palo_alto 0.1.3 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad314eed2154013cd0dd81166c795481debf4762a5d5b5b47f0943d8db612f98
-  data.tar.gz: 02ba2cb368a2bae0a3bc7c4c121d79628b600df89e70f837a613871e1db041c6
+  metadata.gz: f3f5565d4ace0fcd1e96290bcd2b5e2d1ffa726b53fd7fe691497f7a2c137d42
+  data.tar.gz: 9e8e63ab0508abf76cc5fdf13e6827067aa42100f6beb996ef16b1256dd96f5b
 SHA512:
-  metadata.gz: a63062907d61012d713da785791526c167370d39248190a356f17f3bc4392ba3010e9ace8a1bd25fd693914bca6440a97ae03c95ce7d81296c275157299e370c
-  data.tar.gz: c752bc2dce7f2e325708d4284d74a0c167ae4b623569dd4254a93636fefbf2df0e2f72a247ac4207791c4edcf4c05ef1a0d10d72b95acb703a554d62e6c2d9bb
+  metadata.gz: 59e3ee0f6f425554cf6dd10ac49310cdc4ebba3ec24ad9cf3914f7e5a6c465a386ccfe8cae77041691ddbc157c281c66aaee84b49f617057bcd750cd81e7c0e3
+  data.tar.gz: ad822a803c73d950cfdf0e428c41ee47b7fc3c3dd8b3fb631cecf2cf19c4b07e31d120fe0468cf25bed0ad250b859e7ee3d6ce7467a7c9adf7254a9697d7e1fa

data/lib/palo_alto/config.rb

@@ -1,4 +1,4 @@
-# generated: 2021-08-27 17:33:49 +0200
+# generated: 2021-10-19 00:56:02 +0200
 require 'openssl'
 require 'nokogiri'
 
@@ -268,7 +268,11 @@ module PaloAlto
 		end
 
 		def binary_operator(name, left, right)
-			"#{left}#{name}#{right}".gsub('./@', '@')
+			if %w(and or).include?(name)
+				"(#{left} #{name} #{right})".gsub('./@', '@')
+			else
+				"#{left}#{name}#{right}".gsub('./@', '@')
+			end
 		end
 
 		def root(current, element_names)
@@ -425,7 +429,7 @@ module PaloAlto
 				start_time=Time.now
 				result = self.parent_instance.dup.create!.clear!.external_set(data.xpath('//response/result').first)
 				if XML.debug.include?(:statistics)
-					puts "Elapsed for parsing #{result.length} results: #{Time.now-start_time} seconds"
+					warn "Elapsed for parsing #{result.length} results: #{Time.now-start_time} seconds"
 				end
 				result
 			end
@@ -436,7 +440,7 @@ module PaloAlto
 				self
 			end
 
-			def get(ignore_empty_result: false, xpath: self.to_xpath)
+			def get(ignore_empty_result: false, xpath: self.to_xpath, return_only: false)
 				if self.class.superclass == ArrayConfigClass && !@selector
 					raise(InvalidCommandException, "Please use 'get_all' here")
 				end
@@ -454,23 +458,28 @@ module PaloAlto
 					if ignore_empty_result==false
 						raise(ObjectNotPresentException, "empty result: #{payload.inspect}")
 					end
+				end
+
+				if return_only
+					data.xpath('//response/result/*')
 				else
-					#self.parent_instance.dup.create!.clear!.external_set(data.xpath('//response/result').first).first
 					@create_children=true
 					n = data.xpath('//response/result/*')
+					if n.any?
+						clear!
+						external_set(n.first)
 
-					clear!
-					external_set(n.first)
-
-					if is_a?(ArrayConfigClass)
-						primary_key = get_primary_key(n.first.attribute_nodes, self.class.props)
-						set_array_class_attributes(n.first, primary_key) # primary key, api_attributes
+						if is_a?(ArrayConfigClass)
+							primary_key = get_primary_key(n.first.attribute_nodes, self.class.props)
+							set_array_class_attributes(n.first, primary_key) # primary key, api_attributes
+						end
+					end
+					self
+				end.tap do
+					if XML.debug.include?(:statistics)
+						warn "Elapsed for parsing: #{Time.now-start_time} seconds"
 					end
 				end
-				if XML.debug.include?(:statistics)
-					puts "Elapsed for parsing: #{Time.now-start_time} seconds"
-				end
-				self
 			end
 
 			def get_primary_key(attribute_nodes, props)
@@ -526,9 +535,9 @@ module PaloAlto
 					when 'bool'
 						return true if ['yes', true].include?(value)
 						return false if ['no', false].include?(value)
-						raise ArgumentError, 'Not bool: ' + value.inspect
+						raise ArgumentError, "Not bool: #{value.inspect}"
 					when 'string', 'ipdiscontmask', 'iprangespec', 'ipspec', 'rangelistspec'
-						raise(ArgumentError, 'Not string') unless value.is_a?(String)
+						raise(ArgumentError, "Not string: #{value.inspect}") unless value.is_a?(String)
 						if prop_arr['regex']
 							raise ArgumentError, "Not matching regex: #{value.inspect} (#{prop_arr["regex"].inspect})" unless value.match(prop_arr["regex"])
 						end
@@ -662,28 +671,34 @@ module PaloAlto
 				elsif @external_values.has_key?(prop)
 					return @external_values[prop]
 				elsif my_prop.has_key?("default") && include_defaults
-					return enforce_type(my_prop, my_prop['default'])
+					return enforce_types(my_prop, my_prop['default'])
 				else
 					return nil
 				end
 			end
 
-			def prop_set(prop, value)
-				my_prop = self.class.props[prop] or raise(InternalErrorException, "Unknown attribute for #{self.class}: #{prop}")
+			def enforce_types(prop_arr, values)
+				return if values.nil?
 
-				if has_multiple_values? && value.is_a?(String)
-					value = value.split(/\s+/)
+				if has_multiple_values? && values.is_a?(String)
+					values = values.split(/\s+/)
 				end
 
-				if value.is_a?(Array)
-					@values[prop] = value.map{|v| enforce_type(my_prop, v)}
-				elsif value.nil?
-					@values[prop] = nil
+				if values.is_a?(Array) && has_multiple_values?
+					values.map{|v| enforce_type(prop_arr, v)}
+				elsif !has_multiple_values?
+					enforce_type(prop_arr, values)
 				else
-					@values[prop] = enforce_type(my_prop, value)
+					raise(ArgumentError, 'Needs to be Array but is not, or vice versa')
 				end
 			end
 
+			def prop_set(prop, value)
+				my_prop = self.class.props[prop] or raise(InternalErrorException, "Unknown attribute for #{self.class}: #{prop}")
+
+				@values[prop] = enforce_types(my_prop, value)
+			end
+
 			def to_xml(changed_only:, full_tree:, include_root: )
 				builder = Nokogiri::XML::Builder.new{|xml|
 					xml.send(self._section, (self.selector rescue nil)) {
@@ -768,23 +783,25 @@ module PaloAlto
 
 			def set_xpath_from_selector(selector: @selector)
 				xpath = self.parent_instance.child(_section)
-				k,v=selector.first
+				k, v = selector.first
 				obj = xpath.where(PaloAlto.xpath_attr(k.to_sym) == v)
 
 				@expression = obj.expression
 				@arguments = obj.arguments
 			end
 
-			def rename!(new_name)
+			def rename!(new_name, internal_only: false)
 				# https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-request-types/configuration-api/rename-configuration.html
-				payload = {
-					type:		'config',
-					action: 'rename',
-					xpath:	self.to_xpath,
-					newname: new_name
-				}
+				unless internal_only
+					payload = {
+						type:   'config',
+						action: 'rename',
+						xpath:  self.to_xpath,
+						newname: new_name
+					}
 
-				result = XML.execute(payload)
+					result = XML.execute(payload)
+				end
 
 				# now update also the internal value to the new name
 				self.selector.transform_values!{new_name}

data/lib/palo_alto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PaloAlto
-  VERSION = '0.1.3'
+  VERSION = '0.1.7'
 end

data/lib/palo_alto.rb

@@ -197,7 +197,11 @@ module PaloAlto
         begin
           Helpers::Rest.execute(payload, headers: {'X-PAN-KEY': self.auth_key})
         rescue TemporaryException => e
-          unless retried
+          dont_continue_at = [
+            'Partial revert is not allowed. Full system commit must be completed.',
+            'Config for scope '
+          ]
+          unless retried || dont_continue_at.any? { |x| e.message.start_with?(x) }
             if XML.debug.include?(:warnings)
               warn "Got error #{e.inspect}; retrying"
             end
@@ -213,12 +217,15 @@ module PaloAlto
       end
     end
 
-    def commit!(all: false)
+    def commit!(all: false, device_groups: nil, wait_for_completion: true)
+      return nil if device_groups.is_a?(Array) && device_groups.empty?
+
       op = if all
              'commit'
            else
              { commit: { partial: [
                { 'admin': [XML.username] },
+               device_groups ? {'device-group': device_groups } : nil,
                'no-template',
                'no-template-stack',
                'no-log-collector',
@@ -227,9 +234,102 @@ module PaloAlto
                'no-wildfire-appliance-cluster',
                { 'device-and-network': 'excluded' },
                { 'shared-object': 'excluded' }
-             ] } }
+             ].compact } }
            end
-      Op.new.execute(op)
+      Op.new.execute(op).tap do |result|
+        if wait_for_completion
+          job_id = result.at_xpath('response/result/job')&.text
+          wait_for_job_completion(job_id) if job_id
+        end
+      end
+    end
+
+    def full_commit_required?
+      result = Op.new.execute({check: 'full-commit-required'})
+      return true unless result.at_xpath('response/result').text == 'no'
+
+      false
+    end
+
+    def primary_active?
+      cmd = {show: {'high-availability': 'state'}}
+      state = Op.new.execute(cmd)
+      state.at_xpath("response/result/local-info/state").text == "primary-active"
+    end
+
+    # area: config, commit
+    def show_locks(area:)
+      cmd = {show: "#{area}-locks"}
+      ret = Op.new.execute(cmd)
+      ret.xpath("response/result/#{area}-locks/entry").map do |lock|
+        comment = lock.at_xpath('comment').inner_text
+        location = lock.at_xpath('name').inner_text
+        {
+          name: lock.attribute('name').value,
+          location: location == 'shared' ? nil : location,
+          type: lock.at_xpath('type').inner_text,
+          comment: comment == '(null)' ? nil : comment
+        }
+      end
+    end
+
+    # will execute block if given and unlock afterwards. returns false if lock could not be aquired
+    def lock(area:, comment: nil, type: nil, location: nil)
+      if block_given?
+        if lock(area: area, comment: comment, type: type, location: location)
+          begin
+            return yield
+          ensure
+            unlock(area: area, type: type, location: location)
+          end
+        else
+          return false
+        end
+      end
+
+      begin
+        cmd = {request: {"#{area}-lock": {add: {comment: comment || '(null)' }}}}
+        Op.new.execute(cmd, get_extra_argument(type: type, location: location))
+        true
+      rescue PaloAlto::InternalErrorException
+        false
+      end
+    end
+
+    def unlock(area:, type: nil, location: nil)
+      begin
+        cmd = {request: {"#{area}-lock": 'remove'}}
+        Op.new.execute(cmd, get_extra_argument(type: type, location: location))
+      rescue PaloAlto::InternalErrorException
+        return false
+      end
+      true
+    end
+
+    def remove_all_locks
+      %w(config commit).each do |area|
+        show_locks(area: area).each {|lock|
+          unlock(area: area, type: lock[:type], location: lock[:location])
+        }
+      end
+    end
+
+    def check_for_changes(usernames: [XML.username])
+      result = Op.new.execute({show: {config: {list: {'change-summary': {partial: {admin: usernames}}}}}})
+      result.xpath('response/result/summary/device-group/member').map(&:inner_text)
+    end
+
+    def wait_for_job_completion(job_id, wait: 5, timeout: 300)
+      cmd = {show: {jobs: {id: job_id}}}
+      start = Time.now
+      begin
+        result = Op.new.execute(cmd)
+        unless result.at_xpath('response/result/job/status')&.text=='ACT'
+          return result
+        end
+        sleep wait
+      end while start+timeout > Time.now
+      return false
     end
 
     def revert!(all: false)
@@ -284,5 +384,17 @@ module PaloAlto
       xml_data = Helpers::Rest.execute(payload)
       self.auth_key = xml_data.xpath('//response/result/key')[0].content
     end
+
+    private
+
+    # used to limit an op command to a specifc dg/template
+    def get_extra_argument(type:, location:)
+      case type
+        when 'dg'  then {vsys: location}
+        when 'tpl' then raise
+        else {}
+      end
+    end
+
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: palo_alto
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.7
 platform: ruby
 authors:
 - Sebastian Roesner
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-09-08 00:00:00.000000000 Z
+date: 2021-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri