diff --git a/lib/ansible/modules/storage/netapp/na_ontap_vserver_cifs_security.py b/lib/ansible/modules/storage/netapp/na_ontap_vserver_cifs_security.py
new file mode 100644
index 0000000000..afb66d2ee2
--- /dev/null
+++ b/lib/ansible/modules/storage/netapp/na_ontap_vserver_cifs_security.py
@@ -0,0 +1,282 @@
+#!/usr/bin/python
+
+# (c) 2018-2019, NetApp, Inc
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+ 'status': ['preview'],
+ 'supported_by': 'certified'}
+
+DOCUMENTATION = '''
+---
+module: na_ontap_vserver_cifs_security
+short_description: NetApp ONTAP vserver CIFS security modification
+extends_documentation_fragment:
+ - netapp.na_ontap
+version_added: '2.9'
+author: NetApp Ansible Team (@carchi8py)
+
+description:
+ - modify vserver CIFS security.
+
+options:
+
+ vserver:
+ description:
+ - name of the vserver.
+ required: true
+ type: str
+
+ kerberos_clock_skew:
+ description:
+ - The clock skew in minutes is the tolerance for accepting tickets with time stamps that do not exactly match the host's system clock.
+ type: int
+
+ kerberos_ticket_age:
+ description:
+ - Determine the maximum amount of time in hours that a user's ticket may be used for the purpose of Kerberos authentication.
+ type: int
+
+ kerberos_renew_age:
+ description:
+ - Determine the maximum amount of time in days for which a ticket can be renewed.
+ type: int
+
+ kerberos_kdc_timeout:
+ description:
+ - Determine the timeout value in seconds for KDC connections.
+ type: int
+
+ is_signing_required:
+ description:
+ - Determine whether signing is required for incoming CIFS traffic.
+ type: bool
+
+ is_password_complexity_required:
+ description:
+ - Determine whether password complexity is required for local users.
+ type: bool
+
+ is_aes_encryption_enabled:
+ description:
+ - Determine whether AES-128 and AES-256 encryption mechanisms are enabled for Kerberos-related CIFS communication.
+ type: bool
+
+ is_smb_encryption_required:
+ description:
+ - Determine whether SMB encryption is required for incoming CIFS traffic.
+ type: bool
+
+ lm_compatibility_level:
+ description:
+ - Determine the LM compatibility level.
+ choices: ['lm_ntlm_ntlmv2_krb', 'ntlm_ntlmv2_krb', 'ntlmv2_krb', 'krb']
+ type: str
+
+ referral_enabled_for_ad_ldap:
+ description:
+ - Determine whether LDAP referral chasing is enabled or not for AD LDAP connections.
+ type: bool
+
+ session_security_for_ad_ldap:
+ description:
+ - Determine the level of security required for LDAP communications.
+ choices: ['none', 'sign', 'seal']
+ type: str
+
+ smb1_enabled_for_dc_connections:
+ description:
+ - Determine if SMB version 1 is used for connections to domain controllers.
+ choices: ['false', 'true', 'system_default']
+ type: str
+
+ smb2_enabled_for_dc_connections:
+ description:
+ - Determine if SMB version 2 is used for connections to domain controllers.
+ choices: ['false', 'true', 'system_default']
+ type: str
+
+ use_start_tls_for_ad_ldap:
+ description:
+ - Determine whether to use start_tls for AD LDAP connections.
+ type: bool
+
+'''
+
+EXAMPLES = '''
+ - name: modify cifs security
+ na_ontap_vserver_cifs_security:
+ vserver: ansible
+ hostname: "{{ hostname }}"
+ kerberos_clock_skew: 5
+ kerberos_ticket_age: 5
+ kerberos_renew_age: 10
+ kerberos_kdc_timeout: 5
+ is_signing_required: true
+ is_password_complexity_required: true
+ is_aes_encryption_enabled: true
+ is_smb_encryption_required: true
+ lm_compatibility_level: krb
+ smb1_enabled_for_dc_connections: true
+ smb2_enabled_for_dc_connections: true
+ use_start_tls_for_ad_ldap: true
+ username: username
+ password: password
+
+ - name: modify cifs security
+ na_ontap_vserver_cifs_security:
+ vserver: ansible
+ hostname: "{{ hostname }}"
+ referral_enabled_for_ad_ldap: true
+ username: username
+ password: password
+
+ - name: modify cifs security
+ na_ontap_vserver_cifs_security:
+ vserver: ansible
+ hostname: "{{ hostname }}"
+ session_security_for_ad_ldap: true
+ username: username
+ password: password
+'''
+
+RETURN = '''
+'''
+
+import traceback
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_native
+import ansible.module_utils.netapp as netapp_utils
+from ansible.module_utils.netapp_module import NetAppModule
+
+HAS_NETAPP_LIB = netapp_utils.has_netapp_lib()
+
+
+class NetAppONTAPCifsSecurity(object):
+ '''
+ modify vserver cifs security
+ '''
+ def __init__(self):
+
+ self.argument_spec = netapp_utils.na_ontap_host_argument_spec()
+ self.argument_spec.update(dict(
+ vserver=dict(required=True, type='str'),
+ kerberos_clock_skew=dict(required=False, type='int'),
+ kerberos_ticket_age=dict(required=False, type='int'),
+ kerberos_renew_age=dict(required=False, type='int'),
+ kerberos_kdc_timeout=dict(required=False, type='int'),
+ is_signing_required=dict(required=False, type='bool'),
+ is_password_complexity_required=dict(required=False, type='bool'),
+ is_aes_encryption_enabled=dict(required=False, type='bool'),
+ is_smb_encryption_required=dict(required=False, type='bool'),
+ lm_compatibility_level=dict(required=False, choices=['lm_ntlm_ntlmv2_krb', 'ntlm_ntlmv2_krb', 'ntlmv2_krb', 'krb']),
+ referral_enabled_for_ad_ldap=dict(required=False, type='bool'),
+ session_security_for_ad_ldap=dict(required=False, choices=['none', 'sign', 'seal']),
+ smb1_enabled_for_dc_connections=dict(required=False, choices=['false', 'true', 'system_default']),
+ smb2_enabled_for_dc_connections=dict(required=False, choices=['false', 'true', 'system_default']),
+ use_start_tls_for_ad_ldap=dict(required=False, type='bool')
+ ))
+
+ self.module = AnsibleModule(
+ argument_spec=self.argument_spec,
+ supports_check_mode=True
+ )
+
+ self.na_helper = NetAppModule()
+ self.parameters = self.na_helper.set_parameters(self.module.params)
+
+ if HAS_NETAPP_LIB is False:
+ self.module.fail_json(msg="the python NetApp-Lib module is required")
+ else:
+ self.server = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=self.parameters['vserver'])
+
+ def cifs_security_get_iter(self):
+ """
+ get current vserver cifs security.
+ :return: a dict of vserver cifs security
+ """
+ cifs_security_get = netapp_utils.zapi.NaElement('cifs-security-get-iter')
+ query = netapp_utils.zapi.NaElement('query')
+ cifs_security = netapp_utils.zapi.NaElement('cifs-security')
+ cifs_security.add_new_child('vserver', self.parameters['vserver'])
+ query.add_child_elem(cifs_security)
+ cifs_security_get.add_child_elem(query)
+ cifs_security_details = dict()
+ try:
+ result = self.server.invoke_successfully(cifs_security_get, enable_tunneling=True)
+ except netapp_utils.zapi.NaApiError as error:
+ self.module.fail_json(msg='Error fetching cifs security from %s: %s'
+ % (self.parameters['vserver'], to_native(error)),
+ exception=traceback.format_exc())
+ if result.get_child_by_name('num-records') and int(result.get_child_content('num-records')) > 0:
+ cifs_security_info = result.get_child_by_name('attributes-list').get_child_by_name('cifs-security')
+ cifs_security_details['kerberos_clock_skew'] = cifs_security_info.get_child_content('kerberos-clock-skew')
+ cifs_security_details['kerberos_ticket_age'] = cifs_security_info.get_child_content('kerberos-ticket-age')
+ cifs_security_details['kerberos_renew_age'] = cifs_security_info.get_child_content('kerberos-renew-age')
+ cifs_security_details['kerberos_kdc_timeout'] = cifs_security_info.get_child_content('kerberos-kdc-timeout')
+ cifs_security_details['is_signing_required'] = bool(cifs_security_info.get_child_content('is-signing-required'))
+ cifs_security_details['is_password_complexity_required'] = bool(cifs_security_info.get_child_content('is-password-complexity-required'))
+ cifs_security_details['is_aes_encryption_enabled'] = bool(cifs_security_info.get_child_content('is-aes-encryption-enabled'))
+ cifs_security_details['is_smb_encryption_required'] = bool(cifs_security_info.get_child_content('is-smb-encryption-required'))
+ cifs_security_details['lm_compatibility_level'] = cifs_security_info.get_child_content('lm-compatibility-level')
+ cifs_security_details['referral_enabled_for_ad_ldap'] = bool(cifs_security_info.get_child_content('referral-enabled-for-ad-ldap'))
+ cifs_security_details['session_security_for_ad_ldap'] = cifs_security_info.get_child_content('session-security-for-ad-ldap')
+ cifs_security_details['smb1_enabled_for_dc_connections'] = cifs_security_info.get_child_content('smb1-enabled-for-dc-connections')
+ cifs_security_details['smb2_enabled_for_dc_connections'] = cifs_security_info.get_child_content('smb2-enabled-for-dc-connections')
+ cifs_security_details['use_start_tls_for_ad_ldap'] = bool(cifs_security_info.get_child_content('use-start-tls-for-ad-ldap'))
+ return cifs_security_details
+ return None
+
+ def cifs_security_modify(self, modify):
+ """
+ :param modify: A list of attributes to modify
+ :return: None
+ """
+ cifs_security_modify = netapp_utils.zapi.NaElement('cifs-security-modify')
+ for attribute in modify:
+ cifs_security_modify.add_new_child(self.attribute_to_name(attribute), str(self.parameters[attribute]))
+ try:
+ self.server.invoke_successfully(cifs_security_modify, enable_tunneling=True)
+ except netapp_utils.zapi.NaApiError as e:
+ self.module.fail_json(msg='Error modifying cifs security on %s: %s'
+ % (self.parameters['vserver'], to_native(e)),
+ exception=traceback.format_exc())
+
+ @staticmethod
+ def attribute_to_name(attribute):
+ return str.replace(attribute, '_', '-')
+
+ def apply(self):
+ """Call modify operations."""
+ self.asup_log_for_cserver("na_ontap_vserver_cifs_security")
+ current = self.cifs_security_get_iter()
+ modify = self.na_helper.get_modified_attributes(current, self.parameters)
+ if self.na_helper.changed:
+ if self.module.check_mode:
+ pass
+ else:
+ if modify:
+ self.cifs_security_modify(modify)
+ self.module.exit_json(changed=self.na_helper.changed)
+
+ def asup_log_for_cserver(self, event_name):
+ """
+ Fetch admin vserver for the given cluster
+ Create and Autosupport log event with the given module name
+ :param event_name: Name of the event log
+ :return: None
+ """
+ results = netapp_utils.get_cserver(self.server)
+ cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results)
+ netapp_utils.ems_log_event(event_name, cserver)
+
+
+def main():
+ obj = NetAppONTAPCifsSecurity()
+ obj.apply()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/test/units/modules/storage/netapp/test_na_ontap_vserver_cifs_security.py b/test/units/modules/storage/netapp/test_na_ontap_vserver_cifs_security.py
new file mode 100644
index 0000000000..d6dd0129fd
--- /dev/null
+++ b/test/units/modules/storage/netapp/test_na_ontap_vserver_cifs_security.py
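Review bot: The six `bool(cifs_security_info.get_child_content(...))` lines in cifs_security_get_iter are wrong for the off state: ZAPI returns the string 'false', and `bool('false')` is True, so the current value of is_signing_required, is_password_complexity_required, is_aes_encryption_enabled, is_smb_encryption_required, referral_enabled_for_ad_ldap and use_start_tls_for_ad_ldap always reads as True whenever the element is present. A play that sets `is_signing_required: true` or `is_smb_encryption_required: true` against a vserver where they are off therefore sees no difference in get_modified_attributes, skips cifs-security-modify and reports ok, leaving SMB signing/encryption disabled while the automation claims to have enforced them. Compare against the literal instead of calling bool(), as in the excerpt below, so that only 'true' maps to True and a missing element still maps to False. Relatedly, cifs_security_modify sends `str(self.parameters[attribute])`, i.e. 'True'/'False' for bool parameters, whereas the get side returns 'true'/'false'; I would confirm the API accepts the capitalised form or lower-case it explicitly. The EXAMPLES block also shows `session_security_for_ad_ldap: true`, which is not one of the documented choices none/sign/seal and will be rejected by the argument spec.
```python
            # … unchanged: kerberos_* fields …
            # ZAPI booleans arrive as the strings 'true'/'false'; bool() would be True for both
            cifs_security_details['is_signing_required'] = cifs_security_info.get_child_content('is-signing-required') == 'true'
            cifs_security_details['is_password_complexity_required'] = cifs_security_info.get_child_content('is-password-complexity-required') == 'true'
            cifs_security_details['is_aes_encryption_enabled'] = cifs_security_info.get_child_content('is-aes-encryption-enabled') == 'true'
            cifs_security_details['is_smb_encryption_required'] = cifs_security_info.get_child_content('is-smb-encryption-required') == 'true'
            # … unchanged: lm_compatibility_level …
            cifs_security_details['referral_enabled_for_ad_ldap'] = cifs_security_info.get_child_content('referral-enabled-for-ad-ldap') == 'true'
            # … unchanged: session_security_for_ad_ldap, smb1/smb2_enabled_for_dc_connections …
            cifs_security_details['use_start_tls_for_ad_ldap'] = cifs_security_info.get_child_content('use-start-tls-for-ad-ldap') == 'true'
```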
@@ -0,0 +1,161 @@
+# (c) 2019, NetApp, Inc
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+''' unit test template for ONTAP Ansible module '''
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+import json
+import pytest
+
+from units.compat import unittest
+from units.compat.mock import patch, Mock
+from ansible.module_utils import basic
+from ansible.module_utils._text import to_bytes
+import ansible.module_utils.netapp as netapp_utils
+
+from ansible.modules.storage.netapp.na_ontap_vserver_cifs_security \
+ import NetAppONTAPCifsSecurity as cifs_security_module # module under test
+
+if not netapp_utils.has_netapp_lib():
+ pytestmark = pytest.mark.skip('skipping as missing required netapp_lib')
+
+
+def set_module_args(args):
+ """prepare arguments so that they will be picked up during module creation"""
+ args = json.dumps({'ANSIBLE_MODULE_ARGS': args})
+ basic._ANSIBLE_ARGS = to_bytes(args) # pylint: disable=protected-access
+
+
+class AnsibleExitJson(Exception):
+ """Exception class to be raised by module.exit_json and caught by the test case"""
+ pass
+
+
+class AnsibleFailJson(Exception):
+ """Exception class to be raised by module.fail_json and caught by the test case"""
+ pass
+
+
+def exit_json(*args, **kwargs): # pylint: disable=unused-argument
+ """function to patch over exit_json; package return data into an exception"""
+ if 'changed' not in kwargs:
+ kwargs['changed'] = False
+ raise AnsibleExitJson(kwargs)
+
+
+def fail_json(*args, **kwargs): # pylint: disable=unused-argument
+ """function to patch over fail_json; package return data into an exception"""
+ kwargs['failed'] = True
+ raise AnsibleFailJson(kwargs)
+
+
+class MockONTAPConnection(object):
+ ''' mock server connection to ONTAP host '''
+
+ def __init__(self, kind=None, data=None):
+ ''' save arguments '''
+ self.type = kind
+ self.data = data
+ self.xml_in = None
+ self.xml_out = None
+
+ def invoke_successfully(self, xml, enable_tunneling): # pylint: disable=unused-argument
+ ''' mock invoke_successfully returning xml data '''
+ self.xml_in = xml
+ if self.type == 'cifs_security':
+ xml = self.build_port_info(self.data)
+ if self.type == 'error':
+ error = netapp_utils.zapi.NaApiError('test', 'error')
+ raise error
+ self.xml_out = xml
+ return xml
+
+ @staticmethod
+ def build_port_info(cifs_security_details):
+ ''' build xml data for cifs-security '''
+ xml = netapp_utils.zapi.NaElement('xml')
+ attributes = {
+ 'num-records': 1,
+ 'attributes-list': {
+ 'cifs-security': {
+ 'is_aes_encryption_enabled': cifs_security_details['is_aes_encryption_enabled'],
+ 'lm_compatibility_level': cifs_security_details['lm_compatibility_level']
+ }
+ }
+ }
+ xml.translate_struct(attributes)
+ return xml
+
+
+class TestMyModule(unittest.TestCase):
+ ''' a group of related Unit Tests '''
+
+ def setUp(self):
+ self.mock_module_helper = patch.multiple(basic.AnsibleModule,
+ exit_json=exit_json,
+ fail_json=fail_json)
+ self.mock_module_helper.start()
+ self.addCleanup(self.mock_module_helper.stop)
+ self.mock_cifs_security = {
+ 'is_aes_encryption_enabled': 'true',
+ 'lm_compatibility_level': 'krb'
+ }
+
+ def mock_args(self):
+ return {
+ 'is_aes_encryption_enabled': self.mock_cifs_security['is_aes_encryption_enabled'],
+ 'lm_compatibility_level': self.mock_cifs_security['lm_compatibility_level'],
+ 'vserver': 'ansible',
+ 'hostname': 'test',
+ 'username': 'test_user',
+ 'password': 'test_pass!',
+ 'https': 'False'
+ }
+
+ def get_cifs_security_mock_object(self, kind=None):
+ """
+ Helper method to return an na_ontap_vserver_cifs_security object
+ :param kind: passes this param to MockONTAPConnection()
+ :return: na_ontap_vserver_cifs_security object
+ """
+ obj = cifs_security_module()
+ obj.asup_log_for_cserver = Mock(return_value=None)
+ obj.server = Mock()
+ obj.server.invoke_successfully = Mock()
+ if kind is None:
+ obj.server = MockONTAPConnection()
+ else:
obj.server = MockONTAPConnection(kind=kind, data=self.mock_cifs_security)
+ return obj
+
+ @patch('ansible.modules.storage.netapp.na_ontap_vserver_cifs_security.NetAppONTAPCifsSecurity.cifs_security_get_iter')
+ def test_successful_modify(self, get_cifs_security):
+ ''' Test successful modify max throughput '''
+ data = self.mock_args()
+ set_module_args(data)
+ current = {
+ 'is_aes_encryption_enabled': False,
+ 'lm_compatibility_level': 'lm_ntlm_ntlmv2_krb'
+ }
+ get_cifs_security.side_effect = [
+ current
+ ]
+ with pytest.raises(AnsibleExitJson) as exc:
+ self.get_cifs_security_mock_object('cifs_security').apply()
+ assert exc.value.args[0]['changed']
+
+ @patch('ansible.modules.storage.netapp.na_ontap_vserver_cifs_security.NetAppONTAPCifsSecurity.cifs_security_get_iter')
+ def test_modify_error(self, get_cifs_security):
+ ''' Test create idempotency '''
+ data = self.mock_args()
+ set_module_args(data)
+ current = {
+ 'is_aes_encryption_enabled': False
+ }
+ get_cifs_security.side_effect = [
+ current
+ ]
+ with pytest.raises(AnsibleFailJson) as exc:
+ self.get_cifs_security_mock_object('error').apply()
+ assert exc.value.args[0]['msg'] == 'Error modifying cifs security on ansible: NetApp API failed. Reason - test:error'
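Review bot: `build_port_info` keys the mocked cifs-security record with underscore names (`'is_aes_encryption_enabled'`, `'lm_compatibility_level'`) while cifs_security_get_iter reads the hyphenated ZAPI names (`'is-aes-encryption-enabled'`, `'lm-compatibility-level'`), and both tests then `@patch` cifs_security_get_iter away, so the fixture is never parsed and the mismatch goes unnoticed. That leaves the get path, and in particular how the 'true'/'false' strings from ZAPI are turned into the bools that drive the idempotency check, with no coverage at all. I would hyphenate the fixture keys and add a test that calls `self.get_cifs_security_mock_object('cifs_security').cifs_security_get_iter()` unpatched and asserts `current['is_aes_encryption_enabled'] is True`, with a second fixture holding 'false' asserting `is False`, since a wrong conversion there makes the module report ok without enforcing the security setting. The docstrings `''' Test successful modify max throughput '''` and `''' Test create idempotency '''` look copied from another module and should describe these cases, e.g. `''' Test that a differing current state triggers cifs-security-modify '''` and `''' Test that a ZAPI error on modify is reported through fail_json '''`.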