archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fixes ssl cipher ordering in bigip_device_httpd. Also fix unit tests (#48475)

Browse Source
pull/48480/head
Tim Rupp 6 years ago committed by GitHub
parent d508d5820a
commit 0873043e5a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 36 deletions
Show Stats Download Patch File Download Diff File

73
lib/ansible/modules/network/f5/bigip_device_httpd.py
Unescape Escape View File

@ -103,64 +103,71 @@ EXAMPLES = r'''
- name: Set the BIG-IP authentication realm name - name: Set the BIG-IP authentication realm name
bigip_device_httpd: bigip_device_httpd:
auth_name: BIG-IP auth_name: BIG-IP
password: secret provider:
server: lb.mydomain.com password: secret
user: admin server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
- name: Set the auth pam timeout to 3600 seconds - name: Set the auth pam timeout to 3600 seconds
bigip_device_httpd: bigip_device_httpd:
auth_pam_idle_timeout: 1200 auth_pam_idle_timeout: 1200
password: secret provider:
server: lb.mydomain.com password: secret
user: admin server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
- name: Set the validate IP settings - name: Set the validate IP settings
bigip_device_httpd: bigip_device_httpd:
auth_pam_validate_ip: on auth_pam_validate_ip: on
password: secret provider:
server: lb.mydomain.com password: secret
user: admin server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
- name: Set SSL cipher suite by list - name: Set SSL cipher suite by list
bigip_device_httpd: bigip_device_httpd:
password: secret
server: lb.mydomain.com
user: admin
ssl_cipher_suite: ssl_cipher_suite:
- ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA - ECDHE-RSA-AES128-SHA
- AES256-SHA256 - AES256-SHA256
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
- name: Set SSL cipher suite by string - name: Set SSL cipher suite by string
bigip_device_httpd: bigip_device_httpd:
password: secret
server: lb.mydomain.com
user: admin
ssl_cipher_suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA256 ssl_cipher_suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:AES256-SHA256
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
- name: Set SSL protocols by list - name: Set SSL protocols by list
bigip_device_httpd: bigip_device_httpd:
password: secret
server: lb.mydomain.com
user: admin
ssl_protocols: ssl_protocols:
- all - all
- -SSLv2 - -SSLv2
- -SSLv3 - -SSLv3
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
- name: Set SSL protocols by string - name: Set SSL protocols by string
bigip_device_httpd: bigip_device_httpd:
password: secret ssl_protocols: all -SSLv2 -SSLv3
server: lb.mydomain.com provider:
user: admin password: secret
ssl_cipher_suite: all -SSLv2 -SSLv3 server: lb.mydomain.com
user: admin
delegate_to: localhost delegate_to: localhost
''' '''
@ -220,6 +227,11 @@ ssl_cipher_suite:
returned: changed returned: changed
type: string type: string
sample: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA sample: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA
ssl_cipher_suite_list:
description: List of the new ciphers that the system uses.
returned: changed
type: string
sample: ['ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-SHA']
ssl_protocols: ssl_protocols:
description: The new list of SSL protocols to accept on the management console. description: The new list of SSL protocols to accept on the management console.
returned: changed returned: changed
@ -276,7 +288,7 @@ class Parameters(AnsibleF5Parameters):
'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name', 'auth_pam_idle_timeout', 'auth_pam_validate_ip', 'auth_name',
'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup', 'auth_pam_dashboard_timeout', 'fast_cgi_timeout', 'hostname_lookup',
'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port', 'log_level', 'max_clients', 'redirect_http_to_https', 'ssl_port',
'allow', 'ssl_cipher_suite', 'ssl_protocols' 'allow', 'ssl_cipher_suite', 'ssl_protocols', 'ssl_cipher_suite_list',
] ]
updatables = [ updatables = [
@ -394,11 +406,11 @@ class ModuleParameters(Parameters):
"ssl_cipher_suite may not be set to 'none'" "ssl_cipher_suite may not be set to 'none'"
) )
if ciphers == 'default': if ciphers == 'default':
ciphers = ':'.join(sorted(Parameters._ciphers.split(':'))) ciphers = ':'.join(Parameters._ciphers.split(':'))
elif isinstance(self._values['ssl_cipher_suite'], string_types): elif isinstance(self._values['ssl_cipher_suite'], string_types):
ciphers = ':'.join(sorted(ciphers.split(':'))) ciphers = ':'.join(ciphers.split(':'))
else: else:
ciphers = ':'.join(sorted(ciphers)) ciphers = ':'.join(ciphers)
return ciphers return ciphers
@property @property
@ -454,12 +466,16 @@ class UsableChanges(Changes):
class ReportableChanges(Changes): class ReportableChanges(Changes):
@property @property
def ssl_cipher_suite(self): def ssl_cipher_suite(self):
default = ':'.join(sorted(Parameters._ciphers.split(':'))) default = ':'.join(Parameters._ciphers.split(':'))
if self._values['ssl_cipher_suite'] == default: if self._values['ssl_cipher_suite'] == default:
return 'default' return 'default'
else: else:
return self._values['ssl_cipher_suite'] return self._values['ssl_cipher_suite']
@property
def ssl_cipher_suite_list(self):
return self._values['ssl_cipher_suite'].split(':')
@property @property
def ssl_protocols(self): def ssl_protocols(self):
default = ' '.join(sorted(Parameters._protocols.split(' '))) default = ' '.join(sorted(Parameters._protocols.split(' ')))
@ -684,8 +700,9 @@ def main():
supports_check_mode=spec.supports_check_mode, supports_check_mode=spec.supports_check_mode,
) )
client = F5RestClient(**module.params)
try: try:
client = F5RestClient(**module.params)
mm = ModuleManager(module=module, client=client) mm = ModuleManager(module=module, client=client)
results = mm.exec_module() results = mm.exec_module()
cleanup_tokens(client) cleanup_tokens(client)

21
test/units/modules/network/f5/test_bigip_device_httpd.py
Unescape Escape View File

@ -14,25 +14,30 @@ from nose.plugins.skip import SkipTest
if sys.version_info < (2, 7): if sys.version_info < (2, 7):
raise SkipTest("F5 Ansible modules require Python >= 2.7") raise SkipTest("F5 Ansible modules require Python >= 2.7")
from units.compat import unittest
from units.compat.mock import Mock
from units.compat.mock import patch
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
try: try:
from library.modules.bigip_device_httpd import Parameters from library.modules.bigip_device_httpd import Parameters
from library.modules.bigip_device_httpd import ModuleManager from library.modules.bigip_device_httpd import ModuleManager
from library.modules.bigip_device_httpd import ArgumentSpec from library.modules.bigip_device_httpd import ArgumentSpec
from library.module_utils.network.f5.common import F5ModuleError
from library.module_utils.network.f5.common import iControlUnexpectedHTTPError # In Ansible 2.8, Ansible changed import paths.
from test.unit.modules.utils import set_module_args from test.units.compat import unittest
from test.units.compat.mock import Mock
from test.units.compat.mock import patch
from test.units.modules.utils import set_module_args
except ImportError: except ImportError:
try: try:
from ansible.modules.network.f5.bigip_device_httpd import Parameters from ansible.modules.network.f5.bigip_device_httpd import Parameters
from ansible.modules.network.f5.bigip_device_httpd import ModuleManager from ansible.modules.network.f5.bigip_device_httpd import ModuleManager
from ansible.modules.network.f5.bigip_device_httpd import ArgumentSpec from ansible.modules.network.f5.bigip_device_httpd import ArgumentSpec
from ansible.module_utils.network.f5.common import F5ModuleError
from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError # Ansible 2.8 imports
from units.compat import unittest
from units.compat.mock import Mock
from units.compat.mock import patch
from units.modules.utils import set_module_args from units.modules.utils import set_module_args
except ImportError: except ImportError:
raise SkipTest("F5 Ansible modules require the f5-sdk Python library") raise SkipTest("F5 Ansible modules require the f5-sdk Python library")

Write Preview
Loading…
Cancel
Save