firewall_objects/service/

definition.rs

//! High-level service definition parser (comma-separated lists, ranges).

use super::transport::TransportService;
use std::fmt;
use std::str::FromStr;

/// Layer-4 protocol supported for range expressions.
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum Layer4Protocol {
    Tcp,
    Udp,
}

impl fmt::Display for Layer4Protocol {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Layer4Protocol::Tcp => write!(f, "tcp"),
            Layer4Protocol::Udp => write!(f, "udp"),
        }
    }
}

/// Parsed token within a service definition list.
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ServiceToken {
    Single(TransportService),
    Range {
        protocol: Layer4Protocol,
        start: u16,
        end: u16,
    },
}

impl ServiceToken {
    /// Expand a range token into individual transport services.
    pub fn expand(&self) -> Vec<TransportService> {
        match self {
            ServiceToken::Single(svc) => vec![svc.clone()],
            ServiceToken::Range {
                protocol,
                start,
                end,
            } => match protocol {
                Layer4Protocol::Tcp => (*start..=*end).map(TransportService::tcp).collect(),
                Layer4Protocol::Udp => (*start..=*end).map(TransportService::udp).collect(),
            },
        }
    }
}

/// Representation of a comma-separated service definition string.
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ServiceDefinition {
    tokens: Vec<ServiceToken>,
}

impl ServiceDefinition {
    /// Parse a string like `"tcp/80, udp/53, tcp/1000-1005"` into tokens.
    pub fn parse(input: &str) -> Result<Self, String> {
        let mut tokens = Vec::new();

        for (idx, raw_token) in input.split(',').enumerate() {
            let token = raw_token.trim();
            if token.is_empty() {
                return Err(format!("empty service token at position {}", idx + 1));
            }

            if let Some(range) = parse_range(token)? {
                tokens.push(range);
                continue;
            }

            let service = TransportService::from_str(token)?;
            tokens.push(ServiceToken::Single(service));
        }

        if tokens.is_empty() {
            return Err("service definition cannot be empty".into());
        }

        Ok(Self { tokens })
    }

    /// Return the parsed tokens.
    pub fn tokens(&self) -> &[ServiceToken] {
        &self.tokens
    }

    /// Iterate over tokens.
    pub fn iter(&self) -> impl Iterator<Item = &ServiceToken> {
        self.tokens.iter()
    }

    /// Expand all tokens into explicit `TransportService` values.
    ///
    /// Ranges will produce one element per port in the span, while aliases
    /// and single entries retain their normalized representation.
    pub fn expand(&self) -> Vec<TransportService> {
        self.tokens.iter().flat_map(ServiceToken::expand).collect()
    }
}

fn parse_range(token: &str) -> Result<Option<ServiceToken>, String> {
    let (proto_raw, rest) = match token.split_once('/') {
        Some(parts) => parts,
        None => return Ok(None),
    };

    let proto = proto_raw.trim().to_ascii_lowercase();
    let layer4 = match proto.as_str() {
        "tcp" => Layer4Protocol::Tcp,
        "udp" => Layer4Protocol::Udp,
        _ => return Ok(None),
    };

    let value = rest.trim();
    if let Some((start_raw, end_raw)) = value.split_once('-') {
        let start = start_raw
            .trim()
            .parse::<u16>()
            .map_err(|_| "invalid start port in range".to_string())?;
        let end = end_raw
            .trim()
            .parse::<u16>()
            .map_err(|_| "invalid end port in range".to_string())?;

        if start > end {
            return Err("range start must be <= end".into());
        }

        return Ok(Some(ServiceToken::Range {
            protocol: layer4,
            start,
            end,
        }));
    }

    Ok(None)
}

impl std::str::FromStr for ServiceDefinition {
    type Err = String;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        ServiceDefinition::parse(s)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parses_mixed_tokens() {
        let def = ServiceDefinition::parse("tcp/80, udp/53, https").unwrap();
        assert_eq!(def.tokens().len(), 3);
    }

    #[test]
    fn parses_ranges() {
        let def = ServiceDefinition::parse("tcp/1000-1002").unwrap();
        match def.tokens()[0] {
            ServiceToken::Range {
                protocol,
                start,
                end,
            } => {
                assert_eq!(protocol, Layer4Protocol::Tcp);
                assert_eq!(start, 1000);
                assert_eq!(end, 1002);
            }
            _ => panic!("expected range"),
        }

        let expanded = def.expand();
        assert_eq!(
            expanded.iter().map(|s| s.to_string()).collect::<Vec<_>>(),
            vec!["tcp/1000", "tcp/1001", "tcp/1002"]
        );
    }

    #[test]
    fn rejects_bad_ranges() {
        assert!(ServiceDefinition::parse("tcp/2000-1000").is_err());
        assert!(ServiceDefinition::parse("tcp/-100").is_err());
    }

    #[test]
    fn rejects_empty_tokens() {
        assert!(ServiceDefinition::parse("tcp/80,,udp/53").is_err());
    }
}