apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Squashed commit of the Palo Alto Networks firewall integration plugin.

Browse Source 
This patch adds a network plugin to support Palo Alto Networks firewall (their appliance and their VM series firewall).

More information in the FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Palo+Alto+Firewall+Integration

Features supported are:
- List/Add/Delete Palo Alto service provider
- List/Add/Delete Palo Alto network service offering
- List/Add/Delete Palo Alto network with above service offering
- Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule)
- List/Add/Delete Ingress Firewall rule
- List/Add/Delete Egress Firewall rule
- List/Add/Delete Port Forwarding rule
- List/Add/Delete Static Nat rule
- Supports Palo Alto Networks 'Log Forwarding' profile globally per device (additional docs to come)
- Supports Palo Alto Networks 'Security Profile Groups' functionality globally per device (additional docs to come)

Knowns limitations:
- Only supports one public IP range in CloudStack.
- Currently not verifying SSL certificates when creating a connection between CloudStack and the Palo Alto Networks firewall.
- Currently not tracking usage on Public IPs.

Signed-off-by: Sheng Yang <sheng.yang@citrix.com>
This commit is contained in:
Will Stevens 2013-11-05 22:24:23 -05:00 committed by Sheng Yang
parent 40a7839323
commit 8f8ad3f38e
31 changed files with 5436 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
api/src/com/cloud/network/Network.java
View File

@ -116,6 +116,7 @@ public interface Network extends ControlledEntity, StateObject<Network.State>, I
public static final Provider VirtualRouter = new Provider("VirtualRouter", false);
public static final Provider JuniperContrail = new Provider("JuniperContrail", false);
public static final Provider JuniperSRX = new Provider("JuniperSRX", true);
public static final Provider PaloAlto = new Provider("PaloAlto", true);
public static final Provider F5BigIp = new Provider("F5BigIp", true);
public static final Provider Netscaler = new Provider("Netscaler", true);
public static final Provider ExternalDhcpServer = new Provider("ExternalDhcpServer", true);

3
api/src/org/apache/cloudstack/api/command/admin/network/AddNetworkDeviceCmd.java
View File

@ -47,8 +47,9 @@ public class AddNetworkDeviceCmd extends BaseCmd {
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Inject ExternalNetworkDeviceManager nwDeviceMgr;
@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall")
@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall, PaloAltoFirewall")
private String type;
@Parameter(name = ApiConstants.NETWORK_DEVICE_PARAMETER_LIST, type = CommandType.MAP, description = "parameters for network device")

2
api/src/org/apache/cloudstack/api/command/admin/network/ListNetworkDeviceCmd.java
View File

@ -51,7 +51,7 @@ public class ListNetworkDeviceCmd extends BaseListCmd {
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall")
@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall, PaloAltoFirewall")
private String type;
@Parameter(name = ApiConstants.NETWORK_DEVICE_PARAMETER_LIST, type = CommandType.MAP, description = "parameters for network device")

1
api/src/org/apache/cloudstack/network/ExternalNetworkDeviceManager.java
View File

@ -42,6 +42,7 @@ public interface ExternalNetworkDeviceManager extends Manager {
public static final NetworkDevice NetscalerSDXLoadBalancer = new NetworkDevice("NetscalerSDXLoadBalancer", Network.Provider.Netscaler.getName());
public static final NetworkDevice F5BigIpLoadBalancer = new NetworkDevice("F5BigIpLoadBalancer", Network.Provider.F5BigIp.getName());
public static final NetworkDevice JuniperSRXFirewall = new NetworkDevice("JuniperSRXFirewall", Network.Provider.JuniperSRX.getName());
public static final NetworkDevice PaloAltoFirewall = new NetworkDevice("PaloAltoFirewall", Network.Provider.PaloAlto.getName());
public static final NetworkDevice NiciraNvp = new NetworkDevice("NiciraNvp", Network.Provider.NiciraNvp.getName());
public static final NetworkDevice CiscoVnmc = new NetworkDevice("CiscoVnmc", Network.Provider.CiscoVnmc.getName());

7
client/WEB-INF/classes/resources/messages.properties
View File

@ -304,6 +304,7 @@ label.add.new.F5=Add new F5
label.add.new.gateway=Add new gateway
label.add.new.NetScaler=Add new NetScaler
label.add.new.SRX=Add new SRX
label.add.new.PA=Add new Palo Alto
label.add.new.tier=Add new tier
label.add.NiciraNvp.device=Add Nvp Controller
label.add.physical.network=Add physical network
@ -318,6 +319,7 @@ label.add.secondary.storage=Add Secondary Storage
label.add.security.group=Add Security Group
label.add.service.offering=Add Service Offering
label.add.SRX.device=Add SRX device
label.add.PA.device=Add Palo Alto device
label.add.static.nat.rule=Add static NAT rule
label.add.static.route=Add static route
label.add.system.service.offering=Add System Service Offering
@ -479,6 +481,7 @@ label.delete.NetScaler=Delete NetScaler
label.delete.NiciraNvp=Remove Nvp Controller
label.delete.project=Delete project
label.delete.SRX=Delete SRX
label.delete.PA=Delete Palo Alto
label.delete.VPN.connection=delete VPN connection
label.delete.VPN.customer.gateway=delete VPN Customer Gateway
label.delete.VPN.gateway=delete VPN Gateway
@ -876,6 +879,8 @@ label.os.type=OS Type
label.owned.public.ips=Owned Public IP Addresses
label.owner.account=Owner Account
label.owner.domain=Owner Domain
label.PA.log.profile=Palo Alto Log Profile
label.PA.threat.profile=Palo Alto Threat Profile
label.parent.domain=Parent Domain
label.password.enabled=Password Enabled
label.password=Password
@ -1048,6 +1053,7 @@ label.specify.vlan=Specify VLAN
label.specify.vxlan=Specify VXLAN
label.SR.name = SR Name-Label
label.srx=SRX
label.PA=Palo Alto
label.start.IP=Start IP
label.start.port=Start Port
label.start.reserved.system.IP=Start Reserved system IP
@ -1366,6 +1372,7 @@ message.confirm.action.force.reconnect=Please confirm that you want to force rec
message.confirm.delete.F5=Please confirm that you would like to delete F5
message.confirm.delete.NetScaler=Please confirm that you would like to delete NetScaler
message.confirm.delete.SRX=Please confirm that you would like to delete SRX
message.confirm.delete.PA=Please confirm that you would like to delete Palo Alto
message.confirm.destroy.router=Please confirm that you would like to destroy this router
message.confirm.disable.provider=Please confirm that you would like to disable this provider
message.confirm.enable.provider=Please confirm that you would like to enable this provider

5
client/pom.xml
View File

@ -90,6 +90,11 @@
<artifactId>cloud-plugin-network-contrail</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-plugin-network-palo-alto</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-plugin-network-ovs</artifactId>

11
client/tomcatconf/commands.properties.in
View File

@ -533,6 +533,17 @@ configureSrxFirewall=1
listSrxFirewalls=1
listSrxFirewallNetworks=1
#### Palo Alto firewall commands
addExternalFirewall=1
deleteExternalFirewall=1
listExternalFirewalls=1
addPaloAltoFirewall=1
deletePaloAltoFirewall=1
configurePaloAltoFirewall=1
listPaloAltoFirewalls=1
listPaloAltoFirewallNetworks=1
####Netapp integration commands
createVolumeOnFiler=15
destroyVolumeOnFiler=15

29
plugins/network-elements/palo-alto/pom.xml Normal file
View File

@ -0,0 +1,29 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloud-plugin-network-palo-alto</artifactId>
<name>Apache CloudStack Plugin - Palo Alto</name>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-plugins</artifactId>
<version>4.3.0-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>
</project>

18
plugins/network-elements/palo-alto/resources/META-INF/cloudstack/paloalto/module.properties Normal file
View File

@ -0,0 +1,18 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name=paloalto
parent=network

33
plugins/network-elements/palo-alto/resources/META-INF/cloudstack/paloalto/spring-paloalto-context.xml Normal file
View File

@ -0,0 +1,33 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd"
>
<bean id="PaloAlto" class="com.cloud.network.element.PaloAltoExternalFirewallElement">
<property name="name" value="PaloAlto" />
</bean>
</beans>

112
plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddExternalFirewallCmd.java Normal file
View File

@ -0,0 +1,112 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import javax.inject.Inject;
import org.apache.cloudstack.api.response.ZoneResponse;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.host.Host;
import com.cloud.network.element.PaloAltoFirewallElementService;
import org.apache.cloudstack.api.response.ExternalFirewallResponse;
import com.cloud.user.Account;
import com.cloud.utils.exception.CloudRuntimeException;
@APICommand(name = "addExternalFirewall", description="Adds an external firewall appliance", responseObject = ExternalFirewallResponse.class)
public class AddExternalFirewallCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(AddExternalFirewallCmd.class.getName());
private static final String s_name = "addexternalfirewallresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ZONE_ID, type=CommandType.UUID, entityType = ZoneResponse.class,
required = true, description="Zone in which to add the external firewall appliance.")
private Long zoneId;
@Parameter(name=ApiConstants.URL, type=CommandType.STRING, required = true, description="URL of the external firewall appliance.")
private String url;
@Parameter(name=ApiConstants.USERNAME, type=CommandType.STRING, required = true, description="Username of the external firewall appliance.")
private String username;
@Parameter(name=ApiConstants.PASSWORD, type=CommandType.STRING, required = true, description="Password of the external firewall appliance.")
private String password;
///////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getZoneId() {
return zoneId;
}
public String getUrl() {
return url;
}
public String getUsername() {
return username;
}
public String getPassword() {
return password;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Inject PaloAltoFirewallElementService _paElementService;
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
}
@SuppressWarnings("deprecation")
@Override
public void execute(){
try {
Host externalFirewall = _paElementService.addExternalFirewall(this);
ExternalFirewallResponse response = _paElementService.createExternalFirewallResponse(externalFirewall);
response.setObjectName("externalfirewall");
response.setResponseName(getCommandName());
this.setResponseObject(response);
} catch (InvalidParameterValueException ipve) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, ipve.getMessage());
} catch (CloudRuntimeException cre) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, cre.getMessage());
}
}
}

135
plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddPaloAltoFirewallCmd.java Normal file
View File

@ -0,0 +1,135 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import javax.inject.Inject;
import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.event.EventTypes;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.dao.ExternalFirewallDeviceVO;
import com.cloud.network.element.PaloAltoFirewallElementService;
import org.apache.cloudstack.context.CallContext;
import com.cloud.utils.exception.CloudRuntimeException;
@APICommand(name = "addPaloAltoFirewall", responseObject=PaloAltoFirewallResponse.class, description="Adds a Palo Alto firewall device")
public class AddPaloAltoFirewallCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddPaloAltoFirewallCmd.class.getName());
private static final String s_name = "addpaloaltofirewallresponse";
@Inject PaloAltoFirewallElementService _paFwService;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.PHYSICAL_NETWORK_ID, type=CommandType.UUID, entityType = PhysicalNetworkResponse.class,
required=true, description="the Physical Network ID")
private Long physicalNetworkId;
@Parameter(name=ApiConstants.URL, type=CommandType.STRING, required = true, description="URL of the Palo Alto appliance.")
private String url;
@Parameter(name=ApiConstants.USERNAME, type=CommandType.STRING, required = true, description="Credentials to reach Palo Alto firewall device")
private String username;
@Parameter(name=ApiConstants.PASSWORD, type=CommandType.STRING, required = true, description="Credentials to reach Palo Alto firewall device")
private String password;
@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, required = true, description = "supports only PaloAltoFirewall")
private String deviceType;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getPhysicalNetworkId() {
return physicalNetworkId;
}
public String getUrl() {
return url;
}
public String getUsername() {
return username;
}
public String getPassword() {
return password;
}
public String getDeviceType() {
return deviceType;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
try {
ExternalFirewallDeviceVO fwDeviceVO = _paFwService.addPaloAltoFirewall(this);
if (fwDeviceVO != null) {
PaloAltoFirewallResponse response = _paFwService.createPaloAltoFirewallResponse(fwDeviceVO);
response.setObjectName("pafirewall");
response.setResponseName(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add Palo Alto firewall due to internal error.");
}
} catch (InvalidParameterValueException invalidParamExcp) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
} catch (CloudRuntimeException runtimeExcp) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
}
}
@Override
public String getEventDescription() {
return "Adding a Palo Alto firewall device";
}
@Override
public String getEventType() {
return EventTypes.EVENT_EXTERNAL_FIREWALL_DEVICE_ADD;
}
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return CallContext.current().getCallingAccount().getId();
}
}

114
plugins/network-elements/palo-alto/src/com/cloud/api/commands/ConfigurePaloAltoFirewallCmd.java Normal file
View File

@ -0,0 +1,114 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.event.EventTypes;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.dao.ExternalFirewallDeviceVO;
import com.cloud.network.element.PaloAltoFirewallElementService;
import org.apache.cloudstack.context.CallContext;
import com.cloud.utils.exception.CloudRuntimeException;
@APICommand(name = "configurePaloAltoFirewall", responseObject=PaloAltoFirewallResponse.class, description="Configures a Palo Alto firewall device")
public class ConfigurePaloAltoFirewallCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(ConfigurePaloAltoFirewallCmd.class.getName());
private static final String s_name = "configurepaloaltofirewallresponse";
@Inject PaloAltoFirewallElementService _paFwService;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.FIREWALL_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
required=true, description="Palo Alto firewall device ID")
private Long fwDeviceId;
@Parameter(name=ApiConstants.FIREWALL_DEVICE_CAPACITY, type=CommandType.LONG, required=false, description="capacity of the firewall device, Capacity will be interpreted as number of networks device can handle")
private Long capacity;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getFirewallDeviceId() {
return fwDeviceId;
}
public Long getFirewallCapacity() {
return capacity;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
try {
ExternalFirewallDeviceVO fwDeviceVO = _paFwService.configurePaloAltoFirewall(this);
if (fwDeviceVO != null) {
PaloAltoFirewallResponse response = _paFwService.createPaloAltoFirewallResponse(fwDeviceVO);
response.setObjectName("pafirewall");
response.setResponseName(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to configure Palo Alto firewall device due to internal error.");
}
} catch (InvalidParameterValueException invalidParamExcp) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
} catch (CloudRuntimeException runtimeExcp) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
}
}
@Override
public String getEventDescription() {
return "Configuring a Palo Alto firewall device";
}
@Override
public String getEventType() {
return EventTypes.EVENT_EXTERNAL_FIREWALL_DEVICE_CONFIGURE;
}
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return CallContext.current().getCallingAccount().getId();
}
}

88
plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeleteExternalFirewallCmd.java Normal file
View File

@ -0,0 +1,88 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import javax.inject.Inject;
import org.apache.cloudstack.api.response.HostResponse;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.network.element.PaloAltoFirewallElementService;
import com.cloud.user.Account;
@APICommand(name = "deleteExternalFirewall", description="Deletes an external firewall appliance.", responseObject = SuccessResponse.class)
public class DeleteExternalFirewallCmd extends BaseCmd {
public static final Logger s_logger = Logger.getLogger(DeleteExternalFirewallCmd.class.getName());
private static final String s_name = "deleteexternalfirewallresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = HostResponse.class,
required = true, description="Id of the external firewall appliance.")
private Long id;
///////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Inject PaloAltoFirewallElementService _paElementService;
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
}
@SuppressWarnings("deprecation")
@Override
public void execute(){
try {
boolean result = _paElementService.deleteExternalFirewall(this);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
response.setResponseName(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete external firewall.");
}
} catch (InvalidParameterValueException e) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Failed to delete external firewall.");
}
}
}

105
plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeletePaloAltoFirewallCmd.java Normal file
View File

@ -0,0 +1,105 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.event.EventTypes;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.element.PaloAltoFirewallElementService;
import org.apache.cloudstack.context.CallContext;
import com.cloud.utils.exception.CloudRuntimeException;
@APICommand(name = "deletePaloAltoFirewall", responseObject=SuccessResponse.class, description=" delete a Palo Alto firewall device")
public class DeletePaloAltoFirewallCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeletePaloAltoFirewallCmd.class.getName());
private static final String s_name = "deletepaloaltofirewallresponse";
@Inject PaloAltoFirewallElementService _paElementService;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.FIREWALL_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
required=true, description="Palo Alto firewall device ID")
private Long fwDeviceId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getFirewallDeviceId() {
return fwDeviceId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
try {
boolean result = _paElementService.deletePaloAltoFirewall(this);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
response.setResponseName(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete Palo Alto firewall device");
}
} catch (InvalidParameterValueException invalidParamExcp) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
} catch (CloudRuntimeException runtimeExcp) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
}
}
@Override
public String getEventDescription() {
return "Deleting Palo Alto firewall device";
}
@Override
public String getEventType() {
return EventTypes.EVENT_EXTERNAL_FIREWALL_DEVICE_DELETE;
}
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return CallContext.current().getCallingAccount().getId();
}
}

88
plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListExternalFirewallsCmd.java Normal file
View File

@ -0,0 +1,88 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import org.apache.cloudstack.api.command.user.offering.ListServiceOfferingsCmd;
import org.apache.cloudstack.api.response.ZoneResponse;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse;
import com.cloud.host.Host;
import com.cloud.network.element.PaloAltoFirewallElementService;
import org.apache.cloudstack.api.response.ExternalFirewallResponse;
@APICommand(name = "listExternalFirewalls", description="List external firewall appliances.", responseObject = ExternalFirewallResponse.class)
public class ListExternalFirewallsCmd extends BaseListCmd {
public static final Logger s_logger = Logger.getLogger(ListServiceOfferingsCmd.class.getName());
private static final String s_name = "listexternalfirewallsresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.ZONE_ID, type=CommandType.UUID, entityType = ZoneResponse.class,
required = true, description="zone Id")
private long zoneId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public long getZoneId() {
return zoneId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Inject PaloAltoFirewallElementService _paElementService;
@Override
public String getCommandName() {
return s_name;
}
@SuppressWarnings("deprecation")
@Override
public void execute(){
List<? extends Host> externalFirewalls = _paElementService.listExternalFirewalls(this);
ListResponse<ExternalFirewallResponse> listResponse = new ListResponse<ExternalFirewallResponse>();
List<ExternalFirewallResponse> responses = new ArrayList<ExternalFirewallResponse>();
for (Host externalFirewall : externalFirewalls) {
ExternalFirewallResponse response = _paElementService.createExternalFirewallResponse(externalFirewall);
response.setObjectName("externalfirewall");
response.setResponseName(getCommandName());
responses.add(response);
}
listResponse.setResponses(responses);
listResponse.setResponseName(getCommandName());
this.setResponseObject(listResponse);
}
}

95
plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListPaloAltoFirewallNetworksCmd.java Normal file
View File

@ -0,0 +1,95 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import org.apache.cloudstack.api.*;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.NetworkResponse;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.element.PaloAltoFirewallElementService;
import com.cloud.utils.exception.CloudRuntimeException;
@APICommand(name = "listPaloAltoFirewallNetworks", responseObject=NetworkResponse.class, description="lists network that are using Palo Alto firewall device")
public class ListPaloAltoFirewallNetworksCmd extends BaseListCmd {
public static final Logger s_logger = Logger.getLogger(ListPaloAltoFirewallNetworksCmd.class.getName());
private static final String s_name = "listpaloaltofirewallnetworksresponse";
@Inject PaloAltoFirewallElementService _paFwService;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.LOAD_BALANCER_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
required = true, description="palo alto balancer device ID")
private Long fwDeviceId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getFirewallDeviceId() {
return fwDeviceId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
try {
List<? extends Network> networks = _paFwService.listNetworks(this);
ListResponse<NetworkResponse> response = new ListResponse<NetworkResponse>();
List<NetworkResponse> networkResponses = new ArrayList<NetworkResponse>();
if (networks != null && !networks.isEmpty()) {
for (Network network : networks) {
NetworkResponse networkResponse = _responseGenerator.createNetworkResponse(network);
networkResponses.add(networkResponse);
}
}
response.setResponses(networkResponses);
response.setResponseName(getCommandName());
this.setResponseObject(response);
} catch (InvalidParameterValueException invalidParamExcp) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
} catch (CloudRuntimeException runtimeExcp) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
}
}
@Override
public String getCommandName() {
return s_name;
}
}

103
plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListPaloAltoFirewallsCmd.java Normal file
View File

@ -0,0 +1,103 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.commands;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import org.apache.cloudstack.api.*;
import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.response.ListResponse;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.dao.ExternalFirewallDeviceVO;
import com.cloud.network.element.PaloAltoFirewallElementService;
import com.cloud.utils.exception.CloudRuntimeException;
@APICommand(name = "listPaloAltoFirewalls", responseObject=PaloAltoFirewallResponse.class, description="lists Palo Alto firewall devices in a physical network")
public class ListPaloAltoFirewallsCmd extends BaseListCmd {
public static final Logger s_logger = Logger.getLogger(ListPaloAltoFirewallsCmd.class.getName());
private static final String s_name = "listpaloaltofirewallresponse";
@Inject PaloAltoFirewallElementService _paFwService;
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name=ApiConstants.PHYSICAL_NETWORK_ID, type=CommandType.UUID, entityType = PhysicalNetworkResponse.class,
description="the Physical Network ID")
private Long physicalNetworkId;
@Parameter(name=ApiConstants.FIREWALL_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
description="Palo Alto firewall device ID")
private Long fwDeviceId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getFirewallDeviceId() {
return fwDeviceId;
}
public Long getPhysicalNetworkId() {
return physicalNetworkId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
try {
List<ExternalFirewallDeviceVO> fwDevices = _paFwService.listPaloAltoFirewalls(this);
ListResponse<PaloAltoFirewallResponse> response = new ListResponse<PaloAltoFirewallResponse>();
List<PaloAltoFirewallResponse> fwDevicesResponse = new ArrayList<PaloAltoFirewallResponse>();
if (fwDevices != null && !fwDevices.isEmpty()) {
for (ExternalFirewallDeviceVO fwDeviceVO : fwDevices) {
PaloAltoFirewallResponse deviceResponse = _paFwService.createPaloAltoFirewallResponse(fwDeviceVO);
fwDevicesResponse.add(deviceResponse);
}
}
response.setResponses(fwDevicesResponse);
response.setResponseName(getCommandName());
this.setResponseObject(response);
} catch (InvalidParameterValueException invalidParamExcp) {
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
} catch (CloudRuntimeException runtimeExcp) {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
}
}
@Override
public String getCommandName() {
return s_name;
}
}

142
plugins/network-elements/palo-alto/src/com/cloud/api/response/PaloAltoFirewallResponse.java Normal file
View File

@ -0,0 +1,142 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.api.response;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.EntityReference;
import com.cloud.serializer.Param;
import com.google.gson.annotations.SerializedName;
import org.apache.cloudstack.api.BaseResponse;
import com.cloud.network.dao.ExternalFirewallDeviceVO;
@EntityReference(value=ExternalFirewallDeviceVO.class)
@SuppressWarnings("unused")
public class PaloAltoFirewallResponse extends BaseResponse {
@SerializedName(ApiConstants.FIREWALL_DEVICE_ID) @Param(description="device id of the Palo Alto firewall")
private String id;
@SerializedName(ApiConstants.PHYSICAL_NETWORK_ID) @Param(description="the physical network to which this Palo Alto firewall belongs to")
private String physicalNetworkId;
@SerializedName(ApiConstants.PROVIDER) @Param(description="name of the provider")
private String providerName;
@SerializedName(ApiConstants.FIREWALL_DEVICE_NAME) @Param(description="device name")
private String deviceName;
@SerializedName(ApiConstants.FIREWALL_DEVICE_STATE) @Param(description="device state")
private String deviceState;
@SerializedName(ApiConstants.FIREWALL_DEVICE_CAPACITY) @Param(description="device capacity")
private Long deviceCapacity;
@SerializedName(ApiConstants.ZONE_ID) @Param(description="the zone ID of the external firewall")
private String zoneId;
@SerializedName(ApiConstants.IP_ADDRESS) @Param(description="the management IP address of the external firewall")
private String ipAddress;
@SerializedName(ApiConstants.USERNAME) @Param(description="the username that's used to log in to the external firewall")
private String username;
@SerializedName(ApiConstants.PUBLIC_INTERFACE) @Param(description="the public interface of the external firewall")
private String publicInterface;
@SerializedName(ApiConstants.USAGE_INTERFACE) @Param(description="the usage interface of the external firewall")
private String usageInterface;
@SerializedName(ApiConstants.PRIVATE_INTERFACE) @Param(description="the private interface of the external firewall")
private String privateInterface;
@SerializedName(ApiConstants.PUBLIC_ZONE) @Param(description="the public security zone of the external firewall")
private String publicZone;
@SerializedName(ApiConstants.PRIVATE_ZONE) @Param(description="the private security zone of the external firewall")
private String privateZone;
@SerializedName(ApiConstants.NUM_RETRIES) @Param(description="the number of times to retry requests to the external firewall")
private String numRetries;
@SerializedName(ApiConstants.TIMEOUT) @Param(description="the timeout (in seconds) for requests to the external firewall")
private String timeout;
public void setId(String lbDeviceId) {
this.id = lbDeviceId;
}
public void setPhysicalNetworkId(String physicalNetworkId) {
this.physicalNetworkId = physicalNetworkId;
}
public void setProvider(String provider) {
this.providerName = provider;
}
public void setDeviceName(String deviceName) {
this.deviceName = deviceName;
}
public void setDeviceCapacity(long deviceCapacity) {
this.deviceCapacity = deviceCapacity;
}
public void setDeviceState(String deviceState) {
this.deviceState = deviceState;
}
public void setIpAddress(String ipAddress) {
this.ipAddress = ipAddress;
}
public void setPublicInterface(String publicInterface) {
this.publicInterface = publicInterface;
}
public void setUsageInterface(String usageInterface) {
this.usageInterface = usageInterface;
}
public void setPrivateInterface(String privateInterface) {
this.privateInterface = privateInterface;
}
public void setPublicZone(String publicZone) {
this.publicZone = publicZone;
}
public void setPrivateZone(String privateZone) {
this.privateZone = privateZone;
}
public String getNumRetries() {
return numRetries;
}
public void setNumRetries(String numRetries) {
this.numRetries = numRetries;
}
public String getTimeout() {
return timeout;
}
public void setTimeout(String timeout) {
this.timeout = timeout;
}
}

538
plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java Normal file
View File

@ -0,0 +1,538 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.element;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.cloudstack.api.response.ExternalFirewallResponse;
import org.apache.cloudstack.network.ExternalNetworkDeviceManager.NetworkDevice;
import org.apache.log4j.Logger;
import com.cloud.api.ApiDBUtils;
import com.cloud.api.commands.AddExternalFirewallCmd;
import com.cloud.api.commands.AddPaloAltoFirewallCmd;
import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
import com.cloud.api.commands.DeleteExternalFirewallCmd;
import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
import com.cloud.api.commands.ListExternalFirewallsCmd;
import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.configuration.Config;
import com.cloud.configuration.ConfigurationManager;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import com.cloud.dc.DataCenter;
import com.cloud.dc.DataCenter.NetworkType;
import com.cloud.dc.DataCenterVO;
import com.cloud.dc.dao.DataCenterDao;
import com.cloud.deploy.DeployDestination;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.InsufficientNetworkCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.host.Host;
import com.cloud.host.HostVO;
import com.cloud.host.dao.HostDao;
import com.cloud.host.dao.HostDetailsDao;
import com.cloud.network.ExternalFirewallDeviceManagerImpl;
import com.cloud.network.Network;
import com.cloud.network.Network.Capability;
import com.cloud.network.Network.Provider;
import com.cloud.network.Network.Service;
import com.cloud.network.NetworkModel;
import com.cloud.network.PhysicalNetwork;
import com.cloud.network.PhysicalNetworkServiceProvider;
import com.cloud.network.PublicIpAddress;
import com.cloud.network.dao.ExternalFirewallDeviceDao;
import com.cloud.network.dao.ExternalFirewallDeviceVO;
import com.cloud.network.dao.NetworkDao;
import com.cloud.network.dao.NetworkExternalFirewallDao;
import com.cloud.network.dao.NetworkExternalFirewallVO;
import com.cloud.network.dao.NetworkServiceMapDao;
import com.cloud.network.dao.NetworkVO;
import com.cloud.network.dao.PhysicalNetworkDao;
import com.cloud.network.dao.PhysicalNetworkVO;
import com.cloud.network.dao.ExternalFirewallDeviceVO.FirewallDeviceState;
import com.cloud.network.resource.PaloAltoResource;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.PortForwardingRule;
import com.cloud.network.rules.StaticNat;
import com.cloud.offering.NetworkOffering;
import com.cloud.offerings.dao.NetworkOfferingDao;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.vm.NicProfile;
import com.cloud.vm.ReservationContext;
import com.cloud.vm.VirtualMachine;
import com.cloud.vm.VirtualMachineProfile;
@Local(value = {NetworkElement.class, FirewallServiceProvider.class,
PortForwardingServiceProvider.class, IpDeployer.class,
SourceNatServiceProvider.class})
public class PaloAltoExternalFirewallElement extends ExternalFirewallDeviceManagerImpl implements SourceNatServiceProvider, FirewallServiceProvider,
PortForwardingServiceProvider, IpDeployer, PaloAltoFirewallElementService, StaticNatServiceProvider {
private static final Logger s_logger = Logger.getLogger(PaloAltoExternalFirewallElement.class);
private static final Map<Service, Map<Capability, String>> capabilities = setCapabilities();
@Inject
NetworkModel _networkManager;
@Inject
HostDao _hostDao;
@Inject
ConfigurationManager _configMgr;
@Inject
NetworkOfferingDao _networkOfferingDao;
@Inject
NetworkDao _networksDao;
@Inject
DataCenterDao _dcDao;
@Inject
PhysicalNetworkDao _physicalNetworkDao;
@Inject
ExternalFirewallDeviceDao _fwDevicesDao;
@Inject
NetworkExternalFirewallDao _networkFirewallDao;
@Inject
NetworkDao _networkDao;
@Inject
NetworkServiceMapDao _ntwkSrvcDao;
@Inject
HostDetailsDao _hostDetailDao;
@Inject
ConfigurationDao _configDao;
@Inject
EntityManager _entityMgr;
private boolean canHandle(Network network, Service service) {
DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
if (zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() != Network.GuestType.Isolated) {
s_logger.trace("Element " + getProvider().getName() + "is not handling network type = " + network.getGuestType());
return false;
}
if (service == null) {
if (!_networkManager.isProviderForNetwork(getProvider(), network.getId())) {
s_logger.trace("Element " + getProvider().getName() + " is not a provider for the network " + network);
return false;
}
} else {
if (!_networkManager.isProviderSupportServiceInNetwork(network.getId(), service, getProvider())) {
s_logger.trace("Element " + getProvider().getName() + " doesn't support service " + service.getName() + " in the network " + network);
return false;
}
}
return true;
}
@Override
public boolean implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context) throws ResourceUnavailableException, ConcurrentOperationException,
InsufficientNetworkCapacityException {
DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
// don't have to implement network is Basic zone
if (zone.getNetworkType() == NetworkType.Basic) {
s_logger.debug("Not handling network implement in zone of type " + NetworkType.Basic);
return false;
}
if (!canHandle(network, null)) {
return false;
}
try {
return manageGuestNetworkWithExternalFirewall(true, network);
} catch (InsufficientCapacityException capacityException) {
// TODO: handle out of capacity exception in more gracefule manner when multiple providers are present for
// the network
s_logger.error("Fail to implement the Palo Alto for network " + network, capacityException);
return false;
}
}
@Override
public boolean prepare(Network config, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context) throws ConcurrentOperationException,
InsufficientNetworkCapacityException, ResourceUnavailableException {
return true;
}
@Override
public boolean release(Network config, NicProfile nic, VirtualMachineProfile vm, ReservationContext context) {
return true;
}
@Override
public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ResourceUnavailableException, ConcurrentOperationException {
DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
// don't have to implement network is Basic zone
if (zone.getNetworkType() == NetworkType.Basic) {
s_logger.debug("Not handling network shutdown in zone of type " + NetworkType.Basic);
return false;
}
if (!canHandle(network, null)) {
return false;
}
try {
return manageGuestNetworkWithExternalFirewall(false, network);
} catch (InsufficientCapacityException capacityException) {
// TODO: handle out of capacity exception
return false;
}
}
@Override
public boolean destroy(Network config, ReservationContext context) {
return true;
}
@Override
public boolean applyFWRules(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
if (!canHandle(config, Service.Firewall)) {
return false;
}
return applyFirewallRules(config, rules);
}
@Override
public Provider getProvider() {
return Provider.PaloAlto;
}
@Override
public Map<Service, Map<Capability, String>> getCapabilities() {
return capabilities;
}
private static Map<Service, Map<Capability, String>> setCapabilities() {
Map<Service, Map<Capability, String>> capabilities = new HashMap<Service, Map<Capability, String>>();
// Set capabilities for Firewall service
Map<Capability, String> firewallCapabilities = new HashMap<Capability, String>();
firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
firewallCapabilities.put(Capability.SupportedEgressProtocols, "tcp,udp,icmp,all");
firewallCapabilities.put(Capability.MultipleIps, "true");
firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
capabilities.put(Service.Firewall, firewallCapabilities);
capabilities.put(Service.Gateway, null);
Map<Capability, String> sourceNatCapabilities = new HashMap<Capability, String>();
// Specifies that this element supports either one source NAT rule per account;
sourceNatCapabilities.put(Capability.SupportedSourceNatTypes, "peraccount");
capabilities.put(Service.SourceNat, sourceNatCapabilities);
// Specifies that port forwarding rules are supported by this element
capabilities.put(Service.PortForwarding, null);
// Specifies that static NAT rules are supported by this element
capabilities.put(Service.StaticNat, null);
return capabilities;
}
@Override
public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
if (!canHandle(network, Service.PortForwarding)) {
return false;
}
return applyPortForwardingRules(network, rules);
}
@Override
public boolean isReady(PhysicalNetworkServiceProvider provider) {
List<ExternalFirewallDeviceVO> fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(provider.getPhysicalNetworkId(), Provider.PaloAlto.getName());
// true if at-least one Palo Alto device is added in to physical network and is in configured (in enabled state) state
if (fwDevices != null && !fwDevices.isEmpty()) {
for (ExternalFirewallDeviceVO fwDevice : fwDevices) {
if (fwDevice.getDeviceState() == FirewallDeviceState.Enabled) {
return true;
}
}
}
return false;
}
@Override
public boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, ReservationContext context) throws ConcurrentOperationException,
ResourceUnavailableException {
// TODO Auto-generated method stub
return true;
}
@Override
public boolean canEnableIndividualServices() {
return true;
}
@Override
@Deprecated
// should use more generic addNetworkDevice command to add firewall
public Host addExternalFirewall(AddExternalFirewallCmd cmd) {
Long zoneId = cmd.getZoneId();
DataCenterVO zone = null;
PhysicalNetworkVO pNetwork = null;
HostVO fwHost = null;
zone = _dcDao.findById(zoneId);
if (zone == null) {
throw new InvalidParameterValueException("Could not find zone with ID: " + zoneId);
}
List<PhysicalNetworkVO> physicalNetworks = _physicalNetworkDao.listByZone(zoneId);
if ((physicalNetworks == null) || (physicalNetworks.size() > 1)) {
throw new InvalidParameterValueException("There are no physical networks or multiple physical networks configured in zone with ID: "
+ zoneId + " to add this device.");
}
pNetwork = physicalNetworks.get(0);
String deviceType = NetworkDevice.PaloAltoFirewall.getName();
ExternalFirewallDeviceVO fwDeviceVO = addExternalFirewall(pNetwork.getId(), cmd.getUrl(), cmd.getUsername(), cmd.getPassword(), deviceType, new PaloAltoResource());
if (fwDeviceVO != null) {
fwHost = _hostDao.findById(fwDeviceVO.getHostId());
}
return fwHost;
}
@Override
public boolean deleteExternalFirewall(DeleteExternalFirewallCmd cmd) {
return deleteExternalFirewall(cmd.getId());
}
@Override
@Deprecated
// should use more generic listNetworkDevice command
public List<Host> listExternalFirewalls(ListExternalFirewallsCmd cmd) {
List<Host> firewallHosts = new ArrayList<Host>();
Long zoneId = cmd.getZoneId();
DataCenterVO zone = null;
PhysicalNetworkVO pNetwork = null;
if (zoneId != null) {
zone = _dcDao.findById(zoneId);
if (zone == null) {
throw new InvalidParameterValueException("Could not find zone with ID: " + zoneId);
}
List<PhysicalNetworkVO> physicalNetworks = _physicalNetworkDao.listByZone(zoneId);
if ((physicalNetworks == null) || (physicalNetworks.size() > 1)) {
throw new InvalidParameterValueException("There are no physical networks or multiple physical networks configured in zone with ID: "
+ zoneId + " to add this device.");
}
pNetwork = physicalNetworks.get(0);
}
firewallHosts.addAll(listExternalFirewalls(pNetwork.getId(), NetworkDevice.PaloAltoFirewall.getName()));
return firewallHosts;
}
@Override
public ExternalFirewallResponse createExternalFirewallResponse(Host externalFirewall) {
return super.createExternalFirewallResponse(externalFirewall);
}
@Override
public List<Class<?>> getCommands() {
List<Class<?>> cmdList = new ArrayList<Class<?>>();
cmdList.add(AddExternalFirewallCmd.class);
cmdList.add(AddPaloAltoFirewallCmd.class);
cmdList.add(ConfigurePaloAltoFirewallCmd.class);
cmdList.add(DeleteExternalFirewallCmd.class);
cmdList.add(DeletePaloAltoFirewallCmd.class);
cmdList.add(ListExternalFirewallsCmd.class);
cmdList.add(ListPaloAltoFirewallNetworksCmd.class);
cmdList.add(ListPaloAltoFirewallsCmd.class);
return cmdList;
}
@Override
public ExternalFirewallDeviceVO addPaloAltoFirewall(AddPaloAltoFirewallCmd cmd) {
String deviceName = cmd.getDeviceType();
if (!deviceName.equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
throw new InvalidParameterValueException("Invalid Palo Alto firewall device type");
}
return addExternalFirewall(cmd.getPhysicalNetworkId(), cmd.getUrl(), cmd.getUsername(), cmd.getPassword(), deviceName,
new PaloAltoResource());
}
@Override
public boolean deletePaloAltoFirewall(DeletePaloAltoFirewallCmd cmd) {
Long fwDeviceId = cmd.getFirewallDeviceId();
ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
if (fwDeviceVO == null || !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
}
return deleteExternalFirewall(fwDeviceVO.getHostId());
}
@Override
public ExternalFirewallDeviceVO configurePaloAltoFirewall(ConfigurePaloAltoFirewallCmd cmd) {
Long fwDeviceId = cmd.getFirewallDeviceId();
Long deviceCapacity = cmd.getFirewallCapacity();
ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
if (fwDeviceVO == null || !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
}
if (deviceCapacity != null) {
// check if any networks are using this Palo Alto device
List<NetworkExternalFirewallVO> networks = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
if ((networks != null) && !networks.isEmpty()) {
if (deviceCapacity < networks.size()) {
throw new CloudRuntimeException("There are more number of networks already using this Palo Alto firewall device than configured capacity");
}
}
if (deviceCapacity != null) {
fwDeviceVO.setCapacity(deviceCapacity);
}
}
fwDeviceVO.setDeviceState(FirewallDeviceState.Enabled);
_fwDevicesDao.update(fwDeviceId, fwDeviceVO);
return fwDeviceVO;
}
@Override
public List<ExternalFirewallDeviceVO> listPaloAltoFirewalls(ListPaloAltoFirewallsCmd cmd) {
Long physcialNetworkId = cmd.getPhysicalNetworkId();
Long fwDeviceId = cmd.getFirewallDeviceId();
PhysicalNetworkVO pNetwork = null;
List<ExternalFirewallDeviceVO> fwDevices = new ArrayList<ExternalFirewallDeviceVO>();
if (physcialNetworkId == null && fwDeviceId == null) {
throw new InvalidParameterValueException("Either physical network Id or load balancer device Id must be specified");
}
if (fwDeviceId != null) {
ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
if (fwDeviceVo == null || !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID: " + fwDeviceId);
}
fwDevices.add(fwDeviceVo);
}
if (physcialNetworkId != null) {
pNetwork = _physicalNetworkDao.findById(physcialNetworkId);
if (pNetwork == null) {
throw new InvalidParameterValueException("Could not find phyical network with ID: " + physcialNetworkId);
}
fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(physcialNetworkId, Provider.PaloAlto.getName());
}
return fwDevices;
}
@Override
public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd) {
Long fwDeviceId = cmd.getFirewallDeviceId();
List<NetworkVO> networks = new ArrayList<NetworkVO>();
ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
if (fwDeviceVo == null || !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID " + fwDeviceId);
}
List<NetworkExternalFirewallVO> networkFirewallMaps = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
if (networkFirewallMaps != null && !networkFirewallMaps.isEmpty()) {
for (NetworkExternalFirewallVO networkFirewallMap : networkFirewallMaps) {
NetworkVO network = _networkDao.findById(networkFirewallMap.getNetworkId());
networks.add(network);
}
}
return networks;
}
@Override
public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO fwDeviceVO) {
PaloAltoFirewallResponse response = new PaloAltoFirewallResponse();
Map<String, String> fwDetails = _hostDetailDao.findDetails(fwDeviceVO.getHostId());
Host fwHost = _hostDao.findById(fwDeviceVO.getHostId());
response.setId(fwDeviceVO.getUuid());
PhysicalNetwork pnw = ApiDBUtils.findPhysicalNetworkById(fwDeviceVO.getPhysicalNetworkId());
if (pnw != null) {
response.setPhysicalNetworkId(pnw.getUuid());
}
response.setDeviceName(fwDeviceVO.getDeviceName());
if (fwDeviceVO.getCapacity() == 0) {
long defaultFwCapacity = NumbersUtil.parseLong(_configDao.getValue(Config.DefaultExternalFirewallCapacity.key()), 50);
response.setDeviceCapacity(defaultFwCapacity);
} else {
response.setDeviceCapacity(fwDeviceVO.getCapacity());
}
response.setProvider(fwDeviceVO.getProviderName());
response.setDeviceState(fwDeviceVO.getDeviceState().name());
response.setIpAddress(fwHost.getPrivateIpAddress());
response.setPublicInterface(fwDetails.get("publicInterface"));
response.setUsageInterface(fwDetails.get("usageInterface"));
response.setPrivateInterface(fwDetails.get("privateInterface"));
response.setPublicZone(fwDetails.get("publicZone"));
response.setPrivateZone(fwDetails.get("privateZone"));
response.setNumRetries(fwDetails.get("numRetries"));
response.setTimeout(fwDetails.get("timeout"));
response.setObjectName("paloaltofirewall");
return response;
}
@Override
public boolean verifyServicesCombination(Set<Service> services) {
if (!services.contains(Service.Firewall)) {
s_logger.warn("Palo Alto must be used as Firewall Service Provider in the network");
return false;
}
return true;
}
@Override
public IpDeployer getIpDeployer(Network network) {
return this;
}
@Override
public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Service> service) throws ResourceUnavailableException {
// return true, as IP will be associated as part of static NAT/port forwarding rule configuration
return true;
}
@Override
public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
if (!canHandle(config, Service.StaticNat)) {
return false;
}
return applyStaticNatRules(config, rules);
}
}

88
plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java Normal file
View File

@ -0,0 +1,88 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.element;
import java.util.List;
import com.cloud.api.commands.AddExternalFirewallCmd;
import com.cloud.api.commands.AddPaloAltoFirewallCmd;
import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
import com.cloud.api.commands.DeleteExternalFirewallCmd;
import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
import com.cloud.api.commands.ListExternalFirewallsCmd;
import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
import com.cloud.api.response.PaloAltoFirewallResponse;
import com.cloud.host.Host;
import com.cloud.network.Network;
import com.cloud.network.dao.ExternalFirewallDeviceVO;
import org.apache.cloudstack.api.response.ExternalFirewallResponse;
import com.cloud.utils.component.PluggableService;
public interface PaloAltoFirewallElementService extends PluggableService {
/**
* adds a Palo Alto firewall device in to a physical network
* @param AddPaloAltoFirewallCmd
* @return ExternalFirewallDeviceVO object for the firewall added
*/
public ExternalFirewallDeviceVO addPaloAltoFirewall(AddPaloAltoFirewallCmd cmd);
/**
* removes Palo Alto firewall device from a physical network
* @param DeletePaloAltoFirewallCmd
* @return true if firewall device successfully deleted
*/
public boolean deletePaloAltoFirewall(DeletePaloAltoFirewallCmd cmd);
/**
* configures a Palo Alto firewal device added in a physical network
* @param ConfigurePaloAltoFirewallCmd
* @return ExternalFirewallDeviceVO for the device configured
*/
public ExternalFirewallDeviceVO configurePaloAltoFirewall(ConfigurePaloAltoFirewallCmd cmd);
/**
* lists all the Palo Alto firewall devices added in to a physical network
* @param ListPaloAltoFirewallsCmd
* @return list of ExternalFirewallDeviceVO for the devices in the physical network.
*/
public List<ExternalFirewallDeviceVO> listPaloAltoFirewalls(ListPaloAltoFirewallsCmd cmd);
/**
* lists all the guest networks using a PaloAlto firewall device
* @param ListPaloAltoFirewallNetworksCmd
* @return list of the guest networks that are using this F5 load balancer
*/
public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd);
public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO fwDeviceVO);
@Deprecated // API helper function supported for backward compatibility
public Host addExternalFirewall(AddExternalFirewallCmd cmd);
@Deprecated // API helper function supported for backward compatibility
public boolean deleteExternalFirewall(DeleteExternalFirewallCmd cmd);
@Deprecated // API helper function supported for backward compatibility
public List<Host> listExternalFirewalls(ListExternalFirewallsCmd cmd);
@Deprecated // API helper function supported for backward compatibility
public ExternalFirewallResponse createExternalFirewallResponse(Host externalFirewall);
}

2030
plugins/network-elements/palo-alto/src/com/cloud/network/resource/PaloAltoResource.java Normal file
View File

File diff suppressed because it is too large Load Diff

69
plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java Normal file
View File

@ -0,0 +1,69 @@
package com.cloud.network.utils;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import java.io.*;
public class HttpClientWrapper {
public static HttpClient wrapClient(HttpClient base) {
try {
SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
X509HostnameVerifier verifier = new X509HostnameVerifier() {
@Override
public void verify(String string, SSLSocket ssls) throws IOException {
}
@Override
public void verify(String string, X509Certificate xc) throws SSLException {
}
@Override
public void verify(String string, String[] strings, String[] strings1) throws SSLException {
}
@Override
public boolean verify(String string, SSLSession ssls) {
return true;
}
};
ctx.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory ssf = new SSLSocketFactory(ctx);
ssf.setHostnameVerifier(verifier);
ClientConnectionManager ccm = base.getConnectionManager();
SchemeRegistry sr = ccm.getSchemeRegistry();
sr.register(new Scheme("https", ssf, 443));
return new DefaultHttpClient(ccm, base.getParams());
} catch (Exception ex) {
ex.printStackTrace();
return null;
}
}
}

460
plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java Executable file
View File

@ -0,0 +1,460 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.resource;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Logger;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import javax.naming.ConfigurationException;
import javax.xml.parsers.DocumentBuilderFactory;
import com.cloud.agent.IAgentControl;
import com.cloud.agent.api.Answer;
import com.cloud.agent.api.Command;
import com.cloud.agent.api.ExternalNetworkResourceUsageAnswer;
import com.cloud.agent.api.ExternalNetworkResourceUsageCommand;
import com.cloud.agent.api.MaintainAnswer;
import com.cloud.agent.api.MaintainCommand;
import com.cloud.agent.api.PingCommand;
import com.cloud.agent.api.ReadyAnswer;
import com.cloud.agent.api.ReadyCommand;
import com.cloud.agent.api.StartupCommand;
import com.cloud.agent.api.StartupExternalFirewallCommand;
import com.cloud.agent.api.routing.IpAssocAnswer;
import com.cloud.agent.api.routing.IpAssocCommand;
import com.cloud.agent.api.routing.NetworkElementCommand;
import com.cloud.agent.api.routing.SetFirewallRulesCommand;
import com.cloud.agent.api.routing.SetPortForwardingRulesCommand;
import com.cloud.agent.api.routing.SetStaticNatRulesCommand;
import com.cloud.agent.api.to.FirewallRuleTO;
import com.cloud.agent.api.to.IpAddressTO;
import com.cloud.agent.api.to.PortForwardingRuleTO;
import com.cloud.agent.api.to.StaticNatRuleTO;
import com.cloud.host.Host;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.TrafficType;
import com.cloud.network.rules.FirewallRule.Purpose;
import com.cloud.resource.ServerResource;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.exception.ExecutionException;
import com.cloud.utils.net.NetUtils;
import com.cloud.utils.script.Script;
// http client handling
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.BasicResponseHandler;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.NameValuePair;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.protocol.HTTP;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.net.URLDecoder;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import com.cloud.network.utils.HttpClientWrapper;
// for prettyFormat()
import javax.xml.transform.stream.StreamSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Source;
import java.io.StringWriter;
public class MockablePaloAltoResource extends PaloAltoResource {
private HashMap<String, String> context;
public void setMockContext(HashMap<String, String> context) {
this.context = context;
}
/* Fake the calls to the Palo Alto API */
protected String request(PaloAltoMethod method, Map<String, String> params) throws ExecutionException {
if (method != PaloAltoMethod.GET && method != PaloAltoMethod.POST) {
throw new ExecutionException("Invalid http method used to access the Palo Alto API.");
}
String response = "";
// 'keygen' request
if (params.containsKey("type") && params.get("type").equals("keygen")) {
response = "<response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response>";
}
// 'config' requests
if (params.containsKey("type") && params.get("type").equals("config") && params.containsKey("action")) {
// action = 'get'
if (params.get("action").equals("get")) {
// get interface for type
// | public_using_ethernet
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']")) {
if (context.containsKey("public_using_ethernet") && context.get("public_using_ethernet").equals("true")) {
context.put("public_interface_type", "ethernet");
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"ethernet1/1\" admin=\"admin\" time=\"2013/06/18 13:33:56\"><layer3 admin=\"admin\" time=\"2013/06/18 13:33:56\"><ipv6><neighbor-discovery><router-advertisement><enable>no</enable><min-interval>200</min-interval><max-interval>600</max-interval><hop-limit>64</hop-limit><reachable-time>unspecified</reachable-time><retransmission-timer>unspecified</retransmission-timer><lifetime>1800</lifetime><managed-flag>no</managed-flag><other-flag>no</other-flag><enable-consistency-check>no</enable-consistency-check><link-mtu>unspecified</link-mtu></router-advertisement><enable-dad>no</enable-dad><reachable-time>30</reachable-time><ns-interval>1</ns-interval><dad-attempts>1</dad-attempts></neighbor-discovery><enabled>no</enabled><interface-id>EUI-64</interface-id></ipv6><untagged-sub-interface>no</untagged-sub-interface><units admin=\"admin\" time=\"2013/06/18 13:33:56\"><entry name=\"ethernet1/1.9999\" admin=\"admin\" time=\"2013/06/18 13:33:56\"><ipv6><neighbor-discovery><router-advertisement><enable>no</enable><min-interval>200</min-interval><max-interval>600</max-interval><hop-limit>64</hop-limit><reachable-time>unspecified</reachable-time><retransmission-timer>unspecified</retransmission-timer><lifetime>1800</lifetime><managed-flag>no</managed-flag><other-flag>no</other-flag><enable-consistency-check>no</enable-consistency-check><link-mtu>unspecified</link-mtu></router-advertisement><enable-dad>no</enable-dad><reachable-time>30</reachable-time><ns-interval>1</ns-interval><dad-attempts>1</dad-attempts></neighbor-discovery><enabled>no</enabled><interface-id>EUI-64</interface-id></ipv6><ip admin=\"admin\" time=\"2013/06/18 13:33:56\"><entry name=\"192.168.80.254/24\"/></ip><adjust-tcp-mss>no</adjust-tcp-mss><tag>3033</tag></entry></units></layer3><link-speed>auto</link-speed><link-duplex>auto</link-duplex><link-state>auto</link-state></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
} // | private_using_ethernet
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']")) {
if (context.containsKey("private_using_ethernet") && context.get("private_using_ethernet").equals("true")) {
context.put("private_interface_type", "ethernet");
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"ethernet1/2\" admin=\"admin\" time=\"2013/06/18 13:33:57\"><layer3 admin=\"admin\" time=\"2013/06/18 13:33:57\"><ipv6><neighbor-discovery><router-advertisement><enable>no</enable><min-interval>200</min-interval><max-interval>600</max-interval><hop-limit>64</hop-limit><reachable-time>unspecified</reachable-time><retransmission-timer>unspecified</retransmission-timer><lifetime>1800</lifetime><managed-flag>no</managed-flag><other-flag>no</other-flag><enable-consistency-check>no</enable-consistency-check><link-mtu>unspecified</link-mtu></router-advertisement><enable-dad>no</enable-dad><reachable-time>30</reachable-time><ns-interval>1</ns-interval><dad-attempts>1</dad-attempts></neighbor-discovery><enabled>no</enabled><interface-id>EUI-64</interface-id></ipv6><untagged-sub-interface>no</untagged-sub-interface><units admin=\"admin\" time=\"2013/06/18 13:33:57\"/></layer3><link-speed>auto</link-speed><link-duplex>auto</link-duplex><link-state>auto</link-state></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get management profile | has_management_profile
if (params.get("xpath").equals("/config/devices/entry/network/profiles/interface-management-profile/entry[@name='Ping']")) {
if (context.containsKey("has_management_profile") && context.get("has_management_profile").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"Ping\"><ping>yes</ping></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get public interface IP | has_public_interface
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip/entry[@name='192.168.80.102/32']")) {
if (context.containsKey("has_public_interface") && context.get("has_public_interface").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"192.168.80.102/32\" admin=\"admin\" time=\"2013/07/05 13:02:37\"/></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get private interface | has_private_interface
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']")) {
if (context.containsKey("has_private_interface") && context.get("has_private_interface").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"ethernet1/2.3954\" admin=\"admin\" time=\"2013/07/05 13:02:36\"><tag admin=\"admin\" time=\"2013/07/05 13:02:36\">3954</tag><ip><entry name=\"10.5.80.1/20\"/></ip><interface-management-profile>Ping</interface-management-profile></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get private interface ip
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']/ip/entry")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"10.3.96.1/20\"/></result></response>";
}
// get source nat | has_src_nat_rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='src_nat.3954']")) {
if (context.containsKey("has_src_nat_rule") && context.get("has_src_nat_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"src_nat.3954\" admin=\"admin\" time=\"2013/07/05 13:02:38\"><to admin=\"admin\" time=\"2013/07/05 13:02:38\"><member admin=\"admin\" time=\"2013/07/05 13:02:38\">untrust</member></to><from><member>trust</member></from><source><member>10.5.80.1/20</member></source><destination><member>any</member></destination><service>any</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><source-translation><dynamic-ip-and-port><interface-address><ip>192.168.80.102/32</ip><interface>ethernet1/1.9999</interface></interface-address></dynamic-ip-and-port></source-translation></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get isolation firewall rule | has_isolation_fw_rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='isolate_3954']")) {
if (context.containsKey("has_isolation_fw_rule") && context.get("has_isolation_fw_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"isolate_3954\" admin=\"admin\" time=\"2013/07/05 13:02:38\"><from admin=\"admin\" time=\"2013/07/05 13:02:38\"><member admin=\"admin\" time=\"2013/07/05 13:02:38\">trust</member></from><to><member>trust</member></to><source><member>10.5.80.0/20</member></source><destination><member>10.5.80.1</member></destination><application><member>any</member></application><service><member>any</member></service><action>deny</action><negate-source>no</negate-source><negate-destination>yes</negate-destination></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get service | has_service
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/service/entry[@name='cs_tcp_80']")) {
if (context.containsKey("has_service_tcp_80") && context.get("has_service_tcp_80").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"cs_tcp_80\"><protocol><tcp><port>80</port></tcp></protocol></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get egress firewall rule | has_egress_fw_rule | policy_0
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']")) {
if (context.containsKey("has_egress_fw_rule") && context.get("has_egress_fw_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"policy_0\" admin=\"admin\" time=\"2013/07/03 12:43:30\"><from admin=\"admin\" time=\"2013/07/03 12:43:30\"><member admin=\"admin\" time=\"2013/07/03 12:43:30\">trust</member></from><to><member>untrust</member></to><source><member>10.3.96.1/20</member></source><destination><member>any</member></destination><application><member>any</member></application><service><member>cs_tcp_80</member></service><action>allow</action><negate-source>no</negate-source><negate-destination>no</negate-destination></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get ingress firewall rule | has_ingress_fw_rule | policy_8
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_8']")) {
if (context.containsKey("has_ingress_fw_rule") && context.get("has_ingress_fw_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"policy_8\" admin=\"admin\" time=\"2013/07/03 13:26:27\"><from admin=\"admin\" time=\"2013/07/03 13:26:27\"><member admin=\"admin\" time=\"2013/07/03 13:26:27\">untrust</member></from><to><member>trust</member></to><source><member>any</member></source><destination><member>192.168.80.103</member></destination><application><member>any</member></application><service><member>cs_tcp_80</member></service><action>allow</action><negate-source>no</negate-source><negate-destination>no</negate-destination></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get destination nat rule (port forwarding) | has_dst_nat_rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']")) {
if (context.containsKey("has_dst_nat_rule") && context.get("has_dst_nat_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"dst_nat.192-168-80-103_9\" admin=\"admin\" time=\"2013/07/03 13:40:50\"><to admin=\"admin\" time=\"2013/07/03 13:40:50\"><member admin=\"admin\" time=\"2013/07/03 13:40:50\">untrust</member></to><from><member>untrust</member></from><source><member>any</member></source><destination><member>192.168.80.103</member></destination><service>cs_tcp_80</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><destination-translation><translated-address>10.3.97.158</translated-address><translated-port>8080</translated-port></destination-translation></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get destination nat rules (returns all dst nat rules per ip)
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[destination/member[text()='192.168.80.103']]")) {
if (context.containsKey("has_dst_nat_rule") && context.get("has_dst_nat_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"dst_nat.192-168-80-103_9\" admin=\"admin\" time=\"2013/07/03 13:40:50\"><to admin=\"admin\" time=\"2013/07/03 13:40:50\"><member admin=\"admin\" time=\"2013/07/03 13:40:50\">untrust</member></to><from><member>untrust</member></from><source><member>any</member></source><destination><member>192.168.80.103</member></destination><service>cs_tcp_80</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><destination-translation><translated-address>10.3.97.158</translated-address><translated-port>8080</translated-port></destination-translation></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
// get static nat rule | has_stc_nat_rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='stc_nat.192-168-80-103_0']")) {
if (context.containsKey("has_stc_nat_rule") && context.get("has_stc_nat_rule").equals("true")) {
response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"stc_nat.192-168-80-103_0\" admin=\"admin\" time=\"2013/07/03 14:02:23\"><to admin=\"admin\" time=\"2013/07/03 14:02:23\"><member admin=\"admin\" time=\"2013/07/03 14:02:23\">untrust</member></to><from><member>untrust</member></from><source><member>any</member></source><destination><member>192.168.80.103</member></destination><service>any</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><destination-translation><translated-address>10.3.97.158</translated-address></destination-translation></entry></result></response>";
} else {
response = "<response status=\"success\" code=\"19\"><result/></response>";
}
}
}
// action = 'set'
if (params.get("action").equals("set")) {
// set management profile
if (params.get("xpath").equals("/config/devices/entry/network/profiles/interface-management-profile/entry[@name='Ping']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_management_profile", "true");
}
// add private interface
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_private_interface", "true");
}
// add public ip to public interface
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_public_interface", "true");
}
// add private interface to zone
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry[@name='trust']/network/layer3")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// add public interface to zone
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry[@name='untrust']/network/layer3")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// set virtual router (public | private)
if (params.get("xpath").equals("/config/devices/entry/network/virtual-router/entry[@name='default']/interface")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// add interface to network (public | private)
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/import/network/interface")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// add src nat rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='src_nat.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_src_nat_rule", "true");
}
// add isolation firewall rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='isolate_3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_isolation_fw_rule", "true");
}
// add egress firewall rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_egress_fw_rule", "true");
}
// add ingress firewall rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_8']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_ingress_fw_rule", "true");
}
// add destination nat rule (port forwarding)
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_dst_nat_rule", "true");
}
// add static nat rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='stc_nat.192-168-80-103_0']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_stc_nat_rule", "true");
}
// add tcp 80 service
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/service/entry[@name='cs_tcp_80']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.put("has_service_tcp_80", "true");
}
}
// action = 'delete'
if (params.get("action").equals("delete")) {
// remove egress firewall rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_egress_fw_rule");
}
// remove ingress firewall rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_8']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_ingress_fw_rule");
}
// remove destination nat rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_dst_nat_rule");
}
// remove static nat rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='stc_nat.192-168-80-103_0']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_dst_nat_rule");
}
// remove public ip from interface (dst_nat | stc_nat)
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip/entry[@name='192.168.80.103/32']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// remove isolation firewall rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='isolate_3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_isolation_fw_rule");
}
// remove source nat rule
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='src_nat.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_src_nat_rule");
}
// remove public source nat ip
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip/entry[@name='192.168.80.102/32']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_public_interface");
}
// remove private interface from the zone
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry[@name='trust']/network/layer3/member[text()='ethernet1/2.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// remove private interface from the virtual router
if (params.get("xpath").equals("/config/devices/entry/network/virtual-router/entry[@name='default']/interface/member[text()='ethernet1/2.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// remove private interface from network
if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/import/network/interface/member[text()='ethernet1/2.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
}
// remove private interface
if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']")) {
response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
context.remove("has_private_interface");
}
}
} // end 'config'
// 'op' requests
if (params.containsKey("type") && params.get("type").equals("op")) {
// check if there are pending changes
if (params.get("cmd").equals("<check><pending-changes></pending-changes></check>")) {
if (context.containsKey("firewall_has_pending_changes") && context.get("firewall_has_pending_changes").equals("true")) {
response = "<response status=\"success\"><result>yes</result></response>";
} else {
response = "<response status=\"success\"><result>no</result></response>";
}
}
// add a config lock
if (params.get("cmd").equals("<request><config-lock><add></add></config-lock></request>")) {
response = "<response status=\"success\"><result>Successfully acquired lock. Other administrators will not be able to modify configuration for scope shared until lock is released</result></response>";
}
// check job status
if (params.get("cmd").equals("<show><jobs><id>1</id></jobs></show>")) {
if (context.containsKey("simulate_commit_failure") && context.get("simulate_commit_failure").equals("true")) {
response = "<response status=\"success\"><result><job><tenq>2013/07/10 11:11:49</tenq><id>1</id><user>admin</user><type>Commit</type><status>FIN</status><stoppable>no</stoppable><result>FAIL</result><tfin>11:11:54</tfin><progress>11:11:54</progress><details><line>Bad config</line><line>Commit failed</line></details><warnings></warnings></job></result></response>";
} else {
response = "<response status=\"success\"><result><job><tenq>2013/07/02 14:49:49</tenq><id>1</id><user>admin</user><type>Commit</type><status>FIN</status><stoppable>no</stoppable><result>OK</result><tfin>14:50:02</tfin><progress>14:50:02</progress><details><line>Configuration committed successfully</line></details><warnings></warnings></job></result></response>";
}
}
// load from running config
if (params.get("cmd").equals("<load><config><from>running-config.xml</from></config></load>")) {
response = "<response status=\"success\"><result><msg><line>Config loaded from running-config.xml</line></msg></result></response>";
}
// remove config lock
if (params.get("cmd").equals("<request><config-lock><remove></remove></config-lock></request>")) {
response = "<response status=\"success\"><result>Config lock released for scope shared</result></response>";
}
} // end 'op'
// 'commit' requests
if (params.containsKey("type") && params.get("type").equals("commit")) {
// cmd = '<commit></commit>'
if (params.get("cmd").equals("<commit></commit>")) {
response = "<response status=\"success\" code=\"19\"><result><msg><line>Commit job enqueued with jobid 1</line></msg><job>1</job></result></response>";
}
} // end 'commit'
// print out the details into the console
if (context.containsKey("enable_console_output") && context.get("enable_console_output") == "true") {
if (params.containsKey("xpath")) {
System.out.println("XPATH("+params.get("action")+"): "+params.get("xpath"));
}
if (params.containsKey("type") && params.get("type").equals("op")) {
System.out.println("OP CMD: "+params.get("cmd"));
}
System.out.println(response+"\n");
}
return response;
}
}

507
plugins/network-elements/palo-alto/test/com/cloud/network/resource/PaloAltoResourceTest.java Executable file
View File

@ -0,0 +1,507 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.network.resource;
// test imports
import static org.junit.Assert.*;
import static org.mockito.Mockito.*;
import org.junit.Before;
import org.junit.Test;
import java.util.Collections;
// basic imports
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Logger;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import javax.naming.ConfigurationException;
import javax.xml.parsers.DocumentBuilderFactory;
import com.cloud.agent.IAgentControl;
import com.cloud.agent.api.Answer;
import com.cloud.agent.api.Command;
import com.cloud.agent.api.ExternalNetworkResourceUsageAnswer;
import com.cloud.agent.api.ExternalNetworkResourceUsageCommand;
import com.cloud.agent.api.MaintainAnswer;
import com.cloud.agent.api.MaintainCommand;
import com.cloud.agent.api.PingCommand;
import com.cloud.agent.api.ReadyAnswer;
import com.cloud.agent.api.ReadyCommand;
import com.cloud.agent.api.StartupCommand;
import com.cloud.agent.api.StartupExternalFirewallCommand;
import com.cloud.agent.api.routing.IpAssocAnswer;
import com.cloud.agent.api.routing.IpAssocCommand;
import com.cloud.agent.api.routing.NetworkElementCommand;
import com.cloud.agent.api.routing.SetFirewallRulesCommand;
import com.cloud.agent.api.routing.SetPortForwardingRulesCommand;
import com.cloud.agent.api.routing.SetStaticNatRulesCommand;
import com.cloud.agent.api.to.FirewallRuleTO;
import com.cloud.agent.api.to.IpAddressTO;
import com.cloud.agent.api.to.PortForwardingRuleTO;
import com.cloud.agent.api.to.StaticNatRuleTO;
import com.cloud.host.Host;
import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.TrafficType;
import com.cloud.network.rules.FirewallRule.Purpose;
import com.cloud.network.rules.FirewallRule.State;
import com.cloud.resource.ServerResource;
import com.cloud.utils.NumbersUtil;
import com.cloud.utils.exception.ExecutionException;
import com.cloud.utils.net.NetUtils;
import com.cloud.utils.script.Script;
// http client handling
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.BasicResponseHandler;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.NameValuePair;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.protocol.HTTP;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.net.URLDecoder;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import com.cloud.network.utils.HttpClientWrapper;
// for prettyFormat()
import javax.xml.transform.stream.StreamSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Source;
import java.io.StringWriter;
public class PaloAltoResourceTest {
// configuration data
private String _test_name = "PaloAltoTestDevice";
private String _test_zoneId = "TestZone";
private String _test_ip = "192.168.80.2";
private String _test_username = "admin";
private String _test_password = "admin";
private String _test_publicInterface = "ethernet1/1";
private String _test_privateInterface = "ethernet1/2";
private String _test_publicZone = "untrust";
private String _test_privateZone = "trust";
private String _test_virtualRouter = "default";
MockablePaloAltoResource _resource;
Map<String, Object> _resource_params;
HashMap<String, String> _context;
@Before
public void setUp() {
_resource = new MockablePaloAltoResource();
_resource_params = new HashMap<String, Object>(); // params to be passed to configure()
_resource_params.put("name", _test_name);
_resource_params.put("zoneId", _test_zoneId);
_resource_params.put("ip", _test_ip);
_resource_params.put("username", _test_username);
_resource_params.put("password", _test_password);
_resource_params.put("publicinterface", _test_publicInterface);
_resource_params.put("privateinterface", _test_privateInterface);
_resource_params.put("publicnetwork", _test_publicZone);
_resource_params.put("privatenetwork", _test_privateZone);
_resource_params.put("pavr", _test_virtualRouter);
_resource_params.put("guid", "aaaaa-bbbbb-ccccc");
_context = new HashMap<String, String>(); // global context
_context.put("name", _test_name);
_context.put("zone_id", _test_zoneId);
_context.put("ip", _test_ip);
_context.put("username", _test_username);
_context.put("password", _test_password);
_context.put("public_interface", _test_publicInterface);
_context.put("private_interface", _test_privateInterface);
_context.put("public_zone", _test_publicZone);
_context.put("private_zone", _test_privateZone);
_context.put("pa_vr", _test_virtualRouter);
// --
_context.put("public_using_ethernet", "true");
_context.put("private_using_ethernet", "true");
_context.put("has_management_profile", "true");
_context.put("enable_console_output", "false"); // CHANGE TO "true" TO ENABLE CONSOLE LOGGING OF TESTS
_resource.setMockContext(_context);
}
@Test (expected=ConfigurationException.class)
public void resourceConfigureFailure() throws ConfigurationException {
_resource.configure("PaloAltoResource", new HashMap<String, Object>());
}
@Test
public void resourceConfigureWithoutManagementProfile() throws ConfigurationException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: resourceConfigureWithoutManagementProfile");
System.out.println("---------------------------------------------------");
}
_context.remove("has_management_profile");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
}
@Test
public void resourceConfigureWithManagementProfile() throws ConfigurationException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: resourceConfigureWithManagementProfile");
System.out.println("---------------------------------------------------");
}
_resource.configure("PaloAltoResource", _resource_params);
}
@Test (expected=ConfigurationException.class)
public void simulateFirewallNotConfigurable() throws ConfigurationException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: simulateFirewallNotConfigurable");
System.out.println("---------------------------------------------------");
}
_context.put("firewall_has_pending_changes", "true");
_context.remove("has_management_profile");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
}
@Test (expected=ConfigurationException.class)
public void simulateFirewallCommitFailure() throws ConfigurationException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: simulateFirewallCommitFailure");
System.out.println("---------------------------------------------------");
}
_context.put("simulate_commit_failure", "true");
_context.remove("has_management_profile");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
}
@Test
public void testInitialize() throws ConfigurationException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: testInitialization");
System.out.println("---------------------------------------------------");
}
_resource.configure("PaloAltoResource", _resource_params);
StartupCommand[] sc = _resource.initialize();
assertTrue(sc.length == 1);
assertTrue("aaaaa-bbbbb-ccccc".equals(sc[0].getGuid()));
assertTrue("PaloAltoTestDevice".equals(sc[0].getName()));
assertTrue("TestZone".equals(sc[0].getDataCenter()));
}
@Test // implement public & private interfaces, source nat, guest network
public void implementGuestNetwork() throws ConfigurationException, ExecutionException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: implementGuestNetwork");
System.out.println("---------------------------------------------------");
}
_resource.configure("PaloAltoResource", _resource_params);
IpAddressTO ip = new IpAddressTO(Long.valueOf("1"), "192.168.80.102", true, false, true, "untagged", null, null, null, 100, false);
IpAddressTO[] ips = new IpAddressTO[1];
ips[0] = ip;
IpAssocCommand cmd = new IpAssocCommand(ips);
cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_GATEWAY, "10.3.96.1");
cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
cmd.setAccessDetail(NetworkElementCommand.GUEST_VLAN_TAG, "3954");
IpAssocAnswer answer = (IpAssocAnswer) _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test // remove public & private interface details, source nat, guest network
public void shutdownGuestNetwork() throws ConfigurationException, ExecutionException {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: shutdownGuestNetwork");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
IpAddressTO ip = new IpAddressTO(Long.valueOf("1"), "192.168.80.102", false, false, true, "untagged", null, null, null, 100, false);
IpAddressTO[] ips = new IpAddressTO[1];
ips[0] = ip;
IpAssocCommand cmd = new IpAssocCommand(ips);
cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_GATEWAY, "10.3.96.1");
cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
cmd.setAccessDetail(NetworkElementCommand.GUEST_VLAN_TAG, "3954");
IpAssocAnswer answer = (IpAssocAnswer) _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void addIngressFirewallRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: addIngressFirewallRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
List<String> cidrList = new ArrayList<String>();
cidrList.add("0.0.0.0/0");
FirewallRuleTO active = new FirewallRuleTO(8,
null, "192.168.80.103", "tcp", 80, 80, false, false,
FirewallRule.Purpose.Firewall, cidrList, null, null);
rules.add(active);
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void removeIngressFirewallRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: removeIngressFirewallRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_context.put("has_ingress_fw_rule", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
FirewallRuleTO revoked = new FirewallRuleTO(8,
null, "192.168.80.103", "tcp", 80, 80, true, false,
FirewallRule.Purpose.Firewall, null, null, null);
rules.add(revoked);
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void addEgressFirewallRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: addEgressFirewallRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
List<String> cidrList = new ArrayList<String>();
cidrList.add("0.0.0.0/0");
FirewallRuleVO activeVO = new FirewallRuleVO(null, null, 80, 80, "tcp",
1, 1, 1, Purpose.Firewall, cidrList, null,
null, null, FirewallRule.TrafficType.Egress);
FirewallRuleTO active = new FirewallRuleTO(activeVO, Long.toString(vlanId), null, Purpose.Firewall, FirewallRule.TrafficType.Egress);
rules.add(active);
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void removeEgressFirewallRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: removeEgressFirewallRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_context.put("has_egress_fw_rule", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
FirewallRuleVO revokedVO = new FirewallRuleVO(null, null, 80, 80, "tcp",
1, 1, 1, Purpose.Firewall, null, null, null, null, FirewallRule.TrafficType.Egress);
revokedVO.setState(State.Revoke);
FirewallRuleTO revoked = new FirewallRuleTO(revokedVO, Long.toString(vlanId), null, Purpose.Firewall, FirewallRule.TrafficType.Egress);
rules.add(revoked);
SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void addStaticNatRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: addStaticNatRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<StaticNatRuleTO> rules = new ArrayList<StaticNatRuleTO>();
StaticNatRuleTO active = new StaticNatRuleTO(0, "192.168.80.103", null,
null, "10.3.97.158", null, null, null, false, false);
rules.add(active);
SetStaticNatRulesCommand cmd = new SetStaticNatRulesCommand(rules, null);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void removeStaticNatRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: removeStaticNatRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_context.put("has_stc_nat_rule", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<StaticNatRuleTO> rules = new ArrayList<StaticNatRuleTO>();
StaticNatRuleTO revoked = new StaticNatRuleTO(0, "192.168.80.103", null,
null, "10.3.97.158", null, null, null, true, false);
rules.add(revoked);
SetStaticNatRulesCommand cmd = new SetStaticNatRulesCommand(rules, null);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void addPortForwardingRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: addPortForwardingRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<PortForwardingRuleTO> rules = new ArrayList<PortForwardingRuleTO>();
PortForwardingRuleTO active = new PortForwardingRuleTO(9, "192.168.80.103", 80,
80, "10.3.97.158", 8080, 8080, "tcp", false, false);
rules.add(active);
SetPortForwardingRulesCommand cmd = new SetPortForwardingRulesCommand(rules);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
@Test
public void removePortForwardingRule() throws ConfigurationException, Exception {
if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
System.out.println("\nTEST: removePortForwardingRule");
System.out.println("---------------------------------------------------");
}
_context.put("has_public_interface", "true");
_context.put("has_private_interface", "true");
_context.put("has_src_nat_rule", "true");
_context.put("has_isolation_fw_rule", "true");
_context.put("has_service_tcp_80", "true");
_context.put("has_dst_nat_rule", "true");
_resource.setMockContext(_context);
_resource.configure("PaloAltoResource", _resource_params);
long vlanId = 3954;
List<PortForwardingRuleTO> rules = new ArrayList<PortForwardingRuleTO>();
PortForwardingRuleTO revoked = new PortForwardingRuleTO(9, "192.168.80.103", 80,
80, "10.3.97.158", 8080, 8080, "tcp", true, false);
rules.add(revoked);
SetPortForwardingRulesCommand cmd = new SetPortForwardingRulesCommand(rules);
cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
Answer answer = _resource.executeRequest(cmd);
assertTrue(answer.getResult());
}
}

1
plugins/pom.xml
View File

@ -44,6 +44,7 @@
<module>network-elements/elastic-loadbalancer</module>
<module>network-elements/ovs</module>
<module>network-elements/juniper-contrail</module>
<module>network-elements/palo-alto</module>
<module>network-elements/nicira-nvp</module>
<module>network-elements/bigswitch-vns</module>
<module>network-elements/midonet</module>

2
server/src/com/cloud/api/ApiResponseHelper.java
View File

@ -2631,7 +2631,7 @@ public class ApiResponseHelper implements ResponseGenerator {
List<ProviderResponse> serviceProvidersResponses = new ArrayList<ProviderResponse>();
for (Network.Provider serviceProvider : serviceProviders) {
// return only Virtual Router/JuniperSRX/CiscoVnmc as a provider for the firewall
if (service == Service.Firewall && !(serviceProvider == Provider.VirtualRouter || serviceProvider == Provider.JuniperSRX || serviceProvider == Provider.CiscoVnmc)) {
if (service == Service.Firewall && !(serviceProvider == Provider.VirtualRouter || serviceProvider == Provider.JuniperSRX || serviceProvider == Provider.CiscoVnmc || serviceProvider == Provider.PaloAlto)) {
continue;
}

4
server/src/com/cloud/configuration/ConfigurationManagerImpl.java
View File

@ -3792,6 +3792,10 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
firewallProvider = provider;
}
if (provider == Provider.PaloAlto) {
firewallProvider = Provider.PaloAlto;
}
if ((service == Service.PortForwarding || service == Service.StaticNat)
&& provider == Provider.VirtualRouter) {
firewallProvider = Provider.VirtualRouter;

7
ui/dictionary.jsp
View File

@ -322,6 +322,7 @@ dictionary = {
'label.add.new.gateway': '<fmt:message key="label.add.new.gateway" />',
'label.add.new.NetScaler': '<fmt:message key="label.add.new.NetScaler" />',
'label.add.new.SRX': '<fmt:message key="label.add.new.SRX" />',
'label.add.new.PA': '<fmt:message key="label.add.new.PA" />',
'label.add.new.tier': '<fmt:message key="label.add.new.tier" />',
'label.add.NiciraNvp.device': '<fmt:message key="label.add.NiciraNvp.device" />',
'label.add.pod': '<fmt:message key="label.add.pod" />',
@ -334,6 +335,7 @@ dictionary = {
'label.add.security.group': '<fmt:message key="label.add.security.group" />',
'label.add.service.offering': '<fmt:message key="label.add.service.offering" />',
'label.add.SRX.device': '<fmt:message key="label.add.SRX.device" />',
'label.add.PA.device': '<fmt:message key="label.add.PA.device" />',
'label.add.static.nat.rule': '<fmt:message key="label.add.static.nat.rule" />',
'label.add.static.route': '<fmt:message key="label.add.static.route" />',
'label.add.system.service.offering': '<fmt:message key="label.add.system.service.offering" />',
@ -480,6 +482,7 @@ dictionary = {
'label.delete.NiciraNvp': '<fmt:message key="label.delete.NiciraNvp" />',
'label.delete.project': '<fmt:message key="label.delete.project" />',
'label.delete.SRX': '<fmt:message key="label.delete.SRX" />',
'label.delete.PA': '<fmt:message key="label.delete.PA" />',
'label.delete.VPN.connection': '<fmt:message key="label.delete.VPN.connection" />',
'label.delete.VPN.customer.gateway': '<fmt:message key="label.delete.VPN.customer.gateway" />',
'label.delete.VPN.gateway': '<fmt:message key="label.delete.VPN.gateway" />',
@ -859,6 +862,8 @@ dictionary = {
'label.owned.public.ips': '<fmt:message key="label.owned.public.ips" />',
'label.owner.account': '<fmt:message key="label.owner.account" />',
'label.owner.domain': '<fmt:message key="label.owner.domain" />',
'label.PA.log.profile': '<fmt:message key="label.PA.log.profile" />',
'label.PA.threat.profile': '<fmt:message key="label.PA.threat.profile" />',
'label.parent.domain': '<fmt:message key="label.parent.domain" />',
'label.password.enabled': '<fmt:message key="label.password.enabled" />',
'label.password': '<fmt:message key="label.password" />',
@ -1031,6 +1036,7 @@ dictionary = {
'label.specify.vxlan': '<fmt:message key="label.specify.vxlan" />',
'label.SR.name ': '<fmt:message key="label.SR.name " />',
'label.srx': '<fmt:message key="label.srx" />',
'label.PA': '<fmt:message key="label.PA" />',
'label.start.IP': '<fmt:message key="label.start.IP" />',
'label.start.port': '<fmt:message key="label.start.port" />',
'label.start.reserved.system.IP': '<fmt:message key="label.start.reserved.system.IP" />',
@ -1332,6 +1338,7 @@ dictionary = {
'message.confirm.delete.F5': '<fmt:message key="message.confirm.delete.F5" />',
'message.confirm.delete.NetScaler': '<fmt:message key="message.confirm.delete.NetScaler" />',
'message.confirm.delete.SRX': '<fmt:message key="message.confirm.delete.SRX" />',
'message.confirm.delete.PA': '<fmt:message key="message.confirm.delete.PA" />',
'message.confirm.destroy.router': '<fmt:message key="message.confirm.destroy.router" />',
'message.confirm.disable.provider': '<fmt:message key="message.confirm.disable.provider" />',
'message.confirm.enable.provider': '<fmt:message key="message.confirm.enable.provider" />',

69
ui/scripts/docs.js
View File

@ -770,6 +770,75 @@ cloudStack.docs = {
desc: 'Number of guest networks/accounts that will share this device',
externalLink: ''
},
// Add Palo Alto
helpPaloAltoIPAddress: {
desc: 'The IP address of the device',
externalLink: ''
},
helpPaloAltoUsername: {
desc: 'A user ID with valid authentication credentials that provide to access the device',
externalLink: ''
},
helpPaloAltoPassword: {
desc: 'The password for the user ID provided in Username',
externalLink: ''
},
helpPaloAltoType: {
desc: 'The type of device that is being added',
externalLink: ''
},
helpPaloAltoPublicInterface: {
desc: 'Interface of device that is configured to be part of the public network. For example, ge-0/0/2',
externalLink: ''
},
helpPaloAltoPrivateInterface: {
desc: 'Interface of device that is configured to be part of the private network. For example, ge-0/0/1',
externalLink: ''
},
helpPaloAltoUsageInterface: {
desc: 'Interface used to meter traffic. If you don\'t want to use the public interface, specify a different interface name here.',
externalLink: ''
},
helpPaloAltoRetries: {
desc: 'Number of times to attempt a command on the device before considering the operation failed. Default is 2.',
externalLink: ''
},
helpPaloAltoTimeout: {
desc: 'The time to wait for a command on the Palo Alto before considering it failed. Default is 300 seconds.',
externalLink: ''
},
helpPaloAltoMode: {
desc: 'Side by side mode is supported for the Palo Alto.',
externalLink: ''
},
helpPaloAltoPublicNetwork: {
desc: 'The name of the public network on the Palo Alto. For example, trust.',
externalLink: ''
},
helpPaloAltoPrivateNetwork: {
desc: 'The name of the private network on the Palo Alto. For example, untrust.',
externalLink: ''
},
helpPaloAltoVirtualRouter: {
desc: 'The name of the virtual router on the Palo Alto.',
externalLink: ''
},
helpPaloAltoThreatProfile: {
desc: 'The threat profile name/group to associate with allow firewall policies.',
externalLink: ''
},
helpPaloAltoLogProfile: {
desc: 'The log profile name/group to associate with allow firewall policies.',
externalLink: ''
},
helpPaloAltoDedicated: {
desc: 'Check this box to dedicate the device to a single account. The value in the Capacity field will be ignored.',
externalLink: ''
},
helpPaloAltoCapacity: {
desc: 'Number of guest networks/accounts that will share this device',
externalLink: ''
},
// Add system service offering
helpSystemOfferingName: {
desc: 'Any desired name for the offering',

572
ui/scripts/system.js
View File

@ -4944,6 +4944,288 @@
}
},
// Palo Alto provider detailView
pa: {
type: 'detailView',
id: 'paProvider',
label: 'label.PA',
viewAll: {
label: 'label.devices',
path: '_zone.paDevices'
},
tabs: {
details: {
title: 'label.details',
fields: [{
name: {
label: 'label.name'
}
}, {
state: {
label: 'label.state'
}
}],
dataProvider: function (args) {
refreshNspData("PaloAlto");
var providerObj;
$(nspHardcodingArray).each(function () {
if (this.id == "pa") {
providerObj = this;
return false; //break each loop
}
});
args.response.success({
data: providerObj,
actionFilter: networkProviderActionFilter('pa')
});
}
}
},
actions: {
add: {
label: 'label.add.PA.device',
createForm: {
title: 'label.add.PA.device',
fields: {
ip: {
label: 'label.ip.address',
docID: 'helpPaloAltoIPAddress'
},
username: {
label: 'label.username',
docID: 'helpPaloAltoUsername'
},
password: {
label: 'label.password',
isPassword: true,
docID: 'helpPaloAltoPassword'
},
networkdevicetype: {
label: 'label.type',
docID: 'helpPaloAltoType',
select: function (args) {
var items = [];
items.push({
id: "PaloAltoFirewall",
description: "Palo Alto Firewall"
});
args.response.success({
data: items
});
}
},
publicinterface: {
label: 'label.public.interface',
docID: 'helpPaloAltoPublicInterface'
},
privateinterface: {
label: 'label.private.interface',
docID: 'helpPaloAltoPrivateInterface'
},
//usageinterface: {
// label: 'Usage interface',
// docID: 'helpPaloAltoUsageInterface'
//},
numretries: {
label: 'label.numretries',
defaultValue: '2',
docID: 'helpPaloAltoRetries'
},
timeout: {
label: 'label.timeout',
defaultValue: '300',
docID: 'helpPaloAltoTimeout'
},
// inline: {
// label: 'Mode',
// docID: 'helpPaloAltoMode',
// select: function(args) {
// var items = [];
// items.push({id: "false", description: "side by side"});
// items.push({id: "true", description: "inline"});
// args.response.success({data: items});
// }
// },
publicnetwork: {
label: 'label.public.network',
defaultValue: 'untrust',
docID: 'helpPaloAltoPublicNetwork'
},
privatenetwork: {
label: 'label.private.network',
defaultValue: 'trust',
docID: 'helpPaloAltoPrivateNetwork'
},
pavr: {
label: 'label.virtual.router',
docID: 'helpPaloAltoVirtualRouter'
},
patp: {
label: 'label.PA.threat.profile',
docID: 'helpPaloAltoThreatProfile'
},
palp: {
label: 'label.PA.log.profile',
docID: 'helpPaloAltoLogProfile'
},
capacity: {
label: 'label.capacity',
validation: {
required: false,
number: true
},
docID: 'helpPaloAltoCapacity'
},
dedicated: {
label: 'label.dedicated',
isBoolean: true,
isChecked: false,
docID: 'helpPaloAltoDedicated'
}
}
},
action: function (args) {
if (nspMap["pa"] == null) {
$.ajax({
url: createURL("addNetworkServiceProvider&name=PaloAlto&physicalnetworkid=" + selectedPhysicalNetworkObj.id),
dataType: "json",
async: true,
success: function (json) {
var jobId = json.addnetworkserviceproviderresponse.jobid;
var addPaloAltoProviderIntervalID = setInterval(function () {
$.ajax({
url: createURL("queryAsyncJobResult&jobId=" + jobId),
dataType: "json",
success: function (json) {
var result = json.queryasyncjobresultresponse;
if (result.jobstatus == 0) {
return; //Job has not completed
} else {
clearInterval(addPaloAltoProviderIntervalID);
if (result.jobstatus == 1) {
nspMap["pa"] = json.queryasyncjobresultresponse.jobresult.networkserviceprovider;
addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
} else if (result.jobstatus == 2) {
alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + _s(result.jobresult.errortext));
}
}
},
error: function (XMLHttpResponse) {
var errorMsg = parseXMLHttpResponse(XMLHttpResponse);
alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + errorMsg);
}
});
}, 3000);
}
});
} else {
addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
}
},
messages: {
notification: function (args) {
return 'label.add.PA.device';
}
},
notification: {
poll: pollAsyncJobResult
}
},
enable: {
label: 'label.enable.provider',
action: function (args) {
$.ajax({
url: createURL("updateNetworkServiceProvider&id=" + nspMap["pa"].id + "&state=Enabled"),
dataType: "json",
success: function (json) {
var jid = json.updatenetworkserviceproviderresponse.jobid;
args.response.success({
_custom: {
jobId: jid,
getUpdatedItem: function (json) {
$(window).trigger('cloudStack.fullRefresh');
}
}
});
}
});
},
messages: {
confirm: function (args) {
return 'message.confirm.enable.provider';
},
notification: function () {
return 'label.enable.provider';
}
},
notification: {
poll: pollAsyncJobResult
}
},
disable: {
label: 'label.disable.provider',
action: function (args) {
$.ajax({
url: createURL("updateNetworkServiceProvider&id=" + nspMap["pa"].id + "&state=Disabled"),
dataType: "json",
success: function (json) {
var jid = json.updatenetworkserviceproviderresponse.jobid;
args.response.success({
_custom: {
jobId: jid,
getUpdatedItem: function (json) {
$(window).trigger('cloudStack.fullRefresh');
}
}
});
}
});
},
messages: {
confirm: function (args) {
return 'message.confirm.disable.provider';
},
notification: function () {
return 'label.disable.provider';
}
},
notification: {
poll: pollAsyncJobResult
}
},
destroy: {
label: 'label.shutdown.provider',
action: function (args) {
$.ajax({
url: createURL("deleteNetworkServiceProvider&id=" + nspMap["pa"].id),
dataType: "json",
success: function (json) {
var jid = json.deletenetworkserviceproviderresponse.jobid;
args.response.success({
_custom: {
jobId: jid
}
});
$(window).trigger('cloudStack.fullRefresh');
}
});
},
messages: {
confirm: function (args) {
return 'message.confirm.shutdown.provider';
},
notification: function (args) {
return 'label.shutdown.provider';
}
},
notification: {
poll: pollAsyncJobResult
}
}
}
},
// Security groups detail view
securityGroups: {
id: 'securityGroup-providers',
@ -9156,6 +9438,250 @@
}
}
},
//Palo Alto devices listView
paDevices: {
id: 'paDevices',
title: 'label.devices',
listView: {
id: 'paDevices',
fields: {
ipaddress: {
label: 'label.ip.address'
},
fwdevicestate: {
label: 'label.status'
},
fwdevicename: {
label: 'label.type'
}
},
actions: {
add: {
label: 'label.add.PA.device',
createForm: {
title: 'label.add.PA.device',
fields: {
ip: {
label: 'label.ip.address'
},
username: {
label: 'label.username'
},
password: {
label: 'label.password',
isPassword: true
},
networkdevicetype: {
label: 'label.type',
select: function (args) {
var items = [];
items.push({
id: "PaloAltoFirewall",
description: "Palo Alto Firewall"
});
args.response.success({
data: items
});
}
},
publicinterface: {
label: 'label.public.interface'
},
privateinterface: {
label: 'label.private.interface'
},
//usageinterface: {
// label: 'label.usage.interface'
//},
numretries: {
label: 'label.numretries',
defaultValue: '2'
},
timeout: {
label: 'label.timeout',
defaultValue: '300'
},
// inline: {
// label: 'Mode',
// select: function(args) {
// var items = [];
// items.push({id: "false", description: "side by side"});
// items.push({id: "true", description: "inline"});
// args.response.success({data: items});
// }
// },
publicnetwork: {
label: 'label.public.network',
defaultValue: 'untrust'
},
privatenetwork: {
label: 'label.private.network',
defaultValue: 'trust'
},
pavr: {
label: 'label.virtual.router'
},
patp: {
label: 'label.PA.threat.profile'
},
palp: {
label: 'label.PA.log.profile'
},
capacity: {
label: 'label.capacity',
validation: {
required: false,
number: true
}
},
dedicated: {
label: 'label.dedicated',
isBoolean: true,
isChecked: false
}
}
},
action: function (args) {
if (nspMap["pa"] == null) {
$.ajax({
url: createURL("addNetworkServiceProvider&name=PaloAlto&physicalnetworkid=" + selectedPhysicalNetworkObj.id),
dataType: "json",
async: true,
success: function (json) {
var jobId = json.addnetworkserviceproviderresponse.jobid;
var addPaloAltoProviderIntervalID = setInterval(function () {
$.ajax({
url: createURL("queryAsyncJobResult&jobId=" + jobId),
dataType: "json",
success: function (json) {
var result = json.queryasyncjobresultresponse;
if (result.jobstatus == 0) {
return; //Job has not completed
} else {
clearInterval(addPaloAltoProviderIntervalID);
if (result.jobstatus == 1) {
nspMap["pa"] = json.queryasyncjobresultresponse.jobresult.networkserviceprovider;
addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
} else if (result.jobstatus == 2) {
alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + _s(result.jobresult.errortext));
}
}
},
error: function (XMLHttpResponse) {
var errorMsg = parseXMLHttpResponse(XMLHttpResponse);
alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + errorMsg);
}
});
}, 3000);
}
});
} else {
addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
}
},
messages: {
notification: function (args) {
return 'label.add.PA.device';
}
},
notification: {
poll: pollAsyncJobResult
}
}
},
dataProvider: function (args) {
$.ajax({
url: createURL("listPaloAltoFirewalls&physicalnetworkid=" + selectedPhysicalNetworkObj.id),
data: {
page: args.page,
pageSize: pageSize
},
dataType: "json",
async: false,
success: function (json) {
var items = json.listpaloaltofirewallresponse.paloaltofirewall;
args.response.success({
data: items
});
}
});
},
detailView: {
name: 'Palo Alto details',
actions: {
'remove': {
label: 'label.delete.PA',
messages: {
confirm: function (args) {
return 'message.confirm.delete.PA';
},
notification: function (args) {
return 'label.delete.PA';
}
},
action: function (args) {
$.ajax({
url: createURL("deletePaloAltoFirewall&fwdeviceid=" + args.context.paDevices[0].fwdeviceid),
dataType: "json",
async: true,
success: function (json) {
var jid = json.deletepaloaltofirewallresponse.jobid;
args.response.success({
_custom: {
jobId: jid
}
});
}
});
},
notification: {
poll: pollAsyncJobResult
}
}
},
tabs: {
details: {
title: 'label.details',
fields: [{
fwdeviceid: {
label: 'label.id'
},
ipaddress: {
label: 'label.ip.address'
},
fwdevicestate: {
label: 'label.status'
},
fwdevicename: {
label: 'label.type'
},
fwdevicecapacity: {
label: 'label.capacity'
},
timeout: {
label: 'label.timeout'
}
}],
dataProvider: function (args) {
$.ajax({
url: createURL("listPaloAltoFirewalls&fwdeviceid=" + args.context.paDevices[0].fwdeviceid),
dataType: "json",
async: true,
success: function (json) {
var item = json.listpaloaltofirewallresponse.paloaltofirewall[0];
args.response.success({
data: item
});
}
});
}
}
}
}
}
},
// FIXME convert to nicira detailview
// NiciraNvp devices listView
niciraNvpDevices: {
@ -15763,6 +16289,44 @@
}
url.push("fwdevicededicated=" + dedicated.toString());
// START - Palo Alto Specific Fields
var externalVirtualRouter = args.data.pavr;
if(externalVirtualRouter != null && externalVirtualRouter.length > 0) {
if(isQuestionMarkAdded == false) {
url.push("?");
isQuestionMarkAdded = true;
}
else {
url.push("&");
}
url.push("pavr=" + encodeURIComponent(externalVirtualRouter));
}
var externalThreatProfile = args.data.patp;
if(externalThreatProfile != null && externalThreatProfile.length > 0) {
if(isQuestionMarkAdded == false) {
url.push("?");
isQuestionMarkAdded = true;
}
else {
url.push("&");
}
url.push("patp=" + encodeURIComponent(externalThreatProfile));
}
var externalLogProfile = args.data.palp;
if(externalLogProfile != null && externalLogProfile.length > 0) {
if(isQuestionMarkAdded == false) {
url.push("?");
isQuestionMarkAdded = true;
}
else {
url.push("&");
}
url.push("palp=" + encodeURIComponent(externalLogProfile));
}
// END - Palo Alto Specific Fields
array1.push("&url=" + todb(url.join("")));
//construct URL ends here
@ -16495,6 +17059,9 @@
case "JuniperSRX":
nspMap["srx"] = items[i];
break;
case "PaloAlto":
nspMap["pa"] = items[i];
break;
case "SecurityGroupProvider":
nspMap["securityGroups"] = items[i];
break;
@ -16576,6 +17143,11 @@
name: 'SRX',
state: nspMap.srx ? nspMap.srx.state : 'Disabled'
});
nspHardcodingArray.push({
id: 'pa',
name: 'Palo Alto',
state: nspMap.pa ? nspMap.pa.state : 'Disabled'
});
}
};