From 0d50131d5ea8f1e82948b47daa4828432e5ddacf Mon Sep 17 00:00:00 2001 From: dlehrman Date: Thu, 20 Jun 2024 15:03:28 -0400 Subject: [PATCH] Enable Custom Cipher Selection for Redfish Modules (#8533) * Enable custom cipher selection for redfish modules Signed-off-by: David Ehrman * Add changelog fragment Signed-off-by: David Ehrman * Added version_added to the ciphers option in redfish modules Signed-off-by: David Ehrman --------- Signed-off-by: David Ehrman --- .../fragments/8533-add-ciphers-option.yml | 4 ++++ plugins/module_utils/redfish_utils.py | 13 ++++++------ plugins/modules/redfish_command.py | 18 +++++++++++++++- plugins/modules/redfish_config.py | 21 +++++++++++++++++-- plugins/modules/redfish_info.py | 17 ++++++++++++++- 5 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 changelogs/fragments/8533-add-ciphers-option.yml diff --git a/changelogs/fragments/8533-add-ciphers-option.yml b/changelogs/fragments/8533-add-ciphers-option.yml new file mode 100644 index 0000000000..7f9880ebee --- /dev/null +++ b/changelogs/fragments/8533-add-ciphers-option.yml @@ -0,0 +1,4 @@ +--- +minor_changes: + - redfish_* modules - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.general/pull/8533). +... diff --git a/plugins/module_utils/redfish_utils.py b/plugins/module_utils/redfish_utils.py index 139628bd9f..4240b9e4e7 100644 --- a/plugins/module_utils/redfish_utils.py +++ b/plugins/module_utils/redfish_utils.py @@ -42,7 +42,7 @@ FAIL_MSG = 'Issuing a data modification command without specifying the '\ class RedfishUtils(object): def __init__(self, creds, root_uri, timeout, module, resource_id=None, - data_modification=False, strip_etag_quotes=False): + data_modification=False, strip_etag_quotes=False, ciphers=None): self.root_uri = root_uri self.creds = creds self.timeout = timeout 
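Review bot: The new `ciphers=None` keyword on `RedfishUtils.__init__` (hunk at -42, stored as `self.ciphers` in the hunk at -53) carries no comment or docstring saying what shape it takes or what `None` means. The module arg specs later in this patch supply a list of strings, and the value is forwarded unchanged to each `open_url()` call. I would record that next to the assignment: `# ciphers: list of OpenSSL cipher names, or None to leave suite selection to open_url(); forwarded unchanged to every request`. The constructor body continues outside both hunks.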
@@ -53,6 +53,7 @@ class RedfishUtils(object): self.resource_id = resource_id self.data_modification = data_modification self.strip_etag_quotes = strip_etag_quotes + self.ciphers = ciphers self._vendor = None self._init_session() @@ -149,7 +150,7 @@ class RedfishUtils(object): url_username=username, url_password=password, force_basic_auth=basic_auth, validate_certs=False, follow_redirects='all', - use_proxy=True, timeout=timeout) + use_proxy=True, timeout=timeout, ciphers=self.ciphers) headers = dict((k.lower(), v) for (k, v) in resp.info().items()) try: if headers.get('content-encoding') == 'gzip' and LooseVersion(ansible_version) < LooseVersion('2.14'): @@ -199,7 +200,7 @@ class RedfishUtils(object): url_username=username, url_password=password, force_basic_auth=basic_auth, validate_certs=False, follow_redirects='all', - use_proxy=True, timeout=self.timeout) + use_proxy=True, timeout=self.timeout, ciphers=self.ciphers) try: data = json.loads(to_native(resp.read())) except Exception as e: @@ -253,7 +254,7 @@ class RedfishUtils(object): url_username=username, url_password=password, force_basic_auth=basic_auth, validate_certs=False, follow_redirects='all', - use_proxy=True, timeout=self.timeout) + use_proxy=True, timeout=self.timeout, ciphers=self.ciphers) except HTTPError as e: msg = self._get_extended_message(e) return {'ret': False, 'changed': False, @@ -288,7 +289,7 @@ class RedfishUtils(object): url_username=username, url_password=password, force_basic_auth=basic_auth, validate_certs=False, follow_redirects='all', - use_proxy=True, timeout=self.timeout) + use_proxy=True, timeout=self.timeout, ciphers=self.ciphers) except HTTPError as e: msg = self._get_extended_message(e) return {'ret': False, 
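Review bot: `ciphers=self.ciphers` is passed to `open_url()` unconditionally in the hunk at -149, while the context line just below it still branches on `LooseVersion(ansible_version) < LooseVersion('2.14')`, which suggests ansible-core releases older than 2.14 remain a supported runtime. As far as I know `open_url()` only accepts a `ciphers` keyword from 2.14 on, so on an older core every request would fail on the unexpected keyword even when the option is unset; this is worth confirming against the collection's minimum ansible-core. If it holds, pass the keyword only when it is set, e.g. `extra = {'ciphers': self.ciphers} if self.ciphers else {}` and then `open_url(..., timeout=timeout, **extra)`. The same call shape repeats in the hunks at -199, -253, -288 and -314, and the enclosing method starts and ends outside this hunk.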
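Review bot: The added `ciphers=self.ciphers` in the hunk at -199 sits beside a hard-coded `validate_certs=False` in the same `open_url()` call (also visible in the context lines at -149, -253, -288 and -314), so a stricter cipher list narrows what is negotiated but does not authenticate the endpoint. The `url_username`/`url_password` credentials are still sent to whichever host completes the handshake. That is not something this commit needs to change, but a comment above the call would stop readers treating the new option as hardening: `# NOTE: validate_certs=False; ciphers constrains suite negotiation only and does not authenticate the Redfish service`. The enclosing method starts and ends outside the hunk.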
@@ -314,7 +315,7 @@ class RedfishUtils(object): url_username=username, url_password=password, force_basic_auth=basic_auth, validate_certs=False, follow_redirects='all', - use_proxy=True, timeout=self.timeout) + use_proxy=True, timeout=self.timeout, ciphers=self.ciphers) except HTTPError as e: msg = self._get_extended_message(e) return {'ret': False, diff --git a/plugins/modules/redfish_command.py b/plugins/modules/redfish_command.py index 0f7a64b81f..f9b0c8bd3b 100644 --- a/plugins/modules/redfish_command.py +++ b/plugins/modules/redfish_command.py @@ -302,6 +302,17 @@ options: type: int default: 120 version_added: 9.1.0 + ciphers: + required: false + description: + - SSL/TLS Ciphers to use for the request. + - 'When a list is provided, all ciphers are joined in order with V(:).' + - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT) + for more details. + - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions. + type: list + elements: str + version_added: 9.2.0 author: - "Jose Delarosa (@jose-delarosa)" @@ -868,6 +879,7 @@ def main(): bios_attributes=dict(type="dict"), wait=dict(type='bool', default=False), wait_timeout=dict(type='int', default=120), + ciphers=dict(type='list', elements='str'), ), required_together=[ ('username', 'password'), @@ -936,10 +948,14 @@ def main(): # BIOS Attributes options bios_attributes = module.params['bios_attributes'] + # ciphers + ciphers = module.params['ciphers'] + # Build root URI root_uri = "https://" + module.params['baseuri'] rf_utils = RedfishUtils(creds, root_uri, timeout, module, - resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes) + resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes, + ciphers=ciphers) # Check that Category is valid if category not in CATEGORY_COMMANDS_ALL: 
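Review bot: The `ciphers` description added to DOCUMENTATION in `redfish_command.py` (hunk at -302, repeated verbatim in `redfish_config.py` at -167 and `redfish_info.py` at -73) does not say what is used when the option is omitted, and it gives no caveat about widening the list. The arg spec sets no default and `RedfishUtils` defaults to `ciphers=None`, so a bullet such as `- When omitted, cipher selection is left to the Python/OpenSSL defaults.` would help, assuming `open_url()` treats `None` as no override. A second bullet, `- Enabling legacy suites for old firmware weakens the session; prefer the narrowest list the target accepts.`, covers the usual reason this option gets used. The last bullet should also read `The available ciphers are dependent on ...`.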
diff --git a/plugins/modules/redfish_config.py b/plugins/modules/redfish_config.py index 129b33b2e6..25f3cffdb4 100644 --- a/plugins/modules/redfish_config.py +++ b/plugins/modules/redfish_config.py @@ -167,6 +167,18 @@ options: type: dict default: {} version_added: '7.5.0' + ciphers: + required: false + description: + - SSL/TLS Ciphers to use for the request. + - 'When a list is provided, all ciphers are joined in order with V(:).' + - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT) + for more details. + - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions. + type: list + elements: str + version_added: 9.2.0 + author: - "Jose Delarosa (@jose-delarosa)" - "T S Kushal (@TSKushal)" @@ -405,7 +417,8 @@ def main(): storage_subsystem_id=dict(type='str', default=''), volume_ids=dict(type='list', default=[], elements='str'), secure_boot_enable=dict(type='bool', default=True), - volume_details=dict(type='dict', default={}) + volume_details=dict(type='dict', default={}), + ciphers=dict(type='list', elements='str'), ), required_together=[ ('username', 'password'), @@ -469,10 +482,14 @@ def main(): volume_details = module.params['volume_details'] storage_subsystem_id = module.params['storage_subsystem_id'] + # ciphers + ciphers = module.params['ciphers'] + # Build root URI root_uri = "https://" + module.params['baseuri'] rf_utils = RedfishUtils(creds, root_uri, timeout, module, - resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes) + resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes, + ciphers=ciphers) # Check that Category is valid if category not in CATEGORY_COMMANDS_ALL: diff --git a/plugins/modules/redfish_info.py b/plugins/modules/redfish_info.py index efcb34f016..b1b4a45ee5 100644 --- a/plugins/modules/redfish_info.py +++ b/plugins/modules/redfish_info.py 
@@ -73,6 +73,17 @@ options: - Handle to check the status of an update in progress. type: str version_added: '6.1.0' + ciphers: + required: false + description: + - SSL/TLS Ciphers to use for the request. + - 'When a list is provided, all ciphers are joined in order with V(:).' + - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT) + for more details. + - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions. + type: list + elements: str + version_added: 9.2.0 author: "Jose Delarosa (@jose-delarosa)" ''' @@ -423,6 +434,7 @@ def main(): timeout=dict(type='int', default=60), update_handle=dict(), manager=dict(), + ciphers=dict(type='list', elements='str'), ), required_together=[ ('username', 'password'), @@ -450,9 +462,12 @@ def main(): # manager manager = module.params['manager'] + # ciphers + ciphers = module.params['ciphers'] + # Build root URI root_uri = "https://" + module.params['baseuri'] - rf_utils = RedfishUtils(creds, root_uri, timeout, module) + rf_utils = RedfishUtils(creds, root_uri, timeout, module, ciphers=ciphers) # Build Category list if "all" in module.params['category']: