Adds the bigip_password_policy module (#48951)

This module can be used to manage password policy settings on a BIG-IP

lib/ansible/modules/network/f5/bigip_password_policy.py

@@ -0,0 +1,439 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright: (c) 2018, F5 Networks Inc.
+# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'certified'}
+
+DOCUMENTATION = r'''
+---
+module: bigip_password_policy
+short_description: Manages the authentication password policy on a BIG-IP
+description:
+  - Manages the authentication password policy on a BIG-IP.
+version_added: 2.8
+options:
+  expiration_warning:
+    description:
+      - Specifies the number of days before a password expires.
+      - Based on this value, the BIG-IP system automatically warns users when their
+        password is about to expire.
+  max_duration:
+    description:
+      - Specifies the maximum number of days a password is valid.
+  max_login_failures:
+    description:
+      - Specifies the number of consecutive unsuccessful login attempts
+        that the system allows before locking out the user.
+      - Specify zero (0) to disable this parameter.
+  min_duration:
+    description:
+      - Specifies the minimum number of days a password is valid.
+  min_length:
+    description:
+      - Specifies the minimum number of characters in a valid password.
+      - This value must be between 6 and 255.
+  policy_enforcement:
+    description:
+      - Enables or disables the password policy on the BIG-IP system.
+    type: bool
+  required_lowercase:
+    description:
+      - Specifies the number of lowercase alpha characters that must be
+        present in a password for the password to be valid.
+  required_numeric:
+    description:
+      - Specifies the number of numeric characters that must be present in
+        a password for the password to be valid.
+  required_special:
+    description:
+      - Specifies the number of special characters that must be present in
+        a password for the password to be valid.
+  required_uppercase:
+    description:
+      - Specifies the number of uppercase alpha characters that must be
+        present in a password for the password to be valid.
+  password_memory:
+    description:
+      - Specifies whether the user has configured the BIG-IP system to
+        remember a password on a specific computer and how many passwords
+        to remember.
+extends_documentation_fragment: f5
+author:
+  - Tim Rupp (@caphrim007)
+'''
+
+EXAMPLES = r'''
+- name: Change password policy to require 2 numeric characters
+  bigip_password_policy:
+    required_numeric: 2
+    provider:
+      password: secret
+      server: lb.mydomain.com
+      user: admin
+  delegate_to: localhost
+'''
+
+RETURN = r'''
+expiration_warning:
+  description: The new expiration warning.
+  returned: changed
+  type: int
+  sample: 7
+max_duration:
+  description: The new max duration.
+  returned: changed
+  type: int
+  sample: 99999
+max_login_failures:
+  description: The new max login failures.
+  returned: changed
+  type: int
+  sample: 0
+min_duration:
+  description: The new min duration.
+  returned: changed
+  type: int
+  sample: 0
+min_length:
+  description: The new min password length.
+  returned: changed
+  type: int
+  sample: 6
+policy_enforcement:
+  description: The new policy enforcement setting.
+  returned: changed
+  type: bool
+  sample: yes
+required_lowercase:
+  description: The lowercase requirement.
+  returned: changed
+  type: int
+  sample: 1
+required_numeric:
+  description: The numeric requirement.
+  returned: changed
+  type: int
+  sample: 2
+required_special:
+  description: The special character requirement.
+  returned: changed
+  type: int
+  sample: 1
+required_uppercase:
+  description: The uppercase character requirement.
+  returned: changed
+  type: int
+  sample: 1
+password_memory:
+  description: The new number of remembered passwords
+  returned: changed
+  type: int
+  sample: 0
+'''
+
+from ansible.module_utils.basic import AnsibleModule
+
+try:
+    from library.module_utils.network.f5.bigip import F5RestClient
+    from library.module_utils.network.f5.common import F5ModuleError
+    from library.module_utils.network.f5.common import AnsibleF5Parameters
+    from library.module_utils.network.f5.common import cleanup_tokens
+    from library.module_utils.network.f5.common import fq_name
+    from library.module_utils.network.f5.common import transform_name
+    from library.module_utils.network.f5.common import f5_argument_spec
+    from library.module_utils.network.f5.common import exit_json
+    from library.module_utils.network.f5.common import fail_json
+    from library.module_utils.network.f5.common import flatten_boolean
+except ImportError:
+    from ansible.module_utils.network.f5.bigip import F5RestClient
+    from ansible.module_utils.network.f5.common import F5ModuleError
+    from ansible.module_utils.network.f5.common import AnsibleF5Parameters
+    from ansible.module_utils.network.f5.common import cleanup_tokens
+    from ansible.module_utils.network.f5.common import fq_name
+    from ansible.module_utils.network.f5.common import transform_name
+    from ansible.module_utils.network.f5.common import f5_argument_spec
+    from ansible.module_utils.network.f5.common import exit_json
+    from ansible.module_utils.network.f5.common import fail_json
+    from ansible.module_utils.network.f5.common import flatten_boolean
+
+
+class Parameters(AnsibleF5Parameters):
+    api_map = {
+        'expirationWarning': 'expiration_warning',
+        'maxDuration': 'max_duration',
+        'maxLoginFailures': 'max_login_failures',
+        'minDuration': 'min_duration',
+        'minimumLength': 'min_length',
+        'passwordMemory': 'password_memory',
+        'policyEnforcement': 'policy_enforcement',
+        'requiredLowercase': 'required_lowercase',
+        'requiredNumeric': 'required_numeric',
+        'requiredSpecial': 'required_special',
+        'requiredUppercase': 'required_uppercase',
+    }
+
+    api_attributes = [
+        'expirationWarning',
+        'maxDuration',
+        'maxLoginFailures',
+        'minDuration',
+        'minimumLength',
+        'passwordMemory',
+        'policyEnforcement',
+        'requiredLowercase',
+        'requiredNumeric',
+        'requiredSpecial',
+        'requiredUppercase',
+    ]
+
+    returnables = [
+        'expiration_warning',
+        'max_duration',
+        'max_login_failures',
+        'min_duration',
+        'min_length',
+        'password_memory',
+        'policy_enforcement',
+        'required_lowercase',
+        'required_numeric',
+        'required_special',
+        'required_uppercase',
+    ]
+
+    updatables = [
+        'expiration_warning',
+        'max_duration',
+        'max_login_failures',
+        'min_duration',
+        'min_length',
+        'password_memory',
+        'policy_enforcement',
+        'required_lowercase',
+        'required_numeric',
+        'required_special',
+        'required_uppercase',
+    ]
+
+    @property
+    def policy_enforcement(self):
+        return flatten_boolean(self._values['policy_enforcement'])
+
+
+class ApiParameters(Parameters):
+    pass
+
+
+class ModuleParameters(Parameters):
+    pass
+
+
+class Changes(Parameters):
+    def to_return(self):
+        result = {}
+        try:
+            for returnable in self.returnables:
+                result[returnable] = getattr(self, returnable)
+            result = self._filter_params(result)
+        except Exception:
+            pass
+        return result
+
+
+class UsableChanges(Changes):
+    @property
+    def policy_enforcement(self):
+        if self._values['policy_enforcement'] is None:
+            return None
+        if self._values['policy_enforcement'] == 'yes':
+            return 'enabled'
+        return 'disabled'
+
+
+class ReportableChanges(Changes):
+    @property
+    def policy_enforcement(self):
+        return flatten_boolean(self._values['policy_enforcement'])
+
+
+class Difference(object):
+    def __init__(self, want, have=None):
+        self.want = want
+        self.have = have
+
+    def compare(self, param):
+        try:
+            result = getattr(self, param)
+            return result
+        except AttributeError:
+            return self.__default(param)
+
+    def __default(self, param):
+        attr1 = getattr(self.want, param)
+        try:
+            attr2 = getattr(self.have, param)
+            if attr1 != attr2:
+                return attr1
+        except AttributeError:
+            return attr1
+
+
+class ModuleManager(object):
+    def __init__(self, *args, **kwargs):
+        self.module = kwargs.get('module', None)
+        self.client = kwargs.get('client', None)
+        self.want = ModuleParameters(params=self.module.params)
+        self.have = ApiParameters()
+        self.changes = UsableChanges()
+
+    def _set_changed_options(self):
+        changed = {}
+        for key in Parameters.returnables:
+            if getattr(self.want, key) is not None:
+                changed[key] = getattr(self.want, key)
+        if changed:
+            self.changes = UsableChanges(params=changed)
+
+    def _update_changed_options(self):
+        diff = Difference(self.want, self.have)
+        updatables = Parameters.updatables
+        changed = dict()
+        for k in updatables:
+            change = diff.compare(k)
+            if change is None:
+                continue
+            else:
+                if isinstance(change, dict):
+                    changed.update(change)
+                else:
+                    changed[k] = change
+        if changed:
+            self.changes = UsableChanges(params=changed)
+            return True
+        return False
+
+    def _announce_deprecations(self, result):
+        warnings = result.pop('__warnings', [])
+        for warning in warnings:
+            self.client.module.deprecate(
+                msg=warning['msg'],
+                version=warning['version']
+            )
+
+    def exec_module(self):
+        result = dict()
+
+        changed = self.present()
+
+        reportable = ReportableChanges(params=self.changes.to_return())
+        changes = reportable.to_return()
+        result.update(**changes)
+        result.update(dict(changed=changed))
+        self._announce_deprecations(result)
+        return result
+
+    def present(self):
+        return self.update()
+
+    def should_update(self):
+        result = self._update_changed_options()
+        if result:
+            return True
+        return False
+
+    def update(self):
+        self.have = self.read_current_from_device()
+        if not self.should_update():
+            return False
+        if self.module.check_mode:
+            return True
+        self.update_on_device()
+        return True
+
+    def update_on_device(self):
+        params = self.changes.api_params()
+        uri = "https://{0}:{1}/mgmt/tm/auth/password-policy".format(
+            self.client.provider['server'],
+            self.client.provider['server_port'],
+        )
+        resp = self.client.api.patch(uri, json=params)
+        try:
+            response = resp.json()
+        except ValueError as ex:
+            raise F5ModuleError(str(ex))
+
+        if 'code' in response and response['code'] == 400:
+            if 'message' in response:
+                raise F5ModuleError(response['message'])
+            else:
+                raise F5ModuleError(resp.content)
+
+    def read_current_from_device(self):
+        uri = "https://{0}:{1}/mgmt/tm/auth/password-policy".format(
+            self.client.provider['server'],
+            self.client.provider['server_port'],
+        )
+        resp = self.client.api.get(uri)
+        try:
+            response = resp.json()
+        except ValueError as ex:
+            raise F5ModuleError(str(ex))
+
+        if 'code' in response and response['code'] == 400:
+            if 'message' in response:
+                raise F5ModuleError(response['message'])
+            else:
+                raise F5ModuleError(resp.content)
+        return ApiParameters(params=response)
+
+
+class ArgumentSpec(object):
+    def __init__(self):
+        self.supports_check_mode = True
+        argument_spec = dict(
+            expiration_warning=dict(type='int'),
+            max_duration=dict(type='int'),
+            max_login_failures=dict(type='int'),
+            min_duration=dict(type='int'),
+            min_length=dict(type='int'),
+            password_memory=dict(type='int'),
+            policy_enforcement=dict(type='bool'),
+            required_lowercase=dict(type='int'),
+            required_numeric=dict(type='int'),
+            required_special=dict(type='int'),
+            required_uppercase=dict(type='int'),
+        )
+        self.argument_spec = {}
+        self.argument_spec.update(f5_argument_spec)
+        self.argument_spec.update(argument_spec)
+
+
+def main():
+    spec = ArgumentSpec()
+
+    module = AnsibleModule(
+        argument_spec=spec.argument_spec,
+        supports_check_mode=spec.supports_check_mode,
+    )
+
+    client = F5RestClient(**module.params)
+
+    try:
+        mm = ModuleManager(module=module, client=client)
+        results = mm.exec_module()
+        cleanup_tokens(client)
+        exit_json(module, results, client)
+    except F5ModuleError as ex:
+        cleanup_tokens(client)
+        fail_json(module, ex, client)
+
+
+if __name__ == '__main__':
+    main()

test/units/modules/network/f5/fixtures/load_tm_auth_password_policy_1.json

@@ -0,0 +1,15 @@
+{
+    "kind": "tm:auth:password-policy:password-policystate",
+    "selfLink": "https://localhost/mgmt/tm/auth/password-policy?ver=13.1.0.7",
+    "expirationWarning": 7,
+    "maxDuration": 99999,
+    "maxLoginFailures": 0,
+    "minDuration": 0,
+    "minimumLength": 6,
+    "passwordMemory": 0,
+    "policyEnforcement": "disabled",
+    "requiredLowercase": 0,
+    "requiredNumeric": 0,
+    "requiredSpecial": 0,
+    "requiredUppercase": 0
+}

test/units/modules/network/f5/test_bigip_password_policy.py

@@ -0,0 +1,151 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright: (c) 2018, F5 Networks Inc.
+# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import json
+import pytest
+import sys
+
+from nose.plugins.skip import SkipTest
+if sys.version_info < (2, 7):
+    raise SkipTest("F5 Ansible modules require Python >= 2.7")
+
+from ansible.module_utils.basic import AnsibleModule
+
+try:
+    from library.modules.bigip_password_policy import ApiParameters
+    from library.modules.bigip_password_policy import ModuleParameters
+    from library.modules.bigip_password_policy import ModuleManager
+    from library.modules.bigip_password_policy import ArgumentSpec
+
+    # In Ansible 2.8, Ansible changed import paths.
+    from test.units.compat import unittest
+    from test.units.compat.mock import Mock
+    from test.units.compat.mock import patch
+
+    from test.units.modules.utils import set_module_args
+except ImportError:
+    from ansible.modules.network.f5.bigip_password_policy import ApiParameters
+    from ansible.modules.network.f5.bigip_password_policy import ModuleParameters
+    from ansible.modules.network.f5.bigip_password_policy import ModuleManager
+    from ansible.modules.network.f5.bigip_password_policy import ArgumentSpec
+
+    # Ansible 2.8 imports
+    from units.compat import unittest
+    from units.compat.mock import Mock
+    from units.compat.mock import patch
+
+    from units.modules.utils import set_module_args
+
+
+fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures')
+fixture_data = {}
+
+
+def load_fixture(name):
+    path = os.path.join(fixture_path, name)
+
+    if path in fixture_data:
+        return fixture_data[path]
+
+    with open(path) as f:
+        data = f.read()
+
+    try:
+        data = json.loads(data)
+    except Exception:
+        pass
+
+    fixture_data[path] = data
+    return data
+
+
+class TestParameters(unittest.TestCase):
+    def test_module_parameters(self):
+        args = dict(
+            expiration_warning=7,
+            max_duration=99999,
+            max_login_failures=0,
+            min_duration=0,
+            min_length=6,
+            password_memory=0,
+            policy_enforcement=False,
+            required_lowercase=0,
+            required_numeric=0,
+            required_special=0,
+            required_uppercase=0,
+        )
+
+        p = ModuleParameters(params=args)
+        assert p.expiration_warning == 7
+        assert p.max_duration == 99999
+        assert p.max_login_failures == 0
+        assert p.min_duration == 0
+        assert p.password_memory == 0
+        assert p.policy_enforcement == 'no'
+        assert p.required_lowercase == 0
+        assert p.required_numeric == 0
+        assert p.required_special == 0
+        assert p.required_uppercase == 0
+
+    def test_api_parameters(self):
+        args = load_fixture('load_tm_auth_password_policy_1.json')
+
+        p = ApiParameters(params=args)
+        assert p.expiration_warning == 7
+        assert p.max_duration == 99999
+        assert p.max_login_failures == 0
+        assert p.min_duration == 0
+        assert p.password_memory == 0
+        assert p.policy_enforcement == 'no'
+        assert p.required_lowercase == 0
+        assert p.required_numeric == 0
+        assert p.required_special == 0
+        assert p.required_uppercase == 0
+
+
+@patch('ansible.module_utils.f5_utils.AnsibleF5Client._get_mgmt_root',
+       return_value=True)
+class TestManager(unittest.TestCase):
+
+    def setUp(self):
+        self.spec = ArgumentSpec()
+
+    def test_create_partition(self, *args):
+        set_module_args(dict(
+            expiration_warning=7,
+            max_duration=9999,
+            max_login_failures=0,
+            min_duration=0,
+            min_length=6,
+            password_memory=0,
+            policy_enforcement='no',
+            required_lowercase=0,
+            required_numeric=0,
+            required_special=0,
+            required_uppercase=0,
+            server='localhost',
+            password='password',
+            user='admin'
+        ))
+
+        current = ApiParameters(params=load_fixture('load_tm_auth_password_policy_1.json'))
+        module = AnsibleModule(
+            argument_spec=self.spec.argument_spec,
+            supports_check_mode=self.spec.supports_check_mode
+        )
+
+        # Override methods in the specific type of manager
+        mm = ModuleManager(module=module)
+        mm.exists = Mock(side_effect=[False, True])
+        mm.update_on_device = Mock(return_value=True)
+        mm.read_current_from_device = Mock(return_value=current)
+
+        results = mm.exec_module()
+
+        assert results['changed'] is True