Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate SSL in panos_import #36972

Merged
merged 12 commits into from
Apr 5, 2018
Merged

Validate SSL in panos_import #36972

merged 12 commits into from
Apr 5, 2018

Conversation

kbreit
Copy link
Contributor

@kbreit kbreit commented Mar 4, 2018

SUMMARY

Bug #36936 states panos_import should validate SSL connections to avoid man in the middle attacks.

Fixes #36936

ISSUE TYPE
  • Docs Pull Request
COMPONENT NAME

panos_import

ANSIBLE VERSION
ansible 2.6.0 (panos/bug-36936 67c27ef877) last updated 2018/03/03 19:53:31 (GMT -500)
  config file = None
  configured module search path = ['/Users/kbreit/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/kbreit/Documents/Programming/ansible/lib/ansible
  executable location = /Users/kbreit/Documents/Programming/ansible/bin/ansible
  python version = 3.5.4 (default, Feb 25 2018, 14:56:02) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
ADDITIONAL INFORMATION

This should likely be back ported to previous versions since the code seems to be the same.

No difference in output

@ansibot
Copy link
Contributor

ansibot commented Mar 4, 2018

cc @ivanbojer @jtschichold
click here for bot help

@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. docs This issue/PR relates to or includes documentation. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. networking Network category support:community This issue/PR relates to code supported by the Ansible community. labels Mar 4, 2018
@kbreit
Copy link
Contributor Author

kbreit commented Mar 4, 2018

Note to reviewers. This changes default behavior from false to true. It is a much better default but may break existing plays.

@ansibot
Copy link
Contributor

ansibot commented Mar 4, 2018

The test ansible-test sanity --test pep8 [explain] failed with 1 error:

lib/ansible/modules/network/panos/panos_import.py:53:82: W291 trailing whitespace

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

lib/ansible/modules/network/panos/panos_import.py:0:0: E309 version_added for new option (validate_ssl) should be 2.6. Currently 0.0
lib/ansible/modules/network/panos/panos_import.py:0:0: E325 argument_spec for "validate_ssl" defines type="bool" but documentation does not

click here for bot help

@ansibot ansibot added ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. community_review In order to be merged, this PR must follow the community review workflow. and removed community_review In order to be merged, this PR must follow the community review workflow. ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Mar 4, 2018
@gundalow gundalow self-assigned this Mar 4, 2018
@gundalow gundalow added affects_1.3 and removed needs_triage Needs a first human triage before being processed. labels Mar 4, 2018
gundalow
gundalow requested changes Mar 4, 2018
View reviewed changes
lib/ansible/modules/network/panos/panos_import.py Outdated
@@ -60,6 +63,12 @@
- URL of the file that will be imported to device.
required: false
default: None
validate_ssl:
description:
- Whether or not certificates should be validated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change to
If C(no), SSL certificates will not be validated. This should only set to no used on personally controlled sites using self-signed certificates.

lib/ansible/modules/network/panos/panos_import.py Outdated
description:
- Whether or not certificates should be validated
type: bool
default: True
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Mar 4, 2018
kbreit
kbreit commented Mar 4, 2018
View reviewed changes
Copy link
Contributor Author

@kbreit kbreit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes applied

@ansibot
Copy link
Contributor

ansibot commented Mar 4, 2018

The test ansible-test sanity --test validate-modules [explain] failed with 1 error:

lib/ansible/modules/network/panos/panos_import.py:0:0: E309 version_added for new option (validate_ssl) should be 2.6. Currently 0.0

click here for bot help

@ansibot ansibot added ci_verified Changes made in this PR are causing tests to fail. and removed ci_verified Changes made in this PR are causing tests to fail. labels Mar 4, 2018
@kbreit
Copy link
Contributor Author

kbreit commented Mar 5, 2018

All requested changes should be integrated. It's now just a question of whether we should change the default to validate SSL or if staying with 'false' as default makes sense.

@ansibot ansibot added stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. stale_review Updates were made after the last review and the last review is more than 7 days old. labels Mar 13, 2018
@kbreit
Copy link
Contributor Author

kbreit commented Mar 20, 2018

I am going to change to have the default to false to not break backwards compatibility.

If there is still a merge conflict, I’ll need someone to help fix that.

@ansibot ansibot removed the stale_review Updates were made after the last review and the last review is more than 7 days old. label Mar 20, 2018
@ansibot ansibot added ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Mar 31, 2018
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Apr 1, 2018
@kbreit
Copy link
Contributor Author

kbreit commented Apr 2, 2018

Can this be merged?

ericwb
ericwb reviewed Apr 2, 2018
View reviewed changes
lib/ansible/modules/network/panos/panos_import.py Outdated
default: software
file:
description:
- Location of the file to import into device.
url:
description:
- URL of the file that will be imported to device.
validate_cert:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be consistent with other modules, this should be validate_certs, not validate_cert.

ericwb
ericwb reviewed Apr 2, 2018
View reviewed changes
lib/ansible/modules/network/panos/panos_import.py Outdated
default: software
file:
description:
- Location of the file to import into device.
url:
description:
- URL of the file that will be imported to device.
validate_cert:
description:
- If C(no), SSL certificates will not be validated. This should only set to no used on personally controlled sites using self-signed certificates.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"This should only set to no used on" - sounds awkward. I also don't recommend reasons for when to turn this off. I'd just warn them it's not recommend. Even personally controlled sites using self-signed certs can fall victim to MITM attacks.

ericwb
ericwb suggested changes Apr 2, 2018
View reviewed changes
Copy link
Contributor

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, couple more changes please. Thanks for your changes so far.

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Apr 2, 2018
@kbreit
Integrated small changes from bug report
3856bc5 
- Renamed validate_cert to validate_certs
- Changed documentation for disabling cert validation
kbreit
kbreit commented Apr 2, 2018
View reviewed changes
Copy link
Contributor Author

@kbreit kbreit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All changes applied and pushed.

ericwb
ericwb approved these changes Apr 2, 2018
View reviewed changes
Copy link
Contributor

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Apr 2, 2018
@acozine acozine moved this from In progress to Community Modules Maintenance in Ansible-maintained Collections Documentation Apr 4, 2018
@gundalow gundalow merged commit d5cfc54 into ansible:devel Apr 5, 2018
Ansible-maintained Collections Documentation automation moved this from Community Modules Maintenance to Done Apr 5, 2018
@gundalow
Copy link
Contributor

gundalow commented Apr 5, 2018

Thanks, merged into devel will be releases in 2.6.0
Not backporting as it introduces a new option.

ilicmilan pushed a commit to ilicmilan/ansible that referenced this pull request Nov 7, 2018
@kbreit @ilicmilan
Validate SSL in panos_import (ansible#36972)
5a7dd19 
* Fix bug 36936

* Added version_added to argument and fixed whitespace

* Update panos_import documentation

Update parameter documentation and add note.

* Add type documentation

* added version number for documentation

For real

* Integrated recommended changes

- Added recommended changes from PR

* Changed validate_ssl default back to True considering there is a
note at the top of documentation explaining change

* Format changes based on recommendations from gundalow

* Rename validate_ssl to validate_cert

* Change description to remove SSL reference

* Change url default ih documentation

* Integrated small changes from bug report
- Renamed validate_cert to validate_certs
- Changed documentation for disabling cert validation
@kbreit kbreit deleted the panos/bug-36936 branch November 9, 2018 02:56
@ansible ansible locked and limited conversation to collaborators Apr 27, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gundalow gundalow gundalow approved these changes

@ericwb ericwb ericwb approved these changes

Assignees

@gundalow gundalow

Labels
community_review In order to be merged, this PR must follow the community review workflow. docs This issue/PR relates to or includes documentation. module This issue/PR relates to a module. networking Network category support:community This issue/PR relates to code supported by the Ansible community.
Projects
No open projects
Ansible-maintained Collections Docume...
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

panos_import module ignores certificate validation
4 participants
@kbreit @ansibot @gundalow @ericwb