def main():
payload = dict(name=dict(type='str', required=True),
ip_address=dict(type='str'),
port=dict(type='int', required=True),
identifier=dict(type='str'),
waf_host=dict(type='str', required=True),
service_name=dict(type='str', required=True),
comments=dict(type='str'),
status=dict(type='str', required=True),
address_version=dict(type='str'),
hostname=dict(type='str'),
state=dict(type='str', required=True))
choice_map = {"present": svr_create, "absent": svr_delete}
module = AnsibleModule(argument_spec=payload)
logs = logger()
is_error, has_changed, result = choice_map.get(module.params['state'])(
module.params)
if not is_error:
module.exit_json(changed=has_changed, meta=result)
else:
module.fail_json(msg="Error executing this request", meta=result)
def svr_update(data):
logs = logger()
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_name = data['name']
svc_name = data['service_name']
svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers/" + svr_name
update_payload = {
"hostname": data['hostname'],
"port": data['port'],
"status": data['status'],
"ip-address": data['ip_address'],
"identifier": data['identifier'],
"comments": data['comments']
}
delete_list = list()
for key in update_payload.keys():
if update_payload.values() is None:
delete_list = list.append[key]
for key in delete_list:
del update_payload[key]
r = requests.put(svr_url,
headers=headers,
data=json.dumps(update_payload),
verify=False)
if r.status_code == 200:
result = {"status_code": r.status_code, "msg": r.text}
return False, True, result
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def main():
payload = dict(name=dict(type='str', required=True),
comments=dict(type='str'),
url_match=dict(type='str', required=True),
extended_match_sequence=dict(type='int',
required=False,
default=1000),
extended_match=dict(type='str', default="*"),
web_firewall_policy=dict(type='str', default="default"),
host_match=dict(type='str', required=True),
status=dict(type='str', default="On"),
app_id=dict(type='str'),
access_log=dict(type='str', default="Enable"),
mode=dict(type='str', default="Passive"),
waf_host=dict(type='str', required=True),
service_name=dict(type='str', required=True),
state=dict(type='str', required=True))
choice_map = {"present": rule_grp_create, "absent": rule_grp_delete}
logs = logger()
module = AnsibleModule(argument_spec=payload)
is_error, has_changed, result = choice_map.get(module.params['state'])(
module.params)
if not is_error:
module.exit_json(changed=has_changed, meta=result)
else:
module.fail_json(msg="Error executing this request", meta=result)
def system_info(data):
logs = logger()
headers, waf_ip, waf_port, proto = token(data['waf_host'])
system_update_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/system"
r = requests.get(system_update_url, headers=headers, verify=False)
system_info = json.loads(r.text)
wan_params = system_info['data']['System']
system_ip = wan_params["WAN Configuration"]['ip-address']
return system_ip
def svr_create(data):
logs = logger()
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svr_name = data['name']
svc_name = data['service_name']
svr_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers/" + svr_name
svr_info = requests.get(svr_url, headers=headers, verify=False)
#del data['waf_host']
#del data['state']
#del data['service_name']
if svr_info.status_code == 200:
#check for server parameters to figure if PUT is required
#if svr_info = data_info:
return svr_update(data)
if svr_info.status_code == 404:
svr_payload = {
"ip-address": data['ip_address'],
"comments": data['comments'],
"name": data['name'],
"status": data['status'],
"port": data['port'],
"identifier": data['identifier'],
"address-version": data['address_version'],
"hostname": data['hostname']
}
if data['identifier'] != "Hostname":
del svr_payload['hostname']
svr_common_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/content-rules/" + data[
'rule_group_name'] + "/content-rule-servers"
r = requests.post(svr_common_url,
data=json.dumps(svr_payload),
headers=headers,
verify=False)
if r.status_code == 201:
return svr_update(data)
else:
result = {"status_code": r.status_code, "msg": r.text}
return True, False, result
def main():
payload = dict(
waf_host=dict(type='str', required=True),
service_name=dict(type='str', required=True),
enable_hsts=dict(type='str'),
include_hsts_sub_domains=dict(type='list'),
enable_tls_1_3=dict(type='str'),
override_ciphers_tls_1_1=dict(type='str'),
enable_pfs=dict(type='str'),
selected_ciphers=dict(type='list'),
override_ciphers_tls_1=dict(type='str'),
enable_sni=dict(type='str'),
override_ciphers_ssl3=dict(type='str'),
certificate=dict(type='str'),
enable_tls_1_1=dict(type='str'),
sni_ecdsa_certificate=dict(type='str'),
ciphers=dict(type='list'),
enable_strict_sni_check=dict(type='str'),
enable_tls_1_2=dict(type='str'),
enable_ssl_3=dict(type='str'),
ecdsa_certificate=dict(type='str'),
enable_tls_1=dict(type='str'),
status=dict(type='str', required=True),
hsts_max_age=dict(type='int'),
domain=dict(type='list'),
sni_certificate=dict(type='str'),
)
logs = logger()
config_map = {
"on": ssl_config_update,
"off": ssl_config_update,
}
module = AnsibleModule(argument_spec=payload)
logs.debug(type(module))
is_error, has_changed, result = config_map.get(module.params['status'])(
module.params)
if not is_error:
module.exit_json(changed=has_changed, meta=result)
else:
module.fail_json(msg="Error executing this request", meta=result)
def main():
# define available arguments/parameters a user can pass to the module
payload = dict(
waf_host=dict(type='str', required=True),
name=dict(type='str', required=True),
port=dict(type='int', required=True),
ip_address=dict(type='str', required=True),
service_type=dict(type='str', required=True),
state=dict(type='str', required=True),
address_version=dict(type='str', default='IPv4'),
app_id=dict(type='str'),
certificate=dict(type='str'),
vsite=dict(type='str'),
group=dict(type='str'),
mask=dict(type='str'),
status=dict(type='str', default='On'),
comments=dict(type='str', default='Created by Ansible Playbook'),
enable_access_logs=dict(type='str'),
session_timeout=dict(type='int'),
secure_site_domain=dict(type='list'),
dps_enabled=dict(type='str'),
)
choice_map = {"present": waf_svc_create, "absent": waf_svc_delete}
module = AnsibleModule(argument_spec=payload)
is_error, has_changed, result = choice_map.get(module.params['state'])(
module.params)
logs = logger()
if not is_error:
logs.debug("success condition")
logs.debug(result)
module.exit_json(changed=has_changed, meta=result)
else:
logs.debug("failure condition")
logs.debug(result)
module.fail_json(msg="Error executing this request", meta=result)
def ssl_config_update(data):
logs = logger()
headers, waf_ip, waf_port, proto = token(data['waf_host'])
svc_name = data['service_name']
svc_get_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name
r = requests.get(svc_get_url, headers=headers, verify=False)
existing_config = json.loads(r.text)
service_type = existing_config["data"][svc_name]["type"]
logs.debug(service_type)
if r.status_code == 200:
# build update payload
ssl_config_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + svc_name + "/ssl-security"
logs.debug("test message")
r = requests.get(ssl_config_url, headers=headers, verify=False)
existing_values = json.loads(r.text)
existing_config = existing_values["data"][svc_name]["SSL Security"]
ansible_config = {
"enable-tls-1-2": data['enable_tls_1_2'],
"sni-certificate": data['sni_certificate'],
"sni-ecdsa-certificate": data['sni_ecdsa_certificate'],
"override-ciphers-ssl3": data['override_ciphers_ssl3'],
"ciphers": data['ciphers'],
"selected-ciphers": data['selected_ciphers'],
"enable-strict-sni-check": data['enable_strict_sni_check'],
"enable-tls-1-3": data['enable_tls_1_3'],
"certificate": data['certificate'],
"override-ciphers-tls-1-1": data['override_ciphers_tls_1_1'],
"enable-pfs": data['enable_pfs'],
"status": data['status'],
"enable-tls-1-1": data['enable_tls_1_1'],
"domain": data['domain'],
"enable-ssl-3": data['enable_ssl_3'],
"hsts-max-age": data['hsts_max_age'],
"ecdsa-certificate": data['ecdsa_certificate'],
"override-ciphers-tls-1": data['override_ciphers_tls_1'],
"include-hsts-sub-domains": data['include_hsts_sub_domains'],
"enable-tls-1": data['enable_tls_1'],
"enable-sni": data['enable_sni'],
"enable-hsts": data['enable_hsts'],
}
if existing_config.items() == ansible_config.items():
result = {
"msg":
"existing configuration and ansible configuration are same. No changes made"
}
return False, False, result
else:
update_config_payload = dict()
update_config_payload['waf_host'] = data['waf_host']
delete_list = [
key for key, value in ansible_config.items() if value is None
]
for key in delete_list:
del ansible_config[key]
update_config_payload = ansible_config
logs.debug(update_config_payload)
r = requests.put(ssl_config_url,
data=json.dumps(update_config_payload),
headers=headers,
verify=False)
if r.status_code == 200:
#result = {"status_code": r.status_code, "msg": r.text}
return False, True, result_func(r)
else:
#result = {"status_code": r.status_code, "msg": r.text}
return True, False, result_func(r)
else:
#result={"msg":"service does not exist"}
return True, False, result_func(r)
def waf_svc_create(data):
#Picks up the service attributes from the payload var,
# makes an API call to the waf to create the service
headers, waf_ip, waf_port, proto = token(data['waf_host'])
service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/"
logs = logger()
del data['state']
service_data = {
"name": data['name'],
"ip-address": data['ip_address'],
"port": data['port'],
"app-id": data['app_id'],
"comments": data['comments'],
"address-version": data['address_version'],
"vsite": data['vsite'],
"type": data['service_type'],
"group": data['group'],
"mask": data['mask'],
"certificate": data['certificate'],
"secure-site-domain": data['secure_site_domain'],
}
service_url_get = service_url + data['name']
svc_info = requests.get(service_url_get, headers=headers, verify=False)
#when service exists and an update is required.
#need to compare the service_data attributes with the existing configuration and then
#issue a put command for the changed attribute.
if svc_info.status_code == 200:
# compare the service attributes with the payload
return waf_svc_update(data)
#when there is no service, create a service
if svc_info.status_code == 404:
delete_list = [
key for key, value in service_data.items() if value is None
]
for key in delete_list:
del service_data[key]
if service_data['ip-address'] == 'system_ip':
service_data['ip-address'] = system_info(data)
else:
pass
r = requests.post(service_url,
data=json.dumps(service_data),
headers=headers,
verify=False)
if r.status_code == 201:
if data['service_type'] == "Instant SSL":
#result={"status_code": r.status_code, "msg":r.text[1]}
return False, True, result_func(r)
else:
logs.debug("service created, checking for updates")
return waf_svc_update(data)
if r.status_code != 201:
#result= {"status_code":r.status_code, "msg": r.text[1]}
return True, False, result_func(r)
def waf_svc_update(data):
logs = logger()
headers, waf_ip, waf_port, proto = token(data['waf_host'])
service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/"
service_url_get = service_url + data['name']
svc_info = requests.get(service_url_get, headers=headers, verify=False)
config = json.loads(svc_info.text)
svc_config = config["data"][data['name']]
update_data_list = [
"app-id", "comments", "enable-access-logs", "ip-address", "mask",
"port", "session-timeout", "status"
]
existing_config = dict()
ansible_config = dict()
for attribute in update_data_list:
existing_config[attribute] = config['data'][data['name']][attribute]
svc_type = config['data'][data['name']]['type']
if svc_type == 'HTTPS':
existing_config["secure-site-domain"] = config['data'][
data['name']]['Instant SSL']['secure-site-domain']
else:
pass
#logs.debug(existing_config)
ansible_config = {
"app-id": data['app_id'],
"comments": data['comments'],
"enable-access-logs": data['enable_access_logs'],
"ip-address": data['ip_address'],
"mask": data['mask'],
"port": data['port'],
"session-timeout": data['session_timeout'],
"status": data['status'],
"secure-site-domain": data['secure_site_domain'],
}
if existing_config.items() == ansible_config.items():
result = {
"msg":
"existing configuration and ansible configuration are same. No changes made"
}
return False, False, result
else:
logs.debug("hello")
update_config_payload = dict()
update_config_payload['waf_host'] = data['waf_host']
delete_list = [
key for key, value in ansible_config.items() if value is None
]
logs.debug("****")
logs.debug(delete_list)
for key in delete_list:
del ansible_config[key]
logs.debug(ansible_config.keys())
#del ansible_config['secure-site-domain']
update_config_payload = ansible_config
#del update_config_payload['waf_host']
logs.debug("***")
if update_config_payload['ip-address'] == 'system_ip':
update_config_payload['ip-address'] = system_info(data)
else:
pass
put_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[
'name']
r = requests.put(put_url,
headers=headers,
data=json.dumps(update_config_payload),
verify=False)
logs.debug(r.text)
if r.status_code == 200:
#result = {"status_code": r.status_code, "msg": "Configuration Updated"}
#logs.debug(result)
return False, True, result_func(r)
else:
#result = {"status_code": r.status_code, "msg": r.text[1]}
return True, False, result_func(r)