Pan-chainguard

------------------

- Major updates to guard.py:

- Allow incremental certificate updates using --update (replaces
--add)
- Allow update of only root certificates
- Add --dry-run to show what actions would be performed without
updating PAN-OS
- Add --show to show managed config
- Add --update-trusted to fix out of sync trusted root CA certificate
settings

- chainring.py: For HTML document, create hyperlink for certificate
fingerprint to crt.sh.

- chain.py:

For a root certificate the "Parent Certificate Name" is set to the
"CA Owner" field; change node tag to use CA-Owner vs Issuer. Also
quote Subject, Issuer, CA-Owner.

- chainring.py: Add --test-collisions to test for PAN-OS certificate
name collisions using the JSON certificate tree as input.

------------------

- Split chain.py into separate programs for:

- Intermediate certificate determination (chain.py)
- Certificate download (link.py)

- Re-implement chain.py to use a tree (using treelib package).

- Add chainring.py to generate documents from JSON certificate tree.

- Get CA certificates program (link.py) can use alternate certificate
sources before downloading from crt.sh.

- Allow update of root store only, without adding intermediate
certificates.

- Certificate name on PAN-OS has been changed to
'LINK-[0-9A-F]{26,26}' (sequence number replaced by 'LINK').

- Add tests for CCADB module.

- guard.py:

PAN-257401 is an issue where a specific certificate, when imported
as a device certificate and set as a trusted root CA, results in a
commit error due to a bad signature. Implement temporary workaround
to not import this certificate on --add.

- sprocket.py: Fix GitHub Issue 3.

------------------

- chain.py: Fix bug where only a single child certificate chain for a
root was used.

- Add To Do List.

- guard.py: When API import results in expired certificate error, skip
that certificate. Allows use of an older certificate archive.

- chain.py: Remove unneeded else.

- chain.py: Raise debug level to 3 for revoked and expired logging.

- chain.py: Fix incorrect indent for saving 'Intermediate with no
parent' certificate.

- Add features to allow a custom root store to replace the PAN-OS root
store.

------------------

- ccadb.py: Add functions for 'Derived Trust Bits' to ccadb module.

- chain.py: Set user-agent header to pan-chainguard/version for crt.sh
API.

- chain.py, guard.py: Generalise some message strings previously
specifying PAN-OS to prepare for using other root stores as input.

- chain.py, ccadb.py: Add pan_chainguard.ccadb module.

- Documentation improvements and fixes.

------------------

- guard.py: Cache certificate names so we can use a single API request
to enable them as trusted root CAs.

- guard.py: When device is panorama and template specified, perform
partial commit with template scope.

- chain.py: Also retry download on 503 Service Unavailable.

- guard.py: Fix partial commit using specific admin. In the XML cmd
document, <admin> needs to be within <partial> container.

- guard.py: Simplify Xpath() class.

- admin-guide.rst:

chainguard-api admin profile does require type=op because we use
synchronous commit in pan.xapi which uses 'show jobs id id-num' to
check job status.

- guard.py: Fix use of panorama from removal of global.

------------------

- guard.py: Add support for import to Panorama Template shared device
certificates.

- chain.py:

Change 'Server Authentication' not in 'Derived Trust Bits' check to
a warning. Safer to leave these valid until we can research this
more.

- Documentation improvements and fixes:

+ type=op not needed in admin role profile.

+ Add admin role profile for Panorama.

+ Document intermediate certificate name pattern.

+ There is a single *All Certificate Information (root and
intermediate) in CCADB (CSV)* data file now.