Enable Custom Cipher Selection for Redfish Modules (#8533)

* Enable custom cipher selection for redfish modules Signed-off-by: David Ehrman <[email protected]> * Add changelog fragment Signed-off-by: David Ehrman <[email protected]> * Added version_added to the ciphers option in redfish modules Signed-off-by: David Ehrman <[email protected]> --------- Signed-off-by: David Ehrman <[email protected]>
ansible-collections · Jun 20, 2024 · 0d50131 · 0d50131
1 parent 60ba7ca
commit 0d50131
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 10 deletions.
diff --git a/changelogs/fragments/8533-add-ciphers-option.yml b/changelogs/fragments/8533-add-ciphers-option.yml
@@ -0,0 +1,4 @@
+---
+minor_changes:
+  - redfish_* modules - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.general/pull/8533).
+...
diff --git a/plugins/module_utils/redfish_utils.py b/plugins/module_utils/redfish_utils.py
@@ -42,7 +42,7 @@
 class RedfishUtils(object):
 
     def __init__(self, creds, root_uri, timeout, module, resource_id=None,
-                 data_modification=False, strip_etag_quotes=False):
+                 data_modification=False, strip_etag_quotes=False, ciphers=None):
         self.root_uri = root_uri
         self.creds = creds
         self.timeout = timeout
@@ -53,6 +53,7 @@ def __init__(self, creds, root_uri, timeout, module, resource_id=None,
         self.resource_id = resource_id
         self.data_modification = data_modification
         self.strip_etag_quotes = strip_etag_quotes
+        self.ciphers = ciphers
         self._vendor = None
         self._init_session()
 
@@ -149,7 +150,7 @@ def get_request(self, uri, override_headers=None, allow_no_resp=False, timeout=N
                             url_username=username, url_password=password,
                             force_basic_auth=basic_auth, validate_certs=False,
                             follow_redirects='all',
-                            use_proxy=True, timeout=timeout)
+                            use_proxy=True, timeout=timeout, ciphers=self.ciphers)
             headers = dict((k.lower(), v) for (k, v) in resp.info().items())
             try:
                 if headers.get('content-encoding') == 'gzip' and LooseVersion(ansible_version) < LooseVersion('2.14'):
@@ -199,7 +200,7 @@ def post_request(self, uri, pyld, multipart=False):
                             url_username=username, url_password=password,
                             force_basic_auth=basic_auth, validate_certs=False,
                             follow_redirects='all',
-                            use_proxy=True, timeout=self.timeout)
+                            use_proxy=True, timeout=self.timeout, ciphers=self.ciphers)
             try:
                 data = json.loads(to_native(resp.read()))
             except Exception as e:
@@ -253,7 +254,7 @@ def patch_request(self, uri, pyld, check_pyld=False):
                             url_username=username, url_password=password,
                             force_basic_auth=basic_auth, validate_certs=False,
                             follow_redirects='all',
-                            use_proxy=True, timeout=self.timeout)
+                            use_proxy=True, timeout=self.timeout, ciphers=self.ciphers)
         except HTTPError as e:
             msg = self._get_extended_message(e)
             return {'ret': False, 'changed': False,
@@ -288,7 +289,7 @@ def put_request(self, uri, pyld):
                             url_username=username, url_password=password,
                             force_basic_auth=basic_auth, validate_certs=False,
                             follow_redirects='all',
-                            use_proxy=True, timeout=self.timeout)
+                            use_proxy=True, timeout=self.timeout, ciphers=self.ciphers)
         except HTTPError as e:
             msg = self._get_extended_message(e)
             return {'ret': False,
@@ -314,7 +315,7 @@ def delete_request(self, uri, pyld=None):
                             url_username=username, url_password=password,
                             force_basic_auth=basic_auth, validate_certs=False,
                             follow_redirects='all',
-                            use_proxy=True, timeout=self.timeout)
+                            use_proxy=True, timeout=self.timeout, ciphers=self.ciphers)
         except HTTPError as e:
             msg = self._get_extended_message(e)
             return {'ret': False,

diff --git a/plugins/modules/redfish_command.py b/plugins/modules/redfish_command.py
@@ -302,6 +302,17 @@
     type: int
     default: 120
     version_added: 9.1.0
+  ciphers:
+    required: false
+    description:
+      - SSL/TLS Ciphers to use for the request.
+      - 'When a list is provided, all ciphers are joined in order with V(:).'
+      - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT)
+        for more details.
+      - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions.
+    type: list
+    elements: str
+    version_added: 9.2.0
 
 author:
   - "Jose Delarosa (@jose-delarosa)"
@@ -868,6 +879,7 @@ def main():
             bios_attributes=dict(type="dict"),
             wait=dict(type='bool', default=False),
             wait_timeout=dict(type='int', default=120),
+            ciphers=dict(type='list', elements='str'),
         ),
         required_together=[
             ('username', 'password'),
@@ -936,10 +948,14 @@ def main():
     # BIOS Attributes options
     bios_attributes = module.params['bios_attributes']
 
+    # ciphers
+    ciphers = module.params['ciphers']
+
     # Build root URI
     root_uri = "https://" + module.params['baseuri']
     rf_utils = RedfishUtils(creds, root_uri, timeout, module,
-                            resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes)
+                            resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes,
+                            ciphers=ciphers)
 
     # Check that Category is valid
     if category not in CATEGORY_COMMANDS_ALL:

diff --git a/plugins/modules/redfish_config.py b/plugins/modules/redfish_config.py
@@ -167,6 +167,18 @@
     type: dict
     default: {}
     version_added: '7.5.0'
+  ciphers:
+    required: false
+    description:
+      - SSL/TLS Ciphers to use for the request.
+      - 'When a list is provided, all ciphers are joined in order with V(:).'
+      - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT)
+        for more details.
+      - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions.
+    type: list
+    elements: str
+    version_added: 9.2.0
+
 author:
   - "Jose Delarosa (@jose-delarosa)"
   - "T S Kushal (@TSKushal)"
@@ -405,7 +417,8 @@ def main():
             storage_subsystem_id=dict(type='str', default=''),
             volume_ids=dict(type='list', default=[], elements='str'),
             secure_boot_enable=dict(type='bool', default=True),
-            volume_details=dict(type='dict', default={})
+            volume_details=dict(type='dict', default={}),
+            ciphers=dict(type='list', elements='str'),
         ),
         required_together=[
             ('username', 'password'),
@@ -469,10 +482,14 @@ def main():
     volume_details = module.params['volume_details']
     storage_subsystem_id = module.params['storage_subsystem_id']
 
+    # ciphers
+    ciphers = module.params['ciphers']
+
     # Build root URI
     root_uri = "https://" + module.params['baseuri']
     rf_utils = RedfishUtils(creds, root_uri, timeout, module,
-                            resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes)
+                            resource_id=resource_id, data_modification=True, strip_etag_quotes=strip_etag_quotes,
+                            ciphers=ciphers)
 
     # Check that Category is valid
     if category not in CATEGORY_COMMANDS_ALL:

diff --git a/plugins/modules/redfish_info.py b/plugins/modules/redfish_info.py
@@ -73,6 +73,17 @@
       - Handle to check the status of an update in progress.
     type: str
     version_added: '6.1.0'
+  ciphers:
+    required: false
+    description:
+      - SSL/TLS Ciphers to use for the request.
+      - 'When a list is provided, all ciphers are joined in order with V(:).'
+      - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT)
+        for more details.
+      - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions.
+    type: list
+    elements: str
+    version_added: 9.2.0
 
 author: "Jose Delarosa (@jose-delarosa)"
 '''
@@ -423,6 +434,7 @@ def main():
             timeout=dict(type='int', default=60),
             update_handle=dict(),
             manager=dict(),
+            ciphers=dict(type='list', elements='str'),
         ),
         required_together=[
             ('username', 'password'),
@@ -450,9 +462,12 @@ def main():
     # manager
     manager = module.params['manager']
 
+    # ciphers
+    ciphers = module.params['ciphers']
+
     # Build root URI
     root_uri = "https://" + module.params['baseuri']
-    rf_utils = RedfishUtils(creds, root_uri, timeout, module)
+    rf_utils = RedfishUtils(creds, root_uri, timeout, module, ciphers=ciphers)
 
     # Build Category list
     if "all" in module.params['category']: