#!/usr/bin/python # -*- coding: utf-8 -*- # # Copyright: (c) 2018, F5 Networks Inc. # GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) from __future__ import absolute_import, division, print_function __metaclass__ = type ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'certified'} DOCUMENTATION = r''' --- module: bigip_profile_http short_description: Manage HTTP profiles on a BIG-IP description: - Manage HTTP profiles on a BIG-IP. version_added: 2.7 options: name: description: - Specifies the name of the profile. type: str required: True parent: description: - Specifies the profile from which this profile inherits settings. - When creating a new profile, if this parameter is not specified, the default is the system-supplied C(http) profile. type: str default: /Common/http description: description: - Description of the profile. type: str proxy_type: description: - Specifies the proxy mode for the profile. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - reverse - transparent - explicit dns_resolver: description: - Specifies the name of a configured DNS resolver, this option is mandatory when C(proxy_type) is set to C(explicit). - Format of the name can be either be prepended by partition (C(/Common/foo)), or specified just as an object name (C(foo)). - To remove the entry a value of C(none) or C('') can be set, however the profile C(proxy_type) must not be set as C(explicit). type: str insert_xforwarded_for: description: - When specified system inserts an X-Forwarded-For header in an HTTP request with the client IP address, to use with connection pooling. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool redirect_rewrite: description: - Specifies whether the system rewrites the URIs that are part of HTTP redirect (3XX) responses. - When set to C(none) the system will not rewrite the URI in any HTTP redirect responses. - When set to C(all) the system rewrites the URI in all HTTP redirect responses. - When set to C(matching) the system rewrites the URI in any HTTP redirect responses that match the request URI. - When set to C(nodes) if the URI contains a node IP address instead of a host name, the system changes it to the virtual server address. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - none - all - matching - nodes encrypt_cookies: description: - Cookie names for the system to encrypt. - To remove the entry completely a value of C(none) or C('') should be set. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: list encrypt_cookie_secret: description: - Passphrase for cookie encryption. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str update_password: description: - C(always) will update passwords if the C(encrypt_cookie_secret) is specified. - C(on_create) will only set the password for newly created profiles. type: str choices: - always - on_create default: always header_erase: description: - The name of a header, in an HTTP request, which the system removes from request. - To remove the entry completely a value of C(none) or C('') should be set. - The format of the header must be in C(KEY:VALUE) format, otherwise error is raised. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 header_insert: description: - A string that the system inserts as a header in an HTTP request. - To remove the entry completely a value of C(none) or C('') should be set. - The format of the header must be in C(KEY:VALUE) format, otherwise error is raised. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 server_agent_name: description: - Specifies the string used as the server name in traffic generated by LTM. - To remove the entry completely a value of C(none) or C('') should be set. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 include_subdomains: description: - When set to C(yes), applies the HSTS policy to the HSTS host and its sub-domains. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool version_added: 2.8 maximum_age: description: - Specifies the maximum length of time, in seconds, that HSTS functionality requests that clients only use HTTPS to connect to the current host and any sub-domains of the current host's domain name. - The accepted value range is C(0 - 4294967295) seconds, a value of C(0) seconds re-enables plaintext HTTP access, while specifying C(indefinite) will set it to the maximum value. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 hsts_mode: description: - When set to C(yes), enables the HSTS settings. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool version_added: 2.8 partition: description: - Device partition to manage resources on. type: str default: Common state: description: - When C(present), ensures that the profile exists. - When C(absent), ensures the profile is removed. type: str choices: - present - absent default: present extends_documentation_fragment: f5 author: - Wojciech Wypior (@wojtek0806) ''' EXAMPLES = r''' - name: Create HTTP profile bigip_profile_http: name: my_profile insert_xforwarded_for: yes redirect_rewrite: all state: present provider: user: admin password: secret server: lb.mydomain.com delegate_to: localhost - name: Remove HTTP profile bigip_profile_http: name: my_profile state: absent provider: server: lb.mydomain.com user: admin password: secret delegate_to: localhost - name: Add HTTP profile for transparent proxy bigip_profile_http: name: my_profile proxy_type: transparent provider: password: secret server: lb.mydomain.com user: admin delegate_to: localhost ''' RETURN = r''' description: description: Description of the profile. returned: changed type: str sample: My profile proxy_type: description: Specify proxy mode of the profile. returned: changed type: str sample: explicit insert_xforwarded_for: description: Insert X-Forwarded-For-Header. returned: changed type: bool sample: yes redirect_rewrite: description: Rewrite URI that are part of 3xx responses. returned: changed type: str sample: all encrypt_cookies: description: Cookie names to encrypt. returned: changed type: list sample: ['MyCookie1', 'MyCookie2'] dns_resolver: description: Configured dns resolver. returned: changed type: str sample: '/Common/FooBar' ''' from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import env_fallback try: from library.module_utils.network.f5.bigip import F5RestClient from library.module_utils.network.f5.common import F5ModuleError from library.module_utils.network.f5.common import AnsibleF5Parameters from library.module_utils.network.f5.common import fq_name from library.module_utils.network.f5.common import f5_argument_spec from library.module_utils.network.f5.common import flatten_boolean from library.module_utils.network.f5.common import transform_name from library.module_utils.network.f5.urls import check_header_validity except ImportError: from ansible.module_utils.network.f5.bigip import F5RestClient from ansible.module_utils.network.f5.common import F5ModuleError from ansible.module_utils.network.f5.common import AnsibleF5Parameters from ansible.module_utils.network.f5.common import fq_name from ansible.module_utils.network.f5.common import f5_argument_spec from ansible.module_utils.network.f5.common import flatten_boolean from ansible.module_utils.network.f5.common import transform_name from ansible.module_utils.network.f5.urls import check_header_validity class Parameters(AnsibleF5Parameters): api_map = { 'defaultsFrom': 'parent', 'insertXforwardedFor': 'insert_xforwarded_for', 'redirectRewrite': 'redirect_rewrite', 'encryptCookies': 'encrypt_cookies', 'encryptCookieSecret': 'encrypt_cookie_secret', 'proxyType': 'proxy_type', 'explicitProxy': 'explicit_proxy', 'headerErase': 'header_erase', 'headerInsert': 'header_insert', 'serverAgentName': 'server_agent_name', 'includeSubdomains': 'include_subdomains', 'maximumAge': 'maximum_age', 'mode': 'hsts_mode', } api_attributes = [ 'insertXforwardedFor', 'description', 'defaultsFrom', 'redirectRewrite', 'encryptCookies', 'encryptCookieSecret', 'proxyType', 'explicitProxy', 'headerErase', 'headerInsert', 'hsts', 'serverAgentName', ] returnables = [ 'parent', 'description', 'insert_xforwarded_for', 'redirect_rewrite', 'encrypt_cookies', 'proxy_type', 'explicit_proxy', 'dns_resolver', 'hsts_mode', 'maximum_age', 'include_subdomains', 'server_agent_name', 'header_erase', 'header_insert', ] updatables = [ 'description', 'insert_xforwarded_for', 'redirect_rewrite', 'encrypt_cookies', 'encrypt_cookie_secret', 'proxy_type', 'dns_resolver', 'hsts_mode', 'maximum_age', 'include_subdomains', 'server_agent_name', 'header_erase', 'header_insert', ] class ApiParameters(Parameters): @property def dns_resolver(self): if self._values['explicit_proxy'] is None: return None if 'dnsResolver' in self._values['explicit_proxy']: return self._values['explicit_proxy']['dnsResolver'] @property def dns_resolver_address(self): if self._values['explicit_proxy'] is None: return None if 'dnsResolverReference' in self._values['explicit_proxy']: return self._values['explicit_proxy']['dnsResolverReference'] @property def include_subdomains(self): if self._values['hsts'] is None: return None return self._values['hsts']['includeSubdomains'] @property def hsts_mode(self): if self._values['hsts'] is None: return None return self._values['hsts']['mode'] @property def maximum_age(self): if self._values['hsts'] is None: return None return self._values['hsts']['maximumAge'] class ModuleParameters(Parameters): @property def proxy_type(self): if self._values['proxy_type'] is None: return None if self._values['proxy_type'] == 'explicit': if self.dns_resolver is None or self.dns_resolver == '': raise F5ModuleError( 'A proxy type cannot be set to {0} without providing DNS resolver.'.format(self._values['proxy_type']) ) return self._values['proxy_type'] @property def dns_resolver(self): if self._values['dns_resolver'] is None: return None if self._values['dns_resolver'] == '' or self._values['dns_resolver'] == 'none': return '' result = fq_name(self.partition, self._values['dns_resolver']) return result @property def dns_resolver_address(self): resolver = self.dns_resolver if resolver is None: return None tmp = resolver.split('/') link = dict(link='https://localhost/mgmt/tm/net/dns-resolver/~{0}~{1}'.format(tmp[1], tmp[2])) return link @property def insert_xforwarded_for(self): result = flatten_boolean(self._values['insert_xforwarded_for']) if result is None: return None if result == 'yes': return 'enabled' return 'disabled' @property def parent(self): if self._values['parent'] is None: return None result = fq_name(self.partition, self._values['parent']) return result @property def encrypt_cookies(self): if self._values['encrypt_cookies'] is None: return None if self._values['encrypt_cookies'] == [''] or self._values['encrypt_cookies'] == ['none']: return list() return self._values['encrypt_cookies'] @property def explicit_proxy(self): if self.dns_resolver is None: return None result = dict( dnsResolver=self.dns_resolver, dnsResolverReference=self.dns_resolver_address ) return result @property def include_subdomains(self): result = flatten_boolean(self._values['include_subdomains']) if result is None: return None if result == 'yes': return 'enabled' return 'disabled' @property def maximum_age(self): if self._values['maximum_age'] is None: return None if self._values['maximum_age'] == 'indefinite': return 4294967295 if 0 <= int(self._values['maximum_age']) <= 4294967295: return int(self._values['maximum_age']) raise F5ModuleError( "Valid 'maximum_age' must be in range 0 - 4294967295, or 'indefinite'." ) @property def hsts_mode(self): result = flatten_boolean(self._values['hsts_mode']) if result is None: return None if result == 'yes': return 'enabled' return 'disabled' @property def header_erase(self): header_erase = self._values['header_erase'] if header_erase is None: return None if header_erase in ['none', '']: return self._values['header_erase'] check_header_validity(header_erase) return header_erase @property def header_insert(self): header_insert = self._values['header_insert'] if header_insert is None: return None if header_insert in ['none', '']: return self._values['header_insert'] check_header_validity(header_insert) return header_insert class Changes(Parameters): def to_return(self): result = {} try: for returnable in self.returnables: result[returnable] = getattr(self, returnable) result = self._filter_params(result) except Exception: pass return result class UsableChanges(Changes): @property def explicit_proxy(self): result = dict() if self._values['dns_resolver'] is not None: result['dnsResolver'] = self._values['dns_resolver'] if self._values['dns_resolver_address'] is not None: result['dnsResolverReference'] = self._values['dns_resolver_address'] if not result: return None return result @property def hsts(self): result = dict() if self._values['hsts_mode'] is not None: result['mode'] = self._values['hsts_mode'] if self._values['maximum_age'] is not None: result['maximumAge'] = self._values['maximum_age'] if self._values['include_subdomains'] is not None: result['includeSubdomains'] = self._values['include_subdomains'] if not result: return None return result class ReportableChanges(Changes): @property def insert_xforwarded_for(self): if self._values['insert_xforwarded_for'] is None: return None elif self._values['insert_xforwarded_for'] == 'enabled': return 'yes' return 'no' @property def hsts_mode(self): if self._values['hsts_mode'] is None: return None elif self._values['hsts_mode'] == 'enabled': return 'yes' return 'no' @property def include_subdomains(self): if self._values['include_subdomains'] is None: return None elif self._values['include_subdomains'] == 'enabled': return 'yes' return 'no' @property def maximum_age(self): if self._values['maximum_age'] is None: return None if self._values['maximum_age'] == 4294967295: return 'indefinite' return int(self._values['maximum_age']) class Difference(object): def __init__(self, want, have=None): self.want = want self.have = have def compare(self, param): try: result = getattr(self, param) return result except AttributeError: return self.__default(param) def __default(self, param): attr1 = getattr(self.want, param) try: attr2 = getattr(self.have, param) if attr1 != attr2: return attr1 except AttributeError: return attr1 @property def parent(self): if self.want.parent != self.have.parent: raise F5ModuleError( "The parent http profile cannot be changed" ) @property def dns_resolver(self): if self.want.dns_resolver is None: return None if self.want.dns_resolver == '': if self.have.dns_resolver is None or self.have.dns_resolver == 'none': return None elif self.have.proxy_type == 'explicit' and self.want.proxy_type is None: raise F5ModuleError( "DNS resolver cannot be empty or 'none' if an existing profile proxy type is set to {0}.".format(self.have.proxy_type) ) elif self.have.dns_resolver is not None: return self.want.dns_resolver if self.have.dns_resolver is None: return self.want.dns_resolver @property def header_erase(self): if self.want.header_erase is None: return None if self.want.header_erase in ['none', '']: if self.have.header_erase in [None, 'none']: return None if self.want.header_erase != self.have.header_erase: return self.want.header_erase @property def header_insert(self): if self.want.header_insert is None: return None if self.want.header_insert in ['none', '']: if self.have.header_insert in [None, 'none']: return None if self.want.header_insert != self.have.header_insert: return self.want.header_insert @property def server_agent_name(self): if self.want.server_agent_name is None: return None if self.want.server_agent_name in ['none', '']: if self.have.server_agent_name in [None, 'none']: return None if self.want.server_agent_name != self.have.server_agent_name: return self.want.server_agent_name @property def encrypt_cookies(self): if self.want.encrypt_cookies is None: return None if self.have.encrypt_cookies in [None, []]: if not self.want.encrypt_cookies: return None else: return self.want.encrypt_cookies if set(self.want.encrypt_cookies) != set(self.have.encrypt_cookies): return self.want.encrypt_cookies @property def encrypt_cookie_secret(self): if self.want.encrypt_cookie_secret != self.have.encrypt_cookie_secret: if self.want.update_password == 'always': result = self.want.encrypt_cookie_secret return result class ModuleManager(object): def __init__(self, *args, **kwargs): self.module = kwargs.get('module', None) self.client = F5RestClient(**self.module.params) self.want = ModuleParameters(params=self.module.params) self.have = ApiParameters() self.changes = UsableChanges() def _set_changed_options(self): changed = {} for key in Parameters.returnables: if getattr(self.want, key) is not None: changed[key] = getattr(self.want, key) if changed: self.changes = UsableChanges(params=changed) def _update_changed_options(self): diff = Difference(self.want, self.have) updatables = Parameters.updatables changed = dict() for k in updatables: change = diff.compare(k) if change is None: continue else: if isinstance(change, dict): changed.update(change) else: changed[k] = change if changed: self.changes = UsableChanges(params=changed) return True return False def should_update(self): result = self._update_changed_options() if result: return True return False def exec_module(self): changed = False result = dict() state = self.want.state if state == "present": changed = self.present() elif state == "absent": changed = self.absent() reportable = ReportableChanges(params=self.changes.to_return()) changes = reportable.to_return() result.update(**changes) result.update(dict(changed=changed)) self._announce_deprecations(result) return result def _announce_deprecations(self, result): warnings = result.pop('__warnings', []) for warning in warnings: self.client.module.deprecate( msg=warning['msg'], version=warning['version'] ) def present(self): if self.exists(): return self.update() else: return self.create() def absent(self): if self.exists(): return self.remove() return False def update(self): self.have = self.read_current_from_device() if not self.should_update(): return False if self.module.check_mode: return True self.update_on_device() return True def remove(self): if self.module.check_mode: return True self.remove_from_device() if self.exists(): raise F5ModuleError("Failed to delete the resource.") return True def create(self): self._set_changed_options() if self.module.check_mode: return True self.create_on_device() return True def exists(self): uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.name) ) resp = self.client.api.get(uri) try: response = resp.json() except ValueError: return False if resp.status == 404 or 'code' in response and response['code'] == 404: return False return True def create_on_device(self): params = self.changes.api_params() params['name'] = self.want.name params['partition'] = self.want.partition uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/".format( self.client.provider['server'], self.client.provider['server_port'] ) resp = self.client.api.post(uri, json=params) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if 'code' in response and response['code'] in [400, 403, 404]: if 'message' in response: raise F5ModuleError(response['message']) else: raise F5ModuleError(resp.content) return response['selfLink'] def update_on_device(self): params = self.changes.api_params() uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.name) ) resp = self.client.api.patch(uri, json=params) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if 'code' in response and response['code'] in [400, 404]: if 'message' in response: raise F5ModuleError(response['message']) else: raise F5ModuleError(resp.content) def remove_from_device(self): uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.name) ) response = self.client.api.delete(uri) if response.status == 200: return True raise F5ModuleError(response.content) def read_current_from_device(self): uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.name) ) resp = self.client.api.get(uri) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if 'code' in response and response['code'] == 400: if 'message' in response: raise F5ModuleError(response['message']) else: raise F5ModuleError(resp.content) return ApiParameters(params=response) class ArgumentSpec(object): def __init__(self): self.supports_check_mode = True argument_spec = dict( name=dict(required=True), parent=dict(default='/Common/http'), description=dict(), proxy_type=dict( choices=[ 'reverse', 'transparent', 'explicit' ] ), dns_resolver=dict(), insert_xforwarded_for=dict(type='bool'), redirect_rewrite=dict( choices=[ 'none', 'all', 'matching', 'nodes' ] ), encrypt_cookies=dict(type='list'), encrypt_cookie_secret=dict(no_log=True), update_password=dict( default='always', choices=['always', 'on_create'] ), header_erase=dict(), header_insert=dict(), server_agent_name=dict(), hsts_mode=dict(type='bool'), maximum_age=dict(), include_subdomains=dict(type='bool'), state=dict( default='present', choices=['present', 'absent'] ), partition=dict( default='Common', fallback=(env_fallback, ['F5_PARTITION']) ) ) self.argument_spec = {} self.argument_spec.update(f5_argument_spec) self.argument_spec.update(argument_spec) def main(): spec = ArgumentSpec() module = AnsibleModule( argument_spec=spec.argument_spec, supports_check_mode=spec.supports_check_mode, ) try: mm = ModuleManager(module=module) results = mm.exec_module() module.exit_json(**results) except F5ModuleError as ex: module.fail_json(msg=str(ex)) if __name__ == '__main__': main()