1#!/usr/bin/env sh
2
3# Script to deploy certificates to Palo Alto Networks PANOS via API
4# Note: the PAN-OS API key and IP address need to be set prior to running.
5# The following variables exported from environment will be used.
6# If not set then values previously saved in domain.conf file are used.
7#
8# A firewall admin account with superuser privileges and the firewall's IP address are required.
9#
10# export PANOS_USER="" # required
11# export PANOS_PASS="" # required
12# export PANOS_HOST="" # required
13
14# This function is to parse the XML
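# Parse an XML API response and publish the result through global variables.
# Arguments: $1 - raw response body returned by the API call
#            $2 - request type (keygen, cert, key or commit)
# Globals written: type, status, message; for keygen also panos_key and
#                  _panos_key
# Returns: always 0; callers are expected to inspect $status.
parse_response() {
  type=$2
  # Reset the message so text left over from an earlier call is never
  # reported against this response.
  message=""
  if [ "$type" = 'keygen' ]; then
    # The keygen branch looks for a single-quoted status attribute.
    # printf is used instead of echo so backslashes in the response are
    # passed to sed untouched.
    status=$(printf '%s\n' "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
    if [ "$status" = "success" ]; then
      panos_key=$(printf '%s\n' "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
      _panos_key=$panos_key
    else
      # Clear any key kept from a previous call: the caller decides whether
      # keygen worked by testing _panos_key for emptiness, so a stale value
      # would hide a failed login.
      panos_key=""
      _panos_key=""
      message="PAN-OS Key could not be set."
    fi
  else
    # Every other request type: double-quoted status, message taken from the
    # <result> element. The message is text supplied by the remote device.
    status=$(printf '%s\n' "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
    message=$(printf '%s\n' "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
  fi
  return 0
}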
31
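# Build and send one API request of the given type, then report the outcome.
# Arguments: $1 - request type: keygen, cert, key or commit
# Globals read: _panos_host, _panos_user, _panos_pass, _panos_key, _cdomain,
#               _cfullchain, _ckey
# Globals written: type, content, panos_url, delim, nl, cmd, response,
#                  response_status, _H1, _panos_enc_user, _panos_enc_pass,
#                  _panos_enc_key (plus whatever parse_response sets)
# Returns: 0 when the parsed status is "success", 1 otherwise.
deployer() {
  content=""
  type=$1 # Types are keygen, cert, key, commit
  _debug "**** Deploying $type *****"
  panos_url="https://$_panos_host/api/"
  if [ "$type" = 'keygen' ]; then
    # Exported like the other branches so the header is set the same way for
    # every request type.
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # Percent-encode the credentials. Sent raw, a password containing '&',
    # '+', '%' or '=' would be split or altered in the form body, so the
    # login would fail or carry unintended parameters.
    # The credentials travel in the POST body, not in the URL.
    _panos_enc_user=$(printf "%s" "$_panos_user" | _url_encode)
    _panos_enc_pass=$(printf "%s" "$_panos_pass" | _url_encode)
    content="type=keygen&user=$_panos_enc_user&password=$_panos_enc_pass"
  fi

  if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
    # Generate the multipart boundary.
    # NOTE(review): %N is a GNU date extension; other date implementations
    # may print it literally, which still yields a usable boundary.
    delim="-----MultipartDelimiter$(date "+%s%N")"
    nl="\015\012"
    # Set header
    export _H1="Content-Type: multipart/form-data; boundary=$delim"
    if [ "$type" = 'cert' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
    fi
    if [ "$type" = 'key' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      # NOTE(review): fixed passphrase sent with every private-key import.
      # It is not a secret and protects nothing; presumably the import API
      # requires the field - confirm against the API reference.
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
      # The private key file is read into the request body here; it is only
      # protected in transit by the HTTPS connection.
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
    fi
    # Close multipart
    content="$content${nl}--$delim--${nl}${nl}"
    # Convert the \015\012 and \r\n escapes into real CRLF bytes.
    # printf %b also expands any backslash sequence inside the interpolated
    # domain name and file contents.
    content=$(printf %b "$content")
  fi

  if [ "$type" = 'commit' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # NOTE(review): the user name is placed into the XML as an element name
    # without escaping; a name with XML metacharacters would produce a
    # malformed command - confirm the expected schema.
    cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
    # The API key is encoded too: a '+' sent raw in a form body is decoded
    # as a space by the receiver.
    _panos_enc_key=$(printf "%s" "$_panos_key" | _url_encode)
    content="type=commit&key=$_panos_enc_key&cmd=$cmd"
  fi
  response=$(_post "$content" "$panos_url" "" "POST")
  parse_response "$response" "$type"
  # Saving response to variables
  response_status=$status
  #DEBUG
  _debug response_status "$response_status"
  if [ "$response_status" = "success" ]; then
    _debug "Successfully deployed $type"
    return 0
  else
    _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
    _debug "$message"
    return 1
  fi
}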
92
93# This is the main function that will call the other functions to deploy everything.
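# Deploy hook entry point: resolve the firewall credentials, obtain an API
# key, then import the certificate and private key and commit the change.
# Arguments: $1 - domain, used as the certificate name on the firewall
#            $2 - path to the private key file
#            $5 - path to the full-chain certificate file
# Globals read: PANOS_USER, PANOS_PASS, PANOS_HOST
# Globals written: _cdomain, _ckey, _cfullchain, _panos_user, _panos_pass,
#                  _panos_host, _panos_key
# Returns: 0 when every step succeeded, 1 on missing settings or on the
#          first failed step.
panos_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _cfullchain="$5"
  # PANOS ENV VAR check
  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
    _debug "No ENV variables found lets check for saved variables"
    _getdeployconf PANOS_USER
    _getdeployconf PANOS_PASS
    _getdeployconf PANOS_HOST
    _panos_user=$PANOS_USER
    _panos_pass=$PANOS_PASS
    _panos_host=$PANOS_HOST
    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
      return 1
    else
      _debug "Using saved env variables."
    fi
  else
    _debug "Detected ENV variables to be saved to the deploy conf."
    # Save user, password and host to the deploy conf.
    # NOTE(review): in acme.sh the trailing "1" requests base64 encoding of
    # the stored value, which is obfuscation rather than encryption -
    # confirm, and protect the conf file with filesystem permissions, since
    # it holds a superuser password.
    _savedeployconf PANOS_USER "$PANOS_USER" 1
    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
    _panos_user="$PANOS_USER"
    _panos_pass="$PANOS_PASS"
    _panos_host="$PANOS_HOST"
  fi
  _debug "Let's use username and pass to generate token."
  # Any single missing value is fatal; the check above only catches the case
  # where all three are absent.
  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
    return 1
  fi
  _debug "Getting PANOS KEY"
  # Forget any key from an earlier run so that a failed keygen cannot be
  # masked by a stale value.
  _panos_key=""
  if ! deployer keygen || [ -z "$_panos_key" ]; then
    _err "Missing apikey."
    return 1
  fi
  # Stop at the first failed step. Previously the results of the cert and
  # key imports were discarded, so a commit could be issued, and success
  # reported, after a failed import.
  deployer cert || return 1
  deployer key || return 1
  deployer commit || return 1
  return 0
}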