class PFSenseAuthserverLDAP(object): def __init__(self, module): self.module = module self.pfsense = PFSenseModule(module) self.system = self.pfsense.get_element('system') self.authservers = self.system.findall('authserver') def _find_authserver_ldap(self, name): found = None i = 0 for authserver in self.authservers: i = list(self.system).index(authserver) if authserver.find('name').text == name and authserver.find('type').text == 'ldap': found = authserver break return (found, i) def add(self, authserver): authserver_elt, i = self._find_authserver_ldap(authserver['name']) changed = False # Replace the text CA name with the caref id authserver['ldap_caref'] = self.pfsense.get_caref(authserver['ca']) if authserver['ldap_caref'] is None and authserver['transport'] != 'tcp': self.module.fail_json(msg="could not find CA '%s'" % (authserver['ca'])) del authserver['ca'] if authserver_elt is None: changed = True if self.module.check_mode: self.module.exit_json(changed=True) authserver_elt = self.pfsense.new_element('authserver') authserver['refid'] = self.pfsense.uniqid() self.pfsense.copy_dict_to_element(authserver, authserver_elt) self.system.insert(i + 1, authserver_elt) self.pfsense.write_config(descr='ansible pfsense_authserver_ldap added %s' % (authserver['name'])) else: changed = self.pfsense.copy_dict_to_element(authserver, authserver_elt) if self.module.check_mode: self.module.exit_json(changed=changed) if changed: self.pfsense.write_config(descr='ansible pfsense_authserver_ldap updated "%s"' % (authserver['name'])) self.module.exit_json(changed=changed) def remove(self, authserver): authserver_elt, dummy = self._find_authserver_ldap(authserver['name']) changed = False if authserver_elt is not None: if self.module.check_mode: self.module.exit_json(changed=True) self.authservers.remove(authserver_elt) changed = True self.pfsense.write_config(descr='ansible pfsense_authserver_ldap removed "%s"' % (authserver['name'])) self.module.exit_json(changed=changed)
class pfSenseCA(object): def __init__(self, module): self.module = module self.pfsense = PFSenseModule(module) self.cas = self.pfsense.get_elements('ca') self.crls = self.pfsense.get_elements('crl') def _find_ca(self, name): found = None i = 0 for ca in self.cas: i = self.pfsense.get_index(ca) if ca.find('descr').text == name: found = ca break return (found, i) def _find_crl(self, caref): found = None i = 0 for crl in self.crls: i = self.pfsense.get_index(crl) if crl.find('caref').text == caref: found = crl break return (found, i) def validate_cert(self, cert): lines = cert.splitlines() if lines[0] == '-----BEGIN CERTIFICATE-----' and lines[ -1] == '-----END CERTIFICATE-----': return base64.b64encode(cert) elif re.match('LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t', cert): return cert else: self.module.fail_json( msg='Could not recognize certificate format: %s' % (cert)) def validate_crl(self, crl): lines = crl.splitlines() if lines[0] == '-----BEGIN X509 CRL-----' and lines[ -1] == '-----END X509 CRL-----': return base64.b64encode(crl) elif re.match('LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0t', crl): return crl else: self.module.fail_json(msg='Could not recognize CRL format: %s' % (crl)) def add(self, ca): ca_elt, i = self._find_ca(ca['descr']) changed = False crl = {} diff = {} if 'crl' in ca: crl['method'] = 'existing' crl['text'] = ca.pop('crl') if ca_elt is None: diff['before'] = '' changed = True ca_elt = self.pfsense.new_element('ca') ca['refid'] = self.pfsense.uniqid() if 'text' in crl: crl_elt = self.pfsense.new_element('crl') crl['refid'] = self.pfsense.uniqid() crl['descr'] = ca['descr'] + ' CRL' crl['caref'] = ca['refid'] self.pfsense.copy_dict_to_element(crl, crl_elt) self.pfsense.root.insert(i + 1, crl_elt) self.pfsense.copy_dict_to_element(ca, ca_elt) self.pfsense.root.insert(i + 1, ca_elt) descr = 'ansible pfsense_ca added %s' % (ca['descr']) else: diff['before'] = self.pfsense.element_to_dict(ca_elt) if 'text' in crl: crl_elt, crl_index = self._find_crl(ca_elt.find('refid').text) if crl_elt is None: changed = True crl_elt = self.pfsense.new_element('crl') crl['refid'] = self.pfsense.uniqid() crl['descr'] = ca['descr'] + ' CRL' crl['caref'] = ca_elt.find('refid').text self.pfsense.copy_dict_to_element(crl, crl_elt) self.pfsense.root.insert(crl_index + 1, crl_elt) else: diff['before']['crl'] = crl_elt.find('text').text changed = self.pfsense.copy_dict_to_element(crl, crl_elt) if self.pfsense.copy_dict_to_element(ca, ca_elt): changed = True descr = 'ansible pfsense_ca updated "%s"' % (ca['descr']) if changed and not self.module.check_mode: self.pfsense.write_config(descr=descr) if 'text' in crl: self.pfsense.phpshell(""" openvpn_refresh_crls(); vpn_ipsec_configure();""") diff['after'] = self.pfsense.element_to_dict(ca_elt) if 'text' in crl: diff['after']['crl'] = crl['text'] self.module.exit_json(changed=changed, diff=diff) def remove(self, ca): ca_elt, dummy = self._find_ca(ca['descr']) changed = False diff = {} diff['after'] = {} if ca_elt is not None: changed = True diff['before'] = self.pfsense.element_to_dict(ca_elt) crl_elt, dummy = self._find_crl(ca_elt.find('refid').text) self.cas.remove(ca_elt) if crl_elt is not None: diff['before']['crl'] = crl_elt.find('text').text self.crls.remove(crl_elt) else: diff['before'] = {} if changed and not self.module.check_mode: self.pfsense.write_config(descr='ansible pfsense_ca removed "%s"' % (ca['descr'])) self.module.exit_json(changed=changed, diff=diff)
class pfSenseCA(object): def __init__(self, module): self.module = module self.pfsense = PFSenseModule(module) self.cas = self.pfsense.get_elements('ca') self.crls = self.pfsense.get_elements('crl') def _find_ca(self, name): found = None i = 0 for ca in self.cas: i = self.pfsense.get_index(ca) if ca.find('descr').text == name: found = ca break return (found, i) def _find_crl(self, caref): found = None i = 0 for crl in self.crls: i = self.pfsense.get_index(crl) if crl.find('caref').text == caref: found = crl break return (found, i) def validate_cert(self, cert): # TODO - Make sure certificate purpose includes CA lines = cert.splitlines() if lines[0] == '-----BEGIN CERTIFICATE-----' and lines[ -1] == '-----END CERTIFICATE-----': return base64.b64encode(cert) elif re.match('LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t', cert): return cert else: self.module.fail_json( msg='Could not recognize certificate format: %s' % (cert)) def validate_crl(self, crl): lines = crl.splitlines() if lines[0] == '-----BEGIN X509 CRL-----' and lines[ -1] == '-----END X509 CRL-----': return base64.b64encode(crl) elif re.match('LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0t', crl): return crl else: self.module.fail_json(msg='Could not recognize CRL format: %s' % (crl)) def add(self, ca): ca_elt, ca_idx = self._find_ca(ca['descr']) changed = False crl = {} diff = {} stdout = None stderr = None if 'crl' in ca: crl['method'] = 'existing' crl['text'] = ca.pop('crl') if ca_elt is None: diff['before'] = '' changed = True ca_elt = self.pfsense.new_element('ca') ca['refid'] = self.pfsense.uniqid() self.pfsense.copy_dict_to_element(ca, ca_elt) self.pfsense.root.append(ca_elt) if 'text' in crl: crl_elt = self.pfsense.new_element('crl') crl['refid'] = self.pfsense.uniqid() crl['descr'] = ca['descr'] + ' CRL' crl['caref'] = ca['refid'] self.pfsense.copy_dict_to_element(crl, crl_elt) self.pfsense.root.append(crl_elt) descr = 'ansible pfsense_ca added %s' % (ca['descr']) else: diff['before'] = self.pfsense.element_to_dict(ca_elt) if 'text' in crl: crl_elt, crl_index = self._find_crl(ca_elt.find('refid').text) if crl_elt is None: changed = True crl_elt = self.pfsense.new_element('crl') crl['refid'] = self.pfsense.uniqid() crl['descr'] = ca['descr'] + ' CRL' crl['caref'] = ca_elt.find('refid').text self.pfsense.copy_dict_to_element(crl, crl_elt) # Add after the existing ca entry self.pfsense.root.insert(ca_idx + 1, crl_elt) else: diff['before']['crl'] = crl_elt.find('text').text changed = self.pfsense.copy_dict_to_element(crl, crl_elt) if self.pfsense.copy_dict_to_element(ca, ca_elt): changed = True descr = 'ansible pfsense_ca updated "%s"' % (ca['descr']) if changed and not self.module.check_mode: self.pfsense.write_config(descr=descr) # ca_import will base64 encode the cert + key and will fix 'caref' for CAs that reference each other # $ca needs to be an existing reference (particularly 'refid' must be set) before calling ca_import # key and serial are optional arguments. TODO - handle key and serial (dummy, stdout, stderr) = self.pfsense.phpshell(""" init_config_arr(array('ca')); $ca =& lookup_ca('{refid}'); ca_import($ca, '{cert}'); print_r($ca); print_r($config['ca']); write_config();""".format(refid=ca_elt.find('refid').text, cert=base64.b64decode( ca_elt.find('crt').text))) if 'text' in crl: self.pfsense.phpshell(""" require_once("openvpn.inc"); openvpn_refresh_crls(); require_once("vpn.inc"); vpn_ipsec_configure();""") diff['after'] = self.pfsense.element_to_dict(ca_elt) if 'text' in crl: diff['after']['crl'] = crl['text'] self.module.exit_json(changed=changed, diff=diff, stdout=stdout, stderr=stderr) def remove(self, ca): ca_elt, dummy = self._find_ca(ca['descr']) changed = False diff = {} diff['after'] = {} if ca_elt is not None: changed = True diff['before'] = self.pfsense.element_to_dict(ca_elt) crl_elt, dummy = self._find_crl(ca_elt.find('refid').text) self.cas.remove(ca_elt) if crl_elt is not None: diff['before']['crl'] = crl_elt.find('text').text self.crls.remove(crl_elt) else: diff['before'] = {} if changed and not self.module.check_mode: self.pfsense.write_config(descr='ansible pfsense_ca removed "%s"' % (ca['descr'])) self.module.exit_json(changed=changed, diff=diff)