From d9a9695fe089f07e81199fcfb9ebb75fe6def7be Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Wed, 5 Feb 2020 14:29:01 -0800 Subject: [PATCH 01/10] Deploy certificates to Palo Alto Network Firewalls --- deploy/panos.sh | 144 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 deploy/panos.sh diff --git a/deploy/panos.sh b/deploy/panos.sh new file mode 100644 index 00000000..8a288e7b --- /dev/null +++ b/deploy/panos.sh 
@@ -0,0 +1,144 @@ +#!/usr/bin/env sh + +# Script to deploy certificates to Palo Alto Networks PANOS via API +# Note PANOS API KEY and IP address needs to be set prior to running. +# The following variables exported from environment will be used. +# If not set then values previously saved in domain.conf file are used. +# +# Firewall admin with superuser and IP address is required. +# +# export PANOS_USER="" # required +# export PANOS_PASS="" # required +# export PANOS_HOST="" # required + +# This function is to parse the XML +parse_response() { + status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') + message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') + return 0 +} + +deployer() { + type=$1 # Types are cert, key, commit + _debug "**** Deploying $type *****" + + #Generate DEIM + delim="-----MultipartDelimiter$(date "+%s%N")" + nl="\015\012" + #Set Header + _H1="Content-Type: multipart/form-data; boundary=$delim" + if [ $type = 'cert' ]; then + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" + fi + if [ $type = 'key' ]; then + #Add key + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + fi + #Close multipart + content="$content${nl}--$delim--${nl}" + #Convert CRLF + content=$(printf %b "$content") + + if [ $type = 'cert' ]; then + panos_url="https://$_panos_host/api/?type=import&category=certificate&certificate-name=$_cdomain&format=pem&key=$_panos_key" + fi + + if [ $type = 'key' ]; then + panos_url="https://$_panos_host/api/?type=import&category=private-key&certificate-name=$_cdomain&format=pem&passphrase=none&key=$_panos_key" + fi + if [ $type = 'commit' ]; then + cmd=$(_url_encode "<$_panos_user>") + panos_url="https://$_panos_host/api/?type=commit&cmd=$cmd&key=$_panos_key" + fi 
+ + if [ $type = 'key' ] || [ $type = 'cert' ]; then + response=$(_post "$content" "$panos_url" "" "POST") + else + response=$(_get $panos_url) + fi + _debug panos_url $panos_url + _debug "RESPONSE $response" + parse_response "$response" + _debug "STATUS IS $status" + _debug "MESSAGE IS $message" + # Saving response to variables + response_status=$status + # Check for cert upload error and handle gracefully. + + #DEBUG + _debug header "$_H1" + # _debug content "$content" + _debug response_status "$response_status" + if [ "$response_status" = "success" ]; then + _debug "Successfully deployed $type" + return 0 + else + _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot." + _debug "$message" + return 1 + fi +} + +# This is the main function that will call the other functions to deploy everything. +panos_deploy() { + _cdomain="$1" + _ckey="$2" + _cfullchain="$5" + # PANOS HOST is required to make API calls to the PANOS/Panorama + if [ -z "$PANOS_HOST" ]; then + if [ -z "$_panos_host" ]; then + _err "PANOS_HOST not defined." + return 1 + fi + else + _debug "PANOS HOST is set. Save to domain conf." + _panos_host="$PANOS_HOST" + _savedomainconf _panos_host "$_panos_host" + fi + # Retrieve stored variables + _panos_user="$(_readaccountconf_mutable PANOS_USER)" + _panos_pass="$(_readaccountconf_mutable PANOS_PASS)" + # PANOS Credentials check + if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ]; then + _debug "PANOS_USER, PANOS_PASS is not defined" + if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ]; then + _err "No user and pass found in storage. If this is the first time deploying please set PANOS_USER and PANOS_PASS in environment variables." 
+ return 1 + else + _debug "ok" + fi + else + _debug "Saving environment variables" + # Encrypt and save user + _saveaccountconf_mutable PANOS_USER "$PANOS_USER" + _saveaccountconf_mutable PANOS_PASS "$PANOS_PASS" + _panos_user="$PANOS_USER" + _panos_pass="$PANOS_PASS" + fi + _debug "Let's use username and pass to generate token." + if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then + _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST" + return 1 + else + _debug "Getting PANOS KEY" + panos_key_response=$(_get "https://$_panos_host/api/?type=keygen&user=$_panos_user&password=$_panos_pass") + _debug "PANOS KEY FULL RESPONSE $panos_key_response" + status=$(echo "$panos_key_response" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') + _debug "STATUS IS $status" + if [ "$status" = "success" ]; then + panos_key=$(echo "$panos_key_response" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') + _panos_key=$panos_key + else + _err "PANOS Key could not be set. Deploy with --debug to troubleshoot" + return 1 + fi + if [ -z "$_panos_host" ] && [ -z "$_panos_key" ] && [ -z "$_panos_user" ]; then + _err "Missing host, apikey, user." + return 1 + else + deployer cert + deployer key + deployer commit + fi + fi +} \ No newline at end of file From c2812896f8947c29117fe3a8b0832965aabdabeb Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Tue, 11 Feb 2020 18:15:10 -0800 Subject: [PATCH 02/10] Update deployer --- deploy/panos.sh | 114 +++++++++++++++++++++++++----------------------- 1 file changed, 59 insertions(+), 55 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 8a288e7b..ca03706f 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh 
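Review bot: The closing `deployer cert`, `deployer key`, `deployer commit` sequence in panos_deploy ignores each call's exit status, so a failed certificate import is still followed by a key import and then a commit of whatever is already on the firewall, and panos_deploy's own status is just the commit's. Chain them so the first failure stops the sequence and propagates: `deployer cert && deployer key && deployer commit`. The import and commit URLs in deployer also interpolate `$_cdomain` and `$_panos_key` raw into the query string; if either value can contain `&`, `+` or `%` the request is silently altered, so they belong through `_url_encode` as the commit `cmd` already is (the keygen GET, which puts the admin password in the query string and then into `_debug` output, is reworked in PATCH 02).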
@@ -13,61 +13,75 @@ # This function is to parse the XML parse_response() { - status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') - message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') + type=$2 + if [ $type = 'keygen' ]; then + status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') + if [ "$status" = "success" ]; then + panos_key=$(echo "$1" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') + _panos_key=$panos_key + message='PAN-OS key is set.' + else + message="PAN-OS Key could not be set." + fi + else + status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') + message=$(echo "$1" | sed 's/^.*\(.*\)<\/result.*/\1/g') + fi return 0 } deployer() { - type=$1 # Types are cert, key, commit + type=$1 # Types are keygen, cert, key, commit _debug "**** Deploying $type *****" - - #Generate DEIM - delim="-----MultipartDelimiter$(date "+%s%N")" - nl="\015\012" - #Set Header - _H1="Content-Type: multipart/form-data; boundary=$delim" - if [ $type = 'cert' ]; then - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" + panos_url="https://$_panos_host/api/" + + if [ $type = 'keygen' ]; then + _H1="Content-Type: application/x-www-form-urlencoded" + content="type=keygen&user=$_panos_user&password=$_panos_pass" + # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" fi - if [ $type = 'key' ]; then - #Add key - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" - fi - #Close multipart - content="$content${nl}--$delim--${nl}" - #Convert CRLF - content=$(printf %b "$content") - if [ $type = 'cert' ]; then - 
panos_url="https://$_panos_host/api/?type=import&category=certificate&certificate-name=$_cdomain&format=pem&key=$_panos_key" + if [ $type = 'cert' ] || [ $type = 'key' ]; then + #Generate DEIM + delim="-----MultipartDelimiter$(date "+%s%N")" + nl="\015\012" + #Set Header + _H1="Content-Type: multipart/form-data; boundary=$delim" + + if [ $type = 'cert' ]; then + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\ncertificate" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" + fi + if [ $type = 'key' ]; then + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\nprivate-key" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n\r\nnone" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" + fi + #Close multipart + 
content="$content${nl}--$delim--${nl}" + #Convert CRLF + content=$(printf %b "$content") + fi + + if [ $type = 'commit' ]; then + _H1="Content-Type: application/x-www-form-urlencoded" + cmd=$(printf "%s" "<$_panos_user>" | _url_encode) + content="type=commit&key=$_panos_key&cmd=$cmd" fi - if [ $type = 'key' ]; then - panos_url="https://$_panos_host/api/?type=import&category=private-key&certificate-name=$_cdomain&format=pem&passphrase=none&key=$_panos_key" - fi - if [ $type = 'commit' ]; then - cmd=$(_url_encode "<$_panos_user>") - panos_url="https://$_panos_host/api/?type=commit&cmd=$cmd&key=$_panos_key" - fi - - if [ $type = 'key' ] || [ $type = 'cert' ]; then - response=$(_post "$content" "$panos_url" "" "POST") - else - response=$(_get $panos_url) - fi - _debug panos_url $panos_url - _debug "RESPONSE $response" - parse_response "$response" - _debug "STATUS IS $status" - _debug "MESSAGE IS $message" + response=$(_post "$content" "$panos_url" "" "POST") + parse_response "$response" $type # Saving response to variables response_status=$status - # Check for cert upload error and handle gracefully. - #DEBUG - _debug header "$_H1" - # _debug content "$content" _debug response_status "$response_status" if [ "$response_status" = "success" ]; then _debug "Successfully deployed $type" 
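Review bot: The keygen body `content="type=keygen&user=$_panos_user&password=$_panos_pass"` is sent as application/x-www-form-urlencoded with neither value encoded, so a password containing `&`, `+`, `%` or `=` is truncated or altered before it reaches the firewall and the failure surfaces only as "PAN-OS Key could not be set." Encode both the way the commit branch already does for `cmd`: `content="type=keygen&user=$(printf '%s' "$_panos_user" | _url_encode)&password=$(printf '%s' "$_panos_pass" | _url_encode)"`. In parse_response, when status is success but the sed pattern that extracts the key element does not match, sed prints its input unchanged and `_panos_key` ends up holding the whole XML response rather than being empty, which a later `-z "$_panos_key"` check cannot detect; compare the extracted value against the input before assigning it. The multipart fields use a literal `\r\n\r\n\r\n` after each Content-Disposition header, one CRLF more than the format needs, so every field value carries a leading CRLF; PAN-OS evidently tolerates it, but `${nl}${nl}` would match the file parts below and keep the body conformant.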
@@ -121,18 +135,8 @@ panos_deploy() { return 1 else _debug "Getting PANOS KEY" - panos_key_response=$(_get "https://$_panos_host/api/?type=keygen&user=$_panos_user&password=$_panos_pass") - _debug "PANOS KEY FULL RESPONSE $panos_key_response" - status=$(echo "$panos_key_response" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') - _debug "STATUS IS $status" - if [ "$status" = "success" ]; then - panos_key=$(echo "$panos_key_response" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') - _panos_key=$panos_key - else - _err "PANOS Key could not be set. Deploy with --debug to troubleshoot" - return 1 - fi - if [ -z "$_panos_host" ] && [ -z "$_panos_key" ] && [ -z "$_panos_user" ]; then + deployer keygen + if [ -z "$_panos_key" ]; then _err "Missing host, apikey, user." return 1 else From 71bc993e3ddf72d497b16a2a9ee598bcc0f92847 Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Tue, 11 Feb 2020 22:23:10 -0800 Subject: [PATCH 03/10] Fixed Shellchecks --- deploy/panos.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index ca03706f..b2c3b1d9 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -14,7 +14,7 @@ # This function is to parse the XML parse_response() { type=$2 - if [ $type = 'keygen' ]; then + if [ $type = "keygen" ]; then status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') if [ "$status" = "success" ]; then panos_key=$(echo "$1" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') 
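Review bot: `deployer keygen` has its exit status discarded and the guard below relies solely on `_panos_key` being empty, yet nothing clears `_panos_key` before the call, so a value left by an earlier invocation in the same shell process, or a response whose key pattern did not match, passes the check with a stale or bogus key. Reset and chain it: `_panos_key=""` before the call and `deployer keygen || return 1`. The error text `Missing host, apikey, user.` no longer matches what is checked here (only the key); PATCH 08 later corrects it.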
@@ -35,20 +35,20 @@ deployer() { _debug "**** Deploying $type *****" panos_url="https://$_panos_host/api/" - if [ $type = 'keygen' ]; then + if [ $type = "keygen" ]; then _H1="Content-Type: application/x-www-form-urlencoded" content="type=keygen&user=$_panos_user&password=$_panos_pass" # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" fi - if [ $type = 'cert' ] || [ $type = 'key' ]; then + if [ $type = "cert" ] || [ $type = "key" ]; then #Generate DEIM delim="-----MultipartDelimiter$(date "+%s%N")" nl="\015\012" #Set Header - _H1="Content-Type: multipart/form-data; boundary=$delim" + export _H1="Content-Type: multipart/form-data; boundary=$delim" - if [ $type = 'cert' ]; then + if [ $type = "cert" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\ncertificate" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" @@ -56,7 +56,7 @@ deployer() { content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" fi - if [ $type = 'key' ]; then + if [ $type = "key" ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\nprivate-key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" 
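Review bot: `export _H1=...` is applied to the cert/key branch here and to the commit branch in the next hunk, while the keygen branch at the top of this hunk keeps a plain `_H1=...`, so one header variable is set two different ways inside the same function. `_post` appears to be a shell function that reads `_H1` from the current shell, in which case the export changes nothing at runtime and only silences ShellCheck's unused-variable warning; if that is the intent, either export it in all three branches or drop the exports and put `# shellcheck disable=SC2034` once above the assignments. The commented-out multipart line in the keygen branch is a leftover from the first draft and can be removed.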
@@ -71,14 +71,14 @@ deployer() { content=$(printf %b "$content") fi - if [ $type = 'commit' ]; then - _H1="Content-Type: application/x-www-form-urlencoded" + if [ $type = "commit" ]; then + export _H1="Content-Type: application/x-www-form-urlencoded" cmd=$(printf "%s" "<$_panos_user>" | _url_encode) content="type=commit&key=$_panos_key&cmd=$cmd" fi response=$(_post "$content" "$panos_url" "" "POST") - parse_response "$response" $type + parse_response "$response" "$type" # Saving response to variables response_status=$status #DEBUG From 5dcb4176769321555f953f44a046258dc1096294 Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Tue, 11 Feb 2020 22:26:48 -0800 Subject: [PATCH 04/10] ShellCheck fixes --- deploy/panos.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index b2c3b1d9..8e00fd6c 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -14,7 +14,7 @@ # This function is to parse the XML parse_response() { type=$2 - if [ $type = "keygen" ]; then + if [ "$type" = 'keygen' ]; then status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') if [ "$status" = "success" ]; then panos_key=$(echo "$1" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') 
@@ -35,20 +35,20 @@ deployer() { _debug "**** Deploying $type *****" panos_url="https://$_panos_host/api/" - if [ $type = "keygen" ]; then + if [ "$type" = 'keygen' ]; then _H1="Content-Type: application/x-www-form-urlencoded" content="type=keygen&user=$_panos_user&password=$_panos_pass" # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" fi - if [ $type = "cert" ] || [ $type = "key" ]; then + if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then #Generate DEIM delim="-----MultipartDelimiter$(date "+%s%N")" nl="\015\012" #Set Header export _H1="Content-Type: multipart/form-data; boundary=$delim" - if [ $type = "cert" ]; then + if [ "$type" = 'cert' ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\ncertificate" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" @@ -56,7 +56,7 @@ deployer() { content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" fi - if [ $type = "key" ]; then + if [ "$type" = 'key' ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\nprivate-key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" 
@@ -71,7 +71,7 @@ deployer() { content=$(printf %b "$content") fi - if [ $type = "commit" ]; then + if [ "$type" = 'commit' ]; then export _H1="Content-Type: application/x-www-form-urlencoded" cmd=$(printf "%s" "<$_panos_user>" | _url_encode) content="type=commit&key=$_panos_key&cmd=$cmd" From cbdb8bd9b96a8370051f952806fa24dc13d80f9b Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Tue, 11 Feb 2020 22:34:55 -0800 Subject: [PATCH 05/10] Fixing gitdiff --- deploy/panos.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 8e00fd6c..c199caf4 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -42,11 +42,11 @@ deployer() { fi if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then - #Generate DEIM - delim="-----MultipartDelimiter$(date "+%s%N")" - nl="\015\012" - #Set Header - export _H1="Content-Type: multipart/form-data; boundary=$delim" + #Generate DEIM + delim="-----MultipartDelimiter$(date "+%s%N")" + nl="\015\012" + #Set Header + export _H1="Content-Type: multipart/form-data; boundary=$delim" if [ "$type" = 'cert' ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" @@ -76,7 +76,6 @@ deployer() { cmd=$(printf "%s" "<$_panos_user>" | _url_encode) content="type=commit&key=$_panos_key&cmd=$cmd" fi - response=$(_post "$content" "$panos_url" "" "POST") parse_response "$response" "$type" # Saving response to variables @@ -145,4 +144,4 @@ panos_deploy() { deployer commit fi fi -} \ No newline at end of file +} From 2077a70d03a548dfbb5501a5b4388948b93db9f7 Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Tue, 11 Feb 2020 22:44:51 -0800 Subject: [PATCH 06/10] Fixing gitdiff --- deploy/panos.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index c199caf4..3806f14f 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh 
@@ -34,7 +34,6 @@ deployer() { type=$1 # Types are keygen, cert, key, commit _debug "**** Deploying $type *****" panos_url="https://$_panos_host/api/" - if [ "$type" = 'keygen' ]; then _H1="Content-Type: application/x-www-form-urlencoded" content="type=keygen&user=$_panos_user&password=$_panos_pass" @@ -47,7 +46,6 @@ deployer() { nl="\015\012" #Set Header export _H1="Content-Type: multipart/form-data; boundary=$delim" - if [ "$type" = 'cert' ]; then content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\ncertificate" From 930e16b64a25e60fbb6998d3f27749a257111939 Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Tue, 11 Feb 2020 22:50:05 -0800 Subject: [PATCH 07/10] fix gitdiff --- deploy/panos.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 3806f14f..eaa19c89 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -19,7 +19,6 @@ parse_response() { if [ "$status" = "success" ]; then panos_key=$(echo "$1" | sed 's/^.*\(\)\(.*\)<\/key>.*/\2/g') _panos_key=$panos_key - message='PAN-OS key is set.' else message="PAN-OS Key could not be set." fi From 1fe3d80838d2aab564ad15aca7c2342b29e04f97 Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Wed, 12 Feb 2020 14:57:31 -0800 Subject: [PATCH 08/10] Updated to use saveconf function and base64encode. --- deploy/panos.sh | 43 +++++++++++++++++++------------------------ 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index eaa19c89..627a59de 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh 
@@ -94,36 +94,31 @@ panos_deploy() { _cdomain="$1" _ckey="$2" _cfullchain="$5" - # PANOS HOST is required to make API calls to the PANOS/Panorama - if [ -z "$PANOS_HOST" ]; then - if [ -z "$_panos_host" ]; then - _err "PANOS_HOST not defined." - return 1 - fi - else - _debug "PANOS HOST is set. Save to domain conf." - _panos_host="$PANOS_HOST" - _savedomainconf _panos_host "$_panos_host" - fi - # Retrieve stored variables - _panos_user="$(_readaccountconf_mutable PANOS_USER)" - _panos_pass="$(_readaccountconf_mutable PANOS_PASS)" - # PANOS Credentials check - if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ]; then - _debug "PANOS_USER, PANOS_PASS is not defined" - if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ]; then - _err "No user and pass found in storage. If this is the first time deploying please set PANOS_USER and PANOS_PASS in environment variables." + + # PANOS ENV VAR check + if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then + _debug "No ENV variables found lets check for saved variables" + _getdeployconf PANOS_USER + _getdeployconf PANOS_PASS + _getdeployconf PANOS_HOST + _panos_user=$PANOS_USER + _panos_pass=$PANOS_PASS + _panos_host=$PANOS_HOST + if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then + _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs." return 1 else - _debug "ok" + _debug "Using saved env variables." fi else - _debug "Saving environment variables" + _debug "Detected ENV variables to be saved to the deploy conf." 
# Encrypt and save user - _saveaccountconf_mutable PANOS_USER "$PANOS_USER" - _saveaccountconf_mutable PANOS_PASS "$PANOS_PASS" + _savedeployconf PANOS_USER "$PANOS_USER" 1 + _savedeployconf PANOS_PASS "$PANOS_PASS" 1 + _savedeployconf PANOS_HOST "$PANOS_HOST" 1 _panos_user="$PANOS_USER" _panos_pass="$PANOS_PASS" + _panos_host="$PANOS_HOST" fi _debug "Let's use username and pass to generate token." if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then @@ -133,7 +128,7 @@ panos_deploy() { _debug "Getting PANOS KEY" deployer keygen if [ -z "$_panos_key" ]; then - _err "Missing host, apikey, user." + _err "Missing apikey." return 1 else deployer cert From c355b25bb1eea5fbf1b5d08185bc52032b60cabd Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Wed, 12 Feb 2020 15:00:23 -0800 Subject: [PATCH 09/10] Fixed line formatting --- deploy/panos.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index 627a59de..a550d877 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -94,7 +94,6 @@ panos_deploy() { _cdomain="$1" _ckey="$2" _cfullchain="$5" - # PANOS ENV VAR check if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then _debug "No ENV variables found lets check for saved variables" From 21450a08c27af39e3788526464c249a41c3db61f Mon Sep 17 00:00:00 2001 From: Paul Nguyen Date: Thu, 13 Feb 2020 18:01:27 -0800 Subject: [PATCH 10/10] Fixed 6 character requirement. --- deploy/panos.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy/panos.sh b/deploy/panos.sh index a550d877..6316784a 100644 --- a/deploy/panos.sh +++ b/deploy/panos.sh @@ -30,6 +30,7 @@ parse_response() { } deployer() { + content="" type=$1 # Types are keygen, cert, key, commit _debug "**** Deploying $type *****" panos_url="https://$_panos_host/api/" 
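Review bot: The comment `# Encrypt and save user` above `_savedeployconf PANOS_USER "$PANOS_USER" 1` overstates what happens: if the third argument does what the commit title says, the value is base64-encoded, which is reversible obfuscation, so the firewall admin's password now rests in the deploy conf in recoverable form. Replace the comment with `# base64-encode (not encrypt) and save; the deploy conf must stay readable only by the acme.sh user` so the next reader does not assume the secret is protected. The guard `[ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]` only fires when all three are missing, so a partial configuration logs "Using saved env variables." and is caught only by the later `||` check the hunk keeps as context; using `||` here would give the descriptive message instead. The error string also misspells `succesfully`.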
@@ -59,7 +60,7 @@ deployer() { content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" - content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n\r\nnone" + content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n\r\n123456" content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" fi #Close multipart
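Review bot: The private-key import now sends the constant `123456` as the `passphrase` field with nothing explaining it, and a reader will assume `$_ckey` is encrypted with that value. As far as this script shows, the key file is uploaded as-is, so the field presumably only satisfies a minimum-length rule on the parameter (the commit title's "6 character requirement") and is never used to decrypt anything; say so beside the line: `# PAN-OS requires a passphrase of at least 6 chars even for an unencrypted key (assumed: $_ckey is not encrypted, confirm); the value is not used to decrypt it`. If a deployment ever supplies an encrypted key the import would fail rather than be unlocked by this constant, which is the safe failure mode and worth stating in the same comment. The `cert` branch above has no passphrase field, so the asymmetry is another reason to document it.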