illumio-pylo 0.3.9__tar.gz → 0.3.11__tar.gz

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/.github/workflows/python-publish.yml

@@ -26,10 +26,10 @@ jobs:
         python-version: '3.11'
     - name: Install dependencies
       run: |
-        python -m pip install --upgrade pip
+        python -m pip install --upgrade pip setuptools wheel twine pkginfo
         pip install build
     - name: Build package
       run: python -m build
     - name: Publish package
-      uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 

{illumio_pylo-0.3.9/illumio_pylo.egg-info → illumio_pylo-0.3.11}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: illumio_pylo
-Version: 0.3.9
+Version: 0.3.11
 Summary: A set of tools and library for working with Illumio PCE
 Home-page: https://github.com/cpainchaud/pylo
 Author: Christophe Painchaud
@@ -187,11 +187,17 @@ Requires-Python: >=3.11
 License-File: LICENSE
 Requires-Dist: click==8.1.7
 Requires-Dist: colorama~=0.4.4
-Requires-Dist: cryptography==42.0.7
+Requires-Dist: cryptography==44.0.1
 Requires-Dist: openpyxl~=3.1.3
 Requires-Dist: paramiko~=3.4.0
 Requires-Dist: prettytable~=3.10.0
 Requires-Dist: requests~=2.32.0
 Requires-Dist: xlsxwriter~=3.2.0
+Dynamic: author
+Dynamic: author-email
+Dynamic: description
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
 
 README.md

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/API/APIConnector.py

@@ -69,14 +69,14 @@ class APIConnector:
         if type(port) is int:
             port = str(port)
         self.port: int = port
-        self._api_key: str = api_key
-        self._decrypted_api_key: Optional[str] = None
         self.api_user: str = api_user
+        self._api_key: str = api_key
+        self._decrypted_api_key: Optional[str] = None  # if api_key is encrypted, this will hold the decrypted value after first use
         self.org_id: int = org_id
         self.skipSSLCertCheck: bool = skip_ssl_cert_check
         self.version: Optional['pylo.SoftwareVersion'] = None
         self.version_string: str = "Not Defined"
-        self._cached_session = requests.session()
+        self._cached_session = requests.sessions.Session()
 
     @property
     def api_key(self):
@@ -533,13 +533,19 @@ class APIConnector:
             params = {'include_deny_rules': include_boundary_rules}
         return self.do_post_call(path='/sec_policy/draft/rule_coverage', json_arguments=data, include_org_id=True, json_output_expected=True, async_call=False, params=params)
 
-    def objects_label_get(self, max_results: int = None, async_mode=True) -> List[LabelObjectJsonStructure]:
+    def objects_label_get(self, max_results: int = None, async_mode=True, get_usage: bool = False, get_deleted: bool = False) -> List[LabelObjectJsonStructure]:
         path = '/labels'
         data = {}
 
         if max_results is not None:
             data['max_results'] = max_results
 
+        if get_usage:
+            data['usage'] = 'true'
+
+        if get_deleted:
+            data['includeDeleted'] = 'true'
+
         return self.do_get_call(path=path, async_call=async_mode, params=data)
 
     def objects_label_update(self, href: str, data: LabelObjectUpdateJsonStructure):
@@ -553,6 +559,60 @@ class APIConnector:
 
         return self.do_delete_call(path=path, json_output_expected=False, include_org_id=False)
 
+    class LabelMultiDeleteTracker:
+        _errors: Dict[str, str]
+        _hrefs: Dict[str, bool]
+        _labels: Dict[str, 'pylo.Label']  # dict of workloads by HREF
+        connector: 'pylo.APIConnector'
+
+        def __init__(self, connector: 'pylo.APIConnector'):
+            self.connector = connector
+            self._errors: Dict[str, Union[bool, str]] = {}
+            self._hrefs: Dict[str, str] = {}
+            self._labels: Dict[str, 'pylo.Label'] = {}
+
+        def add_label(self, label_or_href: Union['pylo.Label', str]):
+            if type(label_or_href) is str:
+                self._hrefs[label_or_href] = True
+                return
+            self._labels[label_or_href.href] = label_or_href
+            self._hrefs[label_or_href.href] = True
+
+        def execute_deletion(self):
+            for href in self._hrefs.keys():
+                try:
+                    self.connector.objects_label_delete(href)
+                    self._errors[href] = False
+                except Exception as e:
+                    self._errors[href] = str(e)
+
+            return self._errors
+
+        def has_errors(self) -> bool:
+            for href in self._errors.keys():
+                if self._errors[href] is not False:
+                    return True
+            return False
+
+        def get_errors_count(self) -> int:
+            count = 0
+            for href in self._errors.keys():
+                if self._errors[href] is not False:
+                    count += 1
+            return count
+
+        def get_error(self, label_or_href: Union['pylo.Label', str]) -> Optional[str]:
+            href = label_or_href
+            if type(label_or_href) is pylo.Label:
+                href = label_or_href.href
+            error = self._errors.get(href, None)
+            if error is None or error is False:
+                return None
+            return error
+
+    def new_tracker_for_label_multi_deletion(self) -> 'pylo.APIConnector.LabelMultiDeleteTracker':
+        return pylo.APIConnector.LabelMultiDeleteTracker(self)
+
     def objects_label_create(self, label_name: str, label_type: str):
         path = '/labels'
         data: LabelObjectCreationJsonStructure = {'key': label_type, 'value': label_name}
@@ -1378,7 +1438,4 @@ class APIConnector:
     def get_pce_ui_workload_url(self, href: str) -> str:
         # extract UUID from workload HREF:
         uuid = href.split('/')[-1]
-        return self._make_base_url('/#/workloads/' + uuid )
-
-
-
+        return self._make_base_url('/#/workloads/' + uuid)

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/API/Explorer.py

@@ -6,6 +6,7 @@ import illumio_pylo as pylo
 from .JsonPayloadTypes import RuleCoverageQueryEntryJsonStructure
 from illumio_pylo.API.APIConnector import APIConnector
 
+
 class ExplorerResult:
     _draft_mode_policy_decision: Optional[Literal['allowed', 'blocked', 'blocked_by_boundary']]
     destination_workload_labels_href: List[str]
@@ -375,6 +376,15 @@ class RuleCoverageQueryManager:
             if log_id not in self.service_index_to_log_ids[service_index]:
                 self.service_index_to_log_ids[service_index].append(log_id)
 
+        def get_allow_rules_for_log_id(self, log_id: int):
+            rules = []
+            for service_id, list_of_log_ids in self.service_index_to_log_ids.items():
+                if log_id in list_of_log_ids:
+                    policy_coverage = self.service_index_policy_coverage[service_id]
+                    for rule in policy_coverage:
+                        rules.append(rule)
+            return rules
+
         def get_policy_decision_for_log_id(self, log_id: int) -> Optional[Literal['allowed', 'blocked', 'blocked_by_boundary']]:
             policy_decision = None
             found_boundary_block = False
@@ -406,6 +416,9 @@ class RuleCoverageQueryManager:
         def add_service(self, service_record: Dict, log_id: int):
             self.services.add_service(service_record, log_id)
 
+        def get_allow_rules_for_log_id(self, log_id: int) -> List[str]:
+            return self.services.get_allow_rules_for_log_id(log_id)
+
         def get_policy_decision_for_log_id(self, log_id: int) -> Optional[Literal['allowed', 'blocked', 'blocked_by_boundary']]:
             return self.services.get_policy_decision_for_log_id(log_id)
 
@@ -511,6 +524,19 @@ class RuleCoverageQueryManager:
                         # print(f'Processing deny_edge {edge} against query {query.src_workload_href} -> {query.dst_workload_href} -> {len(query.services.services_array)}')
                         query.process_response_boundary_deny(deny_rules, edge)
 
+        def get_allow_rules_for_log_id(self, log_id: int) -> List[str]:
+            rules = []
+            for query in self.queries.values():
+                results = query.get_allow_rules_for_log_id(log_id)
+                if results is not None:
+                    for rule_dict in results:
+                        rules.append(rule_dict['href'])
+
+            # make them unique
+            rules = list(set(rules))
+
+            return rules
+
         def get_policy_decision_for_log_id(self, log_id: int) -> Optional[Literal["allowed", "blocked", "blocked_by_boundary"]]:
             policy_decision: Optional[Literal["allowed", "blocked", "blocked_by_boundary"]] = None
             found_blocked_by_boundary = False
@@ -615,6 +641,24 @@ class RuleCoverageQueryManager:
 
         return len(_log_ids)
 
+    def get_allow_rules_for_log(self, log: ExplorerResult) -> List[str]:
+        log_id = self.log_to_id[log]
+        if log_id is None:
+            raise pylo.PyloEx('No log_id found for log', log)
+
+        rules: List[str] = []
+
+        rules.extend(self.iplist_to_workload_query_manager.get_allow_rules_for_log_id(log_id))
+        rules.extend(self.workload_to_iplist_query_manager.get_allow_rules_for_log_id(log_id))
+        rules.extend(self.workload_to_workload_query_manager.get_allow_rules_for_log_id(log_id))
+
+        # make them unique
+        rules = list(set(rules))
+
+        return rules
+
+
+
     def _get_policy_decision_for_log_id(self, log_id: int) -> Optional[Literal['allowed', 'blocked', 'blocked_by_boundary']]:
         decision = self.iplist_to_workload_query_manager.get_policy_decision_for_log_id(log_id)
         if decision == 'allowed':

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/API/JsonPayloadTypes.py

@@ -25,6 +25,26 @@ class ServiceHrefRef(TypedDict):
 class VirtualServiceHrefRef(TypedDict):
     virtual_service: HrefReference
 
+
+class LabelObjectUsageJsonStructure(TypedDict):
+    virtual_server: bool
+    label_group: bool
+    static_policy_scopes: bool
+    pairing_profile: bool
+    permission: bool
+    workload: bool
+    container_workload: bool
+    firewall_coexistence_scope: bool
+    containers_inherit_host_policy_scopes: bool
+    container_workload_profile: bool
+    blocked_connection_reject_scopes: bool
+    enforcement_boundary: bool
+    loopback_interfaces_in_policy_scopes: bool
+    ip_forwarding_enabled_scopes: bool
+    rule_hit_count_enabled_scopes: bool
+    label_mapping_rule: bool
+    virtual_service: bool
+
 class LabelObjectJsonStructure(TypedDict):
     created_at: str
     created_by: Optional[HrefReferenceWithName]
@@ -33,6 +53,7 @@ class LabelObjectJsonStructure(TypedDict):
     key: str
     updated_at: str
     updated_by: Optional[HrefReferenceWithName]
+    usage: Optional[LabelObjectUsageJsonStructure]
     value: str
 
 
@@ -81,6 +102,7 @@ class WorkloadInterfaceObjectJsonStructure(TypedDict):
     name: str
     address: str
 
+
 class WorkloadObjectJsonStructure(TypedDict):
     created_at: str
     created_by: Optional[HrefReferenceWithName]
@@ -95,6 +117,7 @@ class WorkloadObjectJsonStructure(TypedDict):
     updated_at: str
     updated_by: Optional[HrefReferenceWithName]
 
+
 class WorkloadObjectCreateJsonStructure(TypedDict):
     """
     This is the structure of the JSON payload for creating a workload.
@@ -106,14 +129,18 @@ class WorkloadObjectCreateJsonStructure(TypedDict):
     name: NotRequired[str]
     public_ip: NotRequired[Optional[str]]
 
+
 class WorkloadObjectMultiCreateJsonStructure(WorkloadObjectCreateJsonStructure):
     href: str
 
+
 WorkloadObjectMultiCreateJsonRequestPayload = List[WorkloadObjectMultiCreateJsonStructure]
 
+
 class WorkloadBulkUpdateEntryJsonStructure(WorkloadObjectCreateJsonStructure):
     href: str
 
+
 class WorkloadBulkUpdateResponseEntry(TypedDict):
     href: str
     status: Literal['updated', 'error', 'validation_failure']
@@ -150,11 +177,13 @@ class VenObjectJsonStructure(TypedDict):
     os_platform: Optional[str]
     uid: Optional[str]
 
+
 class VENUnpairApiResponseSingleErrorObjectJsonStructure(TypedDict):
     token: str
     message: str
     hrefs: List[str]
 
+
 class VENUnpairApiResponseObjectJsonStructure(TypedDict):
     errors: List[VENUnpairApiResponseSingleErrorObjectJsonStructure]
 
@@ -173,6 +202,7 @@ class RuleDirectServiceReferenceObjectJsonStructure(TypedDict):
 class RuleObjectJsonStructure(TypedDict):
     created_at: str
     created_by: Optional[HrefReferenceWithName]
+    description: str
     href: str
     ingress_services: List[RuleDirectServiceReferenceObjectJsonStructure|RuleServiceReferenceObjectJsonStructure]
     updated_at: str
@@ -219,26 +249,31 @@ class VirtualServiceObjectJsonStructure(TypedDict):
     updated_at: str
     updated_by: Optional[HrefReferenceWithName]
 
+
 class NetworkDeviceConfigObjectJsonStructure(TypedDict):
     device_type: Literal['switch']
     name: str
 
+
 class NetworkDeviceObjectJsonStructure(TypedDict):
     href: str
     config: NetworkDeviceConfigObjectJsonStructure
     supported_endpoint_type: Literal['switch_port']
 
+
 class NetworkDeviceEndpointConfigObjectJsonStructure(TypedDict):
     type: Literal['switch_port']
     name: str
     workload_discovery: bool
 
+
 class NetworkDeviceEndpointObjectJsonStructure(TypedDict):
     href: str
     config: NetworkDeviceEndpointConfigObjectJsonStructure
     status: Literal['unmonitored', 'monitored']
     workloads: List[HrefReference]
 
+
 class SecurityPrincipalObjectJsonStructure(TypedDict):
     created_at: str
     created_by: Optional[HrefReferenceWithName]
@@ -247,6 +282,7 @@ class SecurityPrincipalObjectJsonStructure(TypedDict):
     updated_at: str
     updated_by: Optional[HrefReferenceWithName]
 
+
 class LabelDimensionObjectStructure(TypedDict):
     created_at: str
     created_by: Optional[HrefReferenceWithName]
@@ -286,13 +322,16 @@ WorkloadsGetQueryLabelFilterJsonStructure = List[List[str]]
 
 AuditLogApiEventType = Literal['agent.clone_detected', 'workloads.update', 'workload.update', 'workload_interfaces.update']
 
+
 class AuditLogEntryJsonStructure(TypedDict):
     event_type: AuditLogApiEventType
     timestamp: str
 
+
 class AuditLogApiRequestPayloadStructure(TypedDict):
     pass
 
+
 class AuditLogApiReplyEventJsonStructure(TypedDict):
     pass
 

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/IPList.py

@@ -1,5 +1,5 @@
 from .API.JsonPayloadTypes import IPListObjectJsonStructure
-from illumio_pylo import log
+from illumio_pylo import log, IP4Map
 from .Helpers import *
 
 
@@ -20,6 +20,7 @@ class IPList(pylo.ReferenceTracker):
         self.description = description
         self.raw_json = None
         self.raw_entries = {}
+        self._ip4map: IP4Map = None
 
     def count_entries(self) -> int:
         return len(self.raw_entries)
@@ -56,15 +57,21 @@ class IPList(pylo.ReferenceTracker):
             self.raw_entries[entry] = entry
 
     def get_ip4map(self) -> pylo.IP4Map:
-        new_map = pylo.IP4Map()
+        return self.ip4map
 
-        for entry in self.raw_entries:
-            if entry[0] == '!':
-                new_map.subtract_from_text(entry[1:], ignore_ipv6=True)
-            else:
-                new_map.add_from_text(entry, ignore_ipv6=True)
+    @property
+    def ip4map(self) -> pylo.IP4Map:
+        if self._ip4map is None:
+            new_map = pylo.IP4Map()
+            self._ip4map = new_map
+
+            for entry in self.raw_entries:
+                if entry[0] == '!':
+                    new_map.subtract_from_text(entry[1:], ignore_ipv6=True)
+                else:
+                    new_map.add_from_text(entry, ignore_ipv6=True)
 
-        return new_map
+        return self._ip4map
 
     def get_raw_entries_as_string_list(self, separator=',') -> str:
         return pylo.string_list_to_text(self.raw_entries.values(), separator=separator)

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/IPMap.py

@@ -107,6 +107,15 @@ class IP4Map:
             return True
         return False
 
+    def match_single_ip(self, ip: str) -> bool:
+        ip_object = ipaddress.IPv4Address(ip)
+        for entry in self._entries:
+            if entry[start] <= int(ip_object) <= entry[end]:
+                return True
+            if entry[start] > int(ip_object):
+                return False
+        return False
+
     def substract(self, another_map: 'IP4Map'):
         affected_rows = 0
         for entry in another_map._entries:

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "0.3.9"
+__version__ = "0.3.11"
 
 from typing import Callable
 

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/cli/commands/__init__.py

@@ -32,3 +32,4 @@ from .workload_reset_names_to_null import command_object
 from .credential_manager import command_object
 from .iplist_analyzer import command_object
 from .ven_compatibility_report_export import command_object
+from .label_delete_unused import command_object

illumio_pylo-0.3.11/illumio_pylo/cli/commands/label_delete_unused.py

@@ -0,0 +1,82 @@
+import argparse
+from typing import Optional, List
+
+import illumio_pylo as pylo
+import json
+import hashlib
+
+from illumio_pylo import log
+from . import Command
+from illumio_pylo.API.JsonPayloadTypes import LabelObjectJsonStructure
+
+command_name = "label-delete-unused"
+objects_load_filter = []  # No need to load any objects from PCE
+
+
+def fill_parser(parser: argparse.ArgumentParser):
+    parser.add_argument('--confirm', action='store_true',
+                        help='No change will be implemented in the PCE until you use this function to confirm you\'re good with them after review')
+    parser.add_argument('--limit', type=int, required=False, default=None,
+                        help='Maximum number of unused labels to delete (default: all found unused labels)')
+
+
+def __main(args, org: pylo.Organization = None, connector: pylo.APIConnector = None, config_data=None, **kwargs):
+
+    settings_confirmed_changes: bool = args['confirm']
+    settings_limit_deletions: Optional[int] = args['limit']
+
+    print("Fetching all Labels from the PCE... ", end='', flush=True)
+    # pylo.log_set_debug()
+    labels_json = connector.objects_label_get(max_results=199000, get_usage=True, async_mode=False)
+    print("OK!")
+
+    print(f"Analyzing {len(labels_json)} labels to find unused ones... ")
+    unused_labels: List[LabelObjectJsonStructure] = []
+
+    for label_json in labels_json:
+        usage_json = label_json.get('usage', {})
+        label_is_used = False
+
+        for usage_type, usage_confirmed in usage_json.items():
+            if usage_confirmed:
+                label_is_used = True
+                print(f"Label '{label_json.get('value')}' is used in '{usage_type}', skipping deletion.")
+                break
+
+        if not label_is_used:
+            print(f"Label '{label_json.get('value')}' is unused, marking for deletion.")
+            unused_labels.append(label_json)
+
+    print()
+    print(f"Found {len(unused_labels)} unused labels vs total of {len(labels_json)} labels.")
+
+    if len(unused_labels) > 0:
+        if not settings_confirmed_changes:
+            print("No change will be implemented in the PCE until you use the '--confirm' flag to confirm you're good with them after review.")
+        else:
+            print()
+            print(f"Proceeding to delete unused labels up to the limit of '{settings_limit_deletions if settings_limit_deletions is not None else 'all'}'...")
+            tracker = connector.new_tracker_for_label_multi_deletion()
+
+            if settings_limit_deletions is not None:
+                unused_labels = unused_labels[:settings_limit_deletions]
+
+            for label_json in unused_labels:
+                tracker.add_label(label_json['href'])
+
+            tracker.execute_deletion()
+            errors_count = tracker.get_errors_count()
+            success_count = len(unused_labels) - errors_count
+
+            for label_json in unused_labels:
+                error = tracker.get_error(label_json['href'])
+                if error is not None:
+                    print(f" - ERROR deleting label '{label_json.get('value')}': {error}")
+                else:
+                    print(f" - SUCCESS deleting label '{label_json.get('value')}'")
+
+            print()
+            print(f"Deletion completed: {success_count} labels deleted successfully, {errors_count} errors encountered.")
+
+
+command_object = Command(command_name, __main, fill_parser, skip_pce_config_loading=True, load_specific_objects_only=objects_load_filter)

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo/cli/commands/ven_duplicate_remover.py

@@ -4,7 +4,7 @@ import click
 import argparse
 
 import illumio_pylo as pylo
-from illumio_pylo import ExcelHeader
+from illumio_pylo import ExcelHeader, nice_json
 
 from .utils.misc import make_filename_with_timestamp
 from . import Command
@@ -134,8 +134,8 @@ def __main(args, org: pylo.Organization, pce_cache_was_used: bool, **kwargs):
         url_link_to_pce = workload.get_pce_ui_url()
         new_row = {
             'hostname': workload.hostname,
-            'online': workload.online,
-            'last_heartbeat': workload.ven_agent.get_last_heartbeat_date().strftime('%Y-%m-%d %H:%M'),
+            'online': workload.online if not workload.unmanaged else 'UNMANAGED',
+            'last_heartbeat': workload.ven_agent.get_last_heartbeat_date().strftime('%Y-%m-%d %H:%M') if not workload.unmanaged else 'UNMANAGED',
             'created_at': workload.created_at_datetime().strftime('%Y-%m-%d %H:%M'),
             'href': workload.href,
             'link_to_pce': url_link_to_pce,
@@ -172,48 +172,66 @@ def __main(args, org: pylo.Organization, pce_cache_was_used: bool, **kwargs):
                                                                                                len(dup_record.offline),
                                                                                                len(dup_record.unmanaged)))
 
-        latest_created_workload = dup_record.find_latest_created_at()
-        latest_heartbeat_workload = dup_record.find_latest_heartbeat()
-        print("     - Latest created at {} and latest heartbeat at {}".format(latest_created_workload.created_at, latest_heartbeat_workload.ven_agent.get_last_heartbeat_date()))
+        if not dup_record.has_no_managed_workloads():
+            latest_created_workload = dup_record.find_latest_managed_created_at()
+            latest_heartbeat_workload = dup_record.find_latest_heartbeat()
 
-        if dup_record.count_online() == 0:
-            print("     - IGNORED: there is no VEN online")
-            for wkl in dup_record.offline:
-                add_workload_to_report(wkl, "ignored (no VEN online)")
-            continue
+            print("    - Latest created at {} and latest heartbeat at {}".format(latest_created_workload.created_at, latest_heartbeat_workload.ven_agent.get_last_heartbeat_date()))
 
-        if dup_record.count_online() > 1:
-            print("     - WARNING: there are more than 1 VEN online")
-
-        # Don't delete online workloads but still show them in the report
-        for wkl in dup_record.online:
-            add_workload_to_report(wkl, "ignored (VEN is online)")
-
-        for wkl in dup_record.offline:
-            if arg_do_not_delete_the_most_recent_workload and wkl is latest_created_workload:
-                print("    - IGNORED: wkl {}/{} is the most recent".format(wkl.get_name_stripped_fqdn(), wkl.href))
-                add_workload_to_report(wkl, "ignored (it is the most recently created)")
-            elif arg_do_not_delete_the_most_recently_heartbeating_workload and wkl is latest_heartbeat_workload:
-                print("    - IGNORED: wkl {}/{} is the most recently heartbeating".format(wkl.get_name_stripped_fqdn(), wkl.href))
-                add_workload_to_report(wkl, "ignored (it is the most recently heartbeating)")
-            elif arg_do_not_delete_if_last_heartbeat_is_more_recent_than is not None and wkl.ven_agent.get_last_heartbeat_date() > datetime.datetime.now() - datetime.timedelta(days=arg_do_not_delete_if_last_heartbeat_is_more_recent_than):
-                print("    - IGNORED: wkl {}/{} has a last heartbeat more recent than {} days".format(wkl.get_name_stripped_fqdn(), wkl.href, arg_do_not_delete_if_last_heartbeat_is_more_recent_than))
-                add_workload_to_report(wkl, "ignored (last heartbeat is more recent than {} days)".format(arg_do_not_delete_if_last_heartbeat_is_more_recent_than))
-            else:
+            if dup_record.count_online() == 0:
+                print("     - IGNORED: there is no VEN online")
+                for wkl in dup_record.offline:
+                    add_workload_to_report(wkl, "ignored (no VEN online)")
+                continue
+
+            if dup_record.count_online() > 1:
+                print("     - WARNING: there are more than 1 VEN online")
+
+            # Don't delete online workloads but still show them in the report
+            for wkl in dup_record.online:
+                add_workload_to_report(wkl, "ignored (VEN is online)")
+
+            for wkl in dup_record.offline:
+                if arg_do_not_delete_the_most_recent_workload and wkl is latest_created_workload:
+                    print("    - IGNORED: wkl {}/{} is the most recent".format(wkl.get_name_stripped_fqdn(), wkl.href))
+                    add_workload_to_report(wkl, "ignored (it is the most recently created)")
+                elif arg_do_not_delete_the_most_recently_heartbeating_workload and wkl is latest_heartbeat_workload:
+                    print("    - IGNORED: wkl {}/{} is the most recently heartbeating".format(wkl.get_name_stripped_fqdn(), wkl.href))
+                    add_workload_to_report(wkl, "ignored (it is the most recently heartbeating)")
+                elif arg_do_not_delete_if_last_heartbeat_is_more_recent_than is not None and wkl.ven_agent.get_last_heartbeat_date() > datetime.datetime.now() - datetime.timedelta(days=arg_do_not_delete_if_last_heartbeat_is_more_recent_than):
+                    print("    - IGNORED: wkl {}/{} has a last heartbeat more recent than {} days".format(wkl.get_name_stripped_fqdn(), wkl.href, arg_do_not_delete_if_last_heartbeat_is_more_recent_than))
+                    add_workload_to_report(wkl, "ignored (last heartbeat is more recent than {} days)".format(arg_do_not_delete_if_last_heartbeat_is_more_recent_than))
+                else:
+                    if arg_limit_number_of_deleted_workloads is not None and delete_tracker.count_entries() >= arg_limit_number_of_deleted_workloads:
+                        print("    - IGNORED: wkl {}/{} because the limit of {} workloads to be deleted was reached".format(wkl.get_name_stripped_fqdn(), wkl.href, arg_limit_number_of_deleted_workloads))
+                        add_workload_to_report(wkl, "ignored (limit of {} workloads to be deleted was reached)".format(arg_limit_number_of_deleted_workloads))
+                    else:
+                        delete_tracker.add_workload(wkl)
+                        print("    - added offline wkl {}/{} to the delete list".format(wkl.get_name_stripped_fqdn(), wkl.href))
+
+            for wkl in dup_record.unmanaged:
                 if arg_limit_number_of_deleted_workloads is not None and delete_tracker.count_entries() >= arg_limit_number_of_deleted_workloads:
                     print("    - IGNORED: wkl {}/{} because the limit of {} workloads to be deleted was reached".format(wkl.get_name_stripped_fqdn(), wkl.href, arg_limit_number_of_deleted_workloads))
                     add_workload_to_report(wkl, "ignored (limit of {} workloads to be deleted was reached)".format(arg_limit_number_of_deleted_workloads))
                 else:
                     delete_tracker.add_workload(wkl)
-                    print("    - added offline wkl {}/{} to the delete list".format(wkl.get_name_stripped_fqdn(), wkl.href))
-
-        for wkl in dup_record.unmanaged:
-            if arg_limit_number_of_deleted_workloads is not None and delete_tracker.count_entries() >= arg_limit_number_of_deleted_workloads:
-                print("    - IGNORED: wkl {}/{} because the limit of {} workloads to be deleted was reached".format(wkl.get_name_stripped_fqdn(), wkl.href, arg_limit_number_of_deleted_workloads))
-                add_workload_to_report(wkl, "ignored (limit of {} workloads to be deleted was reached)".format(arg_limit_number_of_deleted_workloads))
-            else:
-                delete_tracker.add_workload(wkl)
-                print("    - added unmanaged wkl {}/{} to the delete list".format(wkl.get_name_stripped_fqdn(), wkl.href))
+                    print("    - added unmanaged wkl {}/{} to the delete list".format(wkl.get_name_stripped_fqdn(), wkl.href))
+        else:
+            latest_created_workload = dup_record.find_latest_unmanaged_created_at()
+            if latest_created_workload is None:
+                raise pylo.PyloEx("Internal error: cannot find the latest created unmanaged workload for hostname '{}'".format(dup_hostname))
+            print("    - All workloads are unmanaged. Latest created at {} will be kept".format(latest_created_workload.created_at))
+            for wkl in dup_record.unmanaged:
+                if wkl is latest_created_workload:
+                    print("    - IGNORED: wkl {}/{} is the most recent".format(wkl.get_name_stripped_fqdn(), wkl.href))
+                    add_workload_to_report(wkl, "ignored (it is the most recently created)")
+                else:
+                    if arg_limit_number_of_deleted_workloads is not None and delete_tracker.count_entries() >= arg_limit_number_of_deleted_workloads:
+                        print("    - IGNORED: wkl {}/{} because the limit of {} workloads to be deleted was reached".format(wkl.get_name_stripped_fqdn(), wkl.href, arg_limit_number_of_deleted_workloads))
+                        add_workload_to_report(wkl, "ignored (limit of {} workloads to be deleted was reached)".format(arg_limit_number_of_deleted_workloads))
+                    else:
+                        delete_tracker.add_workload(wkl)
+                        print("    - added unmanaged wkl {}/{} to the delete list".format(wkl.get_name_stripped_fqdn(), wkl.href))
 
     print()
 
@@ -324,7 +342,12 @@ class DuplicateRecordManager:
                 return True
             return False
 
-        def find_latest_created_at(self) -> 'pylo.Workload':
+        def has_no_managed_workloads(self):
+            if len(self.offline) + len(self.online) == 0:
+                return True
+            return False
+
+        def find_latest_managed_created_at(self) -> Optional['pylo.Workload']:
             latest: Optional[pylo.Workload] = None
             for wkl in self.all:
                 if wkl.unmanaged:
@@ -333,7 +356,16 @@ class DuplicateRecordManager:
                     latest = wkl
             return latest
 
-        def find_latest_heartbeat(self) -> 'pylo.Workload':
+        def find_latest_unmanaged_created_at(self) -> Optional['pylo.Workload']:
+            latest: Optional[pylo.Workload] = None
+            for wkl in self.all:
+                if not wkl.unmanaged:
+                    continue
+                if latest is None or wkl.created_at > latest.created_at:
+                    latest = wkl
+            return latest
+
+        def find_latest_heartbeat(self) ->  Optional['pylo.Workload']:
             latest: Optional[pylo.Workload] = None
             for wkl in self.all:
                 if wkl.unmanaged:

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11/illumio_pylo.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: illumio_pylo
-Version: 0.3.9
+Version: 0.3.11
 Summary: A set of tools and library for working with Illumio PCE
 Home-page: https://github.com/cpainchaud/pylo
 Author: Christophe Painchaud
@@ -187,11 +187,17 @@ Requires-Python: >=3.11
 License-File: LICENSE
 Requires-Dist: click==8.1.7
 Requires-Dist: colorama~=0.4.4
-Requires-Dist: cryptography==42.0.7
+Requires-Dist: cryptography==44.0.1
 Requires-Dist: openpyxl~=3.1.3
 Requires-Dist: paramiko~=3.4.0
 Requires-Dist: prettytable~=3.10.0
 Requires-Dist: requests~=2.32.0
 Requires-Dist: xlsxwriter~=3.2.0
+Dynamic: author
+Dynamic: author-email
+Dynamic: description
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
 
 README.md

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo.egg-info/SOURCES.txt

@@ -82,6 +82,7 @@ illumio_pylo/cli/commands/__init__.py
 illumio_pylo/cli/commands/credential_manager.py
 illumio_pylo/cli/commands/iplist_analyzer.py
 illumio_pylo/cli/commands/iplist_import_from_file.py
+illumio_pylo/cli/commands/label_delete_unused.py
 illumio_pylo/cli/commands/ruleset_export.py
 illumio_pylo/cli/commands/update_pce_objects_cache.py
 illumio_pylo/cli/commands/ven_compatibility_report_export.py

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/illumio_pylo.egg-info/requires.txt

@@ -1,6 +1,6 @@
 click==8.1.7
 colorama~=0.4.4
-cryptography==42.0.7
+cryptography==44.0.1
 openpyxl~=3.1.3
 paramiko~=3.4.0
 prettytable~=3.10.0

{illumio_pylo-0.3.9 → illumio_pylo-0.3.11}/requirements.txt

@@ -1,6 +1,6 @@
 click==8.1.7
 colorama~=0.4.4
-cryptography==42.0.7
+cryptography==44.0.1
 openpyxl~=3.1.3
 paramiko~=3.4.0
 prettytable~=3.10.0