diff --git a/lib/ansible/modules/network/nxos/nxos_ntp_auth.py b/lib/ansible/modules/network/nxos/nxos_ntp_auth.py new file mode 100644 index 00000000000..2cd6b7ded3b --- /dev/null +++ b/lib/ansible/modules/network/nxos/nxos_ntp_auth.py @@ -0,0 +1,566 @@ +#!/usr/bin/python +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +DOCUMENTATION = ''' +--- + +module: nxos_ntp_auth +version_added: "2.2" +short_description: Manages NTP authentication. +description: + - Manages NTP authentication. +extends_documentation_fragment: nxos +author: + - Jason Edelman (@jedelman8) +notes: + - If C(state=absent), the moudle will attempt to remove the given key configuration. + If a matching key configuration isn't found on the device, the module will fail. + - If C(state=absent) and C(authentication=on), authentication will be turned off. + - If C(state=absent) and C(authentication=off), authentication will be turned on. +options: + key_id: + description: + - Authentication key identifier (numeric). + required: true + md5string: + description: + - MD5 String. + required: true + default: null + auth_type: + description: + - Whether the given md5string is in cleartext or + has been encrypted. If in cleartext, the device + will encrypt it before storing it. + required: false + default: text + choices: ['text', 'encrypt'] + trusted_key: + description: + - Whether the given key is required to be supplied by a time source + for the device to synchronize to the time source. + required: false + default: false + choices: ['true', 'false'] + authentication: + description: + - Turns NTP authenication on or off. + required: false + default: null + choices: ['on', 'off'] + state: + description: + - Manage the state of the resource. + required: false + default: present + choices: ['present','absent'] +''' + +EXAMPLES = ''' +# Basic NTP authentication configuration +- nxos_ntp_auth: + key_id=32 + md5string=hello + auth_type=text + host={{ inventory_hostname }} + username={{ un }} + password={{ pwd }} +''' + +RETURN = ''' +proposed: + description: k/v pairs of parameters passed into module + returned: always + type: dict + sample: {"auth_type": "text", "authentication": "off", + "key_id": "32", "md5string": "helloWorld", + "trusted_key": "true"} +existing: + description: + - k/v pairs of existing ntp authentication + type: dict + sample: {"authentication": "off", "trusted_key": "false"} +end_state: + description: k/v pairs of ntp autherntication after module execution + returned: always + type: dict + sample: {"authentication": "off", "key_id": "32", + "md5string": "kapqgWjwdg", "trusted_key": "true"} +state: + description: state as sent in from the playbook + returned: always + type: string + sample: "present" +updates: + description: command sent to the device + returned: always + type: list + sample: ["ntp authentication-key 32 md5 helloWorld 0", "ntp trusted-key 32"] +changed: + description: check to see if a change was made on the device + returned: always + type: boolean + sample: true +''' + + +import json + +# COMMON CODE FOR MIGRATION +import re + +from ansible.module_utils.basic import get_exception +from ansible.module_utils.netcfg import NetworkConfig, ConfigLine +from ansible.module_utils.shell import ShellError + +try: + from ansible.module_utils.nxos import get_module +except ImportError: + from ansible.module_utils.nxos import NetworkModule + + +def to_list(val): + if isinstance(val, (list, tuple)): + return list(val) + elif val is not None: + return [val] + else: + return list() + + +class CustomNetworkConfig(NetworkConfig): + + def expand_section(self, configobj, S=None): + if S is None: + S = list() + S.append(configobj) + for child in configobj.children: + if child in S: + continue + self.expand_section(child, S) + return S + + def get_object(self, path): + for item in self.items: + if item.text == path[-1]: + parents = [p.text for p in item.parents] + if parents == path[:-1]: + return item + + def to_block(self, section): + return '\n'.join([item.raw for item in section]) + + def get_section(self, path): + try: + section = self.get_section_objects(path) + return self.to_block(section) + except ValueError: + return list() + + def get_section_objects(self, path): + if not isinstance(path, list): + path = [path] + obj = self.get_object(path) + if not obj: + raise ValueError('path does not exist in config') + return self.expand_section(obj) + + + def add(self, lines, parents=None): + """Adds one or lines of configuration + """ + + ancestors = list() + offset = 0 + obj = None + + ## global config command + if not parents: + for line in to_list(lines): + item = ConfigLine(line) + item.raw = line + if item not in self.items: + self.items.append(item) + + else: + for index, p in enumerate(parents): + try: + i = index + 1 + obj = self.get_section_objects(parents[:i])[0] + ancestors.append(obj) + + except ValueError: + # add parent to config + offset = index * self.indent + obj = ConfigLine(p) + obj.raw = p.rjust(len(p) + offset) + if ancestors: + obj.parents = list(ancestors) + ancestors[-1].children.append(obj) + self.items.append(obj) + ancestors.append(obj) + + # add child objects + for line in to_list(lines): + # check if child already exists + for child in ancestors[-1].children: + if child.text == line: + break + else: + offset = len(parents) * self.indent + item = ConfigLine(line) + item.raw = line.rjust(len(line) + offset) + item.parents = ancestors + ancestors[-1].children.append(item) + self.items.append(item) + + +def get_network_module(**kwargs): + try: + return get_module(**kwargs) + except NameError: + return NetworkModule(**kwargs) + +def get_config(module, include_defaults=False): + config = module.params['config'] + if not config: + try: + config = module.get_config() + except AttributeError: + defaults = module.params['include_defaults'] + config = module.config.get_config(include_defaults=defaults) + return CustomNetworkConfig(indent=2, contents=config) + +def load_config(module, candidate): + config = get_config(module) + + commands = candidate.difference(config) + commands = [str(c).strip() for c in commands] + + save_config = module.params['save'] + + result = dict(changed=False) + + if commands: + if not module.check_mode: + try: + module.configure(commands) + except AttributeError: + module.config(commands) + + if save_config: + try: + module.config.save_config() + except AttributeError: + module.execute(['copy running-config startup-config']) + + result['changed'] = True + result['updates'] = commands + + return result +# END OF COMMON CODE + + +def execute_config_command(commands, module): + try: + module.configure(commands) + except ShellError: + clie = get_exception() + module.fail_json(msg='Error sending CLI commands', + error=str(clie), commands=commands) + except AttributeError: + try: + commands.insert(0, 'configure') + module.cli.add_commands(commands, output='config') + module.cli.run_commands() + except ShellError: + clie = get_exception() + module.fail_json(msg='Error sending CLI commands', + error=str(clie), commands=commands) + + +def get_cli_body_ssh(command, response, module): + """Get response for when transport=cli. This is kind of a hack and mainly + needed because these modules were originally written for NX-API. And + not every command supports "| json" when using cli/ssh. As such, we assume + if | json returns an XML string, it is a valid command, but that the + resource doesn't exist yet. Instead, the output will be a raw string + when issuing commands containing 'show run'. + """ + if 'xml' in response[0]: + body = [] + elif 'show run' in command: + body = response + else: + try: + if isinstance(response[0], str): + body = [json.loads(response[0])] + else: + body = response + except ValueError: + module.fail_json(msg='Command does not support JSON output', + command=command) + return body + + +def execute_show(cmds, module, command_type=None): + command_type_map = { + 'cli_show': 'json', + 'cli_show_ascii': 'text' + } + + try: + if command_type: + response = module.execute(cmds, command_type=command_type) + else: + response = module.execute(cmds) + except ShellError: + clie = get_exception() + module.fail_json(msg='Error sending {0}'.format(cmds), + error=str(clie)) + except AttributeError: + try: + if command_type: + command_type = command_type_map.get(command_type) + module.cli.add_commands(cmds, output=command_type) + response = module.cli.run_commands() + else: + module.cli.add_commands(cmds) + response = module.cli.run_commands() + except ShellError: + clie = get_exception() + module.fail_json(msg='Error sending {0}'.format(cmds), + error=str(clie)) + return response + + +def execute_show_command(command, module, command_type='cli_show'): + if module.params['transport'] == 'cli': + if 'show run' not in command: + command += ' | json' + cmds = [command] + response = execute_show(cmds, module) + body = get_cli_body_ssh(command, response, module) + elif module.params['transport'] == 'nxapi': + cmds = [command] + body = execute_show(cmds, module, command_type=command_type) + + return body + + +def flatten_list(command_lists): + flat_command_list = [] + for command in command_lists: + if isinstance(command, list): + flat_command_list.extend(command) + else: + flat_command_list.append(command) + return flat_command_list + + +def get_ntp_auth(module): + command = 'show ntp authentication-status' + + body = execute_show_command(command, module)[0] + ntp_auth_str = body['authentication'] + + if 'enabled' in ntp_auth_str: + ntp_auth = True + else: + ntp_auth = False + + return ntp_auth + + +def get_ntp_trusted_key(module): + trusted_key_list = [] + command = 'show run | inc ntp.trusted-key' + + trusted_key_str = execute_show_command( + command, module, command_type='cli_show_ascii')[0] + if trusted_key_str: + trusted_keys = trusted_key_str.splitlines() + + else: + trusted_keys = [] + + for line in trusted_keys: + if line: + trusted_key_list.append(str(line.split()[2])) + + return trusted_key_list + + +def get_ntp_auth_key(key_id, module): + authentication_key = {} + command = 'show run | inc ntp.authentication-key.{0}'.format(key_id) + auth_regex = (".*ntp\sauthentication-key\s(?P\d+)\s" + "md5\s(?P\S+).*") + + body = execute_show_command(command, module, command_type='cli_show_ascii') + + try: + match_authentication = re.match(auth_regex, body[0], re.DOTALL) + group_authentication = match_authentication.groupdict() + key_id = group_authentication["key_id"] + md5string = group_authentication['md5string'] + authentication_key['key_id'] = key_id + authentication_key['md5string'] = md5string + except (AttributeError, TypeError): + authentication_key = {} + + return authentication_key + + +def get_ntp_auth_info(key_id, module): + auth_info = get_ntp_auth_key(key_id, module) + trusted_key_list = get_ntp_trusted_key(module) + auth_power = get_ntp_auth(module) + + if key_id in trusted_key_list: + auth_info['trusted_key'] = 'true' + else: + auth_info['trusted_key'] = 'false' + + if auth_power: + auth_info['authentication'] = 'on' + else: + auth_info['authentication'] = 'off' + + return auth_info + + +def auth_type_to_num(auth_type): + return '7' if auth_type == 'encrypt' else '0' + + +def set_ntp_auth_key(key_id, md5string, auth_type, trusted_key, authentication): + ntp_auth_cmds = [] + auth_type_num = auth_type_to_num(auth_type) + ntp_auth_cmds.append( + 'ntp authentication-key {0} md5 {1} {2}'.format( + key_id, md5string, auth_type_num)) + + if trusted_key == 'true': + ntp_auth_cmds.append( + 'ntp trusted-key {0}'.format(key_id)) + elif trusted_key == 'false': + ntp_auth_cmds.append( + 'no ntp trusted-key {0}'.format(key_id)) + + if authentication == 'on': + ntp_auth_cmds.append( + 'ntp authenticate') + elif authentication == 'off': + ntp_auth_cmds.append( + 'no ntp authenticate') + + return ntp_auth_cmds + + +def remove_ntp_auth_key(key_id, md5string, auth_type, trusted_key, authentication): + auth_remove_cmds = [] + auth_type_num = auth_type_to_num(auth_type) + auth_remove_cmds.append( + 'no ntp authentication-key {0} md5 {1} {2}'.format( + key_id, md5string, auth_type_num)) + + if authentication == 'on': + auth_remove_cmds.append( + 'no ntp authenticate') + elif authentication == 'off': + auth_remove_cmds.append( + 'ntp authenticate') + + return auth_remove_cmds + + +def main(): + argument_spec = dict( + key_id=dict(required=True, type='str'), + md5string=dict(required=True, type='str'), + auth_type=dict(choices=['text', 'encrypt'], default='text'), + trusted_key=dict(choices=['true', 'false'], default='false'), + authentication=dict(choices=['on', 'off']), + state=dict(choices=['absent', 'present'], default='present'), + ) + module = get_network_module(argument_spec=argument_spec, + supports_check_mode=True) + + key_id = module.params['key_id'] + md5string = module.params['md5string'] + auth_type = module.params['auth_type'] + trusted_key = module.params['trusted_key'] + authentication = module.params['authentication'] + state = module.params['state'] + + args = dict(key_id=key_id, md5string=md5string, + auth_type=auth_type, trusted_key=trusted_key, + authentication=authentication) + + changed = False + proposed = dict((k, v) for k, v in args.iteritems() if v is not None) + + existing = get_ntp_auth_info(key_id, module) + end_state = existing + + delta = dict(set(proposed.iteritems()).difference(existing.iteritems())) + + commands = [] + if state == 'present': + if delta: + command = set_ntp_auth_key( + key_id, md5string, auth_type, trusted_key, delta.get('authentication')) + if command: + commands.append(command) + elif state == 'absent': + if existing: + auth_toggle = None + if authentication == existing.get('authentication'): + auth_toggle = authentication + command = remove_ntp_auth_key( + key_id, md5string, auth_type, trusted_key, auth_toggle) + if command: + commands.append(command) + + cmds = flatten_list(commands) + if cmds: + if module.check_mode: + module.exit_json(changed=True, commands=cmds) + else: + try: + execute_config_command(cmds, module) + except ShellError: + clie = get_exception() + module.fail_json(msg=str(clie) + ": " + cmds) + end_state = get_ntp_auth_info(key_id, module) + delta = dict(set(end_state.iteritems()).difference(existing.iteritems())) + if delta or (len(existing) != len(end_state)): + changed = True + + results = {} + results['proposed'] = proposed + results['existing'] = existing + results['updates'] = cmds + results['changed'] = changed + results['end_state'] = end_state + + module.exit_json(**results) + +if __name__ == '__main__': + main() \ No newline at end of file