From fb782fa3e979f24a41b4b13e686d3629ac940466 Mon Sep 17 00:00:00 2001 From: Tim Rupp Date: Tue, 20 Nov 2018 11:59:02 -0800 Subject: [PATCH] Adds the bigip_password_policy module (#48951) This module can be used to manage password policy settings on a BIG-IP --- .../network/f5/bigip_password_policy.py | 439 ++++++++++++++++++ .../load_tm_auth_password_policy_1.json | 15 + .../network/f5/test_bigip_password_policy.py | 151 ++++++ 3 files changed, 605 insertions(+) create mode 100644 lib/ansible/modules/network/f5/bigip_password_policy.py create mode 100644 test/units/modules/network/f5/fixtures/load_tm_auth_password_policy_1.json create mode 100644 test/units/modules/network/f5/test_bigip_password_policy.py diff --git a/lib/ansible/modules/network/f5/bigip_password_policy.py b/lib/ansible/modules/network/f5/bigip_password_policy.py new file mode 100644 index 00000000000..49c3dfd87ea --- /dev/null +++ b/lib/ansible/modules/network/f5/bigip_password_policy.py @@ -0,0 +1,439 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2018, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'certified'} + +DOCUMENTATION = r''' +--- +module: bigip_password_policy +short_description: Manages the authentication password policy on a BIG-IP +description: + - Manages the authentication password policy on a BIG-IP. +version_added: 2.8 +options: + expiration_warning: + description: + - Specifies the number of days before a password expires. + - Based on this value, the BIG-IP system automatically warns users when their + password is about to expire. + max_duration: + description: + - Specifies the maximum number of days a password is valid. + max_login_failures: + description: + - Specifies the number of consecutive unsuccessful login attempts + that the system allows before locking out the user. + - Specify zero (0) to disable this parameter. + min_duration: + description: + - Specifies the minimum number of days a password is valid. + min_length: + description: + - Specifies the minimum number of characters in a valid password. + - This value must be between 6 and 255. + policy_enforcement: + description: + - Enables or disables the password policy on the BIG-IP system. + type: bool + required_lowercase: + description: + - Specifies the number of lowercase alpha characters that must be + present in a password for the password to be valid. + required_numeric: + description: + - Specifies the number of numeric characters that must be present in + a password for the password to be valid. + required_special: + description: + - Specifies the number of special characters that must be present in + a password for the password to be valid. + required_uppercase: + description: + - Specifies the number of uppercase alpha characters that must be + present in a password for the password to be valid. + password_memory: + description: + - Specifies whether the user has configured the BIG-IP system to + remember a password on a specific computer and how many passwords + to remember. +extends_documentation_fragment: f5 +author: + - Tim Rupp (@caphrim007) +''' + +EXAMPLES = r''' +- name: Change password policy to require 2 numeric characters + bigip_password_policy: + required_numeric: 2 + provider: + password: secret + server: lb.mydomain.com + user: admin + delegate_to: localhost +''' + +RETURN = r''' +expiration_warning: + description: The new expiration warning. + returned: changed + type: int + sample: 7 +max_duration: + description: The new max duration. + returned: changed + type: int + sample: 99999 +max_login_failures: + description: The new max login failures. + returned: changed + type: int + sample: 0 +min_duration: + description: The new min duration. + returned: changed + type: int + sample: 0 +min_length: + description: The new min password length. + returned: changed + type: int + sample: 6 +policy_enforcement: + description: The new policy enforcement setting. + returned: changed + type: bool + sample: yes +required_lowercase: + description: The lowercase requirement. + returned: changed + type: int + sample: 1 +required_numeric: + description: The numeric requirement. + returned: changed + type: int + sample: 2 +required_special: + description: The special character requirement. + returned: changed + type: int + sample: 1 +required_uppercase: + description: The uppercase character requirement. + returned: changed + type: int + sample: 1 +password_memory: + description: The new number of remembered passwords + returned: changed + type: int + sample: 0 +''' + +from ansible.module_utils.basic import AnsibleModule + +try: + from library.module_utils.network.f5.bigip import F5RestClient + from library.module_utils.network.f5.common import F5ModuleError + from library.module_utils.network.f5.common import AnsibleF5Parameters + from library.module_utils.network.f5.common import cleanup_tokens + from library.module_utils.network.f5.common import fq_name + from library.module_utils.network.f5.common import transform_name + from library.module_utils.network.f5.common import f5_argument_spec + from library.module_utils.network.f5.common import exit_json + from library.module_utils.network.f5.common import fail_json + from library.module_utils.network.f5.common import flatten_boolean +except ImportError: + from ansible.module_utils.network.f5.bigip import F5RestClient + from ansible.module_utils.network.f5.common import F5ModuleError + from ansible.module_utils.network.f5.common import AnsibleF5Parameters + from ansible.module_utils.network.f5.common import cleanup_tokens + from ansible.module_utils.network.f5.common import fq_name + from ansible.module_utils.network.f5.common import transform_name + from ansible.module_utils.network.f5.common import f5_argument_spec + from ansible.module_utils.network.f5.common import exit_json + from ansible.module_utils.network.f5.common import fail_json + from ansible.module_utils.network.f5.common import flatten_boolean + + +class Parameters(AnsibleF5Parameters): + api_map = { + 'expirationWarning': 'expiration_warning', + 'maxDuration': 'max_duration', + 'maxLoginFailures': 'max_login_failures', + 'minDuration': 'min_duration', + 'minimumLength': 'min_length', + 'passwordMemory': 'password_memory', + 'policyEnforcement': 'policy_enforcement', + 'requiredLowercase': 'required_lowercase', + 'requiredNumeric': 'required_numeric', + 'requiredSpecial': 'required_special', + 'requiredUppercase': 'required_uppercase', + } + + api_attributes = [ + 'expirationWarning', + 'maxDuration', + 'maxLoginFailures', + 'minDuration', + 'minimumLength', + 'passwordMemory', + 'policyEnforcement', + 'requiredLowercase', + 'requiredNumeric', + 'requiredSpecial', + 'requiredUppercase', + ] + + returnables = [ + 'expiration_warning', + 'max_duration', + 'max_login_failures', + 'min_duration', + 'min_length', + 'password_memory', + 'policy_enforcement', + 'required_lowercase', + 'required_numeric', + 'required_special', + 'required_uppercase', + ] + + updatables = [ + 'expiration_warning', + 'max_duration', + 'max_login_failures', + 'min_duration', + 'min_length', + 'password_memory', + 'policy_enforcement', + 'required_lowercase', + 'required_numeric', + 'required_special', + 'required_uppercase', + ] + + @property + def policy_enforcement(self): + return flatten_boolean(self._values['policy_enforcement']) + + +class ApiParameters(Parameters): + pass + + +class ModuleParameters(Parameters): + pass + + +class Changes(Parameters): + def to_return(self): + result = {} + try: + for returnable in self.returnables: + result[returnable] = getattr(self, returnable) + result = self._filter_params(result) + except Exception: + pass + return result + + +class UsableChanges(Changes): + @property + def policy_enforcement(self): + if self._values['policy_enforcement'] is None: + return None + if self._values['policy_enforcement'] == 'yes': + return 'enabled' + return 'disabled' + + +class ReportableChanges(Changes): + @property + def policy_enforcement(self): + return flatten_boolean(self._values['policy_enforcement']) + + +class Difference(object): + def __init__(self, want, have=None): + self.want = want + self.have = have + + def compare(self, param): + try: + result = getattr(self, param) + return result + except AttributeError: + return self.__default(param) + + def __default(self, param): + attr1 = getattr(self.want, param) + try: + attr2 = getattr(self.have, param) + if attr1 != attr2: + return attr1 + except AttributeError: + return attr1 + + +class ModuleManager(object): + def __init__(self, *args, **kwargs): + self.module = kwargs.get('module', None) + self.client = kwargs.get('client', None) + self.want = ModuleParameters(params=self.module.params) + self.have = ApiParameters() + self.changes = UsableChanges() + + def _set_changed_options(self): + changed = {} + for key in Parameters.returnables: + if getattr(self.want, key) is not None: + changed[key] = getattr(self.want, key) + if changed: + self.changes = UsableChanges(params=changed) + + def _update_changed_options(self): + diff = Difference(self.want, self.have) + updatables = Parameters.updatables + changed = dict() + for k in updatables: + change = diff.compare(k) + if change is None: + continue + else: + if isinstance(change, dict): + changed.update(change) + else: + changed[k] = change + if changed: + self.changes = UsableChanges(params=changed) + return True + return False + + def _announce_deprecations(self, result): + warnings = result.pop('__warnings', []) + for warning in warnings: + self.client.module.deprecate( + msg=warning['msg'], + version=warning['version'] + ) + + def exec_module(self): + result = dict() + + changed = self.present() + + reportable = ReportableChanges(params=self.changes.to_return()) + changes = reportable.to_return() + result.update(**changes) + result.update(dict(changed=changed)) + self._announce_deprecations(result) + return result + + def present(self): + return self.update() + + def should_update(self): + result = self._update_changed_options() + if result: + return True + return False + + def update(self): + self.have = self.read_current_from_device() + if not self.should_update(): + return False + if self.module.check_mode: + return True + self.update_on_device() + return True + + def update_on_device(self): + params = self.changes.api_params() + uri = "https://{0}:{1}/mgmt/tm/auth/password-policy".format( + self.client.provider['server'], + self.client.provider['server_port'], + ) + resp = self.client.api.patch(uri, json=params) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + + def read_current_from_device(self): + uri = "https://{0}:{1}/mgmt/tm/auth/password-policy".format( + self.client.provider['server'], + self.client.provider['server_port'], + ) + resp = self.client.api.get(uri) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + return ApiParameters(params=response) + + +class ArgumentSpec(object): + def __init__(self): + self.supports_check_mode = True + argument_spec = dict( + expiration_warning=dict(type='int'), + max_duration=dict(type='int'), + max_login_failures=dict(type='int'), + min_duration=dict(type='int'), + min_length=dict(type='int'), + password_memory=dict(type='int'), + policy_enforcement=dict(type='bool'), + required_lowercase=dict(type='int'), + required_numeric=dict(type='int'), + required_special=dict(type='int'), + required_uppercase=dict(type='int'), + ) + self.argument_spec = {} + self.argument_spec.update(f5_argument_spec) + self.argument_spec.update(argument_spec) + + +def main(): + spec = ArgumentSpec() + + module = AnsibleModule( + argument_spec=spec.argument_spec, + supports_check_mode=spec.supports_check_mode, + ) + + client = F5RestClient(**module.params) + + try: + mm = ModuleManager(module=module, client=client) + results = mm.exec_module() + cleanup_tokens(client) + exit_json(module, results, client) + except F5ModuleError as ex: + cleanup_tokens(client) + fail_json(module, ex, client) + + +if __name__ == '__main__': + main() diff --git a/test/units/modules/network/f5/fixtures/load_tm_auth_password_policy_1.json b/test/units/modules/network/f5/fixtures/load_tm_auth_password_policy_1.json new file mode 100644 index 00000000000..7d5aac7b61d --- /dev/null +++ b/test/units/modules/network/f5/fixtures/load_tm_auth_password_policy_1.json @@ -0,0 +1,15 @@ +{ + "kind": "tm:auth:password-policy:password-policystate", + "selfLink": "https://localhost/mgmt/tm/auth/password-policy?ver=13.1.0.7", + "expirationWarning": 7, + "maxDuration": 99999, + "maxLoginFailures": 0, + "minDuration": 0, + "minimumLength": 6, + "passwordMemory": 0, + "policyEnforcement": "disabled", + "requiredLowercase": 0, + "requiredNumeric": 0, + "requiredSpecial": 0, + "requiredUppercase": 0 +} diff --git a/test/units/modules/network/f5/test_bigip_password_policy.py b/test/units/modules/network/f5/test_bigip_password_policy.py new file mode 100644 index 00000000000..312e33db3fd --- /dev/null +++ b/test/units/modules/network/f5/test_bigip_password_policy.py @@ -0,0 +1,151 @@ +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2018, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import json +import pytest +import sys + +from nose.plugins.skip import SkipTest +if sys.version_info < (2, 7): + raise SkipTest("F5 Ansible modules require Python >= 2.7") + +from ansible.module_utils.basic import AnsibleModule + +try: + from library.modules.bigip_password_policy import ApiParameters + from library.modules.bigip_password_policy import ModuleParameters + from library.modules.bigip_password_policy import ModuleManager + from library.modules.bigip_password_policy import ArgumentSpec + + # In Ansible 2.8, Ansible changed import paths. + from test.units.compat import unittest + from test.units.compat.mock import Mock + from test.units.compat.mock import patch + + from test.units.modules.utils import set_module_args +except ImportError: + from ansible.modules.network.f5.bigip_password_policy import ApiParameters + from ansible.modules.network.f5.bigip_password_policy import ModuleParameters + from ansible.modules.network.f5.bigip_password_policy import ModuleManager + from ansible.modules.network.f5.bigip_password_policy import ArgumentSpec + + # Ansible 2.8 imports + from units.compat import unittest + from units.compat.mock import Mock + from units.compat.mock import patch + + from units.modules.utils import set_module_args + + +fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures') +fixture_data = {} + + +def load_fixture(name): + path = os.path.join(fixture_path, name) + + if path in fixture_data: + return fixture_data[path] + + with open(path) as f: + data = f.read() + + try: + data = json.loads(data) + except Exception: + pass + + fixture_data[path] = data + return data + + +class TestParameters(unittest.TestCase): + def test_module_parameters(self): + args = dict( + expiration_warning=7, + max_duration=99999, + max_login_failures=0, + min_duration=0, + min_length=6, + password_memory=0, + policy_enforcement=False, + required_lowercase=0, + required_numeric=0, + required_special=0, + required_uppercase=0, + ) + + p = ModuleParameters(params=args) + assert p.expiration_warning == 7 + assert p.max_duration == 99999 + assert p.max_login_failures == 0 + assert p.min_duration == 0 + assert p.password_memory == 0 + assert p.policy_enforcement == 'no' + assert p.required_lowercase == 0 + assert p.required_numeric == 0 + assert p.required_special == 0 + assert p.required_uppercase == 0 + + def test_api_parameters(self): + args = load_fixture('load_tm_auth_password_policy_1.json') + + p = ApiParameters(params=args) + assert p.expiration_warning == 7 + assert p.max_duration == 99999 + assert p.max_login_failures == 0 + assert p.min_duration == 0 + assert p.password_memory == 0 + assert p.policy_enforcement == 'no' + assert p.required_lowercase == 0 + assert p.required_numeric == 0 + assert p.required_special == 0 + assert p.required_uppercase == 0 + + +@patch('ansible.module_utils.f5_utils.AnsibleF5Client._get_mgmt_root', + return_value=True) +class TestManager(unittest.TestCase): + + def setUp(self): + self.spec = ArgumentSpec() + + def test_create_partition(self, *args): + set_module_args(dict( + expiration_warning=7, + max_duration=9999, + max_login_failures=0, + min_duration=0, + min_length=6, + password_memory=0, + policy_enforcement='no', + required_lowercase=0, + required_numeric=0, + required_special=0, + required_uppercase=0, + server='localhost', + password='password', + user='admin' + )) + + current = ApiParameters(params=load_fixture('load_tm_auth_password_policy_1.json')) + module = AnsibleModule( + argument_spec=self.spec.argument_spec, + supports_check_mode=self.spec.supports_check_mode + ) + + # Override methods in the specific type of manager + mm = ModuleManager(module=module) + mm.exists = Mock(side_effect=[False, True]) + mm.update_on_device = Mock(return_value=True) + mm.read_current_from_device = Mock(return_value=current) + + results = mm.exec_module() + + assert results['changed'] is True