palo_alto 0.1.4 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be267a4c14845513d0ca0b93dcdf2673829983dbf58c6c321f57817bd30f3d82
-  data.tar.gz: 268e375e0f17b1b5eb1a7dea2fb838a7fe55047bfabe66def538f7afdaf8111f
+  metadata.gz: aa30215e631895511ecb3645281eb160db2df58f0a6f6351d2d88069d80d1adc
+  data.tar.gz: e9acd3ba580ac92ec84546fc626ab52d9b7cfdd27591bb7b702082d3ddb1e791
 SHA512:
-  metadata.gz: f71277a31b9157ebee6b7045327998e483faa68329158d97d70deca570c5486c86eaf3505458b89275991bae635e8e0bdc99e8115b55356a5fcdf43fc32d96bb
-  data.tar.gz: '084b3b801f5c1390dd668bc45f1c29ddbe00202430c2f68baff227c469d8853575bcd14243c03823bb58f25b4175de2d26bf6f64280a56d2b2155d5e06444248'
+  metadata.gz: c556ea99594a4c09967e3271a0250d9864856ef42e8f89e518fe28b4054aeffc40160f5a1c298ebf5c77937c10d25a6bb5443eef64d0c03708bf9283c5647203
+  data.tar.gz: cc4a72eeea889757961e407712a9067cf54ee1fad39b394d3e29e230dbc8f306e9f53df2966ed576298135b9afb8496a77e4f372dd63c4d30a493653ca5b5136

data/lib/palo_alto/config.rb

@@ -1,4 +1,4 @@
-# generated: 2021-08-27 17:33:49 +0200
+# generated: 2021-10-19 00:56:02 +0200
 require 'openssl'
 require 'nokogiri'
 
@@ -268,7 +268,11 @@ module PaloAlto
 		end
 
 		def binary_operator(name, left, right)
-			"#{left}#{name}#{right}".gsub('./@', '@')
+			if %w(and or).include?(name)
+				"(#{left} #{name} #{right})".gsub('./@', '@')
+			else
+				"#{left}#{name}#{right}".gsub('./@', '@')
+			end
 		end
 
 		def root(current, element_names)
@@ -425,7 +429,7 @@ module PaloAlto
 				start_time=Time.now
 				result = self.parent_instance.dup.create!.clear!.external_set(data.xpath('//response/result').first)
 				if XML.debug.include?(:statistics)
-					puts "Elapsed for parsing #{result.length} results: #{Time.now-start_time} seconds"
+					warn "Elapsed for parsing #{result.length} results: #{Time.now-start_time} seconds"
 				end
 				result
 			end
@@ -461,19 +465,19 @@ module PaloAlto
 				else
 					@create_children=true
 					n = data.xpath('//response/result/*')
+					if n.any?
+						clear!
+						external_set(n.first)
 
-					clear!
-					external_set(n.first)
-
-					if is_a?(ArrayConfigClass)
-						primary_key = get_primary_key(n.first.attribute_nodes, self.class.props)
-						set_array_class_attributes(n.first, primary_key) # primary key, api_attributes
+						if is_a?(ArrayConfigClass)
+							primary_key = get_primary_key(n.first.attribute_nodes, self.class.props)
+							set_array_class_attributes(n.first, primary_key) # primary key, api_attributes
+						end
 					end
-
 					self
 				end.tap do
 					if XML.debug.include?(:statistics)
-						puts "Elapsed for parsing: #{Time.now-start_time} seconds"
+						warn "Elapsed for parsing: #{Time.now-start_time} seconds"
 					end
 				end
 			end
@@ -531,9 +535,9 @@ module PaloAlto
 					when 'bool'
 						return true if ['yes', true].include?(value)
 						return false if ['no', false].include?(value)
-						raise ArgumentError, 'Not bool: ' + value.inspect
+						raise ArgumentError, "Not bool: #{value.inspect}"
 					when 'string', 'ipdiscontmask', 'iprangespec', 'ipspec', 'rangelistspec'
-						raise(ArgumentError, 'Not string') unless value.is_a?(String)
+						raise(ArgumentError, "Not string: #{value.inspect}") unless value.is_a?(String)
 						if prop_arr['regex']
 							raise ArgumentError, "Not matching regex: #{value.inspect} (#{prop_arr["regex"].inspect})" unless value.match(prop_arr["regex"])
 						end
@@ -667,28 +671,34 @@ module PaloAlto
 				elsif @external_values.has_key?(prop)
 					return @external_values[prop]
 				elsif my_prop.has_key?("default") && include_defaults
-					return enforce_type(my_prop, my_prop['default'])
+					return enforce_types(my_prop, my_prop['default'])
 				else
 					return nil
 				end
 			end
 
-			def prop_set(prop, value)
-				my_prop = self.class.props[prop] or raise(InternalErrorException, "Unknown attribute for #{self.class}: #{prop}")
+			def enforce_types(prop_arr, values)
+				return if values.nil?
 
-				if has_multiple_values? && value.is_a?(String)
-					value = value.split(/\s+/)
+				if has_multiple_values? && values.is_a?(String)
+					values = values.split(/\s+/)
 				end
 
-				if value.is_a?(Array)
-					@values[prop] = value.map{|v| enforce_type(my_prop, v)}
-				elsif value.nil?
-					@values[prop] = nil
+				if values.is_a?(Array) && has_multiple_values?
+					values.map{|v| enforce_type(prop_arr, v)}
+				elsif !has_multiple_values?
+					enforce_type(prop_arr, values)
 				else
-					@values[prop] = enforce_type(my_prop, value)
+					raise(ArgumentError, 'Needs to be Array but is not, or vice versa')
 				end
 			end
 
+			def prop_set(prop, value)
+				my_prop = self.class.props[prop] or raise(InternalErrorException, "Unknown attribute for #{self.class}: #{prop}")
+
+				@values[prop] = enforce_types(my_prop, value)
+			end
+
 			def to_xml(changed_only:, full_tree:, include_root: )
 				builder = Nokogiri::XML::Builder.new{|xml|
 					xml.send(self._section, (self.selector rescue nil)) {

data/lib/palo_alto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PaloAlto
-  VERSION = '0.1.4'
+  VERSION = '0.1.8'
 end

data/lib/palo_alto.rb

@@ -71,13 +71,13 @@ module PaloAlto
 
   class SessionTimedOutException < TemporaryException
   end
-  
+
   module Helpers
     class Rest
       def self.make_request(opts)
-        options                            = {}
-        options[:verify_ssl]              = OpenSSL::SSL::VERIFY_PEER
-        options[:timeout]                  = 60
+        options = {}
+        options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+        options[:timeout] = 60
 
         headers                  = {}
         headers['User-Agent']    = 'ruby-keystone-client'
@@ -101,22 +101,23 @@ module PaloAlto
 
         response = thread[:http].post('/api/', URI.encode_www_form(options[:payload]), options[:headers])
 
-        if response.code == '200'
+        case response.code
+        when '200'
           return response.body
-        elsif response.code == '400' or response.code == '403'
+        when '400', '403'
           begin
             data = Nokogiri::XML.parse(response.body)
             message = data.xpath('//response/response/msg').text
             code = response.code.to_i
-          rescue
+          rescue StandardError
             raise ConnectionErrorException, "#{response.code} #{response.message}"
           end
           raise_error(code, message)
         else
           raise ConnectionErrorException, "#{response.code} #{response.message}"
         end
-        nil
 
+        nil
       rescue Net::OpenTimeout, Errno::ECONNREFUSED => e
         raise ConnectionErrorException, e.message
       end
@@ -141,7 +142,7 @@ module PaloAlto
                 when 19..20 then SuccessException
                 when 22 then SessionTimedOutException
                 else InternalErrorException
-        end
+                end
         raise error, message
       end
 
@@ -155,36 +156,27 @@ module PaloAlto
         options[:payload] = payload
         options[:headers] = headers
 
-        if XML.debug.include?(:sent)
-          warn "sent: (#{Time.now}\n#{options.pretty_inspect}\n"
-        end
+        warn "sent: (#{Time.now}\n#{options.pretty_inspect}\n" if XML.debug.include?(:sent)
 
         start_time = Time.now
         text = Helpers::Rest.make_request(options)
         if XML.debug.include?(:statistics)
-          warn "Elapsed for API call #{payload[:type]}/#{payload[:action]||'(unknown action)'}: #{Time.now-start_time} seconds"
+          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'}: #{Time.now - start_time} seconds"
         end
 
-        if XML.debug.include?(:received)
-          warn "received: #{Time.now}\n#{text}\n"
-        end
+        warn "received: #{Time.now}\n#{text}\n" if XML.debug.include?(:received)
 
         data = Nokogiri::XML.parse(text)
         unless data.xpath('//response/@status').to_s == 'success'
-          if XML.debug.include?(:sent_on_error)
-            warn "sent:\n#{options.inspect}\n"
-          end
-          if XML.debug.include?(:received_on_error)
-            warn "received:\n#{text.inspect}\n"
-          end
+          warn "sent:\n#{options.inspect}\n" if XML.debug.include?(:sent_on_error)
+          warn "received:\n#{text.inspect}\n" if XML.debug.include?(:received_on_error)
           code = data.at_xpath('//response/@code')&.value.to_i # sometimes there is no code :( e.g. for 'op' errors
           message = data.xpath('/response/msg/line').map(&:text).map(&:strip).join("\n")
           raise_error(code, message)
         end
 
-        return data
+        data
       end
-
     end
   end
 
@@ -195,30 +187,35 @@ module PaloAlto
       def execute(payload)
         retried = false
         begin
-          Helpers::Rest.execute(payload, headers: {'X-PAN-KEY': self.auth_key})
+          Helpers::Rest.execute(payload, headers: { 'X-PAN-KEY': auth_key })
         rescue TemporaryException => e
-          unless retried
-            if XML.debug.include?(:warnings)
-              warn "Got error #{e.inspect}; retrying"
-            end
+          dont_continue_at = [
+            'Partial revert is not allowed. Full system commit must be completed.',
+            'Config for scope ',
+            'Config is not currently locked for scope ',
+            'Commit lock is not currently held by'
+          ]
+          if retried || dont_continue_at.any? { |x| e.message.start_with?(x) }
+            raise e
+          else
+            warn "Got error #{e.inspect}; retrying" if XML.debug.include?(:warnings)
             retried = true
-            if e.is_a?(SessionTimedOutException)
-              get_auth_key
-            end
+            get_auth_key if e.is_a?(SessionTimedOutException)
             retry
-          else
-            raise e
           end
         end
       end
     end
 
-    def commit!(all: false)
+    def commit!(all: false, device_groups: nil, wait_for_completion: true)
+      return nil if device_groups.is_a?(Array) && device_groups.empty?
+
       op = if all
              'commit'
            else
              { commit: { partial: [
                { 'admin': [XML.username] },
+               device_groups ? { 'device-group': device_groups } : nil,
                'no-template',
                'no-template-stack',
                'no-log-collector',
@@ -227,9 +224,137 @@ module PaloAlto
                'no-wildfire-appliance-cluster',
                { 'device-and-network': 'excluded' },
                { 'shared-object': 'excluded' }
-             ] } }
+             ].compact } }
            end
-      Op.new.execute(op)
+      Op.new.execute(op).tap do |result|
+        if wait_for_completion
+          job_id = result.at_xpath('response/result/job')&.text
+          wait_for_job_completion(job_id) if job_id
+        end
+      end
+    end
+
+    def full_commit_required?
+      result = Op.new.execute({ check: 'full-commit-required' })
+      return true unless result.at_xpath('response/result').text == 'no'
+
+      false
+    end
+
+    def primary_active?
+      cmd = { show: { 'high-availability': 'state' } }
+      state = Op.new.execute(cmd)
+      state.at_xpath('response/result/local-info/state').text == 'primary-active'
+    end
+
+    # area: config, commit
+    def show_locks(area:)
+      cmd = { show: "#{area}-locks" }
+      ret = Op.new.execute(cmd)
+      ret.xpath("response/result/#{area}-locks/entry").map do |lock|
+        comment = lock.at_xpath('comment').inner_text
+        location = lock.at_xpath('name').inner_text
+        {
+          name: lock.attribute('name').value,
+          location: location == 'shared' ? nil : location,
+          type: lock.at_xpath('type').inner_text,
+          comment: comment == '(null)' ? nil : comment
+        }
+      end
+    end
+
+    def execute_with_type(cmd, type:, location:)
+      if type == 'tpl'
+        run_with_template_scope(location) { Op.new.execute(cmd) }
+      elsif type == 'dg'
+        Op.new.execute(cmd, { vsys: location })
+      elsif !type || type == 'shared'
+        Op.new.execute(cmd)
+      else
+        raise(ArgumentError, "invalid type: #{type.inspect}")
+      end
+    end
+
+    # will execute block if given and unlock afterwards. returns false if lock could not be aquired
+    def lock(area:, comment: nil, type: nil, location: nil)
+      if block_given?
+        if lock(area: area, comment: comment, type: type, location: location)
+          begin
+            return yield
+          ensure
+            unlock(area: area, type: type, location: location)
+          end
+        else
+          return false
+        end
+      end
+
+      begin
+        cmd = { request: { "#{area}-lock": { add: { comment: comment || '(null)' } } } }
+        execute_with_type(cmd, type: type, location: location)
+        true
+      rescue PaloAlto::InternalErrorException
+        false
+      end
+    end
+
+    def unlock(area:, type: nil, location: nil, name: nil)
+      begin
+        cmd = if name
+                { request: { "#{area}-lock": { remove: { admin: name } } } }
+              else
+                { request: { "#{area}-lock": 'remove' } }
+              end
+        execute_with_type(cmd, type: type, location: location)
+      rescue PaloAlto::InternalErrorException
+        return false
+      end
+      true
+    end
+
+    def remove_all_locks
+      %w[config commit].each do |area|
+        show_locks(area: area).each do |lock|
+          unlock(area: area, type: lock[:type], location: lock[:location], name: area=='commit' ? lock[:name] : nil )
+        end
+      end
+    end
+
+    def run_with_template_scope(name)
+      if block_given?
+        run_with_template_scope(name)
+        begin
+          return yield
+        ensure
+          run_with_template_scope(nil)
+        end
+      end
+
+      cmd = if name
+              { set: { system: { setting: { target: { template: { name: name } } } } } }
+            else
+              { set: { system: { setting: { target: 'none' } } } }
+            end
+
+      Op.new.execute(cmd)
+    end
+
+    def check_for_changes(usernames: [XML.username])
+      result = Op.new.execute({ show: { config: { list: { 'change-summary': { partial: { admin: usernames } } } } } })
+      result.xpath('response/result/summary/device-group/member').map(&:inner_text)
+    end
+
+    def wait_for_job_completion(job_id, wait: 5, timeout: 300)
+      cmd = { show: { jobs: { id: job_id } } }
+      start = Time.now
+      loop do
+        result = Op.new.execute(cmd)
+        return result unless result.at_xpath('response/result/job/status')&.text == 'ACT'
+
+        sleep wait
+        break unless start + timeout > Time.now
+      end
+      false
     end
 
     def revert!(all: false)
@@ -266,7 +391,7 @@ module PaloAlto
       @arguments = [Expression.new(:this_node), []]
 
       # attempt to obtain the auth_key
-      #raise 'Exception attempting to obtain the auth_key' if (self.class.auth_key = get_auth_key).nil?
+      # raise 'Exception attempting to obtain the auth_key' if (self.class.auth_key = get_auth_key).nil?
       self.class.get_auth_key
 
       self
@@ -274,11 +399,10 @@ module PaloAlto
 
     # Perform a query to the API endpoint for an auth_key based on the credentials provided
     def self.get_auth_key
-
       # establish the required options for the key request
       payload = { type: 'keygen',
-                  user: self.username,
-                  password: self.password }
+                  user: username,
+                  password: password }
 
       # get and parse the response for the key
       xml_data = Helpers::Rest.execute(payload)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: palo_alto
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.8
 platform: ruby
 authors:
 - Sebastian Roesner
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-09-20 00:00:00.000000000 Z
+date: 2021-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri