From 7d5418e3d072dde78d6b905e3334545d7ea10375 Mon Sep 17 00:00:00 2001 From: Chris Archibald Date: Fri, 22 Feb 2019 04:03:53 -0800 Subject: [PATCH] New Module: na_ontap_vscan_on_access_policy (#49785) * changes to clusteR * changes to clusteR * Revert "changes to clusteR" This reverts commit 33ee1b71e4bc8435fb315762a871f8c4cb6c5f80. * Revert "changes to clusteR" This reverts commit 33ee1b71e4bc8435fb315762a871f8c4cb6c5f80. * new module na_ontap_vscan_on_access_policy * update author * remove blank trys' * switch to int --- .../netapp/na_ontap_vscan_on_access_policy.py | 366 ++++++++++++++++++ .../test_na_ontap_vscan_on_access_policy.py | 156 ++++++++ 2 files changed, 522 insertions(+) create mode 100644 lib/ansible/modules/storage/netapp/na_ontap_vscan_on_access_policy.py create mode 100644 test/units/modules/storage/netapp/test_na_ontap_vscan_on_access_policy.py diff --git a/lib/ansible/modules/storage/netapp/na_ontap_vscan_on_access_policy.py b/lib/ansible/modules/storage/netapp/na_ontap_vscan_on_access_policy.py new file mode 100644 index 00000000000..5d079adc9f9 --- /dev/null +++ b/lib/ansible/modules/storage/netapp/na_ontap_vscan_on_access_policy.py @@ -0,0 +1,366 @@ +#!/usr/bin/python + +# (c) 2018-2019, NetApp Inc. +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'certified'} + +DOCUMENTATION = ''' +module: na_ontap_vscan_on_access_policy +short_description: NetApp ONTAP Vscan on access policy configuration. +extends_documentation_fragment: + - netapp.na_ontap +version_added: '2.8' +author: NetApp Ansible Team (@carchi8py) +description: +- Configure on access policy for Vscan (virus scan) +options: + state: + description: + - Whether a Vscan on Access policy is present or not + choices: ['present', 'absent'] + default: present + + vserver: + description: + - the name of the data vserver to use. + required: true + + policy_name: + description: + - The name of the policy + required: true + + file_ext_to_exclude: + description: + - File extensions for which On-Access scanning must not be performed. + + file_ext_to_include: + description: + - File extensions for which On-Access scanning is considered. The default value is '*', which means that all files are considered for scanning except + - those which are excluded from scanning. + + filters: + description: + - A list of filters which can be used to define the scope of the On-Access policy more precisely. The filters can be added in any order. Possible values + - scan_ro_volume Enable scans for read-only volume, + - scan_execute_access Scan only files opened with execute-access (CIFS only) + + is_scan_mandatory: + description: + - Specifies whether access to a file is allowed if there are no external virus-scanning servers available for virus scanning. It is true if not provided at + the time of creating a policy. + type: bool + + max_file_size: + description: + - Max file-size (in bytes) allowed for scanning. The default value of 2147483648 (2GB) is taken if not provided at the time of creating a policy. + + paths_to_exclude: + description: + - File paths for which On-Access scanning must not be performed. + + scan_files_with_no_ext: + description: + - Specifies whether files without any extension are considered for scanning or not. + default: True +''' + +EXAMPLES = """ + - name: Create Vscan On Access Policy + na_ontap_vscan_on_access_policy: + state: present + username: '{{ netapp_username }}' + password: '{{ netapp_password }}' + hostname: '{{ netapp_hostname }}' + vserver: carchi-vsim2 + policy_name: carchi_policy + file_ext_to_exclude: ['exe', 'yml'] + - name: modify Vscan on Access Policy + na_ontap_vscan_on_access_policy: + state: present + username: '{{ netapp_username }}' + password: '{{ netapp_password }}' + hostname: '{{ netapp_hostname }}' + vserver: carchi-vsim2 + policy_name: carchi_policy + file_ext_to_exclude: ['exe', 'yml', 'py'] + - name: Delete On Access Policy + na_ontap_vscan_on_access_policy: + state: absent + username: '{{ netapp_username }}' + password: '{{ netapp_password }}' + hostname: '{{ netapp_hostname }}' + vserver: carchi-vsim2 + policy_name: carchi_policy +""" + +RETURN = """ + +""" + +import traceback + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_native +import ansible.module_utils.netapp as netapp_utils + +HAS_NETAPP_LIB = netapp_utils.has_netapp_lib() + + +class NetAppOntapVscanOnAccessPolicy(object): + """ + Create/Modify/Delete a Vscan OnAccess policy + """ + def __init__(self): + self.argument_spec = netapp_utils.na_ontap_host_argument_spec() + self.argument_spec.update(dict( + state=dict(choices=['present', 'absent'], default='present'), + vserver=dict(required=True, type='str'), + policy_name=dict(required=True, type='str'), + file_ext_to_exclude=dict(required=False, type="list"), + file_ext_to_include=dict(required=False, type="list"), + filters=dict(required=False, type="list"), + is_scan_mandatory=dict(required=False, type='bool', default=False), + max_file_size=dict(required=False, type="int"), + paths_to_exclude=dict(required=False, type="list"), + scan_files_with_no_ext=dict(required=False, type=bool, default=True) + )) + self.module = AnsibleModule( + argument_spec=self.argument_spec, + supports_check_mode=True + ) + parameters = self.module.params + self.state = parameters['state'] + self.vserver = parameters['vserver'] + self.policy_name = parameters['policy_name'] + self.file_ext_to_exclude = parameters['file_ext_to_exclude'] + self.file_ext_to_include = parameters['file_ext_to_include'] + self.filters = parameters['filters'] + self.is_scan_mandatory = parameters['is_scan_mandatory'] + self.max_file_size = parameters['max_file_size'] + self.paths_to_exclude = parameters['paths_to_exclude'] + self.scan_files_with_no_ext = parameters['scan_files_with_no_ext'] + + if HAS_NETAPP_LIB is False: + self.module.fail_json(msg="the python NetApp-Lib module is required") + else: + self.server = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=self.vserver) + + def exists_access_policy(self, policy_obj=None): + """ + Check if a Vscan Access policy exists + :return: True if Exist, False if it does not + """ + if policy_obj is None: + policy_obj = self.return_on_access_policy() + if policy_obj: + return True + else: + return False + + def return_on_access_policy(self): + """ + Return a Vscan on Access Policy + :return: None if there is no access policy, return the policy if there is + """ + access_policy_obj = netapp_utils.zapi.NaElement('vscan-on-access-policy-get-iter') + access_policy_info = netapp_utils.zapi.NaElement('vscan-on-access-policy-info') + access_policy_info.add_new_child('policy-name', self.policy_name) + query = netapp_utils.zapi.NaElement('query') + query.add_child_elem(access_policy_info) + access_policy_obj.add_child_elem(query) + try: + result = self.server.invoke_successfully(access_policy_obj, True) + except netapp_utils.zapi.NaApiError as error: + self.module.fail_json(msg='Error searching Vscan on Access Policy %s: %s' % + (self.policy_name, to_native(error)), exception=traceback.format_exc()) + if result.get_child_by_name('num-records'): + if int(result.get_child_content('num-records')) == 1: + return result + elif int(result.get_child_content('num-records')) > 1: + self.module.fail_json(msg='Mutiple Vscan on Access Policy matching %s:' % self.policy_name) + return None + + def create_on_access_policy(self): + """ + Create a Vscan on Access policy + :return: none + """ + access_policy_obj = netapp_utils.zapi.NaElement('vscan-on-access-policy-create') + access_policy_obj.add_new_child('policy-name', self.policy_name) + access_policy_obj.add_new_child('protocol', 'cifs') + access_policy_obj = self._fill_in_access_policy(access_policy_obj) + + try: + self.server.invoke_successfully(access_policy_obj, True) + except netapp_utils.zapi.NaApiError as error: + self.module.fail_json(msg='Error creating Vscan on Access Policy %s: %s' % + (self.policy_name, to_native(error)), exception=traceback.format_exc()) + + def delete_on_access_policy(self): + """ + Delete a Vscan On Access Policy + :return: + """ + access_policy_obj = netapp_utils.zapi.NaElement('vscan-on-access-policy-delete') + access_policy_obj.add_new_child('policy-name', self.policy_name) + try: + self.server.invoke_successfully(access_policy_obj, True) + except netapp_utils.zapi.NaApiError as error: + self.module.fail_json(msg='Error Deleting Vscan on Access Policy %s: %s' % + (self.policy_name, to_native(error)), exception=traceback.format_exc()) + + def modify_on_access_policy(self): + """ + Modify a Vscan On Access policy + :return: nothing + """ + access_policy_obj = netapp_utils.zapi.NaElement('vscan-on-access-policy-modify') + access_policy_obj.add_new_child('policy-name', self.policy_name) + access_policy_obj = self._fill_in_access_policy(access_policy_obj) + try: + self.server.invoke_successfully(access_policy_obj, True) + except netapp_utils.zapi.NaApiError as error: + self.module.fail_json(msg='Error Modifying Vscan on Access Policy %s: %s' % + (self.policy_name, to_native(error)), exception=traceback.format_exc()) + + def _fill_in_access_policy(self, access_policy_obj): + if self.is_scan_mandatory is not None: + access_policy_obj.add_new_child('is-scan-mandatory', str(self.is_scan_mandatory).lower()) + if self.max_file_size: + access_policy_obj.add_new_child('max-file-size', str(self.max_file_size)) + if self.scan_files_with_no_ext is not None: + access_policy_obj.add_new_child('scan-files-with-no-ext', str(self.scan_files_with_no_ext)) + if self.file_ext_to_exclude: + ext_obj = netapp_utils.zapi.NaElement('file-ext-to-exclude') + access_policy_obj.add_child_elem(ext_obj) + for extension in self.file_ext_to_exclude: + ext_obj.add_new_child('file-extension', extension) + if self.file_ext_to_include: + ext_obj = netapp_utils.zapi.NaElement('file-ext-to-include') + access_policy_obj.add_child_elem(ext_obj) + for extension in self.file_ext_to_include: + ext_obj.add_new_child('file-extension', extension) + if self.filters: + ui_filter_obj = netapp_utils.zapi.NaElement('filters') + access_policy_obj.add_child_elem(ui_filter_obj) + for filter in self.filters: + ui_filter_obj.add_new_child('vscan-on-access-policy-ui-filter', filter) + if self.paths_to_exclude: + path_obj = netapp_utils.zapi.NaElement('paths-to-exclude') + access_policy_obj.add_child_elem(path_obj) + for path in self.paths_to_exclude: + path_obj.add_new_child('file-path', path) + return access_policy_obj + + def has_policy_changed(self): + results = self.return_on_access_policy() + if results is None: + return False + try: + policy_obj = results.get_child_by_name('attributes-list').get_child_by_name('vscan-on-access-policy-info') + except netapp_utils.zapi.NaApiError as error: + self.module.fail_json(msg='Error Accessing on access policy %s: %s' % + (self.policy_name, to_native(error)), exception=traceback.format_exc()) + if self.is_scan_mandatory is not None: + if str(self.is_scan_mandatory).lower() != policy_obj.get_child_content('is-scan-mandatory'): + return True + if self.max_file_size: + if self.max_file_size != int(policy_obj.get_child_content('max-file-size')): + return True + if self.scan_files_with_no_ext is not None: + if str(self.scan_files_with_no_ext).lower() != policy_obj.get_child_content('scan-files-with-no-ext'): + return True + if self.file_ext_to_exclude: + # if no file-ext-to-exclude are given at creation, XML will not have a file-ext-to-exclude + if policy_obj.get_child_by_name('file-ext-to-exclude') is None: + return True + current_to_exclude = [] + for each in policy_obj.get_child_by_name('file-ext-to-exclude').get_children(): + current_to_exclude.append(each.get_content()) + k = self._diff(self.file_ext_to_exclude, current_to_exclude) + # If the diff returns something the lists don't match and the policy has changed + if k: + return True + if self.file_ext_to_include: + # if no file-ext-to-include are given at creation, XML will not have a file-ext-to-include + if policy_obj.get_child_by_name('file-ext-to-include') is None: + return True + current_to_include = [] + for each in policy_obj.get_child_by_name('file-ext-to-include').get_children(): + current_to_include.append(each.get_content()) + k = self._diff(self.file_ext_to_include, current_to_include) + # If the diff returns something the lists don't match and the policy has changed + if k: + return True + if self.filters: + if policy_obj.get_child_by_name('filters') is None: + return True + current_filters = [] + for each in policy_obj.get_child_by_name('filters').get_children(): + current_filters.append(each.get_content()) + k = self._diff(self.filters, current_filters) + # If the diff returns something the lists don't match and the policy has changed + if k: + return True + if self.paths_to_exclude: + if policy_obj.get_child_by_name('paths-to-exclude') is None: + return True + current_paths_to_exlude = [] + for each in policy_obj.get_child_by_name('paths-to-exclude').get_children(): + current_paths_to_exlude.append(each.get_content()) + k = self._diff(self.paths_to_exclude, current_paths_to_exlude) + # If the diff returns something the lists don't match and the policy has changed + if k: + return True + return False + + def _diff(self, li1, li2): + """ + :param li1: list 1 + :param li2: list 2 + :return: a list contain items that are not on both lists + """ + li_dif = [i for i in li1 + li2 if i not in li1 or i not in li2] + return li_dif + + def apply(self): + netapp_utils.ems_log_event("na_ontap_vscan_on_access_policy", self.server) + changed = False + policy_obj = self.return_on_access_policy() + if self.state == 'present': + if not self.exists_access_policy(policy_obj): + if not self.module.check_mode: + self.create_on_access_policy() + changed = True + else: + # Check if anything has changed first. + if self.has_policy_changed(): + if not self.module.check_mode: + self.modify_on_access_policy() + changed = True + if self.state == 'absent': + if self.exists_access_policy(policy_obj): + if not self.module.check_mode: + self.delete_on_access_policy() + changed = True + self.module.exit_json(changed=changed) + + +def main(): + """ + Execute action from playbook + """ + command = NetAppOntapVscanOnAccessPolicy() + command.apply() + + +if __name__ == '__main__': + main() diff --git a/test/units/modules/storage/netapp/test_na_ontap_vscan_on_access_policy.py b/test/units/modules/storage/netapp/test_na_ontap_vscan_on_access_policy.py new file mode 100644 index 00000000000..308548c529c --- /dev/null +++ b/test/units/modules/storage/netapp/test_na_ontap_vscan_on_access_policy.py @@ -0,0 +1,156 @@ +# (c) 2018, NetApp, Inc +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +''' unit tests for Ansible module: na_ontap_vscan_scanner_pool ''' + +from __future__ import print_function +import json +import pytest + +from units.compat import unittest +from units.compat.mock import patch, Mock +from ansible.module_utils import basic +from ansible.module_utils._text import to_bytes +import ansible.module_utils.netapp as netapp_utils + +from ansible.modules.storage.netapp.na_ontap_vscan_on_access_policy \ + import NetAppOntapVscanOnAccessPolicy as policy_module # module under test + +if not netapp_utils.has_netapp_lib(): + pytestmark = pytest.skip('skipping as missing required netapp_lib') +HAS_NETAPP_ZAPI_MSG = "pip install netapp_lib is required" + + +def set_module_args(args): + """prepare arguments so that they will be picked up during module creation""" + args = json.dumps({'ANSIBLE_MODULE_ARGS': args}) + basic._ANSIBLE_ARGS = to_bytes(args) # pylint: disable=protected-access + + +class AnsibleExitJson(Exception): + """Exception class to be raised by module.exit_json and caught by the test case""" + pass + + +class AnsibleFailJson(Exception): + """Exception class to be raised by module.fail_json and caught by the test case""" + pass + + +def exit_json(*args, **kwargs): # pylint: disable=unused-argument + """function to patch over exit_json; package return data into an exception""" + if 'changed' not in kwargs: + kwargs['changed'] = False + raise AnsibleExitJson(kwargs) + + +def fail_json(*args, **kwargs): # pylint: disable=unused-argument + """function to patch over fail_json; package return data into an exception""" + kwargs['failed'] = True + raise AnsibleFailJson(kwargs) + + +class MockONTAPConnection(object): + ''' mock server connection to ONTAP host ''' + + def __init__(self, kind=None, data=None): + ''' save arguments ''' + self.kind = kind + self.params = data + self.xml_in = None + self.xml_out = None + + def invoke_successfully(self, xml, enable_tunneling): # pylint: disable=unused-argument + ''' mock invoke_successfully returning xml data ''' + self.xml_in = xml + if self.kind == 'policy': + xml = self.build_access_policy_info(self.params) + self.xml_out = xml + return xml + + @staticmethod + def build_access_policy_info(policy_details): + xml = netapp_utils.zapi.NaElement('xml') + attributes = {'num-records': 1, + 'attributes-list': {'vscan-on-access-policy-info': {'policy-name': policy_details['policy_name']}}} + xml.translate_struct(attributes) + return xml + + +class TestMyModule(unittest.TestCase): + ''' Unit tests for na_ontap_job_schedule ''' + + def setUp(self): + self.mock_module_helper = patch.multiple(basic.AnsibleModule, + exit_json=exit_json, + fail_json=fail_json) + self.mock_module_helper.start() + self.addCleanup(self.mock_module_helper.stop) + self.mock_access_policy = { + 'state': 'present', + 'vserver': 'test_vserver', + 'policy_name': 'test_carchi' + } + + def mock_args(self): + return { + 'state': self.mock_access_policy['state'], + 'vserver': self.mock_access_policy['vserver'], + 'policy_name': self.mock_access_policy['policy_name'], + 'hostname': 'test', + 'username': 'test_user', + 'password': 'test_pass!' + } + + def get_policy_mock_object(self, kind=None): + policy_obj = policy_module() + if kind is None: + policy_obj.server = MockONTAPConnection() + else: + policy_obj.server = MockONTAPConnection(kind='policy', data=self.mock_access_policy) + return policy_obj + + def test_module_fail_when_required_args_missing(self): + ''' required arguments are reported as errors ''' + with pytest.raises(AnsibleFailJson) as exc: + set_module_args({}) + policy_module() + print('Info: %s' % exc.value.args[0]['msg']) + + def test_get_nonexistent_policy(self): + set_module_args(self.mock_args()) + result = self.get_policy_mock_object().exists_access_policy() + assert not result + + def test_get_existing_scanner(self): + set_module_args(self.mock_args()) + result = self.get_policy_mock_object('policy').exists_access_policy() + assert result + + def test_successfully_create(self): + set_module_args(self.mock_args()) + with pytest.raises(AnsibleExitJson) as exc: + self.get_policy_mock_object().apply() + assert exc.value.args[0]['changed'] + + def test_create_idempotency(self): + set_module_args(self.mock_args()) + with pytest.raises(AnsibleExitJson) as exc: + self.get_policy_mock_object('policy').apply() + assert exc.value.args[0]['changed'] + + def test_successfully_delete(self): + data = self.mock_args() + data['state'] = 'absent' + set_module_args(data) + with pytest.raises(AnsibleExitJson) as exc: + self.get_policy_mock_object('policy').apply() + assert exc.value.args[0]['changed'] + + def test_delete_idempotency(self): + data = self.mock_args() + data['state'] = 'absent' + set_module_args(data) + with pytest.raises(AnsibleExitJson) as exc: + self.get_policy_mock_object().apply() + assert not exc.value.args[0]['changed']