threat_rule module (#61280)

* threat_rule module * remove : * insert to list * remove redundant indentation * Revert "insert to list" This reverts commit de08dfdf32. * enable longer lines, remove present, add '-' * state: present * update examples * list to dict * remove rule_number
2019-08-29 06:46:50 +03:00 · 2019-08-29 06:46:50 +03:00 · 09f4acbe51
commit 09f4acbe51
parent 86aab259fc
2 changed files with 418 additions and 0 deletions
--- a/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_rule.py
+++ b/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_rule.py
@ -0,0 +1,209 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Ansible module to manage CheckPoint Firewall (c) 2019
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+DOCUMENTATION = """
+---
+module: cp_mgmt_threat_rule
+short_description: Manages threat-rule objects on Checkpoint over Web Services API
+description:
+  - Manages threat-rule objects on Checkpoint devices including creating, updating and removing objects.
+  - All operations are performed over Web Services API.
+version_added: "2.9"
+author: "Or Soffer (@chkp-orso)"
+options:
+  position:
+    description:
+      - Position in the rulebase.
+    type: str
+  layer:
+    description:
+      - Layer that the rule belongs to identified by the name or UID.
+    type: str
+  name:
+    description:
+      - Object name.
+    type: str
+    required: True
+  action:
+    description:
+      - Action-the enforced profile.
+    type: str
+  destination:
+    description:
+      - Collection of Network objects identified by the name or UID.
+    type: list
+  destination_negate:
+    description:
+      - True if negate is set for destination.
+    type: bool
+  enabled:
+    description:
+      - Enable/Disable the rule.
+    type: bool
+  install_on:
+    description:
+      - Which Gateways identified by the name or UID to install the policy on.
+    type: list
+  protected_scope:
+    description:
+      - Collection of objects defining Protected Scope identified by the name or UID.
+    type: list
+  protected_scope_negate:
+    description:
+      - True if negate is set for Protected Scope.
+    type: bool
+  service:
+    description:
+      - Collection of Network objects identified by the name or UID.
+    type: list
+  service_negate:
+    description:
+      - True if negate is set for Service.
+    type: bool
+  source:
+    description:
+      - Collection of Network objects identified by the name or UID.
+    type: list
+  source_negate:
+    description:
+      - True if negate is set for source.
+    type: bool
+  track:
+    description:
+      - Packet tracking.
+    type: str
+  track_settings:
+    description:
+      - Threat rule track settings.
+    type: dict
+    suboptions:
+      packet_capture:
+        description:
+          - Packet capture.
+        type: bool
+  comments:
+    description:
+      - Comments string.
+    type: str
+  details_level:
+    description:
+      - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
+        representation of the object.
+    type: str
+    choices: ['uid', 'standard', 'full']
+  ignore_warnings:
+    description:
+      - Apply changes ignoring warnings.
+    type: bool
+  ignore_errors:
+    description:
+      - Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
+    type: bool
+extends_documentation_fragment: checkpoint_objects
+"""
+
+EXAMPLES = """
+- name: add-threat-rule
+  cp_mgmt_threat_rule:
+    comments: ''
+    install_on: Policy Targets
+    layer: New Layer 1
+    name: First threat rule
+    position: 1
+    protected_scope: All_Internet
+    state: present
+    track: None
+
+- name: set-threat-rule
+  cp_mgmt_threat_rule:
+    action: New Profile 1
+    comments: commnet for the first rule
+    install_on: Policy Targets
+    layer: New Layer 1
+    name: Rule Name
+    position: 1
+    protected_scope: All_Internet
+    state: present
+
+- name: delete-threat-rule
+  cp_mgmt_threat_rule:
+    layer: New Layer 1
+    name: Rule Name
+    state: absent
+"""
+
+RETURN = """
+cp_mgmt_threat_rule:
+  description: The checkpoint object created or updated.
+  returned: always, except when deleting the object.
+  type: dict
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_objects, api_call, api_call_for_rule
+
+
+def main():
+    argument_spec = dict(
+        position=dict(type='str'),
+        layer=dict(type='str'),
+        name=dict(type='str', required=True),
+        action=dict(type='str'),
+        destination=dict(type='list'),
+        destination_negate=dict(type='bool'),
+        enabled=dict(type='bool'),
+        install_on=dict(type='list'),
+        protected_scope=dict(type='list'),
+        protected_scope_negate=dict(type='bool'),
+        service=dict(type='list'),
+        service_negate=dict(type='bool'),
+        source=dict(type='list'),
+        source_negate=dict(type='bool'),
+        track=dict(type='str'),
+        track_settings=dict(type='dict', options=dict(
+            packet_capture=dict(type='bool')
+        )),
+        comments=dict(type='str'),
+        details_level=dict(type='str', choices=['uid', 'standard', 'full']),
+        ignore_warnings=dict(type='bool'),
+        ignore_errors=dict(type='bool')
+    )
+    argument_spec.update(checkpoint_argument_spec_for_objects)
+
+    module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
+    api_call_object = 'threat-rule'
+
+    if module.params['position'] is None:
+        result = api_call(module, api_call_object)
+    else:
+        result = api_call_for_rule(module, api_call_object)
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()
--- a/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_rule_facts.py
+++ b/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_rule_facts.py
@ -0,0 +1,209 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Ansible module to manage CheckPoint Firewall (c) 2019
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+DOCUMENTATION = """
+---
+module: cp_mgmt_threat_rule_facts
+short_description: Get threat-rule objects facts on Checkpoint over Web Services API
+description:
+  - Get threat-rule objects facts on Checkpoint devices.
+  - All operations are performed over Web Services API.
+  - This module handles both operations, get a specific object and get several objects,
+    For getting a specific object use the parameter 'name'.
+version_added: "2.9"
+author: "Or Soffer (@chkp-orso)"
+options:
+  name:
+    description:
+      - Object name. Should be unique in the domain.
+    type: str
+  layer:
+    description:
+      - Layer that the rule belongs to identified by the name or UID.
+    type: str
+  details_level:
+    description:
+      - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed
+        representation of the object.
+    type: str
+    choices: ['uid', 'standard', 'full']
+  filter:
+    description:
+      - Search expression to filter the rulebase. The provided text should be exactly the same as it would be given in Smart Console. The logical
+        operators in the expression ('AND', 'OR') should be provided in capital letters. If an operator is not used, the default OR operator applies.
+    type: str
+  filter_settings:
+    description:
+      - Sets filter preferences.
+    type: dict
+    suboptions:
+      search_mode:
+        description:
+          - When set to 'general', both the Full Text Search and Packet Search are enabled. In this mode, Packet Search will not match on 'Any'
+            object, a negated cell or a group-with-exclusion. When the search-mode is set to 'packet', by default, the match on 'Any' object, a negated cell
+            or a group-with-exclusion are enabled. packet-search-settings may be provided to change the default behavior.
+        type: str
+        choices: ['general', 'packet']
+      packet_search_settings:
+        description:
+          - When 'search-mode' is set to 'packet', this object allows to set the packet search preferences.
+        type: dict
+        suboptions:
+          expand_group_members:
+            description:
+              - When true, if the search expression contains a UID or a name of a group object, results will include rules that match on at
+                least one member of the group.
+            type: bool
+          expand_group_with_exclusion_members:
+            description:
+              - When true, if the search expression contains a UID or a name of a group-with-exclusion object, results will include rules that
+                match at least one member of the "include" part and is not a member of the "except" part.
+            type: bool
+          match_on_any:
+            description:
+              - Whether to match on 'Any' object.
+            type: bool
+          match_on_group_with_exclusion:
+            description:
+              - Whether to match on a group-with-exclusion.
+            type: bool
+          match_on_negate:
+            description:
+              - Whether to match on a negated cell.
+            type: bool
+  limit:
+    description:
+      - No more than that many results will be returned.
+        This parameter is relevant only for getting few objects.
+    type: int
+  offset:
+    description:
+      - Skip that many results before beginning to return them.
+        This parameter is relevant only for getting few objects.
+    type: int
+  order:
+    description:
+      - Sorts results by the given field. By default the results are sorted in the ascending order by name.
+        This parameter is relevant only for getting few objects.
+    type: list
+    suboptions:
+      ASC:
+        description:
+          - Sorts results by the given field in ascending order.
+        type: str
+        choices: ['name']
+      DESC:
+        description:
+          - Sorts results by the given field in descending order.
+        type: str
+        choices: ['name']
+  package:
+    description:
+      - Name of the package.
+    type: str
+  use_object_dictionary:
+    description:
+      - N/A
+    type: bool
+  dereference_group_members:
+    description:
+      - Indicates whether to dereference "members" field by details level for every object in reply.
+    type: bool
+  show_membership:
+    description:
+      - Indicates whether to calculate and show "groups" field for every object in reply.
+    type: bool
+extends_documentation_fragment: checkpoint_facts
+"""
+
+EXAMPLES = """
+- name: show-threat-rule
+  cp_mgmt_threat_rule_facts:
+    layer: New Layer 1
+    name: Rule Name
+
+- name: show-threat-rulebase
+  cp_mgmt_threat_rule_facts:
+    details_level: standard
+    filter: ''
+    limit: 20
+    name: Threat Prevention
+    offset: 0
+    use_object_dictionary: false
+"""
+
+RETURN = """
+ansible_facts:
+  description: The checkpoint object facts.
+  returned: always.
+  type: dict
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_facts, api_call_facts_for_rule
+
+
+def main():
+    argument_spec = dict(
+        name=dict(type='str'),
+        layer=dict(type='str'),
+        details_level=dict(type='str', choices=['uid', 'standard', 'full']),
+        filter=dict(type='str'),
+        filter_settings=dict(type='dict', options=dict(
+            search_mode=dict(type='str', choices=['general', 'packet']),
+            packet_search_settings=dict(type='dict', options=dict(
+                expand_group_members=dict(type='bool'),
+                expand_group_with_exclusion_members=dict(type='bool'),
+                match_on_any=dict(type='bool'),
+                match_on_group_with_exclusion=dict(type='bool'),
+                match_on_negate=dict(type='bool')
+            ))
+        )),
+        limit=dict(type='int'),
+        offset=dict(type='int'),
+        order=dict(type='list', options=dict(
+            ASC=dict(type='str', choices=['name']),
+            DESC=dict(type='str', choices=['name'])
+        )),
+        package=dict(type='str'),
+        use_object_dictionary=dict(type='bool'),
+        dereference_group_members=dict(type='bool'),
+        show_membership=dict(type='bool')
+    )
+    argument_spec.update(checkpoint_argument_spec_for_facts)
+
+    module = AnsibleModule(argument_spec=argument_spec)
+
+    api_call_object = "threat-rule"
+    api_call_object_plural_version = "threat-rulebase"
+
+    result = api_call_facts_for_rule(module, api_call_object, api_call_object_plural_version)
+    module.exit_json(ansible_facts=result)
+
+
+if __name__ == '__main__':
+    main()