Citrix NetScaler Parser (#153)

* feat: Add parser for Citrix NetScaler

* test: ✅ Add compliance tests for NetScaler

* docs: 📝 Update docs to add NetScaler parser to list

* test: ✅ Add tests for cmdPolicy and ssl features

* docs: 📝 Add documentation around parent/child missing in NS parser

* docs: 📝 Fix indentation in documentation

* revert: Revert indentation

* revert: Revert deleted empty line

Co-authored-by: Justin Drew <jdrew82@users.noreply.github.com>

Author: jdrew82

docs/dev/dev_config.md

@@ -22,6 +22,10 @@ The "ltm rule" configuration sections are not uniform nor standardized; therefor
 
 The section banners have been simplified to extract the section header itself. This means that `echo "System Configuration"` will be converted to just "System Configuration".
 
+### Citrix NetScaler Parser
+
+As the NetScaler configuration uses each line to make a specific configuration change there is no support for parent/child relationships in the parser.
+
 ### Duplicate Line Detection
 
 In some circumstances replacing lines, such as secrets without uniqueness in the replacement, will result in duplicated lines that are invalid configuration, such as::
@@ -68,4 +72,4 @@ There are a series of considerations documented below, when developing a new par
     - Generally a class method should provide a `comment_chars` and `banner_start` as well as sometimes `banner_end`.
     - Generally on the `__init__` should call the `build_config_relationship` method.
     - Often can inherit directly from `CiscoConfigParser`.
-    - Observe the existing patterns, make use of `super`, and inheritance to reuse existing code.
+    - Observe the existing patterns, make use of `super`, and inheritance to reuse existing code.

docs/dev/include_parser_list.md

@@ -6,6 +6,7 @@
 | cisco_asa | netutils.config.parser.ASAConfigParser |
 | cisco_ios | netutils.config.parser.IOSConfigParser |
 | cisco_nxos | netutils.config.parser.NXOSConfigParser |
+| citrix_netscaler | netutils.config.parser.NetscalerConfigParser |
 | fortinet_fortios | netutils.config.parser.FortinetConfigParser |
 | juniper_junos | netutils.config.parser.JunosConfigParser |
 | linux | netutils.config.parser.LINUXConfigParser |

netutils/config/compliance.py

@@ -15,6 +15,7 @@
     "cisco_asa": parser.ASAConfigParser,
     "fortinet_fortios": parser.FortinetConfigParser,
     "nokia_sros": parser.NokiaConfigParser,
+    "citrix_netscaler": parser.NetscalerConfigParser,
 }
 
 # TODO: Once support for 3.7 is dropped, there should be a typing.TypedDict for this which should then also be used

netutils/config/parser.py

@@ -1172,3 +1172,15 @@ def config_lines_only(self) -> str:
                         config_lines.append(line.rstrip())
             self._config = "\n".join(config_lines)
         return self._config
+
+
+class NetscalerConfigParser(BaseSpaceConfigParser):
+    """Netscaler config parser."""
+
+    comment_chars: t.List[str] = []
+    banner_start: t.List[str] = []
+
+    @property
+    def banner_end(self) -> str:
+        """Demarcate End of Banner char(s)."""
+        raise NotImplementedError("Netscaler platform doesn't have a banner.")

tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_backup.txt

@@ -0,0 +1,85 @@
+#NS13.0 Build 84.11
+# Last modified Fri Dec  31 12:00:01 2021
+set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED
+set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED
+set ns param -timezone "GMT+00:00-UTC"
+set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled
+set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled
+set ssl parameter -defaultProfile ENABLED
+enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER
+add route 192.168.0.0 255.255.0.0
+set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string
+set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
+set HA node -failSafe ON
+set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
+set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
+add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
+add authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
+add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01
+add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02
+bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT
+bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT
+add system group Admin -timeout 900
+bind system group Admin -policyName superuser 100
+add system group Support -timeout 900
+bind system group Support -policyName XX-CMD-read-only 100
+bind system group Support -policyName XX-CMD-partition-read-only 110
+add system group Networking -timeout 900
+bind system group Networking -policyName XX-CMD-operator 100
+bind system group Networking -policyName XX-CMD-partition-operator 110
+add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
+add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
+add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
+add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
+set audit syslogParams -userDefinedAuditlog YES
+set audit nslogParams -userDefinedAuditlog YES
+add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP
+add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog
+bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010
+set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational
+set snmp alarm HA-STATE-CHANGE -severity Informational
+set snmp alarm IP-CONFLICT -severity Warning
+set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical
+set snmp alarm POWER-SUPPLY-FAILURE -severity Minor
+set snmp alarm SSL-CARD-FAILED -severity Minor
+set snmp alarm SSL-CERT-EXPIRY -severity Warning
+add snmp view READ 1 -type included
+add snmp group NETMON-GROUP authpriv -readViewName READ
+add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234
+add ssl cipher XX-CIPHER-GROUP_1.0_v01
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
+add ssl cipher XX-CIPHER-GROUP_1.2_v01
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+add ssl cipher XX-CIPHER-GROUP_1.2_v02
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
+add ssl cipher XX-CIPHER-LIST_256
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
+add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
+add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
+add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE

tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_feature.py

@@ -0,0 +1,5 @@
+features = [
+    {"name": "user", "ordered": False, "section": ["set system user "]},
+    {"name": "cmdPolicy", "ordered": False, "section": ["add system cmdPolicy "]},
+    {"name": "ssl", "ordered": False, "section": ["add ssl ", "bind ssl "]},
+]

tests/unit/mock/config/compliance/compliance/citrix_netscaler/netscaler_basic_intended.txt

@@ -0,0 +1,42 @@
+set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
+add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
+add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
+add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
+add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
+add ssl cipher XX-CIPHER-GROUP_1.0_v01
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
+add ssl cipher XX-CIPHER-GROUP_1.2_v01
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+add ssl cipher XX-CIPHER-GROUP_1.2_v02
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
+bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
+add ssl cipher XX-CIPHER-LIST_256
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
+bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
+add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
+add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
+add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE