def testPlatformTerm(self):
  """Rule 'test-accept-action' rendered from PLATFORM_TERM has action 'allow'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + PLATFORM_TERM, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  # The rendered text is only used as the failure message.
  rendered = str(generator)
  action_xpath = PATH_RULES + "/entry[@name='test-accept-action']/action"
  self.assertEqual(generator.config.findtext(action_xpath), 'allow', rendered)
def testDenyAction(self):
  """Rule 'test-deny-action' rendered from ACTION_DENY_TERM has action 'deny'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_DENY_TERM, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  # Scoping the lookup to the named entry ties the assertion to this rule,
  # not to any rule that happens to carry the same action.
  action_xpath = PATH_RULES + "/entry[@name='test-deny-action']/action"
  self.assertEqual(generator.config.findtext(action_xpath), 'deny', rendered)
def testSkipEstablished(self):
  """No rule entry is emitted for the TCP and UDP 'established' terms."""
  cases = (
      (TCP_ESTABLISHED_TERM, "/entry[@name='tcp-established']"),
      (UDP_ESTABLISHED_TERM, "/entry[@name='udp-established-term']"),
  )
  for term_text, entry_xpath in cases:
    parsed = policy.ParsePolicy(GOOD_HEADER_1 + term_text, self.naming)
    generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
    rendered = str(generator)
    # find() returns None when the entry is absent from the rule base.
    entry = generator.config.find(PATH_RULES + entry_xpath)
    self.assertIsNone(entry, rendered)
def testResetAction(self):
  """Rule 'test-reset-action' from ACTION_RESET_TERM renders as 'reset-client'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_RESET_TERM, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  action_xpath = PATH_RULES + "/entry[@name='test-reset-action']/action"
  self.assertEqual(
      generator.config.findtext(action_xpath), 'reset-client', rendered)
def testBuildTokens(self):
  """_BuildTokens() returns SUPPORTED_TOKENS and SUPPORTED_SUB_TOKENS."""
  # Two successive service lookups are answered with ports 25 and 26.
  self.naming.GetServiceByProto.side_effect = [['25'], ['26']]
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  tokens, sub_tokens = generator._BuildTokens()
  self.assertEqual(tokens, SUPPORTED_TOKENS)
  self.assertEqual(sub_tokens, SUPPORTED_SUB_TOKENS)
def testPortLessNonPort(self):
  """Checks how a term mixing port and non-port protocols is split.

  With no ports given, udp/tcp are expected as 'any-udp'/'any-tcp' service
  members of rule 'rule-1-1', and icmp/gre as application members of rule
  'rule-1-2'.
  """
  POL = """ header { target:: paloalto from-zone trust to-zone untrust } term rule-1 { %s action:: accept }"""

  cases = (
      (""" protocol:: udp icmp """, {"any-udp"}, {"icmp"}),
      (""" protocol:: udp tcp icmp gre """, {"any-udp", "any-tcp"},
       {"icmp", "gre"}),
  )
  for T, expected_services, expected_applications in cases:
    parsed = policy.ParsePolicy(POL % T, self.naming)
    generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
    rendered = str(generator)

    service_nodes = generator.config.findall(
        PATH_RULES + "/entry[@name='rule-1-1']/service/member")
    # Guard against an empty match before comparing the member sets.
    self.assertTrue(len(service_nodes) > 0, rendered)
    services = {node.text for node in service_nodes}
    self.assertEqual(expected_services, services, rendered)

    application_nodes = generator.config.findall(
        PATH_RULES + "/entry[@name='rule-1-2']/application/member")
    self.assertTrue(len(application_nodes) > 0, rendered)
    applications = {node.text for node in application_nodes}
    self.assertEqual(expected_applications, applications, rendered)
def testDefaultDeny(self):
  """Rule 'default-term-1' from DEFAULT_TERM_1 exists and has action 'deny'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + DEFAULT_TERM_1, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  action_node = generator.config.find(
      PATH_RULES + "/entry[@name='default-term-1']/action")
  # Check presence first so a missing rule fails with the rendered output
  # instead of an AttributeError on None.
  self.assertIsNotNone(action_node, rendered)
  self.assertEqual(action_node.text, 'deny', rendered)
def testGreProtoTerm(self):
  """Rule 'test-gre-protocol' has exactly one application member, 'gre'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + GRE_PROTO_TERM, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  application = generator.config.find(
      PATH_RULES + "/entry[@name='test-gre-protocol']/application")
  self.assertIsNotNone(application, rendered)
  # len() of an element counts its direct children.
  self.assertEqual(len(application), 1, rendered)
  only_child = application[0]
  self.assertEqual(only_child.tag, 'member', rendered)
  self.assertEqual(only_child.text, 'gre', rendered)
def testLoggingBoth(self):
  """Rule 'test-log-both' has both log-start and log-end set to 'yes'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + LOGGING_BOTH_TERM, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  log_start = generator.config.findtext(
      PATH_RULES + "/entry[@name='test-log-both']/log-start")
  self.assertEqual(log_start, 'yes', rendered)
  log_end = generator.config.findtext(
      PATH_RULES + "/entry[@name='test-log-both']/log-end")
  self.assertEqual(log_end, 'yes', rendered)
def testLogging(self):
  """Each logging keyword variant renders log-end 'yes' and no log-start 'yes'."""
  keyword_terms = (
      LOGGING_SYSLOG_KEYWORD,
      LOGGING_LOCAL_KEYWORD,
      LOGGING_PYTRUE_KEYWORD,
      LOGGING_TRUE_KEYWORD,
  )
  for term_text in keyword_terms:
    parsed = policy.ParsePolicy(GOOD_HEADER_1 + term_text, self.naming)
    rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
    # Substring checks over the whole rendered text: they are not tied to a
    # particular rule entry.
    self.assertNotIn('<log-start>yes</log-start>', rendered, rendered)
    self.assertIn('<log-end>yes</log-end>', rendered, rendered)
def testDisableLogging(self):
  """Rule 'test-disabled-log' has both log-start and log-end set to 'no'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + LOGGING_DISABLED, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  log_start = generator.config.findtext(
      PATH_RULES + "/entry[@name='test-disabled-log']/log-start")
  self.assertEqual(log_start, 'no', rendered)
  log_end = generator.config.findtext(
      PATH_RULES + "/entry[@name='test-disabled-log']/log-end")
  self.assertEqual(log_end, 'no', rendered)
def testTermAndFilterName(self):
  """GOOD_TERM_1 renders an entry named 'good-term-1' and resolves its names.

  Also verifies the naming mock was asked exactly once for the address
  token 'FOOBAR' and once for service 'SMTP' over tcp.
  """
  naming_mock = self.naming
  naming_mock.GetNetAddr.return_value = _IPSET
  naming_mock.GetServiceByProto.return_value = ['25']

  parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, naming_mock)
  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  # Substring check on the serialized XML, so it depends on the exact
  # attribute quoting of the rendered entry tag.
  self.assertIn('<entry name="good-term-1">', rendered, rendered)

  naming_mock.GetNetAddr.assert_called_once_with('FOOBAR')
  naming_mock.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testTermAndFilterName(self):
  """GOOD_TERM_1 yields a rule entry 'good-term-1' and resolves its names.

  Also verifies the naming mock was asked exactly once for the address
  token 'FOOBAR' and once for service 'SMTP' over tcp.
  """
  naming_mock = self.naming
  naming_mock.GetNetAddr.return_value = _IPSET
  naming_mock.GetServiceByProto.return_value = ['25']

  parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, naming_mock)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  entry = generator.config.find(PATH_RULES + "/entry[@name='good-term-1']")
  self.assertIsNotNone(entry, rendered)

  naming_mock.GetNetAddr.assert_called_once_with('FOOBAR')
  naming_mock.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testSkipStatelessReply(self):
  """Terms flagged stateless_reply do not appear in the rendered output."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4_STATELESS_REPLY,
                              self.naming)

  # stateless_reply cannot currently be expressed in the term definition,
  # so it is set directly on the parsed term objects.
  _header, filter_terms = parsed.filters[0]
  for parsed_term in filter_terms:
    parsed_term.stateless_reply = True

  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  self.assertNotIn('good-term-stateless-reply', rendered, rendered)
def testICMPProtocolOnly(self):
  """Rule 'test-icmp-only' lists exactly one application member, 'icmp'."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_ONLY_TERM_1, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  application = generator.config.find(
      PATH_RULES + "/entry[@name='test-icmp-only']/application")
  self.assertIsNotNone(application, rendered)

  # Every child must be a <member>; only then are the texts compared.
  for child in application:
    self.assertEqual(child.tag, 'member', rendered)
  member_texts = [child.text for child in application]
  self.assertEqual(['icmp'], member_texts, rendered)
def testPanApplication(self):
  """Checks rendering of the pan-application keyword.

  Without the keyword the rule's application member is 'any'; with it, the
  rule's application members equal the listed application names.
  """
  POL1 = """ header { target:: paloalto from-zone trust to-zone untrust } term rule-1 { action:: accept }"""
  POL2 = """ header { target:: paloalto from-zone trust to-zone untrust } term rule-1 { pan-application:: %s action:: accept }"""
  APPS = [
      {'app1'},
      {'app1', 'app2'},
      {'app1', 'app2', 'app3'},
  ]
  member_xpath = PATH_RULES + "/entry[@name='rule-1']/application/member"

  parsed = policy.ParsePolicy(POL1, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  self.assertEqual(generator.config.findtext(member_xpath), 'any', rendered)

  for expected_apps in APPS:
    parsed = policy.ParsePolicy(POL2 % ' '.join(expected_apps), self.naming)
    generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
    rendered = str(generator)
    # Compare as sets: member order in the output is not asserted.
    found_apps = {
        node.text for node in generator.config.findall(member_xpath)
    }
    self.assertEqual(expected_apps, found_apps, rendered)
def testSkipStatelessReply(self):
  """Terms flagged stateless_reply produce no rule entry."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4_STATELESS_REPLY,
                              self.naming)

  # stateless_reply cannot currently be expressed in the term definition,
  # so it is set directly on the parsed term objects.
  _header, filter_terms = parsed.filters[0]
  for parsed_term in filter_terms:
    parsed_term.stateless_reply = True

  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  entry = generator.config.find(
      PATH_RULES + "/entry[@name='good-term-stateless-reply']")
  self.assertIsNone(entry, rendered)
def testIcmpTypes(self):
  """Rule 'test-icmp' lists the three expected ICMP application members."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  application = generator.config.find(
      PATH_RULES + "/entry[@name='test-icmp']/application")
  self.assertIsNotNone(application, rendered)

  for child in application:
    self.assertEqual(child.tag, 'member', rendered)
  member_texts = [child.text for child in application]
  # assertCountEqual ignores order but still catches extra or duplicated
  # members.
  self.assertCountEqual(
      ['icmp-echo-reply', 'icmp-echo-request', 'icmp-unreachable'],
      member_texts, rendered)
def testLogging(self):
  """Each logging keyword variant renders one log-end 'yes' and no log-start."""
  keyword_terms = (
      LOGGING_SYSLOG_KEYWORD,
      LOGGING_LOCAL_KEYWORD,
      LOGGING_PYTRUE_KEYWORD,
      LOGGING_TRUE_KEYWORD,
  )
  for term_text in keyword_terms:
    parsed = policy.ParsePolicy(GOOD_HEADER_1 + term_text, self.naming)
    generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
    rendered = str(generator)

    # The term name is not known here, so match every entry that has a
    # name attribute.
    log_start_nodes = generator.config.findall(
        PATH_RULES + '/entry[@name]/log-start')
    self.assertEqual(len(log_start_nodes), 0, rendered)

    log_end_nodes = generator.config.findall(
        PATH_RULES + '/entry[@name]/log-end')
    self.assertEqual(len(log_end_nodes), 1, rendered)
    self.assertEqual(log_end_nodes[0].text, 'yes', rendered)
def testAcceptAction(self):
  """Output for ACTION_ACCEPT_TERM contains an 'allow' action element."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_ACCEPT_TERM, self.naming)
  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  # Substring check: satisfied by any rule in the output with this action,
  # not specifically the term under test.
  self.assertIn('<action>allow</action>', rendered, rendered)
def testResetAction(self):
  """Output for ACTION_RESET_TERM contains a 'reset-client' action element."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_RESET_TERM, self.naming)
  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  # Substring check: satisfied by any rule in the output with this action,
  # not specifically the term under test.
  self.assertIn('<action>reset-client</action>', rendered, rendered)
def testICMPProtocolOnly(self):
  """Output for ICMP_ONLY_TERM_1 contains an 'icmp' member element."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_ONLY_TERM_1, self.naming)
  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  # Substring check: does not verify which parent element (application,
  # service, ...) holds the member.
  self.assertIn('<member>icmp</member>', rendered, rendered)
def testIcmpTypes(self):
  """Output for ICMP_TYPE_TERM_1 contains echo-request and echo-reply members."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1, self.naming)
  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  # Substring checks: presence only; extra members would not be detected.
  self.assertIn('<member>icmp-echo-request</member>', rendered, rendered)
  self.assertIn('<member>icmp-echo-reply</member>', rendered, rendered)
def testDefaultDeny(self):
  """Output for DEFAULT_TERM_1 contains a 'deny' action element."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + DEFAULT_TERM_1, self.naming)
  generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
  rendered = str(generator)
  # Substring check: satisfied by any rule in the output with this action,
  # not specifically the default term.
  self.assertIn('<action>deny</action>', rendered, rendered)
def RenderFile(base_directory, input_file, output_directory, definitions,
               exp_info, write_files):
  """Parse one policy file and render it for each platform its headers name.

  Args:
    base_directory: The base directory to look for acls.
    input_file: the name of the input policy file.
    output_directory: the directory in which we place the rendered file.
    definitions: the definitions from naming.Naming().
    exp_info: print a info message when a term is set to expire
              in that many weeks.
    write_files: a list of file tuples, (output_file, acl_text), to write

  Returns:
    None. Returns early, after logging a warning, when parsing reports a
    policy.ShadingError.

  Raises:
    IOError: re-raised when input_file cannot be opened or read.
    ACLParserError: when parsing raises policy.Error or naming.Error.
    ACLGeneratorError: when rendering raises one of the generator error
      types listed in the final except clause.
  """
  logging.debug('rendering file: %s into %s', input_file, output_directory)

  try:
    with open(input_file) as policy_fh:
      conf = policy_fh.read()
      logging.debug('opened and read %s', input_file)
  except IOError as e:
    logging.warning('bad file: \n%s', e)
    raise

  try:
    pol = policy.ParsePolicy(conf, definitions, optimize=FLAGS.optimize,
                             base_dir=base_directory,
                             shade_check=FLAGS.shade_check)
  except policy.ShadingError as e:
    logging.warning('shading errors for %s:\n%s', input_file, e)
    return
  except (policy.Error, naming.Error):
    exc_type, exc_value = sys.exc_info()[:2]
    raise ACLParserError('Error parsing policy file %s:\n%s%s' % (
        input_file, exc_type, exc_value))

  platforms = {
      platform for header in pol.headers for platform in header.platforms
  }

  # (platform keyword, generator factory, suffix prefix), listed in the order
  # the outputs are rendered. Factories are lambdas so a generator module is
  # only touched when its platform is actually requested. 'pcap' appears
  # twice: once for the accept filter and once for the inverted (deny) one.
  render_plan = (
      ('juniper', lambda p: juniper.Juniper(p, exp_info), None),
      ('srx', lambda p: junipersrx.JuniperSRX(p, exp_info), None),
      ('cisco', lambda p: cisco.Cisco(p, exp_info), None),
      ('ciscoasa', lambda p: ciscoasa.CiscoASA(p, exp_info), None),
      ('aruba', lambda p: aruba.Aruba(p, exp_info), None),
      ('brocade', lambda p: brocade.Brocade(p, exp_info), None),
      ('arista', lambda p: arista.Arista(p, exp_info), None),
      ('ipset', lambda p: ipset.Ipset(p, exp_info), None),
      ('iptables', lambda p: iptables.Iptables(p, exp_info), None),
      ('nsxv', lambda p: nsxv.Nsxv(p, exp_info), None),
      ('speedway', lambda p: speedway.Speedway(p, exp_info), None),
      ('pcap', lambda p: pcap.PcapFilter(p, exp_info), '-accept'),
      ('pcap', lambda p: pcap.PcapFilter(p, exp_info, invert=True), '-deny'),
      ('packetfilter', lambda p: packetfilter.PacketFilter(p, exp_info),
       None),
      ('windows_advfirewall',
       lambda p: windows_advfirewall.WindowsAdvFirewall(p, exp_info), None),
      ('srxlo', lambda p: srxlo.SRXlo(p, exp_info), None),
      ('ciscoxr', lambda p: ciscoxr.CiscoXR(p, exp_info), None),
      ('nftables', lambda p: nftables.Nftables(p, exp_info), None),
      ('gce', lambda p: gce.GCE(p, exp_info), None),
      ('paloalto', lambda p: paloaltofw.PaloAltoFW(p, exp_info), None),
      ('cloudarmor', lambda p: cloudarmor.CloudArmor(p, exp_info), None),
  )

  # Every requested output gets its own deep copy of the parsed policy, and
  # all copies are taken before any generator runs.
  pending = [
      (copy.deepcopy(pol), build, suffix_prefix)
      for platform, build, suffix_prefix in render_plan
      if platform in platforms
  ]

  if not output_directory.endswith('/'):
    output_directory += '/'

  try:
    for policy_copy, build, suffix_prefix in pending:
      if not policy_copy:
        continue
      acl_obj = build(policy_copy)
      acl_text = str(acl_obj)
      if suffix_prefix is None:
        suffix = acl_obj.SUFFIX
      else:
        suffix = suffix_prefix + acl_obj.SUFFIX
      RenderACL(acl_text, suffix, output_directory, input_file, write_files)
  # TODO(robankeny) add additional errors.
  # Only the error types listed here are wrapped in ACLGeneratorError; an
  # exception of any other type propagates to the caller unchanged.
  except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
          iptables.Error, speedway.Error, pcap.Error,
          aclgenerator.Error, aruba.Error, nftables.Error, gce.Error,
          cloudarmor.Error) as e:
    raise ACLGeneratorError('Error generating target ACL for %s:\n%s' % (
        input_file, e))
def testPanPorts(self):
  """Checks service port and source-port rendering for several port specs.

  Covers destination-port only, source-port only, both, and protocol-only
  terms, using a real naming.Naming() with NTP and DNS service definitions.
  """
  POL = """ header { target:: paloalto from-zone trust to-zone untrust } term rule-1 { %s action:: accept }"""

  definitions = naming.Naming()
  definitions._ParseLine('NTP = 123/tcp 123/udp', 'services')
  definitions._ParseLine('DNS = 53/tcp 53/udp', 'services')

  def render(term_body):
    """Return (generator, rendered text) for POL with term_body filled in."""
    parsed = policy.ParsePolicy(POL % term_body, definitions)
    generator = paloaltofw.PaloAltoFW(parsed, EXP_INFO)
    return generator, str(generator)

  # Destination port only: the port is set and no source-port is emitted.
  T = """ protocol:: udp destination-port:: NTP """
  paloalto, output = render(T)
  name = "service-rule-1-udp"
  port_path = "/entry[@name='%s']/protocol/udp/port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + port_path), "123", output)
  source_path = "/entry[@name='%s']/protocol/udp/source-port" % name
  self.assertIsNone(
      paloalto.config.findtext(PATH_SERVICE + source_path), output)

  # Source port only: the destination port is rendered as the full range.
  T = """ protocol:: udp source-port:: NTP """
  paloalto, output = render(T)
  name = "service-rule-1-udp"
  port_path = "/entry[@name='%s']/protocol/udp/port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + port_path), "0-65535", output)
  source_path = "/entry[@name='%s']/protocol/udp/source-port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + source_path), "123", output)

  # Source and destination ports together.
  T = """ protocol:: tcp source-port:: NTP destination-port:: NTP DNS """
  paloalto, output = render(T)
  name = "service-rule-1-tcp"
  port_path = "/entry[@name='%s']/protocol/tcp/port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + port_path), "53,123", output)
  source_path = "/entry[@name='%s']/protocol/tcp/source-port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + source_path), "123", output)

  # Protocol without ports: the 'any-tcp' service is used.
  T = """ protocol:: tcp """
  paloalto, output = render(T)
  name = "any-tcp"
  port_path = "/entry[@name='%s']/protocol/tcp/port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + port_path), "0-65535", output)
  source_path = "/entry[@name='%s']/protocol/tcp/source-port" % name
  self.assertIsNone(paloalto.config.find(PATH_SERVICE + source_path), output)

  # Two protocols without ports: both any-* services exist and the rule
  # references exactly those two.
  T = """ protocol:: tcp udp """
  paloalto, output = render(T)
  name = "any-tcp"
  port_path = "/entry[@name='%s']/protocol/tcp/port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + port_path), "0-65535", output)
  name = "any-udp"
  port_path = "/entry[@name='%s']/protocol/udp/port" % name
  self.assertEqual(
      paloalto.config.findtext(PATH_SERVICE + port_path), "0-65535", output)
  member_nodes = paloalto.config.findall(
      PATH_RULES + "/entry[@name='rule-1']/service/member")
  services = {node.text for node in member_nodes}
  self.assertEqual({"any-tcp", "any-udp"}, services, output)
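def testIcmpTypes(self):
  """Output for ICMP_TYPE_TERM_1 contains a 'ping' member element."""
  pol = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1, self.naming)
  output = str(paloaltofw.PaloAltoFW(pol, EXP_INFO))
  # assertIn replaces the deprecated failUnless alias, which newer unittest
  # releases no longer provide. Substring check: presence only.
  self.assertIn('<member>ping</member>', output, output)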
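def testICMPProtocolOnly(self):
  """Output for ICMP_ONLY_TERM_1 contains a 'ping' member element."""
  pol = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_ONLY_TERM_1, self.naming)
  output = str(paloaltofw.PaloAltoFW(pol, EXP_INFO))
  # assertIn replaces the deprecated failUnless alias, which newer unittest
  # releases no longer provide. Substring check: presence only.
  self.assertIn('<member>ping</member>', output, output)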
def testDenyAction(self):
  """Output for ACTION_DENY_TERM contains a 'deny' action element."""
  parsed = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_DENY_TERM, self.naming)
  rendered = str(paloaltofw.PaloAltoFW(parsed, EXP_INFO))
  # Substring check: satisfied by any rule in the output with this action,
  # not specifically the term under test.
  self.assertIn('<action>deny</action>', rendered, rendered)
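def get_acl(inputs):
    """Generates an ACL using Capirca.

    Args:
      inputs: Module parameters. Keys read here are 'filter_options',
        'platform', 'def_folder' and 'pol_file'; the header template also
        substitutes '$comment' when a 'comment' key is present. The dict is
        modified in place: 'options_copy' and 'options' are added.

    Returns:
      ACL string. An empty string when 'platform' matches none of the
      generators listed below.

    Raises:
      AnsibleError: when the platform is 'paloalto' or 'srx' and fewer than
        two filter options were supplied.
    """
    header_base = ''' header { comment:: "$comment" target:: $platform $options } '''
    result = ""
    platform = inputs['platform']

    # Create copy of input options removing any spaces
    inputs['options_copy'] = [
        str(elem).replace(" ", "") for elem in inputs['filter_options']
    ]

    # Add from/to-zone to 'paloalto' and 'srx'.
    # The tuple needs its comma: ('paloalto' 'srx') is the single string
    # 'paloaltosrx', which turns this into a substring test that also
    # matches values such as '' or 'alto'.
    if platform in ('paloalto', 'srx'):
        if len(inputs['options_copy']) < 2:
            raise AnsibleError(
                "The number of options for {0} is less than 2".format(
                    platform))
        inputs['options_copy'][0] = "from-zone " + inputs['options_copy'][0]
        inputs['options_copy'][1] = "to-zone " + inputs['options_copy'][1]

    # Create option string for header
    inputs['options'] = ' '.join(
        [str(elem) for elem in inputs['options_copy']])

    # NOTE(review): safe_substitute() inserts the values verbatim into the
    # policy header. A 'comment' containing a double quote, or option text
    # containing braces, would change how the header parses. Confirm the
    # module validates these parameters before they reach this function.
    header_template = Template(header_base)
    header = header_template.safe_substitute(inputs)

    defs = naming.Naming(inputs['def_folder'])
    # Context manager so the policy file handle is closed promptly.
    with open(inputs['pol_file']) as pol_fh:
        terms = pol_fh.read()
    pol = policy.ParsePolicy(header + '\n' + terms, defs, optimize=True)

    # Exp info in weeks
    EXP_INFO = 2

    # List from https://github.com/google/capirca/blob/master/capirca/aclgen.py#L202
    if platform == 'juniper':
        result = juniper.Juniper(pol, EXP_INFO)
    elif platform == 'cisco':
        result = cisco.Cisco(pol, EXP_INFO)
    elif platform == 'ciscoasa':
        result = ciscoasa.CiscoASA(pol, EXP_INFO)
    elif platform == 'brocade':
        result = brocade.Brocade(pol, EXP_INFO)
    elif platform == 'arista':
        result = arista.Arista(pol, EXP_INFO)
    elif platform == 'aruba':
        result = aruba.Aruba(pol, EXP_INFO)
    elif platform == 'ipset':
        result = ipset.Ipset(pol, EXP_INFO)
    elif platform == 'iptables':
        result = iptables.Iptables(pol, EXP_INFO)
    elif platform == 'nsxv':
        result = nsxv.Nsxv(pol, EXP_INFO)
    elif platform == 'packetfilter':
        result = packetfilter.PacketFilter(pol, EXP_INFO)
    elif platform == 'pcap':
        result = pcap.PcapFilter(pol, EXP_INFO)
    elif platform == 'speedway':
        result = speedway.Speedway(pol, EXP_INFO)
    elif platform == 'srx':
        result = junipersrx.JuniperSRX(pol, EXP_INFO)
    elif platform == 'srxlo':
        result = srxlo.SRXlo(pol, EXP_INFO)
    elif platform == 'windows_advfirewall':
        result = windows_advfirewall.WindowsAdvFirewall(pol, EXP_INFO)
    elif platform == 'ciscoxr':
        result = ciscoxr.CiscoXR(pol, EXP_INFO)
    elif platform == 'nftables':
        result = nftables.Nftables(pol, EXP_INFO)
    elif platform == 'gce':
        result = gce.GCE(pol, EXP_INFO)
    elif platform == 'paloalto':
        result = paloaltofw.PaloAltoFW(pol, EXP_INFO)
    elif platform == 'cloudarmor':
        result = cloudarmor.CloudArmor(pol, EXP_INFO)

    # An unrecognised platform falls through with result still "", so the
    # caller receives an empty ACL rather than an error.
    return str(result)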