From a3aef923ccb4916a335d8034d985600a0d399b63 Mon Sep 17 00:00:00 2001
From: Garfield Freeman
Date: Wed, 24 Nov 2021 08:08:50 -0800
Subject: [PATCH] feat(Policies.Security): Adding group-tag
---
 poli/security/entry.go | 8 ++++++
 poli/security/testdata_test.go | 49 ++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
diff --git a/poli/security/entry.go b/poli/security/entry.go
index df049dcc..c47f55e1 100644
--- a/poli/security/entry.go
+++ b/poli/security/entry.go
@@ -48,6 +48,7 @@ type Entry struct {
 FileBlocking string
 WildFireAnalysis string
 DataFiltering string
+ GroupTag string // PAN-OS 9.0+
 Uuid string // PAN-OS 9.0+
 SourceDevices []string // PAN-OS 10.0+
 DestinationDevices []string // PAN-OS 10.0+
@@ -153,6 +154,7 @@ func (o *Entry) Copy(s Entry) {
 o.FileBlocking = s.FileBlocking
 o.WildFireAnalysis = s.WildFireAnalysis
 o.DataFiltering = s.DataFiltering
+ o.GroupTag = s.GroupTag
 o.SourceDevices = util.CopyStringSlice(s.SourceDevices)
 o.DestinationDevices = util.CopyStringSlice(s.DestinationDevices)
 }
@@ -405,6 +407,7 @@ func (o *entry_v2) normalize() Entry {
 Disabled: util.AsBool(o.Disabled),
 Schedule: o.Schedule,
 IcmpUnreachable: util.AsBool(o.IcmpUnreachable),
+ GroupTag: o.GroupTag,
 }
 if o.Options != nil {
 ans.DisableServerResponseInspection = util.AsBool(o.Options.DisableServerResponseInspection)
@@ -457,6 +460,7 @@ type entry_v2 struct {
 Options *secOptions `xml:"option"`
 TargetInfo *targetInfo `xml:"target"`
 ProfileSettings *profileSettings `xml:"profile-setting"`
+ GroupTag string `xml:"group-tag,omitempty"`
 }
 
 func (e *entry_v2) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
@@ -497,6 +501,7 @@ func specify_v2(e Entry) interface{} {
 Schedule: e.Schedule,
 IcmpUnreachable: util.YesNo(e.IcmpUnreachable),
 Options: &secOptions{util.YesNo(e.DisableServerResponseInspection)},
+ GroupTag: e.GroupTag,
 }
 if e.Targets != nil || e.NegateTarget {
 nfo := &targetInfo{
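Review bot: The new exported field at the -48 hunk, `GroupTag string // PAN-OS 9.0+`, is wired only into `entry_v2` and `entry_v3` in this diff, so a caller that sets it on a rule managed on an earlier version presumably has the value dropped at serialization with no error, and the one-word version note does not tell them that. That matches how `Uuid` and the device slices are annotated, but since group-tag changes how a rule is grouped in the rulebase a reader should not have to discover the silent omission from the serializer code; a slightly fuller comment would do: `GroupTag string // PAN-OS 9.0+; omitted without error when the rule is specified for an earlier version`. Whether the pre-9.0 serializer really discards it cannot be confirmed from this diff. The `Entry` struct begins and ends outside the hunk.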
@@ -574,6 +579,7 @@ func (o *entry_v3) normalize() Entry {
 Disabled: util.AsBool(o.Disabled),
 Schedule: o.Schedule,
 IcmpUnreachable: util.AsBool(o.IcmpUnreachable),
+ GroupTag: o.GroupTag,
 SourceDevices: util.MemToStr(o.SourceDevices),
 DestinationDevices: util.MemToStr(o.DestinationDevices),
 }
@@ -628,6 +634,7 @@ type entry_v3 struct {
 Options *secOptions `xml:"option"`
 TargetInfo *targetInfo `xml:"target"`
 ProfileSettings *profileSettings `xml:"profile-setting"`
+ GroupTag string `xml:"group-tag,omitempty"`
 SourceDevices *util.MemberType `xml:"source-hip"`
 DestinationDevices *util.MemberType `xml:"destination-hip"`
 }
@@ -670,6 +677,7 @@ func specify_v3(e Entry) interface{} {
 Schedule: e.Schedule,
 IcmpUnreachable: util.YesNo(e.IcmpUnreachable),
 Options: &secOptions{util.YesNo(e.DisableServerResponseInspection)},
+ GroupTag: e.GroupTag,
 SourceDevices: util.StrToMem(e.SourceDevices),
 DestinationDevices: util.StrToMem(e.DestinationDevices),
 }
diff --git a/poli/security/testdata_test.go b/poli/security/testdata_test.go
index db827dcb..dfb66e16 100644
--- a/poli/security/testdata_test.go
+++ b/poli/security/testdata_test.go
@@ -133,6 +133,22 @@ func getTests() []testCase {
 Action: "allow",
 LogEnd: true,
 }},
+ {version.Number{9, 0, 0, ""}, "rule with group tag", "", "", Entry{
+ Name: "rule1",
+ Type: "universal",
+ SourceZones: []string{"sz1", "sz2"},
+ SourceAddresses: []string{"sa1", "sa2"},
+ SourceUsers: []string{"su1", "su2"},
+ HipProfiles: []string{"hp3", "hp2", "hp1"},
+ DestinationZones: []string{"dz1", "dz2"},
+ DestinationAddresses: []string{"da1", "da2"},
+ Applications: []string{"app1"},
+ Services: []string{"s2", "s1"},
+ Categories: []string{"cat1"},
+ Action: "allow",
+ LogEnd: false,
+ GroupTag: "oneTime",
+ }},
 {version.Number{10, 0, 0, ""}, "basic rule", "", "", Entry{
 Name: "rule1",
 Type: "universal",
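Review bot: The 9.0 `"rule with group tag"` fixture added in the -133 hunk of testdata_test.go repeats every field of the neighbouring `"basic rule"` case and differs only in `LogEnd: false` and the trailing `GroupTag: "oneTime"`, so the field under test is the last and least visible line of a 16-line literal; the 10.0 fixture in the -217 hunk has the same shape. If the harness round-trips each `Entry` through specify and normalize (not visible here), a fixture that sets only the fields the rule needs plus `GroupTag` would pin the same behaviour and make a future failure point straight at group-tag. If the full field set is deliberate so that group-tag is checked alongside every other element, a one-line comment above each case, e.g. `// "basic rule" plus group-tag`, would spare the next reader the field-by-field comparison. `getTests` begins and ends outside the hunk.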
@@ -217,5 +233,38 @@ func getTests() []testCase {
 Action: "allow",
 LogEnd: false,
 }},
+ {version.Number{10, 0, 0, ""}, "rule with group tag", "", "", Entry{
+ Name: "rule1",
+ Type: "universal",
+ SourceZones: []string{"sz1", "sz2"},
+ SourceAddresses: []string{"sa1", "sa2"},
+ SourceUsers: []string{"su1", "su2"},
+ HipProfiles: []string{"hp3", "hp2", "hp1"},
+ DestinationZones: []string{"dz1", "dz2"},
+ DestinationAddresses: []string{"da1", "da2"},
+ Applications: []string{"app1"},
+ Services: []string{"s2", "s1"},
+ Categories: []string{"cat1"},
+ Action: "allow",
+ LogEnd: true,
+ GroupTag: "oneTime",
+ }},
+ {version.Number{10, 0, 0, ""}, "rule with source and dst devices", "", "", Entry{
+ Name: "rule1",
+ Type: "universal",
+ SourceZones: []string{"sz1", "sz2"},
+ SourceAddresses: []string{"sa1", "sa2"},
+ SourceUsers: []string{"su1", "su2"},
+ HipProfiles: []string{"hp3", "hp2", "hp1"},
+ DestinationZones: []string{"dz1", "dz2"},
+ DestinationAddresses: []string{"da1", "da2"},
+ Applications: []string{"app1"},
+ Services: []string{"s2", "s1"},
+ Categories: []string{"cat1"},
+ Action: "allow",
+ LogEnd: true,
+ SourceDevices: []string{"src2", "src1"},
+ DestinationDevices: []string{"dstDev"},
+ }},
 }
 }
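Review bot: The second fixture in this hunk, `"rule with source and dst devices"`, never sets `GroupTag`; it exercises `SourceDevices` and `DestinationDevices`, which the commit subject `feat(Policies.Security): Adding group-tag` does not mention. If it is meant to close a coverage gap for the 10.0 device slices it deserves a sentence in the commit description or its own commit, and if it is meant as a further group-tag case it is missing `GroupTag: "oneTime",`. The fixture itself is fine as code; the point is only that the hunk currently reads as two unrelated additions under a single-feature subject. `getTests` begins outside the hunk.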