def configuration_export_create(data):
backup_type = data['backup_type']
if backup_type == "partial":
headers, waf_ip, waf_port, proto = token(data['waf_host'])
config_check_point_name = data['name']
config_checkpoint_get_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/configuration-checkpoints/" + config_check_point_name
r = requests.get(config_checkpoint_get_url,
headers=headers,
verify=False)
if r.status_code == 200:
export_post_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/ops/export-configuration"
export_payload = {
"backup-type": "partial",
"name": config_check_point_name,
}
r = requests.post(export_post_url,
data=json.dumps(export_payload),
headers=headers,
verify=False)
if r.status_code == 200:
json_data = json.loads(r.text)
with open('config_file.json', 'w') as json_file:
json.dump(json_data, json_file)
#result={"status_code": r.status_code, "msg": "configuration exported"}
return False, True, result_func(r)
else:
#result={"status_code": r.status_code, "msg": r.text}
return True, False, result_func(r)
else:
#result = {"msg": "configuration checkpoint name not found"}
return True, False, result_func(r)
elif backup_type == "full":
headers, waf_ip, waf_port, proto = token(data['waf_host'])
export_post_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/ops/export-configuration"
export_payload = {
"backup-type": "full",
}
r = requests.post(export_post_url,
headers=headers,
data=json.dumps(export_payload),
verify=False)
if r.status_code == 200:
json_data = json.loads(r.text)
with open('config_file.json', 'w') as json_file:
json.dump(json_data, json_file)
#result={"status_code": r.status_code, "msg": "configuration exported"}
return False, True, result_func(r)
else:
#result={"status_code": r.status_code, "msg": "error executing this request"}
return True, False, result_func(r)
'''else:
def sec_policy_create(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
sec_policy_name = data['name']
sec_policy_get_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/security-policies/" + sec_policy_name
get_sec_policy = requests.get(sec_policy_get_url,
headers=headers,
verify=False)
if get_sec_policy.status_code == 200:
#result={"msg":"Policy exists"}
return True, False, result_func(r)
else:
sec_policy_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/security-policies"
del data['waf_host']
del data['state']
sec_policy_payload = {
"name": data['name'],
"based-on": data['based_on']
}
r = requests.post(sec_policy_url,
data=json.dumps(sec_policy_payload),
headers=headers,
verify=False)
if r.status_code == 201:
#result={"status_code":r.status_code, "msg":r.text}
return False, True, result_func(r)
else:
#result={"status_code":r.status_code, "msg":r.text}
return True, False, result_func(r)
def svr_update(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_name = data['name']
svc_name = data['service_name']
svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers/" + svr_name
update_payload = {
"hostname": data['hostname'],
"port": data['port'],
"status": data['status'],
"ip-address": data['ip_address'],
"identifier": data['identifier'],
"comments": data['comments']
}
delete_list = list()
for key in update_payload.keys():
if update_payload.values() is None:
delete_list = list.append[key]
for key in delete_list:
del update_payload[key]
r = requests.put(svr_url,
headers=headers,
data=json.dumps(update_payload),
verify=False)
if r.status_code == 200:
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def sec_policy_delete(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
sec_policy_name = data['name']
sec_policy_del_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/security-policies/" + sec_policy_name
r = requests.delete(sec_policy_del_url, headers=headers, verify=False)
#result={"status_code":r.status_code, "msg":r.text}
if r.status_code == 200:
return False, True, result_func(r)
else:
return True, False, result_func(r)
def waf_svc_delete(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
service_name = data['name']
service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + service_name
r = requests.delete(service_url, headers=headers, verify=False)
#result={"status_code":r.status_code, "msg":r.text[1]}
if r.status_code == 200:
return False, True, result_func(r)
if r.status_code != 200:
return True, False, result_func(r)
def rule_grp_delete(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
del_rule_grp_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[
'service_name'] + "/" + "content-rules/" + data['name']
r = requests.delete(del_rule_grp_url, headers=headers, verify=False)
if r.status_code == 200:
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def configuration_checkpoint_delete(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
config_check_point_name = data['name']
delete_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/configuration-checkpoints/" + config_check_point_name
r = requests.delete(delete_url, headers=headers, verify=False)
if r.status_code == 200:
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def svr_delete(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_del_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers/" + svr_name
r = requests.delete(svr_del_url, headers=headers, verify=False)
if r.status_code == 200:
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
if r.status_code != 200:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def delete_self_signed_cert(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
cert_delete_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/certificates/self-signed-certificate/" + data[
'name']
r = requests.delete(cert_delete_url, headers=headers, verify=False)
if r.status_code == 200:
#result={"status_code":r.status_code, "msg": r.text}
return False, True, result_func(r)
else:
#result={"status_code":r.status_code, "msg": r.text}
return True, False, result_func(r)
def svr_delete(data=None):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_name = data['name']
svc_name = data['service_name']
headers = {"Content-Type": "application/json", 'Authorization': auth_token}
svr_del_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers/" + svr_name
r = requests.delete(svr_del_url, headers=headers, verify=False)
if r.status_code == 200:
#result={"status_code":r.status_code, "msg": r.text}
return False, True, result_func(r)
if r.status_code != 200:
#result={"status_code":r.status_code, "msg": r.text}
return True, False, result_func(r)
def rule_grp_update(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
get_rule_grp = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[
'service_name'] + "/" + "content-rules/" + data['name']
get_rule_grp_request = requests.get(get_rule_grp,
headers=headers,
verify=False)
config = json.loads(get_rule_grp_request.text)
existing_payload = dict()
update_data = [
"app-id", "mode", "extended-match-sequence", "extended-match",
"web-firewall-policy", "host-match", "status", "url-match", "comments"
]
for key in update_data:
existing_payload[key] = config["data"][data['name']][key]
existing_payload['access-log'] = config["data"][
data['name']]["Logging"]["access-log"]
ansible_config = dict()
ansible_config = {
"app-id": data['app_id'],
"access-log": data['access_log'],
"mode": data['mode'],
"extended-match-sequence": data['extended_match_sequence'],
"extended-match": data['extended_match'],
"web-firewall-policy": data['web_firewall_policy'],
"host-match": data['host_match'],
"status": data['status'],
"url-match": data['url_match'],
"comments": data['comments']
}
for key in ansible_config.keys():
if ansible_config[key] is None:
del ansible_config[key]
if ansible_config.items() == existing_payload.items():
result = "configuration is same. Nothing to be done"
return False, False, result
else:
r = requests.put(get_rule_grp,
headers=headers,
data=json.dumps(ansible_config),
verify=False)
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
def svr_create(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_name = data['name']
svc_name = data['service_name']
svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers/" + svr_name
svr_info = requests.get(svr_url, headers=headers, verify=False)
if svr_info.status_code == 200:
#check for server parameters to figure if PUT is required
#if svr_info = data_info:
return svr_update(data)
if svr_info.status_code == 404:
svr_payload = {
"ip-address": data['ip_address'],
"comments": data['comments'],
"name": data['name'],
"status": data['status'],
"port": data['port'],
"identifier": data['identifier'],
"address-version": data['address_version'],
"hostname": data['hostname']
}
'''
if data['identifier'] != "Hostname":
del svr_payload['hostname']
'''
delete_list = [
key for key, value in svr_payload.items() if value is None
]
for key in delete_list:
del svr_payload[key]
svr_common_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers"
r = requests.post(svr_common_url,
data=json.dumps(svr_payload),
headers=headers,
verify=False)
if r.status_code == 201:
return svr_update(data)
else:
#result={"status_code":r.status_code, "msg": r.text}
return True, False, result_func(r)
def svr_create(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_name = data['name']
svc_name = data['service_name']
svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers/" + svr_name
svr_info = requests.get(svr_url, headers=headers, verify=False)
del data['waf_host']
del data['state']
del data['service_name']
if svr_info.status_code == 200:
#check for server parameters to figure if PUT is required
#if svr_info = data_info:
return svr_update(data)
if svr_info.status_code == 404:
svr_payload = {
"ip-address": data['ip_address'],
"comments": data['comments'],
"name": data['name'],
"status": data['status'],
"port": data['port'],
"identifier": data['identifier'],
"address-version": data['address_version'],
"hostname": data['hostname']
}
if data['identifier'] != "Hostname":
del svr_payload['hostname']
svr_common_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers"
r = requests.post(svr_common_url,
data=json.dumps(svr_payload),
headers=headers,
verify=False)
if r.status_code == 201:
return svr_update(data)
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def rule_grp_create(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
get_rule_grp = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[
'service_name'] + "/" + "content-rules/" + data['name']
get_rule_grp_request = requests.get(get_rule_grp,
headers=headers,
verify=False)
if get_rule_grp_request.status_code == 200:
#check for PUT requests
return rule_grp_update(data)
if get_rule_grp_request.status_code == 404:
rule_grp_payload = {
"comments": data['comments'],
"url-match": data['url_match'],
"name": data['name'],
"extended-match-sequence": data['extended_match_sequence'],
"extended-match": data['extended_match'],
"web-firewall-policy": data['web_firewall_policy'],
"host-match": data['host_match'],
"status": data['status'],
"app-id": data['app_id'],
"access-log": data['access_log'],
"mode": data['mode']
}
if rule_grp_payload['app-id'] is None:
del rule_grp_payload['app-id']
if rule_grp_payload['comments'] is None:
del rule_grp_payload['comments']
if rule_grp_payload['extended-match-sequence'] is None:
del rule_grp_payload['extended-match-sequence']
post_rule_grp_request_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[
'service_name'] + "/content-rules"
r = requests.post(post_rule_grp_request_url,
headers=headers,
data=json.dumps(rule_grp_payload),
verify=False)
if r.status_code == 201:
return rule_grp_update(data)
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def create_self_signed_cert(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
cert_create_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/certificates/self-signed-certificate"
cert_get_url = cert_create_url + "/" + data['name']
r = requests.get(cert_get_url, headers=headers, verify=False)
if r.status_code == 200:
#certificate exists
#result={"msg":"certificate exists"}
return False, False, result_func(r)
if r.status_code == 404:
payload_data = {
"allow-private-key-export": data['allow_private_key_export'],
"city": data['city'],
"common-name": data['common_name'],
"country-code": data['country_code'],
"elliptic-curve-name": "secp256r1",
"key-size": data['key_size'],
"key-type": data['key_type'],
"name": data['name'],
"organization-name": data['organization_name'],
"organizational-unit": data['organizational_unit'],
"san-certificate": data['san_certificate'],
"state": data['state'],
"status": data['status']
}
del payload_data['status']
r = requests.post(cert_create_url,
data=json.dumps(payload_data),
headers=headers,
verify=False)
if r.status_code == 201:
#result={"status_code":r.status_code, "msg": r.text}
return False, True, result_func(r)
else:
#result={"status_code":r.status_code, "msg": r.text}
return True, False, result_func(r)
def configuration_checkpoint_create(data):
headers, waf_ip, waf_port, proto = token(data['waf_host'])
config_check_point_name = data['name']
config_checkpoint_get_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/configuration-checkpoints/" + config_check_point_name
r = requests.get(config_checkpoint_get_url, headers=headers, verify=False)
if r.status_code == 200:
result = {"status_code": r.status_code, "msg": "Checkpoint exists"}
return False, False, result
else:
post_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/configuration-checkpoints"
config_checkpoint_payload = {
"name": data['name'],
"comment": data['comment']
}
r = requests.post(post_url,
headers=headers,
data=json.dumps(config_checkpoint_payload),
verify=False)
if r.status_code == 201:
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def waf_svc_create(data):
#Picks up the service attributes from the payload var,
# makes an API call to the waf to create the service
headers, waf_ip, waf_port, proto = token(data['waf_host'])
service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/"
logs = logger()
del data['state']
service_data = {
"name": data['name'],
"ip-address": data['ip_address'],
"port": data['port'],
"app-id": data['app_id'],
"comments": data['comments'],
"address-version": data['address_version'],
"vsite": data['vsite'],
"type": data['service_type'],
"group": data['group'],
"mask": data['mask'],
"certificate": data['certificate'],
"secure-site-domain": data['secure_site_domain'],
}
service_url_get = service_url + data['name']
svc_info = requests.get(service_url_get, headers=headers, verify=False)
#when service exists and an update is required.
#need to compare the service_data attributes with the existing configuration and then
#issue a put command for the changed attribute.
if svc_info.status_code == 200:
# compare the service attributes with the payload
return waf_svc_update(data)
#when there is no service, create a service
if svc_info.status_code == 404:
delete_list = [
key for key, value in service_data.items() if value is None
]
for key in delete_list:
del service_data[key]
logs.debug(service_data)
r = requests.post(service_url,
data=json.dumps(service_data),
headers=headers,
verify=False)
if r.status_code == 201:
if data['service_type'] == "Instant SSL":
#result={"status_code": r.status_code, "msg":r.text[1]}
return False, True, result_func(r)
else:
logs.debug("service created, checking for updates")
return waf_svc_update(data)
if r.status_code != 201:
#result= {"status_code":r.status_code, "msg": r.text[1]}
return True, False, result_func(r)
def ssl_config_update(data):
logs = logger()
headers,waf_ip,waf_port,proto = token(data['waf_host'])
svc_name = data['service_name']
svc_get_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/services/"+svc_name
r = requests.get(svc_get_url, headers=headers, verify=False)
existing_config = json.loads(r.text)
service_type = existing_config["data"][svc_name]["type"]
logs.debug(service_type)
if r.status_code == 200:
# build update payload
ssl_config_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/services/"+svc_name+"/ssl-security"
logs.debug("test message")
r = requests.get(ssl_config_url, headers=headers, verify=False)
existing_values = json.loads(r.text)
existing_config = existing_values["data"][svc_name]["SSL Security"]
ansible_config = {
"enable-tls-1-2": data['enable_tls_1_2'],
"sni-certificate": data['sni_certificate'],
"sni-ecdsa-certificate": data['sni_ecdsa_certificate'],
"override-ciphers-ssl3": data['override_ciphers_ssl3'],
"ciphers": data['ciphers'],
"selected-ciphers": data['selected_ciphers'],
"enable-strict-sni-check": data['enable_strict_sni_check'],
"enable-tls-1-3": data['enable_tls_1_3'],
"certificate": data['certificate'],
"override-ciphers-tls-1-1": data['override_ciphers_tls_1_1'],
"enable-pfs": data['enable_pfs'],
"status": data['status'],
"enable-tls-1-1": data['enable_tls_1_1'],
"domain": data['domain'],
"enable-ssl-3": data['enable_ssl_3'],
"hsts-max-age": data['hsts_max_age'],
"ecdsa-certificate": data['ecdsa_certificate'],
"override-ciphers-tls-1": data['override_ciphers_tls_1'],
"include-hsts-sub-domains": data['include_hsts_sub_domains'],
"enable-tls-1": data['enable_tls_1'],
"enable-sni": data['enable_sni'],
"enable-hsts": data['enable_hsts'],
}
if existing_config.items() == ansible_config.items():
result={"msg": "existing configuration and ansible configuration are same. No changes made"}
return False, False, result
else:
update_config_payload = dict()
update_config_payload['waf_host'] = data['waf_host']
delete_list = [key for key,value in ansible_config.items() if value is None]
for key in delete_list:
del ansible_config[key]
update_config_payload = ansible_config
logs.debug(update_config_payload)
r = requests.put(ssl_config_url, data=json.dumps(update_config_payload), headers=headers, verify=False)
if r.status_code == 200:
#result = {"status_code": r.status_code, "msg": r.text}
return False, True, result_func(r)
else:
#result = {"status_code": r.status_code, "msg": r.text}
return True, False, result_func(r)
else:
#result={"msg":"service does not exist"}
return True, False, result_func(r)
def waf_svc_update(data):
logs = logger()
headers, waf_ip, waf_port, proto = token(data['waf_host'])
service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/"
service_url_get = service_url + data['name']
svc_info = requests.get(service_url_get, headers=headers, verify=False)
config = json.loads(svc_info.text)
svc_config = config["data"][data['name']]
update_data_list = [
"app-id", "comments", "enable-access-logs", "ip-address", "mask",
"port", "session-timeout", "status"
]
existing_config = dict()
ansible_config = dict()
for attribute in update_data_list:
existing_config[attribute] = config['data'][data['name']][attribute]
svc_type = config['data'][data['name']]['type']
if svc_type == 'HTTPS':
existing_config["secure-site-domain"] = config['data'][
data['name']]['Instant SSL']['secure-site-domain']
else:
pass
logs.debug(existing_config)
ansible_config = {
"app-id": data['app_id'],
"comments": data['comments'],
"enable-access-logs": data['enable_access_logs'],
"ip-address": data['ip_address'],
"mask": data['mask'],
"port": data['port'],
"session-timeout": data['session_timeout'],
"status": data['status'],
"secure-site-domain": data['secure_site_domain'],
}
if existing_config.items() == ansible_config.items():
result = {
"msg":
"existing configuration and ansible configuration are same. No changes made"
}
return False, False, result
else:
update_config_payload = dict()
update_config_payload['waf_host'] = data['waf_host']
delete_list = [
key for key, value in ansible_config.items() if value is None
]
logs.debug(delete_list)
for key in delete_list:
del ansible_config[key]
del ansible_config['secure-site-domain']
update_config_payload = ansible_config
#del update_config_payload['waf_host']
logs.debug("***")
logs.debug(update_config_payload)
put_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[
'name']
r = requests.put(put_url,
headers=headers,
data=json.dumps(update_config_payload),
verify=False)
logs.debug(r.text)
if r.status_code == 200:
#result = {"status_code": r.status_code, "msg": "Configuration Updated"}
#logs.debug(result)
return False, True, result_func(r)
else:
#result = {"status_code": r.status_code, "msg": r.text[1]}
return True, False, result_func(r)
