Commit 5fdcd194 authored by Benjamin Graillot's avatar Benjamin Graillot

Arguments et commentaires

parent a7b7bc5f
......@@ -6,5 +6,7 @@
"NAT": {
"srv-nat": "185.230.79.64/26",
"adh-nat": "185.230.77.0/24"
}
},
"ldap_url": "ldaps://172.16.1.1"
}
#!/bin/env python3
import argparse
import configparser
import getpass
import ipaddress
import json
import os
......@@ -16,6 +17,9 @@ path = os.path.dirname(os.path.abspath(__file__))
def nat_map(private_subnet, public_subnet):
"""
Divise private_subnet en subnets de même taille et map ces subnets derrière les ip de public_subnet
"""
nat_subnets = [ nat_subnet for nat_subnet in private_subnet.subnets(prefixlen_diff=public_subnet.num_addresses.bit_length()-1) ]
return list(zip(nat_subnets, public_subnet))
......@@ -24,15 +28,25 @@ if __name__ == "__main__":
parser = argparse.ArgumentParser(
description="Generate firewall from LDAP",
)
parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu", action="store_true")
parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu sur la sortie standard", action="store_true")
parser.add_argument("-l", "--ldap-server", help="URL de la base ldap à contacter", type=str, default=None)
parser.add_argument("-r", "--re2o-server", help="Nom du serveur re2o à contacter", type=str, default=None)
parser.add_argument("-u", "--re2o-user", help="Utilisateur re2o", type=str, default=None)
parser.add_argument("-p", "--re2o-password", help="Demande le mot de passe de l'utilisateur re2o", action="store_true")
args = parser.parse_args()
with open(os.path.join(path, "firewall.json")) as config_file:
config = json.load(config_file)
base = ldap.initialize('ldaps://172.16.1.1/')
base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
if args.ldap_server is not None:
config['ldap_url'] = args.ldap_server
base = ldap.initialize(config['ldap_url'])
if config['ldap_url'].startswith('ldaps://'):
# On ne vérifie pas le certificat pour le LDAPS
base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
hosts_query_id = base.search("ou=hosts,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipHost")
hosts_query = base.result(hosts_query_id)
services_query_id = base.search("ou=services,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipService")
......@@ -42,6 +56,7 @@ if __name__ == "__main__":
networks = {}
# On récupère les subnets depuis la base LDAP, en particulier les subnet natés pour la génération du nat
for dn, entry in networks_query[1]:
networks[entry['cn'][0].decode('utf-8')] = ipaddress.ip_network(entry['ipNetworkNumber'][0].decode('utf-8') + '/' + entry['ipNetmaskNumber'][0].decode('utf-8'))
......@@ -49,6 +64,7 @@ if __name__ == "__main__":
for dn, entry in services_query[1]:
if 'description' in entry:
# C'est une range de port, le port final est dans la description du service
ports = (int(entry['ipServicePort'][0]), int(entry['description'][0]))
else:
port = int(entry['ipServicePort'][0])
......@@ -66,6 +82,7 @@ if __name__ == "__main__":
elif len(domain) == 4:
subnet = domain[1]
if 'description' not in entry:
# Pas d'ouverture de port : on utilise l'ouverture par défaut du subnet
if subnet in config['DEFAULT_SERVICES']:
opening = config['DEFAULT_SERVICES'][subnet]
else:
......@@ -94,14 +111,23 @@ if __name__ == "__main__":
re2o_config = configparser.ConfigParser()
re2o_config.read(os.path.join(path, 're2o-config.ini'))
api_hostname = re2o_config.get('Re2o', 'hostname')
api_password = re2o_config.get('Re2o', 'password')
api_username = re2o_config.get('Re2o', 'username')
if args.re2o_server is not None:
api_hostname = args.re2o_server
else:
api_hostname = re2o_config.get('Re2o', 'hostname')
if args.re2o_user is not None:
api_username = args.re2o_user
else:
api_username = re2o_config.get('Re2o', 'username')
if args.re2o_password:
api_password = getpass.getpass('Re2o password: ')
else:
api_password = re2o_config.get('Re2o', 'password')
api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
interface_ports = api_client.list("firewall/interface-ports/")
ports_openings_adh = []
ports_openings_adh = [] # les ouvertures de ports des serveurs des adhérents
for interface in interface_ports:
for ip in [ ipaddress.ip_address(interface['ipv4']) ] + [ ipaddress.ip_address(ipv6['ipv6']) for ipv6 in interface['ipv6'] ]:
......
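Review bot: The `ldaps://` branch under `if config['ldap_url'].startswith('ldaps://'):` still sets `ldap.OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_ALLOW`, so the server certificate is never validated, and now that `--ldap-server` lets the URL be supplied on the command line the TLS session authenticates nothing — whichever server answers feeds the hosts, services and networks queries that the firewall rules are generated from. Verify the peer instead: `base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` followed by `base.set_option(ldap.OPT_X_TLS_CACERTFILE, <path to the CA that issued the LDAP server certificate, e.g. read from a new firewall.json key>)`, keeping the existing `OPT_X_TLS_NEWCTX` call after them so the options take effect, and if an unverified mode is genuinely needed make it an explicit opt-in flag with a comment saying why rather than the default. A related caveat in the Re2o block: `--re2o-server` now makes the API hostname overridable while the client built on the line after the `getpass` prompt is still created with `use_tls=False`, so the interactively entered password appears to leave the host without transport protection — worth stating in the `--re2o-password` help text or fixing alongside. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunks shown.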