palo_alto 0.5.0 → 0.6.0

data/lib/palo_alto/op.rb

@@ -75,63 +75,84 @@ module PaloAlto
         end
       end
 
-      def xml_builder(xml, ops, obj)
-        case obj
+      def xml_builder_iter(xml, ops, data)
+        raise 'No Ops?!' if ops.nil?
+
+        case data
         when String
-          section = obj
-          data = nil
-        when Hash
-          section = obj.keys.first
-          data = obj[section]
+          section = data
+          data2 = nil
+          xml_builder(xml, ops, section, data2)
+        when Hash, Array
+          data.each do |section, data2|
+            xml_builder(xml, ops, section, data2)
+          end
         else
-          raise obj.pretty_inspect
-        end
-
-        unless ops.key?(section.to_s)
-          err = "Error #{section} does not exist. Valid: " + ops.keys.pretty_inspect
-          raise err
+          raise data.pretty_inspect
         end
+      end
 
-        ops_tree = ops[section.to_s]
-
-        section = escape_xpath_tag(section)
+      def xml_builder(xml, ops, section, data, type = ops[section.to_s]&.[](:obj))
+        ops_tree = ops[section.to_s] || raise("no ops tree for section #{section}, #{ops.keys.inspect}")
+        # pp [:xml_builder, :section, section, :type, type]
+        # obj = data
 
-        case ops_tree[:obj]
+        case type
         when :element
-          xml.public_send(section, data)
+          xml.public_send(escape_xpath_tag(section), data)
         when :array
-          xml.public_send(section) do
+          xml.public_send(escape_xpath_tag(section)) do
+            raise 'data is Hash and should be Array' if data.is_a?(Hash)
+
             data.each do |el|
               key = ops_tree.keys.first
-              xml.public_send(escape_xpath_tag(key), el)
+              case el
+              when Hash
+                attr = ops_tree[key].find { |_k, v| v.is_a?(Hash) && v[:obj] == :'attr-req' }.first
+                xml.public_send(escape_xpath_tag(key), { attr => el[attr.to_sym] }) do
+                  remaining_attrs = el.reject { |k, _v| k == attr.to_sym }
+
+                  if remaining_attrs.any?
+                    xml_builder(xml, ops_tree[key], remaining_attrs.keys.first.to_s, remaining_attrs.values.first,
+                                :array)
+                  end
+                end
+              when String
+                xml.public_send(key, el)
+              end
             end
           end
         when :sequence
-          if data.nil?
-            xml.send(section)
+          if data.nil? || data == true
+            xml.send(escape_xpath_tag(section))
           elsif data.is_a?(Hash)
-            xml.send(section)  do
-              xml_builder(xml, ops_tree, data)
+            xml.send(escape_xpath_tag(section)) do
+              xml_builder_iter(xml, ops_tree, data)
             end
-          else # array
+          else # array, what else could it be?!
+            raise "Unknown: #{attr.inspect}" unless data.is_a?(Array)
 
-            if data.is_a?(Array)
-              attr = data.find { |child| child.is_a?(Hash) && ops_tree[child.keys.first.to_s][:obj] == :'attr-req' }
-              data.delete(attr)
-            else
-              attr = {}
-            end
+            raise 'Too many hashes in an array, please update' if data.length > 1
+
+            key = ops_tree.keys.first
+            attr_name = ops_tree[key].find { |_k, v| v.is_a?(Hash) && v[:obj] == :'attr-req' }.first
+
+            hash = data.first.dup
+
+            data = [hash.reject { |k| k == attr_name.to_sym }]
+            attr = { attr_name => hash[attr_name.to_sym] }
 
-            xml.public_send(section, attr) do
-              data.each do |child|
-                xml_builder(xml, ops_tree, child)
+            xml.public_send(escape_xpath_tag(section)) do
+              xml.public_send(escape_xpath_tag(key), attr) do
+                data.each do |child|
+                  xml_builder_iter(xml, ops_tree[key], child)
+                end
               end
             end
           end
         when :union
-          k, v = obj.first
-          xml.send("#{k}_")  do
-            xml_builder(xml, ops_tree, v)
+          xml.public_send(escape_xpath_tag(section)) do
+            xml_builder_iter(xml, ops[section.to_s], data)
           end
         else
           raise ops_tree[:obj].pretty_inspect
@@ -141,7 +162,7 @@ module PaloAlto
 
       def to_xml(obj)
         builder = Nokogiri::XML::Builder.new do |xml|
-          xml_builder(xml, @@ops, obj)
+          xml_builder_iter(xml, @@ops, obj)
         end
         builder.doc.root.to_xml
       end

data/lib/palo_alto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PaloAlto
-  VERSION = '0.5.0'
+  VERSION = '0.6.0'
 end

data/lib/palo_alto.rb

@@ -3,7 +3,6 @@
 require 'openssl'
 require 'nokogiri'
 require 'net/http'
-require 'pp'
 
 require_relative 'palo_alto/version'
 
@@ -129,6 +128,7 @@ module PaloAlto
           raise SessionTimedOutException
         when '400', '403'
           begin
+            pp [:error, options[:host], response.code, response.message]
             data = Nokogiri::XML.parse(response.body)
             message = data.xpath('//response/response/msg').text
             code = response.code.to_i
@@ -141,8 +141,8 @@ module PaloAlto
         end
 
         nil
-      rescue Net::OpenTimeout, Errno::ECONNREFUSED, Errno::ETIMEDOUT => e
-        raise ConnectionErrorException, e.message
+      rescue Net::OpenTimeout, Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::ECONNRESET => e
+        raise ConnectionErrorException, [e.message, options[:host]].inspect
       end
 
       def self.raise_error(code, message)
@@ -175,13 +175,43 @@ module PaloAlto
     attr_accessor :host, :username, :auth_key, :verify_ssl, :debug, :timeout
 
     def pretty_print_instance_variables
-      super - [:@password, :@subclasses, :@subclasses, :@expression, :@arguments, :@cache, :@op, :@auth_key]
+      super - %i[@password @subclasses @subclasses @expression @arguments @cache @op @auth_key]
     end
 
-    def execute(payload, skip_authentication: false, skip_cache: false)
-      if !auth_key && !skip_authentication
-        get_auth_key
+    @@output_lock = Mutex.new
+
+    def print_sent(options, method = :puts)
+      @@output_lock.synchronize do
+        send(method, "Sent (#{Time.now}, #{options[:session_id]}):")
+        options.each do |k, v|
+          case k
+          when :debug
+            send(method, " #{k}: #{v.reject { |str| str.start_with?('_') }.join(', ')}")
+          when :headers
+            headers = options[:headers].dup.transform_keys(&:to_s)
+            headers['X-PAN-KEY'] = '***' if headers.key?('X-PAN-KEY')
+            puts " #{k}: #{headers}"
+          when :payload
+            send(method, ' payload: ' + options[:payload].map do |k, v|
+              element_length = 1024
+              if k == :element && v.length >= element_length
+                [k.to_s, "#{v[..element_length]}..."]
+              elsif k == :password
+                [k.to_s, '***']
+              else
+                [k.to_s, v]
+              end
+            end.to_h.inspect)
+          else
+            send(method, " #{k}: #{v}")
+          end
+        end
       end
+    end
+
+    def execute(payload, skip_authentication: false, skip_cache: false)
+      get_auth_key if !auth_key && !skip_authentication
+      session_id = (0...6).map { ('a'..'z').to_a[rand(26)] }.join
 
       if payload[:type] == 'config' && !skip_cache
         if payload[:action] == 'get'
@@ -191,13 +221,13 @@ module PaloAlto
             next unless search_xpath.start_with?(cached_xpath)
 
             remove = cached_xpath.split('/')[1...-1].join('/').length
-            new_xpath = 'response/result/' + search_xpath[(remove+2)..]
+            new_xpath = "response/result/#{search_xpath[(remove + 2)..]}"
 
             results = cache.xpath(new_xpath)
-						xml = Nokogiri.parse("<?xml version=\"1.0\"?><response><result>#{results.to_s}</result></response>")
+            xml = Nokogiri.parse("<?xml version=\"1.0\"?><response><result>#{results}</result></response>")
 
             if debug.include?(:statistics)
-              warn "Elapsed for parsing cache: #{Time.now - start_time} seconds"
+              warn "Elapsed for parsing cache: #{Time.now - start_time} seconds (#{session_id})"
             end
 
             return xml
@@ -212,32 +242,40 @@ module PaloAlto
         # configure options for the request
         options = {}
         options[:host]       = host
+        options[:session_id] = session_id
         options[:verify_ssl] = verify_ssl
         options[:payload]    = payload
         options[:debug]      = debug
-        options[:timeout]    = timeout || 180
+        options[:timeout]    = timeout || 600
         options[:headers]    = if payload[:type] == 'keygen'
                                  {}
                                else
                                  { 'X-PAN-KEY': auth_key }
                                end
 
-        warn "sent: (#{Time.now}\n#{options.pretty_inspect}\n" if debug.include?(:sent)
+        print_sent(options) if debug.include?(:sent)
 
         start_time = Time.now
         text = Helpers::Rest.make_request(options)
-        if debug.include?(:statistics)
-          warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'} on #{host}: #{Time.now - start_time} seconds, #{text.length} bytes"
-        end
 
-        warn "received: #{Time.now}\n#{text}\n" if debug.include?(:received)
+        @@output_lock.synchronize do
+          if debug.include?(:statistics)
+            warn "Elapsed for API call #{payload[:type]}/#{payload[:action] || '(unknown action)'} on #{host}: #{Time.now - start_time} seconds, #{text.length} bytes (#{session_id})"
+          end
+
+          warn "Received at #{Time.now} (#{session_id}):\n#{text.inspect}\n" if debug.include?(:received)
+        end
 
         data = Nokogiri::XML.parse(text)
         unless data.xpath('//response/@status').to_s == 'success'
           unless %w[op commit].include?(payload[:type]) # here we fail silent
-            warn "command failed on host #{host} at #{Time.now}"
-            warn "sent:\n#{options.inspect}\n" if debug.include?(:sent_on_error)
-            warn "received:\n#{text.inspect}\n" if debug.include?(:received_on_error)
+            warn "Command failed on host #{host} at #{Time.now} (#{session_id})"
+            print_sent(options, :warn) if debug.include?(:sent_on_error) && !debug.include?(:sent)
+            if debug.include?(:received_on_error) && !debug.include?(:received)
+              @@output_lock.synchronize do
+                warn "Received at #{Time.now} (#{session_id}):\n#{text.inspect}\n"
+              end
+            end
           end
           code = data.at_xpath('//response/@code')&.value.to_i # sometimes there is no code :( e.g. for 'op' errors
           message = data.xpath('/response/msg/line').map(&:text).map(&:strip).join("\n")
@@ -245,23 +283,35 @@ module PaloAlto
         end
 
         data
+      rescue ConnectionErrorException => e
+        # for ConnectionErrorException, you don't know if the command was successful as you don't get a result after an action started:(
+        # As it's a temporary error, we need to rescue/raise it explicitly
+        # #edit! rescues it, for other calls, it normally should not happen.....
+        raise e
       rescue EOFError, Net::ReadTimeout => e
         max_retries = if %w[keygen config].include?(payload[:type])
                         # TODO: only retry on config, when it's get or edit, otherwise you may get strange errors
-                        3
+                        40
                       else
                         0
                       end
 
-        raise e if retried >= max_retries
+        if retried >= max_retries
+          raise ConnectionErrorException, [e.message, options[:host], payload[:type]].inspect
+        end
 
         retried += 1
-        warn "Got error #{e.inspect}; retrying (try #{retried})" if debug.include?(:warnings)
+        if debug.include?(:warnings)
+          @@output_lock.synchronize do
+            warn "Got connection error #{e.inspect} from #{host}; retrying (try #{retried} of #{max_retries}, #{session_id})"
+          end
+        end
         sleep 10
         retry
       rescue TemporaryException => e
         dont_retry_at = [
           'Partial revert is not allowed. Full system commit must be completed.',
+          'Local commit jobs are queued. Revert operation is not allowed.',
           'Config for scope ',
           'Config is not currently locked for scope ',
           'Commit lock is not currently held by',
@@ -269,13 +319,14 @@ module PaloAlto
           'This operation is blocked because of ',
           'Other administrators are holding config locks ',
           'Configuration is locked by ',
+          'device-group', #  device-group -> ... is already in use
           ' device-group' #  device-group -> ... is already in use
         ]
 
         max_retries = if dont_retry_at.any? { |str| e.message.start_with?(str) }
                         0
                       elsif e.message.start_with?('Timed out while getting config lock. Please try again.')
-                        10
+                        40
                       else
                         1
                       end
@@ -283,7 +334,11 @@ module PaloAlto
         raise e if retried >= max_retries
 
         retried += 1
-        warn "Got error #{e.inspect}; retrying (try #{retried})" if debug.include?(:warnings)
+        if debug.include?(:warnings)
+          @@output_lock.synchronize do
+            warn "Got temporary error #{e.inspect}; retrying (try #{retried} of #{max_retries})"
+          end
+        end
 
         get_auth_key if e.is_a?(SessionTimedOutException)
         retry
@@ -321,23 +376,29 @@ module PaloAlto
       cmd = if all
               'commit'
             else
-              { commit: { partial: [
-                { 'admin': admins },
-                if device_groups
-                  device_groups.empty? ? 'no-device-group' : { 'device-group': device_groups }
-                end,
-                if templates
-                  templates.empty? ? 'no-template' : { 'template': templates }
-                end,
-                'no-template-stack',
-                'no-log-collector',
-                'no-log-collector-group',
-                'no-wildfire-appliance',
-                'no-wildfire-appliance-cluster',
-                { 'device-and-network': 'excluded' },
-                { 'shared-object': 'excluded' }
-              ].compact } }
+              commit_partial = {
+                'no-template-stack': true,
+                'no-log-collector': true,
+                'no-log-collector-group': true,
+                'no-wildfire-appliance': true,
+                'no-wildfire-appliance-cluster': true,
+                'device-and-network': 'excluded',
+                'shared-object': 'excluded'
+              }
+
+              if device_groups
+                commit_partial.merge!(device_groups.empty? ? { 'no-device-group': true } : { 'device-group': device_groups })
+              end
+
+              if templates
+                commit_partial.merge!(templates.empty? ? { 'no-template': true } : { template: templates })
+              end
+
+              commit_partial.merge!({ admin: admins }) if admins
+
+              { commit: { partial: commit_partial } }
             end
+
       result = op.execute(cmd)
 
       return result if raw_result
@@ -358,7 +419,7 @@ module PaloAlto
     def primary_active?
       cmd = { show: { 'high-availability': 'state' } }
       state = op.execute(cmd)
-      state.at_xpath('response/result/local-info/state').text == 'primary-active'
+      state.at_xpath('response/result/local-info/state')&.text == 'primary-active'
     end
 
     # area: config, commit
@@ -380,6 +441,7 @@ module PaloAlto
     # will execute block if given and unlock afterwards. returns false if lock could not be aquired
     def lock(area:, comment: nil, type: nil, location: nil)
       raise MalformedCommandException, 'No type specified' if location && !type
+
       if block_given?
         return false unless lock(area: area, comment: comment, type: type, location: location)
 
@@ -448,7 +510,7 @@ module PaloAlto
       return result unless %w[ACT PEND].include?(status)
 
       nil
-    rescue => e
+    rescue StandardError => e
       warn [:job_query_error, @host, e].inspect
       false
     end
@@ -469,9 +531,11 @@ module PaloAlto
       end
 
       job_result = query_and_parse_job(job_id)
-      return job_result if !job_result # can be either nil or false (errored)
+      return job_result unless job_result # can be either nil or false (errored)
 
-      return true if job_result.xpath('response/result/job/details/line').text&.include?('Configuration committed successfully')
+      if job_result.xpath('response/result/job/details/line').text&.include?('Configuration committed successfully')
+        return true
+      end
 
       job_result
     end
@@ -484,7 +548,7 @@ module PaloAlto
           result = op.execute(cmd)
           status = result.at_xpath('response/result/job/status')&.text
           return result unless %w[ACT PEND].include?(status)
-        rescue => e
+        rescue StandardError => e
           warn [:job_query_error, Time.now, @host, e].inspect
           return false if e.message =~ /\Ajob \d+ not found\z/
         end
@@ -500,17 +564,17 @@ module PaloAlto
       cmd = if all
               { revert: 'config' }
             else
-              { revert: { config: { partial: [
-                { 'admin': [username] },
-                'no-template',
-                'no-template-stack',
-                'no-log-collector',
-                'no-log-collector-group',
-                'no-wildfire-appliance',
-                'no-wildfire-appliance-cluster',
-                { 'device-and-network': 'excluded' },
-                { 'shared-object': 'excluded' }
-              ] } } }
+              { revert: { config: { partial: {
+                admin: [username],
+                'no-template': true,
+                'no-template-stack': true,
+                'no-log-collector': true,
+                'no-log-collector-group': true,
+                'no-wildfire-appliance': true,
+                'no-wildfire-appliance-cluster': true,
+                'device-and-network': 'excluded',
+                'shared-object': 'excluded'
+              } } } }
             end
 
       waited = 0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: palo_alto
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Sebastian Roesner
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-11-28 00:00:00.000000000 Z
+date: 2024-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri