From yas...@apache.org
Subject git commit: updated refs/heads/4.3 to 794c179
Date Tue, 10 Dec 2013 02:29:18 GMT
Updated Branches:
  refs/heads/4.3 93fd32335 -> 794c17921


CLOUDSTACK-5425: Fixed egress rules in the Palo Alto plugin and removed unneeded API commands.

Signed-off-by: Sheng Yang <sheng.yang@citrix.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/794c1792
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/794c1792
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/794c1792

Branch: refs/heads/4.3
Commit: 794c17921ba8ca8d57c984c198c2cabee354c9f1
Parents: 93fd323
Author: Will Stevens <wstevens@cloudops.com>
Authored: Mon Dec 9 15:53:11 2013 -0500
Committer: Sheng Yang <sheng.yang@citrix.com>
Committed: Mon Dec 9 18:28:48 2013 -0800

----------------------------------------------------------------------
 client/tomcatconf/commands.properties.in        |   4 -
 .../api/commands/AddExternalFirewallCmd.java    | 112 -------------
 .../api/commands/DeleteExternalFirewallCmd.java |  88 ----------
 .../api/commands/ListExternalFirewallsCmd.java  |  88 ----------
 .../PaloAltoExternalFirewallElement.java        |  74 +-------
 .../element/PaloAltoFirewallElementService.java |  15 --
 .../network/resource/PaloAltoResource.java      | 167 ++++++++++++++++---
 .../resource/MockablePaloAltoResource.java      |  15 +-
 .../configuration/ConfigurationManagerImpl.java |   4 +-
 9 files changed, 156 insertions(+), 411 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/client/tomcatconf/commands.properties.in
----------------------------------------------------------------------
diff --git a/client/tomcatconf/commands.properties.in b/client/tomcatconf/commands.properties.in
index 773c035..3016543 100644
--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -544,10 +544,6 @@ listSrxFirewalls=1
 listSrxFirewallNetworks=1
 
 #### Palo Alto firewall commands
-addExternalFirewall=1
-deleteExternalFirewall=1
-listExternalFirewalls=1
-
 addPaloAltoFirewall=1
 deletePaloAltoFirewall=1
 configurePaloAltoFirewall=1

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddExternalFirewallCmd.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddExternalFirewallCmd.java
b/plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddExternalFirewallCmd.java
deleted file mode 100644
index 84ee869..0000000
--- a/plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddExternalFirewallCmd.java
+++ /dev/null
@@ -1,112 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.commands;
-
-import javax.inject.Inject;
-
-import org.apache.cloudstack.api.response.ZoneResponse;
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseCmd;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.host.Host;
-import com.cloud.network.element.PaloAltoFirewallElementService;
-import org.apache.cloudstack.api.response.ExternalFirewallResponse;
-import com.cloud.user.Account;
-import com.cloud.utils.exception.CloudRuntimeException;
-
-@APICommand(name = "addExternalFirewall", description="Adds an external firewall appliance",
responseObject = ExternalFirewallResponse.class)
-public class AddExternalFirewallCmd extends BaseCmd {
-    public static final Logger s_logger = Logger.getLogger(AddExternalFirewallCmd.class.getName());
-    private static final String s_name = "addexternalfirewallresponse";
-
-    /////////////////////////////////////////////////////
-    //////////////// API parameters /////////////////////
-    /////////////////////////////////////////////////////
-
-    @Parameter(name=ApiConstants.ZONE_ID, type=CommandType.UUID, entityType = ZoneResponse.class,
-            required = true, description="Zone in which to add the external firewall appliance.")
-    private Long zoneId;
-
-    @Parameter(name=ApiConstants.URL, type=CommandType.STRING, required = true, description="URL
of the external firewall appliance.")
-    private String url;
-
-    @Parameter(name=ApiConstants.USERNAME, type=CommandType.STRING, required = true, description="Username
of the external firewall appliance.")
-    private String username;
-
-    @Parameter(name=ApiConstants.PASSWORD, type=CommandType.STRING, required = true, description="Password
of the external firewall appliance.")
-    private String password;
-
-    ///////////////////////////////////////////////////
-    /////////////////// Accessors ///////////////////////
-    /////////////////////////////////////////////////////
-
-    public Long getZoneId() {
-        return zoneId;
-    }
-
-    public String getUrl() {
-        return url;
-    }
-
-    public String getUsername() {
-        return username;
-    }
-
-    public String getPassword() {
-        return password;
-    }
-
-
-    /////////////////////////////////////////////////////
-    /////////////// API Implementation///////////////////
-    /////////////////////////////////////////////////////
-
-    @Inject PaloAltoFirewallElementService _paElementService;
-
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
-    @Override
-    public long getEntityOwnerId() {
-        return Account.ACCOUNT_ID_SYSTEM;
-    }
-
-    @SuppressWarnings("deprecation")
-    @Override
-    public void execute(){
-        try {
-            Host externalFirewall = _paElementService.addExternalFirewall(this);
-            ExternalFirewallResponse response = _paElementService.createExternalFirewallResponse(externalFirewall);
-            response.setObjectName("externalfirewall");
-            response.setResponseName(getCommandName());
-            this.setResponseObject(response);
-        } catch (InvalidParameterValueException ipve) {
-            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, ipve.getMessage());
-        } catch (CloudRuntimeException cre) {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, cre.getMessage());
-        }
-    }
-}
-

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeleteExternalFirewallCmd.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeleteExternalFirewallCmd.java
b/plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeleteExternalFirewallCmd.java
deleted file mode 100644
index 93f752a..0000000
--- a/plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeleteExternalFirewallCmd.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.commands;
-
-import javax.inject.Inject;
-
-import org.apache.cloudstack.api.response.HostResponse;
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseCmd;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.SuccessResponse;
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.network.element.PaloAltoFirewallElementService;
-import com.cloud.user.Account;
-
-@APICommand(name = "deleteExternalFirewall", description="Deletes an external firewall appliance.",
responseObject = SuccessResponse.class)
-public class DeleteExternalFirewallCmd extends BaseCmd {
-    public static final Logger s_logger = Logger.getLogger(DeleteExternalFirewallCmd.class.getName());
-    private static final String s_name = "deleteexternalfirewallresponse";
-
-    /////////////////////////////////////////////////////
-    //////////////// API parameters /////////////////////
-    /////////////////////////////////////////////////////
-
-    @Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = HostResponse.class,
-            required = true, description="Id of the external firewall appliance.")
-    private Long id;
-
-    ///////////////////////////////////////////////////
-    /////////////////// Accessors ///////////////////////
-    /////////////////////////////////////////////////////
-
-    public Long getId() {
-        return id;
-    }
-
-    /////////////////////////////////////////////////////
-    /////////////// API Implementation///////////////////
-    /////////////////////////////////////////////////////
-
-    @Inject PaloAltoFirewallElementService _paElementService;
-
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
-    @Override
-    public long getEntityOwnerId() {
-        return Account.ACCOUNT_ID_SYSTEM;
-    }
-
-    @SuppressWarnings("deprecation")
-    @Override
-    public void execute(){
-        try {
-            boolean result = _paElementService.deleteExternalFirewall(this);
-            if (result) {
-            SuccessResponse response = new SuccessResponse(getCommandName());
-            response.setResponseName(getCommandName());
-            this.setResponseObject(response);
-            } else {
-                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete
external firewall.");
-            }
-        } catch (InvalidParameterValueException e) {
-            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Failed to delete external
firewall.");
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListExternalFirewallsCmd.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListExternalFirewallsCmd.java
b/plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListExternalFirewallsCmd.java
deleted file mode 100644
index ebced7e..0000000
--- a/plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListExternalFirewallsCmd.java
+++ /dev/null
@@ -1,88 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the 
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.api.commands;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.inject.Inject;
-
-import org.apache.cloudstack.api.command.user.offering.ListServiceOfferingsCmd;
-import org.apache.cloudstack.api.response.ZoneResponse;
-import org.apache.log4j.Logger;
-
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseListCmd;
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.ListResponse;
-import com.cloud.host.Host;
-import com.cloud.network.element.PaloAltoFirewallElementService;
-import org.apache.cloudstack.api.response.ExternalFirewallResponse;
-
-@APICommand(name = "listExternalFirewalls", description="List external firewall appliances.",
responseObject = ExternalFirewallResponse.class)
-public class ListExternalFirewallsCmd extends BaseListCmd {
-	public static final Logger s_logger = Logger.getLogger(ListServiceOfferingsCmd.class.getName());
-    private static final String s_name = "listexternalfirewallsresponse";
-
-    /////////////////////////////////////////////////////
-    //////////////// API parameters /////////////////////
-    /////////////////////////////////////////////////////
-
-    @Parameter(name=ApiConstants.ZONE_ID, type=CommandType.UUID, entityType = ZoneResponse.class,
-            required = true, description="zone Id")
-    private long zoneId;
-
-    /////////////////////////////////////////////////////
-    /////////////////// Accessors ///////////////////////
-    /////////////////////////////////////////////////////
-
-    public long getZoneId() {
-        return zoneId;
-    }
-
-    /////////////////////////////////////////////////////
-    /////////////// API Implementation///////////////////
-    /////////////////////////////////////////////////////
-
-    @Inject PaloAltoFirewallElementService _paElementService;
-
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
-    @SuppressWarnings("deprecation")
-    @Override
-    public void execute(){
-
-    	List<? extends Host> externalFirewalls = _paElementService.listExternalFirewalls(this);
-
-        ListResponse<ExternalFirewallResponse> listResponse = new ListResponse<ExternalFirewallResponse>();
-        List<ExternalFirewallResponse> responses = new ArrayList<ExternalFirewallResponse>();
-        for (Host externalFirewall : externalFirewalls) {
-        	ExternalFirewallResponse response = _paElementService.createExternalFirewallResponse(externalFirewall);
-        	response.setObjectName("externalfirewall");
-        	response.setResponseName(getCommandName());
-        	responses.add(response);
-        }
-
-        listResponse.setResponses(responses);
-        listResponse.setResponseName(getCommandName());
-        this.setResponseObject(listResponse);
-    }
-}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java
b/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java
index 3eb802e..108d5a4 100644
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java
@@ -30,12 +30,9 @@ import org.apache.cloudstack.network.ExternalNetworkDeviceManager.NetworkDevice;
 import org.apache.log4j.Logger;
 
 import com.cloud.api.ApiDBUtils;
-import com.cloud.api.commands.AddExternalFirewallCmd;
 import com.cloud.api.commands.AddPaloAltoFirewallCmd;
 import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
-import com.cloud.api.commands.DeleteExternalFirewallCmd;
 import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
-import com.cloud.api.commands.ListExternalFirewallsCmd;
 import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
 import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
 import com.cloud.api.response.PaloAltoFirewallResponse;
@@ -296,81 +293,11 @@ PortForwardingServiceProvider, IpDeployer, PaloAltoFirewallElementService,
Stati
     }
 
     @Override
-    @Deprecated
-    // should use more generic addNetworkDevice command to add firewall
-    public Host addExternalFirewall(AddExternalFirewallCmd cmd) {
-        Long zoneId = cmd.getZoneId();
-        DataCenterVO zone = null;
-        PhysicalNetworkVO pNetwork = null;
-        HostVO fwHost = null;
-
-        zone = _dcDao.findById(zoneId);
-        if (zone == null) {
-            throw new InvalidParameterValueException("Could not find zone with ID: " + zoneId);
-        }
-
-        List<PhysicalNetworkVO> physicalNetworks = _physicalNetworkDao.listByZone(zoneId);
-        if ((physicalNetworks == null) || (physicalNetworks.size() > 1)) {
-            throw new InvalidParameterValueException("There are no physical networks or multiple
physical networks configured in zone with ID: "
-                    + zoneId + " to add this device.");
-        }
-        pNetwork = physicalNetworks.get(0);
-
-        String deviceType = NetworkDevice.PaloAltoFirewall.getName();
-        ExternalFirewallDeviceVO fwDeviceVO = addExternalFirewall(pNetwork.getId(), cmd.getUrl(),
cmd.getUsername(), cmd.getPassword(), deviceType, new PaloAltoResource());
-        if (fwDeviceVO != null) {
-            fwHost = _hostDao.findById(fwDeviceVO.getHostId());
-        }
-
-        return fwHost;
-    }
-
-    @Override
-    public boolean deleteExternalFirewall(DeleteExternalFirewallCmd cmd) {
-        return deleteExternalFirewall(cmd.getId());
-    }
-
-    @Override
-    @Deprecated
-    // should use more generic listNetworkDevice command
-    public List<Host> listExternalFirewalls(ListExternalFirewallsCmd cmd) {
-        List<Host> firewallHosts = new ArrayList<Host>();
-        Long zoneId = cmd.getZoneId();
-        DataCenterVO zone = null;
-        PhysicalNetworkVO pNetwork = null;
-
-        if (zoneId != null) {
-            zone = _dcDao.findById(zoneId);
-            if (zone == null) {
-                throw new InvalidParameterValueException("Could not find zone with ID: "
+ zoneId);
-            }
-
-            List<PhysicalNetworkVO> physicalNetworks = _physicalNetworkDao.listByZone(zoneId);
-            if ((physicalNetworks == null) || (physicalNetworks.size() > 1)) {
-                throw new InvalidParameterValueException("There are no physical networks
or multiple physical networks configured in zone with ID: "
-                        + zoneId + " to add this device.");
-            }
-            pNetwork = physicalNetworks.get(0);
-        }
-
-        firewallHosts.addAll(listExternalFirewalls(pNetwork.getId(), NetworkDevice.PaloAltoFirewall.getName()));
-        return firewallHosts;
-    }
-
-    @Override
-    public ExternalFirewallResponse createExternalFirewallResponse(Host externalFirewall)
{
-        return super.createExternalFirewallResponse(externalFirewall);
-    }
-
-    @Override
     public List<Class<?>> getCommands() {
         List<Class<?>> cmdList = new ArrayList<Class<?>>();
-        cmdList.add(AddExternalFirewallCmd.class);
         cmdList.add(AddPaloAltoFirewallCmd.class);
         cmdList.add(ConfigurePaloAltoFirewallCmd.class);
-        cmdList.add(DeleteExternalFirewallCmd.class);
         cmdList.add(DeletePaloAltoFirewallCmd.class);
-        cmdList.add(ListExternalFirewallsCmd.class);
         cmdList.add(ListPaloAltoFirewallNetworksCmd.class);
         cmdList.add(ListPaloAltoFirewallsCmd.class);
         return cmdList;
@@ -382,6 +309,7 @@ PortForwardingServiceProvider, IpDeployer, PaloAltoFirewallElementService,
Stati
         if (!deviceName.equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
             throw new InvalidParameterValueException("Invalid Palo Alto firewall device type");
         }
+
         return addExternalFirewall(cmd.getPhysicalNetworkId(), cmd.getUrl(), cmd.getUsername(),
cmd.getPassword(), deviceName,
             new PaloAltoResource());
     }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java
b/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java
index d2842ab..dafae8b 100644
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java
@@ -18,12 +18,9 @@ package com.cloud.network.element;
 
 import java.util.List;
 
-import com.cloud.api.commands.AddExternalFirewallCmd;
 import com.cloud.api.commands.AddPaloAltoFirewallCmd;
 import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
-import com.cloud.api.commands.DeleteExternalFirewallCmd;
 import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
-import com.cloud.api.commands.ListExternalFirewallsCmd;
 import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
 import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
 import com.cloud.api.response.PaloAltoFirewallResponse;
@@ -72,17 +69,5 @@ public interface PaloAltoFirewallElementService  extends PluggableService
{
     public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd);
 
     public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO
fwDeviceVO);
-
-
-    @Deprecated // API helper function supported for backward compatibility
-    public Host addExternalFirewall(AddExternalFirewallCmd cmd);
-
-    @Deprecated // API helper function supported for backward compatibility
-    public boolean deleteExternalFirewall(DeleteExternalFirewallCmd cmd);
-    
-    @Deprecated // API helper function supported for backward compatibility
-    public List<Host> listExternalFirewalls(ListExternalFirewallsCmd cmd);
     
-    @Deprecated // API helper function supported for backward compatibility
-    public ExternalFirewallResponse createExternalFirewallResponse(Host externalFirewall);
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/src/com/cloud/network/resource/PaloAltoResource.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/src/com/cloud/network/resource/PaloAltoResource.java
b/plugins/network-elements/palo-alto/src/com/cloud/network/resource/PaloAltoResource.java
index 2251ce0..a4bcf5b 100644
--- a/plugins/network-elements/palo-alto/src/com/cloud/network/resource/PaloAltoResource.java
+++ b/plugins/network-elements/palo-alto/src/com/cloud/network/resource/PaloAltoResource.java
@@ -31,6 +31,7 @@ import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 import javax.naming.ConfigurationException;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.transform.dom.DOMSource;
 
 import com.cloud.agent.IAgentControl;
 import com.cloud.agent.api.Answer;
@@ -466,11 +467,14 @@ public class PaloAltoResource implements ServerResource {
             String guestVlanSubnet = NetUtils.getCidrSubNet(guestVlanGateway, cidrSize);
   
             
             Long publicVlanTag = null;
-            if (ip.getBroadcastUri() != null && !ip.getBroadcastUri().equals("untagged"))
{
-                try {
-                    publicVlanTag = Long.parseLong(ip.getBroadcastUri());
-                } catch (Exception e) {
-                    throw new ExecutionException("Could not parse public VLAN tag: " + ip.getBroadcastUri());
+            if (ip.getBroadcastUri() != null) {
+                String parsedVlanTag = parsePublicVlanTag(ip.getBroadcastUri());
+                if (!parsedVlanTag.equals("untagged")) {
+                    try {
+                        publicVlanTag = Long.parseLong(parsedVlanTag);
+                    } catch (Exception e) {
+                        throw new ExecutionException("Could not parse public VLAN tag: "
+ parsedVlanTag);
+                    }
                 }
             } 
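Review bot: The `catch (Exception e)` around `Long.parseLong(parsedVlanTag)` is wider than the failure it handles and discards the cause; `Long.parseLong` only throws `NumberFormatException`, so `} catch (NumberFormatException e) {` keeps unrelated runtime failures visible, and the cause should be attached if the `ExecutionException` constructor in use accepts one. The `!parsedVlanTag.equals("untagged")` test also assumes `parsePublicVlanTag` never returns null, which cannot be verified from this hunk; `!"untagged".equals(parsedVlanTag)` is null-safe at no cost. The enclosing method starts and ends outside the hunk.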
 
@@ -521,6 +525,9 @@ public class PaloAltoResource implements ServerResource {
     private void shutdownGuestNetwork(ArrayList<IPaloAltoCommand> cmdList, GuestNetworkType
type, Long publicVlanTag, String sourceNatIpAddress, long privateVlanTag, String privateGateway,
String privateSubnet, long privateCidrSize) throws ExecutionException {     
         privateSubnet = privateSubnet+"/"+privateCidrSize;
 
+        // remove any orphaned egress rules if they exist...
+        removeOrphanedFirewallRules(cmdList, privateVlanTag);
+
         if (type.equals(GuestNetworkType.SOURCE_NAT)) {
             manageNetworkIsolation(cmdList, PaloAltoPrimative.DELETE, privateVlanTag, privateSubnet,
privateGateway);
             manageSrcNatRule(cmdList, PaloAltoPrimative.DELETE, type, publicVlanTag, sourceNatIpAddress+"/32",
privateVlanTag, privateGateway+"/"+privateCidrSize);
@@ -941,12 +948,18 @@ public class PaloAltoResource implements ServerResource {
         String dstNatName = genDstNatRuleName(publicIp, rule.getId());
 
         String publicInterfaceName;
-        String publicVlanTag = rule.getSrcVlanTag();
-        if (publicVlanTag == null || publicVlanTag.equals("untagged")) {
+        String publicVlanTag;
+        if (rule.getSrcVlanTag() == null) {
             publicInterfaceName = genPublicInterfaceName(new Long("9999"));
         } else {
-            publicInterfaceName = genPublicInterfaceName(new Long(publicVlanTag));
+            publicVlanTag = parsePublicVlanTag(rule.getSrcVlanTag());
+            if (publicVlanTag.equals("untagged")) {
+                publicInterfaceName = genPublicInterfaceName(new Long("9999"));
+            } else {
+                publicInterfaceName = genPublicInterfaceName(new Long(publicVlanTag));
+            }
         }
+        
 
         switch (prim) {
 
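Review bot: The new public-interface selection (`null` → 9999, `parsePublicVlanTag` → `"untagged"` → 9999, otherwise parse) is duplicated verbatim in the next hunk around `genStcNatRuleName`, and in both places `String publicVlanTag;` is declared at method scope but only assigned in the else branch, while `new Long("9999")`/`new Long(publicVlanTag)` use the deprecated boxing constructors. A small private helper removes the duplication and scopes the local; `"untagged".equals(...)` is also null-safe should `parsePublicVlanTag` ever return null, which this hunk does not show. Note that `Long.valueOf(publicVlanTag)` still throws an unchecked `NumberFormatException` for a non-numeric tag, unlike the broadcast-URI path earlier in this file which wraps the parse in an `ExecutionException`; aligning the two is worth considering but is a behaviour change, so the helper below keeps the current behaviour. The hunk also adds a whitespace-only line after the closing brace, and the enclosing methods start and end outside both hunks.
```java
        String publicInterfaceName = genPublicInterfaceNameForVlan(rule.getSrcVlanTag());
        // … unchanged: switch (prim) …

    // Shared by the DST-NAT and STC-NAT paths: a null or "untagged" source VLAN maps to the
    // fixed 9999 public interface, anything else is parsed as a numeric VLAN tag.
    private String genPublicInterfaceNameForVlan(String srcVlanTag) {
        if (srcVlanTag == null) {
            return genPublicInterfaceName(Long.valueOf(9999L));
        }
        String publicVlanTag = parsePublicVlanTag(srcVlanTag);
        if ("untagged".equals(publicVlanTag)) {
            return genPublicInterfaceName(Long.valueOf(9999L));
        }
        return genPublicInterfaceName(Long.valueOf(publicVlanTag));
    }
```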
@@ -1083,11 +1096,16 @@ public class PaloAltoResource implements ServerResource {
         String stcNatName = genStcNatRuleName(publicIp, rule.getId());
 
         String publicInterfaceName;
-        String publicVlanTag = rule.getSrcVlanTag();
-        if (publicVlanTag == null || publicVlanTag.equals("untagged")) {
+        String publicVlanTag;
+        if (rule.getSrcVlanTag() == null) {
             publicInterfaceName = genPublicInterfaceName(new Long("9999"));
         } else {
-            publicInterfaceName = genPublicInterfaceName(new Long(publicVlanTag));
+            publicVlanTag = parsePublicVlanTag(rule.getSrcVlanTag());
+            if (publicVlanTag.equals("untagged")) {
+                publicInterfaceName = genPublicInterfaceName(new Long("9999"));
+            } else {
+                publicInterfaceName = genPublicInterfaceName(new Long(publicVlanTag));
+            }
         }
 
         switch (prim) {
@@ -1168,13 +1186,21 @@ public class PaloAltoResource implements ServerResource {
     /*
      * Firewall rule implementation
      */
-
-    private String genFirewallRuleName(long id) {
+    private String genFirewallRuleName(long id) { // ingress
         return "policy_"+Long.toString(id);
     }
+    private String genFirewallRuleName(long id, String vlan) { // egress
+        return "policy_"+Long.toString(id)+"_"+vlan;
+    }
 
     public boolean manageFirewallRule(ArrayList<IPaloAltoCommand> cmdList, PaloAltoPrimative
prim, FirewallRuleTO rule) throws ExecutionException {
-        String ruleName = genFirewallRuleName(rule.getId());
+        String ruleName;
+        if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
+            ruleName = genFirewallRuleName(rule.getId(), rule.getSrcVlanTag());
+        } else {
+            ruleName = genFirewallRuleName(rule.getId());
+        }
+        
 
         switch (prim) {
 
@@ -1201,6 +1227,7 @@ public class PaloAltoResource implements ServerResource {
             String serviceXML;
 
             String protocol = rule.getProtocol();
+            String action = "allow";
 
             // Only ICMP will use an Application, so others will be any.
             if (protocol.equals(Protocol.ICMP.toString())) {
@@ -1230,11 +1257,23 @@ public class PaloAltoResource implements ServerResource {
                 serviceXML = "<member>any</member>";
             }
 
-            if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { // Network egress
rule
+            // handle different types of fire wall rules (egress | ingress)
+            if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { // Egress Rule
                 srcZone = _privateZone;
                 dstZone = _publicZone;
                 dstAddressXML = "<member>any</member>";
-            } else {
+
+                // defaults to 'allow', the deny rules are as follows
+                if (rule.getType() == FirewallRule.FirewallRuleType.System) {
+                    if (!rule.isDefaultEgressPolicy()) { // default of deny && system
rule, so deny
+                        action = "deny";
+                    }
+                } else {
+                    if (rule.isDefaultEgressPolicy()) { // default is allow && user
rule, so deny
+                        action = "deny";
+                    }
+                }
+            } else { // Ingress Rule
                 srcZone = _publicZone;
                 dstZone = _privateZone;
                 dstAddressXML = "<member>"+rule.getSrcIp()+"</member>";
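Review bot: The nested `if` blocks that set `action` encode a rule that is easy to misread: a System rule denies when the network default is deny, and a user rule denies when the network default is allow. The same decision is `boolean deny = (rule.getType() == FirewallRule.FirewallRuleType.System) != rule.isDefaultEgressPolicy();` followed by `action = deny ? "deny" : "allow";`, but whichever shape is kept, a comment stating the semantic — that the System rule appears to realise the network's default egress policy and user rules are exceptions to it — would save the next reader the derivation; I infer that reading from the code alone, so confirm it against whatever produces these rules. The comment `// handle different types of fire wall rules` should read `firewall`. `action` is initialised in the preceding hunk and the method continues past this one.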
@@ -1263,6 +1302,7 @@ public class PaloAltoResource implements ServerResource {
                 }
             }
 
+            // build new rule xml
             String xml = "";
             xml += "<from><member>"+srcZone+"</member></from>";
             xml += "<to><member>"+dstZone+"</member></to>";
@@ -1270,16 +1310,52 @@ public class PaloAltoResource implements ServerResource {
             xml += "<destination>"+dstAddressXML+"</destination>";
             xml += "<application>"+appXML+"</application>";
             xml += "<service>"+serviceXML+"</service>";
-            xml += "<action>allow</action>";
+            xml += "<action>"+action+"</action>";
             xml += "<negate-source>no</negate-source>";
             xml += "<negate-destination>no</negate-destination>";
-            if (_threatProfile != null) { // add the threat profile if it exists
+            if (_threatProfile != null && action.equals("allow")) { // add the threat
profile if it exists
                 xml += "<profile-setting><group><member>"+_threatProfile+"</member></group></profile-setting>";
             }
-            if (_logProfile != null) { // add the log profile if it exists
+            if (_logProfile != null && action.equals("allow")) { // add the log profile
if it exists
                 xml += "<log-setting>"+_logProfile+"</log-setting>";
             }
 
+            boolean has_default = false;
+            String defaultEgressRule = "";
+            if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
+                // check if a default egress rule exists because it always has to be after
the other rules.
+                Map<String, String> e_params = new HashMap<String, String>();
+                e_params.put("type", "config");
+                e_params.put("action", "get");
+                e_params.put("xpath", "/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0_"+rule.getSrcVlanTag()+"']");
+                String e_response = request(PaloAltoMethod.GET, e_params);
+                has_default = (validResponse(e_response) && responseNotEmpty(e_response));
+
+                // there is an existing default rule, so we need to remove it and add it
back after the new rule is added.
+                if (has_default) {
+                    s_logger.debug("Moving the default egress rule after the new rule: "+ruleName);
+                    NodeList response_body;
+                    Document doc = getDocument(e_response);
+                    XPath xpath = XPathFactory.newInstance().newXPath();
+                    try {
+                        XPathExpression expr = xpath.compile("/response[@status='success']/result/entry/node()");
+                        response_body = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
+                    } catch (XPathExpressionException e) {
+                        throw new ExecutionException(e.getCause().getMessage());
+                    }
+                    for (int i=0; i<response_body.getLength(); i++) {
+                        Node n = response_body.item(i);
+                        defaultEgressRule += nodeToString(n);
+                    }
+                    Map<String, String> dd_params = new HashMap<String, String>();
+                    dd_params.put("type", "config");
+                    dd_params.put("action", "delete");
+                    dd_params.put("xpath", "/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0_"+rule.getSrcVlanTag()+"']");
+                    cmdList.add(new DefaultPaloAltoCommand(PaloAltoMethod.POST, dd_params));
+                }
+            }
+
+            // add the new rule...
             Map<String, String> a_params = new HashMap<String, String>();
             a_params.put("type", "config");
             a_params.put("action", "set");
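Review bot: Between the delete queued here for the default egress rule and its re-add queued in the next hunk (after the new rule's set), the firewall has no default egress rule at all; if cmdList executes in order and the intermediate set fails, a default-deny network is left fail-open until the next sync, and how cmdList failures are handled is outside this hunk, so this deserves at least a comment on `has_default`, e.g. `// the default rule is deleted and re-added so it stays last; a failed set in between leaves the network without its default egress rule`. Separately, `throw new ExecutionException(e.getCause().getMessage())` throws a NullPointerException instead when the XPathExpressionException carries no cause; `e.getMessage()` is the safe form. The `_logProfile` guard was also extended with `action.equals("allow")`, so denied egress traffic is never sent to the configured log forwarding; if PAN-OS accepts a log-setting on a deny rule, that guard should only cover the threat profile, otherwise the comment should say why deny rules are not logged. The locals `has_default`, `e_params` and `dd_params` use snake_case where the rest of the file uses camelCase.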
@@ -1287,6 +1363,17 @@ public class PaloAltoResource implements ServerResource {
             a_params.put("element", xml);
             cmdList.add(new DefaultPaloAltoCommand(PaloAltoMethod.POST, a_params));
 
+            // add back the default rule
+            if (rule.getTrafficType() == FirewallRule.TrafficType.Egress && has_default)
{
+                Map<String, String> da_params = new HashMap<String, String>();
+                da_params.put("type", "config");
+                da_params.put("action", "set");
+                da_params.put("xpath", "/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0_"+rule.getSrcVlanTag()+"']");
+                da_params.put("element", defaultEgressRule);
+                cmdList.add(new DefaultPaloAltoCommand(PaloAltoMethod.POST, da_params));
+                s_logger.debug("Completed move of the default egress rule after rule: "+ruleName);
+            }
+
             return true;
 
         case DELETE:
@@ -1308,6 +1395,24 @@ public class PaloAltoResource implements ServerResource {
         }
     }
 
+    // remove orphaned rules if they exist...
+    public void removeOrphanedFirewallRules(ArrayList<IPaloAltoCommand> cmdList, long
vlan) throws ExecutionException {
+        Map<String, String> params = new HashMap<String, String>();
+        params.put("type", "config");
+        params.put("action", "get");
+        params.put("xpath", "/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[contains(@name,
'policy') and contains(@name, '"+Long.toString(vlan)+"')]");
+        String response = request(PaloAltoMethod.GET, params);
+        boolean has_orphans = (validResponse(response) && responseNotEmpty(response));
+
+        if (has_orphans) {
+            Map<String, String> d_params = new HashMap<String, String>();
+            d_params.put("type", "config");
+            d_params.put("action", "delete");
+            d_params.put("xpath", "/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[contains(@name,
'policy') and contains(@name, '"+Long.toString(vlan)+"')]");
+            cmdList.add(new DefaultPaloAltoCommand(PaloAltoMethod.POST, d_params));
+        }
+    }
+
 
 
     /*
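Review bot: The `contains(@name, '<vlan>')` predicate is a substring match, so for VLAN 5 it also selects rules such as policy_0_3954 or policy_5_100 (assuming the `policy_<id>_<vlan>` naming seen in the other hunks), and the delete queued a few lines later would then remove firewall rules belonging to other networks. XPath 1.0 has no ends-with, but the suffix can be pinned with `"/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[starts-with(@name, 'policy_') and substring(@name, string-length(@name) - string-length('_" + vlan + "') + 1) = '_" + vlan + "']"`, built once into a local and shared by the get and the delete instead of duplicating the literal. The method also matches live rules of the same VLAN, not only orphans, so a Javadoc line stating when the caller is expected to invoke it (presumably only while the network is being torn down) would make that intent explicit.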
@@ -1436,7 +1541,6 @@ public class PaloAltoResource implements ServerResource {
         }
     }
 
-
     private String genServiceName(String protocol, String dstPorts, String srcPorts) {
         String name;
         if (srcPorts == null) {
@@ -1937,6 +2041,10 @@ public class PaloAltoResource implements ServerResource {
         return ip.replace('.', '-').replace('/', '-');
     }
 
+    private String parsePublicVlanTag(String uri) {
+        return uri.replace("vlan://", "");
+    }
+
     private Protocol getProtocol(String protocolName) throws ExecutionException {
         protocolName = protocolName.toLowerCase();
 
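Review bot: `parsePublicVlanTag` returns its input unchanged when the URI does not start with `vlan://`, so an unexpected broadcast URI would silently flow into whatever rule name or XPath the caller builds from it. A guard such as `if (!uri.startsWith("vlan://")) { throw new ExecutionException("Unsupported broadcast URI: " + uri); }` ahead of the replace, or at least a comment stating the assumption, would make that explicit. The callers are outside this hunk, so the value may already be validated upstream.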
@@ -1966,6 +2074,20 @@ public class PaloAltoResource implements ServerResource {
         }
     }
 
+    // return an xml node as a string
+    private String nodeToString(Node node) throws ExecutionException {
+        StringWriter sw = new StringWriter();
+        try {
+            Transformer t = TransformerFactory.newInstance().newTransformer();
+            t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
+            t.transform(new DOMSource(node), new StreamResult(sw));
+        } catch (Throwable t) {
+            throw new ExecutionException("XML convert error when modifying PA config: "+t.getMessage());
+        }
+        return sw.toString();
+    }
+
+    // pretty printing of xml strings
     private String prettyFormat(String input) {
         int indent = 4;
         try {
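Review bot: `catch (Throwable t)` in nodeToString also intercepts Errors such as OutOfMemoryError and discards the original exception, keeping only its message; the transform can only fail with a TransformerException (TransformerConfigurationException is its subclass), so `} catch (TransformerException e) {` is the right catch, with the cause chained if ExecutionException offers a (String, Throwable) constructor. Reusing the name `t` for both the Transformer and the caught throwable is also confusing to read. The one-line header comment could become Javadoc: `/** Serialises a DOM node, without an XML declaration, so it can be resent as a PAN-OS config element. */`.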
@@ -2000,13 +2122,11 @@ public class PaloAltoResource implements ServerResource {
     //@Override
     public void setName(String name) {
         // TODO Auto-generated method stub
-        
     }
 
     //@Override
     public void setConfigParams(Map<String, Object> params) {
         // TODO Auto-generated method stub
-        
     }
 
     //@Override
@@ -2025,6 +2145,5 @@ public class PaloAltoResource implements ServerResource {
     public void setRunLevel(int level) {
         // TODO Auto-generated method stub
         
-    }    
-    
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java
b/plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java
index 9a9eb6e..5ffb7ce 100755
--- a/plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java
+++ b/plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java
@@ -196,10 +196,10 @@ public class MockablePaloAltoResource extends PaloAltoResource {
                     }
                 }
 
-                // get egress firewall rule | has_egress_fw_rule | policy_0
-                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']"))
{
+                // get egress firewall rule | has_egress_fw_rule | policy_0_3954
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0_3954']"))
{
                     if (context.containsKey("has_egress_fw_rule") && context.get("has_egress_fw_rule").equals("true"))
{
-                        response = "<response status=\"success\" code=\"19\"><result
total-count=\"1\" count=\"1\"><entry name=\"policy_0\" admin=\"admin\" time=\"2013/07/03
12:43:30\"><from admin=\"admin\" time=\"2013/07/03 12:43:30\"><member admin=\"admin\"
time=\"2013/07/03 12:43:30\">trust</member></from><to><member>untrust</member></to><source><member>10.3.96.1/20</member></source><destination><member>any</member></destination><application><member>any</member></application><service><member>cs_tcp_80</member></service><action>allow</action><negate-source>no</negate-source><negate-destination>no</negate-destination></entry></result></response>";
+                        response = "<response status=\"success\" code=\"19\"><result
total-count=\"1\" count=\"1\"><entry name=\"policy_0_3954\" admin=\"admin\" time=\"2013/07/03
12:43:30\"><from admin=\"admin\" time=\"2013/07/03 12:43:30\"><member admin=\"admin\"
time=\"2013/07/03 12:43:30\">trust</member></from><to><member>untrust</member></to><source><member>10.3.96.1/20</member></source><destination><member>any</member></destination><application><member>any</member></application><service><member>cs_tcp_80</member></service><action>allow</action><negate-source>no</negate-source><negate-destination>no</negate-destination></entry></result></response>";
                     } else {
                         response = "<response status=\"success\" code=\"19\"><result/></response>";
                     }
@@ -214,6 +214,11 @@ public class MockablePaloAltoResource extends PaloAltoResource {
                     }
                 }
 
+                // get default egress rule | policy_0_3954
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[contains(@name,
'policy') and contains(@name, '3954')]")) {
+                    response = "<response status=\"success\" code=\"19\"><result/></response>";
+                }
+
                 // get destination nat rule (port forwarding) | has_dst_nat_rule
                 if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']"))
{
                     if (context.containsKey("has_dst_nat_rule") && context.get("has_dst_nat_rule").equals("true"))
{
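Review bot: The new mock branch answers the orphan-rule query (`contains(@name, 'policy') and contains(@name, '3954')`) with an empty result unconditionally, so the delete branch of removeOrphanedFirewallRules is never exercised by the tests. Keying the response on a context flag, as the neighbouring `has_egress_fw_rule` branch does, with a populated `<entry name="policy_0_3954">` result when the flag is set and the empty `<result/>` otherwise, would let a test confirm that orphan cleanup actually issues the delete. The enclosing request-handling method starts and ends outside this hunk.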
@@ -296,7 +301,7 @@ public class MockablePaloAltoResource extends PaloAltoResource {
                 }
 
                 // add egress firewall rule
-                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']"))
{
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0_3954']"))
{
                     response = "<response status=\"success\" code=\"20\"><msg>command
succeeded</msg></response>";
                     context.put("has_egress_fw_rule", "true");
                 }
@@ -329,7 +334,7 @@ public class MockablePaloAltoResource extends PaloAltoResource {
         	// action = 'delete'
         	if (params.get("action").equals("delete")) {
                 // remove egress firewall rule
-                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']"))
{
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0_3954']"))
{
                     response = "<response status=\"success\" code=\"20\"><msg>command
succeeded</msg></response>";
                     context.remove("has_egress_fw_rule");
                 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/794c1792/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
index ac16ef4..fd0c2dd 100755
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -3903,8 +3903,8 @@ ConfigurationManagerImpl extends ManagerBase implements ConfigurationManager,
Co
             Set<Provider> firewallProviderSet = new HashSet<Provider>();
             firewallProviderSet.add(firewallProvider);
             serviceProviderMap.put(Service.Firewall, firewallProviderSet);
-            if (!(firewallProvider.getName().equals(Provider.JuniperSRX.getName()) || firewallProvider.getName().equals(Provider.VirtualRouter.getName()))
&& egressDefaultPolicy == false) {
-                throw new InvalidParameterValueException("Firewall egress with default policy
" +  egressDefaultPolicy + "is not supported by the provider "+ firewallProvider.getName());
+            if (!(firewallProvider.getName().equals(Provider.JuniperSRX.getName()) || firewallProvider.getName().equals(Provider.PaloAlto.getName())
|| firewallProvider.getName().equals(Provider.VirtualRouter.getName())) && egressDefaultPolicy
== false) {
+                throw new InvalidParameterValueException("Firewall egress with default policy
" +  egressDefaultPolicy + " is not supported by the provider "+ firewallProvider.getName());
             }
         }
 
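Review bot: The provider check on the changed `if` line now chains three `getName().equals(...)` comparisons inside a negation plus `egressDefaultPolicy == false`, which is hard to read and will grow again with the next provider that supports a deny default. A local list of capable provider names, `List<String> egressDenyProviders = Arrays.asList(Provider.JuniperSRX.getName(), Provider.PaloAlto.getName(), Provider.VirtualRouter.getName());` followed by `if (!egressDefaultPolicy && !egressDenyProviders.contains(firewallProvider.getName())) {`, expresses the same rule in two lines. The enclosing method starts and ends outside this hunk.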

