Baselined from internal Repository

last_commit:a5d85ed0679a4eaf8bdc3c30e683211157d18c09

.env_sample

@@ -0,0 +1,2 @@
+# Meraki Section
+MERAKI_API_KEY = ""

.github/workflows/docker-publish.yml

@@ -0,0 +1,53 @@
+name: Docker Build & Publish
+
+on:
+  push:
+    branches:
+      - main
+      - master
+    tags:
+      - '*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -0,0 +1,14 @@
+# Environment
+venv
+
+# Sensitive File
+.env
+flask_app/config.py
+
+# IDE files
+.idea
+__pycache__
+.DS_Store
+
+# DB File
+flask_app/sqlite.db

CODE_OF_CONDUCT.md

@@ -0,0 +1,45 @@
+# Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as maintainers of this Cisco Sample Code pledge to making participation with our project a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Showing empathy towards other people
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other interactions with this project that are not aligned to this Code of Conduct, or to ban temporarily or permanently any person for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project. Examples of representing a project include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Cisco SE GitHub team at ciscose-github@cisco.com. The team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project or Cisco SE Leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -0,0 +1,11 @@
+# Cisco Sample Code
+
+This project, and the code contained herein, is provided for example and/or demonstration purposes by Cisco for use by our partners and customers in working with Cisco's products and services. While Cisco's customers and partners are free to use this code pursuant to the terms set forth in the [LICENSE][LICENSE], this is not an Open Source project as we are not seeking to build a community around this project and its capabilities.
+
+
+We do desire to provide functional and high-quality examples and demonstrations.  If you should discover some bug, issue, or opportunity for enhancement with the code contained in this project, please do notify us by:
+
+1. **Reviewing Open Issues** to verify that the issue hasn't already been reported.
+2. **Opening a New Issue** to report the bug, issue, or enhancement opportunity.
+
+[LICENSE]: ../LICENSE

Dockerfile

@@ -0,0 +1,9 @@
+FROM python:3.11-alpine
+
+WORKDIR /app
+COPY ./requirements.txt /app
+RUN pip install -r requirements.txt
+COPY ./flask_app .
+
+# Run the initial DB Script to build sqlite.db, then run main app
+CMD ["sh", "-c", "python ./db.py && python ./app.py"]

LICENSE.md

@@ -0,0 +1,81 @@
+CISCO SAMPLE CODE LICENSE
+                                  Version 1.1
+                Copyright (c) 2022 Cisco and/or its affiliates
+
+   These terms govern this Cisco Systems, Inc. ("Cisco"), example or demo
+   source code and its associated documentation (together, the "Sample
+   Code"). By downloading, copying, modifying, compiling, or redistributing
+   the Sample Code, you accept and agree to be bound by the following terms
+   and conditions (the "License"). If you are accepting the License on
+   behalf of an entity, you represent that you have the authority to do so
+   (either you or the entity, "you"). Sample Code is not supported by Cisco
+   TAC and is not tested for quality or performance. This is your only
+   license to the Sample Code and all rights not expressly granted are
+   reserved.
+
+   1. LICENSE GRANT: Subject to the terms and conditions of this License,
+      Cisco hereby grants to you a perpetual, worldwide, non-exclusive, non-
+      transferable, non-sublicensable, royalty-free license to copy and
+      modify the Sample Code in source code form, and compile and
+      redistribute the Sample Code in binary/object code or other executable
+      forms, in whole or in part, solely for use with Cisco products and
+      services. For interpreted languages like Java and Python, the
+      executable form of the software may include source code and
+      compilation is not required.
+
+   2. CONDITIONS: You shall not use the Sample Code independent of, or to
+      replicate or compete with, a Cisco product or service. Cisco products
+      and services are licensed under their own separate terms and you shall
+      not use the Sample Code in any way that violates or is inconsistent
+      with those terms (for more information, please visit:
+      www.cisco.com/go/terms).
+
+   3. OWNERSHIP: Cisco retains sole and exclusive ownership of the Sample
+      Code, including all intellectual property rights therein, except with
+      respect to any third-party material that may be used in or by the
+      Sample Code. Any such third-party material is licensed under its own
+      separate terms (such as an open source license) and all use must be in
+      full accordance with the applicable license. This License does not
+      grant you permission to use any trade names, trademarks, service
+      marks, or product names of Cisco. If you provide any feedback to Cisco
+      regarding the Sample Code, you agree that Cisco, its partners, and its
+      customers shall be free to use and incorporate such feedback into the
+      Sample Code, and Cisco products and services, for any purpose, and
+      without restriction, payment, or additional consideration of any kind.
+      If you initiate or participate in any litigation against Cisco, its
+      partners, or its customers (including cross-claims and counter-claims)
+      alleging that the Sample Code and/or its use infringe any patent,
+      copyright, or other intellectual property right, then all rights
+      granted to you under this License shall terminate immediately without
+      notice.
+
+   4. LIMITATION OF LIABILITY: CISCO SHALL HAVE NO LIABILITY IN CONNECTION
+      WITH OR RELATING TO THIS LICENSE OR USE OF THE SAMPLE CODE, FOR
+      DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO DIRECT, INCIDENTAL,
+      AND CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF USE, DATA, INFORMATION,
+      PROFITS, BUSINESS, OR GOODWILL, HOWEVER CAUSED, EVEN IF ADVISED OF THE
+      POSSIBILITY OF SUCH DAMAGES.
+
+   5. DISCLAIMER OF WARRANTY: SAMPLE CODE IS INTENDED FOR EXAMPLE PURPOSES
+      ONLY AND IS PROVIDED BY CISCO "AS IS" WITH ALL FAULTS AND WITHOUT
+      WARRANTY OR SUPPORT OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY
+      LAW, ALL EXPRESS AND IMPLIED CONDITIONS, REPRESENTATIONS, AND
+      WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR
+      CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-
+      INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, AND ACCURACY,
+      ARE HEREBY EXCLUDED AND EXPRESSLY DISCLAIMED BY CISCO. CISCO DOES NOT
+      WARRANT THAT THE SAMPLE CODE IS SUITABLE FOR PRODUCTION OR COMMERCIAL
+      USE, WILL OPERATE PROPERLY, IS ACCURATE OR COMPLETE, OR IS WITHOUT
+      ERROR OR DEFECT.
+
+   6. GENERAL: This License shall be governed by and interpreted in
+      accordance with the laws of the State of California, excluding its
+      conflict of laws provisions. You agree to comply with all applicable
+      United States export laws, rules, and regulations. If any provision of
+      this License is judged illegal, invalid, or otherwise unenforceable,
+      that provision shall be severed and the rest of the License shall
+      remain in full force and effect. No failure by Cisco to enforce any of
+      its rights related to the Sample Code or to a breach of this License
+      in a particular situation will act as a waiver of such rights. In the
+      event of any inconsistencies with any other terms, this License shall
+      take precedence.

README.md

@@ -0,0 +1,128 @@
+# Meraki MX Security Baseline Templates
+
+This flask app provides the ability to provision Meraki MXs with a set of security configurations ("security templates") regardless of network or **organization**. This app addresses the limitation of native Meraki Templates which only exist within a single organization. 2 types of security templates are supported: 
+* Baseline Templates: Set at the organization Level (applies to all networks within an organization)
+* Exception Templates: Set per network
+
+The supported security configurations are:
+* L3 Outbound Rules ([API](https://developer.cisco.com/meraki/api/update-network-appliance-firewall-l-3-firewall-rules/))
+* L7 Rules ([API](https://developer.cisco.com/meraki/api/update-network-appliance-firewall-l-7-firewall-rules/))
+* Content Filtering Rules (URL, Category) ([API](https://developer.cisco.com/meraki/api/update-network-appliance-content-filtering/))
+
+Templates are combined via `Baseline Template + Exception Template`. The combined order of L3, L7, and Content Rules is determined following this equation (order is maintained within the templates).
+
+When deploying a template to a network, existing security configurations will be **overwritten**.
+
+**Note**:
+* For L3 Outbound Rules, it's expected all required network configuration (local VLANs, static routes, etc.) will be in place when applying rules with a Source IP or CIDR. If the configuration is missing, the same errors encountered on the dashboard will be encountered with the API. Policy Objects/Groups are **not** supported at this time.
+
+## Contacts
+* Trevor Maco
+
+## Solution Components
+* Meraki MX
+
+## Prerequisites
+#### Meraki API Keys
+In order to use the Meraki API, you need to enable the API for your organization first. After enabling API access, you can generate an API key. Follow these instructions to enable API access and generate an API key:
+1. Login to the Meraki dashboard
+2. In the left-hand menu, navigate to `Organization > Settings > Dashboard API access`
+3. Click on `Enable access to the Cisco Meraki Dashboard API`
+4. Go to `My Profile > API access`
+5. Under API access, click on `Generate API key`
+6. Save the API key in a safe place. The API key will only be shown once for security purposes, so it is very important to take note of the key then. In case you lose the key, then you have to revoke the key and a generate a new key. Moreover, there is a limit of only two API keys per profile.
+
+> For more information on how to generate an API key, please click [here](https://developer.cisco.com/meraki/api-v1/#!authorization/authorization). 
+
+> Note: You can add your account as Full Organization Admin to your organizations by following the instructions [here](https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Managing_Dashboard_Administrators_and_Permissions).
+
+#### Docker
+This app provides a `Docker` file for easy deployment. `Docker` is the recommended deployment method. Install `Docker` [here](https://docs.docker.com/get-docker/).
+
+## Installation/Configuration
+1. Clone this repository with `git clone [repository name]`. To find the repository name, click the green `Code` button above the repository files. Then, the dropdown menu will show the https domain name. Click the copy button to the right of the domain name to get the value to replace [repository name] placeholder.
+2. Rename the `.env_sample` file to `.env`. Rename `config_sample.py` to `config.py` (located at: `flask_app/config_sample.py`)
+3. Add Meraki API key to environment variable in `.env`:
+```dotenv
+# Meraki Section
+MERAKI_API_KEY=""
+```
+4. This app provides the ability to control which security configurations to consider when building and synchronizing templates (all supported configurations are tracked by default). To ignore a security configuration, modify the dictionary value to `False` in `config.py`.
+When set to `False`, any existing configuration (in the dashboard) is maintained and any respective configuration included within the template files is ignored.
+```python
+tracked_settings = {
+    "mx_l3_outbound_firewall": True,
+    "mx_l7_firewall": True,
+    "mx_content_rules": True
+}
+```
+5. Set up a Python virtual environment. Make sure Python 3 is installed in your environment, and if not, you may download Python [here](https://www.python.org/downloads/). Once Python 3 is installed in your environment, you can activate the virtual environment with the instructions found [here](https://docs.python.org/3/tutorial/venv.html).
+6. Install the requirements with `pip3 install -r requirements.txt`
+
+## Usage
+To run the program (from the top-level directory), use the following commands to run with python directly:
+```
+$ python3 flask_app/db.py
+$ python3 flask_app/app.py
+```
+or with the docker command:
+```
+$ docker-compose up -d --build
+```
+
+**Note**:
+* `db.py` creates a sqlite database which maintains the template mappings (**it must be run first!**) while `app.py` represents the main flask app.
+* App logs and output are written to stdout console and log files in `flask_app/logs`
+
+Once the app is running, navigate to http://127.0.0.1:5000 to be greeted with the main landing page (overview page):
+
+![landing_page.png](IMAGES/landing_page.png)
+
+To see currently assigned baseline and exception templates, select an organization and search the table.
+
+The remaining pages and workflows are summarized below. The order in which the pages are shown shows a possible workflow when deploying your first security templates.
+
+`Download Templates`:
+
+![download_templates.png](IMAGES/download_templates.png)
+
+* Downloads the security config from an existing MX network to a JSON file (`[network-name].json`) in `flask_app/mx_configs`. Once downloaded, the security config can be used as a baseline or exception template. The template is organized into named sections (ex: `mx_l3_outbound_firewall`) and respective payloads which follow the Meraki API. It's possible to modify/create the JSON files directly, but each section's name and payload must be in the proper format (based on the Meraki API call documentation). See `blank_example.json` for the skeleton format.
+
+`Assign Baseline`:
+
+![assign_baseline.png](IMAGES/assign_baseline.png)
+
+* Assign baseline template to an organization (available options are within `flask_app/mx_configs`)
+
+`Assign Exception`:
+
+![assign_exceptions.png](IMAGES/assign_exceptions.png)
+
+* Assign exception template to a network (available options are within `flask_app/mx_configs`)
+
+`Deploy Tempaltes`
+
+![deploy_templates.png](IMAGES/deploy_templates.png)
+
+* Deploy baseline and exception templates to each selected network. Templates will be combined and deployed to each network, with each security setting deploying individually. If a setting fails to deploy (invalid format, invalid rules, etc.), that particular setting with fail with an error message displayed to the screen but will not impact other security settings.
+
+
+Optional: A cronjob can be created to periodically synchronize the networks and organizations with their assigned templates based on the sqlite database (`periodic_enforcement.py`). Please consult `crontab.txt` for more information.
+
+![/IMAGES/0image.png](/IMAGES/0image.png)
+
+### LICENSE
+
+Provided under Cisco Sample Code License, for details see [LICENSE](LICENSE.md)
+
+### CODE_OF_CONDUCT
+
+Our code of conduct is available [here](CODE_OF_CONDUCT.md)
+
+### CONTRIBUTING
+
+See our contributing guidelines [here](CONTRIBUTING.md)
+
+#### DISCLAIMER:
+<b>Please note:</b> This script is meant for demo purposes only. All tools/ scripts in this repo are released for use "AS IS" without any warranties of any kind, including, but not limited to their installation, use, or performance. Any use of these scripts and tools is at your own risk. There is no guarantee that they have been through thorough testing in a comparable environment and we are not responsible for any damage or data loss incurred with their use.
+You are responsible for reviewing and testing any scripts you run thoroughly before use in any non-testing environment.