def test_01_setup(self, dev, state_map):
state = state_map.setdefault(dev)
state.err = True
state.fail_func = pytest.skip
state.parent = dev
state.tmpl = None
state.name = None
state.obj = None
state.targets = [testlib.random_name() for x in range(2)]
if self.FUNC is None:
pytest.skip("{0}.FUNC must be defined".format(
self.__class__.__name__))
elif self.CLASS is None:
pytest.skip("{0}.CLASS must be defined".format(
self.__class__.__name__))
elif self.PARAM is None:
pytest.skip("{0}.PARAM must be defined".format(
self.__class__.__name__))
if isinstance(state.parent, Panorama):
tmpl = Template(testlib.random_name())
state.parent.add(tmpl)
v = Vsys("vsys2")
tmpl.add(v)
state.parent = v
tmpl.create()
state.tmpl = tmpl
else:
vsys_list = [
x.name for x in Vsys.refreshall(dev, add=False, name_only=True)
]
if "vsys2" not in vsys_list:
pytest.skip("Firewall needs vsys2 to exist")
cls_args = {}
eth_args = {"mode": "layer3"}
if self.CLASS == Vlan:
eth_args["mode"] = "layer2"
elif self.CLASS == Zone:
cls_args["mode"] = "layer3"
state.name = testlib.get_available_interfaces(state.parent)[0]
state.obj = EthernetInterface(state.name, **eth_args)
state.parent.add(state.obj)
if state.tmpl is None:
dev.vsys = "vsys2"
instances = [
self.CLASS(state.targets[x], **cls_args) for x in range(2)
]
for x in instances:
state.parent.add(x)
x.create()
state.err = False
def populate_facts(self):
# Get session usage XML
session_root = self.parent.op('show session meter')
# Loop through all VSYS
virtual_systems = []
vsys_list = Vsys.refreshall(self.parent, name_only=True)
for vsys in vsys_list:
for var in ('display_name', 'interface', 'virtual_routers'):
vsys.refresh_variable(var)
zones = [x.name for x in Zone.refreshall(vsys, name_only=True)]
vsys_id = vsys.name[4:]
vsys_sessions = session_root.find(".//entry/[vsys='" + vsys_id + "']")
vsys_currentsessions = vsys_sessions.find('.//current').text
vsys_maxsessions = vsys_sessions.find('.//maximum').text
virtual_systems.append({
'vsys_id': vsys_id,
'vsys_name': vsys.name,
'vsys_description': vsys.display_name,
'vsys_iflist': vsys.interface,
'vsys_vrlist': vsys.virtual_routers,
'vsys_zonelist': zones,
'vsys_maxsessions': vsys_maxsessions,
'vsys_currentsessions': vsys_currentsessions,
})
self.facts.update({
'virtual-systems': virtual_systems
})
def test_01_setup(self, dev, state_map):
state = state_map.setdefault(dev)
state.err = True
state.fail_func = pytest.skip
state.parent = dev
state.name = None
state.delete_parent = False
state.obj = None
if self.CLASS is None:
pytest.skip("{0}.CLASS must be defined".format(
self.__class__.__name__))
elif self.VSYS_PARAM is None:
pytest.skip("{0}.VSYS_PARAM must be defined".format(
self.__class__.__name__))
if isinstance(state.parent, Panorama):
tmpl = Template(testlib.random_name())
state.parent.add(tmpl)
state.parent = tmpl
state.parent.add(Vsys("vsys1"))
state.parent.add(Vsys("vsys2"))
state.parent.add(Vsys("vsys3"))
state.parent.create()
state.delete_parent = True
else:
vsys_list = [
x.name for x in Vsys.refreshall(dev, add=False, name_only=True)
]
if not all("vsys{0}".format(x) in vsys_list for x in range(1, 4)):
pytest.skip("Firewall needs vsys1 - vsys3 to exist")
args = {}
if self.CLASS == EthernetInterface:
state.name = testlib.get_available_interfaces(state.parent)[0]
args = {"mode": "layer3"}
else:
state.name = testlib.random_name()
state.obj = self.CLASS(state.name, **args)
state.parent.add(state.obj)
state.err = False
def sanity(self, dev, state_map, fw_test=False):
state = state_map.setdefault(dev)
if state.err:
state.fail_func("prereq failed")
if fw_test:
if not isinstance(dev, Firewall):
pytest.skip("Skipping firewall-only test")
dev.removeall()
dev.add(state.obj)
vsys_list = Vsys.refreshall(dev, name_only=True)
for v in vsys_list:
v.refresh_variable(self.VSYS_PARAM)
return state
def assert_imported_into(self, vsys, state):
found = False
vsys_list = Vsys.refreshall(state.parent, add=False, name_only=True)
for v in vsys_list:
v.refresh_variable(self.VSYS_PARAM)
if getattr(v, self.VSYS_PARAM) is None:
setattr(v, self.VSYS_PARAM, [])
if vsys == v.name:
found = True
assert state.name in getattr(v, self.VSYS_PARAM)
else:
assert state.name not in getattr(v, self.VSYS_PARAM)
if vsys is not None:
assert found
def get_pandevice_parent(self, module, timeout=0):
"""Builds the pandevice object tree, returning the parent object.
If pandevice is not installed, then module.fail_json() will be
invoked.
Arguments:
* module(AnsibleModule): the ansible module.
* timeout(int): Number of seconds to retry opening the connection to PAN-OS.
Returns:
* The parent pandevice object based on the spec given to
get_connection().
"""
# Sanity check.
if not HAS_PANDEVICE:
module.fail_json(msg='Missing required library "pandevice".')
pdv = tuple(int(x) for x in panos.__version__.split("."))
# Inform people that they should upgrade to pan-os-python instead of pandevice.
if pdv < (1, 0, 0):
lum = [
'Python library "pandevice" is now "pan-os-python" and is now 1.0!',
'Please "pip install pan-os-python" at your earliest convenience.',
]
module.deprecate(" ".join(lum),
version="3.0.0",
collection_name="paloaltonetworks.panos")
# Verify pandevice minimum version.
if self.min_pandevice_version is not None:
if pdv < self.min_pandevice_version:
module.fail_json(msg=_MIN_VERSION_ERROR.format(
"panos", panos.__version__,
_vstr(self.min_pandevice_version)))
pan_device_auth, serial_number = None, None
if module.params["provider"] and module.params["provider"][
"ip_address"]:
pan_device_auth = (
module.params["provider"]["ip_address"],
module.params["provider"]["username"],
module.params["provider"]["password"],
module.params["provider"]["api_key"],
module.params["provider"]["port"],
)
serial_number = module.params["provider"]["serial_number"]
elif module.params.get("ip_address", None) is not None:
pan_device_auth = (
module.params["ip_address"],
module.params["username"],
module.params["password"],
module.params["api_key"],
module.params["port"],
)
msg = 'Classic provider params are deprecated; use "provider" instead'
module.deprecate(msg,
version="3.0.0",
collection_name="paloaltonetworks.panos")
else:
module.fail_json(msg="Provider params are required.")
# Create the connection object.
if not isinstance(timeout, int):
raise ValueError("Timeout must be an int")
elif timeout < 0:
raise ValueError("Timeout must greater than or equal to 0")
end_time = time.time() + timeout
while True:
try:
self.device = PanDevice.create_from_device(*pan_device_auth)
except PanDeviceError as e:
if timeout == 0:
module.fail_json(msg="Failed connection: {0}".format(e))
elif time.time() >= end_time:
module.fail_json(msg="Connection timeout: {0}".format(e))
else:
break
# Verify PAN-OS minimum version.
if self.min_panos_version is not None:
if self.device._version_info < self.min_panos_version:
module.fail_json(msg=_MIN_VERSION_ERROR.format(
"PAN-OS",
_vstr(self.device._version_info),
_vstr(self.min_panos_version),
))
# Optional: Firewall via Panorama connectivity specified.
if hasattr(self.device, "refresh_devices") and serial_number:
fw = Firewall(serial=serial_number)
self.device.add(fw)
self.device = fw
parent = self.device
no_shared = 'Scope "shared" is not allowed'
not_found = '{0} "{1}" is not present.'
pano_mia_param = 'Param "{0}" is required for Panorama but not specified.'
ts_error = "Specify either the template or the template stack{0}."
if hasattr(self.device, "refresh_devices"):
# Panorama connection.
templated = False
# Error if Panorama is not supported.
if self.panorama_error is not None:
module.fail_json(msg=self.panorama_error)
# Spec: template stack.
tmpl_required = False
added_template = False
if self.template_stack is not None:
name = module.params[self.template_stack]
if name is not None:
templated = True
stacks = TemplateStack.refreshall(parent, name_only=True)
for ts in stacks:
if ts.name == name:
parent = ts
added_template = True
break
else:
module.fail_json(msg=not_found.format(
"Template stack",
name,
))
elif self.template is not None:
tmpl_required = True
elif not self.template_is_optional:
module.fail_json(
msg=pano_mia_param.format(self.template_stack))
# Spec: template.
if self.template is not None:
name = module.params[self.template]
if name is not None:
templated = True
if added_template:
module.fail_json(msg=ts_error.format(", not both"))
templates = Template.refreshall(parent, name_only=True)
for t in templates:
if t.name == name:
parent = t
break
else:
module.fail_json(msg=not_found.format(
"Template",
name,
))
elif self.template_is_optional:
pass
elif tmpl_required:
module.fail_json(msg=ts_error.format(""))
elif not added_template:
module.fail_json(msg=pano_mia_param.format(self.template))
# Spec: vsys_dg or device_group.
dg_name = self.vsys_dg or self.device_group
if dg_name is not None:
name = module.params[dg_name]
if name not in (None, "shared"):
groups = DeviceGroup.refreshall(parent, name_only=True)
for dg in groups:
if dg.name == name:
parent = dg
break
else:
module.fail_json(msg=not_found.format(
"Device group",
name,
))
# Spec: vsys importable.
vsys_name = self.vsys_importable or self.vsys or self.vsys_shared
if dg_name is None and templated and vsys_name is not None:
name = module.params[vsys_name]
if name not in (None, "shared"):
vo = Vsys(name)
parent.add(vo)
parent = vo
# Spec: rulebase.
if self.rulebase is not None:
if module.params[self.rulebase] in (None, "pre-rulebase"):
rb = PreRulebase()
parent.add(rb)
parent = rb
elif module.params[self.rulebase] == "rulebase":
rb = Rulebase()
parent.add(rb)
parent = rb
elif module.params[self.rulebase] == "post-rulebase":
rb = PostRulebase()
parent.add(rb)
parent = rb
else:
module.fail_json(msg=not_found.format(
"Rulebase", module.params[self.rulebase]))
else:
# Firewall connection.
# Error if firewalls are not supported.
if self.firewall_error is not None:
module.fail_json(msg=self.firewall_error)
# Spec: vsys or vsys_dg or vsys_importable.
vsys_name = (self.vsys_dg or self.vsys or self.vsys_importable
or self.vsys_shared)
if vsys_name is not None:
parent.vsys = module.params[vsys_name]
if parent.vsys == "shared" and self.error_on_firewall_shared:
module.fail_json(msg=no_shared)
# Spec: rulebase.
if self.rulebase is not None:
rb = Rulebase()
parent.add(rb)
parent = rb
# If the module has the commit option set, show a deprecation warning.
if module.params.get("commit"):
module.deprecate(
"Please use the commit modules instead of the commit option",
version="3.0.0",
collection_name="paloaltonetworks.panos",
)
# Done.
return parent