Citrix NetScaler Parser #153

Merged (8 commits), Oct 27, 2022
Changes from 5 commits
23 changes: 13 additions & 10 deletions docs/dev/dev_config.md
Expand Up @@ -22,6 +22,10 @@ The "ltm rule" configuration sections are not uniform nor standardized; therefor

The section banners have been simplified to extract the section header itself. This means that `echo "System Configuration"` will be converted to just "System Configuration".

### Citrix NetScaler Parser

As the NetScaler configuration uses each line to make a specific configuration change there is no support for parent/child relationships in the parser.

### Duplicate Line Detection

In some circumstances replacing lines, such as secrets without uniqueness in the replacement, will result in duplicated lines that are invalid configuration, such as::
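Review bot: the new sentence under "Citrix NetScaler Parser" needs a comma after the subordinate clause and should spell out the consequence for users. Suggested wording: "As each line of a NetScaler configuration is a complete, self-contained command, the parser builds no parent/child relationships; every line is a top-level `ConfigLine`." Saying that every line is top-level tells compliance-feature authors that a feature's `section` prefixes must match the start of the individual command (for example `add ssl ` or `set system user `), which is exactly the pattern the new feature file in this PR relies on.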
Expand Down Expand Up @@ -50,22 +54,21 @@ Documented use cases that are actual configuration on a network device are consi

## New Parsers


There are a series of considerations documented below, when developing a new parser.

- Creation of a new class that must be created in `netutils/config/parser.py` file.
- Creation of a parser class that inherits from the class `BaseConfigParser` in the Python Method Resolution Order (MRO).
- In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`.
- `BaseSpaceConfigParser` is for Cisco IOS-like configurations.
- `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces.
- In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`.
- `BaseSpaceConfigParser` is for Cisco IOS-like configurations.
- `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces.
- Create the class name in the format of `{os_name.title()}ConfigParser`.
- The classes `__init__` method must keep true to the signature or `__init__(self, config)`.
- The class must provide a `self.config_lines` that is a list of `ConfigLine` named tuples.
- The classes `__init__` method must keep true to the signature or `__init__(self, config)`.
- The class must provide a `self.config_lines` that is a list of `ConfigLine` named tuples.
- Build tests for the `tests/unit/mock/config/compliance/{os_name}/*` and `tests/unit/mock/config/parser/{os_name}/*`.
- Add to `netutils/config/compliance.py` the `parser_map`, that maps the name of the parser to the Plugin.
- Fill out docstrings in the class and methods within the class that describe the parameters and an Example that compiles.
- The following tips will generally be applicable.
- Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`.
- Generally on the `__init__` should call the `build_config_relationship` method.
- Often can inherit directly from `CiscoConfigParser`.
- Observe the existing patterns, make use of `super`, and inheritance to reuse existing code.
- Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`.
- Generally on the `__init__` should call the `build_config_relationship` method.
- Often can inherit directly from `CiscoConfigParser`.
- Observe the existing patterns, make use of `super`, and inheritance to reuse existing code.
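Review bot: the nested bullets this hunk re-indents carry over two wording errors from the original text: "should inherit directory off of" should read "should inherit directly from", and "keep true to the signature or `__init__(self, config)`" should read "the signature of `__init__(self, config)`". Since these lines are being rewritten here anyway, fix both in the same change.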
1 change: 1 addition & 0 deletions docs/dev/include_parser_list.md
Expand Up @@ -6,6 +6,7 @@
| cisco_asa | netutils.config.parser.ASAConfigParser |
| cisco_ios | netutils.config.parser.IOSConfigParser |
| cisco_nxos | netutils.config.parser.NXOSConfigParser |
| citrix_netscaler | netutils.config.parser.NetscalerConfigParser |
| fortinet_fortios | netutils.config.parser.FortinetConfigParser |
| juniper_junos | netutils.config.parser.JunosConfigParser |
| linux | netutils.config.parser.LINUXConfigParser |
1 change: 1 addition & 0 deletions netutils/config/compliance.py
Expand Up @@ -15,6 +15,7 @@
"cisco_asa": parser.ASAConfigParser,
"fortinet_fortios": parser.FortinetConfigParser,
"nokia_sros": parser.NokiaConfigParser,
"citrix_netscaler": parser.NetscalerConfigParser,
}

# TODO: Once support for 3.7 is dropped, there should be a typing.TypedDict for this which should then also be used
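Review bot: the surrounding `parser_map` entries in this hunk are alphabetical (`cisco_asa`, `fortinet_fortios`, `nokia_sros`), and the docs table in include_parser_list.md is sorted the same way, so `"citrix_netscaler": parser.NetscalerConfigParser,` belongs between `cisco_asa` and `fortinet_fortios` rather than appended after `nokia_sros`.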
12 changes: 12 additions & 0 deletions netutils/config/parser.py
Expand Up @@ -1172,3 +1172,15 @@ def config_lines_only(self) -> str:
config_lines.append(line.rstrip())
self._config = "\n".join(config_lines)
return self._config


class NetscalerConfigParser(BaseSpaceConfigParser):
"""Netscaler config parser."""

comment_chars: t.List[str] = []
banner_start: t.List[str] = []

@property
def banner_end(self) -> str:
"""Demarcate End of Banner char(s)."""
raise NotImplementedError("Netscaler platform doesn't have a banner.")
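Review bot: `comment_chars` is empty, so the two leading lines of the new mock config (`#NS13.0 Build 84.11` and `# Last modified Fri Dec 31 12:00:01 2021`) are parsed as configuration lines rather than comments. The "Last modified" line is a timestamp that differs between two saves of the same configuration, so a full-config comparison built on this parser will report a diff after every save even when nothing else changed. Consider `comment_chars: t.List[str] = ["#"]` together with a parser test asserting that those two header lines are not emitted as `ConfigLine`s. Raising `NotImplementedError` from `banner_end` is acceptable because `banner_start` is empty and the property is unreachable, but a one-line docstring stating that would save the next reader a trip through `BaseSpaceConfigParser`.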
@@ -0,0 +1,85 @@
#NS13.0 Build 84.11
# Last modified Fri Dec 31 12:00:01 2021
set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED
set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED
set ns param -timezone "GMT+00:00-UTC"
set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled
set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled
set ssl parameter -defaultProfile ENABLED
enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER
add route 192.168.0.0 255.255.0.0
set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string
set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
set HA node -failSafe ON
set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
add authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01
add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02
bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT
bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT
add system group Admin -timeout 900
bind system group Admin -policyName superuser 100
add system group Support -timeout 900
bind system group Support -policyName XX-CMD-read-only 100
bind system group Support -policyName XX-CMD-partition-read-only 110
add system group Networking -timeout 900
bind system group Networking -policyName XX-CMD-operator 100
bind system group Networking -policyName XX-CMD-partition-operator 110
add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
set audit syslogParams -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP
add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog
bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational
set snmp alarm HA-STATE-CHANGE -severity Informational
set snmp alarm IP-CONFLICT -severity Warning
set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical
set snmp alarm POWER-SUPPLY-FAILURE -severity Minor
set snmp alarm SSL-CARD-FAILED -severity Minor
set snmp alarm SSL-CERT-EXPIRY -severity Warning
add snmp view READ 1 -type included
add snmp group NETMON-GROUP authpriv -readViewName READ
add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234
add ssl cipher XX-CIPHER-GROUP_1.0_v01
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
add ssl cipher XX-CIPHER-GROUP_1.2_v01
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
add ssl cipher XX-CIPHER-GROUP_1.2_v02
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
add ssl cipher XX-CIPHER-LIST_256
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE
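Review bot: two things in this mock config look unintended. The `set ns rpcNode 203.0.113.1 -password abcdef1234 ...` line appears twice verbatim; if the duplicate is deliberate, to exercise the duplicate-line handling described in dev_config.md, say so in a test name or comment, otherwise drop one. And `add ssl cipher XX-CIPHER-GROUP_1.2_v02` is immediately followed by seven `bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName ...` lines, so `_1.2_v02` is created with nothing bound to it and `_1.0_v03` is bound without ever being created; pick one name for the group. On the fixture hygiene side, the credentials are obvious placeholders (`abcdef1234`) and the addresses are in RFC 5737 documentation space (203.0.113.1), which is the right way to build a config fixture that contains secrets.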
@@ -0,0 +1,5 @@
features = [
{"name": "user", "ordered": False, "section": ["set system user "]},
{"name": "cmdPolicy", "ordered": False, "section": ["add system cmdPolicy "]},
{"name": "ssl", "ordered": False, "section": ["add ssl ", "bind ssl "]},
]
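Review bot: the `ssl` feature's section prefixes (`add ssl `, `bind ssl `) do not pick up the `set ssl service nshttps-... -ssl3 disabled -tls1 disabled` and `set ssl parameter -defaultProfile ENABLED` lines from the mock config, so a feature named `ssl` will not flag a device where SSLv3 or TLS 1.0 has been re-enabled on the management services. If the feature is meant to cover TLS posture, add `"set ssl "` to the section list. Also consider whether `ordered: False` is what you want for the cipher groups: `XX-CIPHER-LIST_256` carries explicit `-cipherPriority` values, but the other groups in the mock rely on bind order for preference, and an unordered comparison will not detect a reordering of those bindings.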
@@ -0,0 +1,42 @@
set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
add ssl cipher XX-CIPHER-GROUP_1.0_v01
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
add ssl cipher XX-CIPHER-GROUP_1.2_v01
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
add ssl cipher XX-CIPHER-GROUP_1.2_v02
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
add ssl cipher XX-CIPHER-LIST_256
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE
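Review bot: this expected output is the `user`, `cmdPolicy` and `ssl` subset of the mock config and therefore carries the same `XX-CIPHER-GROUP_1.2_v02` / `XX-CIPHER-GROUP_1.0_v03` mismatch; if the mock is corrected, regenerate this file from the parser rather than hand-editing it, so the two stay in step. Worth noting for consumers of the `user` feature: the `set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 ...` line carries the admin password hash, so compliance reports produced from this feature contain credential material and need the same access controls as the raw configuration.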