access_rule module (#61281)

* access_rule module

* remove :

* fix to pass tests

* don't start line with quote (")

* remove redundant indentation

* return the origin description

* don't start line with quote (")

* enable longer lines, add '-'

*  adding state: present

* update examples

* dict to list

* list to dict

* Update cp_mgmt_access_rule.py

* remove rule_number
pull/61506/head
chkp-orso 5 years ago committed by Sumit Jaiswal
parent 09f4acbe51
commit e7931d8074

@ -0,0 +1,355 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Ansible module to manage CheckPoint Firewall (c) 2019
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = """
---
module: cp_mgmt_access_rule
short_description: Manages access-rule objects on Checkpoint over Web Services API
description:
- Manages access-rule objects on Checkpoint devices including creating, updating and removing objects.
- All operations are performed over Web Services API.
version_added: "2.9"
author: "Or Soffer (@chkp-orso)"
options:
layer:
description:
- Layer that the rule belongs to identified by the name or UID.
type: str
position:
description:
- Position in the rulebase.
type: str
name:
description:
- Object name.
type: str
required: True
action:
description:
- a "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".
type: str
action_settings:
description:
- Action settings.
type: dict
suboptions:
enable_identity_captive_portal:
description:
- N/A
type: bool
limit:
description:
- N/A
type: str
content:
description:
- List of processed file types that this rule applies on.
type: list
content_direction:
description:
- On which direction the file types processing is applied.
type: str
choices: ['any', 'up', 'down']
content_negate:
description:
- True if negate is set for data.
type: bool
custom_fields:
description:
- Custom fields.
type: dict
suboptions:
field_1:
description:
- First custom field.
type: str
field_2:
description:
- Second custom field.
type: str
field_3:
description:
- Third custom field.
type: str
destination:
description:
- Collection of Network objects identified by the name or UID.
type: list
destination_negate:
description:
- True if negate is set for destination.
type: bool
enabled:
description:
- Enable/Disable the rule.
type: bool
inline_layer:
description:
- Inline Layer identified by the name or UID. Relevant only if "Action" was set to "Apply Layer".
type: str
install_on:
description:
- Which Gateways identified by the name or UID to install the policy on.
type: list
service:
description:
- Collection of Network objects identified by the name or UID.
type: list
service_negate:
description:
- True if negate is set for service.
type: bool
source:
description:
- Collection of Network objects identified by the name or UID.
type: list
source_negate:
description:
- True if negate is set for source.
type: bool
time:
description:
- List of time objects. For example, "Weekend", "Off-Work", "Every-Day".
type: list
track:
description:
- Track Settings.
type: dict
suboptions:
accounting:
description:
- Turns accounting for track on and off.
type: bool
alert:
description:
- Type of alert for the track.
type: str
choices: ['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3']
enable_firewall_session:
description:
- Determine whether to generate session log to firewall only connections.
type: bool
per_connection:
description:
- Determines whether to perform the log per connection.
type: bool
per_session:
description:
- Determines whether to perform the log per session.
type: bool
type:
description:
- a "Log", "Extended Log", "Detailed Log", "None".
type: str
user_check:
description:
- User check settings.
type: dict
suboptions:
confirm:
description:
- N/A
type: str
choices: ['per rule', 'per category', 'per application/site', 'per data type']
custom_frequency:
description:
- N/A
type: dict
suboptions:
every:
description:
- N/A
type: int
unit:
description:
- N/A
type: str
choices: ['hours', 'days', 'weeks', 'months']
frequency:
description:
- N/A
type: str
choices: ['once a day', 'once a week', 'once a month', 'custom frequency...']
interaction:
description:
- N/A
type: str
vpn:
description:
- Communities or Directional.
type: list
suboptions:
community:
description:
- List of community name or UID.
type: list
directional:
description:
- Communities directional match condition.
type: list
suboptions:
from:
description:
- From community name or UID.
type: str
to:
description:
- To community name or UID.
type: str
comments:
description:
- Comments string.
type: str
details_level:
description:
- The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
representation of the object.
type: str
choices: ['uid', 'standard', 'full']
ignore_warnings:
description:
- Apply changes ignoring warnings.
type: bool
ignore_errors:
description:
- Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
type: bool
extends_documentation_fragment: checkpoint_objects
"""
EXAMPLES = """
- name: add-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 1
position: 1
service:
- SMTP
- AOL
state: present
- name: set-access-rule
cp_mgmt_access_rule:
action: Ask
action_settings:
enable_identity_captive_portal: true
limit: Upload_1Gbps
layer: Network
name: Rule 1
state: present
- name: delete-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 2
state: absent
"""
RETURN = """
cp_mgmt_access_rule:
description: The checkpoint object created or updated.
returned: always, except when deleting the object.
type: dict
"""
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_objects, api_call, api_call_for_rule
def main():
argument_spec = dict(
layer=dict(type='str'),
position=dict(type='str'),
name=dict(type='str', required=True),
action=dict(type='str'),
action_settings=dict(type='dict', options=dict(
enable_identity_captive_portal=dict(type='bool'),
limit=dict(type='str')
)),
content=dict(type='list'),
content_direction=dict(type='str', choices=['any', 'up', 'down']),
content_negate=dict(type='bool'),
custom_fields=dict(type='dict', options=dict(
field_1=dict(type='str'),
field_2=dict(type='str'),
field_3=dict(type='str')
)),
destination=dict(type='list'),
destination_negate=dict(type='bool'),
enabled=dict(type='bool'),
inline_layer=dict(type='str'),
install_on=dict(type='list'),
service=dict(type='list'),
service_negate=dict(type='bool'),
source=dict(type='list'),
source_negate=dict(type='bool'),
time=dict(type='list'),
track=dict(type='dict', options=dict(
accounting=dict(type='bool'),
alert=dict(type='str', choices=['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3']),
enable_firewall_session=dict(type='bool'),
per_connection=dict(type='bool'),
per_session=dict(type='bool'),
type=dict(type='str')
)),
user_check=dict(type='dict', options=dict(
confirm=dict(type='str', choices=['per rule', 'per category', 'per application/site', 'per data type']),
custom_frequency=dict(type='dict', options=dict(
every=dict(type='int'),
unit=dict(type='str', choices=['hours', 'days', 'weeks', 'months'])
)),
frequency=dict(type='str', choices=['once a day', 'once a week', 'once a month', 'custom frequency...']),
interaction=dict(type='str')
)),
vpn=dict(type='list', options=dict(
community=dict(type='list'),
directional=dict(type='list', options=dict(
to=dict(type='str')
))
)),
comments=dict(type='str'),
details_level=dict(type='str', choices=['uid', 'standard', 'full']),
ignore_warnings=dict(type='bool'),
ignore_errors=dict(type='bool')
)
argument_spec['vpn']['options']['directional']['options']['from'] = dict(type='str')
argument_spec.update(checkpoint_argument_spec_for_objects)
module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
api_call_object = 'access-rule'
if module.params['action'] is None and module.params['position'] is None:
result = api_call(module, api_call_object)
else:
result = api_call_for_rule(module, api_call_object)
module.exit_json(**result)
if __name__ == '__main__':
main()

@ -0,0 +1,244 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Ansible module to manage CheckPoint Firewall (c) 2019
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = """
---
module: cp_mgmt_access_rule_facts
short_description: Get access-rule objects facts on Checkpoint over Web Services API
description:
- Get access-rule objects facts on Checkpoint devices.
- All operations are performed over Web Services API.
- This module handles both operations, get a specific object and get several objects,
For getting a specific object use the parameter 'name'.
version_added: "2.9"
author: "Or Soffer (@chkp-orso)"
options:
name:
description:
- Object name. Should be unique in the domain.
type: str
layer:
description:
- Layer that the rule belongs to identified by the name or UID.
type: str
show_as_ranges:
description:
- When true, the source, destination and services & applications parameters are displayed as ranges of IP addresses and port numbers rather than
network objects.<br /> Objects that are not represented using IP addresses or port numbers are presented as objects.<br /> In addition, the response
of each rule does not contain the parameters, source, source-negate, destination, destination-negate, service and service-negate, but instead it
contains the parameters, source-ranges, destination-ranges and service-ranges.<br /><br /> Note, Requesting to show rules as ranges is limited up to
20 rules per request, otherwise an error is returned. If you wish to request more rules, use the offset and limit parameters to limit your request.
type: bool
show_hits:
description:
- N/A
type: bool
hits_settings:
description:
- N/A
type: dict
suboptions:
from_date:
description:
- Format, 'YYYY-MM-DD', 'YYYY-mm-ddThh:mm:ss'.
type: str
target:
description:
- Target gateway name or UID.
type: str
to_date:
description:
- Format, 'YYYY-MM-DD', 'YYYY-mm-ddThh:mm:ss'.
type: str
details_level:
description:
- The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
representation of the object.
type: str
choices: ['uid', 'standard', 'full']
filter:
description:
- Search expression to filter the rulebase. The provided text should be exactly the same as it would be given in Smart Console. The logical
operators in the expression ('AND', 'OR') should be provided in capital letters. If an operator is not used, the default OR operator applies.
type: str
filter_settings:
description:
- Sets filter preferences.
type: dict
suboptions:
search_mode:
description:
- When set to 'general', both the Full Text Search and Packet Search are enabled. In this mode, Packet Search will not match on 'Any'
object, a negated cell or a group-with-exclusion. When the search-mode is set to 'packet', by default, the match on 'Any' object, a negated cell
or a group-with-exclusion are enabled. packet-search-settings may be provided to change the default behavior.
type: str
choices: ['general', 'packet']
packet_search_settings:
description:
- When 'search-mode' is set to 'packet', this object allows to set the packet search preferences.
type: dict
suboptions:
expand_group_members:
description:
- When true, if the search expression contains a UID or a name of a group object, results will include rules that match on at
least one member of the group.
type: bool
expand_group_with_exclusion_members:
description:
- When true, if the search expression contains a UID or a name of a group-with-exclusion object, results will include rules that
match at least one member of the "include" part and is not a member of the "except" part.
type: bool
match_on_any:
description:
- Whether to match on 'Any' object.
type: bool
match_on_group_with_exclusion:
description:
- Whether to match on a group-with-exclusion.
type: bool
match_on_negate:
description:
- Whether to match on a negated cell.
type: bool
limit:
description:
- No more than that many results will be returned.
This parameter is relevant only for getting few objects.
type: int
offset:
description:
- Skip that many results before beginning to return them.
This parameter is relevant only for getting few objects.
type: int
order:
description:
- Sorts results by the given field. By default the results are sorted in the ascending order by name.
This parameter is relevant only for getting few objects.
type: list
suboptions:
ASC:
description:
- Sorts results by the given field in ascending order.
type: str
choices: ['name']
DESC:
description:
- Sorts results by the given field in descending order.
type: str
choices: ['name']
package:
description:
- Name of the package.
type: str
use_object_dictionary:
description:
- N/A
type: bool
dereference_group_members:
description:
- Indicates whether to dereference "members" field by details level for every object in reply.
type: bool
show_membership:
description:
- Indicates whether to calculate and show "groups" field for every object in reply.
type: bool
extends_documentation_fragment: checkpoint_facts
"""
EXAMPLES = """
- name: show-access-rule
cp_mgmt_access_rule_facts:
layer: Network
name: Rule 1
- name: show-access-rulebase
cp_mgmt_access_rule_facts:
details_level: standard
limit: 20
name: Network
offset: 0
use_object_dictionary: true
"""
RETURN = """
ansible_facts:
description: The checkpoint object facts.
returned: always.
type: dict
"""
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_facts, api_call_facts_for_rule
def main():
argument_spec = dict(
name=dict(type='str'),
layer=dict(type='str'),
show_as_ranges=dict(type='bool'),
show_hits=dict(type='bool'),
hits_settings=dict(type='dict', options=dict(
from_date=dict(type='str'),
target=dict(type='str'),
to_date=dict(type='str')
)),
details_level=dict(type='str', choices=['uid', 'standard', 'full']),
filter=dict(type='str'),
filter_settings=dict(type='dict', options=dict(
search_mode=dict(type='str', choices=['general', 'packet']),
packet_search_settings=dict(type='dict', options=dict(
expand_group_members=dict(type='bool'),
expand_group_with_exclusion_members=dict(type='bool'),
match_on_any=dict(type='bool'),
match_on_group_with_exclusion=dict(type='bool'),
match_on_negate=dict(type='bool')
))
)),
limit=dict(type='int'),
offset=dict(type='int'),
order=dict(type='list', options=dict(
ASC=dict(type='str', choices=['name']),
DESC=dict(type='str', choices=['name'])
)),
package=dict(type='str'),
use_object_dictionary=dict(type='bool'),
dereference_group_members=dict(type='bool'),
show_membership=dict(type='bool')
)
argument_spec.update(checkpoint_argument_spec_for_facts)
module = AnsibleModule(argument_spec=argument_spec)
api_call_object = "access-rule"
api_call_object_plural_version = "access-rulebase"
result = api_call_facts_for_rule(module, api_call_object, api_call_object_plural_version)
module.exit_json(ansible_facts=result)
if __name__ == '__main__':
main()
Loading…
Cancel
Save