mirror of https://github.com/ansible/ansible.git
access_rule module (#61281)
* access_rule module * remove : * fix to pass tests * don't start line with quote (") * remove redundant indentation * return the origin description * don't start line with quote (") * enable longer lines, add '-' * adding state: present * update examples * dict to list * list to dict * Update cp_mgmt_access_rule.py * remove rule_numberpull/61506/head
parent
09f4acbe51
commit
e7931d8074
@ -0,0 +1,355 @@
|
||||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Ansible module to manage CheckPoint Firewall (c) 2019
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
|
||||
__metaclass__ = type
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
||||
DOCUMENTATION = """
|
||||
---
|
||||
module: cp_mgmt_access_rule
|
||||
short_description: Manages access-rule objects on Checkpoint over Web Services API
|
||||
description:
|
||||
- Manages access-rule objects on Checkpoint devices including creating, updating and removing objects.
|
||||
- All operations are performed over Web Services API.
|
||||
version_added: "2.9"
|
||||
author: "Or Soffer (@chkp-orso)"
|
||||
options:
|
||||
layer:
|
||||
description:
|
||||
- Layer that the rule belongs to identified by the name or UID.
|
||||
type: str
|
||||
position:
|
||||
description:
|
||||
- Position in the rulebase.
|
||||
type: str
|
||||
name:
|
||||
description:
|
||||
- Object name.
|
||||
type: str
|
||||
required: True
|
||||
action:
|
||||
description:
|
||||
- a "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".
|
||||
type: str
|
||||
action_settings:
|
||||
description:
|
||||
- Action settings.
|
||||
type: dict
|
||||
suboptions:
|
||||
enable_identity_captive_portal:
|
||||
description:
|
||||
- N/A
|
||||
type: bool
|
||||
limit:
|
||||
description:
|
||||
- N/A
|
||||
type: str
|
||||
content:
|
||||
description:
|
||||
- List of processed file types that this rule applies on.
|
||||
type: list
|
||||
content_direction:
|
||||
description:
|
||||
- On which direction the file types processing is applied.
|
||||
type: str
|
||||
choices: ['any', 'up', 'down']
|
||||
content_negate:
|
||||
description:
|
||||
- True if negate is set for data.
|
||||
type: bool
|
||||
custom_fields:
|
||||
description:
|
||||
- Custom fields.
|
||||
type: dict
|
||||
suboptions:
|
||||
field_1:
|
||||
description:
|
||||
- First custom field.
|
||||
type: str
|
||||
field_2:
|
||||
description:
|
||||
- Second custom field.
|
||||
type: str
|
||||
field_3:
|
||||
description:
|
||||
- Third custom field.
|
||||
type: str
|
||||
destination:
|
||||
description:
|
||||
- Collection of Network objects identified by the name or UID.
|
||||
type: list
|
||||
destination_negate:
|
||||
description:
|
||||
- True if negate is set for destination.
|
||||
type: bool
|
||||
enabled:
|
||||
description:
|
||||
- Enable/Disable the rule.
|
||||
type: bool
|
||||
inline_layer:
|
||||
description:
|
||||
- Inline Layer identified by the name or UID. Relevant only if "Action" was set to "Apply Layer".
|
||||
type: str
|
||||
install_on:
|
||||
description:
|
||||
- Which Gateways identified by the name or UID to install the policy on.
|
||||
type: list
|
||||
service:
|
||||
description:
|
||||
- Collection of Network objects identified by the name or UID.
|
||||
type: list
|
||||
service_negate:
|
||||
description:
|
||||
- True if negate is set for service.
|
||||
type: bool
|
||||
source:
|
||||
description:
|
||||
- Collection of Network objects identified by the name or UID.
|
||||
type: list
|
||||
source_negate:
|
||||
description:
|
||||
- True if negate is set for source.
|
||||
type: bool
|
||||
time:
|
||||
description:
|
||||
- List of time objects. For example, "Weekend", "Off-Work", "Every-Day".
|
||||
type: list
|
||||
track:
|
||||
description:
|
||||
- Track Settings.
|
||||
type: dict
|
||||
suboptions:
|
||||
accounting:
|
||||
description:
|
||||
- Turns accounting for track on and off.
|
||||
type: bool
|
||||
alert:
|
||||
description:
|
||||
- Type of alert for the track.
|
||||
type: str
|
||||
choices: ['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3']
|
||||
enable_firewall_session:
|
||||
description:
|
||||
- Determine whether to generate session log to firewall only connections.
|
||||
type: bool
|
||||
per_connection:
|
||||
description:
|
||||
- Determines whether to perform the log per connection.
|
||||
type: bool
|
||||
per_session:
|
||||
description:
|
||||
- Determines whether to perform the log per session.
|
||||
type: bool
|
||||
type:
|
||||
description:
|
||||
- a "Log", "Extended Log", "Detailed Log", "None".
|
||||
type: str
|
||||
user_check:
|
||||
description:
|
||||
- User check settings.
|
||||
type: dict
|
||||
suboptions:
|
||||
confirm:
|
||||
description:
|
||||
- N/A
|
||||
type: str
|
||||
choices: ['per rule', 'per category', 'per application/site', 'per data type']
|
||||
custom_frequency:
|
||||
description:
|
||||
- N/A
|
||||
type: dict
|
||||
suboptions:
|
||||
every:
|
||||
description:
|
||||
- N/A
|
||||
type: int
|
||||
unit:
|
||||
description:
|
||||
- N/A
|
||||
type: str
|
||||
choices: ['hours', 'days', 'weeks', 'months']
|
||||
frequency:
|
||||
description:
|
||||
- N/A
|
||||
type: str
|
||||
choices: ['once a day', 'once a week', 'once a month', 'custom frequency...']
|
||||
interaction:
|
||||
description:
|
||||
- N/A
|
||||
type: str
|
||||
vpn:
|
||||
description:
|
||||
- Communities or Directional.
|
||||
type: list
|
||||
suboptions:
|
||||
community:
|
||||
description:
|
||||
- List of community name or UID.
|
||||
type: list
|
||||
directional:
|
||||
description:
|
||||
- Communities directional match condition.
|
||||
type: list
|
||||
suboptions:
|
||||
from:
|
||||
description:
|
||||
- From community name or UID.
|
||||
type: str
|
||||
to:
|
||||
description:
|
||||
- To community name or UID.
|
||||
type: str
|
||||
comments:
|
||||
description:
|
||||
- Comments string.
|
||||
type: str
|
||||
details_level:
|
||||
description:
|
||||
- The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
|
||||
representation of the object.
|
||||
type: str
|
||||
choices: ['uid', 'standard', 'full']
|
||||
ignore_warnings:
|
||||
description:
|
||||
- Apply changes ignoring warnings.
|
||||
type: bool
|
||||
ignore_errors:
|
||||
description:
|
||||
- Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
|
||||
type: bool
|
||||
extends_documentation_fragment: checkpoint_objects
|
||||
"""
|
||||
|
||||
EXAMPLES = """
|
||||
- name: add-access-rule
|
||||
cp_mgmt_access_rule:
|
||||
layer: Network
|
||||
name: Rule 1
|
||||
position: 1
|
||||
service:
|
||||
- SMTP
|
||||
- AOL
|
||||
state: present
|
||||
|
||||
- name: set-access-rule
|
||||
cp_mgmt_access_rule:
|
||||
action: Ask
|
||||
action_settings:
|
||||
enable_identity_captive_portal: true
|
||||
limit: Upload_1Gbps
|
||||
layer: Network
|
||||
name: Rule 1
|
||||
state: present
|
||||
|
||||
- name: delete-access-rule
|
||||
cp_mgmt_access_rule:
|
||||
layer: Network
|
||||
name: Rule 2
|
||||
state: absent
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
cp_mgmt_access_rule:
|
||||
description: The checkpoint object created or updated.
|
||||
returned: always, except when deleting the object.
|
||||
type: dict
|
||||
"""
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.connection import Connection
|
||||
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_objects, api_call, api_call_for_rule
|
||||
|
||||
|
||||
def main():
|
||||
argument_spec = dict(
|
||||
layer=dict(type='str'),
|
||||
position=dict(type='str'),
|
||||
name=dict(type='str', required=True),
|
||||
action=dict(type='str'),
|
||||
action_settings=dict(type='dict', options=dict(
|
||||
enable_identity_captive_portal=dict(type='bool'),
|
||||
limit=dict(type='str')
|
||||
)),
|
||||
content=dict(type='list'),
|
||||
content_direction=dict(type='str', choices=['any', 'up', 'down']),
|
||||
content_negate=dict(type='bool'),
|
||||
custom_fields=dict(type='dict', options=dict(
|
||||
field_1=dict(type='str'),
|
||||
field_2=dict(type='str'),
|
||||
field_3=dict(type='str')
|
||||
)),
|
||||
destination=dict(type='list'),
|
||||
destination_negate=dict(type='bool'),
|
||||
enabled=dict(type='bool'),
|
||||
inline_layer=dict(type='str'),
|
||||
install_on=dict(type='list'),
|
||||
service=dict(type='list'),
|
||||
service_negate=dict(type='bool'),
|
||||
source=dict(type='list'),
|
||||
source_negate=dict(type='bool'),
|
||||
time=dict(type='list'),
|
||||
track=dict(type='dict', options=dict(
|
||||
accounting=dict(type='bool'),
|
||||
alert=dict(type='str', choices=['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3']),
|
||||
enable_firewall_session=dict(type='bool'),
|
||||
per_connection=dict(type='bool'),
|
||||
per_session=dict(type='bool'),
|
||||
type=dict(type='str')
|
||||
)),
|
||||
user_check=dict(type='dict', options=dict(
|
||||
confirm=dict(type='str', choices=['per rule', 'per category', 'per application/site', 'per data type']),
|
||||
custom_frequency=dict(type='dict', options=dict(
|
||||
every=dict(type='int'),
|
||||
unit=dict(type='str', choices=['hours', 'days', 'weeks', 'months'])
|
||||
)),
|
||||
frequency=dict(type='str', choices=['once a day', 'once a week', 'once a month', 'custom frequency...']),
|
||||
interaction=dict(type='str')
|
||||
)),
|
||||
vpn=dict(type='list', options=dict(
|
||||
community=dict(type='list'),
|
||||
directional=dict(type='list', options=dict(
|
||||
to=dict(type='str')
|
||||
))
|
||||
)),
|
||||
comments=dict(type='str'),
|
||||
details_level=dict(type='str', choices=['uid', 'standard', 'full']),
|
||||
ignore_warnings=dict(type='bool'),
|
||||
ignore_errors=dict(type='bool')
|
||||
)
|
||||
argument_spec['vpn']['options']['directional']['options']['from'] = dict(type='str')
|
||||
argument_spec.update(checkpoint_argument_spec_for_objects)
|
||||
|
||||
module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
|
||||
api_call_object = 'access-rule'
|
||||
|
||||
if module.params['action'] is None and module.params['position'] is None:
|
||||
result = api_call(module, api_call_object)
|
||||
else:
|
||||
result = api_call_for_rule(module, api_call_object)
|
||||
|
||||
module.exit_json(**result)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
@ -0,0 +1,244 @@
|
||||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Ansible module to manage CheckPoint Firewall (c) 2019
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
|
||||
__metaclass__ = type
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
||||
DOCUMENTATION = """
|
||||
---
|
||||
module: cp_mgmt_access_rule_facts
|
||||
short_description: Get access-rule objects facts on Checkpoint over Web Services API
|
||||
description:
|
||||
- Get access-rule objects facts on Checkpoint devices.
|
||||
- All operations are performed over Web Services API.
|
||||
- This module handles both operations, get a specific object and get several objects,
|
||||
For getting a specific object use the parameter 'name'.
|
||||
version_added: "2.9"
|
||||
author: "Or Soffer (@chkp-orso)"
|
||||
options:
|
||||
name:
|
||||
description:
|
||||
- Object name. Should be unique in the domain.
|
||||
type: str
|
||||
layer:
|
||||
description:
|
||||
- Layer that the rule belongs to identified by the name or UID.
|
||||
type: str
|
||||
show_as_ranges:
|
||||
description:
|
||||
- When true, the source, destination and services & applications parameters are displayed as ranges of IP addresses and port numbers rather than
|
||||
network objects.<br /> Objects that are not represented using IP addresses or port numbers are presented as objects.<br /> In addition, the response
|
||||
of each rule does not contain the parameters, source, source-negate, destination, destination-negate, service and service-negate, but instead it
|
||||
contains the parameters, source-ranges, destination-ranges and service-ranges.<br /><br /> Note, Requesting to show rules as ranges is limited up to
|
||||
20 rules per request, otherwise an error is returned. If you wish to request more rules, use the offset and limit parameters to limit your request.
|
||||
type: bool
|
||||
show_hits:
|
||||
description:
|
||||
- N/A
|
||||
type: bool
|
||||
hits_settings:
|
||||
description:
|
||||
- N/A
|
||||
type: dict
|
||||
suboptions:
|
||||
from_date:
|
||||
description:
|
||||
- Format, 'YYYY-MM-DD', 'YYYY-mm-ddThh:mm:ss'.
|
||||
type: str
|
||||
target:
|
||||
description:
|
||||
- Target gateway name or UID.
|
||||
type: str
|
||||
to_date:
|
||||
description:
|
||||
- Format, 'YYYY-MM-DD', 'YYYY-mm-ddThh:mm:ss'.
|
||||
type: str
|
||||
details_level:
|
||||
description:
|
||||
- The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
|
||||
representation of the object.
|
||||
type: str
|
||||
choices: ['uid', 'standard', 'full']
|
||||
filter:
|
||||
description:
|
||||
- Search expression to filter the rulebase. The provided text should be exactly the same as it would be given in Smart Console. The logical
|
||||
operators in the expression ('AND', 'OR') should be provided in capital letters. If an operator is not used, the default OR operator applies.
|
||||
type: str
|
||||
filter_settings:
|
||||
description:
|
||||
- Sets filter preferences.
|
||||
type: dict
|
||||
suboptions:
|
||||
search_mode:
|
||||
description:
|
||||
- When set to 'general', both the Full Text Search and Packet Search are enabled. In this mode, Packet Search will not match on 'Any'
|
||||
object, a negated cell or a group-with-exclusion. When the search-mode is set to 'packet', by default, the match on 'Any' object, a negated cell
|
||||
or a group-with-exclusion are enabled. packet-search-settings may be provided to change the default behavior.
|
||||
type: str
|
||||
choices: ['general', 'packet']
|
||||
packet_search_settings:
|
||||
description:
|
||||
- When 'search-mode' is set to 'packet', this object allows to set the packet search preferences.
|
||||
type: dict
|
||||
suboptions:
|
||||
expand_group_members:
|
||||
description:
|
||||
- When true, if the search expression contains a UID or a name of a group object, results will include rules that match on at
|
||||
least one member of the group.
|
||||
type: bool
|
||||
expand_group_with_exclusion_members:
|
||||
description:
|
||||
- When true, if the search expression contains a UID or a name of a group-with-exclusion object, results will include rules that
|
||||
match at least one member of the "include" part and is not a member of the "except" part.
|
||||
type: bool
|
||||
match_on_any:
|
||||
description:
|
||||
- Whether to match on 'Any' object.
|
||||
type: bool
|
||||
match_on_group_with_exclusion:
|
||||
description:
|
||||
- Whether to match on a group-with-exclusion.
|
||||
type: bool
|
||||
match_on_negate:
|
||||
description:
|
||||
- Whether to match on a negated cell.
|
||||
type: bool
|
||||
limit:
|
||||
description:
|
||||
- No more than that many results will be returned.
|
||||
This parameter is relevant only for getting few objects.
|
||||
type: int
|
||||
offset:
|
||||
description:
|
||||
- Skip that many results before beginning to return them.
|
||||
This parameter is relevant only for getting few objects.
|
||||
type: int
|
||||
order:
|
||||
description:
|
||||
- Sorts results by the given field. By default the results are sorted in the ascending order by name.
|
||||
This parameter is relevant only for getting few objects.
|
||||
type: list
|
||||
suboptions:
|
||||
ASC:
|
||||
description:
|
||||
- Sorts results by the given field in ascending order.
|
||||
type: str
|
||||
choices: ['name']
|
||||
DESC:
|
||||
description:
|
||||
- Sorts results by the given field in descending order.
|
||||
type: str
|
||||
choices: ['name']
|
||||
package:
|
||||
description:
|
||||
- Name of the package.
|
||||
type: str
|
||||
use_object_dictionary:
|
||||
description:
|
||||
- N/A
|
||||
type: bool
|
||||
dereference_group_members:
|
||||
description:
|
||||
- Indicates whether to dereference "members" field by details level for every object in reply.
|
||||
type: bool
|
||||
show_membership:
|
||||
description:
|
||||
- Indicates whether to calculate and show "groups" field for every object in reply.
|
||||
type: bool
|
||||
extends_documentation_fragment: checkpoint_facts
|
||||
"""
|
||||
|
||||
EXAMPLES = """
|
||||
- name: show-access-rule
|
||||
cp_mgmt_access_rule_facts:
|
||||
layer: Network
|
||||
name: Rule 1
|
||||
|
||||
- name: show-access-rulebase
|
||||
cp_mgmt_access_rule_facts:
|
||||
details_level: standard
|
||||
limit: 20
|
||||
name: Network
|
||||
offset: 0
|
||||
use_object_dictionary: true
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
ansible_facts:
|
||||
description: The checkpoint object facts.
|
||||
returned: always.
|
||||
type: dict
|
||||
"""
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_facts, api_call_facts_for_rule
|
||||
|
||||
|
||||
def main():
|
||||
argument_spec = dict(
|
||||
name=dict(type='str'),
|
||||
layer=dict(type='str'),
|
||||
show_as_ranges=dict(type='bool'),
|
||||
show_hits=dict(type='bool'),
|
||||
hits_settings=dict(type='dict', options=dict(
|
||||
from_date=dict(type='str'),
|
||||
target=dict(type='str'),
|
||||
to_date=dict(type='str')
|
||||
)),
|
||||
details_level=dict(type='str', choices=['uid', 'standard', 'full']),
|
||||
filter=dict(type='str'),
|
||||
filter_settings=dict(type='dict', options=dict(
|
||||
search_mode=dict(type='str', choices=['general', 'packet']),
|
||||
packet_search_settings=dict(type='dict', options=dict(
|
||||
expand_group_members=dict(type='bool'),
|
||||
expand_group_with_exclusion_members=dict(type='bool'),
|
||||
match_on_any=dict(type='bool'),
|
||||
match_on_group_with_exclusion=dict(type='bool'),
|
||||
match_on_negate=dict(type='bool')
|
||||
))
|
||||
)),
|
||||
limit=dict(type='int'),
|
||||
offset=dict(type='int'),
|
||||
order=dict(type='list', options=dict(
|
||||
ASC=dict(type='str', choices=['name']),
|
||||
DESC=dict(type='str', choices=['name'])
|
||||
)),
|
||||
package=dict(type='str'),
|
||||
use_object_dictionary=dict(type='bool'),
|
||||
dereference_group_members=dict(type='bool'),
|
||||
show_membership=dict(type='bool')
|
||||
)
|
||||
argument_spec.update(checkpoint_argument_spec_for_facts)
|
||||
|
||||
module = AnsibleModule(argument_spec=argument_spec)
|
||||
|
||||
api_call_object = "access-rule"
|
||||
api_call_object_plural_version = "access-rulebase"
|
||||
|
||||
result = api_call_facts_for_rule(module, api_call_object, api_call_object_plural_version)
|
||||
module.exit_json(ansible_facts=result)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
Loading…
Reference in New Issue