illumio-pylo 0.2.5__py3-none-any.whl

illumio_pylo/API/JsonPayloadTypes.py

@@ -0,0 +1,240 @@
+"""This module contains the JSON payload types for the PCE API."""
+
+from typing import List, Optional, TypedDict, NotRequired, Union, Literal
+
+
+class HrefReference(TypedDict):
+    href: str
+
+class HrefReferenceWithName(TypedDict):
+    href: str
+    name: str
+
+class LabelHrefRef(TypedDict):
+    label: HrefReference
+
+class WorkloadHrefRef(TypedDict):
+    workload: HrefReference
+
+class IPListHrefRef(TypedDict):
+    ip_list: HrefReference
+
+class ServiceHrefRef(TypedDict):
+    service: HrefReference
+
+class VirtualServiceHrefRef(TypedDict):
+    virtual_service: HrefReference
+
+class LabelObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    deleted: bool
+    href: str
+    key: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+    value: str
+
+
+class LabelObjectCreationJsonStructure(TypedDict):
+    value: str
+    key: str
+
+
+class LabelObjectUpdateJsonStructure(TypedDict):
+    value: str
+
+
+class LabelGroupObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    deleted: bool
+    href: str
+    key: str
+    labels: List[HrefReference]
+    name: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+
+class LabelGroupObjectUpdateJsonStructure(TypedDict):
+    labels: NotRequired[List[HrefReference]]
+    name: NotRequired[str]
+
+class IPListObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    description: str
+    href: str
+    ip_ranges: List[TypedDict('record', {'from_ip': str, 'to_ip': str, 'exclusion': bool})]
+    name: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+class IPListObjectCreationJsonStructure(TypedDict):
+    description: str
+    ip_ranges: List[TypedDict('record', {'from_ip': str, 'to_ip': str, 'exclusion': bool})]
+    name: str
+
+
+class WorkloadInterfaceObjectJsonStructure(TypedDict):
+    name: str
+    address: str
+
+class WorkloadObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    description: Optional[str]
+    hostname: Optional[str]
+    href: str
+    interfaces: List[WorkloadInterfaceObjectJsonStructure]
+    labels: List[HrefReference]
+    name: Optional[str]
+    public_ip: Optional[str]
+    managed: bool
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+class WorkloadObjectCreateJsonStructure(TypedDict):
+    description: Optional[str]
+    hostname: Optional[str]
+    interfaces: NotRequired[List[WorkloadInterfaceObjectJsonStructure]]
+    labels: NotRequired[List[HrefReference]]
+    name: Optional[str]
+    public_ip: NotRequired[Optional[str]]
+
+class RuleServiceReferenceObjectJsonStructure(TypedDict):
+    href: str
+    name: str
+
+
+class RuleDirectServiceReferenceObjectJsonStructure(TypedDict):
+    port: int
+    proto: int
+    to_port: NotRequired[int]
+
+
+class RuleObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    href: str
+    ingress_services: List[RuleDirectServiceReferenceObjectJsonStructure|RuleServiceReferenceObjectJsonStructure]
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+
+class RulesetScopeEntryLineJsonStructure(TypedDict):
+    label: NotRequired[HrefReference]
+    label_group: NotRequired[HrefReference]
+
+
+class RulesetObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    description: str
+    href: str
+    name: str
+    rules: List[RuleObjectJsonStructure]
+    scopes: List[List[RulesetScopeEntryLineJsonStructure]]
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+
+class RulesetObjectUpdateStructure(TypedDict):
+    name: NotRequired[str]
+    description: NotRequired[str]
+    scopes: NotRequired[List[List[RulesetScopeEntryLineJsonStructure]]]
+
+
+class ServiceObjectJsonStructure(TypedDict):
+    created_at: str
+    href: str
+    name: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+
+class VirtualServiceObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    href: str
+    name: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+class NetworkDeviceConfigObjectJsonStructure(TypedDict):
+    device_type: Literal['switch']
+    name: str
+
+class NetworkDeviceObjectJsonStructure(TypedDict):
+    href: str
+    config: NetworkDeviceConfigObjectJsonStructure
+    supported_endpoint_type: Literal['switch_port']
+
+class NetworkDeviceEndpointConfigObjectJsonStructure(TypedDict):
+    type: Literal['switch_port']
+    name: str
+    workload_discovery: bool
+
+class NetworkDeviceEndpointObjectJsonStructure(TypedDict):
+    href: str
+    config: NetworkDeviceEndpointConfigObjectJsonStructure
+    status: Literal['unmonitored', 'monitored']
+    workloads: List[HrefReference]
+
+class SecurityPrincipalObjectJsonStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    href: str
+    name: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+class LabelDimensionObjectStructure(TypedDict):
+    created_at: str
+    created_by: Optional[HrefReferenceWithName]
+    display_name: str
+    href: str
+    key: str
+    updated_at: str
+    updated_by: Optional[HrefReferenceWithName]
+
+
+class PCEObjectsJsonStructure(TypedDict):
+    iplists: List[IPListObjectJsonStructure]
+    labelgroups: List[LabelGroupObjectJsonStructure]
+    labels: List[LabelObjectJsonStructure]
+    rulesets: List[RulesetObjectJsonStructure]
+    security_principals: List[SecurityPrincipalObjectJsonStructure]
+    services: List[ServiceObjectJsonStructure]
+    virtual_services: List[VirtualServiceObjectJsonStructure]
+    workloads: List[WorkloadObjectJsonStructure]
+    label_dimensions: List[LabelDimensionObjectStructure]
+
+
+class PCECacheFileJsonStructure(TypedDict):
+    data: PCEObjectsJsonStructure
+    pce_version: str
+    generation_date: str
+
+
+class RuleCoverageQueryEntryJsonStructure(TypedDict):
+    source: Union[IPListHrefRef, WorkloadHrefRef]
+    destination: Union[IPListHrefRef, WorkloadHrefRef]
+    services: List
+
+
+WorkloadsGetQueryLabelFilterJsonStructure = List[List[str]]
+
+AuditLogApiEventType = Literal['agent.clone_detected', 'workloads.update', 'workload.update', 'workload_interfaces.update']
+
+class AuditLogEntryJsonStructure(TypedDict):
+    event_type: AuditLogApiEventType
+    timestamp: str
+
+class AuditLogApiRequestPayloadStructure(TypedDict):
+    pass
+
+class AuditLogApiReplyEventJsonStructure(TypedDict):
+    pass
+

illumio_pylo/API/RuleSearchQuery.py

@@ -0,0 +1,128 @@
+from typing import List, Union, Dict, Optional
+import illumio_pylo as pylo
+
+
+class RuleSearchQueryResolvedResultSet:
+    rules: Dict[str, 'pylo.Rule']
+    rules_per_ruleset: Dict['pylo.Ruleset', Dict[str, 'pylo.Rule']]
+
+    def count_results(self):
+        return len(self.rules)
+
+    def __init__(self, raw_json_data, organization: 'pylo.Organization'):
+        self._raw_json = raw_json_data
+        self.rules = {}
+        self.rules_per_ruleset = {}
+
+        for rule_data in raw_json_data:
+            rule_href = rule_data.get('href')
+            if rule_href is None:
+                raise pylo.PyloEx('Cannot find rule HREF in RuleSearchQuery response', rule_data)
+            rule_found = organization.RulesetStore.find_rule_by_href(rule_href)
+            if rule_found is None:
+                raise pylo.PyloEx("Cannot find rule with HREF '{}' in Organization".format(rule_href), rule_data)
+
+            self.rules[rule_found.href] = rule_found
+            ruleset_found = self.rules_per_ruleset.get(rule_found.owner)
+            if ruleset_found is None:
+                # print("new ruleset")
+                self.rules_per_ruleset[rule_found.owner] = {rule_found.href: rule_found}
+            else:
+                # print("existing rs")
+                self.rules_per_ruleset[rule_found.owner][rule_found.href] = rule_found
+
+
+class RuleSearchQuery:
+    _advanced_mode_consumer_labels: Dict[str, Union['pylo.Label', 'pylo.LabelGroup']] = {}
+    _advanced_mode_provider_labels: Dict[str, Union['pylo.Label', 'pylo.LabelGroup']] = {}
+    _basic_mode_labels: Dict[str, 'pylo.Label']
+    connector: 'pylo.APIConnector'
+    max_results: int = 10000
+
+    def __init__(self, connector: 'pylo.APIConnector'):
+        self.connector = connector
+        self.mode_is_basic = True
+        self._basic_mode_labels = {}
+        self._advanced_mode_provider_labels = {}
+        self._advanced_mode_consumer_labels = {}
+        self._exact_matches = True
+        self._mode_is_draft = True
+
+    def set_basic_mode(self):
+        self.mode_is_basic = True
+        self._advanced_mode_provider_labels = {}
+        self._advanced_mode_consumer_labels = {}
+
+    def set_advanced_mode(self):
+        self.mode_is_basic = False
+        self._basic_mode_labels = {}
+
+    def set_draft_mode(self):
+        self._mode_is_draft = True
+
+    def set_active_mode(self):
+        self._mode_is_draft = False
+
+    def set_max_results(self, max_results: int):
+        if max_results < 1:
+            raise pylo.PyloEx("max_results must be greater than 0")
+        self.max_results = max_results
+
+    def add_label(self, label: 'pylo.Label'):
+        if not self.mode_is_basic:
+            raise pylo.PyloEx('You can add labels to RuleSearchQuery only in Basic mode. Use consumer/provider counterparts with Advanced mode')
+        self._basic_mode_labels[label.href] = label
+
+    def add_consumer_label(self, label: 'pylo.Label'):
+        if self.mode_is_basic:
+            raise pylo.PyloEx('You can add labels to RuleSearchQuery consumers only in Advanced mode')
+        self._advanced_mode_consumer_labels[label.href] = label
+
+    def add_provider_label(self, label: 'pylo.Label'):
+        if self.mode_is_basic:
+            raise pylo.PyloEx('You can add labels to RuleSearchQuery providers only in Advanced mode')
+        self._advanced_mode_provider_labels[label.href] = label
+
+    def use_exact_matches(self):
+        self._exact_matches = True
+
+    def use_resolved_matches(self):
+        self._exact_matches = False
+
+    def execute(self):
+        data = {'max_results': self.max_results}
+        if not self._exact_matches:
+            data['resolve_actors'] = True
+
+        uri = '/sec_policy/draft/rule_search'
+        if not self._mode_is_draft:
+            uri = '/sec_policy/active/rule_search'
+
+        if self.mode_is_basic:
+            if len(self._basic_mode_labels) > 0:
+                data['providers_or_consumers'] = []
+                for label_href, label in self._basic_mode_labels.items():
+                    if label.is_label():
+                        data['providers_or_consumers'].append({'label': {'href': label_href}})
+                    else:
+                        data['providers_or_consumers'].append({'label_group': {'href': label_href}})
+        else:
+            if len(self._advanced_mode_provider_labels) > 0:
+                data['providers'] = []
+                for label_href, label in self._advanced_mode_provider_labels.items():
+                    if label.is_label():
+                        data['providers'].append({'label': {'href': label_href}})
+                    else:
+                        data['providers'].append({'label_group': {'href': label_href}})
+            if len(self._advanced_mode_consumer_labels) > 0:
+                data['consumers'] = []
+                for label_href, label in self._advanced_mode_consumer_labels.items():
+                    if label.is_label():
+                        data['consumers'].append({'label': {'href': label_href}})
+                    else:
+                        data['consumers'].append({'label_group': {'href': label_href}})
+
+        return self.connector.do_post_call(uri, data)
+
+    def execute_and_resolve(self, organization: 'pylo.Organization'):
+        return RuleSearchQueryResolvedResultSet(self.execute(), organization)

illumio_pylo/AgentStore.py

@@ -0,0 +1,139 @@
+from datetime import datetime
+
+import illumio_pylo as pylo
+from illumio_pylo import log, SoftwareVersion
+from .Helpers import *
+import re
+import datetime
+from typing import *
+
+# version_regex = re.compile(r"^(?P<major>[0-9]+)\.(?P<middle>[0-9]+)\.(?P<minor>[0-9]+)-(?P<build>[0-9]+)(u[0-9]+)?$")
+
+
+class VENAgent(pylo.ReferenceTracker):
+
+    def __init__(self, href: str, owner: 'pylo.AgentStore', workload: 'pylo.Workload' = None):
+        pylo.ReferenceTracker.__init__(self)
+        self.href: str = href
+        self.owner: 'pylo.AgentStore' = owner
+        self.workload: Optional['pylo.Workload'] = workload
+
+        self.software_version: Optional['pylo.SoftwareVersion'] = None
+        self._last_heartbeat: Optional[datetime.datetime] = None
+
+        self._status_security_policy_sync_state: Optional[str] = None
+        self._status_security_policy_applied_at: Optional[str] = None
+        self._status_rule_count: Optional[int] = None
+
+        self.mode = None
+
+        self.raw_json = None
+
+    def _get_date_from_json(self, prop_name_in_json: str) -> Optional[datetime.datetime]:
+        status_json = self.raw_json.get('status')
+        if status_json is None:
+            return None
+
+        prop_value = status_json.get(prop_name_in_json)
+        if prop_value is None:
+            return None
+
+        if '.' in prop_value:
+            time_found = datetime.datetime.strptime(prop_value, "%Y-%m-%dT%H:%M:%S.%fZ")
+        else:
+            time_found = datetime.datetime.strptime(prop_value, "%Y-%m-%dT%H:%M:%SZ")
+
+        return time_found
+
+    def load_from_json(self, data):
+        self.raw_json = data
+
+        status_json = data.get('status')
+        if status_json is None:
+            raise pylo.PyloEx("Cannot find VENAgent status in JSON from '{}'".format(self.href))
+
+        version_string = status_json.get('agent_version')
+        if version_string is None:
+            raise pylo.PyloEx("Cannot find VENAgent version from '{}'".format(self.href))
+        self.software_version = pylo.SoftwareVersion(version_string)
+        if self.software_version.is_unknown:
+            pylo.log.warn("Agent {} from Workload {}/{} has unknown software version: {}".format(
+                self.href,
+                self.workload.get_name(),
+                self.workload.href,
+                self.software_version.version_string))
+
+        self._status_security_policy_sync_state = status_json.get('security_policy_sync_state')
+
+        self._status_rule_count = status_json.get('firewall_rule_count')
+        # if self._status_rule_count is None:
+        #    raise pylo.PyloEx("Cannot find firewall_rule_count VENAgent '{}' rule count ".format(self.href), status_json)
+
+        config_json = data.get('config')
+        if config_json is None:
+            raise pylo.PyloEx("Cannot find Agent's config in JSON", data)
+
+        self.mode = config_json.get('mode')
+        if self.mode is None:
+            raise pylo.PyloEx("Cannot find Agent's mode in config JSON", config_json)
+
+        if self.mode == 'illuminated':
+            log_traffic = config_json.get('log_traffic')
+            if log_traffic:
+                self.mode = "test"
+            else:
+                self.mode = "build"
+
+    @property
+    def status(self) -> Literal['stopped','active','suspended','uninstalled']:
+        return self.raw_json['status']['status']
+
+    def get_last_heartbeat_date(self) -> Optional[datetime.datetime]:
+        if self._last_heartbeat is None:
+            self._last_heartbeat = self._get_date_from_json('last_heartbeat_on')
+        return self._last_heartbeat
+
+    def get_status_security_policy_applied_at(self):
+        if self._status_security_policy_applied_at is None:
+            self._status_security_policy_applied_at = self._get_date_from_json('security_policy_applied_at')
+        return self._status_security_policy_applied_at
+
+    def get_status_security_policy_sync_state(self):
+        return self._status_security_policy_sync_state
+
+
+class AgentStore:
+
+    def __init__(self, owner: 'pylo.Organization'):
+        self.owner = owner
+        self.items_by_href: Dict[str, pylo.VENAgent] = {}
+
+    @property
+    def agents(self) -> List['pylo.VENAgent']:
+        """
+        Returns a copy of the list of all agents in the store
+        :return:
+        """
+        return list(self.items_by_href.values())
+
+    def find_by_href(self, href: str) -> VENAgent:
+        return self.items_by_href.get(href)
+
+    def create_ven_agent_from_workload_record(self, workload: 'pylo.Workload', json_data) -> 'pylo.VENAgent':
+        # For developer use only. This is called by the WorkloadStore when it creates a new workload as the Agent records are read from there
+        href = json_data.get('href')
+        if href is None:
+            raise pylo.PyloEx("Cannot extract Agent href from workload '{}'".format(workload.href))
+
+        agent = pylo.VENAgent(href, self, workload)
+        agent.load_from_json(json_data)
+
+        self.items_by_href[href] = agent
+
+        return agent
+
+    def count_agents(self) -> int:
+        return len(self.items_by_href)
+
+
+

illumio_pylo/Exception.py

@@ -0,0 +1,44 @@
+from .Helpers import nice_json
+
+
+class PyloEx(Exception):
+    """
+    Base class for all Pylo exceptions
+    """
+    def __init__(self, arg, json_object=None):
+        if json_object is None:
+            Exception.__init__(self, arg)
+            return
+
+        text = "{}\nJSON output:\n{}".format(arg, nice_json(json_object))
+        super().__init__(self, text)
+
+
+class PyloObjectNotFound(PyloEx):
+    def __init__(self, arg, json_object=None):
+        PyloEx(arg, json_object)
+
+
+class PyloApiEx(PyloEx):
+    """
+    Base class for all Pylo API exceptions
+    """
+    def __init__(self, arg, json_object=None):
+        PyloEx(arg, json_object)
+
+
+class PyloApiTooManyRequestsEx(PyloApiEx):
+    def __init__(self, arg, json_object=None):
+        PyloApiEx(arg, json_object)
+
+
+class PyloApiUnexpectedSyntax(PyloApiEx):
+    def __init__(self, arg, json_object=None):
+        PyloApiEx(arg, json_object)
+
+class PyloApiRequestForbiddenEx(PyloApiEx):
+    def __init__(self, arg, json_object=None):
+        PyloApiEx(arg, json_object)
+
+
+

illumio_pylo/Helpers/__init__.py

@@ -0,0 +1,3 @@
+
+from .functions import *
+from .exports import *