def main(): cred = authenticate() print("authentication successful") #import objects and policies from json objects_file = open("objects.json").read() objects = json.loads(objects_file) policy_file = open("policy.json").read() policies = json.loads(policy_file) pkeys = policies.keys() okeys = objects.keys() #each object is a list the first position is the type of object #the second position is the data print("Objects") for key in okeys: r, c = api_post(cred, "add-" + objects[key][0], objects[key][1]) print(c) print("Policies") for key in pkeys: if policies[key][0] in ["access-layer"]: r, c = api_post(cred, "set-access-layer", policies[key][1]) else: r, c = api_post(cred, "add-" + policies[key][0], policies[key][1]) print(c) api_post(cred, "publish", {}) api_post(cred, "logout", {}) return
def host_duplicate(cred, host_uid, rule_set): '''Creates duplicate host IF ip matches rule in rule_set return uid of new host, return None if no new host created''' new_host = {} old_host, c = api_post(cred, "show-host", {"uid": host_uid}) #check to see if ip matches regex rule new_ip, color = regex_rules(old_host["ipv4-address"], rule_set) #if it doesn't match rule no change is needed if new_ip == None: return None new_host["ipv4-address"] = new_ip new_host["color"] = color new_host["comments"] = old_host["comments"] new_host["interfaces"] = old_host["interfaces"] new_host["name"] = old_host["name"] + "-AZ-" + new_ip new_host["nat-settings"] = old_host["nat-settings"] tags = [] for tag in old_host["tags"]: tags.append(tag["name"]) tags.append("New") new_host["tags"] = tags r, c = api_post(cred, "add-host", new_host) #if the new object already exsists if c != 200: r, c = api_post(cred, "show-host", {"name": new_host["name"]}) new_uid = r["uid"] #add tag "Old" to old object for easy deletion later r, c = api_post(cred, "set-host", { "uid": host_uid, "tags": { "add": "Old" } }) return new_uid
def network_duplicate(cred, network_uid, rule_set): '''Creates duplicate network IF ip matches rule in rule_set return uid of new network, return None if no new network created''' new_network = {} old_network, c = api_post(cred, "show-network", {"uid": network_uid}) #check to see if ip matches regex rule new_ip, color = regex_rules(old_network["subnet4"], rule_set) #if it doesn't match rule no change is needed if new_ip == None: return None new_network["subnet4"] = new_ip new_network["color"] = color new_network["broadcast"] = old_network["broadcast"] new_network["comments"] = old_network["comments"] new_network["mask-length4"] = old_network["mask-length4"] new_network["name"] = old_network["name"] + "-AZ-" + new_ip new_network["nat-settings"] = old_network["nat-settings"] tags = [] for tag in old_network["tags"]: tags.append(tag["name"]) tags.append("New") new_network["tags"] = tags r, c = api_post(cred, "add-network", new_network) #if the new object already exsists if c != 200: r, c = api_post(cred, "show-network", {"name": new_network["name"]}) new_uid = r["uid"] #add tag "Old" to old object for easy deletion later r, c = api_post(cred, "set-network", { "uid": network_uid, "tags": { "add": "Old" } }) return new_uid
def cleanup(cred, object_type, uid, layer, rule_uid, source_destination): r, c = api_post(cred, "show-" + object_type, {"uid": uid}) #put tags into one list tag_list = [] for tag in r["tags"]: tag_list.append(tag["name"]) #remove object from rule #TODO: edit this when the bug of added old to new instances is fixed if "Old" in tag_list and "New" not in tag_list: print("Removing " + r["name"]) delete, c = api_post( cred, "set-access-rule", { "uid": rule_uid, "layer": layer, source_destination: { "remove": r["uid"] } }) #we cannot rename the object unless we delete the old object '''
def main(): cred = authenticate() print("Authentication Successful") #change policy query if you are adapting this to your rulebase policy_query = { "offset": 0, "limit": 20, "name": "API_Policy Network", "details-level": "full", "use-object-dictionary": "true" } r, c = api_post(cred, "show-access-rulebase", policy_query) layer = "API_Policy Network" #for each rule for rule in r["rulebase"]: rule_uid = rule["uid"] #for each source item in that rule for item in rule["source"]: r, c = api_post(cred, "show-object", {"uid": item}) object_type = r["object"]["type"] if object_type in ["host", "network"]: cleanup(cred, object_type, item, layer, rule_uid, "source") #for each destination item in that rule for item in rule["destination"]: r, c = api_post(cred, "show-object", {"uid": item}) object_type = r["object"]["type"] if object_type in ["host", "network"]: cleanup(cred, object_type, item, layer, rule_uid, "destination") api_post(cred, "publish", {}) api_post(cred, "logout", {}) return
def main(): rule_set = read_rules() cred = authenticate() print("Authentication Successful") #change policy query if you are adapting this to your rulebase policy_query = { "offset": 0, "limit": 20, "name": "API_Policy Network", "details-level": "full", "use-object-dictionary": "true" } r, c = api_post(cred, "show-access-rulebase", policy_query) layer = "API_Policy Network" #for each rule for rule in r["rulebase"]: print(" --- " + rule["name"] + " --- ") rule_uid = rule["uid"] #for each source item in that rule for item in rule["source"]: r, c = api_post(cred, "show-object", {"uid": item}) object_type = r["object"]["type"] if object_type == "host": new_host_uid = host_duplicate(cred, item, rule_set) #if object did not match regex rules no modification of rule needed if new_host_uid == None: continue #else take new uid and add to rulebase else: r, c = api_post( cred, "set-access-rule", { "uid": rule_uid, "layer": layer, "source": { "add": new_host_uid } }) if object_type == "network": new_network_uid = network_duplicate(cred, item, rule_set) #if object did not match regex rules no modification of rule needed if new_network_uid == None: continue #else take new uid and add to rulebase else: r, c = api_post( cred, "set-access-rule", { "uid": rule_uid, "layer": layer, "source": { "add": new_network_uid } }) #TODO: add handling for group object elif object_type == "group": continue else: continue #for each destination item in that rule for item in rule["destination"]: r, c = api_post(cred, "show-object", {"uid": item}) object_type = r["object"]["type"] if object_type == "host": new_host_uid = host_duplicate(cred, item, rule_set) #if object did not match regex rules no modification of rule needed if new_host_uid == None: continue #else take new uid and add to rulebase else: r, c = api_post( cred, "set-access-rule", { "uid": rule_uid, "layer": layer, "destination": { "add": new_host_uid } }) if object_type == "network": new_network_uid = network_duplicate(cred, item, rule_set) #if object did not match regex rules no modification of rule needed if new_network_uid == None: continue #else take new uid and add to rulebase else: r, c = api_post( cred, "set-access-rule", { "uid": rule_uid, "layer": layer, "destination": { "add": new_network_uid } }) #TODO: add handling for group object elif object_type == "group": continue else: continue api_post(cred, "publish", {}) api_post(cred, "logout", {}) return