Added functionality for Palo Alto Firewall deployments (PANOS)

deploy/panos.sh

@@ -25,15 +25,27 @@ parse_response() {
   else
     status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
     message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
+    if  [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then
+      _debug "**** Saved API key is invalid ****"
+      unset _panos_key
+    fi
   fi
   return 0
 }
 
 deployer() {
   content=""
-  type=$1 # Types are keygen, cert, key, commit
-  _debug "**** Deploying $type *****"
+  type=$1 # Types are testkey, keygen, cert, key, commit
+  _debug "**** Deploying $type ****"
   panos_url="https://$_panos_host/api/"
+
+  #Test API Key by performing an empty commit.
+  if [ "$type" = 'testkey' ]; then
+    _H1="Content-Type: application/x-www-form-urlencoded"
+    content="type=commit&cmd=<commit></commit>&key=$_panos_key"
+  fi
+
+  # Generate API Key
   if [ "$type" = 'keygen' ]; then
     _H1="Content-Type: application/x-www-form-urlencoded"
     content="type=keygen&user=$_panos_user&password=$_panos_pass"
@@ -61,7 +73,7 @@ deployer() {
       content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
       content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
       content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
-      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
+      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
     fi
     #Close multipart
     content="$content${nl}--$delim--${nl}${nl}"
@@ -92,9 +104,18 @@ deployer() {
 
 # This is the main function that will call the other functions to deploy everything.
 panos_deploy() {
-  _cdomain="$1"
+  _cdomain=${1//[*]/WILDCARD_}  #Wildcard Safe filename
   _ckey="$2"
   _cfullchain="$5"
+  # VALID ECC KEY CHECK
+  if [[ "${_ckey: -8}" == "_ecc.key" ]] && [[ ! -f $_ckey ]]; then
+    _debug "The ECC key $_ckey doesn't exist. Attempting to strip _ecc from the filename"
+    _ckey="${_ckey:0:${#_ckey}-8}.key"
+    if [[ ! -f $_ckey ]]; then
+      _err "Still didn't work.  Try issuing the certificate using RSA (non-ECC) encryption."
+     return 1
+    fi
+  fi
   # PANOS ENV VAR check
   if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
     _debug "No ENV variables found lets check for saved variables"
@@ -125,8 +146,22 @@ panos_deploy() {
     _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
     return 1
   else
-    _debug "Getting PANOS KEY"
-    deployer keygen
+    #Check for saved API Key
+    _getdeployconf PANOS_KEY
+    _panos_key=$PANOS_KEY
+    if [ "$_panos_key" ]; then
+      _debug "**** Testing Saved API KEY ****"
+      deployer testkey
+    fi
+
+    # Generate a new API key if needed
+    if [ -z "$_panos_key" ]; then
+      _debug "**** Generating new PANOS API KEY ****"
+      deployer keygen
+      _savedeployconf PANOS_KEY "$_panos_key" 1
+    fi
+
+    # Recheck the key
     if [ -z "$_panos_key" ]; then
       _err "Missing apikey."
       return 1