mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Adds bigip_device_auth module (#44373)
This module can be used to configure auth settings to the mgmt interface on a BIG-IP.
This commit is contained in:
parent
b54f6cd132
commit
359d97f01b
2 changed files with 936 additions and 0 deletions
805
lib/ansible/modules/network/f5/bigip_device_auth.py
Normal file
805
lib/ansible/modules/network/f5/bigip_device_auth.py
Normal file
|
@ -0,0 +1,805 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Copyright: (c) 2018, F5 Networks Inc.
|
||||
# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
from __future__ import absolute_import, division, print_function
|
||||
__metaclass__ = type
|
||||
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
||||
DOCUMENTATION = r'''
|
||||
---
|
||||
module: bigip_device_auth
|
||||
short_description: Manage system authentication on a BIG-IP
|
||||
description:
|
||||
- Manage the system authentication configuration. This module can assist in configuring
|
||||
a number of different system authentication types. Note that this module can not be used
|
||||
to configure APM authentication types.
|
||||
version_added: 2.7
|
||||
options:
|
||||
type:
|
||||
description:
|
||||
- The authentication type to manage with this module.
|
||||
- Take special note that the parameters supported by this module will vary depending
|
||||
on the C(type) that you are configuring.
|
||||
- This module only supports a subset, at this time, of the total available auth types.
|
||||
choices:
|
||||
- tacacs
|
||||
- local
|
||||
servers:
|
||||
description:
|
||||
- Specifies a list of the IPv4 addresses for servers using the Terminal
|
||||
Access Controller Access System (TACACS)+ protocol with which the system
|
||||
communicates to obtain authorization data.
|
||||
- For each address, an alternate TCP port number may be optionally specified
|
||||
by specifying the C(port) key.
|
||||
- If no port number is specified, the default port C(49163) is used.
|
||||
- This parameter is supported by the C(tacacs) type.
|
||||
suboptions:
|
||||
address:
|
||||
description:
|
||||
- The IP address of the server.
|
||||
- This field is required, unless you are specifying a simple list of servers.
|
||||
In that case, the simple list can specify server IPs. See examples for
|
||||
more clarification.
|
||||
port:
|
||||
description:
|
||||
- The port of the server.
|
||||
default: 49163
|
||||
secret:
|
||||
description:
|
||||
- Secret key used to encrypt and decrypt packets sent or received from the
|
||||
server.
|
||||
- B(Do not) use the pound/hash sign in the secret for TACACS+ servers.
|
||||
- When configuring TACACS+ auth for the first time, this value is required.
|
||||
service_name:
|
||||
description:
|
||||
- Specifies the name of the service that the user is requesting to be
|
||||
authorized to use.
|
||||
- Identifying what the user is asking to be authorized for, enables the
|
||||
TACACS+ server to behave differently for different types of authorization
|
||||
requests.
|
||||
- When configuring this form of system authentication, this setting is required.
|
||||
- Note that the majority of TACACS+ implementations are of service type C(ppp),
|
||||
so try that first.
|
||||
choices:
|
||||
- slip
|
||||
- ppp
|
||||
- arap
|
||||
- shell
|
||||
- tty-daemon
|
||||
- connection
|
||||
- system
|
||||
- firewall
|
||||
protocol_name:
|
||||
description:
|
||||
- Specifies the protocol associated with the value specified in C(service_name),
|
||||
which is a subset of the associated service being used for client authorization
|
||||
or system accounting.
|
||||
- Note that the majority of TACACS+ implementations are of protocol type C(ip),
|
||||
so try that first.
|
||||
choices:
|
||||
- lcp
|
||||
- ip
|
||||
- ipx
|
||||
- atalk
|
||||
- vines
|
||||
- lat
|
||||
- xremote
|
||||
- tn3270
|
||||
- telnet
|
||||
- rlogin
|
||||
- pad
|
||||
- vpdn
|
||||
- ftp
|
||||
- http
|
||||
- deccp
|
||||
- osicp
|
||||
- unknown
|
||||
authentication:
|
||||
description:
|
||||
- Specifies the process the system employs when sending authentication requests.
|
||||
- When C(use-first-server), specifies that the system sends authentication
|
||||
attempts to only the first server in the list.
|
||||
- When C(use-all-servers), specifies that the system sends an authentication
|
||||
request to each server until authentication succeeds, or until the system has
|
||||
sent a request to all servers in the list.
|
||||
- This parameter is supported by the C(tacacs) type.
|
||||
choices:
|
||||
- use-first-server
|
||||
- use-all-servers
|
||||
use_for_auth:
|
||||
description:
|
||||
- Specifies whether or not this auth source is put in use on the system.
|
||||
type: bool
|
||||
state:
|
||||
description:
|
||||
- The state of the authentication configuration on the system.
|
||||
- When C(present), guarantees that the system is configured for the specified C(type).
|
||||
- When C(absent), sets the system auth source back to C(local).
|
||||
default: present
|
||||
choices:
|
||||
- absent
|
||||
- present
|
||||
update_secret:
|
||||
description:
|
||||
- C(always) will allow to update secrets if the user chooses to do so.
|
||||
- C(on_create) will only set the secret when a C(use_auth_source) is C(yes)
|
||||
and TACACS+ is not currently the auth source.
|
||||
default: always
|
||||
choices:
|
||||
- always
|
||||
- on_create
|
||||
extends_documentation_fragment: f5
|
||||
author:
|
||||
- Tim Rupp (@caphrim007)
|
||||
'''
|
||||
|
||||
EXAMPLES = r'''
|
||||
- name: Set the system auth to TACACS+, default server port
|
||||
bigip_device_auth:
|
||||
type: tacacs
|
||||
authentication: use-all-servers
|
||||
protocol_name: ip
|
||||
secret: secret
|
||||
servers:
|
||||
- 10.10.10.10
|
||||
- 10.10.10.11
|
||||
service_name: ppp
|
||||
state: present
|
||||
use_for_auth: yes
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set the system auth to TACACS+, override server port
|
||||
bigip_device_auth:
|
||||
type: tacacs
|
||||
authentication: use-all-servers
|
||||
protocol_name: ip
|
||||
secret: secret
|
||||
servers:
|
||||
- address: 10.10.10.10
|
||||
port: 1234
|
||||
- 10.10.10.11
|
||||
service_name: ppp
|
||||
use_for_auth: yes
|
||||
state: present
|
||||
provider:
|
||||
password: secret
|
||||
server: lb.mydomain.com
|
||||
user: admin
|
||||
delegate_to: localhost
|
||||
'''
|
||||
|
||||
RETURN = r'''
|
||||
servers:
|
||||
description: List of servers used in TACACS authentication.
|
||||
returned: changed
|
||||
type: list
|
||||
sample: ['1.2.2.1', '4.5.5.4']
|
||||
authentication:
|
||||
description: Process the system uses to serve authentication requests when using TACACS.
|
||||
returned: changed
|
||||
type: string
|
||||
sample: use-all-servers
|
||||
service_name:
|
||||
description: Name of the service the user is requesting to be authorized to use.
|
||||
returned: changed
|
||||
type: string
|
||||
sample: ppp
|
||||
protocol_name:
|
||||
description: Name of the protocol associated with C(service_name) used for client authentication.
|
||||
returned: changed
|
||||
type: string
|
||||
sample: ip
|
||||
'''
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible.module_utils.six import string_types
|
||||
|
||||
try:
|
||||
from library.module_utils.network.f5.bigip import F5RestClient
|
||||
from library.module_utils.network.f5.common import F5ModuleError
|
||||
from library.module_utils.network.f5.common import AnsibleF5Parameters
|
||||
from library.module_utils.network.f5.common import cleanup_tokens
|
||||
from library.module_utils.network.f5.common import fq_name
|
||||
from library.module_utils.network.f5.common import f5_argument_spec
|
||||
from library.module_utils.network.f5.common import exit_json
|
||||
from library.module_utils.network.f5.common import fail_json
|
||||
except ImportError:
|
||||
from ansible.module_utils.network.f5.bigip import F5RestClient
|
||||
from ansible.module_utils.network.f5.common import F5ModuleError
|
||||
from ansible.module_utils.network.f5.common import AnsibleF5Parameters
|
||||
from ansible.module_utils.network.f5.common import cleanup_tokens
|
||||
from ansible.module_utils.network.f5.common import fq_name
|
||||
from ansible.module_utils.network.f5.common import f5_argument_spec
|
||||
from ansible.module_utils.network.f5.common import exit_json
|
||||
from ansible.module_utils.network.f5.common import fail_json
|
||||
|
||||
|
||||
class BaseParameters(AnsibleF5Parameters):
|
||||
@property
|
||||
def api_map(self):
|
||||
return {}
|
||||
|
||||
@property
|
||||
def api_attributes(self):
|
||||
return []
|
||||
|
||||
@property
|
||||
def returnables(self):
|
||||
return []
|
||||
|
||||
@property
|
||||
def updatables(self):
|
||||
return []
|
||||
|
||||
|
||||
class BaseApiParameters(BaseParameters):
|
||||
pass
|
||||
|
||||
|
||||
class BaseModuleParameters(BaseParameters):
|
||||
pass
|
||||
|
||||
|
||||
class BaseChanges(BaseParameters):
|
||||
def to_return(self):
|
||||
result = {}
|
||||
try:
|
||||
for returnable in self.returnables:
|
||||
result[returnable] = getattr(self, returnable)
|
||||
result = self._filter_params(result)
|
||||
except Exception:
|
||||
pass
|
||||
return result
|
||||
|
||||
|
||||
class BaseUsableChanges(BaseChanges):
|
||||
pass
|
||||
|
||||
|
||||
class BaseReportableChanges(BaseChanges):
|
||||
pass
|
||||
|
||||
|
||||
class TacacsParameters(BaseParameters):
|
||||
api_map = {
|
||||
'protocol': 'protocol_name',
|
||||
'service': 'service_name'
|
||||
}
|
||||
|
||||
api_attributes = [
|
||||
'authentication',
|
||||
'protocol',
|
||||
'service',
|
||||
'secret',
|
||||
'servers'
|
||||
]
|
||||
|
||||
returnables = [
|
||||
'servers',
|
||||
'secret',
|
||||
'authentication',
|
||||
'service_name',
|
||||
'protocol_name'
|
||||
]
|
||||
|
||||
updatables = [
|
||||
'servers',
|
||||
'secret',
|
||||
'authentication',
|
||||
'service_name',
|
||||
'protocol_name',
|
||||
'auth_source',
|
||||
]
|
||||
|
||||
|
||||
class TacacsApiParameters(TacacsParameters):
|
||||
pass
|
||||
|
||||
|
||||
class TacacsModuleParameters(TacacsParameters):
|
||||
@property
|
||||
def servers(self):
|
||||
if self._values['servers'] is None:
|
||||
return None
|
||||
result = []
|
||||
for server in self._values['servers']:
|
||||
if isinstance(server, dict):
|
||||
if 'address' not in server:
|
||||
raise F5ModuleError(
|
||||
"An 'address' field must be provided when specifying separate fields to the 'servers' parameter."
|
||||
)
|
||||
address = server.get('address')
|
||||
port = server.get('port', 49163)
|
||||
elif isinstance(server, string_types):
|
||||
address = server
|
||||
port = 49163
|
||||
result.append('{0}:{1}'.format(address, port))
|
||||
return result
|
||||
|
||||
@property
|
||||
def auth_source(self):
|
||||
return 'tacacs'
|
||||
|
||||
|
||||
class TacacsChanges(BaseChanges, TacacsParameters):
|
||||
pass
|
||||
|
||||
|
||||
class TacacsUsableChanges(TacacsChanges):
|
||||
pass
|
||||
|
||||
|
||||
class TacacsReportableChanges(TacacsChanges):
|
||||
@property
|
||||
def secret(self):
|
||||
return None
|
||||
|
||||
|
||||
class Difference(object):
|
||||
def __init__(self, want, have=None):
|
||||
self.want = want
|
||||
self.have = have
|
||||
|
||||
def compare(self, param):
|
||||
try:
|
||||
result = getattr(self, param)
|
||||
return result
|
||||
except AttributeError:
|
||||
return self.__default(param)
|
||||
|
||||
def __default(self, param):
|
||||
want = getattr(self.want, param)
|
||||
try:
|
||||
have = getattr(self.have, param)
|
||||
if want != have:
|
||||
return want
|
||||
except AttributeError:
|
||||
return want
|
||||
|
||||
@property
|
||||
def secret(self):
|
||||
if self.want.secret != self.have.secret and self.want.update_secret == 'always':
|
||||
return self.want.secret
|
||||
|
||||
|
||||
class BaseManager(object):
|
||||
def _set_changed_options(self):
|
||||
changed = {}
|
||||
for key in self.returnables:
|
||||
if getattr(self.want, key) is not None:
|
||||
changed[key] = getattr(self.want, key)
|
||||
if changed:
|
||||
self.changes = self.get_usable_changes(params=changed)
|
||||
|
||||
def _update_changed_options(self):
|
||||
diff = Difference(self.want, self.have)
|
||||
updatables = self.updatables
|
||||
changed = dict()
|
||||
for k in updatables:
|
||||
change = diff.compare(k)
|
||||
if change is None:
|
||||
continue
|
||||
else:
|
||||
if isinstance(change, dict):
|
||||
changed.update(change)
|
||||
else:
|
||||
changed[k] = change
|
||||
if changed:
|
||||
self.changes = self.get_usable_changes(params=changed)
|
||||
return True
|
||||
return False
|
||||
|
||||
def should_update(self):
|
||||
result = self._update_changed_options()
|
||||
if result:
|
||||
return True
|
||||
return False
|
||||
|
||||
def exec_module(self):
|
||||
changed = False
|
||||
result = dict()
|
||||
state = self.want.state
|
||||
|
||||
if state == "present":
|
||||
changed = self.present()
|
||||
elif state == "absent":
|
||||
changed = self.absent()
|
||||
|
||||
reportable = self.get_reportable_changes(params=self.changes.to_return())
|
||||
changes = reportable.to_return()
|
||||
result.update(**changes)
|
||||
result.update(dict(changed=changed))
|
||||
self._announce_deprecations(result)
|
||||
return result
|
||||
|
||||
def _announce_deprecations(self, result):
|
||||
warnings = result.pop('__warnings', [])
|
||||
for warning in warnings:
|
||||
self.client.module.deprecate(
|
||||
msg=warning['msg'],
|
||||
version=warning['version']
|
||||
)
|
||||
|
||||
def present(self):
|
||||
if self.exists():
|
||||
return self.update()
|
||||
return self.create()
|
||||
|
||||
def absent(self):
|
||||
if self.exists():
|
||||
return self.remove()
|
||||
return False
|
||||
|
||||
def update_auth_source_on_device(self, source):
|
||||
"""Set the system auth source.
|
||||
|
||||
Configuring the authentication source is only one step in the process of setting
|
||||
up an auth source. The other step is to inform the system of the auth source
|
||||
you want to use.
|
||||
|
||||
This method is used for situations where
|
||||
|
||||
* The ``use_for_auth`` parameter is set to ``yes``
|
||||
* The ``use_for_auth`` parameter is set to ``no``
|
||||
* The ``state`` parameter is set to ``absent``
|
||||
|
||||
When ``state`` equal to ``absent``, before you can delete the TACACS+ configuration,
|
||||
you must set the system auth to "something else". The system ships with a system
|
||||
auth called "local", so this is the logical "something else" to use.
|
||||
|
||||
When ``use_for_auth`` is no, the same situation applies as when ``state`` equal
|
||||
to ``absent`` is done above.
|
||||
|
||||
When ``use_for_auth`` is ``yes``, this method will set the current system auth
|
||||
state to TACACS+.
|
||||
|
||||
Arguments:
|
||||
source (string): The source that you want to set on the device.
|
||||
"""
|
||||
params = dict(
|
||||
type=source
|
||||
)
|
||||
uri = 'https://{0}:{1}/mgmt/tm/auth/source/'.format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port']
|
||||
)
|
||||
|
||||
resp = self.client.api.patch(uri, json=params)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError as ex:
|
||||
raise F5ModuleError(str(ex))
|
||||
|
||||
if 'code' in response and response['code'] == 400:
|
||||
if 'message' in response:
|
||||
raise F5ModuleError(response['message'])
|
||||
else:
|
||||
raise F5ModuleError(resp.content)
|
||||
|
||||
def read_current_auth_source_from_device(self):
|
||||
uri = "https://{0}:{1}/mgmt/tm/auth/source".format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port'],
|
||||
)
|
||||
resp = self.client.api.get(uri)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError as ex:
|
||||
raise F5ModuleError(str(ex))
|
||||
if 'code' in response and response['code'] == 400:
|
||||
if 'message' in response:
|
||||
raise F5ModuleError(response['message'])
|
||||
else:
|
||||
raise F5ModuleError(resp.content)
|
||||
return response['type']
|
||||
|
||||
|
||||
class LocalManager(BaseManager):
|
||||
def __init__(self, *args, **kwargs):
|
||||
self.module = kwargs.get('module', None)
|
||||
self.client = kwargs.get('client', None)
|
||||
self.want = self.get_module_parameters(params=self.module.params)
|
||||
self.have = self.get_api_parameters()
|
||||
self.changes = self.get_usable_changes()
|
||||
|
||||
@property
|
||||
def returnables(self):
|
||||
return []
|
||||
|
||||
@property
|
||||
def updatables(self):
|
||||
return []
|
||||
|
||||
def get_parameters(self, params=None):
|
||||
return BaseParameters(params=params)
|
||||
|
||||
def get_usable_changes(self, params=None):
|
||||
return BaseUsableChanges(params=params)
|
||||
|
||||
def get_reportable_changes(self, params=None):
|
||||
return BaseReportableChanges(params=params)
|
||||
|
||||
def get_module_parameters(self, params=None):
|
||||
return BaseModuleParameters(params=params)
|
||||
|
||||
def get_api_parameters(self, params=None):
|
||||
return BaseApiParameters(params=params)
|
||||
|
||||
def exists(self):
|
||||
uri = "https://{0}:{1}/mgmt/tm/auth/source".format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port'],
|
||||
)
|
||||
resp = self.client.api.get(uri)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError as ex:
|
||||
raise F5ModuleError(str(ex))
|
||||
if 'code' in response and response['code'] == 400:
|
||||
if 'message' in response:
|
||||
raise F5ModuleError(response['message'])
|
||||
else:
|
||||
raise F5ModuleError(resp.content)
|
||||
if response['type'] == 'local':
|
||||
return True
|
||||
return False
|
||||
|
||||
def create(self):
|
||||
self._set_changed_options()
|
||||
if self.module.check_mode:
|
||||
return True
|
||||
self.update_auth_source_on_device('local')
|
||||
return True
|
||||
|
||||
def present(self):
|
||||
if not self.exists():
|
||||
return self.create()
|
||||
|
||||
def absent(self):
|
||||
raise F5ModuleError(
|
||||
"The 'local' type cannot be removed. "
|
||||
"Instead, specify a 'state' of 'present' on other types."
|
||||
)
|
||||
|
||||
|
||||
class TacacsManager(BaseManager):
|
||||
def __init__(self, *args, **kwargs):
|
||||
self.module = kwargs.get('module', None)
|
||||
self.client = kwargs.get('client', None)
|
||||
self.want = self.get_module_parameters(params=self.module.params)
|
||||
self.have = self.get_api_parameters()
|
||||
self.changes = self.get_usable_changes()
|
||||
|
||||
@property
|
||||
def returnables(self):
|
||||
return TacacsParameters.returnables
|
||||
|
||||
@property
|
||||
def updatables(self):
|
||||
return TacacsParameters.updatables
|
||||
|
||||
def get_usable_changes(self, params=None):
|
||||
return TacacsUsableChanges(params=params)
|
||||
|
||||
def get_reportable_changes(self, params=None):
|
||||
return TacacsReportableChanges(params=params)
|
||||
|
||||
def get_module_parameters(self, params=None):
|
||||
return TacacsModuleParameters(params=params)
|
||||
|
||||
def get_api_parameters(self, params=None):
|
||||
return TacacsApiParameters(params=params)
|
||||
|
||||
def exists(self):
|
||||
uri = "https://{0}:{1}/mgmt/tm/auth/tacacs/~Common~system-auth".format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port'],
|
||||
)
|
||||
resp = self.client.api.get(uri)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError:
|
||||
return False
|
||||
if resp.status == 404 or 'code' in response and response['code'] == 404:
|
||||
return False
|
||||
return True
|
||||
|
||||
def create(self):
|
||||
self._set_changed_options()
|
||||
if self.module.check_mode:
|
||||
return True
|
||||
self.create_on_device()
|
||||
if self.want.use_for_auth:
|
||||
self.update_auth_source_on_device('tacacs')
|
||||
return True
|
||||
|
||||
def update(self):
|
||||
self.have = self.read_current_from_device()
|
||||
if not self.should_update():
|
||||
return False
|
||||
if self.module.check_mode:
|
||||
return True
|
||||
result = False
|
||||
if self.update_on_device():
|
||||
result = True
|
||||
if self.want.use_for_auth and self.changes.auth_source == 'tacacs':
|
||||
self.update_auth_source_on_device('tacacs')
|
||||
result = True
|
||||
return result
|
||||
|
||||
def remove(self):
|
||||
if self.module.check_mode:
|
||||
return True
|
||||
self.update_auth_source_on_device('local')
|
||||
self.remove_from_device()
|
||||
if self.exists():
|
||||
raise F5ModuleError("Failed to delete the resource.")
|
||||
return True
|
||||
|
||||
def create_on_device(self):
|
||||
params = self.changes.api_params()
|
||||
params['name'] = 'system-auth'
|
||||
uri = "https://{0}:{1}/mgmt/tm/auth/tacacs".format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port']
|
||||
)
|
||||
resp = self.client.api.post(uri, json=params)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError as ex:
|
||||
raise F5ModuleError(str(ex))
|
||||
|
||||
if 'code' in response and response['code'] in [400, 403]:
|
||||
if 'message' in response:
|
||||
raise F5ModuleError(response['message'])
|
||||
else:
|
||||
raise F5ModuleError(resp.content)
|
||||
|
||||
def update_on_device(self):
|
||||
params = self.changes.api_params()
|
||||
if not params:
|
||||
return False
|
||||
|
||||
uri = 'https://{0}:{1}/mgmt/tm/auth/tacacs/~Common~system-auth'.format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port']
|
||||
)
|
||||
|
||||
resp = self.client.api.patch(uri, json=params)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError as ex:
|
||||
raise F5ModuleError(str(ex))
|
||||
|
||||
if 'code' in response and response['code'] == 400:
|
||||
if 'message' in response:
|
||||
raise F5ModuleError(response['message'])
|
||||
else:
|
||||
raise F5ModuleError(resp.content)
|
||||
return True
|
||||
|
||||
def remove_from_device(self):
|
||||
uri = "https://{0}:{1}/mgmt/tm/auth/tacacs/~Common~system-auth".format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port']
|
||||
)
|
||||
resp = self.client.api.delete(uri)
|
||||
if resp.status == 200:
|
||||
return True
|
||||
raise F5ModuleError(resp.content)
|
||||
|
||||
def read_current_from_device(self):
|
||||
uri = "https://{0}:{1}/mgmt/tm/auth/tacacs/~Common~system-auth".format(
|
||||
self.client.provider['server'],
|
||||
self.client.provider['server_port'],
|
||||
)
|
||||
resp = self.client.api.get(uri)
|
||||
try:
|
||||
response = resp.json()
|
||||
except ValueError as ex:
|
||||
raise F5ModuleError(str(ex))
|
||||
if 'code' in response and response['code'] == 400:
|
||||
if 'message' in response:
|
||||
raise F5ModuleError(response['message'])
|
||||
else:
|
||||
raise F5ModuleError(resp.content)
|
||||
response['auth_source'] = self.read_current_auth_source_from_device()
|
||||
return self.get_api_parameters(params=response)
|
||||
|
||||
|
||||
class ModuleManager(object):
|
||||
def __init__(self, *args, **kwargs):
|
||||
self.module = kwargs.get('module', None)
|
||||
self.client = kwargs.get('client', None)
|
||||
self.kwargs = kwargs
|
||||
|
||||
def exec_module(self):
|
||||
manager = self.get_manager(self.module.params['type'])
|
||||
return manager.exec_module()
|
||||
|
||||
def get_manager(self, type):
|
||||
if type == 'tacacs':
|
||||
return TacacsManager(**self.kwargs)
|
||||
elif type == 'local':
|
||||
return LocalManager(**self.kwargs)
|
||||
else:
|
||||
raise F5ModuleError(
|
||||
"The provided 'type' is unknown."
|
||||
)
|
||||
|
||||
|
||||
class ArgumentSpec(object):
|
||||
def __init__(self):
|
||||
self.supports_check_mode = True
|
||||
argument_spec = dict(
|
||||
type=dict(
|
||||
required=True,
|
||||
choices=['local', 'tacacs']
|
||||
),
|
||||
servers=dict(type='raw'),
|
||||
secret=dict(no_log=True),
|
||||
service_name=dict(
|
||||
choices=[
|
||||
'slip', 'ppp', 'arap', 'shell', 'tty-daemon',
|
||||
'connection', 'system', 'firewall'
|
||||
]
|
||||
),
|
||||
protocol_name=dict(
|
||||
choices=[
|
||||
'lcp', 'ip', 'ipx', 'atalk', 'vines', 'lat',
|
||||
'xremote', 'tn3270', 'telnet', 'rlogin', 'pad',
|
||||
'vpdn', 'ftp', 'http', 'deccp', 'osicp', 'unknown'
|
||||
]
|
||||
),
|
||||
authentication=dict(
|
||||
choices=[
|
||||
'use-first-server',
|
||||
'use-all-servers'
|
||||
]
|
||||
),
|
||||
use_for_auth=dict(type='bool'),
|
||||
update_secret=dict(
|
||||
choices=['always', 'on_create'],
|
||||
default='always'
|
||||
),
|
||||
state=dict(
|
||||
default='present',
|
||||
choices=['present', 'absent']
|
||||
),
|
||||
|
||||
)
|
||||
self.argument_spec = {}
|
||||
self.argument_spec.update(f5_argument_spec)
|
||||
self.argument_spec.update(argument_spec)
|
||||
|
||||
|
||||
def main():
|
||||
spec = ArgumentSpec()
|
||||
|
||||
module = AnsibleModule(
|
||||
argument_spec=spec.argument_spec,
|
||||
supports_check_mode=spec.supports_check_mode,
|
||||
)
|
||||
|
||||
try:
|
||||
client = F5RestClient(**module.params)
|
||||
mm = ModuleManager(module=module, client=client)
|
||||
results = mm.exec_module()
|
||||
exit_json(module, results, client)
|
||||
except F5ModuleError as ex:
|
||||
fail_json(module, ex, client)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
131
test/units/modules/network/f5/test_bigip_device_auth.py
Normal file
131
test/units/modules/network/f5/test_bigip_device_auth.py
Normal file
|
@ -0,0 +1,131 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Copyright: (c) 2018, F5 Networks Inc.
|
||||
# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
__metaclass__ = type
|
||||
|
||||
import os
|
||||
import json
|
||||
import pytest
|
||||
import sys
|
||||
|
||||
from nose.plugins.skip import SkipTest
|
||||
if sys.version_info < (2, 7):
|
||||
raise SkipTest("F5 Ansible modules require Python >= 2.7")
|
||||
|
||||
from ansible.compat.tests import unittest
|
||||
from ansible.compat.tests.mock import Mock
|
||||
from ansible.compat.tests.mock import patch
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
||||
try:
|
||||
from library.modules.bigip_device_auth import TacacsApiParameters
|
||||
from library.modules.bigip_device_auth import TacacsModuleParameters
|
||||
from library.modules.bigip_device_auth import TacacsManager
|
||||
from library.modules.bigip_device_auth import ModuleManager
|
||||
from library.modules.bigip_device_auth import ArgumentSpec
|
||||
from library.module_utils.network.f5.common import F5ModuleError
|
||||
from test.unit.modules.utils import set_module_args
|
||||
except ImportError:
|
||||
try:
|
||||
from ansible.modules.network.f5.bigip_sys_auth import TacacsApiParameters
|
||||
from ansible.modules.network.f5.bigip_sys_auth import TacacsModuleParameters
|
||||
from ansible.modules.network.f5.bigip_sys_auth import TacacsManager
|
||||
from ansible.modules.network.f5.bigip_sys_auth import ModuleManager
|
||||
from ansible.modules.network.f5.bigip_sys_auth import ArgumentSpec
|
||||
from ansible.module_utils.network.f5.common import F5ModuleError
|
||||
from units.modules.utils import set_module_args
|
||||
except ImportError:
|
||||
raise SkipTest("F5 Ansible modules require the f5-sdk Python library")
|
||||
|
||||
fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures')
|
||||
fixture_data = {}
|
||||
|
||||
|
||||
def load_fixture(name):
|
||||
path = os.path.join(fixture_path, name)
|
||||
|
||||
if path in fixture_data:
|
||||
return fixture_data[path]
|
||||
|
||||
with open(path) as f:
|
||||
data = f.read()
|
||||
|
||||
try:
|
||||
data = json.loads(data)
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
fixture_data[path] = data
|
||||
return data
|
||||
|
||||
|
||||
class TestParameters(unittest.TestCase):
|
||||
def test_module_parameters(self):
|
||||
args = dict(
|
||||
type="tacacs",
|
||||
authentication="use-all-servers",
|
||||
protocol_name="ip",
|
||||
secret="$XXXXXXXXXXXXXXXXXXXX==",
|
||||
servers=['10.10.10.10', '10.10.10.11'],
|
||||
service_name="ppp",
|
||||
use_for_auth=True,
|
||||
update_secret="on_create",
|
||||
)
|
||||
p = TacacsModuleParameters(params=args)
|
||||
assert p.type == 'tacacs'
|
||||
assert p.authentication == 'use-all-servers'
|
||||
|
||||
def test_api_parameters(self):
|
||||
args = load_fixture('load_tm_auth_tacacs_1.json')
|
||||
p = TacacsApiParameters(params=args)
|
||||
assert p.authentication == 'use-first-server'
|
||||
assert p.protocol_name == 'ftp'
|
||||
assert p.secret == 'secret'
|
||||
assert p.servers == ['11.11.11.11']
|
||||
assert p.service_name == 'ppp'
|
||||
|
||||
|
||||
@patch('ansible.module_utils.f5_utils.AnsibleF5Client._get_mgmt_root',
|
||||
return_value=True)
|
||||
class TestManager(unittest.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
self.spec = ArgumentSpec()
|
||||
|
||||
def test_create(self, *args):
|
||||
set_module_args(dict(
|
||||
type="tacacs",
|
||||
authentication="use-all-servers",
|
||||
protocol_name="ip",
|
||||
secret="secret",
|
||||
servers=['10.10.10.10', '10.10.10.11'],
|
||||
service_name="ppp",
|
||||
use_for_auth=True,
|
||||
update_secret="on_create",
|
||||
state='present',
|
||||
provider=dict(
|
||||
password='admin',
|
||||
server='localhost',
|
||||
user='admin'
|
||||
)
|
||||
))
|
||||
|
||||
module = AnsibleModule(
|
||||
argument_spec=self.spec.argument_spec,
|
||||
supports_check_mode=self.spec.supports_check_mode
|
||||
)
|
||||
|
||||
# Override methods to force specific logic in the module to happen
|
||||
m1 = TacacsManager(module=module)
|
||||
m1.exists = Mock(return_value=False)
|
||||
m1.create_on_device = Mock(return_value=True)
|
||||
m1.update_auth_source_on_device = Mock(return_value=True)
|
||||
|
||||
mm = ModuleManager(module=module)
|
||||
mm.get_manager = Mock(return_value=m1)
|
||||
|
||||
results = mm.exec_module()
|
||||
assert results['changed'] is True
|
Loading…
Reference in a new issue