Check Point Ansible Proxy Integration

Author: chkp-ameera

README.md

@@ -153,3 +153,40 @@ See [COPYING](https://www.gnu.org/licenses/gpl-3.0.txt) to see the full text.
 ## Supported Python versions
 
 - Modules and plugins require Python 2.7 or newer
+
+
+# Check Point Ansible Proxy Integration
+
+## Overview
+
+This feature integrating the Proxy API for Check Point Security Gateways through the Management Server. The Proxy API enables the Management Server to forward API requests to designated gateways, eliminating the need to address each gateway individually.
+
+
+ ![image](https://github.com/nilsujma-dev/Check-Point-Ansible-Proxy-Integration/assets/114651180/0a9dc69f-2a64-4511-bb95-01e28f0049af)
+
+
+
+## Integration Process
+
+### Step 1: Options Selected
+
+1. **Source Code:** 
+
+The revised code introduces a significant enhancement – the 'target gateway' option. This addition allows the specification of a designated gateway to receive API requests, leveraging the Management Server's Proxy API feature. This modification expands the module's capabilities, aligning with advanced network management requirements and enabling more precise API interactions.
+
+## How to Use
+
+1. Edit the `hosts` so that it will contain a new section similar to this one:
+```
+[check_point_mgmt]
+mgmt_proxy enabled=True
+```
+2. in the playbook add this var under each task:
+```
+vars:
+    ansible_checkpoint_target: <target_gatway>
+```
+3. in `hosts` change ansible_user and ansible_password to management credintials
+3. Follow the standard Ansible playbook execution process with the enhanced Check Point Ansible Collection.
+
+

plugins/httpapi/checkpoint.py

@@ -13,14 +13,32 @@
 description:
   - This HttpApi plugin provides methods to connect to Checkpoint
     devices over a HTTP(S)-based api.
-version_added: "1.0.0"
+version_added: "2.8.0"
 options:
+  cptarget:
+    type: str
+    description:
+      - target gateway
+    vars:
+      - name: ansible_checkpoint_target
   domain:
     type: str
     description:
       - Specifies the domain of the Check Point device
     vars:
       - name: ansible_checkpoint_domain
+  api_key:
+    type: str
+    description:
+      - Login with api-key instead of user & password
+    vars:
+      - name: ansible_api_key
+  cloud_mgmt_id:
+    type: str
+    description:
+      - The Cloud Management ID
+    vars:
+      - name: ansible_cloud_mgmt_id
 """
 
 import json
@@ -30,6 +48,8 @@
 from ansible.module_utils.six.moves.urllib.error import HTTPError
 from ansible.plugins.httpapi import HttpApiBase
 from ansible.module_utils.connection import ConnectionError
+from ansible.parsing.dataloader import DataLoader
+from ansible.inventory.manager import InventoryManager
 
 BASE_HEADERS = {
     'Content-Type': 'application/json',
@@ -38,29 +58,72 @@
 
 
 class HttpApi(HttpApiBase):
+    def __init__(self, connection):
+        super(HttpApi, self).__init__(connection)
+        self.connection = connection
+        self.mgmt_proxy_enabled = False
+        
+        loader = DataLoader()
+        # Initialize InventoryManager
+        inventory = InventoryManager(loader=loader, sources=['/etc/ansible/hosts'])
+        # Get host
+        host = inventory.get_host('mgmt_proxy')
+        # Get variable
+        try:
+            proxy_enabled = host.vars['enabled']
+            if proxy_enabled == True:
+                self.mgmt_proxy_enabled = True
+        except Exception as e:
+            pass
+
+
     def login(self, username, password):
-        if username and password:
-            payload = {'user': username, 'password': password}
-            url = '/gaia_api/login'
-            response, response_data = self.send_request(url, payload)
+        payload = {}
+        url = '/gaia_api/login'
+        cp_domain = self.get_option('domain')
+        cp_api_key = self.get_option('api_key')
+        if cp_domain:
+            payload['domain'] = cp_domain
+        if username and password and not cp_api_key:
+            payload['user'] = username
+            payload['password'] = password
+        elif cp_api_key and not username and not password:
+            payload['api-key'] = cp_api_key
         else:
-            raise AnsibleConnectionFailure('Username and password are required for login')
+            raise AnsibleConnectionFailure('[Username and password] or api_key are required for login')
+        if self.mgmt_proxy_enabled == True:
+            url = '/web_api/login'
+        response, response_data = self.send_request(url, payload)
 
         try:
             self.connection._auth = {'X-chkp-sid': response_data['sid']}
         except KeyError:
             raise ConnectionError(
-                'Server returned response without token info during connection authentication: %s' % response)
+                'Server returned response without token info during connection authentication: %s' % response_data)
+        # Case of read-only
+        if 'uid' in response_data.keys():
+            self.connection._session_uid = response_data['uid']
 
     def logout(self):
         url = '/gaia_api/logout'
-
+        if self.mgmt_proxy_enabled == True:
+            url = '/web_api/logout'
         response, dummy = self.send_request(url, None)
 
     def get_session_uid(self):
         return self.connection._session_uid
 
     def send_request(self, path, body_params):
+        cp_cloud_mgmt_id = self.get_option('cloud_mgmt_id')
+        if cp_cloud_mgmt_id:
+            path = '/' + cp_cloud_mgmt_id + path
+        # we only replace gaia_ip/ with web_api/gaia-api/ if target is set and path contails for gaia_ip/
+        cp_api_target = self.get_option('cptarget')
+        if 'gaia_api/' in path: # Avoid login/logut requests in case of web_api
+            if self.mgmt_proxy_enabled == True:
+                if cp_api_target != None:
+                    body_params['target'] = cp_api_target
+                path = path.replace("gaia_api/", "web_api/gaia-api/")
         data = json.dumps(body_params) if body_params else '{}'
 
         try: