#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2018, F5 Networks Inc.
# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function
__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'certified'}

# Module documentation for the bigip_profile_http Ansible module.
# NOTE(review): in this copy the YAML inside DOCUMENTATION, EXAMPLES and RETURN
# is flattened onto long lines. YAML depends on line breaks and indentation, so
# the layout has to be restored before these strings can be parsed as
# documentation. The string contents are left exactly as found.
DOCUMENTATION = r''' --- module: bigip_profile_http short_description: Manage HTTP profiles on a BIG-IP description: - Manage HTTP profiles on a BIG-IP. version_added: 2.7 options: name: description: - Specifies the name of the profile. type: str required: True parent: description: - Specifies the profile from which this profile inherits settings. - When creating a new profile, if this parameter is not specified, the default is the system-supplied C(http) profile. type: str default: /Common/http description: description: - Description of the profile. type: str proxy_type: description: - Specifies the proxy mode for the profile. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - reverse - transparent - explicit dns_resolver: description: - Specifies the name of a configured DNS resolver, this option is mandatory when C(proxy_type) is set to C(explicit). - Format of the name can be either be prepended by partition (C(/Common/foo)), or specified just as an object name (C(foo)). - To remove the entry a value of C(none) or C('') can be set, however the profile C(proxy_type) must not be set as C(explicit). type: str insert_xforwarded_for: description: - When specified system inserts an X-Forwarded-For header in an HTTP request with the client IP address, to use with connection pooling. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool redirect_rewrite: description: - Specifies whether the system rewrites the URIs that are part of HTTP redirect (3XX) responses. 
- When set to C(none) the system will not rewrite the URI in any HTTP redirect responses. - When set to C(all) the system rewrites the URI in all HTTP redirect responses. - When set to C(matching) the system rewrites the URI in any HTTP redirect responses that match the request URI. - When set to C(nodes) if the URI contains a node IP address instead of a host name, the system changes it to the virtual server address. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - none - all - matching - nodes encrypt_cookies: description: - Cookie names for the system to encrypt. - To remove the entry completely a value of C(none) or C('') should be set. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: list encrypt_cookie_secret: description: - Passphrase for cookie encryption. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str update_password: description: - C(always) will update passwords if the C(encrypt_cookie_secret) is specified. - C(on_create) will only set the password for newly created profiles. type: str choices: - always - on_create default: always header_erase: description: - The name of a header, in an HTTP request, which the system removes from request. - To remove the entry completely a value of C(none) or C('') should be set. - The format of the header must be in C(KEY:VALUE) format, otherwise error is raised. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 header_insert: description: - A string that the system inserts as a header in an HTTP request. - To remove the entry completely a value of C(none) or C('') should be set. - The format of the header must be in C(KEY:VALUE) format, otherwise error is raised. 
- When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 server_agent_name: description: - Specifies the string used as the server name in traffic generated by BIG-IP. - To remove the entry completely a value of C(none) or C('') should be set. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 include_subdomains: description: - When set to C(yes), applies the HSTS policy to the HSTS host and its sub-domains. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool version_added: 2.8 maximum_age: description: - Specifies the maximum length of time, in seconds, that HSTS functionality requests that clients only use HTTPS to connect to the current host and any sub-domains of the current host's domain name. - The accepted value range is C(0 - 4294967295) seconds, a value of C(0) seconds re-enables plaintext HTTP access, while specifying C(indefinite) will set it to the maximum value. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.8 hsts_mode: description: - When set to C(yes), enables the HSTS settings. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool version_added: 2.8 accept_xff: description: - Enables or disables trusting the client IP address, and statistics from the client IP address, based on the request's XFF (X-forwarded-for) headers, if they exist. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool version_added: 2.9 xff_alternative_names: description: - Specifies alternative XFF headers instead of the default X-forwarded-for header. 
- When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: list version_added: 2.9 fallback_host: description: - Specifies an HTTP fallback host. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str version_added: 2.9 fallback_status_codes: description: - Specifies one or more HTTP error codes from server responses that should trigger a redirection to the fallback host. - The accepted valid error codes are as defined by rfc2616. - The codes can be specified as individual items or as valid ranges e.g. C(400-417) or C(500-505). - Mixing response code range across error types is invalid e.g. defining C(400-505) will raise an error. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: list version_added: 2.9 oneconnect_transformations: description: - Enables the system to perform HTTP header transformations for the purpose of keeping server-side connections open. This feature requires configuration of a OneConnect profile. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool version_added: 2.9 request_chunking: description: - Specifies how to handle chunked and unchunked requests. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - rechunk - selective - preserve version_added: 2.9 response_chunking: description: - Specifies how to handle chunked and unchunked responses. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - rechunk - selective - preserve version_added: 2.9 enforcement: description: - Specifies protocol enforcement settings for the HTTP profile. 
- When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. suboptions: truncated_redirects: description: - Specifies what happens if a truncated redirect is seen from a server. - If C(yes), the redirect will be forwarded to the client, otherwise the malformed HTTP will be silently ignored. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool excess_client_headers: description: - Specifies the behavior when too many client headers are received. - If set to C(pass-through), will switch to pass through mode, when C(reject) the connection will be rejected. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - reject - pass-through excess_server_headers: description: - Specifies the behavior when too many server headers are received. - If set to C(pass-through), will switch to pass through mode, when C(reject) the connection will be rejected. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - reject - pass-through oversize_client_headers: description: - Specifies the behavior when too-large client headers are received. - If set to C(pass-through), will switch to pass through mode, when C(reject) the connection will be rejected. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - reject - pass-through oversize_server_headers: description: - Specifies the behavior when too-large server headers are received. - If set to C(pass-through), will switch to pass through mode, when C(reject) the connection will be rejected. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. 
type: str choices: - reject - pass-through pipeline: description: - Enables HTTP/1.1 pipelining, allowing clients to make requests even when prior requests have not received a response. - In order for this to succeed, however, destination servers must include support for pipelining. - If set to C(pass-through), pipelined data will cause the BIG-IP to immediately switch to pass-through mode and disable the HTTP filter. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - allow - reject - pass-through unknown_method: description: - Specifies whether to allow, reject or switch to pass-through mode when an unknown HTTP method is parsed. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str choices: - allow - reject - pass-through max_header_count: description: - Specifies the maximum number of headers allowed in HTTP request/response. - The valid value range is between 16 and 4096 inclusive. - When set to C(default) the value of this parameter will be C(64) - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str max_header_size: description: - Specifies the maximum header size specified in bytes. - The valid value range is between 0 and 4294967295 inclusive. - When set to C(default) the value of this parameter will be C(32768) bytes - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str max_requests: description: - Specifies the number of requests that the system accepts on a per-connection basis. - The valid value range is between 0 and 4294967295 inclusive. - When set to C(default) the value of this parameter will be C(0), which means the system will not limit the number of requests per connection. 
- When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: str known_methods: description: - Specifies which HTTP methods count as being known, removing RFC-defined methods from this list will cause the HTTP filter to not recognize them. - "The default list provided with the system include: C(CONNECT), C(DELETE), C(GET), C(HEAD), C(LOCK), C(OPTIONS), C(POST), C(PROPFIND), C(PUT), C(TRACE) ,C(UNLOCK). The list can be appended by by specifying C(default) keyword as one of the list elements." - The C(default) keyword can also be used to restore the default C(known_methods) on the system. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: list type: dict version_added: 2.9 sflow: description: - Specifies sFlow settings for the HTTP profile. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. suboptions: poll_interval: description: - Specifies the maximum interval in seconds between two pollings. - The valid value range is between 0 and 4294967295 seconds inclusive. - For this setting to take effect the C(poll_interval_global) parameter must be set to C(no). - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: int poll_interval_global: description: - Specifies whether the global HTTP poll-interval setting overrides the object-level Cpoll-interval setting. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool sampling_rate: description: - Specifies the ratio of packets observed to the samples generated. For example, a sampling rate of C(2000) specifies that 1 sample will be randomly generated for every 2000 packets observed. - The valid value range is between 0 and 4294967295 packets inclusive. 
- For this setting to take effect the C(sampling_rate_global) parameter must be set to C(no). - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: int sampling_rate_global: description: - Specifies whether the global HTTP sampling-rate setting overrides the object-level sampling-rate setting. - When creating a new profile, if this parameter is not specified, the default is provided by the parent profile. type: bool type: dict version_added: 2.9 partition: description: - Device partition to manage resources on. type: str default: Common state: description: - When C(present), ensures that the profile exists. - When C(absent), ensures the profile is removed. type: str choices: - present - absent default: present extends_documentation_fragment: f5 author: - Wojciech Wypior (@wojtek0806) '''

# NOTE(review): the examples pass a literal provider password for brevity. In a
# real playbook the credential should come from Ansible Vault or the
# environment instead of being stored in plaintext next to the task.
EXAMPLES = r''' - name: Create HTTP profile bigip_profile_http: name: my_profile insert_xforwarded_for: yes redirect_rewrite: all state: present provider: user: admin password: secret server: lb.mydomain.com delegate_to: localhost - name: Remove HTTP profile bigip_profile_http: name: my_profile state: absent provider: server: lb.mydomain.com user: admin password: secret delegate_to: localhost - name: Add HTTP profile for transparent proxy bigip_profile_http: name: my_profile proxy_type: transparent provider: password: secret server: lb.mydomain.com user: admin delegate_to: localhost '''

# Return-value documentation. It has no entry for encrypt_cookie_secret, which
# matches the `returnables` list of the Parameters class below.
RETURN = r''' parent: description: Specifies the profile from which this profile inherits settings. returned: changed type: str sample: /Common/http description: description: Description of the profile. returned: changed type: str sample: My profile proxy_type: description: Specify proxy mode of the profile. returned: changed type: str sample: explicit hsts_mode: description: Enables the HSTS settings. 
returned: changed type: bool sample: no maximum_age: description: The maximum length of time, in seconds, that HSTS functionality requests that clients only use HTTPS. returned: changed type: str sample: indefinite include_subdomains: description: Applies the HSTS policy to the HSTS host and its sub-domains. returned: changed type: bool sample: yes server_agent_name: description: The string used as the server name in traffic generated by BIG-IP. returned: changed type: str sample: foobar header_erase: description: The name of a header, in an HTTP request, which the system removes from request. returned: changed type: str sample: FOO:BAR header_insert: description: The string that the system inserts as a header in an HTTP request. returned: changed type: str sample: FOO:BAR insert_xforwarded_for: description: Insert X-Forwarded-For-Header. returned: changed type: bool sample: yes redirect_rewrite: description: Rewrite URI that are part of 3xx responses. returned: changed type: str sample: all encrypt_cookies: description: Cookie names to encrypt. returned: changed type: list sample: ['MyCookie1', 'MyCookie2'] dns_resolver: description: Configured dns resolver. returned: changed type: str sample: '/Common/FooBar' accept_xff: description: Enables or disables trusting the client IP address, and statistics from the client IP address. returned: changed type: bool sample: yes xff_alternative_names: description: Specifies alternative XFF headers instead of the default X-forwarded-for header. returned: changed type: list sample: ['FooBar', 'client1'] fallback_host: description: Specifies an HTTP fallback host. returned: changed type: str sample: 'foobar.com' fallback_status_codes: description: HTTP error codes from server responses that should trigger a redirection to the fallback host. returned: changed type: list sample: ['400-404', '500', '501'] oneconnect_transformations: description: Enables or disables HTTP header transformations. 
returned: changed type: bool sample: no request_chunking: description: Specifies how to handle chunked and unchunked requests. returned: changed type: str sample: rechunk response_chunking: description: Specifies how to handle chunked and unchunked responses. returned: changed type: str sample: rechunk enforcement: description: Specifies protocol enforcement settings for the HTTP profile. type: complex returned: changed contains: truncated_redirects: description: Specifies what happens if a truncated redirect is seen from a server. returned: changed type: bool sample: yes excess_server_headers: description: Specifies the behavior when too many server headers are received. returned: changed type: str sample: pass-through oversize_client_headers: description: Specifies the behavior when too-large client headers are received. returned: changed type: str sample: reject oversize_server_headers: description: Specifies the behavior when too-large server headers are received. returned: changed type: str sample: reject pipeline: description: Allows, rejects or switches to pass-through mode when dealing with pipelined data. returned: changed type: str sample: allow unknown_method: description: Allows, rejects or switches to pass-through mode when an unknown HTTP method is parsed. returned: changed type: str sample: allow max_header_count: description: The maximum number of headers allowed in HTTP request/response. returned: changed type: str sample: 4096 max_header_size: description: The maximum header size specified in bytes. returned: changed type: str sample: default max_requests: description: The number of requests that the system accepts on a per-connection basis. returned: changed type: str sample: default known_methods: description: The list of known HTTP methods. returned: changed type: list sample: ['default', 'FOO', 'BAR'] sample: hash/dictionary of values sflow: description: Specifies sFlow settings for the HTTP profile. 
type: complex returned: changed contains: poll_interval: description: Specifies the maximum interval in seconds between two pollings. returned: changed type: int sample: 30 poll_interval_global: description: Enables/Disables overriding HTTP poll-interval setting. returned: changed type: bool sample: yes sampling_rate: description: Specifies the ratio of packets observed to the samples generated. returned: changed type: int sample: 2000 sampling_rate_global: description: Enables/Disables overriding HTTP sampling-rate setting. returned: changed type: bool sample: yes sample: hash/dictionary of values '''

import re

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.basic import env_fallback

# Import the F5 helpers from the `library.` package path first and fall back to
# the `ansible.module_utils` path when that one cannot be imported.
try:
    from library.module_utils.network.f5.bigip import F5RestClient
    from library.module_utils.network.f5.common import F5ModuleError
    from library.module_utils.network.f5.common import AnsibleF5Parameters
    from library.module_utils.network.f5.common import fq_name
    from library.module_utils.network.f5.common import f5_argument_spec
    from library.module_utils.network.f5.common import flatten_boolean
    from library.module_utils.network.f5.common import transform_name
    from library.module_utils.network.f5.compare import cmp_simple_list
    from library.module_utils.network.f5.urls import check_header_validity
except ImportError:
    from ansible.module_utils.network.f5.bigip import F5RestClient
    from ansible.module_utils.network.f5.common import F5ModuleError
    from ansible.module_utils.network.f5.common import AnsibleF5Parameters
    from ansible.module_utils.network.f5.common import fq_name
    from ansible.module_utils.network.f5.common import f5_argument_spec
    from ansible.module_utils.network.f5.common import flatten_boolean
    from ansible.module_utils.network.f5.common import transform_name
    from ansible.module_utils.network.f5.compare import cmp_simple_list
    from ansible.module_utils.network.f5.urls import check_header_validity


class Parameters(AnsibleF5Parameters):
    """Shared name tables for the HTTP-profile parameter classes.

    The four attributes are plain data. How AnsibleF5Parameters consumes them
    is not visible in this file, so the notes on each are limited to what the
    literals themselves show.
    """

    # camelCase attribute name -> module option name (the values match option
    # names declared in DOCUMENTATION). Presumably used by the base class to
    # translate API responses; confirm against AnsibleF5Parameters.
    api_map = {
        'defaultsFrom': 'parent',
        'insertXforwardedFor': 'insert_xforwarded_for',
        'redirectRewrite': 'redirect_rewrite',
        'encryptCookies': 'encrypt_cookies',
        'encryptCookieSecret': 'encrypt_cookie_secret',
        'proxyType': 'proxy_type',
        'explicitProxy': 'explicit_proxy',
        'headerErase': 'header_erase',
        'headerInsert': 'header_insert',
        'serverAgentName': 'server_agent_name',
        'includeSubdomains': 'include_subdomains',
        'maximumAge': 'maximum_age',
        'mode': 'hsts_mode',
        'acceptXff': 'accept_xff',
        'xffAlternativeNames': 'xff_alternative_names',
        'fallbackHost': 'fallback_host',
        'fallbackStatusCodes': 'fallback_status_codes',
        'oneconnectTransformations': 'oneconnect_transformations',
        'requestChunking': 'request_chunking',
        'responseChunking': 'response_chunking',
    }

    # camelCase names, including the nested groups 'hsts', 'enforcement' and
    # 'sflow'. Presumably the attributes sent to the REST API; confirm.
    api_attributes = [
        'insertXforwardedFor',
        'description',
        'defaultsFrom',
        'redirectRewrite',
        'encryptCookies',
        'encryptCookieSecret',
        'proxyType',
        'explicitProxy',
        'headerErase',
        'headerInsert',
        'hsts',
        'serverAgentName',
        'acceptXff',
        'xffAlternativeNames',
        'fallbackHost',
        'fallbackStatusCodes',
        'oneconnectTransformations',
        'requestChunking',
        'responseChunking',
        'enforcement',
        'sflow',
    ]

    # Names that Changes.to_return() copies into the module result.
    # 'encrypt_cookie_secret' is deliberately absent here although it is in
    # `updatables`, so the cookie-encryption passphrase is not echoed back in
    # the returned values. Keep it out when extending this list.
    returnables = [
        'parent',
        'description',
        'insert_xforwarded_for',
        'redirect_rewrite',
        'encrypt_cookies',
        'proxy_type',
        'explicit_proxy',
        'dns_resolver',
        'hsts_mode',
        'maximum_age',
        'include_subdomains',
        'server_agent_name',
        'header_erase',
        'header_insert',
        'accept_xff',
        'xff_alternative_names',
        'fallback_host',
        'fallback_status_codes',
        'oneconnect_transformations',
        'request_chunking',
        'response_chunking',
        'truncated_redirects',
        'excess_client_headers',
        'excess_server_headers',
        'oversize_client_headers',
        'oversize_server_headers',
        'pipeline',
        'unknown_method',
        'max_header_count',
        'max_header_size',
        'max_requests',
        'known_methods',
        'poll_interval',
        'poll_interval_global',
        'sampling_rate',
        'sampling_rate_global',
    ]

    # Option names that may be changed on an existing profile (inferred from
    # the name; the consumer of this list is outside this part of the file).
    updatables = [
        'description',
        'insert_xforwarded_for',
        'redirect_rewrite',
        'encrypt_cookies',
        'encrypt_cookie_secret',
        'proxy_type',
        'dns_resolver',
        'hsts_mode',
        'maximum_age',
        'include_subdomains',
        'server_agent_name',
        'header_erase',
        'header_insert',
        'accept_xff',
        'xff_alternative_names',
        'fallback_host',
        'fallback_status_codes',
        'oneconnect_transformations',
        'request_chunking',
        'response_chunking',
        'truncated_redirects',
        'excess_client_headers',
        'excess_server_headers',
        'oversize_client_headers',
        'oversize_server_headers',
        'pipeline',
        'unknown_method',
        'max_header_count',
        'max_header_size',
        'max_requests',
        'known_methods',
        'poll_interval',
        'poll_interval_global',
        'sampling_rate',
        'sampling_rate_global',
    ]


class ApiParameters(Parameters):
    """Read-side view: each property pulls one value out of ``self._values``.

    The properties below index the nested 'sflow' and 'enforcement' entries
    directly, without a None check, so they raise if either entry is missing
    or None. NOTE(review): assumes the device always returns both sub-objects
    for an HTTP profile; confirm.
    """

    @property
    def poll_interval(self):
        return self._values['sflow']['pollInterval']

    @property
    def poll_interval_global(self):
        return self._values['sflow']['pollIntervalGlobal']

    @property
    def sampling_rate(self):
        return self._values['sflow']['samplingRate']

    @property
    def sampling_rate_global(self):
        return self._values['sflow']['samplingRateGlobal']

    @property
    def truncated_redirects(self):
        return self._values['enforcement']['truncatedRedirects']

    @property
    def excess_client_headers(self):
        return self._values['enforcement']['excessClientHeaders']

    @property
    def excess_server_headers(self):
        return self._values['enforcement']['excessServerHeaders']

    @property
    def oversize_client_headers(self):
        return self._values['enforcement']['oversizeClientHeaders']

    @property
    def oversize_server_headers(self):
        return self._values['enforcement']['oversizeServerHeaders']

    @property
    def pipeline(self):
        return self._values['enforcement']['pipeline']

    @property
    def unknown_method(self):
        return self._values['enforcement']['unknownMethod']

    @property
    def max_header_count(self):
        return self._values['enforcement']['maxHeaderCount']

    @property
    def max_header_size(self):
        return self._values['enforcement']['maxHeaderSize']

    @property
    def max_requests(self):
        return self._values['enforcement']['maxRequests']

    @property
    def known_methods(self):
        # The only enforcement key read with .get(): a missing 'knownMethods'
        # yields None instead of raising KeyError.
        return self._values['enforcement'].get('knownMethods', None)
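# ApiParameters, continued: the class statement and its first properties
# precede this point in the file.
    @property
    def dns_resolver(self):
        """Return the 'dnsResolver' value of the explicit-proxy entry, or None."""
        proxy = self._values['explicit_proxy']
        if proxy is None:
            return None
        if 'dnsResolver' in proxy:
            return proxy['dnsResolver']
        return None

    @property
    def dns_resolver_address(self):
        """Return the 'dnsResolverReference' value of the explicit-proxy entry, or None."""
        proxy = self._values['explicit_proxy']
        if proxy is None:
            return None
        if 'dnsResolverReference' in proxy:
            return proxy['dnsResolverReference']
        return None

    @property
    def include_subdomains(self):
        """Return hsts['includeSubdomains'], or None when no 'hsts' entry is set."""
        hsts = self._values['hsts']
        if hsts is None:
            return None
        return hsts['includeSubdomains']

    @property
    def hsts_mode(self):
        """Return hsts['mode'], or None when no 'hsts' entry is set."""
        hsts = self._values['hsts']
        if hsts is None:
            return None
        return hsts['mode']

    @property
    def maximum_age(self):
        """Return hsts['maximumAge'], or None when no 'hsts' entry is set."""
        hsts = self._values['hsts']
        if hsts is None:
            return None
        return hsts['maximumAge']


# Upper bound used by every 32-bit range check in this module.
_UINT32_MAX = 4294967295

# One three-digit code, optionally followed by "-" and a second one. Anchored
# at both ends so that nothing else may surround the code or range.
_FALLBACK_CODE_RE = re.compile(r'([0-9]{3})(?:-([0-9]{3}))?\Z')

# Status-code families accepted for fallback_status_codes: the 4xx and 5xx
# codes of RFC 2616, as the option documentation states (400-417, 500-505).
_FALLBACK_CODE_FAMILIES = ((400, 417), (500, 505))


def _as_enabled_disabled(value):
    """Map a boolean-like option to 'enabled'/'disabled'; None stays None."""
    flag = flatten_boolean(value)
    if flag is None:
        return None
    if flag == 'yes':
        return 'enabled'
    return 'disabled'


def _bounded_int(value, low, high, message):
    """Return ``int(value)`` if it lies in ``[low, high]``.

    Raises:
        F5ModuleError: with ``message`` when the value is out of range or is
            not an integer at all. Non-numeric input used to escape as a bare
            ValueError from ``int()`` instead of the module's own error.
    """
    try:
        number = int(value)
    except (TypeError, ValueError):
        raise F5ModuleError(message)
    if low <= number <= high:
        return number
    raise F5ModuleError(message)


def _is_valid_fallback_code(entry):
    """Tell whether ``entry`` is one allowed code or a range inside one family."""
    match = _FALLBACK_CODE_RE.match(str(entry).strip())
    if match is None:
        return False
    first = int(match.group(1))
    last = int(match.group(2)) if match.group(2) else first
    if first > last:
        return False
    return any(low <= first and last <= high
               for low, high in _FALLBACK_CODE_FAMILIES)


class ModuleParameters(Parameters):
    """Write-side view: validates and normalises the options given by the user."""

    @property
    def accept_xff(self):
        """Return 'enabled'/'disabled' for the accept_xff option.

        Per the option documentation, enabling this makes the profile trust the
        client address taken from a request's X-Forwarded-For header.
        """
        return _as_enabled_disabled(self._values['accept_xff'])

    @property
    def fallback_status_codes(self):
        """Return the configured list after validating every entry.

        Each entry must be a single code or a ``low-high`` range that stays
        within 400-417 or within 500-505. The previous check used unanchored
        regular expressions, which rejected the valid codes 408 and 409 and
        let entries without any three-digit number through unchecked.

        Raises:
            F5ModuleError: if any entry is not a valid code or range.
        """
        codes = self._values['fallback_status_codes']
        if codes is None:
            return None
        for code in codes:
            if not _is_valid_fallback_code(code):
                raise F5ModuleError(
                    'Invalid HTTP error code or error code range specified.'
                )
        return codes

    @property
    def oneconnect_transformations(self):
        """Return 'enabled'/'disabled' for the oneconnect_transformations option."""
        return _as_enabled_disabled(self._values['oneconnect_transformations'])

    @property
    def proxy_type(self):
        """Return the proxy type; 'explicit' additionally requires a DNS resolver.

        Raises:
            F5ModuleError: if the type is 'explicit' and dns_resolver is unset
                or empty.
        """
        proxy_type = self._values['proxy_type']
        if proxy_type is None:
            return None
        if proxy_type == 'explicit':
            if self.dns_resolver is None or self.dns_resolver == '':
                raise F5ModuleError(
                    'A proxy type cannot be set to {0} without providing DNS resolver.'.format(proxy_type)
                )
        return proxy_type

    @property
    def dns_resolver(self):
        """Return the resolver name passed through fq_name; '' means removal."""
        resolver = self._values['dns_resolver']
        if resolver is None:
            return None
        if resolver == '' or resolver == 'none':
            return ''
        return fq_name(self.partition, resolver)

    @property
    def dns_resolver_address(self):
        """Return the REST reference dict for the resolver, or None.

        An empty resolver (the "remove" value) has no reference. It used to
        reach the split below and fail with IndexError.
        NOTE(review): confirm the API accepts an empty resolver without a
        reference.
        """
        resolver = self.dns_resolver
        if not resolver:
            return None
        # Expects "/<partition>/<name>". NOTE(review): a name with extra path
        # components would be cut to its first two parts; confirm whether
        # sub-folders need support here.
        tmp = resolver.split('/')
        link = dict(link='https://localhost/mgmt/tm/net/dns-resolver/~{0}~{1}'.format(tmp[1], tmp[2]))
        return link

    @property
    def insert_xforwarded_for(self):
        """Return 'enabled'/'disabled' for the insert_xforwarded_for option."""
        return _as_enabled_disabled(self._values['insert_xforwarded_for'])

    @property
    def parent(self):
        """Return the parent profile name passed through fq_name, or None."""
        parent = self._values['parent']
        if parent is None:
            return None
        return fq_name(self.partition, parent)

    @property
    def encrypt_cookies(self):
        """Return the cookie names to encrypt; [''] or ['none'] means none."""
        cookies = self._values['encrypt_cookies']
        if cookies is None:
            return None
        if cookies == [''] or cookies == ['none']:
            return list()
        return cookies

    @property
    def explicit_proxy(self):
        """Return the explicit-proxy dict built from the resolver, or None."""
        if self.dns_resolver is None:
            return None
        return dict(
            dnsResolver=self.dns_resolver,
            dnsResolverReference=self.dns_resolver_address
        )

    @property
    def include_subdomains(self):
        """Return 'enabled'/'disabled' for the include_subdomains option."""
        return _as_enabled_disabled(self._values['include_subdomains'])

    @property
    def maximum_age(self):
        """Return the HSTS maximum age in seconds as an int.

        'indefinite' maps to the largest accepted value.

        Raises:
            F5ModuleError: if the value is not an integer in 0 - 4294967295.
        """
        age = self._values['maximum_age']
        if age is None:
            return None
        if age == 'indefinite':
            return _UINT32_MAX
        return _bounded_int(
            age, 0, _UINT32_MAX,
            "Valid 'maximum_age' must be in range 0 - 4294967295, or 'indefinite'."
        )

    @property
    def hsts_mode(self):
        """Return 'enabled'/'disabled' for the hsts_mode option."""
        return _as_enabled_disabled(self._values['hsts_mode'])

    @property
    def header_erase(self):
        """Return the header to erase after check_header_validity accepted it.

        'none' and '' (the removal values) are returned without the check.
        NOTE(review): check_header_validity is defined elsewhere; confirm that
        it rejects CR and LF so a value cannot carry additional header lines.
        """
        header_erase = self._values['header_erase']
        if header_erase is None:
            return None
        if header_erase in ['none', '']:
            return header_erase
        check_header_validity(header_erase)
        return header_erase

    @property
    def header_insert(self):
        """Return the header to insert after check_header_validity accepted it.

        'none' and '' (the removal values) are returned without the check.
        NOTE(review): check_header_validity is defined elsewhere; confirm that
        it rejects CR and LF so a value cannot carry additional header lines.
        """
        header_insert = self._values['header_insert']
        if header_insert is None:
            return None
        if header_insert in ['none', '']:
            return header_insert
        check_header_validity(header_insert)
        return header_insert

    @property
    def excess_client_headers(self):
        """Return enforcement['excess_client_headers'], or None without enforcement."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return enforcement['excess_client_headers']

    @property
    def excess_server_headers(self):
        """Return enforcement['excess_server_headers'], or None without enforcement."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return enforcement['excess_server_headers']

    @property
    def oversize_client_headers(self):
        """Return enforcement['oversize_client_headers'], or None without enforcement."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return enforcement['oversize_client_headers']

    @property
    def oversize_server_headers(self):
        """Return enforcement['oversize_server_headers'], or None without enforcement."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return enforcement['oversize_server_headers']

    @property
    def pipeline(self):
        """Return enforcement['pipeline'], or None without enforcement."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return enforcement['pipeline']

    @property
    def unknown_method(self):
        """Return enforcement['unknown_method'], or None without enforcement."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return enforcement['unknown_method']

    @property
    def truncated_redirects(self):
        """Return 'enabled'/'disabled' for enforcement['truncated_redirects']."""
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        return _as_enabled_disabled(enforcement['truncated_redirects'])

    @property
    def max_header_count(self):
        """Return the header-count limit as an int; 'default' maps to 64.

        Raises:
            F5ModuleError: if the value is not an integer in 16 - 4096.
        """
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        count = enforcement['max_header_count']
        if count is None:
            return None
        if count == 'default':
            return 64
        return _bounded_int(
            count, 16, 4096,
            "Valid 'max_header_count' must be in range 16 - 4096, or 'default'."
        )

    @property
    def max_header_size(self):
        """Return the header-size limit in bytes; 'default' maps to 32768.

        Raises:
            F5ModuleError: if the value is not an integer in 0 - 4294967295.
        """
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        size = enforcement['max_header_size']
        if size is None:
            return None
        if size == 'default':
            return 32768
        return _bounded_int(
            size, 0, _UINT32_MAX,
            "Valid 'max_header_size' must be in range 0 - 4294967295, or 'default'."
        )

    @property
    def max_requests(self):
        """Return the per-connection request limit; 'default' maps to 0.

        Raises:
            F5ModuleError: if the value is not an integer in 0 - 4294967295.
        """
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        requests = enforcement['max_requests']
        if requests is None:
            return None
        if requests == 'default':
            return 0
        return _bounded_int(
            requests, 0, _UINT32_MAX,
            "Valid 'max_requests' must be in range 0 - 4294967295, or 'default'."
        )

    @property
    def known_methods(self):
        """Return the list of known HTTP methods with 'default' expanded.

        ['default'] yields the built-in list, [''] yields an empty list, and a
        list that contains 'default' among other names yields those names
        followed by the built-in list.
        """
        enforcement = self._values['enforcement']
        if enforcement is None:
            return None
        defaults = ['CONNECT', 'DELETE', 'GET', 'HEAD', 'LOCK', 'OPTIONS', 'POST', 'PROPFIND', 'PUT', 'TRACE', 'UNLOCK']
        known = enforcement['known_methods']
        if known is None:
            return None
        if len(known) == 1:
            if known[0] == 'default':
                return defaults
            if known[0] == '':
                return []
        if 'default' in known:
            to_return = [method for method in known if method != 'default']
            to_return.extend(defaults)
            return to_return
        return list(known)

    @property
    def poll_interval(self):
        """Return sflow['poll_interval'] after a 0 - 4294967295 range check.

        Raises:
            F5ModuleError: if the value is outside that range.
        """
        sflow = self._values['sflow']
        if sflow is None:
            return None
        interval = sflow['poll_interval']
        if interval is None:
            return None
        if 0 <= interval <= _UINT32_MAX:
            return interval
        raise F5ModuleError(
            "Valid 'poll_interval' must be in range 0 - 4294967295 seconds."
        )

    @property
    def sampling_rate(self):
        """Return sflow['sampling_rate'] after a 0 - 4294967295 range check.

        Raises:
            F5ModuleError: if the value is outside that range.
        """
        sflow = self._values['sflow']
        if sflow is None:
            return None
        rate = sflow['sampling_rate']
        if rate is None:
            return None
        if 0 <= rate <= _UINT32_MAX:
            return rate
        raise F5ModuleError(
            "Valid 'sampling_rate' must be in range 0 - 4294967295 packets."
        )

    @property
    def poll_interval_global(self):
        """Return flatten_boolean(sflow['poll_interval_global']), unmapped."""
        sflow = self._values['sflow']
        if sflow is None:
            return None
        return flatten_boolean(sflow['poll_interval_global'])

    @property
    def sampling_rate_global(self):
        """Return flatten_boolean(sflow['sampling_rate_global']), unmapped."""
        sflow = self._values['sflow']
        if sflow is None:
            return None
        return flatten_boolean(sflow['sampling_rate_global'])


class Changes(Parameters):
    """Base for change sets; knows how to turn itself into a result dict."""

    def to_return(self):
        """Collect every name in ``returnables`` and filter the result.

        Only names listed in ``returnables`` are read, which is what keeps
        values left out of that list out of the module output.
        """
        result = {}
        try:
            for returnable in self.returnables:
                result[returnable] = getattr(self, returnable)
            result = self._filter_params(result)
        except Exception:
            # NOTE(review): deliberate best effort, kept as is. Any failure is
            # swallowed without a trace, and the dict returned then holds only
            # the names gathered so far, unfiltered. Logging the exception
            # here would make such partial results diagnosable.
            pass
        return result


class UsableChanges(Changes):
    """Change set reshaped into the nested form of the API attributes."""

    @property
    def explicit_proxy(self):
        """Return the explicit-proxy dict of the set resolver values, or None."""
        result = dict()
        if self._values['dns_resolver'] is not None:
            result['dnsResolver'] = self._values['dns_resolver']
        if self._values['dns_resolver_address'] is not None:
            result['dnsResolverReference'] = self._values['dns_resolver_address']
        if not result:
            return None
        return result

    @property
    def hsts(self):
        """Return the 'hsts' dict of the set HSTS values, or None if none is set."""
        result = dict()
        if self._values['hsts_mode'] is not None:
            result['mode'] = self._values['hsts_mode']
        if self._values['maximum_age'] is not None:
            result['maximumAge'] = self._values['maximum_age']
        if self._values['include_subdomains'] is not None:
            result['includeSubdomains'] = self._values['include_subdomains']
        if not result:
            return None
        return result

    @property
    def enforcement(self):
        """Return the filtered 'enforcement' dict, or None when it is empty."""
        to_filter = dict(
            excessClientHeaders=self._values['excess_client_headers'],
            excessServerHeaders=self._values['excess_server_headers'],
            knownMethods=self._values['known_methods'],
            maxHeaderCount=self._values['max_header_count'],
            maxHeaderSize=self._values['max_header_size'],
            maxRequests=self._values['max_requests'],
            oversizeClientHeaders=self._values['oversize_client_headers'],
            oversizeServerHeaders=self._values['oversize_server_headers'],
            pipeline=self._values['pipeline'],
            truncatedRedirects=self._values['truncated_redirects'],
            unknownMethod=self._values['unknown_method']
        )
        result = self._filter_params(to_filter)
        if result:
            return result
        return None

    # NOTE(review): the next property is cut off at the end of this excerpt.
    # Its opening tokens are kept verbatim so the remainder still follows them.
    @property def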
sflow(self): to_filter = dict( pollInterval=self._values['poll_interval'], pollIntervalGlobal=self._values['poll_interval_global'], samplingRate=self._values['sampling_rate'], samplingRateGlobal=self._values['sampling_rate_global'], ) result = self._filter_params(to_filter) if result: return result class ReportableChanges(Changes): returnables = [ 'parent', 'description', 'insert_xforwarded_for', 'redirect_rewrite', 'encrypt_cookies', 'proxy_type', 'explicit_proxy', 'dns_resolver', 'hsts_mode', 'maximum_age', 'include_subdomains', 'server_agent_name', 'header_erase', 'header_insert', 'accept_xff', 'xff_alternative_names', 'fallback_host', 'fallback_status_codes', 'oneconnect_transformations', 'request_chunking', 'response_chunking', 'enforcement', 'sflow' ] @property def insert_xforwarded_for(self): if self._values['insert_xforwarded_for'] is None: return None elif self._values['insert_xforwarded_for'] == 'enabled': return 'yes' return 'no' @property def hsts_mode(self): if self._values['hsts_mode'] is None: return None elif self._values['hsts_mode'] == 'enabled': return 'yes' return 'no' @property def include_subdomains(self): if self._values['include_subdomains'] is None: return None elif self._values['include_subdomains'] == 'enabled': return 'yes' return 'no' @property def maximum_age(self): if self._values['maximum_age'] is None: return None if self._values['maximum_age'] == 4294967295: return 'indefinite' return int(self._values['maximum_age']) @property def truncated_redirects(self): result = flatten_boolean(self._values['truncated_redirects']) return result @property def max_header_count(self): if self._values['max_header_count'] is None: return None if self._values['max_header_count'] == 64: return 'default' return str(self._values['max_header_count']) @property def max_header_size(self): if self._values['max_header_size'] is None: return None if self._values['max_header_size'] == 32768: return 'default' return str(self._values['max_header_size']) 
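# Remaining members of ReportableChanges; its class statement precedes this span.
    @property
    def max_requests(self):
        """Report 0 as 'default', anything else as a string."""
        if self._values['max_requests'] is None:
            return None
        if self._values['max_requests'] == 0:
            return 'default'
        return str(self._values['max_requests'])

    @property
    def known_methods(self):
        """Report the known-methods list in the form a playbook would use.

        An empty list becomes [''], exactly the built-in methods become
        ['default'], and a superset of them becomes the extra methods
        followed by 'default'.
        """
        defaults = ['CONNECT', 'DELETE', 'GET', 'HEAD', 'LOCK', 'OPTIONS', 'POST', 'PROPFIND', 'PUT', 'TRACE', 'UNLOCK']
        known = self._values['known_methods']
        if known is None:
            return None
        if not known:
            return ['']
        if set(known) == set(defaults):
            return ['default']
        if set(known).issuperset(set(defaults)):
            result = [item for item in known if item not in defaults]
            result.append('default')
            return result
        return known

    @property
    def enforcement(self):
        """Return the enforcement sub-dict keyed by module option names.

        Returns None when the filtered dict is empty.
        """
        to_filter = dict(
            excess_client_headers=self._values['excess_client_headers'],
            excess_server_headers=self._values['excess_server_headers'],
            known_methods=self.known_methods,
            max_header_count=self.max_header_count,
            max_header_size=self.max_header_size,
            max_requests=self.max_requests,
            oversize_client_headers=self._values['oversize_client_headers'],
            oversize_server_headers=self._values['oversize_server_headers'],
            pipeline=self._values['pipeline'],
            truncated_redirects=self.truncated_redirects,
            unknown_method=self._values['unknown_method']
        )
        result = self._filter_params(to_filter)
        if result:
            return result

    @property
    def accept_xff(self):
        """Return accept_xff passed through flatten_boolean."""
        result = flatten_boolean(self._values['accept_xff'])
        return result

    @property
    def oneconnect_transformations(self):
        """Return oneconnect_transformations passed through flatten_boolean."""
        result = flatten_boolean(self._values['oneconnect_transformations'])
        return result

    @property
    def sflow(self):
        """Return the sFlow sub-dict keyed by module option names.

        Returns None when the filtered dict is empty.
        """
        to_filter = dict(
            poll_interval=self._values['poll_interval'],
            poll_interval_global=self._values['poll_interval_global'],
            sampling_rate=self._values['sampling_rate'],
            sampling_rate_global=self._values['sampling_rate_global'],
        )
        result = self._filter_params(to_filter)
        if result:
            return result


class Difference(object):
    """Compute, per parameter, what has to change to get from have to want."""

    def __init__(self, want, have=None):
        self.want = want
        self.have = have

    def compare(self, param):
        """Return the change needed for ``param``, or None for no change.

        A property of this class named ``param`` takes precedence; otherwise
        the generic comparison is used. An AttributeError raised inside such
        a property also ends up in the generic comparison.
        """
        try:
            result = getattr(self, param)
            return result
        except AttributeError:
            return self.__default(param)

    def __default(self, param):
        """Return the wanted value when it differs from, or is missing on, have."""
        attr1 = getattr(self.want, param)
        try:
            attr2 = getattr(self.have, param)
            if attr1 != attr2:
                return attr1
        except AttributeError:
            return attr1

    @property
    def parent(self):
        """Reject any attempt to change the parent of an existing profile.

        Raises:
            F5ModuleError: if the wanted parent differs from the current one.
        """
        if self.want.parent != self.have.parent:
            raise F5ModuleError(
                "The parent http profile cannot be changed"
            )

    @property
    def dns_resolver(self):
        """Return the wanted DNS resolver when it has to be sent to the device.

        Raises:
            F5ModuleError: if the resolver is being emptied while the
                existing profile is an explicit proxy and no new proxy type
                is requested.
        """
        if self.want.dns_resolver is None:
            return None
        if self.want.dns_resolver == '':
            if self.have.dns_resolver is None or self.have.dns_resolver == 'none':
                return None
            elif self.have.proxy_type == 'explicit' and self.want.proxy_type is None:
                raise F5ModuleError(
                    "DNS resolver cannot be empty or 'none' if an existing profile proxy type is set to {0}.".format(self.have.proxy_type)
                )
            elif self.have.dns_resolver is not None:
                return self.want.dns_resolver
        # NOTE(review): a non-empty wanted resolver that differs from an
        # already configured one falls through and yields None here --
        # confirm that replacing one resolver with another is handled.
        if self.have.dns_resolver is None:
            return self.want.dns_resolver

    @property
    def header_erase(self):
        """Return the wanted header_erase value when it differs from have."""
        if self.want.header_erase is None:
            return None
        if self.want.header_erase in ['none', '']:
            if self.have.header_erase in [None, 'none']:
                return None
        if self.want.header_erase != self.have.header_erase:
            return self.want.header_erase

    @property
    def header_insert(self):
        """Return the wanted header_insert value when it differs from have."""
        if self.want.header_insert is None:
            return None
        if self.want.header_insert in ['none', '']:
            if self.have.header_insert in [None, 'none']:
                return None
        if self.want.header_insert != self.have.header_insert:
            return self.want.header_insert

    @property
    def server_agent_name(self):
        """Return the wanted server_agent_name when it differs from have."""
        if self.want.server_agent_name is None:
            return None
        if self.want.server_agent_name in ['none', '']:
            if self.have.server_agent_name in [None, 'none']:
                return None
        if self.want.server_agent_name != self.have.server_agent_name:
            return self.want.server_agent_name

    @property
    def encrypt_cookies(self):
        """Return the wanted cookie list when its members differ from have.

        Order is ignored: the lists are compared as sets.
        """
        if self.want.encrypt_cookies is None:
            return None
        if self.have.encrypt_cookies in [None, []]:
            if not self.want.encrypt_cookies:
                return None
            else:
                return self.want.encrypt_cookies
        if set(self.want.encrypt_cookies) != set(self.have.encrypt_cookies):
            return self.want.encrypt_cookies

    @property
    def encrypt_cookie_secret(self):
        """Return the wanted secret only when update_password is 'always'.

        With any other update_password value a differing secret is not
        reported as a change.
        """
        if self.want.encrypt_cookie_secret != self.have.encrypt_cookie_secret:
            if self.want.update_password == 'always':
                result = self.want.encrypt_cookie_secret
                return result

    @property
    def xff_alternative_names(self):
        """Compare the wanted and current lists with cmp_simple_list."""
        result = cmp_simple_list(self.want.xff_alternative_names, self.have.xff_alternative_names)
        return result

    @property
    def fallback_status_codes(self):
        """Compare the wanted and current lists with cmp_simple_list."""
        result = cmp_simple_list(self.want.fallback_status_codes, self.have.fallback_status_codes)
        return result

    @property
    def known_methods(self):
        """Compare the wanted and current lists with cmp_simple_list."""
        result = cmp_simple_list(self.want.known_methods, self.have.known_methods)
        return result


class ModuleManager(object):
    """Drive create, update and removal of one HTTP profile over REST."""

    # Values of the HTTP status, or of the 'code' field in a REST error
    # body, that mean the request was not carried out.
    _error_codes = [400, 401, 403, 404, 409, 500, 501, 502, 503, 504]

    def __init__(self, *args, **kwargs):
        self.module = kwargs.get('module', None)
        self.client = F5RestClient(**self.module.params)
        self.want = ModuleParameters(params=self.module.params)
        self.have = ApiParameters()
        self.changes = UsableChanges()

    def _raise_for_error(self, resp, response):
        """Raise F5ModuleError when a REST reply reports a failure.

        Args:
            resp: the response object returned by the REST client.
            response: the decoded JSON body of ``resp``.

        Raises:
            F5ModuleError: with the body's 'message' when present, else with
                the raw response content.
        """
        failed = resp.status in self._error_codes or (
            'code' in response and response['code'] in self._error_codes
        )
        if not failed:
            return
        if 'message' in response:
            raise F5ModuleError(response['message'])
        raise F5ModuleError(resp.content)

    def _set_changed_options(self):
        """Seed self.changes with every wanted returnable that is set."""
        changed = {}
        for key in Parameters.returnables:
            value = getattr(self.want, key)
            if value is not None:
                changed[key] = value
        if changed:
            self.changes = UsableChanges(params=changed)

    def _update_changed_options(self):
        """Store the differences between want and have in self.changes.

        Returns:
            True when at least one updatable parameter differs.
        """
        diff = Difference(self.want, self.have)
        updatables = Parameters.updatables
        changed = dict()
        for k in updatables:
            change = diff.compare(k)
            if change is None:
                continue
            if isinstance(change, dict):
                changed.update(change)
            else:
                changed[k] = change
        if changed:
            self.changes = UsableChanges(params=changed)
            return True
        return False

    def should_update(self):
        """Return True when the device differs from the wanted state."""
        result = self._update_changed_options()
        if result:
            return True
        return False

    def exec_module(self):
        """Apply the requested state and return the module result dict."""
        changed = False
        result = dict()
        state = self.want.state

        if state == "present":
            changed = self.present()
        elif state == "absent":
            changed = self.absent()

        reportable = ReportableChanges(params=self.changes.to_return())
        changes = reportable.to_return()
        result.update(**changes)
        result.update(dict(changed=changed))
        self._announce_deprecations(result)
        return result

    def _announce_deprecations(self, result):
        """Emit a deprecation notice for every '__warnings' entry in result."""
        warnings = result.pop('__warnings', [])
        for warning in warnings:
            self.client.module.deprecate(
                msg=warning['msg'],
                version=warning['version']
            )

    def present(self):
        """Update the profile when it exists, otherwise create it."""
        if self.exists():
            return self.update()
        else:
            return self.create()

    def absent(self):
        """Remove the profile when it exists; return whether anything changed."""
        if self.exists():
            return self.remove()
        return False

    def update(self):
        """Push pending differences to the device unless in check mode."""
        self.have = self.read_current_from_device()
        if not self.should_update():
            return False
        if self.module.check_mode:
            return True
        self.update_on_device()
        return True

    def remove(self):
        """Delete the profile and verify that it is gone.

        Raises:
            F5ModuleError: if the profile still exists after the delete.
        """
        if self.module.check_mode:
            return True
        self.remove_from_device()
        if self.exists():
            raise F5ModuleError("Failed to delete the resource.")
        return True

    def create(self):
        """Create the profile from the wanted options unless in check mode."""
        self._set_changed_options()
        if self.module.check_mode:
            return True
        self.create_on_device()
        return True

    def exists(self):
        """Return whether the profile is present on the device.

        A reply that is not JSON, or a 404, counts as absent.

        Raises:
            F5ModuleError: if the device answers with any other error, so
                that a failed lookup (for example a rejected login) is not
                mistaken for an existing profile.
        """
        uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        resp = self.client.api.get(uri)
        try:
            response = resp.json()
        except ValueError:
            return False
        if resp.status == 404 or 'code' in response and response['code'] == 404:
            return False
        self._raise_for_error(resp, response)
        return True

    def create_on_device(self):
        """POST the new profile and return its selfLink.

        Raises:
            F5ModuleError: if the reply is not JSON or reports an error.
        """
        params = self.changes.api_params()
        params['name'] = self.want.name
        params['partition'] = self.want.partition
        uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/".format(
            self.client.provider['server'],
            self.client.provider['server_port']
        )
        resp = self.client.api.post(uri, json=params)
        try:
            response = resp.json()
        except ValueError as ex:
            raise F5ModuleError(str(ex))

        # Previously only 400, 403 and 404 were checked; any other error
        # body reached the selfLink lookup below and failed with a KeyError.
        self._raise_for_error(resp, response)
        return response['selfLink']

    def update_on_device(self):
        """PATCH the pending changes onto the existing profile.

        Raises:
            F5ModuleError: if the reply is not JSON or reports an error.
        """
        params = self.changes.api_params()
        uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        resp = self.client.api.patch(uri, json=params)
        try:
            response = resp.json()
        except ValueError as ex:
            raise F5ModuleError(str(ex))

        # Previously only 400 and 404 were checked, so a PATCH rejected with
        # another error was reported as a successful change while the
        # profile (HSTS, enforcement limits, ...) stayed as it was.
        self._raise_for_error(resp, response)

    def remove_from_device(self):
        """DELETE the profile.

        Raises:
            F5ModuleError: if the device does not answer with status 200.
        """
        uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        response = self.client.api.delete(uri)
        if response.status == 200:
            return True
        raise F5ModuleError(response.content)

    def read_current_from_device(self):
        """GET the profile and wrap the reply in ApiParameters.

        Raises:
            F5ModuleError: if the reply is not JSON or reports an error.
        """
        uri = "https://{0}:{1}/mgmt/tm/ltm/profile/http/{2}".format(
            self.client.provider['server'],
            self.client.provider['server_port'],
            transform_name(self.want.partition, self.want.name)
        )
        resp = self.client.api.get(uri)
        try:
            response = resp.json()
        except ValueError as ex:
            raise F5ModuleError(str(ex))

        # Previously only 400 was checked, so any other error body was
        # parsed as if it were the profile's current configuration.
        self._raise_for_error(resp, response)
        return ApiParameters(params=response)


class ArgumentSpec(object):
    """Build the Ansible argument specification for this module."""

    def __init__(self):
        self.supports_check_mode = True
        self.chunk = ['rechunk', 'selective', 'preserve']
        self.choices = ['pass-through', 'reject']
        self.select = ['allow', 'pass-through', 'reject']
        argument_spec = dict(
            name=dict(required=True),
            parent=dict(default='/Common/http'),
            description=dict(),
            accept_xff=dict(type='bool'),
            xff_alternative_names=dict(type='list'),
            fallback_host=dict(),
            fallback_status_codes=dict(type='list'),
            oneconnect_transformations=dict(type='bool'),
            request_chunking=dict(choices=self.chunk),
            response_chunking=dict(choices=self.chunk),
            proxy_type=dict(
                choices=[
                    'reverse',
                    'transparent',
                    'explicit'
                ]
            ),
            dns_resolver=dict(),
            insert_xforwarded_for=dict(type='bool'),
            redirect_rewrite=dict(
                choices=[
                    'none',
                    'all',
                    'matching',
                    'nodes'
                ]
            ),
            encrypt_cookies=dict(type='list'),
            # no_log keeps the cookie-encryption passphrase out of Ansible
            # output and logs.
            encrypt_cookie_secret=dict(no_log=True),
            update_password=dict(
                default='always',
                choices=['always', 'on_create']
            ),
            header_erase=dict(),
            header_insert=dict(),
            server_agent_name=dict(),
            hsts_mode=dict(type='bool'),
            maximum_age=dict(),
            include_subdomains=dict(type='bool'),
            enforcement=dict(
                type='dict',
                options=dict(
                    truncated_redirects=dict(type='bool'),
                    excess_client_headers=dict(choices=self.choices),
                    excess_server_headers=dict(choices=self.choices),
                    oversize_client_headers=dict(choices=self.choices),
                    oversize_server_headers=dict(choices=self.choices),
                    pipeline=dict(choices=self.select),
                    unknown_method=dict(choices=self.select),
                    max_header_count=dict(),
                    max_header_size=dict(),
                    max_requests=dict(),
                    known_methods=dict(type='list'),
                )
            ),
            sflow=dict(
                type='dict',
                options=dict(
                    poll_interval=dict(type='int'),
                    poll_interval_global=dict(type='bool'),
                    sampling_rate=dict(type='int'),
                    sampling_rate_global=dict(type='bool'),
                )
            ),
            state=dict(
                default='present',
                choices=['present', 'absent']
            ),
            partition=dict(
                default='Common',
                fallback=(env_fallback, ['F5_PARTITION'])
            )
        )
        self.argument_spec = {}
        self.argument_spec.update(f5_argument_spec)
        self.argument_spec.update(argument_spec)


def main():
    """Module entry point: run the manager and report success or failure."""
    spec = ArgumentSpec()

    module = AnsibleModule(
        argument_spec=spec.argument_spec,
        supports_check_mode=spec.supports_check_mode,
    )

    try:
        mm = ModuleManager(module=module)
        results = mm.exec_module()
        module.exit_json(**results)
    except F5ModuleError as ex:
        module.fail_json(msg=str(ex))


if __name__ == '__main__':
    main()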