diff --git a/lib/ansible/modules/network/fortimanager/fmgr_secprof_ssl_ssh.py b/lib/ansible/modules/network/fortimanager/fmgr_secprof_ssl_ssh.py new file mode 100644 index 0000000000..92d32d8298 --- /dev/null +++ b/lib/ansible/modules/network/fortimanager/fmgr_secprof_ssl_ssh.py @@ -0,0 +1,1095 @@ +#!/usr/bin/python +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = {'status': ['preview'], + 'supported_by': 'community', + 'metadata_version': '1.1'} + +DOCUMENTATION = ''' +--- +module: fmgr_secprof_ssl_ssh +version_added: "2.8" +author: + - Luke Weighall (@lweighall) + - Andrew Welsh (@Ghilli3) + - Jim Huber (@p4r4n0y1ng) +short_description: Manage SSL and SSH security profiles in FortiManager +description: + - Manage SSL and SSH security profiles in FortiManager via the FMG API + +options: + adom: + description: + - The ADOM the configuration should belong to. + required: false + default: root + + host: + description: + - The FortiManager's address. + required: true + + username: + description: + - The username associated with the account. + required: true + + password: + description: + - The password associated with the username account. + required: true + + mode: + description: + - Sets one of three modes for managing the object. + - Allows use of soft-adds instead of overwriting existing values + choices: ['add', 'set', 'delete', 'update'] + required: false + default: add + + whitelist: + description: + - Enable/disable exempting servers by FortiGuard whitelist. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + use_ssl_server: + description: + - Enable/disable the use of SSL server table for SSL offloading. + - choice | disable | Don't use SSL server configuration. + - choice | enable | Use SSL server configuration. + required: false + choices: ["disable", "enable"] + + untrusted_caname: + description: + - Untrusted CA certificate used by SSL Inspection. + required: false + + ssl_exemptions_log: + description: + - Enable/disable logging SSL exemptions. + - choice | disable | Disable logging SSL exemptions. + - choice | enable | Enable logging SSL exemptions. + required: false + choices: ["disable", "enable"] + + ssl_anomalies_log: + description: + - Enable/disable logging SSL anomalies. + - choice | disable | Disable logging SSL anomalies. + - choice | enable | Enable logging SSL anomalies. + required: false + choices: ["disable", "enable"] + + server_cert_mode: + description: + - Re-sign or replace the server's certificate. + - choice | re-sign | Multiple clients connecting to multiple servers. + - choice | replace | Protect an SSL server. + required: false + choices: ["re-sign", "replace"] + + server_cert: + description: + - Certificate used by SSL Inspection to replace server certificate. + required: false + + rpc_over_https: + description: + - Enable/disable inspection of RPC over HTTPS. + - choice | disable | Disable inspection of RPC over HTTPS. + - choice | enable | Enable inspection of RPC over HTTPS. + required: false + choices: ["disable", "enable"] + + name: + description: + - Name. + required: false + + mapi_over_https: + description: + - Enable/disable inspection of MAPI over HTTPS. + - choice | disable | Disable inspection of MAPI over HTTPS. + - choice | enable | Enable inspection of MAPI over HTTPS. + required: false + choices: ["disable", "enable"] + + comment: + description: + - Optional comments. + required: false + + caname: + description: + - CA certificate used by SSL Inspection. + required: false + + ftps: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + ftps_allow_invalid_server_cert: + description: + - When enabled, allows SSL sessions whose server certificate validation failed. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + ftps_client_cert_request: + description: + - Action based on client certificate request failure. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ftps_ports: + description: + - Ports to use for scanning (1 - 65535, default = 443). + required: false + + ftps_status: + description: + - Configure protocol inspection status. + - choice | disable | Disable. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "deep-inspection"] + + ftps_unsupported_ssl: + description: + - Action based on the SSL encryption used being unsupported. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ftps_untrusted_cert: + description: + - Allow, ignore, or block the untrusted SSL session server certificate. + - choice | allow | Allow the untrusted server certificate. + - choice | block | Block the connection when an untrusted server certificate is detected. + - choice | ignore | Always take the server certificate as trusted. + required: false + choices: ["allow", "block", "ignore"] + + https: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + https_allow_invalid_server_cert: + description: + - When enabled, allows SSL sessions whose server certificate validation failed. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + https_client_cert_request: + description: + - Action based on client certificate request failure. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + https_ports: + description: + - Ports to use for scanning (1 - 65535, default = 443). + required: false + + https_status: + description: + - Configure protocol inspection status. + - choice | disable | Disable. + - choice | certificate-inspection | Inspect SSL handshake only. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "certificate-inspection", "deep-inspection"] + + https_unsupported_ssl: + description: + - Action based on the SSL encryption used being unsupported. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + https_untrusted_cert: + description: + - Allow, ignore, or block the untrusted SSL session server certificate. + - choice | allow | Allow the untrusted server certificate. + - choice | block | Block the connection when an untrusted server certificate is detected. + - choice | ignore | Always take the server certificate as trusted. + required: false + choices: ["allow", "block", "ignore"] + + imaps: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + imaps_allow_invalid_server_cert: + description: + - When enabled, allows SSL sessions whose server certificate validation failed. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + imaps_client_cert_request: + description: + - Action based on client certificate request failure. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + imaps_ports: + description: + - Ports to use for scanning (1 - 65535, default = 443). + required: false + + imaps_status: + description: + - Configure protocol inspection status. + - choice | disable | Disable. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "deep-inspection"] + + imaps_unsupported_ssl: + description: + - Action based on the SSL encryption used being unsupported. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + imaps_untrusted_cert: + description: + - Allow, ignore, or block the untrusted SSL session server certificate. + - choice | allow | Allow the untrusted server certificate. + - choice | block | Block the connection when an untrusted server certificate is detected. + - choice | ignore | Always take the server certificate as trusted. + required: false + choices: ["allow", "block", "ignore"] + + pop3s: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + pop3s_allow_invalid_server_cert: + description: + - When enabled, allows SSL sessions whose server certificate validation failed. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + pop3s_client_cert_request: + description: + - Action based on client certificate request failure. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + pop3s_ports: + description: + - Ports to use for scanning (1 - 65535, default = 443). + required: false + + pop3s_status: + description: + - Configure protocol inspection status. + - choice | disable | Disable. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "deep-inspection"] + + pop3s_unsupported_ssl: + description: + - Action based on the SSL encryption used being unsupported. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + pop3s_untrusted_cert: + description: + - Allow, ignore, or block the untrusted SSL session server certificate. + - choice | allow | Allow the untrusted server certificate. + - choice | block | Block the connection when an untrusted server certificate is detected. + - choice | ignore | Always take the server certificate as trusted. + required: false + choices: ["allow", "block", "ignore"] + + smtps: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + smtps_allow_invalid_server_cert: + description: + - When enabled, allows SSL sessions whose server certificate validation failed. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + smtps_client_cert_request: + description: + - Action based on client certificate request failure. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + smtps_ports: + description: + - Ports to use for scanning (1 - 65535, default = 443). + required: false + + smtps_status: + description: + - Configure protocol inspection status. + - choice | disable | Disable. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "deep-inspection"] + + smtps_unsupported_ssl: + description: + - Action based on the SSL encryption used being unsupported. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + smtps_untrusted_cert: + description: + - Allow, ignore, or block the untrusted SSL session server certificate. + - choice | allow | Allow the untrusted server certificate. + - choice | block | Block the connection when an untrusted server certificate is detected. + - choice | ignore | Always take the server certificate as trusted. + required: false + choices: ["allow", "block", "ignore"] + + ssh: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + ssh_inspect_all: + description: + - Level of SSL inspection. + - choice | disable | Disable. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "deep-inspection"] + + ssh_ports: + description: + - Ports to use for scanning (1 - 65535, default = 443). + required: false + + ssh_ssh_algorithm: + description: + - Relative strength of encryption algorithms accepted during negotiation. + - choice | compatible | Allow a broader set of encryption algorithms for best compatibility. + - choice | high-encryption | Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms. + required: false + choices: ["compatible", "high-encryption"] + + ssh_ssh_policy_check: + description: + - Enable/disable SSH policy check. + - choice | disable | Disable SSH policy check. + - choice | enable | Enable SSH policy check. + required: false + choices: ["disable", "enable"] + + ssh_ssh_tun_policy_check: + description: + - Enable/disable SSH tunnel policy check. + - choice | disable | Disable SSH tunnel policy check. + - choice | enable | Enable SSH tunnel policy check. + required: false + choices: ["disable", "enable"] + + ssh_status: + description: + - Configure protocol inspection status. + - choice | disable | Disable. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "deep-inspection"] + + ssh_unsupported_version: + description: + - Action based on SSH version being unsupported. + - choice | block | Block. + - choice | bypass | Bypass. + required: false + choices: ["block", "bypass"] + + ssl: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + ssl_allow_invalid_server_cert: + description: + - When enabled, allows SSL sessions whose server certificate validation failed. + - choice | disable | Disable setting. + - choice | enable | Enable setting. + required: false + choices: ["disable", "enable"] + + ssl_client_cert_request: + description: + - Action based on client certificate request failure. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_inspect_all: + description: + - Level of SSL inspection. + - choice | disable | Disable. + - choice | certificate-inspection | Inspect SSL handshake only. + - choice | deep-inspection | Full SSL inspection. + required: false + choices: ["disable", "certificate-inspection", "deep-inspection"] + + ssl_unsupported_ssl: + description: + - Action based on the SSL encryption used being unsupported. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_untrusted_cert: + description: + - Allow, ignore, or block the untrusted SSL session server certificate. + - choice | allow | Allow the untrusted server certificate. + - choice | block | Block the connection when an untrusted server certificate is detected. + - choice | ignore | Always take the server certificate as trusted. + required: false + choices: ["allow", "block", "ignore"] + + ssl_exempt: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + ssl_exempt_address: + description: + - IPv4 address object. + required: false + + ssl_exempt_address6: + description: + - IPv6 address object. + required: false + + ssl_exempt_fortiguard_category: + description: + - FortiGuard category ID. + required: false + + ssl_exempt_regex: + description: + - Exempt servers by regular expression. + required: false + + ssl_exempt_type: + description: + - Type of address object (IPv4 or IPv6) or FortiGuard category. + - choice | fortiguard-category | FortiGuard category. + - choice | address | Firewall IPv4 address. + - choice | address6 | Firewall IPv6 address. + - choice | wildcard-fqdn | Fully Qualified Domain Name with wildcard characters. + - choice | regex | Regular expression FQDN. + required: false + choices: ["fortiguard-category", "address", "address6", "wildcard-fqdn", "regex"] + + ssl_exempt_wildcard_fqdn: + description: + - Exempt servers by wildcard FQDN. + required: false + + ssl_server: + description: + - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! + - List of multiple child objects to be added. Expects a list of dictionaries. + - Dictionaries must use FortiManager API parameters, not the ansible ones listed below. + - If submitted, all other prefixed sub-parameters ARE IGNORED. + - This object is MUTUALLY EXCLUSIVE with its options. + - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. + - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS + required: false + + ssl_server_ftps_client_cert_request: + description: + - Action based on client certificate request failure during the FTPS handshake. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_server_https_client_cert_request: + description: + - Action based on client certificate request failure during the HTTPS handshake. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_server_imaps_client_cert_request: + description: + - Action based on client certificate request failure during the IMAPS handshake. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_server_ip: + description: + - IPv4 address of the SSL server. + required: false + + ssl_server_pop3s_client_cert_request: + description: + - Action based on client certificate request failure during the POP3S handshake. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_server_smtps_client_cert_request: + description: + - Action based on client certificate request failure during the SMTPS handshake. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + ssl_server_ssl_other_client_cert_request: + description: + - Action based on client certificate request failure during an SSL protocol handshake. + - choice | bypass | Bypass. + - choice | inspect | Inspect. + - choice | block | Block. + required: false + choices: ["bypass", "inspect", "block"] + + +''' + +EXAMPLES = ''' + - name: DELETE Profile + fmgr_secprof_ssl_ssh: + host: "{{inventory_hostname}}" + username: "{{ username }}" + password: "{{ password }}" + name: Ansible_SSL_SSH_Profile + mode: delete + + - name: CREATE Profile + fmgr_secprof_ssl_ssh: + host: "{{inventory_hostname}}" + username: "{{ username }}" + password: "{{ password }}" + name: Ansible_SSL_SSH_Profile + comment: "Created by Ansible Module TEST" + mode: set + mapi_over_https: enable + rpc_over_https: enable + server_cert_mode: replace + ssl_anomalies_log: enable + ssl_exemptions_log: enable + use_ssl_server: enable + whitelist: enable +''' + +RETURN = """ +api_result: + description: full API response, includes status code and message + returned: always + type: string +""" + +from ansible.module_utils.basic import AnsibleModule, env_fallback +from ansible.module_utils.network.fortimanager.fortimanager import AnsibleFortiManager + +############### +# START METHODS +############### + + +def fmgr_firewall_ssl_ssh_profile_addsetdelete(fmg, paramgram): + """ + fmgr_firewall_ssl_ssh_profile -- Your Description here, bruh + """ + + mode = paramgram["mode"] + adom = paramgram["adom"] + + response = (-100000, {"msg": "Illegal or malformed paramgram discovered. System Exception"}) + url = "" + datagram = {} + + # EVAL THE MODE PARAMETER FOR SET OR ADD + if mode in ['set', 'add', 'update']: + url = '/pm/config/adom/{adom}/obj/firewall/ssl-ssh-profile'.format(adom=adom) + datagram = fmgr_del_none(fmgr_prepare_dict(paramgram)) + + # EVAL THE MODE PARAMETER FOR DELETE + elif mode == "delete": + # SET THE CORRECT URL FOR DELETE + url = '/pm/config/adom/{adom}/obj/firewall/ssl-ssh-profile/{name}'.format(adom=adom, name=paramgram["name"]) + datagram = {} + + # IF MODE = SET -- USE THE 'SET' API CALL MODE + if mode == "set": + response = fmg.set(url, datagram) + # IF MODE = UPDATE -- USER THE 'UPDATE' API CALL MODE + elif mode == "update": + response = fmg.update(url, datagram) + # IF MODE = ADD -- USE THE 'ADD' API CALL MODE + elif mode == "add": + response = fmg.add(url, datagram) + # IF MODE = DELETE -- USE THE DELETE URL AND API CALL MODE + elif mode == "delete": + response = fmg.delete(url, datagram) + + return response + + +# ADDITIONAL COMMON FUNCTIONS +def fmgr_logout(fmg, module, msg="NULL", results=(), good_codes=(0,), logout_on_fail=True, logout_on_success=False): + """ + THIS METHOD CONTROLS THE LOGOUT AND ERROR REPORTING AFTER AN METHOD OR FUNCTION RUNS + """ + # VALIDATION ERROR (NO RESULTS, JUST AN EXIT) + if msg != "NULL" and len(results) == 0: + try: + fmg.logout() + except: + pass + module.fail_json(msg=msg) + + # SUBMISSION ERROR + if len(results) > 0: + if msg == "NULL": + try: + msg = results[1]['status']['message'] + except: + msg = "No status message returned from pyFMG. Possible that this was a GET with a tuple result." + + if results[0] not in good_codes: + if logout_on_fail: + fmg.logout() + module.fail_json(msg=msg, **results[1]) + else: + if logout_on_success: + fmg.logout() + module.exit_json(msg="API Called worked, but logout handler has been asked to logout on success", + **results[1]) + return msg + + +# FUNCTION/METHOD FOR CONVERTING CIDR TO A NETMASK +# DID NOT USE IP ADDRESS MODULE TO KEEP INCLUDES TO A MINIMUM +def fmgr_cidr_to_netmask(cidr): + cidr = int(cidr) + mask = (0xffffffff >> (32 - cidr)) << (32 - cidr) + return(str((0xff000000 & mask) >> 24) + '.' + + str((0x00ff0000 & mask) >> 16) + '.' + + str((0x0000ff00 & mask) >> 8) + '.' + + str((0x000000ff & mask))) + + +# utility function: removing keys wih value of None, nothing in playbook for that key +def fmgr_del_none(obj): + if isinstance(obj, dict): + return type(obj)((fmgr_del_none(k), fmgr_del_none(v)) + for k, v in obj.items() if k is not None and (v is not None and not fmgr_is_empty_dict(v))) + else: + return obj + + +# utility function: remove keys that are need for the logic but the FMG API won't accept them +def fmgr_prepare_dict(obj): + list_of_elems = ["mode", "adom", "host", "username", "password"] + if isinstance(obj, dict): + obj = dict((key, fmgr_prepare_dict(value)) for (key, value) in obj.items() if key not in list_of_elems) + return obj + + +def fmgr_is_empty_dict(obj): + return_val = False + if isinstance(obj, dict): + if len(obj) > 0: + for k, v in obj.items(): + if isinstance(v, dict): + if len(v) == 0: + return_val = True + elif len(v) > 0: + for k1, v1 in v.items(): + if v1 is None: + return_val = True + elif v1 is not None: + return_val = False + return return_val + elif v is None: + return_val = True + elif v is not None: + return_val = False + return return_val + elif len(obj) == 0: + return_val = True + + return return_val + + +def fmgr_split_comma_strings_into_lists(obj): + if isinstance(obj, dict): + if len(obj) > 0: + for k, v in obj.items(): + if isinstance(v, str): + new_list = list() + if "," in v: + new_items = v.split(",") + for item in new_items: + new_list.append(item.strip()) + obj[k] = new_list + + return obj + + +############# +# END METHODS +############# + + +def main(): + argument_spec = dict( + adom=dict(type="str", default="root"), + host=dict(required=True, type="str"), + password=dict(fallback=(env_fallback, ["ANSIBLE_NET_PASSWORD"]), no_log=True, required=True), + username=dict(fallback=(env_fallback, ["ANSIBLE_NET_USERNAME"]), no_log=True, required=True), + mode=dict(choices=["add", "set", "delete", "update"], type="str", default="add"), + + whitelist=dict(required=False, type="str", choices=["disable", "enable"]), + use_ssl_server=dict(required=False, type="str", choices=["disable", "enable"]), + untrusted_caname=dict(required=False, type="str"), + ssl_exemptions_log=dict(required=False, type="str", choices=["disable", "enable"]), + ssl_anomalies_log=dict(required=False, type="str", choices=["disable", "enable"]), + server_cert_mode=dict(required=False, type="str", choices=["re-sign", "replace"]), + server_cert=dict(required=False, type="str"), + rpc_over_https=dict(required=False, type="str", choices=["disable", "enable"]), + name=dict(required=False, type="str"), + mapi_over_https=dict(required=False, type="str", choices=["disable", "enable"]), + comment=dict(required=False, type="str"), + caname=dict(required=False, type="str"), + ftps=dict(required=False, type="list"), + ftps_allow_invalid_server_cert=dict(required=False, type="str", choices=["disable", "enable"]), + ftps_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ftps_ports=dict(required=False, type="str"), + ftps_status=dict(required=False, type="str", choices=["disable", "deep-inspection"]), + ftps_unsupported_ssl=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ftps_untrusted_cert=dict(required=False, type="str", choices=["allow", "block", "ignore"]), + https=dict(required=False, type="list"), + https_allow_invalid_server_cert=dict(required=False, type="str", choices=["disable", "enable"]), + https_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + https_ports=dict(required=False, type="str"), + https_status=dict(required=False, type="str", choices=["disable", "certificate-inspection", "deep-inspection"]), + https_unsupported_ssl=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + https_untrusted_cert=dict(required=False, type="str", choices=["allow", "block", "ignore"]), + imaps=dict(required=False, type="list"), + imaps_allow_invalid_server_cert=dict(required=False, type="str", choices=["disable", "enable"]), + imaps_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + imaps_ports=dict(required=False, type="str"), + imaps_status=dict(required=False, type="str", choices=["disable", "deep-inspection"]), + imaps_unsupported_ssl=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + imaps_untrusted_cert=dict(required=False, type="str", choices=["allow", "block", "ignore"]), + pop3s=dict(required=False, type="list"), + pop3s_allow_invalid_server_cert=dict(required=False, type="str", choices=["disable", "enable"]), + pop3s_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + pop3s_ports=dict(required=False, type="str"), + pop3s_status=dict(required=False, type="str", choices=["disable", "deep-inspection"]), + pop3s_unsupported_ssl=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + pop3s_untrusted_cert=dict(required=False, type="str", choices=["allow", "block", "ignore"]), + smtps=dict(required=False, type="list"), + smtps_allow_invalid_server_cert=dict(required=False, type="str", choices=["disable", "enable"]), + smtps_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + smtps_ports=dict(required=False, type="str"), + smtps_status=dict(required=False, type="str", choices=["disable", "deep-inspection"]), + smtps_unsupported_ssl=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + smtps_untrusted_cert=dict(required=False, type="str", choices=["allow", "block", "ignore"]), + ssh=dict(required=False, type="list"), + ssh_inspect_all=dict(required=False, type="str", choices=["disable", "deep-inspection"]), + ssh_ports=dict(required=False, type="str"), + ssh_ssh_algorithm=dict(required=False, type="str", choices=["compatible", "high-encryption"]), + ssh_ssh_policy_check=dict(required=False, type="str", choices=["disable", "enable"]), + ssh_ssh_tun_policy_check=dict(required=False, type="str", choices=["disable", "enable"]), + ssh_status=dict(required=False, type="str", choices=["disable", "deep-inspection"]), + ssh_unsupported_version=dict(required=False, type="str", choices=["block", "bypass"]), + ssl=dict(required=False, type="list"), + ssl_allow_invalid_server_cert=dict(required=False, type="str", choices=["disable", "enable"]), + ssl_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_inspect_all=dict(required=False, type="str", choices=["disable", "certificate-inspection", + "deep-inspection"]), + ssl_unsupported_ssl=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_untrusted_cert=dict(required=False, type="str", choices=["allow", "block", "ignore"]), + ssl_exempt=dict(required=False, type="list"), + ssl_exempt_address=dict(required=False, type="str"), + ssl_exempt_address6=dict(required=False, type="str"), + ssl_exempt_fortiguard_category=dict(required=False, type="str"), + ssl_exempt_regex=dict(required=False, type="str"), + ssl_exempt_type=dict(required=False, type="str", choices=["fortiguard-category", "address", "address6", + "wildcard-fqdn", "regex"]), + ssl_exempt_wildcard_fqdn=dict(required=False, type="str"), + ssl_server=dict(required=False, type="list"), + ssl_server_ftps_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_server_https_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_server_imaps_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_server_ip=dict(required=False, type="str"), + ssl_server_pop3s_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_server_smtps_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", "block"]), + ssl_server_ssl_other_client_cert_request=dict(required=False, type="str", choices=["bypass", "inspect", + "block"]), + + ) + + module = AnsibleModule(argument_spec, supports_check_mode=False) + + # MODULE PARAMGRAM + paramgram = { + "mode": module.params["mode"], + "adom": module.params["adom"], + "whitelist": module.params["whitelist"], + "use-ssl-server": module.params["use_ssl_server"], + "untrusted-caname": module.params["untrusted_caname"], + "ssl-exemptions-log": module.params["ssl_exemptions_log"], + "ssl-anomalies-log": module.params["ssl_anomalies_log"], + "server-cert-mode": module.params["server_cert_mode"], + "server-cert": module.params["server_cert"], + "rpc-over-https": module.params["rpc_over_https"], + "name": module.params["name"], + "mapi-over-https": module.params["mapi_over_https"], + "comment": module.params["comment"], + "caname": module.params["caname"], + "ftps": { + "allow-invalid-server-cert": module.params["ftps_allow_invalid_server_cert"], + "client-cert-request": module.params["ftps_client_cert_request"], + "ports": module.params["ftps_ports"], + "status": module.params["ftps_status"], + "unsupported-ssl": module.params["ftps_unsupported_ssl"], + "untrusted-cert": module.params["ftps_untrusted_cert"], + }, + "https": { + "allow-invalid-server-cert": module.params["https_allow_invalid_server_cert"], + "client-cert-request": module.params["https_client_cert_request"], + "ports": module.params["https_ports"], + "status": module.params["https_status"], + "unsupported-ssl": module.params["https_unsupported_ssl"], + "untrusted-cert": module.params["https_untrusted_cert"], + }, + "imaps": { + "allow-invalid-server-cert": module.params["imaps_allow_invalid_server_cert"], + "client-cert-request": module.params["imaps_client_cert_request"], + "ports": module.params["imaps_ports"], + "status": module.params["imaps_status"], + "unsupported-ssl": module.params["imaps_unsupported_ssl"], + "untrusted-cert": module.params["imaps_untrusted_cert"], + }, + "pop3s": { + "allow-invalid-server-cert": module.params["pop3s_allow_invalid_server_cert"], + "client-cert-request": module.params["pop3s_client_cert_request"], + "ports": module.params["pop3s_ports"], + "status": module.params["pop3s_status"], + "unsupported-ssl": module.params["pop3s_unsupported_ssl"], + "untrusted-cert": module.params["pop3s_untrusted_cert"], + }, + "smtps": { + "allow-invalid-server-cert": module.params["smtps_allow_invalid_server_cert"], + "client-cert-request": module.params["smtps_client_cert_request"], + "ports": module.params["smtps_ports"], + "status": module.params["smtps_status"], + "unsupported-ssl": module.params["smtps_unsupported_ssl"], + "untrusted-cert": module.params["smtps_untrusted_cert"], + }, + "ssh": { + "inspect-all": module.params["ssh_inspect_all"], + "ports": module.params["ssh_ports"], + "ssh-algorithm": module.params["ssh_ssh_algorithm"], + "ssh-policy-check": module.params["ssh_ssh_policy_check"], + "ssh-tun-policy-check": module.params["ssh_ssh_tun_policy_check"], + "status": module.params["ssh_status"], + "unsupported-version": module.params["ssh_unsupported_version"], + }, + "ssl": { + "allow-invalid-server-cert": module.params["ssl_allow_invalid_server_cert"], + "client-cert-request": module.params["ssl_client_cert_request"], + "inspect-all": module.params["ssl_inspect_all"], + "unsupported-ssl": module.params["ssl_unsupported_ssl"], + "untrusted-cert": module.params["ssl_untrusted_cert"], + }, + "ssl-exempt": { + "address": module.params["ssl_exempt_address"], + "address6": module.params["ssl_exempt_address6"], + "fortiguard-category": module.params["ssl_exempt_fortiguard_category"], + "regex": module.params["ssl_exempt_regex"], + "type": module.params["ssl_exempt_type"], + "wildcard-fqdn": module.params["ssl_exempt_wildcard_fqdn"], + }, + "ssl-server": { + "ftps-client-cert-request": module.params["ssl_server_ftps_client_cert_request"], + "https-client-cert-request": module.params["ssl_server_https_client_cert_request"], + "imaps-client-cert-request": module.params["ssl_server_imaps_client_cert_request"], + "ip": module.params["ssl_server_ip"], + "pop3s-client-cert-request": module.params["ssl_server_pop3s_client_cert_request"], + "smtps-client-cert-request": module.params["ssl_server_smtps_client_cert_request"], + "ssl-other-client-cert-request": module.params["ssl_server_ssl_other_client_cert_request"], + } + } + + list_overrides = ['ftps', 'https', 'imaps', 'pop3s', 'smtps', 'ssh', 'ssl', 'ssl-exempt', 'ssl-server'] + for list_variable in list_overrides: + override_data = list() + try: + override_data = module.params[list_variable] + except: + pass + try: + if override_data: + del paramgram[list_variable] + paramgram[list_variable] = override_data + except: + pass + + # CHECK IF THE HOST/USERNAME/PW EXISTS, AND IF IT DOES, LOGIN. + host = module.params["host"] + password = module.params["password"] + username = module.params["username"] + if host is None or username is None or password is None: + module.fail_json(msg="Host and username and password are required") + + # CHECK IF LOGIN FAILED + fmg = AnsibleFortiManager(module, module.params["host"], module.params["username"], module.params["password"]) + + response = fmg.login() + if response[1]['status']['code'] != 0: + module.fail_json(msg="Connection to FortiManager Failed") + + results = fmgr_firewall_ssl_ssh_profile_addsetdelete(fmg, paramgram) + if results[0] != 0: + fmgr_logout(fmg, module, results=results, good_codes=[0]) + + fmg.logout() + + if results is not None: + return module.exit_json(**results[1]) + else: + return module.exit_json(msg="No results were returned from the API call.") + + +if __name__ == "__main__": + main() diff --git a/test/units/modules/network/fortimanager/fixtures/test_fmgr_secprof_ssl_ssh.json b/test/units/modules/network/fortimanager/fixtures/test_fmgr_secprof_ssl_ssh.json new file mode 100644 index 0000000000..c0c44a79fd --- /dev/null +++ b/test/units/modules/network/fortimanager/fixtures/test_fmgr_secprof_ssl_ssh.json @@ -0,0 +1,202 @@ +{ + "fmgr_firewall_ssl_ssh_profile_addsetdelete": [ + { + "paramgram_used": { + "comment": null, + "untrusted-caname": null, + "mapi-over-https": null, + "whitelist": null, + "caname": null, + "ftps": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "client-cert-request": null, + "ports": null, + "untrusted-cert": null + }, + "ssl-exemptions-log": null, + "https": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "client-cert-request": null, + "ports": null, + "untrusted-cert": null + }, + "imaps": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "client-cert-request": null, + "ports": null, + "untrusted-cert": null + }, + "server-cert-mode": null, + "adom": "root", + "ssl-exempt": { + "regex": null, + "wildcard-fqdn": null, + "fortiguard-category": null, + "address6": null, + "address": null, + "type": null + }, + "ssl": { + "inspect-all": null, + "allow-invalid-server-cert": null, + "client-cert-request": null, + "untrusted-cert": null, + "unsupported-ssl": null + }, + "ssh": { + "status": null, + "inspect-all": null, + "ssh-tun-policy-check": null, + "ssh-policy-check": null, + "ssh-algorithm": null, + "unsupported-version": null, + "ports": null + }, + "use-ssl-server": null, + "server-cert": null, + "name": "Ansible_SSL_SSH_Profile", + "ssl-anomalies-log": null, + "ssl-server": { + "pop3s-client-cert-request": null, + "imaps-client-cert-request": null, + "smtps-client-cert-request": null, + "ip": null, + "ssl-other-client-cert-request": null, + "https-client-cert-request": null, + "ftps-client-cert-request": null + }, + "smtps": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "client-cert-request": null, + "ports": null, + "untrusted-cert": null + }, + "rpc-over-https": null, + "mode": "delete", + "pop3s": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "client-cert-request": null, + "ports": null, + "untrusted-cert": null + } + }, + "raw_response": { + "status": { + "message": "OK", + "code": 0 + }, + "url": "/pm/config/adom/root/obj/firewall/ssl-ssh-profile/Ansible_SSL_SSH_Profile" + }, + "post_method": "delete" + }, + { + "raw_response": { + "status": { + "message": "OK", + "code": 0 + }, + "url": "/pm/config/adom/root/obj/firewall/ssl-ssh-profile" + }, + "paramgram_used": { + "comment": "Created by Ansible Module TEST", + "untrusted-caname": null, + "mapi-over-https": "enable", + "whitelist": "enable", + "caname": null, + "ftps": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "untrusted-cert": null, + "client-cert-request": null, + "ports": null + }, + "ssl-exemptions-log": "enable", + "https": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "untrusted-cert": null, + "client-cert-request": null, + "ports": null + }, + "pop3s": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "untrusted-cert": null, + "client-cert-request": null, + "ports": null + }, + "server-cert-mode": "replace", + "adom": "root", + "ssl-exempt": { + "regex": null, + "wildcard-fqdn": null, + "fortiguard-category": null, + "address6": null, + "address": null, + "type": null + }, + "ssl": { + "unsupported-ssl": null, + "inspect-all": null, + "allow-invalid-server-cert": null, + "untrusted-cert": null, + "client-cert-request": null + }, + "ssh": { + "status": null, + "inspect-all": null, + "ssh-tun-policy-check": null, + "ssh-policy-check": null, + "ssh-algorithm": null, + "unsupported-version": null, + "ports": null + }, + "server-cert": null, + "name": "Ansible_SSL_SSH_Profile", + "ssl-anomalies-log": "enable", + "ssl-server": { + "pop3s-client-cert-request": null, + "imaps-client-cert-request": null, + "smtps-client-cert-request": null, + "ip": null, + "ssl-other-client-cert-request": null, + "https-client-cert-request": null, + "ftps-client-cert-request": null + }, + "smtps": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "untrusted-cert": null, + "client-cert-request": null, + "ports": null + }, + "imaps": { + "status": null, + "allow-invalid-server-cert": null, + "unsupported-ssl": null, + "untrusted-cert": null, + "client-cert-request": null, + "ports": null + }, + "rpc-over-https": "enable", + "mode": "set", + "use-ssl-server": "enable" + }, + "post_method": "set" + } + ] +} diff --git a/test/units/modules/network/fortimanager/test_fmgr_secprof_ssl_ssh.py b/test/units/modules/network/fortimanager/test_fmgr_secprof_ssl_ssh.py new file mode 100644 index 0000000000..f688d924aa --- /dev/null +++ b/test/units/modules/network/fortimanager/test_fmgr_secprof_ssl_ssh.py @@ -0,0 +1,135 @@ +# Copyright 2018 Fortinet, Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +# Make coding more python3-ish +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import json +from pyFMG.fortimgr import FortiManager +import pytest + +try: + from ansible.modules.network.fortimanager import fmgr_secprof_ssl_ssh +except ImportError: + pytest.skip("Could not load required modules for testing", allow_module_level=True) + +fmg_instance = FortiManager("1.1.1.1", "admin", "") + + +def load_fixtures(): + fixture_path = os.path.join( + os.path.dirname(__file__), + 'fixtures') + "/{filename}.json".format( + filename=os.path.splitext( + os.path.basename(__file__))[0]) + try: + with open(fixture_path, "r") as fixture_file: + fixture_data = json.load(fixture_file) + except IOError: + return [] + return [fixture_data] + + +@pytest.fixture(scope="function", params=load_fixtures()) +def fixture_data(request): + func_name = request.function.__name__.replace("test_", "") + return request.param.get(func_name, None) + + +def test_fmgr_firewall_ssl_ssh_profile_addsetdelete(fixture_data, mocker): + mocker.patch("pyFMG.fortimgr.FortiManager._post_request", side_effect=fixture_data) + # Fixture sets used:########################### + + ################################################## + # comment: None + # untrusted-caname: None + # mapi-over-https: None + # whitelist: None + # caname: None + # ftps: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'client-cert-request': None, + # 'ports': None, 'untrusted-cert': None} + # ssl-exemptions-log: None + # https: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'client-cert-request': None, + # 'ports': None, 'untrusted-cert': None} + # imaps: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'client-cert-request': None, + # 'ports': None, 'untrusted-cert': None} + # server-cert-mode: None + # adom: root + # ssl-exempt: {'regex': None, 'wildcard-fqdn': None, 'fortiguard-category': None, 'address6': None, + # 'address': None, 'type': None} + # ssl: {'inspect-all': None, 'allow-invalid-server-cert': None, 'client-cert-request': None, + # 'untrusted-cert': None, 'unsupported-ssl': None} + # ssh: {'status': None, 'inspect-all': None, 'ssh-tun-policy-check': None, 'ssh-policy-check': None, + # 'ssh-algorithm': None, 'unsupported-version': None, 'ports': None} + # use-ssl-server: None + # server-cert: None + # name: Ansible_SSL_SSH_Profile + # ssl-anomalies-log: None + # ssl-server: {'pop3s-client-cert-request': None, 'imaps-client-cert-request': None, + # 'smtps-client-cert-request': None, 'ip': None, 'ssl-other-client-cert-request': None, + # 'https-client-cert-request': None, 'ftps-client-cert-request': None} + # smtps: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'client-cert-request': None, + # 'ports': None, 'untrusted-cert': None} + # rpc-over-https: None + # mode: delete + # pop3s: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'client-cert-request': None, + # 'ports': None, 'untrusted-cert': None} + ################################################## + ################################################## + # comment: Created by Ansible Module TEST + # untrusted-caname: None + # mapi-over-https: enable + # whitelist: enable + # caname: None + # ftps: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'untrusted-cert': None, + # 'client-cert-request': None, 'ports': None} + # ssl-exemptions-log: enable + # https: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'untrusted-cert': None, + # 'client-cert-request': None, 'ports': None} + # pop3s: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'untrusted-cert': None, + # 'client-cert-request': None, 'ports': None} + # server-cert-mode: replace + # adom: root + # ssl-exempt: {'regex': None, 'wildcard-fqdn': None, 'fortiguard-category': None, 'address6': None, + # 'address': None, 'type': None} + # ssl: {'unsupported-ssl': None, 'inspect-all': None, 'allow-invalid-server-cert': None, 'untrusted-cert': None, + # 'client-cert-request': None} + # ssh: {'status': None, 'inspect-all': None, 'ssh-tun-policy-check': None, 'ssh-policy-check': None, + # 'ssh-algorithm': None, 'unsupported-version': None, 'ports': None} + # server-cert: None + # name: Ansible_SSL_SSH_Profile + # ssl-anomalies-log: enable + # ssl-server: {'pop3s-client-cert-request': None, 'imaps-client-cert-request': None, + # 'smtps-client-cert-request': None, 'ip': None, 'ssl-other-client-cert-request': None, + # 'https-client-cert-request': None, 'ftps-client-cert-request': None} + # smtps: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'untrusted-cert': None, + # 'client-cert-request': None, 'ports': None} + # imaps: {'status': None, 'allow-invalid-server-cert': None, 'unsupported-ssl': None, 'untrusted-cert': None, + # 'client-cert-request': None, 'ports': None} + # rpc-over-https: enable + # mode: set + # use-ssl-server: enable + ################################################## + + # Test using fixture 1 # + output = fmgr_secprof_ssl_ssh.fmgr_firewall_ssl_ssh_profile_addsetdelete( + fmg_instance, fixture_data[0]['paramgram_used']) + assert output['raw_response']['status']['code'] == 0 + # Test using fixture 2 # + output = fmgr_secprof_ssl_ssh.fmgr_firewall_ssl_ssh_profile_addsetdelete( + fmg_instance, fixture_data[1]['paramgram_used']) + assert output['raw_response']['status']['code'] == 0