From e7931d8074d63bbd688c0c36c1520e17e6f8d670 Mon Sep 17 00:00:00 2001
From: chkp-orso <47325598+chkp-orso@users.noreply.github.com>
Date: Thu, 29 Aug 2019 06:48:37 +0300
Subject: [PATCH] access_rule module (#61281)

* access_rule module
* remove :
* fix to pass tests
* don't start line with quote (")
* remove redundant indentation
* return the origin description
* don't start line with quote (")
* enable longer lines, add '-'
* adding state: present
* update examples
* dict to list
* list to dict
* Update cp_mgmt_access_rule.py
* remove rule_number
---
.../network/checkpoint/cp_mgmt_access_rule.py | 355 ++++++++++++++++++
.../checkpoint/cp_mgmt_access_rule_facts.py | 244 ++++++++++++
2 files changed, 599 insertions(+)
create mode 100644 lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule.py
create mode 100644 lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule_facts.py

diff --git a/lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule.py b/lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule.py
new file mode 100644
index 00000000000..89f1b4a0e2d
--- /dev/null
+++ b/lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule.py
@@ -0,0 +1,355 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Ansible module to manage CheckPoint Firewall (c) 2019 +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = """ +--- +module: cp_mgmt_access_rule +short_description: Manages access-rule objects on Checkpoint over Web Services API +description: + - Manages access-rule objects on Checkpoint devices including creating, updating and removing objects. + - All operations are performed over Web Services API. +version_added: "2.9" +author: "Or Soffer (@chkp-orso)" +options: + layer: + description: + - Layer that the rule belongs to identified by the name or UID. + type: str + position: + description: + - Position in the rulebase. + type: str + name: + description: + - Object name. + type: str + required: True + action: + description: + - a "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer". + type: str + action_settings: + description: + - Action settings. + type: dict + suboptions: + enable_identity_captive_portal: + description: + - N/A + type: bool + limit: + description: + - N/A + type: str + content: + description: + - List of processed file types that this rule applies on. 
+ type: list + content_direction: + description: + - On which direction the file types processing is applied. + type: str + choices: ['any', 'up', 'down'] + content_negate: + description: + - True if negate is set for data. + type: bool + custom_fields: + description: + - Custom fields. + type: dict + suboptions: + field_1: + description: + - First custom field. + type: str + field_2: + description: + - Second custom field. + type: str + field_3: + description: + - Third custom field. + type: str + destination: + description: + - Collection of Network objects identified by the name or UID. + type: list + destination_negate: + description: + - True if negate is set for destination. + type: bool + enabled: + description: + - Enable/Disable the rule. + type: bool + inline_layer: + description: + - Inline Layer identified by the name or UID. Relevant only if "Action" was set to "Apply Layer". + type: str + install_on: + description: + - Which Gateways identified by the name or UID to install the policy on. + type: list + service: + description: + - Collection of Network objects identified by the name or UID. + type: list + service_negate: + description: + - True if negate is set for service. + type: bool + source: + description: + - Collection of Network objects identified by the name or UID. + type: list + source_negate: + description: + - True if negate is set for source. + type: bool + time: + description: + - List of time objects. For example, "Weekend", "Off-Work", "Every-Day". + type: list + track: + description: + - Track Settings. + type: dict + suboptions: + accounting: + description: + - Turns accounting for track on and off. + type: bool + alert: + description: + - Type of alert for the track. + type: str + choices: ['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3'] + enable_firewall_session: + description: + - Determine whether to generate session log to firewall only connections. 
+ type: bool + per_connection: + description: + - Determines whether to perform the log per connection. + type: bool + per_session: + description: + - Determines whether to perform the log per session. + type: bool + type: + description: + - a "Log", "Extended Log", "Detailed Log", "None". + type: str + user_check: + description: + - User check settings. + type: dict + suboptions: + confirm: + description: + - N/A + type: str + choices: ['per rule', 'per category', 'per application/site', 'per data type'] + custom_frequency: + description: + - N/A + type: dict + suboptions: + every: + description: + - N/A + type: int + unit: + description: + - N/A + type: str + choices: ['hours', 'days', 'weeks', 'months'] + frequency: + description: + - N/A + type: str + choices: ['once a day', 'once a week', 'once a month', 'custom frequency...'] + interaction: + description: + - N/A + type: str + vpn: + description: + - Communities or Directional. + type: list + suboptions: + community: + description: + - List of community name or UID. + type: list + directional: + description: + - Communities directional match condition. + type: list + suboptions: + from: + description: + - From community name or UID. + type: str + to: + description: + - To community name or UID. + type: str + comments: + description: + - Comments string. + type: str + details_level: + description: + - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed + representation of the object. + type: str + choices: ['uid', 'standard', 'full'] + ignore_warnings: + description: + - Apply changes ignoring warnings. + type: bool + ignore_errors: + description: + - Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. 
+ type: bool +extends_documentation_fragment: checkpoint_objects +""" + +EXAMPLES = """ +- name: add-access-rule + cp_mgmt_access_rule: + layer: Network + name: Rule 1 + position: 1 + service: + - SMTP + - AOL + state: present + +- name: set-access-rule + cp_mgmt_access_rule: + action: Ask + action_settings: + enable_identity_captive_portal: true + limit: Upload_1Gbps + layer: Network + name: Rule 1 + state: present + +- name: delete-access-rule + cp_mgmt_access_rule: + layer: Network + name: Rule 2 + state: absent +""" + +RETURN = """ +cp_mgmt_access_rule: + description: The checkpoint object created or updated. + returned: always, except when deleting the object. + type: dict +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.connection import Connection +from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_objects, api_call, api_call_for_rule + + +def main(): + argument_spec = dict( + layer=dict(type='str'), + position=dict(type='str'), + name=dict(type='str', required=True), + action=dict(type='str'), + action_settings=dict(type='dict', options=dict( + enable_identity_captive_portal=dict(type='bool'), + limit=dict(type='str') + )), + content=dict(type='list'), + content_direction=dict(type='str', choices=['any', 'up', 'down']), + content_negate=dict(type='bool'), + custom_fields=dict(type='dict', options=dict( + field_1=dict(type='str'), + field_2=dict(type='str'), + field_3=dict(type='str') + )), + destination=dict(type='list'), + destination_negate=dict(type='bool'), + enabled=dict(type='bool'), + inline_layer=dict(type='str'), + install_on=dict(type='list'), + service=dict(type='list'), + service_negate=dict(type='bool'), + source=dict(type='list'), + source_negate=dict(type='bool'), + time=dict(type='list'), + track=dict(type='dict', options=dict( + accounting=dict(type='bool'), + alert=dict(type='str', choices=['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user 
alert 3']), + enable_firewall_session=dict(type='bool'), + per_connection=dict(type='bool'), + per_session=dict(type='bool'), + type=dict(type='str') + )), + user_check=dict(type='dict', options=dict( + confirm=dict(type='str', choices=['per rule', 'per category', 'per application/site', 'per data type']), + custom_frequency=dict(type='dict', options=dict( + every=dict(type='int'), + unit=dict(type='str', choices=['hours', 'days', 'weeks', 'months']) + )), + frequency=dict(type='str', choices=['once a day', 'once a week', 'once a month', 'custom frequency...']), + interaction=dict(type='str') + )), + vpn=dict(type='list', options=dict( + community=dict(type='list'), + directional=dict(type='list', options=dict( + to=dict(type='str') + )) + )), + comments=dict(type='str'), + details_level=dict(type='str', choices=['uid', 'standard', 'full']), + ignore_warnings=dict(type='bool'), + ignore_errors=dict(type='bool') + ) + argument_spec['vpn']['options']['directional']['options']['from'] = dict(type='str') + argument_spec.update(checkpoint_argument_spec_for_objects) + + module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True) + api_call_object = 'access-rule' + + if module.params['action'] is None and module.params['position'] is None: + result = api_call(module, api_call_object) + else: + result = api_call_for_rule(module, api_call_object) + + module.exit_json(**result) + + +if __name__ == '__main__': + main() diff --git a/lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule_facts.py b/lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule_facts.py new file mode 100644 index 00000000000..ed76ca1176d --- /dev/null +++ b/lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule_facts.py 
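Review bot: `layer` is declared as a plain optional `str` in the argument_spec, yet every example passes it and the add/set/delete-access-rule calls presumably reject a request without it, so a missing layer only surfaces as an opaque API error after the session is opened; declaring it `layer=dict(type='str', required=True)` fails the task locally with a clear message. A security-relevant caveat belongs in the documentation: the `add-access-rule` example sets `service` but no `action`, `source` or `destination`, so the rule that lands in the policy takes whatever defaults the management server applies (presumably Any/Any and the server's default action), and the `action` description should say so, e.g. `- Set explicitly; a rule added without it takes the management server's default action.`. Relatedly, `action` and `track.type` are documented as closed sets but carry no `choices`, unlike `content_direction` and `track.alert`, so a typo such as `Acept` is caught only server-side; if the API accepts exactly the documented strings, adding `choices` to both would be consistent with the rest of the spec. The dispatch between `api_call` and `api_call_for_rule` on whether `action` or `position` was supplied is not explained, and a one-line comment on why those two parameters select the rule-specific path would help the next maintainer.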
@@ -0,0 +1,244 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Ansible module to manage CheckPoint Firewall (c) 2019 +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = """ +--- +module: cp_mgmt_access_rule_facts +short_description: Get access-rule objects facts on Checkpoint over Web Services API +description: + - Get access-rule objects facts on Checkpoint devices. + - All operations are performed over Web Services API. + - This module handles both operations, get a specific object and get several objects, + For getting a specific object use the parameter 'name'. +version_added: "2.9" +author: "Or Soffer (@chkp-orso)" +options: + name: + description: + - Object name. Should be unique in the domain. + type: str + layer: + description: + - Layer that the rule belongs to identified by the name or UID. + type: str + show_as_ranges: + description: + - When true, the source, destination and services & applications parameters are displayed as ranges of IP addresses and port numbers rather than + network objects.
Objects that are not represented using IP addresses or port numbers are presented as objects.
In addition, the response + of each rule does not contain the parameters, source, source-negate, destination, destination-negate, service and service-negate, but instead it + contains the parameters, source-ranges, destination-ranges and service-ranges.

Note, Requesting to show rules as ranges is limited up to + 20 rules per request, otherwise an error is returned. If you wish to request more rules, use the offset and limit parameters to limit your request. + type: bool + show_hits: + description: + - N/A + type: bool + hits_settings: + description: + - N/A + type: dict + suboptions: + from_date: + description: + - Format, 'YYYY-MM-DD', 'YYYY-mm-ddThh:mm:ss'. + type: str + target: + description: + - Target gateway name or UID. + type: str + to_date: + description: + - Format, 'YYYY-MM-DD', 'YYYY-mm-ddThh:mm:ss'. + type: str + details_level: + description: + - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed + representation of the object. + type: str + choices: ['uid', 'standard', 'full'] + filter: + description: + - Search expression to filter the rulebase. The provided text should be exactly the same as it would be given in Smart Console. The logical + operators in the expression ('AND', 'OR') should be provided in capital letters. If an operator is not used, the default OR operator applies. + type: str + filter_settings: + description: + - Sets filter preferences. + type: dict + suboptions: + search_mode: + description: + - When set to 'general', both the Full Text Search and Packet Search are enabled. In this mode, Packet Search will not match on 'Any' + object, a negated cell or a group-with-exclusion. When the search-mode is set to 'packet', by default, the match on 'Any' object, a negated cell + or a group-with-exclusion are enabled. packet-search-settings may be provided to change the default behavior. + type: str + choices: ['general', 'packet'] + packet_search_settings: + description: + - When 'search-mode' is set to 'packet', this object allows to set the packet search preferences. 
+ type: dict + suboptions: + expand_group_members: + description: + - When true, if the search expression contains a UID or a name of a group object, results will include rules that match on at + least one member of the group. + type: bool + expand_group_with_exclusion_members: + description: + - When true, if the search expression contains a UID or a name of a group-with-exclusion object, results will include rules that + match at least one member of the "include" part and is not a member of the "except" part. + type: bool + match_on_any: + description: + - Whether to match on 'Any' object. + type: bool + match_on_group_with_exclusion: + description: + - Whether to match on a group-with-exclusion. + type: bool + match_on_negate: + description: + - Whether to match on a negated cell. + type: bool + limit: + description: + - No more than that many results will be returned. + This parameter is relevant only for getting few objects. + type: int + offset: + description: + - Skip that many results before beginning to return them. + This parameter is relevant only for getting few objects. + type: int + order: + description: + - Sorts results by the given field. By default the results are sorted in the ascending order by name. + This parameter is relevant only for getting few objects. + type: list + suboptions: + ASC: + description: + - Sorts results by the given field in ascending order. + type: str + choices: ['name'] + DESC: + description: + - Sorts results by the given field in descending order. + type: str + choices: ['name'] + package: + description: + - Name of the package. + type: str + use_object_dictionary: + description: + - N/A + type: bool + dereference_group_members: + description: + - Indicates whether to dereference "members" field by details level for every object in reply. + type: bool + show_membership: + description: + - Indicates whether to calculate and show "groups" field for every object in reply. 
+ type: bool +extends_documentation_fragment: checkpoint_facts +""" + +EXAMPLES = """ +- name: show-access-rule + cp_mgmt_access_rule_facts: + layer: Network + name: Rule 1 + +- name: show-access-rulebase + cp_mgmt_access_rule_facts: + details_level: standard + limit: 20 + name: Network + offset: 0 + use_object_dictionary: true +""" + +RETURN = """ +ansible_facts: + description: The checkpoint object facts. + returned: always. + type: dict +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_facts, api_call_facts_for_rule + + +def main(): + argument_spec = dict( + name=dict(type='str'), + layer=dict(type='str'), + show_as_ranges=dict(type='bool'), + show_hits=dict(type='bool'), + hits_settings=dict(type='dict', options=dict( + from_date=dict(type='str'), + target=dict(type='str'), + to_date=dict(type='str') + )), + details_level=dict(type='str', choices=['uid', 'standard', 'full']), + filter=dict(type='str'), + filter_settings=dict(type='dict', options=dict( + search_mode=dict(type='str', choices=['general', 'packet']), + packet_search_settings=dict(type='dict', options=dict( + expand_group_members=dict(type='bool'), + expand_group_with_exclusion_members=dict(type='bool'), + match_on_any=dict(type='bool'), + match_on_group_with_exclusion=dict(type='bool'), + match_on_negate=dict(type='bool') + )) + )), + limit=dict(type='int'), + offset=dict(type='int'), + order=dict(type='list', options=dict( + ASC=dict(type='str', choices=['name']), + DESC=dict(type='str', choices=['name']) + )), + package=dict(type='str'), + use_object_dictionary=dict(type='bool'), + dereference_group_members=dict(type='bool'), + show_membership=dict(type='bool') + ) + argument_spec.update(checkpoint_argument_spec_for_facts) + + module = AnsibleModule(argument_spec=argument_spec) + + api_call_object = "access-rule" + api_call_object_plural_version = "access-rulebase" + + result = 
api_call_facts_for_rule(module, api_call_object, api_call_object_plural_version) + module.exit_json(ansible_facts=result) + + +if __name__ == '__main__': + main()
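Review bot: The facts module constructs `AnsibleModule(argument_spec=argument_spec)` without `supports_check_mode=True`, so a play run with `--check` skips this read-only lookup and any later task that consumes its facts sees them undefined; `module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)` is the usual declaration for a `_facts` module that only issues show calls. The `name` description ("Object name. Should be unique in the domain.") does not match its second use: the `show-access-rulebase` example passes `name: Network`, i.e. the layer name, while the first example pairs `name: Rule 1` with `layer: Network`, so which object `name` identifies depends on whether `layer` is set, and the description should say so, e.g. `- Rule name when C(layer) is given; otherwise the name of the access layer whose rulebase is shown.`. The split between the single-object and rulebase calls happens inside `api_call_facts_for_rule`, which is outside this patch, so the exact selection rule is inferred from the examples only.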