community.general/lib/ansible/modules/network/f5/bigip_ssl_ocsp.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2018, F5 Networks Inc.
# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function
__metaclass__ = type


ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'certified'}

DOCUMENTATION = r'''
---
module: bigip_ssl_ocsp
short_description: Manage OCSP configurations on BIG-IP
description:
  - Manage OCSP configurations on BIG-IP.
version_added: 2.8
options:
  name:
    description:
      - Specifies the name of the OCSP certificate validator.
    required: True
  cache_error_timeout:
    description:
      - Specifies the lifetime of an error response in the cache, in seconds.
  proxy_server_pool:
    description:
      - Specifies the proxy server pool the BIG-IP system uses to fetch the OCSP
        response.
      - This involves creating a pool with proxy-servers.
      - Use this option when either the OCSP responder cannot be reached on any of
        BIG-IP system's interfaces or one or more servers can proxy an HTTP request
        to an external server and fetch the response.
  cache_timeout:
    description:
      - Specifies the lifetime of the OCSP response in the cache, in seconds.
  clock_skew:
    description:
      - Specifies the tolerable absolute difference in the clocks of the responder
        and the BIG-IP system, in seconds.
  connections_limit:
    description:
      - Specifies the maximum number of connections per second allowed for the
        OCSP certificate validator.
  dns_resolver:
    description:
      - Specifies the internal DNS resolver the BIG-IP system uses to fetch the
        OCSP response.
      - This involves specifying one or more DNS servers in the DNS resolver
        configuration.
      - Use this option when either there is a DNS server that can do the
        name-resolution of the OCSP responders or the OCSP responder can be
        reached on one of BIG-IP system's interfaces.
  route_domain:
    description:
      - Specifies the route domain for fetching an OCSP response using HTTP
        forward proxy.
  hash_algorithm:
    description:
      - Specifies a hash algorithm used to sign an OCSP request.
    choices:
      - sha256
      - sha1
  certificate:
    description:
      - Specifies a certificate used to sign an OCSP request.
  key:
    description:
      - Specifies a key used to sign an OCSP request.
  passphrase:
    description:
      - Specifies a passphrase used to sign an OCSP request.
  status_age:
    description:
      - Specifies the maximum allowed lag time that the BIG-IP system accepts for
        the 'thisUpdate' time in the OCSP response.
  strict_responder_checking:
    description:
      - Specifies whether the responder's certificate is checked for an OCSP
        signing extension.
    type: bool
  connection_timeout:
    description:
      - Specifies the time interval that the BIG-IP system waits for before
        ending the connection to the OCSP responder, in seconds.
  trusted_responders:
    description:
      - Specifies the certificates used for validating the OCSP response
        when the responder's certificate has been omitted from the response.
  responder_url:
    description:
      - Specifies the absolute URL that overrides the OCSP responder URL
        obtained from the certificate's AIA extensions. This should be an
        HTTP-based URL.
  update_password:
    description:
      - C(always) will allow to update passwords if the user chooses to do so.
        C(on_create) will only set the password for newly created OCSP validators.
    default: always
    choices:
      - always
      - on_create
  partition:
    description:
      - Device partition to manage resources on.
    default: Common
    version_added: 2.5
  state:
    description:
      - When C(present), ensures that the resource exists.
      - When C(absent), ensures that the resource does not exist.
    default: present
    choices:
      - present
      - absent
extends_documentation_fragment: f5
notes:
  - Requires BIG-IP >= 13.x.
author:
  - Tim Rupp (@caphrim007)
'''

EXAMPLES = r'''
- name: Create a OCSP validator
  bigip_ssl_ocsp:
    name: foo
    proxy_server_pool: validators-pool
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
'''

RETURN = r'''
cache_error_timeout:
  description: The new Response Caching Error Timeout value.
  returned: changed
  type: int
  sample: 3600
cache_timeout:
  description: The new Response Caching Timeout value.
  returned: changed
  type: string
  sample: indefinite
clock_skew:
  description: The new Response Validation Clock Skew value.
  returned: changed
  type: int
  sample: 300
connections_limit:
  description: The new Concurrent Connections Limit value.
  returned: changed
  type: int
  sample: 50
dns_resolver:
  description: The new DNS Resolver value.
  returned: changed
  type: string
  sample: /Common/resolver1
route_domain:
  description: The new Route Domain value.
  returned: changed
  type: string
  sample: /Common/0
hash_algorithm:
  description: The new Request Signing Hash Algorithm value.
  returned: changed
  type: string
  sample: sha256
certificate:
  description: The new Request Signing Certificate value.
  returned: changed
  type: string
  sample: /Common/cert1
key:
  description: The new Request Signing Key value.
  returned: changed
  type: string
  sample: /Common/key1
proxy_server_pool:
  description: The new Proxy Server Pool value.
  returned: changed
  type: string
  sample: /Common/pool1
responder_url:
  description: The new Connection Responder URL value.
  returned: changed
  type: string
  sample: "http://responder.site.com"
status_age:
  description: The new Response Validation Status Age value.
  returned: changed
  type: int
  sample: 0
strict_responder_checking:
  description: The new Response Validation Strict Responder Certificate Checking value.
  returned: changed
  type: bool
  sample: yes
connection_timeout:
  description: The new Connection Timeout value.
  returned: changed
  type: int
  sample: 8
trusted_responders:
  description: The new Response Validation Trusted Responders value.
  returned: changed
  type: int
  sample: /Common/default
'''

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.basic import env_fallback
from distutils.version import LooseVersion

try:
    from library.module_utils.network.f5.bigip import F5RestClient
    from library.module_utils.network.f5.common import F5ModuleError
    from library.module_utils.network.f5.common import AnsibleF5Parameters
    from library.module_utils.network.f5.common import cleanup_tokens
    from library.module_utils.network.f5.common import fq_name
    from library.module_utils.network.f5.common import f5_argument_spec
    from library.module_utils.network.f5.common import exit_json
    from library.module_utils.network.f5.common import fail_json
    from library.module_utils.network.f5.common import transform_name
    from library.module_utils.network.f5.common import flatten_boolean
    from library.module_utils.network.f5.icontrol import tmos_version
except ImportError:
    from ansible.module_utils.network.f5.bigip import F5RestClient
    from ansible.module_utils.network.f5.common import F5ModuleError
    from ansible.module_utils.network.f5.common import AnsibleF5Parameters
    from ansible.module_utils.network.f5.common import cleanup_tokens
    from ansible.module_utils.network.f5.common import fq_name
    from ansible.module_utils.network.f5.common import f5_argument_spec
    from ansible.module_utils.network.f5.common import exit_json
    from ansible.module_utils.network.f5.common import fail_json
    from ansible.module_utils.network.f5.common import transform_name
    from ansible.module_utils.network.f5.common import flatten_boolean
    from ansible.module_utils.network.f5.icontrol import tmos_version


class Parameters(AnsibleF5Parameters):
    api_map = {
        'cacheErrorTimeout': 'cache_error_timeout',
        'cacheTimeout': 'cache_timeout',
        'clockSkew': 'clock_skew',
        'concurrentConnectionsLimit': 'connections_limit',
        'dnsResolver': 'dns_resolver',
        'proxyServerPool': 'proxy_server_pool',
        'responderUrl': 'responder_url',
        'routeDomain': 'route_domain',
        'signHash': 'hash_algorithm',
        'signerCert': 'certificate',
        'signerKey': 'key',
        'signerKeyPassphrase': 'passphrase',
        'statusAge': 'status_age',
        'strictRespCertCheck': 'strict_responder_checking',
        'timeout': 'connection_timeout',
        'trustedResponders': 'trusted_responders',
    }

    api_attributes = [
        'cacheErrorTimeout',
        'cacheTimeout',
        'clockSkew',
        'concurrentConnectionsLimit',
        'dnsResolver',
        'routeDomain',
        'proxyServerPool',
        'responderUrl',
        'signHash',
        'signerCert',
        'signerKey',
        'signerKeyPassphrase',
        'statusAge',
        'strictRespCertCheck',
        'timeout',
        'trustedResponders',
    ]

    returnables = [
        'cache_error_timeout',
        'cache_timeout',
        'clock_skew',
        'connections_limit',
        'dns_resolver',
        'route_domain',
        'hash_algorithm',
        'certificate',
        'key',
        'passphrase',
        'proxy_server_pool',
        'responder_url',
        'status_age',
        'strict_responder_checking',
        'connection_timeout',
        'trusted_responders',
    ]

    updatables = [
        'cache_error_timeout',
        'cache_timeout',
        'clock_skew',
        'connections_limit',
        'dns_resolver',
        'route_domain',
        'hash_algorithm',
        'certificate',
        'key',
        'passphrase',
        'proxy_server_pool',
        'responder_url',
        'status_age',
        'strict_responder_checking',
        'connection_timeout',
        'trusted_responders',
    ]

    @property
    def strict_responder_checking(self):
        return flatten_boolean(self._values['strict_responder_checking'])

    @property
    def cache_timeout(self):
        if self._values['cache_timeout'] is None:
            return None
        try:
            return int(self._values['cache_timeout'])
        except ValueError:
            return self._values['cache_timeout']


class ApiParameters(Parameters):
    pass


class ModuleParameters(Parameters):
    @property
    def route_domain(self):
        if self._values['route_domain'] is None:
            return None
        result = fq_name(self.partition, self._values['route_domain'])
        return result

    @property
    def dns_resolver(self):
        if self._values['dns_resolver'] is None:
            return None
        result = fq_name(self.partition, self._values['dns_resolver'])
        return result

    @property
    def proxy_server_pool(self):
        if self._values['proxy_server_pool'] is None:
            return None
        result = fq_name(self.partition, self._values['proxy_server_pool'])
        return result

    @property
    def responder_url(self):
        if self._values['responder_url'] is None:
            return None
        if self._values['responder_url'] in ['', 'none']:
            return ''
        return self._values['responder_url']

    @property
    def certificate(self):
        if self._values['certificate'] is None:
            return None
        if self._values['certificate'] in ['', 'none']:
            return ''
        result = fq_name(self.partition, self._values['certificate'])
        return result

    @property
    def key(self):
        if self._values['key'] is None:
            return None
        if self._values['key'] in ['', 'none']:
            return ''
        result = fq_name(self.partition, self._values['key'])
        return result

    @property
    def trusted_responders(self):
        if self._values['trusted_responders'] is None:
            return None
        if self._values['trusted_responders'] in ['', 'none']:
            return ''
        result = fq_name(self.partition, self._values['trusted_responders'])
        return result


class Changes(Parameters):
    def to_return(self):
        result = {}
        try:
            for returnable in self.returnables:
                result[returnable] = getattr(self, returnable)
            result = self._filter_params(result)
        except Exception:
            pass
        return result


class UsableChanges(Changes):
    @property
    def strict_responder_checking(self):
        if self._values['strict_responder_checking'] == 'yes':
            return 'enabled'
        elif self._values['strict_responder_checking'] == 'no':
            return 'disabled'


class ReportableChanges(Changes):
    @property
    def strict_responder_checking(self):
        result = flatten_boolean(self._values['strict_responder_checking'])
        return result

    @property
    def passphrase(self):
        return None


class Difference(object):
    def __init__(self, want, have=None):
        self.want = want
        self.have = have

    def compare(self, param):
        try:
            result = getattr(self, param)
            return result
        except AttributeError:
            return self.__default(param)

    def __default(self, param):
        attr1 = getattr(self.want, param)
        try:
            attr2 = getattr(self.have, param)
            if attr1 != attr2:
                return attr1
        except AttributeError:
            return attr1

    @property
    def responder_url(self):
        if self.want.responder_url is None:
            return None
        if self.want.responder_url == '' and self.have.responder_url is None:
            return None
        if self.want.responder_url != self.have.responder_url:
            return self.want.responder_url

    @property
    def certificate(self):
        if self.want.certificate is None:
            return None
        if self.want.certificate == '' and self.have.certificate is None:
            return None
        if self.want.certificate != self.have.certificate:
            return self.want.certificate

    @property
    def key(self):
        if self.want.key is None:
            return None
        if self.want.key == '' and self.have.key is None:
            return None
        if self.want.key != self.have.key:
            return self.want.key

    @property
    def trusted_responders(self):
        if self.want.trusted_responders is None:
            return None
        if self.want.trusted_responders == '' and self.have.trusted_responders is None:
            return None
        if self.want.trusted_responders != self.have.trusted_responders:
            return self.want.trusted_responders


class ModuleManager(object):
    def __init__(self, *args, **kwargs):
        self.module = kwargs.get('module', None)
        self.client = kwargs.get('client', None)
        self.want = ModuleParameters(params=self.module.params)
        self.have = ApiParameters()
        self.changes = UsableChanges()

    def _set_changed_options(self):
        changed = {}
        for key in Parameters.returnables:
            if getattr(self.want, key) is not None:
                changed[key] = getattr(self.want, key)
        if changed:
            self.changes = UsableChanges(params=changed)

    def _update_changed_options(self):
        diff = Difference(self.want, self.have)
        updatables = Parameters.updatables
        changed = dict()
        for k in updatables:
            change = diff.compare(k)
            if change is None:
                continue
            else:
                if isinstance(change, dict):
                    changed.update(change)
                else:
                    changed[k] = change
        if changed:
            self.changes = UsableChanges(params=changed)
            return True
        return False

    def should_update(self):
        result = self._update_changed_options()
        if result:
            return True
        return False

    def exec_module(self):
        tmos = tmos_version(self.client)
        if LooseVersion(tmos) < LooseVersion('13.0.0'):
            raise F5ModuleError(
                "BIG-IP v13 or greater is required to use this module."
            )
        changed = False
        result = dict()
        state = self.want.state

        if state == "present":
            changed = self.present()
        elif state == "absent":
            changed = self.absent()

        reportable = ReportableChanges(params=self.changes.to_return())
        changes = reportable.to_return()
        result.update(**changes)
        result.update(dict(changed=changed))
        self._announce_deprecations(result)
        return result

    def _announce_deprecations(self, result):
        warnings = result.pop('__warnings', [])
        for warning in warnings:
            self.client.module.deprecate(
                msg=warning['msg'],
                version=warning['version']
            )

    def present(self):
        if self.exists():
            return self.update()
        else:
            return self.create()

    def exists(self):
        uri = "https://{0}:{1}/mgmt/tm/sys/crypto/cert-validator/ocsp/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        resp = self.client.api.get(uri)
        try:
            response = resp.json()
        except ValueError:
            return False
        if resp.status == 404 or 'code' in response and response['code'] == 404:
            return False
        return True

    def update(self):
        self.have = self.read_current_from_device()

        if self.want.update_password == 'always':
            self.want.update({'passphrase': self.want.passphrase})
        else:
            if self.want.passphrase:
                del self.want._values['passphrase']

        if not self.should_update():
            return False

        # these two params are mutually exclusive, and so one must be zeroed
        # out so that the other can be set. This zeros the non-specified values
        # out so that the PATCH can happen
        if self.want.dns_resolver:
            self.changes.update({'proxy_server_pool': ''})
        if self.want.proxy_server_pool:
            self.changes.update({'dns_resolver': ''})

        if self.module.check_mode:
            return True
        self.update_on_device()
        return True

    def remove(self):
        if self.module.check_mode:
            return True
        self.remove_from_device()
        if self.exists():
            raise F5ModuleError("Failed to delete the resource.")
        return True

    def create(self):
        self._set_changed_options()
        if self.module.check_mode:
            return True
        self.create_on_device()
        return True

    def create_on_device(self):
        params = self.changes.api_params()
        params['name'] = self.want.name
        params['partition'] = self.want.partition
        uri = "https://{0}:{1}/mgmt/tm/sys/crypto/cert-validator/ocsp/".format(
            self.client.provider['server'],
            self.client.provider['server_port']
        )
        resp = self.client.api.post(uri, json=params)
        try:
            response = resp.json()
        except ValueError as ex:
            raise F5ModuleError(str(ex))

        if 'code' in response and response['code'] in [400, 403]:
            if 'message' in response:
                raise F5ModuleError(response['message'])
            else:
                raise F5ModuleError(resp.content)

    def update_on_device(self):
        params = self.changes.api_params()
        uri = "https://{0}:{1}/mgmt/tm/sys/crypto/cert-validator/ocsp/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        resp = self.client.api.patch(uri, json=params)
        try:
            response = resp.json()
        except ValueError as ex:
            raise F5ModuleError(str(ex))

        if 'code' in response and response['code'] == 400:
            if 'message' in response:
                raise F5ModuleError(response['message'])
            else:
                raise F5ModuleError(resp.content)

    def absent(self):
        if self.exists():
            return self.remove()
        return False

    def remove_from_device(self):
        uri = "https://{0}:{1}/mgmt/tm/sys/crypto/cert-validator/ocsp/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        response = self.client.api.delete(uri)
        if response.status == 200:
            return True
        raise F5ModuleError(response.content)

    def read_current_from_device(self):
        uri = "https://{0}:{1}/mgmt/tm/sys/crypto/cert-validator/ocsp/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        resp = self.client.api.get(uri)
        try:
            response = resp.json()
        except ValueError as ex:
            raise F5ModuleError(str(ex))

        if 'code' in response and response['code'] == 400:
            if 'message' in response:
                raise F5ModuleError(response['message'])
            else:
                raise F5ModuleError(resp.content)
        return ApiParameters(params=response)


class ArgumentSpec(object):
    def __init__(self):
        self.supports_check_mode = True
        argument_spec = dict(
            name=dict(required=True),
            cache_error_timeout=dict(type='int'),
            proxy_server_pool=dict(),
            cache_timeout=dict(),
            clock_skew=dict(type='int'),
            connections_limit=dict(type='int'),
            dns_resolver=dict(),
            route_domain=dict(),
            hash_algorithm=dict(
                choices=['sha256', 'sha1']
            ),
            certificate=dict(),
            key=dict(),
            passphrase=dict(no_log=True),
            status_age=dict(type='int'),
            strict_responder_checking=dict(type='bool'),
            connection_timeout=dict(type='int'),
            trusted_responders=dict(),
            responder_url=dict(),
            update_password=dict(
                default='always',
                choices=['always', 'on_create']
            ),
            state=dict(
                default='present',
                choices=['present', 'absent']
            ),
            partition=dict(
                default='Common',
                fallback=(env_fallback, ['F5_PARTITION'])
            )
        )
        self.argument_spec = {}
        self.argument_spec.update(f5_argument_spec)
        self.argument_spec.update(argument_spec)
        self.mutually_exclusive = [
            ['dns_resolver', 'proxy_server_pool']
        ]
        self.required_together = [
            ['certificate', 'key']
        ]


def main():
    spec = ArgumentSpec()

    module = AnsibleModule(
        argument_spec=spec.argument_spec,
        supports_check_mode=spec.supports_check_mode,
        mutually_exclusive=spec.mutually_exclusive,
        required_together=spec.required_together,
    )

    client = F5RestClient(**module.params)

    try:
        mm = ModuleManager(module=module, client=client)
        results = mm.exec_module()
        cleanup_tokens(client)
        exit_json(module, results, client)
    except F5ModuleError as ex:
        cleanup_tokens(client)
        fail_json(module, ex, client)


if __name__ == '__main__':
    main()