knife-cisco_asa 0.1.0

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+_yardoc
+bin
+coverage
+doc/
+Gemfile.lock
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## v0.1.0
+
+* Initial release with basic support for adding/removing hosts

data/Gemfile

@@ -0,0 +1,5 @@
+source :rubygems
+
+gemspec
+
+gem "cisco"

data/README.md

@@ -0,0 +1,68 @@
+# knife-cisco_asa
+
+A knife plugin for managing Cisco ASA devices.
+
+## Installation
+
+Uses [cisco rubygem](https://github.com/jtimberman/ruby-cisco) for the backend.
+
+* `gem install knife-cisco_asa` (if using omnibus install, `/opt/chef/embedded/bin/gem install knife-cisco_asa`)
+* or... copy `lib/chef/knife/*` files to `~/.chef/plugins/knife`
+* or... copy `lib/chef/knife/*` files to `path/to/cheforg/.chef/plugins/knife`
+
+## Usage
+
+### Common parameters
+
+Configuration in knife.rb:
+* `knife[:cisco_asa_enable_password] = "ENABLE_PASSWORD"` - Enable password for Cisco ASA
+* `knife[:cisco_asa_hostname] = "HOSTNAME"` - Cisco ASA hostname
+* `knife[:cisco_asa_password] = "PASSWORD"` - Cisco ASA user password
+* `knife[:cisco_asa_usernamename] = "USERNAME"` - Cisco ASA username
+
+Otherwise, from the command line:
+* `--cisco-asa-enable-password ENABLE_PASSWORD` - Enable password for Cisco ASA
+* `--cisco-asa-hostname HOSTNAME` - Cisco ASA hostname
+* `--cisco-asa-password PASSWORD` - Cisco ASA user password
+* `--cisco-asa-username USERNAME` - Cisco ASA username
+* `--noop` - Perform no modifying operations
+
+Any missing user or enable password will be prompted at runtime.
+
+### `knife cicso asa host add NAME IP`
+
+Adds a host to the device.
+
+* `--description DESCRIPTION` - optionally set a description for the host
+* `--groups GROUP1[,GROUP2]` - optionally add host to object groups
+* `--nat IP` - optionally setup static NAT IP
+* `--nat-dns` - optionally enable DNS translation for NAT
+
+### `knife cicso asa host remove NAME`
+
+Removes a host from the device.
+
+* `--groups GROUP1[,GROUP2]` - required to remove hosts in groups
+* `--nat IP` - required to remove hosts with static NAT IP
+
+## Contributing
+
+Please use standard Github issues and pull requests.
+
+## License and Author
+      
+Author:: Brian Flad (<bflad417@gmail.com>)
+
+Copyright:: 2013
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/knife-cisco_asa.gemspec

@@ -0,0 +1,18 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/knife-cisco_asa/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Brian Flad"]
+  gem.email         = ["bflad417@gmail.com"]
+  gem.description   = %q{A knife plugin for managing Cisco ASA devices.}
+  gem.summary       = gem.summary
+  gem.homepage      = "https://github.com/bflad/knife-cisco_asa"
+
+  gem.add_runtime_dependency "cisco"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "knife-cisco_asa"
+  gem.require_paths = ["lib"]
+  gem.version       = Knife::CiscoAsa::VERSION
+end

data/lib/chef/knife/BaseCiscoAsaCommand.rb

@@ -0,0 +1,104 @@
+#
+# Author:: Brian Flad (<bflad417@gmail.com>)
+# License:: Apache License, Version 2.0
+#
+
+module CiscoAsaKnifePlugin
+
+  require 'chef/knife'
+  require 'cisco'
+  require 'highline/import'
+  
+  class BaseCiscoAsaCommand < Chef::Knife
+
+    deps do
+      require 'highline/import'
+    end
+
+    def self.get_common_options
+      unless defined? $default
+        $default = Hash.new
+      end
+
+      option :cisco_asa_enable_password,
+        :short => "-E PASSWORD",
+        :long => "--cisco-asa-enable-password PASSWORD",
+        :description => "Enable password for Cisco ASA"
+
+      ption :cisco_asa_hostname,
+        :short => "-h HOSTNAME",
+        :long => "--cisco-asa-hostname HOSTNAME",
+        :description => "The hostname for Cisco ASA"
+
+      option :cisco_asa_password,
+        :short => "-p PASSWORD",
+        :long => "--cisco-asa-password PASSWORD",
+        :description => "The password for Cisco ASA"
+
+      option :cisco_asa_username,
+        :short => "-u USERNAME",
+        :long => "--cisco-asa-username USERNAME",
+        :description => "The username for Cisco ASA"
+      $default[:cisco_asa_username] = ENV['USER']
+
+      option :noop,
+        :long => "--noop",
+        :description => "Perform no modifying operations",
+        :boolean => false
+
+    end
+
+    def get_config(key)
+      key = key.to_sym
+      rval = config[key] || Chef::Config[:knife][key] || $default[key]
+      Chef::Log.debug("value for config item #{key}: #{rval}")
+      rval
+    end
+
+    def get_cisco_asa_config
+      config[:cisco_asa_password] = ask("Cisco Password for #{get_config(:cisco_asa_username)}: ") { |q| q.echo = "*" } unless get_config(:cisco_asa_password)
+      config[:cisco_asa_enable_password] = ask("Enable Password for #{get_config(:cisco_asa_host)}: ") { |q| q.echo = "*" } unless get_config(:cisco_asa_enable_password)
+    end
+
+    def run_config_commands(commands)
+      asa = Cisco::Base.new(:host => get_config(:cisco_asa_host), :user => get_config(:cisco_asa_username), :password => get_config(:cisco_asa_password), :transport => :ssh)
+      asa.enable(get_config(:cisco_asa_enable_password))
+      asa.cmd("conf t")
+      commands.each do |command|
+        asa.cmd(command)
+      end
+      asa.cmd("end")
+      asa.cmd("write mem")
+      unless get_config(:noop)
+        output = asa.run
+        output.each do |line|
+          Chef::Log.debug(line)
+        end
+      end
+      output
+    end
+
+    def tcp_test_port(hostname,port)
+      tcp_socket = TCPSocket.new(hostname, port)
+      readable = IO.select([tcp_socket], nil, nil, 5)
+      if readable
+        Chef::Log.debug("sshd accepting connections on #{hostname}, banner is #{tcp_socket.gets}") if port == 22
+        true
+      else
+        false
+      end
+      rescue Errno::ETIMEDOUT
+        false
+      rescue Errno::EPERM
+        false
+      rescue Errno::ECONNREFUSED
+        sleep 2
+        false
+      rescue Errno::EHOSTUNREACH, Errno::ENETUNREACH
+        sleep 2
+        false
+      ensure
+        tcp_socket && tcp_socket.close
+    end
+  end
+end

data/lib/chef/knife/cisco_asa_host_add.rb

@@ -0,0 +1,100 @@
+#
+# Author:: Brian Flad (<bflad417@gmail.com>)
+# License:: Apache License, Version 2.0
+#
+
+module CiscoAsaKnifePlugin
+
+  require 'chef/knife'
+
+  class CiscoAsaHostAdd < BaseCiscoAsaCommand
+
+    banner "knife cisco asa host add NAME IP (options)"
+    category "cisco asa"
+
+    get_common_options
+
+    option :description, 
+      :long => "--description DESCRIPTION",
+      :description => "Description of host"
+
+    option :groups, 
+      :long => "--groups GROUP1[,GROUP2]",
+      :description => "Groups for host"
+    
+    option :nat,
+      :long => "--nat IP",
+      :description => "NAT IP"
+
+    option :nat_dns,
+      :long => "--nat-dns",
+      :description => "Enable NAT DNS translation",
+      :boolean => false
+
+    def run
+      
+      hostname = name_args.first
+
+      if hostname.nil?
+        ui.fatal "You need a host name!"
+        show_usage
+        exit 1
+      end
+
+      ip = name_args[1]
+
+      if ip.nil?
+        ui.fatal "You need an IP!"
+        show_usage
+        exit 1
+      end
+
+      args = name_args[2]
+      if args.nil?
+        args = ""
+      end
+
+      get_cisco_asa_config
+      commands = []
+
+      ui.info "Adding host to Cisco ASA:"
+      ui.info "#{ui.color "ASA:", :cyan} #{get_config(:cisco_asa_host)}"
+      ui.info "#{ui.color "Host:", :cyan} #{hostname}"
+      ui.info "#{ui.color "IP:", :cyan} #{ip}"
+
+      commands << "object network #{hostname}"
+      commands << "  host #{ip}"
+
+      if get_config(:description)
+        ui.info "#{ui.color "Description:", :cyan} #{get_config(:description)}"
+        commands << "  description #{get_config(:description)}"
+      end
+
+      if get_config(:nat)
+        ui.info "#{ui.color "NAT IP:", :cyan} #{get_config(:nat)}"
+        command = "  nat static #{get_config(:nat)}"
+        if get_config(:nat_dns)
+          ui.info "#{ui.color "NAT DNS:", :cyan} Enabled"
+          command = command + " dns"
+        end
+        commands << command
+      end
+
+      if get_config(:groups)
+        get_config(:groups).split(",").each do |group|
+          ui.info "#{ui.color "Group:", :cyan} #{group}"
+          commands << "object-group network #{group}"
+          commands << "  network-object object #{hostname}"
+        end
+      end
+
+      if get_config(:noop)
+        ui.info "#{ui.color "Skipping host creation process because --noop specified.", :red}"
+      else
+        run_config_commands(commands)
+      end
+      
+    end
+
+  end
+end

data/lib/chef/knife/cisco_asa_host_remove.rb

@@ -0,0 +1,70 @@
+#
+# Author:: Brian Flad (<bflad417@gmail.com>)
+# License:: Apache License, Version 2.0
+#
+
+module CiscoAsaKnifePlugin
+
+  require 'chef/knife'
+
+  class CiscoAsaHostRemove < BaseCiscoAsaCommand
+
+    banner "knife cisco asa host remove NAME (options)"
+    category "cisco asa"
+
+    get_common_options
+
+    option :groups, 
+      :long => "--groups GROUP[,GROUP2]",
+      :description => "Groups for host"
+
+    option :nat,
+      :long => "--nat IP",
+      :description => "NAT IP"
+    
+    def run
+      
+      hostname = name_args.first.upcase
+
+      if hostname.nil?
+        ui.fatal "You need a host name!"
+        show_usage
+        exit 1
+      end
+
+      args = name_args[1]
+      if args.nil?
+        args = ""
+      end
+
+      get_cisco_asa_config
+      commands = []
+
+      ui.info "Removing host from Cisco ASA:"
+      ui.info "#{ui.color "ASA:", :cyan} #{get_config(:cisco_asa_host)}"
+      ui.info "#{ui.color "Host:", :cyan} #{hostname}"
+      ui.info "#{ui.color "NAT IP:", :cyan} #{natip}"
+
+      commands << "object network #{hostname}"
+      commands << "  no nat (inside,outside) static #{natip} dns"
+
+      if get_config(:groups)
+        get_config(:groups).split(",").each do |group|
+          ui.info "#{ui.color "Group:", :cyan} #{group}"
+          commands << "object-group network #{group}"
+          commands << "  no network-object object #{hostname}"
+        end
+      end
+
+      commands << "no object network #{hostname}"
+
+      if get_config(:noop)
+        ui.info "#{ui.color "Skipping host removal process because --noop specified.", :red}"
+      else
+        run_config_commands(commands)
+      end
+      
+    end
+
+  end
+end

data/lib/knife-cisco_asa/version.rb

@@ -0,0 +1,5 @@
+module Knife
+  module CiscoAsa
+    VERSION = "0.1.0"
+  end
+end

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification
+name: knife-cisco_asa
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Brian Flad
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-02-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cisco
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A knife plugin for managing Cisco ASA devices.
+email:
+- bflad417@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- CHANGELOG.md
+- Gemfile
+- README.md
+- Rakefile
+- knife-cisco_asa.gemspec
+- lib/chef/knife/BaseCiscoAsaCommand.rb
+- lib/chef/knife/cisco_asa_host_add.rb
+- lib/chef/knife/cisco_asa_host_remove.rb
+- lib/knife-cisco_asa/version.rb
+homepage: https://github.com/bflad/knife-cisco_asa
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: ''
+test_files: []