From 02893520a93f8c2c49577453411e8ee444ff8aa9 Mon Sep 17 00:00:00 2001 From: Gregor Riepl Date: Mon, 26 Nov 2018 18:20:52 +0100 Subject: [PATCH] Cloudstack: Add password reset module (#47931) --- .../cloudstack/cs_instance_password_reset.py | 164 ++++++++++++++++++ .../cs_instance_password_reset/aliases | 2 + .../cs_instance_password_reset/meta/main.yml | 3 + .../cs_instance_password_reset/tasks/main.yml | 85 +++++++++ 4 files changed, 254 insertions(+) create mode 100644 lib/ansible/modules/cloud/cloudstack/cs_instance_password_reset.py create mode 100644 test/integration/targets/cs_instance_password_reset/aliases create mode 100644 test/integration/targets/cs_instance_password_reset/meta/main.yml create mode 100644 test/integration/targets/cs_instance_password_reset/tasks/main.yml diff --git a/lib/ansible/modules/cloud/cloudstack/cs_instance_password_reset.py b/lib/ansible/modules/cloud/cloudstack/cs_instance_password_reset.py new file mode 100644 index 0000000000..6691b3d168 --- /dev/null +++ b/lib/ansible/modules/cloud/cloudstack/cs_instance_password_reset.py @@ -0,0 +1,164 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# (c) 2018, Gregor Riepl +# based on cs_sshkeypair (c) 2015, René Moser +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + + +DOCUMENTATION = ''' +--- +module: cs_instance_password_reset +short_description: Allows resetting VM the default passwords on Apache CloudStack based clouds. +description: + - Resets the default user account's password on an instance. + - Requires cloud-init to be installed in the virtual machine. + - The passwordenabled flag must be set on the template associated with the VM. +version_added: '2.8' +author: "Gregor Riepl (@onitake)" +options: + vm: + description: + - Name of the virtual machine to reset the password on. + required: true + domain: + description: + - Name of the domain the virtual machine belongs to. + account: + description: + - Account the virtual machine belongs to. + project: + description: + - Name of the project the virtual machine belongs to. + zone: + description: + - Name of the zone in which the instance is deployed. + - If not set, the default zone is used. + poll_async: + description: + - Poll async jobs until job has finished. + default: yes + type: bool +extends_documentation_fragment: cloudstack +''' + +EXAMPLES = ''' +- name: stop the virtual machine before resetting the password + local_action: + module: cs_instance + name: myvirtualmachine + state: stopped +- name: reset and get new default password + local_action: + module: cs_instance_password_reset + vm: myvirtualmachine + register: root +- debug: + msg: "new default password is {{ root.password }}" +- name: boot the virtual machine to activate the new password + local_action: + module: cs_instance + name: myvirtualmachine + state: started + when: root is changed +''' + +RETURN = ''' +--- +id: + description: ID of the virtual machine. + returned: success + type: string + sample: a6f7a5fc-43f8-11e5-a151-feff819cdc9f +password: + description: The new default password. + returned: success + type: string + sample: ahQu5nuNge3keesh +''' + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.cloudstack import ( + AnsibleCloudStack, + cs_required_together, + cs_argument_spec +) + + +class AnsibleCloudStackPasswordReset(AnsibleCloudStack): + + def __init__(self, module): + super(AnsibleCloudStackPasswordReset, self).__init__(module) + self.returns = { + 'password': 'password', + } + self.password = None + + def reset_password(self): + args = { + 'id': self.get_vm(key='id'), + } + + res = None + self.result['changed'] = True + if not self.module.check_mode: + res = self.query_api('resetPasswordForVirtualMachine', **args) + + poll_async = self.module.params.get('poll_async') + if res and poll_async: + res = self.poll_job(res, 'virtualmachine') + + if res and 'password' in res: + self.password = res['password'] + + return self.password + + +def main(): + argument_spec = cs_argument_spec() + argument_spec.update(dict( + vm=dict(required=True), + domain=dict(), + account=dict(), + project=dict(), + zone=dict(), + poll_async=dict(type='bool', default=True), + )) + + module = AnsibleModule( + argument_spec=argument_spec, + required_together=cs_required_together(), + supports_check_mode=True + ) + + acs_password = AnsibleCloudStackPasswordReset(module) + password = acs_password.reset_password() + result = acs_password.get_result({'password': password}) + + module.exit_json(**result) + + +if __name__ == '__main__': + main() diff --git a/test/integration/targets/cs_instance_password_reset/aliases b/test/integration/targets/cs_instance_password_reset/aliases new file mode 100644 index 0000000000..c89c86d7d2 --- /dev/null +++ b/test/integration/targets/cs_instance_password_reset/aliases @@ -0,0 +1,2 @@ +cloud/cs +shippable/cs/group1 diff --git a/test/integration/targets/cs_instance_password_reset/meta/main.yml b/test/integration/targets/cs_instance_password_reset/meta/main.yml new file mode 100644 index 0000000000..e9a5b9eeae --- /dev/null +++ b/test/integration/targets/cs_instance_password_reset/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - cs_common diff --git a/test/integration/targets/cs_instance_password_reset/tasks/main.yml b/test/integration/targets/cs_instance_password_reset/tasks/main.yml new file mode 100644 index 0000000000..543c8f59e7 --- /dev/null +++ b/test/integration/targets/cs_instance_password_reset/tasks/main.yml @@ -0,0 +1,85 @@ +--- +- name: reset without giving a VM + action: cs_instance_password_reset + ignore_errors: yes + register: reset1 +- name: verify that the argument was missing + assert: + that: + - reset1 is failed + - "reset1.msg == 'missing required arguments: vm'" + +- name: disable password_enabled on default template + cs_template: + name: "{{ cs_common_template }}" + template_filter: all + password_enabled: no + +- name: cleanup test VM + cs_instance: + name: test-nopassword + zone: "{{ cs_common_zone_adv }}" + state: expunged +- name: create test VM + cs_instance: + name: test-nopassword + template: "{{ cs_common_template }}" + service_offering: "{{ cs_common_service_offering }}" + zone: "{{ cs_common_zone_adv }}" + state: started + register: testvm_nopass + until: testvm_nopass is success + retries: 12 + delay: 10 +- name: stop test VM + cs_instance: + name: test-nopassword + zone: "{{ cs_common_zone_adv }}" + state: stopped +- name: reset nopassword + cs_instance_password_reset: + vm: test-nopassword + zone: "{{ cs_common_zone_adv }}" + ignore_errors: yes + register: reset2 +- name: verify that template was not pw enabled + assert: + that: + - reset2 is failed + - reset2.msg.endswith("the template is not password enabled'") + +- name: enable password_enabled on default template + cs_template: + name: "{{ cs_common_template }}" + template_filter: all + password_enabled: yes + +- name: cleanup test VM + cs_instance: + name: test-password + zone: "{{ cs_common_zone_adv }}" + state: expunged +- name: create test VM + cs_instance: + name: test-password + template: "{{ cs_common_template }}" + service_offering: "{{ cs_common_service_offering }}" + zone: "{{ cs_common_zone_adv }}" + state: started +- name: stop test VM + cs_instance: + name: test-password + zone: "{{ cs_common_zone_adv }}" + state: stopped +- name: reset password + cs_instance_password_reset: + vm: test-password + zone: "{{ cs_common_zone_adv }}" + register: reset3 +- debug: + var: reset3.password +- name: verify that a password was set + assert: + that: + - reset3 is success + - reset3.password != ''