Skip to content

Commit

Permalink
JSON Schema support for Policy, Definition YAML files (aerleon#182)
Browse files Browse the repository at this point in the history 
Suggested VSCode configuration:

    "yaml.schemas": {
        "schemas/aerleon-config.schema.json": ["aerleon.yml"],
        "schemas/aerleon-policy-yaml.schema.json": ["*.policy.yaml", "policies/**/*.yaml"],
        "schemas/aerleon-definition-yaml.schema.json": ["*.definition.yaml", "def/**/*.yaml"],
    },

---------

Co-authored-by: Jason Benterou <[email protected]>
  • Loading branch information
@jtwb @jtwb2
jtwb and jtwb2 authored Feb 16, 2023
1 parent 8ee2337 commit 74f8ee7
Show file tree
Hide file tree
Showing 4 changed files with 260 additions and 11 deletions.
23 changes: 12 additions & 11 deletions policies/includes/untrusted-networks-blocking.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
terms:
- name: deny-from-bogons
comment: this is a sample edge input filter with a very very very long and
multi-line comment that also has multiple entries.
source-address: BOGON
action: deny
- name: deny-from-bogons
comment:
this is a sample edge input filter with a very very very long and
multi-line comment that also has multiple entries.
source-address: BOGON
action: deny

- name: deny-from-reserved
source-address: RESERVED
action: deny
- name: deny-from-reserved
source-address: RESERVED
action: deny

- name: deny-to-rfc1918
destination-address: RFC1918
action: deny
- name: deny-to-rfc1918
destination-address: RFC1918
action: deny
53 changes: 53 additions & 0 deletions schemas/aerleon-config.schema.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
{
"$id": "urn:aerleon:schemas:aerleon-config:1.0.0",
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "Aerleon CLI",
"description": "YAML Schema for Aerleon CLI tools",
"type": "object",
"properties": {
"base_directory": {
"type": "string",
"description": "When using the aclgen or aclcheck programs, base_directory specifies a root directory expected to contain policy files.\n\nRelative paths used in file includes will be resolved against base_directory.\n\nBy default, aclgen will process all policy files found within base_directory and any subdirectories of base_directory. If configured with --policy_file, aclgen will only process the file or files given by that flag.",
"minLength": 1
},
"definitions_directory": {
"type": "string",
"description": "When using the aclgen or aclcheck programs, definitions_directory specifies a root directory expected to contain network/service definition files.\n\nBoth aclgen and aclcheck will search this directory and its subdirectories for definition files and load them into memory. These definitions will be used to resolve network and service names referenced by policy files.",
"minLength": 1
},
"output_directory": {
"type": "string",
"description": "When using the aclgen program, output_directory controls where generated ACL files will be placed.\n\nGenerated ACL files will be placed in the current directory if ouput_directory is not set.",
"minLength": 1
},
"optimize": {
"type": "boolean",
"description": "When using the aclgen program, setting optimize to true causes the program to produce a more compact address book by collapsing adjacent or overlapping CIDR expressions within the same network.\n\nOn some platforms (Juniper SRX and platforms configured with the 'object-group' option) address book compression is restricted to only collapse addresses that share the same network token (name).\n\nThis flag is not enabled by default, although an secondary address book compression pass is always performed for Juniper SRX and Palo Alto Networks firewalls regardless of this setting."
},
"recursive": {
"type": "boolean",
"description": "UNUSED. This field is not used."
},
"debug": {
"type": "boolean",
"description": "When using the aclgen program, setting debug to true displays very detailed log messages."
},
"verbose": {
"type": "boolean",
"description": "UNUSED. This field is not used. To get detailed log messages, use 'debug'."
},
"max_renderers": {
"type": "integer",
"description": "When using the aclgen program, max_renderers controls the number of parallel processes used to render ACLs. The aclgen program uses Python's OS process-based multiprocessing, so setting max_renderers to '2' would cause aclgen to spawn two OS processes that will generate ACLs.\n\nSetting max_renderers to '1' will disable multiprocessing.\n\nBy default, max_renderers is set to '10'. Users may wish to set this to the number of available CPUs on the current system."
},
"shade_check": {
"type": "boolean",
"description": "When using the aclgen program, setting shade_check to true causes the program to produce a warning if any unreachable term is encountered."
},
"exp_info": {
"type": "integer",
"description": "When using the aclgen program, aclgen will produce a warning if it encounters a term set to expire in the near future. Expired terms are ignored. Setting exp_info controls the number of weeks ahead that aclgen will check for soon-to-expire terms.\n\nBy default, exp_info is set to '2' (two weeks)."
}
},
"additionalProperties": false
}
114 changes: 114 additions & 0 deletions schemas/aerleon-definition-yaml.schema.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$comment": "https://aerleon.readthedocs.io/en/latest/reference/naming/",
"title": "Aerleon Definition File",
"type": "object",
"additionalProperties": false,
"properties": {
"networks": {
"description": "An Aerleon definition file defines named networks and services which can be referenced by Aerleon Policy files. Networks are lists of IP addresses or CIDR IP address ranges. Services are lists of port/protocol pairs (e.g. tcp/80) and can include port ranges.\nDefinition files must include a \"networks\" section, a \"services\" section, or both.\nNetworks and services may use composition in their definitions. Include another definition by creating an item containing the \"name\" property.",
"type": "object",
"additionalProperties": { "$ref": "#/$defs/networkDefinition" },
"propertyNames": { "$ref": "#/$defs/token" }
},
"services": {
"description": "An Aerleon definition file defines named networks and services which can be referenced by Aerleon Policy files. Networks are lists of IP addresses or CIDR IP address ranges. Services are lists of port/protocol pairs (e.g. tcp/80) and can include port ranges.\nDefinition files must include a \"networks\" section, a \"services\" section, or both.\nNetworks and services may use composition in their definitions. Include another definition by creating an item containing the \"name\" property.",
"type": "object",
"additionalProperties": { "$ref": "#/$defs/serviceDefinition" },
"propertyNames": { "$ref": "#/$defs/token" }
}
},
"$defs": {
"token": {
"type": "string",
"pattern": "^[-_A-Z0-9]+$"
},
"comment": {
"description": "When inserting a network or service value you can attach a comment directly to that value. The comment will be loaded and potentially included in generated output on platforms that support it.",
"type": "string"
},
"address": {
"description": "When defining a network you can insert data as a specific IP address or a CIDR IP address range expression.",
"type": "string"
},
"networkDefinition": {
"type": "object",
"title": "Network Definition",
"description": "Defines a named network, composed of IP addresses, IP address ranges, and references to other networks.\nAn object with the \"address\" property adds that address or address range to the network.\nAn object with the \"name\" property includes the contents of that network into this one.\nA single string also includes the content of that network into this one.",
"additionalProperties": false,
"required": ["values"],
"properties": {
"values": {
"description": "Defines a named network, composed of IP addresses, IP address ranges, and references to other networks.\nAn object with the \"address\" property adds that address or address range to the network.\nAn object with the \"name\" property includes the contents of that network into this one.\nA single string also includes the content of that network into this one.",
"type": "array",
"items": {
"description": "Defines a named network, composed of IP addresses, IP address ranges, and references to other networks.\nAn object with the \"address\" property adds that address or address range to the network.\nAn object with the \"name\" property includes the contents of that network into this one.\nA single string also includes the content of that network into this one.",
"oneOf": [
{
"type": "string",
"$ref": "#/$defs/token"
},
{
"type": "object",
"required": ["address"],
"properties": {
"address": { "$ref": "#/$defs/address" },
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
},
{
"type": "object",
"required": ["name"],
"properties": {
"name": { "$ref": "#/$defs/token" },
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
}
]
}
}
}
},
"serviceDefinition": {
"type": "array",
"title": "ServiceDefinition",
"description": "Defines a named service, composed of portocol / port pairs and references to other services.",
"items": {
"oneOf": [
{
"type": "object",
"title": "ServiceValueEntry",
"description": "Describes a protocol / port pair or protocol / port range pair.",
"required": ["port", "protocol"],
"properties": {
"port": {
"oneOf": [
{ "type": "string", "pattern": "^\\d+-\\d+|^\\d+$" },
{ "type": "integer" }
]
},
"protocol": {
"oneOf": [{ "type": "integer" }, { "type": "string" }]
},
"comment": { "type": "string" }
},
"additionalProperties": false
},
{
"type": "object",
"title": "ServiceReference",
"description": "References another service.",
"required": ["name"],
"properties": {
"name": { "$ref": "#/$defs/token" },
"comment": { "type": "string" }
},
"additionalProperties": false
}
]
}
}
}
}
81 changes: 81 additions & 0 deletions schemas/aerleon-policy-yaml.schema.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
{
"$id": "urn:aerleon:schemas:aerleon-policy-yaml:1.0.0",
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "AerleonPolicyFile",
"description": "An Aerleon policy file represents a platform-agnostic network policy. It must define one or more filter objects.",
"oneOf": [
{ "$ref": "#/$defs/policyIncludeFile" },
{ "$ref": "#/$defs/policyFile" }
],
"$defs": {
"policyFile": {
"type": "object",
"title": "PolicyFile",
"description": "A policy file contains one or more filters, where each filter has a unique list of target platforms and a unique list of terms.",
"required": ["filters"],
"properties": {
"filters": {
"type": "array",
"items": { "$ref": "#/$defs/filter" }
}
}
},
"policyIncludeFile": {
"type": "object",
"title": "PolicyIncludeFile",
"description": "A policy include file only defines a list of terms. This file can be inserted into any list of terms.",
"required": ["terms"],
"properties": {
"terms": {
"type": "array",
"items": { "$ref": "#/$defs/term" }
}
}
},
"filter": {
"type": "object",
"required": ["header", "terms"],
"header": {
"type": { "$ref": "#/$defs/filterHeader" }
},
"terms": {
"type": "list",
"items": { "$ref": "#/$defs/term" }
},
"additionalProperties": true
},
"filterHeader": {
"type": "object",
"title": "FilterHeader",
"required": ["targets"],
"targets": {
"type": "object"
}
},
"term": {
"title": "Term",
"oneOf": [
{
"type": "object",
"required": "name",
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": true
},
{
"type": "object",
"required": "include",
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
]
}
}
}

0 comments on commit 74f8ee7

Please sign in to comment.