def __do_convert_url_pattern(self, result: Result, s: str,
is_allow: bool) -> None:
t = s
is_domain_suffix = True
if t.startswith("||"):
t = t[2:]
is_domain_suffix = True
if t.startswith("|"):
t = t[1:]
is_domain_suffix = False
if t.startswith("."):
t = t[1:]
is_domain_suffix = True
t = re.sub(r"^https?://", "", t)
t = t.lstrip("*.").rstrip("^/*")
ur = urllib.parse.urlparse("http://" + t)
if ur.fragment:
return
if ur.path and not self.ignore_path:
return
t = ur.netloc
t = re.sub(r":\d{2,5}$", "", t)
if validators.ipv4(t) or validators.ipv4_cidr(t):
result.add(result.ipv4_cidr, t, remove=is_allow)
elif validators.ipv6(t) or validators.ipv6_cidr(t):
result.add(result.ipv6_cidr, t, remove=is_allow)
else:
if validators.domain(t) and tld.get_fld(
t, fail_silently=True, fix_protocol=True):
if is_domain_suffix:
result.add(result.domain_suffix, t, remove=is_allow)
else:
result.add(result.domain, t, remove=is_allow)
def ipv4(self, candidate):
logger.debug('Testing candidate for IPv4-ness: {}'.format(candidate))
if validators.ip_address.ipv4(candidate):
return True
elif validators.ipv4_cidr(candidate):
return True
else:
return False
def _get_kind(address: str):
if validators.ipv4(address):
return "IPv4Address"
elif validators.ipv6(address):
return "IPv6Address"
elif validators.ipv4_cidr(address):
return "IPv4Network"
raise PluginException(
cause=f"Kind not detected from address: {address}",
assistance="Check address input and try again. Allowed kind are: " "IPv4Address, IPv6Address, IPv4Network.",
)
def write_privoxy(self, forward: str, proxy: str, file=sys.stdout):
out = file
if not file: out = sys.stdout
print("{+forward-override{forward-%s %s .}}" % (forward, proxy), file=out)
for ip in self.ipv4_cidr:
if not validators.ipv4_cidr(ip):
print("%s" % ip, file=out)
for ip in self.ipv6_cidr:
if not validators.ipv6_cidr(ip):
print("%s" % ip, file=out)
x = SortedSet().union(self.domain).union(self.domain_suffix)
for d in x:
print(".%s" % d, file=out)
def validate_url(value: str) -> bool:
if (validatorslib.url(value) or
validatorslib.domain(value) or
validatorslib.ipv4(value) or
validatorslib.ipv6(value) or
validatorslib.ipv4_cidr(value) or
validatorslib.ipv6_cidr(value) or
validatorslib.slug(value)):
return True
if DOMAIN_PORT_REGEX.match(value):
return True
return False
def write_surge(self, file=sys.stdout):
out = file
if not file: out = sys.stdout
for dom in self.domain:
print("DOMAIN,%s" % dom, file=out)
for dom in self.domain_suffix:
print("DOMAIN-SUFFIX,%s" % dom, file=out)
for ip in self.ipv4_cidr:
if validators.ipv4_cidr(ip):
print("IP-CIDR,%s,no-resolve" % ip, file=out)
else:
print("IP-CIDR,%s/32,no-resolve" % ip, file=out)
for ip in self.ipv6_cidr:
if validators.ipv6_cidr(ip):
print("IP-CIDR6,%s,no-resolve" % ip, file=out)
else:
print("IP-CIDR6,%s/128,no-resolve" % ip, file=out)
for url_regex in self.url_regex:
print("url-regex: %s" % url_regex)
def test_returns_failed_validation_on_invalid_ipv4_cidr(cidr):
assert isinstance(ipv4_cidr(cidr), ValidationFailure)
def test_returns_true_on_valid_ipv4_cidr(cidr):
assert ipv4_cidr(cidr)
assert not ipv6_cidr(cidr)
def run(self, params={}):
name = params.get(Input.NAME)
value = params.get(Input.ADDRESS)
if validators.ipv4_cidr(value) or validators.ipv6_cidr(value):
value_type = "CIDR"
else:
value_type = "RANGE"
url = requests.compat.urljoin(self.connection.okta_url,
'/api/v1/zones')
response = self.connection.session.get(url)
zones = response.json()
zone = None
for search_zone in zones:
if search_zone.get("name") == name:
zone = search_zone
break
if not zone:
raise PluginException(
cause=f"Name {name} does not exist in Okta zones.",
assistance="Please enter valid zone name and try again.")
zone_id = zone.get("id")
gateways = zone.get("gateways", [])
if params.get(Input.BLACKLIST_STATE):
for gateway in gateways:
if self.check_value(gateway, value):
raise PluginException(
cause=
f"The address {value} already exist in provided Okta zone {name}.",
assistance=
"Please enter an address that is not in the blacklist zone."
)
gateways.append({"type": value_type, "value": value})
zone["gateways"] = gateways
update_url = requests.compat.urljoin(self.connection.okta_url,
f'/api/v1/zones/{zone_id}')
else:
new_gateways = []
for gateway in gateways:
if self.check_value(gateway, value):
continue
new_gateways.append(gateway)
if len(new_gateways) == len(gateways):
raise PluginException(
cause=
f"The address {value} does not exist in provided Okta zone {name}.",
assistance=
"Please enter an address that is blacklisted and try again."
)
else:
update_url = requests.compat.urljoin(
self.connection.okta_url, f'/api/v1/zones/{zone_id}')
zone["gateways"] = new_gateways
response = self.connection.session.put(update_url, json=zone)
if response.status_code < 200 or response.status_code >= 400:
raise PluginException(preset=PluginException.Preset.SERVER_ERROR,
data=response.text)
return {Output.ZONE_LIST: komand.helper.clean(response.json())}
def run(self, params={}):
group_name = params.get(Input.GROUP)
device_name = params.get(Input.DEVICE_NAME)
virtual_system = params.get(Input.VIRTUAL_SYSTEM)
response = self.connection.request.get_address_group(
device_name=device_name,
virtual_system=virtual_system,
group_name=group_name)
try:
address_objects = response.get("response").get("result").get(
"entry").get("static").get("member")
except AttributeError:
raise PluginException(
cause="PAN OS returned an unexpected response.",
assistance=
f"Could not find group '{group_name}', or group was empty. Check the name, virtual system "
f"name, and device name.\nDevice name: {device_name}\nVirtual system: {virtual_system}\n",
data=response,
)
fqdn_addresses = []
ipv4_addresses = []
ipv6_addresses = []
all_addresses = []
for name in address_objects:
object_name = self.get_name(name)
response = self.connection.request.get_address_object(
device_name=device_name,
virtual_system=virtual_system,
object_name=object_name)
try:
address_object = response.get("response").get("result").get(
"entry")
except AttributeError:
raise PluginException(
cause="PAN OS returned an unexpected response.",
assistance=
f"Could not find address object '{name}'. Check the name, virtual system name, and "
f"device name.\nDevice name: {device_name}\nVirtual system: {virtual_system}\n",
data=response,
)
address = ""
if address_object.get("fqdn"):
address = self.get_name(address_object.get("fqdn"))
if address in fqdn_addresses:
continue
else:
fqdn_addresses.append(address)
elif address_object.get("ip-netmask"):
address = self.get_name(address_object.get("ip-netmask"))
if validators.ipv4(address) or validators.ipv4_cidr(address):
if address in ipv4_addresses:
continue
else:
ipv4_addresses.append(address)
if validators.ipv6(address) or validators.ipv6_cidr(address):
if address in ipv6_addresses:
continue
else:
ipv6_addresses.append(address)
if address in all_addresses:
continue
else:
all_addresses.append(address)
return {
Output.SUCCESS: True,
Output.FQDN_ADDRESSES: fqdn_addresses,
Output.IPV4_ADDRESSES: ipv4_addresses,
Output.IPV6_ADDRESSES: ipv6_addresses,
Output.ALL_ADDRESSES: all_addresses,
}