new module for private cert generation (#20889)

* new module for private cert generation

* - changes based on the reviewer's comments

* - changes based on the reviewer's comments

* extra documentation per request
pull/21286/head
Ivan Bojer 8 years ago committed by John R Barker
parent 59306e2aef
commit 5b9807dbac

@ -0,0 +1,202 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Ansible module to manage PaloAltoNetworks Firewall
# (c) 2016, techbizdev <techbizdev@paloaltonetworks.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
DOCUMENTATION = '''
---
module: panos_cert_gen_ssh
short_description: generates a self-signed certificate using SSH protocol with SSH key
description:
- This module generates a self-signed certificate that can be used by GlobalProtect client, SSL connector, or
- otherwise. Root certificate must be preset on the system first. This module depends on paramiko for ssh.
author: "Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)"
version_added: "2.3"
requirements:
- paramiko
note:
- Checkmode is not supported.
options:
ip_address:
description:
- IP address (or hostname) of PAN-OS device being configured.
required: true
default: null
key_filename:
description:
- Location of the filename that is used for the auth. Either I(key_filename) or I(password) is required.
required: true
default: null
password:
description:
- Password credentials to use for auth. Either I(key_filename) or I(password) is required.
required: true
default: null
cert_friendly_name:
description:
- Human friendly certificate name (not CN but just a friendly name).
required: true
default: null
cert_cn:
description:
- Certificate CN (common name) embeded in the certificate signature.
required: true
default: null
signed_by:
description:
- Undersigning authority (CA) that MUST already be presents on the device.
required: true
default: null
rsa_nbits:
description:
- Number of bits used by the RSA algorithm for the certificate generation.
required: false
default: "2048"
'''
EXAMPLES = '''
# Generates a new self-signed certificate using ssh
- name: generate self signed certificate
panos_cert_gen_ssh:
ip_address: "192.168.1.1"
password: "paloalto"
cert_cn: "1.1.1.1"
cert_friendly_name: "test123"
signed_by: "root-ca"
'''
RETURN='''
# Default return values
'''
ANSIBLE_METADATA = {'status': ['preview'],
'supported_by': 'community',
'version': '1.0'}
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.basic import get_exception
import time
try:
import paramiko
HAS_LIB=True
except ImportError:
HAS_LIB=False
_PROMPTBUFF = 4096
def wait_with_timeout(module, shell, prompt, timeout=60):
now = time.time()
result = ""
while True:
if shell.recv_ready():
result += shell.recv(_PROMPTBUFF)
endresult = result.strip()
if len(endresult) != 0 and endresult[-1] == prompt:
break
if time.time()-now > timeout:
module.fail_json(msg="Timeout waiting for prompt")
return result
def generate_cert(module, ip_address, key_filename, password,
cert_cn, cert_friendly_name, signed_by, rsa_nbits ):
stdout = ""
client = paramiko.SSHClient()
# add policy to accept all host keys, I haven't found
# a way to retreive the instance SSH key fingerprint from AWS
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if not key_filename:
client.connect(ip_address, username="admin", password=password)
else:
client.connect(ip_address, username="admin", key_filename=key_filename)
shell = client.invoke_shell()
# wait for the shell to start
buff = wait_with_timeout(module, shell, ">")
stdout += buff
# generate self-signed certificate
if isinstance(cert_cn, list):
cert_cn = cert_cn[0]
cmd = 'request certificate generate signed-by {0} certificate-name {1} name {2} algorithm RSA rsa-nbits {3}\n'.format(
signed_by, cert_friendly_name, cert_cn, rsa_nbits)
shell.send(cmd)
# wait for the shell to complete
buff = wait_with_timeout(module, shell, ">")
stdout += buff
# exit
shell.send('exit\n')
if 'Success' not in buff:
module.fail_json(msg="Error generating self signed certificate: "+stdout)
client.close()
return stdout
def main():
argument_spec = dict(
ip_address=dict(required=True),
key_filename=dict(),
password=dict(no_log=True),
cert_cn=dict(required=True),
cert_friendly_name=dict(required=True),
rsa_nbits=dict(default='2048'),
signed_by=dict(required=True)
)
module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False,
required_one_of=[['key_filename', 'password']])
if not HAS_LIB:
module.fail_json(msg='paramiko is required for this module')
ip_address = module.params["ip_address"]
key_filename = module.params["key_filename"]
password = module.params["password"]
cert_cn = module.params["cert_cn"]
cert_friendly_name = module.params["cert_friendly_name"]
signed_by = module.params["signed_by"]
rsa_nbits = module.params["rsa_nbits"]
try:
stdout = generate_cert(module,
ip_address,
key_filename,
password,
cert_cn,
cert_friendly_name,
signed_by,
rsa_nbits)
except Exception:
exc = get_exception()
module.fail_json(msg=exc.message)
module.exit_json(changed=True, msg="okey dokey")
if __name__ == '__main__':
main()
Loading…
Cancel
Save