knife-cisco_asa 0.1.4 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG.md +4 -0
- data/README.md +4 -0
- data/lib/chef/knife/cisco_asa_base.rb +109 -0
- data/lib/chef/knife/cisco_asa_host_add.rb +74 -72
- data/lib/chef/knife/cisco_asa_host_remove.rb +50 -48
- data/lib/knife-cisco_asa/version.rb +2 -1
- metadata +3 -3
- data/lib/chef/knife/BaseCiscoAsaCommand.rb +0 -104
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -2,6 +2,10 @@
|
|
2
2
|
|
3
3
|
A knife plugin for managing Cisco ASA devices.
|
4
4
|
|
5
|
+
[![Gem Version](https://badge.fury.io/rb/knife-cisco_asa.png)](http://badge.fury.io/rb/knife-cisco_asa)
|
6
|
+
|
7
|
+
[![Code Climate](https://codeclimate.com/github/bflad/knife-cisco_asa.png)](https://codeclimate.com/github/bflad/knife-cisco_asa)
|
8
|
+
|
5
9
|
## Installation
|
6
10
|
|
7
11
|
Uses [cisco rubygem](https://github.com/jtimberman/ruby-cisco) for the backend.
|
@@ -0,0 +1,109 @@
|
|
1
|
+
#
|
2
|
+
# Author:: Brian Flad (<bflad417@gmail.com>)
|
3
|
+
# License:: Apache License, Version 2.0
|
4
|
+
#
|
5
|
+
|
6
|
+
require 'chef/knife'
|
7
|
+
require 'cisco'
|
8
|
+
require 'highline/import'
|
9
|
+
|
10
|
+
class Chef
|
11
|
+
class Knife
|
12
|
+
module CiscoAsaBase
|
13
|
+
|
14
|
+
def self.included(includer)
|
15
|
+
includer.class_eval do
|
16
|
+
|
17
|
+
deps do
|
18
|
+
require 'readline'
|
19
|
+
require 'chef/json_compat'
|
20
|
+
end
|
21
|
+
|
22
|
+
unless defined? $default
|
23
|
+
$default = Hash.new
|
24
|
+
end
|
25
|
+
|
26
|
+
option :cisco_asa_enable_password,
|
27
|
+
:short => "-E PASSWORD",
|
28
|
+
:long => "--cisco-asa-enable-password PASSWORD",
|
29
|
+
:description => "Enable password for Cisco ASA"
|
30
|
+
|
31
|
+
option :cisco_asa_hostname,
|
32
|
+
:short => "-h HOSTNAME",
|
33
|
+
:long => "--cisco-asa-hostname HOSTNAME",
|
34
|
+
:description => "The hostname for Cisco ASA"
|
35
|
+
|
36
|
+
option :cisco_asa_password,
|
37
|
+
:short => "-p PASSWORD",
|
38
|
+
:long => "--cisco-asa-password PASSWORD",
|
39
|
+
:description => "The password for Cisco ASA"
|
40
|
+
|
41
|
+
option :cisco_asa_username,
|
42
|
+
:short => "-u USERNAME",
|
43
|
+
:long => "--cisco-asa-username USERNAME",
|
44
|
+
:description => "The username for Cisco ASA"
|
45
|
+
$default[:cisco_asa_username] = ENV['USER']
|
46
|
+
|
47
|
+
option :noop,
|
48
|
+
:long => "--noop",
|
49
|
+
:description => "Perform no modifying operations",
|
50
|
+
:boolean => false
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
def get_config(key)
|
55
|
+
key = key.to_sym
|
56
|
+
rval = config[key] || Chef::Config[:knife][key] || $default[key]
|
57
|
+
Chef::Log.debug("value for config item #{key}: #{rval}")
|
58
|
+
rval
|
59
|
+
end
|
60
|
+
|
61
|
+
def get_cisco_asa_config
|
62
|
+
config[:cisco_asa_password] = ask("Cisco Password for #{get_config(:cisco_asa_username)}: ") { |q| q.echo = "*" } unless get_config(:cisco_asa_password)
|
63
|
+
config[:cisco_asa_enable_password] = ask("Enable Password for #{get_config(:cisco_asa_hostname)}: ") { |q| q.echo = "*" } unless get_config(:cisco_asa_enable_password)
|
64
|
+
end
|
65
|
+
|
66
|
+
def run_config_commands(commands)
|
67
|
+
asa = Cisco::Base.new(:host => get_config(:cisco_asa_hostname), :user => get_config(:cisco_asa_username), :password => get_config(:cisco_asa_password), :transport => :ssh)
|
68
|
+
asa.enable(get_config(:cisco_asa_enable_password))
|
69
|
+
asa.cmd("conf t")
|
70
|
+
commands.each do |command|
|
71
|
+
asa.cmd(command)
|
72
|
+
end
|
73
|
+
asa.cmd("end")
|
74
|
+
asa.cmd("write mem")
|
75
|
+
unless get_config(:noop)
|
76
|
+
output = asa.run
|
77
|
+
output.each do |line|
|
78
|
+
Chef::Log.debug(line)
|
79
|
+
end
|
80
|
+
end
|
81
|
+
output
|
82
|
+
end
|
83
|
+
|
84
|
+
def tcp_test_port(hostname,port)
|
85
|
+
tcp_socket = TCPSocket.new(hostname, port)
|
86
|
+
readable = IO.select([tcp_socket], nil, nil, 5)
|
87
|
+
if readable
|
88
|
+
Chef::Log.debug("sshd accepting connections on #{hostname}, banner is #{tcp_socket.gets}") if port == 22
|
89
|
+
true
|
90
|
+
else
|
91
|
+
false
|
92
|
+
end
|
93
|
+
rescue Errno::ETIMEDOUT
|
94
|
+
false
|
95
|
+
rescue Errno::EPERM
|
96
|
+
false
|
97
|
+
rescue Errno::ECONNREFUSED
|
98
|
+
sleep 2
|
99
|
+
false
|
100
|
+
rescue Errno::EHOSTUNREACH, Errno::ENETUNREACH
|
101
|
+
sleep 2
|
102
|
+
false
|
103
|
+
ensure
|
104
|
+
tcp_socket && tcp_socket.close
|
105
|
+
end
|
106
|
+
|
107
|
+
end
|
108
|
+
end
|
109
|
+
end
|
@@ -3,98 +3,100 @@
|
|
3
3
|
# License:: Apache License, Version 2.0
|
4
4
|
#
|
5
5
|
|
6
|
-
|
6
|
+
require 'chef/knife/cisco_asa_base'
|
7
7
|
|
8
|
-
|
8
|
+
class Chef
|
9
|
+
class Knife
|
10
|
+
class CiscoAsaHostAdd < Knife
|
9
11
|
|
10
|
-
|
12
|
+
include Knife::CiscoAsaBase
|
11
13
|
|
12
|
-
|
13
|
-
|
14
|
+
banner "knife cisco asa host add NAME IP (options)"
|
15
|
+
category "cisco asa"
|
14
16
|
|
15
|
-
|
17
|
+
option :description,
|
18
|
+
:long => "--description DESCRIPTION",
|
19
|
+
:description => "Description of host"
|
16
20
|
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
option :groups,
|
22
|
-
:long => "--groups GROUP1[,GROUP2]",
|
23
|
-
:description => "Groups for host"
|
24
|
-
|
25
|
-
option :nat,
|
26
|
-
:long => "--nat IP",
|
27
|
-
:description => "NAT IP"
|
28
|
-
|
29
|
-
option :nat_dns,
|
30
|
-
:long => "--nat-dns",
|
31
|
-
:description => "Enable NAT DNS translation",
|
32
|
-
:boolean => false
|
33
|
-
|
34
|
-
def run
|
21
|
+
option :groups,
|
22
|
+
:long => "--groups GROUP1[,GROUP2]",
|
23
|
+
:description => "Groups for host"
|
35
24
|
|
36
|
-
|
25
|
+
option :nat,
|
26
|
+
:long => "--nat IP",
|
27
|
+
:description => "NAT IP"
|
28
|
+
|
29
|
+
option :nat_dns,
|
30
|
+
:long => "--nat-dns",
|
31
|
+
:description => "Enable NAT DNS translation",
|
32
|
+
:boolean => false
|
33
|
+
|
34
|
+
def run
|
35
|
+
$stdout.sync = true
|
36
|
+
|
37
|
+
hostname = name_args.first
|
38
|
+
|
39
|
+
if hostname.nil?
|
40
|
+
ui.fatal "You need a host name!"
|
41
|
+
show_usage
|
42
|
+
exit 1
|
43
|
+
end
|
37
44
|
|
38
|
-
|
39
|
-
ui.fatal "You need a host name!"
|
40
|
-
show_usage
|
41
|
-
exit 1
|
42
|
-
end
|
45
|
+
ip = name_args[1]
|
43
46
|
|
44
|
-
|
47
|
+
if ip.nil?
|
48
|
+
ui.fatal "You need an IP!"
|
49
|
+
show_usage
|
50
|
+
exit 1
|
51
|
+
end
|
45
52
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
end
|
53
|
+
args = name_args[2]
|
54
|
+
if args.nil?
|
55
|
+
args = ""
|
56
|
+
end
|
51
57
|
|
52
|
-
|
53
|
-
|
54
|
-
args = ""
|
55
|
-
end
|
58
|
+
get_cisco_asa_config
|
59
|
+
commands = []
|
56
60
|
|
57
|
-
|
58
|
-
|
61
|
+
ui.info "Adding host to Cisco ASA:"
|
62
|
+
ui.info "#{ui.color "ASA:", :cyan} #{get_config(:cisco_asa_hostname)}"
|
63
|
+
ui.info "#{ui.color "Host:", :cyan} #{hostname}"
|
64
|
+
ui.info "#{ui.color "IP:", :cyan} #{ip}"
|
59
65
|
|
60
|
-
|
61
|
-
|
62
|
-
ui.info "#{ui.color "Host:", :cyan} #{hostname}"
|
63
|
-
ui.info "#{ui.color "IP:", :cyan} #{ip}"
|
66
|
+
commands << "object network #{hostname}"
|
67
|
+
commands << " host #{ip}"
|
64
68
|
|
65
|
-
|
66
|
-
|
69
|
+
if get_config(:description)
|
70
|
+
ui.info "#{ui.color "Description:", :cyan} #{get_config(:description)}"
|
71
|
+
commands << " description #{get_config(:description)}"
|
72
|
+
end
|
67
73
|
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
74
|
+
if get_config(:nat)
|
75
|
+
ui.info "#{ui.color "NAT IP:", :cyan} #{get_config(:nat)}"
|
76
|
+
command = " nat static #{get_config(:nat)}"
|
77
|
+
if get_config(:nat_dns)
|
78
|
+
ui.info "#{ui.color "NAT DNS:", :cyan} Enabled"
|
79
|
+
command = command + " dns"
|
80
|
+
end
|
81
|
+
commands << command
|
82
|
+
end
|
72
83
|
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
84
|
+
if get_config(:groups)
|
85
|
+
get_config(:groups).split(",").each do |group|
|
86
|
+
ui.info "#{ui.color "Group:", :cyan} #{group}"
|
87
|
+
commands << "object-group network #{group}"
|
88
|
+
commands << " network-object object #{hostname}"
|
89
|
+
end
|
79
90
|
end
|
80
|
-
commands << command
|
81
|
-
end
|
82
91
|
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
commands
|
87
|
-
commands << " network-object object #{hostname}"
|
92
|
+
if get_config(:noop)
|
93
|
+
ui.info "#{ui.color "Skipping host creation process because --noop specified.", :red}"
|
94
|
+
else
|
95
|
+
run_config_commands(commands)
|
88
96
|
end
|
97
|
+
|
89
98
|
end
|
90
99
|
|
91
|
-
if get_config(:noop)
|
92
|
-
ui.info "#{ui.color "Skipping host creation process because --noop specified.", :red}"
|
93
|
-
else
|
94
|
-
run_config_commands(commands)
|
95
|
-
end
|
96
|
-
|
97
100
|
end
|
98
|
-
|
99
101
|
end
|
100
102
|
end
|
@@ -3,70 +3,72 @@
|
|
3
3
|
# License:: Apache License, Version 2.0
|
4
4
|
#
|
5
5
|
|
6
|
-
|
6
|
+
require 'chef/knife/cisco_asa_base'
|
7
7
|
|
8
|
-
|
8
|
+
class Chef
|
9
|
+
class Knife
|
10
|
+
class CiscoAsaHostRemove < Knife
|
9
11
|
|
10
|
-
|
12
|
+
include Knife::CiscoAsaBase
|
11
13
|
|
12
|
-
|
13
|
-
|
14
|
+
banner "knife cisco asa host remove NAME (options)"
|
15
|
+
category "cisco asa"
|
14
16
|
|
15
|
-
|
17
|
+
option :groups,
|
18
|
+
:long => "--groups GROUP[,GROUP2]",
|
19
|
+
:description => "Groups for host"
|
16
20
|
|
17
|
-
|
18
|
-
|
19
|
-
|
21
|
+
option :nat,
|
22
|
+
:long => "--nat IP",
|
23
|
+
:description => "NAT IP"
|
20
24
|
|
21
|
-
|
22
|
-
|
23
|
-
|
25
|
+
def run
|
26
|
+
$stdout.sync = true
|
27
|
+
|
28
|
+
hostname = name_args.first.upcase
|
24
29
|
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
ui.fatal "You need a host name!"
|
31
|
-
show_usage
|
32
|
-
exit 1
|
33
|
-
end
|
30
|
+
if hostname.nil?
|
31
|
+
ui.fatal "You need a host name!"
|
32
|
+
show_usage
|
33
|
+
exit 1
|
34
|
+
end
|
34
35
|
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
36
|
+
args = name_args[1]
|
37
|
+
if args.nil?
|
38
|
+
args = ""
|
39
|
+
end
|
39
40
|
|
40
|
-
|
41
|
-
|
41
|
+
get_cisco_asa_config
|
42
|
+
commands = []
|
42
43
|
|
43
|
-
|
44
|
-
|
45
|
-
|
44
|
+
ui.info "Removing host from Cisco ASA:"
|
45
|
+
ui.info "#{ui.color "ASA:", :cyan} #{get_config(:cisco_asa_hostname)}"
|
46
|
+
ui.info "#{ui.color "Host:", :cyan} #{hostname}"
|
46
47
|
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
48
|
+
if get_config(:nat)
|
49
|
+
ui.info "#{ui.color "NAT IP:", :cyan} #{get_config(:nat)}"
|
50
|
+
commands << "object network #{hostname}"
|
51
|
+
commands << " no nat (inside,outside) static #{get_config(:nat)} dns"
|
52
|
+
end
|
52
53
|
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
54
|
+
if get_config(:groups)
|
55
|
+
get_config(:groups).split(",").each do |group|
|
56
|
+
ui.info "#{ui.color "Group:", :cyan} #{group}"
|
57
|
+
commands << "object-group network #{group}"
|
58
|
+
commands << " no network-object object #{hostname}"
|
59
|
+
end
|
58
60
|
end
|
59
|
-
end
|
60
61
|
|
61
|
-
|
62
|
+
commands << "no object network #{hostname}"
|
62
63
|
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
64
|
+
if get_config(:noop)
|
65
|
+
ui.info "#{ui.color "Skipping host removal process because --noop specified.", :red}"
|
66
|
+
else
|
67
|
+
run_config_commands(commands)
|
68
|
+
end
|
69
|
+
|
67
70
|
end
|
68
|
-
|
69
|
-
end
|
70
71
|
|
72
|
+
end
|
71
73
|
end
|
72
74
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: knife-cisco_asa
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-
|
12
|
+
date: 2013-03-21 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: cisco
|
@@ -40,7 +40,7 @@ files:
|
|
40
40
|
- README.md
|
41
41
|
- Rakefile
|
42
42
|
- knife-cisco_asa.gemspec
|
43
|
-
- lib/chef/knife/
|
43
|
+
- lib/chef/knife/cisco_asa_base.rb
|
44
44
|
- lib/chef/knife/cisco_asa_host_add.rb
|
45
45
|
- lib/chef/knife/cisco_asa_host_remove.rb
|
46
46
|
- lib/knife-cisco_asa/version.rb
|
@@ -1,104 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Author:: Brian Flad (<bflad417@gmail.com>)
|
3
|
-
# License:: Apache License, Version 2.0
|
4
|
-
#
|
5
|
-
|
6
|
-
module CiscoAsaKnifePlugin
|
7
|
-
|
8
|
-
require 'chef/knife'
|
9
|
-
require 'cisco'
|
10
|
-
require 'highline/import'
|
11
|
-
|
12
|
-
class BaseCiscoAsaCommand < Chef::Knife
|
13
|
-
|
14
|
-
deps do
|
15
|
-
require 'highline/import'
|
16
|
-
end
|
17
|
-
|
18
|
-
def self.get_common_options
|
19
|
-
unless defined? $default
|
20
|
-
$default = Hash.new
|
21
|
-
end
|
22
|
-
|
23
|
-
option :cisco_asa_enable_password,
|
24
|
-
:short => "-E PASSWORD",
|
25
|
-
:long => "--cisco-asa-enable-password PASSWORD",
|
26
|
-
:description => "Enable password for Cisco ASA"
|
27
|
-
|
28
|
-
option :cisco_asa_hostname,
|
29
|
-
:short => "-h HOSTNAME",
|
30
|
-
:long => "--cisco-asa-hostname HOSTNAME",
|
31
|
-
:description => "The hostname for Cisco ASA"
|
32
|
-
|
33
|
-
option :cisco_asa_password,
|
34
|
-
:short => "-p PASSWORD",
|
35
|
-
:long => "--cisco-asa-password PASSWORD",
|
36
|
-
:description => "The password for Cisco ASA"
|
37
|
-
|
38
|
-
option :cisco_asa_username,
|
39
|
-
:short => "-u USERNAME",
|
40
|
-
:long => "--cisco-asa-username USERNAME",
|
41
|
-
:description => "The username for Cisco ASA"
|
42
|
-
$default[:cisco_asa_username] = ENV['USER']
|
43
|
-
|
44
|
-
option :noop,
|
45
|
-
:long => "--noop",
|
46
|
-
:description => "Perform no modifying operations",
|
47
|
-
:boolean => false
|
48
|
-
|
49
|
-
end
|
50
|
-
|
51
|
-
def get_config(key)
|
52
|
-
key = key.to_sym
|
53
|
-
rval = config[key] || Chef::Config[:knife][key] || $default[key]
|
54
|
-
Chef::Log.debug("value for config item #{key}: #{rval}")
|
55
|
-
rval
|
56
|
-
end
|
57
|
-
|
58
|
-
def get_cisco_asa_config
|
59
|
-
config[:cisco_asa_password] = ask("Cisco Password for #{get_config(:cisco_asa_username)}: ") { |q| q.echo = "*" } unless get_config(:cisco_asa_password)
|
60
|
-
config[:cisco_asa_enable_password] = ask("Enable Password for #{get_config(:cisco_asa_hostname)}: ") { |q| q.echo = "*" } unless get_config(:cisco_asa_enable_password)
|
61
|
-
end
|
62
|
-
|
63
|
-
def run_config_commands(commands)
|
64
|
-
asa = Cisco::Base.new(:host => get_config(:cisco_asa_hostname), :user => get_config(:cisco_asa_username), :password => get_config(:cisco_asa_password), :transport => :ssh)
|
65
|
-
asa.enable(get_config(:cisco_asa_enable_password))
|
66
|
-
asa.cmd("conf t")
|
67
|
-
commands.each do |command|
|
68
|
-
asa.cmd(command)
|
69
|
-
end
|
70
|
-
asa.cmd("end")
|
71
|
-
asa.cmd("write mem")
|
72
|
-
unless get_config(:noop)
|
73
|
-
output = asa.run
|
74
|
-
output.each do |line|
|
75
|
-
Chef::Log.debug(line)
|
76
|
-
end
|
77
|
-
end
|
78
|
-
output
|
79
|
-
end
|
80
|
-
|
81
|
-
def tcp_test_port(hostname,port)
|
82
|
-
tcp_socket = TCPSocket.new(hostname, port)
|
83
|
-
readable = IO.select([tcp_socket], nil, nil, 5)
|
84
|
-
if readable
|
85
|
-
Chef::Log.debug("sshd accepting connections on #{hostname}, banner is #{tcp_socket.gets}") if port == 22
|
86
|
-
true
|
87
|
-
else
|
88
|
-
false
|
89
|
-
end
|
90
|
-
rescue Errno::ETIMEDOUT
|
91
|
-
false
|
92
|
-
rescue Errno::EPERM
|
93
|
-
false
|
94
|
-
rescue Errno::ECONNREFUSED
|
95
|
-
sleep 2
|
96
|
-
false
|
97
|
-
rescue Errno::EHOSTUNREACH, Errno::ENETUNREACH
|
98
|
-
sleep 2
|
99
|
-
false
|
100
|
-
ensure
|
101
|
-
tcp_socket && tcp_socket.close
|
102
|
-
end
|
103
|
-
end
|
104
|
-
end
|