AAC Access Control Policy Configuration

aac/get_accesscontrol_configuration/README.md

@@ -0,0 +1,44 @@
+# Get the full access control configuration
+
+Will download into a separate directory, a full dump of the AAC advanced access control configuration in yaml files.
+These files can be used to configure the actual Ansible configuraiton.
+
+The role creates a randomly named directory to store all files in; in the access_control_output_dir you define .
+See defaults/main.yml for the default configuration. 
+
+It exports
+- the Access control policies, in the xml format required to upload them.
+- the Access control resources and attachments, in yaml format, ready to re-use in plays.
+
+## Example playbook
+
+- hosts: "all"
+  connection: local
+  gather_facts: yes
+  tasks:
+    - name: Export aac access control configuration in yaml files
+      tags: ["infomap"]
+      import_role:
+        name: aac/get_accesscontrol_configuration
+      vars:
+        access_control_output_dir: "{{ inventory_dir }}"
+
+### Prerequisites
+
+start_config
+
+```
+access_control_output_dir: variable to set to the directory you want the output to be
+```
+
+## Versioning
+1.0.0
+
+## Authors
+
+* **Tom Bosmans** - *Initial work* - [tombosmansibm](https://github.com/tombosmansibm/isam-ansible-roles)
+
+## Acknowledgments
+
+* Ram Sreerangam, for driving the ISAM Ansible automation
+

aac/get_accesscontrol_configuration/defaults/main.yml

@@ -0,0 +1,16 @@
+# Default variables
+access_control_output_dir : "{{ playbook_dir }}/files/{{ inventory_dir | basename }}"
+
+# prepare export directory; become
+access_control_output_become: false
+# set group to this group, null to not do anything
+access_control_output_export_group: null
+# default mode.  Should probably set to something a bit more restrictive than this.
+access_control_output_export_mode: '0755'
+
+
+# webseal domain
+webseal_domain: "Default"
+sec_master_id: "sec_master"
+sec_master_pwd: "Passw0rd"
+

aac/get_accesscontrol_configuration/meta/main.yml

@@ -0,0 +1,19 @@
+galaxy_info:
+  author: IBM
+  description: Role to get access control policies and stuff
+  company: IBM
+
+  license: Apache
+
+  min_ansible_version: 2.5
+
+  galaxy_tags:
+  - v1.0.0
+  - isam
+  - ibm
+  - configure
+  - access_control_policies
+  - aac
+
+dependencies:
+  - start_config

aac/get_accesscontrol_configuration/tasks/main.yml

@@ -0,0 +1,138 @@
+- name: Get all Access Control Policies
+  isam:
+    appliance: "{{ inventory_hostname }}"
+    adminProxyProtocol: "{{ adminProxyProtocol | default(omit) }}"
+    adminProxyHostname: "{{ adminProxyHostname | default(omit) }}"
+    adminProxyPort: "{{ adminProxyPort | default(omit) }}"
+    adminProxyApplianceShortName: "{{ adminProxyApplianceShortName | default(omit) }}"
+    omitAdminProxy: "{{ omitAdminProxy | default(omit) }}"
+    username:  "{{ username }}"
+    password:  "{{ password }}"
+    lmi_port:  "{{ port | default(omit) }}"
+    log:       "{{ log_level | default(omit) }}"
+    force:     "{{ force | default(omit) }}"
+    action: ibmsecurity.isam.aac.access_control.policies.get_all
+    isamapi:
+  register: ret_obj
+
+- name: Set variable get_accesscontrolpolicies for use by rest of playbook
+  set_fact:
+       get_accesscontrolpolicies: "{{ ret_obj.data | default([]) }}"
+       unique_code: "{{ 10000 | random }}"
+
+- name: Make sure destination directory "{{ access_control_output_dir }}/{{ unique_code }}" exists
+  become: "{{ access_control_output_become | default(false) }}"
+  file  :
+     path   : "{{ access_control_output_dir }}/{{ unique_code }}"
+     state  : directory
+     mode   : "{{ access_control_output_export_mode }}"
+     group  : "{{ access_control_output_export_group }}"
+     recurse: true
+
+- name: Create a file with the output "{{ access_control_output_dir }}/{{ unique_code }}/access_control_policies.yaml"
+  copy:
+    content: "{{ get_accesscontrolpolicies | to_nice_yaml }}"
+    dest: "{{ access_control_output_dir }}/{{ unique_code }}/access_control_policies.yaml"
+
+- name: Export all policies to XACML
+  isam:
+    appliance: "{{ inventory_hostname }}"
+    adminProxyProtocol: "{{ adminProxyProtocol | default(omit) }}"
+    adminProxyHostname: "{{ adminProxyHostname | default(omit) }}"
+    adminProxyPort: "{{ adminProxyPort | default(omit) }}"
+    adminProxyApplianceShortName: "{{ adminProxyApplianceShortName | default(omit) }}"
+    omitAdminProxy: "{{ omitAdminProxy | default(omit) }}"
+    username:  "{{ username }}"
+    password:  "{{ password }}"
+    lmi_port:  "{{ port | default(omit) }}"
+    log:       "{{ log_level | default(omit) }}"
+    force:     "{{ force | default(omit) }}"
+    action: ibmsecurity.isam.aac.access_control.policies.export_xacml
+    isamapi:
+           name: "{{ item.name }}"
+           filename: "{{ access_control_output_dir }}/{{ unique_code }}/{{ item.name.split(' ') | join('_') }}.xml"
+  loop: "{{ get_accesscontrolpolicies }}"
+  loop_control:
+      label: "EXPORT : {{ access_control_output_dir }}/{{ unique_code }}/{{ item.name.split(' ') | join('_') }}.xml"
+  when: get_accesscontrolpolicies is defined
+
+- name: Get all Access Control Policy Resources
+  isam:
+    appliance: "{{ inventory_hostname }}"
+    adminProxyProtocol: "{{ adminProxyProtocol | default(omit) }}"
+    adminProxyHostname: "{{ adminProxyHostname | default(omit) }}"
+    adminProxyPort: "{{ adminProxyPort | default(omit) }}"
+    adminProxyApplianceShortName: "{{ adminProxyApplianceShortName | default(omit) }}"
+    omitAdminProxy: "{{ omitAdminProxy | default(omit) }}"
+    username:  "{{ username }}"
+    password:  "{{ password }}"
+    lmi_port:  "{{ port | default(omit) }}"
+    log:       "{{ log_level | default(omit) }}"
+    force:     "{{ force | default(omit) }}"
+    action: ibmsecurity.isam.aac.access_control.policy_attachments.get_all
+    isamapi:
+  register: ret_obj
+
+- name: Set variable get_accesscontrolpolicyresources for use by rest of playbook
+  set_fact:
+       get_accesscontrolpolicyresources: "{{ ret_obj.data | default([]) }}"
+
+- name: Create a file with the output "{{ access_control_output_dir }}/{{ unique_code }}/access_control_policyresources.yaml"
+  copy:
+    content: "{{ get_accesscontrolpolicyresources | to_nice_yaml }}"
+    dest: "{{ access_control_output_dir }}/{{ unique_code }}/access_control_policyresources.yaml"
+
+- name: Authenticate to the Security Access Manager domain "{{ webseal_domain }}"
+  isam:
+    appliance: "{{ inventory_hostname }}"
+    adminProxyProtocol: "{{ adminProxyProtocol | default(omit) }}"
+    adminProxyHostname: "{{ adminProxyHostname | default(omit) }}"
+    adminProxyPort: "{{ adminProxyPort | default(omit) }}"
+    adminProxyApplianceShortName: "{{ adminProxyApplianceShortName | default(omit) }}"
+    omitAdminProxy: "{{ omitAdminProxy | default(omit) }}"
+    username:  "{{ username }}"
+    password:  "{{ password }}"
+    lmi_port:  "{{ port | default(omit) }}"
+    log:       "{{ log_level | default(omit) }}"
+    force:     "{{ force | default(omit) }}"
+    action: ibmsecurity.isam.aac.access_control.policy_attachments.authenticate
+    isamapi:
+           username: "{{ sec_master_id }}"
+           password: "{{ sec_master_pwd }}"
+           domain: "{{ webseal_domain }}"
+  register: ret_obj
+
+- name: Create a file with the output
+  copy:
+    content: "{{ ret_obj.data | default([]) | to_nice_yaml }}"
+    dest: "{{ access_control_output_dir }}/{{ unique_code }}/authenticate.yaml"
+
+- name: Get all Access Control Policy Attachments
+  isam:
+    appliance: "{{ inventory_hostname }}"
+    adminProxyProtocol: "{{ adminProxyProtocol | default(omit) }}"
+    adminProxyHostname: "{{ adminProxyHostname | default(omit) }}"
+    adminProxyPort: "{{ adminProxyPort | default(omit) }}"
+    adminProxyApplianceShortName: "{{ adminProxyApplianceShortName | default(omit) }}"
+    omitAdminProxy: "{{ omitAdminProxy | default(omit) }}"
+    username:  "{{ username }}"
+    password:  "{{ password }}"
+    lmi_port:  "{{ port | default(omit) }}"
+    log:       "{{ log_level | default(omit) }}"
+    force:     "{{ force | default(omit) }}"
+    action: ibmsecurity.isam.aac.access_control.policy_attachments.get_attachments
+    isamapi:
+           server: "{{ item.server }}"
+           resourceUri: "{{ item.resourceUri }}"
+  loop: "{{ get_accesscontrolpolicyresources }}"
+  when: get_accesscontrolpolicyresources is defined and get_accesscontrolpolicyresources != []
+  register: ret_obj_loop
+
+- name: Set variable get_accesscontrolpolicyattachments for use by rest of playbook
+  set_fact:
+       get_accesscontrolpolicyattachments: "{{ ret_obj_loop | default([]) | json_query('results[*].item') }}"
+
+- name: Create a file with the output
+  copy:
+    content: "{{ get_accesscontrolpolicyattachments | to_nice_yaml }}"
+    dest: "{{ access_control_output_dir }}/{{ unique_code }}/access_control_policyattachments.yaml"

aac/set_accesscontrol_policies/README.md

@@ -0,0 +1,47 @@
+# Configure Access Control Policy
+
+This role create Advanced access control policies, based on a policy xml file.
+This xml file cannot contain whitespaces, it must have all xml on 1 single line.
+
+To create such a file, it's best to use the aac/get_acccesscontrol_configuration, that will generate (among others)
+the policy files of a configured system.
+
+## Example playbook
+
+- hosts: "all"
+  connection: local
+  gather_facts: yes
+  tasks:
+    - name: Create AAC Access Control policies
+      tags: ["aac","access-control-policy","resources"]
+      import_role:
+       name: aac/set_accesscontrol_policies
+      vars:
+       accesscontrol_policies: 
+        -  attributesrequired: false
+           description: 'TOTP Policy'
+           dialect: urn:oasis:names:tc:xacml:2.0:policy:schema:os
+           name: totp_policy
+           predefined: false
+           policy_file: "files/mga/access_control_policies/TOTP.xml"
+
+### Prerequisites
+
+start_config
+
+```
+The policy file (policy_file) needs to exist , in the correct xacml format . 
+
+```
+
+## Versioning
+1.0.0
+
+## Authors
+
+* **Tom Bosmans** - *Initial work* - [tombosmansibm](https://github.com/tombosmansibm/isam-ansible-roles)
+
+## Acknowledgments
+
+* Ram Sreerangam, for driving the ISAM Ansible automation
+

aac/set_accesscontrol_policies/defaults/main.yml

@@ -0,0 +1,2 @@
+# Default variables for configuration of authentication policies
+accesscontrol_policies: []

aac/set_accesscontrol_policies/meta/main.yml

@@ -0,0 +1,18 @@
+galaxy_info:
+  author: IBM
+  description: Role to configure authentication policies
+  company: IBM
+
+  license: Apache
+
+  min_ansible_version: 2.5
+
+  galaxy_tags:
+  - v1.0.0
+  - isam
+  - ibm
+  - configure
+  - accesscontrol_policies
+
+dependencies:
+  - start_config

aac/set_accesscontrol_policies/tasks/main.yml

@@ -0,0 +1,30 @@
+# Role to set policy based on policy file
+
+---
+- name: Create Policy based on policy files
+  isam:
+    appliance: "{{ inventory_hostname }}"
+    adminProxyProtocol: "{{ adminProxyProtocol | default(omit) }}"
+    adminProxyHostname: "{{ adminProxyHostname | default(omit) }}"
+    adminProxyPort: "{{ adminProxyPort | default(omit) }}"
+    adminProxyApplianceShortName: "{{ adminProxyApplianceShortName | default(omit) }}"
+    omitAdminProxy: "{{ omitAdminProxy | default(omit) }}"
+    username:  "{{ username }}"
+    password:  "{{ password }}"
+    lmi_port:  "{{ port | default(omit) }}"
+    log:       "{{ log_level | default(omit) }}"
+    force:     "{{ force | default(omit) }}"
+    action: ibmsecurity.isam.aac.access_control.policies.set_file
+    isamapi:
+           name: "{{ item.name }}"
+           attributesrequired: "{{ item.attributesrequired }}"
+           policy_file: "{{ item.policy_file }}"
+           description: "{{ item.description | default(omit) }}"
+           dialect: "{{ item.dialect | default(omit) }}"
+           predefined: "{{ item.predefined | default(omit) }}"
+           new_name: "{{ item.name | default(omit) }}"
+  loop: "{{ accesscontrol_policies }}"
+  loop_control:
+      label: "Configuring {{ item.name }} with policy file {{ item.policy_file | default('skipping - no file defined ...') }}"
+  when: item.policy_file is defined
+  notify: Commit Changes

aac/set_accesscontrol_policyattachment/README.md

@@ -0,0 +1,56 @@
+# Create policy attachments
+
+This role links the policies to resources in ISAM (URI's).
+
+You can use the role aac/get_accesscontrol_configuration to generate yaml -formatted output of existing policy
+attachment configuration , to use here.
+
+## Example playbook
+
+- hosts: "all"
+  connection: local
+  gather_facts: yes
+  tasks:
+    - name       : Attach Access Control Policies to resources
+      tags       : ["attachments","access-control-policy","resources"]
+      import_role:
+        name: aac/set_accesscontrol_policyattachment
+      vars       :
+        accesscontrol_policy_attachments:
+          - cache: -1
+            policies:
+            -   name: totp_policy
+                type: policy
+            policyCombiningAlgorithm: denyOverrides
+            resourceUri: /wps/myportal
+            server: "{{ appliance_name }}-{{ 'wrp1' }}"
+            type: reverse_proxy
+          - cache: -1
+            policies:
+            -   name: totp_policy
+                type: policy
+            policyCombiningAlgorithm: denyOverrides
+            resourceUri: /demo/mobile-demo/diag
+            server: "{{ appliance_name }}-{{ 'wrp1' }}"
+            type: reverse_proxy
+
+
+### Prerequisites
+
+start_config
+
+```
+
+```
+
+## Versioning
+1.0.0
+
+## Authors
+
+* **Tom Bosmans** - *Initial work* - [tombosmansibm](https://github.com/tombosmansibm/isam-ansible-roles)
+
+## Acknowledgments
+
+* Ram Sreerangam, for driving the ISAM Ansible automation
+

aac/set_accesscontrol_policyattachment/defaults/main.yml

@@ -0,0 +1,4 @@
+# Default variables for configuration of authentication policies
+accesscontrol_policies: []
+# Default domain
+aac_access_control_domain: 'Default'