From df66c6f8a9453bca761107a14d9a4f0355e87bf8 Mon Sep 17 00:00:00 2001 From: Andreas Maier Date: Wed, 9 Jun 2021 02:16:26 +0200 Subject: [PATCH] Added support for verifying HMC certificates (#405) Details: * Added module sub-parameters 'ca_certs' and 'verify' to the 'hmc_auth' module parameter of all modules. (issue #401) * Changed module input parameter 'hmc_auth.userid' to no longer be hidden in logs, for better debugging. The password is still hidden in any logs. * Increased minimum version of zhmcclient to 0.31.0 in order to have the support for certificate verification. 
Signed-off-by: Andreas Maier --- docs/source/modules/zhmc_adapter.rst | 17 +++++- docs/source/modules/zhmc_cpc.rst | 17 +++++- .../source/modules/zhmc_crypto_attachment.rst | 17 +++++- docs/source/modules/zhmc_hba.rst | 17 +++++- docs/source/modules/zhmc_nic.rst | 17 +++++- docs/source/modules/zhmc_partition.rst | 17 +++++- docs/source/modules/zhmc_storage_group.rst | 17 +++++- .../modules/zhmc_storage_group_attachment.rst | 17 +++++- docs/source/modules/zhmc_storage_volume.rst | 17 +++++- docs/source/modules/zhmc_user.rst | 17 +++++- docs/source/modules/zhmc_virtual_function.rst | 17 +++++- docs/source/release_notes.rst | 17 +++++- minimum-constraints.txt | 4 +- plugins/module_utils/common.py | 21 +++++--- plugins/modules/zhmc_adapter.py | 54 +++++++++++++++---- plugins/modules/zhmc_cpc.py | 44 ++++++++++++--- plugins/modules/zhmc_crypto_attachment.py | 49 +++++++++++++---- plugins/modules/zhmc_hba.py | 44 ++++++++++++--- plugins/modules/zhmc_nic.py | 44 ++++++++++++--- plugins/modules/zhmc_partition.py | 54 +++++++++++++++---- plugins/modules/zhmc_storage_group.py | 49 +++++++++++++---- .../modules/zhmc_storage_group_attachment.py | 49 +++++++++++++---- plugins/modules/zhmc_storage_volume.py | 49 +++++++++++++---- plugins/modules/zhmc_user.py | 49 +++++++++++++---- plugins/modules/zhmc_virtual_function.py | 44 ++++++++++++--- requirements.txt | 5 +- tests/unit/test_hba.py | 11 +++- tests/unit/test_nic.py | 11 +++- tests/unit/test_partition.py | 11 +++- tests/unit/test_virtual_function.py | 11 +++- 30 files changed, 684 insertions(+), 123 deletions(-) diff --git a/docs/source/modules/zhmc_adapter.rst b/docs/source/modules/zhmc_adapter.rst index a9f8fea7e..3cf57f4b1 100644 --- a/docs/source/modules/zhmc_adapter.rst +++ b/docs/source/modules/zhmc_adapter.rst @@ -36,7 +36,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -56,6 +56,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + name The name of the target adapter. In case of renaming an adapter, this is the new name of the adapter. diff --git a/docs/source/modules/zhmc_cpc.rst b/docs/source/modules/zhmc_cpc.rst index ca7ae8fd5..cb7ee2e70 100644 --- a/docs/source/modules/zhmc_cpc.rst +++ b/docs/source/modules/zhmc_cpc.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + name The name of the target CPC. diff --git a/docs/source/modules/zhmc_crypto_attachment.rst b/docs/source/modules/zhmc_crypto_attachment.rst index 3b5e0b370..63ec0545d 100644 --- a/docs/source/modules/zhmc_crypto_attachment.rst +++ b/docs/source/modules/zhmc_crypto_attachment.rst @@ -36,7 +36,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -56,6 +56,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC that has the partition and the crypto adapters. diff --git a/docs/source/modules/zhmc_hba.rst b/docs/source/modules/zhmc_hba.rst index c282b720c..316edf4b3 100644 --- a/docs/source/modules/zhmc_hba.rst +++ b/docs/source/modules/zhmc_hba.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the partition containing the HBA. diff --git a/docs/source/modules/zhmc_nic.rst b/docs/source/modules/zhmc_nic.rst index 00a80baa5..8606a085c 100644 --- a/docs/source/modules/zhmc_nic.rst +++ b/docs/source/modules/zhmc_nic.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the partition containing the NIC. diff --git a/docs/source/modules/zhmc_partition.rst b/docs/source/modules/zhmc_partition.rst index 6b8a9338f..4602504df 100644 --- a/docs/source/modules/zhmc_partition.rst +++ b/docs/source/modules/zhmc_partition.rst @@ -36,7 +36,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of userid, password. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -56,6 +56,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the target partition. diff --git a/docs/source/modules/zhmc_storage_group.rst b/docs/source/modules/zhmc_storage_group.rst index 1dec550a7..e3df9a923 100644 --- a/docs/source/modules/zhmc_storage_group.rst +++ b/docs/source/modules/zhmc_storage_group.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC associated with the target storage group. diff --git a/docs/source/modules/zhmc_storage_group_attachment.rst b/docs/source/modules/zhmc_storage_group_attachment.rst index c9dfbd2b1..8e1a58e85 100644 --- a/docs/source/modules/zhmc_storage_group_attachment.rst +++ b/docs/source/modules/zhmc_storage_group_attachment.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC that has the partition and is associated with the storage group. diff --git a/docs/source/modules/zhmc_storage_volume.rst b/docs/source/modules/zhmc_storage_volume.rst index fb8bce511..2bc558a7b 100644 --- a/docs/source/modules/zhmc_storage_volume.rst +++ b/docs/source/modules/zhmc_storage_volume.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC associated with the storage group containing the target storage volume. diff --git a/docs/source/modules/zhmc_user.rst b/docs/source/modules/zhmc_user.rst index 594d339d6..ff414fa00 100644 --- a/docs/source/modules/zhmc_user.rst +++ b/docs/source/modules/zhmc_user.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + name The userid of the target user (i.e. the 'name' property of the User object). diff --git a/docs/source/modules/zhmc_virtual_function.rst b/docs/source/modules/zhmc_virtual_function.rst index 4dbd2ed53..65e445502 100644 --- a/docs/source/modules/zhmc_virtual_function.rst +++ b/docs/source/modules/zhmc_virtual_function.rst @@ -35,7 +35,7 @@ hmc_host hmc_auth - The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``. + The authentication credentials for the HMC. | **required**: True | **type**: dict 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the partition containing the virtual function. diff --git a/docs/source/release_notes.rst b/docs/source/release_notes.rst index e51bc77b2..b94c7f958 100644 --- a/docs/source/release_notes.rst +++ b/docs/source/release_notes.rst @@ -29,6 +29,13 @@ Released: not yet **Incompatible changes:** +* The new support for verifying HMC certificates will by default verify the + HMC certificate using the "Mozilla CA Certificate List" provided by the + 'certifi' Python package, causing self-signed HMC certificates to be + rejected. The verification behavior can be controlled with the new + 'ca_certs' and 'verify' sub-parameters of the 'hmc_auth' module parameter + of each module. + **Deprecations:** **Bug fixes:** 
@@ -65,7 +72,15 @@ Released: not yet * Docs: The idempotency of each module and possible limitations are now described for each module. (issue #375) -* Increased minimum version of zhmcclient to 0.29.0 to pick up fixes. +* Increased minimum version of zhmcclient to 0.31.0 in order to have + the support for certificate verification and to pick up fixes. + +* Added support for verifying HMC certificates by adding module sub-parameters + 'ca_certs' and 'verify' to the 'hmc_auth' module parameter of all modules. + (issue #401) + +* Changed module input parameter 'hmc_auth.userid' to no longer be hidden in + logs, for better debugging. The password is still hidden in any logs. **Cleanup:** diff --git a/minimum-constraints.txt b/minimum-constraints.txt index 6fd01cb95..30a7df546 100644 --- a/minimum-constraints.txt +++ b/minimum-constraints.txt @@ -87,8 +87,8 @@ wheel==0.33.5; python_version >= '3.8' ansible==2.9.0.0 requests==2.20.1 -# git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient -zhmcclient==0.29.0 +# TODO: Enable zhmcclient 0.31.0 once released on Pypi +# zhmcclient==0.31.0 # Indirect dependencies for installation (must be consistent with requirements.txt) diff --git a/plugins/module_utils/common.py b/plugins/module_utils/common.py index eade4ecc1..ddfa22882 100644 --- a/plugins/module_utils/common.py +++ b/plugins/module_utils/common.py 
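Review bot: The zhmcclient constraint in minimum-constraints.txt is dropped rather than raised: `zhmcclient==0.29.0` is deleted and its replacement `# zhmcclient==0.31.0` is commented out, so this file no longer bounds zhmcclient at all. The same commit makes `get_session()` pass `verify_cert=` to `zhmcclient.Session`, which the commit message says needs 0.31.0, so an environment that resolves an older release would presumably fail on that keyword and minimum-version test runs no longer exercise the stated minimum. Until 0.31.0 is published, tie the TODO to a tracking issue and restore `zhmcclient==0.31.0` before release. If a VCS install is used in the interim, pin it to a specific commit rather than to a branch such as the `@master` reference this hunk removes.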
@@ -153,11 +153,14 @@ def get_hmc_auth(hmc_auth): Parameters: hmc_auth (dict): value of the 'hmc_auth' module input parameter, - which is a dictionary with items 'userid' and 'password'. + which is a dictionary with required items 'userid' and 'password' + and optional items 'ca_certs' and 'verify'. Returns: - tuple(userid, password): A tuple with the respective items - of the input dictionary. + tuple(userid, password, ca_certs, verify): A tuple with the respective + items of the input dictionary. Optional items are defaulted: + - ca_certs: Defaults to None. + - verify: Defaults to True. Raises: ParameterError: An item in the input dictionary was missing. @@ -172,7 +175,9 @@ def get_hmc_auth(hmc_auth): except KeyError: raise ParameterError("Required item 'password' is missing in " "dictionary module parameter 'hmc_auth'.") - return userid, password + ca_certs = hmc_auth.get('ca_certs', None) + verify = hmc_auth.get('verify', True) + return userid, password, ca_certs, verify def pull_partition_status(partition): @@ -364,7 +369,7 @@ def wait_for_transition_completion(partition): raise AssertionError() -def get_session(faked_session, host, userid, password): +def get_session(faked_session, host, userid, password, ca_certs, verify): """ Return a session object for the HMC. @@ -372,13 +377,13 @@ def get_session(faked_session, host, userid, password): faked_session (zhmcclient_mock.FakedSession or None): If this object is a `zhmcclient_mock.FakedSession` object, return that object. - Else, return a new `zhmcclient.Session` object from the `host`, - `userid`, and `password` arguments. + Else, return a new `zhmcclient.Session` object from the other arguments. """ if isinstance(faked_session, FakedSession): return faked_session else: - return Session(host, userid, password) + verify_cert = ca_certs if verify else False + return Session(host, userid, password, verify_cert=verify_cert) def to_unicode(value): 
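Review bot: In `get_session()`, `verify_cert = ca_certs if verify else False` fails open, because any falsy `verify` (for example `None`) turns certificate verification off. The `get_hmc_auth()` hunk above feeds this, since `hmc_auth.get('verify', True)` returns `None` when the key is present with a null value. In the default case (`verify` true, `ca_certs` null) the expression also yields `None` rather than `True`; this diff does not show how `zhmcclient.Session` treats `verify_cert=None`, so the documented fallback to the default CA bundle should be confirmed rather than assumed. Making both cases explicit would be safer: `verify_cert = False if verify is False else (ca_certs or True)`. The `get_session()` signature is in the preceding hunk, and its docstring still describes only `faked_session`; it should also cover `ca_certs` and `verify`.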
diff --git a/plugins/modules/zhmc_adapter.py b/plugins/modules/zhmc_adapter.py index beabb3cc6..b7e611ced 100644 --- a/plugins/modules/zhmc_adapter.py +++ b/plugins/modules/zhmc_adapter.py @@ -52,8 +52,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: @@ -67,6 +66,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true name: description: - The name of the target adapter. In case of renaming an adapter, this is @@ -524,7 +543,7 @@ def ensure_set(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] adapter_match = params['match'] 
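Review bot: The new `verify` option in the DOCUMENTATION string (hunk `@@ -67,6 +66,26 @@`) says how to turn verification off but not what that costs: with `verify: false` the HMC's identity is not checked before `userid` and `password` are sent to it. The release notes in this commit say self-signed HMC certificates are now rejected by default, so many users are likely to reach for `verify: false`. I would add a second description item such as `- With C(verify=false) the HMC is not authenticated before the credentials are sent; for self-signed HMC certificates, set C(ca_certs) to that certificate instead.` The same text is repeated in zhmc_cpc.py, zhmc_crypto_attachment.py and zhmc_hba.py and in the generated .rst pages, so the wording should change in all of them. The DOCUMENTATION string begins and ends outside this hunk.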
@@ -533,7 +552,8 @@ def ensure_set(params, check_mode): changed = False try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) adapter = identify_adapter(cpc, adapter_name, adapter_match) @@ -601,7 +621,7 @@ def ensure_present(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified @@ -609,7 +629,8 @@ def ensure_present(params, check_mode): changed = False try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -736,7 +757,7 @@ def ensure_absent(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified @@ -745,7 +766,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. 
@@ -776,13 +798,14 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) adapter = cpc.adapters.find(name=adapter_name) @@ -831,7 +854,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), name=dict(required=True, type='str'), match=dict(required=False, type='dict', default={}), diff --git a/plugins/modules/zhmc_cpc.py b/plugins/modules/zhmc_cpc.py index acde60880..3d5b50599 100644 --- a/plugins/modules/zhmc_cpc.py +++ b/plugins/modules/zhmc_cpc.py @@ -52,8 +52,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: 
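Review bot: Masking of the HMC password now depends on a per-module copy of the `hmc_auth` sub-spec in `main()` (hunk `@@ -831,7 +854,16 @@`), because the parent-level `no_log=True` is gone and only `password=dict(required=True, type='str', no_log=True)` carries the flag. The identical block is pasted into zhmc_cpc.py and zhmc_crypto_attachment.py later in this diff and, going by the diffstat, into the other modules as well, so one copy that drifts would put the password in logs. Defining the sub-spec once in plugins/module_utils/common.py (for example as a module-level constant, name to be chosen) and referencing it as `hmc_auth=dict(required=True, type='dict', options=<shared spec>)` keeps the flag in one place. A unit test asserting that every module's `hmc_auth.password` has `no_log` set would guard the same property. `main()` starts before and continues after this hunk.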
@@ -67,6 +66,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true name: description: - The name of the target CPC. @@ -444,14 +463,15 @@ def ensure_set(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified changed = False try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. 
@@ -489,12 +509,13 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -535,7 +556,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), name=dict(required=True, type='str'), state=dict(required=True, type='str', choices=['set', 'facts']), properties=dict(required=False, type='dict', default={}), diff --git a/plugins/modules/zhmc_crypto_attachment.py b/plugins/modules/zhmc_crypto_attachment.py index a2c2d0c66..64072bd21 100644 --- a/plugins/modules/zhmc_crypto_attachment.py +++ b/plugins/modules/zhmc_crypto_attachment.py @@ -54,8 +54,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: 
@@ -69,6 +68,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC that has the partition and the crypto adapters. @@ -466,7 +485,7 @@ def ensure_attached(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] adapter_count = params['adapter_count'] @@ -496,7 +515,8 @@ def ensure_attached(params, check_mode): result_changes = dict() try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) 
@@ -901,7 +921,7 @@ def ensure_detached(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] _faked_session = params.get('_faked_session', None) # No default specified @@ -911,7 +931,8 @@ def ensure_detached(params, check_mode): result_changes = dict() try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) @@ -990,13 +1011,14 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] _faked_session = params.get('_faked_session', None) # No default specified try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) 
@@ -1043,7 +1065,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), state=dict(required=True, type='str', diff --git a/plugins/modules/zhmc_hba.py b/plugins/modules/zhmc_hba.py index 53b336d79..92184ee3b 100644 --- a/plugins/modules/zhmc_hba.py +++ b/plugins/modules/zhmc_hba.py @@ -57,8 +57,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: 
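Review bot: Nothing in this `main()` hunk tells the operator at run time that certificate verification was switched off. `verify=False` is accepted silently, so a setting added once for testing can persist in a playbook unnoticed. Assuming the AnsibleModule instance is bound to `module` later in `main()` (outside the hunk), I would add `if not module.params['hmc_auth']['verify']: module.warn("HMC certificate verification is disabled (hmc_auth.verify=False)")` before the state dispatch. The `main()` hunks of the other modules in this commit take the same argument spec and would need the same warning.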
@@ -72,6 +71,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the partition containing the HBA. @@ -408,7 +427,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] hba_name = params['name'] @@ -418,7 +437,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -504,7 +524,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] hba_name = params['name'] 
@@ -514,7 +534,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) @@ -561,7 +582,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), name=dict(required=True, type='str'), diff --git a/plugins/modules/zhmc_nic.py b/plugins/modules/zhmc_nic.py index 97e70f57a..77564e9b4 100644 --- a/plugins/modules/zhmc_nic.py +++ b/plugins/modules/zhmc_nic.py @@ -54,8 +54,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: 
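Review bot: `ca_certs` is declared with `type='str'` in this `argument_spec`, so a value such as `~/certs/hmc-ca.pem` is passed on unexpanded and would most likely be rejected as an invalid path. Ansible's `type='path'` expands `~` and environment variables before the module sees the value: `ca_certs=dict(required=False, type='path', default=None),`. The DOCUMENTATION block would then need `type: path`, and the `expected_argument_spec` literals in the unit tests the same change. This applies equally to the `main()` hunks of the other modules.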
@@ -69,6 +68,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the partition containing the NIC. @@ -487,7 +506,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] nic_name = params['name'] @@ -497,7 +516,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -582,7 +602,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] nic_name = params['name'] 
@@ -592,7 +612,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) @@ -639,7 +660,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), name=dict(required=True, type='str'), diff --git a/plugins/modules/zhmc_partition.py b/plugins/modules/zhmc_partition.py index 85ecece19..3a20be441 100644 --- a/plugins/modules/zhmc_partition.py +++ b/plugins/modules/zhmc_partition.py @@ -59,8 +59,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of userid, - password. + - The authentication credentials for the HMC. type: dict required: true suboptions: 
@@ -74,6 +73,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the target partition. @@ -1099,7 +1118,7 @@ def ensure_active(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] expand_storage_groups = params['expand_storage_groups'] @@ -1110,7 +1129,8 @@ def ensure_active(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -1203,7 +1223,7 @@ def ensure_stopped(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] expand_storage_groups = params['expand_storage_groups'] 
@@ -1214,7 +1234,8 @@ def ensure_stopped(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -1284,7 +1305,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] _faked_session = params.get('_faked_session', None) @@ -1293,7 +1314,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -1324,7 +1346,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] expand_storage_groups = params['expand_storage_groups'] @@ -1337,7 +1359,8 @@ def facts(params, check_mode): try: # The default exception handling is sufficient for this code - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) 
@@ -1381,7 +1404,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), name=dict(required=True, type='str'), state=dict(required=True, type='str', diff --git a/plugins/modules/zhmc_storage_group.py b/plugins/modules/zhmc_storage_group.py index 83620910a..f5864d2d0 100644 --- a/plugins/modules/zhmc_storage_group.py +++ b/plugins/modules/zhmc_storage_group.py @@ -61,8 +61,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: 
@@ -76,6 +75,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC associated with the target storage group. @@ -780,7 +799,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['name'] expand = params['expand'] @@ -790,7 +809,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -864,7 +884,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['name'] _faked_session = params.get('_faked_session', None) 
@@ -873,7 +893,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -918,7 +939,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['name'] expand = params['expand'] @@ -930,7 +951,8 @@ def facts(params, check_mode): try: # The default exception handling is sufficient for this code - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -980,7 +1002,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), name=dict(required=True, type='str'), state=dict(required=True, type='str', diff --git a/plugins/modules/zhmc_storage_group_attachment.py b/plugins/modules/zhmc_storage_group_attachment.py index f86dfdc10..3260ea889 100644 --- a/plugins/modules/zhmc_storage_group_attachment.py +++ b/plugins/modules/zhmc_storage_group_attachment.py 
@@ -59,8 +59,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: @@ -74,6 +73,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC that has the partition and is associated with the @@ -219,7 +238,7 @@ def ensure_attached(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] partition_name = params['partition_name'] @@ -229,7 +248,8 @@ def ensure_attached(params, check_mode): attached = None try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) 
@@ -273,7 +293,7 @@ def ensure_detached(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] partition_name = params['partition_name'] @@ -283,7 +303,8 @@ def ensure_detached(params, check_mode): attached = None try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -327,7 +348,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] partition_name = params['partition_name'] @@ -337,7 +358,8 @@ def facts(params, check_mode): attached = None try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -393,7 +415,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), storage_group_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), 
diff --git a/plugins/modules/zhmc_storage_volume.py b/plugins/modules/zhmc_storage_volume.py index 4e6c6bc31..d0bd3f035 100644 --- a/plugins/modules/zhmc_storage_volume.py +++ b/plugins/modules/zhmc_storage_volume.py @@ -60,8 +60,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: @@ -75,6 +74,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC associated with the storage group containing the @@ -427,7 +446,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] storage_volume_name = params['name'] 
@@ -437,7 +456,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -526,7 +546,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] storage_volume_name = params['name'] @@ -536,7 +556,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -580,7 +601,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] storage_volume_name = params['name'] @@ -590,7 +611,8 @@ def facts(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) 
@@ -648,7 +670,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), storage_group_name=dict(required=True, type='str'), name=dict(required=True, type='str'), diff --git a/plugins/modules/zhmc_user.py b/plugins/modules/zhmc_user.py index 8291153d4..088d47a75 100644 --- a/plugins/modules/zhmc_user.py +++ b/plugins/modules/zhmc_user.py @@ -50,8 +50,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: 
@@ -65,6 +64,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true name: description: - The userid of the target user (i.e. the 'name' property of the User @@ -763,7 +782,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) user_name = params['name'] expand = params['expand'] _faked_session = params.get('_faked_session', None) @@ -772,7 +791,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console # The default exception handling is sufficient for the above. @@ -846,7 +866,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) user_name = params['name'] _faked_session = params.get('_faked_session', None) 
@@ -854,7 +874,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console # The default exception handling is sufficient for the above. @@ -884,7 +905,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) user_name = params['name'] expand = params['expand'] _faked_session = params.get('_faked_session', None) @@ -895,7 +916,8 @@ def facts(params, check_mode): try: # The default exception handling is sufficient for this code - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console @@ -937,7 +959,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), name=dict(required=True, type='str'), state=dict(required=True, type='str', choices=['absent', 'present', 'facts']), diff --git a/plugins/modules/zhmc_virtual_function.py b/plugins/modules/zhmc_virtual_function.py index 4f5b90cda..539a972a2 100644 --- a/plugins/modules/zhmc_virtual_function.py +++ b/plugins/modules/zhmc_virtual_function.py 
@@ -54,8 +54,7 @@ required: true hmc_auth: description: - - The authentication credentials for the HMC, as a dictionary of - C(userid), C(password). + - The authentication credentials for the HMC. type: dict required: true suboptions: @@ -69,6 +68,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the partition containing the virtual function. @@ -385,7 +404,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] vfunction_name = params['name'] @@ -395,7 +414,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. 
@@ -480,7 +500,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] vfunction_name = params['name'] @@ -490,7 +510,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) @@ -537,7 +558,16 @@ def main(): # description of the options in the DOCUMENTATION string. argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), name=dict(required=True, type='str'), diff --git a/requirements.txt b/requirements.txt index 805683a85..50154ec0c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,8 +11,9 @@ ansible>=2.9.0.0 requests>=2.20.1 -# git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient -zhmcclient>=0.29.0 # Apache-2.0 +# TODO: Enable zhmcclient 0.31.0 once released on Pypi +git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient +# zhmcclient>=0.31.0 # Apache-2.0 # Indirect dependencies are not specified in this file, unless needed to solve versioning issues: diff --git a/tests/unit/test_hba.py b/tests/unit/test_hba.py index f440ecd6f..f277751ed 100755 --- a/tests/unit/test_hba.py 
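Review bot: `ca_certs` is declared as `type='str'` in the `main()` argument spec although it is documented as a path name to a certificate file or directory. Ansible's `path` type expands `~` and environment variables before the value is used, so `ca_certs=dict(required=False, type='path', default=None)` avoids a verification failure caused by an unexpanded path, which could otherwise tempt users into setting `verify: false`. The change would have to be mirrored in the `type: str` line of the DOCUMENTATION block, in the `main()` hunk of zhmc_user.py and in the `expected_argument_spec` of the four unit tests touched by this patch. `main()` continues outside the hunk.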
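Review bot: The zhmcclient requirement in requirements.txt now resolves to whatever the `master` branch of python-zhmcclient contains at install time. Installs are therefore not reproducible, and nothing guarantees the certificate-verification support this commit relies on, or protects against an unreviewed change landing on that branch. Until 0.31.0 is on PyPI, pin the VCS requirement to a reviewed commit, e.g. `git+https://github.com/zhmcclient/python-zhmcclient@<COMMIT_SHA>#egg=zhmcclient` (placeholder; the SHA is not on this page). The patch summary also lists minimum-constraints.txt as changed, which is outside this view, so check that both files agree once the TODO is resolved.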
+++ b/tests/unit/test_hba.py @@ -80,7 +80,16 @@ def test_main_success( # Assert call to AnsibleModule() expected_argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), name=dict(required=True, type='str'), diff --git a/tests/unit/test_nic.py b/tests/unit/test_nic.py index 3973ee3a4..aa8088ee5 100755 --- a/tests/unit/test_nic.py +++ b/tests/unit/test_nic.py @@ -80,7 +80,16 @@ def test_main_success( # Assert call to AnsibleModule() expected_argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), name=dict(required=True, type='str'), diff --git a/tests/unit/test_partition.py b/tests/unit/test_partition.py index b8ca65ca9..40bfac588 100755 --- a/tests/unit/test_partition.py +++ b/tests/unit/test_partition.py 
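Review bot: `test_main_success` only compares the literal argument spec handed to `AnsibleModule()`, so this hunk does not exercise the new behaviour: that `ca_certs` and `verify` from `hmc_auth` reach `get_session`. The patch summary shows the same 11-line change for test_nic.py, test_partition.py and test_virtual_function.py, which suggests no further test was added, although the rest of those files is not visible here. A sibling test that patches `get_session` in the module and ends with something like `get_session_func.assert_called_once_with(None, host, userid, password, ca_certs, False)` (mock name illustrative) would catch a regression that silently drops `verify` or defaults it the wrong way. The test function starts before and continues after this hunk.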
@@ -79,7 +79,16 @@ def test_main_success(self, ansible_mod_cls, perform_task_func): # Assert call to AnsibleModule() expected_argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), name=dict(required=True, type='str'), state=dict(required=True, type='str', diff --git a/tests/unit/test_virtual_function.py b/tests/unit/test_virtual_function.py index 9554f96ab..b7397e504 100755 --- a/tests/unit/test_virtual_function.py +++ b/tests/unit/test_virtual_function.py @@ -80,7 +80,16 @@ def test_main_success( # Assert call to AnsibleModule() expected_argument_spec = dict( hmc_host=dict(required=True, type='str'), - hmc_auth=dict(required=True, type='dict', no_log=True), + hmc_auth=dict( + required=True, + type='dict', + options=dict( + userid=dict(required=True, type='str'), + password=dict(required=True, type='str', no_log=True), + ca_certs=dict(required=False, type='str', default=None), + verify=dict(required=False, type='bool', default=True), + ), + ), cpc_name=dict(required=True, type='str'), partition_name=dict(required=True, type='str'), name=dict(required=True, type='str'),