new module: na_ontap_vserver_cifs_security (#59817)

* new module * fixes
5 years ago · ae794369f8
parent 69bc24f607
commit ae794369f8
2 changed files with 443 additions and 0 deletions
--- a/lib/ansible/modules/storage/netapp/na_ontap_vserver_cifs_security.py
+++ b/lib/ansible/modules/storage/netapp/na_ontap_vserver_cifs_security.py
@ -0,0 +1,282 @@
+#!/usr/bin/python
+
+# (c) 2018-2019, NetApp, Inc
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'certified'}
+
+DOCUMENTATION = '''
+---
+module: na_ontap_vserver_cifs_security
+short_description: NetApp ONTAP vserver CIFS security modification
+extends_documentation_fragment:
+    - netapp.na_ontap
+version_added: '2.9'
+author: NetApp Ansible Team (@carchi8py) <ng-ansibleteam@netapp.com>
+
+description:
+    - modify vserver CIFS security.
+
+options:
+
+  vserver:
+    description:
+    - name of the vserver.
+    required: true
+    type: str
+
+  kerberos_clock_skew:
+    description:
+    - The clock skew in minutes is the tolerance for accepting tickets with time stamps that do not exactly match the host's system clock.
+    type: int
+
+  kerberos_ticket_age:
+    description:
+    - Determine the maximum amount of time in hours that a user's ticket may be used for the purpose of Kerberos authentication.
+    type: int
+
+  kerberos_renew_age:
+    description:
+    - Determine the maximum amount of time in days for which a ticket can be renewed.
+    type: int
+
+  kerberos_kdc_timeout:
+    description:
+    - Determine the timeout value in seconds for KDC connections.
+    type: int
+
+  is_signing_required:
+    description:
+    - Determine whether signing is required for incoming CIFS traffic.
+    type: bool
+
+  is_password_complexity_required:
+    description:
+    - Determine whether password complexity is required for local users.
+    type: bool
+
+  is_aes_encryption_enabled:
+    description:
+    - Determine whether AES-128 and AES-256 encryption mechanisms are enabled for Kerberos-related CIFS communication.
+    type: bool
+
+  is_smb_encryption_required:
+    description:
+    - Determine whether SMB encryption is required for incoming CIFS traffic.
+    type: bool
+
+  lm_compatibility_level:
+    description:
+    - Determine the LM compatibility level.
+    choices: ['lm_ntlm_ntlmv2_krb', 'ntlm_ntlmv2_krb', 'ntlmv2_krb', 'krb']
+    type: str
+
+  referral_enabled_for_ad_ldap:
+    description:
+    - Determine whether LDAP referral chasing is enabled or not for AD LDAP connections.
+    type: bool
+
+  session_security_for_ad_ldap:
+    description:
+    - Determine the level of security required for LDAP communications.
+    choices: ['none', 'sign', 'seal']
+    type: str
+
+  smb1_enabled_for_dc_connections:
+    description:
+    - Determine if SMB version 1 is used for connections to domain controllers.
+    choices: ['false', 'true', 'system_default']
+    type: str
+
+  smb2_enabled_for_dc_connections:
+    description:
+    - Determine if SMB version 2 is used for connections to domain controllers.
+    choices: ['false', 'true', 'system_default']
+    type: str
+
+  use_start_tls_for_ad_ldap:
+    description:
+    - Determine whether to use start_tls for AD LDAP connections.
+    type: bool
+
+'''
+
+EXAMPLES = '''
+    - name: modify cifs security
+      na_ontap_vserver_cifs_security:
+        vserver: ansible
+        hostname: "{{ hostname }}"
+        kerberos_clock_skew: 5
+        kerberos_ticket_age: 5
+        kerberos_renew_age: 10
+        kerberos_kdc_timeout: 5
+        is_signing_required: true
+        is_password_complexity_required: true
+        is_aes_encryption_enabled: true
+        is_smb_encryption_required: true
+        lm_compatibility_level: krb
+        smb1_enabled_for_dc_connections: true
+        smb2_enabled_for_dc_connections: true
+        use_start_tls_for_ad_ldap: true
+        username: username
+        password: password
+
+    - name: modify cifs security
+      na_ontap_vserver_cifs_security:
+        vserver: ansible
+        hostname: "{{ hostname }}"
+        referral_enabled_for_ad_ldap: true
+        username: username
+        password: password
+
+    - name: modify cifs security
+      na_ontap_vserver_cifs_security:
+        vserver: ansible
+        hostname: "{{ hostname }}"
+        session_security_for_ad_ldap: true
+        username: username
+        password: password
+'''
+
+RETURN = '''
+'''
+
+import traceback
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_native
+import ansible.module_utils.netapp as netapp_utils
+from ansible.module_utils.netapp_module import NetAppModule
+
+HAS_NETAPP_LIB = netapp_utils.has_netapp_lib()
+
+
+class NetAppONTAPCifsSecurity(object):
+    '''
+    modify vserver cifs security
+    '''
+    def __init__(self):
+
+        self.argument_spec = netapp_utils.na_ontap_host_argument_spec()
+        self.argument_spec.update(dict(
+            vserver=dict(required=True, type='str'),
+            kerberos_clock_skew=dict(required=False, type='int'),
+            kerberos_ticket_age=dict(required=False, type='int'),
+            kerberos_renew_age=dict(required=False, type='int'),
+            kerberos_kdc_timeout=dict(required=False, type='int'),
+            is_signing_required=dict(required=False, type='bool'),
+            is_password_complexity_required=dict(required=False, type='bool'),
+            is_aes_encryption_enabled=dict(required=False, type='bool'),
+            is_smb_encryption_required=dict(required=False, type='bool'),
+            lm_compatibility_level=dict(required=False, choices=['lm_ntlm_ntlmv2_krb', 'ntlm_ntlmv2_krb', 'ntlmv2_krb', 'krb']),
+            referral_enabled_for_ad_ldap=dict(required=False, type='bool'),
+            session_security_for_ad_ldap=dict(required=False, choices=['none', 'sign', 'seal']),
+            smb1_enabled_for_dc_connections=dict(required=False, choices=['false', 'true', 'system_default']),
+            smb2_enabled_for_dc_connections=dict(required=False, choices=['false', 'true', 'system_default']),
+            use_start_tls_for_ad_ldap=dict(required=False, type='bool')
+        ))
+
+        self.module = AnsibleModule(
+            argument_spec=self.argument_spec,
+            supports_check_mode=True
+        )
+
+        self.na_helper = NetAppModule()
+        self.parameters = self.na_helper.set_parameters(self.module.params)
+
+        if HAS_NETAPP_LIB is False:
+            self.module.fail_json(msg="the python NetApp-Lib module is required")
+        else:
+            self.server = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=self.parameters['vserver'])
+
+    def cifs_security_get_iter(self):
+        """
+        get current vserver cifs security.
+        :return: a dict of vserver cifs security
+        """
+        cifs_security_get = netapp_utils.zapi.NaElement('cifs-security-get-iter')
+        query = netapp_utils.zapi.NaElement('query')
+        cifs_security = netapp_utils.zapi.NaElement('cifs-security')
+        cifs_security.add_new_child('vserver', self.parameters['vserver'])
+        query.add_child_elem(cifs_security)
+        cifs_security_get.add_child_elem(query)
+        cifs_security_details = dict()
+        try:
+            result = self.server.invoke_successfully(cifs_security_get, enable_tunneling=True)
+        except netapp_utils.zapi.NaApiError as error:
+            self.module.fail_json(msg='Error fetching cifs security from %s: %s'
+                                      % (self.parameters['vserver'], to_native(error)),
+                                  exception=traceback.format_exc())
+        if result.get_child_by_name('num-records') and int(result.get_child_content('num-records')) > 0:
+            cifs_security_info = result.get_child_by_name('attributes-list').get_child_by_name('cifs-security')
+            cifs_security_details['kerberos_clock_skew'] = cifs_security_info.get_child_content('kerberos-clock-skew')
+            cifs_security_details['kerberos_ticket_age'] = cifs_security_info.get_child_content('kerberos-ticket-age')
+            cifs_security_details['kerberos_renew_age'] = cifs_security_info.get_child_content('kerberos-renew-age')
+            cifs_security_details['kerberos_kdc_timeout'] = cifs_security_info.get_child_content('kerberos-kdc-timeout')
+            cifs_security_details['is_signing_required'] = bool(cifs_security_info.get_child_content('is-signing-required'))
+            cifs_security_details['is_password_complexity_required'] = bool(cifs_security_info.get_child_content('is-password-complexity-required'))
+            cifs_security_details['is_aes_encryption_enabled'] = bool(cifs_security_info.get_child_content('is-aes-encryption-enabled'))
+            cifs_security_details['is_smb_encryption_required'] = bool(cifs_security_info.get_child_content('is-smb-encryption-required'))
+            cifs_security_details['lm_compatibility_level'] = cifs_security_info.get_child_content('lm-compatibility-level')
+            cifs_security_details['referral_enabled_for_ad_ldap'] = bool(cifs_security_info.get_child_content('referral-enabled-for-ad-ldap'))
+            cifs_security_details['session_security_for_ad_ldap'] = cifs_security_info.get_child_content('session-security-for-ad-ldap')
+            cifs_security_details['smb1_enabled_for_dc_connections'] = cifs_security_info.get_child_content('smb1-enabled-for-dc-connections')
+            cifs_security_details['smb2_enabled_for_dc_connections'] = cifs_security_info.get_child_content('smb2-enabled-for-dc-connections')
+            cifs_security_details['use_start_tls_for_ad_ldap'] = bool(cifs_security_info.get_child_content('use-start-tls-for-ad-ldap'))
+            return cifs_security_details
+        return None
+
+    def cifs_security_modify(self, modify):
+        """
+        :param modify: A list of attributes to modify
+        :return: None
+        """
+        cifs_security_modify = netapp_utils.zapi.NaElement('cifs-security-modify')
+        for attribute in modify:
+            cifs_security_modify.add_new_child(self.attribute_to_name(attribute), str(self.parameters[attribute]))
+        try:
+            self.server.invoke_successfully(cifs_security_modify, enable_tunneling=True)
+        except netapp_utils.zapi.NaApiError as e:
+            self.module.fail_json(msg='Error modifying cifs security on %s: %s'
+                                  % (self.parameters['vserver'], to_native(e)),
+                                  exception=traceback.format_exc())
+
+    @staticmethod
+    def attribute_to_name(attribute):
+        return str.replace(attribute, '_', '-')
+
+    def apply(self):
+        """Call modify operations."""
+        self.asup_log_for_cserver("na_ontap_vserver_cifs_security")
+        current = self.cifs_security_get_iter()
+        modify = self.na_helper.get_modified_attributes(current, self.parameters)
+        if self.na_helper.changed:
+            if self.module.check_mode:
+                pass
+            else:
+                if modify:
+                    self.cifs_security_modify(modify)
+        self.module.exit_json(changed=self.na_helper.changed)
+
+    def asup_log_for_cserver(self, event_name):
+        """
+        Fetch admin vserver for the given cluster
+        Create and Autosupport log event with the given module name
+        :param event_name: Name of the event log
+        :return: None
+        """
+        results = netapp_utils.get_cserver(self.server)
+        cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results)
+        netapp_utils.ems_log_event(event_name, cserver)
+
+
+def main():
+    obj = NetAppONTAPCifsSecurity()
+    obj.apply()
+
+
+if __name__ == '__main__':
+    main()
--- a/test/units/modules/storage/netapp/test_na_ontap_vserver_cifs_security.py
+++ b/test/units/modules/storage/netapp/test_na_ontap_vserver_cifs_security.py
@ -0,0 +1,161 @@
+# (c) 2019, NetApp, Inc
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+''' unit test template for ONTAP Ansible module '''
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+import json
+import pytest
+
+from units.compat import unittest
+from units.compat.mock import patch, Mock
+from ansible.module_utils import basic
+from ansible.module_utils._text import to_bytes
+import ansible.module_utils.netapp as netapp_utils
+
+from ansible.modules.storage.netapp.na_ontap_vserver_cifs_security \
+    import NetAppONTAPCifsSecurity as cifs_security_module  # module under test
+
+if not netapp_utils.has_netapp_lib():
+    pytestmark = pytest.mark.skip('skipping as missing required netapp_lib')
+
+
+def set_module_args(args):
+    """prepare arguments so that they will be picked up during module creation"""
+    args = json.dumps({'ANSIBLE_MODULE_ARGS': args})
+    basic._ANSIBLE_ARGS = to_bytes(args)  # pylint: disable=protected-access
+
+
+class AnsibleExitJson(Exception):
+    """Exception class to be raised by module.exit_json and caught by the test case"""
+    pass
+
+
+class AnsibleFailJson(Exception):
+    """Exception class to be raised by module.fail_json and caught by the test case"""
+    pass
+
+
+def exit_json(*args, **kwargs):  # pylint: disable=unused-argument
+    """function to patch over exit_json; package return data into an exception"""
+    if 'changed' not in kwargs:
+        kwargs['changed'] = False
+    raise AnsibleExitJson(kwargs)
+
+
+def fail_json(*args, **kwargs):  # pylint: disable=unused-argument
+    """function to patch over fail_json; package return data into an exception"""
+    kwargs['failed'] = True
+    raise AnsibleFailJson(kwargs)
+
+
+class MockONTAPConnection(object):
+    ''' mock server connection to ONTAP host '''
+
+    def __init__(self, kind=None, data=None):
+        ''' save arguments '''
+        self.type = kind
+        self.data = data
+        self.xml_in = None
+        self.xml_out = None
+
+    def invoke_successfully(self, xml, enable_tunneling):  # pylint: disable=unused-argument
+        ''' mock invoke_successfully returning xml data '''
+        self.xml_in = xml
+        if self.type == 'cifs_security':
+            xml = self.build_port_info(self.data)
+        if self.type == 'error':
+            error = netapp_utils.zapi.NaApiError('test', 'error')
+            raise error
+        self.xml_out = xml
+        return xml
+
+    @staticmethod
+    def build_port_info(cifs_security_details):
+        ''' build xml data for cifs-security '''
+        xml = netapp_utils.zapi.NaElement('xml')
+        attributes = {
+            'num-records': 1,
+            'attributes-list': {
+                'cifs-security': {
+                    'is_aes_encryption_enabled': cifs_security_details['is_aes_encryption_enabled'],
+                    'lm_compatibility_level': cifs_security_details['lm_compatibility_level']
+                }
+            }
+        }
+        xml.translate_struct(attributes)
+        return xml
+
+
+class TestMyModule(unittest.TestCase):
+    ''' a group of related Unit Tests '''
+
+    def setUp(self):
+        self.mock_module_helper = patch.multiple(basic.AnsibleModule,
+                                                 exit_json=exit_json,
+                                                 fail_json=fail_json)
+        self.mock_module_helper.start()
+        self.addCleanup(self.mock_module_helper.stop)
+        self.mock_cifs_security = {
+            'is_aes_encryption_enabled': 'true',
+            'lm_compatibility_level': 'krb'
+        }
+
+    def mock_args(self):
+        return {
+            'is_aes_encryption_enabled': self.mock_cifs_security['is_aes_encryption_enabled'],
+            'lm_compatibility_level': self.mock_cifs_security['lm_compatibility_level'],
+            'vserver': 'ansible',
+            'hostname': 'test',
+            'username': 'test_user',
+            'password': 'test_pass!',
+            'https': 'False'
+        }
+
+    def get_cifs_security_mock_object(self, kind=None):
+        """
+        Helper method to return an na_ontap_vserver_cifs_security object
+        :param kind: passes this param to MockONTAPConnection()
+        :return: na_ontap_vserver_cifs_security object
+        """
+        obj = cifs_security_module()
+        obj.asup_log_for_cserver = Mock(return_value=None)
+        obj.server = Mock()
+        obj.server.invoke_successfully = Mock()
+        if kind is None:
+            obj.server = MockONTAPConnection()
+        else:
+            obj.server = MockONTAPConnection(kind=kind, data=self.mock_cifs_security)
+        return obj
+
+    @patch('ansible.modules.storage.netapp.na_ontap_vserver_cifs_security.NetAppONTAPCifsSecurity.cifs_security_get_iter')
+    def test_successful_modify(self, get_cifs_security):
+        ''' Test successful modify max throughput '''
+        data = self.mock_args()
+        set_module_args(data)
+        current = {
+            'is_aes_encryption_enabled': False,
+            'lm_compatibility_level': 'lm_ntlm_ntlmv2_krb'
+        }
+        get_cifs_security.side_effect = [
+            current
+        ]
+        with pytest.raises(AnsibleExitJson) as exc:
+            self.get_cifs_security_mock_object('cifs_security').apply()
+        assert exc.value.args[0]['changed']
+
+    @patch('ansible.modules.storage.netapp.na_ontap_vserver_cifs_security.NetAppONTAPCifsSecurity.cifs_security_get_iter')
+    def test_modify_error(self, get_cifs_security):
+        ''' Test create idempotency '''
+        data = self.mock_args()
+        set_module_args(data)
+        current = {
+            'is_aes_encryption_enabled': False
+        }
+        get_cifs_security.side_effect = [
+            current
+        ]
+        with pytest.raises(AnsibleFailJson) as exc:
+            self.get_cifs_security_mock_object('error').apply()
+        assert exc.value.args[0]['msg'] == 'Error modifying cifs security on ansible: NetApp API failed. Reason - test:error'