-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Misc updates for cisco router configurations #466
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need changes to enable_password and variable_password. Recommend offline discussion due to complexity of implementing lexer modes.
@@ -491,6 +491,11 @@ variable_interface_name | |||
NAME | NEWLINE | TAG | TRACK | VARIABLE ) | |||
; | |||
|
|||
variable_password | |||
: | |||
(~NEWLINE)+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With respect to ENCRYPTED
:
Based on the usage above, the variable_password
rule must specifically exclude ENCRYPTED
, or it will swallow it. Therefore a potential definition here is: ~(NEWLINE | ENCRYPTED)+
Also, any definition that generally eats up non-newline tokens will necessarily swallow up the variable
named seed
in the change to enable_password
above. That is, seed
will never be assigned. In fact this is visible in the updated reference output in this PR. The only solution that will allow a multi-token password will necessitate use of lexer modes and at least some modification to variable_password
. This is tricky, and we should discuss in depth if you want to fix yourself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no desire to learn the deep complexity of ANTLR... so if it's easy for you to fix, by all means do so. We encountered the 'enable password' line on an ASA, so... as long as that doesn't throw a parsing error as it did previously, that's all I care about. :)
I don't think Batfish currently does anything with the password anyways, so if it swallowed the seed then that's probably "ok", though probably not the Right Thing to do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's fine. I'll just finish this one then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are breaking changes here. Please add unit tests justifying each change here, so I know how to fix.
@@ -237,6 +238,7 @@ null_block | |||
| TEMPLATE | |||
| TERMINAL | |||
| TIME_RANGE | |||
| TIMEOUT |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a breaking change. It needs to be more granular. In particular, it interferes with ts_timeout
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sad.. it's true, I hadn't ran the unit tests yet. Alright, I'll fix it on Friday. Here are some of the line(s):
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
... there are a bunch of other variations also
From ASA command reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html?dtid=osscdc0002833#pgfId-1649892
btw, If you made your other changes (the encrypted variable stuff), you could just cherry pick the first commit from this and push that and I'll fix the second commit later. |
@@ -6,5 +6,6 @@ enable secret 5 $1$aaaaaaaaaaaaaaaaaaaaaaaaaaa | |||
enable super-user-password aaaaaaaaaaaaaaaaaaaaa | |||
enable telnet authentication | |||
enable telnet password aaaaaaaaaaaaaaaaaaaaaaaaa | |||
enable password $sha512$5000$98pqLCa2lpNvN6gnQl3zyQ==$QvdeF/4EqAATT2/e64ujg== woldj4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What configuration language is this? I cannot enter this on my ASA VM. Also, it looks like it contains an invalid base64 string after the last $
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The password was from an ASA and 'looks like' that (the important part that breaks parsing are the random $
symbols and the last part) -- but in reality I just randomly changed various characters so it wouldn't match, so I'm not surprised it's not a valid base64 string.
I didn't create the ASA config, @asydney did, so if the password isn't sensitive I suspect he could share the original string if you need it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No I just made it valid base64 by inserting a character. It's just a hash, so I don't need anything original.
#481 has been merged. You should update this branch before your next review request. |
ca49057
to
3a56b45
Compare
Updated, should be good to go now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes to the cisco_misc file do not nearly justify the changes to the grammar files. Please add complete unit tests justifying all changes.
By the way, a recently merged PR includes major changes to the Cisco parser/lexer files. Don't merge it into your PR - I will resolve conflicts myself after this is ready to go.
Alright. I won't have time to get to it until late next week. |
3a56b45
to
0a248b4
Compare
Sorry for the delay on this, we got redirected and paused for awhile. I added more to the tests, this should be ready to be merged now. |
Hey thanks for the update! I just need a few more unit test lines from you. See inline comments. Reviewed 6 of 6 files at r1. projects/batfish/src/main/antlr4/org/batfish/grammar/cisco/Cisco_ignored.g4, line 919 at r1 (raw file):
Missing unit test. projects/batfish/src/main/antlr4/org/batfish/grammar/cisco/Cisco_ospf.g4, line 194 at r1 (raw file):
Missing unit test. projects/batfish/src/main/antlr4/org/batfish/grammar/cisco/CiscoLexer.g4, line 10678 at r1 (raw file):
Missing parser rule referencing this token, and missing unit test. Comments from Reviewable |
Updated. |
Reviewed 3 of 3 files at r2, 1 of 1 files at r3. Comments from Reviewable |
Found on a cisco ASA
This change is