illumio-pylo 0.2.5__py3-none-any.whl

illumio_pylo/cli/commands/credential_manager.py

@@ -0,0 +1,168 @@
+from prettytable import PrettyTable
+import argparse
+import os
+
+import paramiko
+
+import illumio_pylo as pylo
+import click
+from illumio_pylo.API.CredentialsManager import get_all_credentials, create_credential_in_file, CredentialFileEntry, \
+    create_credential_in_default_file, encrypt_api_key_with_paramiko_key, decrypt_api_key_with_paramiko_key
+
+from illumio_pylo import log
+from . import Command
+
+
+command_name = "cred-manager"
+objects_load_filter = None
+
+
+def fill_parser(parser: argparse.ArgumentParser):
+    sub_parser = parser.add_subparsers(dest='sub_command', required=True)
+    list_parser = sub_parser.add_parser('list', help='List all credentials')
+    create_parser = sub_parser.add_parser('create', help='Create a new credential')
+
+    create_parser.add_argument('--name', required=True, type=str,
+                               help='Name of the credential')
+    create_parser.add_argument('--fqdn', required=True, type=str,
+                                 help='FQDN of the PCE')
+    create_parser.add_argument('--port', required=True, type=int,
+                                 help='Port of the PCE')
+    create_parser.add_argument('--org', required=True, type=int,
+                                 help='Organization ID')
+    create_parser.add_argument('--api-user', required=True, type=str,
+                                    help='API user')
+    create_parser.add_argument('--verify-ssl', required=True, type=bool,
+                                 help='Verify SSL')
+
+
+def __main(args, **kwargs):
+    if args['sub_command'] == 'list':
+        credentials = get_all_credentials()
+        # sort credentials by name
+        credentials.sort(key=lambda x: x.name)
+
+        # print credentials in a nice table
+        table_template = " {:<19} {:<40} {:<22} {:<25}"
+        print(table_template.format("Name", "URL", "API User", "Originating File"))
+
+        for credential in credentials:
+            print(table_template.format(credential.name,
+                                        credential.fqdn + ':' + str(credential.port),
+                                        credential.api_user,
+                                        credential.originating_file)
+                  )
+
+    elif args['sub_command'] == 'create':
+        print("Recap:")
+        print("Name: {}".format(args['name']))
+        print("FQDN: {}".format(args['fqdn']))
+        print("Port: {}".format(args['port']))
+        print("Org ID: {}".format(args['org']))
+        print("API User: {}".format(args['api_user']))
+        print("Verify SSL: {}".format(args['verify_ssl']))
+        print()
+
+        print("* Checking if a credential with the same name already exists...", flush=True, end="")
+        credentials = get_all_credentials()
+        for credential in credentials:
+            if credential.name == args['name']:
+                raise pylo.PyloEx("A credential named '{}' already exists".format(args['name']))
+        print("OK!")
+
+        # prompt of API key from user input, single line, hidden
+        api_key = click.prompt('> API Key', hide_input=True)
+
+        credentials_data: CredentialFileEntry = {
+            "name": args['name'],
+            "fqdn": args['fqdn'],
+            "port": args['port'],
+            "org_id": args['org'],
+            "api_user": args['api_user'],
+            "verify_ssl": args['verify_ssl'],
+            "api_key": api_key
+        }
+
+        encrypt_api_key = click.prompt('> Encrypt API? Y/N', type=bool)
+        if encrypt_api_key:
+            print("Available keys (ECDSA NISTPXXX keys and a few others are not supported and will be filtered out):")
+            ssh_keys = paramiko.Agent().get_keys()
+            # filter out ECDSA NISTPXXX and sk-ssh-ed25519@openssh.com
+            ssh_keys = get_supported_keys_from_ssh_agent()
+
+            # display a table of keys
+            print_keys(keys=ssh_keys, display_index=True)
+            print()
+
+            index_of_selected_key = click.prompt('> Select key by ID#', type=click.IntRange(0, len(ssh_keys)-1))
+            selected_ssh_key = ssh_keys[index_of_selected_key]
+            print("Selected key: {} | {} | {}".format(selected_ssh_key.get_name(),
+                                                      selected_ssh_key.get_fingerprint().hex(),
+                                                      selected_ssh_key.comment))
+            print(" * encrypting API key with selected key (you may be prompted by your SSH agent for confirmation or PIN code) ...", flush=True, end="")
+            encrypted_api_key = encrypt_api_key_with_paramiko_key(ssh_key=selected_ssh_key, api_key=api_key)
+            print("OK!")
+            print(" * trying to decrypt the encrypted API key...", flush=True, end="")
+            decrypted_api_key = decrypt_api_key_with_paramiko_key(encrypted_api_key_payload=encrypted_api_key)
+            if decrypted_api_key != api_key:
+                raise pylo.PyloEx("Decrypted API key does not match original API key")
+            print("OK!")
+            credentials_data["api_key"] = encrypted_api_key
+
+
+        cwd = os.getcwd()
+        create_in_current_workdir = click.prompt('> Create in current workdir ({})? If not then user homedir will be used.   Y/N '.format(cwd), type=bool)
+
+
+        print("* Creating credential...", flush=True, end="")
+        if create_in_current_workdir:
+            file_path = create_credential_in_file(file_full_path=cwd, data=credentials_data)
+        else:
+            file_path = create_credential_in_default_file(data=credentials_data)
+
+        print("OK! ({})".format(file_path))
+
+
+command_object = Command(command_name, __main, fill_parser, credentials_manager_mode=True)
+
+
+def get_supported_keys_from_ssh_agent() -> list[paramiko.AgentKey]:
+    keys = paramiko.Agent().get_keys()
+    # filter out ECDSA NISTPXXX and sk-ssh-ed25519
+    # RSA and ED25519 keys are reported to be working
+    return [key for key in keys if not (key.get_name().startswith("ecdsa-sha2-nistp") or
+                                        key.get_name().startswith("sk-ssh-ed25519"))]
+
+def print_keys(keys: list[paramiko.AgentKey], display_index = True) -> None:
+
+    args_for_print = []
+
+    column_properties = [  # (name, width)
+        ("ID#", 4),
+        ("Type", 20),
+        ("Fingerprint", 40),
+        ("Comment", 48)
+    ]
+
+    if not display_index:
+        # remove tuple with name "ID#"
+        column_properties = [item for item in column_properties if item[0] != "ID#"]
+
+
+    table = PrettyTable()
+    table.field_names = [item[0] for item in column_properties]
+
+
+    for i, key in enumerate(keys):
+        display_values = []
+        if display_index:
+            display_values.append(i)
+        display_values.append(key.get_name())
+        display_values.append(key.get_fingerprint().hex())
+        display_values.append(key.comment)
+
+        table.add_row(display_values)
+
+    print(table)
+
+

illumio_pylo/cli/commands/iplist_import_from_file.py

@@ -0,0 +1,185 @@
+import illumio_pylo as pylo
+import argparse
+import sys
+from .misc import make_filename_with_timestamp
+from . import Command
+
+command_name = 'iplist-import'
+objects_load_filter = ['iplists']
+
+
+def fill_parser(parser: argparse.ArgumentParser):
+    parser.add_argument('--input-file', '-i', type=str, required=True,
+                        help='CSV or Excel input filename')
+    parser.add_argument('--input-file-delimiter', type=str, required=False, default=',',
+                        help='CSV field delimiter')
+
+    parser.add_argument('--ignore-if-iplist-exists', action='store_true',
+                        help='If an IPList with same same exists, ignore CSV entry')
+
+    parser.add_argument('--network-delimiter', type=str, required=False, default=',', nargs='?', const=True,
+                        help='If an IPList with same same exists, ignore CSV entry')
+
+
+def __main(args, org: pylo.Organization, **kwargs):
+    input_file = args['input_file']
+    input_file_delimiter = args['input_file_delimiter']
+    ignore_if_iplist_exists = args['ignore_if_iplist_exists']
+    network_delimiter = args['network_delimiter']
+
+    output_file_prefix = make_filename_with_timestamp('import-iplists-results_')
+    output_file_csv = output_file_prefix + '.csv'
+    output_file_excel = output_file_prefix + '.xlsx'
+
+    csv_expected_fields = [
+        {'name': 'name', 'optional': False},
+        {'name': 'description', 'optional': True},
+        {'name': 'networks', 'optional': False, 'type': 'array_of_strings'}
+    ]
+
+    csv_created_fields = csv_expected_fields.copy()
+    csv_created_fields.append({'name': 'href'})
+    csv_created_fields.append({'name': '**not_created_reason**'})
+
+    pylo.file_clean(output_file_csv)
+    pylo.file_clean(output_file_excel)
+
+    print(" * Loading CSV input file '{}'...".format(input_file), flush=True, end='')
+    csv_data = pylo.CsvExcelToObject(input_file, expected_headers=csv_expected_fields, csv_delimiter=input_file_delimiter)
+    print('OK')
+    print("   - CSV has {} columns and {} lines (headers don't count)".format(csv_data.count_columns(), csv_data.count_lines()))
+    # print(pylo.nice_json(csv_data._objects))
+
+    print(" * Checking for iplist name collisions:", flush=True)
+    name_cache = {}
+    for iplist in org.IPListStore.items_by_href.values():
+        if iplist.name is not None and len(iplist.name) > 0:
+            lower_name = iplist.name.lower()
+            if lower_name not in name_cache:
+                name_cache[lower_name] = {'pce': True}
+            else:
+                print("  - Warning duplicate found in the PCE for IPList name: {}".format(iplist.name))
+
+    for csv_object in csv_data.objects():
+        if csv_object['name'] is not None and len(csv_object['name']) > 0:
+            lower_name = csv_object['name'].lower()
+            if lower_name not in name_cache:
+                name_cache[lower_name] = {'csv': True}
+            else:
+                if 'csv' in name_cache[lower_name]:
+                    pylo.log.error('CSV contains iplists with duplicates name: {}'.format(lower_name))
+                    sys.exit(1)
+                else:
+                    csv_object['**not_created_reason**'] = 'Found duplicated name in PCE'
+                    if not ignore_if_iplist_exists:
+                        pylo.log.error("PCE contains iplists with duplicates name from CSV: '{}' at line #{}. Please fix CSV or look for --options to ignore it".format(lower_name, csv_object['*line*']))
+                        sys.exit(1)
+                    print("  - WARNING: CSV has an entry for iplist name '{}' at line #{} but it exists already in the PCE. It will be ignored.".format(lower_name, csv_object['*line*']))
+
+    del name_cache
+    print("  * DONE", flush=True)
+
+    # Listing objects to be created (filtering out inconsistent ones)
+    csv_objects_to_create = []
+    ignored_objects_count = 0
+    for csv_object in csv_data.objects():
+        if '**not_created_reason**' not in csv_object:
+            csv_objects_to_create.append(csv_object)
+        else:
+            ignored_objects_count += 1
+
+    print(' * Preparing Iplist JSON data...')
+    iplists_json_data = []
+    for data in csv_objects_to_create:
+        new_iplist = {}
+        iplists_json_data.append(new_iplist)
+
+        if len(data['name']) < 1:
+            raise pylo.PyloEx('Iplist at line #{} is missing a name in CSV'.format(data['*line*']))
+        else:
+            new_iplist['name'] = data['name']
+
+        if len(data['description']) > 0:
+            new_iplist['description'] = data['description']
+
+        if len(data['networks']) < 1:
+            print('Iplist at line #{} has empty networks list'.format(data['*line*']))
+            sys.exit(1)
+
+        network_delimiter = network_delimiter.replace("\\n", "\n")
+        ip_ranges = []
+        new_iplist['ip_ranges'] = ip_ranges
+
+        for network_string in data['networks'].rsplit(network_delimiter):
+            network_string = network_string.strip(" \r\n")  # cleanup trailing characters
+
+            exclusion = False
+            if network_string.find('!') == 0:
+                exclusion = True
+                network_string = network_string[1:]
+
+            split_dash = network_string.split('-')
+            if len(split_dash) > 2:
+                pylo.log.error('Iplist at line #{} has invalid network entry: {}'.format(data['*line*'], network_string))
+                sys.exit(1)
+            if len(split_dash) == 2:
+                ip_ranges.append({'from_ip': split_dash[0], 'to_ip': split_dash[1], 'exclusion': exclusion})
+                continue
+
+            split_slash = network_string.split('/')
+            if len(split_slash) > 2:
+                pylo.log.error('Iplist at line #{} has invalid network entry: {}'.format(data['*line*'], network_string))
+                sys.exit(1)
+            if len(split_slash) == 2:
+                if len(split_slash[1]) > 2:
+                    pylo.log.error('Iplist at line #{} has invalid network mask in CIDR {}'.format(data['*line*'], network_string))
+                    sys.exit(1)
+                ip_ranges.append({'from_ip': split_slash[0]+'/'+split_slash[1], 'exclusion': exclusion})
+                continue
+            else:
+                is_ip4 = pylo.is_valid_ipv4(network_string)
+                is_ip6 = pylo.is_valid_ipv6(network_string)
+
+                if not is_ip4 and not is_ip6:
+                    pylo.log.error('Iplist at line #{} has invalid address format: {}'.format(data['*line*'], network_string))
+                    sys.exit(1)
+                ip_ranges.append({'from_ip': network_string, 'exclusion': exclusion})
+                continue
+
+        if len(ip_ranges) == 0:
+            pylo.log.error('Iplist at line #{} has no network entry'.format(data['*line*']))
+            sys.exit(1)
+
+        print("  - iplist '{}' extracted with {} with networks".format(new_iplist['name'], len(new_iplist['ip_ranges'])))
+        # print(new_iplist)
+
+    print("  * DONE")
+
+    print(" * Creating {} IPLists".format(len(iplists_json_data)))
+    total_created_count = 0
+    total_failed_count = 0
+
+    for index in range(0, len(iplists_json_data)):
+        json_blob = iplists_json_data[index]
+        print("  - Pushing new iplist '{}' to PCE (#{} of {})... ".format(json_blob['name'], index+1, len(iplists_json_data)), end='', flush=True)
+        result = org.connector.objects_iplist_create(json_blob)
+        print("OK")
+
+        href = result.get('href')
+        if href is None:
+            raise pylo.PyloEx('API returned unexpected response which is missing a HREF:', result)
+
+        total_created_count += 1
+        csv_objects_to_create[index]['href'] = href
+
+        csv_data.save_to_csv(output_file_csv, csv_created_fields)
+        csv_data.save_to_excel(output_file_excel, csv_created_fields)
+
+    csv_data.save_to_csv(output_file_csv, csv_created_fields)
+    csv_data.save_to_excel(output_file_excel, csv_created_fields)
+
+    print("  * DONE - {} created with success, {} failures and {} ignored. A report was created in {} and {}".format(total_created_count, total_failed_count, ignored_objects_count, output_file_csv, output_file_excel))
+
+
+command_object = Command(command_name, __main, fill_parser, load_specific_objects_only=objects_load_filter)
+

illumio_pylo/cli/commands/misc.py

@@ -0,0 +1,7 @@
+from datetime import datetime
+import illumio_pylo as pylo
+
+
+def make_filename_with_timestamp(prefix: str):
+    now = datetime.now()
+    return prefix + now.strftime("%Y%m%d-%H%M%S")

illumio_pylo/cli/commands/ruleset_export.py

@@ -0,0 +1,129 @@
+import argparse
+import os
+from typing import Dict, List
+
+import illumio_pylo as pylo
+from .misc import make_filename_with_timestamp
+from . import Command
+
+command_name = 'rule-export'
+
+
+def fill_parser(parser: argparse.ArgumentParser):
+    parser.add_argument('--format', '-f', required=False, default='excel',choices=['csv', 'excel'], help='Output file format')
+    parser.add_argument('--output', '-o', required=False, default='.', help='Directory where to save the output file')
+    parser.add_argument('--prefix-objects-with-type', nargs='?', const=True, default=False,
+                        help='Prefix objects with their type (e.g. "label:mylabel")')
+    parser.add_argument('--object-types-as-section', action='store_true', default=False,
+                        help="Consumer and providers will show objects types section headers, example:" + os.linesep +
+                        "LABELS: " + os.linesep +
+                        "R-WEB" + os.linesep +
+                        "A-FUSION" + os.linesep +
+                        "IPLISTS: " + os.linesep +
+                        "Private_Networks" + os.linesep +
+                        "Public_NATed")
+
+
+
+def __main(options: Dict, org: pylo.Organization, **kwargs):
+    csv_report_headers: List[pylo.ExcelHeader] = \
+        [{'name': 'ruleset', 'max_width': 40},
+         {'name': 'scope', 'max_width': 50},
+         {'name': 'type', 'max_width': 10},
+         {'name': 'consumers', 'max_width': 80},
+         {'name': 'providers', 'max_width': 80},
+         {'name': 'services', 'max_width': 30},
+         {'name': 'options', 'max_width': 40},
+         {'name': 'ruleset_url', 'max_width': 40, 'wrap_text': False},
+         {'name': 'ruleset_href', 'max_width': 30, 'wrap_text': False}
+         ]
+
+    setting_prefix_objects_with_type: bool|str = options['prefix_objects_with_type']
+    if setting_prefix_objects_with_type is False:
+        print(" * Prefix for object types are disabled")
+    else:
+        print(" * Prefix for object types are enabled")
+
+    setting_object_types_as_section: bool = options['prefix_objects_with_type']
+    if setting_object_types_as_section is False:
+        print(" * Object types as section are disabled")
+    else:
+        print(" * Object types as section are enabled")
+
+    output_file_format = options.get('format')
+    if output_file_format == "excel":
+        output_file_extension = ".xlsx"
+    elif output_file_format == "csv":
+        output_file_extension = ".csv"
+    else:
+        raise Exception("Unknown output file format: %s" % output_file_format)
+
+    output_file_name = options.get('output') + os.sep + make_filename_with_timestamp('rule_export_') + output_file_extension
+    output_file_name = os.path.abspath(output_file_name)
+
+    csv_report = pylo.ArraysToExcel()
+    sheet = csv_report.create_sheet('rulesets', csv_report_headers, force_all_wrap_text=True, multivalues_cell_delimiter=',')
+
+    for ruleset in org.RulesetStore.rulesets:
+        for rule in ruleset.rules_ordered_by_type:
+            rule_options = []
+            if not rule.enabled:
+                rule_options.append('disabled')
+            if rule.secure_connect:
+                rule_options.append('secure-connect')
+            if rule.stateless:
+                rule_options.append('stateless')
+            if rule.machine_auth:
+                rule_options.append('machine_auth')
+
+            scope_str = ''
+            for scope in ruleset.scopes.scope_entries.values():
+                if len(scope_str) > 0:
+                    scope_str += "\n"
+                if scope.is_all_all_all():
+                    scope_str += "*ALL LABELS*"
+                    continue
+                for label in scope.labels_sorted_by_type:
+                    scope_str += f"{label.name}\n"
+            # remove last \n from scope
+            if scope_str[-1] == "\n":
+                scope_str = scope_str[:-1]
+
+
+            consumers_str = rule.consumers.members_to_str("\n", prefix_objects_with_type=setting_prefix_objects_with_type,
+                                                            object_types_as_section=setting_object_types_as_section)
+            providers_str = rule.providers.members_to_str("\n", prefix_objects_with_type=setting_prefix_objects_with_type,
+                                                          object_types_as_section=setting_object_types_as_section)
+
+
+            data = {'ruleset': ruleset.name, 'scope': scope_str,
+                    'consumers': consumers_str,
+                    'providers': providers_str,
+                    'services': rule.services.members_to_str("\n"),
+                    'options': pylo.string_list_to_text(rule_options, "\n"),
+                    'ruleset_href': ruleset.href,
+                    'ruleset_url': ruleset.get_ruleset_url()}
+            if rule.is_extra_scope():
+                data['type'] = 'extra'
+            else:
+                data['type'] = 'intra'
+            sheet.add_line_from_object(data)
+
+    if output_file_format == "csv":
+        print(" * Writing export file '{}' ... ".format(output_file_name), end='', flush=True)
+        sheet.write_to_csv(output_file_name)
+        print("DONE")
+    elif output_file_format == "excel":
+        print(" * Writing export file '{}' ... ".format(output_file_name), end='', flush=True)
+        csv_report.write_to_excel(output_file_name)
+        print("DONE")
+    else:
+        raise pylo.PyloEx("Unknown format: '{}'".format(options['format']))
+
+
+command_object = Command(command_name, __main, fill_parser)
+
+
+
+
+

illumio_pylo/cli/commands/update_pce_objects_cache.py

@@ -0,0 +1,44 @@
+import logging
+import argparse
+import illumio_pylo as pylo
+import os
+import datetime
+import json
+
+from illumio_pylo import log
+from . import Command
+
+
+command_name = "pce-objects-cache-updater"
+objects_load_filter = None
+
+
+def fill_parser(parser: argparse.ArgumentParser):
+    parser.add_argument('--include-deleted-workloads', action='store_true',
+                        help='should deleted workloads be downloaded as well')
+
+
+def __main(args, org: pylo.Organization = None, connector: pylo.APIConnector = None, config_data=None, **kwargs):
+
+    # filename should be like 'cache_xxx.yyy.zzz.json'
+    filename = 'cache_' + connector.name + '.json'
+
+    timestamp = datetime.datetime.now(datetime.timezone.utc)
+
+    json_content = {'generation_date': timestamp.isoformat(),
+                    'pce_version': connector.get_software_version_string(),
+                    'data': config_data,
+                    }
+
+    with open(filename, 'w') as outfile:
+        json.dump(json_content, outfile)
+
+    size = os.path.getsize(filename)
+
+    print("\nPCE objects and settings were saved to file '%s' with a size of %iKB" % (filename, int(size/1024)))
+
+    print()
+
+
+command_object = Command(command_name, __main, fill_parser, skip_pce_config_loading=True)
+