From 22059cbe67682eb67823310dff2add373c340a82 Mon Sep 17 00:00:00 2001 From: Tim Rupp Date: Thu, 14 Dec 2017 14:16:28 -0800 Subject: [PATCH] Adds bigip_device_httpd module (#33924) this module can be used to adjust the details of the server that hosts the BIG-IP web ui. --- .../modules/network/f5/bigip_device_httpd.py | 477 ++++++++++++++++++ .../network/f5/fixtures/load_sys_httpd.json | 36 ++ .../network/f5/test_bigip_device_httpd.py | 122 +++++ 3 files changed, 635 insertions(+) create mode 100644 lib/ansible/modules/network/f5/bigip_device_httpd.py create mode 100644 test/units/modules/network/f5/fixtures/load_sys_httpd.json create mode 100644 test/units/modules/network/f5/test_bigip_device_httpd.py diff --git a/lib/ansible/modules/network/f5/bigip_device_httpd.py b/lib/ansible/modules/network/f5/bigip_device_httpd.py new file mode 100644 index 00000000000..864182dda3b --- /dev/null +++ b/lib/ansible/modules/network/f5/bigip_device_httpd.py @@ -0,0 +1,477 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2017, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = r''' +--- +module: bigip_device_httpd +short_description: Manage HTTPD related settings on BIG-IP +description: + - Manages HTTPD related settings on the BIG-IP. These settings are interesting + to change when you want to set GUI timeouts and other TMUI related settings. +version_added: "2.5" +options: + auth_name: + description: + - Sets the BIG-IP authentication realm name + auth_pam_idle_timeout: + description: + - Sets the GUI timeout for automatic logout, in seconds. + auth_pam_validate_ip: + description: + - Sets the authPamValidateIp setting. + choices: ['on', 'off'] + auth_pam_dashboard_timeout: + description: + - Sets whether or not the BIG-IP dashboard will timeout. + choices: ['on', 'off'] + fast_cgi_timeout: + description: + - Sets the timeout of FastCGI. + hostname_lookup: + description: + - Sets whether or not to display the hostname, if possible. + choices: ['on', 'off'] + log_level: + description: + - Sets the minimum httpd log level. + choices: ['alert', 'crit', 'debug', 'emerg', 'error', 'info', 'notice', 'warn'] + max_clients: + description: + - Sets the maximum number of clients that can connect to the GUI at once. + redirect_http_to_https: + description: + - Whether or not to redirect http requests to the GUI to https. + choices: ['yes', 'no'] + ssl_port: + description: + - The HTTPS port to listen on. +notes: + - Requires the f5-sdk Python package on the host. This is as easy as pip + install f5-sdk. + - Requires the requests Python package on the host. This is as easy as + pip install requests. +requirements: + - f5-sdk >= 3.0.4 + - requests +extends_documentation_fragment: f5 +author: + - Joe Reifel (@JoeReifel) + - Tim Rupp (@caphrim007) +''' + +EXAMPLES = r''' +- name: Set the BIG-IP authentication realm name + bigip_device_httpd: + auth_name: BIG-IP + password: secret + server: lb.mydomain.com + user: admin + delegate_to: localhost + +- name: Set the auth pam timeout to 3600 seconds + bigip_device_httpd: + auth_pam_idle_timeout: 1200 + password: secret + server: lb.mydomain.com + user: admin + delegate_to: localhost + +- name: Set the validate IP settings + bigip_device_httpd: + auth_pam_validate_ip: on + password: secret + server: lb.mydomain.com + user: admin + delegate_to: localhost +''' + +RETURN = r''' +auth_pam_idle_timeout: + description: The new number of seconds for GUI timeout. + returned: changed + type: string + sample: 1200 +''' + +import time + +from ansible.module_utils.f5_utils import AnsibleF5Client +from ansible.module_utils.f5_utils import AnsibleF5Parameters +from ansible.module_utils.f5_utils import HAS_F5SDK +from ansible.module_utils.f5_utils import F5ModuleError +from ansible.module_utils.six import iteritems +from collections import defaultdict + +try: + from ansible.module_utils.f5_utils import iControlUnexpectedHTTPError +except ImportError: + HAS_F5SDK = False + +try: + from requests.exceptions import ConnectionError + HAS_REQUESTS = True +except ImportError: + HAS_REQUESTS = False + + +class Parameters(AnsibleF5Parameters): + api_map = { + 'authPamIdleTimeout': 'auth_pam_idle_timeout', + 'authPamValidateIp': 'auth_pam_validate_ip', + 'authName': 'auth_name', + 'authPamDashboardTimeout': 'auth_pam_dashboard_timeout', + 'fastcgiTimeout': 'fast_cgi_timeout', + 'hostnameLookup': 'hostname_lookup', + 'logLevel': 'log_level', + 'maxClients': 'max_clients', + 'redirectHttpToHttps': 'redirect_http_to_https', + 'sslPort': 'ssl_port' + } + + api_attributes = [ + 'authPamIdleTimeout', 'authPamValidateIp', 'authName', 'authPamDashboardTimeout', + 'fastcgiTimeout', 'hostnameLookup', 'logLevel', 'maxClients', 'sslPort', + 'redirectHttpToHttps' + ] + + returnables = [ + 'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name', + 'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup', + 'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port' + ] + + updatables = [ + 'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name', + 'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup', + 'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port' + ] + + def __init__(self, params=None): + self._values = defaultdict(lambda: None) + self._values['__warnings'] = [] + if params: + self.update(params=params) + + def update(self, params=None): + if params: + for k, v in iteritems(params): + if self.api_map is not None and k in self.api_map: + map_key = self.api_map[k] + else: + map_key = k + + # Handle weird API parameters like `dns.proxy.__iter__` by + # using a map provided by the module developer + class_attr = getattr(type(self), map_key, None) + if isinstance(class_attr, property): + # There is a mapped value for the api_map key + if class_attr.fset is None: + # If the mapped value does not have + # an associated setter + self._values[map_key] = v + else: + # The mapped value has a setter + setattr(self, map_key, v) + else: + # If the mapped value is not a @property + self._values[map_key] = v + + def api_params(self): + result = {} + for api_attribute in self.api_attributes: + if self.api_map is not None and api_attribute in self.api_map: + result[api_attribute] = getattr(self, self.api_map[api_attribute]) + else: + result[api_attribute] = getattr(self, api_attribute) + result = self._filter_params(result) + return result + + @property + def auth_pam_idle_timeout(self): + if self._values['auth_pam_idle_timeout'] is None: + return None + return int(self._values['auth_pam_idle_timeout']) + + @property + def fast_cgi_timeout(self): + if self._values['fast_cgi_timeout'] is None: + return None + return int(self._values['fast_cgi_timeout']) + + @property + def max_clients(self): + if self._values['max_clients'] is None: + return None + return int(self._values['max_clients']) + + @property + def ssl_port(self): + if self._values['ssl_port'] is None: + return None + return int(self._values['ssl_port']) + + +class ModuleParameters(Parameters): + @property + def auth_pam_validate_ip(self): + if self._values['auth_pam_validate_ip'] is None: + return None + if self._values['auth_pam_validate_ip']: + return "on" + return "off" + + @property + def auth_pam_dashboard_timeout(self): + if self._values['auth_pam_dashboard_timeout'] is None: + return None + if self._values['auth_pam_dashboard_timeout']: + return "on" + return "off" + + @property + def hostname_lookup(self): + if self._values['hostname_lookup'] is None: + return None + if self._values['hostname_lookup']: + return "on" + return "off" + + @property + def redirect_http_to_https(self): + if self._values['redirect_http_to_https'] is None: + return None + if self._values['redirect_http_to_https']: + return "enabled" + return "disabled" + + +class ApiParameters(Parameters): + pass + + +class Changes(Parameters): + def to_return(self): + result = {} + try: + for returnable in self.returnables: + result[returnable] = getattr(self, returnable) + result = self._filter_params(result) + except Exception: + pass + return result + + +class UsableChanges(Changes): + pass + + +class ReportableChanges(Changes): + pass + + +class Difference(object): + def __init__(self, want, have=None): + self.want = want + self.have = have + + def compare(self, param): + try: + result = getattr(self, param) + return result + except AttributeError: + return self.__default(param) + + def __default(self, param): + attr1 = getattr(self.want, param) + try: + attr2 = getattr(self.have, param) + if attr1 != attr2: + return attr1 + except AttributeError: + return attr1 + + +class ModuleManager(object): + def __init__(self, client): + self.client = client + self.want = ModuleParameters(params=self.client.module.params) + self.have = ApiParameters() + self.changes = UsableChanges() + + def _set_changed_options(self): + changed = {} + for key in Parameters.returnables: + if getattr(self.want, key) is not None: + changed[key] = getattr(self.want, key) + if changed: + self.changes = Changes(changed) + + def _update_changed_options(self): + diff = Difference(self.want, self.have) + updatables = Parameters.updatables + changed = dict() + for k in updatables: + change = diff.compare(k) + if change is None: + continue + else: + if isinstance(change, dict): + changed.update(change) + else: + changed[k] = change + if changed: + self.changes = UsableChanges(changed) + return True + return False + + def should_update(self): + result = self._update_changed_options() + if result: + return True + return False + + def exec_module(self): + result = dict() + + try: + changed = self.present() + except iControlUnexpectedHTTPError as e: + raise F5ModuleError(str(e)) + + reportable = ReportableChanges(self.changes.to_return()) + changes = reportable.to_return() + result.update(**changes) + result.update(dict(changed=changed)) + self._announce_deprecations(result) + return result + + def _announce_deprecations(self, result): + warnings = result.pop('__warnings', []) + for warning in warnings: + self.client.module.deprecate( + msg=warning['msg'], + version=warning['version'] + ) + + def present(self): + return self.update() + + def update(self): + self.have = self.read_current_from_device() + if not self.should_update(): + return False + if self.client.check_mode: + return True + self.update_on_device() + return True + + def update_on_device(self): + params = self.changes.api_params() + resource = self.client.api.tm.sys.httpd.load() + + try: + resource.modify(**params) + return True + except ConnectionError as ex: + pass + + # BIG-IP will kill your management connection when you change the HTTP + # redirect setting. So this catches that and handles it gracefully. + if 'Connection aborted' in str(ex) and 'redirectHttpToHttps' in params: + # Wait for BIG-IP web server to settle after changing this + time.sleep(2) + return True + raise F5ModuleError(str(ex)) + + def read_current_from_device(self): + resource = self.client.api.tm.sys.httpd.load() + return ApiParameters(params=resource.attrs) + + +class ArgumentSpec(object): + def __init__(self): + self.supports_check_mode = True + self.argument_spec = dict( + auth_name=dict(), + auth_pam_idle_timeout=dict( + type='int' + ), + fast_cgi_timeout=dict( + type='int' + ), + max_clients=dict( + type='int' + ), + ssl_port=dict( + type='int' + ), + auth_pam_validate_ip=dict( + type='bool' + ), + auth_pam_dashboard_timeout=dict( + type='bool' + ), + hostname_lookup=dict( + type='bool' + ), + log_level=dict( + choices=[ + 'alert', 'crit', 'debug', 'emerg', + 'error', 'info', 'notice', 'warn' + ] + ), + redirect_http_to_https=dict( + type='bool' + ) + ) + self.f5_product_name = 'bigip' + + +def cleanup_tokens(client): + try: + resource = client.api.shared.authz.tokens_s.token.load( + name=client.api.icrs.token + ) + resource.delete() + except Exception: + pass + + +def main(): + if not HAS_F5SDK: + raise F5ModuleError("The python f5-sdk module is required") + + if not HAS_REQUESTS: + raise F5ModuleError("The python requests module is required") + + spec = ArgumentSpec() + + client = AnsibleF5Client( + argument_spec=spec.argument_spec, + supports_check_mode=spec.supports_check_mode, + f5_product_name=spec.f5_product_name + ) + + try: + mm = ModuleManager(client) + results = mm.exec_module() + cleanup_tokens(client) + client.module.exit_json(**results) + except F5ModuleError as e: + cleanup_tokens(client) + client.module.fail_json(msg=str(e)) + + +if __name__ == '__main__': + main() diff --git a/test/units/modules/network/f5/fixtures/load_sys_httpd.json b/test/units/modules/network/f5/fixtures/load_sys_httpd.json new file mode 100644 index 00000000000..38d761681b5 --- /dev/null +++ b/test/units/modules/network/f5/fixtures/load_sys_httpd.json @@ -0,0 +1,36 @@ +{ + "kind": "tm:sys:httpd:httpdstate", + "selfLink": "https://localhost/mgmt/tm/sys/httpd?ver=12.1.2", + "allow": [ + "All" + ], + "authName": "BIG-IP", + "authPamDashboardTimeout": "off", + "authPamIdleTimeout": 1200, + "authPamValidateIp": "on", + "fastcgiTimeout": 300, + "fipsCipherVersion": 0, + "hostnameLookup": "off", + "logLevel": "warn", + "maxClients": 10, + "redirectHttpToHttps": "disabled", + "requestBodyMaxTimeout": 0, + "requestBodyMinRate": 500, + "requestBodyTimeout": 60, + "requestHeaderMaxTimeout": 40, + "requestHeaderMinRate": 500, + "requestHeaderTimeout": 20, + "sslCertfile": "/etc/httpd/conf/ssl.crt/server.crt", + "sslCertkeyfile": "/etc/httpd/conf/ssl.key/server.key", + "sslCiphersuite": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA", + "sslOcspDefaultResponder": "http://127.0.0.1", + "sslOcspEnable": "off", + "sslOcspOverrideResponder": "off", + "sslOcspResponderTimeout": 300, + "sslOcspResponseMaxAge": -1, + "sslOcspResponseTimeSkew": 300, + "sslPort": 443, + "sslProtocol": "all -SSLv2 -SSLv3", + "sslVerifyClient": "no", + "sslVerifyDepth": 10 +} diff --git a/test/units/modules/network/f5/test_bigip_device_httpd.py b/test/units/modules/network/f5/test_bigip_device_httpd.py new file mode 100644 index 00000000000..ecf55109a75 --- /dev/null +++ b/test/units/modules/network/f5/test_bigip_device_httpd.py @@ -0,0 +1,122 @@ +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2017, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import json +import sys + +from nose.plugins.skip import SkipTest +if sys.version_info < (2, 7): + raise SkipTest("F5 Ansible modules require Python >= 2.7") + +from ansible.compat.tests import unittest +from ansible.compat.tests.mock import Mock +from ansible.compat.tests.mock import patch +from ansible.module_utils.f5_utils import AnsibleF5Client + +try: + from library.bigip_device_httpd import Parameters + from library.bigip_device_httpd import ModuleManager + from library.bigip_device_httpd import ArgumentSpec + from ansible.module_utils.f5_utils import iControlUnexpectedHTTPError + from test.unit.modules.utils import set_module_args +except ImportError: + try: + from ansible.modules.network.f5.bigip_device_httpd import Parameters + from ansible.modules.network.f5.bigip_device_httpd import ModuleManager + from ansible.modules.network.f5.bigip_device_httpd import ArgumentSpec + from ansible.module_utils.f5_utils import iControlUnexpectedHTTPError + from units.modules.utils import set_module_args + except ImportError: + raise SkipTest("F5 Ansible modules require the f5-sdk Python library") + +fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures') +fixture_data = {} + + +def load_fixture(name): + path = os.path.join(fixture_path, name) + + if path in fixture_data: + return fixture_data[path] + + with open(path) as f: + data = f.read() + + try: + data = json.loads(data) + except Exception: + pass + + fixture_data[path] = data + return data + + +class TestParameters(unittest.TestCase): + def test_module_parameters(self): + args = dict( + auth_name='BIG-IP', + auth_pam_idle_timeout=1200, + auth_pam_validate_ip='on' + ) + + p = Parameters(args) + assert p.auth_name == 'BIG-IP' + assert p.auth_pam_idle_timeout == 1200 + assert p.auth_pam_validate_ip == 'on' + + def test_api_parameters(self): + args = load_fixture('load_sys_httpd.json') + p = Parameters(args) + assert p.auth_name == 'BIG-IP' + assert p.auth_pam_idle_timeout == 1200 + + +@patch('ansible.module_utils.f5_utils.AnsibleF5Client._get_mgmt_root', + return_value=True) +class TestModuleManager(unittest.TestCase): + + def setUp(self): + self.spec = ArgumentSpec() + + def test_update(self, *args): + set_module_args( + dict( + auth_name='foo', + auth_pam_idle_timeout='1000', + auth_pam_validate_ip='off', + auth_pam_dashboard_timeout='on', + fast_cgi_timeout=200, + hostname_lookup='on', + log_level='error', + max_clients='20', + redirect_http_to_https='yes', + ssl_port=8443, + server='localhost', + user='admin', + password='password' + ) + ) + + current = Parameters( + load_fixture('load_sys_httpd.json') + ) + + client = AnsibleF5Client( + argument_spec=self.spec.argument_spec, + supports_check_mode=self.spec.supports_check_mode, + f5_product_name=self.spec.f5_product_name + ) + mm = ModuleManager(client) + + # Override methods to force specific logic in the module to happen + mm.update_on_device = Mock(return_value=True) + mm.read_current_from_device = Mock(return_value=current) + + results = mm.exec_module() + assert results['changed'] is True