def configuration_export_create(data): backup_type = data['backup_type'] if backup_type == "partial": headers, waf_ip, waf_port, proto = token(data['waf_host']) config_check_point_name = data['name'] config_checkpoint_get_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/configuration-checkpoints/" + config_check_point_name r = requests.get(config_checkpoint_get_url, headers=headers, verify=False) if r.status_code == 200: export_post_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/ops/export-configuration" export_payload = { "backup-type": "partial", "name": config_check_point_name, } r = requests.post(export_post_url, data=json.dumps(export_payload), headers=headers, verify=False) if r.status_code == 200: json_data = json.loads(r.text) with open('config_file.json', 'w') as json_file: json.dump(json_data, json_file) #result={"status_code": r.status_code, "msg": "configuration exported"} return False, True, result_func(r) else: #result={"status_code": r.status_code, "msg": r.text} return True, False, result_func(r) else: #result = {"msg": "configuration checkpoint name not found"} return True, False, result_func(r) elif backup_type == "full": headers, waf_ip, waf_port, proto = token(data['waf_host']) export_post_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/ops/export-configuration" export_payload = { "backup-type": "full", } r = requests.post(export_post_url, headers=headers, data=json.dumps(export_payload), verify=False) if r.status_code == 200: json_data = json.loads(r.text) with open('config_file.json', 'w') as json_file: json.dump(json_data, json_file) #result={"status_code": r.status_code, "msg": "configuration exported"} return False, True, result_func(r) else: #result={"status_code": r.status_code, "msg": "error executing this request"} return True, False, result_func(r) '''else:
def svr_update(data): headers, waf_ip, waf_port, proto = token(data['waf_host']) update_payload = { "hostname": data['hostname'], "port": data['port'], "status": data['status'], "ip-address": data['ip_address'], "identifier": data['identifier'], "comments": data['comments'] } delete_list = list() for key in update_payload.keys(): if update_payload.values() is None: delete_list = list.append[key] for key in delete_list: del update_payload[key] svr_name = data['name'] svc_name = data['service_name'] svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers/" + svr_name r = requests.put(svr_url, headers=headers, data=json.dumps(update_payload), verify=False) if r.status_code == 200: #result={"status_code":r.status_code, "msg": r.text} return False, True, result_func(r) else: #result={"status_code":r.status_code, "msg": r.text} return True, False, result_func(r)
def system_info(data): logs = logger() headers, waf_ip, waf_port, proto = token(data['waf_host']) system_update_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/system" r = requests.get(system_update_url, headers=headers, verify=False) system_info = json.loads(r.text) wan_params = system_info['data']['System'] system_ip = wan_params["WAN Configuration"]['ip-address'] return system_ip
def waf_svc_delete(data=None): headers, waf_ip, waf_port, proto = token(data['waf_host']) service_name = data['name'] service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + service_name r = requests.delete(service_url, headers=headers, verify=False) #result={"status_code":r.status_code, "msg":r.text[1]} if r.status_code == 200: return False, True, result_func(r) if r.status_code != 200: return True, False, result_func(r)
def rule_grp_delete(data=None): headers, waf_ip, waf_port, proto = token(data['waf_host']) del_rule_grp_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[ 'service_name'] + "/" + "content-rules/" + data['name'] r = requests.delete(del_rule_grp_url, headers=headers, verify=False) if r.status_code == 200: result = {"status_code": r.status_code, "msg": r.text} return False, True, result else: result = {"status_code": r.status_code, "msg": r.text} return True, False, result
def configuration_checkpoint_delete(data=None): headers,waf_ip,waf_port,proto = token(data['waf_host']) config_check_point_name = data['name'] delete_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/configuration-checkpoints/"+config_check_point_name r = requests.delete(delete_url, headers=headers, verify=False) if r.status_code == 200: result = {"status_code": r.status_code, "msg": r.text} return False, True, result else: result = {"status_code": r.status_code, "msg": r.text} return True, False, result
def svr_delete(data=None): headers, waf_ip, waf_port, proto = token(data['waf_host']) svr_del_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/content-rules/" + data[ 'rule_group_name'] + "/content-rule-servers/" + svr_name r = requests.delete(svr_del_url, headers=headers, verify=False) if r.status_code == 200: result = {"status_code": r.status_code, "msg": r.text} return False, True, result if r.status_code != 200: result = {"status_code": r.status_code, "msg": r.text} return True, False, result
def delete_self_signed_cert(data=None): headers, waf_ip, waf_port, proto = token(data['waf_host']) cert_delete_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/certificates/self-signed-certificate/" + data[ 'name'] r = requests.delete(cert_delete_url, headers=headers, verify=False) if r.status_code == 200: #result={"status_code":r.status_code, "msg": r.text} return False, True, result_func(r) else: #result={"status_code":r.status_code, "msg": r.text} return True, False, result_func(r)
def svr_delete(data=None): headers, waf_ip, waf_port, proto = token(data['waf_host']) svr_name = data['name'] svc_name = data['service_name'] headers = {"Content-Type": "application/json", 'Authorization': auth_token} svr_del_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers/" + svr_name r = requests.delete(svr_del_url, headers=headers, verify=False) if r.status_code == 200: #result={"status_code":r.status_code, "msg": r.text} return False, True, result_func(r) if r.status_code != 200: #result={"status_code":r.status_code, "msg": r.text} return True, False, result_func(r)
def rule_grp_update(data): headers, waf_ip, waf_port, proto = token(data['waf_host']) get_rule_grp = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[ 'service_name'] + "/" + "content-rules/" + data['name'] get_rule_grp_request = requests.get(get_rule_grp, headers=headers, verify=False) config = json.loads(get_rule_grp_request.text) existing_payload = dict() update_data = [ "app-id", "mode", "extended-match-sequence", "extended-match", "web-firewall-policy", "host-match", "status", "url-match", "comments" ] for key in update_data: existing_payload[key] = config["data"][data['name']][key] existing_payload['access-log'] = config["data"][ data['name']]["Logging"]["access-log"] ansible_config = dict() ansible_config = { "app-id": data['app_id'], "access-log": data['access_log'], "mode": data['mode'], "extended-match-sequence": data['extended_match_sequence'], "extended-match": data['extended_match'], "web-firewall-policy": data['web_firewall_policy'], "host-match": data['host_match'], "status": data['status'], "url-match": data['url_match'], "comments": data['comments'] } for key in ansible_config.keys(): if ansible_config[key] is None: del ansible_config[key] if ansible_config.items() == existing_payload.items(): result = "configuration is same. Nothing to be done" return False, False, result else: r = requests.put(get_rule_grp, headers=headers, data=json.dumps(ansible_config), verify=False) result = {"status_code": r.status_code, "msg": r.text} return False, True, result
def svr_create(data): logs = logger() headers, waf_ip, waf_port, proto = token(data['waf_host']) svr_name = data['name'] svc_name = data['service_name'] svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/content-rules/" + data[ 'rule_group_name'] + "/content-rule-servers/" + svr_name svr_info = requests.get(svr_url, headers=headers, verify=False) #del data['waf_host'] #del data['state'] #del data['service_name'] if svr_info.status_code == 200: #check for server parameters to figure if PUT is required #if svr_info = data_info: return svr_update(data) if svr_info.status_code == 404: svr_payload = { "ip-address": data['ip_address'], "comments": data['comments'], "name": data['name'], "status": data['status'], "port": data['port'], "identifier": data['identifier'], "address-version": data['address_version'], "hostname": data['hostname'] } if data['identifier'] != "Hostname": del svr_payload['hostname'] svr_common_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/content-rules/" + data[ 'rule_group_name'] + "/content-rule-servers" r = requests.post(svr_common_url, data=json.dumps(svr_payload), headers=headers, verify=False) if r.status_code == 201: return svr_update(data) else: result = {"status_code": r.status_code, "msg": r.text} return True, False, result
def svr_create(data): headers, waf_ip, waf_port, proto = token(data['waf_host']) svr_name = data['name'] svc_name = data['service_name'] svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers/" + svr_name svr_info = requests.get(svr_url, headers=headers, verify=False) if svr_info.status_code == 200: #check for server parameters to figure if PUT is required #if svr_info = data_info: return svr_update(data) if svr_info.status_code == 404: svr_payload = { "ip-address": data['ip_address'], "comments": data['comments'], "name": data['name'], "status": data['status'], "port": data['port'], "identifier": data['identifier'], "address-version": data['address_version'], "hostname": data['hostname'] } ''' if data['identifier'] != "Hostname": del svr_payload['hostname'] ''' delete_list = [ key for key, value in svr_payload.items() if value is None ] for key in delete_list: del svr_payload[key] svr_common_url = proto + waf_ip + ":" + waf_port + "/restapi/v3/services/" + svc_name + "/servers" r = requests.post(svr_common_url, data=json.dumps(svr_payload), headers=headers, verify=False) if r.status_code == 201: return svr_update(data) else: #result={"status_code":r.status_code, "msg": r.text} return True, False, result_func(r)
def rule_grp_create(data): headers, waf_ip, waf_port, proto = token(data['waf_host']) get_rule_grp = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[ 'service_name'] + "/" + "content-rules/" + data['name'] get_rule_grp_request = requests.get(get_rule_grp, headers=headers, verify=False) if get_rule_grp_request.status_code == 200: #check for PUT requests return rule_grp_update(data) if get_rule_grp_request.status_code == 404: rule_grp_payload = { "comments": data['comments'], "url-match": data['url_match'], "name": data['name'], "extended-match-sequence": data['extended_match_sequence'], "extended-match": data['extended_match'], "web-firewall-policy": data['web_firewall_policy'], "host-match": data['host_match'], "status": data['status'], "app-id": data['app_id'], "access-log": data['access_log'], "mode": data['mode'] } if rule_grp_payload['app-id'] is None: del rule_grp_payload['app-id'] if rule_grp_payload['comments'] is None: del rule_grp_payload['comments'] if rule_grp_payload['extended-match-sequence'] is None: del rule_grp_payload['extended-match-sequence'] post_rule_grp_request_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[ 'service_name'] + "/content-rules" r = requests.post(post_rule_grp_request_url, headers=headers, data=json.dumps(rule_grp_payload), verify=False) if r.status_code == 201: return rule_grp_update(data) else: result = {"status_code": r.status_code, "msg": r.text} return True, False, result
def configuration_checkpoint_create(data): headers,waf_ip,waf_port,proto = token(data['waf_host']) config_check_point_name = data['name'] config_checkpoint_get_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/configuration-checkpoints/"+config_check_point_name r = requests.get(config_checkpoint_get_url, headers=headers, verify=False) if r.status_code == 200: result={"status_code": r.status_code, "msg": "Checkpoint exists"} return False, False, result else: post_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/configuration-checkpoints" config_checkpoint_payload = { "name": data['name'], "comment": data['comment'] } r=requests.post(post_url, headers=headers, data=json.dumps(config_checkpoint_payload), verify=False) if r.status_code == 201: result={"status_code": r.status_code, "msg": r.text} return False, True, result else: result={"status_code": r.status_code, "msg": r.text} return True, False, result
def create_self_signed_cert(data): headers, waf_ip, waf_port, proto = token(data['waf_host']) cert_create_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/certificates/self-signed-certificate" cert_get_url = cert_create_url + "/" + data['name'] r = requests.get(cert_get_url, headers=headers, verify=False) if r.status_code == 200: #certificate exists #result={"msg":"certificate exists"} return False, False, result_func(r) if r.status_code == 404: payload_data = { "allow-private-key-export": data['allow_private_key_export'], "city": data['city'], "common-name": data['common_name'], "country-code": data['country_code'], "elliptic-curve-name": "secp256r1", "key-size": data['key_size'], "key-type": data['key_type'], "name": data['name'], "organization-name": data['organization_name'], "organizational-unit": data['organizational_unit'], "san-certificate": data['san_certificate'], "state": data['state'], "status": data['status'] } del payload_data['status'] r = requests.post(cert_create_url, data=json.dumps(payload_data), headers=headers, verify=False) if r.status_code == 201: #result={"status_code":r.status_code, "msg": r.text} return False, True, result_func(r) else: #result={"status_code":r.status_code, "msg": r.text} return True, False, result_func(r)
def waf_svc_create(data): #Picks up the service attributes from the payload var, # makes an API call to the waf to create the service headers, waf_ip, waf_port, proto = token(data['waf_host']) service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" logs = logger() del data['state'] service_data = { "name": data['name'], "ip-address": data['ip_address'], "port": data['port'], "app-id": data['app_id'], "comments": data['comments'], "address-version": data['address_version'], "vsite": data['vsite'], "type": data['service_type'], "group": data['group'], "mask": data['mask'], "certificate": data['certificate'], "secure-site-domain": data['secure_site_domain'], } service_url_get = service_url + data['name'] svc_info = requests.get(service_url_get, headers=headers, verify=False) #when service exists and an update is required. #need to compare the service_data attributes with the existing configuration and then #issue a put command for the changed attribute. if svc_info.status_code == 200: # compare the service attributes with the payload return waf_svc_update(data) #when there is no service, create a service if svc_info.status_code == 404: delete_list = [ key for key, value in service_data.items() if value is None ] for key in delete_list: del service_data[key] if service_data['ip-address'] == 'system_ip': service_data['ip-address'] = system_info(data) else: pass r = requests.post(service_url, data=json.dumps(service_data), headers=headers, verify=False) if r.status_code == 201: if data['service_type'] == "Instant SSL": #result={"status_code": r.status_code, "msg":r.text[1]} return False, True, result_func(r) else: logs.debug("service created, checking for updates") return waf_svc_update(data) if r.status_code != 201: #result= {"status_code":r.status_code, "msg": r.text[1]} return True, False, result_func(r)
def ssl_config_update(data): logs = logger() headers, waf_ip, waf_port, proto = token(data['waf_host']) svc_name = data['service_name'] svc_get_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name r = requests.get(svc_get_url, headers=headers, verify=False) existing_config = json.loads(r.text) service_type = existing_config["data"][svc_name]["type"] logs.debug(service_type) if r.status_code == 200: # build update payload ssl_config_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/ssl-security" logs.debug("test message") r = requests.get(ssl_config_url, headers=headers, verify=False) existing_values = json.loads(r.text) existing_config = existing_values["data"][svc_name]["SSL Security"] ansible_config = { "enable-tls-1-2": data['enable_tls_1_2'], "sni-certificate": data['sni_certificate'], "sni-ecdsa-certificate": data['sni_ecdsa_certificate'], "override-ciphers-ssl3": data['override_ciphers_ssl3'], "ciphers": data['ciphers'], "selected-ciphers": data['selected_ciphers'], "enable-strict-sni-check": data['enable_strict_sni_check'], "enable-tls-1-3": data['enable_tls_1_3'], "certificate": data['certificate'], "override-ciphers-tls-1-1": data['override_ciphers_tls_1_1'], "enable-pfs": data['enable_pfs'], "status": data['status'], "enable-tls-1-1": data['enable_tls_1_1'], "domain": data['domain'], "enable-ssl-3": data['enable_ssl_3'], "hsts-max-age": data['hsts_max_age'], "ecdsa-certificate": data['ecdsa_certificate'], "override-ciphers-tls-1": data['override_ciphers_tls_1'], "include-hsts-sub-domains": data['include_hsts_sub_domains'], "enable-tls-1": data['enable_tls_1'], "enable-sni": data['enable_sni'], "enable-hsts": data['enable_hsts'], } if existing_config.items() == ansible_config.items(): result = { "msg": "existing configuration and ansible configuration are same. No changes made" } return False, False, result else: update_config_payload = dict() update_config_payload['waf_host'] = data['waf_host'] delete_list = [ key for key, value in ansible_config.items() if value is None ] for key in delete_list: del ansible_config[key] update_config_payload = ansible_config logs.debug(update_config_payload) r = requests.put(ssl_config_url, data=json.dumps(update_config_payload), headers=headers, verify=False) if r.status_code == 200: #result = {"status_code": r.status_code, "msg": r.text} return False, True, result_func(r) else: #result = {"status_code": r.status_code, "msg": r.text} return True, False, result_func(r) else: #result={"msg":"service does not exist"} return True, False, result_func(r)
def waf_svc_update(data): logs = logger() headers, waf_ip, waf_port, proto = token(data['waf_host']) service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" service_url_get = service_url + data['name'] svc_info = requests.get(service_url_get, headers=headers, verify=False) config = json.loads(svc_info.text) svc_config = config["data"][data['name']] update_data_list = [ "app-id", "comments", "enable-access-logs", "ip-address", "mask", "port", "session-timeout", "status" ] existing_config = dict() ansible_config = dict() for attribute in update_data_list: existing_config[attribute] = config['data'][data['name']][attribute] svc_type = config['data'][data['name']]['type'] if svc_type == 'HTTPS': existing_config["secure-site-domain"] = config['data'][ data['name']]['Instant SSL']['secure-site-domain'] else: pass #logs.debug(existing_config) ansible_config = { "app-id": data['app_id'], "comments": data['comments'], "enable-access-logs": data['enable_access_logs'], "ip-address": data['ip_address'], "mask": data['mask'], "port": data['port'], "session-timeout": data['session_timeout'], "status": data['status'], "secure-site-domain": data['secure_site_domain'], } if existing_config.items() == ansible_config.items(): result = { "msg": "existing configuration and ansible configuration are same. No changes made" } return False, False, result else: logs.debug("hello") update_config_payload = dict() update_config_payload['waf_host'] = data['waf_host'] delete_list = [ key for key, value in ansible_config.items() if value is None ] logs.debug("****") logs.debug(delete_list) for key in delete_list: del ansible_config[key] logs.debug(ansible_config.keys()) #del ansible_config['secure-site-domain'] update_config_payload = ansible_config #del update_config_payload['waf_host'] logs.debug("***") if update_config_payload['ip-address'] == 'system_ip': update_config_payload['ip-address'] = system_info(data) else: pass put_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[ 'name'] r = requests.put(put_url, headers=headers, data=json.dumps(update_config_payload), verify=False) logs.debug(r.text) if r.status_code == 200: #result = {"status_code": r.status_code, "msg": "Configuration Updated"} #logs.debug(result) return False, True, result_func(r) else: #result = {"status_code": r.status_code, "msg": r.text[1]} return True, False, result_func(r)