Arguments et commentaires

firewall.json

@@ -6,5 +6,7 @@
     "NAT": {
         "srv-nat": "185.230.79.64/26",
         "adh-nat": "185.230.77.0/24"
-    }
+    },
+
+    "ldap_url": "ldaps://172.16.1.1"
 }

firewall.py

 #!/bin/env python3
 import argparse
 import configparser
+import getpass
 import ipaddress
 import json
 import os
@@ -16,6 +17,9 @@ path = os.path.dirname(os.path.abspath(__file__))
 
 
 def nat_map(private_subnet, public_subnet):
+    """
+    Divise private_subnet en subnets de même taille et map ces subnets derrière les ip de public_subnet
+    """
     nat_subnets = [ nat_subnet for nat_subnet in private_subnet.subnets(prefixlen_diff=public_subnet.num_addresses.bit_length()-1) ]
     return list(zip(nat_subnets, public_subnet))
 
@@ -24,15 +28,25 @@ if __name__ == "__main__":
     parser = argparse.ArgumentParser(
         description="Generate firewall from LDAP",
     )
-    parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu", action="store_true")
+    parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu sur la sortie standard", action="store_true")
+    parser.add_argument("-l", "--ldap-server", help="URL de la base ldap à contacter", type=str, default=None)
+    parser.add_argument("-r", "--re2o-server", help="Nom du serveur re2o à contacter", type=str, default=None)
+    parser.add_argument("-u", "--re2o-user", help="Utilisateur re2o", type=str, default=None)
+    parser.add_argument("-p", "--re2o-password", help="Demande le mot de passe de l'utilisateur re2o", action="store_true")
     args = parser.parse_args()
 
     with open(os.path.join(path, "firewall.json")) as config_file:
         config = json.load(config_file)
 
-    base = ldap.initialize('ldaps://172.16.1.1/')
-    base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
-    base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+    if args.ldap_server is not None:
+        config['ldap_url'] = args.ldap_server
+
+    base = ldap.initialize(config['ldap_url'])
+    if config['ldap_url'].startswith('ldaps://'):
+        # On ne vérifie pas le certificat pour le LDAPS
+        base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+        base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+
     hosts_query_id = base.search("ou=hosts,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipHost")
     hosts_query = base.result(hosts_query_id)
     services_query_id = base.search("ou=services,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipService")
@@ -42,6 +56,7 @@ if __name__ == "__main__":
 
     networks = {}
 
+    # On récupère les subnets depuis la base LDAP, en particulier les subnet natés pour la génération du nat
     for dn, entry in networks_query[1]:
         networks[entry['cn'][0].decode('utf-8')] = ipaddress.ip_network(entry['ipNetworkNumber'][0].decode('utf-8') + '/' + entry['ipNetmaskNumber'][0].decode('utf-8'))
 
@@ -49,6 +64,7 @@ if __name__ == "__main__":
 
     for dn, entry in services_query[1]:
         if 'description' in entry:
+            # C'est une range de port, le port final est dans la description du service
             ports = (int(entry['ipServicePort'][0]), int(entry['description'][0]))
         else:
             port = int(entry['ipServicePort'][0])
@@ -66,6 +82,7 @@ if __name__ == "__main__":
         elif len(domain) == 4:
             subnet = domain[1]
         if 'description' not in entry:
+            # Pas d'ouverture de port : on utilise l'ouverture par défaut du subnet
             if subnet in config['DEFAULT_SERVICES']:
                 opening = config['DEFAULT_SERVICES'][subnet]
             else:
@@ -94,14 +111,23 @@ if __name__ == "__main__":
     re2o_config = configparser.ConfigParser()
     re2o_config.read(os.path.join(path, 're2o-config.ini'))
 
-    api_hostname = re2o_config.get('Re2o', 'hostname')
-    api_password = re2o_config.get('Re2o', 'password')
-    api_username = re2o_config.get('Re2o', 'username')
+    if args.re2o_server is not None:
+        api_hostname = args.re2o_server
+    else:
+        api_hostname = re2o_config.get('Re2o', 'hostname')
+    if args.re2o_user is not None:
+        api_username = args.re2o_user
+    else:
+        api_username = re2o_config.get('Re2o', 'username')
+    if args.re2o_password:
+        api_password = getpass.getpass('Re2o password: ')
+    else:
+        api_password = re2o_config.get('Re2o', 'password')
 
     api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
 
     interface_ports = api_client.list("firewall/interface-ports/")
-    ports_openings_adh = []
+    ports_openings_adh = [] # les ouvertures de ports des serveurs des adhérents
 
     for interface in interface_ports:
         for ip in [ ipaddress.ip_address(interface['ipv4']) ] + [ ipaddress.ip_address(ipv6['ipv6']) for ipv6 in interface['ipv6'] ]: