Update to na_ontap_firewall_policy (#51976)
* Revert "changes to clusteR"
This reverts commit 33ee1b71e4bc8435fb315762a871f8c4cb6c5f80.
* Fix issue and unit tests
* update to firewall
* fix import issues
* Revert "Revert "changes to clusteR""
This reverts commit 2713c75f31
.
* fix docs
* stop pylint on unicode line, line can only be run in python2
* Review comment
* add pylint skip
* add pylint skip
This commit is contained in:
parent
591e0ffb69
commit
dbcfb3d0fe
2 changed files with 470 additions and 156 deletions
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
|
|
||||||
# (c) 2018, NetApp, Inc
|
# (c) 2018-2019, NetApp, Inc
|
||||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
|
|
||||||
from __future__ import absolute_import, division, print_function
|
from __future__ import absolute_import, division, print_function
|
||||||
|
@ -16,71 +16,66 @@ short_description: NetApp ONTAP Manage a firewall policy
|
||||||
version_added: '2.7'
|
version_added: '2.7'
|
||||||
author: NetApp Ansible Team (@carchi8py) <ng-ansibleteam@netapp.com>
|
author: NetApp Ansible Team (@carchi8py) <ng-ansibleteam@netapp.com>
|
||||||
description:
|
description:
|
||||||
- Manage a firewall policy for an Ontap Cluster
|
- Configure firewall on an ONTAP node and manage firewall policy for an ONTAP SVM
|
||||||
extends_documentation_fragment:
|
extends_documentation_fragment:
|
||||||
- netapp.na_ontap
|
- netapp.na_ontap
|
||||||
|
requirements:
|
||||||
|
- Python package ipaddress. Install using 'pip install ipaddress'
|
||||||
options:
|
options:
|
||||||
state:
|
state:
|
||||||
description:
|
description:
|
||||||
- Whether to set up a fire policy or not
|
- Whether to set up a firewall policy or not
|
||||||
choices: ['present', 'absent']
|
choices: ['present', 'absent']
|
||||||
default: present
|
default: present
|
||||||
allow_list:
|
allow_list:
|
||||||
description:
|
description:
|
||||||
- A list of IPs and masks to use
|
- A list of IPs and masks to use.
|
||||||
|
- The host bits of the IP addresses used in this list must be set to 0.
|
||||||
policy:
|
policy:
|
||||||
description:
|
description:
|
||||||
- A policy name for the firewall policy
|
- A policy name for the firewall policy
|
||||||
required: true
|
|
||||||
service:
|
service:
|
||||||
description:
|
description:
|
||||||
- The service to apply the policy to
|
- The service to apply the policy to
|
||||||
choices: ['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']
|
choices: ['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']
|
||||||
required: true
|
|
||||||
vserver:
|
vserver:
|
||||||
description:
|
description:
|
||||||
- The Vserver to apply the policy to.
|
- The Vserver to apply the policy to.
|
||||||
required: true
|
|
||||||
enable:
|
enable:
|
||||||
description:
|
description:
|
||||||
- enabled firewall
|
- enable firewall on a node
|
||||||
choices: ['enable', 'disable']
|
choices: ['enable', 'disable']
|
||||||
default: enable
|
|
||||||
logging:
|
logging:
|
||||||
description:
|
description:
|
||||||
- enable logging
|
- enable logging for firewall on a node
|
||||||
choices: ['enable', 'disable']
|
choices: ['enable', 'disable']
|
||||||
default: disable
|
|
||||||
node:
|
node:
|
||||||
description:
|
description:
|
||||||
- The node to run the firewall configuration on
|
- The node to run the firewall configuration on
|
||||||
required: True
|
|
||||||
'''
|
'''
|
||||||
|
|
||||||
EXAMPLES = """
|
EXAMPLES = """
|
||||||
- name: create firewall Policy
|
- name: create firewall Policy
|
||||||
na_ontap_firewall_policy:
|
na_ontap_firewall_policy:
|
||||||
state: present
|
state: present
|
||||||
allow_list: [1.2.3.4/24,1.3.3.4/24]
|
allow_list: [1.2.3.0/24,1.3.0.0/16]
|
||||||
policy: pizza
|
policy: pizza
|
||||||
service: http
|
service: http
|
||||||
vserver: ci_dev
|
vserver: ci_dev
|
||||||
hostname: "{{ netapp hostname }}"
|
hostname: "{{ netapp hostname }}"
|
||||||
username: "{{ netapp username }}"
|
username: "{{ netapp username }}"
|
||||||
password: "{{ netapp password }}"
|
password: "{{ netapp password }}"
|
||||||
node: laurentn-vsim1
|
|
||||||
|
|
||||||
- name: Modify firewall Policy
|
- name: Modify firewall Policy
|
||||||
na_ontap_firewall_policy:
|
na_ontap_firewall_policy:
|
||||||
state: present
|
state: present
|
||||||
allow_list: [1.2.3.4/24,1.3.3.4/24]
|
allow_list: [1.5.3.0/24]
|
||||||
policy: pizza
|
policy: pizza
|
||||||
service: http
|
service: http
|
||||||
vserver: ci_dev
|
vserver: ci_dev
|
||||||
hostname: "{{ netapp hostname }}"
|
hostname: "{{ netapp hostname }}"
|
||||||
username: "{{ netapp username }}"
|
username: "{{ netapp username }}"
|
||||||
password: "{{ netapp password }}"
|
password: "{{ netapp password }}"
|
||||||
node: laurentn-vsim1
|
|
||||||
|
|
||||||
- name: Destory firewall Policy
|
- name: Destory firewall Policy
|
||||||
na_ontap_firewall_policy:
|
na_ontap_firewall_policy:
|
||||||
|
@ -91,7 +86,16 @@ EXAMPLES = """
|
||||||
hostname: "{{ netapp hostname }}"
|
hostname: "{{ netapp hostname }}"
|
||||||
username: "{{ netapp username }}"
|
username: "{{ netapp username }}"
|
||||||
password: "{{ netapp password }}"
|
password: "{{ netapp password }}"
|
||||||
node: laurentn-vsim1
|
|
||||||
|
- name: Enable firewall and logging on a node
|
||||||
|
na_ontap_firewall_policy:
|
||||||
|
node: test-vsim1
|
||||||
|
enable: enable
|
||||||
|
logging: enable
|
||||||
|
hostname: "{{ netapp hostname }}"
|
||||||
|
username: "{{ netapp username }}"
|
||||||
|
password: "{{ netapp password }}"
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
RETURN = """
|
RETURN = """
|
||||||
|
@ -103,6 +107,13 @@ from ansible.module_utils.basic import AnsibleModule
|
||||||
from ansible.module_utils._text import to_native
|
from ansible.module_utils._text import to_native
|
||||||
import ansible.module_utils.netapp as netapp_utils
|
import ansible.module_utils.netapp as netapp_utils
|
||||||
from ansible.module_utils.netapp_module import NetAppModule
|
from ansible.module_utils.netapp_module import NetAppModule
|
||||||
|
try:
|
||||||
|
import ipaddress
|
||||||
|
HAS_IPADDRESS_LIB = True
|
||||||
|
except ImportError:
|
||||||
|
HAS_IPADDRESS_LIB = False
|
||||||
|
|
||||||
|
import sys
|
||||||
|
|
||||||
HAS_NETAPP_LIB = netapp_utils.has_netapp_lib()
|
HAS_NETAPP_LIB = netapp_utils.has_netapp_lib()
|
||||||
|
|
||||||
|
@ -113,16 +124,20 @@ class NetAppONTAPFirewallPolicy(object):
|
||||||
self.argument_spec.update(dict(
|
self.argument_spec.update(dict(
|
||||||
state=dict(required=False, choices=['present', 'absent'], default='present'),
|
state=dict(required=False, choices=['present', 'absent'], default='present'),
|
||||||
allow_list=dict(required=False, type="list"),
|
allow_list=dict(required=False, type="list"),
|
||||||
policy=dict(required=True, type='str'),
|
policy=dict(required=False, type='str'),
|
||||||
service=dict(required=True, type='str', choices=['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']),
|
service=dict(required=False, type='str', choices=['dns', 'http', 'https', 'ndmp',
|
||||||
vserver=dict(required=True, type="str"),
|
'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']),
|
||||||
enable=dict(required=False, type="str", choices=['enable', 'disable'], default='enable'),
|
vserver=dict(required=False, type="str"),
|
||||||
logging=dict(required=False, type="str", choices=["enable", 'disable'], default='disable'),
|
enable=dict(required=False, type="str", choices=['enable', 'disable']),
|
||||||
node=dict(required=True, type="str")
|
logging=dict(required=False, type="str", choices=['enable', 'disable']),
|
||||||
|
node=dict(required=False, type="str")
|
||||||
))
|
))
|
||||||
|
|
||||||
self.module = AnsibleModule(
|
self.module = AnsibleModule(
|
||||||
argument_spec=self.argument_spec,
|
argument_spec=self.argument_spec,
|
||||||
|
required_together=(['policy', 'service', 'vserver'],
|
||||||
|
['enable', 'node']
|
||||||
|
),
|
||||||
supports_check_mode=True
|
supports_check_mode=True
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -133,33 +148,32 @@ class NetAppONTAPFirewallPolicy(object):
|
||||||
self.module.fail_json(msg="the python NetApp-Lib module is required")
|
self.module.fail_json(msg="the python NetApp-Lib module is required")
|
||||||
else:
|
else:
|
||||||
self.server = netapp_utils.setup_na_ontap_zapi(module=self.module)
|
self.server = netapp_utils.setup_na_ontap_zapi(module=self.module)
|
||||||
|
|
||||||
|
if HAS_IPADDRESS_LIB is False:
|
||||||
|
self.module.fail_json(msg="the python ipaddress lib is required for this module")
|
||||||
return
|
return
|
||||||
|
|
||||||
def create_firewall_policy(self):
|
def validate_ip_addresses(self):
|
||||||
"""
|
'''
|
||||||
Create a firewall policy
|
Validate if the given IP address is a network address (i.e. it's host bits are set to 0)
|
||||||
:return: Nothing
|
ONTAP doesn't validate if the host bits are set,
|
||||||
"""
|
and hence doesn't add a new address unless the IP is from a different network.
|
||||||
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-create")
|
So this validation allows the module to be idempotent.
|
||||||
net_firewall_policy_obj = self.create_modify_policy(net_firewall_policy_obj)
|
|
||||||
try:
|
|
||||||
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
|
|
||||||
except netapp_utils.zapi.NaApiError as error:
|
|
||||||
self.module.fail_json(msg="Error creating Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
|
|
||||||
|
|
||||||
def destroy_firewall_policy(self):
|
|
||||||
"""
|
|
||||||
Destroy a Firewall Policy
|
|
||||||
:return: None
|
:return: None
|
||||||
"""
|
'''
|
||||||
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-destroy")
|
for ip in self.parameters['allow_list']:
|
||||||
net_firewall_policy_obj.add_new_child('policy', self.parameters['policy'])
|
# create an IPv4 object for current IP address
|
||||||
net_firewall_policy_obj.add_new_child('service', self.parameters['service'])
|
if sys.version_info[0] >= 3:
|
||||||
net_firewall_policy_obj.add_new_child('vserver', self.parameters['vserver'])
|
ip_addr = str(ip)
|
||||||
|
else:
|
||||||
|
ip_addr = unicode(ip) # pylint: disable=undefined-variable
|
||||||
|
# get network address from netmask, throw exception if address is not a network address
|
||||||
try:
|
try:
|
||||||
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
|
ipaddress.ip_network(ip_addr)
|
||||||
except netapp_utils.zapi.NaApiError as error:
|
except ValueError as exc:
|
||||||
self.module.fail_json(msg="Error destroying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
|
self.module.fail_json(msg='Error: Invalid IP address value for allow_list parameter.'
|
||||||
|
'Please specify a network address without host bits set: %s'
|
||||||
|
% (to_native(exc)))
|
||||||
|
|
||||||
def get_firewall_policy(self):
|
def get_firewall_policy(self):
|
||||||
"""
|
"""
|
||||||
|
@ -167,147 +181,161 @@ class NetAppONTAPFirewallPolicy(object):
|
||||||
:return: returns a firewall policy object, or returns False if there are none
|
:return: returns a firewall policy object, or returns False if there are none
|
||||||
"""
|
"""
|
||||||
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-get-iter")
|
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-get-iter")
|
||||||
net_firewall_policy_info = netapp_utils.zapi.NaElement("net-firewall-policy-info")
|
attributes = {
|
||||||
query = netapp_utils.zapi.NaElement('query')
|
'query': {
|
||||||
net_firewall_policy_info.add_new_child('policy', self.parameters['policy'])
|
'net-firewall-policy-info': self.firewall_policy_attributes()
|
||||||
query.add_child_elem(net_firewall_policy_info)
|
}
|
||||||
net_firewall_policy_obj.add_child_elem(query)
|
}
|
||||||
result = self.server.invoke_successfully(net_firewall_policy_obj, True)
|
net_firewall_policy_obj.translate_struct(attributes)
|
||||||
if result.get_child_by_name('num-records') and \
|
|
||||||
int(result.get_child_content('num-records')) == 1:
|
|
||||||
return result
|
|
||||||
return False
|
|
||||||
|
|
||||||
def modify_firewall_policy(self):
|
try:
|
||||||
|
result = self.server.invoke_successfully(net_firewall_policy_obj, True)
|
||||||
|
except netapp_utils.zapi.NaApiError as error:
|
||||||
|
self.module.fail_json(msg="Error getting firewall policy %s:%s" % (self.parameters['policy'],
|
||||||
|
to_native(error)),
|
||||||
|
exception=traceback.format_exc())
|
||||||
|
|
||||||
|
if result.get_child_by_name('num-records') and int(result.get_child_content('num-records')) >= 1:
|
||||||
|
attributes_list = result.get_child_by_name('attributes-list')
|
||||||
|
policy_info = attributes_list.get_child_by_name('net-firewall-policy-info')
|
||||||
|
ips = self.na_helper.get_value_for_list(from_zapi=True,
|
||||||
|
zapi_parent=policy_info.get_child_by_name('allow-list'))
|
||||||
|
return {
|
||||||
|
'service': policy_info['service'],
|
||||||
|
'allow_list': ips}
|
||||||
|
return None
|
||||||
|
|
||||||
|
def create_firewall_policy(self):
|
||||||
"""
|
"""
|
||||||
Modify a firewall Policy
|
Create a firewall policy for given vserver
|
||||||
|
:return: None
|
||||||
|
"""
|
||||||
|
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-create")
|
||||||
|
net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes())
|
||||||
|
if self.parameters.get('allow_list'):
|
||||||
|
self.validate_ip_addresses()
|
||||||
|
net_firewall_policy_obj.add_child_elem(self.na_helper.get_value_for_list(from_zapi=False,
|
||||||
|
zapi_parent='allow-list',
|
||||||
|
zapi_child='ip-and-mask',
|
||||||
|
data=self.parameters['allow_list'])
|
||||||
|
)
|
||||||
|
try:
|
||||||
|
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
|
||||||
|
except netapp_utils.zapi.NaApiError as error:
|
||||||
|
self.module.fail_json(msg="Error creating Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
|
||||||
|
|
||||||
|
def destroy_firewall_policy(self):
|
||||||
|
"""
|
||||||
|
Destroy a Firewall Policy from a vserver
|
||||||
|
:return: None
|
||||||
|
"""
|
||||||
|
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-destroy")
|
||||||
|
net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes())
|
||||||
|
try:
|
||||||
|
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
|
||||||
|
except netapp_utils.zapi.NaApiError as error:
|
||||||
|
self.module.fail_json(msg="Error destroying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
|
||||||
|
|
||||||
|
def modify_firewall_policy(self, modify):
|
||||||
|
"""
|
||||||
|
Modify a firewall Policy on a vserver
|
||||||
:return: none
|
:return: none
|
||||||
"""
|
"""
|
||||||
|
self.validate_ip_addresses()
|
||||||
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-modify")
|
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-modify")
|
||||||
net_firewall_policy_obj = self.create_modify_policy(net_firewall_policy_obj)
|
net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes())
|
||||||
|
net_firewall_policy_obj.add_child_elem(self.na_helper.get_value_for_list(from_zapi=False,
|
||||||
|
zapi_parent='allow-list',
|
||||||
|
zapi_child='ip-and-mask',
|
||||||
|
data=modify['allow_list']))
|
||||||
try:
|
try:
|
||||||
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
|
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
|
||||||
except netapp_utils.zapi.NaApiError as error:
|
except netapp_utils.zapi.NaApiError as error:
|
||||||
self.module.fail_json(msg="Error modifying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
|
self.module.fail_json(msg="Error modifying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
|
||||||
|
|
||||||
def create_modify_policy(self, net_firewall_policy_obj):
|
def firewall_policy_attributes(self):
|
||||||
"""
|
return {
|
||||||
Set up the parameters for creating or modifying a policy
|
'policy': self.parameters['policy'],
|
||||||
:param net_firewall_policy_obj: The Firewall policy to modify
|
'service': self.parameters['service'],
|
||||||
:return:
|
'vserver': self.parameters['vserver'],
|
||||||
"""
|
}
|
||||||
net_firewall_policy_obj.add_new_child('policy', self.parameters['policy'])
|
|
||||||
net_firewall_policy_obj.add_new_child('service', self.parameters['service'])
|
|
||||||
net_firewall_policy_obj.add_new_child('vserver', self.parameters['vserver'])
|
|
||||||
allow_ip_list = netapp_utils.zapi.NaElement("allow-list")
|
|
||||||
for each in self.parameters['allow_list']:
|
|
||||||
net_firewall_policy_ip = netapp_utils.zapi.NaElement("ip-and-mask")
|
|
||||||
net_firewall_policy_ip.set_content(each)
|
|
||||||
allow_ip_list.add_child_elem(net_firewall_policy_ip)
|
|
||||||
net_firewall_policy_obj.add_child_elem(allow_ip_list)
|
|
||||||
return net_firewall_policy_obj
|
|
||||||
|
|
||||||
def get_firewall_config(self):
|
def get_firewall_config_for_node(self):
|
||||||
"""
|
"""
|
||||||
Get a firewall configuration
|
Get firewall configuration on the node
|
||||||
:return: the firewall configuration
|
:return: dict() with firewall config details
|
||||||
"""
|
"""
|
||||||
|
if self.parameters.get('logging'):
|
||||||
|
if self.parameters.get('node') is None:
|
||||||
|
self.module.fail_json(msg='Error: Missing parameter \'node\' to modify firewall logging')
|
||||||
net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-get")
|
net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-get")
|
||||||
net_firewall_config_obj.add_new_child('node-name', self.parameters['node'])
|
net_firewall_config_obj.add_new_child('node-name', self.parameters['node'])
|
||||||
try:
|
try:
|
||||||
result = self.server.invoke_successfully(net_firewall_config_obj, True)
|
result = self.server.invoke_successfully(net_firewall_config_obj, True)
|
||||||
except netapp_utils.zapi.NaApiError as error:
|
except netapp_utils.zapi.NaApiError as error:
|
||||||
self.module.fail_json(msg="Error getting Firewall Configuration: %s" % (to_native(error)), exception=traceback.format_exc())
|
self.module.fail_json(msg="Error getting Firewall Configuration: %s" % (to_native(error)),
|
||||||
return result
|
exception=traceback.format_exc())
|
||||||
|
if result.get_child_by_name('attributes'):
|
||||||
|
firewall_info = result['attributes'].get_child_by_name('net-firewall-config-info')
|
||||||
|
return {'enable': self.change_status_to_bool(firewall_info.get_child_content('is-enabled'), to_zapi=False),
|
||||||
|
'logging': self.change_status_to_bool(firewall_info.get_child_content('is-logging'), to_zapi=False)}
|
||||||
|
return None
|
||||||
|
|
||||||
def check_policy(self, policy):
|
def modify_firewall_config(self, modify):
|
||||||
"""
|
"""
|
||||||
Check to see if a policy has been changed or not
|
Modify the configuration of a firewall on node
|
||||||
:param policy: policy to check
|
:return: None
|
||||||
:return: True if the policy has changed, False if there are no changes
|
|
||||||
"""
|
|
||||||
changed = False
|
|
||||||
attributes_list = policy.get_child_by_name('attributes-list')
|
|
||||||
policy_info = attributes_list.get_child_by_name('net-firewall-policy-info')
|
|
||||||
allow_list = policy_info.get_child_by_name('allow-list')
|
|
||||||
for each in allow_list.get_children():
|
|
||||||
if each.get_content() not in self.parameters['allow_list']:
|
|
||||||
changed = True
|
|
||||||
if self.parameters['service'] != policy_info.get_child_by_name('service').get_content():
|
|
||||||
changed = True
|
|
||||||
if self.parameters['policy'] != policy_info.get_child_by_name('policy').get_content():
|
|
||||||
changed = True
|
|
||||||
return changed
|
|
||||||
|
|
||||||
def modify_firewall_config(self):
|
|
||||||
"""
|
|
||||||
Modify the configuration of a firewall
|
|
||||||
:return: none
|
|
||||||
"""
|
"""
|
||||||
net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-modify")
|
net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-modify")
|
||||||
net_firewall_config_obj.add_new_child('node-name', self.parameters['node'])
|
net_firewall_config_obj.add_new_child('node-name', self.parameters['node'])
|
||||||
net_firewall_config_obj.add_new_child('is-enabled', self.parameters['enable'])
|
if modify.get('enable'):
|
||||||
net_firewall_config_obj.add_new_child('is-logging', self.parameters['logging'])
|
net_firewall_config_obj.add_new_child('is-enabled', self.change_status_to_bool(self.parameters['enable']))
|
||||||
|
if modify.get('logging'):
|
||||||
|
net_firewall_config_obj.add_new_child('is-logging', self.change_status_to_bool(self.parameters['logging']))
|
||||||
try:
|
try:
|
||||||
self.server.invoke_successfully(net_firewall_config_obj, enable_tunneling=True)
|
self.server.invoke_successfully(net_firewall_config_obj, enable_tunneling=True)
|
||||||
except netapp_utils.zapi.NaApiError as error:
|
except netapp_utils.zapi.NaApiError as error:
|
||||||
self.module.fail_json(msg="Error modifying Firewall Config: %s" % (to_native(error)), exception=traceback.format_exc())
|
self.module.fail_json(msg="Error modifying Firewall Config: %s" % (to_native(error)),
|
||||||
|
exception=traceback.format_exc())
|
||||||
|
|
||||||
def check_config(self, config):
|
def change_status_to_bool(self, input, to_zapi=True):
|
||||||
"""
|
if to_zapi:
|
||||||
check to see if a firewall configuration has changed or not
|
return 'true' if input == 'enable' else 'false'
|
||||||
:param config: The configuration to check
|
|
||||||
:return: true if it has changed, false if it has not
|
|
||||||
"""
|
|
||||||
changed = False
|
|
||||||
attributes_list = config.get_child_by_name('attributes')
|
|
||||||
firewall_info = attributes_list.get_child_by_name('net-firewall-config-info')
|
|
||||||
enable = firewall_info.get_child_by_name('is-enabled')
|
|
||||||
logging = firewall_info.get_child_by_name('is-logging')
|
|
||||||
if self.parameters['enable'] == 'enable':
|
|
||||||
is_enable = "true"
|
|
||||||
else:
|
else:
|
||||||
is_enable = "false"
|
return 'enable' if input == 'true' else 'disable'
|
||||||
if enable != is_enable:
|
|
||||||
changed = True
|
|
||||||
if self.parameters['logging'] == 'logging':
|
|
||||||
is_logging = "true"
|
|
||||||
else:
|
|
||||||
is_logging = "false"
|
|
||||||
if logging != is_logging:
|
|
||||||
changed = True
|
|
||||||
return changed
|
|
||||||
|
|
||||||
def apply(self):
|
def autosupport_log(self):
|
||||||
results = netapp_utils.get_cserver(self.server)
|
results = netapp_utils.get_cserver(self.server)
|
||||||
cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results)
|
cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results)
|
||||||
netapp_utils.ems_log_event("na_ontap_firewall_policy", cserver)
|
netapp_utils.ems_log_event("na_ontap_firewall_policy", cserver)
|
||||||
changed = False
|
|
||||||
if self.parameters['state'] == 'present':
|
def apply(self):
|
||||||
policy = self.get_firewall_policy()
|
self.autosupport_log()
|
||||||
if not policy:
|
cd_action, modify, modify_config = None, None, None
|
||||||
|
if self.parameters.get('policy'):
|
||||||
|
current = self.get_firewall_policy()
|
||||||
|
cd_action = self.na_helper.get_cd_action(current, self.parameters)
|
||||||
|
if cd_action is None and self.parameters['state'] == 'present':
|
||||||
|
modify = self.na_helper.get_modified_attributes(current, self.parameters)
|
||||||
|
if self.parameters.get('node'):
|
||||||
|
current_config = self.get_firewall_config_for_node()
|
||||||
|
# firewall config for a node is always present, we cannot create or delete a firewall on a node
|
||||||
|
modify_config = self.na_helper.get_modified_attributes(current_config, self.parameters)
|
||||||
|
|
||||||
|
if self.na_helper.changed:
|
||||||
|
if self.module.check_mode:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
if cd_action == 'create':
|
||||||
self.create_firewall_policy()
|
self.create_firewall_policy()
|
||||||
if not self.check_config(self.get_firewall_config()):
|
elif cd_action == 'delete':
|
||||||
self.modify_firewall_config()
|
|
||||||
changed = True
|
|
||||||
else:
|
|
||||||
if self.check_policy(policy):
|
|
||||||
self.modify_firewall_policy()
|
|
||||||
changed = True
|
|
||||||
if not self.check_config(self.get_firewall_config()):
|
|
||||||
self.modify_firewall_config()
|
|
||||||
changed = True
|
|
||||||
else:
|
|
||||||
if self.get_firewall_policy():
|
|
||||||
self.destroy_firewall_policy()
|
self.destroy_firewall_policy()
|
||||||
if not self.check_config(self.get_firewall_config()):
|
|
||||||
self.modify_firewall_config()
|
|
||||||
changed = True
|
|
||||||
else:
|
else:
|
||||||
if not self.check_config(self.get_firewall_config()):
|
if modify:
|
||||||
self.modify_firewall_config()
|
self.modify_firewall_policy(modify)
|
||||||
changed = True
|
if modify_config:
|
||||||
self.module.exit_json(changed=changed)
|
self.modify_firewall_config(modify_config)
|
||||||
|
self.module.exit_json(changed=self.na_helper.changed)
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
|
|
|
@ -0,0 +1,286 @@
|
||||||
|
# (c) 2018, NetApp, Inc
|
||||||
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
|
|
||||||
|
''' unit test template for ONTAP Ansible module '''
|
||||||
|
|
||||||
|
from __future__ import print_function
|
||||||
|
import json
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
from units.compat import unittest
|
||||||
|
from units.compat.mock import patch, Mock
|
||||||
|
from ansible.module_utils import basic
|
||||||
|
from ansible.module_utils._text import to_bytes
|
||||||
|
import ansible.module_utils.netapp as netapp_utils
|
||||||
|
|
||||||
|
from ansible.modules.storage.netapp.na_ontap_firewall_policy \
|
||||||
|
import NetAppONTAPFirewallPolicy as fp_module # module under test
|
||||||
|
|
||||||
|
if not netapp_utils.has_netapp_lib():
|
||||||
|
pytestmark = pytest.mark.skip('skipping as missing required netapp_lib')
|
||||||
|
|
||||||
|
|
||||||
|
def set_module_args(args):
|
||||||
|
"""prepare arguments so that they will be picked up during module creation"""
|
||||||
|
args = json.dumps({'ANSIBLE_MODULE_ARGS': args})
|
||||||
|
basic._ANSIBLE_ARGS = to_bytes(args) # pylint: disable=protected-access
|
||||||
|
|
||||||
|
|
||||||
|
class AnsibleExitJson(Exception):
|
||||||
|
"""Exception class to be raised by module.exit_json and caught by the test case"""
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class AnsibleFailJson(Exception):
|
||||||
|
"""Exception class to be raised by module.fail_json and caught by the test case"""
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
def exit_json(*args, **kwargs): # pylint: disable=unused-argument
|
||||||
|
"""function to patch over exit_json; package return data into an exception"""
|
||||||
|
if 'changed' not in kwargs:
|
||||||
|
kwargs['changed'] = False
|
||||||
|
raise AnsibleExitJson(kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
def fail_json(*args, **kwargs): # pylint: disable=unused-argument
|
||||||
|
"""function to patch over fail_json; package return data into an exception"""
|
||||||
|
kwargs['failed'] = True
|
||||||
|
raise AnsibleFailJson(kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
class MockONTAPConnection(object):
|
||||||
|
''' mock server connection to ONTAP host '''
|
||||||
|
|
||||||
|
def __init__(self, kind=None, data=None):
|
||||||
|
''' save arguments '''
|
||||||
|
self.kind = kind
|
||||||
|
self.data = data
|
||||||
|
self.xml_in = None
|
||||||
|
self.xml_out = None
|
||||||
|
|
||||||
|
def invoke_successfully(self, xml, enable_tunneling): # pylint: disable=unused-argument
|
||||||
|
''' mock invoke_successfully returning xml data '''
|
||||||
|
self.xml_in = xml
|
||||||
|
if self.kind == 'policy':
|
||||||
|
xml = self.build_policy_info(self.data)
|
||||||
|
if self.kind == 'config':
|
||||||
|
xml = self.build_firewall_config_info(self.data)
|
||||||
|
self.xml_out = xml
|
||||||
|
return xml
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def build_policy_info(data):
|
||||||
|
''' build xml data for net-firewall-policy-info '''
|
||||||
|
xml = netapp_utils.zapi.NaElement('xml')
|
||||||
|
attributes = {
|
||||||
|
'num-records': 1,
|
||||||
|
'attributes-list': {
|
||||||
|
'net-firewall-policy-info': {
|
||||||
|
'policy': data['policy'],
|
||||||
|
'service': data['service'],
|
||||||
|
'allow-list': [
|
||||||
|
{'ip-and-mask': '1.2.3.0/24'}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
xml.translate_struct(attributes)
|
||||||
|
return xml
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def build_firewall_config_info(data):
|
||||||
|
''' build xml data for net-firewall-config-info '''
|
||||||
|
xml = netapp_utils.zapi.NaElement('xml')
|
||||||
|
attributes = {
|
||||||
|
'attributes': {
|
||||||
|
'net-firewall-config-info': {
|
||||||
|
'is-enabled': 'true',
|
||||||
|
'is-logging': 'false'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
xml.translate_struct(attributes)
|
||||||
|
return xml
|
||||||
|
|
||||||
|
|
||||||
|
class TestMyModule(unittest.TestCase):
|
||||||
|
''' a group of related Unit Tests '''
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
self.mock_module_helper = patch.multiple(basic.AnsibleModule,
|
||||||
|
exit_json=exit_json,
|
||||||
|
fail_json=fail_json)
|
||||||
|
self.mock_module_helper.start()
|
||||||
|
self.addCleanup(self.mock_module_helper.stop)
|
||||||
|
self.mock_policy = {
|
||||||
|
'policy': 'test',
|
||||||
|
'service': 'http',
|
||||||
|
'vserver': 'my_vserver',
|
||||||
|
'allow_list': '1.2.3.0/24'
|
||||||
|
}
|
||||||
|
self.mock_config = {
|
||||||
|
'node': 'test',
|
||||||
|
'enable': 'enable',
|
||||||
|
'logging': 'enable'
|
||||||
|
}
|
||||||
|
|
||||||
|
def mock_policy_args(self):
|
||||||
|
return {
|
||||||
|
'policy': self.mock_policy['policy'],
|
||||||
|
'service': self.mock_policy['service'],
|
||||||
|
'vserver': self.mock_policy['vserver'],
|
||||||
|
'allow_list': [self.mock_policy['allow_list']],
|
||||||
|
'hostname': 'test',
|
||||||
|
'username': 'test_user',
|
||||||
|
'password': 'test_pass!'
|
||||||
|
}
|
||||||
|
|
||||||
|
def mock_config_args(self):
|
||||||
|
return {
|
||||||
|
'node': self.mock_config['node'],
|
||||||
|
'enable': self.mock_config['enable'],
|
||||||
|
'logging': self.mock_config['logging'],
|
||||||
|
'hostname': 'test',
|
||||||
|
'username': 'test_user',
|
||||||
|
'password': 'test_pass!'
|
||||||
|
}
|
||||||
|
|
||||||
|
def get_mock_object(self, kind=None):
|
||||||
|
"""
|
||||||
|
Helper method to return an na_ontap_firewall_policy object
|
||||||
|
:param kind: passes this param to MockONTAPConnection()
|
||||||
|
:return: na_ontap_firewall_policy object
|
||||||
|
"""
|
||||||
|
obj = fp_module()
|
||||||
|
obj.autosupport_log = Mock(return_value=None)
|
||||||
|
if kind is None:
|
||||||
|
obj.server = MockONTAPConnection()
|
||||||
|
else:
|
||||||
|
mock_data = self.mock_config if kind == 'config' else self.mock_policy
|
||||||
|
obj.server = MockONTAPConnection(kind=kind, data=mock_data)
|
||||||
|
return obj
|
||||||
|
|
||||||
|
def test_module_fail_when_required_args_missing(self):
|
||||||
|
''' required arguments are reported as errors '''
|
||||||
|
with pytest.raises(AnsibleFailJson) as exc:
|
||||||
|
set_module_args({})
|
||||||
|
fp_module()
|
||||||
|
print('Info: %s' % exc.value.args[0]['msg'])
|
||||||
|
|
||||||
|
def test_helper_firewall_policy_attributes(self):
|
||||||
|
''' helper returns dictionary with vserver, service and policy details '''
|
||||||
|
data = self.mock_policy
|
||||||
|
set_module_args(self.mock_policy_args())
|
||||||
|
result = self.get_mock_object('policy').firewall_policy_attributes()
|
||||||
|
del data['allow_list']
|
||||||
|
assert data == result
|
||||||
|
|
||||||
|
def test_helper_validate_ip_addresses_positive(self):
|
||||||
|
''' test if helper validates if IP is a network address '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
data['allow_list'] = ['1.2.0.0/16', '1.2.3.0/24']
|
||||||
|
set_module_args(data)
|
||||||
|
result = self.get_mock_object().validate_ip_addresses()
|
||||||
|
assert result is None
|
||||||
|
|
||||||
|
def test_helper_validate_ip_addresses_negative(self):
|
||||||
|
''' test if helper validates if IP is a network address '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
data['allow_list'] = ['1.2.0.10/16', '1.2.3.0/24']
|
||||||
|
set_module_args(data)
|
||||||
|
with pytest.raises(AnsibleFailJson) as exc:
|
||||||
|
self.get_mock_object().validate_ip_addresses()
|
||||||
|
msg = 'Error: Invalid IP address value for allow_list parameter.' \
|
||||||
|
'Please specify a network address without host bits set: ' \
|
||||||
|
'1.2.0.10/16 has host bits set'
|
||||||
|
assert exc.value.args[0]['msg'] == msg
|
||||||
|
|
||||||
|
def test_get_nonexistent_policy(self):
|
||||||
|
''' Test if get_firewall_policy returns None for non-existent policy '''
|
||||||
|
set_module_args(self.mock_policy_args())
|
||||||
|
result = self.get_mock_object().get_firewall_policy()
|
||||||
|
assert result is None
|
||||||
|
|
||||||
|
def test_get_existing_policy(self):
|
||||||
|
''' Test if get_firewall_policy returns policy details for existing policy '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
set_module_args(data)
|
||||||
|
result = self.get_mock_object('policy').get_firewall_policy()
|
||||||
|
assert result['service'] == data['service']
|
||||||
|
assert result['allow_list'] == ['1.2.3.0/24'] # from build_policy_info()
|
||||||
|
|
||||||
|
def test_successful_create(self):
|
||||||
|
''' Test successful create '''
|
||||||
|
set_module_args(self.mock_policy_args())
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object().apply()
|
||||||
|
assert exc.value.args[0]['changed']
|
||||||
|
|
||||||
|
def test_create_idempotency(self):
|
||||||
|
''' Test create idempotency '''
|
||||||
|
set_module_args(self.mock_policy_args())
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object('policy').apply()
|
||||||
|
assert not exc.value.args[0]['changed']
|
||||||
|
|
||||||
|
def test_successful_delete(self):
|
||||||
|
''' Test delete existing job '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
data['state'] = 'absent'
|
||||||
|
set_module_args(data)
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object('policy').apply()
|
||||||
|
assert exc.value.args[0]['changed']
|
||||||
|
|
||||||
|
def test_delete_idempotency(self):
|
||||||
|
''' Test delete idempotency '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
data['state'] = 'absent'
|
||||||
|
set_module_args(data)
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object().apply()
|
||||||
|
assert not exc.value.args[0]['changed']
|
||||||
|
|
||||||
|
def test_successful_modify(self):
|
||||||
|
''' Test successful modify allow_list '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
data['allow_list'] = ['1.2.0.0/16']
|
||||||
|
set_module_args(data)
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object('policy').apply()
|
||||||
|
assert exc.value.args[0]['changed']
|
||||||
|
|
||||||
|
def test_successful_modify_mutiple_ips(self):
|
||||||
|
''' Test successful modify allow_list '''
|
||||||
|
data = self.mock_policy_args()
|
||||||
|
data['allow_list'] = ['1.2.0.0/16', '1.0.0.0/8']
|
||||||
|
set_module_args(data)
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object('policy').apply()
|
||||||
|
assert exc.value.args[0]['changed']
|
||||||
|
|
||||||
|
def test_get_nonexistent_config(self):
|
||||||
|
''' Test if get_firewall_config returns None for non-existent node '''
|
||||||
|
set_module_args(self.mock_config_args())
|
||||||
|
result = self.get_mock_object().get_firewall_config_for_node()
|
||||||
|
assert result is None
|
||||||
|
|
||||||
|
def test_get_existing_config(self):
|
||||||
|
''' Test if get_firewall_config returns policy details for existing node '''
|
||||||
|
data = self.mock_config_args()
|
||||||
|
set_module_args(data)
|
||||||
|
result = self.get_mock_object('config').get_firewall_config_for_node()
|
||||||
|
assert result['enable'] == 'enable' # from build_config_info()
|
||||||
|
assert result['logging'] == 'disable' # from build_config_info()
|
||||||
|
|
||||||
|
def test_successful_modify_config(self):
|
||||||
|
''' Test successful modify allow_list '''
|
||||||
|
data = self.mock_config_args()
|
||||||
|
data['enable'] = 'disable'
|
||||||
|
data['logging'] = 'enable'
|
||||||
|
set_module_args(data)
|
||||||
|
with pytest.raises(AnsibleExitJson) as exc:
|
||||||
|
self.get_mock_object('config').apply()
|
||||||
|
assert exc.value.args[0]['changed']
|
Loading…
Reference in a new issue