Re-enable policies

opus-codium · Sep 18, 2021 · 009a270 · 009a270
1 parent c9eaba3
commit 009a270
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 12 deletions.
diff --git a/features/policies.feature b/features/policies.feature
@@ -0,0 +1,48 @@
+Feature: Policies
+  Scenario: Default policy
+    Given a file named "network.rb" with:
+    """
+    policy :block
+    node 'example.com' do
+      pass :in, proto: :tcp, to: { port: 443 }
+    end
+    node 'example.net' do
+      policy :pass
+      block :in, proto: :tcp, to: { port: 443 }
+    end
+    """
+    And a file named "network.melt" with:
+    """
+    policy block
+    node 'example.com' do
+      pass in proto tcp from any to any port 443
+    end
+    node 'example.net' do
+      policy pass
+      block in proto tcp from any to any port 443
+    end
+    """
+    When I successfully run `melt generate -f Pf network.rb example.com`
+    Then the stdout should contain:
+    """
+    block in all
+    block out all
+    """
+    When I successfully run `melt generate -f Pf network.rb example.net`
+    Then the stdout should contain:
+    """
+    pass in all
+    pass out all
+    """
+    When I successfully run `melt generate -f Pf network.melt example.com`
+    Then the stdout should contain:
+    """
+    block in all
+    block out all
+    """
+    When I successfully run `melt generate -f Pf network.melt example.net`
+    Then the stdout should contain:
+    """
+    pass in all
+    pass out all
+    """
diff --git a/lib/melt/cli.rb b/lib/melt/cli.rb
@@ -31,18 +31,15 @@ def initialize
             obj = Melt::Dsl.new
             obj.eval_network(args[:network])
             rules = obj.ruleset_for(args[:hostname])
-            # FIXME: policy = obj.policy_for(args[:hostname])
+            policy = obj.policy_for(args[:hostname])
           else
             obj = cli.load_config(args[:network])
             rules = obj.ruleset_for(args[:hostname])
-            # FIXME: Manage policy
-            # policy = config.policy_for(args[:hostname])
+            policy = obj.policy_for(args[:hostname])
           end
 
           formatter = Object.const_get("Melt::Formatters::#{opts[:formatter]}::Ruleset").new
-          # FIXME: Manage policy
-          # puts formatter.emit_ruleset(rules, policy)
-          puts formatter.emit_ruleset(rules)
+          puts formatter.emit_ruleset(rules, policy)
         end
       end
 

diff --git a/lib/melt/parser.y b/lib/melt/parser.y
@@ -2,7 +2,7 @@ class Melt::Parser
 rule
   target: assignation target
         | node target
-        | policy target
+        | policy target { @default_policy = val[0] }
         | service target
         |
         ;
@@ -27,8 +27,8 @@ rule
               | STRING
               ;
 
-  node: NODE '{' node_name_list '}' block { @nodes[val[2]] = val[4] }
-      | NODE node_name block              { @nodes[val[1]] = val[2] }
+  node: NODE '{' node_name_list '}' block_with_policy { @nodes[val[2]] = val[4]; @saved_policies[val[2]] = @policy }
+      | NODE node_name block_with_policy              { @nodes[val[1]] = val[2]; @saved_policies[val[1]] = @policy }
       ;
 
   node_name_list: node_name_list ',' node_name { result = val[0] + [val[2]] }
@@ -40,19 +40,23 @@ rule
            | REGEX
            ;
 
+  block_with_policy: '{' policy rules '}' { @policy = val[1]; result = val[2] }
+                   | DO policy rules END  { @policy = val[1]; result = val[2] }
+                   | block                { @policy = nil; result = val[0] }
+                   ;
+
   block: '{' rules '}' { result = val[1].freeze }
        | DO rules END  { result = val[1].freeze }
        ;
 
   rules: pf_rule rules    { result = val[0] + val[1] }
        | ipv4_block rules { result = val[0] + val[1] }
        | ipv6_block rules { result = val[0] + val[1] }
-       | policy rules     { result = val[1] } # FIXME policy
        |                  { result = [] }
        ;
 
-  policy: POLICY action
-        | POLICY LOG
+  policy: POLICY action { result = val[1][:action] }
+        | POLICY LOG    { result = 'log' }
         ;
 
   ipv4_block: IPV4 DO rules END  { result = val[2].reject { |x| x[:af] == :inet6 }.map { |x| x[:af] = :inet ; x } }
@@ -185,6 +189,7 @@ require 'strscan'
 ---- inner
 
   attr_accessor :yydebug
+  attr_reader :policy
   #attr_accessor :variables, :nodes, :services
 
   def ipaddress?(s)
@@ -293,6 +298,7 @@ require 'strscan'
     super
     @variables = {}
     @nodes = {}
+    @saved_policies = {}
     @services = {} 
     @rule_factory = Melt::RuleFactory.new
   end
@@ -308,3 +314,7 @@ require 'strscan'
       rule_factory.build(r)
     end.flatten
   end
+
+  def policy_for(hostname)
+    @saved_policies[hostname] || @default_policy || :block
+  end