Merge pull request #15 from akamai/develop

0.5.5 code merge into master branch

VERSION

@@ -1 +1 @@
-0.5.1
+0.5.5

bin/_paths.py

@@ -1,4 +1,4 @@
-# Copyright 2021 Akamai Technologies, Inc. All Rights Reserved
+# Copyright 2022 Akamai Technologies, Inc. All Rights Reserved
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

bin/akamai-eaa

@@ -35,7 +35,7 @@ from urllib.parse import parse_qsl
 import os
 
 # cli-eaa
-import _paths
+import _paths # noqa: F401
 from common import cli, config, BaseAPI, EAAItem, __version__
 from eventlog import EventLogAPI
 from cert import CertificateAPI

cli.json

@@ -5,7 +5,7 @@
  "commands": [
  {
  "name": "eaa",
- "version": "0.5.1",
+ "version": "0.5.5",
  "description": "Akamai CLI for Enterprise Application Access (EAA)"
  }
  ]

docs/developers.md

@@ -0,0 +1,25 @@
+# cli-eaa developer notes
+
+## Versioning
+
+When bumping to a new version 3 locations need update:
+
+|File|Instructions|
+|-|-|
+|`/VERSION`|Replace the version number in the text file|
+|`/cli-json`|In the `commands` > `version` key, update the value|
+|`/libeaa/common.py`|Locate the `__version__` variable and update it|
+
+## Visual Studio Code
+
+There are some dependencies between python code sitting in `bin/` and `libeaa/` directories.
+To avoid the Pylance warning, you may use the following settings in your `.vscode/settings.json`
+
+```json
+{
+ "python.analysis.extraPaths": [
+ "bin",
+ "libeaa"
+ ]
+}
+```

docs/examples/clientbasedapp-tunnel.json.j2

@@ -0,0 +1,170 @@
+{
+ "eaa_cli_comment": [
+ "This is an example of JSON template to create an EAA client based application ",
+ "with a single command line using Akamai CLI and EAA package.",
+ "To create the app, use the following command:",
+ "cat clientbasedapp-tunnel.json.j2 | akamai eaa app - create",
+ "",
+ "Replace the relevant configuration settings to match your environment."
+ ],
+
+ {#- Jinja variable to allow create unique app 
+ every time the command is executed -#}
+ {% set random_appsuffix = range(1, 10000) | random %}
+
+ "Services": [
+ {
+ "access_rules": [
+ {
+ "action": 512,
+ "description": null,
+ "name": "Deny for Med/High Risk Device",
+ "position": 1,
+ "rule_type": 1,
+ "settings": [
+ {
+ "custom": false,
+ "operator": "==",
+ "type": "device_risk_tier",
+ "value": "13"
+ }
+ ],
+ "status": 1
+ }
+ ],
+ "service": {
+ "description": null,
+ "name": "Access Control",
+ "service_type": 6,
+ "settings": {},
+ "status": "on"
+ }
+ }
+ ],
+ "advanced_settings": {
+ "acceleration": "true",
+ "allow_cors": "false",
+ "anonymous_server_conn_limit": "50",
+ "anonymous_server_request_limit": "100",
+ "app_auth": "none",
+ "app_auth_domain": null,
+ "app_client_cert_auth": "false",
+ "app_cookie_domain": null,
+ "app_location": null,
+ "app_server_read_timeout": "60",
+ "authenticated_server_conn_limit": "50",
+ "authenticated_server_request_limit": "100",
+ "client_cert_auth": "false",
+ "client_cert_user_param": "",
+ "cookie_domain": "",
+ "cors_header_list": "unbounded",
+ "cors_max_age": "86400",
+ "cors_method_list": "unbounded",
+ "cors_origin_list": "unbounded",
+ "cors_support_credential": "on",
+ "custom_headers": [],
+ "domain_exception_list": "",
+ "edge_authentication_enabled": "false",
+ "edge_cookie_key": "",
+ "external_cookie_domain": null,
+ "force_mfa": "off",
+ "forward_ticket_granting_ticket": "false",
+ "g2o_enabled": "false",
+ "g2o_key": null,
+ "g2o_nonce": null,
+ "health_check_fall": "3",
+ "health_check_http_host_header": null,
+ "health_check_http_url": "/",
+ "health_check_http_version": "1.1",
+ "health_check_interval": "30000",
+ "health_check_rise": "2",
+ "health_check_timeout": "50000",
+ "health_check_type": "5",
+ "hidden_app": "false",
+ "host_key": null,
+ "hsts_age": "15552000",
+ "http_only_cookie": "true",
+ "https_sslv3": "false",
+ "idle_close_time_seconds": "1200",
+ "idle_conn_ceil": "75",
+ "idle_conn_floor": "50",
+ "idle_conn_step": "10",
+ "idp_idle_expiry": null,
+ "idp_max_expiry": null,
+ "ignore_bypass_mfa": "off",
+ "ignore_cname_resolution": "false",
+ "inject_ajax_javascript": "off",
+ "internal_host_port": "0",
+ "internal_hostname": "application-{{ random_appsuffix }}.akamaidemo.net",
+ "ip_access_allow": "false",
+ "is_ssl_verification_enabled": "false",
+ "keepalive_connection_pool": "50",
+ "keepalive_enable": "true",
+ "keepalive_timeout": "3",
+ "kerberos_negotiate_once": "off",
+ "keyed_keepalive_enable": "false",
+ "keytab": "",
+ "load_balancing_metric": "round-robin",
+ "logging_enabled": "true",
+ "login_timeout": "5",
+ "login_url": null,
+ "logout_url": null,
+ "mdc_enable": "false",
+ "mfa": "inherit",
+ "offload_onpremise_traffic": "false",
+ "pass_phrase": null,
+ "preauth_consent": "false",
+ "preauth_enforce_url": "",
+ "private_key": null,
+ "proxy_buffer_size_kb": "4",
+ "proxy_disable_clipboard": "false",
+ "rate_limit": "on",
+ "refresh_sticky_cookie": "on",
+ "request_body_rewrite": "false",
+ "request_parameters": null,
+ "saas_enabled": "false",
+ "sentry_redirect_401": "off",
+ "server_cert_validate": "true",
+ "server_request_burst": "100",
+ "service_principle_name": null,
+ "session_sticky": null,
+ "session_sticky_cookie_maxage": "0",
+ "session_sticky_server_cookie": null,
+ "spdy_enabled": "true",
+ "ssh_audit_enabled": "false",
+ "sso": "true",
+ "sticky_agent": "false",
+ "user_name": null,
+ "wapp_auth": "form",
+ "websocket_enabled": "true",
+ "wildcard_internal_hostname": "false"
+ },
+ "agents": {% include 'includes/akdemo-amer-2maincon.json' %},
+ "app_category": {},
+ "app_logo": "",
+ "app_profile": 9,
+ "app_profile_id": null,
+ "app_type": 4,
+ "auth_agent": null,
+ "auth_enabled": "true",
+ "auth_type": 1,
+ "client_app_mode": 2,
+ "cname": "akdemo-tunapp-{{ random_appsuffix }}.go.akamai-access.com",
+ "description": "Client-based application (tunnel mode)",
+ "directories": {% include 'includes/akdemo-directory.json' %},
+ "domain": 2,
+ "domain_suffix": "go.akamai-access.com",
+ "host": "akdemo-tunapp-{{ random_appsuffix }}",
+ "idp": {% include 'includes/akdemo-idp.json' %},
+ "name": "Client based app demo from CLI {{ random_appsuffix }}",
+ "pop": "{{ cli_cloudzone('Client-US-East') }}",
+ "tunnel_internal_hosts": [
+ {
+ "host": "internal-app-{{ random_appsuffix }}.akamaidemo.net",
+ "port_range": "1-65535",
+ "proto_type": 3
+ }
+ ],
+ "groups": {% include 'includes/akdemo-groups-default.json' %},
+ "urllocation": []
+}

docs/examples/readme.md

@@ -0,0 +1,7 @@
+# cli-eaa examples of EAA configuration
+
+cli-eaa allows import or export EAA application configuration as JSON file.
+It also supports Jinja templating so you can introduce variables, include files, etc... without requiring to create code and learn about EAA API.
+
+These examples should help you to get started.
+In each example, you'll find the instructions at the top of the file.

docs/examples/webapp.json.j2

@@ -0,0 +1,49 @@
+{
+ "eaa_cli_comment": [
+ "This is an example of JSON template to create an EAA web application "
+ "with a single command line using Akamai CLI and EAA package.",
+ "To create the app, use the following command:",
+ "cat webapp.json.j2 | akamai eaa app - create",
+ "",
+ "Replace the relevant configuration settings to match your environment."
+ ],
+
+ {#- Jinja variable to allow create unique app 
+ every time the command is executed -#}
+ {% set random_appsuffix = range(1, 10000) | random %}
+
+ "app_profile": {{ AppProfile.HTTP.value }},
+ "domain" : {{ AppDomainType.Akamai.value }},
+ "name": "EAA CLI Example web Application {{ random_appsuffix }}",
+ "description" : "This is a test, feel free to delete this app",
+ "host" : "webapp-test-{{ random_appsuffix }}",
+ "pop": "{{ cli_cloudzone('US-East') }}",
+ "servers": [
+ {"origin_host": "10.0.2.3", "orig_tls": "false", "origin_port": 443, "origin_protocol": "https"}
+ ],
+ "agents": [
+ {"name": "my-connector-1", "uuid_url": "connector-1-uuid"},
+ {"name": "my-connector-1", "uuid_url": "connector-2-uuid"}
+ ],
+ "idp": {
+ "idp_id": "idp-1-uuid"
+ },
+ "directories": [
+ {
+ "name": "AD Domain AkamaiDemo.net (global)",
+ "uuid_url": "directory-uuid"
+ }
+ ],
+ "groups": [
+ {
+ "name": "Administrators",
+ "enable_mfa": "inherit",
+ "uuid_url": "group-admin-uuid"
+ },
+ {
+ "name": "Support",
+ "enable_mfa": "inherit",
+ "uuid_url": "group-support-uuid"
+ }
+ ]
+}

libeaa/application.py

@@ -16,12 +16,13 @@
 import logging
 import sys
 import json
+import os
 
 # cli-eaa
 from common import cli, BaseAPI, EAAInvalidMoniker, EAAItem, config
 
 # 3rd party
-from jinja2 import Template
+from jinja2 import Environment, FileSystemLoader
 
 
 class ApplicationAPI(BaseAPI):
@@ -67,6 +68,10 @@ class Domain(Enum):
  class ServiceType(Enum):
  ACL = 6
 
+ class ClientMode(Enum):
+ TCP = 1
+ Tunnel = 2
+
  def __init__(self, config):
  super(ApplicationAPI, self).__init__(config, api=BaseAPI.API_Version.OpenAPI)
 
@@ -240,9 +245,10 @@ def certificate_lookup(self, cn):
 
  def parse_template(self, raw_config):
  """
- Parse a template
+ Parse the EAA configuration as JINJA2 template
  """
- t = Template(raw_config)
+ logging.debug("Jinja template loader base directory: %s" % os.getcwd())
+ t = Environment(loader=FileSystemLoader(os.getcwd())).from_string(raw_config)
  t.globals['AppProfile'] = ApplicationAPI.Profile
  t.globals['AppType'] = ApplicationAPI.Type
  t.globals['AppDomainType'] = ApplicationAPI.Domain
@@ -261,7 +267,7 @@ def create(self, raw_app_config):
 
  Note: the portal use the POST to create a new app with a minimal payload:
  {"app_profile":1,"app_type":1,"client_app_mode":1,"app_profile_id":"Fp3RYok1EeSE6AIy9YR0Dw",
- "name":"tes","description":"test"}
+ "name":"test app","description":"This is my test app"}
  We should do the same here
  """
  app_config = json.loads(self.parse_template(raw_app_config))
@@ -272,6 +278,10 @@ def create(self, raw_app_config):
  "name": app_config.get('name'),
  "description": app_config.get('description')
  }
+ # Client based app mode must be set (TCP mode is the default otherwise)
+ if app_config.get('client_app_mode'):
+ app_config_create["client_app_mode"] = \
+ app_config.get('client_app_mode', ApplicationAPI.ClientMode.TCP.value)
  newapp = self.post('mgmt-pop/apps', json=app_config_create)
  logging.info("Create app core: %s %s" % (newapp.status_code, newapp.text))
  if newapp.status_code != 200:
@@ -281,7 +291,7 @@ def create(self, raw_app_config):
  app_moniker = EAAItem("app://{}".format(newapp_config.get('uuid_url')))
  logging.info("UUID of the newapp: %s" % app_moniker)
 
- # Now we push everything else as a PUT
+ # Now we push everything else as a PUT (update)
  self.put('mgmt-pop/apps/{applicationId}'.format(applicationId=app_moniker.uuid), json=app_config)
 
  # Sub-components of the application configuration definition