PA: Add field pan-security-profile-group to policy.

hkam40k · hkam40k · commit b1bd341654e3 · 2021-01-07T15:15:20.000+01:00
diff --git a/capirca/lib/paloaltofw.py b/capirca/lib/paloaltofw.py
@@ -171,6 +171,7 @@ def ModifyOptions(self, terms):
     self.options["source"] = []
     self.options["destination"] = []
     self.options["application"] = []
+    self.options["security_profile_group"] = []
     self.options["service"] = []
     self.options["action"] = "allow"
 
@@ -203,6 +204,11 @@ def ModifyOptions(self, terms):
       for pan_app in term.pan_application:
         self.options["application"].append(pan_app)
 
+    if term.pan_security_profile_group:
+      if len(term.pan_security_profile_group) > 1:
+        raise PaloAltoFWOptionError("Only one security profile group allowed")
+      self.options["security_profile_group"].append(term.pan_security_profile_group[0])
+
     if term.destination_port:
       ports = []
       for tup in term.destination_port:
@@ -250,7 +256,6 @@ def __init__(self, pol, exp_info):
     self.pafw_policies = []
     self.addressbook = collections.OrderedDict()
     self.applications = []
-    self.pan_applications = []
     self.ports = []
     self.from_zone = ""
     self.to_zone = ""
@@ -283,6 +288,7 @@ def _BuildTokens(self):
         "stateless_reply",
         "timeout",
         "pan_application",
+        "pan_security_profile_group",
         "translated"
     }
 
@@ -603,6 +609,14 @@ def __str__(self):
           rules.append(self.INDENT * 10 + "<member>" + a + "</member>")
       rules.append(self.INDENT * 9 + "</application>")
 
+      if options["security_profile_group"]:
+        rules.append(self.INDENT * 9 + "<profile-setting>")
+        rules.append(self.INDENT * 10 + "<group>")
+        for p in options["security_profile_group"]:
+          rules.append(self.INDENT * 11 + "<member>" + p + "</member>")
+        rules.append(self.INDENT * 10 + "</group>")
+        rules.append(self.INDENT * 9 + "</profile-setting>")
+
       rules.append(self.INDENT * 8 + "</entry>")
 
     rules.append(self.INDENT * 7 + "</rules>")
diff --git a/capirca/lib/policy.py b/capirca/lib/policy.py
@@ -334,6 +334,7 @@ class Term(object):
     next-ip: VarType.NEXT_IP
     qos: VarType.QOS
     pan-application: VarType.PAN_APPLICATION
+    pan-security-profile-group: VarType.PAN_SECURITY_PROFILE_GROUP
     policer: VarType.POLICER
     priority: VarType.PRIORITY
     vpn: VarType.VPN
@@ -431,6 +432,7 @@ def __init__(self, obj):
     self.protocol_except = []
     self.qos = None
     self.pan_application = []
+    self.pan_security_profile_group = []
     self.routing_instance = None
     self.source_address = []
     self.source_address_exclude = []
@@ -749,6 +751,8 @@ def __str__(self):
       ret_str.append('  qos: %s' % self.qos)
     if self.pan_application:
       ret_str.append('  pan_application: %s' % self.pan_application)
+    if self.pan_security_profile_group:
+      ret_str.append('  pan_security_profile_group: %s' % self.pan_security_profile_group)
     if self.logging:
       ret_str.append('  logging: %s' % self.logging)
     if self.log_limit:
@@ -838,6 +842,10 @@ def __eq__(self, other):
     if sorted(self.pan_application) != sorted(other.pan_application):
       return False
 
+    # pan-security-profile-group
+    if sorted(self.pan_security_profile_group) != sorted(other.pan_security_profile_group):
+      return False
+
     # verbatim
     if self.verbatim != other.verbatim:
       return False
@@ -869,6 +877,8 @@ def __eq__(self, other):
       return False
     if sorted(self.pan_application) != sorted(other.pan_application):
       return False
+    if sorted(self.pan_security_profile_group) != sorted(other.pan_security_profile_group):
+      return False
     if self.packet_length != other.packet_length:
       return False
     if self.fragment_offset != other.fragment_offset:
@@ -1095,6 +1105,8 @@ def AddObject(self, obj):
           self.forwarding_class_except.append(x.value)
         elif x.var_type is VarType.PAN_APPLICATION:
           self.pan_application.append(x.value)
+        elif x.var_type is VarType.PAN_SECURITY_PROFILE_GROUP:
+          self.pan_security_profile_group.append(x.value)
         elif x.var_type is VarType.NEXT_IP:
           self.next_ip = DEFINITIONS.GetNetAddr(x.value)
         elif x.var_type is VarType.PLATFORM:
@@ -1139,6 +1151,8 @@ def AddObject(self, obj):
         self.forwarding_class_except.append(obj.value)
       elif obj.var_type is VarType.PAN_APPLICATION:
         self.pan_application.append(obj.value)
+      elif obj.var_type is VarType.PAN_SECURITY_PROFILE_GROUP:
+        self.pan_security_profile_group.append(obj.value)
       elif obj.var_type is VarType.NEXT_IP:
         self.next_ip = DEFINITIONS.GetNetAddr(obj.value)
       elif obj.var_type is VarType.VERBATIM:
@@ -1500,6 +1514,7 @@ class VarType(object):
   TARGET_RESOURCES = 59
   TARGET_SERVICE_ACCOUNTS = 60
   ENCAPSULATE = 61
+  PAN_SECURITY_PROFILE_GROUP = 62
 
   def __init__(self, var_type, value):
     self.var_type = var_type
@@ -1710,6 +1725,7 @@ def __ne__(self, other):
     'RPAREN',
     'RSQUARE',
     'PAN_APPLICATION',
+    'PAN_SECURITY_PROFILE_GROUP',
     'ROUTING_INSTANCE',
     'SADDR',
     'SADDREXCLUDE',
@@ -1786,6 +1802,7 @@ def __ne__(self, other):
     'protocol-except': 'PROTOCOL_EXCEPT',
     'qos': 'QOS',
     'pan-application': 'PAN_APPLICATION',
+    'pan-security-profile-group': 'PAN_SECURITY_PROFILE_GROUP',
     'routing-instance': 'ROUTING_INSTANCE',
     'source-address': 'SADDR',
     'source-exclude': 'SADDREXCLUDE',
@@ -1963,6 +1980,7 @@ def p_term_spec(p):
                 | term_spec protocol_spec
                 | term_spec qos_spec
                 | term_spec pan_application_spec
+                | term_spec pan_security_profile_group_spec
                 | term_spec routinginstance_spec
                 | term_spec tag_list_spec
                 | term_spec target_resources_spec
@@ -2332,6 +2350,13 @@ def p_pan_application_spec(p):
     p[0].append(VarType(VarType.PAN_APPLICATION, apps))
 
 
+def p_pan_security_profile_group_spec(p):
+  """ pan_security_profile_group_spec : PAN_SECURITY_PROFILE_GROUP ':' ':' one_or_more_strings """
+  p[0] = []
+  for apps in p[4]:
+    p[0].append(VarType(VarType.PAN_SECURITY_PROFILE_GROUP, apps))
+
+
 def p_interface_spec(p):
   """ interface_spec : SINTERFACE ':' ':' STRING
                      | DINTERFACE ':' ':' STRING """
diff --git a/policies/pol/sample_paloalto.pol b/policies/pol/sample_paloalto.pol
@@ -41,6 +41,7 @@ term allow-icmp{
 
 term allow-only-pan-app{
   pan-application:: http
+  pan-security-profile-group:: my-group
   action:: accept
 }
 
diff --git a/tests/lib/paloaltofw_test.py b/tests/lib/paloaltofw_test.py
@@ -63,6 +63,7 @@
   destination-address:: SOME_HOST
   protocol:: tcp
   pan-application:: ssl http
+  pan-security-profile-group:: url-filtering
   action:: accept
 }
 """
@@ -163,6 +164,7 @@
     'stateless_reply',
     'timeout',
     'pan_application',
+    'pan_security_profile_group',
     'translated'
 }
 

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ term allow-icmp{`
`41`	`41`
`42`	`42`	`term allow-only-pan-app{`
`43`	`43`	`pan-application:: http`
	`44`	`+ pan-security-profile-group:: my-group`
`44`	`45`	`action:: accept`
`45`	`46`	`}`
`46`	`47`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@`
`63`	`63`	`destination-address:: SOME_HOST`
`64`	`64`	`protocol:: tcp`
`65`	`65`	`pan-application:: ssl http`
	`66`	`+ pan-security-profile-group:: url-filtering`
`66`	`67`	`action:: accept`
`67`	`68`	`}`
`68`	`69`	`"""`
`@@ -163,6 +164,7 @@`
`163`	`164`	`'stateless_reply',`
`164`	`165`	`'timeout',`
`165`	`166`	`'pan_application',`
	`167`	`+ 'pan_security_profile_group',`
`166`	`168`	`'translated'`
`167`	`169`	`}`
`168`	`170`