PA: Add field pan-security-profile-group to policy.

Author: hkam40k

capirca/lib/paloaltofw.py

@@ -194,6 +194,7 @@ def ModifyOptions(self, terms, service_map):
     self.options["source"] = []
     self.options["destination"] = []
     self.options["application"] = []
+    self.options["security_profile_group"] = []
     self.options["service"] = []
     self.options["logging"] = []
 
@@ -256,6 +257,11 @@ def pan_ports(ports):
       for pan_app in term.pan_application:
         self.options["application"].append(pan_app)
 
+    if term.pan_security_profile_group:
+      if len(term.pan_security_profile_group) > 1:
+        raise PaloAltoFWOptionError("Only one security profile group allowed")
+      self.options["security_profile_group"].append(term.pan_security_profile_group[0])
+
     if term.source_port or term.destination_port:
       src_ports = pan_ports(term.source_port)
       if term.destination_port:
@@ -367,7 +373,8 @@ def _BuildTokens(self):
         "stateless_reply",
         "timeout",
         "pan_application",
-        "translated",
+        "pan_security_profile_group",
+        "translated"
     }
 
     supported_sub_tokens.update({
@@ -906,6 +913,14 @@ def __str__(self):
             member = etree.SubElement(app, "member")
             member.text = x
 
+        # SECURITY PROFILE GROUP
+        if options["security_profile_group"]:
+          profile_setting = etree.SubElement(entry, "profile-setting")
+          profile_setting_group = etree.SubElement(profile_setting, "group")
+          for x in options["security_profile_group"]:
+            member = etree.SubElement(profile_setting_group, "member")
+            member.text = x
+
         if tag_name is not None:
           rules_tag = etree.SubElement(entry, "tag")
           member = etree.SubElement(rules_tag, "member")

capirca/lib/policy.py

@@ -334,6 +334,7 @@ class Term(object):
     next-ip: VarType.NEXT_IP
     qos: VarType.QOS
     pan-application: VarType.PAN_APPLICATION
+    pan-security-profile-group: VarType.PAN_SECURITY_PROFILE_GROUP
     policer: VarType.POLICER
     priority: VarType.PRIORITY
     vpn: VarType.VPN
@@ -431,6 +432,7 @@ def __init__(self, obj):
     self.protocol_except = []
     self.qos = None
     self.pan_application = []
+    self.pan_security_profile_group = []
     self.routing_instance = None
     self.source_address = []
     self.source_address_exclude = []
@@ -749,6 +751,8 @@ def __str__(self):
       ret_str.append('  qos: %s' % self.qos)
     if self.pan_application:
       ret_str.append('  pan_application: %s' % self.pan_application)
+    if self.pan_security_profile_group:
+      ret_str.append('  pan_security_profile_group: %s' % self.pan_security_profile_group)
     if self.logging:
       ret_str.append('  logging: %s' % self.logging)
     if self.log_limit:
@@ -838,6 +842,10 @@ def __eq__(self, other):
     if sorted(self.pan_application) != sorted(other.pan_application):
       return False
 
+    # pan-security-profile-group
+    if sorted(self.pan_security_profile_group) != sorted(other.pan_security_profile_group):
+      return False
+
     # verbatim
     if self.verbatim != other.verbatim:
       return False
@@ -869,6 +877,8 @@ def __eq__(self, other):
       return False
     if sorted(self.pan_application) != sorted(other.pan_application):
       return False
+    if sorted(self.pan_security_profile_group) != sorted(other.pan_security_profile_group):
+      return False
     if self.packet_length != other.packet_length:
       return False
     if self.fragment_offset != other.fragment_offset:
@@ -1095,6 +1105,8 @@ def AddObject(self, obj):
           self.forwarding_class_except.append(x.value)
         elif x.var_type is VarType.PAN_APPLICATION:
           self.pan_application.append(x.value)
+        elif x.var_type is VarType.PAN_SECURITY_PROFILE_GROUP:
+          self.pan_security_profile_group.append(x.value)
         elif x.var_type is VarType.NEXT_IP:
           self.next_ip = DEFINITIONS.GetNetAddr(x.value)
         elif x.var_type is VarType.PLATFORM:
@@ -1139,6 +1151,8 @@ def AddObject(self, obj):
         self.forwarding_class_except.append(obj.value)
       elif obj.var_type is VarType.PAN_APPLICATION:
         self.pan_application.append(obj.value)
+      elif obj.var_type is VarType.PAN_SECURITY_PROFILE_GROUP:
+        self.pan_security_profile_group.append(obj.value)
       elif obj.var_type is VarType.NEXT_IP:
         self.next_ip = DEFINITIONS.GetNetAddr(obj.value)
       elif obj.var_type is VarType.VERBATIM:
@@ -1500,6 +1514,7 @@ class VarType(object):
   TARGET_RESOURCES = 59
   TARGET_SERVICE_ACCOUNTS = 60
   ENCAPSULATE = 61
+  PAN_SECURITY_PROFILE_GROUP = 62
 
   def __init__(self, var_type, value):
     self.var_type = var_type
@@ -1710,6 +1725,7 @@ def __ne__(self, other):
     'RPAREN',
     'RSQUARE',
     'PAN_APPLICATION',
+    'PAN_SECURITY_PROFILE_GROUP',
     'ROUTING_INSTANCE',
     'SADDR',
     'SADDREXCLUDE',
@@ -1786,6 +1802,7 @@ def __ne__(self, other):
     'protocol-except': 'PROTOCOL_EXCEPT',
     'qos': 'QOS',
     'pan-application': 'PAN_APPLICATION',
+    'pan-security-profile-group': 'PAN_SECURITY_PROFILE_GROUP',
     'routing-instance': 'ROUTING_INSTANCE',
     'source-address': 'SADDR',
     'source-exclude': 'SADDREXCLUDE',
@@ -1963,6 +1980,7 @@ def p_term_spec(p):
                 | term_spec protocol_spec
                 | term_spec qos_spec
                 | term_spec pan_application_spec
+                | term_spec pan_security_profile_group_spec
                 | term_spec routinginstance_spec
                 | term_spec tag_list_spec
                 | term_spec target_resources_spec
@@ -2332,6 +2350,13 @@ def p_pan_application_spec(p):
     p[0].append(VarType(VarType.PAN_APPLICATION, apps))
 
 
+def p_pan_security_profile_group_spec(p):
+  """ pan_security_profile_group_spec : PAN_SECURITY_PROFILE_GROUP ':' ':' one_or_more_strings """
+  p[0] = []
+  for apps in p[4]:
+    p[0].append(VarType(VarType.PAN_SECURITY_PROFILE_GROUP, apps))
+
+
 def p_interface_spec(p):
   """ interface_spec : SINTERFACE ':' ':' STRING
                      | DINTERFACE ':' ':' STRING """

tests/lib/paloaltofw_test.py

@@ -267,6 +267,14 @@
 }
 """
 
+PAN_SECURITY_PROFILE_GROUP = """
+term pan-security-profile-term {
+  protocol:: tcp
+  action:: accept
+  pan-security-profile-group:: url-filtering
+}
+"""
+
 ACTION_ACCEPT_TERM = """
 term test-accept-action {
   comment:: "Testing accept action for tcp."
@@ -377,7 +385,8 @@
     'stateless_reply',
     'timeout',
     'pan_application',
-    'translated',
+    'pan_security_profile_group',
+    'translated'
 })
 
 SUPPORTED_SUB_TOKENS = {
@@ -628,6 +637,14 @@ def testAcceptAction(self):
                                  "/entry[@name='test-accept-action']/action")
     self.assertEqual(x, 'allow', output)
 
+  def testPanSecurityProfileGroup(self):
+    pol = policy.ParsePolicy(GOOD_HEADER_1 + PAN_SECURITY_PROFILE_GROUP, self.naming)
+    paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
+    output = str(paloalto)
+    x = paloalto.config.findtext(PATH_RULES +
+                                 "/entry[@name='pan-security-profile-term']/profile-setting/group/member")
+    self.assertIsNotNone(x, output)
+
   def testDenyAction(self):
     pol = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_DENY_TERM, self.naming)
     paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)