From 513724c0a5ba1aaef30d64cbd1afd713a9f550ff Mon Sep 17 00:00:00 2001
From: Marc Abramowitz <marc@marc-abramowitz.com>
Date: Mon, 23 Mar 2015 14:26:11 -0700
Subject: [PATCH] Add `validate_certs` param to bigip_* modules

Ignoring SSL cert verification may be necessary when testing with a
server that has a self-signed certificate.

See
https://github.com/ansible/ansible-modules-extras/pull/288#issuecomment-85196736
---
 network/f5/bigip_facts.py        | 19 +++++++++++++++++++
 network/f5/bigip_monitor_http.py | 21 +++++++++++++++++++++
 network/f5/bigip_monitor_tcp.py  | 21 +++++++++++++++++++++
 network/f5/bigip_node.py         | 19 +++++++++++++++++++
 network/f5/bigip_pool.py         | 19 +++++++++++++++++++
 network/f5/bigip_pool_member.py  | 19 +++++++++++++++++++
 6 files changed, 118 insertions(+)

diff --git a/network/f5/bigip_facts.py b/network/f5/bigip_facts.py
index 99a1e31de68..d5f63695a61 100755
--- a/network/f5/bigip_facts.py
+++ b/network/f5/bigip_facts.py
@@ -56,6 +56,14 @@ options:
         default: null
         choices: []
         aliases: []
+    validate_certs:
+        description:
+            - If C(no), SSL certificates will not be validated. This should only be used
+              on personally controlled sites using self-signed certificates.
+        required: false
+        default: 'yes'
+        choices: ['yes', 'no']
+        version_added: 1.9.1
     session:
         description:
             - BIG-IP session support; may be useful to avoid concurrency
@@ -1566,6 +1574,12 @@ def generate_software_list(f5):
     software_list = software.get_all_software_status()
     return software_list
 
+def disable_ssl_cert_validation():
+    # You probably only want to do this for testing and never in production.
+    # From https://www.python.org/dev/peps/pep-0476/#id29
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
 
 def main():
     module = AnsibleModule(
@@ -1573,6 +1587,7 @@ def main():
             server = dict(type='str', required=True),
             user = dict(type='str', required=True),
             password = dict(type='str', required=True),
+            validate_certs = dict(default='yes', type='bool'),
             session = dict(type='bool', default=False),
             include = dict(type='list', required=True),
             filter = dict(type='str', required=False),
@@ -1585,6 +1600,7 @@ def main():
     server = module.params['server']
     user = module.params['user']
     password = module.params['password']
+    validate_certs = module.params['validate_certs']
     session = module.params['session']
     fact_filter = module.params['filter']
     if fact_filter:
@@ -1601,6 +1617,9 @@ def main():
     if not all(include_test):
         module.fail_json(msg="value of include must be one or more of: %s, got: %s" % (",".join(valid_includes), ",".join(include)))
 
+    if not validate_certs:
+        disable_ssl_cert_validation()
+
     try:
         facts = {}
 
diff --git a/network/f5/bigip_monitor_http.py b/network/f5/bigip_monitor_http.py
index 62823f86579..dd20fb04d74 100644
--- a/network/f5/bigip_monitor_http.py
+++ b/network/f5/bigip_monitor_http.py
@@ -51,6 +51,14 @@ options:
             - BIG-IP password
         required: true
         default: null
+    validate_certs:
+        description:
+            - If C(no), SSL certificates will not be validated. This should only be used
+              on personally controlled sites using self-signed certificates.
+        required: false
+        default: 'yes'
+        choices: ['yes', 'no']
+        version_added: 1.9.1
     state:
         description:
             - Monitor state
@@ -177,6 +185,14 @@ def bigip_api(bigip, user, password):
     return api
 
 
+def disable_ssl_cert_validation():
+
+    # You probably only want to do this for testing and never in production.
+    # From https://www.python.org/dev/peps/pep-0476/#id29
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
+
 def check_monitor_exists(module, api, monitor, parent):
 
     # hack to determine if monitor exists
@@ -311,6 +327,7 @@ def main():
             server    = dict(required=True),
             user      = dict(required=True),
             password  = dict(required=True),
+            validate_certs = dict(default='yes', type='bool'),
             partition = dict(default='Common'),
             state     = dict(default='present', choices=['present', 'absent']),
             name      = dict(required=True),
@@ -331,6 +348,7 @@ def main():
     server = module.params['server']
     user = module.params['user']
     password = module.params['password']
+    validate_certs = module.params['validate_certs']
     partition = module.params['partition']
     parent_partition = module.params['parent_partition']
     state = module.params['state']
@@ -348,6 +366,9 @@ def main():
 
     # end monitor specific stuff
 
+    if not validate_certs:
+        disable_ssl_cert_validation()
+
     if not bigsuds_found:
         module.fail_json(msg="the python bigsuds module is required")
     api = bigip_api(server, user, password)
diff --git a/network/f5/bigip_monitor_tcp.py b/network/f5/bigip_monitor_tcp.py
index 8b89a0c6113..78a51f2529b 100644
--- a/network/f5/bigip_monitor_tcp.py
+++ b/network/f5/bigip_monitor_tcp.py
@@ -49,6 +49,14 @@ options:
             - BIG-IP password
         required: true
         default: null
+    validate_certs:
+        description:
+            - If C(no), SSL certificates will not be validated. This should only be used
+              on personally controlled sites using self-signed certificates.
+        required: false
+        default: 'yes'
+        choices: ['yes', 'no']
+        version_added: 1.9.1
     state:
         description:
             - Monitor state
@@ -196,6 +204,14 @@ def bigip_api(bigip, user, password):
     return api
 
 
+def disable_ssl_cert_validation():
+
+    # You probably only want to do this for testing and never in production.
+    # From https://www.python.org/dev/peps/pep-0476/#id29
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
+
 def check_monitor_exists(module, api, monitor, parent):
 
     # hack to determine if monitor exists
@@ -331,6 +347,7 @@ def main():
             server    = dict(required=True),
             user      = dict(required=True),
             password  = dict(required=True),
+            validate_certs = dict(default='yes', type='bool'),
             partition = dict(default='Common'),
             state     = dict(default='present', choices=['present', 'absent']),
             name      = dict(required=True),
@@ -351,6 +368,7 @@ def main():
     server = module.params['server']
     user = module.params['user']
     password = module.params['password']
+    validate_certs = module.params['validate_certs']
     partition = module.params['partition']
     parent_partition = module.params['parent_partition']
     state = module.params['state']
@@ -372,6 +390,9 @@ def main():
 
     # end monitor specific stuff
 
+    if not validate_certs:
+        disable_ssl_cert_validation()
+
     if not bigsuds_found:
         module.fail_json(msg="the python bigsuds module is required")
     api = bigip_api(server, user, password)
diff --git a/network/f5/bigip_node.py b/network/f5/bigip_node.py
index 68b6a2b52f1..c45a7f12d5c 100644
--- a/network/f5/bigip_node.py
+++ b/network/f5/bigip_node.py
@@ -54,6 +54,14 @@ options:
         default: null
         choices: []
         aliases: []
+    validate_certs:
+        description:
+            - If C(no), SSL certificates will not be validated. This should only be used
+              on personally controlled sites using self-signed certificates.
+        required: false
+        default: 'yes'
+        choices: ['yes', 'no']
+        version_added: 1.9.1
     state:
         description:
             - Pool member state
@@ -154,6 +162,12 @@ def bigip_api(bigip, user, password):
     api = bigsuds.BIGIP(hostname=bigip, username=user, password=password)
     return api
 
+def disable_ssl_cert_validation():
+    # You probably only want to do this for testing and never in production.
+    # From https://www.python.org/dev/peps/pep-0476/#id29
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
 def node_exists(api, address):
     # hack to determine if node exists
     result = False
@@ -212,6 +226,7 @@ def main():
             server = dict(type='str', required=True),
             user = dict(type='str', required=True),
             password = dict(type='str', required=True),
+            validate_certs = dict(default='yes', type='bool'),
             state = dict(type='str', default='present', choices=['present', 'absent']),
             partition = dict(type='str', default='Common'),
             name = dict(type='str', required=True),
@@ -227,6 +242,7 @@ def main():
     server = module.params['server']
     user = module.params['user']
     password = module.params['password']
+    validate_certs = module.params['validate_certs']
     state = module.params['state']
     partition = module.params['partition']
     host = module.params['host']
@@ -234,6 +250,9 @@ def main():
     address = "/%s/%s" % (partition, name)
     description = module.params['description']
 
+    if not validate_certs:
+        disable_ssl_cert_validation()
+
     if state == 'absent' and host is not None:
         module.fail_json(msg="host parameter invalid when state=absent")
 
diff --git a/network/f5/bigip_pool.py b/network/f5/bigip_pool.py
index 48d03b9f1cb..e7ddce6d391 100644
--- a/network/f5/bigip_pool.py
+++ b/network/f5/bigip_pool.py
@@ -54,6 +54,14 @@ options:
         default: null
         choices: []
         aliases: []
+    validate_certs:
+        description:
+            - If C(no), SSL certificates will not be validated. This should only be used
+              on personally controlled sites using self-signed certificates.
+        required: false
+        default: 'yes'
+        choices: ['yes', 'no']
+        version_added: 1.9.1
     state:
         description:
             - Pool/pool member state
@@ -235,6 +243,12 @@ def bigip_api(bigip, user, password):
     api = bigsuds.BIGIP(hostname=bigip, username=user, password=password)
     return api
 
+def disable_ssl_cert_validation():
+    # You probably only want to do this for testing and never in production.
+    # From https://www.python.org/dev/peps/pep-0476/#id29
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
 def pool_exists(api, pool):
     # hack to determine if pool exists
     result = False
@@ -359,6 +373,7 @@ def main():
             server = dict(type='str', required=True),
             user = dict(type='str', required=True),
             password = dict(type='str', required=True),
+            validate_certs = dict(default='yes', type='bool'),
             state = dict(type='str', default='present', choices=['present', 'absent']),
             name = dict(type='str', required=True, aliases=['pool']),
             partition = dict(type='str', default='Common'),
@@ -380,6 +395,7 @@ def main():
     server = module.params['server']
     user = module.params['user']
     password = module.params['password']
+    validate_certs = module.params['validate_certs']
     state = module.params['state']
     name = module.params['name']
     partition = module.params['partition']
@@ -407,6 +423,9 @@ def main():
     address = "/%s/%s" % (partition, host)
     port = module.params['port']
 
+    if not validate_certs:
+        disable_ssl_cert_validation()
+
     # sanity check user supplied values
 
     if (host and not port) or (port and not host):
diff --git a/network/f5/bigip_pool_member.py b/network/f5/bigip_pool_member.py
index 5aef9f0ae98..6a00864056c 100644
--- a/network/f5/bigip_pool_member.py
+++ b/network/f5/bigip_pool_member.py
@@ -56,6 +56,14 @@ options:
         default: null
         choices: []
         aliases: []
+    validate_certs:
+        description:
+            - If C(no), SSL certificates will not be validated. This should only be used
+              on personally controlled sites using self-signed certificates.
+        required: false
+        default: 'yes'
+        choices: ['yes', 'no']
+        version_added: 1.9.1
     state:
         description:
             - Pool member state
@@ -189,6 +197,12 @@ def bigip_api(bigip, user, password):
     api = bigsuds.BIGIP(hostname=bigip, username=user, password=password)
     return api
 
+def disable_ssl_cert_validation():
+    # You probably only want to do this for testing and never in production.
+    # From https://www.python.org/dev/peps/pep-0476/#id29
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
 def pool_exists(api, pool):
     # hack to determine if pool exists
     result = False
@@ -282,6 +296,7 @@ def main():
             server = dict(type='str', required=True),
             user = dict(type='str', required=True),
             password = dict(type='str', required=True),
+            validate_certs = dict(default='yes', type='bool'),
             state = dict(type='str', default='present', choices=['present', 'absent']),
             pool = dict(type='str', required=True),
             partition = dict(type='str', default='Common'),
@@ -301,6 +316,7 @@ def main():
     server = module.params['server']
     user = module.params['user']
     password = module.params['password']
+    validate_certs = module.params['validate_certs']
     state = module.params['state']
     partition = module.params['partition']
     pool = "/%s/%s" % (partition, module.params['pool'])
@@ -312,6 +328,9 @@ def main():
     address = "/%s/%s" % (partition, host)
     port = module.params['port']
 
+    if not validate_certs:
+        disable_ssl_cert_validation()
+
     # sanity check user supplied values
 
     if (host and not port) or (port and not host):