Add autopublish and autoinstallpolicy behaviour to Checkpoint devices (#50862)

* Add autopublish and autoinstallpolicy behaviour to Checkpoint devices Up till now we published and installed policy package for every operation, however operators may not want that and only reconcile changes after a series of changes. Added flags to toggle this behaviour, which defaults to autopublish and autoinstall policy package just as it was till now. The policy package name defaults to 'standard', since it's the default one created on the Checkpoint management server on AWS, unsure if that's common in other setups. * Change signature for publish and install policy The module object is not needed * Fix pep8 * Fix install_policy invocation Also fix payload in publish/discard, since it seems passing the UID when it's not needed has issues. * Add doc fragments * Remove default value of targets on install_policy method It's already defaulting to None via checkpoint_arg_spec * Fix pep8 * Remove doc fragment and push down auto options to resource modules I realized if I put those options as doc fragments they will show up on facts module, which do not apply, only on resource modules that mangle with objects. * Fix bogus param name and validate modules issues * Fix bogus param name on checkpoint_host
2019-01-15 11:03:48 +01:00 · 2019-01-15 11:03:48 +01:00 · 077d6a63c1
parent bca50b47ed
commit 077d6a63c1
4 changed files with 118 additions and 19 deletions
--- a/lib/ansible/module_utils/network/checkpoint/checkpoint.py
+++ b/lib/ansible/module_utils/network/checkpoint/checkpoint.py
@ -27,10 +27,33 @@
 #


-def publish(module, connection):
-    connection.send_request('/web_api/publish', None)
+checkpoint_argument_spec = dict(auto_publish_session=dict(type='bool', default=True),
+                                policy_package=dict(type='str', default='standard'),
+                                auto_install_policy=dict(type='bool', default=True),
+                                targets=dict(type='list')
+                                )


-def install_policy(module, connection):
-    payload = {'policy-package': 'standard'}
+def publish(connection, uid=None):
+    payload = None
+
+    if uid:
+        payload = {'uid': uid}
+
+    connection.send_request('/web_api/publish', payload)
+
+
+def discard(connection, uid=None):
+    payload = None
+
+    if uid:
+        payload = {'uid': uid}
+
+    connection.send_request('/web_api/discard', payload)
+
+
+def install_policy(connection, policy_package, targets):
+    payload = {'policy-package': policy_package,
+               'targets': targets}
+
    connection.send_request('/web_api/install-policy', payload)
--- a/lib/ansible/modules/network/checkpoint/checkpoint_access_rule.py
+++ b/lib/ansible/modules/network/checkpoint/checkpoint_access_rule.py
@ -71,6 +71,27 @@ options:
      - State of the access rule (present or absent). Defaults to present.
    type: str
    default: present
+  auto_publish_session:
+    description:
+      - Publish the current session if changes have been performed
+        after task completes.
+    type: bool
+    default: 'yes'
+  auto_install_policy:
+    description:
+      - Install the package policy if changes have been performed
+        after the task completes.
+    type: bool
+    default: 'yes'
+  policy_package:
+    description:
+      - Package policy name to be installed.
+    type: bool
+    default: 'standard'
+  targets:
+    description:
+      - Targets to install the package policy on.
+    type: list
 """

 EXAMPLES = """
@ -99,7 +120,7 @@ checkpoint_access_rules:

 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.connection import Connection
-from ansible.module_utils.network.checkpoint.checkpoint import publish, install_policy
+from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec, publish, install_policy
 import json


@ -195,6 +216,7 @@ def main():
        enabled=dict(type='bool', default=True),
        state=dict(type='str', default='present')
    )
+    argument_spec.update(checkpoint_argument_spec)

    required_if = [('state', 'present', ('layer', 'position'))]
    module = AnsibleModule(argument_spec=argument_spec, required_if=required_if)
@ -206,28 +228,42 @@ def main():
        if code == 200:
            if needs_update(module, response):
                code, response = update_access_rule(module, connection)
-                publish(module, connection)
-                install_policy(module, connection)
+                if module.params['auto_publish_session']:
+                    publish(connection)
+
+                    if module.params['auto_install_policy']:
+                        install_policy(connection, module.params['policy_package'], module.params['targets'])
+
                result['changed'] = True
                result['checkpoint_access_rules'] = response
            else:
                pass
        elif code == 404:
            code, response = create_access_rule(module, connection)
-            publish(module, connection)
-            install_policy(module, connection)
+
+            if module.params['auto_publish_session']:
+                publish(connection)
+
+                if module.params['auto_install_policy']:
+                    install_policy(connection, module.params['policy_package'], module.params['targets'])
+
            result['changed'] = True
            result['checkpoint_access_rules'] = response
    else:
        if code == 200:
-            # Handle deletion
            code, response = delete_access_rule(module, connection)
-            publish(module, connection)
-            install_policy(module, connection)
+
+            if module.params['auto_publish_session']:
+                publish(connection)
+
+                if module.params['auto_install_policy']:
+                    install_policy(connection, module.params['policy_package'], module.params['targets'])
+
            result['changed'] = True
        elif code == 404:
            pass

+    result['checkpoint_sid'] = connection.get_sid()
    module.exit_json(**result)


--- a/lib/ansible/modules/network/checkpoint/checkpoint_host.py
+++ b/lib/ansible/modules/network/checkpoint/checkpoint_host.py
@ -49,6 +49,27 @@ options:
      - State of the access rule (present or absent). Defaults to present.
    type: str
    default: present
+  auto_publish_session:
+    description:
+      - Publish the current session if changes have been performed
+        after task completes.
+    type: bool
+    default: 'yes'
+  auto_install_policy:
+    description:
+      - Install the package policy if changes have been performed
+        after the task completes.
+    type: bool
+    default: 'yes'
+  policy_package:
+    description:
+      - Package policy name to be installed.
+    type: bool
+    default: 'standard'
+  targets:
+    description:
+      - Targets to install the package policy on.
+    type: list
 """

 EXAMPLES = """
@ -73,7 +94,7 @@ checkpoint_hosts:

 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.connection import Connection
-from ansible.module_utils.network.checkpoint.checkpoint import publish, install_policy
+from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec, publish, install_policy
 import json


@ -137,6 +158,7 @@ def main():
        ip_address=dict(type='str'),
        state=dict(type='str', default='present')
    )
+    argument_spec.update(checkpoint_argument_spec)

    required_if = [('state', 'present', 'ip_address')]
    module = AnsibleModule(argument_spec=argument_spec)
@ -148,24 +170,39 @@ def main():
        if code == 200:
            if needs_update(module, response):
                code, response = update_host(module, connection)
-                publish(module, connection)
-                install_policy(module, connection)
+
+                if module.params['auto_publish_session']:
+                    publish(connection)
+
+                    if module.params['auto_install_policy']:
+                        install_policy(connection, module.params['policy_package'], module.params['targets'])
+
                result['changed'] = True
                result['checkpoint_hosts'] = response
            else:
                pass
        elif code == 404:
            code, response = create_host(module, connection)
-            publish(module, connection)
-            install_policy(module, connection)
+
+            if module.params['auto_publish_session']:
+                publish(connection)
+
+                if module.params['auto_install_policy']:
+                    install_policy(connection, module.params['policy_package'], module.params['targets'])
+
            result['changed'] = True
            result['checkpoint_hosts'] = response
    else:
        if code == 200:
            # Handle deletion
            code, response = delete_host(module, connection)
-            publish(module, connection)
-            install_policy(module, connection)
+
+            if module.params['auto_publish_session']:
+                publish(connection)
+
+                if module.params['auto_install_policy']:
+                    install_policy(connection, module.params['policy_package'], module.params['targets'])
+
            result['changed'] = True
        elif code == 404:
            pass
--- a/lib/ansible/plugins/httpapi/checkpoint.py
+++ b/lib/ansible/plugins/httpapi/checkpoint.py
@ -49,6 +49,9 @@ class HttpApi(HttpApiBase):

        response, dummy = self.send_request(url, None)

+    def get_sid(self):
+        return self.connection._auth['X-chkp-sid']
+
    def send_request(self, path, body_params):
        data = json.dumps(body_params) if body_params else '{}'