cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fixes ssl cipher ordering in bigip_device_httpd. Also fix unit tests (#48475)

Browse source
This commit is contained in:
Tim Rupp 2018-11-10 11:40:18 -08:00 committed by GitHub
parent d508d5820a
commit 0873043e5a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
lib/ansible/modules/network/f5/bigip_device_httpd.py
View file

@ -103,6 +103,7 @@ EXAMPLES = r'''
- name: Set the BIG-IP authentication realm name
bigip_device_httpd:
auth_name: BIG-IP
provider:
password: secret
server: lb.mydomain.com
user: admin
@ -111,6 +112,7 @@ EXAMPLES = r'''
- name: Set the auth pam timeout to 3600 seconds
bigip_device_httpd:
auth_pam_idle_timeout: 1200
provider:
password: secret
server: lb.mydomain.com
user: admin
@ -119,6 +121,7 @@ EXAMPLES = r'''
- name: Set the validate IP settings
bigip_device_httpd:
auth_pam_validate_ip: on
provider:
password: secret
server: lb.mydomain.com
user: admin
@ -126,41 +129,45 @@ EXAMPLES = r'''
- name: Set SSL cipher suite by list
bigip_device_httpd:
password: secret
server: lb.mydomain.com
user: admin
ssl_cipher_suite:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA
- AES256-SHA256
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Set SSL cipher suite by string
bigip_device_httpd:
ssl_cipher_suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA256
provider:
password: secret
server: lb.mydomain.com
user: admin
ssl_cipher_suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA256
delegate_to: localhost
- name: Set SSL protocols by list
bigip_device_httpd:
password: secret
server: lb.mydomain.com
user: admin
ssl_protocols:
- all
- -SSLv2
- -SSLv3
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Set SSL protocols by string
bigip_device_httpd:
ssl_protocols: all -SSLv2 -SSLv3
provider:
password: secret
server: lb.mydomain.com
user: admin
ssl_cipher_suite: all -SSLv2 -SSLv3
delegate_to: localhost
'''
@ -220,6 +227,11 @@ ssl_cipher_suite:
returned: changed
type: string
sample: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA
ssl_cipher_suite_list:
description: List of the new ciphers that the system uses.
returned: changed
type: string
sample: ['ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-SHA']
ssl_protocols:
description: The new list of SSL protocols to accept on the management console.
returned: changed
@ -276,7 +288,7 @@ class Parameters(AnsibleF5Parameters):
'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name',
'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup',
'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port',
'allow', 'ssl_cipher_suite', 'ssl_protocols'
'allow', 'ssl_cipher_suite', 'ssl_protocols', 'ssl_cipher_suite_list',
]
updatables = [
@ -394,11 +406,11 @@ class ModuleParameters(Parameters):
"ssl_cipher_suite may not be set to 'none'"
)
if ciphers == 'default':
ciphers = ':'.join(sorted(Parameters._ciphers.split(':')))
ciphers = ':'.join(Parameters._ciphers.split(':'))
elif isinstance(self._values['ssl_cipher_suite'], string_types):
ciphers = ':'.join(sorted(ciphers.split(':')))
ciphers = ':'.join(ciphers.split(':'))
else:
ciphers = ':'.join(sorted(ciphers))
ciphers = ':'.join(ciphers)
return ciphers
@property
@ -454,12 +466,16 @@ class UsableChanges(Changes):
class ReportableChanges(Changes):
@property
def ssl_cipher_suite(self):
default = ':'.join(sorted(Parameters._ciphers.split(':')))
default = ':'.join(Parameters._ciphers.split(':'))
if self._values['ssl_cipher_suite'] == default:
return 'default'
else:
return self._values['ssl_cipher_suite']
@property
def ssl_cipher_suite_list(self):
return self._values['ssl_cipher_suite'].split(':')
@property
def ssl_protocols(self):
default = ' '.join(sorted(Parameters._protocols.split(' ')))
@ -684,8 +700,9 @@ def main():
supports_check_mode=spec.supports_check_mode,
)
try:
client = F5RestClient(**module.params)
try:
mm = ModuleManager(module=module, client=client)
results = mm.exec_module()
cleanup_tokens(client)

21
test/units/modules/network/f5/test_bigip_device_httpd.py
View file

@ -14,25 +14,30 @@ from nose.plugins.skip import SkipTest
if sys.version_info < (2, 7):
raise SkipTest("F5 Ansible modules require Python >= 2.7")
from units.compat import unittest
from units.compat.mock import Mock
from units.compat.mock import patch
from ansible.module_utils.basic import AnsibleModule
try:
from library.modules.bigip_device_httpd import Parameters
from library.modules.bigip_device_httpd import ModuleManager
from library.modules.bigip_device_httpd import ArgumentSpec
from library.module_utils.network.f5.common import F5ModuleError
from library.module_utils.network.f5.common import iControlUnexpectedHTTPError
from test.unit.modules.utils import set_module_args
# In Ansible 2.8, Ansible changed import paths.
from test.units.compat import unittest
from test.units.compat.mock import Mock
from test.units.compat.mock import patch
from test.units.modules.utils import set_module_args
except ImportError:
try:
from ansible.modules.network.f5.bigip_device_httpd import Parameters
from ansible.modules.network.f5.bigip_device_httpd import ModuleManager
from ansible.modules.network.f5.bigip_device_httpd import ArgumentSpec
from ansible.module_utils.network.f5.common import F5ModuleError
from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError
# Ansible 2.8 imports
from units.compat import unittest
from units.compat.mock import Mock
from units.compat.mock import patch
from units.modules.utils import set_module_args
except ImportError:
raise SkipTest("F5 Ansible modules require the f5-sdk Python library")