#!/usr/bin/python # -*- coding: utf-8 -*- # # Copyright: (c) 2017, F5 Networks Inc. # GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) from __future__ import absolute_import, division, print_function __metaclass__ = type DOCUMENTATION = r''' --- module: bigip_ssl_certificate short_description: Import/Delete certificates from BIG-IP description: - This module imports/deletes SSL certificates on BIG-IP LTM. Certificates can be imported from certificate and key files on the local disk, in PEM format. version_added: "1.0.0" options: content: description: - Sets the contents of a certificate directly to the specified value. This is used with lookup plugins or for anything with formatting, or - C(content) must be provided when C(state) is C(present). type: str aliases: ['cert_content'] state: description: - Certificate state. This determines if the provided certificate and key is to be made C(present) on the device or C(absent). type: str choices: - present - absent default: present name: description: - SSL Certificate Name. This is the cert name used when importing a certificate into the BIG-IP. It also determines the filenames of the objects on the LTM. type: str required: True issuer_cert: description: - Issuer certificate used for OCSP monitoring. - This parameter is only valid on versions of BIG-IP 13.0.0 or above. type: str true_names: description: - When C(true), the module does not append C(.crt) extension to the given certificate name. - When C(false), the module appends C(.crt) extension to the given certificate name. type: bool default: false version_added: "1.24.0" partition: description: - Device partition to manage resources on. type: str default: Common notes: - This module does not behave like other modules that you might include in roles, where referencing files or templates first looks in the role's files or templates directory. To have it behave that way, use the Ansible file or template lookup (see Examples). The lookups behave as expected in a role context. extends_documentation_fragment: f5networks.f5_modules.f5 requirements: - BIG-IP >= v12 author: - Tim Rupp (@caphrim007) - Wojciech Wypior (@wojtek0806) ''' EXAMPLES = r''' - name: Use a file lookup to import PEM Certificate bigip_ssl_certificate: name: certificate-name state: present content: "{{ lookup('file', '/path/to/cert.crt') }}" provider: server: lb.mydomain.com user: admin password: secret delegate_to: localhost - name: Use a file lookup to import CA certificate chain bigip_ssl_certificate: name: ca-chain-name state: present content: "{{ lookup('file', '/path/to/ca-chain.crt') }}" provider: server: lb.mydomain.com user: admin password: secret delegate_to: localhost - name: Delete Certificate bigip_ssl_certificate: name: certificate-name state: absent provider: server: lb.mydomain.com user: admin password: secret delegate_to: localhost ''' RETURN = r''' cert_name: description: The name of the certificate. returned: created type: str sample: cert1 filename: description: - The name of the SSL certificate. returned: created type: str sample: cert1.crt checksum: description: SHA1 checksum of the cert. returned: changed and created type: str sample: f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0 source_path: description: Path on BIG-IP where the source of the certificate is stored. returned: created type: str sample: /var/config/rest/downloads/cert1.crt ''' import hashlib import os import re from datetime import datetime from ansible.module_utils.basic import ( AnsibleModule, env_fallback ) from ..module_utils.bigip import F5RestClient from ..module_utils.common import ( F5ModuleError, AnsibleF5Parameters, transform_name, f5_argument_spec, fq_name, flatten_boolean ) from ..module_utils.icontrol import ( upload_file, tmos_version ) from ..module_utils.teem import send_teem try: from StringIO import StringIO except ImportError: from io import StringIO class Parameters(AnsibleF5Parameters): download_path = '/var/config/rest/downloads' api_map = { 'sourcePath': 'source_path', 'issuerCert': 'issuer_cert', } updatables = [ 'content', 'issuer_cert', 'source_path', ] returnables = [ 'filename', 'checksum', 'source_path', 'issuer_cert', ] api_attributes = [ 'issuerCert', 'sourcePath', ] class ApiParameters(Parameters): @property def checksum(self): if self._values['checksum'] is None: return None pattern = r'SHA1:\d+:(?P[\w+]{40})' matches = re.match(pattern, self._values['checksum']) if matches: return matches.group('value') else: return None @property def filename(self): return self._values['name'] class ModuleParameters(Parameters): def _get_hash(self, content): k = hashlib.sha1() s = StringIO(content) while True: data = s.read(1024) if not data: break k.update(data.encode('utf-8')) return k.hexdigest() @property def issuer_cert(self): if self._values['issuer_cert'] is None: return None name = fq_name(self.partition, self._values['issuer_cert']) true_name = flatten_boolean(self.true_names) if true_name == ' yes': return self.name else: if name.endswith('.crt'): return name else: return name + '.crt' @property def checksum(self): if self.content is None: return None return self._get_hash(self.content) @property def filename(self): true_name = flatten_boolean(self.true_names) if true_name == 'yes': return self.name else: if self.name.endswith('.crt'): return self.name else: return self.name + '.crt' @property def source_path(self): result = 'file://' + os.path.join( self.download_path, self.filename ) return result class Changes(Parameters): def to_return(self): result = {} try: for returnable in self.returnables: result[returnable] = getattr(self, returnable) result = self._filter_params(result) except Exception: raise return result class ReportableChanges(Changes): pass class UsableChanges(Changes): pass class Difference(object): def __init__(self, want, have=None): self.want = want self.have = have def compare(self, param): try: result = getattr(self, param) return result except AttributeError: result = self.__default(param) return result def __default(self, param): attr1 = getattr(self.want, param) try: attr2 = getattr(self.have, param) if attr1 != attr2: return attr1 except AttributeError: return attr1 @property def source_path(self): if self.want.source_path is None: return None if self.want.source_path == self.have.source_path: if self.content: return self.want.source_path if self.want.source_path != self.have.source_path: return self.want.source_path @property def content(self): if self.want.checksum != self.have.checksum: result = dict( checksum=self.want.checksum, content=self.want.content ) return result class ModuleManager(object): def __init__(self, *args, **kwargs): self.module = kwargs.get('module', None) self.client = F5RestClient(**self.module.params) self.want = ModuleParameters(params=self.module.params) self.have = ApiParameters() self.changes = UsableChanges() def exec_module(self): start = datetime.now().isoformat() version = tmos_version(self.client) changed = False result = dict() state = self.want.state if state == "present": changed = self.present() elif state == "absent": changed = self.absent() reportable = ReportableChanges(params=self.changes.to_return()) changes = reportable.to_return() result.update(**changes) result.update(dict(changed=changed)) self._announce_deprecations(result) send_teem(start, self.client, self.module, version) return result def _announce_deprecations(self, result): warnings = result.pop('__warnings', []) for warning in warnings: self.module.deprecate( msg=warning['msg'], version=warning['version'] ) def present(self): if self.exists(): return self.update() else: return self.create() def create(self): self._set_changed_options() if self.module.check_mode: return True self.create_on_device() self.remove_uploaded_file_from_device(self.want.filename) return True def should_update(self): result = self._update_changed_options() if result: return True return False def update(self): self.have = self.read_current_from_device() if not self.should_update(): return False if self.module.check_mode: return True self.update_on_device() self.remove_uploaded_file_from_device(self.want.filename) return True def absent(self): if self.exists(): return self.remove() return False def remove(self): if self.module.check_mode: return True self.remove_from_device() return True def _set_changed_options(self): changed = {} for key in Parameters.returnables: if getattr(self.want, key) is not None: changed[key] = getattr(self.want, key) if changed: self.changes = UsableChanges(params=changed) def _update_changed_options(self): diff = Difference(self.want, self.have) updatables = Parameters.updatables changed = dict() for k in updatables: change = diff.compare(k) if change is None: continue else: if isinstance(change, dict): changed.update(change) else: changed[k] = change if changed: self.changes = UsableChanges(params=changed) return True return False def remove_uploaded_file_from_device(self, name): filepath = '/var/config/rest/downloads/{0}'.format(name) params = { "command": "run", "utilCmdArgs": filepath } uri = "https://{0}:{1}/mgmt/tm/util/unix-rm".format( self.client.provider['server'], self.client.provider['server_port'] ) resp = self.client.api.post(uri, json=params) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if resp.status in [200, 201] or 'code' in response and response['code'] in [200, 201]: return True raise F5ModuleError(resp.content) def exists(self): uri = "https://{0}:{1}/mgmt/tm/sys/file/ssl-cert/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.filename) ) resp = self.client.api.get(uri) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if resp.status == 404 or 'code' in response and response['code'] == 404: return False if resp.status in [200, 201] or 'code' in response and response['code'] in [200, 201]: return True errors = [401, 403, 409, 500, 501, 502, 503, 504] if resp.status in errors or 'code' in response and response['code'] in errors: if 'message' in response: raise F5ModuleError(response['message']) else: raise F5ModuleError(resp.content) def upload_file_to_device(self, content, name): url = 'https://{0}:{1}/mgmt/shared/file-transfer/uploads'.format( self.client.provider['server'], self.client.provider['server_port'] ) try: upload_file(self.client, url, content, name) except F5ModuleError: raise F5ModuleError( "Failed to upload the file." ) def update_on_device(self): content = StringIO(self.want.content) self.upload_file_to_device(content, self.want.filename) params = self.changes.api_params() uri = "https://{0}:{1}/mgmt/tm/sys/file/ssl-cert/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.filename) ) resp = self.client.api.put(uri, json=params) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if resp.status in [200, 201] or 'code' in response and response['code'] in [200, 201]: return True raise F5ModuleError(resp.content) def create_on_device(self): content = StringIO(self.want.content) self.upload_file_to_device(content, self.want.filename) uri = "https://{0}:{1}/mgmt/tm/sys/file/ssl-cert/".format( self.client.provider['server'], self.client.provider['server_port'], ) params = dict( sourcePath=self.want.source_path, name=self.want.filename, partition=self.want.partition ) resp = self.client.api.post(uri, json=params) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if resp.status not in [200, 201] or 'code' in response and response['code'] not in [200, 201]: raise F5ModuleError(resp.content) # This needs to be done because of the way that BIG-IP creates certificates. # # The extra params (such as OCSP and issuer stuff) are not available in the # payload. In a nutshell, the available resource attributes *change* after # a create so that *more* are available. params = self.want.api_params() if params: uri = "https://{0}:{1}/mgmt/tm/sys/file/ssl-cert/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.filename) ) resp = self.client.api.put(uri, json=params) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if resp.status in [200, 201] or 'code' in response and response['code'] in [200, 201]: return True raise F5ModuleError(resp.content) def read_current_from_device(self): uri = "https://{0}:{1}/mgmt/tm/sys/file/ssl-cert/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.filename) ) query = '?expandSubcollections=true' resp = self.client.api.get(uri + query) try: response = resp.json() except ValueError as ex: raise F5ModuleError(str(ex)) if resp.status in [200, 201] or 'code' in response and response['code'] in [200, 201]: return ApiParameters(params=response) raise F5ModuleError(resp.content) def remove_from_device(self): uri = "https://{0}:{1}/mgmt/tm/sys/file/ssl-cert/{2}".format( self.client.provider['server'], self.client.provider['server_port'], transform_name(self.want.partition, self.want.filename) ) response = self.client.api.delete(uri) if response.status == 200: return True raise F5ModuleError(response.content) class ArgumentSpec(object): def __init__(self): self.supports_check_mode = True argument_spec = dict( name=dict( required=True ), content=dict(aliases=['cert_content']), state=dict( default='present', choices=['absent', 'present'] ), issuer_cert=dict(), true_names=dict( type='bool', default='no' ), partition=dict( default='Common', fallback=(env_fallback, ['F5_PARTITION']) ) ) self.argument_spec = {} self.argument_spec.update(f5_argument_spec) self.argument_spec.update(argument_spec) def main(): spec = ArgumentSpec() module = AnsibleModule( argument_spec=spec.argument_spec, supports_check_mode=spec.supports_check_mode ) try: mm = ModuleManager(module=module) results = mm.exec_module() module.exit_json(**results) except F5ModuleError as ex: module.fail_json(msg=str(ex)) if __name__ == '__main__': main()