RubyGems - palo_alto - Versions diffs - 0.1.5 → 0.1.9 - Mend

palo_alto 0.1.5 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/lib/palo_alto/op.rb CHANGED Viewed

@@ -1,58 +1,90 @@
-require "nokogiri"
+# frozen_string_literal: true
+require 'nokogiri'
 module PaloAlto
   class XML
     def op
       Op.new
     end
     class Op
-      def execute(obj, additional_payload = {})
+      def execute(cmd, type: nil, location: nil, additional_payload: {})
+        payload = build_payload(cmd).merge(additional_payload)
+        if type == 'tpl'
+          run_with_template_scope(location) { XML.execute(payload) }
+        elsif type == 'dg'
+          XML.execute(payload.merge({ vsys: location }))
+        elsif !type || type == 'shared'
+          XML.execute(payload)
+        else
+          raise(ArgumentError, "invalid type: #{type.inspect}")
+        end
+      end
+      def run_with_template_scope(name)
+        if block_given?
+          run_with_template_scope(name)
+          begin
+            return yield
+          ensure
+            run_with_template_scope(nil)
+          end
+        end
+        cmd = if name
+                { set: { system: { setting: { target: { template: { name: name } } } } } }
+              else
+                { set: { system: { setting: { target: 'none' } } } }
+              end
+        execute(cmd)
+      end
+      def build_payload(obj)
         cmd = to_xml(obj)
-        if obj=='commit' || obj.keys.first.to_sym == :commit
-          type='commit'
-          action='panorama'
-        elsif obj=='commit-all' || obj.keys.first.to_sym == :'commit-all'
-          type='commit'
-          action='all'
+        if obj == 'commit' || obj.keys.first.to_sym == :commit
+          type = 'commit'
+          action = 'panorama'
+        elsif obj == 'commit-all' || obj.keys.first.to_sym == :'commit-all'
+          type = 'commit'
+          action = 'all'
         else
-          type='op'
-          action='panorama'
+          type = 'op'
+          action = 'panorama'
         end
-        payload = {
-          type:   type,
+        {
+          type: type,
           action: action,
-          cmd:   cmd
-        }.merge(additional_payload)
-        XML.execute(payload)
+          cmd: cmd
+        }
       end
       def escape_xpath_tag(tag)
         if tag.to_s.include?('-') # https://stackoverflow.com/questions/48628259/nokogiri-how-to-name-a-node-comment
           tag
         else
-          tag.to_s + "_"
+          "#{tag}_"
         end
       end
       def xml_builder(xml, ops, obj)
-        if obj.is_a?(String)
+        case obj
+        when String
           section = obj
           data = nil
-        elsif obj.is_a?(Hash)
+        when Hash
           section = obj.keys.first
           data = obj[section]
         else
           raise obj.pretty_inspect
         end
-        unless ops.has_key?(section.to_s)
-          err = "Error #{section.to_s} does not exist. Valid: " + ops.keys.pretty_inspect
+        unless ops.key?(section.to_s)
+          err = "Error #{section} does not exist. Valid: " + ops.keys.pretty_inspect
           raise err
         end
@@ -64,50 +96,49 @@ module PaloAlto
         when :element
           xml.public_send(section, data)
         when :array
-          xml.public_send(section) {
-            data.each{|el|
+          xml.public_send(section) do
+            data.each do |el|
               key = ops_tree.keys.first
               xml.public_send(escape_xpath_tag(key), el)
-            }
-          }
+            end
+          end
         when :sequence
-          if data==nil
+          if data.nil?
             xml.send(section)
           elsif data.is_a?(Hash)
-            xml.send(section){
+            xml.send(section)  do
               xml_builder(xml, ops_tree, data)
-            }
+            end
           else # array
             if data.is_a?(Array)
-              attr = data.find { |child| child.is_a?(Hash) && ops_tree[child.keys.first.to_s][:obj]==:'attr-req' }
+              attr = data.find { |child| child.is_a?(Hash) && ops_tree[child.keys.first.to_s][:obj] == :'attr-req' }
               data.delete(attr)
             else
               attr = {}
             end
-            xml.public_send(section, attr){
-              data.each{|child|
+            xml.public_send(section, attr) do
+              data.each do |child|
                 xml_builder(xml, ops_tree, child)
-              }
-            }
+              end
+            end
           end
         when :union
-          k,v=obj.first
-          xml.send("#{k}_"){
+          k, v = obj.first
+          xml.send("#{k}_")  do
             xml_builder(xml, ops_tree, v)
-          }
+          end
         else
           raise ops_tree[:obj].pretty_inspect
         end
         xml
       end
       def to_xml(obj)
-        builder = Nokogiri::XML::Builder.new{|xml|
+        builder = Nokogiri::XML::Builder.new do |xml|
           xml_builder(xml, @@ops, obj)
-        }
+        end
         builder.doc.root.to_xml
       end
 @@ops={"schedule"=>

data/lib/palo_alto/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module PaloAlto
-  VERSION = '0.1.5'
+  VERSION = '0.1.9'
 end

data/lib/palo_alto.rb CHANGED Viewed

@@ -71,13 +71,13 @@ module PaloAlto
   class SessionTimedOutException < TemporaryException
   end
   module Helpers
     class Rest
       def self.make_request(opts)
-        options                            = {}
-        options[:verify_ssl]              = OpenSSL::SSL::VERIFY_PEER
-        options[:timeout]                  = 60
+        options = {}
+        options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+        options[:timeout] = 60
         headers                  = {}
         headers['User-Agent']    = 'ruby-keystone-client'
@@ -101,22 +101,23 @@ module PaloAlto
         response = thread[:http].post('/api/', URI.encode_www_form(options[:payload]), options[:headers])
-        if response.code == '200'
+        case response.code
+        when '200'
           return response.body
-        elsif response.code == '400' or response.code == '403'
+        when '400', '403'
           begin
             data = Nokogiri::XML.parse(response.body)
             message = data.xpath('//response/response/msg').text
             code = response.code.to_i
-          rescue
+          rescue StandardError
             raise ConnectionErrorException, "#{response.code} #{response.message}"
           end
           raise_error(code, message)
         else
           raise ConnectionErrorException, "#{response.code} #{response.message}"
         end
-        nil
+        nil
       rescue Net::OpenTimeout, Errno::ECONNREFUSED => e
         raise ConnectionErrorException, e.message
       end
@@ -141,7 +142,7 @@ module PaloAlto
                 when 19..20 then SuccessException
                 when 22 then SessionTimedOutException
                 else InternalErrorException
-        end
+                end
         raise error, message
       end
@@ -155,36 +156,27 @@ module PaloAlto
         options[:payload] = payload
         options[:headers] = headers
-        if XML.debug.include?(:sent)
-          warn "sent: (#{Time.now}\n#{options.pretty_inspect}\n"
-        end
+        warn "sent: (#{Time.now}\n#{options.pretty_inspect}\n" if XML.debug.include?(:sent)
         start_time = Time.now
         text = Helpers::Rest.make_request(options)
         if XML.debug.include?(:statistics)
-          warn "Elapsed for API call #{payload[:type]}/#{payload[:action]||'(unknown action)'}: #{Time.now-start_time} seconds"
+          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'}: #{Time.now - start_time} seconds"
         end
-        if XML.debug.include?(:received)
-          warn "received: #{Time.now}\n#{text}\n"
-        end
+        warn "received: #{Time.now}\n#{text}\n" if XML.debug.include?(:received)
         data = Nokogiri::XML.parse(text)
         unless data.xpath('//response/@status').to_s == 'success'
-          if XML.debug.include?(:sent_on_error)
-            warn "sent:\n#{options.inspect}\n"
-          end
-          if XML.debug.include?(:received_on_error)
-            warn "received:\n#{text.inspect}\n"
-          end
+          warn "sent:\n#{options.inspect}\n" if XML.debug.include?(:sent_on_error)
+          warn "received:\n#{text.inspect}\n" if XML.debug.include?(:received_on_error)
           code = data.at_xpath('//response/@code')&.value.to_i # sometimes there is no code :( e.g. for 'op' errors
           message = data.xpath('/response/msg/line').map(&:text).map(&:strip).join("\n")
           raise_error(code, message)
         end
-        return data
+        data
       end
     end
   end
@@ -195,30 +187,35 @@ module PaloAlto
       def execute(payload)
         retried = false
         begin
-          Helpers::Rest.execute(payload, headers: {'X-PAN-KEY': self.auth_key})
+          Helpers::Rest.execute(payload, headers: { 'X-PAN-KEY': auth_key })
         rescue TemporaryException => e
-          unless retried
-            if XML.debug.include?(:warnings)
-              warn "Got error #{e.inspect}; retrying"
-            end
+          dont_continue_at = [
+            'Partial revert is not allowed. Full system commit must be completed.',
+            'Config for scope ',
+            'Config is not currently locked for scope ',
+            'Commit lock is not currently held by'
+          ]
+          if retried || dont_continue_at.any? { |x| e.message.start_with?(x) }
+            raise e
+          else
+            warn "Got error #{e.inspect}; retrying" if XML.debug.include?(:warnings)
             retried = true
-            if e.is_a?(SessionTimedOutException)
-              get_auth_key
-            end
+            get_auth_key if e.is_a?(SessionTimedOutException)
             retry
-          else
-            raise e
           end
         end
       end
     end
-    def commit!(all: false)
+    def commit!(all: false, device_groups: nil, wait_for_completion: true)
+      return nil if device_groups.is_a?(Array) && device_groups.empty?
       op = if all
              'commit'
            else
              { commit: { partial: [
                { 'admin': [XML.username] },
+               device_groups ? { 'device-group': device_groups } : nil,
                'no-template',
                'no-template-stack',
                'no-log-collector',
@@ -227,9 +224,107 @@ module PaloAlto
                'no-wildfire-appliance-cluster',
                { 'device-and-network': 'excluded' },
                { 'shared-object': 'excluded' }
-             ] } }
+             ].compact } }
            end
-      Op.new.execute(op)
+      Op.new.execute(op).tap do |result|
+        if wait_for_completion
+          job_id = result.at_xpath('response/result/job')&.text
+          wait_for_job_completion(job_id) if job_id
+        end
+      end
+    end
+    def full_commit_required?
+      result = Op.new.execute({ check: 'full-commit-required' })
+      return true unless result.at_xpath('response/result').text == 'no'
+      false
+    end
+    def primary_active?
+      cmd = { show: { 'high-availability': 'state' } }
+      state = Op.new.execute(cmd)
+      state.at_xpath('response/result/local-info/state').text == 'primary-active'
+    end
+    # area: config, commit
+    def show_locks(area:)
+      cmd = { show: "#{area}-locks" }
+      ret = Op.new.execute(cmd)
+      ret.xpath("response/result/#{area}-locks/entry").map do |lock|
+        comment = lock.at_xpath('comment').inner_text
+        location = lock.at_xpath('name').inner_text
+        {
+          name: lock.attribute('name').value,
+          location: location == 'shared' ? nil : location,
+          type: lock.at_xpath('type').inner_text,
+          comment: comment == '(null)' ? nil : comment
+        }
+      end
+    end
+    # will execute block if given and unlock afterwards. returns false if lock could not be aquired
+    def lock(area:, comment: nil, type: nil, location: nil)
+      if block_given?
+        if lock(area: area, comment: comment, type: type, location: location)
+          begin
+            return yield
+          ensure
+            unlock(area: area, type: type, location: location)
+          end
+        else
+          return false
+        end
+      end
+      begin
+        cmd = { request: { "#{area}-lock": { add: { comment: comment || '(null)' } } } }
+        Op.new.execute(cmd, type: type, location: location)
+        true
+      rescue PaloAlto::InternalErrorException
+        false
+      end
+    end
+    def unlock(area:, type: nil, location: nil, name: nil)
+      begin
+        cmd = if name
+                { request: { "#{area}-lock": { remove: { admin: name } } } }
+              else
+                { request: { "#{area}-lock": 'remove' } }
+              end
+        Op.new.execute(cmd, type: type, location: location)
+      rescue PaloAlto::InternalErrorException
+        return false
+      end
+      true
+    end
+    def remove_all_locks
+      %w[config commit].each do |area|
+        show_locks(area: area).each do |lock|
+          unlock(area: area, type: lock[:type], location: lock[:location], name: area == 'commit' ? lock[:name] : nil)
+        end
+      end
+    end
+    def check_for_changes(usernames: [XML.username])
+      result = Op.new.execute({ show: { config: { list: { 'change-summary': { partial: { admin: usernames } } } } } })
+      result.xpath('response/result/summary/device-group/member').map(&:inner_text)
+    end
+    def wait_for_job_completion(job_id, wait: 5, timeout: 300)
+      cmd = { show: { jobs: { id: job_id } } }
+      start = Time.now
+      loop do
+        result = Op.new.execute(cmd)
+        status = result.at_xpath('response/result/job/status')&.text
+        return result unless %w[ACT PEND].include?(status)
+        sleep wait
+        break unless start + timeout > Time.now
+      end
+      false
     end
     def revert!(all: false)
@@ -266,7 +361,7 @@ module PaloAlto
       @arguments = [Expression.new(:this_node), []]
       # attempt to obtain the auth_key
-      #raise 'Exception attempting to obtain the auth_key' if (self.class.auth_key = get_auth_key).nil?
+      # raise 'Exception attempting to obtain the auth_key' if (self.class.auth_key = get_auth_key).nil?
       self.class.get_auth_key
       self
@@ -274,11 +369,10 @@ module PaloAlto
     # Perform a query to the API endpoint for an auth_key based on the credentials provided
     def self.get_auth_key
       # establish the required options for the key request
       payload = { type: 'keygen',
-                  user: self.username,
-                  password: self.password }
+                  user: username,
+                  password: password }
       # get and parse the response for the key
       xml_data = Helpers::Rest.execute(payload)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: palo_alto
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.9
 platform: ruby
 authors:
 - Sebastian Roesner
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-09-23 00:00:00.000000000 Z
+date: 2021-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -31,6 +31,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitignore"
 - CHANGELOG.md
 - Gemfile
 - Gemfile.lock