def main(): global was_changed # Initializing parameters to variables: command = module.params["command"] parameters = module.params.get("parameters") session_data = module.params.get("session-data") fingerprint = module.params.get("fingerprint") context = module.params.get("context") api_version = module.params.get("api_version") if parameters: parameters = parameters.replace("None", "null") parameters = parameters.replace("'", '"') # The following replace method must be the last replace option!!! # This is intended for running run-script API command in CLISH mode, where the "'" character is required inside the script parameter. # Example: "clish -c 'show core-dump status'" # For such case, the YML must be in the following format: 'clish -c \"show core-dump status\"' parameters = parameters.replace("\\\\\"", "'") parameters = parameters.replace("True", "true") parameters = parameters.replace("False", "false") # Finally, parse to JSON parameters = json.loads(parameters) if command == "login": # Login parameters: username = parameters.get("user", parameters.get("username")) password = parameters.get("pass", parameters.get("password")) management = parameters.get("management", "127.0.0.1") port = parameters.get("port", 443) domain = parameters.get("domain") session_timeout = parameters.get("session-timeout", 600) payload = {"session-timeout": session_timeout} client_args = APIClientArgs(server=management, port=port, context=context, api_version=api_version) client = APIClient(client_args) # Validate fingerprint: validate_fingerprint(client, fingerprint) # Tries to login: client.login(username=username, password=password, domain=domain, payload=payload) # Building a session data object session_data = { "url": management + ":" + str(port), "domain": domain, "sid": client.sid, "fingerprint": client.fingerprint, "context": client.context, "api_version": client.api_version } resp = session_data else: # Parsing the session-data argument: try: session_data = ast.literal_eval(session_data)["response"] except (ValueError, KeyError): if not session_data: error("You must specify session-data for commands that are not login (use the command \"login\"" " to obtain the session data).") else: error("session-data variable is invalid.") session_id = session_data["sid"] domain = session_data["domain"] context = session_data["context"] if api_version is None: api_version = session_data["api_version"] management = session_data["url"].split('//')[1].split('/')[0].split(':')[0] if '//' in session_data["url"] else \ session_data["url"].split('/')[0].split(':')[0] if '//' in session_data["url"] and len(session_data["url"].split('//')[1].split('/')[0].split(':')) > 1 and is_int(session_data["url"].split('//')[1].split('/')[0].split(':')[1]): port = int(session_data["url"].split('//')[1].split('/')[0].split(':')[1]) elif len(session_data["url"].split('/')[0].split(':')) > 1 and is_int(session_data["url"].split('/')[0].split(':')[1]): port = int(session_data["url"].split('/')[0].split(':')[1]) else: port = 443 fingerprint = session_data["fingerprint"] client_args = APIClientArgs(server=management, port=port, sid=session_id, context=context, api_version=api_version) client = APIClient(client_args) client.domain = domain validate_fingerprint(client, fingerprint) # Doesn't run commands that act immediately (not waiting for 'publish'), like install-policy, publish, etc. if module.check_mode and command in unavailable_in_check_commands: error("Can't run the following commands in check mode: " + str(unavailable_in_check_commands) + ". Know that your script ran fine up to this point " + ("and we've discarded the changes made, you can now run it without check mode." if command == "publish" else "and we are skipping this command."), client=client if command == "publish" else None, discard=True, logout=False, exit=True, fail=False) if command == "install-policy" and module.check_mode: command = "verify-policy" parameters = {"policy-package": parameters["policy-package"]} # Run the command: res = client.api_call(command=command, payload=parameters) if command.split("-")[0] in ["add", "delete", "set"] and res.success and not module.check_mode: was_changed = True if not res.success: error("Command '{} {}' failed{}. All changes are discarded and the session is invalidated." .format(command, parameters, " with error message: " + str(res.error_message) if hasattr(res, "error_message") else ""), client=client) resp = res.data module.exit_json(response=resp, changed=was_changed)
class CP: """ Wrapper for APIClientArgs, APIClient Parameter: ip-addr mgmgt, username, password, optional domain,port """ def __init__(self, ipaddr, username, password, domain=None, port="443"): self.api_server = ipaddr self.username = username self.password = password self.port = port #self.urlbase = "https://{ipaddr}:{port}/".format(ipaddr=self.ipaddr,port=self.port) #self.timeout = timeout if domain: self.domain = domain client_args = APIClientArgs(server=self.api_server, port=self.port) self.client = APIClient(client_args) if self.client.check_fingerprint() is False: print( "Could not get the server's fingerprint - Check connectivity with the server." ) exit(1) # login to server: if domain: login_res = self.client.login(self.username, self.password, False, self.domain) else: login_res = self.client.login(self.username, self.password) if login_res.success is False: print("Login failed:\n{}".format(login_res.error_message)) exit(1) # getting details from the user def add_rule(self, mydict): """ add rule Parameter: name, payload """ # add a rule to the top of the "Network" layer #add_rule_response = self.client.api_call("add-access-rule", # {"name": rule_name, "layer": "Network", "position": "top"}) response = self.client.api_call("add-access-rule", mydict) if response.success: print("The rule: '{}' has been added successfully".format( mydict['name'])) return (response) else: return (-1) def get_hosts(self): """ get hosts parameter: none returns list of hosts """ list_of_hosts = [] for x in range(100): # max 5000 hosts offset = x * 500 response = self.client.api_call("show-hosts", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() tmp_list_of_hosts = mydict['data']['objects'] list_of_hosts = list_of_hosts + tmp_list_of_hosts counthosts = len(tmp_list_of_hosts) if counthosts < 500: break return (list_of_hosts) def add_host(self, name, ipaddr): """ add host Parameter: name, ipaddr """ response = self.client.api_call( "add-host", { "name": name, "ip-address": ipaddr, 'set-if-exists': True, 'ignore-warnings': True }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("host: {} added successfull".format(name)) return (0) else: return (-1) def add_network(self, name, subnet, subnetmask): """ add netork object Parameter: name, subnet, subnetmask """ response = self.client.api_call("add-network", { 'name': name, 'subnet': subnet, 'subnet-mask': subnetmask }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("network: {} added successfull".format(name)) return (0) else: return (-1) def add_service_tcp(self, name, port): """ add service tcp Parameter: name,port """ response = self.client.api_call( "add-service-tcp", { "name": name, "port": port, 'set-if-exists': False, 'match-for-any': False }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("service: {} added successfull".format(name)) return (0) else: return (-1) def add_service_udp(self, name, port): """ add service udp Parameter: name,port """ response = self.client.api_call( "add-service-udp", { "name": name, "port": port, 'set-if-exists': False, 'match-for-any': False }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) print("service: {} added successfull".format(name)) return (0) else: return (-1) def get_networks(self): """ returns list of networks """ list_of_networks = [] for x in range(100): # max 5000 hosts offset = x * 500 response = self.client.api_call("show-networks", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() num_networks = mydict['data']['total'] #print (mydict) tmp_list_of_networks = mydict['res_obj']['data']['objects'] list_of_networks = list_of_networks + tmp_list_of_networks count = len(tmp_list_of_networks) if count < 500: break return (list_of_networks) def get_services_tcp(self): """ returns list of tcp services """ list_of_services = [] for x in range(100): # max 5000 hosts offset = x * 500 response = self.client.api_call("show-services-tcp", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() num_networks = mydict['data']['total'] #print (mydict) tmp_list_of_services = mydict['res_obj']['data']['objects'] list_of_services = list_of_services + tmp_list_of_services count = len(tmp_list_of_services) if count < 500: break return (list_of_services) def get_services_udp(self): """ returns list of udp services """ list_of_services = [] for x in range(100): # max 50000 offset = x * 500 response = self.client.api_call("show-services-udp", { "limit": 500, "offset": offset, "details-level": "standard" }) #pprint.pprint(response) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() num_networks = mydict['data']['total'] #print (mydict) tmp_list_of_services = mydict['res_obj']['data']['objects'] list_of_services = list_of_services + tmp_list_of_services count = len(tmp_list_of_services) if count < 500: break return (list_of_services) def get_policy_packages(self): """ POST {{server}}/show-packages Content-Type: application/json X-chkp-sid: {{session}} { "limit" : 50, "offset" : 0, "details-level" : "standard" } returns list of policy packages """ response = self.client.api_call("show-packages", { "limit": 50, "offset": 0, "details-level": "standard" }) if response.success: #print (len(response.as_dict())) mydict = response.as_dict() tmp_list = mydict['res_obj']['data']['packages'] return (tmp_list) def commit(self): """ commit changes on management """ response = self.client.api_call("publish", {}) if response.success: print("The changes were published successfully.") return (0) else: print("Failed to publish the changes.") return (-1) def call_api(self, call, item=None): """ Wrapper for api_call callnmae e.g add-host payload e.g {"name":"test123", "ip-address": "1.2.3.4"} """ if (item == None): response = self.client.api_call(call) else: response = self.client.api_call(call, item) if response.success: print("The call was successfull.") return (response) else: print("The call failed") return (response) def logout(self): """ logout of management """ response = self.client.api_call("logout") if response.success: print("Logout was successfull.") return (0) else: print("Logout failed") return (-1) def get_host_dict(self): """ returns dictionary of hosts, index is IP-Address """ mylist = self.get_hosts() obj_dictionary = {} for host in mylist: ipaddr = host.get("ipv4-address") if ipaddr is None: print(host["name"] + " has no IPv4 address. Skipping...") continue host_data = {"name": host["name"], "uid": host["uid"]} if ipaddr in obj_dictionary: obj_dictionary[ipaddr] += [host_data ] # '+=' modifies the list in place else: obj_dictionary[ipaddr] = [host_data] return obj_dictionary def get_network_dict(self): """ returns dictionary of networks, index is subnet """ obj_dictionary = {} mylist = self.get_networks() for network in mylist: subnet = network.get("subnet4") if subnet is None: continue else: netmask = network.get("subnet-mask") network_data = { "name": network["name"], "uid": network["uid"], "subnet4": network["subnet4"], "subnet-mask": network["subnet-mask"] } if subnet in obj_dictionary: obj_dictionary[subnet] += [network_data] else: obj_dictionary[subnet] = [network_data] return (obj_dictionary) def get_tcp_services_dict(self): """ returns dictionary of tcp services, index is Name """ obj_dictionary = {} mylist = self.get_services_tcp() """ {'uid': '24de2cde-dfcd-4c9b-9124-492ac4bedba7', 'name': 'Xanadu', 'type': 'service-tcp', 'domain': {'uid': 'a0bbbc99-adef-4ef8-bb6d-defdefdefdef', 'name': 'Check Point Data', 'domain-type': 'data domain'}, 'port': '1031'} """ for service in mylist: port = service.get("port") name = service.get("name") if port is None: continue service_data = { "name": service["name"], "uid": service["uid"], "port": service["port"] } if name in obj_dictionary: obj_dictionary[name] += [service_data] else: obj_dictionary[name] = [service_data] return (obj_dictionary) def get_udp_services_dict(self): """ returns dictionary of udp services, index is Name """ obj_dictionary = {} mylist = self.get_services_udp() """ {'uid': '24de2cde-dfcd-4c9b-9124-492ac4bedba7', 'name': 'Xanadu', 'type': 'service-tcp', 'domain': {'uid': 'a0bbbc99-adef-4ef8-bb6d-defdefdefdef', 'name': 'Check Point Data', 'domain-type': 'data domain'}, 'port': '1031'} """ for service in mylist: port = service.get("port") name = service.get("name") if port is None: continue service_data = { "name": service["name"], "uid": service["uid"], "port": service["port"] } if name in obj_dictionary: obj_dictionary[name] += [service_data] else: obj_dictionary[name] = [service_data] return (obj_dictionary)