(FM-7602) Update tasks to work with Bolt and RSAPI Transports

Author: da-ar

lib/puppet/transport/panos.rb

@@ -8,7 +8,7 @@ module Puppet::Transport
   # The main connection class to a PAN-OS API endpoint
   class Panos
     def self.validate_connection_info(connection_info)
-      raise Puppet::ResourceError, 'Could not find "username"/"password" or "apikey" in the configuration' unless (connection_info.key?(:username) && connection_info.key?(:password)) || connection_info.key?(:apikey) # rubocop:disable Metrics/LineLength
+      raise Puppet::ResourceError, 'Could not find "user"/"password" or "apikey" in the configuration' unless (connection_info.key?(:user) && connection_info.key?(:password)) || connection_info.key?(:apikey) # rubocop:disable Metrics/LineLength
       connection_info
     end
 
@@ -102,6 +102,10 @@ def commit
       api.job_request('commit', cmd: '<commit></commit>')
     end
 
+    def apikey
+      api.apikey
+    end
+
     private
 
     def api

lib/puppet/transport/schema/panos.rb

@@ -7,15 +7,15 @@
 EOS
   features: [],
   connection_info: {
-    address: {
+    host: {
       type: 'String',
       desc: 'The FQDN or IP address of the firewall to connect to.',
     },
     port: {
       type: 'Optional[Integer]',
       desc: 'The port of the firewall to connect to.',
     },
-    username: {
+    user: {
       type: 'Optional[String]',
       desc: 'The username to use for authenticating all connections to the firewall. Only one of `username`/`password` or `apikey` can be specified.',
     },

tasks/apikey.json

@@ -1,19 +1,13 @@
 {
   "puppet_task_version": 1,
   "supports_noop": false,
-  "description": "Retrieve a PAN-OS apikey using PAN-OS host, username and password.",
+  "remote": true,
+  "description": "Retrieve a PAN-OS apikey",
   "parameters": {
-    "host": {
-      "description": "The host to connect to",
-      "type": "String"
-    },
-    "user": {
-      "description": "The user name",
-      "type": "String"
-    },
-    "password": {
-      "description": "The password",
-      "type": "String"
-    }
-  }
+  },
+  "files": [
+    "panos/tasks/panos_task.rb",
+    "panos/lib/puppet/transport/panos.rb",
+    "panos/lib/puppet/transport/schema/panos.rb"
+  ]
 }

tasks/apikey.rb

@@ -1,26 +1,6 @@
 #!/opt/puppetlabs/puppet/bin/ruby
 
-# work around the fact that bolt (for now, see BOLT-132) is not able to transport additional code from the module
-# this requires that the panos module is pluginsynced to the node executing the task
-require 'puppet'
-Puppet.settings.initialize_app_defaults(
-  Puppet::Settings.app_defaults_for_run_mode(
-    Puppet::Util::RunMode[:agent],
-  ),
-)
-$LOAD_PATH.unshift(Puppet[:plugindest])
+require_relative 'panos_task'
+task = PanosTask.new
 
-# setup logging to stdout/stderr which will be available to task executors
-Puppet::Util::Log.newdestination(:console)
-Puppet[:log_level] = 'debug'
-
-#### the real task ###
-
-require 'json'
-require 'puppet/resource_api/transport/wrapper'
-
-params = JSON.parse(ENV['PARAMS'] || STDIN.read)
-wrapper = Puppet::ResourceApi::Transport::Wrapper.new('panos', params['credentials_file'])
-transport = wrapper.transport
-
-puts JSON.generate(apikey: transport.apikey)
+puts JSON.generate(apikey: task.transport.apikey)

tasks/commit.json

@@ -1,11 +1,13 @@
 {
   "puppet_task_version": 1,
+  "remote": true,
   "supports_noop": false,
   "description": "Commit a candidate configuration to a firewall.",
   "parameters": {
-    "credentials_file": {
-      "description": "The filename of the credentials file (as referenced in device.conf)",
-      "type": "String"
-    }
-  }
+  },
+  "files": [
+    "panos/tasks/panos_task.rb",
+    "panos/lib/puppet/transport/panos.rb",
+    "panos/lib/puppet/transport/schema/panos.rb"
+  ]
 }

tasks/commit.rb

@@ -1,28 +1,8 @@
 #!/opt/puppetlabs/puppet/bin/ruby
 
-# work around the fact that bolt (for now, see BOLT-132) is not able to transport additional code from the module
-# this requires that the panos module is pluginsynced to the node executing the task
-require 'puppet'
-Puppet.settings.initialize_app_defaults(
-  Puppet::Settings.app_defaults_for_run_mode(
-    Puppet::Util::RunMode[:agent],
-  ),
-)
-$LOAD_PATH.unshift(Puppet[:plugindest])
+require_relative 'panos_task'
+task = PanosTask.new
 
-# setup logging to stdout/stderr which will be available to task executors
-Puppet::Util::Log.newdestination(:console)
-Puppet[:log_level] = 'debug'
-
-#### the real task ###
-
-require 'json'
-require 'puppet/resource_api/transport/wrapper'
-
-params = JSON.parse(ENV['PARAMS'] || STDIN.read)
-wrapper = Puppet::ResourceApi::Transport::Wrapper.new('panos', params['credentials_file'])
-transport = wrapper.transport
-
-if transport.outstanding_changes?
-  transport.commit
+if task.transport.outstanding_changes?
+  task.transport.commit
 end

tasks/panos_task.rb

@@ -0,0 +1,66 @@
+require 'puppet'
+require 'json'
+
+class PanosTask
+  def initialize
+    # work around the fact that bolt (for now, see BOLT-132) is not able to transport additional code from the module
+    # this requires that the panos module is pluginsynced to the node executing the task
+    Puppet.settings.initialize_app_defaults(
+      Puppet::Settings.app_defaults_for_run_mode(
+        Puppet::Util::RunMode[:agent],
+      ),
+    )
+    $LOAD_PATH.unshift(Puppet[:plugindest])
+
+    unless target
+      puts "Panos task must be run on a proxy"
+      exit 1
+    end
+
+    add_plugin_paths(params['_installdir'])
+  end
+
+  def transport
+    require 'puppet/resource_api/transport'
+    require 'puppet/transport/panos'
+
+    Puppet::ResourceApi::Transport.connect('panos', credentials)
+  end
+
+  def params
+    @params ||= JSON.parse(ENV['PARAMS'] || STDIN.read)
+  end
+
+  def target
+    @target ||= params['_target']
+  end
+
+  def credentials
+    @credentials ||= if target.key? 'apikey'
+                        {
+                          host: target['host'],
+                          apikey: target['apikey']
+                        }
+                      else
+                        {
+                          host: target['host'],
+                          user: target['user'],
+                          password: target['password']
+                        }
+                      end
+
+    if target.key? 'port'
+      @credentials[:port] = target['port']
+    end
+
+    @credentials
+  end
+
+  private
+  # Syncs across anything from the module lib
+  def add_plugin_paths(install_dir)
+    Dir.glob(File.join([install_dir, '*'])).each do |mod|
+      $LOAD_PATH << File.join([mod, "lib"])
+    end
+  end
+end

tasks/set_config.json

@@ -1,12 +1,9 @@
 {
   "puppet_task_version": 1,
   "supports_noop": false,
+  "remote": true,
   "description": "upload and/or apply a configuration to a firewall.",
   "parameters": {
-    "credentials_file": {
-      "description": "The filename of the credentials file (as referenced in device.conf)",
-      "type": "String"
-    },
     "config_file": {
       "description": "The filename of the configuration file to upload",
       "type": "String"
@@ -15,5 +12,10 @@
       "description": "true: upload and immediately apply the config. false: upload the config, without applying",
       "type": "Boolean"
     }
-  }
+  },
+  "files": [
+    "panos/tasks/panos_task.rb",
+    "panos/lib/puppet/transport/panos.rb",
+    "panos/lib/puppet/transport/schema/panos.rb"
+  ]
 }

tasks/set_config.rb

@@ -1,30 +1,11 @@
 #!/opt/puppetlabs/puppet/bin/ruby
 
-# work around the fact that bolt (for now, see BOLT-132) is not able to transport additional code from the module
-# this requires that the panos module is pluginsynced to the node executing the task
-require 'puppet'
-Puppet.settings.initialize_app_defaults(
-  Puppet::Settings.app_defaults_for_run_mode(
-    Puppet::Util::RunMode[:agent],
-  ),
-)
-$LOAD_PATH.unshift(Puppet[:plugindest])
+require_relative 'panos_task'
+task = PanosTask.new
 
-# setup logging to stdout/stderr which will be available to task executors
-Puppet::Util::Log.newdestination(:console)
-Puppet[:log_level] = 'debug'
-
-#### the real task ###
-
-require 'json'
-require 'puppet/resource_api/transport/wrapper'
-
-params = JSON.parse(ENV['PARAMS'] || STDIN.read)
-wrapper = Puppet::ResourceApi::Transport::Wrapper.new('panos', params['credentials_file'])
-transport = wrapper.transport
-
-file = params['config_file']
+file = task.params['config_file']
 transport.import(file, 'configuration')
-if params['apply']
+
+if task.params['apply']
   transport.load_config(File.basename(file))
 end