def main(): payload = dict(name=dict(type='str', required=True), ip_address=dict(type='str'), port=dict(type='int', required=True), identifier=dict(type='str'), waf_host=dict(type='str', required=True), service_name=dict(type='str', required=True), comments=dict(type='str'), status=dict(type='str', required=True), address_version=dict(type='str'), hostname=dict(type='str'), state=dict(type='str', required=True)) choice_map = {"present": svr_create, "absent": svr_delete} module = AnsibleModule(argument_spec=payload) logs = logger() is_error, has_changed, result = choice_map.get(module.params['state'])( module.params) if not is_error: module.exit_json(changed=has_changed, meta=result) else: module.fail_json(msg="Error executing this request", meta=result)
def main(): payload = dict(name=dict(type='str', required=True), comments=dict(type='str'), url_match=dict(type='str', required=True), extended_match_sequence=dict(type='int', required=False, default=1000), extended_match=dict(type='str', default="*"), web_firewall_policy=dict(type='str', default="default"), host_match=dict(type='str', required=True), status=dict(type='str', default="On"), app_id=dict(type='str'), access_log=dict(type='str', default="Enable"), mode=dict(type='str', default="Passive"), waf_host=dict(type='str', required=True), service_name=dict(type='str', required=True), state=dict(type='str', required=True)) choice_map = {"present": rule_grp_create, "absent": rule_grp_delete} logs = logger() module = AnsibleModule(argument_spec=payload) is_error, has_changed, result = choice_map.get(module.params['state'])( module.params) if not is_error: module.exit_json(changed=has_changed, meta=result) else: module.fail_json(msg="Error executing this request", meta=result)
def main(): payload = dict( waf_host = dict(type='str', required=True), service_name = dict(type='str', required=True), enable_hsts = dict(type='str'), include_hsts_sub_domains = dict(type='list'), enable_tls_1_3 = dict(type='str'), override_ciphers_tls_1_1 = dict(type='str'), enable_pfs = dict(type='str'), selected_ciphers = dict(type='list'), override_ciphers_tls_1 = dict(type='str'), enable_sni = dict(type='str'), override_ciphers_ssl3 = dict(type='str'), certificate = dict(type='str'), enable_tls_1_1 = dict(type='str'), sni_ecdsa_certificate = dict(type='str'), ciphers = dict(type='list'), enable_strict_sni_check = dict(type='str'), enable_tls_1_2 = dict(type='str'), enable_ssl_3 = dict(type='str'), ecdsa_certificate = dict(type='str'), enable_tls_1 = dict(type='str'), status = dict(type='str', required=True), hsts_max_age = dict(type='int'), domain = dict(type='list'), sni_certificate = dict(type='str'), ) logs=logger() config_map = { "on": ssl_config_update, "off": ssl_config_update, } module = AnsibleModule(argument_spec=payload) logs.debug(type(module)) is_error, has_changed, result = config_map.get(module.params['status'])(module.params) if not is_error: module.exit_json(changed=has_changed, meta=result) else: module.fail_json(msg="Error executing this request", meta=result)
def main(): # define available arguments/parameters a user can pass to the module payload = dict( waf_host=dict(type='str', required=True), name=dict(type='str', required=True), port=dict(type='int', required=True), ip_address=dict(type='str', required=True), service_type=dict(type='str', required=True), state=dict(type='str', required=True), address_version=dict(type='str', default='IPv4'), app_id=dict(type='str'), certificate=dict(type='str'), vsite=dict(type='str'), group=dict(type='str'), mask=dict(type='str'), status=dict(type='str', default='On'), comments=dict(type='str', default='Created by Ansible Playbook'), enable_access_logs=dict(type='str'), session_timeout=dict(type='int'), secure_site_domain=dict(type='list'), dps_enabled=dict(type='str'), ) choice_map = {"present": waf_svc_create, "absent": waf_svc_delete} module = AnsibleModule(argument_spec=payload) is_error, has_changed, result = choice_map.get(module.params['state'])( module.params) logs = logger() if not is_error: logs.debug("success condition") logs.debug(result) module.exit_json(changed=has_changed, meta=result) else: logs.debug("failure condition") logs.debug(result) module.fail_json(msg="Error executing this request", meta=result)
def waf_svc_create(data): #Picks up the service attributes from the payload var, # makes an API call to the waf to create the service headers, waf_ip, waf_port, proto = token(data['waf_host']) service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" logs = logger() del data['state'] service_data = { "name": data['name'], "ip-address": data['ip_address'], "port": data['port'], "app-id": data['app_id'], "comments": data['comments'], "address-version": data['address_version'], "vsite": data['vsite'], "type": data['service_type'], "group": data['group'], "mask": data['mask'], "certificate": data['certificate'], "secure-site-domain": data['secure_site_domain'], } service_url_get = service_url + data['name'] svc_info = requests.get(service_url_get, headers=headers, verify=False) #when service exists and an update is required. #need to compare the service_data attributes with the existing configuration and then #issue a put command for the changed attribute. if svc_info.status_code == 200: # compare the service attributes with the payload return waf_svc_update(data) #when there is no service, create a service if svc_info.status_code == 404: delete_list = [ key for key, value in service_data.items() if value is None ] for key in delete_list: del service_data[key] logs.debug(service_data) r = requests.post(service_url, data=json.dumps(service_data), headers=headers, verify=False) if r.status_code == 201: if data['service_type'] == "Instant SSL": #result={"status_code": r.status_code, "msg":r.text[1]} return False, True, result_func(r) else: logs.debug("service created, checking for updates") return waf_svc_update(data) if r.status_code != 201: #result= {"status_code":r.status_code, "msg": r.text[1]} return True, False, result_func(r)
def waf_svc_update(data): logs = logger() headers, waf_ip, waf_port, proto = token(data['waf_host']) service_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" service_url_get = service_url + data['name'] svc_info = requests.get(service_url_get, headers=headers, verify=False) config = json.loads(svc_info.text) svc_config = config["data"][data['name']] update_data_list = [ "app-id", "comments", "enable-access-logs", "ip-address", "mask", "port", "session-timeout", "status" ] existing_config = dict() ansible_config = dict() for attribute in update_data_list: existing_config[attribute] = config['data'][data['name']][attribute] svc_type = config['data'][data['name']]['type'] if svc_type == 'HTTPS': existing_config["secure-site-domain"] = config['data'][ data['name']]['Instant SSL']['secure-site-domain'] else: pass logs.debug(existing_config) ansible_config = { "app-id": data['app_id'], "comments": data['comments'], "enable-access-logs": data['enable_access_logs'], "ip-address": data['ip_address'], "mask": data['mask'], "port": data['port'], "session-timeout": data['session_timeout'], "status": data['status'], "secure-site-domain": data['secure_site_domain'], } if existing_config.items() == ansible_config.items(): result = { "msg": "existing configuration and ansible configuration are same. No changes made" } return False, False, result else: update_config_payload = dict() update_config_payload['waf_host'] = data['waf_host'] delete_list = [ key for key, value in ansible_config.items() if value is None ] logs.debug(delete_list) for key in delete_list: del ansible_config[key] del ansible_config['secure-site-domain'] update_config_payload = ansible_config #del update_config_payload['waf_host'] logs.debug("***") logs.debug(update_config_payload) put_url = proto + waf_ip + ":" + waf_port + "/restapi/v3.1/services/" + data[ 'name'] r = requests.put(put_url, headers=headers, data=json.dumps(update_config_payload), verify=False) logs.debug(r.text) if r.status_code == 200: #result = {"status_code": r.status_code, "msg": "Configuration Updated"} #logs.debug(result) return False, True, result_func(r) else: #result = {"status_code": r.status_code, "msg": r.text[1]} return True, False, result_func(r)
def ssl_config_update(data): logs = logger() headers,waf_ip,waf_port,proto = token(data['waf_host']) svc_name = data['service_name'] svc_get_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/services/"+svc_name r = requests.get(svc_get_url, headers=headers, verify=False) existing_config = json.loads(r.text) service_type = existing_config["data"][svc_name]["type"] logs.debug(service_type) if r.status_code == 200: # build update payload ssl_config_url = proto+waf_ip+":"+waf_port+"/restapi/v3.1/services/"+svc_name+"/ssl-security" logs.debug("test message") r = requests.get(ssl_config_url, headers=headers, verify=False) existing_values = json.loads(r.text) existing_config = existing_values["data"][svc_name]["SSL Security"] ansible_config = { "enable-tls-1-2": data['enable_tls_1_2'], "sni-certificate": data['sni_certificate'], "sni-ecdsa-certificate": data['sni_ecdsa_certificate'], "override-ciphers-ssl3": data['override_ciphers_ssl3'], "ciphers": data['ciphers'], "selected-ciphers": data['selected_ciphers'], "enable-strict-sni-check": data['enable_strict_sni_check'], "enable-tls-1-3": data['enable_tls_1_3'], "certificate": data['certificate'], "override-ciphers-tls-1-1": data['override_ciphers_tls_1_1'], "enable-pfs": data['enable_pfs'], "status": data['status'], "enable-tls-1-1": data['enable_tls_1_1'], "domain": data['domain'], "enable-ssl-3": data['enable_ssl_3'], "hsts-max-age": data['hsts_max_age'], "ecdsa-certificate": data['ecdsa_certificate'], "override-ciphers-tls-1": data['override_ciphers_tls_1'], "include-hsts-sub-domains": data['include_hsts_sub_domains'], "enable-tls-1": data['enable_tls_1'], "enable-sni": data['enable_sni'], "enable-hsts": data['enable_hsts'], } if existing_config.items() == ansible_config.items(): result={"msg": "existing configuration and ansible configuration are same. No changes made"} return False, False, result else: update_config_payload = dict() update_config_payload['waf_host'] = data['waf_host'] delete_list = [key for key,value in ansible_config.items() if value is None] for key in delete_list: del ansible_config[key] update_config_payload = ansible_config logs.debug(update_config_payload) r = requests.put(ssl_config_url, data=json.dumps(update_config_payload), headers=headers, verify=False) if r.status_code == 200: #result = {"status_code": r.status_code, "msg": r.text} return False, True, result_func(r) else: #result = {"status_code": r.status_code, "msg": r.text} return True, False, result_func(r) else: #result={"msg":"service does not exist"} return True, False, result_func(r)