nautobot / nautobot-app-firewall-models

Model Firewall policies in Nautobot
https://docs.nautobot.com/projects/firewall-models/en/latest/

add parent object to Service Group class #97

Open bvilajol opened 1 year ago

bvilajol commented 1 year ago

Environment

When you define a tenant group, you can select another object as parent. That leads to the ability to nest this object.

Service Group would need the same approach. This way the number of objects decreases, and different levels of nesting of Services could be implemented.

Proposed Functionality

SERVICE1, SERVICE2, SERVICE3, SERVICE4, SERVICE5, SERVICE6

GROUP1 = SERVICE1 + SERVICE2
GROUP2 = SERVICE3 + SERVICE4
GROUP3 = SERVICE4 + SERVICE5

GROUP4, parent from GROUP3 + SERVICE4

bvilajol commented 1 year ago

Attached serialization of a custom class 'Service Catalog'. Service Catalog can contain Service Groups, Services and Packets (as building blocks for upper objects).

    {
        "name": "PGR_ITIST07_AVD",
        "description": "A Service Catalog Containing 2 complex Service Groups",
        "packets": [
            "PGR_ITIST07_UDP_53",
            "PGR_ITIST07_TCP_700-750",
            "PGR_ITIST07_TCP_22",
            "PGR_ITIST07_TCP_5000-6000",
            "PGR_ITIST07_TCP_21",
            "PGR_ITIST07_ICMP_6",
            "PGR_ITIST07_UDP_7000-8000",
            "PGR_ITIST07_TCP_2000",
            "PGR_ITIST07_ICMP_7",
            "PGR_ITIST07_TCP_3000",
            "PGR_ITIST07_ICMP_8",
            "PGR_ITIST07_UDP_67",
            "PGR_ITIST07_TCP_9000-10000",
            "PGR_ITIST07_IP_51"
        ],
        "inner_packets": [{
                "name": "PGR_ITIST07_UDP_53",
                "protocol": 17,
                "protocol_name": "UDP",
                "description": "UDP 53 for DNS",
                "icon": "static/PGR_ITIST07_UDP_53.png",
                "ports": [
                    53
                ]
            },
            {
                "name": "PGR_ITIST07_TCP_700-750",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": null,
                "icon": "static/PGR_ITIST07_TCP_700-750.png",
                "ports": [
                    700,
                    750
                ]
            },
            {
                "name": "PGR_ITIST07_TCP_22",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": "SSH",
                "icon": "static/PGR_ITIST07_TCP_22.png",
                "ports": [
                    22
                ]
            },
            {
                "name": "PGR_ITIST07_TCP_5000-6000",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": "SFTP Data Ports",
                "icon": "static/PGR_ITIST07_TCP_5000-6000.png",
                "ports": [
                    5000,
                    6000
                ]
            },
            {
                "name": "PGR_ITIST07_TCP_21",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": "SFTP Control Port",
                "icon": "static/PGR_ITIST07_TCP_21.png",
                "ports": [
                    21
                ]
            },
            {
                "name": "PGR_ITIST07_ICMP_6",
                "protocol": 1,
                "protocol_name": "Destination network unknown",
                "description": "ICMP",
                "icon": "static/PGR_ITIST07_ICMP_6.png",
                "icmp_code": 6
            },
            {
                "name": "PGR_ITIST07_UDP_7000-8000",
                "protocol": 17,
                "protocol_name": "UDP",
                "description": null,
                "icon": "static/PGR_ITIST07_UDP_7000-8000.png",
                "ports": [
                    7000,
                    8000
                ]
            },
            {
                "name": "PGR_ITIST07_TCP_2000",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": "A random port for testing",
                "icon": "static/PGR_ITIST07_TCP_2000.png",
                "ports": [
                    2000
                ]
            },
            {
                "name": "PGR_ITIST07_ICMP_7",
                "protocol": 1,
                "protocol_name": "Destination host unknown",
                "description": "ICMP",
                "icon": "static/PGR_ITIST07_ICMP_7.png",
                "icmp_code": 7
            },
            {
                "name": "PGR_ITIST07_TCP_3000",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": "A random port for testing",
                "icon": "static/PGR_ITIST07_TCP_3000.png",
                "ports": [
                    3000
                ]
            },
            {
                "name": "PGR_ITIST07_ICMP_8",
                "protocol": 1,
                "protocol_name": "Source host isolated error (military use only)",
                "description": "ICMP",
                "icon": "static/PGR_ITIST07_ICMP_8.png",
                "icmp_code": 8
            },
            {
                "name": "PGR_ITIST07_UDP_67",
                "protocol": 17,
                "protocol_name": "UDP",
                "description": "UDP 67 for",
                "icon": "static/PGR_ITIST07_UDP_67.png",
                "ports": [
                    67
                ]
            },
            {
                "name": "PGR_ITIST07_TCP_9000-10000",
                "protocol": 6,
                "protocol_name": "TCP",
                "description": "A random port for testing",
                "icon": "static/PGR_ITIST07_TCP_9000-10000.png",
                "ports": [
                    9000,
                    10000
                ]
            },
            {
                "name": "PGR_ITIST07_IP_51",
                "protocol": 51,
                "protocol_name": "AH Header",
                "description": "VPN",
                "icon": "static/PGR_ITIST07_IP_51.png"
            }
        ],
        "services": [
            "PGR_ITIST07_AVDT02RWDC",
            "PGR_ITIST07_AVDT12RWDC",
            "PGR_ITIST07_AVDT22RWDC",
            "PGR_ITIST07_AVD2SCCM",
            "PGR_ITIST07_BOGUS"
        ],
        "inner_services": [{
                "name": "PGR_ITIST07_AVDT02RWDC",
                "description": "Protocols and ports from AVD T0 to RWDC",
                "packets": [
                    "PGR_ITIST07_UDP_53",
                    "PGR_ITIST07_TCP_700-750",
                    "PGR_ITIST07_TCP_22",
                    "PGR_ITIST07_TCP_5000-6000",
                    "PGR_ITIST07_TCP_21",
                    "PGR_ITIST07_ICMP_6"
                ]
            },
            {
                "name": "PGR_ITIST07_AVDT12RWDC",
                "description": "Protocols and ports from AVD T1 to RWDC",
                "packets": [
                    "PGR_ITIST07_UDP_53",
                    "PGR_ITIST07_UDP_7000-8000",
                    "PGR_ITIST07_TCP_2000",
                    "PGR_ITIST07_ICMP_7"
                ]
            },
            {
                "name": "PGR_ITIST07_AVDT22RWDC",
                "description": "Protocols and ports from AVD T2 to RWDC",
                "packets": [
                    "PGR_ITIST07_UDP_7000-8000",
                    "PGR_ITIST07_TCP_3000",
                    "PGR_ITIST07_ICMP_8"
                ]
            },
            {
                "name": "PGR_ITIST07_AVD2SCCM",
                "description": "Protocols and ports from AVD to SCCM",
                "packets": [
                    "PGR_ITIST07_UDP_7000-8000",
                    "PGR_ITIST07_UDP_67",
                    "PGR_ITIST07_TCP_9000-10000",
                    "PGR_ITIST07_IP_51"
                ]
            },
            {
                "name": "PGR_ITIST07_BOGUS",
                "description": null,
                "packets": [
                    "PGR_ITIST07_UDP_7000-8000",
                    "PGR_ITIST07_UDP_67"
                ]
            }
        ],
        "groups": [
            "PGR_ITIST07_GROUP1",
            "PGR_ITIST07_GROUP2"
        ],
        "inner_groups": [{
                "name": "PGR_ITIST07_GROUP1",
                "parent": null,
                "description": "PGR_ITIST07_GROUP1",
                "services": [
                    "PGR_ITIST07_AVD2SCCM",
                    "PGR_ITIST07_AVDT22RWDC"
                ],
                "packets": [
                    "PGR_ITIST07_TCP_21",
                    "PGR_ITIST07_ICMP_6"
                ]
            },
            {
                "name": "PGR_ITIST07_GROUP2",
                "parent": "PGR_ITIST07_GROUP1",
                "description": "PGR_ITIST07_GROUP2",
                "services": [ ],
                "packets": [
                    "PGR_ITIST07_TCP_3000"
                ]
            }
        ]
    }

whitej6 commented 1 year ago

Great idea, will need to review internally on introducing nested groups and what level of sanity validation would be needed from the Django ORM perspective.
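Added example in Python, not code from nautobot-app-firewall-models or from the issue's author, covering the nesting proposed in the first comment, the Service Catalog serialization posted above, and the sanity validation raised in the previous comment: a child group inherits its parent's members (GROUP4 = GROUP3 + SERVICE4), a group is flattened to its effective set of protocol/port tuples, and unknown references or parent cycles are rejected before anything is resolved. The catalog below is a constructed, trimmed copy of the posted one (names shortened, icons and descriptions dropped, one extra group added for a two-level chain); the field names come from the posted JSON, the function and class names are my own.

```python
"""Resolve nested Service Groups that carry a 'parent' link.

Added example, not code from nautobot-app-firewall-models. A child group
inherits its parent's members; resolution walks the parent chain after
validating that every parent exists and the chain terminates at null.
"""
import json

# Constructed sample: trimmed copy of the posted catalog plus GROUP3,
# which shows a two-level parent chain (GROUP3 -> GROUP2 -> GROUP1).
CATALOG_JSON = """
{
  "inner_packets": [
    {"name": "UDP_53", "protocol": 17, "ports": [53]},
    {"name": "TCP_21", "protocol": 6, "ports": [21]},
    {"name": "TCP_3000", "protocol": 6, "ports": [3000]},
    {"name": "TCP_9000-10000", "protocol": 6, "ports": [9000, 10000]},
    {"name": "ICMP_6", "protocol": 1, "icmp_code": 6}
  ],
  "inner_services": [
    {"name": "AVD2SCCM", "packets": ["UDP_53", "TCP_9000-10000"]},
    {"name": "AVDT22RWDC", "packets": ["TCP_3000", "ICMP_6"]}
  ],
  "inner_groups": [
    {"name": "GROUP1", "parent": null,
     "services": ["AVD2SCCM", "AVDT22RWDC"], "packets": ["TCP_21"]},
    {"name": "GROUP2", "parent": "GROUP1", "services": [], "packets": ["TCP_3000"]},
    {"name": "GROUP3", "parent": "GROUP2", "services": [], "packets": []}
  ]
}
"""


class CatalogError(ValueError):
    """Raised for dangling references or a parent cycle in the catalog."""


def load_catalog(text):
    """Index packets, services and groups by name."""
    data = json.loads(text)
    return (
        {p["name"]: p for p in data["inner_packets"]},
        {s["name"]: s for s in data["inner_services"]},
        {g["name"]: g for g in data["inner_groups"]},
    )


def validate_groups(groups):
    """Every parent must exist and following parents must end at null."""
    for name, group in groups.items():
        chain = [name]
        parent = group.get("parent")
        while parent is not None:
            if parent not in groups:
                raise CatalogError(f"{name}: unknown parent {parent!r}")
            if parent in chain:
                raise CatalogError("parent cycle: " + " -> ".join(chain + [parent]))
            chain.append(parent)
            parent = groups[parent].get("parent")


def packet_key(packet):
    """Normalise to (protocol, low, high) so single ports, port ranges and
    ICMP codes compare uniformly; bare IP protocols get (proto, None, None)."""
    if "ports" in packet:
        ports = packet["ports"]
        return (packet["protocol"], ports[0], ports[-1])
    code = packet.get("icmp_code")
    return (packet["protocol"], code, code)


def resolve_group(name, packets, services, groups):
    """Effective packet set: own packets, own services' packets, then
    everything inherited up the parent chain, deduplicated."""
    validate_groups(groups)
    if name not in groups:
        raise CatalogError(f"unknown group {name!r}")
    resolved = set()
    current = name
    while current is not None:
        group = groups[current]
        members = list(group.get("packets", []))
        for svc in group.get("services", []):
            if svc not in services:
                raise CatalogError(f"{current}: unknown service {svc!r}")
            members.extend(services[svc]["packets"])
        for pkt in members:
            if pkt not in packets:
                raise CatalogError(f"{current}: unknown packet {pkt!r}")
            resolved.add(packet_key(packets[pkt]))
        current = group.get("parent")
    return resolved


def resolve_catalog_group(name, text=CATALOG_JSON):
    """Parse the catalog text and resolve one group by name."""
    return resolve_group(name, *load_catalog(text))


if __name__ == "__main__":
    for group_name in ("GROUP1", "GROUP2", "GROUP3"):
        print(group_name, sorted(resolve_catalog_group(group_name)))
```

GROUP2 and GROUP3 resolve to exactly GROUP1's five tuples: GROUP2's own TCP_3000 is already inherited through AVDT22RWDC, which is the deduplication the flattened view gives you. Validation runs on every resolve because a parent link is a free-form reference in the serialization; in the ORM the equivalent check belongs in the model's clean() so a self-referencing or cyclic parent can never be saved.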

bvilajol commented 1 year ago

Hi there, as of now I went deep into two different and quite opposite firewall manufacturer APIs. Main focus is to serialize custom objects yet extending a base one (service, address, etc. up to ruleset). Implemented. For both cases I could say (testing alternatives) that the way to achieve "infinite" levels of inheritance between service and service group is to use the same serializer object towards the foreign API endpoint: the existence of a "members" or similar key within the returned object is the only difference between a service and a service group. Although this code is not yet in my own dev-lab for nauto (the Azure extension for secrets provider is), there is no problem to share. Btw: what an evolution in 6 months, nice to see!