From 232fcb9f34683ab3cab213b59d63ce428d60fbfb Mon Sep 17 00:00:00 2001 From: Tim Rupp Date: Sun, 11 Nov 2018 10:57:26 -0800 Subject: [PATCH] Adds the bigip_profile_server_ssl module (#48532) --- .../network/f5/bigip_profile_server_ssl.py | 661 ++++++++++++++++++ .../load_ltm_profile_serverssl_1.json | 73 ++ .../f5/test_bigip_profile_server_ssl.py | 116 +++ 3 files changed, 850 insertions(+) create mode 100644 lib/ansible/modules/network/f5/bigip_profile_server_ssl.py create mode 100644 test/units/modules/network/f5/fixtures/load_ltm_profile_serverssl_1.json create mode 100644 test/units/modules/network/f5/test_bigip_profile_server_ssl.py diff --git a/lib/ansible/modules/network/f5/bigip_profile_server_ssl.py b/lib/ansible/modules/network/f5/bigip_profile_server_ssl.py new file mode 100644 index 0000000000..9c282bd7fe --- /dev/null +++ b/lib/ansible/modules/network/f5/bigip_profile_server_ssl.py @@ -0,0 +1,661 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2018, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'certified'} + +DOCUMENTATION = r''' +--- +module: bigip_profile_server_ssl +short_description: Manages server SSL profiles on a BIG-IP +description: + - Manages server SSL profiles on a BIG-IP. +version_added: 2.8 +options: + name: + description: + - Specifies the name of the profile. + required: True + parent: + description: + - The parent template of this monitor template. Once this value has + been set, it cannot be changed. + default: /Common/serverssl + ciphers: + description: + - Specifies the list of ciphers that the system supports. When creating a new + profile, the default cipher list is provided by the parent profile. + secure_renegotiation: + description: + - Specifies the method of secure renegotiations for SSL connections. When + creating a new profile, the setting is provided by the parent profile. + - When C(request) is set the system request secure renegotation of SSL + connections. + - C(require) is a default setting and when set the system permits initial SSL + handshakes from clients but terminates renegotiations from unpatched clients. + - The C(require-strict) setting the system requires strict renegotiation of SSL + connections. In this mode the system refuses connections to insecure servers, + and terminates existing SSL connections to insecure servers. + choices: + - require + - require-strict + - request + server_name: + description: + - Specifies the fully qualified DNS hostname of the server used in Server Name + Indication communications. When creating a new profile, the setting is provided + by the parent profile. + sni_default: + description: + - Indicates that the system uses this profile as the default SSL profile when there + is no match to the server name, or when the client provides no SNI extension support. + - When creating a new profile, the setting is provided by the parent profile. + - There can be only one SSL profile with this setting enabled. + type: bool + sni_require: + description: + - Requires that the network peers also provide SNI support. This setting only takes + effect when C(sni_default) is C(yes). When creating a new profile, the setting + is provided by the parent profile. + type: bool + server_certificate: + description: + - Specifies the way the system handles server certificates. + - When C(ignore), specifies that the system ignores certificates from server systems. + - When C(require), specifies that the system requires a server to present a valid + certificate. + choices: + - ignore + - require + certificate: + description: + - Specifies the name of the certificate that the system uses for server-side SSL + processing. + key: + description: + - Specifies the file name of the SSL key. + chain: + description: + - Specifies the certificates-key chain to associate with the SSL profile. + passphrase: + description: + - Specifies a passphrase used to encrypt the key. + update_password: + description: + - C(always) will allow to update passwords if the user chooses to do so. + C(on_create) will only set the password for newly created profiles. + default: always + choices: + - always + - on_create + ocsp_profile: + description: + - Specifies the name of the OCSP profile for purpose of validating status + of server certificate. + partition: + description: + - Device partition to manage resources on. + default: Common + state: + description: + - When C(present), ensures that the profile exists. + - When C(absent), ensures the profile is removed. + default: present + choices: + - present + - absent +extends_documentation_fragment: f5 +author: + - Tim Rupp (@caphrim007) +''' + +EXAMPLES = r''' +- name: Create a new server SSL profile + bigip_profile_server_ssl: + name: foo + provider: + password: secret + server: lb.mydomain.com + user: admin + delegate_to: localhost +''' + +RETURN = r''' +ciphers: + description: The ciphers applied to the profile. + returned: changed + type: string + sample: "!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA" +secure_renegotation: + description: The method of secure SSL renegotiation. + returned: changed + type: string + sample: request +''' + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.basic import env_fallback + +try: + from library.module_utils.network.f5.bigip import F5RestClient + from library.module_utils.network.f5.common import F5ModuleError + from library.module_utils.network.f5.common import AnsibleF5Parameters + from library.module_utils.network.f5.common import cleanup_tokens + from library.module_utils.network.f5.common import fq_name + from library.module_utils.network.f5.common import f5_argument_spec + from library.module_utils.network.f5.common import exit_json + from library.module_utils.network.f5.common import fail_json + from library.module_utils.network.f5.common import flatten_boolean + from library.module_utils.network.f5.common import transform_name +except ImportError: + from ansible.module_utils.network.f5.bigip import F5RestClient + from ansible.module_utils.network.f5.common import F5ModuleError + from ansible.module_utils.network.f5.common import AnsibleF5Parameters + from ansible.module_utils.network.f5.common import cleanup_tokens + from ansible.module_utils.network.f5.common import fq_name + from ansible.module_utils.network.f5.common import f5_argument_spec + from ansible.module_utils.network.f5.common import exit_json + from ansible.module_utils.network.f5.common import fail_json + from ansible.module_utils.network.f5.common import flatten_boolean + from ansible.module_utils.network.f5.common import transform_name + + +class Parameters(AnsibleF5Parameters): + api_map = { + 'cert': 'certificate', + 'ocsp': 'ocsp_profile', + 'defaultsFrom': 'parent', + 'secureRenegotiation': 'secure_renegotiation', + 'sniDefault': 'sni_default', + 'sniRequire': 'sni_require', + 'serverName': 'server_name', + 'peerCertMode': 'server_certificate', + } + + api_attributes = [ + 'cert', + 'chain', + 'ciphers', + 'defaultsFrom', + 'key', + 'ocsp', + 'secureRenegotiation', + 'sniDefault', + 'sniRequire', + 'serverName', + 'peerCertMode', + ] + + returnables = [ + 'certificate', + 'chain', + 'ciphers', + 'key', + 'ocsp_profile', + 'secure_renegotiation', + 'parent', + 'sni_default', + 'sni_require', + 'server_name', + 'server_certificate', + ] + + updatables = [ + 'certificate', + 'chain', + 'ciphers', + 'key', + 'ocsp_profile', + 'secure_renegotiation', + 'sni_default', + 'sni_require', + 'server_name', + 'server_certificate', + ] + + @property + def sni_default(self): + return flatten_boolean(self._values['sni_default']) + + @property + def certificate(self): + if self._values['certificate'] is None: + return None + if self._values['certificate'] in ['', 'none']: + return '' + result = fq_name(self.partition, self._values['certificate']) + return result + + @property + def key(self): + if self._values['key'] is None: + return None + if self._values['key'] in ['', 'none']: + return '' + result = fq_name(self.partition, self._values['key']) + return result + + @property + def chain(self): + if self._values['chain'] is None: + return None + if self._values['chain'] in ['', 'none']: + return '' + result = fq_name(self.partition, self._values['chain']) + return result + + @property + def ocsp_profile(self): + if self._values['ocsp_profile'] is None: + return None + if self._values['ocsp_profile'] in ['', 'none']: + return '' + result = fq_name(self.partition, self._values['ocsp_profile']) + return result + + +class ApiParameters(Parameters): + @property + def sni_require(self): + return flatten_boolean(self._values['sni_require']) + + @property + def server_name(self): + if self._values['server_name'] in [None, 'none']: + return None + return self._values['server_name'] + + +class ModuleParameters(Parameters): + @property + def server_name(self): + if self._values['server_name'] is None: + return None + if self._values['server_name'] in ['', 'none']: + return '' + return self._values['server_name'] + + @property + def parent(self): + if self._values['parent'] is None: + return None + if self._values['parent'] == 'serverssl': + return '/Common/serverssl' + result = fq_name(self.partition, self._values['parent']) + return result + + @property + def sni_require(self): + require = flatten_boolean(self._values['sni_require']) + default = self.sni_default + if require is None: + return None + if default in [None, 'no']: + if require == 'yes': + raise F5ModuleError( + "Cannot set 'sni_require' to {0} if 'sni_default' is set as {1}".format(require, default)) + return require + + +class Changes(Parameters): + def to_return(self): + result = {} + try: + for returnable in self.returnables: + result[returnable] = getattr(self, returnable) + result = self._filter_params(result) + except Exception: + pass + return result + + +class UsableChanges(Changes): + @property + def sni_default(self): + if self._values['sni_default'] is None: + return None + elif self._values['sni_default'] == 'yes': + return 'true' + else: + return 'false' + + @property + def sni_require(self): + if self._values['sni_require'] is None: + return None + elif self._values['sni_require'] == 'yes': + return 'true' + else: + return 'false' + + +class ReportableChanges(Changes): + @property + def sni_default(self): + result = flatten_boolean(self._values['sni_default']) + return result + + @property + def sni_require(self): + result = flatten_boolean(self._values['sni_require']) + return result + + +class Difference(object): + def __init__(self, want, have=None): + self.want = want + self.have = have + + def compare(self, param): + try: + result = getattr(self, param) + return result + except AttributeError: + return self.__default(param) + + @property + def parent(self): + if self.want.parent != self.have.parent: + raise F5ModuleError( + "The parent profile cannot be changed" + ) + + @property + def sni_require(self): + if self.want.sni_require is None: + return None + if self.want.sni_require == 'no': + if self.have.sni_default == 'yes' and self.want.sni_default is None: + raise F5ModuleError( + "Cannot set 'sni_require' to {0} if 'sni_default' is {1}".format( + self.want.sni_require, self.have.sni_default + ) + ) + if self.want.sni_require != self.have.sni_require: + return self.want.sni_require + + @property + def server_name(self): + if self.want.server_name is None: + return None + if self.want.server_name == '' and self.have.server_name is None: + return None + if self.want.server_name != self.have.server_name: + return self.want.server_name + + def __default(self, param): + attr1 = getattr(self.want, param) + try: + attr2 = getattr(self.have, param) + if attr1 != attr2: + return attr1 + except AttributeError: + return attr1 + + +class ModuleManager(object): + def __init__(self, *args, **kwargs): + self.module = kwargs.get('module', None) + self.client = kwargs.get('client', None) + self.want = ModuleParameters(params=self.module.params) + self.have = ApiParameters() + self.changes = UsableChanges() + + def _set_changed_options(self): + changed = {} + for key in Parameters.returnables: + if getattr(self.want, key) is not None: + changed[key] = getattr(self.want, key) + if changed: + self.changes = UsableChanges(params=changed) + + def _update_changed_options(self): + diff = Difference(self.want, self.have) + updatables = Parameters.updatables + changed = dict() + for k in updatables: + change = diff.compare(k) + if change is None: + continue + else: + if isinstance(change, dict): + changed.update(change) + else: + changed[k] = change + if changed: + self.changes = UsableChanges(params=changed) + return True + return False + + def should_update(self): + result = self._update_changed_options() + if result: + return True + return False + + def exec_module(self): + changed = False + result = dict() + state = self.want.state + + if state == "present": + changed = self.present() + elif state == "absent": + changed = self.absent() + + reportable = ReportableChanges(params=self.changes.to_return()) + changes = reportable.to_return() + result.update(**changes) + result.update(dict(changed=changed)) + self._announce_deprecations(result) + return result + + def _announce_deprecations(self, result): + warnings = result.pop('__warnings', []) + for warning in warnings: + self.client.module.deprecate( + msg=warning['msg'], + version=warning['version'] + ) + + def present(self): + if self.exists(): + return self.update() + else: + return self.create() + + def exists(self): + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/server-ssl/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + resp = self.client.api.get(uri) + try: + response = resp.json() + except ValueError: + return False + if resp.status == 404 or 'code' in response and response['code'] == 404: + return False + return True + + def update(self): + self.have = self.read_current_from_device() + + if self.want.update_password == 'always': + self.want.update({'passphrase': self.want.passphrase}) + else: + if self.want.passphrase: + del self.want._values['passphrase'] + + if not self.should_update(): + return False + + if self.module.check_mode: + return True + self.update_on_device() + return True + + def remove(self): + if self.module.check_mode: + return True + self.remove_from_device() + if self.exists(): + raise F5ModuleError("Failed to delete the resource.") + return True + + def create(self): + self._set_changed_options() + if self.module.check_mode: + return True + self.create_on_device() + return True + + def create_on_device(self): + params = self.changes.api_params() + params['name'] = self.want.name + params['partition'] = self.want.partition + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/server-ssl/".format( + self.client.provider['server'], + self.client.provider['server_port'] + ) + resp = self.client.api.post(uri, json=params) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] in [400, 403]: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + + def update_on_device(self): + params = self.changes.api_params() + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/server-ssl/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + resp = self.client.api.patch(uri, json=params) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + + def absent(self): + if self.exists(): + return self.remove() + return False + + def remove_from_device(self): + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/server-ssl/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + response = self.client.api.delete(uri) + if response.status == 200: + return True + raise F5ModuleError(response.content) + + def read_current_from_device(self): + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/server-ssl/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + resp = self.client.api.get(uri) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + return ApiParameters(params=response) + + +class ArgumentSpec(object): + def __init__(self): + self.supports_check_mode = True + argument_spec = dict( + name=dict(required=True), + certificate=dict(), + chain=dict(), + key=dict(), + passphrase=dict(no_log=True), + parent=dict(default='/Common/serverssl'), + ciphers=dict(), + secure_renegotiation=dict( + choices=['require', 'require-strict', 'request'] + ), + server_certificate=dict( + choices=['ignore', 'require'] + ), + state=dict( + default='present', + choices=['present', 'absent'] + ), + update_password=dict( + default='always', + choices=['always', 'on_create'] + ), + sni_default=dict(type='bool'), + sni_require=dict(type='bool'), + server_name=dict(), + ocsp_profile=dict(), + partition=dict( + default='Common', + fallback=(env_fallback, ['F5_PARTITION']) + ) + ) + self.argument_spec = {} + self.argument_spec.update(f5_argument_spec) + self.argument_spec.update(argument_spec) + self.required_together = [ + ['certificate', 'key'] + ] + + +def main(): + spec = ArgumentSpec() + + module = AnsibleModule( + argument_spec=spec.argument_spec, + supports_check_mode=spec.supports_check_mode, + required_together=spec.required_together, + ) + + client = F5RestClient(**module.params) + + try: + mm = ModuleManager(module=module, client=client) + results = mm.exec_module() + cleanup_tokens(client) + exit_json(module, results, client) + except F5ModuleError as ex: + cleanup_tokens(client) + fail_json(module, ex, client) + + +if __name__ == '__main__': + main() diff --git a/test/units/modules/network/f5/fixtures/load_ltm_profile_serverssl_1.json b/test/units/modules/network/f5/fixtures/load_ltm_profile_serverssl_1.json new file mode 100644 index 0000000000..94e6019fb1 --- /dev/null +++ b/test/units/modules/network/f5/fixtures/load_ltm_profile_serverssl_1.json @@ -0,0 +1,73 @@ +{ + "kind": "tm:ltm:profile:server-ssl:server-sslstate", + "name": "asda", + "partition": "Common", + "fullPath": "/Common/asda", + "generation": 160, + "selfLink": "https://localhost/mgmt/tm/ltm/profile/server-ssl/~Common~asda?ver=13.1.0.8", + "alertTimeout": "indefinite", + "allowExpiredCrl": "disabled", + "appService": "none", + "authenticate": "once", + "authenticateDepth": 9, + "authenticateName": "none", + "bypassOnClientCertFail": "disabled", + "bypassOnHandshakeAlert": "disabled", + "c3dCaCert": "none", + "c3dCaKey": "none", + "c3dCertExtensionCustomOids": [], + "c3dCertExtensionIncludes": [ + "basic-constraints", + "extended-key-usage", + "key-usage", + "subject-alternative-name" + ], + "c3dCertLifespan": 24, + "caFile": "none", + "cacheSize": 262144, + "cacheTimeout": 3600, + "cert": "none", + "chain": "/Common/default.crt", + "chainReference": { + "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=13.1.0.8" + }, + "cipherGroup": "none", + "ciphers": "DEFAULT", + "crlFile": "none", + "defaultsFrom": "/Common/serverssl", + "defaultsFromReference": { + "link": "https://localhost/mgmt/tm/ltm/profile/server-ssl/~Common~serverssl?ver=13.1.0.8" + }, + "description": "none", + "expireCertResponseControl": "drop", + "genericAlert": "enabled", + "handshakeTimeout": "10", + "key": "none", + "maxActiveHandshakes": "indefinite", + "modSslMethods": "disabled", + "mode": "enabled", + "ocsp": "none", + "tmOptions": [ + "dont-insert-empty-fragments" + ], + "peerCertMode": "ignore", + "proxySsl": "disabled", + "proxySslPassthrough": "disabled", + "renegotiatePeriod": "indefinite", + "renegotiateSize": "indefinite", + "renegotiation": "enabled", + "retainCertificate": "true", + "secureRenegotiation": "require-strict", + "serverName": "none", + "sessionMirroring": "disabled", + "sessionTicket": "disabled", + "sniDefault": "false", + "sniRequire": "false", + "sslC3d": "disabled", + "sslForwardProxy": "disabled", + "sslForwardProxyBypass": "disabled", + "sslSignHash": "any", + "strictResume": "disabled", + "uncleanShutdown": "enabled", + "untrustedCertResponseControl": "drop" +} diff --git a/test/units/modules/network/f5/test_bigip_profile_server_ssl.py b/test/units/modules/network/f5/test_bigip_profile_server_ssl.py new file mode 100644 index 0000000000..4c0cfeee44 --- /dev/null +++ b/test/units/modules/network/f5/test_bigip_profile_server_ssl.py @@ -0,0 +1,116 @@ +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2018, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import json +import sys + +from nose.plugins.skip import SkipTest +if sys.version_info < (2, 7): + raise SkipTest("F5 Ansible modules require Python >= 2.7") + +from ansible.module_utils.basic import AnsibleModule + +try: + from library.modules.bigip_profile_server_ssl import ApiParameters + from library.modules.bigip_profile_server_ssl import ModuleParameters + from library.modules.bigip_profile_server_ssl import ModuleManager + from library.modules.bigip_profile_server_ssl import ArgumentSpec + + # In Ansible 2.8, Ansible changed import paths. + from test.units.compat import unittest + from test.units.compat.mock import Mock + from test.units.compat.mock import patch + + from test.units.modules.utils import set_module_args +except ImportError: + try: + from ansible.modules.network.f5.bigip_profile_server_ssl import ApiParameters + from ansible.modules.network.f5.bigip_profile_server_ssl import ModuleParameters + from ansible.modules.network.f5.bigip_profile_server_ssl import ModuleManager + from ansible.modules.network.f5.bigip_profile_server_ssl import ArgumentSpec + + # Ansible 2.8 imports + from units.compat import unittest + from units.compat.mock import Mock + from units.compat.mock import patch + + from units.modules.utils import set_module_args + except ImportError: + raise SkipTest("F5 Ansible modules require the f5-sdk Python library") + +fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures') +fixture_data = {} + + +def load_fixture(name): + path = os.path.join(fixture_path, name) + + if path in fixture_data: + return fixture_data[path] + + with open(path) as f: + data = f.read() + + try: + data = json.loads(data) + except Exception: + pass + + fixture_data[path] = data + return data + + +class TestParameters(unittest.TestCase): + def test_module_parameters(self): + args = dict( + name='foo', + server_name='foo.bar.com', + secure_renegotiation='require', + ) + + p = ModuleParameters(params=args) + assert p.name == 'foo' + assert p.server_name == 'foo.bar.com' + assert p.secure_renegotiation == 'require' + + def test_api_parameters(self): + args = load_fixture('load_ltm_profile_serverssl_1.json') + p = ApiParameters(params=args) + assert p.name == 'asda' + assert p.server_name is None + + +class TestManager(unittest.TestCase): + + def setUp(self): + self.spec = ArgumentSpec() + + def test_create(self, *args): + # Configure the arguments that would be sent to the Ansible module + set_module_args(dict( + name='foo', + server_name='foo.bar.com', + password='password', + server='localhost', + user='admin' + )) + + module = AnsibleModule( + argument_spec=self.spec.argument_spec, + supports_check_mode=self.spec.supports_check_mode + ) + mm = ModuleManager(module=module) + + # Override methods to force specific logic in the module to happen + mm.exists = Mock(return_value=False) + mm.create_on_device = Mock(return_value=True) + + results = mm.exec_module() + + assert results['changed'] is True