Merge branch 'release/0.6.4'

Author: shinmog

HISTORY.rst

@@ -3,6 +3,19 @@
 History
 =======
 
+0.6.4
+-----
+
+Released: 2018-07-10
+
+Status: Alpha
+
+- Added .move() function to move config elements
+- Added objects.SecurityProfileGroup
+- Added "devices" param to panorama.TemplateStack
+- Added dynamic NAT translation support for PAN-OS 8.1+
+- Fixed ha.HighAvailability for PAN-OS 8.1+
+
 0.6.3
 -----
 

pandevice/__init__.py

@@ -23,7 +23,7 @@
 
 __author__ = 'Palo Alto Networks'
 __email__ = '[email protected]'
-__version__ = '0.6.3'
+__version__ = '0.6.4'
 
 
 import logging

pandevice/base.py

@@ -627,6 +627,80 @@ def update(self, variable):
             device.xapi.edit(xpath, ET.tostring(element, encoding='utf-8'),
                              retry_on_peer=self.HA_SYNC)
 
+    def move(self, location, ref=None, update=True):
+        """Moves the current object.
+
+        **Modifies the live device**
+
+        This is useful for stuff like moving one security policy above another.
+
+        If this object's parent is a rulebase object, then this object is also
+        moved to the appropriate position in the local pandevice object tree.
+
+        Args:
+            location (str): Any of the following: before, after, top, or bottom
+            ref (PanObject/str): If location is "before" or "after", move this object before/after the ref object.  If this is a string, then the string should just be the name of the object.
+            update (bool): If this is set to False, then only move this object in the pandevice object tree, do not actually perform the MOVE operation on the live device.  Note that in order for this object to be moved in the pandevice object tree, the parent object must be a rulebase object.
+
+        Raises:
+            ValueError
+
+        """
+        d = self.nearest_pandevice()
+        dst = None
+        new_index = None
+        rbs = ('Rulebase', 'PreRulebase', 'PostRulebase')
+        ref_locs = ('before', 'after')
+        standalone_locs = ('top', 'bottom')
+        parent = self.parent
+
+        # Sanity checks + determine move location.
+        if parent is None:
+            raise ValueError('No parent for object {0}'.format(self.uid))
+        elif location in standalone_locs:
+            if ref is not None:
+                raise ValueError('ref should be None for {0} move'.format(
+                                 location))
+            if parent.__class__.__name__ in rbs:
+                new_index = 0 if location == 'top' else len(parent.children) - 1
+        elif location in ref_locs:
+            if ref is None:
+                raise ValueError('ref must be specified for {0} move'.format(
+                                 location))
+            dst = str(ref)
+            if self.uid == dst:
+                raise ValueError('Cannot move rule in relation to self')
+            if parent.__class__.__name__ in rbs:
+                offset = 0
+                for i, x in enumerate(parent.children):
+                    if self == x:
+                        offset = 1
+                    elif type(x) == type(self) and x.uid == dst:
+                        new_index = (
+                            i - offset
+                            if location == 'before'
+                            else i - offset + 1)
+                        break
+        else:
+            raise ValueError('Location must be one of:  {0} or {1}'.format(
+                             ref_locs, standalone_locs))
+
+        logger.debug('{0}: move called on {1} "{2}"'.format(
+            d.id, type(self), self.uid))
+
+        # Move the rule in the pandevice object tree, if applicable.
+        if new_index is not None:
+            parent.remove(self)
+            parent.insert(new_index, self)
+
+        # Done if we're not updating.
+        if not update:
+            return
+
+        # Perform the move on the nearest pandevice.
+        d.set_config_changed()
+        d.xapi.move(self.xpath(), location, dst)
+
     def _get_param_specific_info(self, variable):
         """Gets a tuple of info for the given parameter.
 
@@ -2544,7 +2618,9 @@ def element(self, elm, settings, comparable=False):
                 continue
             if token.startswith('entry '):
                 junk, var_to_use = token.split()
-                child = ET.Element('entry', {'name': settings[var_to_use]})
+                sol_val = pandevice.string_or_list(settings[var_to_use])[0]
+                child = ET.Element('entry',
+                    {'name': str(sol_val)})
             elif token == "entry[@name='localhost.localdomain']":
                 child = ET.Element('entry', {'name': 'localhost.localdomain'})
             else:
@@ -2620,7 +2696,8 @@ def parse_xml(self, xml, settings, possibilities):
                     if ans is None:
                         return
                     settings[entry_var] = ans.attrib['name']
-                path_str = "entry[@name='{0}']".format(settings[entry_var])
+                sol_val = pandevice.string_or_list(settings[entry_var])[0]
+                path_str = "entry[@name='{0}']".format(sol_val)
             else:
                 # Standard path part
                 try:

pandevice/device.py

@@ -110,6 +110,7 @@ class Vsys(VersionedPanObject):
         "objects.ApplicationObject",
         "objects.ApplicationGroup",
         "objects.ApplicationFilter",
+        "objects.SecurityProfileGroup",
         "policies.Rulebase",
         "network.EthernetInterface",
         "network.AggregateInterface",

pandevice/firewall.py

@@ -75,6 +75,7 @@ class Firewall(PanDevice):
         "objects.ApplicationObject",
         "objects.ApplicationGroup",
         "objects.ApplicationFilter",
+        "objects.SecurityProfileGroup",
         "policies.Rulebase",
         "network.EthernetInterface",
         "network.AggregateInterface",

pandevice/ha.py

@@ -26,6 +26,8 @@
 from pandevice import getlogger, isstring
 from pandevice.base import PanObject, PanDevice, Root, MEMBER, ENTRY
 from pandevice.base import VarPath as Var
+from pandevice.base import VersionedPanObject
+from pandevice.base import VersionedParamPath
 from pandevice import  network, firewall
 import pandevice.errors as err
 
@@ -264,12 +266,13 @@ def variables(cls):
         )
 
 
-class HighAvailability(PanObject):
+class HighAvailability(VersionedPanObject):
     """High availability configuration base object
 
     All high availability configuration is in this object or is a child of this object
 
     Args:
+        name: (unused, and may be omitted)
         enabled (bool): Enable HA (Default: True)
         group_id (int): The group identifier
         description (str): Description for HA pairing
@@ -284,42 +287,99 @@ class HighAvailability(PanObject):
 
     """
     ROOT = Root.DEVICE
-    XPATH = "/deviceconfig/high-availability"
+    SUFFIX = None
     HA_SYNC = False
     CHILDTYPES = (
-        "ha.HA1",
-        "ha.HA1Backup",
-        "ha.HA2",
-        "ha.HA2Backup",
-        "ha.HA3",
+        'ha.HA1',
+        'ha.HA1Backup',
+        'ha.HA2',
+        'ha.HA2Backup',
+        'ha.HA3',
     )
 
-    ACTIVE_PASSIVE = "active-passive"
-    ACTIVE_ACTIVE = "active-active"
-
-    @classmethod
-    def variables(cls):
-        return (
-            # Enabled flag
-            Var("enabled", vartype="bool", default=True),
-            # Group
-            Var("group", "group_id", vartype="entry", default=(1,)),
-            Var("{{group_id}}/description"),
-            Var("{{group_id}}/configuration-synchronization/enabled", "config_sync", vartype="bool"),
-            Var("{{group_id}}/peer-ip"),
-            # HA Mode (A/P, A/A)
-            Var("{{group_id}}/mode/(active-passive|active-active)", "mode", default="active-passive"),
-            Var("{{group_id}}/mode/{{mode}}/passive-link-state"),
-            # State Synchronization
-            Var("{{group_id}}/state-synchronization/enabled", "state_sync", vartype="bool", default=False),
-            # HA2 Keep-alive
-            Var("{{group_id}}/state-synchronization/ha2-keep-alive/enabled", "ha2_keepalive", vartype="bool"),
-            Var("{{group_id}}/state-synchronization/ha2-keep-alive/action", "ha2_keepalive_action"),
-            Var("{{group_id}}/state-synchronization/ha2-keep-alive/threshold", "ha2_keepalive_threshold", vartype="int"),
-            Var("interface", vartype="none"),
-            Var("interface/ha1", vartype="none"),
-            Var("interface/ha1-backup", vartype="none"),
-            Var("interface/ha2", vartype="none"),
-            Var("interface/ha2-backup", vartype="none"),
-            Var("interface/ha3", vartype="none"),
-        )
+    ACTIVE_PASSIVE = 'active-passive'
+    ACTIVE_ACTIVE = 'active-active'
+
+    def _setup(self):
+        # xpaths
+        self._xpaths.add_profile(value='/deviceconfig/high-availability')
+
+        # params
+        params = []
+
+        params.append(VersionedParamPath(
+            'enabled', default=True, vartype='yesno', path='enabled'))
+        params.append(VersionedParamPath(
+            'group_id', default=1, vartype='entry', path='group'))
+        params[-1].add_profile(
+            '8.1.0',
+            vartype='int', path='group/group-id')
+        params.append(VersionedParamPath(
+            'description', path='group/entry group_id/description'))
+        params[-1].add_profile(
+            '8.1.0',
+            path='group/description')
+        params.append(VersionedParamPath(
+            'config_sync', vartype='yesno',
+            path='group/entry group_id/configuration-synchronization/enabled'))
+        params[-1].add_profile(
+            '8.1.0',
+            vartype='yesno',
+            path='group/configuration-synchronization/enabled')
+        params.append(VersionedParamPath(
+            'peer_ip', path='group/entry group_id/peer-ip'))
+        params[-1].add_profile(
+            '8.1.0',
+            path='group/peer-ip')
+        params.append(VersionedParamPath(
+            'mode', default='active-passive',
+            values=('active-passive', 'active-active'),
+            path='group/entry group_id/mode/{mode}'))
+        params[-1].add_profile(
+            '8.1.0',
+            values=('active-passive', 'active-active'),
+            path='group/mode/{mode}')
+        params.append(VersionedParamPath(
+            'passive_link_state', condition={'mode': 'active-passive'},
+            path='group/entry group_id/mode/{mode}/passive-link-state'))
+        params[-1].add_profile(
+            '8.1.0',
+            condition={'mode': 'active-passive'},
+            path='group/mode/{mode}/passive-link-state')
+        params.append(VersionedParamPath(
+            'state_sync', vartype='yesno', default=False,
+            path='group/entry group_id/state-synchronization/enabled'))
+        params[-1].add_profile(
+            '8.1.0',
+            vartype='yesno',
+            path='group/state-synchronization/enabled')
+        params.append(VersionedParamPath(
+            'ha2_keepalive', vartype='yesno',
+            path='group/entry group_id/state-synchronization/ha2-keep-alive/enabled'))
+        params[-1].add_profile(
+            '8.1.0',
+            vartype='yesno',
+            path='group/state-synchronization/ha2-keep-alive/enabled')
+        params.append(VersionedParamPath(
+            'ha2_keepalive_action', values=('log-only', 'split-datapath'),
+            path='group/entry group_id/state-synchronization/ha2-keep-alive/action'))
+        params[-1].add_profile(
+            '8.1.0',
+            values=('log-only', 'split-datapath'),
+            path='group/state-synchronization/ha2-keep-alive/action')
+        params.append(VersionedParamPath(
+            'ha2_keepalive_threshold', vartype='int',
+            path='group/entry group_id/state-synchronization/ha2-keep-alive/threshold'))
+        params[-1].add_profile(
+            '8.1.0',
+            vartype='int',
+            path='group/state-synchronization/ha2-keep-alive/threshold')
+
+        self._params = tuple(params)
+
+        # stubs
+        self._stubs.add_profile(
+            '0.0.0',
+            'interface/ha1', 'interface/ha1-backup',
+            'interface/ha2', 'interface/ha2-backup',
+            'interface/ha3')

pandevice/objects.py

@@ -470,3 +470,45 @@ def _setup(self):
             'applications', path='functions', vartype='member'))
 
         self._params = tuple(params)
+
+
+class SecurityProfileGroup(VersionedPanObject):
+    """Security Profile Group object
+
+    Args:
+        name (str): The group name
+        virus (str): Antivirus profile
+        spyware (str): Anti-spyware profile
+        vulnerability (str): Vulnerability protection profile
+        url_filtering (str): URL filtering profile
+        file_blocking (str): File blocking profile
+        data_filtering (str): Data filtering profile
+        wildfire_analysis (str): WildFire analysis profile
+
+    """
+    ROOT = Root.VSYS
+    SUFFIX = ENTRY
+
+    def _setup(self):
+        # xpaths
+        self._xpaths.add_profile(value='/profile-group')
+
+        # params
+        params = []
+
+        params.append(VersionedParamPath(
+            'virus', path='virus', vartype='member'))
+        params.append(VersionedParamPath(
+            'spyware', path='spyware', vartype='member'))
+        params.append(VersionedParamPath(
+            'vulnerability', path='vulnerability', vartype='member'))
+        params.append(VersionedParamPath(
+            'url_filtering', path='url-filtering', vartype='member'))
+        params.append(VersionedParamPath(
+            'file_blocking', path='file-blocking', vartype='member'))
+        params.append(VersionedParamPath(
+            'data_filtering', path='data-filtering', vartype='member'))
+        params.append(VersionedParamPath(
+            'wildfire_analysis', path='wildfire-analysis', vartype='member'))
+
+        self._params = tuple(params)

pandevice/panorama.py

@@ -65,6 +65,7 @@ class DeviceGroup(VersionedPanObject):
         "objects.ApplicationObject",
         "objects.ApplicationGroup",
         "objects.ApplicationFilter",
+        "objects.SecurityProfileGroup",
     )
 
     def _setup(self):
@@ -181,6 +182,7 @@ class TemplateStack(VersionedPanObject):
         name: Stack name
         description: The description
         templates (str/list): The list of templates in this stack
+        devices (str/list): The list of serial numbers in this template
 
     """
     ROOT = Root.DEVICE
@@ -197,6 +199,8 @@ def _setup(self):
             'description', path='description'))
         params.append(VersionedParamPath(
             'templates', path='templates', vartype='member'))
+        params.append(VersionedParamPath(
+            'devices', vartype='entry', path='devices'))
 
         self._params = tuple(params)