Adds bigip_remote_role module (#44358)

This module can be used to manage remote roles on a BIG-IP used
for remote authentication to management interfaces.
This commit is contained in:
Tim Rupp 2018-08-19 01:15:04 -04:00 committed by GitHub
parent 0eb284b040
commit 783b565583
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 664 additions and 0 deletions

View file

@ -0,0 +1,556 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2018, F5 Networks Inc.
# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = r'''
---
module: bigip_remote_role
short_description: Manage remote roles on a BIG-IP
description:
- Manages remote roles on a BIG-IP. Remote roles are used in situations where
user authentication is handled off-box. Local access control to the BIG-IP
is controlled by the defined remote role. Where-as authentication (and by
extension, assignment to the role) is handled off-box.
version_added: 2.7
options:
name:
description:
- Specifies the name of the remote role.
required: True
line_order:
description:
- Specifies the order of the line in the file C(/config/bigip/auth/remoterole).
- The LDAP and Active Directory servers read this file line by line.
- The order of the information is important; therefore, F5 recommends that
you set the first line at 1000. This allows you, in the future, to insert
lines before the first line.
- When creating a new remote role, this parameter is required.
attribute_string:
description:
- Specifies the user account attributes saved in the group, in the format
C(cn=, ou=, dc=).
- When creating a new remote role, this parameter is required.
remote_access:
description:
- Enables or disables remote access for the specified group of remotely
authenticated users.
- When creating a new remote role, if this parameter is not specified, the default
is C(yes).
type: bool
assigned_role:
description:
- Specifies the authorization (level of access) for the account.
- When creating a new remote role, if this parameter is not provided, the
default is C(none).
- The C(partition_access) parameter controls which partitions the account can
access.
- The chosen role may affect the partitions that one is allowed to specify.
Specifically, roles such as C(administrator), C(auditor) and C(resource-administrator)
required a C(partition_access) of C(all).
- A set of pre-existing roles ship with the system. They are C(none), C(guest),
C(operator), C(application-editor), C(manager), C(certificate-manager),
C(irule-manager), C(user-manager), C(resource-administrator), C(auditor),
C(administrator), C(firewall-manager).
partition_access:
description:
- Specifies the accessible partitions for the account.
- This parameter supports the reserved names C(all) and C(Common), as well as
specific partitions a user may access.
- Users who have access to a partition can operate on objects in that partition,
as determined by the permissions conferred by the user's C(assigned_role).
- When creating a new remote role, if this parameter is not specified, the default
is C(all).
terminal_access:
description:
- Specifies terminal-based accessibility for remote accounts not already
explicitly assigned a user role.
- Common values for this include C(tmsh) and C(none), however custom values
may also be specified.
- When creating a new remote role, if this parameter is not specified, the default
is C(none).
state:
description:
- When C(present), guarantees that the remote role exists.
- When C(absent), removes the remote role from the system.
default: present
choices:
- absent
- present
extends_documentation_fragment: f5
author:
- Tim Rupp (@caphrim007)
'''
EXAMPLES = r'''
- name: Create a remote role
bigip_remote_role:
name: foo
group_name: ldap_group
line_order: 1
attribute_string: memberOf=cn=ldap_group,cn=ldap.group,ou=ldap
remote_access: enabled
assigned_role: administrator
partition_access: all
terminal_access: none
state: present
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
'''
RETURN = r'''
attribute_string:
description: The new attribute string of the resource.
returned: changed
type: string
sample: "memberOf=cn=ldap_group,cn=ldap.group,ou=ldap"
terminal_access:
description: The terminal setting of the remote role.
returned: changed
type: string
sample: tmsh
line_order:
description: Order of the remote role for LDAP and Active Directory servers.
returned: changed
type: int
sample: 1000
assigned_role:
description: System role that this remote role is associated with.
returned: changed
type: string
sample: administrator
partition_access:
description: Partition that the role has access to.
returned: changed
type: string
sample: all
remote_access:
description: Whether remote access is allowed or not.
returned: changed
type: bool
sample: no
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.basic import env_fallback
from ansible.module_utils.six import iteritems
try:
from library.module_utils.network.f5.bigip import F5RestClient
from library.module_utils.network.f5.common import F5ModuleError
from library.module_utils.network.f5.common import AnsibleF5Parameters
from library.module_utils.network.f5.common import cleanup_tokens
from library.module_utils.network.f5.common import fq_name
from library.module_utils.network.f5.common import f5_argument_spec
from library.module_utils.network.f5.common import exit_json
from library.module_utils.network.f5.common import fail_json
from library.module_utils.network.f5.common import flatten_boolean
from library.module_utils.network.f5.common import transform_name
except ImportError:
from ansible.module_utils.network.f5.bigip import F5RestClient
from ansible.module_utils.network.f5.common import F5ModuleError
from ansible.module_utils.network.f5.common import AnsibleF5Parameters
from ansible.module_utils.network.f5.common import cleanup_tokens
from ansible.module_utils.network.f5.common import fq_name
from ansible.module_utils.network.f5.common import f5_argument_spec
from ansible.module_utils.network.f5.common import exit_json
from ansible.module_utils.network.f5.common import fail_json
from ansible.module_utils.network.f5.common import flatten_boolean
from ansible.module_utils.network.f5.common import transform_name
class Parameters(AnsibleF5Parameters):
api_map = {
'attribute': 'attribute_string',
'console': 'terminal_access',
'lineOrder': 'line_order',
'role': 'assigned_role',
'userPartition': 'partition_access',
'deny': 'remote_access'
}
api_attributes = [
'attribute',
'console',
'lineOrder',
'role',
'deny',
'userPartition',
]
returnables = [
'attribute_string',
'terminal_access',
'line_order',
'assigned_role',
'partition_access',
'remote_access',
]
updatables = [
'attribute_string',
'terminal_access',
'line_order',
'assigned_role',
'partition_access',
'remote_access',
]
role_map = {
'application-editor': 'applicationeditor',
'none': 'noaccess',
'certificate-manager': 'certificatemanager',
'irule-manager': 'irulemanager',
'user-manager': 'usermanager',
'resource-administrator': 'resourceadmin',
'firewall-manager': 'firewallmanager'
}
class ApiParameters(Parameters):
pass
class ModuleParameters(Parameters):
@property
def partition(self):
return 'Common'
@property
def assigned_role(self):
if self._values['assigned_role'] is None:
return None
return self.role_map.get(self._values['assigned_role'], self._values['assigned_role'])
@property
def terminal_access(self):
if self._values['terminal_access'] in [None, 'tmsh']:
return self._values['terminal_access']
elif self._values['terminal_access'] == 'none':
return 'disable'
return self._values['terminal_access']
@property
def partition_access(self):
if self._values['partition_access'] is None:
return None
if self._values['partition_access'] == 'all':
return 'All'
return self._values['partition_access']
@property
def remote_access(self):
result = flatten_boolean(self._values['remote_access'])
if result == 'yes':
return 'disabled'
elif result == 'no':
return 'enabled'
class Changes(Parameters):
def to_return(self):
result = {}
try:
for returnable in self.returnables:
result[returnable] = getattr(self, returnable)
result = self._filter_params(result)
except Exception:
pass
return result
class UsableChanges(Changes):
pass
class ReportableChanges(Changes):
@property
def assigned_role(self):
if self._values['assigned_role'] is None:
return None
rmap = dict((v, k) for k, v in iteritems(self.role_map))
return rmap.get(self._values['assigned_role'], self._values['assigned_role'])
@property
def terminal_access(self):
if self._values['terminal_access'] in [None, 'tmsh']:
return self._values['terminal_access']
elif self._values['terminal_access'] == 'disabled':
return 'none'
return self._values['terminal_access']
class Difference(object):
def __init__(self, want, have=None):
self.want = want
self.have = have
def compare(self, param):
try:
result = getattr(self, param)
return result
except AttributeError:
return self.__default(param)
def __default(self, param):
attr1 = getattr(self.want, param)
try:
attr2 = getattr(self.have, param)
if attr1 != attr2:
return attr1
except AttributeError:
return attr1
class ModuleManager(object):
def __init__(self, *args, **kwargs):
self.module = kwargs.get('module', None)
self.client = kwargs.get('client', None)
self.want = ModuleParameters(params=self.module.params)
self.have = ApiParameters()
self.changes = UsableChanges()
def _set_changed_options(self):
changed = {}
for key in Parameters.returnables:
if getattr(self.want, key) is not None:
changed[key] = getattr(self.want, key)
if changed:
self.changes = UsableChanges(params=changed)
def _update_changed_options(self):
diff = Difference(self.want, self.have)
updatables = Parameters.updatables
changed = dict()
for k in updatables:
change = diff.compare(k)
if change is None:
continue
else:
if isinstance(change, dict):
changed.update(change)
else:
changed[k] = change
if changed:
self.changes = UsableChanges(params=changed)
return True
return False
def should_update(self):
result = self._update_changed_options()
if result:
return True
return False
def exec_module(self):
changed = False
result = dict()
state = self.want.state
if state == "present":
changed = self.present()
elif state == "absent":
changed = self.absent()
reportable = ReportableChanges(params=self.changes.to_return())
changes = reportable.to_return()
result.update(**changes)
result.update(dict(changed=changed))
self._announce_deprecations(result)
return result
def _announce_deprecations(self, result):
warnings = result.pop('__warnings', [])
for warning in warnings:
self.client.module.deprecate(
msg=warning['msg'],
version=warning['version']
)
def present(self):
if self.exists():
return self.update()
else:
return self.create()
def exists(self):
uri = "https://{0}:{1}/mgmt/tm/auth/remote-role/role-info/{2}".format(
self.client.provider['server'],
self.client.provider['server_port'],
transform_name(self.want.partition, self.want.name)
)
resp = self.client.api.get(uri)
try:
response = resp.json()
except ValueError:
return False
if resp.status == 404 or 'code' in response and response['code'] == 404:
return False
return True
def update(self):
self.have = self.read_current_from_device()
if not self.should_update():
return False
if self.module.check_mode:
return True
self.update_on_device()
return True
def remove(self):
if self.module.check_mode:
return True
self.remove_from_device()
if self.exists():
raise F5ModuleError("Failed to delete the resource.")
return True
def create(self):
if self.want.partition_access is None:
self.want.update({'partition_access': 'all'})
if self.want.remote_access is None:
self.want.update({'remote_access': True})
if self.want.assigned_role is None:
self.want.update({'assigned_role': 'none'})
if self.want.terminal_access is None:
self.want.update({'terminal_access': 'none'})
self._set_changed_options()
if self.module.check_mode:
return True
self.create_on_device()
return True
def create_on_device(self):
params = self.changes.api_params()
params['name'] = self.want.name
uri = "https://{0}:{1}/mgmt/tm/auth/remote-role/role-info/".format(
self.client.provider['server'],
self.client.provider['server_port']
)
resp = self.client.api.post(uri, json=params)
try:
response = resp.json()
except ValueError as ex:
raise F5ModuleError(str(ex))
if 'code' in response and response['code'] in [400, 403]:
if 'message' in response:
raise F5ModuleError(response['message'])
else:
raise F5ModuleError(resp.content)
def update_on_device(self):
params = self.changes.api_params()
uri = "https://{0}:{1}/mgmt/tm/auth/remote-role/role-info/{2}".format(
self.client.provider['server'],
self.client.provider['server_port'],
transform_name(self.want.partition, self.want.name)
)
resp = self.client.api.patch(uri, json=params)
try:
response = resp.json()
except ValueError as ex:
raise F5ModuleError(str(ex))
if 'code' in response and response['code'] == 400:
if 'message' in response:
if 'Once configured [All] partition, remote user group cannot' in response['message']:
raise F5ModuleError(
"The specified 'attribute_string' is already used in the 'all' partition."
)
raise F5ModuleError(response['message'])
else:
raise F5ModuleError(resp.content)
def absent(self):
if self.exists():
return self.remove()
return False
def remove_from_device(self):
uri = "https://{0}:{1}/mgmt/tm/auth/remote-role/role-info/{2}".format(
self.client.provider['server'],
self.client.provider['server_port'],
transform_name(self.want.partition, self.want.name)
)
response = self.client.api.delete(uri)
if response.status == 200:
return True
if 'code' in response and response['code'] == 400:
if 'message' in response:
raise F5ModuleError(response['message'])
else:
raise F5ModuleError(response.content)
def read_current_from_device(self):
uri = "https://{0}:{1}/mgmt/tm/auth/remote-role/role-info/{2}".format(
self.client.provider['server'],
self.client.provider['server_port'],
transform_name(self.want.partition, self.want.name)
)
resp = self.client.api.get(uri)
try:
response = resp.json()
except ValueError as ex:
raise F5ModuleError(str(ex))
if 'code' in response and response['code'] == 400:
if 'message' in response:
raise F5ModuleError(response['message'])
else:
raise F5ModuleError(resp.content)
return ApiParameters(params=response)
class ArgumentSpec(object):
def __init__(self):
self.supports_check_mode = True
argument_spec = dict(
name=dict(required=True),
line_order=dict(type='int'),
attribute_string=dict(),
remote_access=dict(type='bool'),
assigned_role=dict(),
partition_access=dict(),
terminal_access=dict(),
state=dict(
default='present',
choices=['present', 'absent']
),
)
self.argument_spec = {}
self.argument_spec.update(f5_argument_spec)
self.argument_spec.update(argument_spec)
def main():
spec = ArgumentSpec()
module = AnsibleModule(
argument_spec=spec.argument_spec,
supports_check_mode=spec.supports_check_mode,
)
try:
client = F5RestClient(**module.params)
mm = ModuleManager(module=module, client=client)
results = mm.exec_module()
exit_json(module, results, client)
except F5ModuleError as ex:
fail_json(module, ex, client)
if __name__ == '__main__':
main()

View file

@ -0,0 +1,108 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2017, F5 Networks Inc.
# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import os
import json
import pytest
import sys
from nose.plugins.skip import SkipTest
if sys.version_info < (2, 7):
raise SkipTest("F5 Ansible modules require Python >= 2.7")
from ansible.compat.tests import unittest
from ansible.compat.tests.mock import Mock
from ansible.compat.tests.mock import patch
from ansible.module_utils.basic import AnsibleModule
try:
from library.modules.bigip_remote_role import ApiParameters
from library.modules.bigip_remote_role import ModuleParameters
from library.modules.bigip_remote_role import ModuleManager
from library.modules.bigip_remote_role import ArgumentSpec
from library.module_utils.network.f5.common import F5ModuleError
from library.module_utils.network.f5.common import iControlUnexpectedHTTPError
from test.unit.modules.utils import set_module_args
except ImportError:
try:
from ansible.modules.network.f5.bigip_remote_role import ApiParameters
from ansible.modules.network.f5.bigip_remote_role import ModuleParameters
from ansible.modules.network.f5.bigip_remote_role import ModuleManager
from ansible.modules.network.f5.bigip_remote_role import ArgumentSpec
from ansible.module_utils.network.f5.common import F5ModuleError
from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError
from units.modules.utils import set_module_args
except ImportError:
raise SkipTest("F5 Ansible modules require the f5-sdk Python library")
fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures')
fixture_data = {}
def load_fixture(name):
path = os.path.join(fixture_path, name)
if path in fixture_data:
return fixture_data[path]
with open(path) as f:
data = f.read()
try:
data = json.loads(data)
except Exception:
pass
fixture_data[path] = data
return data
class TestParameters(unittest.TestCase):
def test_module_parameters(self):
args = dict(
terminal_access='none',
)
p = ModuleParameters(params=args)
assert p.terminal_access == 'disable'
def test_api_parameters(self):
args = load_fixture('load_auth_remote_role_role_info_1.json')
p = ApiParameters(params=args)
assert p.terminal_access == 'disable'
class TestManager(unittest.TestCase):
def setUp(self):
self.spec = ArgumentSpec()
def test_create_remote_syslog(self, *args):
set_module_args(dict(
name='foo',
line_order=1000,
attribute_string='bar',
server='localhost',
password='password',
user='admin'
))
module = AnsibleModule(
argument_spec=self.spec.argument_spec,
supports_check_mode=self.spec.supports_check_mode
)
# Override methods in the specific type of manager
mm = ModuleManager(module=module)
mm.exists = Mock(side_effect=[False, True])
mm.create_on_device = Mock(return_value=True)
results = mm.exec_module()
assert results['changed'] is True