Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fortinet FortiGate - Official Support for Capirca #222

Open
wants to merge 31 commits into
base: master
Choose a base branch
from
Open

Fortinet FortiGate - Official Support for Capirca #222

wants to merge 31 commits into from

Conversation

ftntcorecse
Copy link

The Fortinet team is pleased to provide this contribution to Google Capirca. We welcome your guidance and suggestions to this contribution and are committed to the processes at hand.

We have only included a single sample .POL file, per the observed standards, but have more to provide for additional testing if required.

Thank you.

@google-cla
Copy link

google-cla bot commented Oct 22, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no label Oct 22, 2020
@google-cla
Copy link

google-cla bot commented Oct 22, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla
Copy link

google-cla bot commented Oct 22, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla
Copy link

google-cla bot commented Oct 22, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@ftntcorecse
Copy link
Author

CLA is coming. Please standby.

@google-cla
Copy link

google-cla bot commented Oct 30, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla
Copy link

google-cla bot commented Dec 10, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@ftntcorecse
Copy link
Author

@googlebot I signed it!

@google-cla
Copy link

google-cla bot commented Dec 10, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

Capirca Team and others added 3 commits December 11, 2020 11:02
Make CloudArmor (CA) generator render rules that don't specify a sour…
e5dc16d 
…ce_address

CA generator currently drops any rules missing a source_address which is undesired, especially in the context of default denies automagically added by MirACL.

Verified that generation is accurate on local MirACL instance - https://paste.googleplex.com/5190971101806592

PiperOrigin-RevId: 347033734
Add attribute calculation to GCE generator.
fad05d4 
This allows users to pass in an integer that can be used to limit the max number of attributes in a VPC firewall policy. If a VPC firewall policy exceeds the max, an error will be thrown.

The library will now count the number of rules generated and log the number generated.

PiperOrigin-RevId: 347102880
@rdsharma
Add generator patterns documentation
eb5c9d4 
PiperOrigin-RevId: 347106320
@rdsharma
Copy link
Contributor

Hi, it appears there are still some issues with your CLA. We can't assign anyone internally to look at this until the CLA bot shows green.

Also, please take a look at the generator patterns documentation we just uploaded. These standards will be enforced for all future generators to ensure consistent code quality.

https://github.com/google/capirca/blob/master/doc/generator_patterns.md

Please ACK that you have seen this and let us know when you think you have met these guidelines. Once you give us the go ahead on this and the CLA is assigned we can start reviewing.

@ftntcorecse
Copy link
Author

@googlebot I signed it!

@google-cla
Copy link

google-cla bot commented Dec 15, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@ftntcorecse
Copy link
Author

@rdsharma Acknowledged. We'll get back to you soon.

@google-cla
Copy link

google-cla bot commented Dec 28, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla
Copy link

google-cla bot commented Dec 28, 2020

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@google-cla
Copy link

google-cla bot commented Jan 15, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@ftntcorecse
Copy link
Author

@googlebot I signed it!

@google-cla
Copy link

google-cla bot commented Jan 15, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

1 similar comment
@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@rdsharma
Copy link
Contributor

Hello,

The CLAs bot is not passing because the company CLA was signed but individual CLAs still need to be signed for all users that committed code. Please have GitHub users lweighall and ftntcorecse sign individual CLAs as well and the bot should pass.

Thanks!

@ftntcorecse
Copy link
Author

ftntcorecse commented Jan 28, 2021
edited
Loading

Hello,

The CLAs bot is not passing because the company CLA was signed but individual CLAs still need to be signed for all users that committed code. Please have GitHub users lweighall and ftntcorecse sign individual CLAs as well and the bot should pass.

Thanks!

@rdsharma - thanks for clearing this up. Unfortunately, that makes very little sense. Why have a corporate signature and then have individuals sign it? The rules talk to having a google group administered by the signer that has the contributors in it - that has been accomplished. We have also ensured the commit email address is that of the signer as also instructed by the rules. Why would everyone that works on the product under the corporate umbrella need to sign a document? That is what the corporate signature is for is it not?

@rdsharma
Copy link
Contributor

I'm not super familiar with the CLA bot myself, but my guess is that part of the problem is that ftntcorecse is not registered to a @fortinet.com email address. (How would the bot know this is a legitimate Fortinet user?) If we still are having issues I can talk to the team who is responsible for the CLA bot and try and figure out more of what's going on.

@ftntcorecse
Copy link
Author

ftntcorecse commented Jan 28, 2021
edited
Loading

I'm not super familiar with the CLA bot myself, but my guess is that part of the problem is that ftntcorecse is not registered to a @fortinet.com email address. (How would the bot know this is a legitimate Fortinet user?) If we still are having issues I can talk to the team who is responsible for the CLA bot and try and figure out more of what's going on.

ftntcorecse is also in the Google Group. The instructions talk to that being how they know it's someone doing something that is authorized by the signer. The Google Group has been created and those people that are contributing are in the Group and have "admin" access to that group as well.......The whole idea is that we can have Open Source accounts work on Open Source code and use their accounts so they don't then need to make special accounts for this specific solution....it sort of kills the idea of it being Open Source while also not allowing the Corporate umbrella to play how it's supposed to. Otherwise everyone would just need to sign the CLA - which again, makes little sense from the Corporate perspective since many corporations are going to make this go through a legal process for each individual. Having the blanket corporate agreement and then consuming them in a group should tell the bot that these people are part of that one signature.

I know these aren't your rules - so forgive me if this sounds very aggressive....it's not the intent. We've tried just about everything with the commits and the Google Group based on what the instructions asked at this point so we're sort of like....?

@rdsharma
Copy link
Contributor

Which Google Group are you referring to? To clarify my comment from before, I'm pretty sure the reason the corporate CLA isn't being applied by the bot is because your GitHub user (ftntcorecse) is registered to a @brainslayer.com email address and not a @fortinet.com email address. My understanding is that the bot will only apply the corporate CLA for Fortinet to users registered to @fortinet.com email addresses. Individual CLAs are needed for users that aren't registered to a corporate email address from a company that has signed a CLA.

@nero85
Copy link
Contributor

nero85 commented Feb 17, 2021
edited
Loading

Hi, We have reviewed our internal documentation and it does seem the email address with @brainslayer.com is not included with the CLA's authorized contributor group. If you attach a @fortinet.com account to your @brainslayer.com account perhaps it will recognized the association.

Also signing the individual CLA: https://cla.developers.google.com/about/google-individual. This should give your account the proper credentials as well to proceed.

We are sorry this is confusing and hope we can get this process soon. I have been assigned to review the change. My schedule is busy over the next few weeks and will likely not be able to review this change until March. If we can get this CLA problem fixed soon then perhaps I can get the review prioritized sooner.

@dhalperi
Copy link

We would be interested in playing with this support, were it to get merged.

@ggiesen
Copy link

ggiesen commented Jul 16, 2021

Would love to see this merged as well.

@olljanat
Copy link

@ftntcorecse I would like to see this merged as well so can you/someone from Fortinet team squash all changes to one commit which author is @fortinet.com email address so it will pass CLA?

@ftntcorecse
Copy link
Author

@nero85 and @rdsharma - this account is registered to [email protected] - it can get no more @fortinet.com than that. It has been the entire time. The brainslayer.com address already has multiple @fortinet.com addresses attached to it. There's something that the bot cannot check or is not checking effectively. I cannot sign an INDIVIDUAL CLA as this is not done by an individual. Nor is it company policy to have an individual sign CLAs (particularly for free software environments which still has me quite confused as it is). We have completed every and all checks that your instructions stated for the Google Group creation, the attachment of all accounts under the umbrella of that group, and then attached account after account to other accounts that might be near or on an account that could be near an account. Can one of you please let me know a simple fix to this outside of just breaking the entire process, by having an individual sign a CLA - which is not an answer since this is a Corporate CLA that gets signed. As you can see people do want this merged, and we are attempting to support and extend this really cool process you've created. However, the gateway to get this merged has become impassable it seems. Is there another set of instructions that we need to follow outside of the ones we've already followed? Is there a way that the owner of the binaryslayer.com address - who has a fortinet.com address as well - do something that will alleviate these issues?

@nero85 nero85 mentioned this pull request Jan 6, 2022
Closed
@dgarros
Copy link

dgarros commented Apr 22, 2022

what is the status on this PR ? it would be very useful to have Fortinet support in Capirca

@TheNetworkGuy
Copy link

I would be interested in this functionallity as well. It would be a shame to not implement this code just by a failing check.

@ChrisdAutume
Copy link

Any news about this merge request ? We are interesting by those functionality !

@FlorianHeigl
Copy link

FlorianHeigl commented Sep 12, 2022
edited
Loading

Reminder: Almost two years spent on the CLA process for an apparently finished patch because y'all stuck in corp nightmares, or rather because there's a bot that has more decision making power than people who can read...

seems there's three options:

  • fortinet / @ftntcorecse : you make a new github account for your fortinet address and re-submit (i bet you could also temporarily flip around your primary email account?)
  • google / @rdsharma : you find a human in your org who's authorized to flex that human adaptability in obvious cases
  • we all laugh and check back in 2023

Personally: As far as it goes for contribs to capirca it can't go any bigger than a whole new vendor support being submitted, especially by the vendor.
This would be an exemplary point for seeing when an OSS project takes off and outside submissions really grow the project. Even knowing that capirca already is internally driven and grown/funded, and there most not be uncertainties regarding authorship of its components, this is just going the wrong way.
if there's no way of telling your bot "The CLA is valid." in a 'Stand on Zanzibar' style, then it's a failure, and you'd be better off to just relicense it as MIT/BSD.

@ggiesen
Copy link

ggiesen commented Jan 5, 2023

2023 checkin? Any way to get @ftntcorecse, @rdsharma, and someone with cla bot clue together to get this solved? Would love to not still be waiting here in 2024...

@ggiesen
Copy link

ggiesen commented Jan 5, 2023
edited
Loading

2023 checkin? Any way to get @ftntcorecse, @rdsharma, and someone with cla bot clue together to get this solved? Would love to not still be waiting here in 2024...

@ftntcorecse,

I did a little poking at the commits in this patch, and it looks like the last commit was signed with your f*******t@b************.**m address:

https://github.com/google/capirca/commit/97fb022435a86a582ba9669fd62f9e614445bd72.patch

Upon reading the CLA troubleshooting doc here, I see the following:

One of the most common problems is that the git author email in the commit is not an email address associated with a CLA. The solution is to change the git author email to be an address covered by the CLA. That email should also be added to their GitHub account; it doesn't need to be the primary email, but it should be on the account. For contributors covered by a corporate CLA, this should typically be their work email address, or whatever was added to the corporate CLA's authorized contributor group.

So unless f*******t@b************.**m is actually listed on the CLA, cla-bot won't process it. Assuming only @fortinet.com email addresses are actually on the CLA, you need to rewrite your commits to only @fortinet.com email addresses:

git commit --amend --author="M**h Ly <m*y@f*******t.com>"

Alternatively, @rdsharma seems to have an easy button here:

Particularly for projects on GitHub, there are times when we're not able to automatically verify CLAs (see Troubleshooting CLAs). At the end of the day, we always rely on the project owners to verify the CLA status, whether that means simply looking for the commit status set by SignCLA, or by manually checking the CLA themselves. It's okay to accept a contribution that you are certain is covered by a CLA, even if the automatic verification failed for some reason.

@ggiesen
Copy link

ggiesen commented Jan 5, 2023
edited
Loading

I also see as part of this commit https://github.com/google/capirca/commit/6214e680b8d9523bbd78fc200179b8716e9c4a65.patch that g****b@f*******.**m has a commit here. Is it part of the signed CLA as well?

@rdsharma
Copy link
Contributor

rdsharma commented Jan 5, 2023

@ggiesen that's correct, this should be fixable by just amend'ing the commits to have the correct author info. I believe I pointed out this somewhat in my first comment years ago, but appreciate you explaining it more clearly. We don't feel comfortable fixing these tags for them as it's author/copyright info, and we can't force push to someone else's branch anyways.

@ftntcorecse if you are still interested in getting this merged, please fix the commit author info and rebase. Once the CLA bot passes we can assign someone on our side for the actual review, but we aren't allowed to do that until we have the CLA bot passing.

@ggiesen
Copy link

ggiesen commented Jan 5, 2023
edited
Loading

@ggiesen that's correct, this should be fixable by just amend'ing the commits to have the correct author info. I believe I pointed out this somewhat in my first comment years ago, but appreciate you explaining it more clearly. We don't feel comfortable fixing these tags for them as it's author/copyright info, and we can't force push to someone else's branch anyways.

@ftntcorecse if you are still interested in getting this merged, please fix the commit author info and rebase. Once the CLA bot passes we can assign someone on our side for the actual review, but we aren't allowed to do that until we have the CLA bot passing.

@rdsharma To be fair to @ftntcorecse, after going through the commits, the only ones of any substance are from L**e W******l <l*******l@f*******.**m>. Assuming he has signed the CLA (which I believe you can verify manually), the only remaining commits are basically manipulating one period to try to get CLA bot to behave. The changes are not even copyrightable. If ever there was a time to use some sound judgment to override an automatic process, this would be it. Otherwise we can wait another 2+ years...

@ggiesen
Copy link

ggiesen commented Jan 5, 2023

For reference, here's the commit log:

google-capirca$ git log
commit 97fb022435a86a582ba9669fd62f9e614445bd72 (HEAD -> ftnt_pr, origin/ftnt_pr)
Author: F******t <f******t@b**********.**m>
Date:   Fri Jan 15 10:51:24 2021 -0800

    Changes for updated standards in Q4 2020.

commit b39a3a455ef67c37af0696b1f5821badbad66823
Author: M**h Ly <m*y@f*******.**m>
Date:   Mon Dec 28 12:39:47 2020 -0800

    Kicking over CLA part four?

commit 28f6584275a623dbe4b1ec4ae2df13106eca396d
Merge: c7f508a 6214e68
Author: F******t <g****b@f*******.**m>
Date:   Mon Dec 28 12:23:31 2020 -0800

    Merge branch 'ftnt_pr' of https://github.com/fortinet/google-capirca into ftnt_pr

commit c7f508a1bfeff6f81f58cc7b607ecde3ff31c634
Author: F******t <g****b@f*******.**m>
Date:   Mon Dec 28 12:18:05 2020 -0800

    Kicking over CLA take two.

commit 3515a0cd2a7439184daa1755651391aa130daa04
Author: M**h Ly <m*y@f*******.**m>
Date:   Mon Dec 28 12:15:03 2020 -0800

    Trying to kick over CLA....

commit 95ff67147258d245134f6e1c3e01019a191ce56e
Author: L**e W******l <m*y@f*******.**m>
Date:   Mon Dec 28 12:12:21 2020 -0800

    Editing git email user

commit 7914fdc48cee523efc88419e1b7dd3f919c94d28
Author: L**e W******l <l*******l@f*******.**m>
Date:   Mon Dec 28 12:06:33 2020 -0800

    Changes for updated standards in Q4 2020.

commit eed95e1aa86c565c8dd28d3c137d9608f8f11adc
Author: L**e W******l <l*******l@f*******.**m>
Date:   Mon Dec 28 12:02:44 2020 -0800

    Changes for updated standards in Q4 2020.

commit ff0a48f0f2c52818280b72e19748504ca49a37ef
Author: L**e W******l <l*******l@f*******.**m>
Date:   Fri Oct 30 11:25:00 2020 -0700

    Updates to multitarget support.

commit ac6fecb04a7580957dc8e0c597560f5c4246fc21
Author: L**e W******l <l*******l@f*******.**m>
Date:   Thu Oct 22 09:51:00 2020 -0700

    Removed tailing whitespace in policy.py.

commit c17bfecda28390ec45a85f8e8797933d5d2e477a
Author: L**e W******l <l*******l@f*******.**m>
Date:   Thu Oct 22 09:47:07 2020 -0700

    Removed two trailing whitespaces in fortigate_test.py

commit 20ba26fd3927e8285e4bbec9c519ccf7b2d40ad4
Author: L**e W******l <l*******l@f*******.**m>
Date:   Thu Oct 22 09:41:30 2020 -0700

    Minor bug fix to fortigate_test.py.

commit 4cf778fa519451072c5ebc82020ef4e3618200a6
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Oct 21 15:31:02 2020 -0700

    Added a few missing items from policy.py, policy_simple.py, and aclgen.py.

commit fc9c3e56b9540dbca7af521f4d266e62c36f48a9
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Oct 21 15:00:29 2020 -0700

    First Round of Lint validation changes. PR Candidate.

commit fc5a0d8654ee383fd4c15710daea452e2c7ebc1b
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Oct 21 12:17:53 2020 -0700

    Added Fortigate modules and sample_fortigate.pol.

commit 6214e680b8d9523bbd78fc200179b8716e9c4a65
Author: F******t <g****b@f*******.**m>
Date:   Mon Dec 28 12:18:05 2020 -0800

    Kicking over CLA take two.

commit 8b0b17dd15f083dfb687ae241c3893921ee6385f
Author: M**h Ly <m*y@f*******.**m>
Date:   Mon Dec 28 12:15:03 2020 -0800

    Trying to kick over CLA....

commit dcf73b43b66da2a8ef9d8163af71e6962b17bc12
Author: L**e W******l <m*y@f*******.**m>
Date:   Mon Dec 28 12:12:21 2020 -0800

    Editing git email user

commit c45c5ddedcffdfa2e94e7d366bb9387a0400c099
Author: L**e W******l <l*******l@f*******.**m>
Date:   Mon Dec 28 12:06:33 2020 -0800

    Changes for updated standards in Q4 2020.

commit f409a56c2ffd7fd6639d072363c4b61d3f0cd146
Author: L**e W******l <l*******l@f*******.**m>
Date:   Mon Dec 28 12:02:44 2020 -0800

    Changes for updated standards in Q4 2020.

commit eb5c9d4467de409e53af719c0a7b4891decd1a85
Author: R****v S****a <r******a@g*****.**m>
Date:   Fri Dec 11 17:27:50 2020 -0800

    Add generator patterns documentation

    PiperOrigin-RevId: 347106320

commit fad05d4db5ab25b09c6e5340d6cbf556d33a9083
Author: C*****a T**m <n******y@g*****.**m>
Date:   Fri Dec 11 17:01:34 2020 -0800

    Add attribute calculation to GCE generator.

    This allows users to pass in an integer that can be used to limit the max number of attributes in a VPC firewall policy. If a VPC firewall policy exceeds the max, an error will be thrown.

    The library will now count the number of rules generated and log the number generated.

    PiperOrigin-RevId: 347102880

commit e5dc16d465b49daace1a7dc56ee96877cfea1828
Author: C*****a T**m <n******y@g*****.**m>
Date:   Fri Dec 11 11:02:13 2020 -0800

    Make CloudArmor (CA) generator render rules that don't specify a source_address

    CA generator currently drops any rules missing a source_address which is undesired, especially in the context of default denies automagically added by MirACL.

    Verified that generation is accurate on local MirACL instance - https://paste.googleplex.com/5190971101806592

    PiperOrigin-RevId: 347033734

commit 75c5832d410db785de67bbfd7f03a840a93cd51c
Merge: 40631a2 c0ca9d9
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Dec 9 16:26:18 2020 -0800

    Merge branch 'master' into ftnt_pr

commit c0ca9d9a3a34d3dab0b41510571448f5d82c033d (origin/master, origin/HEAD, master)
Author: C*****a T**m <n******y@g*****.**m>
Date:   Mon Dec 7 11:47:47 2020 -0800

    Prune terms with invalid inet version [Cloned from CL cl/342970618 by maddychan@].

    Filter source_address and destination_address based on filter_type (inet, inet6, mixed) before adding to address book.

    Tests are broadly verifying two things:
    - Any terms referencing non-existent addressset labels are now dropped instead of being included
    - Address book entries for any address set labels referenced in individual terms are in fact being created correctly

    PiperOrigin-RevId: 346143903

commit b3e605a54f12efa1e6b0b1cfd179ee6078313c9d
Author: C*****a T**m <n******y@g*****.**m>
Date:   Wed Nov 18 17:30:30 2020 -0800

    Get PAN generator to drop stateless replies automagically added by MirACL.

    Since PAN is stateful, the generator should drop the stateless replies MirACL adds by default (regardless of whether the platform is stateful or stateless).

    Successfully generated policy spec in b/173145745#comment3 =>   https://paste.googleplex.com/6412461923106816

    PiperOrigin-RevId: 343190940

commit 1e410386dd120832c5950df8b611037e39252b9a
Author: C*****a T**m <n******y@g*****.**m>
Date:   Wed Nov 18 12:25:36 2020 -0800

    Update function GetCost in the gcp_hf.py generator due to cost calculation changes in the hierarchical firewall product.

    PiperOrigin-RevId: 343132102

commit 47f9f548a49ad079631651b530ee90a0f0b5c6b0
Author: C*****a T**m <n******y@g*****.**m>
Date:   Tue Nov 3 14:12:39 2020 -0800

    Update gcp_hf to raise errors to when target resources or port list exceed 256 items.

    Currently, when source-address or destination-address in HF terms exceeds 256 elements, the gcp_hf generator will split those rules into new rules that comply with this limit. With this change, if destination-ports and target-resources contain more than 256 entries, gcp_hf raises an error, so the user is expected to provide terms that do not exceed these limits. However, the future plan is to support splitting of these fields into different rules.

    PiperOrigin-RevId: 340522557

commit 40631a254c1df68d752bb9d20f9e48f83a8b7501
Author: L**e W******l <l*******l@f*******.**m>
Date:   Fri Oct 30 11:25:00 2020 -0700

    Updates to multitarget support.

commit 2b1782259dfbf2b3762642456bb3e4dbae79bae1
Author: C*****a T**m <n******y@g*****.**m>
Date:   Tue Oct 27 22:55:05 2020 -0700

    Add a test to ensure destination IP addresses are split into separate rules if there are more than 256 IP ranges.

    PiperOrigin-RevId: 339400225

commit 02e9d60a8aaec5cdb0cec059f43c368ed0eba079
Author: C*****a T**m <n******y@g*****.**m>
Date:   Tue Oct 27 15:02:54 2020 -0700

    Update the formula of the quota cost calculator in gcp_hf.py.

    PiperOrigin-RevId: 339337455

commit 598fe96c50924e78101588cca24382ceebcd5da9
Author: C*****a T**m <n******y@g*****.**m>
Date:   Tue Oct 27 11:26:40 2020 -0700

    Fix the issue where source and destination fields in HF cannot exceed 256 IP ranges.

    PiperOrigin-RevId: 339291627

commit a0d2f925466d1f719d9b2a13783d168c20a8d2c6
Author: C*****a T**m <n******y@g*****.**m>
Date:   Mon Oct 26 14:30:23 2020 -0700

    Update gcp_hf.py to ensure a term is nonempty before adding it to the list of policies.

    PiperOrigin-RevId: 339118530

commit 0fadc587909372f3e976878d1bfdf16699121ee3
Author: R****v S****a <r******a@g*****.**m>
Date:   Mon Oct 26 10:33:10 2020 -0700

    Fix indentation issue in ciscoasa.py

    Fixes #219

    PiperOrigin-RevId: 339067717

commit 801ded2a675acb27460e358cf79d9cba1c8cd219
Author: C*****a T**m <n******y@g*****.**m>
Date:   Fri Oct 23 16:23:32 2020 -0700

    Update the string format of the target resources field.

    PiperOrigin-RevId: 338764861

commit 7c79e701fc23afe9d0a3a8c40fbe1f26318a4aab
Author: C*****a T**m <n******y@g*****.**m>
Date:   Tue Oct 20 15:27:07 2020 -0700

    Some cosmetic changes to make ACL auditting easier.

    indent multiline comments by 1 character
    place application-sets all together
    add missing semi-colons

    Startblock:
      is approved
      and then
      has LGTM from any
      and then
      all comments are resolved
      and then
      out of freeze
      and then
      out of Network-Infrastructure/GEN/gen freeze
      and then
      on Monday, Tuesday, Wednesday, Thursday in Google/US-CAM
    PiperOrigin-RevId: 338149999

commit 334abcb337ded8985c2df807ff83eec020148a16
Author: C*****a T**m <n******y@g*****.**m>
Date:   Tue Oct 20 09:09:08 2020 -0700

    Add MS-MPC support to capirca/aclgen

    Startblock:
      is approved
      and then
      has LGTM from any
      has LGTM from tracip
      and then
      all comments are resolved
      and then
      out of freeze
      and then
      out of Network-Infrastructure/GEN/gen freeze
      and then
      on Monday, Tuesday, Wednesday, Thursday in Google/US-CAM
    PiperOrigin-RevId: 338071120

commit f4b93385bac523d4be6c9ea76f08bae5a6e373d9
Author: R****v S****a <r******a@g*****.**m>
Date:   Mon Oct 5 17:15:04 2020 -0700

    Remove redundant definition of PortMap in cisco.py

    Fixes #218

    PiperOrigin-RevId: 335533568

commit 16f0b2d16c6de04f87691819e7548c1dc13b5dfb
Author: L**e W******l <l*******l@f*******.**m>
Date:   Thu Oct 22 09:51:00 2020 -0700

    Removed tailing whitespace in policy.py.

commit 4ff7a7f4a19bae27b0fcfeeacf98856ba5060fb3
Author: L**e W******l <l*******l@f*******.**m>
Date:   Thu Oct 22 09:47:07 2020 -0700

    Removed two trailing whitespaces in fortigate_test.py

commit d1055ca98f20ffc12ef833449914d702ef17de3f
Author: L**e W******l <l*******l@f*******.**m>
Date:   Thu Oct 22 09:41:30 2020 -0700

    Minor bug fix to fortigate_test.py.

commit 881819009f9193fd72ecb02919790e84a225b35b
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Oct 21 15:31:02 2020 -0700

    Added a few missing items from policy.py, policy_simple.py, and aclgen.py.

commit 9b3cd8585d5355c7e01ca94ba9ec43a58eeb06fa
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Oct 21 15:00:29 2020 -0700

    First Round of Lint validation changes. PR Candidate.

commit 3d9e89d6f282843392c0326695fecebc19b6f83c
Author: L**e W******l <l*******l@f*******.**m>
Date:   Wed Oct 21 12:17:53 2020 -0700

    Added Fortigate modules and sample_fortigate.pol.

@rdsharma
Copy link
Contributor

rdsharma commented Jan 6, 2023

@ggiesen yes, to fix this we'd need to only see commits from Fortinet email addresses, so that the corporate CLA applies. There is also another email address at the top of your commit log. But none of this changes the fact that I don't have (actual/GitHub, ignoring legal/copyright) permissions to push to their branch. If this was something I could do for them I'd have done it a long time ago. :( It'll have to get fixed on their side, but should only take a couple minutes. We'd also need to know that there is still someone at Fortinet who will handle the review/any changes needed once we can get it kicked off.

@ggiesen
Copy link

ggiesen commented Jan 6, 2023
edited
Loading

t the corporate CLA applies. There is also another email address at the top of your commit log. But none of this changes the fact that I don't have (actual/GitHub, ignoring legal/copyright) permissions to push to their branch. If this was something I could do for them I'd have done it a long time ago. :( It'll have to get fixed on their side, but should only take a couple minutes. We'd also need to know that there is still someone at Fortinet who will handle the review/any changes needed once we can get it kicked of

@rdsharma

I think my point was lost here. According to the Google CLA docs, you can manually bypass the CLA process by setting the cla:yes tag. They'd of course still have to rebase to current master but at least it would remove one rather silly obstacle.

Or am I missing something else?

@ankenyr ankenyr mentioned this pull request Jan 23, 2023
Open
@mroe1234
Copy link

I really hope these issues can be resolved. Supporting Fortinet would be a huge benefit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
cla: no
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.