#!/usr/bin/env sh
# Script to deploy certificates to Palo Alto Networks PANOS via its API.
# Note: the PANOS API key and IP address need to be set prior to running.
# The following variables, exported from the environment, will be used.
# If they are not set, the values previously saved in the domain.conf file are used.
#
# A firewall admin account with superuser rights and the firewall IP address are required.
#
# export PANOS_USER="" # required
# export PANOS_PASS="" # required
# export PANOS_HOST="" # required
# This function parses the XML API response.
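parse_response() {
  # Extract the request status (and, for keygen, the API key) from a PAN-OS
  # XML API reply into the globals status, message and _panos_key.
  #   $1 - raw response body
  #   $2 - request type: 'keygen' or anything else (cert, key, commit)
  # Always returns 0; callers inspect $status and $message.
  # printf is used instead of echo so a reply containing backslashes or a
  # leading '-' is not mangled by the shell's echo implementation.
  type=$2
  if [ "$type" = 'keygen' ]; then
    # keygen replies quote the status with single quotes: status = 'success'
    status=$(printf '%s\n' "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
    if [ "$status" = "success" ]; then
      # the key is the text between <key> and </key>
      panos_key=$(printf '%s\n' "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
      _panos_key=$panos_key
    else
      message="PAN-OS Key could not be set."
    fi
  else
    # other replies quote the status with double quotes: status="success"
    status=$(printf '%s\n' "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
    message=$(printf '%s\n' "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
  fi
  return 0
}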
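deployer() {
  # Build and send one PAN-OS XML API request, then parse the reply.
  #   $1 - request type: keygen, cert, key or commit
  # Reads _panos_host, _panos_user, _panos_pass, _panos_key, _cdomain,
  # _ckey and _cfullchain; sets _H1 (request header) for _post and leaves
  # the parsed reply in status/message via parse_response.
  # Returns 0 when the API reports success, 1 otherwise.
  content=""
  type=$1
  _debug "**** Deploying $type *****"
  panos_url="https://$_panos_host/api/"
  if [ "$type" = 'keygen' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # Form-encode the credentials so a user name or password containing
    # '&', '%' or '+' cannot corrupt the request body (the commit branch
    # already encodes its cmd parameter the same way).
    content="type=keygen&user=$(printf "%s" "$_panos_user" | _url_encode)&password=$(printf "%s" "$_panos_pass" | _url_encode)"
  fi
  if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
    # Multipart boundary. %N (nanoseconds) is GNU date only; other date
    # implementations leave it literal, which still yields a usable boundary.
    delim="-----MultipartDelimiter$(date "+%s%N")"
    # CR LF as octal escapes; turned into real bytes by printf %b below
    nl="\015\012"
    export _H1="Content-Type: multipart/form-data; boundary=$delim"
    if [ "$type" = 'cert' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
    fi
    if [ "$type" = 'key' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      # Placeholder passphrase for the unencrypted acme.sh key; the import
      # API appears to require the field to be present — confirm.
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
    fi
    # Close the multipart body
    content="$content${nl}--$delim--${nl}${nl}"
    # Convert the \r\n and \015\012 escapes into real CRLF bytes
    content=$(printf %b "$content")
  fi
  if [ "$type" = 'commit' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # Partial commit scoped to the admin user; the user name becomes an XML
    # element name, so it is passed through as-is and then URL-encoded.
    cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
    # The API key is base64-like and may contain '+' or '=', so encode it too
    content="type=commit&key=$(printf "%s" "$_panos_key" | _url_encode)&cmd=$cmd"
  fi
  response=$(_post "$content" "$panos_url" "" "POST")
  parse_response "$response" "$type"
  # parse_response leaves the outcome in the global $status
  response_status=$status
  _debug response_status "$response_status"
  if [ "$response_status" = "success" ]; then
    _debug "Successfully deployed $type"
    return 0
  else
    _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
    _debug "$message"
    return 1
  fi
}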
# This is the main function; it calls the other functions to deploy everything.
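panos_deploy() {
  # acme.sh deploy hook entry point.
  #   $1 - domain, $2 - key file, $3 - cert file, $4 - CA file,
  #   $5 - full chain file (only $1, $2 and $5 are used here)
  # Credentials come from PANOS_USER / PANOS_PASS / PANOS_HOST in the
  # environment, or from values previously saved in the domain conf.
  # Returns 0 only when key generation, both imports and the commit succeed.
  _cdomain="$1"
  _ckey="$2"
  _cfullchain="$5"
  # PANOS ENV VAR check
  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
    _debug "No ENV variables found lets check for saved variables"
    _getdeployconf PANOS_USER
    _getdeployconf PANOS_PASS
    _getdeployconf PANOS_HOST
    _panos_user=$PANOS_USER
    _panos_pass=$PANOS_PASS
    _panos_host=$PANOS_HOST
    # Nothing saved at all: first run without credentials
    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
      return 1
    else
      _debug "Using saved env variables."
    fi
  else
    _debug "Detected ENV variables to be saved to the deploy conf."
    # Persist the credentials for renewals. The trailing 1 asks
    # _savedeployconf to encode the value; in acme.sh that is base64, not
    # encryption (confirm against your version), so the conf file still
    # holds a recoverable password and must be protected accordingly.
    _savedeployconf PANOS_USER "$PANOS_USER" 1
    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
    _panos_user="$PANOS_USER"
    _panos_pass="$PANOS_PASS"
    _panos_host="$PANOS_HOST"
  fi
  _debug "Let's use username and pass to generate token."
  # A partially saved conf (e.g. host only) ends up here
  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
    return 1
  fi
  _debug "Getting PANOS KEY"
  # Stop before touching the firewall config if no API key was obtained
  if ! deployer keygen || [ -z "$_panos_key" ]; then
    _err "Missing apikey."
    return 1
  fi
  # Stop at the first failure so a failed import is never followed by a
  # commit, and so the hook's exit status reflects the failed step.
  deployer cert && deployer key && deployer commit
}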