Merge pull request #544 from swaschkut/main

UTIL type=device | introduce actions==sp_spg-create-BP

CHANGELOG.txt

@@ -3,14 +3,22 @@ CHANGELOG
 2.0.34
 UTILS:
 * UTIL API - introduce postman_collection
+* UTIL type=device actions=display-shadowrule | improve JSON output
+* UTIL develop - introduce create_template_mgmt_permittedips.php
+* UTIL type=device | introduce actions==sp_spg-create-BP
+* UTIL type=device | extend actions=actions=sp_spg-create-BP:true/false,SP-NAME - with SP-NAME defined only the OUTBOUND profile is created with the defined SP-NAME
+* UTIL optimise test_filter script for QA
 
 BUGFIX:
 * UTIL API - bugfix related to JSON output
 * UTIL type=rule | bugfix 'filter=(rule is.unused.fast)' if searching via API mode on Panorama
 * class PanAPIConnector | bugfix to avoid using shadow-apikeynohidden for PAN-OS >=9 if Panorama is used as proxy
 * UTIL type=rule 'filter=(src has OBJECTNAME)' - fix if object does not exist at same DG level or above - filter is now returning false
+* UTIL type=tag | bugfix for 'filter=(reflocation is shared )'
 
 GENERAL:
+* introduce UTIL actions test script
+* framework | bugfixes for different CLASSES related to UTIL test_filter / test_action found issues
 
 
 2.0.33 (20220404)

composer.json

@@ -15,6 +15,11 @@
         }
     ],
     "require": {
-        "php": ">=7.4.0"
+      "php": ">=7.4.0",
+      "ext-json": "*",
+      "ext-curl": "*",
+      "ext-dom": "*",
+      "ext-mbstring": "*",
+      "ext-bcmath": "*"
     }
 }

lib/container-classes/AddressRuleContainer.php

@@ -120,16 +120,20 @@ public function API_add($Obj)
      *
      * @return bool  True if Zone was found and removed. False if not found.
      */
-    public function remove($Obj, $rewriteXml = TRUE, $forceAny = FALSE)
+    public function remove($Obj, $rewriteXml = TRUE, $forceAny = FALSE, $context = null)
     {
         $count = count($this->o);
 
         $ret = parent::remove($Obj);
 
         if( $ret && $count == 1 && !$forceAny )
         {
-            derr("you are trying to remove last Object from a rule which will set it to ANY, please use forceAny=true for object: "
-                . $this->toString());
+            $string = "you are trying to remove last Object from a rule which will set it to ANY, please use forceAny=true for object: " . $this->toString();
+            if( $context === null )
+                derr( $string );
+
+            PH::ACTIONstatus( $context, 'skipped', $string);
+            return false;
         }
 
         if( $ret && $rewriteXml )
@@ -144,9 +148,9 @@ public function remove($Obj, $rewriteXml = TRUE, $forceAny = FALSE)
      * @param bool $forceAny
      * @return bool
      */
-    public function API_remove($Obj, $forceAny = FALSE)
+    public function API_remove($Obj, $forceAny = FALSE, $context = null)
     {
-        if( $this->remove($Obj, TRUE, $forceAny) )
+        if( $this->remove($Obj, TRUE, $forceAny, $context) )
         {
             $con = findConnectorOrDie($this);
 

lib/container-classes/ServiceRuleContainer.php

@@ -256,8 +256,13 @@ public function rewriteXML()
     {
         if( $this->appDef )
             DH::Hosts_to_xmlDom($this->xmlroot, $this->o, 'member', TRUE, 'application-default');
-        else
+        elseif( $this->xmlroot !== null )
             DH::Hosts_to_xmlDom($this->xmlroot, $this->o, 'member', TRUE);
+        elseif( $this->xmlroot === null )
+        {
+            //DH::Hosts_to_xmlDom($this->xmlroot, $this->o, 'member', TRUE);
+        }
+
     }
 
 

lib/misc-classes/PH.php

@@ -885,6 +885,8 @@ public static function UTILdeprecated( $type, $argv, $argc, $PHP_FILE)
         mwarning( 'this script '.basename($PHP_FILE).' is deprecated, please use: pan-os-php.php', null, FALSE );
         PH::print_stdout( PH::boldText("pan-os-php".$argString) );
 
+        PH::print_stdout( PH::boldText("sleeping now 15 seconds") );
+        sleep(15);
 
         PH::callPANOSPHP( $type, $argv, $argc, $PHP_FILE );
 

lib/misc-classes/filters/filters-Address.php

@@ -1241,7 +1241,7 @@
     'arg' => true,
     'help' => 'returns TRUE if object IP value describe multiple IP addresses; e.g. ip-range: 10.0.0.0-10.0.0.255 will match "ip.count > 200"',
     'ci' => array(
-        'fString' => '(%PROP%)',
+        'fString' => '(%PROP% 5)',
         'input' => 'input/panorama-8.0.xml'
     )
 );

lib/misc-classes/filters/filters-Rule.php

@@ -1084,6 +1084,10 @@
 );
 RQuery::$defaultFilters['rule']['tag']['operators']['has.regex'] = array(
     'Function' => function (RuleRQueryContext $context) {
+
+        if( !isset( $context->object->tags ) )
+            return FALSE;
+
         foreach( $context->object->tags->tags() as $tag )
         {
             $matching = preg_match($context->value, $tag->name());
@@ -1148,7 +1152,8 @@
 RQuery::$defaultFilters['rule']['app']['operators']['has.regex'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+
+        if( !isset( $context->object->apps ) )
             return FALSE;
 
         foreach( $context->object->apps->apps() as $app )
@@ -1172,7 +1177,7 @@
 RQuery::$defaultFilters['rule']['app']['operators']['has.recursive'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+        if( !isset( $rule->apps ) )
             return FALSE;
 
         foreach( $rule->apps->getAll() as $app)
@@ -1208,7 +1213,7 @@
 RQuery::$defaultFilters['rule']['app']['operators']['includes.full.or.partial'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+        if( !isset( $rule->apps ) )
             return FALSE;
 
         /** @var Rule|SecurityRule|AppOverrideRule|PbfRule|QoSRule $object */
@@ -1224,7 +1229,7 @@
 RQuery::$defaultFilters['rule']['app']['operators']['includes.full.or.partial.nocase'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+        if( !isset( $rule->apps ) )
             return FALSE;
 
         return $rule->apps->includesApp($context->value, FALSE) === TRUE;
@@ -1238,7 +1243,7 @@
 RQuery::$defaultFilters['rule']['app']['operators']['included-in.full.or.partial'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+        if( !isset( $rule->apps ) )
             return FALSE;
 
         /** @var Rule|SecurityRule|AppOverrideRule|PbfRule|QoSRule $object */
@@ -1254,7 +1259,7 @@
 RQuery::$defaultFilters['rule']['app']['operators']['included-in.full.or.partial.nocase'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+        if( !isset( $rule->apps ) )
             return FALSE;
 
         return $rule->apps->includedInApp($context->value, FALSE) === TRUE;
@@ -1268,7 +1273,7 @@
 RQuery::$defaultFilters['rule']['app']['operators']['custom.has.signature'] = array(
     'Function' => function (RuleRQueryContext $context) {
         $rule = $context->object;
-        if( $rule->isNatRule() || $rule->isDecryptionRule() || $rule->isCaptivePortalRule() || $rule->isAuthenticationRule() || $rule->isDoSRule() )
+        if( !isset( $rule->apps ) )
             return FALSE;
 
         /** @var Rule|SecurityRule|AppOverrideRule|PbfRule|QoSRule $object */
@@ -1290,6 +1295,9 @@
         if( $rule->isNatRule() )
             return $rule->service === null;
 
+        if( $rule->services ===  null )
+            return false;
+
         return $rule->services->isAny();
     },
     'arg' => FALSE,
@@ -1311,7 +1319,7 @@
 RQuery::$defaultFilters['rule']['service']['operators']['has'] = array(
     'eval' => function ($object, &$nestedQueries, $value) {
         /** @var Rule|SecurityRule|NatRule|DecryptionRule|AppOverrideRule|CaptivePortalRule|AuthenticationRule|PbfRule|QoSRule|DoSRule $object */
-        return $object->services->has($value) === TRUE;
+        return $object->isSecurityRule() && $object->services->has($value) === TRUE;
     },
     'arg' => TRUE,
     'argObjectFinder' => "\$objectFind=null;\n\$objectFind=\$object->services->parentCentralStore->find('!value!');"
@@ -1325,6 +1333,9 @@
                 return FALSE;
             return $object->service === $value;
         }
+        if( $object->services === null )
+            return FALSE;
+
         if( $object->services->count() != 1 || !$object->services->has($value) )
             return FALSE;
 
@@ -1349,6 +1360,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         foreach( $rule->services->all() as $service )
         {
             $matching = preg_match($context->value, $service->name());
@@ -1387,6 +1401,9 @@
             return $rule->service->hasNamedObjectRecursive($value);
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         return $rule->services->hasNamedObjectRecursive($value);
     },
     'arg' => TRUE,
@@ -1406,6 +1423,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         /** @var Service|ServiceGroup $value */
         $objects = $rule->services->all();
 
@@ -1445,6 +1465,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         /** @var Service|ServiceGroup $value */
         $objects = $rule->services->all();
         foreach( $objects as $object )
@@ -1484,6 +1507,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         /** @var Service|ServiceGroup $value */
         $objects = $rule->services->all();
 
@@ -1524,6 +1550,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         /** @var Service|ServiceGroup $value */
         $objects = $rule->services->all();
         foreach( $objects as $object )
@@ -1563,6 +1592,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         return $rule->services->hasValue($value, TRUE);
     },
     'arg' => TRUE,
@@ -1583,6 +1615,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         return $rule->services->hasValue($value);
     },
     'arg' => TRUE,
@@ -1603,6 +1638,9 @@
             return FALSE;
         }
 
+        if( $rule->services === null )
+            return FALSE;
+
         if( $rule->services->count() != 1 )
             return FALSE;
 
@@ -1620,9 +1658,9 @@
         $counter = $context->value;
         $rule = $context->object;
 
-        if( $rule->isNatRule() )
+        if( !$rule->isSecurityRule() )
         {
-            mwarning("this filter does not yet support NAT Rules");
+            mwarning("this filter does only yet support Security Rules", null, FALSE);
             return FALSE;
         }
 
@@ -1649,9 +1687,9 @@
         $counter = $context->value;
         $rule = $context->object;
 
-        if( $rule->isNatRule() )
+        if( !$rule->isSecurityRule() )
         {
-            mwarning("this filter does not yet support NAT Rules");
+            mwarning("this filter does only yet support Security Rules", null, FALSE);
             return FALSE;
         }
 
@@ -1678,9 +1716,9 @@
         $counter = $context->value;
         $rule = $context->object;
 
-        if( $rule->isNatRule() )
+        if( !$rule->isSecurityRule() )
         {
-            mwarning("this filter does not yet support NAT Rules");
+            mwarning("this filter does only yet support Security Rules", null, FALSE);
             return FALSE;
         }
 

lib/misc-classes/trait/ReferenceableObject.php

@@ -235,7 +235,7 @@ public function getReferencesLocation( &$counter_array = array() )
         {
             #print get_class( $cur)."\n";
             //Firewall
-            if( isset($cur->owner->owner) && $cur->owner->owner !== null && $cur->owner->owner->name() !== "")
+            if( isset($cur->owner->owner) && $cur->owner->owner !== null && method_exists($cur->owner->owner,'name') && $cur->owner->owner->name() !== "")
             {
                 #print $cur->owner->owner->name()."\n";
                 $location_array[$cur->owner->owner->name()] = $cur->owner->owner->name();
@@ -246,14 +246,14 @@ public function getReferencesLocation( &$counter_array = array() )
             }
 
             //Panorama
-            if( isset($cur->owner->owner->owner) && $cur->owner->owner->owner !== null && $cur->owner->owner->owner->name() !== "")
+            if( isset($cur->owner->owner->owner) && $cur->owner->owner->owner !== null && method_exists($cur->owner->owner->owner,'name') && $cur->owner->owner->owner->name() !== "")
             {
                 #print $cur->owner->owner->owner->name()."\n";
                 $location_array[$cur->owner->owner->owner->name()] = $cur->owner->owner->owner->name();
-                if( isset($counter_array[$cur->owner->owner->name()]))
-                    $counter_array[$cur->owner->owner->name()] += 1;
+                if( isset($counter_array[$cur->owner->owner->owner->name()]))
+                    $counter_array[$cur->owner->owner->owner->name()] += 1;
                 else
-                    $counter_array[$cur->owner->owner->name()] = 1;
+                    $counter_array[$cur->owner->owner->owner->name()] = 1;
             }
 
 

lib/object-classes/AddressGroup.php

@@ -600,6 +600,12 @@ public function rewriteXML()
         if( $this->isDynamic() )
             derr('unsupported rewriteXML for dynamic group');
 
+        if( !isset($this->owner->owner) )
+            return;
+
+        if( $this->xmlroot === false || $this->membersRoot === false )
+            return;
+
         if( $this->owner->owner->version >= 60 )
             DH::Hosts_to_xmlDom($this->membersRoot, $this->members, 'member', FALSE);
         else

lib/object-classes/AddressStore.php

@@ -723,7 +723,7 @@ public function rewriteAddressGroupStoreXML()
      */
     public function newAddress($name, $type, $value, $description = '')
     {
-        $found = $this->find($name, null, TRUE);
+        $found = $this->find($name, null, FALSE);
         if( $found !== null )
             derr("cannot create Address named '" . $name . "' as this name is already in use");
 

lib/object-classes/SecurityProfileStore.php

@@ -512,11 +512,11 @@ public function load_predefined_url_categories_from_domxml(DOMElement $xml)
 
 
     /**
-     * @param SecurityProfile $tag
+     * @param SecurityProfile| URLProfile | AntiSpywareProfile | AntiVirusProfile | VulnerabilityProfile | FileBlockingProfile | WildfireProfile $tag
      *
      * @return bool  True if Zone was found and removed. False if not found.
      */
-    public function removeSecurityProfile(SecurityProfile $tag)
+    public function removeSecurityProfile( $tag)
     {
         $ret = $this->remove($tag);