Class: Puppet::Transport::Panos::API Private

Inherits:

Object

• Object
• Puppet::Transport::Panos::API

Defined in:

lib/puppet/transport/panos.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

A simple adaptor to expose the basic PAN-OS XML API operations. Having this in a separate class aids with keeping the gnarly HTTP code away from the business logic, and helps with testing, too.

Instance Method Summary

• #apikey ⇒ Object private
• #fetch_apikey(user, password) ⇒ Object private
• #fingerprint_from_hexdigest(hexdigest) ⇒ Object private
• #handle_response_errors(doc) ⇒ Object private
• #handle_verify_mode(verify_mode) ⇒ Object private

  Returns the OpenSSL verify mode based on the verify_mode arguments.

• #hexdigest_from_cert(cert) ⇒ Object private
• #http ⇒ Object private
• #initialize(connection_info) ⇒ API constructor private

  A new instance of API.

• #job_request(type, **options) ⇒ Object private
• #message_from_code(code) ⇒ Object private
• #request(type, **options) ⇒ Object private
• #same_cert_fingerprint?(end_cert) ⇒ Boolean private
• #upload(type, file, **options) ⇒ Object private
• #verify_callback(preverify_ok, cert_store) ⇒ Object private

  stackoverflow.com/questions/22093042/implementing-https-certificate-pubkey-pinning-with-ruby/22108461#22108461 this method will be called on the OpenSSL connection to allow for additional verification.

Constructor Details

#initialize(connection_info) ⇒ API

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of API.

# File 'lib/puppet/transport/panos.rb', line 120

def initialize(connection_info)
  @host = connection_info[:host] || connection_info[:address]
  @port = connection_info.key?(:port) ? connection_info[:port].to_i : 443
  @user = connection_info[:user] || connection_info[:username]
  @password = connection_info[:password].unwrap unless connection_info[:password].nil?
  @ssl_verify = connection_info[:ssl].nil? ? true : connection_info[:ssl]
  @ca_file = connection_info[:ssl_ca_file] if connection_info[:ssl_ca_file]
  @ssl_version = connection_info[:ssl_version] if connection_info[:ssl_version]
  @ciphers = connection_info[:ssl_ciphers] if connection_info[:ssl_ciphers]
  @fingerprint = connection_info[:ssl_fingerprint].unwrap unless connection_info[:ssl_fingerprint].nil?
  @apikey = connection_info[:apikey].unwrap unless connection_info[:apikey].nil?
end

Instance Method Details

#apikey ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 219

def apikey
  @apikey ||= fetch_apikey(@user, @password)
end

#fetch_apikey(user, password) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 205

def fetch_apikey(user, password)
  uri = URI::HTTP.build(path: '/api/')
  params = { type: 'keygen', user: user, password: password }
  uri.query = URI.encode_www_form(params)

  res = http.get(uri)
  unless res.is_a?(Net::HTTPSuccess)
    raise "Error: #{res}: #{res.message}"
  end
  doc = REXML::Document.new(res.body)
  handle_response_errors(doc)
  doc.elements['/response/result/key'].text
end

#fingerprint_from_hexdigest(hexdigest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 186

def fingerprint_from_hexdigest(hexdigest)
  hexdigest.scan(%r{..}).map { |s| s.upcase }.join(':')
end

#handle_response_errors(doc) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 339

def handle_response_errors(doc)
  status = doc.elements['/response'].attributes['status']
  code = doc.elements['/response'].attributes['code']
  error_message = ('Received "%{status}" with code %{code}: %{message}' % {
    status: status,
    code: code,
    message: message_from_code(code),
  })
  # require 'pry';binding.pry
  if status == 'success'
    # Messages without a code require more processing by the caller
    Puppet.debug(error_message) if code
  else
    error_message << "\n"
    doc.write(error_message, 2)
    raise Puppet::ResourceError, error_message
  end
end

#handle_verify_mode(verify_mode) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the OpenSSL verify mode based on the verify_mode arguments

Parameters:

• String —

  verify mode to use

Returns:

• OpenSSL::SSL verification mode

Raises:

• if verify_mode param is not ‘on` or `off`

# File 'lib/puppet/transport/panos.rb', line 140

def handle_verify_mode(verify_mode)
  case verify_mode
  when true
    OpenSSL::SSL::VERIFY_PEER
  when false
    Puppet.warning("SSL verification turned off in configuration for $#{Puppet[:certname]}")
    OpenSSL::SSL::VERIFY_NONE
  else
    raise Puppet::ResourceError, "\"#{verify_mode}\" is not a valid mode, " \
          'valid modes are: "false" for no client verification, ' \
          'and "true" for validating the certificate'
  end
end

#hexdigest_from_cert(cert) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 182

def hexdigest_from_cert(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

#http ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 190

def http
  @http ||= begin
              Puppet.debug('Connecting to https://%{host}:%{port}' % { host: @host, port: @port })
              Net::HTTP.start(@host, @port,
                              use_ssl: true,
                              verify_mode: handle_verify_mode(@ssl_verify),
                              ca_file: @ca_file,
                              ssl_version: @ssl_version,
                              ciphers: @ciphers ? @ciphers.join(':') : @ciphers,
                              verify_callback: ->(preverify_ok, cert_store) do
                                                 verify_callback(preverify_ok, cert_store)
                                               end)
            end
end

#job_request(type, **options) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 273

def job_request(type, **options)
  result = request(type, options)
  response_message = result.elements['/response/msg']
  if response_message
    Puppet.debug('api response (no changes): %{msg}' % { msg: response_message.text })
    return
  end

  job_id = result.elements['/response/result/job'].text
  job_msg = []
  result.elements['/response/result/msg'].each_element_with_text { |e| job_msg << e.text }
  Puppet.debug('api response (job queued): %{msg}' % { msg: job_msg.join("\n") })

  tries = 0
  loop do
    # https://<firewall>/api/?type=op&cmd=<show><jobs><id>4</id></jobs></show>
    poll_result = request('op', cmd: "<show><jobs><id>#{job_id}</id></jobs></show>")
    status = poll_result.elements['/response/result/job/status'].text
    result = poll_result.elements['/response/result/job/result'].text
    progress = poll_result.elements['/response/result/job/progress'].text
    details = []
    poll_result.elements['/response/result/job/details'].each_element_with_text { |e| details << e.text }
    if status == 'FIN'
      # TODO: go to debug
      # poll_result.write($stdout, 2)
      break if result == 'OK'
      raise Puppet::ResourceError, 'job failed. result="%{result}": %{details}' % { result: result, details: details.join("\n") }
    end
    tries += 1

    details.unshift("sleeping for #{tries} seconds")
    Puppet.debug('job still in progress (%{progress}%%). result="%{result}": %{details}' % { result: result, progress: progress, details: details.join("\n") })
    sleep tries
  end

  Puppet.debug('job was successful')
end

#message_from_code(code) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 311

def message_from_code(code)
  message_codes ||= begin
    h = Hash.new { |_hash, key| 'Unknown error code %{code}' % { code: key } }
    h['1'] = 'Unknown command: The specific config or operational command is not recognized.'
    h['2'] = "Internal error: Check with Palo Alto's technical support."
    h['3'] = "Internal error: Check with Palo Alto's technical support."
    h['4'] = "Internal error: Check with Palo Alto's technical support."
    h['5'] = "Internal error: Check with Palo Alto's technical support."
    h['11'] = "Internal error: Check with Palo Alto's technical support."
    h['21'] = "Internal error: Check with Palo Alto's technical support."
    h['6'] = 'Bad XPath: The xpath specified in one or more attributes of the command is invalid.'
    h['7'] = "Object not present: Object specified by the xpath is not present. For example, entry[@name='value'] where no object with name 'value' is present."
    h['8'] = 'Object not unique: For commands that operate on a single object, the specified object is not unique.'
    h['10'] = 'Reference count not zero: Object cannot be deleted as there are other objects that refer to it. For example,:addressobject still in use in policy.'
    h['12'] = 'Invalid object: Xpath or element values provided are not complete.'
    h['14'] = 'Operation not possible: Operation is allowed but not possible in this case. For example, moving a rule up one position when it is already at the top.'
    h['15'] = 'Operation denied: Operation is allowed. For example, Admin not allowed to delete own account, Running a command that is not allowed on a passive device.'
    h['16'] = 'Unauthorized: The API role does not have access rights to run this query.'
    h['17'] = 'Invalid command: Invalid command or parameters.'
    h['18'] = 'Malformed command: The XML is malformed.'
    h['19'] = 'Success: Command completed successfully.'
    h['20'] = 'Success: Command completed successfully.'
    h['22'] = 'Session timed out: The session for this query timed out.'
    h
  end
  message_codes[code]
end

#request(type, **options) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/transport/panos.rb', line 223

def request(type, **options)
  params = { type: type, key: apikey }
  params.merge!(options)

  uri = URI::HTTP.build(path: '/api/')
  uri.query = URI.encode_www_form(params)

  res = http.get(uri)
  unless res.is_a?(Net::HTTPSuccess)
    raise "Error: #{res}: #{res.message}"
  end
  doc = REXML::Document.new(res.body)
  handle_response_errors(doc)
  doc
end

#same_cert_fingerprint?(end_cert) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

• (Boolean)

# File 'lib/puppet/transport/panos.rb', line 176

def same_cert_fingerprint?(end_cert)
  hexdigest = hexdigest_from_cert(end_cert)
  cert_fingerprint = fingerprint_from_hexdigest(hexdigest)
  cert_fingerprint == @fingerprint
end

#upload(type, file, **options) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Raises:

• (Puppet::ResourceError)

# File 'lib/puppet/transport/panos.rb', line 239

def upload(type, file, **options)
  params = { type: type, key: apikey }
  params.merge!(options)

  uri = URI::HTTP.build(path: '/api/')
  uri.query = URI.encode_www_form(params)

  raise Puppet::ResourceError, "File: `#{file}` does not exist" unless File.exist?(file)

  # from: http://www.rubyinside.com/nethttp-cheat-sheet-2940.html
  # Token used to terminate the file in the post body.
  @boundary ||= SecureRandom.hex(25)

  post_body = []
  post_body << "--#{@boundary}\r\n"
  post_body << "Content-Disposition: form-data; name=\"file\"; filename=\"#{CGI.escape(File.basename(file))}\"\r\n"
  post_body << "Content-Type: text/plain\r\n"
  post_body << "\r\n"
  post_body << File.open(file, 'rb') { |f| f.read }
  post_body << "\r\n--#{@boundary}--\r\n"

  request = Net::HTTP::Post.new(uri.request_uri)
  request.body = post_body.join
  request.content_type = "multipart/form-data, boundary=#{@boundary}"

  res = http.request(request)
  unless res.is_a?(Net::HTTPSuccess)
    raise "Error: #{res}: #{res.message}"
  end
  doc = REXML::Document.new(res.body)
  handle_response_errors(doc)
  doc
end

#verify_callback(preverify_ok, cert_store) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

stackoverflow.com/questions/22093042/implementing-https-certificate-pubkey-pinning-with-ruby/22108461#22108461 this method will be called on the OpenSSL connection to allow for additional verification.

A return of false means that verification has failed and will cause certificate verification errors.

A return of true is verification has been successful

# File 'lib/puppet/transport/panos.rb', line 163

def verify_callback(preverify_ok, cert_store)
  # if ssl_fingerprint is specified then do not
  # depend on the pre-verification checks,
  # if no ssl_fingerprint and the preverify_checks fail
  # then certificate verification will fail overall
  return false unless preverify_ok || @fingerprint

  end_cert = cert_store.chain[0]

  return true unless end_cert.to_der == cert_store.current_cert.to_der
  @fingerprint ? same_cert_fingerprint?(end_cert) : true
end