palo_alto 0.3.0 → 0.3.2

data/lib/palo_alto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PaloAlto
-  VERSION = '0.3.0'
+  VERSION = '0.3.2'
 end

data/lib/palo_alto.rb

@@ -74,7 +74,6 @@ module PaloAlto
 
   module Helpers
     class Rest
-      @http_clients = {} # will include [http_client, lock]
       @global_lock = Mutex.new
 
       def self.make_request(opts)
@@ -91,16 +90,18 @@ module PaloAlto
         options = options.merge(opts)
         options[:headers].merge!(headers)
 
-        http_client = lock = nil
+        http_client = nil
 
         @global_lock.synchronize do
-          unless (http_client, lock = @http_clients[options[:host]])
+          Thread.current[:http_clients] ||= {}
+
+          unless (http_client = Thread.current[:http_clients][options[:host]])
             http_client = Net::HTTP.new(options[:host], 443)
             http_client.use_ssl = true
             http_client.verify_mode = options[:verify_ssl]
             http_client.read_timeout = http_client.open_timeout = (options[:timeout] || 60)
             http_client.set_debug_output(options[:debug].include?(:http) ? $stdout : nil)
-            @http_clients[options[:host]] = [http_client, (lock = Mutex.new)]
+            Thread.current[:http_clients][options[:host]] = http_client
           end
         end
 
@@ -114,11 +115,9 @@ module PaloAlto
           post_req.set_form_data(payload)
         end
 
-        response = lock.synchronize do
-          http_client.start unless http_client.started?
+        http_client.start unless http_client.started?
 
-          http_client.request(post_req)
-        end
+        response = http_client.request(post_req)
 
         case response.code
         when '200'
@@ -168,9 +167,41 @@ module PaloAlto
   end
 
   class XML
-    attr_accessor :host, :username, :password, :auth_key, :verify_ssl, :debug, :timeout
+    attr_accessor :host, :username, :auth_key, :verify_ssl, :debug, :timeout
+
+    def pretty_print_instance_variables
+      super - [:@password, :@subclasses, :@subclasses, :@expression, :@arguments, :@cache]
+    end
+
+    def execute(payload, skip_authentication: false, skip_cache: false)
+      if !auth_key && !skip_authentication
+        get_auth_key
+      end
+
+      if payload[:type] == 'config' && !skip_cache
+        if payload[:action] == 'get'
+          start_time = Time.now
+          @cache.each do |cached_xpath, cache|
+            search_xpath = payload[:xpath].sub('/descendant::device-group[1]/', '/device-group/')
+            next unless search_xpath.start_with?(cached_xpath)
+
+            remove = cached_xpath.split('/')[1...-1].join('/').length
+            new_xpath = 'response/result/' + search_xpath[(remove+2)..]
+
+            results = cache.xpath(new_xpath)
+						xml = Nokogiri.parse("<?xml version=\"1.0\"?><response><result>#{results.to_s}</result></response>")
+
+            if debug.include?(:statistics)
+              warn "Elapsed for parsing cache: #{Time.now - start_time} seconds"
+            end
+
+            return xml
+          end
+        elsif !@keep_cache_on_edit
+          @cache = {}
+        end
+      end
 
-    def execute(payload)
       retried = false
       begin
         # configure options for the request
@@ -191,14 +222,14 @@ module PaloAlto
         start_time = Time.now
         text = Helpers::Rest.make_request(options)
         if debug.include?(:statistics)
-          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'}: #{Time.now - start_time} seconds"
+          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'} on #{host}: #{Time.now - start_time} seconds, #{text.length} bytes"
         end
 
         warn "received: #{Time.now}\n#{text}\n" if debug.include?(:received)
 
         data = Nokogiri::XML.parse(text)
         unless data.xpath('//response/@status').to_s == 'success'
-          warn 'command failed'
+          warn "command failed on host #{host} at #{Time.now}"
           warn "sent:\n#{options.inspect}\n" if debug.include?(:sent_on_error)
           warn "received:\n#{text.inspect}\n" if debug.include?(:received_on_error)
           code = data.at_xpath('//response/@code')&.value.to_i # sometimes there is no code :( e.g. for 'op' errors
@@ -224,16 +255,45 @@ module PaloAlto
       end
     end
 
-    def commit!(all: false, device_groups: nil, templates: nil, wait_for_completion: true, wait: 5, timeout: 480)
+    def clear_cache!
+      @cache = {}
+      @keep_cache_on_edit = nil
+    end
+
+    def keep_cache_on_edit!
+      @keep_cache_on_edit = true
+    end
+
+    def cache!(xpath)
+      cached_xpath = xpath.is_a?(String) ? xpath : xpath.to_xpath
+
+      payload = {
+        type: 'config',
+        action: 'get',
+        xpath: cached_xpath
+      }
+
+      @cache[cached_xpath] = execute(payload, skip_cache: true)
+      true
+    end
+
+    def commit!(all: false, device_groups: nil, templates: nil,
+                admins: [username],
+                raw_result: false,
+                wait_for_completion: true, wait: 5, timeout: 480)
       return nil if device_groups.is_a?(Array) && device_groups.empty? && templates.is_a?(Array) && templates.empty?
 
       cmd = if all
               'commit'
             else
               { commit: { partial: [
-                { 'admin': [username] },
-                device_groups ? ( device_groups.empty? ? 'no-device-group' : { 'device-group': device_groups } ) : nil,
-                templates ? ( templates.empty? ? 'no-template' : { 'template': templates } ) : nil,
+                { 'admin': admins },
+                if device_groups
+                  device_groups.empty? ? 'no-device-group' : { 'device-group': device_groups }
+                end,
+                if templates
+                  templates.empty? ? 'no-template' : { 'template': templates }
+                end,
                 'no-template-stack',
                 'no-log-collector',
                 'no-log-collector-group',
@@ -245,8 +305,9 @@ module PaloAlto
             end
       result = op.execute(cmd)
 
-      job_id = result.at_xpath('response/result/job')&.text
+      return result if raw_result
 
+      job_id = result.at_xpath('response/result/job')&.text
       return result unless job_id && wait_for_completion
 
       wait_for_job_completion(job_id, wait: wait, timeout: timeout) if job_id
@@ -283,6 +344,7 @@ module PaloAlto
 
     # will execute block if given and unlock afterwards. returns false if lock could not be aquired
     def lock(area:, comment: nil, type: nil, location: nil)
+      raise MalformedCommandException, 'No type specified' if location && !type
       if block_given?
         return false unless lock(area: area, comment: comment, type: type, location: location)
 
@@ -298,7 +360,8 @@ module PaloAlto
         op.execute(cmd, type: type, location: location)
         true
       rescue PaloAlto::InternalErrorException => e
-        return true if e.message.start_with?('You already own a config lock for scope ')
+        return true if e.message.start_with?('You already own a config lock for scope ') ||
+                       e.message == "Config for scope shared is currently locked by #{username}"
 
         false
       end
@@ -326,9 +389,9 @@ module PaloAlto
       end
     end
 
-    def check_for_changes(usernames: [username])
-      cmd = if usernames
-              { show: { config: { list: { 'change-summary': { partial: { admin: usernames } } } } } }
+    def check_for_changes(admins: [username])
+      cmd = if admins
+              { show: { config: { list: { 'change-summary': { partial: { admin: admins } } } } } }
             else
               { show: { config: { list: 'change-summary' } } }
             end
@@ -339,14 +402,53 @@ module PaloAlto
       }
     end
 
-    def wait_for_job_completion(job_id, wait: 5, timeout: 480)
+    # returns nil if job isn't finished yet, otherwise the job result
+    def query_and_parse_job(job_id)
+      cmd = { show: { jobs: { id: job_id } } }
+      result = op.execute(cmd)
+      status = result.at_xpath('response/result/job/status')&.text
+      return result unless %w[ACT PEND].include?(status)
+
+      nil
+    rescue => e
+      warn [:job_query_error, e].inspect
+      false
+    end
+
+    # returns true if successful
+    # returns nil if not completed yet
+    # otherwise returns the error
+    def commit_successful?(commit_result)
+      if commit_result.at_xpath('response/msg')&.text&.start_with?('The result of this commit would be the same as the previous commit queued/processed') ||
+         commit_result.at_xpath('response/msg')&.text == 'There are no changes to commit.'
+        return true
+      end
+
+      job_id = commit_result.at_xpath('response/result/job')&.text
+      unless job_id
+        warn [:no_job_id, result].inspect
+        return false
+      end
+
+      job_result = query_and_parse_job(job_id)
+      return job_result if !job_result # can be either nil or false (errored)
+
+      return true if job_result.xpath('response/result/job/details/line').text&.include?('Configuration committed successfully')
+
+      job_result
+    end
+
+    def wait_for_job_completion(job_id, wait: 5, timeout: 600)
       cmd = { show: { jobs: { id: job_id } } }
       start = Time.now
       loop do
-        result = op.execute(cmd)
-        status = result.at_xpath('response/result/job/status')&.text
-        return result unless %w[ACT PEND].include?(status)
-
+        begin
+          result = op.execute(cmd)
+          status = result.at_xpath('response/result/job/status')&.text
+          return result unless %w[ACT PEND].include?(status)
+        rescue => e
+          warn [:job_query_error, e].inspect
+        end
         sleep wait
         break unless start + timeout > Time.now
       end
@@ -384,20 +486,19 @@ module PaloAlto
     end
 
     def initialize(host:, username:, password:, verify_ssl: OpenSSL::SSL::VERIFY_NONE, debug: [])
-      self.host       = host
-      self.username   = username
-      self.password   = password
-      self.verify_ssl = verify_ssl
-      self.debug      = debug
+      @host       = host
+      @username   = username
+      @password   = password
+      @verify_ssl = verify_ssl
+      @debug      = debug
 
       @subclasses = {}
 
+      @cache = {}
+
       # xpath
       @expression = :root
       @arguments = [Expression.new(:this_node), []]
-
-      # attempt to obtain the auth_key
-      get_auth_key
     end
 
     # Perform a query to the API endpoint for an auth_key based on the credentials provided
@@ -405,10 +506,10 @@ module PaloAlto
       # establish the required options for the key request
       payload = { type: 'keygen',
                   user: username,
-                  password: password }
+                  password: @password }
 
       # get and parse the response for the key
-      xml_data = execute(payload)
+      xml_data = execute(payload, skip_authentication: true)
       self.auth_key = xml_data.xpath('//response/result/key')[0].content
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: palo_alto
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.2
 platform: ruby
 authors:
 - Sebastian Roesner
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-08-09 00:00:00.000000000 Z
+date: 2023-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri