Fixes ssl cipher ordering in bigip_device_httpd. Also fix unit tests (#48475)
This commit is contained in:
Tim Rupp
GitHub
parent
d508d5820a
commit
0873043e5a
2 changed files with 58 additions and 36 deletions
|
|
@ -103,64 +103,71 @@ EXAMPLES = r'''
|
|||
- name: Set the BIG-IP authentication realm name
|
||||
bigip_device_httpd:
|
||||
auth_name: BIG-IP
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set the auth pam timeout to 3600 seconds
|
||||
bigip_device_httpd:
|
||||
auth_pam_idle_timeout: 1200
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set the validate IP settings
|
||||
bigip_device_httpd:
|
||||
auth_pam_validate_ip: on
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set SSL cipher suite by list
|
||||
bigip_device_httpd:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
ssl_cipher_suite:
|
||||
- ECDHE-RSA-AES128-GCM-SHA256
|
||||
- ECDHE-RSA-AES256-GCM-SHA384
|
||||
- ECDHE-RSA-AES128-SHA
|
||||
- AES256-SHA256
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set SSL cipher suite by string
|
||||
bigip_device_httpd:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
ssl_cipher_suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA256
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set SSL protocols by list
|
||||
bigip_device_httpd:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
ssl_protocols:
|
||||
- all
|
||||
- -SSLv2
|
||||
- -SSLv3
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set SSL protocols by string
|
||||
bigip_device_httpd:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
ssl_cipher_suite: all -SSLv2 -SSLv3
|
||||
ssl_protocols: all -SSLv2 -SSLv3
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
'''
|
||||
|
||||
|
|
@ -220,6 +227,11 @@ ssl_cipher_suite:
|
|||
returned: changed
|
||||
type: string
|
||||
sample: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA
|
||||
ssl_cipher_suite_list:
|
||||
description: List of the new ciphers that the system uses.
|
||||
returned: changed
|
||||
type: string
|
||||
sample: ['ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-SHA']
|
||||
ssl_protocols:
|
||||
description: The new list of SSL protocols to accept on the management console.
|
||||
returned: changed
|
||||
|
|
@ -276,7 +288,7 @@ class Parameters(AnsibleF5Parameters):
|
|||
'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name',
|
||||
'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup',
|
||||
'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port',
|
||||
'allow', 'ssl_cipher_suite', 'ssl_protocols'
|
||||
'allow', 'ssl_cipher_suite', 'ssl_protocols', 'ssl_cipher_suite_list',
|
||||
]
|
||||
|
||||
updatables = [
|
||||
|
|
@ -394,11 +406,11 @@ class ModuleParameters(Parameters):
|
|||
"ssl_cipher_suite may not be set to 'none'"
|
||||
)
|
||||
if ciphers == 'default':
|
||||
ciphers = ':'.join(sorted(Parameters._ciphers.split(':')))
|
||||
ciphers = ':'.join(Parameters._ciphers.split(':'))
|
||||
elif isinstance(self._values['ssl_cipher_suite'], string_types):
|
||||
ciphers = ':'.join(sorted(ciphers.split(':')))
|
||||
ciphers = ':'.join(ciphers.split(':'))
|
||||
else:
|
||||
ciphers = ':'.join(sorted(ciphers))
|
||||
ciphers = ':'.join(ciphers)
|
||||
return ciphers
|
||||
|
||||
@property
|
||||
|
|
@ -454,12 +466,16 @@ class UsableChanges(Changes):
|
|||
class ReportableChanges(Changes):
|
||||
@property
|
||||
def ssl_cipher_suite(self):
|
||||
default = ':'.join(sorted(Parameters._ciphers.split(':')))
|
||||
default = ':'.join(Parameters._ciphers.split(':'))
|
||||
if self._values['ssl_cipher_suite'] == default:
|
||||
return 'default'
|
||||
else:
|
||||
return self._values['ssl_cipher_suite']
|
||||
|
||||
@property
|
||||
def ssl_cipher_suite_list(self):
|
||||
return self._values['ssl_cipher_suite'].split(':')
|
||||
|
||||
@property
|
||||
def ssl_protocols(self):
|
||||
default = ' '.join(sorted(Parameters._protocols.split(' ')))
|
||||
|
|
@ -684,8 +700,9 @@ def main():
|
|||
supports_check_mode=spec.supports_check_mode,
|
||||
)
|
||||
|
||||
client = F5RestClient(**module.params)
|
||||
|
||||
try:
|
||||
client = F5RestClient(**module.params)
|
||||
mm = ModuleManager(module=module, client=client)
|
||||
results = mm.exec_module()
|
||||
cleanup_tokens(client)
|
||||
|
|
|
|||
|
|
@ -14,25 +14,30 @@ from nose.plugins.skip import SkipTest
|
|||
if sys.version_info < (2, 7):
|
||||
raise SkipTest("F5 Ansible modules require Python >= 2.7")
|
||||
|
||||
from units.compat import unittest
|
||||
from units.compat.mock import Mock
|
||||
from units.compat.mock import patch
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
||||
try:
|
||||
from library.modules.bigip_device_httpd import Parameters
|
||||
from library.modules.bigip_device_httpd import ModuleManager
|
||||
from library.modules.bigip_device_httpd import ArgumentSpec
|
||||
from library.module_utils.network.f5.common import F5ModuleError
|
||||
from library.module_utils.network.f5.common import iControlUnexpectedHTTPError
|
||||
from test.unit.modules.utils import set_module_args
|
||||
|
||||
# In Ansible 2.8, Ansible changed import paths.
|
||||
from test.units.compat import unittest
|
||||
from test.units.compat.mock import Mock
|
||||
from test.units.compat.mock import patch
|
||||
|
||||
from test.units.modules.utils import set_module_args
|
||||
except ImportError:
|
||||
try:
|
||||
from ansible.modules.network.f5.bigip_device_httpd import Parameters
|
||||
from ansible.modules.network.f5.bigip_device_httpd import ModuleManager
|
||||
from ansible.modules.network.f5.bigip_device_httpd import ArgumentSpec
|
||||
from ansible.module_utils.network.f5.common import F5ModuleError
|
||||
from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError
|
||||
|
||||
# Ansible 2.8 imports
|
||||
from units.compat import unittest
|
||||
from units.compat.mock import Mock
|
||||
from units.compat.mock import patch
|
||||
|
||||
from units.modules.utils import set_module_args
|
||||
except ImportError:
|
||||
raise SkipTest("F5 Ansible modules require the f5-sdk Python library")
|
||||
|
|
|
|||
Loading…
Reference in a new issue