diff --git a/lib/ansible/modules/network/f5/bigip_profile_http.py b/lib/ansible/modules/network/f5/bigip_profile_http.py new file mode 100644 index 0000000000..e1259d8c4d --- /dev/null +++ b/lib/ansible/modules/network/f5/bigip_profile_http.py @@ -0,0 +1,686 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2018, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = r''' +--- +module: bigip_profile_http +short_description: Manage HTTP profiles on a BIG-IP +description: + - Manage HTTP profiles on a BIG-IP. +version_added: 2.7 +options: + name: + description: + - Specifies the name of the profile. + required: True + parent: + description: + - Specifies the profile from which this profile inherits settings. + - When creating a new profile, if this parameter is not specified, the default + is the system-supplied C(http) profile. + default: /Common/http + description: + description: + - Description of the profile. + proxy_type: + description: + - Specifies the proxy mode for the profile. + - When creating a new profile, if this parameter is not specified, the + default is provided by the parent profile. + choices: + - reverse + - transparent + - explicit + dns_resolver: + description: + - Specifies the name of a configured DNS resolver, this option is mandatory when C(proxy_type) + is set to C(explicit). + - Format of the name can be either be prepended by partition (C(/Common/foo)), or specified + just as an object name (C(foo)). + - To remove the entry a value of C(none) or C('') can be set, however the profile C(proxy_type) + must not be set as C(explicit). + insert_xforwarded_for: + description: + - When specified system inserts an X-Forwarded-For header in an HTTP request + with the client IP address, to use with connection pooling. + - When creating a new profile, if this parameter is not specified, the + default is provided by the parent profile. + type: bool + redirect_rewrite: + description: + - Specifies whether the system rewrites the URIs that are part of HTTP + redirect (3XX) responses. + - When set to C(none) the system will not rewrite the URI in any + HTTP redirect responses. + - When set to C(all) the system rewrites the URI in all HTTP redirect responses. + - When set to C(matching) the system rewrites the URI in any + HTTP redirect responses that match the request URI. + - When set to C(nodes) if the URI contains a node IP address instead of a host name, + the system changes it to the virtual server address. + - When creating a new profile, if this parameter is not specified, the + default is provided by the parent profile. + choices: + - none + - all + - matching + - nodes + encrypt_cookies: + description: + - Cookie names for the system to encrypt. + - To remove the entry completely a value of C(none) or C('') should be set. + - When creating a new profile, if this parameter is not specified, the + default is provided by the parent profile. + type: list + encrypt_cookie_secret: + description: + - Passphrase for cookie encryption. + - When creating a new profile, if this parameter is not specified, the + default is provided by the parent profile. + update_password: + description: + - C(always) will update passwords if the C(encrypt_cookie_secret) is specified. + - C(on_create) will only set the password for newly created profiles. + default: always + choices: + - always + - on_create + partition: + description: + - Device partition to manage resources on. + default: Common + state: + description: + - When C(present), ensures that the profile exists. + - When C(absent), ensures the profile is removed. + default: present + choices: + - present + - absent +extends_documentation_fragment: f5 +author: + - Wojciech Wypior (@wojtek0806) +''' + +EXAMPLES = r''' +- name: Create HTTP profile + bigip_profile_http: + name: my_profile + password: secret + server: lb.mydomain.com + insert_xforwarded_for: yes + redirect_rewrite: all + state: present + user: admin + delegate_to: localhost + +- name: Remove HTTP profile + bigip_profile_http: + name: my_profile + state: absent + server: lb.mydomain.com + user: admin + password: secret + delegate_to: localhost + +- name: Add HTTP profile for transparent proxy + bigip_profile_http: + name: my_profile + server: lb.mydomain.com + user: admin + proxy_type: transparent + password: secret + delegate_to: localhost +''' + +RETURN = r''' +description: + description: Description of the profile. + returned: changed + type: string + sample: My profile +proxy_type: + description: Specify proxy mode of the profile. + returned: changed + type: string + sample: explicit +insert_xforwarded_for: + description: Insert X-Forwarded-For-Header. + returned: changed + type: bool + sample: yes +redirect_rewrite: + description: Rewrite URI that are part of 3xx responses. + returned: changed + type: string + sample: all +encrypt_cookies: + description: Cookie names to encrypt. + returned: changed + type: list + sample: ['MyCookie1', 'MyCookie2'] +dns_resolver: + description: Configured dns resolver. + returned: changed + type: string + sample: '/Common/FooBar' +''' + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.basic import env_fallback + +try: + from library.module_utils.network.f5.bigip import F5RestClient + from library.module_utils.network.f5.common import F5ModuleError + from library.module_utils.network.f5.common import AnsibleF5Parameters + from library.module_utils.network.f5.common import cleanup_tokens + from library.module_utils.network.f5.common import fq_name + from library.module_utils.network.f5.common import f5_argument_spec + from library.module_utils.network.f5.common import flatten_boolean + from library.module_utils.network.f5.common import transform_name + from library.module_utils.network.f5.common import exit_json + from library.module_utils.network.f5.common import fail_json +except ImportError: + from ansible.module_utils.network.f5.bigip import F5RestClient + from ansible.module_utils.network.f5.common import F5ModuleError + from ansible.module_utils.network.f5.common import AnsibleF5Parameters + from ansible.module_utils.network.f5.common import cleanup_tokens + from ansible.module_utils.network.f5.common import fq_name + from ansible.module_utils.network.f5.common import f5_argument_spec + from ansible.module_utils.network.f5.common import flatten_boolean + from ansible.module_utils.network.f5.common import transform_name + from ansible.module_utils.network.f5.common import exit_json + from ansible.module_utils.network.f5.common import fail_json + + +class Parameters(AnsibleF5Parameters): + api_map = { + 'defaultsFrom': 'parent', + 'insertXforwardedFor': 'insert_xforwarded_for', + 'redirectRewrite': 'redirect_rewrite', + 'encryptCookies': 'encrypt_cookies', + 'encryptCookieSecret': 'encrypt_cookie_secret', + 'proxyType': 'proxy_type', + 'explicitProxy': 'explicit_proxy', + + } + + api_attributes = [ + 'insertXforwardedFor', + 'description', + 'defaultsFrom', + 'redirectRewrite', + 'encryptCookies', + 'encryptCookieSecret', + 'proxyType', + 'explicitProxy', + ] + + returnables = [ + 'parent', + 'description', + 'insert_xforwarded_for', + 'redirect_rewrite', + 'encrypt_cookies', + 'proxy_type', + 'explicit_proxy', + 'dns_resolver', + ] + + updatables = [ + 'description', + 'insert_xforwarded_for', + 'redirect_rewrite', + 'encrypt_cookies', + 'encrypt_cookie_secret', + 'proxy_type', + 'dns_resolver', + ] + + +class ApiParameters(Parameters): + @property + def dns_resolver(self): + if self._values['explicit_proxy'] is None: + return None + if 'dnsResolver' in self._values['explicit_proxy']: + return self._values['explicit_proxy']['dnsResolver'] + + @property + def dns_resolver_address(self): + if self._values['explicit_proxy'] is None: + return None + if 'dnsResolverReference' in self._values['explicit_proxy']: + return self._values['explicit_proxy']['dnsResolverReference'] + + +class ModuleParameters(Parameters): + @property + def proxy_type(self): + if self._values['proxy_type'] is None: + return None + if self._values['proxy_type'] == 'explicit': + if self.dns_resolver is None or self.dns_resolver == '': + raise F5ModuleError( + 'A proxy type cannot be set to {0} without providing DNS resolver.'.format(self._values['proxy_type']) + ) + return self._values['proxy_type'] + + @property + def dns_resolver(self): + if self._values['dns_resolver'] is None: + return None + if self._values['dns_resolver'] == '' or self._values['dns_resolver'] == 'none': + return '' + result = fq_name(self.partition, self._values['dns_resolver']) + return result + + @property + def dns_resolver_address(self): + resolver = self.dns_resolver + if resolver is None: + return None + tmp = resolver.split('/') + link = dict(link='https://localhost/mgmt/tm/net/dns-resolver/~{0}~{1}'.format(tmp[1], tmp[2])) + return link + + @property + def insert_xforwarded_for(self): + result = flatten_boolean(self._values['insert_xforwarded_for']) + if result is None: + return None + if result == 'yes': + return 'enabled' + return 'disabled' + + @property + def parent(self): + if self._values['parent'] is None: + return None + result = fq_name(self.partition, self._values['parent']) + return result + + @property + def encrypt_cookies(self): + if self._values['encrypt_cookies'] is None: + return None + if self._values['encrypt_cookies'] == [''] or self._values['encrypt_cookies'] == ['none']: + return list() + return self._values['encrypt_cookies'] + + @property + def explicit_proxy(self): + if self.dns_resolver is None: + return None + result = dict( + dnsResolver=self.dns_resolver, + dnsResolverReference=self.dns_resolver_address + ) + return result + + +class Changes(Parameters): + def to_return(self): + result = {} + try: + for returnable in self.returnables: + result[returnable] = getattr(self, returnable) + result = self._filter_params(result) + except Exception: + pass + return result + + +class UsableChanges(Changes): + @property + def explicit_proxy(self): + result = dict() + if self._values['dns_resolver'] is not None: + result['dnsResolver'] = self._values['dns_resolver'] + if self._values['dns_resolver_address'] is not None: + result['dnsResolverReference'] = self._values['dns_resolver_address'] + if not result: + return None + return result + + +class ReportableChanges(Changes): + @property + def insert_xforwarded_for(self): + if self._values['insert_xforwarded_for'] is None: + return None + elif self._values['insert_xforwarded_for'] == 'enabled': + return 'yes' + return 'no' + + +class Difference(object): + def __init__(self, want, have=None): + self.want = want + self.have = have + + def compare(self, param): + try: + result = getattr(self, param) + return result + except AttributeError: + return self.__default(param) + + def __default(self, param): + attr1 = getattr(self.want, param) + try: + attr2 = getattr(self.have, param) + if attr1 != attr2: + return attr1 + except AttributeError: + return attr1 + + @property + def parent(self): + if self.want.parent != self.have.parent: + raise F5ModuleError( + "The parent http profile cannot be changed" + ) + + @property + def dns_resolver(self): + if self.want.dns_resolver is None: + return None + if self.want.dns_resolver == '': + if self.have.dns_resolver is None or self.have.dns_resolver == 'none': + return None + elif self.have.proxy_type == 'explicit' and self.want.proxy_type is None: + raise F5ModuleError( + "DNS resolver cannot be empty or 'none' if an existing profile proxy type is set to {0}.".format(self.have.proxy_type) + ) + elif self.have.dns_resolver is not None: + return self.want.dns_resolver + if self.have.dns_resolver is None: + return self.want.dns_resolver + + @property + def encrypt_cookies(self): + if self.want.encrypt_cookies is None: + return None + if self.have.encrypt_cookies == [] and self.want.encrypt_cookies == []: + return None + if self.have.encrypt_cookies is not None and self.want.encrypt_cookies == []: + return self.want.encrypt_cookies + if self.have.encrypt_cookies is None: + return self.want.encrypt_cookies + if set(self.want.encrypt_cookies) != set(self.have.encrypt_cookies): + return self.want.encrypt_cookies + + @property + def encrypt_cookie_secret(self): + if self.want.encrypt_cookie_secret != self.have.encrypt_cookie_secret: + if self.want.update_password == 'always': + result = self.want.encrypt_cookie_secret + return result + + +class ModuleManager(object): + def __init__(self, *args, **kwargs): + self.module = kwargs.get('module', None) + self.client = kwargs.get('client', None) + self.want = ModuleParameters(params=self.module.params) + self.have = ApiParameters() + self.changes = UsableChanges() + + def _set_changed_options(self): + changed = {} + for key in Parameters.returnables: + if getattr(self.want, key) is not None: + changed[key] = getattr(self.want, key) + if changed: + self.changes = UsableChanges(params=changed) + + def _update_changed_options(self): + diff = Difference(self.want, self.have) + updatables = Parameters.updatables + changed = dict() + for k in updatables: + change = diff.compare(k) + if change is None: + continue + else: + if isinstance(change, dict): + changed.update(change) + else: + changed[k] = change + if changed: + self.changes = UsableChanges(params=changed) + return True + return False + + def should_update(self): + result = self._update_changed_options() + if result: + return True + return False + + def exec_module(self): + changed = False + result = dict() + state = self.want.state + + if state == "present": + changed = self.present() + elif state == "absent": + changed = self.absent() + + reportable = ReportableChanges(params=self.changes.to_return()) + changes = reportable.to_return() + result.update(**changes) + result.update(dict(changed=changed)) + self._announce_deprecations(result) + return result + + def _announce_deprecations(self, result): + warnings = result.pop('__warnings', []) + for warning in warnings: + self.client.module.deprecate( + msg=warning['msg'], + version=warning['version'] + ) + + def present(self): + if self.exists(): + return self.update() + else: + return self.create() + + def exists(self): + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + resp = self.client.api.get(uri) + try: + response = resp.json() + except ValueError: + return False + if resp.status == 404 or 'code' in response and response['code'] == 404: + return False + return True + + def update(self): + self.have = self.read_current_from_device() + if not self.should_update(): + return False + if self.module.check_mode: + return True + self.update_on_device() + return True + + def remove(self): + if self.module.check_mode: + return True + self.remove_from_device() + if self.exists(): + raise F5ModuleError("Failed to delete the resource.") + return True + + def create(self): + self._set_changed_options() + if self.module.check_mode: + return True + self.create_on_device() + return True + + def create_on_device(self): + params = self.changes.api_params() + params['name'] = self.want.name + params['partition'] = self.want.partition + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/".format( + self.client.provider['server'], + self.client.provider['server_port'] + ) + resp = self.client.api.post(uri, json=params) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] in [400, 403]: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + return response['selfLink'] + + def update_on_device(self): + params = self.changes.api_params() + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + resp = self.client.api.patch(uri, json=params) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + + def absent(self): + if self.exists(): + return self.remove() + return False + + def remove_from_device(self): + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + response = self.client.api.delete(uri) + if response.status == 200: + return True + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(response.content) + + def read_current_from_device(self): + uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( + self.client.provider['server'], + self.client.provider['server_port'], + transform_name(self.want.partition, self.want.name) + ) + resp = self.client.api.get(uri) + try: + response = resp.json() + except ValueError as ex: + raise F5ModuleError(str(ex)) + + if 'code' in response and response['code'] == 400: + if 'message' in response: + raise F5ModuleError(response['message']) + else: + raise F5ModuleError(resp.content) + return ApiParameters(params=response) + + +class ArgumentSpec(object): + def __init__(self): + self.supports_check_mode = True + argument_spec = dict( + name=dict(required=True), + parent=dict(default='/Common/http'), + description=dict(), + proxy_type=dict( + choices=[ + 'reverse', + 'transparent', + 'explicit' + ] + ), + dns_resolver=dict(), + insert_xforwarded_for=dict(type='bool'), + redirect_rewrite=dict( + choices=[ + 'none', + 'all', + 'matching', + 'nodes' + ] + ), + encrypt_cookies=dict(type='list'), + encrypt_cookie_secret=dict(no_log=True), + update_password=dict( + default='always', + choices=['always', 'on_create'] + ), + state=dict( + default='present', + choices=['present', 'absent'] + ), + partition=dict( + default='Common', + fallback=(env_fallback, ['F5_PARTITION']) + + ) + ) + self.argument_spec = {} + self.argument_spec.update(f5_argument_spec) + self.argument_spec.update(argument_spec) + + +def main(): + spec = ArgumentSpec() + + module = AnsibleModule( + argument_spec=spec.argument_spec, + supports_check_mode=spec.supports_check_mode, + ) + + client = F5RestClient(**module.params) + + try: + mm = ModuleManager(module=module, client=client) + results = mm.exec_module() + exit_json(module, results, client) + except F5ModuleError as ex: + fail_json(module, ex, client) + + +if __name__ == '__main__': + main() diff --git a/test/units/modules/network/f5/fixtures/load_ltm_http_profile_1.json b/test/units/modules/network/f5/fixtures/load_ltm_http_profile_1.json new file mode 100644 index 0000000000..0d8f83c706 --- /dev/null +++ b/test/units/modules/network/f5/fixtures/load_ltm_http_profile_1.json @@ -0,0 +1,81 @@ +{ + "kind": "tm:ltm:profile:http:httpstate", + "name": "http", + "partition": "Common", + "fullPath": "/Common/http", + "generation": 1405, + "selfLink": "https://localhost/mgmt/tm/ltm/profile/http/~Common~http?ver=13.1.0.6", + "acceptXff": "disabled", + "appService": "none", + "basicAuthRealm": "none", + "defaultsFrom": "none", + "description": "none", + "encryptCookies": [], + "enforcement": { + "excessClientHeaders": "reject", + "excessServerHeaders": "reject", + "knownMethods": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "LOCK", + "OPTIONS", + "POST", + "PROPFIND", + "PUT", + "TRACE", + "UNLOCK" + ], + "maxHeaderCount": 64, + "maxHeaderSize": 32768, + "maxRequests": 0, + "oversizeClientHeaders": "reject", + "oversizeServerHeaders": "reject", + "pipeline": "allow", + "truncatedRedirects": "disabled", + "unknownMethod": "allow" + }, + "explicitProxy": { + "badRequestMessage": "none", + "badResponseMessage": "none", + "connectErrorMessage": "none", + "defaultConnectHandling": "deny", + "dnsErrorMessage": "none", + "dnsResolver": "none", + "hostNames": [], + "ipv6": "no", + "routeDomain": "none", + "tunnelName": "none" + }, + "fallbackHost": "none", + "fallbackStatusCodes": [], + "headerErase": "none", + "headerInsert": "none", + "hsts": { + "includeSubdomains": "enabled", + "maximumAge": 16070400, + "mode": "disabled", + "preload": "disabled" + }, + "insertXforwardedFor": "disabled", + "lwsSeparator": "none", + "lwsWidth": 80, + "oneconnectTransformations": "enabled", + "proxyType": "reverse", + "redirectRewrite": "none", + "requestChunking": "preserve", + "responseChunking": "selective", + "responseHeadersPermitted": [], + "serverAgentName": "BigIP", + "sflow": { + "pollInterval": 0, + "pollIntervalGlobal": "yes", + "samplingRate": 0, + "samplingRateGlobal": "yes" + }, + "viaHostName": "none", + "viaRequest": "preserve", + "viaResponse": "preserve", + "xffAlternativeNames": [] +} diff --git a/test/units/modules/network/f5/test_bigip_profile_http.py b/test/units/modules/network/f5/test_bigip_profile_http.py new file mode 100644 index 0000000000..63c2cf2fa5 --- /dev/null +++ b/test/units/modules/network/f5/test_bigip_profile_http.py @@ -0,0 +1,123 @@ +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2018, F5 Networks Inc. +# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import json +import sys + +from nose.plugins.skip import SkipTest +if sys.version_info < (2, 7): + raise SkipTest("F5 Ansible modules require Python >= 2.7") + +from ansible.compat.tests import unittest +from ansible.compat.tests.mock import Mock +from ansible.module_utils.basic import AnsibleModule + +try: + from library.modules.bigip_profile_http import ApiParameters + from library.modules.bigip_profile_http import ModuleParameters + from library.modules.bigip_profile_http import ModuleManager + from library.modules.bigip_profile_http import ArgumentSpec + from library.module_utils.network.f5.common import F5ModuleError + from library.module_utils.network.f5.common import iControlUnexpectedHTTPError + from test.unit.modules.utils import set_module_args +except ImportError: + try: + from ansible.modules.network.f5.bigip_profile_http import ApiParameters + from ansible.modules.network.f5.bigip_profile_http import ModuleParameters + from ansible.modules.network.f5.bigip_profile_http import ModuleManager + from ansible.modules.network.f5.bigip_profile_http import ArgumentSpec + from ansible.module_utils.network.f5.common import F5ModuleError + from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError + from units.modules.utils import set_module_args + except ImportError: + raise SkipTest("F5 Ansible modules require the f5-sdk Python library") + +fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures') +fixture_data = {} + + +def load_fixture(name): + path = os.path.join(fixture_path, name) + + if path in fixture_data: + return fixture_data[path] + + with open(path) as f: + data = f.read() + + try: + data = json.loads(data) + except Exception: + pass + + fixture_data[path] = data + return data + + +class TestParameters(unittest.TestCase): + def test_module_parameters(self): + args = dict( + name='foo', + parent='bar', + description='This is a Test', + proxy_type='transparent', + insert_xforwarded_for=True, + redirect_rewrite='all', + encrypt_cookies=['FooCookie'], + encrypt_cookie_secret='12345' + ) + + p = ModuleParameters(params=args) + assert p.name == 'foo' + assert p.parent == '/Common/bar' + assert p.description == 'This is a Test' + assert p.proxy_type == 'transparent' + assert p.insert_xforwarded_for == 'enabled' + assert p.redirect_rewrite == 'all' + assert p.encrypt_cookies == ['FooCookie'] + assert p.encrypt_cookie_secret == '12345' + + def test_api_parameters(self): + args = load_fixture('load_ltm_http_profile_1.json') + p = ApiParameters(params=args) + assert p.name == 'http' + assert p.insert_xforwarded_for == 'disabled' + assert p.description == 'none' + + +class TestManager(unittest.TestCase): + + def setUp(self): + self.spec = ArgumentSpec() + + def test_create(self, *args): + # Configure the arguments that would be sent to the Ansible module + set_module_args(dict( + name='foo', + insert_xforwarded_for='yes', + parent='bar', + password='password', + server='localhost', + user='admin' + )) + + module = AnsibleModule( + argument_spec=self.spec.argument_spec, + supports_check_mode=self.spec.supports_check_mode + ) + mm = ModuleManager(module=module) + + # Override methods to force specific logic in the module to happen + mm.exists = Mock(return_value=False) + mm.create_on_device = Mock(return_value=True) + + results = mm.exec_module() + + assert results['changed'] is True + assert results['insert_xforwarded_for'] == 'yes'