nickrusso42518 / narc Goto Github PK
View Code? Open in Web Editor NEWNornir/Netmiko ASA Rule Checker - Validate firewall rule compliance
License: BSD 3-Clause "New" or "Revised" License
narc's People
Contributors
Stargazers
Watchers
Forkers
devnet9 techiewarrior kwadjooe bucketsadmin ccie59071 kevinhuy ioqik ncnetworkcloud an-maksimov yusmantj cvlabsio ashwini-mhatrenarc's Issues
Embed expected results in checks
Add another key to test dictionaries to contain more precise strings for testing equality, rather than embedding them in the unit test source code.
Explain verification in README
Individual validation checks should be enumerated in the README for clarity. Also, clarify that JSON and YAML can both be used as host_var sources.
Consider removing test_unit.py
It only exists to fix module import issues, instead add current path to pythonpath via pytest. A few options:
Running pytest with python -m pytest [...] instead of pytest [...] yields nearly equivalent behaviour, except that the former call will add the current directory to sys.path.
In setup.cfg, consider:
[tool:pytest]
python_paths = ./
README cleanup
Two things:
- Add simple high-level diagram
- Explain that XML is never an output format
error with string indices that should be integer
Hi Nick, I suffer from this issue when I run the script:
(narc) [franquezaj narc]$ python runbook.py --status
ASAV1@2021-01-25T13:55:00.854568: loading YAML vars
ASAV1@2021-01-25T13:55:00.859045: loading vars succeeded
ASAV1@2021-01-25T13:55:00.859180: starting check DNS OUTBOUND (1/1)
ASAV1@2021-01-25T13:55:06.167691: completed check DNS OUTBOUND (1/1)
Traceback (most recent call last):
File "runbook.py", line 68, in <module>
main(_process_args())
File "runbook.py", line 25, in main
aresult = nornir.run(task=run_checks, args=args)
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/__init__.py", line 148, in run
result = self._run_parallel(task, run_on, num_workers, **kwargs)
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/__init__.py", line 86, in _run_parallel
r = rp.get()
File "/usr/lib64/python3.6/multiprocessing/pool.py", line 644, in get
raise self._value
File "/usr/lib64/python3.6/multiprocessing/pool.py", line 119, in worker
result = (True, func(*args, **kwds))
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/task.py", line 117, in start
self.nornir.processors.task_instance_completed(self, host, self.results)
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/processor.py", line 85, in task_instance_completed
p.task_instance_completed(task, host, result)
File "/home/reponeg/nexus/franquezaj/PYTHON/russo/narc/narc/processors/proc_csv.py", line 53, in task_instance_completed
action = data["root"]["result"]["action"]
TypeError: string indices must be integers
Add FTD support
Consider adding support for Cisco FTD. Device type does not show up as supported by netmiko yet. The packet-tracer commands, including xml format, are all present on this FTD version. Probably need to add an ftd Nornir inventory group to differentiate device drivers.
---------------------[ fdm65 ]----------------------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.5.0 (Build 115)
UUID : 9d4b06f4-f4d2-11e9-8c86-eb98e807d9d8
Rules update version : 2019-08-12-001-vrt
VDB version : 309
----------------------------------------------------
Add mock tests and complementary CI
Need to test how the solution works using some mocked host_vars files and packet-tracer ... xml outputs.
Clean up styles
Consider changing terse to be one line:
host: name -> result
No technical details needed as those can be viewed in CSV or JSON format.
Additionally, perform the initial looping in process_result() then call each function to assemble the data. Need to consider the initial CSV printout and the JSON root_dict initialization, which are special cases. Consider removing the style_map and using simple if statements, performing the pre-setup along with the function assignment, then call the function inside the common loops.
Duplicate id checking
Need to ensure there are no duplicate id values between checks. This would break json formatting. Easy answer is to create an empty set, add to it in the validate loop, then compare its length against the list length at the end. Somewhere around here:
Line 22 in 5487164
Allow field omissions
Even if packet-tracer doesn't let you omit values, the vars files should be able to tolerate missing values. Perform a check normalization process somewhere, maybe in run_check(), to populate any missing keys based on default values. The default values should be declared as group level variables in the inventory.
CSV needs hostname as column
The CSV output has no way to identify the device on which a given check was run. Add a hostname column as the first column to account for this, and update the documentation.
Update description
Bad copy/paste job
Line 5 in 5487164
Add non TCP/UDP support
Rather than a TCP/UDP source and destination port, there should be an ICMP type and code instead, each of which are unsigned 8-bit integers. Perhaps:
---
checks:
- name: ICMP TEST
proto: icmp
type: 8
code: 0
(other fields omitted)
Need better runbook description
Bad copy paste job
Line 5 in 5487164
Add IPv6 examples to existing vars
Re-generate samples/ with some IPv6 examples, and make them part of the version-controlled var examples.
Failing with TypeError: string indices must be integers
I run this in the Windows & my Linux box with virtual Enviornment & I get the same result.
I do see ssh connection to the ASA so I know that part may be working but not sure how to troubleshoot .
Do you start from the top where error gives or bottom.
ASA version is 9.1(5)16
(narc) lab@lab-vm:~/narc$ python -V
Python 3.6.9
E:\Python\00_Nick_Russo\narc-master>python3 -i runbook.py --status
ASAV1@2020-09-02T15:29:13.228952: loading YAML vars
ASAV1@2020-09-02T15:29:13.243908: loading vars succeeded
ASAV1@2020-09-02T15:29:13.243908: starting check DNS OUTBOUND (1/5)
ASAV1@2020-09-02T15:29:21.357049: completed check DNS OUTBOUND (1/5)
ASAV1@2020-09-02T15:29:21.357049: starting check HTTPS OUTBOUND (2/5)
ASAV1@2020-09-02T15:29:22.262786: completed check HTTPS OUTBOUND (2/5)
ASAV1@2020-09-02T15:29:22.262786: starting check SSH INBOUND (3/5)
ASAV1@2020-09-02T15:29:23.268578: completed check SSH INBOUND (3/5)
ASAV1@2020-09-02T15:29:23.268578: starting check PING OUTBOUND (4/5)
ASAV1@2020-09-02T15:29:24.274980: completed check PING OUTBOUND (4/5)
ASAV1@2020-09-02T15:29:24.275932: starting check L2TP OUTBOUND (5/5)
ASAV1@2020-09-02T15:29:25.484300: completed check L2TP OUTBOUND (5/5)
Traceback (most recent call last):
File "runbook.py", line 68, in <module>
main(_process_args())
File "runbook.py", line 25, in main
aresult = nornir.run(task=run_checks, args=args)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\__init__.py", li
ne 155, in run
result = self._run_parallel(task, run_on, num_workers, **kwargs)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\__init__.py", li
ne 93, in _run_parallel
worker_result = future.result()
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1520.0_x64__qbz5n2kfra8p0\lib\concurrent\futures\_base.py", line 432, in result
return self.__get_result()
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1520.0_x64__qbz5n2kfra8p0\lib\concurrent\futures\_base.py", line 388, in __get_result
raise self._exception
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1520.0_x64__qbz5n2kfra8p0\lib\concurrent\futures\thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\task.py", line 1
17, in start
self.nornir.processors.task_instance_completed(self, host, self.results)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\processor.py", l
ine 85, in task_instance_completed
p.task_instance_completed(task, host, result)
File "E:\Python\00_Nick_Russo\narc-master\narc\processors\proc_terse.py", line 50, in task_instance_completed
action = data["root"]["result"]["action"]
TypeError: string indices must be integers
Consider processors
Perhaps these can replace the style functions to provide output faster as hosts finish.
https://nornir.readthedocs.io/en/latest/tutorials/intro/processors.html
Bad comment
Talking about checks before they are even validated
Line 24 in 5487164
Support JSON variables
In high-scale testing, YAML is known to be much slower to load than JSON. Given the purpose of this project, it is reasonable to expect the checks list can grow to many thousands of entries. JSON should be preferred, falling back to YAML if a JSON file does not exist.
Impossible condition
id is required, so this code should be unnecessary.
Line 32 in 5487164
Add performance test data
Some basic test data in the README (10, 100, 1000 hosts) with timestamps would be useful
Consider more dynamic unit tests
Currently, lots of copy/paste when a for loop could be used relatively easily. Need to weigh whether increased test complexity (and possibility of new bugs) is worth it.
Add unit tests
The helper functions need unit tests, especially the validation steps. Using pytest and create test cases that feed in checks lists of length 1 to target specific issues. Be sure to test compound issues to ensure the first failure condition is matched. Add this to Makefile as make unit and add pytest and netaddr to requirements.txt.
Add API support
Consider another version of run_checks() with http_method instead of netmiko_send_command. This would avoid using SSH and interact with the REST API instead. Need to research whether packet-tracer commands are supported via the API.
Update samples
Need new formats and multiple hosts to make exmaples useful.
Consider intra-task status
A long checks list means a long time with no output. Maybe a print statement that has the hostname, check ID, current iteration, and total iterations, similar to Ansible. Can be toggled on by option -s or --status, defaulted to false.
Style abstraction
Too much copy/paste in style.py. Consider moving the style_map into an aggregation function like style(format_str). Also consider using an internal _style_general() function to reduce copy paste. Decorators?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.