Validate SSL in panos_import #36972
Note to reviewers. This changes default behavior from false to true. It is a much better default but may break existing plays.
@@ -60,6 +63,12 @@ | |||
- URL of the file that will be imported to device. | |||
required: false | |||
default: None | |||
validate_ssl: | |||
description: | |||
- Whether or not certificates should be validated |
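Review bot: the `validate_ssl` description does not say which connection it governs. The option sits directly under `url`, so "certificates should be validated" could mean the server behind `url`, the device the module talks to, or both; name the connection in the description, and state what the default is, since "Whether or not" leaves the reader to guess.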
Please change to
If C(no), SSL certificates will not be validated. This should only set to no used on personally controlled sites using self-signed certificates.
description: | ||
- Whether or not certificates should be validated | ||
type: bool | ||
default: True |
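Review bot: `default: True` changes what happens for every existing play that does not set this option, and nothing in these lines tells a user that. Add `version_added` to the option and one sentence to the description saying that validation is on unless the option is set to C(no), so a certificate failure after an upgrade can be traced back to this entry.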
Yes
Changes applied
All requested changes should be integrated. It's now just a question of whether we should change the default to validate SSL or if staying with 'false' as default makes sense.
I am going to change to have the default to false to not break backwards compatibility. If there is still a merge conflict, I’ll need someone to help fix that.
Can this be merged?
default: software | ||
file: | ||
description: | ||
- Location of the file to import into device. | ||
url: | ||
description: | ||
- URL of the file that will be imported to device. | ||
validate_cert: |
To be consistent with other modules, this should be validate_certs, not validate_cert.
default: software | ||
file: | ||
description: | ||
- Location of the file to import into device. | ||
url: | ||
description: | ||
- URL of the file that will be imported to device. | ||
validate_cert: | ||
description: | ||
- If C(no), SSL certificates will not be validated. This should only set to no used on personally controlled sites using self-signed certificates. |
"This should only set to no used on" - sounds awkward. I also don't recommend reasons for when to turn this off. I'd just warn them it's not recommended. Even personally controlled sites using self-signed certs can fall victim to MITM attacks.
Sorry, couple more changes please. Thanks for your changes so far.
- Renamed validate_cert to validate_certs
- Changed documentation for disabling cert validation
All changes applied and pushed.
Looks good to me
Thanks, merged into
* Fix bug 36936
* Added version_added to argument and fixed whitespace
* Update panos_import documentation
  Update parameter documentation and add note.
* Add type documentation
* added version number for documentation
  For real
* Integrated recommended changes
  - Added recommended changes from PR
* Changed validate_ssl default back to True considering there is a note at the top of documentation explaining change
* Format changes based on recommendations from gundalow
* Rename validate_ssl to validate_cert
* Change description to remove SSL reference
* Change url default in documentation
* Integrated small changes from bug report
  - Renamed validate_cert to validate_certs
  - Changed documentation for disabling cert validation
SUMMARY
Bug #36936 states panos_import should validate SSL connections to avoid man in the middle attacks.
Fixes #36936
ISSUE TYPE
COMPONENT NAME
panos_import
ANSIBLE VERSION
ADDITIONAL INFORMATION
This should likely be back ported to previous versions since the code seems to be the same.
No difference in output