adding devel changes to master #882

Merged
merged 14 commits into from
Oct 11, 2023
Merged
1 change: 1 addition & 0 deletions bigip/provider.go
Expand Up @@ -139,6 +139,7 @@ func Provider() *schema.Provider {
"bigip_sys_dns": resourceBigipSysDns(),
"bigip_sys_iapp": resourceBigipSysIapp(),
"bigip_sys_ntp": resourceBigipSysNtp(),
"bigip_sys_ocsp": resourceBigipSysOcsp(),
"bigip_sys_provision": resourceBigipSysProvision(),
"bigip_sys_snmp": resourceBigipSysSnmp(),
"bigip_sys_snmp_traps": resourceBigipSysSnmpTraps(),
13 changes: 12 additions & 1 deletion bigip/resource_bigip_ltm_cipher_group.go
Expand Up @@ -113,7 +113,18 @@ func resourceBigipLtmCipherGroupRead(ctx context.Context, d *schema.ResourceData
}
_ = d.Set("name", cipherGroup.FullPath)
_ = d.Set("ordering", cipherGroup.Ordering)
log.Printf("[INFO] Cipher group response :%+v", cipherGroup)
var allowList []interface{}
for _, val := range cipherGroup.Allow {
tmpCipher := fmt.Sprintf("/%s/%s", val.(map[string]interface{})["partition"].(string), val.(map[string]interface{})["name"].(string))
allowList = append(allowList, tmpCipher)
}
_ = d.Set("allow", allowList)
var requireList []interface{}
for _, val := range cipherGroup.Require {
tmpCipher := fmt.Sprintf("/%s/%s", val.(map[string]interface{})["partition"].(string), val.(map[string]interface{})["name"].(string))
requireList = append(requireList, tmpCipher)
}
_ = d.Set("require", requireList)
return nil
}

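Review bot: The two new loops in resourceBigipLtmCipherGroupRead assert `val.(map[string]interface{})["partition"].(string)` and `["name"].(string)` without the `ok` form, so an entry in `cipherGroup.Allow` or `cipherGroup.Require` that is not a map, or lacks either key, panics the provider process instead of returning a diagnostic from the Read. The same shape-building code is duplicated for allow and require; a small helper that checks each assertion and returns an error (which the Read can pass to `diag.FromErr`, already used in this file) removes both problems. I am assuming `Allow`/`Require` are `[]interface{}` from the way they are ranged over; adjust the helper's parameter type if the struct declares them differently. resourceBigipLtmCipherGroupRead starts outside the hunk.
```go
// cipherFullPaths builds "/partition/name" strings from the API's cipher entries,
// returning an error instead of panicking when an entry has an unexpected shape.
func cipherFullPaths(entries []interface{}) ([]interface{}, error) {
	out := make([]interface{}, 0, len(entries))
	for _, val := range entries {
		m, ok := val.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("unexpected cipher entry of type %T", val)
		}
		partition, okP := m["partition"].(string)
		name, okN := m["name"].(string)
		if !okP || !okN {
			return nil, fmt.Errorf("cipher entry missing partition or name: %+v", m)
		}
		out = append(out, fmt.Sprintf("/%s/%s", partition, name))
	}
	return out, nil
}

// … unchanged: start of resourceBigipLtmCipherGroupRead, name/ordering Set calls …
	allowList, err := cipherFullPaths(cipherGroup.Allow)
	if err != nil {
		return diag.FromErr(err)
	}
	_ = d.Set("allow", allowList)
	requireList, err := cipherFullPaths(cipherGroup.Require)
	if err != nil {
		return diag.FromErr(err)
	}
	_ = d.Set("require", requireList)
	return nil
```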
7 changes: 4 additions & 3 deletions bigip/resource_bigip_ltm_cipher_rule.go
Expand Up @@ -48,11 +48,13 @@ func resourceBigipLtmCipherRule() *schema.Resource {
"dh_groups": {
Type: schema.TypeString,
Optional: true,
Computed: true,
Description: "Specifies the DH Groups Elliptic Curve Diffie-Hellman key exchange algorithms, separated by colons (:).Note: You can also type a special keyword, DEFAULT, which represents the recommended set of named groups",
},
"signature_algorithms": {
Type: schema.TypeString,
Optional: true,
Computed: true,
Description: "Specifies the Signature Algorithms, separated by colons (:), that you want to include in the cipher rule. You can also type a special keyword, DEFAULT, which represents the recommended set of signature algorithms",
},
},
Expand Down Expand Up @@ -108,9 +110,8 @@ func resourceBigipLtmCipherRuleRead(ctx context.Context, d *schema.ResourceData,
return diag.FromErr(err)
}
log.Printf("[INFO] Cipher rule response :%+v", cipherRule)
_ = d.Set("name", cipherRule.Name)
_ = d.Set("partition", cipherRule.Partition)
_ = d.Set("cipher_suites", cipherRule.Cipher)
_ = d.Set("name", cipherRule.FullPath)
_ = d.Set("cipher", cipherRule.Cipher)
_ = d.Set("dh_groups", cipherRule.DhGroups)
_ = d.Set("signature_algorithms", cipherRule.SignatureAlgorithms)
return nil
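Review bot: The renamed state key in the second hunk, `_ = d.Set("cipher", cipherRule.Cipher)` replacing `cipher_suites`, discards the error that d.Set returns, so if the schema key was not renamed in the same commit the attribute is silently never written to state; the schema block for this resource is outside the hunk, so I cannot confirm it here. Storing `cipherRule.FullPath` under `name` instead of the bare name is also a state-format change that may show a diff for existing configurations that set `name` without a partition prefix. At minimum check the result on the renamed key: `if err := d.Set("cipher", cipherRule.Cipher); err != nil { return diag.FromErr(err) }`. resourceBigipLtmCipherRuleRead starts outside the hunk.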
128 changes: 125 additions & 3 deletions bigip/resource_bigip_ltm_profile_http.go
Expand Up @@ -166,9 +166,10 @@ func resourceBigipLtmProfileHttp() *schema.Resource {
Description: "Specifies how the system handles HTTP content that is chunked by a server. The default is Selective",
},
"server_agent_name": {
Type: schema.TypeString,
Optional: true,
Computed: true,
Type: schema.TypeString,
Optional: true,
// Computed: true,
Default: "BigIP",
Description: "Specifies the value of the Server header in responses that the BIG-IP itself generates. The default is BigIP. If no string is specified, then no Server header will be added to such responses",
},
"via_host_name": {
Expand Down Expand Up @@ -197,6 +198,72 @@ func resourceBigipLtmProfileHttp() *schema.Resource {
Computed: true,
Description: "Specifies alternative XFF headers instead of the default X-forwarded-for header",
},
"http_strict_transport_security": {
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"include_subdomains": {
Type: schema.TypeString,
Optional: true,
Default: "enabled",
Description: "Specifies whether to include the includeSubdomains directive in the HSTS header.",
},
"maximum_age": {
Type: schema.TypeInt,
Optional: true,
Default: 16070400,
Description: "Specifies the maximum age to assume the connection should remain secure.",
},
"mode": {
Type: schema.TypeString,
Optional: true,
Default: "disabled",
Description: "Specifies whether to include the HSTS response header.",
},
"preload": {
Type: schema.TypeString,
Optional: true,
Default: "disabled",
Description: "Specifies whether to include the preload directive in the HSTS header.",
},
},
},
},
"enforcement": {
Type: schema.TypeSet,
Optional: true,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"known_methods": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Schema{Type: schema.TypeString},
Optional: true,
Description: "Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list will cause the HTTP filter to not recognize them.",
},
"max_header_count": {
Type: schema.TypeInt,
Optional: true,
Default: 64,
Description: "Specifies the maximum number of headers allowed in HTTP request/response.",
},
"max_header_size": {
Type: schema.TypeInt,
Optional: true,
Default: 32768,
Description: "Specifies the maximum header size.",
},
"unknown_method": {
Type: schema.TypeString,
Optional: true,
Default: "allow",
Description: "Specifies whether to allow, reject or switch to pass-through mode when an unknown HTTP method is parsed.",
},
},
},
},
},
}
}
Expand Down Expand Up @@ -325,6 +392,37 @@ func resourceBigipLtmProfileHttpRead(ctx context.Context, d *schema.ResourceData
}
_ = d.Set("xff_alternative_names", pp.XffAlternativeNames)

var enforcementList []interface{}
enforcement := make(map[string]interface{})
enforcement["max_header_count"] = pp.Enforcement.MaxHeaderCount
enforcement["max_header_size"] = pp.Enforcement.MaxHeaderSize
enforcement["unknown_method"] = pp.Enforcement.UnknownMethod

if p, ok := d.GetOk("enforcement"); ok {
for _, r := range p.(*schema.Set).List() {
if len(r.(map[string]interface{})["known_methods"].([]interface{})) != 0 {
enforcement["known_methods"] = pp.Enforcement.KnownMethods
}
}
}

enforcementList = append(enforcementList, enforcement)

if _, ok := d.GetOk("enforcement"); ok {
_ = d.Set("enforcement", enforcementList)
}

var hstsList []interface{}
hsts := make(map[string]interface{})
hsts["include_subdomains"] = pp.Hsts.IncludeSubdomains
hsts["maximum_age"] = pp.Hsts.MaximumAge
hsts["mode"] = pp.Hsts.Mode
hsts["preload"] = pp.Hsts.Preload

hstsList = append(hstsList, hsts)
if _, ok := d.GetOk("http_strict_transport_security"); ok {
_ = d.Set("http_strict_transport_security", hstsList)
}
return nil
}

Expand All @@ -337,6 +435,7 @@ func resourceBigipLtmProfileHttpUpdate(ctx context.Context, d *schema.ResourceDa
Name: name,
}
config := getHttpProfileConfig(d, pss)

err := client.ModifyHttpProfile(name, config)

if err != nil {
Expand Down Expand Up @@ -387,5 +486,28 @@ func getHttpProfileConfig(d *schema.ResourceData, config *bigip.HttpProfile) *bi
config.ViaRequest = d.Get("via_request").(string)
config.ViaResponse = d.Get("via_response").(string)
config.XffAlternativeNames = setToInterfaceSlice(d.Get("xff_alternative_names").(*schema.Set))
config.LwsWidth = d.Get("lws_width").(int)
p := d.Get("http_strict_transport_security")

for _, r := range p.(*schema.Set).List() {
config.Hsts.IncludeSubdomains = r.(map[string]interface{})["include_subdomains"].(string)
config.Hsts.Mode = r.(map[string]interface{})["preload"].(string)
config.Hsts.Preload = r.(map[string]interface{})["mode"].(string)
config.Hsts.MaximumAge = r.(map[string]interface{})["maximum_age"].(int)
}

v := d.Get("enforcement")

for _, r := range v.(*schema.Set).List() {
var knownMethods []string
for _, val := range r.(map[string]interface{})["known_methods"].([]interface{}) {
knownMethods = append(knownMethods, val.(string))
}
config.Enforcement.KnownMethods = knownMethods
config.Enforcement.UnknownMethod = r.(map[string]interface{})["unknown_method"].(string)
config.Enforcement.MaxHeaderCount = r.(map[string]interface{})["max_header_count"].(int)
config.Enforcement.MaxHeaderSize = r.(map[string]interface{})["max_header_size"].(int)
}

return config
}
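Review bot: In getHttpProfileConfig the HSTS `mode` and `preload` values are crossed: `config.Hsts.Mode = r.(map[string]interface{})["preload"].(string)` and `config.Hsts.Preload = r.(map[string]interface{})["mode"].(string)` each read the other's key, so a config with `mode = "enabled"` and `preload = "disabled"` pushes HSTS disabled with preload on, and the Read path (which maps the fields the right way round) then reports a permanent diff. The two lines should be `config.Hsts.Mode = r.(map[string]interface{})["mode"].(string)` and `config.Hsts.Preload = r.(map[string]interface{})["preload"].(string)`. The acceptance test added in this PR sets both fields to "enabled", so it cannot detect the swap. Separately, the unchecked type assertions in both loops, and `d.Get("lws_width").(int)` if `lws_width` is not declared in the schema (not visible in this hunk), will panic the provider rather than return a diagnostic; getHttpProfileConfig starts outside the hunk.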
97 changes: 97 additions & 0 deletions bigip/resource_bigip_ltm_profile_http_test.go
Expand Up @@ -342,6 +342,87 @@ func TestAccBigipLtmProfileHttpUpdateEncryptCookies(t *testing.T) {
})
}

func TestAccBigipLtmProfileHttpUpdateEnforcement(t *testing.T) {
t.Parallel()
var instName = "test-http-Update-enforcement"
var instFullName = fmt.Sprintf("/%s/%s", TestPartition, instName)
resFullName := fmt.Sprintf("%s.%s", resHttpName, instName)
resource.Test(t, resource.TestCase{
PreCheck: func() {
testAcctPreCheck(t)
},
Providers: testAccProviders,
CheckDestroy: testCheckHttpsDestroyed,
Steps: []resource.TestStep{
{
Config: testaccbigipltmprofilehttpUpdateParam(instName, ""),
Check: resource.ComposeTestCheckFunc(
testCheckhttpExists(instFullName),
resource.TestCheckResourceAttr(resFullName, "name", instFullName),
resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
),
},
{
Config: testaccbigipltmprofilehttpUpdateParam(instName, "enforcement"),
Check: resource.ComposeTestCheckFunc(
testCheckhttpExists(instFullName),
resource.TestCheckResourceAttr(resFullName, "name", instFullName),
resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "CONNECT"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "DELETE"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "GET"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "HEAD"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "LOCK"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "POST"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "PROPFIND"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "PUT"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "TRACE"),
resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "UNLOCK"),
resource.TestCheckResourceAttr(resFullName, "enforcement.0.unknown_method", "allow"),
resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_count", "40"),
resource.TestCheckResourceAttr(resFullName, "enforcement.0.max_header_size", "80"),
),
},
},
})
}

func TestAccBigipLtmProfileHttpUpdateHSTS(t *testing.T) {
t.Parallel()
var instName = "test-http-Update-hsts"
var instFullName = fmt.Sprintf("/%s/%s", TestPartition, instName)
resFullName := fmt.Sprintf("%s.%s", resHttpName, instName)
resource.Test(t, resource.TestCase{
PreCheck: func() {
testAcctPreCheck(t)
},
Providers: testAccProviders,
CheckDestroy: testCheckHttpsDestroyed,
Steps: []resource.TestStep{
{
Config: testaccbigipltmprofilehttpUpdateParam(instName, ""),
Check: resource.ComposeTestCheckFunc(
testCheckhttpExists(instFullName),
resource.TestCheckResourceAttr(resFullName, "name", instFullName),
resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
),
},
{
Config: testaccbigipltmprofilehttpUpdateParam(instName, "hsts"),
Check: resource.ComposeTestCheckFunc(
testCheckhttpExists(instFullName),
resource.TestCheckResourceAttr(resFullName, "name", instFullName),
resource.TestCheckResourceAttr(resFullName, "defaults_from", "/Common/http"),
resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.include_subdomains", "disabled"),
resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.preload", "enabled"),
resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.mode", "enabled"),
resource.TestCheckResourceAttr(resFullName, "http_strict_transport_security.0.maximum_age", "80"),
),
},
},
})
}

func TestAccBigipLtmProfileHttpImport(t *testing.T) {
resource.Test(t, resource.TestCase{
PreCheck: func() {
Expand Down Expand Up @@ -469,6 +550,22 @@ func testaccbigipltmprofilehttpUpdateParam(instName, updateParam string) string
case "basic_auth_realm":
resPrefix = fmt.Sprintf(`%s
basic_auth_realm = "titanic"`, resPrefix)
case "enforcement":
resPrefix = fmt.Sprintf(`%s
enforcement {
known_methods = ["CONNECT","DELETE","GET","HEAD","LOCK","OPTIONS","POST","PROPFIND","PUT","TRACE","UNLOCK"]
unknown_method = "allow"
max_header_count = 40
max_header_size = 80
}`, resPrefix)
case "hsts":
resPrefix = fmt.Sprintf(`%s
http_strict_transport_security {
include_subdomains = "disabled"
preload = "enabled"
mode = "enabled"
maximum_age = 80
}`, resPrefix)
default:
}
return fmt.Sprintf(`%s
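Review bot: TestAccBigipLtmProfileHttpUpdateHSTS gives `mode` and `preload` the same value ("enabled"), so it cannot tell whether the provider writes each of them to the right field on the device; use distinct values, e.g. `preload = "disabled"` with `mode = "enabled"` in the `hsts` case of testaccbigipltmprofilehttpUpdateParam, and adjust the two matching TestCheckResourceAttr lines. Likewise the enforcement config lists "OPTIONS" in known_methods but the check block omits it; add `resource.TestCheckTypeSetElemAttr(resFullName, "enforcement.0.known_methods.*", "OPTIONS"),` so a dropped method is caught. testaccbigipltmprofilehttpUpdateParam starts and ends outside the last hunk.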
16 changes: 14 additions & 2 deletions bigip/resource_bigip_ltm_profile_ssl_client.go
Expand Up @@ -328,6 +328,13 @@ func resourceBigipLtmProfileClientSsl() *schema.Resource {
Description: "ModSSL Methods enabled / disabled. Default is disabled.",
},

"ocsp_stapling": {
Type: schema.TypeString,
Optional: true,
Default: "disabled",
Description: "Specifies whether the system uses OCSP stapling.",
},

"tm_options": {
Type: schema.TypeSet,
Elem: &schema.Schema{Type: schema.TypeString},
Expand Down Expand Up @@ -686,6 +693,10 @@ func resourceBigipLtmProfileClientSSLRead(ctx context.Context, d *schema.Resourc
_ = d.Set("tm_options", tmOptions)
}

if _, ok := d.GetOk("ocsp_stapling"); ok {
_ = d.Set("ocsp_stapling", obj.OcspStapling)
}

if _, ok := d.GetOk("proxy_ca_cert"); ok {
_ = d.Set("proxy_ca_cert", obj.ProxyCaCert)
}
Expand Down Expand Up @@ -856,6 +867,7 @@ func getClientSslConfig(d *schema.ResourceData, config *bigip.ClientSSLProfile)
config.CaFile = d.Get("ca_file").(string)
config.CacheSize = d.Get("cache_size").(int)
config.CacheTimeout = d.Get("cache_timeout").(int)
config.OcspStapling = d.Get("ocsp_stapling").(string)
log.Printf("[DEBUG] Length of certKeyChains :%+v", len(certKeyChains))
log.Printf("[DEBUG] certKeyChains :%+v", certKeyChains)
if len(certKeyChains) == 0 {
Expand All @@ -873,8 +885,8 @@ func getClientSslConfig(d *schema.ResourceData, config *bigip.ClientSSLProfile)
config.Ciphers = ciphers.(string)
config.CipherGroup = "none"
}
if cipher_grp, ok := d.GetOk("cipher_group"); ok && cipher_grp != "none" {
config.CipherGroup = cipher_grp.(string)
if cipherGrp, ok := d.GetOk("cipher_group"); ok && cipherGrp != "none" {
config.CipherGroup = cipherGrp.(string)
config.Ciphers = "none"
}
config.ClientCertCa = d.Get("client_cert_ca").(string)
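Review bot: The guard `if _, ok := d.GetOk("ocsp_stapling"); ok` in resourceBigipLtmProfileClientSSLRead is effectively always true because the attribute carries `Default: "disabled"`, a non-zero string, so the condition adds nothing and, if the intent was to skip the attribute when it is unmanaged, it does not achieve that; an unconditional `_ = d.Set("ocsp_stapling", obj.OcspStapling)` is clearer and keeps changes made on the device visible as drift. The schema also accepts any string for a setting the device only understands as enabled/disabled; if the package already uses the SDK's validation helpers, `ValidateFunc: validation.StringInSlice([]string{"enabled", "disabled"}, false)` on the new attribute would reject typos at plan time rather than at the API call. Both enclosing functions start outside their hunks.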
12 changes: 8 additions & 4 deletions bigip/resource_bigip_ltm_profile_ssl_server.go
Expand Up @@ -493,8 +493,12 @@ func resourceBigipLtmProfileServerSslRead(ctx context.Context, d *schema.Resourc
_ = d.Set("ca_file", obj.CaFile)
_ = d.Set("cert", obj.Cert)
_ = d.Set("chain", obj.Chain)
_ = d.Set("ciphers", obj.Ciphers)
_ = d.Set("cipher_group", obj.CipherGroup)
if _, ok := d.GetOk("ciphers"); ok {
_ = d.Set("ciphers", obj.Ciphers)
}
if _, ok := d.GetOk("cipher_group"); ok {
_ = d.Set("cipher_group", obj.CipherGroup)
}
_ = d.Set("expire_cert_response_control", obj.ExpireCertResponseControl)
_ = d.Set("cache_size", obj.CacheSize)
_ = d.Set("handshake_timeout", obj.HandshakeTimeout)
Expand Down Expand Up @@ -637,8 +641,8 @@ func getServerSslConfig(d *schema.ResourceData, config *bigip.ServerSSLProfile)
config.Ciphers = ciphers.(string)
config.CipherGroup = "none"
}
if cipher_grp, ok := d.GetOk("cipher_group"); ok && cipher_grp != "none" {
config.CipherGroup = cipher_grp.(string)
if cipherGrp, ok := d.GetOk("cipher_group"); ok && cipherGrp != "none" {
config.CipherGroup = cipherGrp.(string)
config.Ciphers = "none"
}
config.ExpireCertResponseControl = d.Get("expire_cert_response_control").(string)
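Review bot: Wrapping `d.Set("ciphers", ...)` and `d.Set("cipher_group", ...)` in `d.GetOk` guards means the Read no longer records the device's cipher configuration unless the attribute is already in state, so a cipher list changed out of band on the BIG-IP is not surfaced as drift for a profile that relied on the default, and `GetOk` is also false for an explicitly empty string. If the goal is to avoid a perpetual diff between the two attributes (getServerSslConfig forces whichever one is unset to "none"), a comment saying so above the guards, e.g. `// only one of ciphers/cipher_group is managed; the other is forced to "none" on write`, would make the intent clear; otherwise set both unconditionally as before. resourceBigipLtmProfileServerSslRead starts outside the hunk.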