diff --git a/lib/ansible/modules/network/f5/bigip_iapp_template.py b/lib/ansible/modules/network/f5/bigip_iapp_template.py index 524ec067922..9a19fb6db98 100644 --- a/lib/ansible/modules/network/f5/bigip_iapp_template.py +++ b/lib/ansible/modules/network/f5/bigip_iapp_template.py @@ -115,6 +115,7 @@ try: from library.module_utils.network.f5.common import AnsibleF5Parameters from library.module_utils.network.f5.common import cleanup_tokens from library.module_utils.network.f5.common import f5_argument_spec + from library.module_utils.network.f5.common import fq_name try: from library.module_utils.network.f5.common import iControlUnexpectedHTTPError from f5.utils.iapp_parser import NonextantTemplateNameException @@ -127,6 +128,7 @@ except ImportError: from ansible.module_utils.network.f5.common import AnsibleF5Parameters from ansible.module_utils.network.f5.common import cleanup_tokens from ansible.module_utils.network.f5.common import f5_argument_spec + from ansible.module_utils.network.f5.common import fq_name try: from ansible.module_utils.network.f5.common import iControlUnexpectedHTTPError from f5.utils.iapp_parser import NonextantTemplateNameException @@ -163,8 +165,7 @@ class Parameters(AnsibleF5Parameters): if self._values['content'] is None: return None result = self._squash_template_name_prefix() - if self._values['name']: - result = self._replace_template_name(result) + result = self._replace_template_name(result) return result @property @@ -206,7 +207,13 @@ class Parameters(AnsibleF5Parameters): :return string """ pattern = r'sys\s+application\s+template\s+[^ ]+' - replace = 'sys application template {0}'.format(self._values['name']) + + if self._values['name']: + name = self._values['name'] + else: + name = self._get_template_name() + + replace = 'sys application template {0}'.format(fq_name(self.partition, name)) return re.sub(pattern, replace, template) def _get_template_name(self): @@ -214,7 +221,7 @@ class Parameters(AnsibleF5Parameters): # using it in all cases to get the name of an iApp. So we'll use this # pattern for now and file a bug with the F5 SDK pattern = r'sys\s+application\s+template\s+(?P\/[^\{}"\'*?|#]+\/)?(?P[^\{}"\'*?|#]+)' - matches = re.search(pattern, self.content) + matches = re.search(pattern, self._values['content']) try: result = matches.group('name').strip() except IndexError: @@ -392,6 +399,8 @@ class ModuleManager(object): result = output.commandResult if 'Syntax Error' in result: raise F5ModuleError(output.commandResult) + if 'ERROR' in result: + raise F5ModuleError(output.commandResult) def remove(self): if self.module.check_mode: diff --git a/lib/ansible/modules/network/f5/bigip_profile_dns.py b/lib/ansible/modules/network/f5/bigip_profile_dns.py index a5d50b248ba..86be7c69083 100644 --- a/lib/ansible/modules/network/f5/bigip_profile_dns.py +++ b/lib/ansible/modules/network/f5/bigip_profile_dns.py @@ -17,7 +17,7 @@ DOCUMENTATION = r''' module: bigip_profile_dns short_description: Manage DNS profiles on a BIG-IP description: - - Manage DNS profiles on a BIG-IP. There are a variety of DNS profiles, each with their + - Manage DNS profiles on a BIG-IP. Many DNS profiles; each with their own adjustments to the standard C(dns) profile. Users of this module should be aware that many of the adjustable knobs have no module default. Instead, the default is assigned by the BIG-IP system itself which, in most cases, is acceptable. @@ -35,8 +35,8 @@ options: enable_dns_express: description: - Specifies whether the DNS Express engine is enabled. - - When creating a new profile, if this parameter is not specified, the default is - C(yes). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. - The DNS Express engine receives zone transfers from the authoritative DNS server for the zone. If the C(enable_zone_transfer) setting is also C(yes) on this profile, the DNS Express engine also responds to zone transfer requests made by the nameservers @@ -46,8 +46,8 @@ options: description: - Specifies whether the system answers zone transfer requests for a DNS zone created on the system. - - When creating a new profile, if this parameter is not specified, the default is - C(no). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. - The C(enable_dns_express) and C(enable_zone_transfer) settings on a DNS profile affect how the system responds to zone transfer requests. - When the C(enable_dns_express) and C(enable_zone_transfer) settings are both C(yes), @@ -61,21 +61,21 @@ options: description: - Specifies whether the system signs responses with DNSSEC keys and replies to DNSSEC specific queries (e.g., DNSKEY query type). - - When creating a new profile, if this parameter is not specified, the default is - C(yes). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. type: bool enable_gtm: description: - Specifies whether the system uses Global Traffic Manager to manage the response. - - When creating a new profile, if this parameter is not specified, the default is - C(yes). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. type: bool process_recursion_desired: description: - Specifies whether to process client-side DNS packets with Recursion Desired set in the header. - - When creating a new profile, if this parameter is not specified, the default is - C(yes). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. - If set to C(no), processing of the packet is subject to the unhandled-query-action option. type: bool @@ -84,15 +84,54 @@ options: - Specifies whether the system forwards non-wide IP queries to the local BIND server on the BIG-IP system. - For best performance, disable this setting when using a DNS cache. - - When creating a new profile, if this parameter is not specified, the default is - C(yes). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. type: bool enable_dns_firewall: description: - Specifies whether DNS firewall capability is enabled. - - When creating a new profile, if this parameter is not specified, the default is - C(no). + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. + type: bool + enable_cache: + description: + - Specifies whether the system caches DNS responses. + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. + - When C(yes), the BIG-IP system caches DNS responses handled by the virtual + servers associated with this profile. When you enable this setting, you must + also specify a value for C(cache_name). + - When C(no), the BIG-IP system does not cache DNS responses handled by the + virtual servers associated with this profile. However, the profile retains + the association with the DNS cache in the C(cache_name) parameter. Disable + this setting when you want to debug the system. type: bool + version_added: 2.7 + cache_name: + description: + - Specifies the user-created cache that the system uses to cache DNS responses. + - When you select a cache for the system to use, you must also set C(enable_dns_cache) + to C(yes) + version_added: 2.7 + unhandled_query_action: + description: + - Specifies the action to take when a query does not match a Wide IP or a DNS Express Zone. + - When C(allow), the BIG-IP system forwards queries to a DNS server or pool member. + If a pool is not associated with a listener and the Use BIND Server on BIG-IP setting + is set to Enabled, requests are forwarded to the local BIND server. + - When C(drop), the BIG-IP system does not respond to the query. + - When C(reject), the BIG-IP system returns the query with the REFUSED return code. + - When C(hint), the BIG-IP system returns the query with a list of root name servers. + - When C(no-error), the BIG-IP system returns the query with the NOERROR return code. + - When creating a new profile, if this parameter is not specified, the default + is provided by the parent profile. + choices: + - allow + - drop + - reject + - hint + - no-error + version_added: 2.7 partition: description: - Device partition to manage resources on. @@ -132,37 +171,52 @@ enable_dns_express: description: Whether DNS Express is enabled on the resource or not. returned: changed type: bool - sample: True + sample: yes enable_zone_transfer: description: Whether zone transfer are enabled on the resource or not. returned: changed type: bool - sample: False + sample: no enable_dnssec: description: Whether DNSSEC is enabled on the resource or not. returned: changed type: bool - sample: False + sample: no enable_gtm: description: Whether GTM is used to manage the resource or not. returned: changed type: bool - sample: True + sample: yes process_recursion_desired: description: Whether client-side DNS packets are processed with Recursion Desired set. returned: changed type: bool - sample: True + sample: yes use_local_bind: description: Whether non-wide IP queries are forwarded to the local BIND server or not. returned: changed type: bool - sample: False + sample: no enable_dns_firewall: description: Whether DNS firewall capability is enabled or not. returned: changed type: bool - sample: False + sample: no +enable_cache: + description: Whether DNS caching is enabled or not. + returned: changed + type: bool + sample: no +cache_name: + description: Name of the cache used by DNS. + returned: changed + type: string + sample: /Common/cache1 +unhandled_query_action: + description: What to do with unhandled queries + returned: changed + type: string + sample: allow ''' from ansible.module_utils.basic import AnsibleModule @@ -204,6 +258,9 @@ class Parameters(AnsibleF5Parameters): 'processXfr': 'enable_zone_transfer', 'enableDnsExpress': 'enable_dns_express', 'defaultsFrom': 'parent', + 'enableCache': 'enable_cache', + 'cache': 'cache_name', + 'unhandledQueryAction': 'unhandled_query_action', } api_attributes = [ @@ -214,7 +271,10 @@ class Parameters(AnsibleF5Parameters): 'enableDnssec', 'processXfr', 'enableDnsExpress', - 'defaultsFrom' + 'defaultsFrom', + 'cache', + 'enableCache', + 'unhandledQueryAction', ] returnables = [ @@ -225,6 +285,9 @@ class Parameters(AnsibleF5Parameters): 'enable_dnssec', 'enable_zone_transfer', 'enable_dns_express', + 'cache_name', + 'enable_cache', + 'unhandled_query_action', ] updatables = [ @@ -235,6 +298,9 @@ class Parameters(AnsibleF5Parameters): 'enable_dnssec', 'enable_zone_transfer', 'enable_dns_express', + 'cache_name', + 'enable_cache', + 'unhandled_query_action', ] @@ -271,6 +337,14 @@ class ApiParameters(Parameters): return True return False + @property + def enable_cache(self): + if self._values['enable_cache'] is None: + return None + if self._values['enable_cache'] == 'yes': + return True + return False + @property def enable_dnssec(self): if self._values['enable_dnssec'] is None: @@ -295,6 +369,14 @@ class ApiParameters(Parameters): return True return False + @property + def unhandled_query_action(self): + if self._values['unhandled_query_action'] is None: + return None + elif self._values['unhandled_query_action'] == 'noerror': + return 'no-error' + return self._values['unhandled_query_action'] + class ModuleParameters(Parameters): @property @@ -304,6 +386,15 @@ class ModuleParameters(Parameters): result = fq_name(self.partition, self._values['parent']) return result + @property + def cache_name(self): + if self._values['cache_name'] is None: + return None + if self._values['cache_name'] == '': + return '' + result = fq_name(self.partition, self._values['cache_name']) + return result + class Changes(Parameters): def to_return(self): @@ -350,6 +441,14 @@ class UsableChanges(Changes): return 'yes' return 'no' + @property + def enable_cache(self): + if self._values['enable_cache'] is None: + return None + if self._values['enable_cache']: + return 'yes' + return 'no' + @property def enable_dnssec(self): if self._values['enable_dnssec'] is None: @@ -374,63 +473,17 @@ class UsableChanges(Changes): return 'yes' return 'no' - -class ReportableChanges(Changes): @property - def enable_dns_firewall(self): - if self._values['enable_dns_firewall'] is None: + def unhandled_query_action(self): + if self._values['unhandled_query_action'] is None: return None - if self._values['enable_dns_firewall'] == 'yes': - return True - return False + elif self._values['unhandled_query_action'] == 'no-error': + return 'noerror' + return self._values['unhandled_query_action'] - @property - def use_local_bind(self): - if self._values['use_local_bind'] is None: - return None - if self._values['use_local_bind'] == 'yes': - return True - return False - - @property - def process_recursion_desired(self): - if self._values['process_recursion_desired'] is None: - return None - if self._values['process_recursion_desired'] == 'yes': - return True - return False - - @property - def enable_gtm(self): - if self._values['enable_gtm'] is None: - return None - if self._values['enable_gtm'] == 'yes': - return True - return False - - @property - def enable_dnssec(self): - if self._values['enable_dnssec'] is None: - return None - if self._values['enable_dnssec'] == 'yes': - return True - return False - - @property - def enable_zone_transfer(self): - if self._values['enable_zone_transfer'] is None: - return None - if self._values['enable_zone_transfer'] == 'yes': - return True - return False - @property - def enable_dns_express(self): - if self._values['enable_dns_express'] is None: - return None - if self._values['enable_dns_express'] == 'yes': - return True - return False +class ReportableChanges(Changes): + pass class Difference(object): @@ -540,6 +593,11 @@ class ModuleManager(object): self.have = self.read_current_from_device() if not self.should_update(): return False + if self.changes.enable_cache is True or self.have.enable_cache is True: + if not self.have.cache_name or self.changes.cache_name == '': + raise F5ModuleError( + "To enable DNS cache, a DNS cache must be specified." + ) if self.module.check_mode: return True self.update_on_device() @@ -554,22 +612,12 @@ class ModuleManager(object): return True def create(self): - if self.want.enable_dns_express is None: - self.want.update({'enable_dns_express': True}) - if self.want.enable_zone_transfer is None: - self.want.update({'enable_zone_transfer': False}) - if self.want.enable_dnssec is None: - self.want.update({'enable_dnssec': True}) - if self.want.enable_gtm is None: - self.want.update({'enable_gtm': True}) - if self.want.process_recursion_desired is None: - self.want.update({'process_recursion_desired': True}) - if self.want.use_local_bind is None: - self.want.update({'use_local_bind': True}) - if self.want.enable_dns_firewall is None: - self.want.update({'enable_dns_firewall': False}) - self._set_changed_options() + if self.want.enable_cache is True and not self.want.cache_name: + raise F5ModuleError( + "You must specify a 'cache_name' when creating a DNS profile that sets 'enable_cache' to 'yes'." + ) + if self.module.check_mode: return True self.create_on_device() @@ -626,6 +674,11 @@ class ArgumentSpec(object): process_recursion_desired=dict(type='bool'), use_local_bind=dict(type='bool'), enable_dns_firewall=dict(type='bool'), + enable_cache=dict(type='bool'), + unhandled_query_action=dict( + choices=['allow', 'drop', 'reject', 'hint', 'no-error'] + ), + cache_name=dict(), state=dict( default='present', choices=['present', 'absent'] diff --git a/test/units/modules/network/f5/fixtures/load_ltm_irules.json b/test/units/modules/network/f5/fixtures/load_ltm_irules.json index 05286e6b040..b3e026a120b 100644 --- a/test/units/modules/network/f5/fixtures/load_ltm_irules.json +++ b/test/units/modules/network/f5/fixtures/load_ltm_irules.json @@ -6,7 +6,7 @@ "fullPath": "/Common/_sys_APM_ExchangeSupport_OA_BasicAuth", "generation": 1, "selfLink": "https://localhost/mgmt/tm/ltm/rule/~Common~_sys_APM_ExchangeSupport_OA_BasicAuth?ver=12.1.2", - "apiAnonymous": "nodelete nowrite \n # Global variables\n # static::POLICY_RESULT_CACHE_AUTHFAILED\n # Administrator can set this into 1, when there is a necessity to cache failed policy result.\n # This may be needed to avoid account locked caused by the Active Sync device when it uses wrong passwords.\n # One possible scenario, is that when the user changes the password in Active Directory, but missed to changed in their devices.\n # Responses\n # On denied result\n # Administrator can customize the responses to the device depends on more complex conditions when necessary.\n # In those cases, please use ACCESS::respond command.\n # The following is the syntax of ACCESS::respond\n # ACCESS::respond [ content ] [ * ]\n # e.g. ACCESS::respond 401 content \"Error: Denied\" WWW-Authenticate \"basic realm=\\\"f5.com\\\"\" Connection close\n when RULE_INIT {\n # Please set the following global variables for customized responses.\n set static::actsync_401_http_body \"Authentication FailuredError: Authentication Failure\"\n set static::actsync_503_http_body \"Service is not availableError: Service is not available\"\n set static::ACCESS_LOG_PREFIX \"01490000:7:\"\n\n # Second Virtual Server name for 401 NTLM responder\n set static::ACCESS_SECOND_VIRTUAL_NAME \"_ACCESS_401_NTLM_responder_HTTPS\"\n\n set static::POLICY_INPROGRESS \"policy_inprogress\"\n set static::POLICY_AUTHFAILED \"policy_authfailed\"\n # The request with huge content length can not be used for starting ACCESS session.\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session. The following value is used for Outlook Anywhere.\n set static::OA_MAGIC_CONTENT_LEN 1073741824\n\n # Similar with OutlookAnywhere case, ACCESS can not use the request which is\n # larger then following size. This becomes an issue with application that using\n # Exchange Web Service as its main protocol such as macOS applications\n # (e.g. Mail app, Microsoft Entourage, etc)\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session.\n set static::FIRST_BIG_POST_CONTENT_LEN 640000\n\n # Set it into 1 if the backend EWS handler accepts HTTP Basic Authentication.\n set static::EWS_BKEND_BASIC_AUTH 0\n # The following variable controls the polling mechanism.\n set static::POLICY_RESULT_POLL_INTERVAL 250\n set static::POLICY_RESULT_POLL_MAXRETRYCYCLE 600\n\n # Set this global variable to 1 for caching authentication failure\n # Useful for avoiding account locked out.\n set static::POLICY_RESULT_CACHE_AUTHFAILED 0\n\n # set this global variable to set alternative timeout for particular session\n set static::POLICY_ALT_INACTIVITY_TIMEOUT 120\n\n set static::ACCESS_USERKEY_TBLNAME \"_access_userkey\"\n\n\n set static::ACCESS_DEL_COOKIE_HDR_VAL \"MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/\"\n\n log -noname accesscontrol.local1.debug \"01490000:7: EWS_BKEND_BASIC_AUTH = $static::EWS_BKEND_BASIC_AUTH\"\n }\n when ACCESS_ACL_ALLOWED {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX [HTTP::method] [HTTP::uri] [HTTP::header Content-Length]\"\n\n # MSFT Exchange's EWS request handler always requesting NTLM even the connection has been\n # already authenticated if there is a HTTP Basic Auth in the request.\n if { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n if { $static::EWS_BKEND_BASIC_AUTH == 0 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing HTTP Basic Authorization header\"\n HTTP::header remove Authorization\n }\n }\n }\n\n when HTTP_REQUEST {\n set http_path [ string tolower [HTTP::path] ]\n set f_clientless_mode 0\n set f_alt_inactivity_timeout 0\n set f_rpc_over_http 0\n set f_exchange_web_service 0\n set f_auto_discover 0\n set f_activesync 0\n set f_offline_address_book 0\n set f_availability_service 0\n\n # Here put appropriate pool when necessary.\n switch -glob $http_path {\n \"/rpc/rpcproxy.dll\" {\n # Supports for RPC over HTTP. (Outlook Anywhere)\n set f_rpc_over_http 1\n }\n \"/autodiscover/autodiscover.xml\" {\n # Supports for Auto Discover protocol.\n set f_auto_discover 1\n # This request does not require long inactivity timeout.\n # Don't use this for now\n set f_alt_inactivity_timeout 0\n }\n \"/microsoft-server-activesync\" {\n # Supports for ActiveSync\n set f_activesync 1\n }\n \"/oab/*\" {\n # Supports for Offline Address Book\n set f_offline_address_book 1\n # Don't use this for now\n set f_alt_inactivity_timeout 0\n }\n \"/ews/*\" {\n # Support for Exchange Web Service\n # Outlook's Availability Service borrows this protocol.\n set f_exchange_web_service 1\n }\n \"/as/*\" {\n # Support for Availability Service.\n # do nothing for now. (Untested)\n set f_availability_service 1\n }\n default {\n return\n }\n }\n\n set f_reqside_set_sess_id 0\n set http_method [HTTP::method]\n set http_hdr_host [HTTP::host]\n set http_hdr_uagent [HTTP::header User-Agent]\n set http_uri [HTTP::uri]\n set http_content_len [HTTP::header Content-Length]\n set MRHSession_cookie [HTTP::cookie value MRHSession]\n set auth_info_b64enc \"\"\n\n if { ! [ info exists src_ip ] } {\n set src_ip [IP::remote_addr]\n }\n if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } {\n set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout]\n }\n if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } {\n set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout]\n }\n if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {\n set PROFILE_RESTRICT_SINGLE_IP 1\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX method: $http_method\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Src IP: $src_ip\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX User-Agent: $http_hdr_uagent\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP uri: $http_uri\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP len: $http_content_len\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Restrict-to-single-client-ip: $PROFILE_RESTRICT_SINGLE_IP\"\n\n # First, do we have valid MRHSession cookie.\n if { $MRHSession_cookie != \"\" } {\n if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie\"\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n set http_hdr_auth [HTTP::header Authorization]\n if { [ string match -nocase {basic *} $http_hdr_auth ] != 1 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Not basic authentication. Ignore received auth header\"\n set http_hdr_auth \"\"\n }\n\n if { $http_hdr_auth == \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX No/Empty Auth header\"\n # clean up the cookie\n if { $MRHSession_cookie == \"\" } {\n HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate \"Basic realm=\\\"[HTTP::header Host]\\\"\" Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection Close\n return\n }\n # Do nothing if we have a valid MRHSession cookie.\n }\n\n set f_release_request 0\n # Optimization for clients which support cookie\n if { $MRHSession_cookie != \"\" } {\n # Default profile access setting is false\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n set f_release_request 1\n }\n elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie \"session.user.clientip\" ] ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP matched\"\n set f_release_request 1\n }\n else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP does not matched\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n if { $f_release_request == 0 } {\n set apm_username [string tolower [HTTP::username]]\n set apm_password [HTTP::password]\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n binary scan [md5 \"$apm_password\"] H* user_hash\n }\n else {\n binary scan [md5 \"$apm_password$src_ip\"] H* user_hash\n }\n set user_key \"$apm_username.$user_hash\"\n unset user_hash\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP Hdr Auth: $http_hdr_auth\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX apm_username: $apm_username\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key = $user_key\"\n set apm_cookie_list [ ACCESS::user getsid $user_key ]\n if { [ llength $apm_cookie_list ] != 0 } {\n set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]\n if { $apm_cookie != \"\" } {\n HTTP::cookie insert name MRHSession value $apm_cookie\n set f_release_request 1\n }\n }\n }\n\n if { $http_content_len == $static::OA_MAGIC_CONTENT_LEN } {\n set f_oa_magic_content_len 1\n }\n\n set f_sleep_here 0\n set retry 1\n\n while { $f_release_request == 0 && $retry <= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE } {\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Trying #$retry for $http_method $http_uri $http_content_len\"\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Reading $user_key from table $static::ACCESS_USERKEY_TBLNAME\"\n\n set apm_cookie [table lookup -subtable $static::ACCESS_USERKEY_TBLNAME -notouch $user_key]\n if { $apm_cookie != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Verifying table cookie = $apm_cookie\"\n\n # Accessing SessionDB is not that cheap. Here we are trying to check known value.\n if { $apm_cookie == \"policy_authfailed\" || $apm_cookie == \"policy_inprogress\"} {\n # Do nothing\n } elseif { ! [ ACCESS::session exists $apm_cookie ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX table cookie = $apm_cookie is out-of-sync\"\n # Table value is out of sync. Ignores it.\n set apm_cookie \"\"\n }\n }\n\n switch $apm_cookie {\n \"\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX NO APM Cookie found\"\n\n if { [ info exists f_oa_magic_content_len ] && $f_oa_magic_content_len == 1 } {\n # Outlook Anywhere request comes in pair. The one with 1G payload is not usable\n # for creating new session since 1G content-length is intended for client to upload\n # the data when needed.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for request with magic content-len\"\n set f_sleep_here 1\n } elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 && $http_content_len > $static::FIRST_BIG_POST_CONTENT_LEN } {\n # Here we are getting large EWS request, which can't be used for starting new session\n # in clientless-mode. Have it here waiting for next smaller one.\n # We are holding the request here in HTTP filter, and HTTP filter automatically\n # clamping down the TCP window when necessary.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for big EWS request\"\n set f_sleep_here 1\n } else {\n set apm_cookie \"policy_inprogress\"\n set f_reqside_set_sess_id 1\n set f_release_request 1\n }\n }\n \"policy_authfailed\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Found $user_key with AUTH_FAILED\"\n HTTP::respond 401 content $static::actsync_401_http_body\n set f_release_request 1\n }\n \"policy_inprogress\" {\n if { [ info exists f_activesync ] && ($f_activesync == 1) } {\n # For ActiveSync requests, aggressively starts new session.\n set f_reqside_set_sess_id 1\n set f_release_request 1\n } else {\n set f_sleep_here 1\n }\n }\n default {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Using MRHSession = $apm_cookie\"\n HTTP::header insert Cookie \"MRHSession=$apm_cookie\"\n set f_release_request 1\n }\n }\n\n if { $f_reqside_set_sess_id == 1 } {\n set f_reqside_set_sess_id 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key=$apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_POLICY_TIMEOUT\"\n set f_clientless_mode 1\n HTTP::cookie remove MRHSession\n HTTP::header insert \"clientless-mode\" 1\n HTTP::header insert \"username\" $apm_username\n HTTP::header insert \"password\" $apm_password\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_POLICY_TIMEOUT\n }\n\n if { $f_sleep_here == 1 } {\n set f_sleep_here 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Waiting $static::POLICY_RESULT_POLL_INTERVAL ms for $http_method $http_uri\"\n after $static::POLICY_RESULT_POLL_INTERVAL\n }\n\n incr retry\n }\n\n if { ($f_release_request == 0) && ($retry >= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE) } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Policy did not finish in [expr { $static::POLICY_RESULT_POLL_MAXRETRYCYCLE * $static::POLICY_RESULT_POLL_INTERVAL } ] ms. Close connection for $http_method $http_uri\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n ACCESS::disable\n TCP::close\n return\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Releasing request $http_method $http_uri\"\n }\n\n when ACCESS_SESSION_STARTED {\n if { [ info exists user_key ] } {\n\n ACCESS::session data set \"session.user.uuid\" $user_key\n ACCESS::session data set \"session.user.microsoft-exchange-client\" 1\n\n if { [ info exists f_activesync ] && $f_activesync == 1 } {\n ACCESS::session data set \"session.user.microsoft-activesync\" 1\n }\n elseif { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n ACCESS::session data set \"session.user.microsoft-autodiscover\" 1\n }\n elseif { [ info exists f_availability_service ] && $f_availability_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-availabilityservice\" 1\n }\n elseif { [ info exists f_rpc_over_http ] && $f_rpc_over_http == 1 } {\n ACCESS::session data set \"session.user.microsoft-rpcoverhttp\" 1\n }\n elseif { [ info exists f_offline_address_book ] && $f_offline_address_book == 1 } {\n ACCESS::session data set \"session.user.microsoft-offlineaddressbook\" 1\n }\n elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-exchangewebservice\" 1\n }\n }\n if { [ info exists f_alt_inactivity_timeout ] && $f_alt_inactivity_timeout == 1 } {\n ACCESS::session data set \"session.inactivity_timeout\" $static::POLICY_ALT_INACTIVITY_TIMEOUT\n }\n }\n\n when ACCESS_POLICY_COMPLETED {\n if { ! [ info exists user_key ] } {\n return\n }\n\n set user_key_value \"\"\n set f_delete_session 0\n set policy_result [ACCESS::policy result]\n set sid [ ACCESS::session sid ]\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX ACCESS_POLICY_COMPLETED: policy_result = \\\"$policy_result\\\" user_key = \\\"$user_key\\\" sid = \\\"$sid\\\"\"\n\n set inactivity_timeout [ACCESS::session data get \"session.inactivity_timeout\"]\n set max_sess_timeout [ACCESS::session data get \"session.max_session_timeout\"]\n if { $max_sess_timeout == \"\" } {\n set max_sess_timeout $PROFILE_MAX_SESS_TIMEOUT\n }\n\n switch $policy_result {\n \"allow\" {\n # We depends on this table record self-cleanup capability in order to\n # indirectly sync with session DB.\n set user_key_value $sid\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Result: Allow: $user_key => $sid $inactivity_timeout $max_sess_timeout\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key_value = $user_key_value\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX sid = $sid\"\n }\n \"deny\" {\n # When necessary the admin here can check appropriate session variable\n # and decide what response more appropriate then this default response.\n ACCESS::respond 401 content $static::actsync_401_http_body Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection Close\n if { $static::POLICY_RESULT_CACHE_AUTHFAILED == 1 } {\n set user_key_value $static::POLICY_AUTHFAILED\n } else {\n set f_delete_session 1\n }\n }\n default {\n ACCESS::respond 503 content $static::actsync_503_http_body Connection Close\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Got unsupported policy result for $user_key ($sid)\"\n set f_delete_session 1\n }\n }\n if { $user_key_value != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key => $user_key_value $inactivity_timeout $max_sess_timeout in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $user_key_value $inactivity_timeout $max_sess_timeout\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Deleting $user_key in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n }\n\n if { $f_delete_session == 1 } {\n ACCESS::session remove\n set f_delete_session 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing the session for $user_key.\"\n }\n }\ndefinition-signature CZnUb3niz9wZPWvOmjDB0Dy4ixqjBEhIZrAVGt8VYe7+wZkhcBUFTADz3S1y5uomVwhRkGL20PLH7tfanDlpr3+IppgAGQlp98sPUl5ndEoWA4Rr90QiRGNRl/V7jWK58SOdJCQOirnutVMoeYjBWLwuprXGts08PO0WML5s0xJNOY7WPuGNeG+7Ht2pIB0vu80CgnCNGZJGZH0QR3kMVOx3yUN0ro5bAOmQ/XWel4qkj0F5DN9ufvsmKtTvb+Lc3y+5PHGbbFAQIrZ7lntZUJl/F8e/d26HE3spmZzQpPzi16qYWaMOxbvT6oedxpyhwbmJLiRNGyZmnT6kHj93FA==", + "apiAnonymous": "nodelete nowrite \n # Global variables\n # static::POLICY_RESULT_CACHE_AUTHFAILED\n # Administrator can set this into 1, when there is a necessity to cache failed policy result.\n # This may be needed to avoid account locked caused by the Active Sync device when it uses wrong passwords.\n # One possible scenario, is that when the user changes the password in Active Directory, but missed to changed in their devices.\n # Responses\n # On denied result\n # Administrator can customize the responses to the device depends on more complex conditions when necessary.\n # In those cases, please use ACCESS::respond command.\n # The following is the syntax of ACCESS::respond\n # ACCESS::respond [ content ] [ * ]\n # e.g. ACCESS::respond 401 content \"Error: Denied\" WWW-Authenticate \"basic realm=\\\"f5.com\\\"\" Connection close\n when RULE_INIT {\n # Please set the following global variables for customized responses.\n set static::actsync_401_http_body \"Authentication FailuredError: Authentication Failure\"\n set static::actsync_503_http_body \"Service is not availableError: Service is not available\"\n set static::ACCESS_LOG_PREFIX \"01490000:7:\"\n\n # Second Virtual Server name for 401 NTLM responder\n set static::ACCESS_SECOND_VIRTUAL_NAME \"_ACCESS_401_NTLM_responder_HTTPS\"\n\n set static::POLICY_INPROGRESS \"policy_inprogress\"\n set static::POLICY_AUTHFAILED \"policy_authfailed\"\n # The request with huge content length can not be used for starting ACCESS session.\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session. The following value is used for Outlook Anywhere.\n set static::OA_MAGIC_CONTENT_LEN 1073741824\n\n # Similar with OutlookAnywhere case, ACCESS can not use the request which is\n # larger then following size. This becomes an issue with application that using\n # Exchange Web Service as its main protocol such as Mac OS X applications\n # (e.g. Mail app, Microsoft Entourage, etc)\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session.\n set static::FIRST_BIG_POST_CONTENT_LEN 640000\n\n # Set it into 1 if the backend EWS handler accepts HTTP Basic Authentication.\n set static::EWS_BKEND_BASIC_AUTH 0\n # The following variable controls the polling mechanism.\n set static::POLICY_RESULT_POLL_INTERVAL 250\n set static::POLICY_RESULT_POLL_MAXRETRYCYCLE 600\n\n # Set this global variable to 1 for caching authentication failure\n # Useful for avoiding account locked out.\n set static::POLICY_RESULT_CACHE_AUTHFAILED 0\n\n # set this global variable to set alternative timeout for particular session\n set static::POLICY_ALT_INACTIVITY_TIMEOUT 120\n\n set static::ACCESS_USERKEY_TBLNAME \"_access_userkey\"\n\n\n set static::ACCESS_DEL_COOKIE_HDR_VAL \"MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/\"\n\n log -noname accesscontrol.local1.debug \"01490000:7: EWS_BKEND_BASIC_AUTH = $static::EWS_BKEND_BASIC_AUTH\"\n }\n when ACCESS_ACL_ALLOWED {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX [HTTP::method] [HTTP::uri] [HTTP::header Content-Length]\"\n\n # MSFT Exchange's EWS request handler always requesting NTLM even the connection has been\n # already authenticated if there is a HTTP Basic Auth in the request.\n if { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n if { $static::EWS_BKEND_BASIC_AUTH == 0 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing HTTP Basic Authorization header\"\n HTTP::header remove Authorization\n }\n }\n }\n\n when HTTP_REQUEST {\n set http_path [ string tolower [HTTP::path] ]\n set f_clientless_mode 0\n set f_alt_inactivity_timeout 0\n set f_rpc_over_http 0\n set f_exchange_web_service 0\n set f_auto_discover 0\n set f_activesync 0\n set f_offline_address_book 0\n set f_availability_service 0\n\n # Here put appropriate pool when necessary.\n switch -glob $http_path {\n \"/rpc/rpcproxy.dll\" {\n # Supports for RPC over HTTP. (Outlook Anywhere)\n set f_rpc_over_http 1\n }\n \"/autodiscover/autodiscover.xml\" {\n # Supports for Auto Discover protocol.\n set f_auto_discover 1\n # This request does not require long inactivity timeout.\n # Don't use this for now\n set f_alt_inactivity_timeout 0\n }\n \"/microsoft-server-activesync\" {\n # Supports for ActiveSync\n set f_activesync 1\n }\n \"/oab/*\" {\n # Supports for Offline Address Book\n set f_offline_address_book 1\n # Don't use this for now\n set f_alt_inactivity_timeout 0\n }\n \"/ews/*\" {\n # Support for Exchange Web Service\n # Outlook's Availability Service borrows this protocol.\n set f_exchange_web_service 1\n }\n \"/as/*\" {\n # Support for Availability Service.\n # do nothing for now. (Untested)\n set f_availability_service 1\n }\n default {\n return\n }\n }\n\n set f_reqside_set_sess_id 0\n set http_method [HTTP::method]\n set http_hdr_host [HTTP::host]\n set http_hdr_uagent [HTTP::header User-Agent]\n set http_uri [HTTP::uri]\n set http_content_len [HTTP::header Content-Length]\n set MRHSession_cookie [HTTP::cookie value MRHSession]\n set auth_info_b64enc \"\"\n\n if { ! [ info exists src_ip ] } {\n set src_ip [IP::remote_addr]\n }\n if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } {\n set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout]\n }\n if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } {\n set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout]\n }\n if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {\n set PROFILE_RESTRICT_SINGLE_IP 1\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX method: $http_method\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Src IP: $src_ip\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX User-Agent: $http_hdr_uagent\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP uri: $http_uri\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP len: $http_content_len\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Restrict-to-single-client-ip: $PROFILE_RESTRICT_SINGLE_IP\"\n\n # First, do we have valid MRHSession cookie.\n if { $MRHSession_cookie != \"\" } {\n if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie\"\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n set http_hdr_auth [HTTP::header Authorization]\n if { [ string match -nocase {basic *} $http_hdr_auth ] != 1 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Not basic authentication. Ignore received auth header\"\n set http_hdr_auth \"\"\n }\n\n if { $http_hdr_auth == \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX No/Empty Auth header\"\n # clean up the cookie\n if { $MRHSession_cookie == \"\" } {\n HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate \"Basic realm=\\\"[HTTP::header Host]\\\"\" Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection Close\n return\n }\n # Do nothing if we have a valid MRHSession cookie.\n }\n\n set f_release_request 0\n # Optimization for clients which support cookie\n if { $MRHSession_cookie != \"\" } {\n # Default profile access setting is false\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n set f_release_request 1\n }\n elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie \"session.user.clientip\" ] ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP matched\"\n set f_release_request 1\n }\n else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP does not matched\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n if { $f_release_request == 0 } {\n set apm_username [string tolower [HTTP::username]]\n set apm_password [HTTP::password]\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n binary scan [md5 \"$apm_password\"] H* user_hash\n }\n else {\n binary scan [md5 \"$apm_password$src_ip\"] H* user_hash\n }\n set user_key \"$apm_username.$user_hash\"\n unset user_hash\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP Hdr Auth: $http_hdr_auth\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX apm_username: $apm_username\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key = $user_key\"\n set apm_cookie_list [ ACCESS::user getsid $user_key ]\n if { [ llength $apm_cookie_list ] != 0 } {\n set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]\n if { $apm_cookie != \"\" } {\n HTTP::cookie insert name MRHSession value $apm_cookie\n set f_release_request 1\n }\n }\n }\n\n if { $http_content_len == $static::OA_MAGIC_CONTENT_LEN } {\n set f_oa_magic_content_len 1\n }\n\n set f_sleep_here 0\n set retry 1\n\n while { $f_release_request == 0 && $retry <= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE } {\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Trying #$retry for $http_method $http_uri $http_content_len\"\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Reading $user_key from table $static::ACCESS_USERKEY_TBLNAME\"\n\n set apm_cookie [table lookup -subtable $static::ACCESS_USERKEY_TBLNAME -notouch $user_key]\n if { $apm_cookie != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Verifying table cookie = $apm_cookie\"\n\n # Accessing SessionDB is not that cheap. Here we are trying to check known value.\n if { $apm_cookie == \"policy_authfailed\" || $apm_cookie == \"policy_inprogress\"} {\n # Do nothing\n } elseif { ! [ ACCESS::session exists $apm_cookie ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX table cookie = $apm_cookie is out-of-sync\"\n # Table value is out of sync. Ignores it.\n set apm_cookie \"\"\n }\n }\n\n switch $apm_cookie {\n \"\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX NO APM Cookie found\"\n\n if { [ info exists f_oa_magic_content_len ] && $f_oa_magic_content_len == 1 } {\n # Outlook Anywhere request comes in pair. The one with 1G payload is not usable\n # for creating new session since 1G content-length is intended for client to upload\n # the data when needed.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for request with magic content-len\"\n set f_sleep_here 1\n } elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 && $http_content_len > $static::FIRST_BIG_POST_CONTENT_LEN } {\n # Here we are getting large EWS request, which can't be used for starting new session\n # in clientless-mode. Have it here waiting for next smaller one.\n # We are holding the request here in HTTP filter, and HTTP filter automatically\n # clamping down the TCP window when necessary.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for big EWS request\"\n set f_sleep_here 1\n } else {\n set apm_cookie \"policy_inprogress\"\n set f_reqside_set_sess_id 1\n set f_release_request 1\n }\n }\n \"policy_authfailed\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Found $user_key with AUTH_FAILED\"\n HTTP::respond 401 content $static::actsync_401_http_body\n set f_release_request 1\n }\n \"policy_inprogress\" {\n if { [ info exists f_activesync ] && ($f_activesync == 1) } {\n # For ActiveSync requests, aggressively starts new session.\n set f_reqside_set_sess_id 1\n set f_release_request 1\n } else {\n set f_sleep_here 1\n }\n }\n default {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Using MRHSession = $apm_cookie\"\n HTTP::header insert Cookie \"MRHSession=$apm_cookie\"\n set f_release_request 1\n }\n }\n\n if { $f_reqside_set_sess_id == 1 } {\n set f_reqside_set_sess_id 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key=$apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_POLICY_TIMEOUT\"\n set f_clientless_mode 1\n HTTP::cookie remove MRHSession\n HTTP::header insert \"clientless-mode\" 1\n HTTP::header insert \"username\" $apm_username\n HTTP::header insert \"password\" $apm_password\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_POLICY_TIMEOUT\n }\n\n if { $f_sleep_here == 1 } {\n set f_sleep_here 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Waiting $static::POLICY_RESULT_POLL_INTERVAL ms for $http_method $http_uri\"\n after $static::POLICY_RESULT_POLL_INTERVAL\n }\n\n incr retry\n }\n\n if { ($f_release_request == 0) && ($retry >= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE) } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Policy did not finish in [expr { $static::POLICY_RESULT_POLL_MAXRETRYCYCLE * $static::POLICY_RESULT_POLL_INTERVAL } ] ms. Close connection for $http_method $http_uri\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n ACCESS::disable\n TCP::close\n return\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Releasing request $http_method $http_uri\"\n }\n\n when ACCESS_SESSION_STARTED {\n if { [ info exists user_key ] } {\n\n ACCESS::session data set \"session.user.uuid\" $user_key\n ACCESS::session data set \"session.user.microsoft-exchange-client\" 1\n\n if { [ info exists f_activesync ] && $f_activesync == 1 } {\n ACCESS::session data set \"session.user.microsoft-activesync\" 1\n }\n elseif { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n ACCESS::session data set \"session.user.microsoft-autodiscover\" 1\n }\n elseif { [ info exists f_availability_service ] && $f_availability_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-availabilityservice\" 1\n }\n elseif { [ info exists f_rpc_over_http ] && $f_rpc_over_http == 1 } {\n ACCESS::session data set \"session.user.microsoft-rpcoverhttp\" 1\n }\n elseif { [ info exists f_offline_address_book ] && $f_offline_address_book == 1 } {\n ACCESS::session data set \"session.user.microsoft-offlineaddressbook\" 1\n }\n elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-exchangewebservice\" 1\n }\n }\n if { [ info exists f_alt_inactivity_timeout ] && $f_alt_inactivity_timeout == 1 } {\n ACCESS::session data set \"session.inactivity_timeout\" $static::POLICY_ALT_INACTIVITY_TIMEOUT\n }\n }\n\n when ACCESS_POLICY_COMPLETED {\n if { ! [ info exists user_key ] } {\n return\n }\n\n set user_key_value \"\"\n set f_delete_session 0\n set policy_result [ACCESS::policy result]\n set sid [ ACCESS::session sid ]\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX ACCESS_POLICY_COMPLETED: policy_result = \\\"$policy_result\\\" user_key = \\\"$user_key\\\" sid = \\\"$sid\\\"\"\n\n set inactivity_timeout [ACCESS::session data get \"session.inactivity_timeout\"]\n set max_sess_timeout [ACCESS::session data get \"session.max_session_timeout\"]\n if { $max_sess_timeout == \"\" } {\n set max_sess_timeout $PROFILE_MAX_SESS_TIMEOUT\n }\n\n switch $policy_result {\n \"allow\" {\n # We depends on this table record self-cleanup capability in order to\n # indirectly sync with session DB.\n set user_key_value $sid\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Result: Allow: $user_key => $sid $inactivity_timeout $max_sess_timeout\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key_value = $user_key_value\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX sid = $sid\"\n }\n \"deny\" {\n # When necessary the admin here can check appropriate session variable\n # and decide what response more appropriate then this default response.\n ACCESS::respond 401 content $static::actsync_401_http_body Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection Close\n if { $static::POLICY_RESULT_CACHE_AUTHFAILED == 1 } {\n set user_key_value $static::POLICY_AUTHFAILED\n } else {\n set f_delete_session 1\n }\n }\n default {\n ACCESS::respond 503 content $static::actsync_503_http_body Connection Close\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Got unsupported policy result for $user_key ($sid)\"\n set f_delete_session 1\n }\n }\n if { $user_key_value != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key => $user_key_value $inactivity_timeout $max_sess_timeout in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $user_key_value $inactivity_timeout $max_sess_timeout\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Deleting $user_key in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n }\n\n if { $f_delete_session == 1 } {\n ACCESS::session remove\n set f_delete_session 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing the session for $user_key.\"\n }\n }\ndefinition-signature CZnUb3niz9wZPWvOmjDB0Dy4ixqjBEhIZrAVGt8VYe7+wZkhcBUFTADz3S1y5uomVwhRkGL20PLH7tfanDlpr3+IppgAGQlp98sPUl5ndEoWA4Rr90QiRGNRl/V7jWK58SOdJCQOirnutVMoeYjBWLwuprXGts08PO0WML5s0xJNOY7WPuGNeG+7Ht2pIB0vu80CgnCNGZJGZH0QR3kMVOx3yUN0ro5bAOmQ/XWel4qkj0F5DN9ufvsmKtTvb+Lc3y+5PHGbbFAQIrZ7lntZUJl/F8e/d26HE3spmZzQpPzi16qYWaMOxbvT6oedxpyhwbmJLiRNGyZmnT6kHj93FA==", "apiRawValues": { "verificationStatus": "signature-verified" } @@ -42,7 +42,7 @@ "fullPath": "/Common/_sys_APM_ExchangeSupport_main", "generation": 1, "selfLink": "https://localhost/mgmt/tm/ltm/rule/~Common~_sys_APM_ExchangeSupport_main?ver=12.1.2", - "apiAnonymous": "nodelete nowrite \n # Global variables\n # static::POLICY_RESULT_CACHE_AUTHFAILED\n # Administrator can set this into 1, when there is a necessity to cache failed policy result.\n # This may be needed to avoid account locked caused by the Active Sync device when it uses wrong passwords.\n # One possible scenario, is that when the user changes the password in Active Directory, but missed to changed in their devices.\n # Responses\n # On denied result\n # Administrator can customize the responses to the device depends on more complex conditions when necessary.\n # In those cases, please use ACCESS::respond command.\n # The following is the syntax of ACCESS::respond\n # ACCESS::respond [ content ] [ * ]\n # e.g. ACCESS::respond 401 content \"Error: Denied\" WWW-Authenticate \"basic realm=\\\"f5.com\\\"\" Connection close\n when RULE_INIT {\n # Please set the following global variables for customized responses.\n set static::actsync_401_http_body \"Authentication FailuredError: Authentication Failure\"\n set static::actsync_503_http_body \"Service is not availableError: Service is not available\"\n set static::ACCESS_LOG_PREFIX \"01490000:7:\"\n\n # Second Virtual Server name for 401 NTLM responder\n set static::ACCESS_SECOND_VIRTUAL_NAME \"_ACCESS_401_NTLM_responder_HTTPS\"\n\n set static::POLICY_INPROGRESS \"policy_inprogress\"\n set static::POLICY_AUTHFAILED \"policy_authfailed\"\n # The request with huge content length can not be used for starting ACCESS session.\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session. The following value is used for Outlook Anywhere.\n set static::OA_MAGIC_CONTENT_LEN 1073741824\n\n # Similar with OutlookAnywhere case, ACCESS can not use the request which is\n # larger then following size. This becomes an issue with application that using\n # Exchange Web Service as its main protocol such as macOS applications\n # (e.g. Mail app, Microsoft Entourage, etc)\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session.\n set static::FIRST_BIG_POST_CONTENT_LEN 640000\n\n # Set it into 1 if the backend EWS handler accepts HTTP Basic Authentication.\n set static::EWS_BKEND_BASIC_AUTH 0\n # Set it into 1 if the backend RPC-over-HTTP handler accepts HTTP Basic Authentication.\n set static::RPC_OVER_HTTP_BKEND_BASIC_AUTH 0\n # The following variable controls the polling mechanism.\n set static::POLICY_RESULT_POLL_INTERVAL 250\n set static::POLICY_RESULT_POLL_MAXRETRYCYCLE 600\n\n # Set this global variable to 1 for caching authentication failure\n # Useful for avoiding account locked out.\n set static::POLICY_RESULT_CACHE_AUTHFAILED 0\n\n # set this global variable to set alternative timeout for particular session\n set static::POLICY_ALT_INACTIVITY_TIMEOUT 120\n\n set static::ACCESS_USERKEY_TBLNAME \"_access_userkey\"\n\n\n set static::ACCESS_DEL_COOKIE_HDR_VAL \"MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/\"\n\n log -noname accesscontrol.local1.debug \"01490000:7: RPC_OVER_HTTP_BKEND_BASIC_AUTH = $static::RPC_OVER_HTTP_BKEND_BASIC_AUTH\"\n log -noname accesscontrol.local1.debug \"01490000:7: EWS_BKEND_BASIC_AUTH = $static::EWS_BKEND_BASIC_AUTH\"\n }\n when ACCESS_ACL_ALLOWED {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX [HTTP::method] [HTTP::uri] [HTTP::header Content-Length]\"\n\n if { [ info exists f_rpc_over_http ] && $f_rpc_over_http == 1 } {\n if { $static::RPC_OVER_HTTP_BKEND_BASIC_AUTH == 0 } {\n if { [ info exists f_oa_magic_content_len ] && $f_oa_magic_content_len == 1 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Use this virtual $static::ACCESS_SECOND_VIRTUAL_NAME just once. Will be reset back after disconnection.\"\n use virtual $static::ACCESS_SECOND_VIRTUAL_NAME\n }\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Remove HTTP Auth header\"\n HTTP::header remove Authorization\n }\n }\n # MSFT Exchange's EWS request handler always requesting NTLM even the connection has been\n # already authenticated if there is a HTTP Basic Auth in the request.\n if { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n if { $static::EWS_BKEND_BASIC_AUTH == 0 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing HTTP Basic Authorization header\"\n HTTP::header remove Authorization\n }\n }\n }\n\n when HTTP_REQUEST {\n set http_path [ string tolower [HTTP::path] ]\n set f_clientless_mode 0\n set f_alt_inactivity_timeout 0\n set f_rpc_over_http 0\n set f_exchange_web_service 0\n set f_auto_discover 0\n set f_activesync 0\n set f_offline_address_book 0\n set f_availability_service 0\n\n # Here put appropriate pool when necessary.\n switch -glob $http_path {\n \"/rpc/rpcproxy.dll\" {\n # Supports for RPC over HTTP. (Outlook Anywhere)\n set f_rpc_over_http 1\n }\n \"/autodiscover/autodiscover.xml\" {\n # Supports for Auto Discover protocol.\n set f_auto_discover 1\n # This request does not require long inactivity timeout.\n # Don't use this for now\n set f_alt_inactivity_timeout 0\n }\n \"/microsoft-server-activesync\" {\n # Supports for ActiveSync\n set f_activesync 1\n }\n \"/oab/*\" {\n # Supports for Offline Address Book\n set f_offline_address_book 1\n }\n \"/ews/*\" {\n # Support for Exchange Web Service\n # Outlook's Availability Service borrows this protocol.\n set f_exchange_web_service 1\n }\n \"/as/*\" {\n # Support for Availability Service.\n # do nothing for now. (Untested)\n set f_availability_service 1\n }\n default {\n return\n }\n }\n\n set f_reqside_set_sess_id 0\n set http_method [HTTP::method]\n set http_hdr_host [HTTP::host]\n set http_hdr_uagent [HTTP::header User-Agent]\n set src_ip [IP::remote_addr]\n set http_uri [HTTP::uri]\n set http_content_len [HTTP::header Content-Length]\n set MRHSession_cookie [HTTP::cookie value MRHSession]\n set auth_info_b64enc \"\"\n\n if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } {\n set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout]\n }\n if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } {\n set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout]\n }\n if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {\n set PROFILE_RESTRICT_SINGLE_IP 1\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX method: $http_method\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Src IP: $src_ip\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX User-Agent: $http_hdr_uagent\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP uri: $http_uri\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP len: $http_content_len\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Restrict-to-single-client-ip: $PROFILE_RESTRICT_SINGLE_IP\"\n\n # First, do we have valid MRHSession cookie.\n if { $MRHSession_cookie != \"\" } {\n if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie\"\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n set http_hdr_auth [HTTP::header Authorization]\n if { [ string match -nocase {basic *} $http_hdr_auth ] != 1 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Not basic authentication. Ignore received auth header\"\n set http_hdr_auth \"\"\n }\n\n if { $http_hdr_auth == \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX No/Empty Auth header\"\n # clean up the cookie\n if { $MRHSession_cookie == \"\" } {\n HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate \"Basic realm=\\\"[HTTP::header Host]\\\"\" Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection close\n return\n }\n # Do nothing if we have a valid MRHSession cookie.\n }\n\n set f_release_request 0\n # Optimization for clients which support cookie\n if { $MRHSession_cookie != \"\" } {\n # Default profile access setting is false\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n set f_release_request 1\n }\n elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie \"session.user.clientip\" ] ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP matched\"\n set f_release_request 1\n }\n else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP does not matched\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n if { $f_release_request == 0 } {\n set apm_username [ string tolower [HTTP::username]]\n set apm_password [HTTP::password]\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n binary scan [md5 \"$apm_password\"] H* user_hash\n } else {\n binary scan [md5 \"$apm_password$src_ip\"] H* user_hash\n }\n\n set user_key {}\n append user_key $apm_username \".\" $user_hash\n unset user_hash\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP Hdr Auth: $http_hdr_auth\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX apm_username: $apm_username\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key = $user_key\"\n set apm_cookie_list [ ACCESS::user getsid $user_key ]\n if { [ llength $apm_cookie_list ] != 0 } {\n set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]\n if { $apm_cookie != \"\" } {\n HTTP::cookie insert name MRHSession value $apm_cookie\n set f_release_request 1\n }\n }\n }\n\n if { $http_content_len == $static::OA_MAGIC_CONTENT_LEN } {\n set f_oa_magic_content_len 1\n }\n\n set f_sleep_here 0\n set retry 1\n\n while { $f_release_request == 0 && $retry <= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE } {\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Trying #$retry for $http_method $http_uri $http_content_len\"\n\n # This is also going to touch the table entry timer.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Reading $user_key from table $static::ACCESS_USERKEY_TBLNAME\"\n\n set apm_cookie [table lookup -subtable $static::ACCESS_USERKEY_TBLNAME -notouch $user_key]\n if { $apm_cookie != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Verifying table cookie = $apm_cookie\"\n\n # Accessing SessionDB is not that cheap. Here we are trying to check known value.\n if { $apm_cookie == \"policy_authfailed\" || $apm_cookie == \"policy_inprogress\"} {\n # Do nothing\n } elseif { ! [ ACCESS::session exists $apm_cookie ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX table cookie = $apm_cookie is out-of-sync\"\n # Table value is out of sync. Ignores it.\n set apm_cookie \"\"\n }\n }\n\n switch $apm_cookie {\n \"\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX NO APM Cookie found\"\n\n if { [ info exists f_oa_magic_content_len ] && $f_oa_magic_content_len == 1 } {\n # Outlook Anywhere request comes in pair. The one with 1G payload is not usable\n # for creating new session since 1G content-length is intended for client to upload\n # the data when needed.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for request with magic content-len\"\n set f_sleep_here 1\n } elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 && $http_content_len > $static::FIRST_BIG_POST_CONTENT_LEN } {\n # Here we are getting large EWS request, which can't be used for starting new session\n # in clientless-mode. Have it here waiting for next smaller one.\n # We are holding the request here in HTTP filter, and HTTP filter automatically\n # clamping down the TCP window when necessary.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for big EWS request\"\n set f_sleep_here 1\n } else {\n set apm_cookie \"policy_inprogress\"\n set f_reqside_set_sess_id 1\n set f_release_request 1\n }\n }\n \"policy_authfailed\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Found $user_key with AUTH_FAILED\"\n HTTP::respond 401 content $static::actsync_401_http_body\n set f_release_request 1\n }\n \"policy_inprogress\" {\n if { [ info exists f_activesync ] && ($f_activesync == 1) } {\n # For ActiveSync requests, aggressively starts new session.\n set f_reqside_set_sess_id 1\n set f_release_request 1\n } else {\n set f_sleep_here 1\n }\n }\n default {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Using MRHSession = $apm_cookie\"\n HTTP::header insert Cookie \"MRHSession=$apm_cookie\"\n set f_release_request 1\n }\n }\n\n if { $f_reqside_set_sess_id == 1 } {\n set f_reqside_set_sess_id 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key=$apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT\"\n set f_clientless_mode 1\n HTTP::cookie remove MRHSession\n HTTP::header insert \"clientless-mode\" 1\n HTTP::header insert \"username\" $apm_username\n HTTP::header insert \"password\" $apm_password\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT\n }\n\n if { $f_sleep_here == 1 } {\n set f_sleep_here 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Waiting $static::POLICY_RESULT_POLL_INTERVAL ms for $http_method $http_uri\"\n after $static::POLICY_RESULT_POLL_INTERVAL\n }\n\n incr retry\n }\n\n if { $f_release_request == 0 && $retry >= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Policy did not finish in [expr { $static::POLICY_RESULT_POLL_MAXRETRYCYCLE * $static::POLICY_RESULT_POLL_INTERVAL } ] ms. Close connection for $http_method $http_uri\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n ACCESS::disable\n TCP::close\n return\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Releasing request $http_method $http_uri\"\n }\n\n when ACCESS_SESSION_STARTED {\n if { [ info exists user_key ] } {\n ACCESS::session data set \"session.user.uuid\" $user_key\n ACCESS::session data set \"session.user.microsoft-exchange-client\" 1\n\n if { [ info exists f_activesync ] && $f_activesync == 1 } {\n ACCESS::session data set \"session.user.microsoft-activesync\" 1\n }\n elseif { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n ACCESS::session data set \"session.user.microsoft-autodiscover\" 1\n }\n elseif { [ info exists f_availability_service ] && $f_availability_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-availabilityservice\" 1\n }\n elseif { [ info exists f_rpc_over_http ] && $f_rpc_over_http == 1 } {\n ACCESS::session data set \"session.user.microsoft-rpcoverhttp\" 1\n }\n elseif { [ info exists f_offline_address_book ] && $f_offline_address_book == 1 } {\n ACCESS::session data set \"session.user.microsoft-offlineaddressbook\" 1\n }\n elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-exchangewebservice\" 1\n }\n }\n if { [ info exists f_alt_inactivity_timeout ] && $f_alt_inactivity_timeout == 1 } {\n ACCESS::session data set \"session.inactivity_timeout\" $static::POLICY_ALT_INACTIVITY_TIMEOUT\n }\n }\n\n when HTTP_RESPONSE {\n if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n set content_len [ HTTP::header Content-Length ]\n if { $content_len > 0 } {\n HTTP::collect $content_len\n }\n }\n }\n when HTTP_RESPONSE_DATA {\n if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n if { [ regsub -line {Ntlm} [ HTTP::payload ] {Basic} payload ] != 0 } {\n HTTP::payload replace 0 $content_len $payload\n }\n }\n }\n when ACCESS_POLICY_COMPLETED {\n if { ! [ info exists user_key ] } {\n return\n }\n\n set user_key_value \"\"\n set f_delete_session 0\n set policy_result [ACCESS::policy result]\n set sid [ ACCESS::session sid ]\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX ACCESS_POLICY_COMPLETED: policy_result = \\\"$policy_result\\\" user_key = \\\"$user_key\\\" sid = \\\"$sid\\\"\"\n\n set inactivity_timeout [ACCESS::session data get \"session.inactivity_timeout\"]\n set max_sess_timeout [ACCESS::session data get \"session.max_session_timeout\"]\n if { $max_sess_timeout == \"\" } {\n set max_sess_timeout $PROFILE_MAX_SESS_TIMEOUT\n }\n\n switch $policy_result {\n \"allow\" {\n # We depends on this table record self-cleanup capability in order to\n # indirectly sync with session DB.\n set user_key_value $sid\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Result: Allow: $user_key => $sid $inactivity_timeout $max_sess_timeout\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key_value = $user_key_value\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX sid = $sid\"\n }\n \"deny\" {\n # When necessary the admin here can check appropriate session variable\n # and decide what response more appropriate then this default response.\n ACCESS::respond 401 content $static::actsync_401_http_body Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection close\n if { $static::POLICY_RESULT_CACHE_AUTHFAILED == 1 } {\n set user_key_value $static::POLICY_AUTHFAILED\n } else {\n set f_delete_session 1\n }\n }\n default {\n ACCESS::respond 503 content $static::actsync_503_http_body Connection close\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Got unsupported policy result for $user_key ($sid)\"\n set f_delete_session 1\n }\n }\n if { $user_key_value != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key => $user_key_value $inactivity_timeout $max_sess_timeout in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $user_key_value $inactivity_timeout $max_sess_timeout\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Deleting $user_key in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n }\n\n if { $f_delete_session == 1 } {\n ACCESS::session remove\n set f_delete_session 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing the session for $user_key.\"\n }\n }\ndefinition-signature feX9LM+vB6YOEdVF+EA1JtNyVkPaB7gwdW0JzaB083MXl4yPP2nZnjm+WAx3YQhsmLttq5UkPl1zHpr5H9cwJX1bu9BNMi/+n0bIqWOipDHhhSYQ+TH+a5jQUSeftISr52BSQxh0cQKZkzM3rFU/qRZn9D9Dbf0kDGiDC1KWwVosrdjp5tVHOiQXWx8zybbGPFfgBcIBE6IvOvGbh5ohebVL2ADZm0URRj2NM4ZvZ2T3C14k2rHGXnDdRsvhmf5USZ+FH1hoKtWRxqtFjkWIaqw8leenXeot1j2bdKy92/AVTC9oZj1HJN1ePuQo5v414zlUhMEtkVy/gaxvj1+vPQ==", + "apiAnonymous": "nodelete nowrite \n # Global variables\n # static::POLICY_RESULT_CACHE_AUTHFAILED\n # Administrator can set this into 1, when there is a necessity to cache failed policy result.\n # This may be needed to avoid account locked caused by the Active Sync device when it uses wrong passwords.\n # One possible scenario, is that when the user changes the password in Active Directory, but missed to changed in their devices.\n # Responses\n # On denied result\n # Administrator can customize the responses to the device depends on more complex conditions when necessary.\n # In those cases, please use ACCESS::respond command.\n # The following is the syntax of ACCESS::respond\n # ACCESS::respond [ content ] [ * ]\n # e.g. ACCESS::respond 401 content \"Error: Denied\" WWW-Authenticate \"basic realm=\\\"f5.com\\\"\" Connection close\n when RULE_INIT {\n # Please set the following global variables for customized responses.\n set static::actsync_401_http_body \"Authentication FailuredError: Authentication Failure\"\n set static::actsync_503_http_body \"Service is not availableError: Service is not available\"\n set static::ACCESS_LOG_PREFIX \"01490000:7:\"\n\n # Second Virtual Server name for 401 NTLM responder\n set static::ACCESS_SECOND_VIRTUAL_NAME \"_ACCESS_401_NTLM_responder_HTTPS\"\n\n set static::POLICY_INPROGRESS \"policy_inprogress\"\n set static::POLICY_AUTHFAILED \"policy_authfailed\"\n # The request with huge content length can not be used for starting ACCESS session.\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session. The following value is used for Outlook Anywhere.\n set static::OA_MAGIC_CONTENT_LEN 1073741824\n\n # Similar with OutlookAnywhere case, ACCESS can not use the request which is\n # larger then following size. This becomes an issue with application that using\n # Exchange Web Service as its main protocol such as Mac OS X applications\n # (e.g. Mail app, Microsoft Entourage, etc)\n # This kind of request will be put on hold, and this iRule will try to use another\n # request to start the session.\n set static::FIRST_BIG_POST_CONTENT_LEN 640000\n\n # Set it into 1 if the backend EWS handler accepts HTTP Basic Authentication.\n set static::EWS_BKEND_BASIC_AUTH 0\n # Set it into 1 if the backend RPC-over-HTTP handler accepts HTTP Basic Authentication.\n set static::RPC_OVER_HTTP_BKEND_BASIC_AUTH 0\n # The following variable controls the polling mechanism.\n set static::POLICY_RESULT_POLL_INTERVAL 250\n set static::POLICY_RESULT_POLL_MAXRETRYCYCLE 600\n\n # Set this global variable to 1 for caching authentication failure\n # Useful for avoiding account locked out.\n set static::POLICY_RESULT_CACHE_AUTHFAILED 0\n\n # set this global variable to set alternative timeout for particular session\n set static::POLICY_ALT_INACTIVITY_TIMEOUT 120\n\n set static::ACCESS_USERKEY_TBLNAME \"_access_userkey\"\n\n\n set static::ACCESS_DEL_COOKIE_HDR_VAL \"MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/\"\n\n log -noname accesscontrol.local1.debug \"01490000:7: RPC_OVER_HTTP_BKEND_BASIC_AUTH = $static::RPC_OVER_HTTP_BKEND_BASIC_AUTH\"\n log -noname accesscontrol.local1.debug \"01490000:7: EWS_BKEND_BASIC_AUTH = $static::EWS_BKEND_BASIC_AUTH\"\n }\n when ACCESS_ACL_ALLOWED {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX [HTTP::method] [HTTP::uri] [HTTP::header Content-Length]\"\n\n if { [ info exists f_rpc_over_http ] && $f_rpc_over_http == 1 } {\n if { $static::RPC_OVER_HTTP_BKEND_BASIC_AUTH == 0 } {\n if { [ info exists f_oa_magic_content_len ] && $f_oa_magic_content_len == 1 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Use this virtual $static::ACCESS_SECOND_VIRTUAL_NAME just once. Will be reset back after disconnection.\"\n use virtual $static::ACCESS_SECOND_VIRTUAL_NAME\n }\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Remove HTTP Auth header\"\n HTTP::header remove Authorization\n }\n }\n # MSFT Exchange's EWS request handler always requesting NTLM even the connection has been\n # already authenticated if there is a HTTP Basic Auth in the request.\n if { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n if { $static::EWS_BKEND_BASIC_AUTH == 0 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing HTTP Basic Authorization header\"\n HTTP::header remove Authorization\n }\n }\n }\n\n when HTTP_REQUEST {\n set http_path [ string tolower [HTTP::path] ]\n set f_clientless_mode 0\n set f_alt_inactivity_timeout 0\n set f_rpc_over_http 0\n set f_exchange_web_service 0\n set f_auto_discover 0\n set f_activesync 0\n set f_offline_address_book 0\n set f_availability_service 0\n\n # Here put appropriate pool when necessary.\n switch -glob $http_path {\n \"/rpc/rpcproxy.dll\" {\n # Supports for RPC over HTTP. (Outlook Anywhere)\n set f_rpc_over_http 1\n }\n \"/autodiscover/autodiscover.xml\" {\n # Supports for Auto Discover protocol.\n set f_auto_discover 1\n # This request does not require long inactivity timeout.\n # Don't use this for now\n set f_alt_inactivity_timeout 0\n }\n \"/microsoft-server-activesync\" {\n # Supports for ActiveSync\n set f_activesync 1\n }\n \"/oab/*\" {\n # Supports for Offline Address Book\n set f_offline_address_book 1\n }\n \"/ews/*\" {\n # Support for Exchange Web Service\n # Outlook's Availability Service borrows this protocol.\n set f_exchange_web_service 1\n }\n \"/as/*\" {\n # Support for Availability Service.\n # do nothing for now. (Untested)\n set f_availability_service 1\n }\n default {\n return\n }\n }\n\n set f_reqside_set_sess_id 0\n set http_method [HTTP::method]\n set http_hdr_host [HTTP::host]\n set http_hdr_uagent [HTTP::header User-Agent]\n set src_ip [IP::remote_addr]\n set http_uri [HTTP::uri]\n set http_content_len [HTTP::header Content-Length]\n set MRHSession_cookie [HTTP::cookie value MRHSession]\n set auth_info_b64enc \"\"\n\n if { ! [ info exists PROFILE_POLICY_TIMEOUT ] } {\n set PROFILE_POLICY_TIMEOUT [PROFILE::access access_policy_timeout]\n }\n if { ! [ info exists PROFILE_MAX_SESS_TIMEOUT ] } {\n set PROFILE_MAX_SESS_TIMEOUT [PROFILE::access max_session_timeout]\n }\n if { ! [ info exists PROFILE_RESTRICT_SINGLE_IP ] } {\n set PROFILE_RESTRICT_SINGLE_IP 1\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX method: $http_method\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Src IP: $src_ip\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX User-Agent: $http_hdr_uagent\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP uri: $http_uri\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP len: $http_content_len\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Restrict-to-single-client-ip: $PROFILE_RESTRICT_SINGLE_IP\"\n\n # First, do we have valid MRHSession cookie.\n if { $MRHSession_cookie != \"\" } {\n if { [ACCESS::session exists -state_allow -sid $MRHSession_cookie] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *VALID* MRHSession cookie: $MRHSession_cookie\"\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP *INVALID* MRHSession cookie: $MRHSession_cookie\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n set http_hdr_auth [HTTP::header Authorization]\n if { [ string match -nocase {basic *} $http_hdr_auth ] != 1 } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Not basic authentication. Ignore received auth header\"\n set http_hdr_auth \"\"\n }\n\n if { $http_hdr_auth == \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX No/Empty Auth header\"\n # clean up the cookie\n if { $MRHSession_cookie == \"\" } {\n HTTP::respond 401 content $static::actsync_401_http_body WWW-Authenticate \"Basic realm=\\\"[HTTP::header Host]\\\"\" Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection close\n return\n }\n # Do nothing if we have a valid MRHSession cookie.\n }\n\n set f_release_request 0\n # Optimization for clients which support cookie\n if { $MRHSession_cookie != \"\" } {\n # Default profile access setting is false\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n set f_release_request 1\n }\n elseif { [ IP::addr $src_ip equals [ ACCESS::session data get -sid $MRHSession_cookie \"session.user.clientip\" ] ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP matched\"\n set f_release_request 1\n }\n else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX source IP does not matched\"\n set MRHSession_cookie \"\"\n HTTP::cookie remove MRHSession\n }\n }\n\n if { $f_release_request == 0 } {\n set apm_username [ string tolower [HTTP::username]]\n set apm_password [HTTP::password]\n if { $PROFILE_RESTRICT_SINGLE_IP == 0 } {\n binary scan [md5 \"$apm_password\"] H* user_hash\n } else {\n binary scan [md5 \"$apm_password$src_ip\"] H* user_hash\n }\n\n set user_key {}\n append user_key $apm_username \".\" $user_hash\n unset user_hash\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX HTTP Hdr Auth: $http_hdr_auth\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX apm_username: $apm_username\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key = $user_key\"\n set apm_cookie_list [ ACCESS::user getsid $user_key ]\n if { [ llength $apm_cookie_list ] != 0 } {\n set apm_cookie [ ACCESS::user getkey [ lindex $apm_cookie_list 0 ] ]\n if { $apm_cookie != \"\" } {\n HTTP::cookie insert name MRHSession value $apm_cookie\n set f_release_request 1\n }\n }\n }\n\n if { $http_content_len == $static::OA_MAGIC_CONTENT_LEN } {\n set f_oa_magic_content_len 1\n }\n\n set f_sleep_here 0\n set retry 1\n\n while { $f_release_request == 0 && $retry <= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE } {\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Trying #$retry for $http_method $http_uri $http_content_len\"\n\n # This is also going to touch the table entry timer.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Reading $user_key from table $static::ACCESS_USERKEY_TBLNAME\"\n\n set apm_cookie [table lookup -subtable $static::ACCESS_USERKEY_TBLNAME -notouch $user_key]\n if { $apm_cookie != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Verifying table cookie = $apm_cookie\"\n\n # Accessing SessionDB is not that cheap. Here we are trying to check known value.\n if { $apm_cookie == \"policy_authfailed\" || $apm_cookie == \"policy_inprogress\"} {\n # Do nothing\n } elseif { ! [ ACCESS::session exists $apm_cookie ] } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX table cookie = $apm_cookie is out-of-sync\"\n # Table value is out of sync. Ignores it.\n set apm_cookie \"\"\n }\n }\n\n switch $apm_cookie {\n \"\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX NO APM Cookie found\"\n\n if { [ info exists f_oa_magic_content_len ] && $f_oa_magic_content_len == 1 } {\n # Outlook Anywhere request comes in pair. The one with 1G payload is not usable\n # for creating new session since 1G content-length is intended for client to upload\n # the data when needed.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for request with magic content-len\"\n set f_sleep_here 1\n } elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 && $http_content_len > $static::FIRST_BIG_POST_CONTENT_LEN } {\n # Here we are getting large EWS request, which can't be used for starting new session\n # in clientless-mode. Have it here waiting for next smaller one.\n # We are holding the request here in HTTP filter, and HTTP filter automatically\n # clamping down the TCP window when necessary.\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Start to wait $static::POLICY_RESULT_POLL_INTERVAL ms for big EWS request\"\n set f_sleep_here 1\n } else {\n set apm_cookie \"policy_inprogress\"\n set f_reqside_set_sess_id 1\n set f_release_request 1\n }\n }\n \"policy_authfailed\" {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Found $user_key with AUTH_FAILED\"\n HTTP::respond 401 content $static::actsync_401_http_body\n set f_release_request 1\n }\n \"policy_inprogress\" {\n if { [ info exists f_activesync ] && ($f_activesync == 1) } {\n # For ActiveSync requests, aggressively starts new session.\n set f_reqside_set_sess_id 1\n set f_release_request 1\n } else {\n set f_sleep_here 1\n }\n }\n default {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Using MRHSession = $apm_cookie\"\n HTTP::header insert Cookie \"MRHSession=$apm_cookie\"\n set f_release_request 1\n }\n }\n\n if { $f_reqside_set_sess_id == 1 } {\n set f_reqside_set_sess_id 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key=$apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT\"\n set f_clientless_mode 1\n HTTP::cookie remove MRHSession\n HTTP::header insert \"clientless-mode\" 1\n HTTP::header insert \"username\" $apm_username\n HTTP::header insert \"password\" $apm_password\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $apm_cookie $PROFILE_POLICY_TIMEOUT $PROFILE_MAX_SESS_TIMEOUT\n }\n\n if { $f_sleep_here == 1 } {\n set f_sleep_here 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Waiting $static::POLICY_RESULT_POLL_INTERVAL ms for $http_method $http_uri\"\n after $static::POLICY_RESULT_POLL_INTERVAL\n }\n\n incr retry\n }\n\n if { $f_release_request == 0 && $retry >= $static::POLICY_RESULT_POLL_MAXRETRYCYCLE } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Policy did not finish in [expr { $static::POLICY_RESULT_POLL_MAXRETRYCYCLE * $static::POLICY_RESULT_POLL_INTERVAL } ] ms. Close connection for $http_method $http_uri\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n ACCESS::disable\n TCP::close\n return\n }\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Releasing request $http_method $http_uri\"\n }\n\n when ACCESS_SESSION_STARTED {\n if { [ info exists user_key ] } {\n ACCESS::session data set \"session.user.uuid\" $user_key\n ACCESS::session data set \"session.user.microsoft-exchange-client\" 1\n\n if { [ info exists f_activesync ] && $f_activesync == 1 } {\n ACCESS::session data set \"session.user.microsoft-activesync\" 1\n }\n elseif { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n ACCESS::session data set \"session.user.microsoft-autodiscover\" 1\n }\n elseif { [ info exists f_availability_service ] && $f_availability_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-availabilityservice\" 1\n }\n elseif { [ info exists f_rpc_over_http ] && $f_rpc_over_http == 1 } {\n ACCESS::session data set \"session.user.microsoft-rpcoverhttp\" 1\n }\n elseif { [ info exists f_offline_address_book ] && $f_offline_address_book == 1 } {\n ACCESS::session data set \"session.user.microsoft-offlineaddressbook\" 1\n }\n elseif { [ info exists f_exchange_web_service ] && $f_exchange_web_service == 1 } {\n ACCESS::session data set \"session.user.microsoft-exchangewebservice\" 1\n }\n }\n if { [ info exists f_alt_inactivity_timeout ] && $f_alt_inactivity_timeout == 1 } {\n ACCESS::session data set \"session.inactivity_timeout\" $static::POLICY_ALT_INACTIVITY_TIMEOUT\n }\n }\n\n when HTTP_RESPONSE {\n if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n set content_len [ HTTP::header Content-Length ]\n if { $content_len > 0 } {\n HTTP::collect $content_len\n }\n }\n }\n when HTTP_RESPONSE_DATA {\n if { [ info exists f_auto_discover ] && $f_auto_discover == 1 } {\n if { [ regsub -line {Ntlm} [ HTTP::payload ] {Basic} payload ] != 0 } {\n HTTP::payload replace 0 $content_len $payload\n }\n }\n }\n when ACCESS_POLICY_COMPLETED {\n if { ! [ info exists user_key ] } {\n return\n }\n\n set user_key_value \"\"\n set f_delete_session 0\n set policy_result [ACCESS::policy result]\n set sid [ ACCESS::session sid ]\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX ACCESS_POLICY_COMPLETED: policy_result = \\\"$policy_result\\\" user_key = \\\"$user_key\\\" sid = \\\"$sid\\\"\"\n\n set inactivity_timeout [ACCESS::session data get \"session.inactivity_timeout\"]\n set max_sess_timeout [ACCESS::session data get \"session.max_session_timeout\"]\n if { $max_sess_timeout == \"\" } {\n set max_sess_timeout $PROFILE_MAX_SESS_TIMEOUT\n }\n\n switch $policy_result {\n \"allow\" {\n # We depends on this table record self-cleanup capability in order to\n # indirectly sync with session DB.\n set user_key_value $sid\n\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Result: Allow: $user_key => $sid $inactivity_timeout $max_sess_timeout\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX user_key_value = $user_key_value\"\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX sid = $sid\"\n }\n \"deny\" {\n # When necessary the admin here can check appropriate session variable\n # and decide what response more appropriate then this default response.\n ACCESS::respond 401 content $static::actsync_401_http_body Set-Cookie $static::ACCESS_DEL_COOKIE_HDR_VAL Connection close\n if { $static::POLICY_RESULT_CACHE_AUTHFAILED == 1 } {\n set user_key_value $static::POLICY_AUTHFAILED\n } else {\n set f_delete_session 1\n }\n }\n default {\n ACCESS::respond 503 content $static::actsync_503_http_body Connection close\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Got unsupported policy result for $user_key ($sid)\"\n set f_delete_session 1\n }\n }\n if { $user_key_value != \"\" } {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Setting $user_key => $user_key_value $inactivity_timeout $max_sess_timeout in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table set -subtable $static::ACCESS_USERKEY_TBLNAME $user_key $user_key_value $inactivity_timeout $max_sess_timeout\n } else {\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Deleting $user_key in table $static::ACCESS_USERKEY_TBLNAME\"\n\n table delete -subtable $static::ACCESS_USERKEY_TBLNAME $user_key\n }\n\n if { $f_delete_session == 1 } {\n ACCESS::session remove\n set f_delete_session 0\n log -noname accesscontrol.local1.debug \"$static::ACCESS_LOG_PREFIX Removing the session for $user_key.\"\n }\n }\ndefinition-signature feX9LM+vB6YOEdVF+EA1JtNyVkPaB7gwdW0JzaB083MXl4yPP2nZnjm+WAx3YQhsmLttq5UkPl1zHpr5H9cwJX1bu9BNMi/+n0bIqWOipDHhhSYQ+TH+a5jQUSeftISr52BSQxh0cQKZkzM3rFU/qRZn9D9Dbf0kDGiDC1KWwVosrdjp5tVHOiQXWx8zybbGPFfgBcIBE6IvOvGbh5ohebVL2ADZm0URRj2NM4ZvZ2T3C14k2rHGXnDdRsvhmf5USZ+FH1hoKtWRxqtFjkWIaqw8leenXeot1j2bdKy92/AVTC9oZj1HJN1ePuQo5v414zlUhMEtkVy/gaxvj1+vPQ==", "apiRawValues": { "verificationStatus": "signature-verified" } diff --git a/test/units/modules/network/f5/test_bigip_configsync_action.py b/test/units/modules/network/f5/test_bigip_configsync_action.py index 03fb3cb61ec..7d2997c038a 100644 --- a/test/units/modules/network/f5/test_bigip_configsync_action.py +++ b/test/units/modules/network/f5/test_bigip_configsync_action.py @@ -101,7 +101,7 @@ class TestManager(unittest.TestCase): set_module_args(dict( sync_device_to_group='yes', device_group="foo", - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_device_group.py b/test/units/modules/network/f5/test_bigip_device_group.py index 789327c22fb..498576421a7 100644 --- a/test/units/modules/network/f5/test_bigip_device_group.py +++ b/test/units/modules/network/f5/test_bigip_device_group.py @@ -171,6 +171,7 @@ class TestModuleManager(unittest.TestCase): # Override methods to force specific logic in the module to happen mm.exists = Mock(side_effect=[True, False]) mm.remove_from_device = Mock(return_value=True) + mm.remove_members_in_group_from_device = Mock(return_value=True) results = mm.exec_module() assert results['changed'] is True diff --git a/test/units/modules/network/f5/test_bigip_gtm_facts.py b/test/units/modules/network/f5/test_bigip_gtm_facts.py index 6e7a4015a9d..25edd8da55f 100644 --- a/test/units/modules/network/f5/test_bigip_gtm_facts.py +++ b/test/units/modules/network/f5/test_bigip_gtm_facts.py @@ -115,7 +115,7 @@ class TestManager(unittest.TestCase): def test_get_typed_pool_facts(self, *args): set_module_args(dict( include='pool', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_gtm_pool.py b/test/units/modules/network/f5/test_bigip_gtm_pool.py index 6ba12231430..198965e06a5 100644 --- a/test/units/modules/network/f5/test_bigip_gtm_pool.py +++ b/test/units/modules/network/f5/test_bigip_gtm_pool.py @@ -130,7 +130,7 @@ class TestUntypedManager(unittest.TestCase): set_module_args(dict( name='foo', preferred_lb_method='round-robin', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -162,7 +162,7 @@ class TestUntypedManager(unittest.TestCase): preferred_lb_method='topology', alternate_lb_method='drop-packet', fallback_lb_method='cpu', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -197,7 +197,7 @@ class TestUntypedManager(unittest.TestCase): set_module_args(dict( name='foo', state='absent', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -233,7 +233,7 @@ class TestTypedManager(unittest.TestCase): name='foo', preferred_lb_method='round-robin', type='a', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -266,7 +266,7 @@ class TestTypedManager(unittest.TestCase): alternate_lb_method='drop-packet', fallback_lb_method='cpu', type='a', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -302,7 +302,7 @@ class TestTypedManager(unittest.TestCase): name='foo', type='a', state='absent', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_gtm_wide_ip.py b/test/units/modules/network/f5/test_bigip_gtm_wide_ip.py index 1f80910f007..9bd1cb99502 100644 --- a/test/units/modules/network/f5/test_bigip_gtm_wide_ip.py +++ b/test/units/modules/network/f5/test_bigip_gtm_wide_ip.py @@ -126,7 +126,7 @@ class TestUntypedManager(unittest.TestCase): set_module_args(dict( name='foo.baz.bar', lb_method='round-robin', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -164,7 +164,7 @@ class TestTypedManager(unittest.TestCase): name='foo.baz.bar', lb_method='round-robin', type='a', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -196,7 +196,7 @@ class TestTypedManager(unittest.TestCase): name='foo.baz.bar', lb_method='round_robin', type='a', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -228,7 +228,7 @@ class TestTypedManager(unittest.TestCase): name='foo.baz.bar', lb_method='global_availability', type='a', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -266,7 +266,7 @@ class TestTypedManager(unittest.TestCase): ratio=10 ) ], - password='passsword', + password='password', server='localhost', user='admin' )) @@ -304,7 +304,7 @@ class TestTypedManager(unittest.TestCase): ratio=10 ) ], - password='passsword', + password='password', server='localhost', user='admin' )) @@ -344,7 +344,7 @@ class TestTypedManager(unittest.TestCase): ratio=100 ) ], - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_hostname.py b/test/units/modules/network/f5/test_bigip_hostname.py index 1e5c3559960..43c66683542 100644 --- a/test/units/modules/network/f5/test_bigip_hostname.py +++ b/test/units/modules/network/f5/test_bigip_hostname.py @@ -78,7 +78,7 @@ class TestManager(unittest.TestCase): def test_update_hostname(self, *args): set_module_args(dict( hostname='foo2.internal.com', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_iapp_service.py b/test/units/modules/network/f5/test_bigip_iapp_service.py index a7ac029eaf7..b34cdbb9ddb 100644 --- a/test/units/modules/network/f5/test_bigip_iapp_service.py +++ b/test/units/modules/network/f5/test_bigip_iapp_service.py @@ -21,6 +21,8 @@ from ansible.module_utils.basic import AnsibleModule try: from library.modules.bigip_iapp_service import Parameters + from library.modules.bigip_iapp_service import ApiParameters + from library.modules.bigip_iapp_service import ModuleParameters from library.modules.bigip_iapp_service import ModuleManager from library.modules.bigip_iapp_service import ArgumentSpec from library.module_utils.network.f5.common import F5ModuleError @@ -29,6 +31,8 @@ try: except ImportError: try: from ansible.modules.network.f5.bigip_iapp_service import Parameters + from ansible.modules.network.f5.bigip_iapp_service import ApiParameters + from ansible.modules.network.f5.bigip_iapp_service import ModuleParameters from ansible.modules.network.f5.bigip_iapp_service import ModuleManager from ansible.modules.network.f5.bigip_iapp_service import ArgumentSpec from ansible.module_utils.network.f5.common import F5ModuleError @@ -63,13 +67,13 @@ class TestParameters(unittest.TestCase): def test_module_parameters_keys(self): args = load_fixture('create_iapp_service_parameters_f5_http.json') - p = Parameters(params=args) + p = ModuleParameters(params=args) # Assert the top-level keys assert p.name == 'http_example' assert p.partition == 'Common' assert p.template == '/Common/f5.http' - assert p.deviceGroup == 'none' + assert p.device_group is None assert p.inheritedTrafficGroup == 'true' assert p.inheritedDevicegroup == 'true' assert p.traffic_group == '/Common/traffic-group-local-only' @@ -119,7 +123,7 @@ class TestParameters(unittest.TestCase): def test_module_parameters_variables(self): args = load_fixture('create_iapp_service_parameters_f5_http.json') - p = Parameters(params=args) + p = ModuleParameters(params=args) assert 'variables' in p._values assert len(p.variables) == 34 @@ -142,13 +146,13 @@ class TestParameters(unittest.TestCase): args = dict( strict_updates=True ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.strict_updates == 'enabled' args = dict( strict_updates=False ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.strict_updates == 'disabled' def test_module_strict_updates_override_from_top_level(self): @@ -158,7 +162,7 @@ class TestParameters(unittest.TestCase): strictUpdates='disabled' ) ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.strict_updates == 'enabled' args = dict( @@ -167,7 +171,7 @@ class TestParameters(unittest.TestCase): strictUpdates='enabled' ) ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.strict_updates == 'disabled' def test_module_strict_updates_only_parameters(self): @@ -176,7 +180,7 @@ class TestParameters(unittest.TestCase): strictUpdates='disabled' ) ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.strict_updates == 'disabled' args = dict( @@ -184,7 +188,7 @@ class TestParameters(unittest.TestCase): strictUpdates='enabled' ) ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.strict_updates == 'enabled' def test_api_strict_updates_from_top_level(self): @@ -242,7 +246,7 @@ class TestParameters(unittest.TestCase): } ] ) - p = Parameters(params=args) + p = ApiParameters(params=args) assert p.tables[0]['name'] == 'pool__members' assert p.tables[0]['columnNames'] == ['addr', 'port', 'connection_limit'] assert len(p.tables[0]['rows']) == 2 @@ -255,8 +259,8 @@ class TestParameters(unittest.TestCase): args = dict( deviceGroup='none' ) - p = Parameters(params=args) - assert p.deviceGroup == 'none' + p = ApiParameters(params=args) + assert p.device_group is None def test_api_parameters_inherited_traffic_group(self): args = dict( @@ -284,7 +288,7 @@ class TestParameters(unittest.TestCase): template='foo', partition='bar' ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.template == '/bar/foo' def test_module_template_same_partition_full_path(self): @@ -292,7 +296,7 @@ class TestParameters(unittest.TestCase): template='/bar/foo', partition='bar' ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.template == '/bar/foo' def test_module_template_different_partition_full_path(self): @@ -300,7 +304,7 @@ class TestParameters(unittest.TestCase): template='/Common/foo', partition='bar' ) - p = Parameters(params=args) + p = ModuleParameters(params=args) assert p.template == '/Common/foo' @@ -316,7 +320,7 @@ class TestManager(unittest.TestCase): template='f5.http', parameters=parameters, state='present', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -330,6 +334,7 @@ class TestManager(unittest.TestCase): # Override methods to force specific logic in the module to happen mm.exists = Mock(return_value=False) mm.create_on_device = Mock(return_value=True) + mm.template_exists = Mock(return_value=True) results = mm.exec_module() assert results['changed'] is True @@ -341,7 +346,7 @@ class TestManager(unittest.TestCase): template='f5.http', parameters=parameters, state='present', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_iapp_template.py b/test/units/modules/network/f5/test_bigip_iapp_template.py index 1031283111f..426f0a13728 100644 --- a/test/units/modules/network/f5/test_bigip_iapp_template.py +++ b/test/units/modules/network/f5/test_bigip_iapp_template.py @@ -68,6 +68,26 @@ class TestParameters(unittest.TestCase): p = Parameters(params=args) assert p.name == 'foo.iapp' + def test_module_parameters_custom_name(self): + iapp = load_fixture('create_iapp_template.iapp') + args = dict( + content=iapp, + name='foobar' + ) + p = Parameters(params=args) + assert p.name == 'foobar' + assert 'sys application template /Common/foobar' in p.content + + def test_module_parameters_custom_partition(self): + iapp = load_fixture('create_iapp_template.iapp') + args = dict( + content=iapp, + partition='foobar' + ) + p = Parameters(params=args) + assert p.name == 'foo.iapp' + assert 'sys application template /foobar/foo.iapp' in p.content + class TestManager(unittest.TestCase): @@ -78,7 +98,7 @@ class TestManager(unittest.TestCase): # Configure the arguments that would be sent to the Ansible module set_module_args(dict( content=load_fixture('basic-iapp.tmpl'), - password='passsword', + password='password', server='localhost', user='admin' )) @@ -101,7 +121,7 @@ class TestManager(unittest.TestCase): # Configure the arguments that would be sent to the Ansible module set_module_args(dict( content=load_fixture('basic-iapp.tmpl'), - password='passsword', + password='password', server='localhost', user='admin' )) @@ -130,7 +150,7 @@ class TestManager(unittest.TestCase): def test_delete_iapp_template(self, *args): set_module_args(dict( content=load_fixture('basic-iapp.tmpl'), - password='passsword', + password='password', server='localhost', user='admin', state='absent' @@ -153,7 +173,7 @@ class TestManager(unittest.TestCase): def test_delete_iapp_template_idempotent(self, *args): set_module_args(dict( content=load_fixture('basic-iapp.tmpl'), - password='passsword', + password='password', server='localhost', user='admin', state='absent' diff --git a/test/units/modules/network/f5/test_bigip_node.py b/test/units/modules/network/f5/test_bigip_node.py index 3793e52825a..181b7f2ecaf 100644 --- a/test/units/modules/network/f5/test_bigip_node.py +++ b/test/units/modules/network/f5/test_bigip_node.py @@ -95,7 +95,7 @@ class TestManager(unittest.TestCase): ], partition='Common', state='present', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -123,7 +123,7 @@ class TestManager(unittest.TestCase): ], partition='Common', state='present', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -153,7 +153,7 @@ class TestManager(unittest.TestCase): ], partition='Common', state='present', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -182,7 +182,7 @@ class TestManager(unittest.TestCase): ], partition='Common', state='present', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -214,7 +214,7 @@ class TestManager(unittest.TestCase): ], partition='Common', state='present', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_profile_dns.py b/test/units/modules/network/f5/test_bigip_profile_dns.py index 21b9e16c0a3..ef482b9d1a3 100644 --- a/test/units/modules/network/f5/test_bigip_profile_dns.py +++ b/test/units/modules/network/f5/test_bigip_profile_dns.py @@ -136,10 +136,10 @@ class TestManager(unittest.TestCase): results = mm.exec_module() assert results['changed'] is True - assert results['enable_dns_express'] is True - assert results['enable_zone_transfer'] is True - assert results['enable_dnssec'] is True - assert results['enable_gtm'] is True - assert results['process_recursion_desired'] is True - assert results['use_local_bind'] is True - assert results['enable_dns_firewall'] is True + assert results['enable_dns_express'] == 'yes' + assert results['enable_zone_transfer'] == 'yes' + assert results['enable_dnssec'] == 'yes' + assert results['enable_gtm'] == 'yes' + assert results['process_recursion_desired'] == 'yes' + assert results['use_local_bind'] == 'yes' + assert results['enable_dns_firewall'] == 'yes' diff --git a/test/units/modules/network/f5/test_bigip_provision.py b/test/units/modules/network/f5/test_bigip_provision.py index e7932395a85..e8d81d85157 100644 --- a/test/units/modules/network/f5/test_bigip_provision.py +++ b/test/units/modules/network/f5/test_bigip_provision.py @@ -85,7 +85,7 @@ class TestManager(unittest.TestCase): # Configure the arguments that would be sent to the Ansible module set_module_args(dict( module='gtm', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -130,7 +130,7 @@ class TestManager(unittest.TestCase): # Configure the arguments that would be sent to the Ansible module set_module_args(dict( module=module, - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_selfip.py b/test/units/modules/network/f5/test_bigip_selfip.py index 651fa13e3be..8f4f76e0d8e 100644 --- a/test/units/modules/network/f5/test_bigip_selfip.py +++ b/test/units/modules/network/f5/test_bigip_selfip.py @@ -143,7 +143,7 @@ class TestManager(unittest.TestCase): state='present', traffic_group='traffic-group-local-only', vlan='net1', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -177,7 +177,7 @@ class TestManager(unittest.TestCase): state='present', traffic_group='traffic-group-local-only', vlan='net1', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_service_policy.py b/test/units/modules/network/f5/test_bigip_service_policy.py index 25c08963601..07031709b04 100644 --- a/test/units/modules/network/f5/test_bigip_service_policy.py +++ b/test/units/modules/network/f5/test_bigip_service_policy.py @@ -106,7 +106,7 @@ class TestManager(unittest.TestCase): port_misuse_policy='misuse1', partition='Common', state='present', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_snat_pool.py b/test/units/modules/network/f5/test_bigip_snat_pool.py index c2540727811..04518b122eb 100644 --- a/test/units/modules/network/f5/test_bigip_snat_pool.py +++ b/test/units/modules/network/f5/test_bigip_snat_pool.py @@ -94,7 +94,7 @@ class TestManager(unittest.TestCase): name='my-snat-pool', state='present', members=['10.10.10.10', '20.20.20.20'], - password='passsword', + password='password', server='localhost', user='admin' )) @@ -121,7 +121,7 @@ class TestManager(unittest.TestCase): name='asdasd', state='present', members=['1.1.1.1', '2.2.2.2'], - password='passsword', + password='password', server='localhost', user='admin' )) @@ -147,7 +147,7 @@ class TestManager(unittest.TestCase): name='asdasd', state='present', members=['30.30.30.30'], - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_snmp.py b/test/units/modules/network/f5/test_bigip_snmp.py index 16277c379df..e2fab881791 100644 --- a/test/units/modules/network/f5/test_bigip_snmp.py +++ b/test/units/modules/network/f5/test_bigip_snmp.py @@ -129,7 +129,7 @@ class TestManager(unittest.TestCase): def test_update_agent_status_traps(self, *args): set_module_args(dict( agent_status_traps='enabled', - password='passsword', + password='password', server='localhost', user='admin' )) @@ -165,7 +165,7 @@ class TestManager(unittest.TestCase): 'foo', 'baz.foo.com' ], - password='passsword', + password='password', server='localhost', user='admin' )) @@ -201,7 +201,7 @@ class TestManager(unittest.TestCase): allowed_addresses=[ 'default' ], - password='passsword', + password='password', server='localhost', user='admin' )) @@ -233,7 +233,7 @@ class TestManager(unittest.TestCase): def test_update_allowed_addresses_empty(self, *args): set_module_args(dict( allowed_addresses=[''], - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_software_update.py b/test/units/modules/network/f5/test_bigip_software_update.py index d86ced6c5c3..7820dc73aa9 100644 --- a/test/units/modules/network/f5/test_bigip_software_update.py +++ b/test/units/modules/network/f5/test_bigip_software_update.py @@ -91,7 +91,7 @@ class TestManager(unittest.TestCase): set_module_args(dict( auto_check='no', auto_phone_home='no', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_ucs_fetch.py b/test/units/modules/network/f5/test_bigip_ucs_fetch.py index 4de4b8f3a75..f4bdef7601a 100644 --- a/test/units/modules/network/f5/test_bigip_ucs_fetch.py +++ b/test/units/modules/network/f5/test_bigip_ucs_fetch.py @@ -94,7 +94,7 @@ class TestV1Manager(unittest.TestCase): force='yes', fail_on_missing='no', src='remote.ucs', - password='passsword', + password='password', server='localhost', user='admin' )) diff --git a/test/units/modules/network/f5/test_bigip_wait.py b/test/units/modules/network/f5/test_bigip_wait.py index cceb108f02f..cebb7e60fba 100644 --- a/test/units/modules/network/f5/test_bigip_wait.py +++ b/test/units/modules/network/f5/test_bigip_wait.py @@ -101,7 +101,7 @@ class TestManager(unittest.TestCase): def test_wait_already_available(self, *args): set_module_args(dict( - password='passsword', + password='password', server='localhost', user='admin' ))