Adds params to the profile-client-ssl module (#44656)
This patch adds new parameters to the client ssl module.
This commit is contained in:
parent
990e95eb57
commit
79153b95e5
3 changed files with 231 additions and 15 deletions
|
@ -63,9 +63,7 @@ class F5Client(F5BaseClient):
|
|||
|
||||
class F5RestClient(F5BaseClient):
|
||||
def __init__(self, *args, **kwargs):
|
||||
params = kwargs.get('module').params
|
||||
module = kwargs.pop('module')
|
||||
super(F5RestClient, self).__init__(module=module, **params)
|
||||
super(F5RestClient, self).__init__(*args, **kwargs)
|
||||
self.provider = self.merge_provider_params()
|
||||
|
||||
@property
|
||||
|
@ -89,7 +87,7 @@ class F5RestClient(F5BaseClient):
|
|||
|
||||
if response.status not in [200]:
|
||||
raise F5ModuleError('Status code: {0}. Unexpected Error: {1} for uri: {2}\nText: {3}'.format(
|
||||
response.status, response.reason, response.url, response._content
|
||||
response.status, response.reason, response.url, response.content
|
||||
))
|
||||
|
||||
session.headers['X-F5-Auth-Token'] = response.json()['token']['token']
|
||||
|
|
|
@ -54,6 +54,7 @@ f5_provider_spec = {
|
|||
default='rest'
|
||||
),
|
||||
'timeout': dict(type='int'),
|
||||
'auth_provider': dict()
|
||||
}
|
||||
|
||||
f5_argument_spec = {
|
||||
|
@ -88,6 +89,9 @@ f5_top_spec = {
|
|||
'transport': dict(
|
||||
removed_in_version=2.9,
|
||||
choices=['cli', 'rest']
|
||||
),
|
||||
'auth_provider': dict(
|
||||
default=None
|
||||
)
|
||||
}
|
||||
f5_argument_spec.update(f5_top_spec)
|
||||
|
@ -105,6 +109,13 @@ def load_params(params):
|
|||
params[key] = value
|
||||
|
||||
|
||||
def is_empty_list(seq):
|
||||
if len(seq) == 1:
|
||||
if seq[0] == '' or seq[0] == 'none':
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
# Fully Qualified name (with the partition)
|
||||
def fqdn_name(partition, value):
|
||||
"""This method is not used
|
||||
|
@ -204,7 +215,9 @@ def flatten_boolean(value):
|
|||
return 'no'
|
||||
|
||||
|
||||
def cleanup_tokens(client):
|
||||
def cleanup_tokens(client=None):
|
||||
if client is None:
|
||||
return
|
||||
try:
|
||||
# isinstance cannot be used here because to import it creates a
|
||||
# circular dependency with teh module_utils.network.f5.bigip file.
|
||||
|
|
|
@ -7,7 +7,6 @@
|
|||
from __future__ import absolute_import, division, print_function
|
||||
__metaclass__ = type
|
||||
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
@ -42,8 +41,7 @@ options:
|
|||
type of each certificate/key type. This means that you can only have one
|
||||
RSA, one DSA, and one ECDSA per profile. If you attempt to assign two
|
||||
RSA, DSA, or ECDSA certificate/key combo, the device will reject this.
|
||||
- This list is a complex list that specifies a number of keys. There are
|
||||
several supported keys.
|
||||
- This list is a complex list that specifies a number of keys.
|
||||
suboptions:
|
||||
cert:
|
||||
description:
|
||||
|
@ -69,6 +67,59 @@ options:
|
|||
- Device partition to manage resources on.
|
||||
default: Common
|
||||
version_added: 2.5
|
||||
options:
|
||||
description:
|
||||
- Options that the system uses for SSL processing in the form of a list. When
|
||||
creating a new profile, the list is provided by the parent profile.
|
||||
- When a C('') or C(none) value is provided all options for SSL processing are disabled.
|
||||
choices:
|
||||
- netscape-reuse-cipher-change-bug
|
||||
- microsoft-big-sslv3-buffer
|
||||
- msie-sslv2-rsa-padding
|
||||
- ssleay-080-client-dh-bug
|
||||
- tls-d5-bug
|
||||
- tls-block-padding-bug
|
||||
- dont-insert-empty-fragments
|
||||
- no-ssl
|
||||
- no-dtls
|
||||
- no-session-resumption-on-renegotiation
|
||||
- no-tlsv1.1
|
||||
- no-tlsv1.2
|
||||
- single-dh-use
|
||||
- ephemeral-rsa
|
||||
- cipher-server-preference
|
||||
- tls-rollback-bug
|
||||
- no-sslv2
|
||||
- no-sslv3
|
||||
- no-tls
|
||||
- no-tlsv1
|
||||
- pkcs1-check-1
|
||||
- pkcs1-check-2
|
||||
- netscape-ca-dn-bug
|
||||
- netscape-demo-cipher-change-bug
|
||||
version_added: 2.7
|
||||
secure_renegotiation:
|
||||
description:
|
||||
- Specifies the method of secure renegotiations for SSL connections. When
|
||||
creating a new profile, the setting is provided by the parent profile.
|
||||
- When C(request) is set the ssystem request secure renegotation of SSL
|
||||
connections.
|
||||
- C(require) is a default setting and when set the system permits initial SSL
|
||||
handshakes from clients but terminates renegotiations from unpatched clients.
|
||||
- The C(require-strict) setting the system requires strict renegotiation of SSL
|
||||
connections. In this mode the system refuses connections to insecure servers,
|
||||
and terminates existing SSL connections to insecure servers.
|
||||
choices:
|
||||
- require
|
||||
- require-strict
|
||||
- request
|
||||
version_added: 2.7
|
||||
allow_non_ssl:
|
||||
description:
|
||||
- Enables or disables acceptance of non-SSL connections.
|
||||
- When creating a new profile, the setting is provided by the parent profile.
|
||||
type: bool
|
||||
version_added: 2.7
|
||||
state:
|
||||
description:
|
||||
- When C(present), ensures that the profile exists.
|
||||
|
@ -83,6 +134,7 @@ notes:
|
|||
extends_documentation_fragment: f5
|
||||
author:
|
||||
- Tim Rupp (@caphrim007)
|
||||
- Wojciech Wypior (@wojtek0806)
|
||||
'''
|
||||
|
||||
EXAMPLES = r'''
|
||||
|
@ -105,6 +157,28 @@ EXAMPLES = r'''
|
|||
ciphers: "!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA"
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Create client SSL profile with specific SSL options
|
||||
bigip_profile_client_ssl:
|
||||
state: present
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
password: secret
|
||||
name: my_profile
|
||||
options:
|
||||
- no-sslv2
|
||||
- no-sslv3
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Create client SSL profile require secure renegotiation
|
||||
bigip_profile_client_ssl:
|
||||
state: present
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
password: secret
|
||||
name: my_profile
|
||||
secure_renegotation: request
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Create a client SSL profile with a cert/key/chain setting
|
||||
bigip_profile_client_ssl:
|
||||
state: present
|
||||
|
@ -125,6 +199,21 @@ ciphers:
|
|||
returned: changed
|
||||
type: string
|
||||
sample: "!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA"
|
||||
options:
|
||||
description: The list of options for SSL processing.
|
||||
returned: changed
|
||||
type: list
|
||||
sample: ['no-sslv2', 'no-sslv3']
|
||||
secure_renegotation:
|
||||
description: The method of secure SSL renegotiation.
|
||||
returned: changed
|
||||
type: string
|
||||
sample: request
|
||||
allow_non_ssl:
|
||||
description: Acceptance of non-SSL connections.
|
||||
returned: changed
|
||||
type: bool
|
||||
sample: yes
|
||||
'''
|
||||
|
||||
import os
|
||||
|
@ -141,6 +230,8 @@ try:
|
|||
from library.module_utils.network.f5.common import cleanup_tokens
|
||||
from library.module_utils.network.f5.common import fq_name
|
||||
from library.module_utils.network.f5.common import f5_argument_spec
|
||||
from library.module_utils.network.f5.common import flatten_boolean
|
||||
from library.module_utils.network.f5.common import is_empty_list
|
||||
try:
|
||||
from library.module_utils.network.f5.common import iControlUnexpectedHTTPError
|
||||
except ImportError:
|
||||
|
@ -153,6 +244,8 @@ except ImportError:
|
|||
from ansible.module_utils.network.f5.common import cleanup_tokens
|
||||
from ansible.module_utils.network.f5.common import fq_name
|
||||
from ansible.module_utils.network.f5.common import f5_argument_spec
|
||||
from ansible.module_utils.network.f5.common import flatten_boolean
|
||||
from ansible.module_utils.network.f5.common import is_empty_list
|
||||
try:
|
||||
from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError
|
||||
except ImportError:
|
||||
|
@ -162,20 +255,26 @@ except ImportError:
|
|||
class Parameters(AnsibleF5Parameters):
|
||||
api_map = {
|
||||
'certKeyChain': 'cert_key_chain',
|
||||
'defaultsFrom': 'parent'
|
||||
'defaultsFrom': 'parent',
|
||||
'allowNonSsl': 'allow_non_ssl',
|
||||
'secureRenegotiation': 'secure_renegotiation',
|
||||
'tmOptions': 'options',
|
||||
}
|
||||
|
||||
api_attributes = [
|
||||
'ciphers', 'certKeyChain',
|
||||
'defaultsFrom'
|
||||
'defaultsFrom', 'tmOptions',
|
||||
'secureRenegotiation', 'allowNonSsl',
|
||||
]
|
||||
|
||||
returnables = [
|
||||
'ciphers'
|
||||
'ciphers', 'allow_non_ssl', 'options',
|
||||
'secure_renegotiation',
|
||||
]
|
||||
|
||||
updatables = [
|
||||
'ciphers', 'cert_key_chain'
|
||||
'ciphers', 'cert_key_chain', 'allow_non_ssl',
|
||||
'options', 'secure_renegotiation',
|
||||
]
|
||||
|
||||
|
||||
|
@ -237,6 +336,57 @@ class ModuleParameters(Parameters):
|
|||
result = sorted(result, key=lambda x: x['name'])
|
||||
return result
|
||||
|
||||
@property
|
||||
def allow_non_ssl(self):
|
||||
result = flatten_boolean(self._values['allow_non_ssl'])
|
||||
if result is None:
|
||||
return None
|
||||
if result == 'yes':
|
||||
return 'enabled'
|
||||
return 'disabled'
|
||||
|
||||
@property
|
||||
def options(self):
|
||||
choices = [
|
||||
'netscape-reuse-cipher-change-bug',
|
||||
'microsoft-big-sslv3-buffer',
|
||||
'msie-sslv2-rsa-padding',
|
||||
'ssleay-080-client-dh-bug',
|
||||
'tls-d5-bug',
|
||||
'tls-block-padding-bug',
|
||||
'dont-insert-empty-fragments',
|
||||
'no-ssl',
|
||||
'no-dtls',
|
||||
'no-session-resumption-on-renegotiation',
|
||||
'no-tlsv1.1',
|
||||
'no-tlsv1.2',
|
||||
'single-dh-use',
|
||||
'ephemeral-rsa',
|
||||
'cipher-server-preference',
|
||||
'tls-rollback-bug',
|
||||
'no-sslv2',
|
||||
'no-sslv3',
|
||||
'no-tls',
|
||||
'no-tlsv1',
|
||||
'pkcs1-check-1',
|
||||
'pkcs1-check-2',
|
||||
'netscape-ca-dn-bug',
|
||||
'netscape-demo-cipher-change-bug'
|
||||
]
|
||||
options = self._values['options']
|
||||
|
||||
if options is None:
|
||||
return None
|
||||
|
||||
if is_empty_list(options):
|
||||
return []
|
||||
|
||||
if set(options).issubset(set(choices)):
|
||||
return options
|
||||
else:
|
||||
offenders = set(options).difference(set(choices))
|
||||
raise F5ModuleError('Invalid options specified: {0}'.format(offenders))
|
||||
|
||||
|
||||
class ApiParameters(Parameters):
|
||||
@property
|
||||
|
@ -275,7 +425,13 @@ class UsableChanges(Changes):
|
|||
|
||||
|
||||
class ReportableChanges(Changes):
|
||||
pass
|
||||
@property
|
||||
def allow_non_ssl(self):
|
||||
if self._values['allow_non_ssl'] is None:
|
||||
return None
|
||||
elif self._values['allow_non_ssl'] == 'enabled':
|
||||
return 'yes'
|
||||
return 'no'
|
||||
|
||||
|
||||
class Difference(object):
|
||||
|
@ -331,6 +487,22 @@ class Difference(object):
|
|||
result = self._diff_complex_items(self.want.cert_key_chain, self.have.cert_key_chain)
|
||||
return result
|
||||
|
||||
@property
|
||||
def options(self):
|
||||
if self.want.options is None:
|
||||
return None
|
||||
if not self.want.options:
|
||||
if self.have.options is None:
|
||||
return None
|
||||
if not self.have.options:
|
||||
return None
|
||||
if self.have.options is not None:
|
||||
return self.want.options
|
||||
if self.have.options is None:
|
||||
return self.want.options
|
||||
if set(self.want.options) != set(self.have.options):
|
||||
return self.want.options
|
||||
|
||||
|
||||
class ModuleManager(object):
|
||||
def __init__(self, *args, **kwargs):
|
||||
|
@ -482,6 +654,39 @@ class ArgumentSpec(object):
|
|||
name=dict(required=True),
|
||||
parent=dict(default='/Common/clientssl'),
|
||||
ciphers=dict(),
|
||||
allow_non_ssl=dict(type='bool'),
|
||||
secure_renegotiation=dict(
|
||||
choices=['require', 'require-strict', 'request']
|
||||
),
|
||||
options=dict(
|
||||
type='list',
|
||||
choices=[
|
||||
'netscape-reuse-cipher-change-bug',
|
||||
'microsoft-big-sslv3-buffer',
|
||||
'msie-sslv2-rsa-padding',
|
||||
'ssleay-080-client-dh-bug',
|
||||
'tls-d5-bug',
|
||||
'tls-block-padding-bug',
|
||||
'dont-insert-empty-fragments',
|
||||
'no-ssl',
|
||||
'no-dtls',
|
||||
'no-session-resumption-on-renegotiation',
|
||||
'no-tlsv1.1',
|
||||
'no-tlsv1.2',
|
||||
'single-dh-use',
|
||||
'ephemeral-rsa',
|
||||
'cipher-server-preference',
|
||||
'tls-rollback-bug',
|
||||
'no-sslv2',
|
||||
'no-sslv3',
|
||||
'no-tls',
|
||||
'no-tlsv1',
|
||||
'pkcs1-check-1',
|
||||
'pkcs1-check-2',
|
||||
'netscape-ca-dn-bug',
|
||||
'netscape-demo-cipher-change-bug',
|
||||
]
|
||||
),
|
||||
cert_key_chain=dict(
|
||||
type='list',
|
||||
options=dict(
|
||||
|
@ -507,7 +712,6 @@ class ArgumentSpec(object):
|
|||
|
||||
def main():
|
||||
spec = ArgumentSpec()
|
||||
|
||||
module = AnsibleModule(
|
||||
argument_spec=spec.argument_spec,
|
||||
supports_check_mode=spec.supports_check_mode
|
||||
|
@ -515,8 +719,9 @@ def main():
|
|||
if not HAS_F5SDK:
|
||||
module.fail_json(msg="The python f5-sdk module is required")
|
||||
|
||||
client = F5Client(**module.params)
|
||||
|
||||
try:
|
||||
client = F5Client(**module.params)
|
||||
mm = ModuleManager(module=module, client=client)
|
||||
results = mm.exec_module()
|
||||
cleanup_tokens(client)
|
||||
|
|
Loading…
Reference in a new issue