Configure HTTP-based ARP information fetching from Palo Alto PIO-OS firewalls using management profiles #3147
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #3147 +/- ##
==========================================
+ Coverage 60.45% 60.60% +0.14%
==========================================
Files 605 605
Lines 43745 43725 -20
Branches 48 48
==========================================
+ Hits 26448 26500 +52
+ Misses 17285 17213 -72
Partials 12 12 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
This is shaping up really nicely!
I'm really glad you took the time to write a proper release notes entry, though I am not sure that we need to delve deeply into rationalizing why we are changing the palo alto API key config stuff. The bit about ARP being available only through the API I believe was explained in an earlier release note too.
You added a separate "make linter happy" commit, which should be unnecessary. These are formatting changes that your pre-commit hooks should have fixed for you in the original commits (you did install the pre-commit hooks, right?)
The "Fix unittests" commit is also probably best if squashed into the already existing commit that updates the tests.
python/nav/models/manage.py
Outdated
| def get_http_rest_management_profiles( | ||
| self, service: str | ||
| ) -> models.QuerySet: |
There was a problem hiding this comment.
Fixed! (Also moved functionality to the paloalto plugin.)
nav/python/nav/ipdevpoll/plugins/paloaltoarp.py
Lines 161 to 173 in 6c9d4b5
| for i, api_key in enumerate(api_keys): | ||
| arptable = yield self._do_request(ip, api_key) | ||
| if arptable is not None: | ||
| # process arpdata into an array of mappings | ||
| mappings = parse_arp(arptable.decode('utf-8')) | ||
| break | ||
| self._logger.info( | ||
| "Could not fetch ARP table from Paloalto device When using API key %d of %d", | ||
| i, | ||
| len(api_keys), | ||
| ) |
There was a problem hiding this comment.
IMNSHO, the key iteration functionality presented here should not really be the concern of the _get_paloalto_arp_mappings() method. It should be factored out.
There was a problem hiding this comment.
Moved the loop to the handle() function
nav/python/nav/ipdevpoll/plugins/paloaltoarp.py
Lines 55 to 67 in 6c9d4b5
| netbox.sysname in cls.configured_devices | ||
| or str(netbox.ip) in cls.configured_devices | ||
| ) | ||
| return netbox.get_http_rest_management_profiles("Palo Alto ARP").exists() |
There was a problem hiding this comment.
There's a big fat gotcha here: The can_handle() method runs inside the main event loop thread, so you should absolutely not run database queries from this method: They will block everything ipdevpoll is working on until the response comes back from the database.
If you need to access the database at this point, you should defer the lookup to a database thread instead. See
nav/python/nav/ipdevpoll/plugins/lldp.py
Lines 51 to 56 in 518e622
There was a problem hiding this comment.
Thanks for the catch, wrapped database queries appropriately
nav/python/nav/ipdevpoll/plugins/paloaltoarp.py
Lines 81 to 99 in bdc6e99
| @pytest.fixture | ||
| def paloalto_netbox_1234(db, client): | ||
| box = Netbox( | ||
| ip='127.0.0.1', | ||
| sysname='localhost.example.org', | ||
| organization_id='myorg', | ||
| room_id='myroom', | ||
| category_id='SRV', | ||
| ) | ||
| box.save() | ||
| profile = ManagementProfile( | ||
| name="PaloAlto Test Management Profile", | ||
| protocol=ManagementProfile.PROTOCOL_SNMP, # Correct protocol is set with HTTP POST below | ||
| configuration={ | ||
| "version": 2, | ||
| "community": "public", | ||
| "write": False, | ||
| }, | ||
| ) | ||
| profile.save() | ||
|
|
||
|
|
||
| netbox_url = reverse("seeddb-netbox-edit", args=(box.id,)) | ||
| management_profile_url = reverse( | ||
| "seeddb-management-profile-edit", args=(profile.id,) | ||
| ) | ||
|
|
||
| # Manually sending this post request helps reveal regression bugs in case | ||
| # HTTPRestForm.service.choices keys are altered; because the post's thus | ||
| # invalid service field should then cause the django form cleaning stage to | ||
| # fail. (Changing the HTTPRestForm.choice map to use enums as keys instead | ||
| # of strings would enable static analysis to reveal this.) | ||
| client.post( | ||
| management_profile_url, | ||
| follow=True, | ||
| data={ | ||
| "name": profile.name, | ||
| "description": profile.description, | ||
| "protocol": ManagementProfile.PROTOCOL_HTTP_REST, | ||
| "service": "Palo Alto ARP", | ||
| "api_key": "1234", | ||
| } | ||
| ) | ||
|
|
||
| client.post( | ||
| netbox_url, | ||
| follow=True, | ||
| data={ | ||
| "ip": box.ip, | ||
| "room": box.room_id, | ||
| "category": box.category_id, | ||
| "organization": box.organization_id, | ||
| "profiles": [profile.id], | ||
| }, | ||
| ) | ||
|
|
There was a problem hiding this comment.
According to the commit log, you seem to be arguing that this fixture is also a test for the web forms. I would advocate that it shouldn't be. Testing the web forms should be an explicit test function, with a name that makes it abundantly clear what kind of assertion is breaking when it fails.
For the purposes of testing the ipdevpoll plugin itself, it is much simpler for this fixture to just insert the required boxes/profiles directly into the database.
The fixture code as-is could/should be re-used in an explicit management profile form test :)
There was a problem hiding this comment.
Totally agree, simplified this fixture and moved form-related parts to a new test file
nav/tests/integration/web/management_profile_test.py
Lines 11 to 61 in 6c9d4b5
jorund1
force-pushed
the
rest-api-management-profile
branch
2 times, most recently
from
e6d1949
to
de813f0
Compare
jorund1
force-pushed
the
rest-api-management-profile
branch
3 times, most recently
from
bdc6e99
to
2449d89
Compare
Prior to this commit, the netboxes handled by the PaloaltoArp ipdevpoll plugin used to be configured in the `ipdevpoll.conf` configuration file, but since the netboxes the plugin wants to handle (i.e. collect Arp information from) already should reside in the NAV database, this configuration is now instead done through the SeedDB tool by assigning a HTTP_API ManagementProfile (with `service` set `Palo Alto ARP` and api_key set to some secret API key) to the netboxes to be handled. The prior way to configure the netboxes handled by the PaloAltoArp plugin implicitly only allowed one API key per netbox (both enforced in code but also by the configuration syntax). With ManagementProfiles, it is perfectly possible to assign multiple profiles (e.g. configurations) of the same type but with different parameters (e.g. API keys) to the same netbox. Hence the new way to configure the netboxes allow many API keys per netbox. Thus the semantics of the plugin must change a little: For any given netbox, the plugin now assumes there may be multiple API keys, and uses the ARP results of first API key for which the _do_request method returns a successful response. IMPORTANT: This commit removes the ability to configure the netboxes handled by the PaloaltoArp plugin the NAV version 5.10 - 5.11 way through the `[paloaltoarp]` section in the `ipdevpoll.conf` configuration file.
jorund1
force-pushed
the
rest-api-management-profile
branch
from
2449d89
to
8503acf
Compare
|
Deprecate the
[paloaltoarp]section ofipdevpoll.confin favor of using management profiles to configure HTTP-based fetching of ARP information from Palo Alto PIO-OS firewalls, analogous to how configuration of SNMP-based fetching is done.The new management profile protocol to configure HTTP-based fetching has been given the name
HTTP APIHTTP REST APIfor now, but this name might be missing the mark since there really isn't anything REST-related about the management profile type.HTTP WITH API KEY, would be a more fitting name?