Version 2.1.2

Author: Jean-François Hivert

README.md

@@ -1,9 +1,12 @@
-# PHP-CLI SHELL for FIREWALL
+PHP-CLI SHELL for FIREWALL
+-------------------
 
 This repository is the addon for PHP-CLI SHELL about FIREWALL (acl) service.  
 With this addon you can create ACLs (monosite, failover and fullmesh) and generate template for your firewall appliance.  
 It is possible to upload ACLs config file to firewall with SCP. For SCP, you can use an SSH bastion.    
 
+![demo](documentation/readme/demo.gif)
+
 For the moment, there are 3 templates:
 * Juniper JunOS  
   __there are 2 templates for Juniper JunOS: one formated with {} and one with set commands__
@@ -21,7 +24,8 @@ ACL failover:
 You have to use base PHP-CLI SHELL project that is here: https://github.com/cloudwatt/php-cli-shell_base
 
 
-# INSTALLATION
+INSTALLATION
+-------------------
 
 #### APT PHP
 Ubuntu only, you can get last PHP version from this PPA:  
@@ -40,35 +44,58 @@ pcre.jit=0
 ```
 *To locate your php.ini, use this command: php -i | grep "Configuration File"*
 
+
+## USE PHAR
+
+#### WIZARD
+
+Download last PHAR release and its key from [releases](https://github.com/cloudwatt/php-cli-shell_firewall/releases)
+
+![wizard](documentation/readme/wizard.gif)
+
+Wizard help:
+`$ php php-cli-shell.phar --help`
+
+Create firewall configuration with command:  
+`$ php php-cli-shell.phar configuration:application:factory firewall`  
+*For more informations about configuration file, see 'CONFIGURATION FILE' section*
+
+Create firewall launcher with command:
+`$ php php-cli-shell.phar launcher:application:factory firewall`
+
+__*The PHAR contains all PHP-CLI SHELL components (Base, DCIM, IPAM and Firewall)*__
+
+
+## USE SOURCE
+
 #### REPOSITORIES
 * git clone https://github.com/cloudwatt/php-cli-shell_base
-* git checkout tags/v2.1.1
+* git checkout tags/v2.1.2
 * git clone https://github.com/cloudwatt/php-cli-shell_firewall
-* git checkout tags/v2.1.1
+* git checkout tags/v2.1.2
 * Merge these two repositories
 
 #### PHPIPAM (Optionnal)
 If you have PHPIPAM and you want object name autocompletion, you have to perform these steps:
 * git clone https://github.com/cloudwatt/php-cli-shell_phpipam
-* git checkout tags/v2.1.1
+* git checkout tags/v2.1.2
 * Merge this repository with two previous repositories (base and firewall)
-* Install PHP-CLI SHELL for PHPIPAM with README helper  
-  https://github.com/cloudwatt/php-cli-shell_phpipam
+* Install PHP-CLI SHELL for PHPIPAM with [README](https://github.com/cloudwatt/php-cli-shell_phpipam) helper
 
 #### CONFIGURATION FILE
 __[env] is not used by PHP-CLI, it is for user when he has many environments or sites to managed__
-* mv applications/firewall/configurations/firewall.envA.json.example configurations/firewall.[env].json
+* mv configurations/firewall.envA.json.example configurations/firewall.[env].json
 * vim configurations/firewall.[env].json
     * Adapt configuration to your network topology
 	* Of course you can add more than two sites
 	* Do not change topology attribute names: internet, onPremise, interSite, private
 * Optionnal
     * You can create user configuration files for base and firewall services to overwrite some configurations  
 	  These files will be ignored for commits, so your user config files can not be overwrited by a futur release
-	* mv applications/firewall/configurations/firewall.envA.user.json.example configurations/firewall.[env].user.json
+	* mv configurations/firewall.envA.user.json.example configurations/firewall.[env].user.json
 	* vim configurations/firewall.[env].user.json
 	  Change configuration like path or file
-	* All *.user.json files are ignored by .gitignore
+	* All \*.user.json files are ignored by .gitignore
 * Juniper JunOS
     * In firewall.json, you can change the configuration push method:  
 	```json
@@ -98,36 +125,26 @@ __[env] is not used by PHP-CLI, it is for user when he has many environments or
 * vim firewall.[env].php
     * Change [env] with the name of your environment
 
+
+EXECUTION
+-------------------
+
 #### CREDENTIALS FILE
 __*Change informations which are between []*__
 * vim credentialsFile
     * read -sr USER_PASSWORD_INPUT
-	* export SSH_SYS_LOGIN=[YourSystemLoginHere]
-	* export SSH_NET_LOGIN=[YourNetworkLoginHere]
-	* export SSH_NET_PASSWORD=$USER_PASSWORD_INPUT  
-	__Bastion authentication must be base on certificate__  
-
-	__PHPIPAM__ (Only if you use PHPIPAM service/addon)  
-	/!\ For security reason, use a read only account!
-	* export IPAM_[IPAM_SERVER_KEY]_LOGIN=[YourLoginHere]
+        * export SSH_SYS_LOGIN=[YourSystemLoginHere]
+        * export SSH_NET_LOGIN=[YourNetworkLoginHere]
+        * export SSH_NET_PASSWORD=$USER_PASSWORD_INPUT  
+        __Bastion authentication must be base on certificate__
+
+        __PHPIPAM__ (Only if you use PHPIPAM service/addon)
+        /!\ For security reason, use a read only account!
+        * export IPAM_[IPAM_SERVER_KEY]_LOGIN=[YourLoginHere]
     * export IPAM_[IPAM_SERVER_KEY]_PASSWORD=$USER_PASSWORD_INPUT  
-	__Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file__  
-
-
-# EXECUTION
+        __Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file__
 
 #### SHELL
 Launch PHP-CLI Shell for FIREWALL service
 * source credentialsFile
 * php firewall.[env].php
-
-#### CLI
-Call commands directly from your OS shell.  
-__*Informations between [] are optionnal*__
-* source credentialsFile
-* php firewall.php --site name|all --create_host "name;IPv4[;IPv6]" --create_subnet "name;IPv4/mask[;IPv6/mask]" --create_network "name;IPv4-IPv4[;IPv6-IPv6]"  
-  --create_rule monosite|failover [--fullmesh] --action permit|deny  
-  --source_host name --source_subnet name --source_network name  
-  --destination_host name --destination_subnet name --destination_network name  
-  --protocol protocol;number[-number] --description maDescription  
-  --save [name;[force]] --export_configuration "junos[;force]"

applications/firewall/configurations/demo.json

@@ -0,0 +1,69 @@
+{
+	"FIREWALL": {
+		"sites": {
+			"datacenter_A": {
+				"location": "Paris, FRANCE",
+				"hostname": "firewall_dcA",
+				"ip": false,
+				"os": "juniper-junos",
+				"gui": false,
+				"scp": false,
+				"scp_loginCredential": false,
+				"scp_loginEnvVarName": false,
+				"scp_passwordCredential": false,
+				"scp_passwordEnvVarName": false,
+				"scp_remoteFile": false,
+				"ssh_remotePort": false,
+				"ssh_bastionHost": false,
+				"ssh_bastionPort": false,
+				"ssh_portForwarding": false,
+				"ssh_loginCredential": false,
+				"ssh_loginEnvVarName": false,
+				"ssh_passwordCredential": false,
+				"ssh_passwordEnvVarName": false,
+				"zones": {
+					"WAN": {
+						"ipv4": [ "0.0.0.0/0" ],
+						"ipv6": [ "::/0" ]
+					},
+					"LOCAL":	{
+						"ipv4": [ "10.0.0.0/16" ],
+						"ipv6": [ "2000::/64" ]
+					},
+					"__PRIVATE__": {
+						"ipv4": [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ],
+						"ipv6": [ ]
+					}
+				},
+				"topology": {
+					"onPremise": [ "LOCAL" ],
+					"interSite": {
+					},
+					"private": [ "__PRIVATE__" ],
+					"internet": [ "WAN" ]
+				},
+				"metadata": {
+				},
+				"options": {
+				}
+			}
+		},
+		"configuration": {
+			"paths": {
+				"objects": "backup/firewall/objects.json",
+				"configs": "backup/firewall/configurations",
+				"exports": "tmp/firewall",
+				"autosave": "backup/firewall/autosave.json",
+				"templates": "templates/firewall"
+			},
+			"autosave": {
+				"status": false
+			},
+			"templates": {
+				"juniper-junos_set": {
+					"updateMode": "replace"
+				}
+			}
+		}
+	}
+}

applications/firewall/launchers/firewall.php

@@ -1,7 +1,7 @@
 <?php
 	namespace App\Firewall;
 
-	require_once(ROOT_DIR . '/launchers/abstract.php');
+	require_once(PROJECT_ROOT_DIR . '/launchers/abstract.php');
 
 	class Launcher_Firewall extends \Launcher_Abstract
 	{

applications/firewall/shell/firewall.php

@@ -396,9 +396,15 @@ class Shell_Firewall extends Cli\Shell\Shell
 		protected $_sites = null;
 
 
-		public function __construct($configFilename, array $servers, $autoInitialisation = true)
+		/**
+		  * @param string|array|Core\Config $configuration
+		  * @param array $servers IPAM server keys
+		  * @param bool $autoInitialisation
+		  * @return $this
+		  */
+		public function __construct($configuration, array $servers = array(), $autoInitialisation = true)
 		{
-			parent::__construct($configFilename);
+			parent::__construct($configuration);
 
 			if(!$this->isOneShotCall()) {
 				$printInfoMessages = true;

applications/firewall/shell/program/firewall/config/extension/csv.php

@@ -123,6 +123,7 @@ protected function _save(array $configs, $filename)
 
 			$fileExists = file_exists($filename);
 			$pathname = pathinfo($filename, PATHINFO_DIRNAME);
+			$pathname = C\Tools::pathname($pathname, true, true);		// Permet juste le mkdir
 
 			if((!$fileExists && is_writable($pathname)) || ($fileExists && is_writable($filename)))
 			{

applications/firewall/shell/program/firewall/config/extension/json.php

@@ -197,6 +197,7 @@ protected function _save(array $configs, $filename)
 
 			$fileExists = file_exists($filename);
 			$pathname = pathinfo($filename, PATHINFO_DIRNAME);
+			$pathname = C\Tools::pathname($pathname, true, true);		// Permet juste le mkdir
 
 			if((!$fileExists && is_writable($pathname)) || ($fileExists && is_writable($filename)))
 			{

applications/firewall/shell/program/firewall/object/rule.php

@@ -874,6 +874,8 @@ public function filterFlow($type, $filter, $strict = false)
 									$flows[] = new ArrayObject(array(
 										'ruleId' => $ruleId,
 										'ruleName' => $Firewall_Api_Rule->name,
+										'state' => $Firewall_Api_Rule->state,
+										'action' => $Firewall_Api_Rule->action,
 										'source' => $Core_Api_Address__src,
 										'destination' => $Core_Api_Address__dst,
 										'protocol' => $Core_Api_Protocol
@@ -885,7 +887,7 @@ public function filterFlow($type, $filter, $strict = false)
 
 					$time2 = microtime(true);
 					$this->_TERMINAL->deleteMessage(1, true);
-					$this->_SHELL->print("Inventaire des flows (".round($time2-$time1)."s) [OK]", 'green');
+					$this->_SHELL->print("Inventaire des flows {".count($flows)."} (".round($time2-$time1)."s) [OK]", 'green');
 					$this->_SHELL->print("Vérification doublons ...", 'orange');
 
 					foreach($flows as $index_a => $flow_a)
@@ -895,10 +897,10 @@ public function filterFlow($type, $filter, $strict = false)
 
 						foreach($flows as $index_b => $flow_b)
 						{
-							if($index_a === $index_b) {
+							if($index_a >= $index_b) {
 								continue;
 							}
-							else
+							elseif($flow_a->action === $flow_b->action)
 							{
 								/**
 								  * /!\ A peut ne pas inclure B mais B peut inclure A