From 7d1489b422a0a7cd3336fdb966235b04d8461fa6 Mon Sep 17 00:00:00 2001 From: Hannu Kamarainen Date: Thu, 7 Jan 2021 15:15:20 +0100 Subject: [PATCH] PA: Add field pan-security-profile-group to policy. --- capirca/lib/paloaltofw.py | 17 ++++++++++++++++- capirca/lib/policy.py | 25 +++++++++++++++++++++++++ tests/lib/paloaltofw_test.py | 19 ++++++++++++++++++- 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/capirca/lib/paloaltofw.py b/capirca/lib/paloaltofw.py index 00ec3054..74204605 100644 --- a/capirca/lib/paloaltofw.py +++ b/capirca/lib/paloaltofw.py @@ -194,6 +194,7 @@ def ModifyOptions(self, terms, service_map): self.options["source"] = [] self.options["destination"] = [] self.options["application"] = [] + self.options["security_profile_group"] = [] self.options["service"] = [] self.options["logging"] = [] @@ -256,6 +257,11 @@ def pan_ports(ports): for pan_app in term.pan_application: self.options["application"].append(pan_app) + if term.pan_security_profile_group: + if len(term.pan_security_profile_group) > 1: + raise PaloAltoFWOptionError("Only one security profile group allowed") + self.options["security_profile_group"].append(term.pan_security_profile_group[0]) + if term.source_port or term.destination_port: src_ports = pan_ports(term.source_port) if term.destination_port: @@ -367,7 +373,8 @@ def _BuildTokens(self): "stateless_reply", "timeout", "pan_application", - "translated", + "pan_security_profile_group", + "translated" } supported_sub_tokens.update({ @@ -906,6 +913,14 @@ def __str__(self): member = etree.SubElement(app, "member") member.text = x + # SECURITY PROFILE GROUP + if options["security_profile_group"]: + profile_setting = etree.SubElement(entry, "profile-setting") + profile_setting_group = etree.SubElement(profile_setting, "group") + for x in options["security_profile_group"]: + member = etree.SubElement(profile_setting_group, "member") + member.text = x + if tag_name is not None: rules_tag = etree.SubElement(entry, "tag") member = etree.SubElement(rules_tag, "member") diff --git a/capirca/lib/policy.py b/capirca/lib/policy.py index ba2132c6..e676b4c5 100644 --- a/capirca/lib/policy.py +++ b/capirca/lib/policy.py @@ -334,6 +334,7 @@ class Term(object): next-ip: VarType.NEXT_IP qos: VarType.QOS pan-application: VarType.PAN_APPLICATION + pan-security-profile-group: VarType.PAN_SECURITY_PROFILE_GROUP policer: VarType.POLICER priority: VarType.PRIORITY vpn: VarType.VPN @@ -431,6 +432,7 @@ def __init__(self, obj): self.protocol_except = [] self.qos = None self.pan_application = [] + self.pan_security_profile_group = [] self.routing_instance = None self.source_address = [] self.source_address_exclude = [] @@ -749,6 +751,8 @@ def __str__(self): ret_str.append(' qos: %s' % self.qos) if self.pan_application: ret_str.append(' pan_application: %s' % self.pan_application) + if self.pan_security_profile_group: + ret_str.append(' pan_security_profile_group: %s' % self.pan_security_profile_group) if self.logging: ret_str.append(' logging: %s' % self.logging) if self.log_limit: @@ -838,6 +842,10 @@ def __eq__(self, other): if sorted(self.pan_application) != sorted(other.pan_application): return False + # pan-security-profile-group + if sorted(self.pan_security_profile_group) != sorted(other.pan_security_profile_group): + return False + # verbatim if self.verbatim != other.verbatim: return False @@ -869,6 +877,8 @@ def __eq__(self, other): return False if sorted(self.pan_application) != sorted(other.pan_application): return False + if sorted(self.pan_security_profile_group) != sorted(other.pan_security_profile_group): + return False if self.packet_length != other.packet_length: return False if self.fragment_offset != other.fragment_offset: @@ -1095,6 +1105,8 @@ def AddObject(self, obj): self.forwarding_class_except.append(x.value) elif x.var_type is VarType.PAN_APPLICATION: self.pan_application.append(x.value) + elif x.var_type is VarType.PAN_SECURITY_PROFILE_GROUP: + self.pan_security_profile_group.append(x.value) elif x.var_type is VarType.NEXT_IP: self.next_ip = DEFINITIONS.GetNetAddr(x.value) elif x.var_type is VarType.PLATFORM: @@ -1139,6 +1151,8 @@ def AddObject(self, obj): self.forwarding_class_except.append(obj.value) elif obj.var_type is VarType.PAN_APPLICATION: self.pan_application.append(obj.value) + elif obj.var_type is VarType.PAN_SECURITY_PROFILE_GROUP: + self.pan_security_profile_group.append(obj.value) elif obj.var_type is VarType.NEXT_IP: self.next_ip = DEFINITIONS.GetNetAddr(obj.value) elif obj.var_type is VarType.VERBATIM: @@ -1500,6 +1514,7 @@ class VarType(object): TARGET_RESOURCES = 59 TARGET_SERVICE_ACCOUNTS = 60 ENCAPSULATE = 61 + PAN_SECURITY_PROFILE_GROUP = 62 def __init__(self, var_type, value): self.var_type = var_type @@ -1710,6 +1725,7 @@ def __ne__(self, other): 'RPAREN', 'RSQUARE', 'PAN_APPLICATION', + 'PAN_SECURITY_PROFILE_GROUP', 'ROUTING_INSTANCE', 'SADDR', 'SADDREXCLUDE', @@ -1786,6 +1802,7 @@ def __ne__(self, other): 'protocol-except': 'PROTOCOL_EXCEPT', 'qos': 'QOS', 'pan-application': 'PAN_APPLICATION', + 'pan-security-profile-group': 'PAN_SECURITY_PROFILE_GROUP', 'routing-instance': 'ROUTING_INSTANCE', 'source-address': 'SADDR', 'source-exclude': 'SADDREXCLUDE', @@ -1963,6 +1980,7 @@ def p_term_spec(p): | term_spec protocol_spec | term_spec qos_spec | term_spec pan_application_spec + | term_spec pan_security_profile_group_spec | term_spec routinginstance_spec | term_spec tag_list_spec | term_spec target_resources_spec @@ -2332,6 +2350,13 @@ def p_pan_application_spec(p): p[0].append(VarType(VarType.PAN_APPLICATION, apps)) +def p_pan_security_profile_group_spec(p): + """ pan_security_profile_group_spec : PAN_SECURITY_PROFILE_GROUP ':' ':' one_or_more_strings """ + p[0] = [] + for apps in p[4]: + p[0].append(VarType(VarType.PAN_SECURITY_PROFILE_GROUP, apps)) + + def p_interface_spec(p): """ interface_spec : SINTERFACE ':' ':' STRING | DINTERFACE ':' ':' STRING """ diff --git a/tests/lib/paloaltofw_test.py b/tests/lib/paloaltofw_test.py index d3eef269..ebf88627 100644 --- a/tests/lib/paloaltofw_test.py +++ b/tests/lib/paloaltofw_test.py @@ -267,6 +267,14 @@ } """ +PAN_SECURITY_PROFILE_GROUP = """ +term pan-security-profile-term { + protocol:: tcp + action:: accept + pan-security-profile-group:: url-filtering +} +""" + ACTION_ACCEPT_TERM = """ term test-accept-action { comment:: "Testing accept action for tcp." @@ -377,7 +385,8 @@ 'stateless_reply', 'timeout', 'pan_application', - 'translated', + 'pan_security_profile_group', + 'translated' }) SUPPORTED_SUB_TOKENS = { @@ -628,6 +637,14 @@ def testAcceptAction(self): "/entry[@name='test-accept-action']/action") self.assertEqual(x, 'allow', output) + def testPanSecurityProfileGroup(self): + pol = policy.ParsePolicy(GOOD_HEADER_1 + PAN_SECURITY_PROFILE_GROUP, self.naming) + paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO) + output = str(paloalto) + x = paloalto.config.findtext(PATH_RULES + + "/entry[@name='pan-security-profile-term']/profile-setting/group/member") + self.assertIsNotNone(x, output) + def testDenyAction(self): pol = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_DENY_TERM, self.naming) paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)