PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
347 stars 170 forks source link

activate_feature_using_authorization_code returns nothing if successful and eventually times out the client #424

Open barryCrunch opened 2 years ago

barryCrunch commented 2 years ago

Describe the bug

When using the activate_feature_using_authorization_code method, nothing is returned. After the license is applied the FW goes for a reboot and the client disconnects with an http.client.RemoteDisconnected: Remote end closed connection without response exception.

Expected behavior

Return anything, so we know if the license application was successful. It looks like the method checks for a status from the op call, so maybe return that status.

if result.attrib.get("status") != "success":
            raise err.PanActivateFeatureAuthCodeError(
                result.get("./msg/line").text, pan_device=self
            )

Return the status if it was successful

if result.attrib.get("status") != "success":
            raise err.PanActivateFeatureAuthCodeError(
                result.get("./msg/line").text, pan_device=self
            )
else:
        return result.attrib.get("status")

Current behavior

Nothing is returned, and the client times out with an http.client error.

Traceback (most recent call last):
  File "license.py", line 43, in <module>
    main()
  File "license.py", line 33, in main
    fw.activate_feature_using_authorization_code(code)
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/panos/base.py", line 5112, in activate_feature_using_authorization_code
    result = self.op('request license fetch auth-code "{0}"'.format(code))
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/panos/firewall.py", line 219, in op
    return super(Firewall, self).op(
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/panos/base.py", line 3822, in op
    element = self.xapi.op(
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/panos/base.py", line 3661, in method
    super_method(self, *args, **kwargs)
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/pan/xapi.py", line 951, in op
    self.__type_op(cmd, vsys, extra_qs)
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/pan/xapi.py", line 969, in __type_op
    response = self.__api_request(query)
  File "/home/mbarry/.virtualenvs/azure-panos/lib/python3.8/site-packages/pan/xapi.py", line 545, in __api_request
    response = urlopen(**kwargs)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/lib/python3.8/urllib/request.py", line 542, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 1369, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/lib/python3.8/urllib/request.py", line 1330, in do_open
    r = h.getresponse()
  File "/usr/lib/python3.8/http/client.py", line 1332, in getresponse
    response.begin()
  File "/usr/lib/python3.8/http/client.py", line 303, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.8/http/client.py", line 272, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

Possible solution

Return result as mentioned above.

Steps to reproduce

  1. Start with an unlicensed vm-series firewall
  2. Issue authcode with activate_feature_using_authorization_code
  3. Whatch client connection timeout.

Context

We are trying to apply an auth code programmatically through a pipeline.

Your Environment

panos - 10.1.4 python - 3.8.2 os - ubuntu 20.04 pan-os-python: 1.6.0

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 2 years ago

This is not something pan-os-python can really do something about. If PAN-OS decides to accept an API call, then reboot the management plane (or the whole appliance) before returning a response to the XML API client, pan-os-python can not make it behave properly. This is something that used to behave properly, so I recommend opening up a TAC issue against PAN-OS and tell them that the API is not returning a response to you before rebooting.