#!/usr/bin/env sh

# Script to deploy certificates to Palo Alto Networks PANOS via API
# Note: the PANOS API KEY and IP address need to be set prior to running.
# The following variables, exported from the environment, will be used.
# If they are not set, the values previously saved in the domain.conf file are used.
#
# A firewall admin with the superuser role and the firewall's IP address are required.
#
# export PANOS_USER="" # required
# export PANOS_PASS="" # required
# export PANOS_HOST="" # required
13 | ||
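# Parse a PAN-OS XML API response into the shell variables the caller reads:
#   status     - value of the response's status attribute ("success" on success)
#   _panos_key - the API key found between <key> and </key> (keygen only, and
#                only assigned when the keygen status is "success")
#   message    - the <result> body, or a fixed text for a failed keygen
# Arguments: $1 = raw XML response body, $2 = request type ("keygen" or other).
# The patterns are anchored per line, so they assume the response arrives on a
# single line (a multi-line body would be matched line by line — TODO confirm).
# When a pattern does not match, sed passes the line through unchanged, so
# status then holds the whole response and the caller's "success" test fails
# closed. printf is used instead of echo so that a body starting with "-n" or
# containing backslash sequences reaches sed unmodified.
parse_response() {
  type=$2
  if [ "$type" = 'keygen' ]; then
    # Keygen pattern: the status attribute value is expected in single quotes.
    status=$(printf '%s\n' "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
    if [ "$status" = "success" ]; then
      panos_key=$(printf '%s\n' "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
      _panos_key=$panos_key
    else
      message="PAN-OS Key could not be set."
    fi
  else
    # Other responses: the status attribute value is expected in double quotes;
    # the message is whatever sits between <result> and </result>.
    status=$(printf '%s\n' "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
    message=$(printf '%s\n' "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
  fi
  return 0
}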
31 | ||
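# Build and send one request to the PAN-OS XML API.
# Argument: $1 = request type, one of keygen, cert, key, commit.
# Reads the globals set by panos_deploy (_panos_host, _panos_user, _panos_pass,
# _cdomain, _ckey, _cfullchain) and, after keygen, _panos_key as set by
# parse_response. Sets _H1 (the Content-Type header consumed by _post) and
# response_status. Returns 0 when the firewall answers with status "success",
# 1 otherwise; the firewall's <result> text is then logged at debug level.
deployer() {
  content=""
  type=$1 # Types are keygen, cert, key, commit
  _debug "**** Deploying $type *****"
  panos_url="https://$_panos_host/api/"

  if [ "$type" = 'keygen' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # The credentials travel as form fields, so they must be percent-encoded:
    # a password containing '&', '%', '+' or '#' would otherwise be cut or
    # altered and the key request would fail with an authentication error.
    _panos_enc_user=$(printf "%s" "$_panos_user" | _url_encode)
    _panos_enc_pass=$(printf "%s" "$_panos_pass" | _url_encode)
    content="type=keygen&user=$_panos_enc_user&password=$_panos_enc_pass"
    # NOTE(review): this body carries the password; if _post echoes request
    # bodies in --debug output, that log must be treated as sensitive.
  fi

  if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
    # Multipart boundary. It must not occur inside the PEM payload; the
    # timestamp keeps it unique per run. date's %N is not POSIX (BSD/macOS
    # print a literal N), which still yields a usable boundary — TODO confirm.
    delim="-----MultipartDelimiter$(date "+%s%N")"
    # CRLF as printf %b escapes; the whole body is converted once, below.
    nl="\015\012"
    export _H1="Content-Type: multipart/form-data; boundary=$delim"
    if [ "$type" = 'cert' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"${nl}${nl}certificate"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"${nl}${nl}$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"${nl}${nl}$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"${nl}${nl}pem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
    fi
    if [ "$type" = 'key' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"${nl}${nl}private-key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"${nl}${nl}$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"${nl}${nl}$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"${nl}${nl}pem"
      # The import form carries a passphrase field. The key file is uploaded
      # as-is, so this fixed value is a placeholder, not a secret, and it does
      # not protect the key in transit (TLS does) — TODO confirm PAN-OS
      # ignores it for an unencrypted PEM key.
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"${nl}${nl}123456"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
    fi
    # Close the multipart body, then turn the escape sequences into real CRLFs.
    # printf %b also interprets backslashes inside the PEM payload; PEM is
    # base64 text and contains none.
    content="$content${nl}--$delim--${nl}${nl}"
    content=$(printf %b "$content")
  fi

  if [ "$type" = 'commit' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # Presumably a partial commit limited to this admin's changes; the user
    # name is embedded as an XML element name, so it must be a plain token —
    # confirm against the PAN-OS commit schema.
    cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
    content="type=commit&key=$_panos_key&cmd=$cmd"
  fi

  response=$(_post "$content" "$panos_url" "" "POST")
  parse_response "$response" "$type"
  # parse_response leaves its result in the global "status".
  response_status=$status
  _debug response_status "$response_status"
  if [ "$response_status" = "success" ]; then
    _debug "Successfully deployed $type"
    return 0
  fi
  _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
  _debug "$message"
  return 1
}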
92 | ||
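# Deploy hook entry point. acme.sh calls it as
#   panos_deploy <domain> <key file> <cert file> <ca file> <fullchain file>
# only $1, $2 and $5 are used here. It resolves the firewall credentials,
# obtains an API key, uploads the full chain and the private key, and commits.
# Returns 0 when every step succeeded and 1 at the first failure, so a failed
# upload is never followed by a commit.
panos_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _cfullchain="$5"

  # Credentials: PANOS_USER/PANOS_PASS/PANOS_HOST from the environment win and
  # are persisted; otherwise fall back to what an earlier run saved.
  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
    _debug "No ENV variables found lets check for saved variables"
    _getdeployconf PANOS_USER
    _getdeployconf PANOS_PASS
    _getdeployconf PANOS_HOST
    _panos_user=$PANOS_USER
    _panos_pass=$PANOS_PASS
    _panos_host=$PANOS_HOST
    # All three missing means nothing was ever saved (first run); a partial
    # set is reported by the check further down.
    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
      return 1
    fi
    _debug "Using saved env variables."
  else
    _debug "Detected ENV variables to be saved to the deploy conf."
    # Persist the credentials in the deploy conf. The trailing 1 appears to
    # request base64 encoding of the stored value, which is obfuscation, not
    # encryption — the conf file's permissions are what protect the password
    # (TODO confirm against _savedeployconf's third argument).
    _savedeployconf PANOS_USER "$PANOS_USER" 1
    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
    _panos_user="$PANOS_USER"
    _panos_pass="$PANOS_PASS"
    _panos_host="$PANOS_HOST"
  fi

  _debug "Let's use username and pass to generate token."
  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
    return 1
  fi

  _debug "Getting PANOS KEY"
  # Clear any stale value so the check below reflects this run's keygen only
  # (parse_response assigns _panos_key solely on a successful keygen).
  _panos_key=""
  deployer keygen
  if [ -z "$_panos_key" ]; then
    _err "Missing apikey."
    return 1
  fi
  # Stop at the first failed step: committing after a failed certificate or
  # key upload would report success while the firewall still runs the old
  # certificate.
  deployer cert || return 1
  deployer key || return 1
  deployer commit || return 1
  return 0
}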