From f89baff3d7a143fa6ef3c9e434465bc62e2c1fce Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 10 Jun 2020 14:05:19 -0400
Subject: [PATCH] adding ability to assign hostgroup to single minion - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641

---
 .../assigned_hostgroups.local.map.yaml | 0
 .../firewall/hostgroups.local.yaml | 1 +
 .../firewall/portgroups.local.yaml | 0
 salt/firewall/init.sls | 5 ++--
 salt/firewall/map.jinja | 26 ++++++++++++++++++-
 5 files changed, 28 insertions(+), 4 deletions(-)
 rename {salt => files}/firewall/assigned_hostgroups.local.map.yaml (100%)
 rename {salt => files}/firewall/hostgroups.local.yaml (94%)
 rename {salt => files}/firewall/portgroups.local.yaml (100%)

diff --git a/salt/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml
similarity index 100%
rename from salt/firewall/assigned_hostgroups.local.map.yaml
rename to files/firewall/assigned_hostgroups.local.map.yaml
diff --git a/salt/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
similarity index 94%
rename from salt/firewall/hostgroups.local.yaml
rename to files/firewall/hostgroups.local.yaml
index f933dd7c4..dad7200c6 100644
--- a/salt/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -20,6 +20,7 @@ firewall:
 ips:
 delete:
 insert:
+ - 10.10.10.10
 minion:
 ips:
 delete:
diff --git a/salt/firewall/portgroups.local.yaml b/files/firewall/portgroups.local.yaml
similarity index 100%
rename from salt/firewall/portgroups.local.yaml
rename to files/firewall/portgroups.local.yaml
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 12e6366a7..83949349f 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
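Review bot: The added `- 10.10.10.10` under `insert:` reads like test data rather than a real entry: the file is being moved under files/ as the shipped local-override template, and as committed it pre-populates the hostgroup just above `minion:` (its name is outside the hunk) with that address, so any rule generated for that group would presumably admit 10.10.10.10 wherever the template is deployed unchanged. If it is meant to show the expected format, keep it as a comment next to the existing `insert:` key, `#        - 10.10.10.10`, so the default stays empty.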
@@ -1,7 +1,6 @@
 # Firewall Magic for the grid
 {% from 'firewall/map.jinja' import hostgroups with context %}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context %}
-{% set role = grains.id.split('_') | last %}
 
 # Quick Fix for Docker being difficult
 iptables_fix_docker:
@@ -85,8 +84,8 @@ enable_docker_user_established:
 - match: conntrack
 - ctstate: 'RELATED,ESTABLISHED'
 
-{% for chain, hg in assigned_hostgroups.role[role].chain.items() %}
- {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %}
+{% for chain, hg in assigned_hostgroups.chain.items() %}
+ {% for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
 {% for action in ['insert', 'delete' ] %}
 {% if hostgroups[hostgroup].ips[action] %}
 {% for ip in hostgroups[hostgroup].ips[action] %}
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 32669692f..0f1b3c05b 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
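Review bot: `{% set role = grains.id.split('_') | last %}` is removed from init.sls, but only `hostgroups` and `assigned_hostgroups` are imported from map.jinja, so `role` is no longer defined anywhere in this file; if it is still referenced further down init.sls (outside this hunk) the state will fail to render with an undefined-variable error. A grep before merging settles it, and if the name is still needed `{% from 'firewall/map.jinja' import role with context %}` keeps a single definition.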
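Review bot: `{% if hostgroups[hostgroup].ips[action] %}` (context just below the two changed loop lines) still indexes `hostgroups` by whatever name appears in `assigned_hostgroups`, and after this commit those names can also come from pillar via map.jinja, so a hostgroup named in pillar but absent from hostgroups.yaml / hostgroups.local.yaml no longer means a bad local file but an error that aborts rendering of the entire firewall state. If failing the whole render on an unknown name is the intended behaviour it deserves a comment on the loop, e.g. `{# hostgroup names come from the merged map files and pillar; an unknown name fails the render on purpose #}`; otherwise a guard such as `{% if hostgroup in hostgroups and hostgroups[hostgroup].ips[action] %}` skips the entry instead. The loop body continues past the end of the hunk.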
@@ -1,7 +1,31 @@
+{% set role = grains.id.split('_') | last %}
+
+{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
+{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
+{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% set local_portgroups = local_portgroups.firewall.aliases.ports %}
+{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
+{% set defined_portgroups = portgroups %}
+
 {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
 {% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
 {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
+{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
+{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
+ {% set translated_pillar_assigned_hostgroups = {} %}
+ {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
+ {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
+ {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %}
+ {% for pillar_portgroup in pillar_portgroups.portgroups %}
+ {% set pillar_portgroup = pillar_portgroup.split('.') | last %}
+ {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
+ {% endfor %}
+ {% endfor %}
+ {% endfor %}
+{% endif %}
+
 {% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
 {% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
-{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups, 
default_assigned_hostgroups, merge_lists=True, in_place=False) %}
\ No newline at end of file
+{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=True, in_place=False) %}
+{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
\ No newline at end of file
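Review bot: Each pass through the hostgroup loop calls `translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}})`, which replaces the whole `chain` key, so when the pillar assigns more than one hostgroup or touches more than one chain only the last pair survives into the final merge; building the path incrementally avoids that, e.g. `{% do translated_pillar_assigned_hostgroups.setdefault('chain', {}).setdefault(chain, {}).setdefault('hostgroups', {}).update({pillar_hostgroup: {'portgroups': []}}) %}`. The closing `{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}` runs unconditionally, but the dict is only created inside the `{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}` guard, so a minion with no such pillar hands an undefined name to the merge and the firewall state fails to render; moving `{% set translated_pillar_assigned_hostgroups = {} %}` above the `{% if %}` fixes that. `defined_portgroups[pillar_portgroup]` is likewise unguarded, so a mistyped portgroup name in pillar aborts the render rather than being reported as a bad name; if that is the intended fail-closed behaviour, a comment on the append line saying so would save the next reader a debugging session.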