def main():
cred = authenticate()
print("authentication successful")
#import objects and policies from json
objects_file = open("objects.json").read()
objects = json.loads(objects_file)
policy_file = open("policy.json").read()
policies = json.loads(policy_file)
pkeys = policies.keys()
okeys = objects.keys()
#each object is a list the first position is the type of object
#the second position is the data
print("Objects")
for key in okeys:
r, c = api_post(cred, "add-" + objects[key][0], objects[key][1])
print(c)
print("Policies")
for key in pkeys:
if policies[key][0] in ["access-layer"]:
r, c = api_post(cred, "set-access-layer", policies[key][1])
else:
r, c = api_post(cred, "add-" + policies[key][0], policies[key][1])
print(c)
api_post(cred, "publish", {})
api_post(cred, "logout", {})
return
def host_duplicate(cred, host_uid, rule_set):
'''Creates duplicate host IF ip matches rule in rule_set
return uid of new host, return None if no new host created'''
new_host = {}
old_host, c = api_post(cred, "show-host", {"uid": host_uid})
#check to see if ip matches regex rule
new_ip, color = regex_rules(old_host["ipv4-address"], rule_set)
#if it doesn't match rule no change is needed
if new_ip == None:
return None
new_host["ipv4-address"] = new_ip
new_host["color"] = color
new_host["comments"] = old_host["comments"]
new_host["interfaces"] = old_host["interfaces"]
new_host["name"] = old_host["name"] + "-AZ-" + new_ip
new_host["nat-settings"] = old_host["nat-settings"]
tags = []
for tag in old_host["tags"]:
tags.append(tag["name"])
tags.append("New")
new_host["tags"] = tags
r, c = api_post(cred, "add-host", new_host)
#if the new object already exsists
if c != 200:
r, c = api_post(cred, "show-host", {"name": new_host["name"]})
new_uid = r["uid"]
#add tag "Old" to old object for easy deletion later
r, c = api_post(cred, "set-host", {
"uid": host_uid,
"tags": {
"add": "Old"
}
})
return new_uid
def network_duplicate(cred, network_uid, rule_set):
'''Creates duplicate network IF ip matches rule in rule_set
return uid of new network, return None if no new network created'''
new_network = {}
old_network, c = api_post(cred, "show-network", {"uid": network_uid})
#check to see if ip matches regex rule
new_ip, color = regex_rules(old_network["subnet4"], rule_set)
#if it doesn't match rule no change is needed
if new_ip == None:
return None
new_network["subnet4"] = new_ip
new_network["color"] = color
new_network["broadcast"] = old_network["broadcast"]
new_network["comments"] = old_network["comments"]
new_network["mask-length4"] = old_network["mask-length4"]
new_network["name"] = old_network["name"] + "-AZ-" + new_ip
new_network["nat-settings"] = old_network["nat-settings"]
tags = []
for tag in old_network["tags"]:
tags.append(tag["name"])
tags.append("New")
new_network["tags"] = tags
r, c = api_post(cred, "add-network", new_network)
#if the new object already exsists
if c != 200:
r, c = api_post(cred, "show-network", {"name": new_network["name"]})
new_uid = r["uid"]
#add tag "Old" to old object for easy deletion later
r, c = api_post(cred, "set-network", {
"uid": network_uid,
"tags": {
"add": "Old"
}
})
return new_uid
def cleanup(cred, object_type, uid, layer, rule_uid, source_destination):
r, c = api_post(cred, "show-" + object_type, {"uid": uid})
#put tags into one list
tag_list = []
for tag in r["tags"]:
tag_list.append(tag["name"])
#remove object from rule
#TODO: edit this when the bug of added old to new instances is fixed
if "Old" in tag_list and "New" not in tag_list:
print("Removing " + r["name"])
delete, c = api_post(
cred, "set-access-rule", {
"uid": rule_uid,
"layer": layer,
source_destination: {
"remove": r["uid"]
}
})
#we cannot rename the object unless we delete the old object
'''
def main():
cred = authenticate()
print("Authentication Successful")
#change policy query if you are adapting this to your rulebase
policy_query = {
"offset": 0,
"limit": 20,
"name": "API_Policy Network",
"details-level": "full",
"use-object-dictionary": "true"
}
r, c = api_post(cred, "show-access-rulebase", policy_query)
layer = "API_Policy Network"
#for each rule
for rule in r["rulebase"]:
rule_uid = rule["uid"]
#for each source item in that rule
for item in rule["source"]:
r, c = api_post(cred, "show-object", {"uid": item})
object_type = r["object"]["type"]
if object_type in ["host", "network"]:
cleanup(cred, object_type, item, layer, rule_uid, "source")
#for each destination item in that rule
for item in rule["destination"]:
r, c = api_post(cred, "show-object", {"uid": item})
object_type = r["object"]["type"]
if object_type in ["host", "network"]:
cleanup(cred, object_type, item, layer, rule_uid,
"destination")
api_post(cred, "publish", {})
api_post(cred, "logout", {})
return
def main():
rule_set = read_rules()
cred = authenticate()
print("Authentication Successful")
#change policy query if you are adapting this to your rulebase
policy_query = {
"offset": 0,
"limit": 20,
"name": "API_Policy Network",
"details-level": "full",
"use-object-dictionary": "true"
}
r, c = api_post(cred, "show-access-rulebase", policy_query)
layer = "API_Policy Network"
#for each rule
for rule in r["rulebase"]:
print(" --- " + rule["name"] + " --- ")
rule_uid = rule["uid"]
#for each source item in that rule
for item in rule["source"]:
r, c = api_post(cred, "show-object", {"uid": item})
object_type = r["object"]["type"]
if object_type == "host":
new_host_uid = host_duplicate(cred, item, rule_set)
#if object did not match regex rules no modification of rule needed
if new_host_uid == None:
continue
#else take new uid and add to rulebase
else:
r, c = api_post(
cred, "set-access-rule", {
"uid": rule_uid,
"layer": layer,
"source": {
"add": new_host_uid
}
})
if object_type == "network":
new_network_uid = network_duplicate(cred, item, rule_set)
#if object did not match regex rules no modification of rule needed
if new_network_uid == None:
continue
#else take new uid and add to rulebase
else:
r, c = api_post(
cred, "set-access-rule", {
"uid": rule_uid,
"layer": layer,
"source": {
"add": new_network_uid
}
})
#TODO: add handling for group object
elif object_type == "group":
continue
else:
continue
#for each destination item in that rule
for item in rule["destination"]:
r, c = api_post(cred, "show-object", {"uid": item})
object_type = r["object"]["type"]
if object_type == "host":
new_host_uid = host_duplicate(cred, item, rule_set)
#if object did not match regex rules no modification of rule needed
if new_host_uid == None:
continue
#else take new uid and add to rulebase
else:
r, c = api_post(
cred, "set-access-rule", {
"uid": rule_uid,
"layer": layer,
"destination": {
"add": new_host_uid
}
})
if object_type == "network":
new_network_uid = network_duplicate(cred, item, rule_set)
#if object did not match regex rules no modification of rule needed
if new_network_uid == None:
continue
#else take new uid and add to rulebase
else:
r, c = api_post(
cred, "set-access-rule", {
"uid": rule_uid,
"layer": layer,
"destination": {
"add": new_network_uid
}
})
#TODO: add handling for group object
elif object_type == "group":
continue
else:
continue
api_post(cred, "publish", {})
api_post(cred, "logout", {})
return