Skip to content

Commit

Permalink
Citrix NetScaler Parser (networktocode#153)
Browse files Browse the repository at this point in the history 
* feat: Add parser for Citrix NetScaler

* test: ✅ Add compliance tests for NetScaler

* docs: 📝 Update docs to add NetScaler parser to list

* test: ✅ Add tests for cmdPolicy and ssl features

* docs: 📝 Add documentation around parent/child missing in NS parser

* docs: 📝 Fix indentation in documentation

* revert: Revert indentation

* revert: Revert deleted empty line

Co-authored-by: Justin Drew <[email protected]>
  • Loading branch information
@jdrew82 @itdependsnetworks
2 people authored and itdependsnetworks committed Nov 3, 2022
1 parent 1f61b97 commit 2cc2dca
Show file tree
Hide file tree
Showing 10 changed files with 462 additions and 1 deletion.
6 changes: 5 additions & 1 deletion docs/dev/dev_config.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ The "ltm rule" configuration sections are not uniform nor standardized; therefor

The section banners have been simplified to extract the section header itself. This means that `echo "System Configuration"` will be converted to just "System Configuration".

### Citrix NetScaler Parser

As the NetScaler configuration uses each line to make a specific configuration change there is no support for parent/child relationships in the parser.

### Duplicate Line Detection

In some circumstances replacing lines, such as secrets without uniqueness in the replacement, will result in duplicated lines that are invalid configuration, such as::
Expand Down Expand Up @@ -68,4 +72,4 @@ There are a series of considerations documented below, when developing a new par
- Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`.
- Generally on the `__init__` should call the `build_config_relationship` method.
- Often can inherit directly from `CiscoConfigParser`.
- Observe the existing patterns, make use of `super`, and inheritance to reuse existing code.
- Observe the existing patterns, make use of `super`, and inheritance to reuse existing code.
1 change: 1 addition & 0 deletions docs/dev/include_parser_list.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
| cisco_asa | netutils.config.parser.ASAConfigParser |
| cisco_ios | netutils.config.parser.IOSConfigParser |
| cisco_nxos | netutils.config.parser.NXOSConfigParser |
| citrix_netscaler | netutils.config.parser.NetscalerConfigParser |
| fortinet_fortios | netutils.config.parser.FortinetConfigParser |
| juniper_junos | netutils.config.parser.JunosConfigParser |
| linux | netutils.config.parser.LINUXConfigParser |
Expand Down
1 change: 1 addition & 0 deletions netutils/config/compliance.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
"cisco_asa": parser.ASAConfigParser,
"fortinet_fortios": parser.FortinetConfigParser,
"nokia_sros": parser.NokiaConfigParser,
"citrix_netscaler": parser.NetscalerConfigParser,
}

# TODO: Once support for 3.7 is dropped, there should be a typing.TypedDict for this which should then also be used
Expand Down
12 changes: 12 additions & 0 deletions netutils/config/parser.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1169,3 +1169,15 @@ def config_lines_only(self) -> str:
config_lines.append(line.rstrip())
self._config = "\n".join(config_lines)
return self._config


class NetscalerConfigParser(BaseSpaceConfigParser):
"""Netscaler config parser."""

comment_chars: t.List[str] = []
banner_start: t.List[str] = []

@property
def banner_end(self) -> str:
"""Demarcate End of Banner char(s)."""
raise NotImplementedError("Netscaler platform doesn't have a banner.")
85 changes: 85 additions & 0 deletions tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_backup.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
#NS13.0 Build 84.11
# Last modified Fri Dec 31 12:00:01 2021
set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED
set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED
set ns param -timezone "GMT+00:00-UTC"
set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled
set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled
set ssl parameter -defaultProfile ENABLED
enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER
add route 192.168.0.0 255.255.0.0
set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string
set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
set HA node -failSafe ON
set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
add authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01
add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02
bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT
bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT
add system group Admin -timeout 900
bind system group Admin -policyName superuser 100
add system group Support -timeout 900
bind system group Support -policyName XX-CMD-read-only 100
bind system group Support -policyName XX-CMD-partition-read-only 110
add system group Networking -timeout 900
bind system group Networking -policyName XX-CMD-operator 100
bind system group Networking -policyName XX-CMD-partition-operator 110
add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
set audit syslogParams -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP
add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog
bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational
set snmp alarm HA-STATE-CHANGE -severity Informational
set snmp alarm IP-CONFLICT -severity Warning
set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical
set snmp alarm POWER-SUPPLY-FAILURE -severity Minor
set snmp alarm SSL-CARD-FAILED -severity Minor
set snmp alarm SSL-CERT-EXPIRY -severity Warning
add snmp view READ 1 -type included
add snmp group NETMON-GROUP authpriv -readViewName READ
add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234
add ssl cipher XX-CIPHER-GROUP_1.0_v01
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
add ssl cipher XX-CIPHER-GROUP_1.2_v01
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
add ssl cipher XX-CIPHER-GROUP_1.2_v02
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
add ssl cipher XX-CIPHER-LIST_256
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE
5 changes: 5 additions & 0 deletions tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
features = [
{"name": "user", "ordered": False, "section": ["set system user "]},
{"name": "cmdPolicy", "ordered": False, "section": ["add system cmdPolicy "]},
{"name": "ssl", "ordered": False, "section": ["add ssl ", "bind ssl "]},
]
42 changes: 42 additions & 0 deletions tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
add ssl cipher XX-CIPHER-GROUP_1.0_v01
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
add ssl cipher XX-CIPHER-GROUP_1.2_v01
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
add ssl cipher XX-CIPHER-GROUP_1.2_v02
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
add ssl cipher XX-CIPHER-LIST_256
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE
Loading

0 comments on commit 2cc2dca

Please sign in to comment.