feat(Policies.Security): Adding group-tag

michalbil · Nov 24, 2021 · a3aef92 · a3aef92
1 parent 50e89f7
commit a3aef92
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/poli/security/entry.go b/poli/security/entry.go
@@ -48,6 +48,7 @@ type Entry struct {
 	FileBlocking                    string
 	WildFireAnalysis                string
 	DataFiltering                   string
+	GroupTag                        string   // PAN-OS 9.0+
 	Uuid                            string   // PAN-OS 9.0+
 	SourceDevices                   []string // PAN-OS 10.0+
 	DestinationDevices              []string // PAN-OS 10.0+
@@ -153,6 +154,7 @@ func (o *Entry) Copy(s Entry) {
 	o.FileBlocking = s.FileBlocking
 	o.WildFireAnalysis = s.WildFireAnalysis
 	o.DataFiltering = s.DataFiltering
+	o.GroupTag = s.GroupTag
 	o.SourceDevices = util.CopyStringSlice(s.SourceDevices)
 	o.DestinationDevices = util.CopyStringSlice(s.DestinationDevices)
 }
@@ -405,6 +407,7 @@ func (o *entry_v2) normalize() Entry {
 		Disabled:             util.AsBool(o.Disabled),
 		Schedule:             o.Schedule,
 		IcmpUnreachable:      util.AsBool(o.IcmpUnreachable),
+		GroupTag:             o.GroupTag,
 	}
 	if o.Options != nil {
 		ans.DisableServerResponseInspection = util.AsBool(o.Options.DisableServerResponseInspection)
@@ -457,6 +460,7 @@ type entry_v2 struct {
 	Options              *secOptions      `xml:"option"`
 	TargetInfo           *targetInfo      `xml:"target"`
 	ProfileSettings      *profileSettings `xml:"profile-setting"`
+	GroupTag             string           `xml:"group-tag,omitempty"`
 }
 
 func (e *entry_v2) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
@@ -497,6 +501,7 @@ func specify_v2(e Entry) interface{} {
 		Schedule:             e.Schedule,
 		IcmpUnreachable:      util.YesNo(e.IcmpUnreachable),
 		Options:              &secOptions{util.YesNo(e.DisableServerResponseInspection)},
+		GroupTag:             e.GroupTag,
 	}
 	if e.Targets != nil || e.NegateTarget {
 		nfo := &targetInfo{
@@ -574,6 +579,7 @@ func (o *entry_v3) normalize() Entry {
 		Disabled:             util.AsBool(o.Disabled),
 		Schedule:             o.Schedule,
 		IcmpUnreachable:      util.AsBool(o.IcmpUnreachable),
+		GroupTag:             o.GroupTag,
 		SourceDevices:        util.MemToStr(o.SourceDevices),
 		DestinationDevices:   util.MemToStr(o.DestinationDevices),
 	}
@@ -628,6 +634,7 @@ type entry_v3 struct {
 	Options              *secOptions      `xml:"option"`
 	TargetInfo           *targetInfo      `xml:"target"`
 	ProfileSettings      *profileSettings `xml:"profile-setting"`
+	GroupTag             string           `xml:"group-tag,omitempty"`
 	SourceDevices        *util.MemberType `xml:"source-hip"`
 	DestinationDevices   *util.MemberType `xml:"destination-hip"`
 }
@@ -670,6 +677,7 @@ func specify_v3(e Entry) interface{} {
 		Schedule:             e.Schedule,
 		IcmpUnreachable:      util.YesNo(e.IcmpUnreachable),
 		Options:              &secOptions{util.YesNo(e.DisableServerResponseInspection)},
+		GroupTag:             e.GroupTag,
 		SourceDevices:        util.StrToMem(e.SourceDevices),
 		DestinationDevices:   util.StrToMem(e.DestinationDevices),
 	}

diff --git a/poli/security/testdata_test.go b/poli/security/testdata_test.go
@@ -133,6 +133,22 @@ func getTests() []testCase {
 			Action:               "allow",
 			LogEnd:               true,
 		}},
+		{version.Number{9, 0, 0, ""}, "rule with group tag", "", "", Entry{
+			Name:                 "rule1",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			HipProfiles:          []string{"hp3", "hp2", "hp1"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               false,
+			GroupTag:             "oneTime",
+		}},
 		{version.Number{10, 0, 0, ""}, "basic rule", "", "", Entry{
 			Name:                 "rule1",
 			Type:                 "universal",
@@ -217,5 +233,38 @@ func getTests() []testCase {
 			Action:               "allow",
 			LogEnd:               false,
 		}},
+		{version.Number{10, 0, 0, ""}, "rule with group tag", "", "", Entry{
+			Name:                 "rule1",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			HipProfiles:          []string{"hp3", "hp2", "hp1"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               true,
+			GroupTag:             "oneTime",
+		}},
+		{version.Number{10, 0, 0, ""}, "rule with source and dst devices", "", "", Entry{
+			Name:                 "rule1",
+			Type:                 "universal",
+			SourceZones:          []string{"sz1", "sz2"},
+			SourceAddresses:      []string{"sa1", "sa2"},
+			SourceUsers:          []string{"su1", "su2"},
+			HipProfiles:          []string{"hp3", "hp2", "hp1"},
+			DestinationZones:     []string{"dz1", "dz2"},
+			DestinationAddresses: []string{"da1", "da2"},
+			Applications:         []string{"app1"},
+			Services:             []string{"s2", "s1"},
+			Categories:           []string{"cat1"},
+			Action:               "allow",
+			LogEnd:               true,
+			SourceDevices:        []string{"src2", "src1"},
+			DestinationDevices:   []string{"dstDev"},
+		}},
 	}
 }