nickrusso42518 / narc
Nornir/Netmiko ASA Rule Checker - Validate firewall rule compliance
License: BSD 3-Clause "New" or "Revised" License
Add another key to test dictionaries to contain more precise strings for testing equality, rather than embedding them in the unit test source code.
Individual validation checks should be enumerated in the README for clarity. Also, clarify that JSON and YAML can both be used as host_var sources.
It only exists to fix module import issues; instead, add the current path to PYTHONPATH via pytest. A few options:
Running pytest with python -m pytest [...] instead of pytest [...] yields nearly equivalent behaviour, except that the former call will add the current directory to sys.path.
In setup.cfg, consider:
[tool:pytest]
python_paths = ./
Two things:
Hi Nick, I suffer from this issue when I run the script:
(narc) [franquezaj narc]$ python runbook.py --status
ASAV1@2021-01-25T13:55:00.854568: loading YAML vars
ASAV1@2021-01-25T13:55:00.859045: loading vars succeeded
ASAV1@2021-01-25T13:55:00.859180: starting check DNS OUTBOUND (1/1)
ASAV1@2021-01-25T13:55:06.167691: completed check DNS OUTBOUND (1/1)
Traceback (most recent call last):
File "runbook.py", line 68, in <module>
main(_process_args())
File "runbook.py", line 25, in main
aresult = nornir.run(task=run_checks, args=args)
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/__init__.py", line 148, in run
result = self._run_parallel(task, run_on, num_workers, **kwargs)
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/__init__.py", line 86, in _run_parallel
r = rp.get()
File "/usr/lib64/python3.6/multiprocessing/pool.py", line 644, in get
raise self._value
File "/usr/lib64/python3.6/multiprocessing/pool.py", line 119, in worker
result = (True, func(*args, **kwds))
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/task.py", line 117, in start
self.nornir.processors.task_instance_completed(self, host, self.results)
File "/home/dpko.un.org/franquezaj-su/narc/lib64/python3.6/site-packages/nornir/core/processor.py", line 85, in task_instance_completed
p.task_instance_completed(task, host, result)
File "/home/reponeg/nexus/franquezaj/PYTHON/russo/narc/narc/processors/proc_csv.py", line 53, in task_instance_completed
action = data["root"]["result"]["action"]
TypeError: string indices must be integers
Consider adding support for Cisco FTD. Device type does not show up as supported by netmiko yet. The packet-tracer commands, including xml format, are all present on this FTD version. Probably need to add an ftd Nornir inventory group to differentiate device drivers.
---------------------[ fdm65 ]----------------------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.5.0 (Build 115)
UUID : 9d4b06f4-f4d2-11e9-8c86-eb98e807d9d8
Rules update version : 2019-08-12-001-vrt
VDB version : 309
----------------------------------------------------
Need to test how the solution works using some mocked host_vars files and packet-tracer ... xml outputs.
Consider changing terse to be one line:
host: name -> result
No technical details needed as those can be viewed in CSV or JSON format.
Additionally, perform the initial looping in process_result() then call each function to assemble the data. Need to consider the initial CSV printout and the JSON root_dict initialization, which are special cases. Consider removing the style_map and using simple if statements, performing the pre-setup along with the function assignment, then call the function inside the common loops.
Need to ensure there are no duplicate id values between checks. This would break json formatting. Easy answer is to create an empty set, add to it in the validate loop, then compare its length against the list length at the end. Somewhere around here:
Line 22 in 5487164
Even if packet-tracer doesn't let you omit values, the vars files should be able to tolerate missing values. Perform a check normalization process somewhere, maybe in run_check(), to populate any missing keys based on default values. The default values should be declared as group level variables in the inventory.
The CSV output has no way to identify the device on which a given check was run. Add a hostname column as the first column to account for this, and update the documentation.
Bad copy/paste job
Line 5 in 5487164
Rather than a TCP/UDP source and destination port, there should be an ICMP type and code instead, each of which is an unsigned 8-bit integer. Perhaps:
---
checks:
- name: ICMP TEST
proto: icmp
type: 8
code: 0
(other fields omitted)
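The three points above (no duplicate id values between checks, tolerating missing keys by filling them from group-level defaults, and ICMP checks carrying a type/code instead of ports) are all pre-flight validation of the checks list. The following is an added example written for this page, not narc's own validation code: the field names (id, name, proto, in_intf, src_ip, dst_ip, src_port, dst_port, type, code), the defaults dict and the function names are assumptions chosen for illustration. It returns the first failure it finds as a string, which is what makes it easy to unit-test with one-element lists later, and it uses the set-versus-list-length trick for duplicate ids.

```python
"""Validation and normalisation of a narc-style checks list.

Added example, not the narc project's own code. The field names, the
group-level `defaults` dict and the function names are assumptions made
for illustration; adapt them to the real host_vars schema.
"""
import ipaddress
from typing import Optional

# Fields every check must carry regardless of protocol (assumed schema).
REQUIRED_COMMON = ("id", "name", "proto", "in_intf", "src_ip", "dst_ip")

# Protocol-specific fields: TCP/UDP carry ports, ICMP carries type/code.
PROTO_FIELDS = {
    "tcp": ("src_port", "dst_port"),
    "udp": ("src_port", "dst_port"),
    "icmp": ("type", "code"),
}

# Numeric ranges: ports are 16-bit, ICMP type and code are 8-bit.
FIELD_RANGES = {
    "src_port": (0, 65535),
    "dst_port": (0, 65535),
    "type": (0, 255),
    "code": (0, 255),
}


def normalize_checks(checks, defaults):
    """Return a new list where each check has the group-level defaults
    filled in for any key it does not define itself (hypothetical helper
    modelled on 'populate missing keys from group variables')."""
    return [{**defaults, **check} for check in checks]


def validate_checks(checks) -> Optional[str]:
    """Return the first problem found as a readable string, or None if the
    list is valid. Reporting only the first failure keeps the function
    easy to unit-test one check at a time."""
    seen_ids = set()
    for idx, check in enumerate(checks):
        for key in REQUIRED_COMMON:
            if key not in check:
                return f"check {idx}: missing required key '{key}'"
        proto = str(check["proto"]).lower()
        if proto not in PROTO_FIELDS:
            return f"check {idx}: unsupported proto '{check['proto']}'"
        for key in PROTO_FIELDS[proto]:
            if key not in check:
                return f"check {idx}: proto {proto} requires key '{key}'"
            lo, hi = FIELD_RANGES[key]
            value = check[key]
            # bool is a subclass of int, so exclude it explicitly.
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                return f"check {idx}: '{key}' must be an integer in {lo}-{hi}, got {value!r}"
        addrs = {}
        for key in ("src_ip", "dst_ip"):
            try:
                addrs[key] = ipaddress.ip_address(check[key])
            except ValueError:
                return f"check {idx}: '{key}' is not a valid IPv4/IPv6 address: {check[key]!r}"
        if addrs["src_ip"].version != addrs["dst_ip"].version:
            return f"check {idx}: src_ip and dst_ip are different IP versions"
        if check["id"] in seen_ids:
            return f"check {idx}: duplicate id {check['id']!r}"
        seen_ids.add(check["id"])
    # If every id was unique, the set is exactly as long as the list.
    assert len(seen_ids) == len(checks)
    return None


# Constructed sample data, not taken from the project's samples/ directory.
GROUP_DEFAULTS = {"in_intf": "inside", "src_port": 5000}

SAMPLE_CHECKS = [
    {"id": "dns_out", "name": "DNS OUTBOUND", "proto": "udp",
     "src_ip": "192.0.2.10", "dst_ip": "198.51.100.53", "dst_port": 53},
    {"id": "ping_out6", "name": "PING OUTBOUND V6", "proto": "icmp",
     "src_ip": "2001:db8::10", "dst_ip": "2001:db8:1::1", "type": 8, "code": 0},
]

if __name__ == "__main__":
    problem = validate_checks(normalize_checks(SAMPLE_CHECKS, GROUP_DEFAULTS))
    print("OK" if problem is None else problem)
```

Running validation before any SSH session is opened means a bad vars file fails fast with a message naming the check index and key, rather than surfacing as a packet-tracer syntax error or a broken JSON document after a long run.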
Bad copy/paste job
Line 5 in 5487164
Re-generate samples/
with some IPv6 examples, and make them part of the version-controlled var examples.
I run this on Windows and on my Linux box with a virtual environment, and I get the same result.
I do see an SSH connection to the ASA, so I know that part may be working, but I'm not sure how to troubleshoot.
Do you start from the top where the error is given, or from the bottom?
ASA version is 9.1(5)16
(narc) lab@lab-vm:~/narc$ python -V
Python 3.6.9
E:\Python\00_Nick_Russo\narc-master>python3 -i runbook.py --status
ASAV1@2020-09-02T15:29:13.228952: loading YAML vars
ASAV1@2020-09-02T15:29:13.243908: loading vars succeeded
ASAV1@2020-09-02T15:29:13.243908: starting check DNS OUTBOUND (1/5)
ASAV1@2020-09-02T15:29:21.357049: completed check DNS OUTBOUND (1/5)
ASAV1@2020-09-02T15:29:21.357049: starting check HTTPS OUTBOUND (2/5)
ASAV1@2020-09-02T15:29:22.262786: completed check HTTPS OUTBOUND (2/5)
ASAV1@2020-09-02T15:29:22.262786: starting check SSH INBOUND (3/5)
ASAV1@2020-09-02T15:29:23.268578: completed check SSH INBOUND (3/5)
ASAV1@2020-09-02T15:29:23.268578: starting check PING OUTBOUND (4/5)
ASAV1@2020-09-02T15:29:24.274980: completed check PING OUTBOUND (4/5)
ASAV1@2020-09-02T15:29:24.275932: starting check L2TP OUTBOUND (5/5)
ASAV1@2020-09-02T15:29:25.484300: completed check L2TP OUTBOUND (5/5)
Traceback (most recent call last):
File "runbook.py", line 68, in <module>
main(_process_args())
File "runbook.py", line 25, in main
aresult = nornir.run(task=run_checks, args=args)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\__init__.py", line 155, in run
result = self._run_parallel(task, run_on, num_workers, **kwargs)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\__init__.py", line 93, in _run_parallel
worker_result = future.result()
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1520.0_x64__qbz5n2kfra8p0\lib\concurrent\futures\_base.py", line 432, in result
return self.__get_result()
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1520.0_x64__qbz5n2kfra8p0\lib\concurrent\futures\_base.py", line 388, in __get_result
raise self._exception
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.8_3.8.1520.0_x64__qbz5n2kfra8p0\lib\concurrent\futures\thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\task.py", line 117, in start
self.nornir.processors.task_instance_completed(self, host, self.results)
File "C:\Users\vpatel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\nornir\core\processor.py", line 85, in task_instance_completed
p.task_instance_completed(task, host, result)
File "E:\Python\00_Nick_Russo\narc-master\narc\processors\proc_terse.py", line 50, in task_instance_completed
action = data["root"]["result"]["action"]
TypeError: string indices must be integers
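Both tracebacks on this page (the CSV one above and this terse one) end in the same place: the processor indexing data["root"]["result"]["action"] on a value that turned out to be a string. The following added example, which is not narc's own parser, shows one way to turn raw packet-tracer ... xml output into a dict while refusing anything that is not XML with an explicit error, so a later indexing step never receives a bare string. The XML layout used in the samples (a flat run of Phase elements followed by one result element, with no single document root) is modelled on ASA output but is an assumption, as are the function and exception names; the sample outputs are constructed, not captured from a device.

```python
"""Parse ASA `packet-tracer ... xml` output into a plain dict.

Added example, not narc's own code. The tag layout is an assumption
modelled on ASA output: sibling top-level <Phase> elements followed by a
single <result> element, so the text must be wrapped in a synthetic root
before an XML parser will accept it.
"""
import xml.etree.ElementTree as ET


class PacketTracerOutputError(ValueError):
    """Raised when the device returned something other than packet-tracer XML."""


def parse_packet_tracer_xml(raw: str) -> dict:
    """Return {'phases': [...], 'result': {...}} from raw packet-tracer xml text.

    Non-XML output (for example a CLI error string) raises
    PacketTracerOutputError carrying the first line of the output, instead
    of being passed downstream as a string for something to index.
    """
    text = raw.strip()
    if not text.startswith("<"):
        first = text.splitlines()[0] if text else "<empty output>"
        raise PacketTracerOutputError(f"not XML: {first!r}")
    try:
        root = ET.fromstring(f"<root>{text}</root>")
    except ET.ParseError as exc:
        raise PacketTracerOutputError(f"malformed XML: {exc}") from exc

    # Direct children only: the per-phase <result>ALLOW</result> elements
    # live inside <Phase>, so findall()/find() on root do not confuse them
    # with the final top-level <result> block.
    phases = [
        {child.tag: (child.text or "").strip() for child in phase}
        for phase in root.findall("Phase")
    ]
    result_el = root.find("result")
    if result_el is None or result_el.find("action") is None:
        raise PacketTracerOutputError("no <result>/<action> element in output")
    result = {child.tag: (child.text or "").strip() for child in result_el}
    return {"phases": phases, "result": result}


def action_or_error(raw: str):
    """(action, None) on success, (None, message) when the output is unusable.
    Convenient for a processor that must record a verdict for every host."""
    try:
        return parse_packet_tracer_xml(raw)["result"]["action"], None
    except PacketTracerOutputError as exc:
        return None, str(exc)


def check_passed(raw: str, expected_action: str) -> bool:
    """True when the packet-tracer action matches the check's expectation."""
    action, _ = action_or_error(raw)
    return action is not None and action.lower() == expected_action.lower()


# Constructed sample outputs (assumed layout, not captured from a real ASA).
SAMPLE_ALLOW = """
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>Resolve Egress Interface</subtype>
<result>ALLOW</result>
<config></config>
<extra>found next-hop 203.0.113.1 using egress ifc outside</extra>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype>log</subtype>
<result>ALLOW</result>
<config>access-group inside_in in interface inside</config>
<extra></extra>
</Phase>
<result>
<input-interface>inside</input-interface>
<input-status>up</input-status>
<output-interface>outside</output-interface>
<output-status>up</output-status>
<action>allow</action>
</result>
"""

SAMPLE_DROP = """
<Phase>
<id>1</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>Implicit Rule</config>
<extra></extra>
</Phase>
<result>
<input-interface>outside</input-interface>
<input-status>up</input-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
"""

SAMPLE_ERROR = "ERROR: % Invalid input detected at '^' marker."
```

The stdlib parser is used because the input comes from an authenticated session with your own firewall; if the same code is ever pointed at untrusted XML, swap ET.fromstring for defusedxml's equivalent to rule out entity-expansion tricks.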
Perhaps these can replace the style functions to provide output faster as hosts finish.
https://nornir.readthedocs.io/en/latest/tutorials/intro/processors.html
Talking about checks before they are even validated
Line 24 in 5487164
In high-scale testing, YAML is known to be much slower to load than JSON. Given the purpose of this project, it is reasonable to expect the checks list can grow to many thousands of entries. JSON should be preferred, falling back to YAML if a JSON file does not exist.
id is required, so this code should be unnecessary.
Line 32 in 5487164
Some basic test data in the README (10, 100, 1000 hosts) with timestamps would be useful
Currently, lots of copy/paste when a for loop could be used relatively easily. Need to weigh whether increased test complexity (and possibility of new bugs) is worth it.
The helper functions need unit tests, especially the validation steps. Use pytest and create test cases that feed in checks lists of length 1 to target specific issues. Be sure to test compound issues to ensure the first failure condition is matched. Add this to Makefile as make unit and add pytest and netaddr to requirements.txt.
Consider another version of run_checks() with http_method instead of netmiko_send_command. This would avoid using SSH and interact with the REST API instead. Need to research whether packet-tracer commands are supported via the API.
Need new formats and multiple hosts to make examples useful.
A long checks list means a long time with no output. Maybe a print statement that has the hostname, check ID, current iteration, and total iterations, similar to Ansible. Can be toggled on by option -s or --status, defaulted to false.
Too much copy/paste in style.py. Consider moving the style_map into an aggregation function like style(format_str). Also consider using an internal _style_general() function to reduce copy paste. Decorators?