-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaci-functions.psm1
294 lines (260 loc) · 8.94 KB
/
aci-functions.psm1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
###################################################################################################################
##
## ACI-Functions.psml
##
###################################################################################################################
#
# Part of ACI-PoSH, a set of functions to manipulate Cisco ACI from PowerShell
#
# Origin were once from https://github.com/smitmartijn/public-powershell/blob/master/Cisco/aci-functions.ps1 a GitHub project by Martijn Smit
#
# 2018-12-31 KPI Initial External Release
#
# Declarations
# This is where we save the cookies !
$global:ACIPoSHCookieJar = New-Object System.Net.CookieContainer
$global:ACIPoSHAPIC = ''
$global:ACIPoSHLoggedIn = $False
$global:ACIPoSHLoggingIn = $False
##
## Function to call APIC REST API calls from other scripts
##
Function New-ACI-Api-Call
([string]$method,
[string]$encoding,
[string]$url,
$headers,
[string]$postData)
{
<#
.SYNOPSIS
A module to make a RESTful API call to the Cisco ACI APIC infrastucture
.DESCRIPTION
A module to make a RESTful API call to the Cisco ACI APIC infrastucture
.PARAMETER method
The HTTP method you wish to use, such as GET, POST, DELETE etc. Not all are supported by APIC
.PARAMETER encoding
The encoding method used to communicate with the APIC
.PARAMETER url
The specific URL to connect to
.PARAMETER headers
HTTP headers for the session
.PARAMETER postdata
A blob of data (usually JSON) typically for a POST
.EXAMPLE
To be added
.NOTES
General notes
#>
$return_value = New-Object PsObject -Property @{httpCode =""; httpResponse =""}
Try
{
## Create the request
[System.Net.HttpWebRequest] $request = [System.Net.HttpWebRequest] [System.Net.WebRequest]::Create($url)
#
# Ignore SSL certificate errors
[System.Net.ServicePointManager]::ServerCertificateValidationCallback ={$true}
[System.Net.ServicePointManager]::SecurityProtocol = 3072 # <-- ACI NEEDS THIS
# We want cookies!
$request.CookieContainer = $global:ACIPoSHCookieJar
}
Catch
{
Write-Host "An error occured with the initial connection to the APIC. Exception: $($_.Exception.Message)"
Write-Host "Please try again." -ForegroundColor Red
Break
}
## Add the method (GET, POST, etc.)
$request.Method = $method
## Add an headers to the request
ForEach($key in $headers.keys)
{
$request.Headers.Add($key, $headers[$key])
}
## If we're logged in, add the saved cookies to this request
If ($global:ACIPoSHLoggedIn -eq $True)
{
$request.CookieContainer = $global:ACIPoSHCookieJar
$global:ACIPoSHLoggingIn = $False
}
else
{
## We're not logged in to the APIC, start login first
if($global:ACIPoSHLoggingIn -eq $False)
{
$global:ACIPoSHLoggingIn = $True
Write-Host ""
Write-Host "Not currently logged into APIC. Re-authenticate using the New-ACI-Login commandlet " -ForegroundColor Yellow
Break
}
}
## We are using $encoding for the request as well as the expected response
$request.Accept = $encoding
## Send a custom user agent to ACI
$request.UserAgent = "ACIPoSH Script"
## Create the request body if the verb accepts it (NOTE: utf-8 is assumed here)
if ($method -eq "POST" -or $method -eq "PUT")
{
$bytes = [System.Text.Encoding]::UTF8.GetBytes($postData)
$request.ContentType = $encoding
$request.ContentLength = $bytes.Length
try
{
[System.IO.Stream] $outputStream =
[System.IO.Stream]$request.GetRequestStream()
$outputStream.Write($bytes,0,$bytes.Length)
$outputStream.Close()
}
catch
{
Write-Host "An error occured creating the stream connection. Please try again" -ForegroundColor Red
Break
}
}
## This is where we actually make the call.
try
{
[System.Net.HttpWebResponse] $response = [System.Net.HttpWebResponse] $request.GetResponse()
foreach($cookie in $response.Cookies)
{
## We've found the APIC cookie and can conclude our login business
if($cookie.Name -eq "APIC-cookie")
{
$global:ACIPoSHLoggedIn = $True
$global:ACIPoSHLoggingIn = $False
}
}
$sr = New-Object System.IO.StreamReader($response.GetResponseStream())
$txt = $sr.ReadToEnd()
#Write-Debug "CONTENT-TYPE: " $response.ContentType
#Write-Debug "RAW RESPONSE DATA:" . $txt
## Return the response body to the caller
$return_value.httpResponse = $txt
$return_value.httpCode = [int]$response.StatusCode
return $return_value
}
## This catches errors from the server (404, 500, 501, etc.)
catch [Net.WebException] {
[System.Net.HttpWebResponse] $resp = [System.Net.HttpWebResponse] $_.Exception.Response
#Write-Debug $resp.StatusCode -ForegroundColor Red -BackgroundColor Yellow
#Write-Debug $resp.StatusDescription -ForegroundColor. Red -BackgroundColor Yellow
## Return the error to the caller
## If the APIC returns a 403, the session most likely has been expired. Login again and rerun the API call
if($resp.StatusCode -eq 403)
{
# We do this by resetting the global login variables and simply call the ACI-API-Call function again
$global:ACIPoSHLoggedIn = $False
$global:ACIPoSHLoggingIn = $False
New-ACI-Api-Call $method $encoding $url $headers $postData
}
$return_value.httpResponse = $resp.StatusDescription
$return_value.httpCode = [int]$resp.StatusCode
return $return_value
}
}
## Function to login to ACI and store credentials in cookies (method used by APIC authentication)
Function New-ACI-Login
([string]$Apic,
[String]$Username,
[String]$Password,
[String]$StoreLocation)
{
<#
.SYNOPSIS
A module to authenticate to Cisco ACI APIC infrastucture
.DESCRIPTION
A module to authenticate to Cisco ACI APIC infrastucture
.PARAMETER Apic
The APIC you wish to connect to. Can be a hostname, FQDN or even IP address. HTTPS is always assumed.
.PARAMETER Username
The username to connect to the APIC with. Must be defined in ACI or downstream AAA as a valid user AND have access.
.PARAMETER Password
The password for the username specified.
.PARAMETER StoreLocation
(Optional) A location a hashed password is stored. This can be useful for automation tasks.
.EXAMPLE
New-Aci-Login -Apic MyAPIC -Username MyUsername -Password MyPassword
.NOTES
General notes
#>
##Check if an APIC was specified.
if (!($Apic))
{
# No pipeline APIC specified so check for global varible
If (!($global:ACIPoSHAPIC))
{
#No global APIC defined so prompt
#$Apic = Read-Host -Prompt "No APIC was specified. Please enter either hostname or IP address "
Write-Host "No APIC specified. Trying APIC"
$Apic = "apic"
}
}
## Save the APIC name as a global var for the session
$global:ACIPoSHAPIC = $apic
if (!($UserName))
{
## Assume no username specified so extract from Windows which should be the same credential
$UserName = $env:USERNAME
}
if (!($StoreLocation))
{
## No credentail store location specified so check for password
if (!($Password))
{
## No password specified thus prompt
$Password = Read-Host -Prompt "No password or credential file was specified as an argument. Please enter your password "
## Clear screen just to remove from console view
Clear-Host
}
}
else
{
## Credential Stored file specified, so extract the password. This is not a straightforward operation !
## Import the encrpted password and convert to a Secure String
try
{
$SecPass = (ConvertTo-SecureString (Get-Content $StoreLocation))
}
catch
{
write-host "Password file access failed. It may be missing. Please try again" -ForegroundColor Red
Break
}
## Instansiate a new PS credential object. This is the only way to extract the PT
try
{
$SecCred = New-Object system.management.automation.pscredential -ArgumentList $UserName,$SecPass
}
catch
{
write-host "Extraction of credential failed. Its contents are probably not valid. Please try again" -ForegroundColor Red
Break
}
## Extract the PT password from the credential
try
{
$Password = $SecCred.GetNetworkCredential().Password
}
catch
{
write-host "Extraction of password failed. Please try again" -ForegroundColor Red
Break
}
}
## Set the logging in flag
$global:ACIPoSHLoggingIn = $True
## This is the URL we're going to be logging in to
$loginurl = "https://" + $apic + "/api/aaaLogin.xml"
## Format the XML body for a login
$creds = '<aaaUser name="' + $UserName + '" pwd="' + $Password + '"/>'
## Execute the API Call
$result = New-ACI-Api-Call "POST" "application/xml" $loginUrl "" $creds
if($result.httpResponse.Contains("Unauthorized"))
{
Write-Host "Authentication to APIC failed! Please check your credentials." -ForegroundColor Red
}
else
{
Write-Host "Authenticated!" -ForegroundColor Green
}
}