# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
import logging
from socket import IPPROTO_TCP, IPPROTO_UDP
from . import contextquery
from .policyrep.netcontext import port_range
class PortconQuery(contextquery.ContextQuery):
"""
Port context query.
Parameter:
policy The policy to query.
Keyword Parameters/Class attributes:
protocol The protocol to match (socket.IPPROTO_TCP for
TCP or socket.IPPROTO_UDP for UDP)
ports A 2-tuple of the port range to match. (Set both to
the same value for a single port)
ports_subset If true, the criteria will match if it is a subset
of the portcon's range.
ports_overlap If true, the criteria will match if it overlaps
any of the portcon's range.
ports_superset If true, the criteria will match if it is a superset
of the portcon's range.
ports_proper If true, use proper superset/subset operations.
No effect if not using set operations.
user The criteria to match the context's user.
user_regex If true, regular expression matching
will be used on the user.
role The criteria to match the context's role.
role_regex If true, regular expression matching
will be used on the role.
type_ The criteria to match the context's type.
type_regex If true, regular expression matching
will be used on the type.
range_ The criteria to match the context's range.
range_subset If true, the criteria will match if it is a subset
of the context's range.
range_overlap If true, the criteria will match if it overlaps
any of the context's range.
range_superset If true, the criteria will match if it is a superset
of the context's range.
range_proper If true, use proper superset/subset operations.
No effect if not using set operations.
"""
_protocol = None
_ports = None
ports_subset = False
ports_overlap = False
ports_superset = False
ports_proper = False
@property
def ports(self):
return self._ports
@ports.setter
def ports(self, value):
pending_ports = port_range(*value)
if all(pending_ports):
if pending_ports.low < 1 or pending_ports.high < 1:
raise ValueError("Port numbers must be positive: {0.low}-{0.high}".
format(pending_ports))
if pending_ports.low > pending_ports.high:
raise ValueError(
"The low port must be smaller than the high port: {0.low}-{0.high}".
format(pending_ports))
self._ports = pending_ports
else:
self._ports = None
@property
def protocol(self):
return self._protocol
@protocol.setter
def protocol(self, value):
if value:
if not (value == IPPROTO_TCP or value == IPPROTO_UDP):
raise ValueError(
"The protocol must be {0} for TCP or {1} for UDP.".
format(IPPROTO_TCP, IPPROTO_UDP))
self._protocol = value
else:
self._protocol = None
def results(self):
"""Generator which yields all matching portcons."""
self.log.info("Generating results from {0.policy}".format(self))
self.log.debug("Ports: {0.ports}, overlap: {0.ports_overlap}, "
"subset: {0.ports_subset}, superset: {0.ports_superset}, "
"proper: {0.ports_proper}".format(self))
self.log.debug("User: {0.user!r}, regex: {0.user_regex}".format(self))
self.log.debug("Role: {0.role!r}, regex: {0.role_regex}".format(self))
self.log.debug("Type: {0.type_!r}, regex: {0.type_regex}".format(self))
self.log.debug("Range: {0.range_!r}, subset: {0.range_subset}, overlap: {0.range_overlap}, "
"superset: {0.range_superset}, proper: {0.range_proper}".format(self))
for portcon in self.policy.portcons():
if self.ports and not self._match_range(
portcon.ports,
self.ports,
self.ports_subset,
self.ports_overlap,
self.ports_superset,
self.ports_proper):
continue
if self.protocol and self.protocol != portcon.protocol:
continue
if not self._match_context(portcon.context):
continue
yield portcon