Adds bigip_profile_client_ssl module (#33844)

This module can be used to manage client ssl profiles on a BIG-IP

test/units/modules/network/f5/fixtures/load_ltm_profile_clientssl.json

@@ -0,0 +1,103 @@
+{
+    "kind": "tm:ltm:profile:client-ssl:client-sslstate",
+    "name": "foo",
+    "partition": "Common",
+    "fullPath": "/Common/foo",
+    "generation": 351,
+    "selfLink": "https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~foo?ver=13.0.0",
+    "alertTimeout": "indefinite",
+    "allowDynamicRecordSizing": "disabled",
+    "allowExpiredCrl": "disabled",
+    "allowNonSsl": "disabled",
+    "appService": "none",
+    "authenticate": "once",
+    "authenticateDepth": 9,
+    "bypassOnClientCertFail": "disabled",
+    "bypassOnHandshakeAlert": "disabled",
+    "caFile": "none",
+    "cacheSize": 262144,
+    "cacheTimeout": 3600,
+    "cert": "/Common/default.crt",
+    "certReference": {
+        "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=13.0.0"
+    },
+    "certExtensionIncludes": [
+        "basic-constraints",
+        "subject-alternative-name"
+    ],
+    "certLifespan": 30,
+    "certLookupByIpaddrPort": "disabled",
+    "chain": "none",
+    "cipherGroup": "none",
+    "ciphers": "DEFAULT",
+    "clientCertCa": "none",
+    "crlFile": "none",
+    "defaultsFrom": "/Common/clientssl",
+    "defaultsFromReference": {
+        "link": "https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~clientssl?ver=13.0.0"
+    },
+    "description": "none",
+    "destinationIpBlacklist": "none",
+    "destinationIpWhitelist": "none",
+    "forwardProxyBypassDefaultAction": "intercept",
+    "genericAlert": "enabled",
+    "handshakeTimeout": "10",
+    "hostnameBlacklist": "none",
+    "hostnameWhitelist": "none",
+    "inheritCertkeychain": "true",
+    "key": "/Common/default.key",
+    "keyReference": {
+        "link": "https://localhost/mgmt/tm/sys/file/ssl-key/~Common~default.key?ver=13.0.0"
+    },
+    "maxActiveHandshakes": "indefinite",
+    "maxAggregateRenegotiationPerMinute": "indefinite",
+    "maxRenegotiationsPerMinute": 5,
+    "maximumRecordSize": 16384,
+    "modSslMethods": "disabled",
+    "mode": "enabled",
+    "notifyCertStatusToVirtualServer": "disabled",
+    "ocspStapling": "disabled",
+    "tmOptions": [
+        "dont-insert-empty-fragments"
+    ],
+    "peerCertMode": "ignore",
+    "peerNoRenegotiateTimeout": "10",
+    "proxyCaCert": "none",
+    "proxyCaKey": "none",
+    "proxySsl": "disabled",
+    "proxySslPassthrough": "disabled",
+    "renegotiateMaxRecordDelay": "indefinite",
+    "renegotiatePeriod": "indefinite",
+    "renegotiateSize": "indefinite",
+    "renegotiation": "enabled",
+    "retainCertificate": "true",
+    "secureRenegotiation": "require",
+    "serverName": "none",
+    "sessionMirroring": "disabled",
+    "sessionTicket": "disabled",
+    "sessionTicketTimeout": 0,
+    "sniDefault": "false",
+    "sniRequire": "false",
+    "sourceIpBlacklist": "none",
+    "sourceIpWhitelist": "none",
+    "sslForwardProxy": "disabled",
+    "sslForwardProxyBypass": "disabled",
+    "sslSignHash": "any",
+    "strictResume": "disabled",
+    "uncleanShutdown": "enabled",
+    "certKeyChain": [
+        {
+            "name": "default",
+            "appService": "none",
+            "cert": "/Common/default.crt",
+            "certReference": {
+                "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=13.0.0"
+            },
+            "chain": "none",
+            "key": "/Common/default.key",
+            "keyReference": {
+                "link": "https://localhost/mgmt/tm/sys/file/ssl-key/~Common~default.key?ver=13.0.0"
+            }
+        }
+    ]
+}

test/units/modules/network/f5/test_bigip_profile_client_ssl.py

@@ -0,0 +1,128 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2017 F5 Networks Inc.
+# GNU General Public License v3.0 (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import json
+import pytest
+import sys
+
+from nose.plugins.skip import SkipTest
+if sys.version_info < (2, 7):
+    raise SkipTest("F5 Ansible modules require Python >= 2.7")
+
+from ansible.compat.tests import unittest
+from ansible.compat.tests.mock import Mock
+from ansible.compat.tests.mock import patch
+from ansible.module_utils.f5_utils import AnsibleF5Client
+
+try:
+    from library.bigip_profile_client_ssl import ModuleParameters
+    from library.bigip_profile_client_ssl import ApiParameters
+    from library.bigip_profile_client_ssl import ModuleManager
+    from library.bigip_profile_client_ssl import ArgumentSpec
+    from ansible.module_utils.f5_utils import iControlUnexpectedHTTPError
+    from test.unit.modules.utils import set_module_args
+except ImportError:
+    try:
+        from ansible.modules.network.f5.bigip_profile_client_ssl import ModuleParameters
+        from ansible.modules.network.f5.bigip_profile_client_ssl import ApiParameters
+        from ansible.modules.network.f5.bigip_profile_client_ssl import ModuleManager
+        from ansible.modules.network.f5.bigip_profile_client_ssl import ArgumentSpec
+        from ansible.module_utils.f5_utils import iControlUnexpectedHTTPError
+        from units.modules.utils import set_module_args
+    except ImportError:
+        raise SkipTest("F5 Ansible modules require the f5-sdk Python library")
+
+fixture_path = os.path.join(os.path.dirname(__file__), 'fixtures')
+fixture_data = {}
+
+
+def load_fixture(name):
+    path = os.path.join(fixture_path, name)
+
+    if path in fixture_data:
+        return fixture_data[path]
+
+    with open(path) as f:
+        data = f.read()
+
+    try:
+        data = json.loads(data)
+    except Exception:
+        pass
+
+    fixture_data[path] = data
+    return data
+
+
+class TestParameters(unittest.TestCase):
+    def test_module_parameters(self):
+        args = dict(
+            name='foo',
+            parent='bar',
+            ciphers='!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA',
+            cert_key_chain=[
+                dict(
+                    cert='bigip_ssl_cert1',
+                    key='bigip_ssl_key1',
+                    chain='bigip_ssl_cert1'
+                )
+            ]
+        )
+
+        p = ModuleParameters(args)
+        assert p.name == 'foo'
+        assert p.parent == '/Common/bar'
+        assert p.ciphers == '!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA'
+
+    def test_api_parameters(self):
+        args = load_fixture('load_ltm_profile_clientssl.json')
+        p = ApiParameters(args)
+        assert p.name == 'foo'
+        assert p.ciphers == 'DEFAULT'
+
+
+@patch('ansible.module_utils.f5_utils.AnsibleF5Client._get_mgmt_root',
+       return_value=True)
+class TestManager(unittest.TestCase):
+
+    def setUp(self):
+        self.spec = ArgumentSpec()
+
+    def test_create(self, *args):
+        # Configure the arguments that would be sent to the Ansible module
+        set_module_args(dict(
+            name='foo',
+            parent='bar',
+            ciphers='!SSLv3:!SSLv2:ECDHE+AES-GCM+SHA256:ECDHE-RSA-AES128-CBC-SHA',
+            cert_key_chain=[
+                dict(
+                    cert='bigip_ssl_cert1',
+                    key='bigip_ssl_key1',
+                    chain='bigip_ssl_cert1'
+                )
+            ],
+            password='passsword',
+            server='localhost',
+            user='admin'
+        ))
+
+        client = AnsibleF5Client(
+            argument_spec=self.spec.argument_spec,
+            supports_check_mode=self.spec.supports_check_mode,
+            f5_product_name=self.spec.f5_product_name
+        )
+        mm = ModuleManager(client)
+
+        # Override methods to force specific logic in the module to happen
+        mm.exists = Mock(return_value=False)
+        mm.create_on_device = Mock(return_value=True)
+
+        results = mm.exec_module()
+
+        assert results['changed'] is True