From 128cf5fd74f9cde538fc297b9a78207891f5afe9 Mon Sep 17 00:00:00 2001 From: Marc Abramowitz Date: Mon, 23 Mar 2015 14:26:11 -0700 Subject: [PATCH] Add `validate_certs` param to bigip_* modules Ignoring SSL cert verification may be necessary when testing with a server that has a self-signed certificate. See https://github.com/ansible/ansible-modules-extras/pull/288#issuecomment-85196736 --- .../modules/extras/network/f5/bigip_facts.py | 19 +++++++++++++++++ .../extras/network/f5/bigip_monitor_http.py | 21 +++++++++++++++++++ .../extras/network/f5/bigip_monitor_tcp.py | 21 +++++++++++++++++++ .../modules/extras/network/f5/bigip_node.py | 19 +++++++++++++++++ .../modules/extras/network/f5/bigip_pool.py | 19 +++++++++++++++++ .../extras/network/f5/bigip_pool_member.py | 19 +++++++++++++++++ 6 files changed, 118 insertions(+) diff --git a/lib/ansible/modules/extras/network/f5/bigip_facts.py b/lib/ansible/modules/extras/network/f5/bigip_facts.py index 2c333e58fba..59a6a48aa5e 100755 --- a/lib/ansible/modules/extras/network/f5/bigip_facts.py +++ b/lib/ansible/modules/extras/network/f5/bigip_facts.py @@ -56,6 +56,14 @@ options: default: null choices: [] aliases: [] + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: 1.9.1 session: description: - BIG-IP session support; may be useful to avoid concurrency @@ -1566,6 +1574,12 @@ def generate_software_list(f5): software_list = software.get_all_software_status() return software_list +def disable_ssl_cert_validation(): + # You probably only want to do this for testing and never in production. + # From https://www.python.org/dev/peps/pep-0476/#id29 + import ssl + ssl._create_default_https_context = ssl._create_unverified_context + def main(): module = AnsibleModule( @@ -1573,6 +1587,7 @@ def main(): server = dict(type='str', required=True), user = dict(type='str', required=True), password = dict(type='str', required=True), + validate_certs = dict(default='yes', type='bool'), session = dict(type='bool', default=False), include = dict(type='list', required=True), filter = dict(type='str', required=False), @@ -1585,6 +1600,7 @@ def main(): server = module.params['server'] user = module.params['user'] password = module.params['password'] + validate_certs = module.params['validate_certs'] session = module.params['session'] fact_filter = module.params['filter'] if fact_filter: @@ -1601,6 +1617,9 @@ def main(): if not all(include_test): module.fail_json(msg="value of include must be one or more of: %s, got: %s" % (",".join(valid_includes), ",".join(include))) + if not validate_certs: + disable_ssl_cert_validation() + try: facts = {} diff --git a/lib/ansible/modules/extras/network/f5/bigip_monitor_http.py b/lib/ansible/modules/extras/network/f5/bigip_monitor_http.py index 62823f86579..dd20fb04d74 100644 --- a/lib/ansible/modules/extras/network/f5/bigip_monitor_http.py +++ b/lib/ansible/modules/extras/network/f5/bigip_monitor_http.py @@ -51,6 +51,14 @@ options: - BIG-IP password required: true default: null + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: 1.9.1 state: description: - Monitor state @@ -177,6 +185,14 @@ def bigip_api(bigip, user, password): return api +def disable_ssl_cert_validation(): + + # You probably only want to do this for testing and never in production. + # From https://www.python.org/dev/peps/pep-0476/#id29 + import ssl + ssl._create_default_https_context = ssl._create_unverified_context + + def check_monitor_exists(module, api, monitor, parent): # hack to determine if monitor exists @@ -311,6 +327,7 @@ def main(): server = dict(required=True), user = dict(required=True), password = dict(required=True), + validate_certs = dict(default='yes', type='bool'), partition = dict(default='Common'), state = dict(default='present', choices=['present', 'absent']), name = dict(required=True), @@ -331,6 +348,7 @@ def main(): server = module.params['server'] user = module.params['user'] password = module.params['password'] + validate_certs = module.params['validate_certs'] partition = module.params['partition'] parent_partition = module.params['parent_partition'] state = module.params['state'] @@ -348,6 +366,9 @@ def main(): # end monitor specific stuff + if not validate_certs: + disable_ssl_cert_validation() + if not bigsuds_found: module.fail_json(msg="the python bigsuds module is required") api = bigip_api(server, user, password) diff --git a/lib/ansible/modules/extras/network/f5/bigip_monitor_tcp.py b/lib/ansible/modules/extras/network/f5/bigip_monitor_tcp.py index 8b89a0c6113..78a51f2529b 100644 --- a/lib/ansible/modules/extras/network/f5/bigip_monitor_tcp.py +++ b/lib/ansible/modules/extras/network/f5/bigip_monitor_tcp.py @@ -49,6 +49,14 @@ options: - BIG-IP password required: true default: null + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: 1.9.1 state: description: - Monitor state @@ -196,6 +204,14 @@ def bigip_api(bigip, user, password): return api +def disable_ssl_cert_validation(): + + # You probably only want to do this for testing and never in production. + # From https://www.python.org/dev/peps/pep-0476/#id29 + import ssl + ssl._create_default_https_context = ssl._create_unverified_context + + def check_monitor_exists(module, api, monitor, parent): # hack to determine if monitor exists @@ -331,6 +347,7 @@ def main(): server = dict(required=True), user = dict(required=True), password = dict(required=True), + validate_certs = dict(default='yes', type='bool'), partition = dict(default='Common'), state = dict(default='present', choices=['present', 'absent']), name = dict(required=True), @@ -351,6 +368,7 @@ def main(): server = module.params['server'] user = module.params['user'] password = module.params['password'] + validate_certs = module.params['validate_certs'] partition = module.params['partition'] parent_partition = module.params['parent_partition'] state = module.params['state'] @@ -372,6 +390,9 @@ def main(): # end monitor specific stuff + if not validate_certs: + disable_ssl_cert_validation() + if not bigsuds_found: module.fail_json(msg="the python bigsuds module is required") api = bigip_api(server, user, password) diff --git a/lib/ansible/modules/extras/network/f5/bigip_node.py b/lib/ansible/modules/extras/network/f5/bigip_node.py index 68b6a2b52f1..c45a7f12d5c 100644 --- a/lib/ansible/modules/extras/network/f5/bigip_node.py +++ b/lib/ansible/modules/extras/network/f5/bigip_node.py @@ -54,6 +54,14 @@ options: default: null choices: [] aliases: [] + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: 1.9.1 state: description: - Pool member state @@ -154,6 +162,12 @@ def bigip_api(bigip, user, password): api = bigsuds.BIGIP(hostname=bigip, username=user, password=password) return api +def disable_ssl_cert_validation(): + # You probably only want to do this for testing and never in production. + # From https://www.python.org/dev/peps/pep-0476/#id29 + import ssl + ssl._create_default_https_context = ssl._create_unverified_context + def node_exists(api, address): # hack to determine if node exists result = False @@ -212,6 +226,7 @@ def main(): server = dict(type='str', required=True), user = dict(type='str', required=True), password = dict(type='str', required=True), + validate_certs = dict(default='yes', type='bool'), state = dict(type='str', default='present', choices=['present', 'absent']), partition = dict(type='str', default='Common'), name = dict(type='str', required=True), @@ -227,6 +242,7 @@ def main(): server = module.params['server'] user = module.params['user'] password = module.params['password'] + validate_certs = module.params['validate_certs'] state = module.params['state'] partition = module.params['partition'] host = module.params['host'] @@ -234,6 +250,9 @@ def main(): address = "/%s/%s" % (partition, name) description = module.params['description'] + if not validate_certs: + disable_ssl_cert_validation() + if state == 'absent' and host is not None: module.fail_json(msg="host parameter invalid when state=absent") diff --git a/lib/ansible/modules/extras/network/f5/bigip_pool.py b/lib/ansible/modules/extras/network/f5/bigip_pool.py index 48d03b9f1cb..e7ddce6d391 100644 --- a/lib/ansible/modules/extras/network/f5/bigip_pool.py +++ b/lib/ansible/modules/extras/network/f5/bigip_pool.py @@ -54,6 +54,14 @@ options: default: null choices: [] aliases: [] + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: 1.9.1 state: description: - Pool/pool member state @@ -235,6 +243,12 @@ def bigip_api(bigip, user, password): api = bigsuds.BIGIP(hostname=bigip, username=user, password=password) return api +def disable_ssl_cert_validation(): + # You probably only want to do this for testing and never in production. + # From https://www.python.org/dev/peps/pep-0476/#id29 + import ssl + ssl._create_default_https_context = ssl._create_unverified_context + def pool_exists(api, pool): # hack to determine if pool exists result = False @@ -359,6 +373,7 @@ def main(): server = dict(type='str', required=True), user = dict(type='str', required=True), password = dict(type='str', required=True), + validate_certs = dict(default='yes', type='bool'), state = dict(type='str', default='present', choices=['present', 'absent']), name = dict(type='str', required=True, aliases=['pool']), partition = dict(type='str', default='Common'), @@ -380,6 +395,7 @@ def main(): server = module.params['server'] user = module.params['user'] password = module.params['password'] + validate_certs = module.params['validate_certs'] state = module.params['state'] name = module.params['name'] partition = module.params['partition'] @@ -407,6 +423,9 @@ def main(): address = "/%s/%s" % (partition, host) port = module.params['port'] + if not validate_certs: + disable_ssl_cert_validation() + # sanity check user supplied values if (host and not port) or (port and not host): diff --git a/lib/ansible/modules/extras/network/f5/bigip_pool_member.py b/lib/ansible/modules/extras/network/f5/bigip_pool_member.py index 5aef9f0ae98..6a00864056c 100644 --- a/lib/ansible/modules/extras/network/f5/bigip_pool_member.py +++ b/lib/ansible/modules/extras/network/f5/bigip_pool_member.py @@ -56,6 +56,14 @@ options: default: null choices: [] aliases: [] + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: 1.9.1 state: description: - Pool member state @@ -189,6 +197,12 @@ def bigip_api(bigip, user, password): api = bigsuds.BIGIP(hostname=bigip, username=user, password=password) return api +def disable_ssl_cert_validation(): + # You probably only want to do this for testing and never in production. + # From https://www.python.org/dev/peps/pep-0476/#id29 + import ssl + ssl._create_default_https_context = ssl._create_unverified_context + def pool_exists(api, pool): # hack to determine if pool exists result = False @@ -282,6 +296,7 @@ def main(): server = dict(type='str', required=True), user = dict(type='str', required=True), password = dict(type='str', required=True), + validate_certs = dict(default='yes', type='bool'), state = dict(type='str', default='present', choices=['present', 'absent']), pool = dict(type='str', required=True), partition = dict(type='str', default='Common'), @@ -301,6 +316,7 @@ def main(): server = module.params['server'] user = module.params['user'] password = module.params['password'] + validate_certs = module.params['validate_certs'] state = module.params['state'] partition = module.params['partition'] pool = "/%s/%s" % (partition, module.params['pool']) @@ -312,6 +328,9 @@ def main(): address = "/%s/%s" % (partition, host) port = module.params['port'] + if not validate_certs: + disable_ssl_cert_validation() + # sanity check user supplied values if (host and not port) or (port and not host):