From 0873043e5af45097327b5f3785db14ccd8b0c71b Mon Sep 17 00:00:00 2001 From: Tim Rupp Date: Sat, 10 Nov 2018 11:40:18 -0800 Subject: [PATCH] Fixes ssl cipher ordering in bigip_device_httpd. Also fix unit tests (#48475) --- .../modules/network/f5/bigip_device_httpd.py | 73 ++++++++++++------- .../network/f5/test_bigip_device_httpd.py | 21 ++++-- 2 files changed, 58 insertions(+), 36 deletions(-) diff --git a/lib/ansible/modules/network/f5/bigip_device_httpd.py b/lib/ansible/modules/network/f5/bigip_device_httpd.py index 168d7b89b7..28218dc728 100644 --- a/lib/ansible/modules/network/f5/bigip_device_httpd.py +++ b/lib/ansible/modules/network/f5/bigip_device_httpd.py @@ -103,64 +103,71 @@ EXAMPLES = r''' - name: Set the BIG-IP authentication realm name bigip_device_httpd: auth_name: BIG-IP - password: secret - server: lb.mydomain.com - user: admin + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost - name: Set the auth pam timeout to 3600 seconds bigip_device_httpd: auth_pam_idle_timeout: 1200 - password: secret - server: lb.mydomain.com - user: admin + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost - name: Set the validate IP settings bigip_device_httpd: auth_pam_validate_ip: on - password: secret - server: lb.mydomain.com - user: admin + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost - name: Set SSL cipher suite by list bigip_device_httpd: - password: secret - server: lb.mydomain.com - user: admin ssl_cipher_suite: - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-RSA-AES128-SHA - AES256-SHA256 + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost - name: Set SSL cipher suite by string bigip_device_httpd: - password: secret - server: lb.mydomain.com - user: admin ssl_cipher_suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA256 + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost - name: Set SSL protocols by list bigip_device_httpd: - password: secret - server: lb.mydomain.com - user: admin ssl_protocols: - all - -SSLv2 - -SSLv3 + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost - name: Set SSL protocols by string bigip_device_httpd: - password: secret - server: lb.mydomain.com - user: admin - ssl_cipher_suite: all -SSLv2 -SSLv3 + ssl_protocols: all -SSLv2 -SSLv3 + provider: + password: secret + server: lb.mydomain.com + user: admin delegate_to: localhost ''' @@ -220,6 +227,11 @@ ssl_cipher_suite: returned: changed type: string sample: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA +ssl_cipher_suite_list: + description: List of the new ciphers that the system uses. + returned: changed + type: string + sample: ['ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-SHA'] ssl_protocols: description: The new list of SSL protocols to accept on the management console. returned: changed @@ -276,7 +288,7 @@ class Parameters(AnsibleF5Parameters): 'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name', 'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup', 'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port', - 'allow', 'ssl_cipher_suite', 'ssl_protocols' + 'allow', 'ssl_cipher_suite', 'ssl_protocols', 'ssl_cipher_suite_list', ] updatables = [ @@ -394,11 +406,11 @@ class ModuleParameters(Parameters): "ssl_cipher_suite may not be set to 'none'" ) if ciphers == 'default': - ciphers = ':'.join(sorted(Parameters._ciphers.split(':'))) + ciphers = ':'.join(Parameters._ciphers.split(':')) elif isinstance(self._values['ssl_cipher_suite'], string_types): - ciphers = ':'.join(sorted(ciphers.split(':'))) + ciphers = ':'.join(ciphers.split(':')) else: - ciphers = ':'.join(sorted(ciphers)) + ciphers = ':'.join(ciphers) return ciphers @property @@ -454,12 +466,16 @@ class UsableChanges(Changes): class ReportableChanges(Changes): @property def ssl_cipher_suite(self): - default = ':'.join(sorted(Parameters._ciphers.split(':'))) + default = ':'.join(Parameters._ciphers.split(':')) if self._values['ssl_cipher_suite'] == default: return 'default' else: return self._values['ssl_cipher_suite'] + @property + def ssl_cipher_suite_list(self): + return self._values['ssl_cipher_suite'].split(':') + @property def ssl_protocols(self): default = ' '.join(sorted(Parameters._protocols.split(' '))) @@ -684,8 +700,9 @@ def main(): supports_check_mode=spec.supports_check_mode, ) + client = F5RestClient(**module.params) + try: - client = F5RestClient(**module.params) mm = ModuleManager(module=module, client=client) results = mm.exec_module() cleanup_tokens(client) diff --git a/test/units/modules/network/f5/test_bigip_device_httpd.py b/test/units/modules/network/f5/test_bigip_device_httpd.py index d469ae67a3..2f2823d376 100644 --- a/test/units/modules/network/f5/test_bigip_device_httpd.py +++ b/test/units/modules/network/f5/test_bigip_device_httpd.py @@ -14,25 +14,30 @@ from nose.plugins.skip import SkipTest if sys.version_info < (2, 7): raise SkipTest("F5 Ansible modules require Python >= 2.7") -from units.compat import unittest -from units.compat.mock import Mock -from units.compat.mock import patch from ansible.module_utils.basic import AnsibleModule try: from library.modules.bigip_device_httpd import Parameters from library.modules.bigip_device_httpd import ModuleManager from library.modules.bigip_device_httpd import ArgumentSpec - from library.module_utils.network.f5.common import F5ModuleError - from library.module_utils.network.f5.common import iControlUnexpectedHTTPError - from test.unit.modules.utils import set_module_args + + # In Ansible 2.8, Ansible changed import paths. + from test.units.compat import unittest + from test.units.compat.mock import Mock + from test.units.compat.mock import patch + + from test.units.modules.utils import set_module_args except ImportError: try: from ansible.modules.network.f5.bigip_device_httpd import Parameters from ansible.modules.network.f5.bigip_device_httpd import ModuleManager from ansible.modules.network.f5.bigip_device_httpd import ArgumentSpec - from ansible.module_utils.network.f5.common import F5ModuleError - from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError + + # Ansible 2.8 imports + from units.compat import unittest + from units.compat.mock import Mock + from units.compat.mock import patch + from units.modules.utils import set_module_args except ImportError: raise SkipTest("F5 Ansible modules require the f5-sdk Python library")