1 #!/usr/bin/env sh
2
3 # Script to deploy certificates to Palo Alto Networks PANOS via API
# Note: PANOS_HOST, PANOS_USER and PANOS_PASS must be set before the first run;
# PANOS_KEY is optional and is generated from the credentials when absent.
# The following variables, exported in the environment, are used. When they
# are set they are also saved to the domain's .conf file; when they are not
# set, the values previously saved there are used instead.
7 #
# A firewall admin account with the superuser role and the firewall's IP
# address (or hostname) are required.
9 #
10 # export PANOS_USER="" # required
11 # export PANOS_PASS="" # required
12 # export PANOS_HOST="" # required
13 # export PANOS_KEY="" # optional
14
15 # This function is to parse the XML
# Pull the status (and, for keygen, the API key) out of a PAN-OS XML reply.
# Results are handed back through globals the caller reads:
#   status     - word found between quotes in the reply, e.g. "success"
#   message    - text of <result>…</result> (non-keygen) or a fixed error text
#   _panos_key - set on a successful keygen; unset when a saved key is
#                rejected by the 'testkey' probe
# $1 is the raw reply body, $2 the request type (see deployer).
# If a sed pattern does not match, sed echoes the whole reply, so $status
# then holds the full body and compares unequal to "success".
# Always returns 0; callers decide on $status.
parse_response() {
  type=$2
  case "$type" in
  keygen)
    # keygen replies quote the status with single quotes.
    status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
    if [ "$status" = "success" ]; then
      panos_key=$(echo "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
      _panos_key=$panos_key
    else
      message="PAN-OS Key could not be set."
    fi
    ;;
  *)
    # Other replies use double quotes; keep the <result> body for the debug log.
    status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
    message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
    if [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then
      _debug "**** Saved API key is invalid ****"
      unset _panos_key
    fi
    ;;
  esac
  return 0
}
36
37 deployer() {
38 content=""
39 type=$1 # Types are testkey, keygen, cert, key, commit
40 _debug "**** Deploying $type ****"
41 panos_url="https://$_panos_host/api/"
42
43 #Test API Key by performing an empty commit.
44 if [ "$type" = 'testkey' ]; then
45 _H1="Content-Type: application/x-www-form-urlencoded"
46 content="type=commit&cmd=<commit></commit>&key=$_panos_key"
47 fi
48
49 # Generate API Key
50 if [ "$type" = 'keygen' ]; then
51 _H1="Content-Type: application/x-www-form-urlencoded"
52 content="type=keygen&user=$_panos_user&password=$_panos_pass"
53 # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}"
54 fi
55
56 if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
57 #Generate DEIM
58 delim="-----MultipartDelimiter$(date "+%s%N")"
59 nl="\015\012"
60 #Set Header
61 export _H1="Content-Type: multipart/form-data; boundary=$delim"
62 if [ "$type" = 'cert' ]; then
63 panos_url="${panos_url}?type=import"
64 content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
65 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
66 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
67 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
68 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
69 fi
70 if [ "$type" = 'key' ]; then
71 panos_url="${panos_url}?type=import"
72 content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key"
73 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
74 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
75 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
76 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
77 content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
78 fi
79 #Close multipart
80 content="$content${nl}--$delim--${nl}${nl}"
81 #Convert CRLF
82 content=$(printf %b "$content")
83 fi
84
85 if [ "$type" = 'commit' ]; then
86 export _H1="Content-Type: application/x-www-form-urlencoded"
87 cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
88 content="type=commit&key=$_panos_key&cmd=$cmd"
89 fi
90 response=$(_post "$content" "$panos_url" "" "POST")
91 parse_response "$response" "$type"
92 # Saving response to variables
93 response_status=$status
94 #DEBUG
95 _debug response_status "$response_status"
96 if [ "$response_status" = "success" ]; then
97 _debug "Successfully deployed $type"
98 return 0
99 else
100 _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
101 _debug "$message"
102 return 1
103 fi
104 }
105
106 # This is the main function that will call the other functions to deploy everything.
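# Deploy hook entry point called by acme.sh:
#   $1 domain, $2 key file, $3 cert file (unused), $4 CA file (unused),
#   $5 full-chain file.
# Resolves credentials from PANOS_USER/PANOS_PASS/PANOS_HOST (plus an
# optional PANOS_KEY) or from the saved deploy conf, obtains a working API
# key, then imports the chain and the key and commits.
# Returns 0 on success, 1 on the first failure.
panos_deploy() {
  _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') # Wildcard-safe certificate name
  _ckey="$2"
  _cfullchain="$5"
  # VALID ECC KEY CHECK: acme.sh may pass a *_ecc.key path that does not
  # exist; fall back to the RSA key name before giving up.
  keysuffix=$(printf '%s' "$_ckey" | tail -c 8)
  if [ "$keysuffix" = "_ecc.key" ] && [ ! -f "$_ckey" ]; then
    _debug "The ECC key $_ckey doesn't exist. Attempting to strip '_ecc' from the key name"
    _ckey=$(echo "$_ckey" | sed 's/\(.*\)_ecc.key$/\1.key/g')
    if [ ! -f "$_ckey" ]; then
      _err "Unable to find a valid key. Try issuing the certificate using RSA (non-ECC) encryption."
      return 1
    fi
  fi
  # PANOS ENV VAR check: fall back to the saved deploy conf when the
  # environment does not carry a complete set.
  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
    _debug "No ENV variables found lets check for saved variables"
    _getdeployconf PANOS_USER
    _getdeployconf PANOS_PASS
    _getdeployconf PANOS_HOST
    _getdeployconf PANOS_KEY
    _panos_user=$PANOS_USER
    _panos_pass=$PANOS_PASS
    _panos_host=$PANOS_HOST
    _panos_key=$PANOS_KEY
    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
      return 1
    else
      _debug "Using saved env variables."
    fi
  else
    _debug "Detected ENV variables to be saved to the deploy conf."
    # Persist the credentials for later renewals. The trailing 1 asks
    # _savedeployconf to encode the value; NOTE(review): this appears to be
    # base64 obfuscation rather than encryption — confirm in acme.sh — so the
    # domain conf file must be kept readable only by the acme.sh user.
    _savedeployconf PANOS_USER "$PANOS_USER" 1
    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
    _panos_user="$PANOS_USER"
    _panos_pass="$PANOS_PASS"
    _panos_host="$PANOS_HOST"
    if [ "$PANOS_KEY" ]; then
      _savedeployconf PANOS_KEY "$PANOS_KEY" 1
      _panos_key="$PANOS_KEY"
    else
      _getdeployconf PANOS_KEY
      _panos_key=$PANOS_KEY
    fi
  fi
  _debug "Let's use username and pass to generate token."
  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
    return 1
  fi
  # Probe the saved API key; its return value is deliberately ignored
  # because parse_response clears _panos_key when the firewall rejects it.
  if [ "$_panos_key" ]; then
    _debug "**** Testing Saved API KEY ****"
    deployer testkey
  fi

  # Generate a new API key if no valid key exists
  if [ -z "$_panos_key" ]; then
    _debug "**** Generating new PANOS API KEY ****"
    deployer keygen
    _savedeployconf PANOS_KEY "$_panos_key" 1
  fi

  # Confirm that a valid key was generated
  if [ -z "$_panos_key" ]; then
    _err "Missing apikey."
    return 1
  fi
  # Import the chain, then the key, then commit. The steps are chained so a
  # failed import stops the run and is reported, instead of being masked by
  # a later commit that succeeds on its own.
  deployer cert && deployer key && deployer commit
}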