diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..b792477
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,24 @@
+{
+ "cSpell.words": [
+ "adminpassword",
+ "apikey",
+ "apipassword",
+ "apiuser",
+ "argparse",
+ "auditability",
+ "docstrings",
+ "dynaconf",
+ "failovers",
+ "highavailability",
+ "hostnames",
+ "proxied",
+ "Pydantic",
+ "pyproject",
+ "pytest",
+ "refreshall",
+ "typer",
+ "Typer",
+ "unsynchronized",
+ "Xapi"
+ ]
+}
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7230fbc..98316e3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,3 +1,4 @@
+# trunk-ignore-all(terrascan/AC_DOCKER_0047)
 # Use an official Python runtime as a parent image, based on Alpine
 FROM python:3.12-alpine
@@ -5,23 +6,31 @@ FROM python:3.12-alpine
 # gcc and musl-dev are required for compiling C extensions
 # libffi-dev is required for the cffi package
 # make is often required for building packages
-RUN apk add --no-cache gcc musl-dev libffi-dev make
+RUN apk add --no-cache gcc=13.2.1_git20231014-r0 musl-dev=1.2.4_git20230717-r4 libffi-dev=3.4.4-r3 make=4.4.1-r2
 # Set the working directory in the container to /app
 WORKDIR /app
 # Add settings.yaml to the container at /app
-ADD settings.yaml /app
+COPY settings.yaml /app
 # Install any needed packages specified in requirements.txt
-# Note: The requirements.txt should contain pan-os-upgrade==1.3.4
+# Note: The requirements.txt should contain pan-os-upgrade==1.3.5
 RUN pip install --no-cache-dir pan-os-upgrade==1.3.4
 # Set the locale to avoid issues with emoji rendering
 ENV LANG C.UTF-8
+# Create a non-root user
+RUN adduser -D panadmin
+USER panadmin
+
 # Define the entry point for the application
 ENTRYPOINT ["pan-os-upgrade"]
 # By default, show the help message if no arguments are provided
 CMD ["--help"]
+
+ # Add a healthcheck
+HEALTHCHECK --interval=30s --timeout=5s \
+ CMD pgrep -f "pan-os-upgrade" > /dev/null || exit 1
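Review bot: The comment above the pip line is bumped to 1.3.5 while the command below it still reads `RUN pip install --no-cache-dir pan-os-upgrade==1.3.4`, so an image built from this commit ships the previous release and not the Panorama license check the commit introduces; change it to `RUN pip install --no-cache-dir pan-os-upgrade==1.3.5`, or derive the pin from pyproject.toml so the two cannot drift again. The new HEALTHCHECK is in shell form, and `pgrep -f "pan-os-upgrade"` will most likely also match the `/bin/sh -c` wrapper whose own command line contains that string, so the probe appears to succeed whether or not the tool is running; matching on the process name without `-f` (busybox pgrep supports `-x` for a whole-name match) would be more meaningful, and for a CLI that runs to completion a liveness probe may not be the right signal at all. The exact apk version pins on the `RUN apk add` line will stop resolving once the package index behind the floating `python:3.12-alpine` tag moves on, so either pin the base image by digest as well or expect builds to break without any code change.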
diff --git a/docs/about/release-notes.md b/docs/about/release-notes.md index 539f01c..ea86a67 100644 --- a/docs/about/release-notes.md +++ b/docs/about/release-notes.md @@ -2,12 +2,19 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provides a detailed record of changes, enhancements, and fixes in each version of the tool. +## Version 1.3.5 + +**Release Date:** *<20240315>* + +### What's New in version 1.3.5 + +- Added ability for Panorama appliances to check for a valid license before beginning upgrade process. + ## Version 1.3.4 **Release Date:** *<20240303>* - -### What's New +### What's New in version 1.3.4 - Resolved an issue where snapshots would not be taken after an upgrade if settings.yaml file was present in the current working directory. @@ -15,8 +22,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240228>* - -### What's New +### What's New in version 1.3.3 - Resolved an issue where a firewall would still reboot even if the install failed three consecutive PAN-OS installs. @@ -24,8 +30,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240225>* - -### What's New +### What's New in version 1.3.2 - Documentation updates. @@ -33,8 +38,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240225>* - -### What's New +### What's New in version 1.3.1 - Remediated a bug where snapshots weren't taken after an upgrade if `settings.yaml` wasn't in the current working directory. @@ -42,8 +46,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240220>* - -### What's New +### What's New in version 1.3.0 - Refactor script by breaking functions into smaller, more manageable module function files. - Revamp all pytest tests 
@@ -52,8 +55,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240217>* - -### What's New +### What's New in version 1.2.6 - Move HA status collection within the `get_firewall_details` function for batch upgrades. - Update interactive inventory menu to include HA role of the firewall and if it has `preempt` enabled. @@ -62,8 +64,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240215>* - -### What's New +### What's New in version 1.2.5 - Update repo with SUPPORT.md with details of support. - Update console banner message to include disclaimer of support. @@ -72,8 +73,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240215>* - -### What's New +### What's New in version 1.2.4 - Remove HA sync strict check before upgrade process to account for scenarios where a passive firewall is upgrades within a thread of the first phase before the active is targeted within the same phase. @@ -81,8 +81,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240214>* - -### What's New +### What's New in version 1.2.3 - Introduce `create_firewall_mapping` Function to Fix Firewall Object Mapping. @@ -90,8 +89,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240214>* - -### What's New +### What's New in version 1.2.2 - Changed the HA config sync check of Panorama appliances to be less strict as a temporary workaround for performing HA upgrades. @@ -99,8 +97,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240214>* - -### What's New +### What's New in version 1.2.1 - Added multi-threaded execution of "show system info" command to grab firewall details 
@@ -108,8 +105,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240213>* - -### What's New +### What's New in version 1.2.0 - Revamped ability to select multiple firewalls when using Panorama as a communication proxy - Removed support for `-f` and `--filter` flags, instead relying on interactive selection menu @@ -119,8 +115,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240211>* - -### What's New +### What's New in version 1.1.6 - Added over 100 tests - Changed default behavior of ARP snapshots to False @@ -129,8 +124,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240209>* - -### What's New +### What's New in version 1.1.5 - Support for skipping all readiness checks and snapshots with `settings` subcommand @@ -138,8 +132,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240209>* - -### What's New +### What's New in version 1.1.4 - Documentation bug fixes - Support for `-c` in hotfix name @@ -148,7 +141,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240208>* -### What's New +### What's New in version 1.1.3 - Documentation bug fixes @@ -156,8 +149,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240208>* - -### What's New +### What's New in version 1.1.2 - Fixed a bug that prevented HA Panorama appliances from being targeted for upgrades @@ -165,8 +157,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240204>* - -### What's New +### What's New in version 1.1.1 - Fixed a bug that prevented access to the `logo.png` file used by the PDF generation process 
@@ -174,8 +165,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240204>* - -### What's New +### What's New in version 1.1.0 - Pre/Post upgrade diff report created in PDF format - Changed structure of AssuranceOptions @@ -189,8 +179,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240131>* - -### What's New +### What's New in version 1.0.0 - Shipping first release! 🚀 @@ -198,8 +187,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240129>* - -### What's New +### What's New in version 0.4.3 - Created workflow that will download the base image if making a major/minor upgrade - Included new download settings to be overridden with `pan-os-upgrade` settings @@ -209,8 +197,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240127>* - -### What's New +### What's New in version 0.4.2 - Created mechanism to override the default settings of `pan-os-upgrade` - Added support for new CLI argument, `pan-os-upgrade settings` @@ -220,8 +207,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240127>* - -### What's New +### What's New in version 0.4.1 - Resolved an issue where missing fields in session snapshots for older PAN-OS versions caused errors in Pydantic models - Updated the requirements.txt file to reflect the latest compatible versions of dependencies @@ -231,8 +217,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240126>* - -### What's New +### What's New in version 0.4.0 - Support for three unique workflows: - `firewall`: targets and upgrades an individual firewall 
@@ -245,8 +230,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240125>* - -### What's New +### What's New in version 0.3.0 - Multi-threading added for concurrent upgrades (max limit of threads is 10). - Gracefully handle HA upgrades for HA active/passive peers. @@ -256,8 +240,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240123>* - -### What's New +### What's New in version 0.2.5 - Supports the ability to connect to Panorama as a proxy for firewall connections - Added new `--filter` CLI option for Panorama connections @@ -268,19 +251,17 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240122>* - -### What's New +### What's New in version 0.2.4 - Resolved a bug where console logging was duplicated - Simplified the non-debug console log output - Removed `requirements.txt` from Docker container image -## Version 0.2.4 +## Version 0.2.3 **Release Date:** *<20240121>* - -### What's New +### What's New in version 0.2.3 - Improved error handling for network layer transport. - Included new dependency [DNS Python](https://www.dnspython.org/) for hostname lookup @@ -289,8 +270,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240121>* - -### What's New +### What's New in version 0.2.2 - Optimized for Docker execution. - Refreshed documentation to showcase both paths of execution (Python virtual environments and Docker) @@ -299,8 +279,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240121>* - -### What's New +### What's New in version 0.2.1 - Adjusting the execution of our script to instead reference the Typer app `app()` instead of `main()`. - Updated the `pan-os-upgrade` alias within the pyproject.toml file to directly call `app()` instead of `main()` 
@@ -309,8 +288,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240121>* - -### What's New +### What's New in version 0.2.0 - Allow for simply running `pan-os-upgrade` without arguments, providing an interactive prompt for missing variables - Replaced `argparse` with `typer` for command-line argument parsing, offering a more intuitive and user-friendly CLI experience. @@ -327,8 +305,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid **Release Date:** *<20240119>* - -### What's New +### What's New in version 0.1.1 - First official release of the `pan-os-upgrade` tool on PyPi. - Made available for wide usage and distribution. @@ -337,7 +314,7 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid - Includes all the features and functionalities as they were in the initial development build. -## Version 0.1.0 +## Version 0.1.0 in version 0.1.0 **Release Date:** *<20240118>* @@ -348,4 +325,4 @@ Welcome to the release notes for the `pan-os-upgrade` tool. This document provid --- -For more detailed information on each release, visit the [GitHub repository](https://github.com/cdot65/pan-os-upgrade/releases) or check the [commit history](https://github.com/cdot65/pan-os-upgrade/commits/main). \ No newline at end of file +For more detailed information on each release, visit the [GitHub repository](https://github.com/cdot65/pan-os-upgrade/releases) or check the [commit history](https://github.com/cdot65/pan-os-upgrade/commits/main). diff --git a/pan_os_upgrade/components/device.py b/pan_os_upgrade/components/device.py index 62746dd..0751103 100644 --- a/pan_os_upgrade/components/device.py +++ b/pan_os_upgrade/components/device.py 
@@ -175,6 +175,29 @@ def connect_to_host(
 sys.exit(1)
+def check_panorama_license(panorama: Panorama) -> bool:
+ try:
+
+ # Perform the operational command to retrieve license info
+ response = panorama.op("request license info")
+
+ licenses_element = response.find(".//licenses")
+
+ if licenses_element is None or len(licenses_element) == 0:
+ return False
+
+ # Check if any license entry has expired
+ for entry in licenses_element.findall(".//entry"):
+ if entry.find("expired").text == "yes":
+ return False
+
+ return True
+
+ except Exception as e:
+ logging.error(f"Error checking Panorama license: {e}")
+ return False
+
+
 def get_firewall_details(
 firewall: Firewall,
 ) -> Dict[str, Any]:
diff --git a/pan_os_upgrade/components/upgrade.py b/pan_os_upgrade/components/upgrade.py
index 64de09d..bb522d2 100644
--- a/pan_os_upgrade/components/upgrade.py
+++ b/pan_os_upgrade/components/upgrade.py
@@ -30,6 +30,7 @@ perform_snapshot,
 )
 from pan_os_upgrade.components.device import (
+ check_panorama_license,
 get_ha_status,
 perform_reboot,
 )
@@ -842,6 +843,18 @@ def upgrade_panorama(
 f"{get_emoji(action='report')} {hostname}: {panorama.serial} {panorama_details.ip_address}"
 )
+ # Check Panorama license before proceeding with the upgrade
+ logging.info(f"{get_emoji(action='start')} {hostname}: Checking Panorama license.")
+ if not check_panorama_license(panorama):
+ logging.error(
+ f"{get_emoji(action='error')} {hostname}: Panorama does not have an active license. Cannot proceed with the upgrade."
+ )
+ sys.exit(1)
+ else:
+ logging.info(
+ f"{get_emoji(action='success')} {hostname}: Panorama license is valid."
+ )
+
 # Determine if the Panorama is standalone, HA, or in a cluster
 logging.debug(
 f"{get_emoji(action='start')} {hostname}: Performing test to see if Panorama is standalone, HA, or in a cluster."
diff --git a/pyproject.toml b/pyproject.toml
index 0674024..a0a2473 100644
--- a/pyproject.toml
+++ b/pyproject.toml
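Review bot: `if entry.find("expired").text == "yes":` in check_panorama_license dereferences the result of `find()` without a None check, so a license entry that lacks an `expired` element (or has empty text) raises AttributeError, which the broad `except Exception` below turns into a logged error and a False return — the caller then aborts the upgrade as a licensing failure when the real cause is an unexpected response shape or a connectivity problem. The check is also stricter than the release note's "valid license": one expired entry anywhere in the list (an old trial or feature license still reported by `request license info`) yields False even when the remaining licenses are current, and that should at least be a deliberate, documented choice. I would keep the fail-closed behaviour but make the lookup explicit and tolerant of case and whitespace, `expired = entry.findtext("expired")` / `if expired is None or expired.strip().lower() == "yes": return False`, and log which entry tripped the check so the operator can tell an expired feature license from a missing device license. The function has no docstring; it should state that it issues `request license info`, that a missing or empty `<licenses>` element and any entry marked expired both return False, and that every exception is swallowed into a False result rather than propagated. check_panorama_license is contained entirely in this hunk.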
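Review bot: The `else:` after `sys.exit(1)` in the new license block of upgrade_panorama is redundant because the error branch never returns, so the success message can sit at the `if`'s own level — drop `else:` and dedent the `logging.info(...)` call that follows. The error text "Panorama does not have an active license" is also stated as fact, yet check_panorama_license (see the device.py hunk on this page) returns False for any exception raised while querying, so a transient API or connectivity failure would be reported to the operator as a licensing problem; wording it along the lines of `Panorama license check failed or no active license found. Cannot proceed with the upgrade.` keeps the log accurate until the helper can distinguish the two cases. upgrade_panorama begins before this hunk and continues after it.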
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pan-os-upgrade"
-version = "1.3.4"
+version = "1.3.5"
 description = "Python script to automate the upgrade process of PAN-OS firewalls."
 authors = ["Calvin Remsburg "]
 documentation = "https://cdot65.github.io/pan-os-upgrade/"