From 29784fa8ade261c51e4e8585b19d60d552971d85 Mon Sep 17 00:00:00 2001 From: Justin Drew Date: Tue, 11 Oct 2022 08:23:03 -0500 Subject: [PATCH 1/8] feat: Add parser for Citrix NetScaler --- netutils/config/compliance.py | 1 + netutils/config/parser.py | 12 ++ .../netscaler_full_received.py | 194 ++++++++++++++++++ .../citrix_netscaler/netscaler_full_sent.txt | 85 ++++++++ 4 files changed, 292 insertions(+) create mode 100644 tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_received.py create mode 100644 tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_sent.txt diff --git a/netutils/config/compliance.py b/netutils/config/compliance.py index 703b3db2..408d09ef 100644 --- a/netutils/config/compliance.py +++ b/netutils/config/compliance.py @@ -15,6 +15,7 @@ "cisco_asa": parser.ASAConfigParser, "fortinet_fortios": parser.FortinetConfigParser, "nokia_sros": parser.NokiaConfigParser, + "citrix_netscaler": parser.NetscalerConfigParser, } # TODO: Once support for 3.7 is dropped, there should be a typing.TypedDict for this which should then also be used diff --git a/netutils/config/parser.py b/netutils/config/parser.py index 93f3324b..812011f2 100644 --- a/netutils/config/parser.py +++ b/netutils/config/parser.py @@ -1172,3 +1172,15 @@ def config_lines_only(self) -> str: config_lines.append(line.rstrip()) self._config = "\n".join(config_lines) return self._config + + +class NetscalerConfigParser(BaseSpaceConfigParser): + """Netscaler config parser.""" + + comment_chars: t.List[str] = [] + banner_start: t.List[str] = [] + + @property + def banner_end(self) -> str: + """Demarcate End of Banner char(s).""" + raise NotImplementedError("Netscaler platform doesn't have a banner.") diff --git a/tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_received.py b/tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_received.py new file mode 100644 index 00000000..a64dff11 --- /dev/null 
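Review bot: `comment_chars` is left empty in the new `NetscalerConfigParser`, so the two `#` header lines of ns.conf (`#NS13.0 Build 84.11` and `# Last modified Fri Dec 31 12:00:01 2021` in this patch's fixtures) are parsed as configuration lines, and the `# Last modified` stamp changes on every save, so it will show up as a difference wherever the parsed configuration is compared as a whole rather than by feature section. If that is not intended, `comment_chars: t.List[str] = ["#"]` drops both, and the first two `ConfigLine` entries of `netscaler_full_received.py` would have to go with it; how `BaseSpaceConfigParser` orders its comment and banner checks is not visible here, so confirm against the base class before changing it. The `banner_end` property raising `NotImplementedError` is presumably only safe if the base class never reads it when `banner_start` is empty, which the hunk does not show. The class docstring could also carry what a reader needs: `"""Netscaler config parser: ns.conf is a flat list of commands with no indentation hierarchy and no banner."""`.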
+++ b/tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_received.py 
@@ -0,0 +1,194 @@ +from netutils.config.parser import ConfigLine + +data = [ + ConfigLine(config_line="#NS13.0 Build 84.11", parents=()), + ConfigLine(config_line="# Last modified Fri Dec 31 12:00:01 2021", parents=()), + ConfigLine(config_line='set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED', parents=()), + ConfigLine(config_line="set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED", parents=()), + ConfigLine(config_line='set ns param -timezone "GMT+00:00-UTC"', parents=()), + ConfigLine(config_line="set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled", parents=()), + ConfigLine(config_line="set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled", parents=()), + ConfigLine(config_line="set ssl parameter -defaultProfile ENABLED", parents=()), + ConfigLine(config_line="enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER", parents=()), + ConfigLine(config_line="add route 192.168.0.0 255.255.0.0", parents=()), + ConfigLine( + config_line="set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string", + parents=(), + ), + ConfigLine( + config_line="set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900", + parents=(), + ), + ConfigLine(config_line="set HA node -failSafe ON", parents=()), + ConfigLine( + config_line="set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1", + parents=(), + ), + ConfigLine( + config_line="set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1", + parents=(), + ), + ConfigLine( + config_line="add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof", + parents=(), + ), + ConfigLine( + config_line="add 
authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof", + parents=(), + ), + ConfigLine( + config_line="add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01", parents=() + ), + ConfigLine( + config_line="add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02", parents=() + ), + ConfigLine( + config_line="bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT", parents=() + ), + ConfigLine( + config_line="bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT", parents=() + ), + ConfigLine(config_line="add system group Admin -timeout 900", parents=()), + ConfigLine(config_line="bind system group Admin -policyName superuser 100", parents=()), + ConfigLine(config_line="add system group Support -timeout 900", parents=()), + ConfigLine(config_line="bind system group Support -policyName XX-CMD-read-only 100", parents=()), + ConfigLine(config_line="bind system group Support -policyName XX-CMD-partition-read-only 110", parents=()), + ConfigLine(config_line="add system group Networking -timeout 900", parents=()), + ConfigLine(config_line="bind system group Networking -policyName XX-CMD-operator 100", parents=()), + ConfigLine(config_line="bind system group Networking -policyName XX-CMD-partition-operator 110", parents=()), + ConfigLine( + config_line="add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)", + parents=(), + ), + ConfigLine( + config_line="add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)", + parents=(), + ), + ConfigLine( + config_line="add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)", + 
parents=(), + ), + ConfigLine( + config_line="add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)", + parents=(), + ), + ConfigLine(config_line="set audit syslogParams -userDefinedAuditlog YES", parents=()), + ConfigLine(config_line="set audit nslogParams -userDefinedAuditlog YES", parents=()), + ConfigLine( + config_line="add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP", + parents=(), + ), + ConfigLine(config_line="add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog", parents=()), + ConfigLine(config_line="bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010", parents=()), + ConfigLine( + config_line="set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational", parents=() + ), + ConfigLine(config_line="set snmp alarm HA-STATE-CHANGE -severity Informational", parents=()), + ConfigLine(config_line="set snmp alarm IP-CONFLICT -severity Warning", parents=()), + ConfigLine(config_line="set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical", parents=()), + ConfigLine(config_line="set snmp alarm POWER-SUPPLY-FAILURE -severity Minor", parents=()), + ConfigLine(config_line="set snmp alarm SSL-CARD-FAILED -severity Minor", parents=()), + ConfigLine(config_line="set snmp alarm SSL-CERT-EXPIRY -severity Warning", parents=()), + ConfigLine(config_line="add snmp view READ 1 -type included", parents=()), + ConfigLine(config_line="add snmp group NETMON-GROUP authpriv -readViewName READ", parents=()), + ConfigLine( + config_line="add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234", + parents=(), + ), + ConfigLine(config_line="add ssl cipher 
XX-CIPHER-GROUP_1.0_v01", parents=()), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256", parents=() + ), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA", parents=()), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA", parents=()), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA", parents=() + ), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA", parents=()), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA", parents=()), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA", parents=()), + ConfigLine(config_line="add ssl cipher XX-CIPHER-GROUP_1.2_v01", parents=()), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256", 
parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256", parents=() + ), + ConfigLine(config_line="add ssl cipher XX-CIPHER-GROUP_1.2_v02", parents=()), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256", parents=() + ), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA", parents=()), + ConfigLine(config_line="bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA", parents=()), + ConfigLine(config_line="add ssl cipher XX-CIPHER-LIST_256", parents=()), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1", + parents=(), + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2", + parents=(), + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3", + parents=(), + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4", + parents=(), + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-LIST_256 -cipherName 
TLS1.2-AES-256-SHA256 -cipherPriority 5", parents=() + ), + ConfigLine( + config_line="bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6", parents=() + ), + ConfigLine( + config_line="add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL", + parents=(), + ), + ConfigLine( + config_line="add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL", + parents=(), + ), + ConfigLine( + config_line="add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE", + parents=(), + ), +] diff --git a/tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_sent.txt b/tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_sent.txt new file mode 100644 index 00000000..108237c7 --- /dev/null +++ b/tests/unit/mock/config/parser/citrix_netscaler/netscaler_full_sent.txt 
@@ -0,0 +1,85 @@ +#NS13.0 Build 84.11 +# Last modified Fri Dec 31 12:00:01 2021 +set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED +set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED +set ns param -timezone "GMT+00:00-UTC" +set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled +set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled +set ssl parameter -defaultProfile ENABLED +enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER +add route 192.168.0.0 255.255.0.0 +set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string +set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900 +set HA node -failSafe ON +set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1 +set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1 +add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof +add authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof +add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01 +add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02 +bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT +bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT +add system group Admin -timeout 900 +bind system group Admin -policyName superuser 100 +add system group Support -timeout 900 +bind system group Support -policyName XX-CMD-read-only 100 +bind system group Support -policyName XX-CMD-partition-read-only 110 +add system group Networking 
-timeout 900 +bind system group Networking -policyName XX-CMD-operator 100 +bind system group Networking -policyName XX-CMD-partition-operator 110 +add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*) +add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*) +add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*) +add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*) +set audit syslogParams -userDefinedAuditlog YES +set audit nslogParams -userDefinedAuditlog YES +add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP +add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog +bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010 +set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational +set snmp alarm HA-STATE-CHANGE -severity Informational +set snmp alarm IP-CONFLICT -severity Warning +set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical +set snmp alarm POWER-SUPPLY-FAILURE -severity Minor +set snmp alarm SSL-CARD-FAILED -severity Minor +set snmp alarm SSL-CERT-EXPIRY -severity Warning +add snmp view READ 1 -type included +add snmp group NETMON-GROUP authpriv -readViewName READ +add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234 +add ssl cipher XX-CIPHER-GROUP_1.0_v01 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName 
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA +add ssl cipher XX-CIPHER-GROUP_1.2_v01 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 +add ssl cipher XX-CIPHER-GROUP_1.2_v02 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA +add ssl cipher XX-CIPHER-LIST_256 +bind ssl cipher 
XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6 +add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL +add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL +add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE \ No newline at end of file From b3ed48106d922a8b2a838a2a53cf3e184174f689 Mon Sep 17 00:00:00 2001 
From: Justin Drew Date: Tue, 11 Oct 2022 13:15:58 -0500 Subject: [PATCH 2/8] =?UTF-8?q?test:=20=E2=9C=85=20Add=20compliance=20test?= =?UTF-8?q?s=20for=20NetScaler?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../netscaler_basic_backup.txt | 85 +++++++++++++++++++ .../netscaler_basic_feature.py | 3 + .../netscaler_basic_intended.txt | 1 + .../netscaler_basic_received.json | 12 +++ 4 files changed, 101 insertions(+) create mode 100644 tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_backup.txt create mode 100644 tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py create mode 100644 tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt create mode 100644 tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_backup.txt b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_backup.txt new file mode 100644 index 00000000..108237c7 --- /dev/null +++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_backup.txt 
@@ -0,0 +1,85 @@ +#NS13.0 Build 84.11 +# Last modified Fri Dec 31 12:00:01 2021 +set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED +set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED +set ns param -timezone "GMT+00:00-UTC" +set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled +set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled +set ssl parameter -defaultProfile ENABLED +enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER +add route 192.168.0.0 255.255.0.0 +set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string +set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900 +set HA node -failSafe ON +set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1 +set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1 +add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof +add authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof +add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01 +add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02 +bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT +bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT +add system group Admin -timeout 900 +bind system group Admin -policyName superuser 100 +add system group Support -timeout 900 +bind system group Support -policyName XX-CMD-read-only 100 +bind system group Support -policyName XX-CMD-partition-read-only 110 +add system group Networking 
-timeout 900 +bind system group Networking -policyName XX-CMD-operator 100 +bind system group Networking -policyName XX-CMD-partition-operator 110 +add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*) +add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*) +add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*) +add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*) +set audit syslogParams -userDefinedAuditlog YES +set audit nslogParams -userDefinedAuditlog YES +add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP +add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog +bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010 +set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational +set snmp alarm HA-STATE-CHANGE -severity Informational +set snmp alarm IP-CONFLICT -severity Warning +set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical +set snmp alarm POWER-SUPPLY-FAILURE -severity Minor +set snmp alarm SSL-CARD-FAILED -severity Minor +set snmp alarm SSL-CERT-EXPIRY -severity Warning +add snmp view READ 1 -type included +add snmp group NETMON-GROUP authpriv -readViewName READ +add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234 +add ssl cipher XX-CIPHER-GROUP_1.0_v01 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName 
TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA +add ssl cipher XX-CIPHER-GROUP_1.2_v01 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 +add ssl cipher XX-CIPHER-GROUP_1.2_v02 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256 +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA +bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA +add ssl cipher XX-CIPHER-LIST_256 +bind ssl cipher 
XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5 +bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6 +add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL +add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL +add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE \ No newline at end of file diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py new file mode 100644 index 00000000..cde0c57d --- /dev/null +++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py @@ -0,0 +1,3 @@ +features = [ + {"name": "user", "ordered": False, "section": ["set system user "]}, +] diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt new file mode 100644 index 00000000..0645c0e5 --- /dev/null +++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt 
@@ -0,0 +1 @@ +set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900 \ No newline at end of file diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json new file mode 100644 index 00000000..2960f74e --- /dev/null +++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json @@ -0,0 +1,12 @@ +{ + "user": { + "actual": "set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900", + "cannot_parse": true, + "compliant": true, + "extra": "", + "intended": "set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900", + "missing": "", + "ordered_compliant": true, + "unordered_compliant": true + } +} \ No newline at end of file From 6e1b115ef9bf73ebf65af1640711ff3781b54a05 Mon Sep 17 00:00:00 2001 From: Justin Drew Date: Thu, 13 Oct 2022 11:40:59 -0500 Subject: [PATCH 3/8] =?UTF-8?q?docs:=20=F0=9F=93=9D=20Update=20docs=20to?= =?UTF-8?q?=20add=20NetScaler=20parser=20to=20list?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/dev/include_parser_list.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/dev/include_parser_list.md b/docs/dev/include_parser_list.md index cf94b258..39a474ce 100644 --- a/docs/dev/include_parser_list.md +++ b/docs/dev/include_parser_list.md @@ -6,6 +6,7 @@ | cisco_asa | netutils.config.parser.ASAConfigParser | | cisco_ios | netutils.config.parser.IOSConfigParser | | cisco_nxos | netutils.config.parser.NXOSConfigParser | +| citrix_netscaler | netutils.config.parser.NetscalerConfigParser | | fortinet_fortios | netutils.config.parser.FortinetConfigParser | | juniper_junos | netutils.config.parser.JunosConfigParser | | linux | netutils.config.parser.LINUXConfigParser | 
From bd71d70e9c3ca5ac9c3920d85b0c99338bd4cdee Mon Sep 17 00:00:00 2001 From: Justin Drew Date: Fri, 14 Oct 2022 09:27:08 -0500 Subject: [PATCH 4/8] =?UTF-8?q?test:=20=E2=9C=85=20Add=20tests=20for=20cmd?= =?UTF-8?q?Policy=20and=20ssl=20features?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../netscaler_basic_feature.py | 2 + .../netscaler_basic_intended.txt | 43 ++++++++++++++++++- .../netscaler_basic_received.json | 20 +++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py index cde0c57d..1fca1828 100644 --- a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py +++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py @@ -1,3 +1,5 @@ features = [ {"name": "user", "ordered": False, "section": ["set system user "]}, + {"name": "cmdPolicy", "ordered": False, "section": ["add system cmdPolicy "]}, + {"name": "ssl", "ordered": False, "section": ["add ssl ", "bind ssl "]}, ] diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt index 0645c0e5..6e8f0ab8 100644 --- a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt +++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt 
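Review bot: The new `ssl` feature selects only `add ssl ` and `bind ssl ` lines, so the backup's `set ssl service ... -ssl3 disabled -tls1 disabled` and `set ssl parameter -defaultProfile ENABLED` lines never enter the compared section; if the fixture is meant to exercise SSL protocol-hardening compliance, add `"set ssl "` to the section list and the matching three lines to `netscaler_basic_intended.txt`. If the narrower scope is deliberate for the test, a one-line comment on the entry saying so would keep the next reader from widening it and breaking the pinned `received.json`. The `received.json` change of this patch is outside this chunk.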
@@ -1 +1,42 @@
-set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
\ No newline at end of file
+set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
+add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
+add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
+add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
+add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
+add ssl cipher XX-CIPHER-GROUP_1.0_v01
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
+add ssl cipher XX-CIPHER-GROUP_1.2_v01
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+add ssl cipher XX-CIPHER-GROUP_1.2_v02
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
+add ssl cipher XX-CIPHER-LIST_256
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
+add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
+add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
+add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE
\ No newline at end of file
diff --git a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json
index 2960f74e..ac471610 100644
--- a/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json
+++ b/tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_received.json
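Review bot: `add ssl cipher XX-CIPHER-GROUP_1.2_v02` is created but never bound, while the seven following `bind ssl cipher XX-CIPHER-GROUP_1.0_v03 ...` lines reference a group this fixture never adds; that looks like a copy/paste slip and presumably would not load on a real appliance. The compliance test still passes because netscaler_basic_received.json repeats the same text, but the intended config then no longer represents a valid reference configuration. Consider changing those seven binds to `bind ssl cipher XX-CIPHER-GROUP_1.2_v02 ...` (and the matching strings in netscaler_basic_received.json), or adding the missing `add ssl cipher XX-CIPHER-GROUP_1.0_v03` line before them. Separately, `SSL3-DES-CBC3-SHA` and `-denySSLReneg NONSECURE` appear in the intended config; acceptable as test data for a legacy 1.0 profile, but a short comment in the fixture header (or the test) noting it is not a hardening baseline would stop it being copied as one.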
@@ -8,5 +8,25 @@ "missing": "", "ordered_compliant": true, "unordered_compliant": true + }, + "cmdPolicy": { + "actual": "add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)\nadd system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)\nadd system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)\nadd system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)", + "cannot_parse": true, + "compliant": true, + "extra": "", + "intended": "add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)\nadd system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)\nadd system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)\nadd system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\\s+(\\?!system)(\\?!configstatus)(\\?!audit messages)(\\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)", + "missing": "", + "ordered_compliant": true, + "unordered_compliant": true + }, + "ssl": { + "actual": "add ssl cipher XX-CIPHER-GROUP_1.0_v01\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName 
TLS1-ECDHE-RSA-AES256-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA\nadd ssl cipher XX-CIPHER-GROUP_1.2_v01\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256\nadd ssl cipher XX-CIPHER-GROUP_1.2_v02\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA\nadd ssl cipher XX-CIPHER-LIST_256\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA 
-cipherPriority 3\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6\nadd ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL\nadd ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL\nadd ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE", + "cannot_parse": true, + "compliant": true, + "extra": "", + "intended": "add ssl cipher XX-CIPHER-GROUP_1.0_v01\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA\nadd ssl cipher XX-CIPHER-GROUP_1.2_v01\nbind ssl 
cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256\nadd ssl cipher XX-CIPHER-GROUP_1.2_v02\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA\nbind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA\nadd ssl cipher XX-CIPHER-LIST_256\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5\nbind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6\nadd ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL\nadd ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL\nadd ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 
DISABLED -tls11 DISABLED -denySSLReneg NONSECURE", + "missing": "", + "ordered_compliant": true, + "unordered_compliant": true } } \ No newline at end of file From 5688419ec6a29f06705d165806db6567ae59383a Mon Sep 17 00:00:00 2001 From: Justin Drew Date: Fri, 14 Oct 2022 09:31:08 -0500 Subject: [PATCH 5/8] =?UTF-8?q?docs:=20=F0=9F=93=9D=20Add=20documentation?= =?UTF-8?q?=20around=20parent/child=20missing=20in=20NS=20parser?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/dev/dev_config.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/docs/dev/dev_config.md b/docs/dev/dev_config.md index ae5462bd..1279fd54 100644 --- a/docs/dev/dev_config.md +++ b/docs/dev/dev_config.md @@ -22,6 +22,10 @@ The "ltm rule" configuration sections are not uniform nor standardized; therefor The section banners have been simplified to extract the section header itself. This means that `echo "System Configuration"` will be converted to just "System Configuration". +### Citrix NetScaler Parser + +As the NetScaler configuration uses each line to make a specific configuration change there is no support for parent/child relationships in the parser. + ### Duplicate Line Detection In some circumstances replacing lines, such as secrets without uniqueness in the replacement, will result in duplicated lines that are invalid configuration, such as:: 
@@ -50,22 +54,21 @@ Documented use cases that are actual configuration on a network device are consi ## New Parsers - There are a series of considerations documented below, when developing a new parser. - Creation of a new class that must be created in `netutils/config/parser.py` file. - Creation of a parser class that inherits from the class `BaseConfigParser` in the Python Method Resolution Order (MRO). - - In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`. - - `BaseSpaceConfigParser` is for Cisco IOS-like configurations. - - `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces. + - In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`. + - `BaseSpaceConfigParser` is for Cisco IOS-like configurations. + - `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces. - Create the class name in the format of `{os_name.title()}ConfigParser`. - - The classes `__init__` method must keep true to the signature or `__init__(self, config)`. - - The class must provide a `self.config_lines` that is a list of `ConfigLine` named tuples. + - The classes `__init__` method must keep true to the signature or `__init__(self, config)`. + - The class must provide a `self.config_lines` that is a list of `ConfigLine` named tuples. - Build tests for the `tests/unit/mock/config/compliance/{os_name}/*` and `tests/unit/mock/config/parser/{os_name}/*`. - Add to `netutils/config/compliance.py` the `parser_map`, that maps the name of the parser to the Plugin. - Fill out docstrings in the class and methods within the class that describe the parameters and an Example that compiles. - The following tips will generally be applicable. - - Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`. - - Generally on the `__init__` should call the `build_config_relationship` method. 
- - Often can inherit directly from `CiscoConfigParser`. - - Observe the existing patterns, make use of `super`, and inheritance to reuse existing code. \ No newline at end of file + - Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`. + - Generally on the `__init__` should call the `build_config_relationship` method. + - Often can inherit directly from `CiscoConfigParser`. + - Observe the existing patterns, make use of `super`, and inheritance to reuse existing code. From 87add4458e99da3cfaac0a45d72b91df9983350a Mon Sep 17 00:00:00 2001 From: Justin Drew Date: Mon, 17 Oct 2022 12:38:17 -0500 Subject: [PATCH 6/8] =?UTF-8?q?docs:=20=F0=9F=93=9D=20Fix=20indentation=20?= =?UTF-8?q?in=20documentation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/dev/dev_config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/dev/dev_config.md b/docs/dev/dev_config.md index 1279fd54..8fe10b0c 100644 --- a/docs/dev/dev_config.md +++ b/docs/dev/dev_config.md @@ -58,7 +58,7 @@ There are a series of considerations documented below, when developing a new par - Creation of a new class that must be created in `netutils/config/parser.py` file. - Creation of a parser class that inherits from the class `BaseConfigParser` in the Python Method Resolution Order (MRO). - - In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`. +- In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`. - `BaseSpaceConfigParser` is for Cisco IOS-like configurations. - `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces. - Create the class name in the format of `{os_name.title()}ConfigParser`. From 5cf91520bbe04bab7ae20ae220a87ef16ef40d8b Mon Sep 17 00:00:00 2001 
From: Justin Drew Date: Tue, 18 Oct 2022 16:36:38 -0500 Subject: [PATCH 7/8] revert: Revert indentation --- docs/dev/dev_config.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/dev/dev_config.md b/docs/dev/dev_config.md index 8fe10b0c..0a3d81da 100644 --- a/docs/dev/dev_config.md +++ b/docs/dev/dev_config.md 
@@ -58,17 +58,17 @@ There are a series of considerations documented below, when developing a new par - Creation of a new class that must be created in `netutils/config/parser.py` file. - Creation of a parser class that inherits from the class `BaseConfigParser` in the Python Method Resolution Order (MRO). -- In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`. - - `BaseSpaceConfigParser` is for Cisco IOS-like configurations. - - `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces. + - In nearly all cases should inherit directory off of `BaseSpaceConfigParser` or `BaseBraceConfigParser`. + - `BaseSpaceConfigParser` is for Cisco IOS-like configurations. + - `BaseBraceConfigParser` is for JUNOS-like configurations that use curly braces. - Create the class name in the format of `{os_name.title()}ConfigParser`. - - The classes `__init__` method must keep true to the signature or `__init__(self, config)`. - - The class must provide a `self.config_lines` that is a list of `ConfigLine` named tuples. + - The classes `__init__` method must keep true to the signature or `__init__(self, config)`. + - The class must provide a `self.config_lines` that is a list of `ConfigLine` named tuples. - Build tests for the `tests/unit/mock/config/compliance/{os_name}/*` and `tests/unit/mock/config/parser/{os_name}/*`. - Add to `netutils/config/compliance.py` the `parser_map`, that maps the name of the parser to the Plugin. - Fill out docstrings in the class and methods within the class that describe the parameters and an Example that compiles. - The following tips will generally be applicable. - - Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`. - - Generally on the `__init__` should call the `build_config_relationship` method. - - Often can inherit directly from `CiscoConfigParser`. 
- - Observe the existing patterns, make use of `super`, and inheritance to reuse existing code. + - Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`. + - Generally on the `__init__` should call the `build_config_relationship` method. + - Often can inherit directly from `CiscoConfigParser`. + - Observe the existing patterns, make use of `super`, and inheritance to reuse existing code. From 1f3c7dd9787f2ef2923538849f59c797b18d8462 Mon Sep 17 00:00:00 2001 From: Justin Drew Date: Tue, 18 Oct 2022 16:39:53 -0500 Subject: [PATCH 8/8] revert: Revert deleted empty line --- docs/dev/dev_config.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/dev/dev_config.md b/docs/dev/dev_config.md index 0a3d81da..9b630261 100644 --- a/docs/dev/dev_config.md +++ b/docs/dev/dev_config.md @@ -54,6 +54,7 @@ Documented use cases that are actual configuration on a network device are consi ## New Parsers + There are a series of considerations documented below, when developing a new parser. - Creation of a new class that must be created in `netutils/config/parser.py` file.