Merge pull request #1424 from ansible/f5-remove-global-ssl-disable

Update f5 validate_certs functionality to do the right thing on multi…
reviewable/pr18780/r1
Toshio Kuratomi 9 years ago
commit f6a7b6dd1f

@ -59,7 +59,8 @@ options:
validate_certs: validate_certs:
description: description:
- If C(no), SSL certificates will not be validated. This should only be used - If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates. on personally controlled sites. Prior to 2.0, this module would always
validate on python >= 2.7.9 and never validate on python <= 2.7.8
required: false required: false
default: 'yes' default: 'yes'
choices: ['yes', 'no'] choices: ['yes', 'no']
@ -136,8 +137,8 @@ class F5(object):
api: iControl API instance. api: iControl API instance.
""" """
def __init__(self, host, user, password, session=False): def __init__(self, host, user, password, session=False, validate_certs=True):
self.api = bigsuds.BIGIP(hostname=host, username=user, password=password) self.api = bigip_api(host, user, password, validate_certs)
if session: if session:
self.start_session() self.start_session()
@ -1574,12 +1575,6 @@ def generate_software_list(f5):
software_list = software.get_all_software_status() software_list = software.get_all_software_status()
return software_list return software_list
def disable_ssl_cert_validation():
# You probably only want to do this for testing and never in production.
# From https://www.python.org/dev/peps/pep-0476/#id29
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
@ -1595,7 +1590,7 @@ def main():
) )
if not bigsuds_found: if not bigsuds_found:
module.fail_json(msg="the python suds and bigsuds modules is required") module.fail_json(msg="the python suds and bigsuds modules are required")
server = module.params['server'] server = module.params['server']
user = module.params['user'] user = module.params['user']
@ -1603,6 +1598,12 @@ def main():
validate_certs = module.params['validate_certs'] validate_certs = module.params['validate_certs']
session = module.params['session'] session = module.params['session']
fact_filter = module.params['filter'] fact_filter = module.params['filter']
if validate_certs:
import ssl
if not hasattr(ssl, 'SSLContext'):
module.fail_json(msg='bigsuds does not support verifying certificates with python < 2.7.9. Either update python or set validate_certs=False on the task')
if fact_filter: if fact_filter:
regex = fnmatch.translate(fact_filter) regex = fnmatch.translate(fact_filter)
else: else:
@ -1617,14 +1618,11 @@ def main():
if not all(include_test): if not all(include_test):
module.fail_json(msg="value of include must be one or more of: %s, got: %s" % (",".join(valid_includes), ",".join(include))) module.fail_json(msg="value of include must be one or more of: %s, got: %s" % (",".join(valid_includes), ",".join(include)))
if not validate_certs:
disable_ssl_cert_validation()
try: try:
facts = {} facts = {}
if len(include) > 0: if len(include) > 0:
f5 = F5(server, user, password, session) f5 = F5(server, user, password, session, validate_certs)
saved_active_folder = f5.get_active_folder() saved_active_folder = f5.get_active_folder()
saved_recursive_query_state = f5.get_recursive_query_state() saved_recursive_query_state = f5.get_recursive_query_state()
if saved_active_folder != "/": if saved_active_folder != "/":
@ -1685,6 +1683,7 @@ def main():
# include magic from lib/ansible/module_common.py # include magic from lib/ansible/module_common.py
from ansible.module_utils.basic import * from ansible.module_utils.basic import *
from ansible.module_utils.f5 import *
if __name__ == '__main__': if __name__ == '__main__':
main() main()

@ -54,7 +54,8 @@ options:
validate_certs: validate_certs:
description: description:
- If C(no), SSL certificates will not be validated. This should only be used - If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates. on personally controlled sites. Prior to 2.0, this module would always
validate on python >= 2.7.9 and never validate on python <= 2.7.8
required: false required: false
default: 'yes' default: 'yes'
choices: ['yes', 'no'] choices: ['yes', 'no']
@ -333,7 +334,7 @@ def main():
# end monitor specific stuff # end monitor specific stuff
api = bigip_api(server, user, password) api = bigip_api(server, user, password, validate_certs)
monitor_exists = check_monitor_exists(module, api, monitor, parent) monitor_exists = check_monitor_exists(module, api, monitor, parent)

@ -52,7 +52,8 @@ options:
validate_certs: validate_certs:
description: description:
- If C(no), SSL certificates will not be validated. This should only be used - If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates. on personally controlled sites. Prior to 2.0, this module would always
validate on python >= 2.7.9 and never validate on python <= 2.7.8
required: false required: false
default: 'yes' default: 'yes'
choices: ['yes', 'no'] choices: ['yes', 'no']
@ -356,7 +357,7 @@ def main():
# end monitor specific stuff # end monitor specific stuff
api = bigip_api(server, user, password) api = bigip_api(server, user, password, validate_certs)
monitor_exists = check_monitor_exists(module, api, monitor, parent) monitor_exists = check_monitor_exists(module, api, monitor, parent)

@ -57,7 +57,8 @@ options:
validate_certs: validate_certs:
description: description:
- If C(no), SSL certificates will not be validated. This should only be used - If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates. on personally controlled sites. Prior to 2.0, this module would always
validate on python >= 2.7.9 and never validate on python <= 2.7.8
required: false required: false
default: 'yes' default: 'yes'
choices: ['yes', 'no'] choices: ['yes', 'no']
@ -290,7 +291,7 @@ def main():
module.fail_json(msg="host parameter invalid when state=absent") module.fail_json(msg="host parameter invalid when state=absent")
try: try:
api = bigip_api(server, user, password) api = bigip_api(server, user, password, validate_certs)
result = {'changed': False} # default result = {'changed': False} # default
if state == 'absent': if state == 'absent':

@ -57,7 +57,8 @@ options:
validate_certs: validate_certs:
description: description:
- If C(no), SSL certificates will not be validated. This should only be used - If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates. on personally controlled sites. Prior to 2.0, this module would always
validate on python >= 2.7.9 and never validate on python <= 2.7.8
required: false required: false
default: 'yes' default: 'yes'
choices: ['yes', 'no'] choices: ['yes', 'no']
@ -390,9 +391,6 @@ def main():
address = fq_name(partition,host) address = fq_name(partition,host)
port = module.params['port'] port = module.params['port']
if not validate_certs:
disable_ssl_cert_validation()
# sanity check user supplied values # sanity check user supplied values
if (host and not port) or (port and not host): if (host and not port) or (port and not host):
@ -421,7 +419,7 @@ def main():
module.fail_json(msg="quorum requires monitors parameter") module.fail_json(msg="quorum requires monitors parameter")
try: try:
api = bigip_api(server, user, password) api = bigip_api(server, user, password, validate_certs)
result = {'changed': False} # default result = {'changed': False} # default
if state == 'absent': if state == 'absent':

@ -50,7 +50,8 @@ options:
validate_certs: validate_certs:
description: description:
- If C(no), SSL certificates will not be validated. This should only be used - If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates. on personally controlled sites. Prior to 2.0, this module would always
validate on python >= 2.7.9 and never validate on python <= 2.7.8
required: false required: false
default: 'yes' default: 'yes'
choices: ['yes', 'no'] choices: ['yes', 'no']
@ -347,7 +348,7 @@ def main():
module.fail_json(msg="valid ports must be in range 1 - 65535") module.fail_json(msg="valid ports must be in range 1 - 65535")
try: try:
api = bigip_api(server, user, password) api = bigip_api(server, user, password, validate_certs)
if not pool_exists(api, pool): if not pool_exists(api, pool):
module.fail_json(msg="pool %s does not exist" % pool) module.fail_json(msg="pool %s does not exist" % pool)
result = {'changed': False} # default result = {'changed': False} # default

Loading…
Cancel
Save