#!/usr/bin/env python
"""Script to disable 'unsafe' ciphers in SSL Profiles."""
import argparse
import getpass
import requests
import urllib3
from avi.sdk.avi_api import ApiSession
# Disable certificate warnings.
# NOTE(review): these calls only silence urllib3's warnings (the
# InsecureRequestWarning among them); they do not decide whether the TLS
# connection to the Controller is verified at all - that is up to
# avi.sdk's ApiSession, which is not visible here. With the warning gone, an
# unverified connection carrying the admin credentials below is invisible at
# runtime, so confirm how ApiSession handles certificate verification before
# relying on this script against a production Controller.
if hasattr(requests.packages.urllib3, 'disable_warnings'):
    requests.packages.urllib3.disable_warnings()
if hasattr(urllib3, 'disable_warnings'):
    urllib3.disable_warnings()
# Cipher suites this script strips from every matching SSL Profile.
# Readable straight off the suite names: the TLS_ECDHE_* entries are all
# CBC-mode suites, and the TLS_RSA_* entries (the two GCM ones included) use
# static-RSA key exchange, i.e. no forward secrecy. Per the note below the
# set is presumably meant to mirror the Controller's own "unsafe" list, so
# keep it in step with the Controller release in use.
UNSAFE_CIPHERS: set[str] = {
    # TLS_RSA_WITH_3DES_EDE_CBC_SHA is not in the Controller's unsafe list,
    # but probably should be (64-bit block cipher, static-RSA key exchange).
    # Left disabled here so the script matches the Controller's own
    # classification; uncomment to strip it as well.
    # 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA'
}
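if __name__ == '__main__':
    # CLI entry point: connect to the Avi Controller, iterate the SSL
    # Profiles matching --name, and PUT each one back with the suites in
    # UNSAFE_CIPHERS removed from its 'cipher_enums'.
    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument('-c', '--controller',
                        help='FQDN or IP address of Avi Controller')
    parser.add_argument('-u', '--user', help='Avi API Username',
                        default='admin')
    # NOTE(review): a password passed with -p is visible to other local users
    # in the process list and ends up in shell history; omit it and the
    # script prompts for it with getpass instead.
    parser.add_argument('-p', '--password', help='Avi API Password')
    parser.add_argument('-t', '--tenant', help='Tenant',
                        default='admin')
    parser.add_argument('-x', '--apiversion', help='Avi API version')
    parser.add_argument('-n', '--name', help='SSL Profile search filter',
                        default='')
    parser.add_argument('-e', '--exclude', help='Comma-separated list of '
                        'SSL Profiles to exclude',
                        default='')
    args = parser.parse_args()

    # The original guarded everything with `if args:` and printed help
    # otherwise; an argparse Namespace is always truthy, so that branch was
    # unreachable and has been dropped (argparse prints usage itself).
    controller = args.controller
    user = args.user
    password = args.password
    tenant = args.tenant
    api_version = args.apiversion
    name = args.name
    # Exclusions match case-insensitively; whitespace around the commas and
    # empty entries are ignored.
    exclusions = {entry.strip() for entry in args.exclude.lower().split(',')
                  if entry.strip()}

    # Prompt for whatever was not given on the command line.
    while not controller:
        controller = input('Controller:')
    while not password:
        password = getpass.getpass(f'Password for {user}@{controller}:')

    if not api_version:
        # Discover the Controller's version when no API version was given;
        # the throwaway session is closed again even if the lookup fails.
        api = ApiSession.get_session(controller, user, password)
        try:
            api_version = api.remote_api_version['Version']
        finally:
            api.delete_session()
        print(f'Discovered Controller version {api_version}.')

    api = ApiSession.get_session(controller, user, password,
                                 api_version=api_version)
    try:
        ssl_profiles = api.get_objects_iter('sslprofile', tenant=tenant,
                                            params={'isearch':
                                                    f'(name,{name})'})
        for ssl_profile in ssl_profiles:
            profile_name = ssl_profile['name']
            print(f'Processing SSL Profile {profile_name}...', end='')
            if profile_name.lower() in exclusions:
                print('Skipping')
                continue
            ciphers = set(ssl_profile.get('cipher_enums', []))
            ciphers_removed = ciphers & UNSAFE_CIPHERS
            if not ciphers_removed:
                print('No unsafe ciphers')
                continue
            remaining = ciphers - UNSAFE_CIPHERS
            if not remaining:
                # Every configured suite is on the unsafe list. Pushing an
                # empty cipher list would leave the profile with nothing to
                # negotiate, so report it and leave the profile untouched
                # rather than break it.
                print('')
                print('All configured ciphers are unsafe: '
                      f'{", ".join(sorted(ciphers_removed))}')
                print('Not updating - fix this profile by hand.')
                print()
                continue
            print('')
            print('Removing the following ciphers:')
            # sorted() keeps the report stable from run to run (set order
            # is not).
            print(', '.join(sorted(ciphers_removed)), end='...')
            ssl_profile['cipher_enums'] = list(remaining)
            # Whole object is PUT back; any concurrent edit to the same
            # profile between the GET and this PUT would be overwritten.
            resp = api.put(f'sslprofile/{ssl_profile["uuid"]}', ssl_profile,
                           tenant=tenant)
            if resp.status_code == 200:
                print('OK!')
            else:
                print(f'Got error {resp.status_code}')
            print()
    finally:
        # Close the Controller session even if processing raised part-way.
        api.delete_session()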