Support v2 https layers (#97)

* Fix import failure of threat-profile overrides

* Fix import failure of threat-profile overrides

* support https layers V2 API change

Author: chkp-edenbr

exporting/export_https_rulebase.py

@@ -9,7 +9,7 @@
 
 def export_https_rulebase(package, layer, layer_uid, client):
     data_dict = {}
-
+    certs = {}
     debug_log("Exporting HTTPS Layer [" + layer + "]", True)
 
     layer_settings, rulebase_sections, rulebase_rules, general_objects = \
@@ -24,9 +24,23 @@ def export_https_rulebase(package, layer, layer_uid, client):
     to_position = None
 
     debug_log("Processing https rules and sections", True)
-
     for rulebase_item in rulebase_sections + rulebase_rules:
         if "rule" in rulebase_item["type"]:
+            cert_uid = rulebase_item["certificate"]
+            if cert_uid not in certs:
+                for index, obj in enumerate(unexportable_objects):
+                    if obj["uid"] == cert_uid:
+                        if "display-name" in obj:
+                            certs[cert_uid] = obj["display-name"]
+                        else:
+                            certs[cert_uid] = obj["name"].split(cert_uid + '_')[-1]
+                        rulebase_item["certificate"] = certs[cert_uid]
+                        unexportable_objects.pop(index)
+                        break
+            # in case the cert is a default obj then we can keep its uid
+            #we already iterated of this crt in a different rule
+            else:
+                rulebase_item["certificate"] = certs[cert_uid]
             replace_rule_field_uids_by_name(rulebase_item, general_objects)
         elif "section" in rulebase_item["type"]:
             if "from" in rulebase_item:

exporting/export_objects.py

@@ -48,6 +48,8 @@ def get_query_rulebase_data(client, api_type, payload):
                           "comments": layer_data["comments"],
                           "shared": layer_data["shared"],
                           "type": "https-layer"}
+        if "layer-type" in layer_data:
+            layer_settings["layer-type"] = layer_data["layer-type"]
     else:
         layer_settings = {"name": layer_data["name"],
                           "uid": layer_data["uid"],

exporting/export_package.py

@@ -9,7 +9,7 @@
 from exporting.export_threat_rulebase import export_threat_rulebase
 from exporting.export_https_rulebase import export_https_rulebase
 from lists_and_dictionaries import singular_to_plural_dictionary
-from utils import debug_log, export_to_tar, create_tar_file, generate_export_error_report
+from utils import debug_log, export_to_tar, create_tar_file, generate_export_error_report, compare_versions
 
 
 def export_package(client, args):
@@ -92,7 +92,12 @@ def export_package(client, args):
         if "https-inspection-policy" in show_package.data:
             if show_package.data["https-inspection-policy"]:
                 debug_log("Exporting HTTPS layers", True)
-                https_layers = [show_package.data["https-inspection-layer"]]
+                if compare_versions(client.api_version, '2') == -1:
+                    https_layers = [show_package.data["https-inspection-layer"]]
+                else:
+                    https_layers = []
+                    for layer_data in show_package.data["https-inspection-layers"].values():
+                        https_layers.append(layer_data)
                 for https_layer in https_layers:
                     https_data_dict, https_unexportable_objects \
                         = export_https_rulebase(show_package.data["name"], https_layer["name"], https_layer["uid"], client)

importing/import_package.py

@@ -4,7 +4,7 @@
 import sys
 
 from importing.import_objects import import_objects, add_tag_to_object_payload
-from utils import debug_log, generate_import_error_report, count_global_layers
+from utils import debug_log, generate_import_error_report, count_global_layers, compare_versions
 
 
 def import_package(client, args):
@@ -53,6 +53,7 @@ def import_package(client, args):
                 exit(0)
 
     debug_log("Importing general objects", True)
+    machine_version = client.api_version
     layers_to_attach = import_objects(args.file, client, {}, package, None, args)
 
     num_global_access, num_global_threat = count_global_layers(client, package)
@@ -74,17 +75,31 @@ def import_package(client, args):
     set_package_payload = {"name": package, "access-layers": {"add": access_layers},
                            "threat-layers": {"add": threat_layers}}
 
-    if "https" in layers_to_attach and len(layers_to_attach["https"]) > 0:
-        https_layer_name = layers_to_attach["https"][0]
-        set_package_payload["https-layer"] = https_layer_name
+    if "https" in layers_to_attach:
+        # If the imported package's version < 2
+        if compare_versions(client.api_version, '2') == -1:
+            outbound_layer_name = layers_to_attach["https"][0]
+            # If the version of the machine importing the package < 2
+            if compare_versions(machine_version, '2') == -1:
+                set_package_payload["https-layer"] = outbound_layer_name
+
+        else:
+            inbound_layer_name = layers_to_attach["https"][0]
+            outbound_layer_name = layers_to_attach["https"][1]
+            set_package_payload["https-inspection-layers"] = {"inbound-https-layer": inbound_layer_name,
+                                                              "outbound-https-layer": outbound_layer_name}
+
         # Remove default 'Predefined Rule'
-        https_rulebase_reply = client.api_call("show-https-rulebase", {"name": https_layer_name, "details-level": "uid"})
+        https_rulebase_reply = client.api_call("show-https-rulebase",
+                                               {"name": outbound_layer_name, "details-level": "uid"})
         if https_rulebase_reply.success and "total" in https_rulebase_reply.data:
             last_rule_number = int(https_rulebase_reply.data["total"])
             if last_rule_number > 1:
-                delete_https_rule = client.api_call("delete-https-rule", {"rule-number": last_rule_number, "layer": https_layer_name})
+                delete_https_rule = client.api_call("delete-https-rule",
+                                                    {"rule-number": last_rule_number, "layer": outbound_layer_name})
                 if not delete_https_rule.success:
-                    debug_log("Failed to remove default Predefined Rule in https layer ["+https_layer_name+"]", True, True)
+                    debug_log("Failed to remove default Predefined Rule in https layer [" + outbound_layer_name + "]",
+                              True, True)
 
     debug_log("Attaching layers to package")
     layer_attachment_reply = client.api_call("set-package", set_package_payload)
@@ -97,22 +112,4 @@ def import_package(client, args):
                   "Error: " + publish_reply.error_message + ". Import operation aborted.", True, True)
         sys.exit(1)
 
-    generate_import_error_report()
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+    generate_import_error_report()

lists_and_dictionaries.py

@@ -761,6 +761,64 @@
         "https-rule": "https-rules",
         "central-license": "central-licenses"
     },
+    "2": {
+        "access-role": "access-roles",
+        "threat-profile": "threat-profiles",
+        "host": "hosts",
+        "network": "networks",
+        "address-range": "address_ranges",
+        "multicast-address-range": "multicast-address-ranges",
+        "security-zone": "security-zones",
+        "time": "times",
+        "simple-gateway": "simple-gateways",
+        "simple-cluster": "simple-clusters",
+        "dynamic-object": "dynamic-objects",
+        "trusted-client": "trusted-clients",
+        "tags": "tags",
+        "dns-domain": "dns-domains",
+        "opsec-application": "opsec-applications",
+        "data-center": "data-centers",
+        "data-center-object": "data-center-objects",
+        "service-tcp": "services-tcp",
+        "service-udp": "services-udp",
+        "service-icmp": "services-icmp",
+        "service-icmp6": "services-icmp6",
+        "service-sctp": "services-sctp",
+        "service-rpc": "services-rpc",
+        "service-other": "services-other",
+        "service-dce-rpc": "services-dce-rpc",
+        "application-site": "applications-sites",
+        "application-site-category": "application-site-categories",
+        "application-site-group": "application-site-groups",
+        "vpn-community-meshed": "vpn-communities-meshed",
+        "vpn-community-star": "vpn-communities-star",
+        "placeholder": "placeholders",
+        "administrator": "administrators",
+        "group": "groups",
+        "group-with-exclusion": "groups-with-exclusion",
+        "service-group": "service-groups",
+        "time-group": "time-groups",
+        "application-group": "application-groups",
+        "threat-protection": "threat-protections",
+        "exception-group": "exception-groups",
+        "generic-object": "",
+        "access-layer": "access-layers",
+        "access-section": "access-sections",
+        "access-rule": "access-rules",
+        "nat-layer": "nat-layers",
+        "nat-section": "nat-sections",
+        "nat-rule": "nat-rules",
+        "threat-layer": "threat-layers",
+        "threat-rule": "threat-rules",
+        "threat-exception-section": "threat-exception-sections",
+        "threat-exception": "threat-exceptions",
+        "wildcard": "wildcards",
+        "updatable-object": "updatable-objects",
+        "https-layer": "https-layers",
+        "https-section": "https-sections",
+        "https-rule": "https-rules",
+        "central-license": "central-licenses"
+    },
 }
 
 unexportable_objects_map = {}

utils.py

@@ -284,6 +284,8 @@ def export_to_tar(data_dict, timestamp, tar, lst, api_version, ignore_list=None)
 def write_data(json_data, out_file, file_format, close_file=True):
     for obj in json_data:
         for field in obj:
+            if field == "certificate" and "https-rule" in out_file.name:
+                continue
             if obj[field] in unexportable_objects_map:
                 obj[field] = unexportable_objects_map[obj[field]]
     if "json" in file_format: