Commit
Merge pull request #26 from opus-codium/fix-service-constraining
Fix service constraining
smortex authored Dec 17, 2022
2 parents d2b0e2d + 8cd4755 commit 55c1961
Showing 2 changed files with 80 additions and 3 deletions.
57 changes: 57 additions & 0 deletions features/services.feature
@@ -0,0 +1,57 @@
Feature: Functions
As a systems administrator
In order to make the configuration files more manageable
I want to be define and use reusable blocks

Scenario: Define common services
Given a file named "network.puffy" with:
"""
localhost = {127.0.0.1 ::1}
lan = {192.168.0.0/24 fe80::/10}
service 'mysql' do
pass proto tcp to port mysql
end
service 'ssh' do
pass proto tcp to port ssh
end
service 'ssh-local' do
service 'ssh' from $lan to $lan
end
service 'common' do
server 'ssh-local'
client 'ssh-local'
end
node 'client' do
service 'common'
client 'mysql' to 192.168.18.3
end
node 'server' do
service 'common'
server 'ssh' from 10.100.0.0/23
end
"""
When I successfully run `puffy generate -f Pf network.puffy server`
Then the stdout should contain:
"""
pass in quick proto tcp from 192.168.0.0/24 to 192.168.0.0/24 port 22
pass in quick proto tcp from fe80::/10 to fe80::/10 port 22
pass out quick proto tcp from 192.168.0.0/24 to 192.168.0.0/24 port 22
pass out quick proto tcp from fe80::/10 to fe80::/10 port 22
pass in quick proto tcp from 10.100.0.0/23 to any port 22
"""
When I successfully run `puffy generate -f Pf network.puffy client`
Then the stdout from "puffy generate -f Pf network.puffy client" should not contain:
"""
pass in quick proto tcp from 10.100.0.0/23 to any port 22
"""
And the stdout from "puffy generate -f Pf network.puffy client" should contain:
"""
pass out quick proto tcp to 192.168.18.3 port 3306
"""
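Review bot: the Feature header and narrative at the top of this hunk ("Feature: Functions", "I want to be define and use reusable blocks") read as copied from another feature file and do not describe what `features/services.feature` covers; suggest `Feature: Services` with a narrative about defining reusable services, and fix "be define" to "define". The scenario itself covers the regression well: it asserts `pass in quick proto tcp from 10.100.0.0/23 to any port 22` in the `server` output, asserts the same line is absent from the `client` output, and checks that `client 'mysql' to 192.168.18.3` resolves to `port 3306`. One small consistency point: the first run asserts with `the stdout should contain:` while the second uses `the stdout from "puffy generate -f Pf network.puffy client" should contain:`; using one form throughout makes the scenario easier to read.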
26 changes: 23 additions & 3 deletions lib/puffy/parser.y
@@ -54,23 +54,23 @@ rule

pf_rule: SERVICE service_name optional_hosts {
begin
result = @services.fetch(val[1]).deep_dup.map { |x| x.merge(val[2]) }
result = constraint_service_to_hosts(val[1], val[2])
rescue KeyError
raise ParseError.new("Parse error: service \"#{val[1]}\" is not defined", val[0])
end
}
| CLIENT service_name optional_hosts {
begin
raise "service #{val[1]} cannot be used as client" if @services.fetch(val[1]).map { |x| x[:dir] }.compact.any?
result = @services.fetch(val[1]).deep_dup.map { |x| x.merge(dir: :out).deep_merge(val[2]) }
result = constraint_service_to_hosts(val[1], val[2]).map { |item| item.merge(dir: :out) }
rescue KeyError
raise ParseError.new("Parse error: service \"#{val[1]}\" is not defined", val[0])
end
}
| SERVER service_name optional_hosts {
begin
raise "service #{val[1]} cannot be used as server" if @services.fetch(val[1]).map { |x| x[:dir] }.compact.any?
result = @services.fetch(val[1]).deep_dup.map { |x| x.merge(dir: :in).deep_merge(val[2]) }
result = constraint_service_to_hosts(val[1], val[2]).map { |item| item.merge(dir: :in) }
rescue KeyError
raise ParseError.new("Parse error: service \"#{val[1]}\" is not defined", val[0])
end
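Review bot: the `rescue KeyError` in each of the three branches now also spans `constraint_service_to_hosts(val[1], val[2])`, so any KeyError raised inside that helper is reported as `service "..." is not defined`. Today that is accurate, because the helper's `hosts.fetch(:from, [{}])` / `hosts.fetch(:to, [{}])` calls carry defaults and only its `@services.fetch(service)` can raise, but it is fragile; consider doing the `@services.fetch(val[1])` inside the `begin` and passing the resolved definition to the helper, so the rescue covers exactly the lookup its message names. Separately, the unchanged `raise "service #{val[1]} cannot be used as client"` / `... as server` lines still raise a bare RuntimeError without the token position, unlike the `ParseError.new(..., val[0])` right below them; aligning the two would give users a consistent error format.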
@@ -350,3 +350,23 @@ require 'strscan'
def policy_for(hostname)
prefered_value_for_hostname(@saved_policies, hostname) || @default_policy || :block
end
def constraint_service_to_hosts(service, hosts)
result = @services.fetch(service).deep_dup
result.map! do |item|
item[:from] = if item[:from]
item[:from].product(hosts.fetch(:from, [{}])).map { |parts| parts[0].merge(parts[1].compact) }
else
hosts.fetch(:from, [{}])
end
item[:to] = if item[:to]
item[:to].product(hosts.fetch(:to, [{}])).map { |parts| parts[0].merge(parts[1].compact) }
else
hosts.fetch(:to, [{}])
end
item
end
result
end
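Review bot: when `hosts` carries a `:from` or `:to` list, the `else` branches `item[:from] = hosts.fetch(:from, [{}])` and `item[:to] = hosts.fetch(:to, [{}])` assign the very same Array (and inner Hash) objects to every item of the service that lacks its own hosts, so any later in-place mutation of one item's host list would change all of them; `hosts.fetch(:from, [{}]).deep_dup`, matching the `deep_dup` already applied to `result`, avoids the aliasing. Two smaller points: the method name looks like a typo for `constrain_service_to_hosts` (verb), and the merge direction in `parts[0].merge(parts[1].compact)` means a key given in the caller's constraint (a `port`, for example) silently overrides the same key from the service definition, which deserves a short comment above the method stating that the caller's hosts win.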