Skip to content

Commit

Permalink
access_rule module (ansible#61281)
Browse files Browse the repository at this point in the history 
* access_rule module

* remove :

* fix to pass tests

* don't start line with quote (")

* remove redundant indentation

* return the origin description

* don't start line with quote (")

* enable longer lines, add '-'

*  adding state: present

* update examples

* dict to list

* list to dict

* Update cp_mgmt_access_rule.py

* remove rule_number
  • Loading branch information
@chkp-orso @adharshsrivatsr
chkp-orso authored and adharshsrivatsr committed Sep 3, 2019
1 parent 6d918ca commit 5f3cf88
Show file tree
Hide file tree
Showing 2 changed files with 599 additions and 0 deletions.
355 changes: 355 additions & 0 deletions lib/ansible/modules/network/checkpoint/cp_mgmt_access_rule.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,355 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Ansible module to manage CheckPoint Firewall (c) 2019
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#

from __future__ import (absolute_import, division, print_function)

__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}

DOCUMENTATION = """
---
module: cp_mgmt_access_rule
short_description: Manages access-rule objects on Checkpoint over Web Services API
description:
- Manages access-rule objects on Checkpoint devices including creating, updating and removing objects.
- All operations are performed over Web Services API.
version_added: "2.9"
author: "Or Soffer (@chkp-orso)"
options:
layer:
description:
- Layer that the rule belongs to identified by the name or UID.
type: str
position:
description:
- Position in the rulebase.
type: str
name:
description:
- Object name.
type: str
required: True
action:
description:
- a "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".
type: str
action_settings:
description:
- Action settings.
type: dict
suboptions:
enable_identity_captive_portal:
description:
- N/A
type: bool
limit:
description:
- N/A
type: str
content:
description:
- List of processed file types that this rule applies on.
type: list
content_direction:
description:
- On which direction the file types processing is applied.
type: str
choices: ['any', 'up', 'down']
content_negate:
description:
- True if negate is set for data.
type: bool
custom_fields:
description:
- Custom fields.
type: dict
suboptions:
field_1:
description:
- First custom field.
type: str
field_2:
description:
- Second custom field.
type: str
field_3:
description:
- Third custom field.
type: str
destination:
description:
- Collection of Network objects identified by the name or UID.
type: list
destination_negate:
description:
- True if negate is set for destination.
type: bool
enabled:
description:
- Enable/Disable the rule.
type: bool
inline_layer:
description:
- Inline Layer identified by the name or UID. Relevant only if "Action" was set to "Apply Layer".
type: str
install_on:
description:
- Which Gateways identified by the name or UID to install the policy on.
type: list
service:
description:
- Collection of Network objects identified by the name or UID.
type: list
service_negate:
description:
- True if negate is set for service.
type: bool
source:
description:
- Collection of Network objects identified by the name or UID.
type: list
source_negate:
description:
- True if negate is set for source.
type: bool
time:
description:
- List of time objects. For example, "Weekend", "Off-Work", "Every-Day".
type: list
track:
description:
- Track Settings.
type: dict
suboptions:
accounting:
description:
- Turns accounting for track on and off.
type: bool
alert:
description:
- Type of alert for the track.
type: str
choices: ['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3']
enable_firewall_session:
description:
- Determine whether to generate session log to firewall only connections.
type: bool
per_connection:
description:
- Determines whether to perform the log per connection.
type: bool
per_session:
description:
- Determines whether to perform the log per session.
type: bool
type:
description:
- a "Log", "Extended Log", "Detailed Log", "None".
type: str
user_check:
description:
- User check settings.
type: dict
suboptions:
confirm:
description:
- N/A
type: str
choices: ['per rule', 'per category', 'per application/site', 'per data type']
custom_frequency:
description:
- N/A
type: dict
suboptions:
every:
description:
- N/A
type: int
unit:
description:
- N/A
type: str
choices: ['hours', 'days', 'weeks', 'months']
frequency:
description:
- N/A
type: str
choices: ['once a day', 'once a week', 'once a month', 'custom frequency...']
interaction:
description:
- N/A
type: str
vpn:
description:
- Communities or Directional.
type: list
suboptions:
community:
description:
- List of community name or UID.
type: list
directional:
description:
- Communities directional match condition.
type: list
suboptions:
from:
description:
- From community name or UID.
type: str
to:
description:
- To community name or UID.
type: str
comments:
description:
- Comments string.
type: str
details_level:
description:
- The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
representation of the object.
type: str
choices: ['uid', 'standard', 'full']
ignore_warnings:
description:
- Apply changes ignoring warnings.
type: bool
ignore_errors:
description:
- Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
type: bool
extends_documentation_fragment: checkpoint_objects
"""

EXAMPLES = """
- name: add-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 1
position: 1
service:
- SMTP
- AOL
state: present
- name: set-access-rule
cp_mgmt_access_rule:
action: Ask
action_settings:
enable_identity_captive_portal: true
limit: Upload_1Gbps
layer: Network
name: Rule 1
state: present
- name: delete-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 2
state: absent
"""

RETURN = """
cp_mgmt_access_rule:
description: The checkpoint object created or updated.
returned: always, except when deleting the object.
type: dict
"""

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_objects, api_call, api_call_for_rule


def main():
argument_spec = dict(
layer=dict(type='str'),
position=dict(type='str'),
name=dict(type='str', required=True),
action=dict(type='str'),
action_settings=dict(type='dict', options=dict(
enable_identity_captive_portal=dict(type='bool'),
limit=dict(type='str')
)),
content=dict(type='list'),
content_direction=dict(type='str', choices=['any', 'up', 'down']),
content_negate=dict(type='bool'),
custom_fields=dict(type='dict', options=dict(
field_1=dict(type='str'),
field_2=dict(type='str'),
field_3=dict(type='str')
)),
destination=dict(type='list'),
destination_negate=dict(type='bool'),
enabled=dict(type='bool'),
inline_layer=dict(type='str'),
install_on=dict(type='list'),
service=dict(type='list'),
service_negate=dict(type='bool'),
source=dict(type='list'),
source_negate=dict(type='bool'),
time=dict(type='list'),
track=dict(type='dict', options=dict(
accounting=dict(type='bool'),
alert=dict(type='str', choices=['none', 'alert', 'snmp', 'mail', 'user alert 1', 'user alert 2', 'user alert 3']),
enable_firewall_session=dict(type='bool'),
per_connection=dict(type='bool'),
per_session=dict(type='bool'),
type=dict(type='str')
)),
user_check=dict(type='dict', options=dict(
confirm=dict(type='str', choices=['per rule', 'per category', 'per application/site', 'per data type']),
custom_frequency=dict(type='dict', options=dict(
every=dict(type='int'),
unit=dict(type='str', choices=['hours', 'days', 'weeks', 'months'])
)),
frequency=dict(type='str', choices=['once a day', 'once a week', 'once a month', 'custom frequency...']),
interaction=dict(type='str')
)),
vpn=dict(type='list', options=dict(
community=dict(type='list'),
directional=dict(type='list', options=dict(
to=dict(type='str')
))
)),
comments=dict(type='str'),
details_level=dict(type='str', choices=['uid', 'standard', 'full']),
ignore_warnings=dict(type='bool'),
ignore_errors=dict(type='bool')
)
argument_spec['vpn']['options']['directional']['options']['from'] = dict(type='str')
argument_spec.update(checkpoint_argument_spec_for_objects)

module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
api_call_object = 'access-rule'

if module.params['action'] is None and module.params['position'] is None:
result = api_call(module, api_call_object)
else:
result = api_call_for_rule(module, api_call_object)

module.exit_json(**result)


if __name__ == '__main__':
main()
Loading

0 comments on commit 5f3cf88

Please sign in to comment.