + +    def execute_module(self): +        """ Execute the module + +        :rtype: A dictionary +        :returns: The result from module execution +        """ +        result = {"changed": False} +        warnings = list() +        commands = list() + +        if self.state in self.ACTION_STATES: +            existing_firewall_global_facts = self.get_firewall_global_facts() +        else: +            existing_firewall_global_facts = [] + +        if self.state in self.ACTION_STATES or self.state == "rendered": +            commands.extend(self.set_config(existing_firewall_global_facts)) + +        if commands and self.state in self.ACTION_STATES: +            if not self._module.check_mode: +                self._connection.edit_config(commands) +            result["changed"] = True + +        if self.state in self.ACTION_STATES: +            result["commands"] = commands + +        if self.state in self.ACTION_STATES or self.state == "gathered": +            changed_firewall_global_facts = self.get_firewall_global_facts() +        elif self.state == "rendered": +            result["rendered"] = commands +        elif self.state == "parsed": +            running_config = self._module.params["running_config"] +            if not running_config: +                self._module.fail_json( +                    msg="value of running_config parameter must not be empty for state parsed" +                ) +            result["parsed"] = self.get_firewall_global_facts( +                data=running_config +            ) +        else: +            changed_firewall_global_facts = [] + +        if self.state in self.ACTION_STATES: +            result["before"] = existing_firewall_global_facts +            if result["changed"]: +                result["after"] = changed_firewall_global_facts +        elif self.state == "gathered": +            result["gathered"] = changed_firewall_global_facts + +        result["warnings"] = warnings +        return result + +    def set_config(self, existing_firewall_global_facts): +        """ Collect the configuration from the args passed to the module, +            collect the current configuration (as a dict from facts) + +        :rtype: A list +        :returns: the commands necessary to migrate the current configuration +                  to the desired configuration +        """ +        want = self._module.params["config"] +        have = existing_firewall_global_facts +        resp = self.set_state(want, have) +        return to_list(resp) + +    def set_state(self, w, h): +        """ Select the appropriate function based on the state provided + +        :param want: the desired configuration as a dictionary +        :param have: the current configuration as a dictionary +        :rtype: A list +        :returns: the commands necessary to migrate the current configuration +                  to the desired configuration +        """ +        commands = [] +        if self.state in ("merged", "replaced", "rendered") and not w: +            self._module.fail_json( +                msg="value of config parameter must not be empty for state {0}".format( +                    self.state +                ) +            ) +        if self.state == "deleted": +            commands.extend(self._state_deleted(want=None, have=h)) +        elif w: +            if self.state == "merged" or self.state == "rendered": +                commands.extend(self._state_merged(w, h)) +            elif self.state == "replaced": +                commands.extend(self._state_replaced(w, h)) +        return commands + +    def _state_replaced(self, want, have): +        """ The command generator when state is replaced +         :rtype: A list +         :returns: the commands necessary to migrate the current configuration +                   to the desired configuration +         """ +        commands = [] +        if have: +            commands.extend(self._state_deleted(have, want)) +        commands.extend(self._state_merged(want, have)) +        return commands + +    def _state_merged(self, want, have): +        """ The command generator when state is merged + +        :rtype: A list +        :returns: the commands necessary to merge the provided into +                  the current configuration +        """ +        commands = [] +        commands.extend(self._add_global_attr(want, have)) +        return commands + +    def _state_deleted(self, want, have): +        """ The command generator when state is deleted + +        :rtype: A list +        :returns: the commands necessary to remove the current configuration +                  of the provided objects +        """ +        commands = [] +        b_set = ( +            "config_trap", +            "validation", +            "log_martians", +            "syn_cookies", +            "twa_hazards_protection", +        ) +        if want: +            for key, val in iteritems(want): +                if val and key in b_set and not have: +                    commands.append(self._form_attr_cmd(attr=key, opr=False)) +                elif ( +                    val +                    and key in b_set +                    and have +                    and key in have +                    and have[key] != val +                ): +                    commands.append(self._form_attr_cmd(attr=key, opr=False)) +                else: +                    commands.extend(self._render_attr_config(want, have, key)) +        elif not want and have: +            commands.append(self._compute_command(opr=False)) +        elif have: +            for key, val in iteritems(have): +                if val and key in b_set: +                    commands.append(self._form_attr_cmd(attr=key, opr=False)) +                else: +                    commands.extend(self._render_attr_config(want, have, key)) +        return commands + +    def _render_attr_config(self, w, h, key, opr=False): +        """ +        This function invoke the function to extend commands +        based on the key. +        :param w: the desired configuration. +        :param h: the current configuration. +        :param key: attribute name +        :param opr: operation +        :return: list of commands +        """ +        commands = [] +        if key == "ping": +            commands.extend(self._render_ping(key, w, h, opr=opr)) +        elif key == "group": +            commands.extend(self._render_group(key, w, h, opr=opr)) +        elif key == "state_policy": +            commands.extend(self._render_state_policy(key, w, h, opr=opr)) +        elif key == "route_redirects": +            commands.extend(self._render_route_redirects(key, w, h, opr=opr)) +        return commands + +    def _add_global_attr(self, w, h, opr=True): +        """ +        This function forms the set/delete commands based on the 'opr' type +        for firewall_global attributes. +        :param w: the desired config. +        :param h: the target config. +        :param opr: True/False. +        :return: generated commands list. +        """ +        commands = [] +        w_fg = deepcopy(remove_empties(w)) +        l_set = ( +            "config_trap", +            "validation", +            "log_martians", +            "syn_cookies", +            "twa_hazards_protection", +        ) +        if w_fg: +            for key, val in iteritems(w_fg): +                if ( +                    opr +                    and key in l_set +                    and not (h and self._is_w_same(w_fg, h, key)) +                ): +                    commands.append( +                        self._form_attr_cmd( +                            attr=key, val=self._bool_to_str(val), opr=opr +                        ) +                    ) +                elif not opr: +                    if key and self._is_del(l_set, h): +                        commands.append( +                            self._form_attr_cmd( +                                attr=key, key=self._bool_to_str(val), opr=opr +                            ) +                        ) +                        continue +                    elif ( +                        key in l_set +                        and not (h and self._in_target(h, key)) +                        and not self._is_del(l_set, h) +                    ): +                        commands.append( +                            self._form_attr_cmd( +                                attr=key, val=self._bool_to_str(val), opr=opr +                            ) +                        ) +                else: +                    commands.extend( +                        self._render_attr_config(w_fg, h, key, opr) +                    ) +        return commands + +    def _render_ping(self, attr, w, h, opr): +        """ +        This function forms the commands for 'ping' attributes based on the 'opr'. +        :param attr: attribute name. +        :param w: the desired configuration. +        :param h: the target config. +        :param opr: True/False. +        :return: generated list of commands. +        """ +        commands = [] +        h_ping = {} +        l_set = ("all", "broadcast") +        if h: +            h_ping = h.get(attr) or {} +        if self._is_root_del(w[attr], h_ping, attr): +            for item, value in iteritems(h[attr]): +                if not opr and item in l_set: +                    commands.append(self._form_attr_cmd(attr=item, opr=opr)) +        elif w[attr]: +            if h and attr in h.keys(): +                h_ping = h.get(attr) or {} +            for item, value in iteritems(w[attr]): +                if ( +                    opr +                    and item in l_set +                    and not (h_ping and self._is_w_same(w[attr], h_ping, item)) +                ): +                    commands.append( +                        self._form_attr_cmd( +                            attr=item, val=self._bool_to_str(value), opr=opr +                        ) +                    ) +                elif ( +                    not opr +                    and item in l_set +                    and not (h_ping and self._is_w_same(w[attr], h_ping, item)) +                ): +                    commands.append(self._form_attr_cmd(attr=item, opr=opr)) +        return commands + +    def _render_group(self, attr, w, h, opr): +        """ +        This function forms the commands for 'group' attribute based on the 'opr'. +        :param attr: attribute name. +        :param w: base config. +        :param h: target config. +        :param opr: True/False. +        :return: generated list of commands. +        """ +        commands = [] +        h_grp = {} +        if not opr and self._is_root_del(h, w, attr): +            commands.append(self._form_attr_cmd(attr=attr, opr=opr)) +        else: +            if h: +                h_grp = h.get("group") or {} +            if w: +                commands.extend( +                    self._render_grp_mem("port-group", w["group"], h_grp, opr) +                ) +                commands.extend( +                    self._render_grp_mem( +                        "address_group", w["group"], h_grp, opr +                    ) +                ) +                commands.extend( +                    self._render_grp_mem( +                        "network_group", w["group"], h_grp, opr +                    ) +                ) +        return commands + +    def _render_grp_mem(self, attr, w, h, opr): +        """ +        This function forms the commands for group list/members attributes based on the 'opr'. +        :param attr: attribute name. +        :param w: the desired config. +        :param h: the target config. +        :param opr: True/False. +        :return: generated list of commands. +        """ +        commands = [] +        h_grp = [] +        w_grp = [] +        l_set = ("name", "description") +        if w: +            w_grp = w.get(attr) or [] +        if h: +            h_grp = h.get(attr) or [] + +        if w_grp: +            for want in w_grp: +                cmd = self._compute_command(key="group", attr=attr, opr=opr) +                h = self.search_attrib_in_have(h_grp, want, "name") +                for key, val in iteritems(want): +                    if val: +                        if ( +                            opr +                            and key in l_set +                            and not (h and self._is_w_same(want, h, key)) +                        ): +                            if key == "name": +                                commands.append(cmd + " " + str(val)) +                            else: +                                commands.append( +                                    cmd +                                    + " " +                                    + want["name"] +                                    + " " +                                    + key +                                    + " '" +                                    + str(want[key]) +                                    + "'" +                                ) +                        elif not opr and key in l_set: +                            if key == "name" and self._is_grp_del( +                                h, want, key +                            ): +                                commands.append(cmd + " " + want["name"]) +                                continue +                            elif not ( +                                h and self._in_target(h, key) +                            ) and not self._is_grp_del(h, want, key): +                                commands.append( +                                    cmd + " " + want["name"] + " " + key +                                ) +                        elif key == "members": +                            commands.extend( +                                self._render_ports_addrs( +                                    key, want, h, opr, cmd, want["name"], attr +                                ) +                            ) +        return commands + +    def _render_ports_addrs(self, attr, w, h, opr, cmd, name, type): +        """ +        This function forms the commands for port/address/network group members +        based on the 'opr'. +        :param attr: attribute name. +        :param w: the desired config. +        :param h: the target config. +        :param cmd: commands to be prepend. +        :param name: name of group. +        :param type: group type. +        :return: generated list of commands. +        """ +        commands = [] +        have = [] +        if w: +            want = w.get(attr) or [] +        if h: +            have = h.get(attr) or [] + +        if want: +            if opr: +                members = list_diff_want_only(want, have) +                for member in members: +                    commands.append( +                        cmd +                        + " " +                        + name +                        + " " +                        + self._grp_type(type) +                        + " " +                        + member[self._get_mem_type(type)] +                    ) +            elif not opr and have: +                members = list_diff_want_only(want, have) +                for member in members: +                    commands.append( +                        cmd +                        + " " +                        + name +                        + " " +                        + self._grp_type(type) +                        + " " +                        + member[self._get_mem_type(type)] +                    ) +        return commands + +    def _get_mem_type(self, group): +        """ +        This function returns the member type +        based on the type of group. +        """ +        return "port" if group == "port_group" else "address" + +    def _render_state_policy(self, attr, w, h, opr): +        """ +        This function forms the commands for 'state-policy' attributes +        based on the 'opr'. +        :param attr: attribute name. +        :param w: the desired config. +        :param h: the target config. +        :param opr: True/False. +        :return: generated list of commands. +        """ +        commands = [] +        have = [] +        l_set = ("log", "action", "connection_type") +        if not opr and self._is_root_del(h, w, attr): +            commands.append(self._form_attr_cmd(attr=attr, opr=opr)) +        else: +            w_sp = deepcopy(remove_empties(w)) +            want = w_sp.get(attr) or [] +            if h: +                have = h.get(attr) or [] +            if want: +                for w in want: +                    h = self.search_attrib_in_have(have, w, "connection_type") +                    for key, val in iteritems(w): +                        if val and key != "connection_type": +                            if ( +                                opr +                                and key in l_set +                                and not (h and self._is_w_same(w, h, key)) +                            ): +                                commands.append( +                                    self._form_attr_cmd( +                                        key=attr + " " + w["connection_type"], +                                        attr=key, +                                        val=self._bool_to_str(val), +                                        opr=opr, +                                    ) +                                ) +                            elif not opr and key in l_set: +                                if not ( +                                    h and self._in_target(h, key) +                                ) and not self._is_del(l_set, h): +                                    if key == "action": +                                        commands.append( +                                            self._form_attr_cmd( +                                                attr=attr +                                                + " " +                                                + w["connection_type"], +                                                opr=opr, +                                            ) +                                        ) +                                    else: +                                        commands.append( +                                            self._form_attr_cmd( +                                                attr=attr +                                                + " " +                                                + w["connection_type"], +                                                val=self._bool_to_str(val), +                                                opr=opr, +                                            ) +                                        ) +        return commands + +    def _render_route_redirects(self, attr, w, h, opr): +        """ +        This function forms the commands for 'route_redirects' attributes based on the 'opr'. +        :param attr: attribute name. +        :param w: the desired config. +        :param h: the target config. +        :param opr: True/False. +        :return: generated list of commands. +        """ +        commands = [] +        have = [] +        l_set = ("afi", "ip_src_route") + +        if w: +            want = w.get(attr) or [] +        if h: +            have = h.get(attr) or [] + +        if want: +            for w in want: +                h = self.search_attrib_in_have(have, w, "afi") +                for key, val in iteritems(w): +                    if val and key != "afi": +                        if ( +                            opr +                            and key in l_set +                            and not (h and self._is_w_same(w, h, key)) +                        ): +                            commands.append( +                                self._form_attr_cmd( +                                    attr=key, +                                    val=self._bool_to_str(val), +                                    opr=opr, +                                ) +                            ) +                        elif not opr and key in l_set: +                            if self._is_del(l_set, h): +                                commands.append( +                                    self._form_attr_cmd( +                                        attr=key, +                                        val=self._bool_to_str(val), +                                        opr=opr, +                                    ) +                                ) +                                continue +                            elif not ( +                                h and self._in_target(h, key) +                            ) and not self._is_del(l_set, h): +                                commands.append( +                                    self._form_attr_cmd( +                                        attr=key, +                                        val=self._bool_to_str(val), +                                        opr=opr, +                                    ) +                                ) +                        elif key == "icmp_redirects": +                            commands.extend( +                                self._render_icmp_redirects(key, w, h, opr) +                            ) +        return commands + +    def _render_icmp_redirects(self, attr, w, h, opr): +        """ +        This function forms the commands for 'icmp_redirects' attributes +        based on the 'opr'. +        :param attr: attribute name. +        :param w: the desired config. +        :param h: the target config. +        :param opr: True/False. +        :return: generated list of commands. +        """ +        commands = [] +        h_red = {} +        l_set = ("send", "receive") +        if w[attr]: +            if h and attr in h.keys(): +                h_red = h.get(attr) or {} +            for item, value in iteritems(w[attr]): +                if ( +                    opr +                    and item in l_set +                    and not (h_red and self._is_w_same(w[attr], h_red, item)) +                ): +                    commands.append( +                        self._form_attr_cmd( +                            attr=item, val=self._bool_to_str(value), opr=opr +                        ) +                    ) +                elif ( +                    not opr +                    and item in l_set +                    and not (h_red and self._is_w_same(w[attr], h_red, item)) +                ): +                    commands.append(self._form_attr_cmd(attr=item, opr=opr)) +        return commands + +    def search_attrib_in_have(self, have, want, attr): +        """ +        This function  returns the attribute if it is present in target config. +        :param have: the target config. +        :param want: the desired config. +        :param attr: attribute name . +        :return: attribute/None +        """ +        if have: +            for h in have: +                if h[attr] == want[attr]: +                    return h +        return None + +    def _form_attr_cmd(self, key=None, attr=None, val=None, opr=True): +        """ +        This function forms the command for leaf attribute. +        :param key: parent key. +        :param attr: attribute name +        :param value: value +        :param opr: True/False. +        :return: generated command. +        """ +        command = self._compute_command( +            key=key, attr=self._map_attrib(attr), val=val, opr=opr +        ) +        return command + +    def _compute_command( +        self, key=None, attr=None, val=None, remove=False, opr=True +    ): +        """ +        This function construct the add/delete command based on passed attributes. +        :param key: parent key. +        :param attr: attribute name +        :param value: value +        :param remove: True/False. +        :param opr: True/False. +        :return: generated command. +        """ +        if remove or not opr: +            cmd = "delete firewall " +        else: +            cmd = "set firewall " +        if key: +            cmd += key.replace("_", "-") + " " +        if attr: +            cmd += attr.replace("_", "-") +        if val and opr: +            cmd += " '" + str(val) + "'" +        return cmd + +    def _bool_to_str(self, val): +        """ +        This function converts the bool value into string. +        :param val: bool value. +        :return: enable/disable. +        """ +        return ( +            "enable" +            if str(val) == "True" +            else "disable" +            if str(val) == "False" +            else val +        ) + +    def _grp_type(self, val): +        """ +        This function returns the group member type based on value argument. +        :param val: value. +        :return: member type. +        """ +        return ( +            "address" +            if val == "address_group" +            else "network" +            if val == "network_group" +            else "port" +        ) + +    def _is_w_same(self, w, h, key): +        """ +        This function checks whether the key value is same in desired and +        target config dictionary. +        :param w: base config. +        :param h: target config. +        :param key:attribute name. +        :return: True/False. +        """ +        return True if h and key in h and h[key] == w[key] else False + +    def _in_target(self, h, key): +        """ +        This function checks whether the target exist and key present in target config. +        :param h: target config. +        :param key: attribute name. +        :return: True/False. +        """ +        return True if h and key in h else False + +    def _is_grp_del(self, w, h, key): +        """ +        This function checks whether group needed to be deleted based on +        desired and target configs. +        :param w: the desired config. +        :param h: the target config. +        :param key: group name. +        :return: True/False. +        """ +        return ( +            True +            if h and key in h and (not w or key not in w or not w[key]) +            else False +        ) + +    def _is_root_del(self, w, h, key): +        """ +        This function checks whether a root attribute which can have +        further child attributes needed to be deleted. +        :param w: the desired config. +        :param h: the target config. +        :param key: attribute name. +        :return: True/False. +        """ +        return ( +            True +            if h and key in h and (not w or key not in w or not w[key]) +            else False +        ) + +    def _is_del(self, b_set, h, key="number"): +        """ +        This function checks whether attribute needs to be deleted +        when operation is false and attribute present in present target config. +        :param b_set: attribute set. +        :param h: target config. +        :param key: number. +        :return: True/False. +        """ +        return key in b_set and not (h and self._in_target(h, key)) + +    def _map_attrib(self, attrib, type=None): +        """ +        - This function construct the regex string. +        - replace the underscore with hyphen. +        :param attrib: attribute +        :return: regex string +        """ +        regex = attrib.replace("_", "-") +        if attrib == "send": +            if type == "ipv6": +                regex = "ipv6-send-redirects" +            else: +                regex = "send-redirects" +        elif attrib == "ip_src_route": +            if type == "ipv6": +                regex = "ipv6-src-route" +        elif attrib == "receive": +            if type == "ipv6": +                regex = "ipv6-receive-redirects" +            else: +                regex = "receive-redirects" +        elif attrib == "disabled": +            regex = "disable" +        elif attrib == "all": +            regex = "all-ping" +        elif attrib == "broadcast": +            regex = "broadcast-ping" +        elif attrib == "validation": +            regex = "source-validation" +        return regex diff --git a/plugins/module_utils/network/vyos/facts/facts.py b/plugins/module_utils/network/vyos/facts/facts.py index 8f0a3bb6..6e6a82be 100644 --- a/plugins/module_utils/network/vyos/facts/facts.py +++ b/plugins/module_utils/network/vyos/facts/facts.py @@ -33,6 +33,9 @@ from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.firew  from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.static_routes.static_routes import (      Static_routesFacts,  ) +from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.firewall_global.firewall_global import ( +    Firewall_globalFacts, +)  from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.legacy.base import (      Default,      Neighbors, @@ -49,6 +52,7 @@ FACT_RESOURCE_SUBSETS = dict(      lldp_interfaces=Lldp_interfacesFacts,      static_routes=Static_routesFacts,      firewall_rules=Firewall_rulesFacts, +    firewall_global=Firewall_globalFacts,  ) diff --git a/plugins/module_utils/network/vyos/facts/firewall_global/__init__.py b/plugins/module_utils/network/vyos/facts/firewall_global/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/plugins/module_utils/network/vyos/facts/firewall_global/__init__.py diff --git a/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py new file mode 100644 index 00000000..08232596 --- /dev/null +++ b/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py @@ -0,0 +1,388 @@ +# +# -*- coding: utf-8 -*- +# Copyright 2019 Red Hat +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +""" +The vyos firewall_global fact class +It is in this file the configuration is collected from the device +for a given resource, parsed, and the facts tree is populated +based on the configuration. +""" +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +from copy import deepcopy +from re import findall, search, M +from ansible_collections.ansible.netcommon.plugins.module_utils.network.common import ( +    utils, +) +from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.argspec.firewall_global.firewall_global import ( +    Firewall_globalArgs, +) + + +class Firewall_globalFacts(object): +    """ The vyos firewall_global fact class +    """ + +    def __init__(self, module, subspec="config", options="options"): +        self._module = module +        self.argument_spec = Firewall_globalArgs.argument_spec +        spec = deepcopy(self.argument_spec) +        if subspec: +            if options: +                facts_argument_spec = spec[subspec][options] +            else: +                facts_argument_spec = spec[subspec] +        else: +            facts_argument_spec = spec + +        self.generated_spec = utils.generate_dict(facts_argument_spec) + +    def get_device_data(self, connection): +        return connection.get_config() + +    def populate_facts(self, connection, ansible_facts, data=None): +        """ Populate the facts for firewall_global +        :param connection: the device connection +        :param ansible_facts: Facts dictionary +        :param data: previously collected conf +        :rtype: dictionary +        :returns: facts +        """ +        if not data: +            # typically data is populated from the current device configuration +            # data = connection.get('show running-config | section ^interface') +            # using mock data instead +            data = self.get_device_data(connection) +        objs = {} +        firewalls = findall(r"^set firewall .*$", data, M) +        if firewalls: +            objs = self.render_config(firewalls) +        facts = {} +        params = utils.validate_config(self.argument_spec, {"config": objs}) +        facts["firewall_global"] = utils.remove_empties(params["config"]) +        ansible_facts["ansible_network_resources"].update(facts) +        return ansible_facts + +    def render_config(self, conf): +        """ +        Render config as dictionary structure and delete keys +          from spec for null values + +        :param spec: The facts tree, generated from the argspec +        :param conf: The configuration +        :rtype: dictionary +        :returns: The generated config +        """ +        conf = "\n".join( +            filter( +                lambda x: ("firewall ipv6-name" and "firewall name" not in x), +                conf, +            ) +        ) + +        a_lst = [ +            "config_trap", +            "validation", +            "log_martians", +            "syn_cookies", +            "twa_hazards_protection", +        ] +        firewall = self.parse_attr(conf, a_lst) +        f_sub = { +            "ping": self.parse_ping(conf), +            "group": self.parse_group(conf), +            "route_redirects": self.route_redirects(conf), +            "state_policy": self.parse_state_policy(conf), +        } +        firewall.update(f_sub) +        return firewall + +    def route_redirects(self, conf): +        """ +        This function forms the regex to fetch the afi and invoke +        functions to fetch route redirects and source routes +        :param conf: configuration data. +        :return: generated rule list configuration. +        """ +        rr_lst = [] + +        v6_attr = findall( +            r"^set firewall (?:ipv6-src-route|ipv6-receive-redirects) (\S+)", +            conf, +            M, +        ) +        if v6_attr: +            obj = self.parse_rr_attrib(conf, "ipv6") +            if obj: +                rr_lst.append(obj) + +        v4_attr = findall( +            r"^set firewall (?:ip-src-route|receive-redirects|send-redirects) (\S+)", +            conf, +            M, +        ) +        if v4_attr: +            obj = self.parse_rr_attrib(conf, "ipv4") +            if obj: +                rr_lst.append(obj) +        return rr_lst + +    def parse_rr_attrib(self, conf, attrib=None): +        """ +        This function fetches the 'ip_src_route' +        invoke function to parse icmp redirects. +        :param conf: configuration to be parsed. +        :param attrib: 'ipv4/ipv6'. +        :return: generated config dictionary. +        """ + +        cfg_dict = self.parse_attr(conf, ["ip_src_route"], type=attrib) +        cfg_dict["icmp_redirects"] = self.parse_icmp_redirects(conf, attrib) +        cfg_dict["afi"] = attrib +        return cfg_dict + +    def parse_icmp_redirects(self, conf, attrib=None): +        """ +        This function triggers the parsing of 'icmp_redirects' attributes. +        :param conf: configuration to be parsed. +        :param attrib: 'ipv4/ipv6'. +        :return: generated config dictionary. +        """ +        a_lst = ["send", "receive"] +        cfg_dict = self.parse_attr(conf, a_lst, type=attrib) +        return cfg_dict + +    def parse_ping(self, conf): +        """ +        This function triggers the parsing of 'ping' attributes. +        :param conf: configuration to be parsed. +        :return: generated config dictionary. +        """ +        a_lst = ["all", "broadcast"] +        cfg_dict = self.parse_attr(conf, a_lst) +        return cfg_dict + +    def parse_state_policy(self, conf): +        """ +        This function fetched the connecton type and invoke +        function to parse other state-policy attributes. +        :param conf: configuration data. +        :return: generated rule list configuration. +        """ +        sp_lst = [] +        attrib = "state-policy" +        policies = findall(r"^set firewall " + attrib + " (\\S+)", conf, M) + +        if policies: +            rules_lst = [] +            for sp in set(policies): +                sp_regex = r" %s .+$" % sp +                cfg = "\n".join(findall(sp_regex, conf, M)) +                obj = self.parse_policies(cfg, sp) +                obj["connection_type"] = sp +                if obj: +                    rules_lst.append(obj) +            sp_lst = sorted(rules_lst, key=lambda i: i["connection_type"]) +        return sp_lst + +    def parse_policies(self, conf, attrib=None): +        """ +        This function triggers the parsing of policy attributes +        action and log. +        :param conf: configuration +        :param attrib: connection type. +        :return: generated rule configuration dictionary. +        """ +        a_lst = ["action", "log"] +        cfg_dict = self.parse_attr(conf, a_lst, match=attrib) +        return cfg_dict + +    def parse_group(self, conf): +        """ +        This function triggers the parsing of 'group' attributes. +        :param conf: configuration. +        :return: generated config dictionary. +        """ +        cfg_dict = {} +        cfg_dict["port_group"] = self.parse_group_lst(conf, "port-group") +        cfg_dict["address_group"] = self.parse_group_lst(conf, "address-group") +        cfg_dict["network_group"] = self.parse_group_lst(conf, "network-group") +        return cfg_dict + +    def parse_group_lst(self, conf, type): +        """ +        This function fetches the name of group and invoke function to +        parse group attributes'. +        :param conf: configuration data. +        :param type: type of group. +        :return: generated group list configuration. +        """ +        g_lst = [] + +        groups = findall(r"^set firewall group " + type + " (\\S+)", conf, M) +        if groups: +            rules_lst = [] +            for gr in set(groups): +                gr_regex = r" %s .+$" % gr +                cfg = "\n".join(findall(gr_regex, conf, M)) +                obj = self.parse_groups(cfg, type, gr) +                obj["name"] = gr.strip("'") +                if obj: +                    rules_lst.append(obj) +            g_lst = sorted(rules_lst, key=lambda i: i["name"]) +        return g_lst + +    def parse_groups(self, conf, type, name): +        """ +        This function fetches the description and invoke +        the parsing of group members. +        :param conf: configuration. +        :param type: type of group. +        :param name: name of group. +        :return: generated configuration dictionary. +        """ +        a_lst = ["name", "description"] +        group = self.parse_attr(conf, a_lst) +        key = self.get_key(type) +        r_sub = {key[0]: self.parse_address_port_lst(conf, name, key[1])} +        group.update(r_sub) +        return group + +    def parse_address_port_lst(self, conf, name, key): +        """ +        This function forms the regex to fetch the +        group members attributes. +        :param conf: configuration data. +        :param name: name of group. +        :param key: key value. +        :return: generated member list configuration. +        """ +        l_lst = [] +        attribs = findall(r"^.*" + name + " " + key + " (\\S+)", conf, M) +        if attribs: +            for attr in attribs: +                if key == "port": +                    l_lst.append({"port": attr.strip("'")}) +                else: +                    l_lst.append({"address": attr.strip("'")}) +        return l_lst + +    def parse_attr(self, conf, attr_list, match=None, type=None): +        """ +        This function peforms the following: +        - Form the regex to fetch the required attribute config. +        - Type cast the output in desired format. +        :param conf: configuration. +        :param attr_list: list of attributes. +        :param match: parent node/attribute name. +        :return: generated config dictionary. +        """ +        config = {} +        for attrib in attr_list: +            regex = self.map_regex(attrib, type) +            if match: +                regex = match + " " + regex +            if conf: +                if self.is_bool(attrib): +                    attr = self.map_regex(attrib, type) +                    out = conf.find(attr.replace("_", "-")) +                    dis = conf.find(attr.replace("_", "-") + " 'disable'") +                    if out >= 1: +                        if dis >= 1: +                            config[attrib] = False +                        else: +                            config[attrib] = True +                else: +                    out = search(r"^.*" + regex + " (.+)", conf, M) +                    if out: +                        val = out.group(1).strip("'") +                        if self.is_num(attrib): +                            val = int(val) +                        config[attrib] = val +        return config + +    def get_key(self, type): +        """ +        This function map the group type to +        member type +        :param type: +        :return: +        """ +        key = () +        if type == "port-group": +            key = ("members", "port") +        elif type == "address-group": +            key = ("members", "address") +        elif type == "network-group": +            key = ("members", "network") +        return key + +    def map_regex(self, attrib, type=None): +        """ +        - This function construct the regex string. +        - replace the underscore with hyphen. +        :param attrib: attribute +        :return: regex string +        """ +        regex = attrib.replace("_", "-") +        if attrib == "all": +            regex = "all-ping" +        elif attrib == "disabled": +            regex = "disable" +        elif attrib == "broadcast": +            regex = "broadcast-ping" +        elif attrib == "send": +            if type == "ipv6": +                regex = "ipv6-send-redirects" +            else: +                regex = "send-redirects" +        elif attrib == "ip_src_route": +            if type == "ipv6": +                regex = "ipv6-src-route" +        elif attrib == "receive": +            if type == "ipv6": +                regex = "ipv6-receive-redirects" +            else: +                regex = "receive-redirects" +        return regex + +    def is_num(self, attrib): +        """ +        This function looks for the attribute in predefined integer type set. +        :param attrib: attribute. +        :return: True/false. +        """ +        num_set = ("time", "code", "type", "count", "burst", "number") +        return True if attrib in num_set else False + +    def get_src_route(self, attrib): +        """ +        This function looks for the attribute in predefined integer type set. +        :param attrib: attribute. +        :return: True/false. +        """ +        return "ipv6_src_route" if attrib == "ipv6" else "ip_src_route" + +    def is_bool(self, attrib): +        """ +        This function looks for the attribute in predefined bool type set. +        :param attrib: attribute. +        :return: True/False +        """ +        bool_set = ( +            "all", +            "log", +            "send", +            "receive", +            "broadcast", +            "config_trap", +            "log_martians", +            "syn_cookies", +            "ip_src_route", +            "twa_hazards_protection", +        ) +        return True if attrib in bool_set else False | 
