Drfwsupport #21

Merged
merged 61 commits into from
Jul 9, 2024
e169be3
checkpoint for DR Support
bhillkeyfactor Jun 3, 2024
bc7b13c
new binding version
bhillkeyfactor Jun 17, 2024
011d938
changed
bhillkeyfactor Jun 17, 2024
bb16e4b
Fixed Logging Issue
bhillkeyfactor Jun 18, 2024
ceb7d7a
Test case update
bhillkeyfactor Jun 24, 2024
257a2b6
Update generated README
Jun 24, 2024
2b654ee
readme updates
bhillkeyfactor Jun 24, 2024
08554ea
Update generated README
Jun 24, 2024
681834c
readme changes
bhillkeyfactor Jun 24, 2024
c38c5fc
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 24, 2024
b6703b2
Update generated README
Jun 24, 2024
f236f19
readme changes
bhillkeyfactor Jun 25, 2024
55bf657
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
0913cfd
Update generated README
Jun 25, 2024
201c6a1
cert store updated
bhillkeyfactor Jun 25, 2024
a7ef806
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
f6539df
Update generated README
Jun 25, 2024
fc263e8
Readme Updates
bhillkeyfactor Jun 25, 2024
c81d221
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
d4f88dd
Update generated README
Jun 25, 2024
2a03add
Readme Updates
bhillkeyfactor Jun 25, 2024
a1d51f7
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
ee12765
Update generated README
Jun 25, 2024
9fcf1c8
Readme Updates
bhillkeyfactor Jun 25, 2024
4c5fb91
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
b762ff7
Update generated README
Jun 25, 2024
dc8181e
Readme Updates
bhillkeyfactor Jun 25, 2024
5c6038d
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
fbc3ecc
Update generated README
Jun 25, 2024
ce2a9e8
Readme Updates
bhillkeyfactor Jun 25, 2024
4f0b6ab
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
0e31df4
Update generated README
Jun 25, 2024
883ce26
Readme Updates
bhillkeyfactor Jun 25, 2024
b8a278d
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
19424d0
Update generated README
Jun 25, 2024
eb72a3a
Readme Updates
bhillkeyfactor Jun 25, 2024
11cf49d
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
b94685a
Update generated README
Jun 25, 2024
c5b9cdd
Readme Updates
bhillkeyfactor Jun 25, 2024
b9a2f39
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
6729520
Update generated README
Jun 25, 2024
94e5a63
Readme Updates
bhillkeyfactor Jun 25, 2024
9e8a953
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
442ec1d
Update generated README
Jun 25, 2024
8b78a1a
Readme Updates
bhillkeyfactor Jun 25, 2024
99acb1d
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
7ba6f2b
Update generated README
Jun 25, 2024
be04109
Readme Updates
bhillkeyfactor Jun 25, 2024
b4b6342
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
a3c7d28
Update generated README
Jun 25, 2024
5734968
Readme Updates
bhillkeyfactor Jun 25, 2024
1cd4925
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
39016af
Update generated README
Jun 25, 2024
d78941a
Readme Updates
bhillkeyfactor Jun 25, 2024
3c270f1
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
4602f66
Readme Updates
bhillkeyfactor Jun 25, 2024
36c8b6b
Update CHANGELOG.md
bhillkeyfactor Jun 25, 2024
3d8666d
Merge branch 'release-2.2' into drfwsupport
bhillkeyfactor Jun 25, 2024
0899793
Readme Updates
bhillkeyfactor Jun 25, 2024
b201794
Merge branch 'drfwsupport' of https://github.com/Keyfactor/paloalto-f…
bhillkeyfactor Jun 25, 2024
3ad1ecb
Logged more when session times out
bhillkeyfactor Jun 26, 2024
checkpoint for DR Support
bhillkeyfactor committed Jun 3, 2024

Verified

This commit was signed with the committer’s verified signature.
florianduros Florian Duros
commit e169be3a46d79c0aa932a2346ef23e36fea10ce7
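--- a/PaloAlto/Client/PaloAltoClient.cs
+++ b/PaloAlto/Client/PaloAltoClient.cs
@@ -119,6 +119,26 @@ public async Task<CommitResponse> GetCommitResponse()
 }
 }
 
+public async Task<CommitResponse> GetDecryptionRulesByCertName(string certName,string vsysName)
+{
+try
+{
+var xpath =
+$"/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='{vsysName}']/rulebase/decryption/rules[.//ssl-inbound-inspection='{certName}']";
+
+var uri =
+$"/api/?&type=commit&action=partial&cmd=<commit><partial><admin><member>{ServerUserName}</member></admin></partial></commit>&key={ApiKey}";
+
+var response = await GetXmlResponseAsync<CommitResponse>(await HttpClient.GetAsync(uri));
+return response;
+}
+catch (Exception e)
+{
+_logger.LogError($"Error Occured in PaloAltoClient.GetCertificateList: {e.Message}");
+throw;
+}
+}
+
 public async Task<CommitResponse> GetCommitAllResponse(string deviceGroup)
 {
 try
@@ -233,6 +253,56 @@ public async Task<string> GetCertificateByName(string name)
 }
 }
 
+public async Task<string> GetDecryptionRuleBindings(string certificateName,string vsysName)
+{
+try
+{
+var xPath = $"/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='{vsysName}']/rulebase/decryption/rules[.//ssl-inbound-inspection='{certificateName}']";
+var uri = $"/api/?type=config&key={ApiKey}&xpath={xPath}";
+
+return await GetResponseAsync(await HttpClient.GetAsync(uri));
+}
+catch (Exception e)
+{
+_logger.LogError($"Error Occured in PaloAltoClient.GetCertificateByName: {e.Message}");
+throw;
+}
+}
+
+
+public async Task<string> GetTlsProfileBindings(string certificateName, string vsysName)
+{
+try
+{
+var xPath = $"/config/devices/entry/vsys/entry[@name='{vsysName}']/ssl-tls-service-profile";
+var uri = $"/api/?type=config&key={ApiKey}&xpath={xPath}";
+
+return await GetResponseAsync(await HttpClient.GetAsync(uri));
+}
+catch (Exception e)
+{
+_logger.LogError($"Error Occured in PaloAltoClient.GetCertificateByName: {e.Message}");
+throw;
+}
+}
+
+
+public async Task<string> GetTlsProfileBindings(string certificateName)
+{
+try
+{
+var xPath = "/config/shared/ssl-tls-service-profile";
+var uri = $"/api/?type=config&key={ApiKey}&xpath={xPath}";
+
+return await GetResponseAsync(await HttpClient.GetAsync(uri));
+}
+catch (Exception e)
+{
+_logger.LogError($"Error Occured in PaloAltoClient.GetCertificateByName: {e.Message}");
+throw;
+}
+}
+
 public async Task<ErrorSuccessResponse> SubmitDeleteCertificate(string name, string storePath)
 {
 try
@@ -261,6 +331,7 @@ public async Task<ErrorSuccessResponse> SubmitDeleteTrustedRoot(string name, str
 }
 }
 
+
 public async Task<ErrorSuccessResponse> SubmitSetTrustedRoot(string name, string storePath)
 {
 try
@@ -340,6 +411,8 @@ public async Task<string> GetResponseAsync(HttpResponseMessage response)
 }
 }
 
+
+
 private void EnsureSuccessfulResponse(HttpResponseMessage response)
 {
 try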
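Review bot: `GetDecryptionRulesByCertName` builds `xpath` and never uses it, and the `uri` it actually sends is a partial-commit request (`type=commit&action=partial&cmd=<commit>…`), so a method named like a read would push a commit on the firewall; its catch block also logs the wrong method name (`GetCertificateList`). Inventory.cs in this PR calls `GetDecryptionRuleBindings` rather than this method, so either delete it or turn it into the config read it was evidently meant to be, `var uri = $"/api/?type=config&key={ApiKey}&xpath={Uri.EscapeDataString(xpath)}";`, with a return type matching `GetResponseAsync`. The catch blocks of `GetDecryptionRuleBindings` and both `GetTlsProfileBindings` overloads log `GetCertificateByName`, which will mislead anyone reading the orchestrator log, and neither `GetTlsProfileBindings` overload reads its `certificateName` parameter. In all three the interpolated `xPath` is placed in the query string unescaped: a `'` in a certificate name breaks the XPath and an `&` or `#` truncates the query, so build the query as `&xpath={Uri.EscapeDataString(xPath)}` and keep the `'`-free check on the vsys name in Validators.cs as the other half of that guarantee.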
89 changes: 72 additions & 17 deletions PaloAlto/Jobs/Inventory.cs
@@ -18,6 +18,8 @@
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.RegularExpressions;
using System.Xml.Linq;
using System.Xml.Serialization;
using Keyfactor.Extensions.Orchestrator.PaloAlto.Client;
using Keyfactor.Extensions.Orchestrator.PaloAlto.Models.Responses;
@@ -66,6 +68,23 @@ public string ResolvePamField(string name, string value)
return _resolver.Resolve(value);
}

static string GetVirtualSystemFromPath(string path)
{
string pattern = @"vsys/entry\[@name='([^']*)'\]";

Match match = Regex.Match(path, pattern);

if (match.Success)
{
string vsysName = match.Groups[1].Value;
return vsysName;
}
else
{
return "";
}
}

private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInventoryUpdate submitInventory)
{
try
@@ -112,9 +131,36 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven
{
_logger.LogTrace(
$"Building Cert List Inventory Item Alias: {c.Name} Pem: {c.PublicKey} Private Key: {c.PrivateKey?.Length > 0}");
var bindings =
client.GetProfileByCertificate(config.CertificateStoreDetails.StorePath, c.Name).Result;
return BuildInventoryItem(c.Name, c.PublicKey, c.PrivateKey?.Length>0,bindings,false);

var bindingList=new Dictionary<string,object>();
if (config.CertificateStoreDetails.StorePath.Contains("/vsys"))
{
var vsys = GetVirtualSystemFromPath(config.CertificateStoreDetails.StorePath);
var drBindings = client.GetDecryptionRuleBindings(c.Name, vsys).Result;
var tlsBindings = client.GetTlsProfileBindings(c.Name, vsys).Result;
if (tlsBindings.Length > 0)
{
var tlsCsv = GetTlsCsv(tlsBindings, c.Name);
bindingList.Add("TlsProfile", tlsCsv);
}

if (drBindings.Length > 0)
{
var drCsv = GetDrBindingsCsv(drBindings);
bindingList.Add("DecryptionRule", drCsv);
}
}
else
{
var tlsBindings = client.GetTlsProfileBindings(c.Name).Result;
if (tlsBindings.Length > 0)
{
var tlsCsv = GetTlsCsv(tlsBindings, c.Name);
bindingList.Add("TlsProfile", tlsCsv);
}
}

return BuildInventoryItem(c.Name, c.PublicKey, c.PrivateKey?.Length>0, bindingList, false);
}
catch
{
@@ -137,9 +183,7 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven
var cert = new X509Certificate2(bytes);
_logger.LogTrace(
$"Building Trusted Root Inventory Item Pem: {certificatePem.Result} Has Private Key: {cert.HasPrivateKey}");
var bindings =
client.GetProfileByCertificate(config.CertificateStoreDetails.StorePath, trustedRootCert.Name).Result;
inventoryItems.Add(BuildInventoryItem(trustedRootCert.Name, certificatePem.Result, cert.HasPrivateKey,bindings,true));
inventoryItems.Add(BuildInventoryItem(trustedRootCert.Name, certificatePem.Result, cert.HasPrivateKey,new Dictionary<string, object>(), true));
}
catch
{
@@ -164,6 +208,26 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven
}
}

public static string GetDrBindingsCsv(string xmlContent)
{
XDocument doc = XDocument.Parse(xmlContent);
var names = doc.Descendants("entry")
.Select(e => e.Attribute("name")?.Value)
.Where(name => !string.IsNullOrEmpty(name));

return string.Join(", ", names);
}

static string GetTlsCsv(string xmlResponse, string certificateName)
{
XDocument doc = XDocument.Parse(xmlResponse);
var entries = doc.Descendants("entry")
.Where(e => (string)e.Element("certificate") == certificateName)
.Select(e => (string)e.Attribute("name"));

return string.Join(",", entries);
}

private JobResult ReturnJobResult(InventoryJobConfiguration config, bool warningFlag, StringBuilder sb)
{
if (warningFlag)
@@ -194,21 +258,12 @@ private void LogResponse<T>(T content)
_logger.LogTrace($"Serialized Xml Response {resWriter}");
}

protected virtual CurrentInventoryItem BuildInventoryItem(string alias, string certPem, bool privateKey, GetProfileByCertificateResponse bindings,bool trustedRoot)
protected virtual CurrentInventoryItem BuildInventoryItem(string alias, string certPem, bool privateKey, Dictionary<string,object> bindings,bool trustedRoot)
{
try
{
_logger.MethodEntry();

//Add Entry Params so the show up in the UI Inventory Store Popup
var siteSettingsDict = new Dictionary<string, object>
{
{ "TlsProfileName", string.IsNullOrEmpty(bindings.Result?.Entry?.Name)?"":bindings.Result?.Entry?.Name},
{ "TlsMinVersion", string.IsNullOrEmpty(bindings.Result?.Entry?.ProtocolSettings?.MinVersion?.Text)?"":bindings.Result?.Entry?.ProtocolSettings?.MinVersion?.Text},
{ "TlsMaxVersion", string.IsNullOrEmpty(bindings.Result?.Entry?.ProtocolSettings?.MaxVersion?.Text)?"":bindings.Result?.Entry?.ProtocolSettings?.MaxVersion?.Text },
{ "Trusted Root", trustedRoot},
};

_logger.LogTrace($"Alias: {alias} Pem: {certPem} PrivateKey: {privateKey}");
var acsi = new CurrentInventoryItem
{
@@ -217,7 +272,7 @@ protected virtual CurrentInventoryItem BuildInventoryItem(string alias, string c
ItemStatus = OrchestratorInventoryItemStatus.Unknown,
PrivateKeyEntry = privateKey,
UseChainLevel = false,
Parameters = siteSettingsDict
Parameters = bindings
};

return acsi;
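Review bot: `BuildInventoryItem` now passes `bindings` straight through as `Parameters`, so the `Trusted Root` entry parameter the removed `siteSettingsDict` emitted is gone and the `trustedRoot` argument is never read; the trusted-root call site in `PerformInventory` passes an empty dictionary, so that UI field is silently lost. Adding `bindings["Trusted Root"] = trustedRoot;` before the `CurrentInventoryItem` initializer restores it without changing the signature. The two CSV helpers disagree on their separator (`", "` in `GetDrBindingsCsv`, `","` in `GetTlsCsv`), which anyone parsing the parameter values will notice; pick one and add a one-line comment on each helper stating what XML shape it expects. `GetDrBindingsCsv` collects the `name` attribute of every `entry` descendant, which would also pick up nested entries if the rules XML nests them — presumably it does not, but that is worth confirming against a real response. The new binding lookups in `PerformInventory` block on `.Result` as the replaced line did, so that is pre-existing style rather than a regression; `BuildInventoryItem`'s body continues outside the hunk.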
9 changes: 8 additions & 1 deletion PaloAlto/Validators.cs
@@ -69,13 +69,20 @@ static bool IsValidPanoramaFormat(string input)
return regex.IsMatch(input);
}

static bool IsValidFirewallVsysFormat(string input)
{
string pattern = @"^/config/devices/entry\[@name='localhost\.localdomain'\]/vsys/entry\[@name='[^']+'\]$";
return Regex.IsMatch(input, pattern);

}

public static (bool valid, JobResult result) ValidateStoreProperties(JobProperties storeProperties,
string storePath,string clientMachine,long jobHistoryId, string serverUserName, string serverPassword)
{
var errors = string.Empty;

//Check path Validity for either panorama shared location or firewall shared location or panorama level certificates
if (storePath != "/config/panorama" && storePath != "/config/shared" && !IsValidPanoramaFormat(storePath))
if (storePath != "/config/panorama" && storePath != "/config/shared" && !IsValidPanoramaFormat(storePath) && !IsValidFirewallVsysFormat(storePath))
{
errors +=
"Path is invalid needs to be /config/panorama, /config/shared or in format of /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TemplateName']/config/shared.";
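Review bot: The error text on the last line of the hunk still lists only /config/panorama, /config/shared and the template format, so a user whose firewall vsys path fails `IsValidFirewallVsysFormat` is never told that `/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='VsysName']` is accepted; extend the message to name that form as well. The `[^']+` class in the new pattern is doing more than format checking: the captured vsys name is later interpolated into XPath expressions in PaloAltoClient (`entry[@name='{vsysName}']`), and excluding the quote is what keeps that XPath well-formed, so a comment such as `// no quote allowed: the vsys name is interpolated into XPath in PaloAltoClient` would stop a later relaxation from reintroducing the problem. The stray blank line before the method's closing brace can go. `ValidateStoreProperties` continues outside the hunk.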
2 changes: 1 addition & 1 deletion PaloAltoTestConsole/Program.cs
@@ -48,7 +48,7 @@ private static async Task Main(string[] args)


var arguments = new Dictionary<string, string>();
Thread.Sleep(20000);
//Thread.Sleep(20000);
foreach (var argument in args)
{
var splitted = argument.Split('=',2);
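Review bot: `//Thread.Sleep(20000);` leaves commented-out code in place of deleting it, and nothing says why the delay was there. If it exists to give time to attach a debugger, delete the line or replace it with a documented opt-in such as a command-line switch, with a comment stating the purpose. `Main` starts outside the hunk.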