mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-07-22 12:50:22 -07:00
FortiManager Plugin Module Conversion: fmgr_fwpol_ipv4 (#52785)
* Auto Commit for: fmgr_fwpol_ipv4 * Auto Commit for: fmgr_fwpol_ipv4
This commit is contained in:
ftntcorecse
Nilashish Chakraborty
parent
0c874a022b
commit
2efacfcdad
3 changed files with 716 additions and 1384 deletions
|
|
@ -28,6 +28,8 @@ DOCUMENTATION = '''
|
|||
---
|
||||
module: fmgr_fwpol_ipv4
|
||||
version_added: "2.8"
|
||||
notes:
|
||||
- Full Documentation at U(https://ftnt-ansible-docs.readthedocs.io/en/latest/).
|
||||
author:
|
||||
- Luke Weighall (@lweighall)
|
||||
- Andrew Welsh (@Ghilli3)
|
||||
|
|
@ -43,21 +45,6 @@ options:
|
|||
required: false
|
||||
default: root
|
||||
|
||||
host:
|
||||
description:
|
||||
- The FortiManager's address.
|
||||
required: true
|
||||
|
||||
username:
|
||||
description:
|
||||
- The username associated with the account.
|
||||
required: true
|
||||
|
||||
password:
|
||||
description:
|
||||
- The password associated with the username account.
|
||||
required: true
|
||||
|
||||
mode:
|
||||
description:
|
||||
- Sets one of three modes for managing the object.
|
||||
|
|
@ -913,9 +900,6 @@ options:
|
|||
EXAMPLES = '''
|
||||
- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
|
||||
fmgr_fwpol_ipv4:
|
||||
host: "{{ inventory_hostname }}"
|
||||
username: "{{ username }}"
|
||||
password: "{{ password }}"
|
||||
mode: "set"
|
||||
adom: "ansible"
|
||||
package_name: "default"
|
||||
|
|
@ -932,9 +916,6 @@ EXAMPLES = '''
|
|||
|
||||
- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
|
||||
fmgr_fwpol_ipv4:
|
||||
host: "{{ inventory_hostname }}"
|
||||
username: "{{ username }}"
|
||||
password: "{{ password }}"
|
||||
mode: "set"
|
||||
adom: "ansible"
|
||||
package_name: "default"
|
||||
|
|
@ -953,9 +934,6 @@ EXAMPLES = '''
|
|||
|
||||
- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
|
||||
fmgr_fwpol_ipv4:
|
||||
host: "{{ inventory_hostname }}"
|
||||
username: "{{ username }}"
|
||||
password: "{{ password }}"
|
||||
mode: "set"
|
||||
adom: "ansible"
|
||||
package_name: "default"
|
||||
|
|
@ -983,45 +961,47 @@ api_result:
|
|||
type: str
|
||||
"""
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule, env_fallback
|
||||
from ansible.module_utils.network.fortimanager.fortimanager import AnsibleFortiManager
|
||||
|
||||
# check for pyFMG lib
|
||||
try:
|
||||
from pyFMG.fortimgr import FortiManager
|
||||
|
||||
HAS_PYFMGR = True
|
||||
except ImportError:
|
||||
HAS_PYFMGR = False
|
||||
|
||||
###############
|
||||
# START METHODS
|
||||
###############
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.connection import Connection
|
||||
from ansible.module_utils.network.fortimanager.fortimanager import FortiManagerHandler
|
||||
from ansible.module_utils.network.fortimanager.common import FMGBaseException
|
||||
from ansible.module_utils.network.fortimanager.common import FMGRCommon
|
||||
from ansible.module_utils.network.fortimanager.common import FMGRMethods
|
||||
from ansible.module_utils.network.fortimanager.common import DEFAULT_RESULT_OBJ
|
||||
from ansible.module_utils.network.fortimanager.common import FAIL_SOCKET_MSG
|
||||
from ansible.module_utils.network.fortimanager.common import prepare_dict
|
||||
from ansible.module_utils.network.fortimanager.common import scrub_dict
|
||||
|
||||
|
||||
def fmgr_firewall_policy_addsetdelete(fmg, paramgram):
|
||||
def fmgr_firewall_policy_modify(fmgr, paramgram):
|
||||
"""
|
||||
fmgr_firewall_policy -- Add/Set/Deletes Firewall Policy Objects defined in the "paramgram"
|
||||
|
||||
:param fmgr: The fmgr object instance from fmgr_utils.py
|
||||
:type fmgr: class object
|
||||
:param paramgram: The formatted dictionary of options to process
|
||||
:type paramgram: dict
|
||||
|
||||
:return: The response from the FortiManager
|
||||
:rtype: dict
|
||||
"""
|
||||
|
||||
mode = paramgram["mode"]
|
||||
adom = paramgram["adom"]
|
||||
# INIT A BASIC OBJECTS
|
||||
response = (-100000, {"msg": "Illegal or malformed paramgram discovered. System Exception"})
|
||||
response = DEFAULT_RESULT_OBJ
|
||||
url = ""
|
||||
datagram = {}
|
||||
|
||||
# EVAL THE MODE PARAMETER FOR SET OR ADD
|
||||
if mode in ['set', 'add', 'update']:
|
||||
url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy'.format(adom=adom, pkg=paramgram["package_name"])
|
||||
datagram = fmgr_del_none(fmgr_prepare_dict(paramgram))
|
||||
datagram = scrub_dict((prepare_dict(paramgram)))
|
||||
del datagram["package_name"]
|
||||
datagram = fmgr_split_comma_strings_into_lists(datagram)
|
||||
datagram = fmgr._tools.split_comma_strings_into_lists(datagram)
|
||||
|
||||
# EVAL THE MODE PARAMETER FOR DELETE
|
||||
elif mode == "delete":
|
||||
|
||||
# WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY
|
||||
url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
|
||||
'/policy/{policyid}'.format(adom=paramgram["adom"],
|
||||
pkg=paramgram["package_name"],
|
||||
|
|
@ -1030,127 +1010,10 @@ def fmgr_firewall_policy_addsetdelete(fmg, paramgram):
|
|||
"policyid": paramgram["policyid"]
|
||||
}
|
||||
|
||||
# IF MODE = SET -- USE THE 'SET' API CALL MODE
|
||||
if mode == "set":
|
||||
response = fmg.set(url, datagram)
|
||||
# IF MODE = UPDATE -- USER THE 'UPDATE' API CALL MODE
|
||||
elif mode == "update":
|
||||
response = fmg.update(url, datagram)
|
||||
# IF MODE = ADD -- USE THE 'ADD' API CALL MODE
|
||||
elif mode == "add":
|
||||
response = fmg.add(url, datagram)
|
||||
# IF MODE = DELETE -- USE THE DELETE URL AND API CALL MODE
|
||||
elif mode == "delete":
|
||||
response = fmg.delete(url, datagram)
|
||||
|
||||
response = fmgr.process_request(url, datagram, paramgram["mode"])
|
||||
return response
|
||||
|
||||
|
||||
# ADDITIONAL COMMON FUNCTIONS
|
||||
# FUNCTION/METHOD FOR LOGGING OUT AND ANALYZING ERROR CODES
|
||||
def fmgr_logout(fmg, module, msg="NULL", results=(), good_codes=(0,), logout_on_fail=True, logout_on_success=False):
|
||||
"""
|
||||
THIS METHOD CONTROLS THE LOGOUT AND ERROR REPORTING AFTER AN METHOD OR FUNCTION RUNS
|
||||
"""
|
||||
|
||||
# VALIDATION ERROR (NO RESULTS, JUST AN EXIT)
|
||||
if msg != "NULL" and len(results) == 0:
|
||||
try:
|
||||
fmg.logout()
|
||||
except Exception:
|
||||
pass
|
||||
module.fail_json(msg=msg)
|
||||
|
||||
# SUBMISSION ERROR
|
||||
if len(results) > 0:
|
||||
if msg == "NULL":
|
||||
try:
|
||||
msg = results[1]['status']['message']
|
||||
except Exception:
|
||||
msg = "No status message returned from pyFMG. Possible that this was a GET with a tuple result."
|
||||
|
||||
if results[0] not in good_codes:
|
||||
if logout_on_fail:
|
||||
fmg.logout()
|
||||
module.fail_json(msg=msg, **results[1])
|
||||
else:
|
||||
if logout_on_success:
|
||||
fmg.logout()
|
||||
module.exit_json(msg="API Called worked, but logout handler has been asked to logout on success",
|
||||
**results[1])
|
||||
|
||||
return msg
|
||||
|
||||
|
||||
# FUNCTION/METHOD FOR CONVERTING CIDR TO A NETMASK
|
||||
# DID NOT USE IP ADDRESS MODULE TO KEEP INCLUDES TO A MINIMUM
|
||||
def fmgr_cidr_to_netmask(cidr):
|
||||
cidr = int(cidr)
|
||||
mask = (0xffffffff >> (32 - cidr)) << (32 - cidr)
|
||||
return (str((0xff000000 & mask) >> 24) + '.' +
|
||||
str((0x00ff0000 & mask) >> 16) + '.' +
|
||||
str((0x0000ff00 & mask) >> 8) + '.' +
|
||||
str((0x000000ff & mask)))
|
||||
|
||||
|
||||
# utility function: removing keys wih value of None, nothing in playbook for that key
|
||||
def fmgr_del_none(obj):
|
||||
if isinstance(obj, dict):
|
||||
return type(obj)((fmgr_del_none(k), fmgr_del_none(v))
|
||||
for k, v in obj.items() if k is not None and (v is not None and not fmgr_is_empty_dict(v)))
|
||||
else:
|
||||
return obj
|
||||
|
||||
|
||||
# utility function: remove keys that are need for the logic but the FMG API won't accept them
|
||||
def fmgr_prepare_dict(obj):
|
||||
list_of_elems = ["mode", "adom", "host", "username", "password"]
|
||||
if isinstance(obj, dict):
|
||||
obj = dict((key, fmgr_prepare_dict(value)) for (key, value) in obj.items() if key not in list_of_elems)
|
||||
return obj
|
||||
|
||||
|
||||
def fmgr_is_empty_dict(obj):
|
||||
return_val = False
|
||||
if isinstance(obj, dict):
|
||||
if len(obj) > 0:
|
||||
for k, v in obj.items():
|
||||
if isinstance(v, dict):
|
||||
if len(v) == 0:
|
||||
return_val = True
|
||||
elif len(v) > 0:
|
||||
for k1, v1 in v.items():
|
||||
if v1 is None:
|
||||
return_val = True
|
||||
elif v1 is not None:
|
||||
return_val = False
|
||||
return return_val
|
||||
elif v is None:
|
||||
return_val = True
|
||||
elif v is not None:
|
||||
return_val = False
|
||||
return return_val
|
||||
elif len(obj) == 0:
|
||||
return_val = True
|
||||
|
||||
return return_val
|
||||
|
||||
|
||||
def fmgr_split_comma_strings_into_lists(obj):
|
||||
if isinstance(obj, dict):
|
||||
if len(obj) > 0:
|
||||
for k, v in obj.items():
|
||||
if isinstance(v, str):
|
||||
new_list = list()
|
||||
if "," in v:
|
||||
new_items = v.split(",")
|
||||
for item in new_items:
|
||||
new_list.append(item.strip())
|
||||
obj[k] = new_list
|
||||
|
||||
return obj
|
||||
|
||||
|
||||
#############
|
||||
# END METHODS
|
||||
#############
|
||||
|
|
@ -1159,9 +1022,6 @@ def fmgr_split_comma_strings_into_lists(obj):
|
|||
def main():
|
||||
argument_spec = dict(
|
||||
adom=dict(type="str", default="root"),
|
||||
host=dict(required=True, type="str"),
|
||||
password=dict(fallback=(env_fallback, ["ANSIBLE_NET_PASSWORD"]), no_log=True, required=True),
|
||||
username=dict(fallback=(env_fallback, ["ANSIBLE_NET_USERNAME"]), no_log=True, required=True),
|
||||
mode=dict(choices=["add", "set", "delete", "update"], type="str", default="add"),
|
||||
package_name=dict(type="str", required=False, default="default"),
|
||||
|
||||
|
|
@ -1298,8 +1158,7 @@ def main():
|
|||
|
||||
)
|
||||
|
||||
module = AnsibleModule(argument_spec, supports_check_mode=False)
|
||||
|
||||
module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, )
|
||||
# MODULE PARAMGRAM
|
||||
paramgram = {
|
||||
"mode": module.params["mode"],
|
||||
|
|
@ -1438,70 +1297,50 @@ def main():
|
|||
"subnet": module.params["vpn_src_node_subnet"],
|
||||
}
|
||||
}
|
||||
list_overrides = ['vpn_dst_node', 'vpn_src_node']
|
||||
for list_variable in list_overrides:
|
||||
override_data = list()
|
||||
try:
|
||||
override_data = module.params[list_variable]
|
||||
except Exception:
|
||||
pass
|
||||
try:
|
||||
if override_data:
|
||||
del paramgram[list_variable]
|
||||
paramgram[list_variable] = override_data
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
# CHECK IF THE HOST/USERNAME/PW EXISTS, AND IF IT DOES, LOGIN.
|
||||
host = module.params["host"]
|
||||
password = module.params["password"]
|
||||
username = module.params["username"]
|
||||
if host is None or username is None or password is None:
|
||||
module.fail_json(msg="Host and username and password are required")
|
||||
|
||||
# CHECK IF LOGIN FAILED
|
||||
fmg = AnsibleFortiManager(module, module.params["host"], module.params["username"], module.params["password"])
|
||||
|
||||
response = fmg.login()
|
||||
if response[1]['status']['code'] != 0:
|
||||
module.fail_json(msg="Connection to FortiManager Failed")
|
||||
|
||||
if paramgram["mode"] == "delete":
|
||||
# WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY TO DELETE IT
|
||||
url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
|
||||
'/policy/'.format(adom=paramgram["adom"],
|
||||
pkg=paramgram["package_name"])
|
||||
datagram = {
|
||||
"filter": ["name", "==", paramgram["name"]]
|
||||
}
|
||||
response = fmg.get(url, datagram)
|
||||
try:
|
||||
if response[1][0]["policyid"]:
|
||||
policy_id = response[1][0]["policyid"]
|
||||
paramgram["policyid"] = policy_id
|
||||
except Exception:
|
||||
fmgr_logout(fmg, module, results=response, msg="Couldn't get Policy ID from name, delete failed")
|
||||
|
||||
results = fmgr_firewall_policy_addsetdelete(fmg, paramgram)
|
||||
if results[0] == -10131:
|
||||
fmgr_logout(fmg, module, results=results, good_codes=[0, -9998, ],
|
||||
msg=str(results[0]) + " - Object Dependency Failed. Do the objects named in parameters exist?!")
|
||||
elif results[0] == -3:
|
||||
fmgr_logout(fmg, module, results=results, good_codes=[0, -3],
|
||||
msg="Couldn't Delete - Policy Doesn't Exist")
|
||||
elif results[0] == 0:
|
||||
fmgr_logout(fmg, module, results=results, good_codes=[0, -9998],
|
||||
msg="Successfully Set FW Policy")
|
||||
elif results[0] not in [0, -9998]:
|
||||
fmgr_logout(fmg, module, results=results, good_codes=[0, -9998],
|
||||
msg=str(results[0]) + "Could not set FW policy.")
|
||||
|
||||
fmg.logout()
|
||||
|
||||
if results is not None:
|
||||
return module.exit_json(**results[1])
|
||||
module.paramgram = paramgram
|
||||
fmgr = None
|
||||
if module._socket_path:
|
||||
connection = Connection(module._socket_path)
|
||||
fmgr = FortiManagerHandler(connection, module)
|
||||
fmgr.tools = FMGRCommon()
|
||||
else:
|
||||
return module.exit_json(msg="No results were returned from the API call.")
|
||||
module.fail_json(**FAIL_SOCKET_MSG)
|
||||
|
||||
list_overrides = ['vpn_dst_node', 'vpn_src_node']
|
||||
paramgram = fmgr.tools.paramgram_child_list_override(list_overrides=list_overrides,
|
||||
paramgram=paramgram, module=module)
|
||||
|
||||
# BEGIN MODULE-SPECIFIC LOGIC -- THINGS NEED TO HAPPEN DEPENDING ON THE ENDPOINT AND OPERATION
|
||||
results = DEFAULT_RESULT_OBJ
|
||||
try:
|
||||
if paramgram["mode"] == "delete":
|
||||
# WE NEED TO GET THE POLICY ID FROM THE NAME OF THE POLICY TO DELETE IT
|
||||
url = '/pm/config/adom/{adom}/pkg/{pkg}/firewall' \
|
||||
'/policy/'.format(adom=paramgram["adom"],
|
||||
pkg=paramgram["package_name"])
|
||||
datagram = {
|
||||
"filter": ["name", "==", paramgram["name"]]
|
||||
}
|
||||
response = fmgr.process_request(url, datagram, FMGRMethods.GET)
|
||||
try:
|
||||
if response[1][0]["policyid"]:
|
||||
policy_id = response[1][0]["policyid"]
|
||||
paramgram["policyid"] = policy_id
|
||||
except BaseException:
|
||||
fmgr.return_response(module=module, results=response, good_codes=[0, ], stop_on_success=True,
|
||||
ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram),
|
||||
msg="Couldn't find policy ID number for policy name specified.")
|
||||
except Exception as err:
|
||||
raise FMGBaseException(err)
|
||||
|
||||
try:
|
||||
results = fmgr_firewall_policy_modify(fmgr, paramgram)
|
||||
fmgr.govern_response(module=module, results=results, good_codes=[0, -9998],
|
||||
ansible_facts=fmgr.construct_ansible_facts(results, module.params, paramgram))
|
||||
except Exception as err:
|
||||
raise FMGBaseException(err)
|
||||
|
||||
return module.exit_json(**results[1])
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue