mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Checkpoint access rule (#49937)
* WIP checkpoint_access_rule module * Add fixes and docstrings * Add dunder init * Fix sanity tests issues * Fix sanity test * Add RETURN and EXAMPLES * Fix example * Fix pep8 * Add tests * Fix pep8 * Fix pep8
This commit is contained in:
parent
260285a73f
commit
3e91ec28b8
5 changed files with 342 additions and 0 deletions
0
lib/ansible/modules/network/checkpoint/__init__.py
Normal file
0
lib/ansible/modules/network/checkpoint/__init__.py
Normal file
235
lib/ansible/modules/network/checkpoint/checkpoint_access_rule.py
Normal file
235
lib/ansible/modules/network/checkpoint/checkpoint_access_rule.py
Normal file
|
@ -0,0 +1,235 @@
|
|||
#!/usr/bin/python
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
__metaclass__ = type
|
||||
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'network'}
|
||||
|
||||
|
||||
DOCUMENTATION = """
|
||||
---
|
||||
module: checkpoint_access_rule
|
||||
short_description: Manages access rules on Checkpoint over Web Services API
|
||||
description:
|
||||
- Manages access rules on Checkpoint devices including creating, updating, removing access rules objects,
|
||||
All operations are performed over Web Services API.
|
||||
version_added: "2.8"
|
||||
author: "Ansible by Red Hat (@rcarrillocruz)"
|
||||
options:
|
||||
name:
|
||||
description:
|
||||
- Name of the access rule.
|
||||
type: str
|
||||
layer:
|
||||
description:
|
||||
- Layer to attach the access rule to.
|
||||
required: True
|
||||
type: str
|
||||
position:
|
||||
description:
|
||||
- Position of the access rule.
|
||||
type: str
|
||||
source:
|
||||
description:
|
||||
- Source object of the access rule.
|
||||
type: str
|
||||
destination:
|
||||
description:
|
||||
- Destionation object of the access rule.
|
||||
type: str
|
||||
action:
|
||||
description:
|
||||
- Action of the access rule (accept, drop, inform, etc).
|
||||
type: str
|
||||
default: drop
|
||||
enabled:
|
||||
description:
|
||||
- Enabled or disabled flag.
|
||||
type: bool
|
||||
default: True
|
||||
state:
|
||||
description:
|
||||
- State of the access rule (present or absent). Defaults to present.
|
||||
type: str
|
||||
default: present
|
||||
"""
|
||||
|
||||
EXAMPLES = """
|
||||
- name: Create access rule
|
||||
checkpoint_access_rule:
|
||||
layer: Network
|
||||
name: "Drop attacker"
|
||||
position: top
|
||||
source: attacker
|
||||
destination: Any
|
||||
action: Drop
|
||||
|
||||
- name: Delete access rule
|
||||
checkpoint_access_rule:
|
||||
layer: Network
|
||||
name: "Drop attacker"
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
checkpoint_access_rules:
|
||||
description: The checkpoint access rule object created or updated.
|
||||
returned: always, except when deleting the access rule.
|
||||
type: list
|
||||
"""
|
||||
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.connection import Connection
|
||||
from ansible.module_utils.network.checkpoint.checkpoint import publish, install_policy
|
||||
import json
|
||||
|
||||
|
||||
def get_access_rule(module, connection):
|
||||
name = module.params['name']
|
||||
layer = module.params['layer']
|
||||
|
||||
payload = {'name': name, 'layer': layer}
|
||||
|
||||
code, response = connection.send_request('/web_api/show-access-rule', payload)
|
||||
|
||||
return code, response
|
||||
|
||||
|
||||
def create_access_rule(module, connection):
|
||||
name = module.params['name']
|
||||
layer = module.params['layer']
|
||||
position = module.params['position']
|
||||
source = module.params['source']
|
||||
destination = module.params['destination']
|
||||
action = module.params['action']
|
||||
|
||||
payload = {'name': name,
|
||||
'layer': layer,
|
||||
'position': position,
|
||||
'source': source,
|
||||
'destination': destination,
|
||||
'action': action}
|
||||
|
||||
code, response = connection.send_request('/web_api/add-access-rule', payload)
|
||||
|
||||
return code, response
|
||||
|
||||
|
||||
def update_access_rule(module, connection):
|
||||
name = module.params['name']
|
||||
layer = module.params['layer']
|
||||
position = module.params['position']
|
||||
source = module.params['source']
|
||||
destination = module.params['destination']
|
||||
action = module.params['action']
|
||||
enabled = module.params['enabled']
|
||||
|
||||
payload = {'name': name,
|
||||
'layer': layer,
|
||||
'position': position,
|
||||
'source': source,
|
||||
'destination': destination,
|
||||
'action': action,
|
||||
'enabled': enabled}
|
||||
|
||||
code, response = connection.send_request('/web_api/set-access-rule', payload)
|
||||
|
||||
return code, response
|
||||
|
||||
|
||||
def delete_access_rule(module, connection):
|
||||
name = module.params['name']
|
||||
layer = module.params['layer']
|
||||
|
||||
payload = {'name': name,
|
||||
'layer': layer,
|
||||
}
|
||||
|
||||
code, response = connection.send_request('/web_api/delete-access-rule', payload)
|
||||
|
||||
return code, response
|
||||
|
||||
|
||||
def needs_update(module, access_rule):
|
||||
res = False
|
||||
|
||||
if module.params['source'] and module.params['source'] != access_rule['source'][0]['name']:
|
||||
res = True
|
||||
if module.params['destination'] and module.params['destination'] != access_rule['destination'][0]['name']:
|
||||
res = True
|
||||
if module.params['action'] != access_rule['action']['name']:
|
||||
res = True
|
||||
if module.params['enabled'] != access_rule['enabled']:
|
||||
res = True
|
||||
|
||||
return res
|
||||
|
||||
|
||||
def main():
|
||||
argument_spec = dict(
|
||||
name=dict(type='str', required=True),
|
||||
layer=dict(type='str'),
|
||||
position=dict(type='str'),
|
||||
source=dict(type='str'),
|
||||
destination=dict(type='str'),
|
||||
action=dict(type='str', default='drop'),
|
||||
enabled=dict(type='bool', default=True),
|
||||
state=dict(type='str', default='present')
|
||||
)
|
||||
|
||||
required_if = [('state', 'present', ('layer', 'position'))]
|
||||
module = AnsibleModule(argument_spec=argument_spec, required_if=required_if)
|
||||
connection = Connection(module._socket_path)
|
||||
code, response = get_access_rule(module, connection)
|
||||
result = {'changed': False}
|
||||
|
||||
if module.params['state'] == 'present':
|
||||
if code == 200:
|
||||
if needs_update(module, response):
|
||||
code, response = update_access_rule(module, connection)
|
||||
publish(module, connection)
|
||||
install_policy(module, connection)
|
||||
result['changed'] = True
|
||||
result['checkpoint_access_rules'] = response
|
||||
else:
|
||||
pass
|
||||
elif code == 404:
|
||||
code, response = create_access_rule(module, connection)
|
||||
publish(module, connection)
|
||||
install_policy(module, connection)
|
||||
result['changed'] = True
|
||||
result['checkpoint_access_rules'] = response
|
||||
else:
|
||||
if code == 200:
|
||||
# Handle deletion
|
||||
code, response = delete_access_rule(module, connection)
|
||||
publish(module, connection)
|
||||
install_policy(module, connection)
|
||||
result['changed'] = True
|
||||
elif code == 404:
|
||||
pass
|
||||
|
||||
module.exit_json(**result)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
|
@ -58,6 +58,8 @@ class HttpApi(HttpApiBase):
|
|||
value = self._get_response_value(response_data)
|
||||
|
||||
return response.getcode(), self._response_to_json(value)
|
||||
except AnsibleConnectionFailure as e:
|
||||
return 404, 'Object not found'
|
||||
except HTTPError as e:
|
||||
error = json.loads(e.read())
|
||||
return e.code, error
|
||||
|
|
0
test/units/modules/network/checkpoint/__init__.py
Normal file
0
test/units/modules/network/checkpoint/__init__.py
Normal file
|
@ -0,0 +1,105 @@
|
|||
# Copyright (c) 2018 Red Hat
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
from __future__ import absolute_import
|
||||
|
||||
import pytest
|
||||
from units.modules.utils import set_module_args, exit_json, fail_json, AnsibleFailJson, AnsibleExitJson
|
||||
|
||||
from ansible.module_utils import basic
|
||||
from ansible.modules.network.checkpoint import checkpoint_access_rule
|
||||
|
||||
OBJECT = {'layer': 'foo', 'position': 'bar', 'name': 'baz',
|
||||
'source': [{'name': 'lol'}], 'destination': [{'name': 'Any'}],
|
||||
'action': {'name': 'drop'}, 'enabled': True}
|
||||
PAYLOAD = {'layer': 'foo', 'position': 'bar', 'name': 'baz'}
|
||||
|
||||
|
||||
class TestCheckpointAccessRule(object):
|
||||
module = checkpoint_access_rule
|
||||
|
||||
@pytest.fixture(autouse=True)
|
||||
def module_mock(self, mocker):
|
||||
return mocker.patch.multiple(basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json)
|
||||
|
||||
@pytest.fixture
|
||||
def connection_mock(self, mocker):
|
||||
connection_class_mock = mocker.patch('ansible.modules.network.checkpoint.checkpoint_access_rule.Connection')
|
||||
return connection_class_mock.return_value
|
||||
|
||||
@pytest.fixture
|
||||
def get_access_rule_200(self, mocker):
|
||||
mock_function = mocker.patch('ansible.modules.network.checkpoint.checkpoint_access_rule.get_access_rule')
|
||||
mock_function.return_value = (200, OBJECT)
|
||||
return mock_function.return_value
|
||||
|
||||
@pytest.fixture
|
||||
def get_access_rule_404(self, mocker):
|
||||
mock_function = mocker.patch('ansible.modules.network.checkpoint.checkpoint_access_rule.get_access_rule')
|
||||
mock_function.return_value = (404, 'Object not found')
|
||||
return mock_function.return_value
|
||||
|
||||
def test_create(self, get_access_rule_404, connection_mock):
|
||||
connection_mock.send_request.return_value = (200, OBJECT)
|
||||
result = self._run_module(PAYLOAD)
|
||||
|
||||
assert result['changed']
|
||||
assert 'checkpoint_access_rules' in result
|
||||
|
||||
def test_create_idempotent(self, get_access_rule_200, connection_mock):
|
||||
connection_mock.send_request.return_value = (200, PAYLOAD)
|
||||
result = self._run_module(PAYLOAD)
|
||||
|
||||
assert not result['changed']
|
||||
|
||||
def test_update(self, get_access_rule_200, connection_mock):
|
||||
payload_for_update = {'enabled': False}
|
||||
payload_for_update.update(PAYLOAD)
|
||||
connection_mock.send_request.return_value = (200, payload_for_update)
|
||||
result = self._run_module(payload_for_update)
|
||||
|
||||
assert result['changed']
|
||||
assert not result['checkpoint_access_rules']['enabled']
|
||||
|
||||
def test_delete(self, get_access_rule_200, connection_mock):
|
||||
connection_mock.send_request.return_value = (200, OBJECT)
|
||||
payload_for_delete = {'state': 'absent'}
|
||||
payload_for_delete.update(PAYLOAD)
|
||||
result = self._run_module(payload_for_delete)
|
||||
|
||||
assert result['changed']
|
||||
|
||||
def test_delete_idempotent(self, get_access_rule_404, connection_mock):
|
||||
payload = {'name': 'baz', 'state': 'absent'}
|
||||
connection_mock.send_request.return_value = (200, OBJECT)
|
||||
result = self._run_module(payload)
|
||||
|
||||
assert not result['changed']
|
||||
|
||||
def _run_module(self, module_args):
|
||||
set_module_args(module_args)
|
||||
with pytest.raises(AnsibleExitJson) as ex:
|
||||
self.module.main()
|
||||
return ex.value.args[0]
|
||||
|
||||
def _run_module_with_fail_json(self, module_args):
|
||||
set_module_args(module_args)
|
||||
with pytest.raises(AnsibleFailJson) as exc:
|
||||
self.module.main()
|
||||
result = exc.value.args[0]
|
||||
return result
|
Loading…
Reference in a new issue